Transcript Slide 1

Enterprise Information Protection
When DLP is Not
Enough?
Graham Howton
Channel Manager, EMEA
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Agenda
•Introduction to Verdasys
•Gartner
•The Insider Threat and APT’s
•Enterprise Information Protection (EIP)
•Importance of user-awareness
•Use-Cases
Enable ownership & control
independent of network infrastructure
—
Uniquely satisfy an expanding set of
critical use cases
—
Scale from the desktop to the cloud
FINANCIAL
—
INSURANCE
Secure business processes not
infrastructure
HI-TECH &
OUTSOURCING
—
RETAIL &
TELECOM
Data-centric, risk based protection of
structured and unstructured data
LIFE SCIENCES &
MANUFACTURING
—
GOVERNMENT
ENERGY &
DEFENSE
Enterprise Information Protection
FINANCIAL
Verdasys: The Leader in EIP
© 2011 Verdasys Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY
Gartner Magic Quadrant 2011
4
Traditional Approaches Have Failed
New Threat = New Product, Vendor
Force Business Process to Change
User Productivity Impacted
Numerous Control Panels, Interfaces
Multiple disparate Policies, Reports
Expensive Deployments, Support
Increasing Complexity, Cost and Risk
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
US National Security Agency
Experts from the US National Security Agency and government labs said
America had to change the way it thought about protecting Department of
Defense (DoD) computer networks.
"We've got the wrong mental model here," said Dr James Peery, head of the
Information Systems Analysis Centre at the Sandia National Laboratories. "I
think we have to go to a model where we assume that the adversary is in
our networks.“
That change would mean spending less time shoring up firewalls and
gateways and more time ensuring data was safe, he said.
Dr Kaigham Gabriel, current head of the Defense Advanced Research Projects
Agency, likened the current cybersecurity efforts of the US DoD to treading
water in the middle of the ocean.
All that did was slightly delay the day when the DoD drowned under the weight
of maintaining its network defences, he said. The DoD oversees 15,000
networks that connect about seven million devices.
Federal Bureau of Investigation
Shawn Henry - “Top Cyber Cop”
The Federal Bureau of Investigation's top cyber cop offered a grim
appraisal of the nation's efforts to keep computer hackers from plundering
corporate data networks: "We're not winning," he said.
10 years worth of research and
development, valued at more than $1
billion, was stolen by hackers
unidentified company?
Companies need to do more than just react to intrusions!
Source: Mar. 28, 2012, on page B1 in The Wall Street Journal, with the headline:
U.S. Outgunned in Hacker War
Top Data Security Challenges
Insider Threats
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Insider Threat
•
Privileged user data management is the “last mile” of
data security
•
Insiders are trusted with IP, but it is difficult to hold them
accountable for its use
•
When incidents occur, investigations are costly, timeconsuming, and don’t necessarily provide smoking guns
to prosecute
•
So far, WikiLeaks has not been a game-changer for
privileged user management in banks or insurers, but
APT has taken the Insider Threat to another level
•
Solution value dependent on potential damages caused
if insider steals IP
Defining Insider Threat Types
• Malicious
– Motivation = anger, dissatisfaction
– Threat = attack systems and network
• Theft
– Motivation = money, economic gain
– Includes corporate & state espionage
– Threat = data theft
• Hacktivits (e.g. Anonymous)
– Motivation = anger & dissatisfaction or belief
– Threat = data theft
What Happens When Cyber Espionage
Succeeds
The vicious cycle of compromise
Data compromise occurs in market leader
Competitor launches new product or service
- Time to market is equal or ahead
- Competitive product is offered at a lower price
- Greatly reduced R&D costs
Company or business unit financials become negative
- Margins on sales & volume of sales begin to drop
Company can no longer compete and exits market
where it was once a leader
- Sale of business loses money for company & investors
Bad guys use profits to define and enter new markets
Insider Threat Incident: LG
Joeng (only known name)
• Copied 1,182 top secret plasma display design files onto his personal
drive and went to Changhong-Orion PDP
– Changhong, reportedly paid Joeng $300,000 per year, an apartment and
a car (while he still collecting his LG salary)
• LG was unaware Jeong had left, leaving his access to the network
open
– Stole file: plasma display panel production
– Stole files: plant’s power system and construction blueprints
• LG was made aware of thefts by a distributor in SE Asia
• Joeng was extradited, Prosecutors in Seoul indicted Joeng for spying
• Cost to LG - estimated at more than $1 Billion
– Changhong has not returned any of the stolen secrets
Lessons Learned
• How was Joeng caught?
