The Malicious Insider and Data Loss How to Read the Writings on the Wall Andreas Zengel / Guido Sanchidrian


Post on 09-Aug-2020


Page 1: The Malicious Insider and Data Loss How to Read the Writings on …vox.veritas.com/legacyfs/online/veritasdata/IS B20.pdf · 2016-07-04 · malicious insiders The Malicious Insider

The Malicious Insider and Data Loss – How to Read the Writings on the Wall

Andreas Zengel / Guido Sanchidrian


SYMANTEC VISION 2012

The Facts

The top root causes of data breaches are negligent people and malicious / criminal attacks.

Within the malicious attack type, a big portion is caused by malicious insiders.

The Malicious Insider and Data Loss


Safeguarding Confidential Data = Complex Challenge

Mobile devices have made instant access to personal and confidential data

Organisations look for an automated, process-oriented way of identifying and managing confidential data on networks, datacenter servers and workplace desktops, as well as on mobile devices


Blurred Line between Professional And Personal Lives

The same devices are used to connect electronically to fellow employees, customers and prospects as well as to family and friends


Fundamental Privacy Rights vs. Legitimate Business Interests

“In considering the question of surveillance, it must be borne in mind that while workers have a right to a certain degree of privacy in the workplace, this right must be balanced against the right of the employer to control the functioning of his business and defend himself against workers' actions likely to harm employers' legitimate interests, for example, the employer's liability for the action of their workers”

Copland v. United Kingdom - European Court of Human Rights


Fundamental Privacy Rights vs. Legitimate Business Interests

“Workers do not abandon their right to privacy and data protection every morning at the doors of the workplace. They do have a legitimate expectation of a certain degree of privacy in the workplace ...”

Article 29 Working Party


Best Practice: Understand General Principles for Monitoring


Best Practice: Identify The Purposes For Monitoring

To negotiate with employees, works councils and data protection authorities

Business reasons

Data inventory and classification


Best Practice: Monitoring Must Be Proportionate

Identify clear purposes

Identify adverse impact

Consider alternatives

Take into account the obligations

Judge whether monitoring is justified


Best Practice: Consultation

Armed with the former assessments, enter into consultations with employees, their unions or other representatives

Includes discussion of the purposes for monitoring, how monitoring will take place, when it will occur and what will be done with the information collected during monitoring


Best Practice: Understand The Laws Of Each Country

Unless you are a professional lawyer, seek legal counsel on

– General Privacy Laws

– Personal Data Protection Laws and Regulations

– Workplace Privacy Laws

– Current Discussion


Best Practice: Implement Technology That Fosters Compliance


Steps to a Successful DLP Program


Some Facts About Data Security


• So, users need help doing the right thing

In the absence of education or experience, people naturally make poor security decisions with confidential data.

• > 70% of breaches happen without purpose

Most costly breaches come from simple failures or mistakes, not from ingenious hackers or thieves.

• Having the right metrics is invaluable in demonstrating progress against your goals.

Security isn’t about security. It’s about achieving risk reduction at some cost.

* Adapted from the 5 Laws of Data Security by Herbert H. Thompson


Key Success Factors


Executive Level Involvement

Prioritized Approach

Business Owner Involvement

Trained Incident Response Team

Employee Awareness


Prioritized Approach

Strategically add policies

Strategically add protocols and exit points

Strategically add repositories

Strategically add users and endpoints

Recommended Starting Points: Greatest Potential for Loss

Endpoint / Data-In-Use:

– Users with access to highly sensitive data

– At-risk employees

– Portable computers

Network / Data-In-Motion:

– High-volume, high-risk protocols and egress points

Storage / Data-At-Rest:

– High-access, high-volume, public repositories


Continuous Risk Reduction

[Figure: Risk Reduction Over Time. Vertical axis: Incidents Per Week (0 to 1000). Phases: Baseline, Remediation, Notification, Prevention/Protection. Activities labelled on the chart: Identify Broken Business Processes, Business Unit Risk Scorecard, Enable Lookups, Refine Policies, Fix Broken Business Processes, Enable EDM/IDM, Sender Auto Notification, Employee and Business Unit Communication, Enable blocking.]


Incident Response Workflow

90% of DLP is Incident Response

Right Automation: Resolution, Enforcement, Notification, Integration

Right Person: Route Incidents to Right Responder

Right Order: High Severity Incidents First

Right Information: 5 Second Test

Right Action: 1 Click Response

Right Metrics: Prove Results to Execs and Auditors


Next Step: Know Where Your Information Is and Where It’s Going

– A technical assessment that will help quantify your business data loss risks.

– Symantec DLP software is deployed into your network to:

• monitor outgoing traffic

• identify sensitive data used by the organisation

• scan shared network storage areas

– Analyse the results and create an executive report about data at risk and security incidents

Information Protection Risk Assessment


Thank you!

SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2012 Symantec Corporation. All rights reserved.

Contact [email protected] or [email protected] to get a copy of the whitepaper “Data Loss Prevention and Monitoring in the Workplace: Best Practice Guide for Europe” and to get further information on the Information Protection Risk Assessment
