Data Leak Prevention: Safeguarding Corporate Information in a world of vanishing perimeters
Kostas Papadatos, MSc InfoSec, CISSP, ISO 27001 Lead Auditor, ISSMP, PMP
Director, Security Consulting Services, ENCODE SA
Greek ICT Forum, October 2007
Agenda
The Business Problem…
Why Traditional Controls Fail?
Are We Making the Right Investments?
What We Can Do!
The Business Problem…
Impact from Data Leakage …
– Brand damage
– Stock price
– Regulatory fines
– Loss of customers/business
– Legal and contract liability
– Notification and compensation
– Increased security costs
– Marketing and security response
– Lawsuits
The Economics of Data Leakage
The Financial Services Authority (FSA) has fined Nationwide Building Society (Nationwide) £980,000 for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home.
ChoicePoint to pay $15 million over data breach. Data broker sold information on 163,000 people to alleged crime ring. In addition to a $10 million fine, ChoicePoint will also create a $5 million fund to help consumers who became victims of identity theft …
DuPont Employee Walked Away With $400 Million In Trade Secrets. Company scientist downloaded 22,000 sensitive documents and accessed 16,000 others as he got ready to take a job with a competitor …
TJX says 45.7 million customer records were compromised with an estimated cost over $1 billion …
… for a regulated industry the cost per data record leaked is from $90 to $305 … (Forrester Research)
Executive Directive …
“Protect My Sensitive Data! …and don’t interfere with the business!”
Simple to say but complex to deliver:
– Find the data
• Data discovery
• Data classification
– Monitor the data
• Identify data use and users
• Watch the data at rest and in use
– Protect the data
• Stop data misuse
• Encrypt at rest based on risk
• Encrypt in transit on the network or device
Why Traditional Controls Fail?
Defining a Critical System
Usually we define a system as:
– Data
– Business Application
– Database Server(s)
– Application/Web Servers and/or Mainframe
– Supportive network infrastructure …
[Diagram: the system as four layers, Systems, Networks / Directories, Databases, Applications]
Traditional Security Efforts
So we apply:
– Network Perimeter Security
• Simple/Common: “Border Firewall”
• Advanced: Internal Segmentation, IPS
– Access Control on Systems/Applications
• Simple/Common: username/password, app/sys permissions
• Advanced: Strong authentication, RBAC and IDM
– System Auditing (for the very advanced)
– Disaster Recovery
But still we face critical security issues
What traditional security efforts cannot counter
Exposed output files from the systems
Information Leakage by authorised users
Changes by authorised users
Outsourcers
– Collection Agencies
– Call Centers
– Printing Houses
– IT Outsourcers (Service Providers, Development…)
Administrators
Mobile Users
Lost laptops, Removable media (USBs…)
…
Redefining Business System
In essence we had omitted:
– the Points of Use of the Information/Data processed by the system, i.e. the various workstations/laptops
– the People
– the Processes
[Diagram: the four layers Systems, Networks / Directories, Databases, Applications, with Users as the missing element]
Business Data Main Categories
Application Data (data that is managed by various applications): Financial info, Transactions, Subscriber Info
Files (documents, emails, presentations, etc.): PDFs, Spreadsheets, Word Documents, Emails
“Why traditional controls fail”
– Privileged Users: privileged users should have, and do have, access to the systems and data, so Access Control at Apps/servers cannot help a lot. On the other hand we have no “Access Control” at the Point of Use, i.e. the user’s PC/Laptop, Terminal Services.
– Vanishing Perimeters: with so many parties accessing systems and data inside the border firewall we cannot talk about network perimeters anymore.
– Infrastructure-centric Controls are not enough: our Data live beyond Infrastructure controls (e.g. laptops, outsourcers, business partners…). With current Infrastructure-centric controls it is very difficult to obtain a view of our data’s “whereabouts”, who accessed what and what they did with it!
Are We Making the Right Investments?
Priorities for data protection
Which type of breaches are a top or high priority to your company? (Percentages reflect those who answered “top priority” or “high priority”.)
  Network or system vulnerabilities     86%
  Trojans on employee computers         77%
  Web site vulnerabilities              75%
  Attacks on customer desktops          75%
  Insider abuse: unauthorized access    73%
  Spyware on employee computers         70%
  Insider abuse: authorized users       57%
  Hardware theft                        51%
  Social engineering                    49%
  Theft of backup tapes                 48%
  Paper theft                           39%
Source: Forrester user survey of 83 data protection decision-makers, December 2005
Where data breaches are really occurring
What are the primary means by which data breaches occurred in 2005?
  Insider abuse: authorized users       39%
  Hardware theft                        29%
  Trojans on employee computers         29%
  Spyware on employee computers         21%
  Attack on customer desktops           18%
  Social engineering                    14%
  Insider abuse: unauthorized access    14%
  Paper theft                           11%
  Web site vulnerabilities              11%
  Network or system vulnerabilities      7%
  Don’t know                             4%
  Theft of backup tapes                  0%
Base: 28 of the 83 (34%) data protection decision-makers who experienced at least one breach
Source: Forrester user survey of 83 data protection decision-makers, December 2005
Protection priorities don't align with reality
Priority gap between degree of concern and degree of likelihood (positive: more concern than likelihood, i.e. over-prioritised relative to observed breaches)
  Network or system vulnerabilities     +6
  Web site vulnerabilities              +6
  Insider abuse: unauthorized access    +3
  Theft of backup tapes                 +3
  Attack on customer desktops           +2
  Trojans on employee computers         -1
  Spyware on employee computers         -1
  Paper theft                           -1
  Social engineering                    -2
  Hardware theft                        -6
  Insider abuse: authorized users       -9
Source: Forrester user survey of 83 data protection decision-makers, December 2005
What We Can Do!
What we have to do
Even the best Access Control at the Application/Server level cannot help much with Data Protection when it comes to authorised users (internal or otherwise).
What we have to do:
– Accountability & Control at the Point of Use or the Endpoint
– Distribute controls throughout our “redefined” system
– Ensure that these controls cannot be bypassed even by privileged users (e.g. Admin) and can be centrally managed
– Data-centric controls instead of only infrastructure-centric ones
– Context-based controls instead of “black & white” ones
What DLP products do
…they Secure The “Virtual Perimeter” for Data
How DLP technology works [1]
Monitor & Control every data access/transfer activity:
– File access
– Network uploads/transfers
– Print Operations
– Removable media
– Clipboard operations
– Application field-level logging
Enforce Risk/Classification-based policies
Allow business operations – stop/alert for unauthorised/suspicious ones!
How DLP technology works [2]
[Diagram: the four questions answered for every operation at the point of use]
1. Where did the data come from? (What classification?)
2. What is the user doing with it? Read, Write, Print, Move, Burn, Copy/Paste, Upload, etc.
3. Where is the data going? Devices, Applications, Networks
4. What is the policy regarding actions to be taken?
How DLP technology works [3]
– “All files coming from the xyz File Share should be ‘vaulted’ in a specific directory”
– “All files coming from the xyz Client Application should be ‘vaulted’ in a specific directory”
– “No Copy/Paste outside from the Biz App Client xyz”
– “Files in Directory xyz can be Printed only on Printer ABC”
– “Files in Directory xyz cannot be copied to Removable Media (e.g. USB sticks, CD/DVD)”
– “All files coming from the xyz File Share should be ‘transparently encrypted’”
…
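The find/monitor/protect steps of the Executive Directive and the policy examples above, worked through as an added example (not the page’s, ENCODE’s or any DLP vendor’s code): a small endpoint policy engine in Python. It classifies each monitored operation by origin (a hypothetical inventory of sensitive sources standing in for the “xyz File Share” and “xyz Client Application”) and by content (Luhn-validated card numbers), then applies the context-based rules the slides describe: block copies of confidential data to removable media, print confidential files only on Printer ABC, no paste out of the business application client, alert on uploads of confidential data to a non-approved host, and transparently encrypt confidential files written to the endpoint. The share path \\fs01\finance, the app id app:crm-client, the destination prefixes and the host sharepoint.corp.example are assumptions; the sample events are constructed.

```python
"""Toy endpoint DLP policy engine: classify by origin and content, then decide per
(action, destination). Added example; all names, paths and events are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Classification levels, ranked lowest to highest
PUBLIC, INTERNAL, CONFIDENTIAL = "public", "internal", "confidential"
RANK = {PUBLIC: 0, INTERNAL: 1, CONFIDENTIAL: 2}

# Origin-based classification ("find the data"): hypothetical inventory of sensitive sources
SENSITIVE_SOURCES = {r"\\fs01\finance": CONFIDENTIAL, "app:crm-client": CONFIDENTIAL}
APPROVED_PRINTER = "printer:ABC"                           # the slides' "Printer ABC"
APPROVED_UPLOAD_HOSTS = {"net:sharepoint.corp.example"}   # assumed corporate destination

# Content-based classification: 13-19 digit runs, optionally separated by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long numeric strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_content(text: str) -> str:
    """CONFIDENTIAL if the text carries a Luhn-valid card number, otherwise PUBLIC."""
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return CONFIDENTIAL
    return PUBLIC


@dataclass(frozen=True)
class Event:
    """One monitored operation at the point of use (constructed by an agent hook)."""
    user: str
    action: str        # read | write | print | copy | paste | upload | burn
    source: str        # where the data came from: share path, app id, local path
    destination: str   # where it is going: printer:, removable:, net:, app:, local:
    content: str = ""  # data seen by the agent, when content inspection is possible


def classify(ev: Event) -> str:
    """Highest of the origin-based and content-based classification."""
    origin = PUBLIC
    for prefix, level in SENSITIVE_SOURCES.items():
        if ev.source.lower().startswith(prefix.lower()):
            origin = level
    return max(origin, classify_content(ev.content), key=RANK.__getitem__)


@dataclass(frozen=True)
class Decision:
    verdict: str   # allow | block | alert | encrypt
    reason: str


Rule = Callable[[Event, str], Optional[Decision]]


# Context-based rules, evaluated in order: blocks, then alerts, then transparent encryption
def no_removable(ev: Event, level: str) -> Optional[Decision]:
    if level == CONFIDENTIAL and ev.destination.startswith("removable:"):
        return Decision("block", "confidential data to removable media")
    return None

def print_only_on_abc(ev: Event, level: str) -> Optional[Decision]:
    if level == CONFIDENTIAL and ev.action == "print" and ev.destination != APPROVED_PRINTER:
        return Decision("block", "confidential data may only be printed on " + APPROVED_PRINTER)
    return None

def no_paste_out_of_app(ev: Event, level: str) -> Optional[Decision]:
    if ev.action == "paste" and ev.source == "app:crm-client" and ev.destination != "app:crm-client":
        return Decision("block", "no copy/paste outside the business app client")
    return None

def alert_external_upload(ev: Event, level: str) -> Optional[Decision]:
    if level == CONFIDENTIAL and ev.action == "upload" and ev.destination not in APPROVED_UPLOAD_HOSTS:
        return Decision("alert", "confidential data uploaded to a non-approved host")
    return None

def encrypt_local_copies(ev: Event, level: str) -> Optional[Decision]:
    if level == CONFIDENTIAL and ev.action == "write" and ev.destination.startswith("local:"):
        return Decision("encrypt", "transparent encryption of confidential data stored on the endpoint")
    return None

RULES: List[Rule] = [no_removable, print_only_on_abc, no_paste_out_of_app,
                     alert_external_upload, encrypt_local_copies]


def evaluate(ev: Event) -> Decision:
    """Allow business operations unless a rule says otherwise (default allow)."""
    level = classify(ev)
    for rule in RULES:
        decision = rule(ev, level)
        if decision:
            return decision
    return Decision("allow", f"{level} data; no rule matched")


# Constructed sample events, not real activity
SAMPLE_EVENTS = [
    Event("alice", "copy", r"\\fs01\finance\q3-forecast.xlsx", "removable:E:"),
    Event("alice", "print", r"\\fs01\finance\q3-forecast.xlsx", "printer:ABC"),
    Event("alice", "print", r"\\fs01\finance\q3-forecast.xlsx", "printer:lobby"),
    Event("bob", "paste", "app:crm-client", "app:outlook"),
    Event("bob", "upload", r"local:C:\Users\bob\notes.txt", "net:pastebin.example",
          content="customer card 4111 1111 1111 1111"),      # harmless origin, sensitive content
    Event("bob", "upload", r"local:C:\Users\bob\notes.txt", "net:pastebin.example",
          content="order ref 1234 5678 9012 3456"),          # fails Luhn, stays public
    Event("carol", "write", r"\\fs01\finance\budget.docx", r"local:C:\Users\carol\budget.docx"),
]


def run_demo() -> List[str]:
    """Verdict for each sample event, in order."""
    return [evaluate(ev).verdict for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{verdict:8} {ev.user:6} {ev.action:7} {ev.source} -> {ev.destination}")
```

Rules are ordered blocks, then alerts, then encryption, so an event receives the most restrictive applicable verdict, and the default is allow, which is what “don’t interfere with the business” requires. The content check is what catches the card number in a file whose origin looked harmless (bob’s notes), the case that origin-only controls miss. What this toy does not address is the slides’ requirement that the control cannot be bypassed by a local administrator; that needs a kernel-level agent with tamper protection, not a user-mode policy script.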
Putting all together…
[Diagram: Traditional Controls cover Systems, Networks / Directories, Databases and Applications; DLP Controls protect the virtual perimeter at the point of use, where data flows to Employees, Partners and Outsourcers]
But most important…
Understand your risk profile.
Set proper priorities.
Allocate budgets accordingly.
www.encodegroup.com