1. CISO Roundtable:
Effective Implementation of
DLP and Data Security

2. ©2013, Cognizant | All rights reserved. The information contained herein is subject to change without notice.
Venkatasubramanian Ramakrishnan
Director- Global Information Security
Cognizant Technology Solutions
Information Security and Data
Protection Strategy

3. | ©2013, Cognizant2
Contents
2 Inflection Point
3 Key Disrupting Factors
4 Role of Information Security
Function
5 Data Security Strategy
6 Key Points
7 Big Picture
8 Threat Modeling
9 Sample Threat Modeling

4. | ©2013, Cognizant3
Inflection Point

5. | ©2013, Cognizant4
Key Disrupting Factors
1.Greater Business Partner Responsibility for Technology Projects
2.Workplace of the Future
3.Sharper Executive Focus on Risk Management
4.Core Responsibility Overlap with the Legal Function
5.Sophistication of External Threat Vectors

6. | ©2013, Cognizant5
Role of Information Security Function
2000-2004 2005-2012 2012 & Beyond
Control Owner
Decision Owner
Decision Facilitator
RiskManagementPhilosophy

7. | ©2013, Cognizant6
Data Security Strategy

8. | ©2013, Cognizant7
Key Points
1.New Era requires information security system design with a
counter-intelligence mind set!
2.Competitive economic pressures and national security issues drive
various entities to seek information and Intellectual Property
3.Counterintelligence awareness of the security leaders is the first
step to improve the protection of proprietary information

9. | ©2013, Cognizant8
Big Picture
T
H
R
E
A
T
S
BUSINESS MODEL
Strategy, people, process, technology and
infrastructure in place to drive towards objectives
OPPORTUNITIES
OBJECTIVES
strategic,
operational ,
customer,
compliance
objectivesOPPORTUNITIES
MANDATORY BOUNDARY
(laws, government regulations and other mandates)
VOLUNTARY BOUNDARY
(organizational values, contractual obligations, internal
policies and other promises )

10. | ©2013, Cognizant9
Threat Modeling
Capabilities
Competition
Strategic Plans Political, Economic
& Social Forces
Markets Customers
Technology
Developments
Industry
Structure
Competitive
intelligence
Collectors
Terrorists
“Ethically Flexible”
Employees
Critical Elements of
Business Intelligence
State Sponsored
Attack
Resource
Poaching
Threats
Economic or
Industrial Espionage
Monitor External Environment
• Monitor social media for any chatter on new methods or targets of
attacks.
• Engage in peer conversations to share knowledge and stay up-to-date
on threat vectors, new techniques, known bad IP addresses, etc.
• Understand what kinds of activities and news reports are likely to
increase the chances of an incident.

11. | ©2013, Cognizant10
Sample Threat Modeling
List of data or
information that
may be under
threat
Who may want it
How motivated are they to
get it
(Ask these questions)
Priority for Incident
Response Planning
(Determined by the
previous three
factors)
Client credit card
numbers
Hacker-thieves
Etc.
What kind of clients do you
have?
Etc.
Low/Med/High
Intellectual
property data
Competitors
Foreign
governments
interested in a
particular IP or
technology
Etc.
Will this IP significantly
alter the market share
landscape on the industry?
Is the IP capable of
providing extensive
competitive advantage?
Are there ideological
reasons for stealing such
information?
Etc.
Low/Med/High
Manage Potential Threats
• Determine what assets, data, information, etc. the organization owns that
may be of particular interest to attackers. Also determine how important
this information or data is to the business.
• Determine who may want such information, how sophisticated they are,
and what channels they may use to attempt to cause an incident.
• Determine how motivated potential attackers may be.

12. ©2013, Cognizant | All rights reserved. The information contained herein is subject to change without notice.
Thank you

13. 12
Data Leakage Prevention (DLP) Project

14. 13
Agenda
 Enterprise – Growing Challenges
 Business Drivers for DLP
 DLP Specific Challenges & Misnomer
 Solution Decision Making
 Approaches / Solutions to solve Data Security
Challenges
 Approach & Methodology
 Critical Success Factor
 Project Outcome
 Key Learning’s

15. 14
Enterprise - Growing Challenges
 Growing Employee base and across locations
 Enabling Employee friendly environment to keep them
motivated & achieve work-life balance
 Governed by different regulations and compliance requirement
 Data Residing in multiple locations
 Multiple Stakeholders Involved & lack of understanding
 Everyone thinks all their data is critical and important (not so
important)
 Evolving Dynamic threat landscape (Government agencies,
Fortune 100 companies, Enterprises are being constantly
targeted & some of them successful too)
 Outsourcing & its related discrete requirements /
commitments
 Growing adoption of public cloud / infrastructure / networks

16. 15
Drivers Why it matters?
Business Confidentiality
Regulatory Compliance
Business Drivers for DLP
 To comply with Regulatory and Compliance
requirements
 Avoid penalties for non-compliance
 Prevent data breaches / infiltration
 Protect business interests, including
customer confidence
 Protect Company & Customer IPR
 Protect Brand Value

