Transcript Document
OPTIMIZE YOUR DATA LOSS PREVENTION INVESTMENT FOR BOTTOM LINE RESULTS
DATA LOSS
PREVENTION EXPERTISE
Providing DLP Since 2002 Deployed 400+ DLP Projects Completed 500+ Assessments Manage DLP Solutions in 22 Countries Provide Daily Management of 1,000,000+ Users Globally QUI C K FAC T S
Symantec Master Specialization DLP Partner RSA’s Only Authorized Managed DLP Partner 1st Managed DLP Services Provider (2008) Localized Chinese DLP Practice (2011) Global Support in 130 countries Websense Certified TRITONs – More than any other partner, 7 Olympians & 1 Gladiator
MARKET EVOLUTION
-
2005/2006 GARTNER RESULTS
BEW Global forms partnership with Vericept in 2002. At the time of this report, BEW had 38 deployments of Vericept in the US and UK.
BEW Global and Vontu form a partnership. BEW Global is the first Vontu reseller. Vidius changes name to PortAuthority and accelerates product development and US presence. Reconnex enters market with forensics approach.
MARKET EVOLUTION
-
2007 GARTNER RESULTS
Websense acquires PortAuthority. ($80M) Trend Micro acquires Provilla, October 2007. Raytheon acquires Oakley Networks, October 2007. Tablus touted for exceptional data-at-rest capabilities. “Grid Worker”
MARKET EVOLUTION
-
2008 GARTNER RESULTS
Vontu acquired by Symantec. ($350M) Tablus acquired by RSA. ($40M Approx.) McAfee acquires Reconnex for network DLP ($46M) and Onigma ($20M) for Host DLP.
Verdasys and Fidelis announce strategic partnership.
MARKET EVOLUTION
-
2009 GARTNER RESULTS
CA acquires Orchestria, January 2009. GTB struggles to gain a significant customer base. Palisade Systems and Code Green Networks target SMB DLP market. Workshare late entry into DLP market lacks functionality. Vericept acquired by Trustwave.
MARKET EVOLUTION
-
2010 GARTNER RESULTS
Symantec releases 10.5 and DataInsight to enhance DAR capabilities. RSA releases 8.0 with enhanced endpoint capabilities. Strategic partnership with Varonis. Websense releases 7.5 with upgraded management interface. Claims DLP in 30-minutes. McAfee releases 9.0 with greater integration with network and host DLP into ePO console.
MARKET EVOLUTION
-
2011 GARTNER RESULTS
MARKET EVOLUTION
-
2013 GARTNER RESULTS
USE CASE:
DLP PRE-PROJECT STATE
Organization Overview: DLP Scope: DLP Primary Issue: Application Management: Policy Governance: Incident Triage: Event Management: Reporting and Metrics: Status: Medical Device & Pharmaceutical Manufacturer, 40,000 employees globally Protection of Intellectual Property (General) Customer overwhelmed with inaccurate incident data, no meaningful information Operated and managed by IT Security with limited input from business Failure to use a lifecycle software development process for policy construction Infrequently reviewed by IT with little to no review by business owners Hard to accomplish due to large # of false positives. No “gold nuggets” Zero customized reports. No relevant business analysis provided System generates 25,000 incidents/day / 750,000 incidents/month
BEW GLOBAL
METHODOLOGY
ASSESS QUANTIFY IMPLEMENT OPTIMIZE REVIEW BEW GLOBAL’S CORE DIFFERENTIATORS
Methodology based on the cornerstones of ISO Plan-Do-Check-Act Leverage our proven Quality Management System (QMS) to drive continuous improvement Reduce risk and increase operational efficiencies
POLICY & RULE
GOVERNANCE
Who requests rules & policy requirements? Are business owners engaged?
Who reviews rule requests? Criteria for approved rule?
What’s the process for converting a rule request into a policy? Who’s responsible for converting a rule into technical policy?
Do they have technical policy authoring expertise? What is the formal policy development process?
First drafts rarely work as expected!
Is there a process to relay production policy metrics to stakeholders?
WORKFLOW
DEVELOPMENT & MANAGEMENT
Who develops & manages policy “buckets”?
False positive, inbound partner, outbound employee Who defines thresholds that determine response rules for each “bucket”?
Are 10 SSNs a high, medium or low severity incident?
Who designs & sets the policy response triggers? Malicious, Inadvertent, Suspicious, above threshold. Triage response options: Human notification System notification (auto) Hybrid? Who’s responsible for building alerts, alarms & notifications?
Has business been engaged on event management?
Who manages the DLP policy & rules repository?
Why recreate the wheel?
INCIDENT TRIAGE
& EVENT MANAGEMENT
Who reviews volume & yield of incidents & events?
What’s the review frequency? How are events/incidents routed?
Who owns the incident/event? What metrics are developed to measure success of rules & related policy? Who ‘s responsible for developing metrics?
Revision of rules based on quality of policy results.
Who manages policy optimization process? How does DLP fit in overall incident/event management process? Can this be mapped to DLP system? How will integrated systems be tied together to yield valued info?
Secure mail, web gateway, GRC, SIEM
BUSINESS ANALYTICS
Who drives report requirements? Requestors, Reviewers, others?
Who develops reports? Do they have the expertise with 3 rd party reporting tools?
