Embed Size (px)
Citation preview
BUILDING A SECURITY PROGRAM THAT PROTECTS AN ORGANIZATION’S MOST CRITICAL ASSETS
SYMANTEC DLP COMPONENTS
Endpoint Prevent
Symantec Data Loss Prevention Endpoint Prevent monitors files downloaded to local drives; transferred over email, IM, Web or FTP; copied to USB, CompactFlash®, SD, or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically. With Symantec Data Loss Prevention, you can monitor and block:
• Instant messages sent to a partner containing confidential M&A information• Web mail with product plans attached going to a competitor• Customer lists being copied to USB or other removable media devices• Email containing PII sent via hosted email security services • Source code that is copied to a local drive• Mobile devices for email sent containing confidential data• Product design documents being burned to CD/DVD• Price lists being printed or faxed to a competitor
WHAT WE WILL COVER TODAY
What is a Critical Asset Protection Program
Data Loss Prevention Governance
Use Cases
Avoiding Common Pitfalls
Open Q&A
Managed Services
Consulting Services
Technical Services
Product Solutions
Security Assessments
Training Services
ABOUT BEW GLOBAL
Focused Expertise
Global Service DeliveryFounded 2002
Quality Management
SOLUTION OFFERINGS
BEW GLOBAL’S DLP EXPERTISE
• Global Support in 130 countries
• Manage DLP Solutions in 22 Countries
• Daily Management of 1,000,000+ Users
• Deployed 400+ DLP Projects
• Completed 500+ Assessments
• Localized Chinese DLP Practice(2011)
• 1st Managed DLP Services Provider (2008)
VENDOR RECOGNITIONS
• Symantec Master Specialization DLP Partner
• RSA’s Only Authorized Managed DLP Partner
• Websense Certified TRITONs – More than any other partner, 10 Olympians & 5 Gladiators
BEW Global works in cooperation with customers to plan, implement and maintain a Critical Asset Protection Program (CAPP) that clearly defines what assets are deemed most important to the customer organization based on revenue, income, reputation and core operational impact..
BEW GLOBAL’S PROVEN APPROACH
REALISTIC SCOPE, MEASUREABLE RESULTS
Through a comprehensive interview and information gathering process, BEW Global works with the customer to develop a realistic Critical Asset Protection Program (CAPP) scope that defines the assets as well as the core attributes of those assets in regards creation, storage, usage and transmission.
CRITICAL ASSET LIFECYCLE MAPPING
Critical Asset Creation
The point in time when the asset is created. This could be the first swipe of a credit card, the initial lines of code for a new application or the acquisition of a new VM Cluster. Today, asset creation can be the product of multiple groups or systems.
Critical Asset Storage
Once the asset has been created the asset is stored. For intangible assets this may be in RAM, on a hard disk, NAS, SharePoint or other types of data storage. Tangible assets like servers, routers or laptops may be racked in a datacenter, placed in a remote office closet or placed on a home office desk.
Critical Asset Use
Protecting the critical assets becomes a more manageable endeavor by mapping the authorized usage characteristics of the assets within the CAPP scope, and then applying the optimal combination of people, process and technology.
Critical Asset Transmission
The transmission threat vector is utilized for authorized operations. Assessing how critical asset information is shared within and outside the organization provides key insight to the required protection mechanisms necessary to protect against inadvertent or malicious asset exposure.
CONTENT TYPES
SAMPLE CAPP PROGRAM SCOPE
Priority Security Concern Category Program Scope Supported Response
1
Disclosure of customer and employee PII data
Customer and
Employee Data
Symantec Network Discover – File Share scanning to
gain visibility into storage locations Symantec Network Monitor– Email monitoring to
gain visibility into transmission
2 Disclosure of PCI data Customer Data
Symantec Network Discover – File Share scanning to
gain visibility into storage locations Symantec Network Monitor– Email monitoring to
gain visibility into transmission
3 Disclosure and unauthorized use of customer “ARM Logs”
Proprietary Customer
Data
Symantec Network Discover – File Share scanning to
gain visibility into storage locations Symantec Network Monitor– Email monitoring to
gain visibility into transmission
4 Disclosure of Proprietary and Licensed source code
Intellectual Property
Symantec Network Discover – File Share scanning to
gain visibility into storage locations Symantec Network Monitor– Email monitoring to
gain visibility into transmission
CRITICAL ASSET MANAGEMENT CONCERNS
SAMPLE CAPP PROGRAM SCOPE
Category Data Element Description / Requirement Data Identifiers
Personally Identifiable Information
(PII)
Social Security
Numbers
The Human Resources, Finance, and Legal departments identified SSN as a key piece of PII to be protected by the Critical Asset Protection Program.
