14. Agenda
Enterprise - Growing Challenges
Business Drivers for DLP
DLP Specific Challenges & Misnomer
Solution Decision Making
Approaches / Solutions to solve Data Security Challenges
Approach & Methodology
Critical Success Factor
Project Outcome
Key Learnings
15. Enterprise - Growing Challenges
Growing employee base spread across locations
Enabling an employee-friendly environment to keep them motivated & achieve work-life balance
Governed by different regulations and compliance requirements
Data residing in multiple locations
Multiple stakeholders involved & a lack of understanding
Everyone thinks all their data is critical and important (it is not so important)
Evolving, dynamic threat landscape (government agencies, Fortune 100 companies and enterprises are being constantly targeted & some of the attacks are successful too)
Outsourcing & its related discrete requirements / commitments
Growing adoption of public cloud / infrastructure / networks
16. Business Drivers for DLP
Drivers: Business Confidentiality; Regulatory Compliance
Why it matters?
To comply with regulatory and compliance requirements
Avoid penalties for non-compliance
Prevent data breaches / infiltration
Protect business interests, including customer confidence
Protect Company & Customer IPR
Protect Brand Value
17. DLP Specific Challenges & Misnomer
“All” our data is critical and confidential
The IT department should be able to identify and classify critical business information
Let's fingerprint all our data
Let's configure DLP to protect all data
Let's block all sensitive information from going out and allow information transfer only on senior management approval
We have defined 200 policies but the DLP solution is not raising any meaningful alerts
18. Approaches to solve Data Security Challenges
There are multiple solutions available in the market to address the Data Security requirement, and most of them work in a complementary fashion to one another.
A DLP solution is to be adopted to address the missing piece / gap left by the other data security solutions, as highlighted below.
Solutions / Area it covers / Missing piece:
Full Disk Encryption: works at the disk level to encrypt the drive
Device Control: works at the device level, again to either allow or disallow the drive
Access Control & RMS: works based on rights / privileges enabled for the user / IP, or user intervention is required
Email Encryption: works based on user / domain as per policy
Missing piece (common to all four above): none of these solutions can differentiate the data, i.e. the classified information: Private / Confidential vs. Public data
DLP: works on the Classified Information to enable
19. Solution Decision Making
Adopt a solution which is easy to understand and implement
DLP solution deployment should not call for architectural / design / product changes for existing services like email & web; rather, it should integrate seamlessly with minimum or no changes
Proper categorization of vanilla DLP policies based on industries & countries
Solution should be scalable & reliable from an architecture standpoint
Support for the multitude of systems used in the corporate environment
Easy and straightforward integration should be possible with existing internal systems (Directory Services, Monitoring Services, SIEM etc.)
Vendor support & a good roadmap / vision is the key
Availability of a reliable partner for the vendor in the local country with good deployment and process experience in rolling out DLP
20. Approach & Methodology
DLP Approach (continuous process, repeated as a cycle)
Initiation
- Establish objectives & goals (short & long term)
- Plan Infrastructure
- Establish Design
- Identify matching default policies
- Identify critical channels
- Stakeholder analysis
- Communicate
- Awareness & Training
- Define ownership
- Establish procedure for critical data identification & classification
- List actions to be performed
Establish
- Establish Policy, Process & Procedure
- Review identified & classified data
- Establish Infrastructure
- Enable shortlisted default policies to create visibility
- Deploy DLP for the identified channels
- Role segregation
- Enable console access for different stakeholders to create impact
- Enable Incident Monitoring & Response
- Deliver weekly & monthly reports for management & stakeholder visibility
- Establish Governance
Analysis
- Analyse whether the data classification procedure is being followed
- Analyse the need for more trainings
- Analyse the visibility created by the default policies
- Analyse the effectiveness of the existing policies enabled
- Check whether the short term goal is met and analyse triggering of the strategy for the long term goal
- Analyse stakeholder involvement & support obtained
- Decide whether enabling protection or inline mode can be done
Act
- Act on all the outcomes coming from analysis
- Initiate work on the long term strategy
- Enable custom policies as per requirement
- Fine tune policies
- Make deployment inline
- Expand the coverage and footprint
- Repeat the entire cycle (continuous process)
21. Critical Success Factor
IT is a facilitator and not the business data owner of the DLP project
DLP project success is directly proportional to business user involvement, buy-in, contribution and approvals
Enable DLP in Monitor mode first & then Block later, based on the monitoring outcome
Understand that Data Classification & Policy Definition is not a one-time exercise. Repeat the PDCA principle (Plan, Do, Check & Act) on a defined periodicity
Realize that DLP cannot eliminate security breaches but helps reduce the risk by detecting and preventing incidents
22. Project Outcome
All critical channels like web, email & mobile devices are being covered & monitored
Data movement within the Organization is getting tracked better
365*24*7 monitoring in place to handle high / medium severity incidents reported in DLP
Awareness among employees improved, and this resulted in improved compliance & a reduction in data-related incidents
Happy Customers & Auditors
23. Key Learnings
The DLP approach should be chosen based on the culture of the Organization
Establishing frequent connects with stakeholders & employees is the key to success
Enabling visibility for business stakeholders resulted in quicker adoption
The DLP journey will not be a one-time exercise / project; rather, it will be an ongoing process / operation to be strictly followed & adhered to by all stakeholders
Establishing a Governance Organization dedicated to the DLP journey helped in driving & communicating change to wow’s
24. Understanding of Technology Architecture and Solutions for Data Security.
Maheswaran.S, Manager, Sales Engineering, SAARC
29. Image Detection
• Detects Sensitive Text within Images
– Screen captures
– Scanned checks
– Scanned receipts
– Applications which have image outputs
– Fax pages
– etc.
30. Data Drip Detection
Detects multiple instances of small data leaks over time
[Figure: a series of e-mails from John Doe to Joe Smith, each with the subject “Customer Information” and the body “Joe, Here is a customer information:”, sent at 3:01 PM, 3:14 PM, 3:17 PM, 4:45 PM (Mike McDonald CCN: 1111-2222-3333-4444) and 4:50 PM (“Re: Customer Information”, “Here is another customer information:”, Jane Brown CCN: 1234-2345-3456-4567). Legend: Low Impact Event vs. High Impact Incident; Within 2 Hours.]
31. Data in Motion – Network DLP
Port-Span
• Look - Don’t Touch
• Sees unencrypted outbound traffic
In-Line
• Look AND Touch
• Proxy for Web & FTP
• MTA for Email
• ActiveSync for Mobile
Agent
• Network Printers
32. Channel Detection and Response
Network DLP – response options by channel
Web: Audit, *Block, Alert, Notify
Email: Audit, Block, Quarantine, Encrypt, Alert, Notify
FTP: Audit, Block, Alert, Notify
Network Printer: Audit, Block, Alert, Notify
ActiveSync: Audit, Block, Alert, Notify
IM & Custom Channels: Audit, Block, Alert, Notify
34. Data in Use - Endpoint DLP Channels
USB Drives
Local Printer
LAN Storage
Internet
Print Server / Network Printers (Network Printer 1, Network Printer 2)
Removable Media
Applications
35. Detection and Response
Endpoint DLP – response options
Applications: Permit, Confirm, Block, Email Quarantine, Alert, Notify
Removable Media: Permit, Confirm, Block, Encrypt to USB, Alert, Notify
Storage: Alert/Log; Scripts (Encrypt, Tombstone, Quarantine, EDRM)
36. Data at Rest - Discovery
Agentless
- Network-based Discovery
- Conducted over LAN/WAN
- Managed by schedule and/or bandwidth
- Leverage VMs as multipliers
Agent
- Perform Discovery locally
- Fastest Discovery
- Managed by schedule, CPU utilization, power supply
Hybrid
- The best of both worlds
- Leverage any combination
37. Advanced Remediation Capabilities - Discovery
• Remediation Scripts
– Several predefined scripts available
– Customizable for highest flexibility
• Common Remediation Actions: Move/Quarantine, Encrypt**, Classification Tag (Microsoft FCI), Apply EDRM**, Purge/Delete
** Requires 3rd Party
39. Business Intelligent Policy Framework
Who: Human Resources, Customer Service, Finance, Accounting, Legal, Sales, Marketing, Technical Support, Engineering
What: Source Code, Business Plans, M&A Plans, Employee Salary, Patient Information, Financial Statements, Customer Records, Technical Documentation, Competitive Information
Where: Benefits Provider, Personal Web Storage, Blog, Customer, USB, Spyware Site, Business Partner, Competitor, Analyst
How: File Transfer, Instant Messaging, Peer-to-Peer, Print, Email, Web, Removable Media, Copy/Paste, Print Screen
Action: Audit, Notify, Remove, Quarantine, Encrypt, Block, Confirm
Regulations & Compliance (PCI-DSS, ISO 27001, HIPAA, SOX, Data Privacy Act, IT Act, GLBA etc.); data stored in multiple locations (desktops / laptops / servers / DB / web / cloud etc.); names of companies that have been hacked in the recent past (Google / RSA / Twitter / Facebook hacks etc.); adoption of SaaS / PaaS business models / offerings.
DLP should take care of incoming data transfers too
Regular release of default policies at a defined frequency; reporting & logging should be quick and reliable, since the forensic information to be captured and retained will be huge depending on the logging & retention policy of the Organization; support for Windows, Unix & Mac systems.
Approach 1: Think, Plan & Try BIG. (The Big Bang approach fails in most cases, as every stakeholder has their own priorities, projects & business to deal with; it may be successful in a process-centric Organization.)
Approach 2: Think BIG, plan smaller actions to create visibility, to make stakeholders understand the business impact & commit, and then drive faster adoption. (This will work in almost all Enterprises.)
The 80:20 principle
Most customers look at a DLP project as a large black box that you throw everything into (Data Classification, Access management, Encryption, Discovery, DRM) and hope for the best. The problem is that this leads to a massive investment in infrastructure, resources and planning, and they don’t see results for a long time; when an Executive asks for results, the answer is usually “this is still in process”. Websense suggests a different approach, where we recommend our customers build small boxes (a box has 3 dimensions: Channel, Data, Business unit/region). If the customer starts with a focused target, let’s say Financial data over email coming from the corporate, they will see quick results, because this is manageable and focused and will show quick ROI. The results will also create an appetite in other business units to get into the project.
Most DLP solutions can alert administrators if a specified type of sensitive information reaches a predefined threshold of data transmission. For example, any transmission suspected of containing more than 5 credit card numbers could alert the administrator. However, most DLP solutions cannot support a similar scenario of policy violation: 5 or more transmissions, each containing a single credit card number. The Smart Detection feature enables administrators to define policies that span multiple incidents over a specified period of time. As the graphic shows, 5 emails from the same user throughout the course of a day, each containing credit card information, can alert the administrator to a possible violation. Websense is the only vendor providing this level of sophistication.
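The correlation described on the Data Drip Detection slide and in this note, as an added example that is not Websense code or its Smart Detection feature: the classic per-message count beside a per-sender sliding window that turns several low-impact events into one incident. The thresholds, the two-hour window and the sample mails are assumptions; the card numbers are standard Luhn-valid test numbers, not real cards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CCN_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")  # 16-digit card-number pattern

def luhn_ok(number: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit strings are not counted as cards."""
    total = 0
    for i, ch in enumerate(reversed(re.sub(r"\D", "", number))):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_ccns(text: str) -> int:
    return sum(1 for m in CCN_RE.findall(text) if luhn_ok(m))

def detect(events, per_message=5, drip_count=5, window=timedelta(hours=2)):
    """Classic rule: >= per_message card numbers in one transmission -> 'bulk'.
    Drip rule: drip_count transmissions from one sender inside `window`, each
    carrying at least one card number -> 'drip' (the classic rule never fires)."""
    recent = defaultdict(list)  # sender -> timestamps of recent low-impact events
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = count_ccns(ev["body"])
        if hits >= per_message:
            incidents.append({"kind": "bulk", "sender": ev["sender"], "count": hits})
        elif hits:
            seen = recent[ev["sender"]]
            seen.append(ev["ts"])
            seen[:] = [t for t in seen if ev["ts"] - t <= window]  # slide the window
            if len(seen) >= drip_count:
                incidents.append({"kind": "drip", "sender": ev["sender"],
                                  "count": len(seen), "first": seen[0], "last": seen[-1]})
                seen.clear()  # one incident per burst; start a fresh window
    return incidents

# Constructed sample (assumed, not from the slide): five mails, one test card each.
DAY = datetime(2013, 1, 15)
def _mail(sender, hour, minute, body):
    return {"sender": sender, "ts": DAY.replace(hour=hour, minute=minute), "body": body}

SAMPLE_EVENTS = [
    _mail("john.doe", 15, 1, "Joe, here is a customer information: 4111-1111-1111-1111"),
    _mail("john.doe", 15, 14, "Joe, here is a customer information: 5500 0000 0000 0004"),
    _mail("john.doe", 15, 17, "Joe, here is a customer information: 4012888888881881"),
    _mail("john.doe", 16, 45, "Joe, here is a customer information: 5555-5555-5555-4444"),
    _mail("john.doe", 16, 50, "Re: here is another customer information: 5105 1051 0510 5100"),
    _mail("jane.roe", 16, 0, "Order ref 1234-2345-3456-4567 (fails Luhn, so not a card)"),
]
```

Running `detect(SAMPLE_EVENTS)` raises a single `drip` incident for john.doe covering all five mails, while no single mail would have crossed the classic five-card threshold.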
While many focus on USB drives when it comes to endpoint protection, there are several other channels of possible data loss.
For discovery, there are several remediation actions available. Actions such as tombstone (delete the file and leave a note indicating it has been deleted), ransom note (indicating where/how to get the file), as well as encryption and application of electronic digital rights management, are supported. For discovery remediation we also support custom scripts, enabling high flexibility to meet specific customer requirements.
Comprehensive data security is multi-faceted. Despite some misnomers of focusing primarily on the data itself, a comprehensive solution must address the entire flow of data. First, you must understand who should have access to particular data. Second, the data itself must be well identified. Third, the valid locations where such data can reside must be defined. Then, how such data can and cannot be transmitted must be defined. Finally, all the previous steps are for nought unless you can granularly control the action associated with each scenario. As you can see, comprehensive data security must consider various factors, requiring simple and unified management. Websense is the only vendor offering Unified Policy Design covering all facets of data security.
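An added example (not the vendor's Unified Policy Design) of how the Who / What / Where / How dimensions of the Business Intelligent Policy Framework slide resolve to one Action per scenario; the rule set, the `*` wildcard convention and the action ranking are assumptions built from the slide's own values.

```python
from dataclasses import dataclass

ANY = "*"
# Response options from the slide, ranked least to most restrictive (assumed order).
ACTION_RANK = {"Audit": 0, "Notify": 1, "Confirm": 2, "Encrypt": 3,
               "Quarantine": 4, "Remove": 5, "Block": 6}
DIMENSIONS = ("who", "what", "where", "how")

@dataclass(frozen=True)
class Rule:
    who: frozenset    # business units (the "Who" column), or {ANY}
    what: frozenset   # data classes ("What")
    where: frozenset  # destinations ("Where")
    how: frozenset    # channels ("How")
    action: str       # response ("Action")

    def matches(self, event: dict) -> bool:
        """Every dimension must be a wildcard or contain the event's value."""
        return all(ANY in getattr(self, d) or event[d] in getattr(self, d)
                   for d in DIMENSIONS)

def rule(who, what, where, how, action) -> Rule:
    return Rule(frozenset(who), frozenset(what), frozenset(where), frozenset(how), action)

# Constructed policy from the slide's values (assumed, not a Websense default set).
POLICY = [
    rule({ANY}, {ANY}, {ANY}, {ANY}, "Audit"),  # baseline: everything is at least logged
    rule({ANY}, {"Source Code"}, {"Competitor", "Personal Web Storage"}, {ANY}, "Block"),
    rule({"Engineering"}, {"Source Code"}, {ANY}, {"Removable Media"}, "Confirm"),
    rule({"Finance", "Accounting"}, {"Financial Statements"}, {"Business Partner"},
         {"Email"}, "Encrypt"),
    rule({ANY}, {"Patient Information", "Customer Records"}, {ANY},
         {"Instant Messaging", "Peer-to-Peer"}, "Block"),
    rule({"Human Resources"}, {"Employee Salary"}, {"Benefits Provider"}, {"Email"}, "Notify"),
]

def matching_actions(event: dict, policy=POLICY) -> list:
    """All actions whose rule matches, most restrictive first (incident detail)."""
    return sorted((r.action for r in policy if r.matches(event)),
                  key=ACTION_RANK.__getitem__, reverse=True)

def decide(event: dict, policy=POLICY) -> str:
    """The most restrictive action among all matching rules wins; the baseline
    rule guarantees there is always at least one match."""
    return matching_actions(event, policy)[0]

def event(who, what, where, how) -> dict:
    return dict(zip(DIMENSIONS, (who, what, where, how)))
```

Source code on removable media by Engineering only asks for a Confirm, but the same copy bound for a Competitor is blocked because the more restrictive rule also matches.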