IBM Data Security Services
Network Data Leakage Prevention Powered by Fidelis XPS
Johan Celis, Security Solutions Architect, PCI QSA, IBM ISS EMEA
© 2009 IBM Corporation




Enterprise Content Protection (ECP)

• Automated discovery of sensitive content, classifying / tagging of files
• Policy-based enforcement of data protection policy (prevent, allow, encrypt, etc.)
• Close the gap between user action and automated policy-enforced action
• Endpoint – Network – Server / Data Center
• Key Business Partners:
  – Fidelis Security Systems
  – Verdasys


How we got here

• Selection Process
• Lab Evaluation
  – Multiple Products
  – 8+ months
  – Functional Approach vs. Use Case
  – 107 data types
  – 129 protocol variations
  – 306 data operations
  – Normal, Advanced and Expert categories
• Presented Methodology
• Single Focus Solutions Outperform
  – Focus on being best at single solution
  – Prevents resource : technology dilution

[Chart: nDLP - Categories. Scores for Vendor-1, Vendor-2 and Vendor-3 in the Normal, Advanced, Expert and Overall (weighted) categories, on a 0-100 scale.]


Extent of DLP Coverage Meets Your Requirements

• Network DLP Solution
  – Advantages
    • Provides wide coverage quickly
    • Covers all network traffic, regardless of application, channel, and endpoint devices
    • Stops data leakage in real time, even on gigabit networks
  – Challenges
    • Does not provide coverage of devices outside the network
• Endpoint DLP Solution
  – Advantages
    • Wide coverage across a variety of endpoints
    • Provides coverage outside the network
    • Automated discovery of sensitive content, classifying / tagging of files
  – Challenges
    • More challenging and time consuming to implement
    • Enabling all endpoint devices with sensitive data, and managing addition of new endpoint devices
• Enterprise DLP Solution
  – Best of both worlds
  – Holistic solution which provides a layered security approach
  – Enables a targeted approach: focusing on endpoint in some areas of the business, network focus in others, and a combined approach where needed


Deployment Coverage Table

Network DLP (Fidelis)
– Coverage Model: Protects devices "visible" to deployed device
– Policy-Driven: Granular, centralized
– Contextual Awareness: Yes
– Outside Corp. Network: No
– Server Farm / Intranet: Yes
– Removable Media: No
– Registered Data: No
– All Platforms: Yes
– Deployment Timeline: Rapid for existing Proventia, moderate otherwise

IPS (Proventia Content Analyzer)
– Coverage Model: Gives visibility to magnitude of policy violations
– Policy-Driven: Limited
– Contextual Awareness: Limited
– Outside Corp. Network: No
– Server Farm / Intranet: Yes
– Removable Media: No
– Registered Data: Yes (binary and partial)
– All Platforms: Yes
– Deployment Timeline: Rapid

Endpoint DLP (Verdasys)
– Coverage Model: Protects deployed device
– Policy-Driven: Granular, centralized
– Contextual Awareness: Yes
– Outside Corp. Network: Yes
– Server Farm / Intranet: Partially
– Removable Media: Yes
– Registered Data: Limited
– All Platforms: No
– Deployment Timeline: Moderate to slow


All Things Being Equal… or not!

• Endpoint ≠ Network
• Network DLP ≠ IDS/IPS
• Endpoint DLP ≠ AV/Firewall
• Content ≠ Context


IBM Network DLP Overview

Fidelis Security Systems gives organizations the power to protect their brand, intellectual property and resources by stopping data leakage.

• Network Sensor
• Award Winning
• Real-Time
• Low Latency
• Performance
• Prevention
• Profiling
• Accuracy
• Visibility
• Deployment Flexibility
• Integration
• External Validation


Deployment

[Deployment diagram: users, proxy server, mail servers, mail gateway and internal servers, with an XPS sensor at each position and all sensors managed from CommandPost]

• XPS-Direct: ANY TRAFFIC; TAP/SPAN or in-line; actions Alert, Prevent, Throttle. Real-time, high performance, port agnostic control of the insider threat.
• XPS-Internal: internal traffic between users and servers; TAP/SPAN or in-line; actions Alert, Prevent, Throttle. XPS Direct plus: intranet protocols, control DB2, Oracle, LDAP, CIFS, SMB on the wire, in real-time.
• XPS-Proxy: proxied traffic (incl. HTTPS) handed over by the proxy server via ICAP; deploy as server; actions Alert, Prevent, Re-Direct. Handles SSL by letting the proxy server decode (e.g. Bluecoat). Provides educational feedback.
• XPS-Mail: mail traffic (incl. TLS) from the mail servers / mail gateway via SMTP or Milter; deploy as server; actions Alert, Prevent, Quarantine, Re-Route. SMTP based as part of the MX/MTA chain or using the Milter API.
• CommandPost: management console for the sensors.


Performance, Prevention, Time to Value

[Charts, Gen 1.x vs. Fidelis XPS: Performance in Mbps (10, 100, 1000); Prevention by number of ports (50 vs. 65,535); Time to Value on a time axis of 0, 2 weeks, 6+ months]
– Legacy typically fail between 50-100 Mbps
– Limited Mitigation: prevention for 1-4 ports

Profiling vs. Registration

• Legacy’s IP is in data registration algorithms
• Data registration is expensive
• Unregistered data creates false negatives / type II errors
• DLP owner doesn’t own integration
• Fidelis XPS focused on accurate profiling technologies
• Low false positives AND low false negatives


Session Architecture

• In real-time, in-memory, on partial sessions
• Fidelis-built document decoders support partial files: a requirement for prevention of direct-to-Internet traffic
• 10 different content analyzers – all can be logically combined
• Mitigates risk of data leakage with channel control, including IM, P2P, Webmail, encryption and other rogue channels


Detection Techniques

Profiling:
1. Smart Identity Profiling (SIP)
2. Keyword
3. Keyword in sequence
4. Regular expressions
5. Binary signature
6. Session and decoding path

Registration:
7. Exact file matching
8. Partial Content
9. Embedded image file
10. File name

Boolean combination of analyzers (example):
personally identifiable information (1. SIP)
AND “Billing” (2. Keyword)
AND protocol is NOT FTP (channel – not shown)
AND recipient is NOT Approved_Organization_List


Gen 1.5 Extrusion: Limited Prevention
– Gen 1.0 was Sniffer Only


Fidelis XPS – First Gen 2.0: Comprehensive Prevention
– Has MTA and Proxy too (not shown)


Fidelis Appliances to Address the Needs of Your Unique Environment

Fidelis XPS CommandPost / CommandPost+
• Web-based enterprise administration
• Integrated with SiteProtector

Fidelis XPS 1000 Direct / 100 Direct
• Prevention across all 65,535 ports
• Port independent application & protocol monitoring
• Gigabit speed performance without sampling

Fidelis XPS Internal
• Only network DLP to address internal traffic
• Gain visibility and control of information leaving data centers and between divisions

Fidelis XPS Proxy / Proxy+
• Standard ICAP interface to proxy servers
• SSL inspection (when supported by the proxy)
• Policy-based user notification

Fidelis XPS Mail
• Graceful control of corporate e-mail
• Flexible deployment – MTA or Milter support
• Quarantine/redirect to secure e-mail gateways

Fidelis XPS Scout
• All-in-one portable network appliance brings DLP to audit, assessment, and incident response teams

Fidelis Demo (7-apr-09)


Fidelis Demo Environment


Detection AND Prevention

• All Ports, All Protocols, All Products
• Inline and Out-of-band
• Real-Time not Spool and Analyze


Building A Policy

• Rule = What Action to take when we discover particular Content flowing, or with attributes of, a particular Channel going to or from a Location.
• Policy = Logical collection of (related) Rules
• Assignment = Allocation of policies to sensors
• Operate Right to Left
• Simple Boolean combination
  – Content: 11 Engines
  – Channels: Numerous
  – Locations: Addresses, Directory, Country
  – Actions: Alert, Prevent, Throttle, Quarantine, Reroute, Re-Direct

[Policy diagram: a Policy is a list of Rule: Action entries; each Rule is matched on the three attribute groups below]
– Location: SRC IP, DST IP, Country, Directory
– Channel: SRC Port, DST Port, Application Protocol, Client, User, Encryption, Session (size, duration), Time (Day, Week etc.), Subject, Headers, Mode, Method, ...
– Content: Data Content, Meta Data, Additional information
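The rule model on this slide and the Boolean combination on the Detection Techniques slide (SIP AND "Billing" AND NOT FTP AND recipient NOT approved, evaluated right to left from Location through Channel to Content), as an added Python illustration that is not part of the original deck or of the Fidelis product. The SSN regular expression stands in for SIP, and the approved-organization list, session fields and class names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample data: the rule mirrors the deck's "Boolean combination of
# analyzers" slide (SIP AND "Billing" AND NOT FTP AND recipient NOT approved).
# Class and function names are hypothetical, not Fidelis XPS API names.
APPROVED_ORGS = {"partner-bank.example", "payroll.example"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # toy stand-in for SIP PII profiling

@dataclass
class Session:
    protocol: str   # Channel attribute: application protocol seen on the wire
    recipient: str  # Location attribute: destination organization
    content: str    # decoded payload, possibly only a partial session

Check = Callable[[Session], bool]

@dataclass
class Rule:
    name: str
    action: str     # Alert, Prevent, Throttle, Quarantine, Reroute, Re-Direct
    location: Check
    channel: Check
    content: Check

def has_pii(text: str) -> bool:
    return SSN_RE.search(text) is not None

def has_keyword(text: str, word: str) -> bool:
    return word.lower() in text.lower()

PII_BILLING_RULE = Rule(
    name="PII + Billing to unapproved recipient",
    action="Prevent",
    location=lambda s: s.recipient not in APPROVED_ORGS,
    channel=lambda s: s.protocol.upper() != "FTP",
    content=lambda s: has_pii(s.content) and has_keyword(s.content, "Billing"),
)

def evaluate(rule: Rule, session: Session) -> tuple:
    """Operate right to left: Location, then Channel, then Content, so the
    expensive content analyzers only run on sessions the cheap checks admit.
    Returns (decision, stage): the stage that cleared the session, or "all"."""
    for stage, check in (("location", rule.location), ("channel", rule.channel),
                         ("content", rule.content)):
        if not check(session):
            return ("Allow", stage)
    return (rule.action, "all")
```

The returned stage name is what an operator would want in the alert record: it tells you whether a session was admitted by location, channel or content, which is the ordering the deck's "Operate Right to Left" bullet describes.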


Content Fingerprinting

• Profiling:
  – Smart Identity Profiling (US)
  – Smart Identity Profiling (Intl.)
  – Keyword
  – Keyword in sequence
  – Regular expressions
  – Binary signature
  – Session and decoding path
• Registration (and Hybrid):
  – Exact file matching
  – Partial Content
  – Embedded image file
  – File name


Performance

• Partial Decoding Decoders – Not 3rd Party
• 1.4 Gbps of DLP throughput – not just wire speeds
• Competition stops at about 80-150 Mbps
  – Requires multiple devices + L7 Switch to achieve same speed
• IBM tested on corp. network at 600 Mbps (10min age) saturated Gigabit peaks
  – No data lost, full inspection
• Competition:
  – Began SAMPLING DATA at 80 Mbps
  – Dropped data
  – Lost TERABYTES of data per day
  – Already had fewer protocols to look at!
• Reduces cost




Questions?

Johan Celis, Security Solutions Architect, IBM ISS EMEA