– Third party distributor recognized technical manuals were copied
and alerted LG
• Lessons Learned
– Data monitoring: location, access and movement related to
sensitive data must be understood
– De-provisioning process at the network, application and data
levels needs to be in place an effective.
– Business Managers and HR must work with Security
– USB device usage monitoring and controls, as well as other
channels need to be in place
Insider Threat Mitigation: Best Practices
1. Create integrated processes Business, HR and
Security
– Create standard on-boarding and off-boarding processes
– Increase data usage monitoring for incidents & departures
2. Distribute trust amongst multiple parties to force
collusion
– Most insiders act alone
3. Link Policy Training w/ Risk and Compliance
Analysis
– Real-time education, alerting & justification prompts
– Allow self-compliance; create clear deterrence
Insider Threat Mitigation: Best Practices
• Assess insider risks by content and context
– Not just “what”, but “who, where, when, & how”
– Using a sliding response scale; risk based approach
• Create Data Identification & Classification
– Automatic or manual tagging (w/ auditing)
– Files using previously tagged content inherit classification
• Use Identity-based Data Controls
– Based on user rights, file sensitivity, source & destination, etc
– Use encryption for data access - closes “super user” loopholes
Insider Threat Mitigation: Best Practices
• Implement integrated physical and logical (technical)
security controls to cover more risks effectively
– Camera monitoring, linked with data usage and movement
controls
• Put Data Usage Monitoring & Control in Place
– Host based monitoring is a requirement
– Establish data usage norms, watch for behavioral changes
• Forensically Log Events
– Assure all data transactions are user-attributable
– Logs must be evidentiary grade and tamper proof
EIP: The Balance of Enablement and
Security
Implementing both technology and process to maximize the
“left” while minimizing the “right”
LEFT
RIGHT
Productivity
Flexibility
Mobility
Creativity
Simplicity
Ease of Use
Transparency
Value Return
Cost
Information Security
Operational Security
Data Loss Prevention
Regulatory Compliance
User Education & Awareness
Trust but Verify
BALANCE
Build a unified and collaborative information governance program
Beware!!!!
All DLP
solutions are
not the
same!!!!!!
Enterprise Information Protection
EIP is an information centric platform and methodology
– Enables efficient data exchange
– Protects sensitive information
– Improves data governance, risk mitigation and compliance
– Empowers the individual
– Allows Business to function
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Distinct Information Protection Strategies
Distributed Data Discovery
Automated Classification and Tagging
Host Content & Context Monitoring & Control
Unified Encryption (file, email, disk)
Removable Media / Device Mgt
Application Based Email Monitoring & Control
VDI/Virtual Environment Controls
Logical Network Segmentation
Secure Collaboration
Export Data Controls
Email Monitoring & Control
Application Vaulting
Application Data Management
eDiscovery & Forensics
Host Based Network Control
Information Policy Awareness & Training
Legacy Application Remediation
Host Monitoring & Control
Process Compliance Enforcement & Auditing
Network Monitoring & Control
Data Discovery
21
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Enterprise Information Protection
EIP focuses on business value creation not on the risks it mitigates
– Enables the implementation of value building business drivers, by enforcing the
proper, secure and compliant use of information
EIP
Core Business
Processes
Outsourced
Processes
Supply Chain
Processes
Third Party
Processes
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Digital Guardian System Architecture
Digital Guardian
Management Server
Reporting
Policy
Definition
Configuration
Alert
Management
Data Usage
& Alerts
Content &
Control Policies
BES or EAS
Server
Agent
Virtualization
Infrastructure
(Citrix, VMware)
Desktop/Laptop
Agents
Server
Agents
eDiscovery
Agent
Network
Agents
VDI Agents
Mobile
Users
Repository Remote Scanning
- File shares
- Sharepoint
Actionable Data Classification
Increased Flexibility, Adoption and Accuracy
• Three levels of data definition
– Context
– Content
Context
– User
• Classification travels with the data
– Meta Tag
Automatic
Tamper Proof
Inheritance
Persistence
Drives policy
Meta & NTFS Tags
– NTFS Tag
• Multi-level & multifaceted
classification
– Sensitivity level & data type tags
– Tag verification & propagation
– Data movement audit and tracking
User
Content
The Context of Data-Centric Security
DISCOVER
MONITOR
What & where is
Sensitive Data?