SSNs store on customers and employees
9 numeric characters
Customer Data TSN
[client name] Serial Number – Numbers are assigned to and uniquely identify each [client name] set top box. These numbers are associated to records (ARM logs) collected on each [client name] device containing sensitive customer information.
15 Digit Hexadecimal number First 3 digits represent the
TSN prefix The following 11 represent
the unit ID Final digit is a checksum
Payment Card
Industry Data
Credit Card Numbers
During regular transactions with customers [client name] collects and stores Credit Card Numbers. [client name] is currently categorized as a PCI level 2 vendor but strives for level 1 compliance.
All major national and international credit card vendors
Source Code
Copyrighted/Proprieta
ry Code
Proprietary source code and copyrighted source code
Adobe Copyright Broadcom Copyright Microsoft Copyright [client name] Copyright
TARGET DATA ELEMENTS:
SAMPLE CAPP PROGRAM SCOPESERVICE MILESTONE TIMELINE
Milestone Description Target Date
Data Loss Prevention System Technical Install
Data Loss Prevention system technically installed, tested and prepared to monitor all communications
Complete
Critical Asset Protection Program Implemented
Resources in place to manage Critical Asset Protection application, policies, triage incidents, develop analytics, and work with business to remediate events
07/2013
Critical Asset Protection Program Kick-off
Actively monitor production traffic with first crafted production policies targeted at specific data elements/client information ensuring data is going to the correct clients
07/2013
Critical Asset Protection System and Program Tuning
Working with the business to review incidents and leverage data to improve policy accuracy within the Critical Asset Protection system
08/2013
Policy Accuracy Target – 90% +
Tuning the Critical Asset Protection policies to the point of 90% or greater accuracy on outbound email communications, allowing for initial testing of prevention controls
09/2013
Blocking Pilot – Select User Group
Identification of first user group set-up for blocking or quarantine of unauthorized communications flagged by the DLP system
09/2013
Blocking – Full Production roll-out
Phased roll-out of remaining business units to be included within the email blocking and quarantine scope of the Critical Asset Protection system
09/2013
Phase # 1 Completion
Program in place for constant refinement of policies as the business evolves, communication with business units on violations, business analytics delivered, and unauthorized communications blocked
09/2013
USE CASE: DLP PRE-PROJECT STATEOrganization Overview: Manufacturing firm of 30,000 employees operating in 50 countries globally
DLP Scope: Protection of Intellectual Property (General)
DLP Primary Issue: Lack of staff and buy-in from business owners who handle critical assets
Application Management: Most information security tools operated and “managed” by IT or networks
Policy Governance: No internal resources with any experience with DLP policy construction
Incident Triage: Lean staff of Infosec staff already buried by SIEM and other tools output
Event Management: Informal event management process with little feedback to the business
Reporting and Metrics: Zero customized reports. Very little business analysis provided
Status: Charged with implementing DLP to protect Critical Assets & IP
APPLICATIONSUPPORT & INTEGRATION
Primary System DLP Management = Human Resource / Expertise Requirements
Integrated System Management = Cross Department Collaboration Processes
Health Check & System Validation Management = System Resource Requirements
Vendor Management = Primary and Integrated Technology Vendor Relationships
POLICY & RULE GOVERNANCE
Who requests rules & policy requirements?
Are business owners engaged?
Who reviews rule requests?
Criteria for approved rule?
What’s the process for converting a rule request into a policy?
Who’s responsible for converting a rule into technical policy? Do they have technical policy authoring expertise?
What is the formal policy development process?
First drafts rarely work as expected!
Is there a process to relay production policy metrics to stakeholders?
WORKFLOW DEVELOPMENT & MANAGEMENT
Who develops & manages policy “buckets”? False positive, inbound partner, outbound employee
Who defines thresholds that determine response rules for each “bucket”? Are 10 SSNs a high, medium or low severity incident?
Who designs & sets the policy response triggers?
Malicious, Inadvertent, Suspicious, above threshold.
