RSA 2010 - Kevin Rowney
SECURITY BASICS BOOT CAMP: Intrusion detection and data loss prevention
Kevin Rowney
Symantec Corporation
Session ID: TUT-M51
Agenda
What are the challenges today around data loss?
What is Data Loss Prevention (DLP)?
How does DLP address key challenges?
How does DLP work?

What are the challenges today around data loss?
“Data Loss Prevention is a top 3 security project in 2010.”
- Gartner Top 10 Security Priorities for 2010

“285 million records were stolen in 2008, which is more than the last 3 years combined.”
- PrivacyRights.org

Cyber crime has surpassed illegal drug trafficking as a criminal moneymaker.
Cost of a Data Breach is Increasing

$6.75 Million: the average cost to remediate a data breach for US companies in 2009
83 Million: the total number of consumer records in publicly reported data breaches in 2008
$200 Billion: losses from IP theft from US companies every year

Source: “Cost of a Data Breach Survey,” Ponemon Institute, 2009
Primary Threat Agents Behind Data Loss

• Well-Meaning Insiders
• Malicious Insiders
• Hackers

(Chart: the three threat agents plotted against “DLP Risk Management Relevancy”)
Methods Used in Current Hacks

1. INCURSION: attacker breaks into the network by targeting a vulnerable system or naïve employees.
2. DISCOVERY: hacker then maps the organization’s defenses from the inside and creates a battle plan.
3. CAPTURE: accesses data on unprotected systems; installs malware to secretly acquire crucial data.
4. EXFILTRATION: confidential data is sent back to the enemy’s “home base” for exploitation and fraud.
Intrusion Detection

The act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource.

• Manual: log file review
• Automatic: intrusion detection system (IDS), intrusion prevention system (IPS)
DLP Answers 3 Questions About Risk of Breach

• Where is your confidential data?
• How is it being used?
• How best to prevent its loss?
DISCOVER
• Find data wherever it is stored
• Create inventory of sensitive data
• Manage data clean up

MONITOR
• Understand how data is being used
• Understand content and context
• Gain visibility into policy violations

PROTECT
• Proactively secure data
• Prevent confidential data loss
• Enforce data protection policies

MANAGE
• Define unified policy across enterprise
• Detect content accurately
• Remediate and report on incidents
Key DLP Capabilities

1. MANAGE
• Enable or customize policy templates
2. DISCOVER
• Identify scan targets
• Run scan to find sensitive data on network & endpoint
3. MONITOR
• Inspect data being sent
• Monitor network & endpoint events
4. PROTECT
• Block, remove or encrypt
• Quarantine or copy files
• Notify employee & manager
5. MANAGE
• Remediate and report on risk reduction
How It Works

Data Loss Prevention Architecture
(Diagram: Secured Corporate LAN, DMZ, Disconnected; network traffic captured via SPAN Port or Tap; enforcement via MTA or Proxy)

• Use cases: how DLP manages risk of breach
DLP for Storage – Use Cases (DISCOVER, PROTECT)

Fix Broken Business Processes: 500k personal records on an open share.
Find it. Fix it. Remove from open share and leave a file marker.
DLP for Network – Use Cases (MONITOR, PROTECT)

Protect Competitive Advantage: unencrypted product design documents sent to a partner.
Educate users with automated email. Protect intellectual property.
DLP for Endpoint – Use Cases (MONITOR, DISCOVER, PROTECT)

Fix Exposed Data on a Desktop: call center records improperly stored on an endpoint.
Notify user via automated email. Empower users to self-remediate.

Protect Competitive Advantage: pricing copied to USB.
Stop it from being copied to USB. Notify user. Launch investigation.

Prevent Breach of Customer Data: sensitive data sent via personal webmail.
Block the email, on or off the corporate network.
Continuous Risk Reduction

(Chart “Risk Reduction Over Time”: Incidents Per Week, 0 to 1000, plotted across the phases Visibility, Remediation, Notification and Prevention)
Expected Measurable Risk Reduction

• 80% risk reduction in 20 days with automated notification
• 70% risk reduction due to employee education
• 95% reduction in new incidents within one year due to automated protection
• 98% reduction in unauthorized sharing of design specs with fingerprinted detection
• 97% risk reduction due to structured data detection of every U.S. citizen’s SSN and identity information

Industries represented: Healthcare, Insurance, Financial Services, Business Services, Manufacturing
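The two detection methods named above (structured data detection and fingerprinted detection), combined with the block and notify responses listed under Key DLP Capabilities, as an added illustrative example that is not part of the presentation or of any Symantec product. It assumes the public SSN issuance rules for the structured check; the 5-word shingle hashing is a simplified stand-in for vendor fingerprinting, and the design document, addresses and messages are all constructed.

```python
import hashlib
import re

# Structured data detection: an SSN pattern plus the issuance rules (area 000, 666
# or 900-999, group 00 and serial 0000 are never assigned) to cut false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
def find_ssns(text):
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = (int(g) for g in m.groups())
        if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
            continue
        hits.append(m.group(0))
    return hits

# Fingerprinted detection (simplified here): hash overlapping 5-word shingles of a
# protected document so excerpts are recognised, not only byte-identical copies.
SHINGLE = 5
def fingerprint(text):
    words = re.findall(r"\w+", text.lower())
    if len(words) < SHINGLE:              # too short to fingerprint reliably
        return set()
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE + 1)}

def match_ratio(text, protected_fp):
    fp = fingerprint(text)
    return len(fp & protected_fp) / len(fp) if fp else 0.0

def evaluate(message, protected_fp, threshold=0.3):
    """Response model from the slides: block customer data, notify on IP leakage."""
    if find_ssns(message["body"]):
        return "BLOCK"                    # structured customer data leaving: stop it
    if match_ratio(message["body"], protected_fp) >= threshold:
        return "NOTIFY"                   # fingerprinted design IP: educate the sender
    return "ALLOW"

# Constructed sample data, not taken from the presentation.
DESIGN_DOC = ("Widget X rev 4 design specification: the enclosure uses a 2.4 mm "
              "aluminium shell with a sealed gasket rated to IP67 for outdoor use.")
DESIGN_FP = fingerprint(DESIGN_DOC)
SAMPLE_MESSAGES = [
    {"to": "me@webmail.example", "body": "Claim for member 123-45-6789 attached."},
    {"to": "eng@partner.example", "body": "FYI the enclosure uses a 2.4 mm aluminium "
                                          "shell with a sealed gasket rated to IP67."},
    {"to": "pal@example.net", "body": "Lunch at 12? Ref 000-12-3456 is a placeholder."},
]

for msg in SAMPLE_MESSAGES:
    print(msg["to"], evaluate(msg, DESIGN_FP))
```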
How Most Enterprises Get Started with DLP

Define your requirements: is DLP for you?
• In your enterprise, is exposure likely to translate to breach?
• Do these threat models make sense to the “C-level” execs?

How big is your company’s risk?
• DLP risk-assessments are an easy way to measure exposure
• In many cases, risk-assessments catch live breaches on site

Explore initial discussions with vendors
• Whose solution is the best fit for your requirements?
Thank You!