Classification
Persistent
Inheritance
Context
Application
Location
Type
Content
Expression
Similarity
Keyword
Dictionary
IDENTITY
ACTIVITY
DESTINATION
CONTROL
Who is
using the Data?
What is the User
Doing With It?
Where Is the
Data Going?
What action is
appropriate?
IT Admin
DBA
Desktop
Network
Privileged
Executives
Hi-Value
Rights
Access
Usage
Context
Location
Wireless
LAN
VPN
Files
Move
Copy/Paste
Burn/Print
Upload/IM
Email
Attach
Copy/Paste
Compose/Send
Application Data
View
Delete
Modify
Export
Servers
Devices
Networks
Applications
Printers
IP Addresses
Recipients
Incident Alert
Detection
Prompt User
Intent/Educate
Warn Users
Awareness
Encrypt Data
Protection
Access Control
Block Action
Prevention
Mask Data
Need to know
Continuous Logging, Auditing – Summary, Inventory, Trending & Forensic Reporting
Digital Guardian Enforces A Virtual
Information Protection Perimeter
Partner
Site
Citrix
Server
DG
Partner
Site
Corporate
Email
File
Server
Web Email
Trust
Verification
Agent
Digital Guardian
Server
Outsourcer A
Partner
Site
Password _ _ _ _ _ _
Outsourcer B
Use-Case - Social Networking Risks
•
With the tremendous power of social
networking, comes a myriad of associated risk:
• IP Protection
• Privacy Protection
• Risks to Reputation
•
National Security Risk
• Key location and movement information
•
IT Risk
•
•
•
•
Apps written quickly by unknown parties,
Security and intrusion vulnerabilities,
Inability to control apps contained within browser
User ability to install unauthorized apps.
• Incident – Soldier posts operational details on
Facebook!
27
© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT
REPRODUCE.
Digital Guardian End Point & Server
Data Monitoring and Control
Data Monitoring
Non-Company Network
• Visibility into data usage
• Audit and logging
Logging
(default)
• Data Life Cycle Management
Alert Admin
– Records management…data retention
company
Detection
Warn User
Data Usage Control
company
Awareness
• Enforce acceptable use policies through
real-time controls
Prompt User
Intent
Encrypt Data
– Mask
– Prompt, warn and justify
– Alert and incident escalation management
– Block
myaccess.company.com
Accountability
Protection
company
Block Action
Prevention
Mask Data
Need to
Know
company
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Login Warning Prompt
29
© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT
REPRODUCE.
Pasting Data
30
© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT
REPRODUCE.
Report Capability
•
Logins by site (When Possible)
•
Uploads by site
•
Uploads by file extension
•
Downloads by site
•
Downloads by file extension
•
ADE attempts by site
•
ADE attempts by extension
31
PA
© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT
REPRODUCE.
Typical APT Attack Lifecycle: Example
Network App
Memory
Machine
User
Network
Server
Spear
Phishing
(?)
Final Destination
IP
Network
Internet
Network
IP
Machine
DG APT Defense in Depth:
Many opportunities to Detect, Alert and Stop
!
!
!
!
!
Network
Agent
STOP
Network
Agent
Core
(App Control)
APT
Module
Core
DG
Server
Core
#@%&!