Triage response options: Human notificationSystem notification (auto)Hybrid?
Who’s responsible for building alerts, alarms & notifications? Has business been engaged on event management?
Who manages the DLP policy & rules repository? Why recreate the wheel?
Who reviews volume & yield of incidents & events? What’s the review frequency?
How are events/incidents routed? Who owns the incident/event?
How does DLP fit in overall incident/event management process?
Can this be mapped to DLP system?
What metrics are developed to measure success of rules & related policy?
Who ‘s responsible for developing metrics?
Revision of rules based on quality of policy results.
Who manages policy optimization process?
How will integrated systems be tied together to yield valued info?
Secure mail, web gateway, GRC, SIEM
INCIDENT TRIAGE & EVENT MANAGEMENT
BUSINESS ANALYTICS
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Do they have the expertise with 3rd party reporting tools?
Are the metrics valuable & driving meaningful change?
Report accuracy tied into QA process?
USE CASE: POST-PROJECT STATE
Organization Overview: Defined specific business units to initiate program
DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings
DLP Primary Goal: Identification of unauthorized movement of specific elements of IP
Application Management: Operated by a combination of IT, messaging & desktop management teams
Policy Governance: 100% customized policies based on data collected from business unit
Incident Triage: Daily review of incidents by Intelisecure Managed Services team
Event Management: Incidents meeting severity criteria routed to business unit for investigation
Reporting and Metrics: Behavioral pattern analysis leading to preventive actions
Status: R&D teams have high-level of confidence in ability to identify leakage of IP
QMS SAMPLE QUARTERLY REPORT
Intelisecure DLP QMS: Six Month Trend
Application Management
Policy Governance
Incident Triage
Event Management
Reporting & Analytics
Time
Nu
mb
er o
f H
ou
rs
PITFALL 1: NO PLAN OF ATTACK
5 Pieces of DLP Advice You Can’t Afford to Ignore 21
PITFALL 2: FAILURE TO ENGAGE THE BUSINESS
5 Pieces of DLP Advice You Can’t Afford to Ignore 22
PITFALL 3: INADEQUATELY TRAINED RESOURCES
DATA LOSS PROTECITON PITFALLS: MISSING THE TARGET – FALSE SENSE OF SECURITY
Mis-configured Tap or Port Span
ProblemMissing segments of network traffic or protocols
Solution Comprehensive test plan that maps to in scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured.
Encryption – The Masked Data
Problem Analysis of data DID NOT take place prior to encryption.
SolutionComprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan.
Misfire of Network Discovery Scans
Problem Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process.
SolutionIdentify potential data stores by discussing the DLP program with staff to understand process.
Network versus Endpoint Discovery
Problem Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same.
SolutionPrior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then, decide on scanning method. .
THE PANDORA’S BOX OF DLP
Environment Assessment
Staying in Contact
User PerformanceImpacts
Network/System Performance Impacts
• ProblemNo rigorous endpoint environment assessment prior to the selection of the application & enablement.
• SolutionAddress age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints.
• Problem Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results.
• SolutionPhased deployment of endpoint with validation via test plan on initial success of ALL agents & on-going endpoint agent health reports.
• Problem Implementing same policies for network based & endpoint assessments without testing or modification.
• SolutionUtilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.
• Problem Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections.
• SolutionThorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.
DATA LOSS PROTECITON PITFALLS:
BEW GLOBAL IS THE CHOICE OF MARKET LEADERS
CLIENTS INCLUDE
MANUFACTURING OIL & GAS RETAIL / ENTERTAINMENT
TOP 100 GLOBAL
BEW GLOBAL IS THE CHOICE OF MARKET LEADERS
CLIENTS INCLUDE
UNIVERSITIES INSURANCEHEALTHCARE FINANCE
TOP 50
UPCOMING WEBINARS For more in fo rmat ion v is i t www.bewglobal .com/webinars
BUILDING A CRITICAL ASSET PROTECTION PROGRAM
10/24 @ 1pm EST
TECHNICAL DEMO SERIES: Symantec
10/31 @ 1pm EST
TECHNICAL DEMO SERIES: RSA
11/7 @ 1pm EST
TECHNICAL DEMO SERIES: Websense
11/14 @ 1pm EST
TECHNICAL DEMO SERIES: McAfee
11/21 @ 1pm EST
QUESTIONS?