Are DLP system generated reports adequate?
Are the metrics valuable & driving meaningful change?
Report accuracy tied into QA process?
APPLICATION
MANAGEMENT PITFALL Inadequately Trained Infrastructure Resources Inadequate Planning & Resources
Problem:
Current IT infrastructure management is often inadequately trained for planning, deployment and ongoing operational management of DLP system. (Oracle vs. SQL, etc.)
Solution :
Better internal planning & cross functional involvement. In addition to outsourced 3 availability. rd party management of on premise solution or fully managed cloud-based delivery. This provides you with instant expertise reducing the need for staffing and providing higher
POLICY GOVERNANCE
PITFALL
No Plan of Attack Inadequate Planning & Resources
Problem:
A survey of 50 DLP customers in 2010 said unmanageable incidents.
83% o
f firms did not consider the overall DLP system cycle & the necessary resources for optimal system usage prior to solution acquisition. Inadequate or lack of resources leads to poor policy construction &
Solution :
A well thought out DLP scope with a supporting policy governance process that is
VERY inclusive of business units
as well as involvement with the triage & event management process. There must be people budgeted for any DLP project as well as preparation for business unit buy-in. input
POLICY GOVERNANCE
PITFALL
Failure to Engage the Business Stuck in the IT Department
•
Problem:
A survey of 50 DLP customers in 2010 said
76%
the creation & usage of the data targeted for protection. of firms stated the DLP system technical management & daily operations were the responsibility of a group directly involved with IT. In these cases it is very rare to find heavy involvement from business owners directly involved with •
Solution
in conjunction with technical management, is the best recipe for success on the
:
Designation of a primary business owner of the DLP solution,
front-end planning phase
of the project. Without direct & serious involvement from the business, it is very likely that the entire DLP program will never get more than mediocre results.
POLICY GOVERNANCE
PITFALL
Lack of Rule Customization Inaccuracy of Out-of-Box (OOB) Policies
•
Problem:
The reliance of organizations to use OOB policies as the primary detection criteria for their DLP scope. In many cases data identifiers in OOB policies may
never capture unique attributes
of a organizations information targets, yielding a combination of false positives and false negatives which lead to an unmanageable incident yield. •
Solution :
Prior to enabling
ANY
managed production policies, it is highly recommended to select
one primary data criteria
to focus initial efforts. Once agreed upon, use business process mapping to capture how the data is used and stored. Then, obtain examples and construct policies based on the collected data.
DATA-IN-MOTION
PITFALLS:
Missing the Target – False Sense of Security Mis-configured Tap or Port Span Encryption – The Masked Data Problem
Missing segments of network traffic or protocols
Solution
Comprehensive test plan that maps to in scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured.
Problem
Analysis of data DID not take place prior to encryption.
Solution
Comprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan.
Misfire of Network Discovery Scans Problem
Locations of sensitive data
never targeted
by the organization for scanning due to lack of an effective policy governance process.
Solution
Identify potential data stores by discussing the DLP program with staff to understand process.
Network versus Endpoint Discovery Problem
Running DAR scans using a combo of network & endpoint without thinking about which
policy types & detection methods are not the same.
Solution
Prior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then, decide on .
scanning method.
DATA-IN-USE
(ENDPOINT) PITFALLS:
The Pandora’s Box of DLP Environment Assessment Staying in Contact User Performance Impacts Network/System Performance Impacts
•
Problem
No rigorous endpoint environment assessment prior to the selection of the application & enablement.
•
Solution
Address age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints. •
Problem
Failure to monitor endpoint population & their frequency of
“checking-in”
to the management server with validated results. •
Solution
Phased deployment of endpoint with validation via test plan on initial success of ALL agents & on going endpoint agent health reports. •
Problem
Implementing same policies for network based & endpoint assessments without testing or modification. •
Solution
Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment. •
Problem
Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections. •
Solution
Thorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.
QMS SAMPLE
QUARTERLY REPORT
USE CASE
–POST PROJECT STATE
Organization Overview: DLP Scope: DLP Primary Goal: Application Management: Policy Governance: Incident Triage: Event Management: Reporting and Metrics: Status:
Medical Device & Pharmaceutical Manufacturer, 40,000 employees globally Focused on 3 specific product lines linked to highest revenue & earnings Identification of unauthorized movement of specific elements of IP Operated by a combination of IT, messaging & desktop management teams 100% customized policies based on data collected from business unit Daily review of incidents by Information Security Incidents meeting severity criteria routed to business unit for investigation Behavioral pattern analysis leading to preventive actions R&D teams have high-level of confidence in ability to identify leakage of IP
B E W G L O B AL H Q
5613 DTC Parkway Suite 1250 Greenwood Village, CO 80111 USA (ph) +1 720 227 0990 (fax) +1 720 227 0984
www.bewglobal.com
B E W G L O B AL E M E A
3 Albany Court Albany Park Camberley GU16 7QR England (ph) +44 (0) 845 481 0882 (fax) +44 (0) 871 714 2170
www.bewglobal.com
B E W G L O B AL A P A C
520 Oxford Street Level 23, Tower 1 Bondi Junction Sydney 2022 (ph) +61 (2) 9513 8800 (fax) +61 (2) 9513 8888
www.bewglobal.com