Attacker
Core + AFE
Core + Network Agent
Core
Network Agent
US Department of Justice
“…our critical requirements are persistent classification, global visibility
and complete data usage audit. Verdasys uniquely delivers those
capabilities and partnered with us to extend their platform to do more… ”
Chad Fulgham, CISO DOJ
Classified information protection, audit and investigation on an
unprecedented scale
Use Case Coverage
•
Classified information protection
•
Privileged user monitoring and control
•
Mobile workforce enablement
Future Coverage
•
Legacy application monitoring & audit
Critical Differentiators
•
Actionable & persistent data classification
•
Audit and forensic case management
•
Hardened & Stealthy agent
Eliminated physical security paradigms
•
Eliminated $12M in alternative building
hardware & software costs
Reduced investigative costs
•
Cut investigation costs by $8M per annum
Reduced Potential Classified Breach Costs
•
Estimated $100 Million per annum
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
ING BANK
“Our security goal is to create more collaborative environments.
Digital Guardian mitigates the risk of data loss in our open work
places and supports are partnership with Workers Councils ”
Eric Luiken, Chief Architect
Protecting PII while supporting an open and collaborative working
environment
Use Case Coverage
•
•
•
•
PII protection
User policy awareness & training
Remote media control and encryption
Social networking control
(Face Book & Linked in)
Future Coverage
ROI: Reduced Software Costs
Displaced USB device and
Email gateway & monitoring
software reducing licenses and
support costs by $2.5M
• Email encryption
Critical Differentiators
• Social Networking upload controls
• Workers Council approval
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Ferrari Formula-1 Racing
“Digital Guardian has grown to be one of the pillars of our security strategy
and our foremost tool for insider threat prevention and protection.”
Davide Ferrari,
Direzione Operazioni
Securing critical design IP across the enterprise and at 20 race
tracks around the globe.
Current Use Case Coverage
•
•
•
Race car design and racing strategy IP
protection
Privileged user monitoring & Control
eDiscovery and Forensics
Future Platform Development
•
Unified encryption (email, file and full disk)
Critical Differentiators
•
•
Secure collaboration at race sites
•
Save $2M per annum in alternative
security costs
Decreased administrative staff
•
Reduce FTE costs by $4M per annum
Prosecuted Insider Compromise
•
$100 Million fine to F-1 Racing
•
Default victory of Constructor Cup $500M
Real-time Privileged user monitoring and audit
Forensic case management
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Data-Centric Questions?
• How do you know where your sensitive data is right now?
• How do you know how data moves within your business
processes and what your employees are actually doing with the
data they access to do their jobs?
• What are your employees doing with your data when they are
off or outside the network?
• How do you manage data on mobile devices and BYOPC?
More Data-Centric Questions?
• What is the 3rd line of your corporate security policy?
• How many of your employees actually know it?
• How do you effectively train your employees on data
security polices and ensure they are in compliance in real-time?
• What would the benefit be to the organization if
security enabled the business instead of security
controls or policies hindering business processes?
Comprehensive Data Security,
Lowest TCO
Increased Complexity, Cost and Risk
Lower TCO, Complexity & Risk
Force Business Process to Change
No Change to Business Process
User Productivity Impacted
User Productivity Not Impacted
New Threat = New Product, Vendor
New Threat = New Policy, Control
Numerous Control Panels, Interfaces
Single Control Panel & Interface
Multiple Policies, Reports
Unified Policies, Integrated Reports
Expensive Deployments, Support
Single Vendor, Lower Costs
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Proven EIP Success
Lower TCO, Complexity & Risk
“Rival Racing Team Fined $100 Million in Spy Scandal”
No Changewith
to Business
Process
USG agrees settlement
Lafarge
Mon, 07 Dec 2009
User
Productivity
Impacted
Under the agreement
USG
will receiveNot
USD105m
New Threat = New Policy, Control
Single Control Panel & Interface
Unified Policies, Integrated Reports
Single Vendor, Lower Costs
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
The Four Seminal Ideas of Data Security
1. Data is the correct unit of measurement
• Requirement is data-centric not Network or Device centric
• Visibility, monitoring, control
2. Operate close to the user
• The desktop is today’s data router
• Understand full-context of data type, content & user action
3. Take a risk based approach to protection
• Automated, persistent discovery & classification of data
• Classification-driven information monitoring and policy enforcement
4. Flexibility to support and enhance business processes
• No one response/control is appropriate to all risks
• Shaping user behavior through warnings/prompts of greatest value
• Encryption as an integrated control safeguards data; establishes trust
Thank You