RSA 2010: Kevin Rowney

Post on 22-Nov-2014


DESCRIPTION

Kevin Rowney's presentation at RSA 2010. Session ID: TUT-M51

TRANSCRIPT

Kevin Rowney

Symantec Corporation.

Session ID: TUT-M51

SECURITY BASICS BOOT CAMP: Intrusion detection and data loss prevention

Agenda

What are the challenges today around data loss?

What is Data Loss Prevention (DLP)?

How does DLP address key challenges?

How does DLP work?

What are the challenges today around data loss?

Data Loss Prevention is a top 3 security project in 2010.
- Gartner Top 10 Security Priorities for 2010

285 million records were stolen in 2008, which is more than the last 3 years combined
- PrivacyRights.org

Cyber crime has surpassed illegal drug trafficking as a criminal moneymaker.

Cost of a Data Breach is Increasing

$6.75 Million: The average cost to remediate a data breach for US companies in 2009

83 Million: The total number of consumer records in publicly reported data breaches in 2008

Source: “Cost of a Data Breach Survey,” Ponemon Institute, 2009

$200 Billion: Losses from IP theft from US companies every year

Primary Threat Agents Behind Data Loss

• Well-Meaning Insiders
• Malicious Insiders
• Hackers

DLP Risk Management Relevancy

Methods Used in Current Hacks

1. INCURSION
• Attacker breaks into the network by targeting vulnerable systems or naïve employees

2. DISCOVERY
• Hacker then maps organization’s defenses from the inside
• Creates a battle plan

3. CAPTURE
• Accesses data on unprotected systems
• Installs malware to secretly acquire crucial data

4. EXFILTRATION
• Confidential data sent back to enemy’s “home base” for exploitation and fraud

Intrusion Detection

Act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource.

Manual
• log file review

Automatic
• intrusion detection system (IDS)
• intrusion prevention system (IPS)

DLP Answers 3 Questions About Risk of Breach

• Where is your confidential data?
• How is it being used?
• How best to prevent its loss?

Key DLP Capabilities

DISCOVER
• Find data wherever it is stored
• Create inventory of sensitive data
• Manage data clean up

MONITOR
• Understand how data is being used
• Understand content and context
• Gain visibility into policy violations

PROTECT
• Proactively secure data
• Prevent confidential data loss
• Enforce data protection policies

MANAGE
• Define unified policy across enterprise
• Detect content accurately
• Remediate and report on incidents

How It Works

1. MANAGE
• Enable or customize policy templates

2. DISCOVER
• Identify scan targets
• Run scan to find sensitive data on network & endpoint

3. MONITOR
• Inspect data being sent
• Monitor network & endpoint events

4. PROTECT
• Block, remove or encrypt
• Quarantine or copy files
• Notify employee & manager

5. MANAGE
• Remediate and report on risk reduction

Data Loss Prevention Architecture

[Architecture diagram. Zones: Secured Corporate LAN, DMZ, Disconnected. Network integration points: SPAN Port or Tap, MTA or Proxy.]

Use cases: How DLP manages risk of breach

DLP for Storage – Use Cases

DISCOVER, PROTECT

Fix Broken Business Processes: 500k Personal Records on Open Share

Find it. Fix it. Remove from open share and leave a file marker.


DLP for Network – Use Cases

MONITOR, PROTECT

Protect Competitive Advantage: Unencrypted product design documents sent to a partner

Educate users with automated email. Protect intellectual property.


DLP for Endpoint – Use Cases

MONITOR, DISCOVER, PROTECT

Fix Exposed Data on a Desktop: Call center records improperly stored on an Endpoint

Clean Up Exposed Data on a Desktop: Notify user via automated email. Empower users to self remediate.

Protect Competitive Advantage: Pricing copied to USB

Stop it from being copied to USB. Notify User. Launch investigation.

Prevent Breach of Customer Data: Sensitive data sent via personal webmail

Block the email. On or off the corporate network.

Continuous Risk Reduction

[Chart: Risk Reduction Over Time. Y-axis: Incidents Per Week (0 to 1000). Labels: Visibility, Remediation, Notification, Prevention.]

Expected Measurable Risk Reduction

• 80% risk reduction in 20 days with automated notification
• 70% risk reduction due to employee education
• 95% reduction in new incidents within one year due to automated protection
• 98% reduction in unauthorized sharing of design specs with fingerprinted detection
• 97% risk reduction due to structured data detection of every U.S. citizen’s SSN and identity information

Industries: Healthcare, Insurance, Financial Services, Business Services, Manufacturing

How Most Enterprises Get Started with DLP

Define your requirements: Is DLP for you?
• In your enterprise, is exposure likely to translate to breach?
• Do these threat models make sense to the “C-level” execs?

How big is your company’s risk?
• DLP risk-assessments are an easy way to measure exposure
• In many cases, risk-assessments catch live breaches on site

Explore initial discussions with vendors
• Whose solution is the best fit for your requirements?


Thank You!
