Zdravko Stoychev, CISM CRISC

1 10
th
regional conference Information Security and Storage, 2011 Sofia, Bulgaria
Zdravko Stoychev, CISM CRISC
8oard reroer ol l3ACA-3ol|a Crapler
Cerl|l|cal|ors ard Researcr Coord|ralor
10
th
regional Information Security and Storage conference
The New Cross-Section, Sep 28
th
, 2011 Sofia, Bulgaria
0ata Leakage Prevent|on 8ystem
{wnar k|no ol an|ma| |s rn|s?j
2 10
th
ACEN0A
The need of new skills
What a DLP system is?
To DLP or not to DLP? Questions, Risks, Outcomes
Examples Business needs, Insider threats, Implementation
Questions
3 10
th
A need of new sk|||s
Ab ovo (usque ad mala)
- From the beginning to the end
4 10
th
New sk|||s that 6|80 need now
RSA appoints its first CSO
EMCs security division RSA has plucked its first chief security officer (CSO) from NetWitness,
the company it acquired shortly after admitting it was hacked;
Following RSA's offer to replace as many as 40 million SecurID tokens, three Australian banks
have dumped their tokens, including Australia's largest bank, Westpac;
Eddie Schwartz, RSAs new CSO:
Only job more public and challenging at the moment would be CSO of Sony.
Sony promised its first CISO
In response to its equally devastating breach, Sony promised to appoint its first chief information
security officer (CISO) to ensure the company could avoid a repeat;
However, Lulzsec is claiming to have attacked the servers yet again and say that they have
walked away with unencrypted security information.
At this point in time we are not in the position to say one way or another
what the impact will be in full."
Source: itnews, ghacks
5 10
th
Source: World Economic Forum
6 10
th
New sk|||s that 6|80 need now
Technical knowledgethat connects to business operations
While technical expertise is something a CISO has always needed, in fact, it is this level of
knowledge that will broaden the gap and continue to differentiate senior information security
leaders, from their counterparts with backgrounds solely in physical security, and make them
more attractive in the selection process.
Business acumenat a whole new level
While you may be an expert in application security, comparing yourself to a group of application
security professionals will only keep you in application security and won't get you elevated to
management. In the past ISO've used their peer group of security pros to be their benchmark of
what their skills should be; now that is really the executive team.
Communication abilityincluding the skill of listening
In order for a security program to be implemented correctly you have to be able to get that
message to everyone. Everybody has to develop some kind of security conscience. The listening
skills may be even more important than speaking in the first stages of communicating with others
throughout the organization.
Leadership skillno matter your current position
Of all the skills today's employer is looking for from their CISO or security manager, it is
leadership. And many companies may be hiring a CISO because they are seeking change within
an organization and they want a CISO who can drive their security in a new direction. And that
takes someone with leadership ability.
Source: CSO Magazine
7 10
th
Exp|a|n: 0LP
Et ipsa scientia potestas est
- And knowledge itself, is power
8 10
th
Data leakage/loss prevention (DLP) is:
A set of information security tools that
is intended to stop users from sending
sensitive or critical information outside
of the corporate network.
Adoption of DLP, variously called data
leak prevention, information loss
prevention or extrusion prevention, is
being driven by significant insider
threats and by more rigorous state
privacy laws, many of which have
stringent data protection or access
components.
DLP products use business rules to
examine file content and tag
confidential and critical information so
that users cannot disclose it.
Tagging is the process of classifying
which data on a system is confidential
and marking it appropriately.
Example: A user who accidentally or
maliciously attempts to disclose
confidential information that's been
tagged will be denied, e.g. prevent a
sensitive financial spreadsheet from
being emailed by one employee to
another within the same corporation.
what |s a 0LP system?
9 10
th
Key 0LP quest|ons (1)
The first and the foremost thing is to answer the question: What problem space are we
talking about when we talk about Data Leakage?
The Data Leakage problem can be defined as any unauthorized access of data due to an
improper implementation or inadequacy of a technology, process or a policy.
Next, the second question to answer is what part of the problem space defined above
does the DLP product market solve?
In the above definition of data leakage, the DLP solutions are designed to prevent unauthorized
access of data due to inadequacy or improper implementation of a process or a policy, but not
technology. They are not designed to address data leakage issues resulting from external
attacks.
Hence the DLP systems primarily help enforce acceptable use policies and processes
for an enterprise.
What you dont have is that:
They are not designed to solve the part of data leakage problem space that is related to
technologythe information security aspect. So, it is not an information security data leakage
issue that the DLP solution is trying to solve.
Source: InfoSecIsland
10 10
th
Key 0LP quest|ons (2)
The third question that comes to mind, where is our enterprise in this Data Leakage
Problem space?
Surprisingly, one will notice that Data Leakage is already a part of one's enterprise security
strategy in the form of deployed firewalls, encryption solutions, IDS, LDAP etc.
Next, getting to the real question does my enterprise need to invest in a DLP solution?
And this is a million dollar question which requires comprehensive evaluation specifically to the
current state of enterprise security technology investments, and of course the data type the
enterprise processes/stores.
