Information Leakage - A Knowledge Based Approach

Post on 29-Nov-2014


DESCRIPTION

Illyas Kooliyankal, CISCO -ADC presentation at the CIO Event. For more information click here: http://bit.ly/oR262i

TRANSCRIPT

ILLYAS KOOLIYANKAL, CISO - ADX

Information Leakage – A Knowledge Based Approach

• Introduction
• Some real life examples
• Existing Security Mechanisms?
• Best Approach towards Protection
• Protection Mechanisms
• Technology behind DLP
• Case Study
• Summary

Why is Data a Priority?

Cost of Data Breaches: $140/record in total (Source: Ponemon Institute, SVB Alliant)
• Direct Costs: $5.0M, $50/record
• Indirect Costs: $1.5M, $15/record
• Opportunity Costs: $7.5M, $75/record

What do you consider to pose the biggest current threat to your organization’s overall security? (multiple responses)
• Leakage of confidential/proprietary information: 52%
• Unpatched vulnerabilities: 24%
• Insider attacks: 18%
• Spyware: 14%
• Phishing attacks: 10%
• Malicious code: 4%
• Spam: 4%
• Denial of Service attacks: 4%
• Fraud: 2%
• Keystroke loggers: 2%

Source: Merrill Lynch survey of 50 North American CISOs, July 2006

Some stats
• 70% of loss is caused by insiders
• 23% of loss is from malicious intent
• 92% use email to send confidential data
• 55% use portable devices to take confidential data out of the workplace every week

Top Leakage Concerns of Customers
• More mobility, flexibility
• Criminals
• Business impact: reputation, monetary, growth, …
• Legal and regulatory compliance
• International standards like ISO 27001
• Personally…

A serious Concern Now?

• A researcher who accidentally sends a new product formula to hundreds of partners
OR
• A junior member of the finance team who unknowingly exposes the company’s unannounced financial results to the public
OR
• A hard-working, loyal employee who takes home his laptop or a USB drive for the weekend to get work done, and accidentally leaves it on the subway as he runs to greet his children at the end of a long workweek

“Internal risks that can lead to data loss are real.”

Data Leakage - Boundary

[Diagram (Source: Forrester Research): sensitive data held by employees sits at the centre; around it are the parties it can leak to: Employees (remote workers, mobile workers), Business Partners (suppliers, outsourcers, consultants), Competitors, Customers, Hackers, Contractors, Temporaries, Visitors. The outer ring spans Digital Business on one side and Cyber-crime on the other.]

Existing Security Devices/Solutions?

Data - Concerns

Holistic Approach: People, Process, Technology

• Develop and implement foolproof processes across the whole business environment (information at all stages/states)
• Staff awareness and support
• Implement appropriate technology to assist the users and the organization in protecting the data efficiently and without business interruption

Challenges!

• Information leaked by internal/authorized users
• Performance issues
• False positives and false negatives
• User resistance, and an organizational culture of trust and openness
• Impact on normal business operations?

Is it Easy?

• Business requires information easily and seamlessly
• Existing security solutions and tools have limited capability
• Huge amount of sensitive data; unwanted/outdated data

How can you protect?

• Approach it as a business problem, not a technical one
• Formulate a comprehensive strategy for data protection
• Develop a classification policy
• Analyze the various data sources and the data, classify them, and conduct a detailed risk assessment
• Identify and select an appropriate technical solution for DLP

• State of the data: in motion, at rest, in use
• Develop/decide on the policies to be applied based on sensitivity and classification
• Apply lightweight policies and train the users to be more careful
• Actions/controls: log, alert, justification, block, etc.
• Monitor and fine tune. Approach it phase by phase: begin with log only, analyze the events, and tighten the controls slowly and steadily
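The phased approach above, as an added example that is not part of the presentation: a small Python policy evaluator that classifies a message by content, combines that with context (sender, channel, whether the destination is inside the organization), and caps the resulting control by the current rollout phase, so the same policy runs first in log-only mode, then alerting, then blocking. The content patterns, the corporate domain `example.com`, the action ladder and the sample transactions are assumptions constructed for illustration.

```python
"""Phased DLP policy enforcement: log only -> alert -> block (added example).

Not code from the presentation. It models the slide's steps: classify the
content, decide the control from classification plus context, start in a
log-only phase, review the events, then tighten. Patterns, the corporate
domain, the action ladder and the sample transactions are all assumptions.
"""
import re
from dataclasses import dataclass

# Content patterns mapped to a sensitivity label (assumed, simplified).
PATTERNS = {
    "PAN": re.compile(r"\b(?:\d[ -]?){13,16}\b"),          # payment card numbers
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # US social security numbers
    "MARKER": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.I),
}
SENSITIVITY = {"PAN": "restricted", "SSN": "restricted", "MARKER": "confidential"}
RANK = {"public": 0, "confidential": 1, "restricted": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that an arbitrary 16-digit order id is not a 'card'."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the highest sensitivity label whose pattern matches the text."""
    label = "public"
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "PAN" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue                      # digits, but not a valid card number
            if RANK[SENSITIVITY[name]] > RANK[label]:
                label = SENSITIVITY[name]
    return label


@dataclass
class Transaction:
    sender: str
    channel: str         # "email", "usb" or "web_upload" (assumed channel names)
    destination: str     # recipient address, drive letter or URL
    content: str


INTERNAL_DOMAIN = "example.com"   # assumed corporate mail domain


def leaves_boundary(t: Transaction) -> bool:
    """Context: does this transaction cross the organization's boundary?"""
    if t.channel == "email":
        return not t.destination.lower().endswith("@" + INTERNAL_DOMAIN)
    return True   # removable media and web uploads always leave the boundary


# Control wanted once fully enforced, keyed by (label, leaves_boundary).
TARGET = {
    ("restricted", True): "block",
    ("restricted", False): "alert",
    ("confidential", True): "justification",
    ("confidential", False): "log",
    ("public", True): "allow",
    ("public", False): "allow",
}
# Action ladder, least to most intrusive, and the ceiling each phase allows.
LADDER = ["allow", "log", "alert", "justification", "block"]
PHASE_CAP = {"log_only": "log", "alert": "alert", "enforce": "block"}


def decide(t: Transaction, phase: str) -> dict:
    """Evaluate one transaction: the target control is capped by the phase."""
    label = classify(t.content)
    target = TARGET[(label, leaves_boundary(t))]
    cap = PHASE_CAP[phase]
    action = target if LADDER.index(target) <= LADDER.index(cap) else cap
    return {"sender": t.sender, "channel": t.channel, "label": label,
            "target": target, "action": action}


# Constructed sample transactions (not real data).
SAMPLES = [
    Transaction("alice@example.com", "email", "bob@example.com",
                "Q3 draft attached, INTERNAL ONLY"),
    Transaction("alice@example.com", "email", "press@news.example",
                "Unannounced results: INTERNAL ONLY figures"),
    Transaction("carol@example.com", "usb", "E:\\",
                "customer card 4111 1111 1111 1111 exp 12/26"),
    Transaction("dave@example.com", "web_upload", "https://share.example/up",
                "order id 1234 5678 9012 3456 shipped"),
]


def run(phase: str) -> list:
    """Evaluate all samples under one rollout phase."""
    return [decide(t, phase) for t in SAMPLES]


if __name__ == "__main__":
    for phase in ("log_only", "alert", "enforce"):
        print(phase)
        for ev in run(phase):
            print("  {sender} via {channel}: {label} -> {action} (target {target})".format(**ev))
```

Running `run("log_only")` and `run("enforce")` over the same samples shows what the phased rollout buys: the classification and the target control are identical in every phase, only the action taken changes, so the events collected in the log-only phase are exactly the evidence needed to see which rules would have blocked legitimate traffic before enforcement is switched on. The Luhn check is the kind of validator that keeps a bare digit regex from flagging every 16-digit order number, the false-positive problem listed under Challenges.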

The Landscape

[Diagram (Courtesy: www.PortAuthorityTech.com): accidental, intentional and malicious leaks by employees (honest and rogue), customers and criminals, across the three states of data.]

Data At Rest (data storage: SAN and NAS; servers; endpoints)
• Data classification
• Device control
• Content control
• Application control

Transaction Data (databases; applications)
• Direct database access
• Access via applications
• Web applications
• Web services

Data In Motion (communication channels)
• Outgoing communications
• Internal communications
• Databases and documents
• Monitoring and enforcement

What does DLP offer?

• Lets you secure the data you know you need to protect
• Automates the discovery and understanding of the data you don’t know about
• By securing all your information, from the datacenter to the network endpoints, you protect it through all phases of its lifecycle (at rest, in motion, and in use) and ensure its confidentiality and integrity

• Identify and classify data in motion, at rest, and in use
• Dynamically apply the desired type and level of control, including mandatory access control that can’t be circumvented by the user
• Monitor multiple channels for specific inbound and outbound content

DLP products differ in how well they do each of these.

How Does DLP Work?

Through:
• Deep content inspection
• Contextual security analysis of the transaction (attributes of the originator, data object, medium, timing, recipient/destination, etc.)
• A centralized management framework

The systems are designed to detect and prevent the unauthorized use and transmission of confidential information.

How?

Capabilities

Data protection asks four questions about every transaction (numbered 1 to 4 in the diagram), across devices, applications and networks:
• What is the user doing with it? Read, write, print, move, burn, copy/paste, upload, etc.
• Where did the data come from? (What classification?)
• Where is the data going?
• What is the policy regarding the actions to be taken?

Reduce your risk: audit, notify, quarantine, block, encrypt…

Policy lifecycle (Courtesy: www.PortAuthorityTech.com): Define Metrics, Learn, Monitor, Assess Risk, Enforce, Reduce Risk

Learn
• Use pre-defined policies or create custom policies
• Learn critical information using an information fingerprinting service

Monitor
• Monitor communication channels
• Report matches against policies and information fingerprints
• Tune policies

Enforce / Reduce Risk
• Enable the enforcement policy
• Quarantine suspicious messages
• Create an audit trail of all communications to substantiate compliance
• Reduce violations to the required levels
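The "learn critical information using an information fingerprinting service" step and the "report matches against information fingerprints" step, as one added example that is not from the presentation or from any vendor's product: a protected document is registered once as a set of hashed word n-grams (shingles), and each outbound message is scored by the fraction of the document's shingles it reproduces, so exact copies, reformatted copies and partial excerpts are reported while a paraphrase is not. The protected text, the messages, the shingle size `K` and the thresholds are constructed assumptions.

```python
"""Information fingerprinting for DLP (added example, not vendor code).

A protected document is learned once as a set of hashed word n-grams
("shingles"). Each outbound message is then scored by the fraction of the
document's shingles it reproduces, which catches exact, reformatted and
partial copies but not a paraphrase. Document, messages, shingle size and
thresholds below are constructed assumptions.
"""
import hashlib
import re

K = 5   # words per shingle (assumed; shorter catches smaller excerpts, more noise)


def normalize(text: str) -> list:
    """Lowercase and keep only alphanumeric tokens, so case, punctuation and
    line breaks in a copied passage do not defeat the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(words: list, k: int = K) -> set:
    """Hashes of every k-word window; only hashes are stored, never the text."""
    out = set()
    for i in range(len(words) - k + 1):
        gram = " ".join(words[i:i + k])
        out.add(hashlib.sha256(gram.encode()).hexdigest()[:16])
    return out


class FingerprintIndex:
    def __init__(self):
        self.index = {}    # shingle hash -> set of document ids
        self.sizes = {}    # document id -> number of shingles learned

    def learn(self, doc_id: str, text: str) -> int:
        """Register a protected document; returns its shingle count."""
        sh = shingles(normalize(text))
        self.sizes[doc_id] = len(sh)
        for h in sh:
            self.index.setdefault(h, set()).add(doc_id)
        return len(sh)

    def score(self, text: str) -> dict:
        """Per document: fraction of its shingles present in the message.
        Measured against the document, not the message, so a long email that
        embeds a short protected excerpt still scores."""
        hits = {}
        for h in shingles(normalize(text)):
            for doc in self.index.get(h, ()):
                hits[doc] = hits.get(doc, 0) + 1
        return {doc: n / self.sizes[doc] for doc, n in hits.items()}

    def match(self, text: str, threshold: float) -> list:
        """Document ids whose score meets the policy threshold."""
        return sorted(d for d, s in self.score(text).items() if s >= threshold)


# Constructed protected document (not a real formula).
FORMULA = ("Blend 40 parts resin A with 12 parts hardener B at 60 C, then add "
           "3 parts catalyst X and cure for 48 hours under nitrogen.")

INDEX = FingerprintIndex()
FORMULA_SHINGLES = INDEX.learn("formula-v2", FORMULA)

# Constructed outbound messages.
MESSAGES = {
    "exact": "BLEND 40 parts resin A\nwith 12 parts hardener B at 60 C, then add "
             "3 parts\ncatalyst X and cure for 48 hours under nitrogen.",
    "partial": "FYI: then add 3 parts catalyst X and cure for 48 hours under "
               "nitrogen. Thanks",
    "rephrased": "Mix resin A and hardener B, heat, add catalyst and cure two days.",
    "unrelated": "Lunch is at noon in the cafeteria; bring your badge please.",
}


def scan(threshold: float) -> dict:
    """Which sample messages would be reported at a given threshold."""
    return {name: INDEX.match(text, threshold) for name, text in MESSAGES.items()}


if __name__ == "__main__":
    print("shingles learned:", FORMULA_SHINGLES)
    for name, text in MESSAGES.items():
        print(f"{name:10s} score={INDEX.score(text)}")
    for thr in (0.25, 0.5):
        print(f"threshold {thr}: {scan(thr)}")
```

The threshold is the "tune policies" knob from the Monitor step: at 0.25 the partial excerpt (nine of the document's 22 shingles) is reported, at 0.5 it is missed, and a paraphrase scores zero at any threshold, which is the false-negative side of the trade-off. Two things a product does that this example does not: keep only a selected sample of shingles (winnowing or min-hash) so the index stays small for large document sets, and update the fingerprints as the protected document changes.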

Summary

• Information leakage is a serious concern to organizations and individuals
• The approach has to be holistic, addressing people, process and technology
• DLP technology addresses data in motion, at rest and in use
• Classification policy; information about the data and data sources; classify them; select a DLP solution; develop policies and test; apply; monitor; fine tune; awareness
• Actions: log, alert, justify, block, etc.
• Resistance, organizational culture, performance and the huge amount of known/unknown data are some of the obstacles
• Start with lightweight policies and gradually tighten them once awareness and adaptability are achieved
• Information leakage prevention is an ongoing process
