CISO Round Table on Effective Implementation of DLP & Data Security
Post on 23-Jun-2015
CISO Roundtable: Effective Implementation of DLP and Data Security
©2013, Cognizant | All rights reserved. The information contained herein is subject to change without notice.
Venkatasubramanian Ramakrishnan, Director - Global Information Security, Cognizant Technology Solutions
Information Security and Data Protection Strategy
Contents
Inflection Point
Key Disrupting Factors
Role of Information Security Function
Data Security Strategy
Key Points
Big Picture
Threat Modeling
Sample Threat Modeling
Inflection Point
Key Disrupting Factors
1. Greater Business Partner Responsibility for Technology Projects
2. Workplace of the Future
3. Sharper Executive Focus on Risk Management
4. Core Responsibility Overlap with the Legal Function
5. Sophistication of External Threat Vectors
Role of Information Security Function
Risk management philosophy over time:
2000-2004: Control Owner
2005-2012: Decision Owner
2012 & Beyond: Decision Facilitator
Data Security Strategy
Key Points
1. The new era requires information security system design with a counter-intelligence mindset!
2. Competitive economic pressures and national security issues drive various entities to seek information and intellectual property.
3. Counterintelligence awareness among security leaders is the first step to improving the protection of proprietary information.
Big Picture
Business model: strategy, people, process, technology and infrastructure in place to drive towards objectives
Objectives: strategic, operational, customer, compliance objectives
Threats and opportunities acting on the business model and its objectives
Mandatory boundary: laws, government regulations and other mandates
Voluntary boundary: organizational values, contractual obligations, internal policies and other promises
Threat Modeling
Critical Elements of Business Intelligence: Capabilities; Competition; Strategic Plans; Political, Economic & Social Forces; Markets; Customers; Technology Developments; Industry Structure
Threats: Competitive Intelligence Collectors; Terrorists; "Ethically Flexible" Employees; State Sponsored Attack; Resource Poaching; Economic or Industrial Espionage
Monitor External Environment
• Monitor social media for any chatter on new methods or targets of attacks.
• Engage in peer conversations to share knowledge and stay up-to-date on threat vectors, new techniques, known bad IP addresses, etc.
• Understand what kinds of activities and news reports are likely to increase the chances of an incident.
Sample Threat Modeling
Data or information that may be under threat | Who may want it | How motivated are they to get it (ask these questions) | Priority for incident response planning (determined by the previous three factors)
Client credit card numbers | Hacker-thieves, etc. | What kind of clients do you have? Etc. | Low/Med/High
Intellectual property data | Competitors; foreign governments interested in a particular IP or technology; etc. | Will this IP significantly alter the market share landscape of the industry? Is the IP capable of providing extensive competitive advantage? Are there ideological reasons for stealing such information? Etc. | Low/Med/High
Manage Potential Threats
• Determine what assets, data, information, etc. the organization owns that may be of particular interest to attackers. Also determine how important this information or data is to the business.
• Determine who may want such information, how sophisticated they are, and what channels they may use to attempt to cause an incident.
• Determine how motivated potential attackers may be.
Thank you
Data Leakage Prevention (DLP) Project
Agenda
Enterprise - Growing Challenges
Business Drivers for DLP
DLP Specific Challenges & Misnomer
Solution Decision Making
Approaches / Solutions to solve Data Security Challenges
Approach & Methodology
Critical Success Factor
Project Outcome
Key Learnings
Enterprise - Growing Challenges
• Growing employee base across locations
• Enabling an employee-friendly environment to keep them motivated & achieve work-life balance
• Governed by different regulations and compliance requirements
• Data residing in multiple locations
• Multiple stakeholders involved & lack of understanding
• Everyone thinks all their data is critical and important (not so important)
• Evolving dynamic threat landscape (government agencies, Fortune 100 companies and enterprises are being constantly targeted, and some attacks succeed)
• Outsourcing & its related discrete requirements / commitments
• Growing adoption of public cloud / infrastructure / networks
Business Drivers for DLP
Drivers: Business Confidentiality; Regulatory Compliance
Why it matters:
• To comply with regulatory and compliance requirements
• Avoid penalties for non-compliance
• Prevent data breaches / infiltration
• Protect business interests, including customer confidence
• Protect company & customer IPR
• Protect brand value
DLP Specific Challenges & Misnomer
• "All" our data is critical and confidential
• The IT department should be able to identify and classify critical business information
• Let's fingerprint all our data
• Let's configure DLP to protect all data
• Let's block all sensitive information from going out and allow information transfer only on senior management approval
• We have defined 200 policies but the DLP solution is not raising any meaningful alerts
Approaches to solve Data Security Challenges
There are multiple solutions available in the market to address the data security requirement, and most of them work in a complementary fashion to one another.
DLP is adopted to address the missing piece / gap left by the other data security solutions, as highlighted below.
Solution | Area it covers | Missing piece
Full Disk Encryption | Works at the disk level to encrypt the drive | All these solutions cannot differentiate the data, i.e. the classified information: Private / Confidential vs. Public data
Device Control | Works at the device level, again to either allow or disallow the drive | (same as above)
Access Control & RMS | Works based on rights / privileges enabled for user / IP, or user intervention is required | (same as above)
Email Encryption | Works based on user / domain as per policy | (same as above)
DLP | Works on the classified information to enable protection as per policy | -
Solution Decision Making
• Adopt a solution which is easy to understand and implement
• DLP solution deployment should not call for architectural / design / product changes for existing services like email & web; rather it should integrate seamlessly with minimal or no changes
• Proper categorization of vanilla DLP policies based on industries & countries
• Solution should be scalable & reliable from an architecture standpoint
• Support for the multitude of systems used in the corporate environment
• Easy and straightforward integration should be possible with existing internal systems (directory services, monitoring services, SIEM, etc.)
• Vendor support & a good roadmap / vision is key
• Availability of a reliable partner for the vendor in the local country with good deployment and process experience in rolling out DLP
Approach & Methodology
DLP Approach: Plan, Do, Check, Act
Plan
• Initiation; establish objectives & goals (short & long term)
• Plan infrastructure; establish design
• Identify matching default policies; identify critical channels
• Stakeholder analysis; communicate awareness & training; define ownership
• Establish procedure for critical data identification & classification
• List actions to be performed
Do
• Establish policy, process & procedure
• Review identified & classified data
• Establish infrastructure
• Enable shortlisted default policies to create visibility
• Deploy DLP for identified channels
• Role segregation; enable console access for different stakeholders to create impact
• Enable incident monitoring & response
• Deliver weekly & monthly reports for management & stakeholder visibility
• Establish governance
Check
• Analyse whether the data classification procedure is being followed
• Analyse the need for more training
• Analyse the visibility created by the default policies
• Analyse the effectiveness of the existing policies enabled
• Check whether the short-term goal is met and analyse triggering of the strategy for the long-term goal
• Analyse stakeholder involvement & support obtained
• Decide whether enabling protection or inline mode can be done
Act
• Act on all the outcomes coming from the analysis
• Initiate work on the long-term strategy
• Enable custom policies as per requirement; fine-tune policies
• Make deployment inline
• Expand the coverage and footprint
• Repeat the entire cycle (continuous process)
Critical Success Factor
• IT is a facilitator and not the business data owner of the DLP project
• DLP project success is directly proportional to business user involvement, buy-in, contribution and approvals
• Enable DLP in monitor mode first & then block later based on the monitoring outcome
• Understand that data classification & policy definition is not a one-time exercise. Repeat the PDCA principle (Plan, Do, Check & Act) on a defined periodicity
• Realize that DLP cannot eliminate security breaches but helps reduce the risk by detecting and preventing incidents
Project Outcome
• All critical channels like web, email & mobile devices are being covered & monitored
• Data movement within the organization is getting tracked better
• 365*24*7 monitoring in place to handle high / medium severity incidents reported in DLP
• Awareness among employees improved, and this resulted in improved compliance & a reduction in data-related incidents
• Happy customers & auditors
Key Learnings
• The DLP approach should be chosen based on the culture of the organization
• Establishing frequent connects with stakeholders & employees is the key to success
• Enabling visibility for business stakeholders resulted in quicker adoption
• The DLP journey will not be a one-time exercise / project; rather it will be an ongoing process / operation to be strictly followed & adhered to by all stakeholders
• Establishing a governance organization dedicated to the DLP journey helped in driving & communicating change to wow's
Understanding of Technology Architecture and Solutions for Data Security.
Maheswaran.S, Manager, Sales Engineering, SAARC
Data Security Technologies
Data Security: DRM, DLP, GRC/SOC, Access Control, Encryption, FAM
Data Types & DLP Approach
Source : www.oxford-consulting.com
DLP – Key Capabilities
Identification Methods
Described, Registered, Learned
Image Detection
Detects sensitive text within images: screen captures, scanned checks, scanned receipts, applications which have image outputs, fax pages, etc.
Data Drip Detection
Detects multiple instances of small data leaks over time. The slide illustrates it with a mail thread from John Doe to Joe Smith, all with the subject "Customer Information": mails at 3:01 PM, 3:14 PM, 3:17 PM, 4:45 PM and 4:50 PM, each starting "Joe, Here is a customer information:" and each carrying a single record (e.g. "Mike McDonald CCN: 1111-2222-3333-4444" and, in the 4:50 PM reply, "Jane Brown CCN: 1234-2345-3456-4567"). Each mail on its own is a low impact incident; taken together, within 2 hours, they form a high impact event.
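As an added illustration (not code from the slides or the vendor), the following Python sketch implements the data-drip pattern described above: a "described" card-number rule flags each mail as a low-impact incident, and a sliding two-hour window per sender/recipient pair escalates the series to a high-impact event. The sample mails, names and card numbers are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Described" content rule: 16 digits in four hyphenated groups (no Luhn check in this demo).
CCN_RE = re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b")

# Constructed sample mail flow modelled on the slide: one small record per mail (not real data).
MAIL = [
    ("john.doe", "joe.smith", "2015-06-23 15:01", "Here is a customer information: A. Roe CCN: 4111-2222-3333-0001"),
    ("john.doe", "joe.smith", "2015-06-23 15:14", "Here is a customer information: B. Poe CCN: 4111-2222-3333-0002"),
    ("john.doe", "joe.smith", "2015-06-23 15:17", "Here is a customer information: C. Moe CCN: 4111-2222-3333-0003"),
    ("john.doe", "joe.smith", "2015-06-23 16:45", "Here is a customer information: D. Koe CCN: 4111-2222-3333-0004"),
    ("john.doe", "joe.smith", "2015-06-23 16:50", "Here is another one: E. Loe CCN: 4111-2222-3333-0005"),
    ("ann.lee", "bob.ray", "2015-06-23 15:30", "Card on file: 4111-2222-3333-0006 (single record, no drip)"),
]

def scan_mail(mail):
    """Per-message 'low impact' incidents: (sender, recipient, timestamp, {card numbers found})."""
    incidents = []
    for sender, rcpt, ts, body in mail:
        cards = set(CCN_RE.findall(body))
        if cards:
            incidents.append((sender, rcpt, datetime.strptime(ts, "%Y-%m-%d %H:%M"), cards))
    return incidents

def detect_drip(incidents, window=timedelta(hours=2), threshold=3):
    """Escalate to a 'high impact' event when one sender->recipient pair leaks at least
    `threshold` distinct card numbers within `window` (sliding window over time-ordered hits)."""
    by_pair = defaultdict(list)
    for sender, rcpt, t, cards in sorted(incidents, key=lambda i: i[2]):
        by_pair[(sender, rcpt)].append((t, cards))
    events = []
    for pair, hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop hits that have aged out of the window
            seen = set().union(*(c for _, c in hits[start:end + 1]))
            if len(seen) >= threshold:
                events.append({"pair": pair, "records": len(seen),
                               "first": hits[start][0], "last": hits[end][0]})
                break  # one event per pair is enough here
    return events

if __name__ == "__main__":
    found = scan_mail(MAIL)
    print(f"{len(found)} low-impact incidents")
    for event in detect_drip(found):
        print("HIGH IMPACT event:", event)
```

With the constructed thread the third mail (3:17 PM) tips the pair over the threshold, which is the point at which a real deployment would raise the escalated incident rather than three unrelated low-severity ones.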
Data in Motion – Network DLP
Port-Span: Look, don't touch; sees unencrypted outbound traffic
In-Line: Look AND touch; proxy for web & FTP; MTA for email; ActiveSync for mobile
Agent: Network printers
Channel Detection and Response
Response options by channel (Network DLP):
Web: Audit*, Block, Alert, Notify
Email (label not captured in the transcript; inferred from the Quarantine/Encrypt options and the MTA channel above): Audit, Block, Quarantine, Encrypt, Alert, Notify
FTP: Audit, Block, Alert, Notify
Network Printer: Audit, Block, Alert, Notify
ActiveSync: Audit, Block, Alert, Notify
IM & Custom Channels: Audit, Block, Alert, Notify
SSL Decryption
Diagram labels: SSL Dynamic Content Control; Dynamic Threat Protection; SSL; Web Security; DLP
39 percent of malicious web attacks included data-stealing code
Data in Use - Endpoint DLP Channels
Endpoint channels: USB drives, local printer, LAN storage, internet, print server, network printers, removable media, applications
Detection and Response
Endpoint DLP
Response options (Endpoint DLP):
Applications: Permit, Confirm, Block, Email Quarantine, Alert, Notify
Removable Media: Permit, Confirm, Block, Encrypt to USB, Alert, Notify
Storage: Alert/Log; Scripts - Encrypt, Tombstone, Quarantine, EDRM
Data at Rest - Discovery
Agentless: network-based discovery conducted over LAN/WAN; manage by schedule and/or bandwidth; leverage VMs as multipliers
Agent: perform discovery locally; fastest discovery; manage by schedule, CPU utilization, power supply
Hybrid: the best of both worlds; leverage any combination
Advanced Remediation Capabilities Discovery
• Remediation scripts: several predefined scripts available; customizable for highest flexibility
• Common remediation actions: Move/Quarantine, Encrypt**, Classification Tag (Microsoft FCI), Apply EDRM**, Purge/Delete
** Requires 3rd party
DLP - Management & Reporting
Business Intelligent Policy Framework
Who: Human Resources, Customer Service, Finance, Accounting, Legal, Sales, Marketing, Technical Support, Engineering
What: Source Code, Business Plans, M&A Plans, Employee Salary, Patient Information, Financial Statements, Customer Records, Technical Documentation, Competitive Information
Where: Benefits Provider, Personal Web Storage, Blog, Customer, USB, Spyware Site, Business Partner, Competitor, Analyst
How: File Transfer, Instant Messaging, Peer-to-Peer, Web, Removable Media, Copy/Paste, Print Screen
Action: Audit, Notify, Remove, Quarantine, Encrypt, Block, Confirm
Enforce Policy by Geo Location
Email-based Incident Workflow
Options to click within the email notification to: change severity, escalate, assign, ignore, etc.
Demonstrating Risk Reduction
90-Day (High Impact) Risk Reduction (chart of likelihood of data loss: incidents per channel per month)
Channel | Jan | Feb | Mar | 90-Day Risk Reduction (1 - Mar/Jan)
Web | 200 | 100 | 60 | 0.70
Email | 150 | 100 | 76 | 0.493
FTP | 50 | 15 | 5 | 0.90
IM | 10 | 5 | 2 | 0.80
Network Printing | 45 | 30 | 15 | 0.667
Incident Management & Reporting Dashboards
The following are samples of our weekly and monthly dashboards on incident management.
Thank You
Questions and Answers