Hence the DLP system should be/ is implicitly a part of an enterprise security strategy.
What you should do/ have is:
Enterprise Data Classification if you cannot answer the question where is my sensitive data,
you need to first work on a data classification effort for your enterprise;
Streamline or Implement Processes and Policies in support of data leakage prevention;
Perform a gap assessment on current security infrastructure that already implicitly supports DLP
or can be leveraged to support DLP purely for cost savings.
11 10
th
To 0LP or Not?
Amat victoria curam
- Victory loves preparation
12 10
th
R|sks m|t|gated by 0LP
DLP solutions help mitigate following risks:
Identifying insecure business processes. For example, use of FTP for transporting
personal data;
Accidental data disclosure by employees. For example, employee sending
unencrypted email containing sensitive data;
Intentional data leakage by employees. For example, disgruntled employees stealing
data or an employee leaving the company with sensitive data.
The problem space is not solved comprehensively by DLP solutions!
Example: an employee can still take a picture of sensitive data and leak it.
So DLP are being systems that aid the enforcement of acceptable use policies and
process with certain limitations.
13 10
th
Usua| 0LP outcomes
Data Classification efforts can be very easy for a small enterprise, and a beast for large
enterprise. Similarly, implementing a DLP solution is an easy and effective for a small
enterprise vs. a medium or large enterprise.
The larger enterprises should always use a phased approach and also account for the
extra manpower required to continuously configure, monitor and tune the DLP solution.
This will reduce false positives and false negatives, which is usually the biggest
problem enterprises have reported once implementing the DLP solution.
Some of the features could result in serious business interruptions in the case of no data
classification or a rules misconfiguration;
Also, it's easy to get blown away by some of the rally features like copy-paste functions for certain
kinds of data, or pattern matching features, etc.
Its not the tool which is a problem here, it's the preparation and implementation
shortcomings that result in such outcomes.
Conclusion: the DLP solutions address only a subset of data leakage issues and only
help enforce acceptable use policies and processes with a number of limitations. They
do not prevent information security related data leakage issues.
14 10
th
0LP Examp|e
A bove maiore discit arare minor
- A good example makes a good job
15 10
th
Examp|e: us|ness needs
In most of the cases, the company exchanges information with third parties (customers,
partners, authorities etc) using the E-mail and the Internet services;
Sensitive Information is located at many places, such as in:
central databases;
workstations (local drives) and laptops;
shared workplaces (file servers, SharePoint servers);
USB sticks and external hard drives.
The company provides E-mail and Internet services to the users of its own units (and
probably several group companies).
The risk of inadvertent or deliberate data loss due to inadequate
security measures and users negligence is present. Isnt it?
To answer that question we have to evaluate the existing threats
16 10
th
Examp|e: |ns|der threats
Lack of or insufficient security policies & procedures;
Appropriate security measures not implemented (perimeter, endpoints);
Lack of employees awareness & training;
Lack of employees diligence;
Disgruntled employees steal corporate data;
Misuse of corporate computers, systems and passwords;
Information destruction and recycling of media;
Remote working & mobility;
Economic crisis.
17 10
th
Prevent|on examp|e: E-ma||
Based on the policies and rules, the DLP Email Prevent system
Releases the message (no violation of policies)
Blocks the message (unauthorized user)
Modifies the header of the message (authorized users).
When the SMTP Gateway receives an email with this special header, forwards it to the
encryption server.
The encryption server encrypts the email and sends it back to the SMTP Gateway for
forwarding it to the Internet.
No user (sender) intervention is required.
Different encryption options provided for the recipients.
18 10
th
Prevent|on examp|e: E-ma||
19 10
th
Prevent|on examp|e: |nternet
Proxy server forwards all web traffic to the DLP Web Prevent system;
Based on the policies and rules, the DLP system can:
block the file upload or remove the confidential content from the file;
release the traffic back to the proxy server.
Main goal is to block the uploading of files using HTTP/S or FTP:
real-time monitoring of the ongoing traffic transparent to the users;
blocking certain websites based on BlackLists / keywords, etc;
encrypted traffic is being monitored too (by replacing root CA).
No additional protection (encryption) mechanism.
20 10
th
Prevent|on examp|e: |nternet
21 10
th
Next steps
Related security projects to consider for minimizing the risks of Data Leakage:
Discover where the sensitive Information is located across the company and take
relevant measures;
Implement DLP at workstations with critical operations, in conjunction with the current
Endpoint security technology;
Protection at the endpoint (workstations, laptops, removable storage devices, mobile
devices, smartphones);
Protecting Databases from unauthorized access and actions (audit & prevent);
Protection for shared information (file servers, backups, Databases) by using
encryption mechanisms;
This is an ongoing process (Monitoring, assessment, optimization).
22 10
th
0uest|ons
Prudens quaestio dimidium scientiae
- To know what to ask is already to know half
23 10
th
0uest|ons
Thank you for your time!
Zdravko Stoychev, CISM CRISC
http://twitter.com/zdravkos

Zdravko Stoychev, CISM CRISC

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Zdravko Stoychev, CISM CRISC

Uploaded by

Copyright:

Available Formats

1 10

You might also like