17. 16
DLP Specific Challenges & Misnomer
 “All” our data is critical and confidential
 IT department should be able to identify and classify critical
business information
 Lets fingerprint all our data
 Lets configure DLP to protect all data
 Lets block all sensitive information from going out and allow
information transfer only on senior management approvals
 We have defined 200 policies but the DLP solution is not
raising any meaningful alerts

18. 17
Approaches to solve Data Security Challenges
 There are multiple solutions available in the market to address
the Data Security requirement and most of them work in
complementary fashion to one another.
 DLP solution to be adopted to address the missing piece / gap
created in other data security solutions as highlighted below.
Solutions Area it Covers Missing Piece
Full Disk Encryption Works on the Disk level to
encrypt the drive
All these solutions cannot
differentiate the data (i.e.)
the classified information –
Private / Confidential &
Public data
Device Control Works on the device level
again to either allow or
disallow the drive
Access Control & RMS Works based on rights /
privileges enabled for user /
IP or User Intervention is
required
Email Encryption Works based on user /
domain as per policy
DLP Works on the Classified
Information to enable

19. 18
Solution Decision Making
 Adopt solution which is easy to understand and implement
 DLP solution deployment should not call for architectural /
design / product changes for existing services like email &
web rather it should integrate seamlessly with minimum or no
changes
 Proper Categorization of vanilla DLP policy based on
Industries & Countries
 Solution should be scalable & reliable from architecture
standpoint
 Support for multitude of systems used in the Corporate
environment
 Easy and straight-forward integration should be possible with
existing internal systems (Directory Services, Monitoring
Services & SIEM etc)
 Vendor support & good Roadmap / vision is the key
 Availability of Reliable Partner for the vendor in the local
country with good deployment and process experience in
rolling out DLP

20. 19
Approach & Methodology
 Act on all the Outcome coming from
analysis
 Initiate work on long term strategy
 Enable custom policy as per
requirement
 Fine tune policy
 Make Deployment inline
 Expand the coverage and footprint
 Repeat entire cycle (Continuous
Process)
 Establish Policy, Process & Procedure
 Review Identified & Classified Data
 Establish Infrastructure
 Enable shortlisted default policy to
create visibility
 Deploy DLP for identified channel
 Role Segregation
 Enable Console Access for different
stakeholder to create impact
 Enable Incident Monitoring &
Response
 Delivery weekly & monthly report for
management & stakeholder visibility
 Establish Governance
 Initiation
 Establish Objective & goals (short
& long term)
 Plan Infrastructure
 Establish Design
 Identify Matching Default Policies
 Identify Critical Channels
 Stakeholder Analysis
 Communicate
 Awareness & Training
 Define Ownership
 Establish Procedure for
Critical Data Identification
& Classification
 List Actions to be
performed
 Analysis whether Data classification
procedure is being followed
 Analysis the need for more trainings
 Analysis the visibility created by
default policy
 Analysis effectiveness of existing policy
enabled
 Check whether short term goal is met and
analysis triggering of strategy for long
term goal
 Analysis stakeholder involvement &
support obtained
 Decide whether enabling protection or
inline mode can be done
DLP
Approach

21. 20
Critical Success Factor
 IT is a facilitator and not the business data owner of the DLP
project
 DLP Project Success is directly proportionate to business user
involvement, buy in, contribution and approvals
 Enable DLP in Monitor mode First & then Block Later based on
monitoring outcome
 Understand Data Classification & Policy Definition is not an
one time exercise. Repeat PDCA principle (Plan, Do, Check &
Act) on a defined periodicity
 Realize that DLP can not eliminate security breaches but helps
reduce the risk by detecting and preventing incidents

22. 21
Project Outcome
 All Critical Channels like web, email & mobile devices are being
covered & monitored
 Data movement within Organization is getting tracked better
 365*24*7 monitoring in place to handle high / medium
severity incidents reported in DLP
 Awareness among Employees Improved and this resulted in
improved compliance & reduction in data related incidents
 Happy Customers & Auditors

23. 22
Key Learning’s
 DLP Approach should be chosen based on the Culture of the
Organization
 Establishing frequent connects with stakeholders & employees
is the key to success
 Enabling visibility for Business stakeholders resulted in
quicker adoption
 DLP Journey will not be an One Time exercise / project rather
it will be ongoing process / operation to be strictly followed &
adhered by all stakeholders
 Establishing an Governance Organization dedicated to DLP
Journey helped in driving & communicating change to wow’s

24. Understanding of Technology Architecture
and Solutions for Data Security.
Maheswaran.S, Manager, Sales Engineering,
SAARC

25. 24
Data Security Technologies
Data
Security
DRMDLP GRC/SOC
Access
Control EncryptionFAM

26. 25
Data Types & DLP Approach
Source : www.oxford-consulting.com

27. DLP – Key Capabilities

28. Identification Methods
27
Described RegisteredDescribed RegisteredLearned

29. Image Detection
• Detects Sensitive Text within Images
– Screen captures
– Scanned checks
– Scanned receipts
– Applications which has image outputs
– Fax pages
– etc.

