2013 ISACA Webinar Program. © 2013 ISACA. All rights reserved.
Best Practices for Implementing Data Loss Prevention (DLP)
Michael Avdeev, DLP Solution Architect, McAfee; John Callaghan, Sr. Mgr. Engineering Research, SilverSky

Understanding Data Loss Prevention

Aug 27, 2014


https://www.facebook.com/300dollardatarecovery This slideshare presentation explains data loss and how to prevent it from happening.
Transcript
Page 1: Understanding Data Loss Prevention

2013 ISACA Webinar Program. © 2013 ISACA. All rights reserved.

Best Practices for Implementing Data Loss Prevention (DLP)

• Michael Avdeev, DLP Solution Architect, McAfee

• John Callaghan, Sr. Mgr. Engineering Research, SilverSky

Page 2: Understanding Data Loss Prevention


Welcome!

• Type in questions using the Ask A Question button

• All audio is streamed over your computer
– Having technical issues? Click the ? button

• Click the Attachments button to find a printable copy of this presentation

• After the webinar, ISACA members may earn 1 CPE credit
– Find a link to the Event Home Page on the Attachments button
– Click the CPE Quiz link on the Event Home Page to access the quiz
– Once you pass the quiz, you'll receive a link to a printable CPE Certificate

• Tell us what you thought of this event!
– By using the FEEDBACK button
– Complete the Webinar Survey on the Attachments button

• Question or suggestion? Email them to [email protected]

Page 3: Understanding Data Loss Prevention


Today’s Speakers

Michael Avdeev, DLP Enterprise Solution Architect, McAfee

John J. Callaghan, CISM, Senior Manager, Security & Engineering Research, SilverSky

Page 4: Understanding Data Loss Prevention


Motivations

“A world of needs… … essential considerations”

What • Another Tool or Governance approach

Why • Mandate, IP, Regulatory, Compliance

When • Immediately vs. Planned

Where • Across the business, by geography

How • “By Policy”, Training, Top-Down, Inter-organizational

Page 5: Understanding Data Loss Prevention


Considerations

“The obvious... … and not so obvious”

• Business Goals

• Company Primary IP

• Industry & Legal Requirements

• Corporate Security Policies

• New Projects ‘rollout’ history

• Secondary IP concerns

• Business unit Practices & Repositories

• Varying adherence to Corporate Policy

• Exposed IP

• Extranet/sharing issues

Page 6: Understanding Data Loss Prevention


Challenges

“Securing the Data… … loss / theft / corruption”

• Today: Data = Dollars

• Crime: Cybercrime is simply Crime

• News: Success stories need to outweigh breaches

• Statistics: At the close

Page 7: Understanding Data Loss Prevention


Data Types (diagram captioned "WILD WILD WEST"): Data-in-Motion, Data-at-Rest, Data-in-Use

Data Loss Vectors: Email, Web Post, Network, IM Chat, Desktop/Laptop, Database, Removable Media, Screen, Printer, File Share, Clipboard

Page 8: Understanding Data Loss Prevention


DLP Elements (diagram): Governance, Risk Assessment, Compliance, Classification, Policies, Discovery, Remediation, Awareness

Page 9: Understanding Data Loss Prevention


Governance

Summary:
• Data Governance = confidentiality, integrity and availability of data
• Monitor the flow/storage of data in your environment

Action:
• Develop a governance structure
• Define roles & responsibilities
• Create a communication plan
• Create governance metrics

Examples:
• Centralized vs. De-Centralized
• Set up a central site for document storage & communications
• Use DLP policies to generate metrics

Page 10: Understanding Data Loss Prevention


Risk Assessment

Summary:
• Identify all data types, threat vectors, and potential business impact
• Prioritize a ranking of risks and a list of initiatives to mitigate the risk

Action:
• Execute the RA
• Create a detailed action plan
• Assign owners to RA results
• Formalize a recurring RA plan

Examples:
• Use asset management tools to catalog assets
• Use DLP to identify risk in systems, applications, lines of business, etc.

Page 11: Understanding Data Loss Prevention


Compliance

Summary:
• Sensitive information regulated by governmental and industry statutes
• Avoid fines, increased audit costs, embarrassment, or prosecution

Action:
• Identify governing bodies
• Identify statutes
• Create a data element mapping
• Create compliance metrics

Examples:
• Monitor PCI data movement both within and outside of the company
• Use IT GRC tools to manage compliance

Page 12: Understanding Data Loss Prevention


Classification

Summary:
• Classify data according to its value and risk
• Protect classes of data, not individual elements

Action:
• Gather initial and new data elements
• Develop a standard framework
• Identify data owners and users
• Identify approved data storage systems

Examples:
• Set up workshops to gather initial data elements
• Use DLP data discovery scans to gather new data elements
• Catalog locations and move data to approved storage locations

Page 13: Understanding Data Loss Prevention


Policies

Summary:
• Flexible policies that grow with the organization over time
• User education on policies, standards, and guidelines

Action:
• Review existing policies
• Create new policies
• Socialize policies with users
• Evaluate effectiveness

Examples:
• Educate key stakeholders (HR, compliance team, business units)
• Set up a recurring update program to measure policy effectiveness

Page 14: Understanding Data Loss Prevention


Discovery

Summary:
• Find sensitive data in areas where you don't expect it to be
• Identify broken processes, bad actors, and "data drift"

Action:
• Create a data discovery program
• Define data storage types
• Define data categories
• Define data owners

Examples:
• Identify "data drift" in "data-at-rest" (file servers, databases)
• Identify "data drift" in "data-in-use" (local disks on laptops and desktops)

Page 15: Understanding Data Loss Prevention


Remediation

Summary:
• More than fixing the data: look at the people and the process
• Remediation is NOT done until root causes are identified and risk is mitigated

Action:
• Develop data/incident response programs
• Perform system/data clean-up
• Implement mitigation actions

Examples:
• Root-caused PCI data leakage due to a broken business process
• Automatically encrypt all patient data sent via outbound email traffic

Page 16: Understanding Data Loss Prevention


Awareness

Summary:
• Your employees are a critical line of defense
• Embed employee education into your DLP program

Action:
• Develop a security awareness program for employees
• Develop specific data protection training for data owners

Examples:
• Posters
• Webpage with guidelines
• Quick situational videos

Page 17: Understanding Data Loss Prevention


Approaching the Task

Deployment Best Practices
• Solid preparation
• Understand the data & rules
• Be realistic with the project plan
• Communication, communication, communication

Protecting Data is a Process Problem…

Page 18: Understanding Data Loss Prevention


Deployment Best Practices

Solid Preparation
• Scope the hardware appropriately
• Get buy-in from key stakeholders early
• Evaluate DLP endpoint strategies
• Have a realistic test environment so you can see problems early

Understand the Data & Rules
• Privacy rules differ state by state, country by country
• Understand how data is being used in your company before building policies
• Understand chain-of-custody implications of collecting evidence in a DLP solution

Be Realistic
• You can't watch everything: prioritize what's important
• Start small and grow your coverage
• Know what you need to watch for and what you cannot watch for
• Document well and define key statistical performance metrics

Good Communication
• Weekly calls (technical-level and governance-level calls with senior management)
• Define departmental champions to help overcome roadblocks
• Keep the CISO actively involved
• Train downstream: don't limit it to just security

Page 19: Understanding Data Loss Prevention


Who? What? When? How?

Data Type             | Risk Level | Findings
PCI Data              | Exposed    | User ignorance of policy
PII Data              | Exposed    | PII data sent, received and stored UNENCRYPTED
Intellectual Property | Leaks      | "Confidential" files sent to questionable destinations
State Privacy Law     | Violations | Broken business process

You cannot protect the data you don't know about!

Page 20: Understanding Data Loss Prevention


Streamline Policies

Fine tune and test policies without interrupting business

Cycle (diagram): Define Policy, Test Policy, Tune Rules; Data Analytics over Data and Violations

Page 21: Understanding Data Loss Prevention


Discovery Best Practices

Steps (diagram): Inventory with Metadata, Categorization & Classification, Remediation Prioritized

Data shown: PCI Data, Sensitive IP

Remediation options: Encrypt, Delete, Move
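As an added example (not code from the webinar, McAfee or SilverSky), a minimal discovery scan over a constructed set of data-at-rest files: it classifies PCI and IP content, uses a Luhn check to cut regex false positives (the "tune rules" step), orders findings so PCI data is remediated first, and produces a per-class count usable as a governance metric. The file paths, contents and the class-to-action remediation mapping are assumptions.

```python
import re
from collections import Counter

# Constructed "data-at-rest" sample (path -> contents); assumptions for this
# example, not data from the webinar.
SAMPLE_FILES = {
    "/srv/share/sales/orders.txt": "Order 1234567890123456 shipped to customer 7",
    "/srv/share/sales/cards.txt": "Card on file: 4111 1111 1111 1111 exp 12/25",
    "/home/alice/Desktop/roadmap.docx": "CONFIDENTIAL - product roadmap 2014",
    "/srv/share/hr/notes.txt": "Lunch menu for Friday",
}

# 16 digits with optional space/dash separators: a broad first-pass rule
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits):
    """Luhn checksum: the 'tune rules' step that drops non-card 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of data classes found in one file's contents."""
    classes = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            classes.add("PCI")
    if re.search(r"\bconfidential\b", text, re.I):
        classes.add("IP")
    return classes

# Assumed remediation policy, using the slide's Encrypt / Delete / Move options
REMEDIATION = {"PCI": "Move", "IP": "Encrypt"}

def discover(files):
    """Return (path, class, action) findings, PCI first for prioritized remediation."""
    findings = []
    for path, text in files.items():
        for cls in classify(text):
            findings.append((path, cls, REMEDIATION[cls]))
    findings.sort(key=lambda f: (f[1] != "PCI", f[0]))
    return findings

def metrics(findings):
    """Counts per data class, the kind of number a governance metric is built on."""
    return Counter(cls for _, cls, _ in findings)
```

The order-number file matches the digit pattern but fails Luhn, so it produces no PCI finding; that is the false positive a real rule set is tuned against.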

Page 22: Understanding Data Loss Prevention


Management Model

Diagram: a 2x2 grid with axes Proactive / Reactive and Decentralized / Centralized; quadrants labelled Business Flex, Dedicated Team, Light Coverage, Part-Timer.

Organization profiles placed on the grid:
• Complex IP environment; business-driven needs; small security team
• High regulatory requirements; mature business model; strong security team
• Low regulatory environment; low business drivers; small security team
• High business drivers; little management buy-in; strong security team

Page 23: Understanding Data Loss Prevention


What You Learned Today

• The 8 Essential DLP Elements

• DLP Deployment Best Practices & Examples

• Different DLP Management Models

Remember … You cannot protect the data you don’t know about! Start small and be realistic about your project plan. Get buy-in from business users early. Protecting data is a process problem.

Page 24: Understanding Data Loss Prevention


Resources & Tools

• Verizon Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2013/

• "Implementing and Managing a DLP Solution" whitepaper: http://mcaf.ee/dphvg -> White Papers

To find out more about the McAfee DLP solution:

• Public page: http://mcaf.ee/dphvg

• Regulation link: http://www.mcafee.com/data-protection-laws

• Data Risk Assessment: http://dataprotection.mcafee.com/forms/RiskAssessment

• Blogs: http://siblog.mcafee.com/category/data-protection

• Videos: http://www.youtube.com/McafeeDLP

• Twitter handle: @McAfeeDLP

Page 25: Understanding Data Loss Prevention


Questions?

Page 26: Understanding Data Loss Prevention


Thank You!

Michael Avdeev, [email protected] John Callaghan, [email protected]