30. Data Drip Detection
Detects multiple instances of small data leaks over
time
John Doe
Joe Smith
3:01 PM
Customer Information
Joe,
Here is a customer information:
John Doe
Joe Smith
3:14 PM
Customer Information
Joe,
Here is a customer information:
John Doe
Joe Smith
3:17 PM
Customer Information
Joe,
Here is a customer information:
John Doe
Joe Smith
4:45 PM
Customer Information
Joe,
Here is a customer information:
Mike McDonald CCN: 1111-2222-3333-4444
John Doe
Joe Smith
4:50 PM
Re: Customer Information
Joe,
Here is another customer information:
Jane Brown CCN: 1234-2345-3456-4567
John Doe
Joe Smith
3:01 PM
Customer Information
Joe,
Here is a customer information:
Low Impact
Incident High Impact
Event
Within 2 Hours

31. Data in Motion – Network DLP
30
• Look - Don’t Touch
• See’s unencrypted
Outbound Traffic
Port-Span
• Look AND Touch
• Proxy for Web & FTP
• MTA for Email
• ActiveSync for
Mobile
In-Line
• Network Printers
Agent

32. Channel Detection and Response
31
Network DLP
Web
Audit
*Block
Alert
Notify
Email
Audit
Block
Quarantine
Encrypt
Alert
Notify
FTP
Audit
Block
Alert
Notify
Network
Printer
Audit
Block
Alert
Notify
Active
Sync
Audit
Block
Alert
Notify
IM
&
Custom
Channels
Audit
Block
Alert
Notify
RESPONSE OPTIONS BY CHANNEL

33. SSL Decryption
32
SSL Dynamic
Content
Control
Dynamic
Threat
Protection
S
S
L
Web
Security
DLP
39 percent of
malicious Web attacks
included data-stealing
code

34. Data in Use - Endpoint DLP Channels
USB Drives
Local Printer
LAN Storage
Internet
Print
Server
Network Printer 2
Network Printer 1
Removable
Media
Applications

35. Detection and Response
34
Endpoint DLP
Applications
Permit
Confirm
Block
Email Quarantine
Alert
Notify
Removable
Media
Permit
Confirm
Block
Encrypt to USB
Alert
Notify
Storage
Alert/Log
Scripts
- Encrypt
- Tombsto
Quarantin
- EDRM
RESPONSE OPTIONS

36. Data at Rest - Discovery
35
- Network-based Discovery
- Conducted over LAN/WAN
- Manage by Schedule and/or bandwidth
- Leverage VM’s as Multipliers
- Perform Discovery Locally
- Fastest Discovery
- Manage by Schedule, CPU Utilization, Power
Supply
- The Best of Both Worlds
- Leverage any combination
Agentless
Agent
Hybrid

37. Advanced Remediation Capabilities
Discovery
• Remediation Scripts
– Several predefined scripts available
– Customizable for highest flexibility
• Common Remediation Action
** Requires 3rd Party
Move/Quarantine Encrypt** Classification Tag
(Microsoft FCI)
Apply EDRM** Purge/Delet
e

38. DLP - Management & Reporting

39. Business Intelligent Policy Framework
Who
Human Resources
Customer Service
Finance
Accounting
Legal
Sales
Marketing
Technical Support
Engineering
What
Source Code
Business Plans
M&A Plans
Employee Salary
Patient Information
Financial Statements
Customer Records
Technical Documentation
Competitive Information
Where
Benefits Provider
Personal Web Storage
Blog
Customer
USB
Spyware Site
Business Partner
Competitor
Analyst
How
File Transfer
Instant Messaging
Peer-to-Peer
Print
Email
Web
Audit
Notify
Remove
Quarantine
Encrypt
Block
Removable Media
Copy/Paste
Print Screen
Action
Confirm

40. Enforce Policy by Geo Location

41. Email-based Incident Workflow
• Options to Click within
the email notification to:
– change severity
– escalate
– assign
– ignore
– etc.

42. Demonstrating Risk Reduction
41
Web Email FTP IM
Network
Printing
Jan 200 150 50 10 45
Feb 100 100 15 5 30
Mar 60 76 5 2 15
90-Day Risk Reduction 70% 49% 90% 80% 67%
60
76
5
2 15
100
100
15
5
30
200 150 50 10 45
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
LikelihoodofDataLoss
90-Day (High Impact) Risk Reduction

43. Incident Management & Reporting Dashboards
42
The following are samples of our weekly and monthly dashboards
on incident management.

44. Thank You

45. Questions and Answers
44