Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Leak Prevention: Safeguarding Corporate Information in a world of vanishing perimeters Kostas Papadatos MSc InfoSec, CISSP, ISO 27001 Lead Auditor,

Similar presentations


Presentation on theme: "Data Leak Prevention: Safeguarding Corporate Information in a world of vanishing perimeters Kostas Papadatos MSc InfoSec, CISSP, ISO 27001 Lead Auditor,"— Presentation transcript:

1 Data Leak Prevention: Safeguarding Corporate Information in a world of vanishing perimeters Kostas Papadatos MSc InfoSec, CISSP, ISO Lead Auditor, ISSMP, PMP Director, Security Consulting Services ENCODE SA Greek ICT Forum, October 2007

2 Agenda  The Business Problem…  Why Traditional Controls Fail?  Are We Making the Right Investments?  What We Can Do!

3 Agenda  The Business Problem…  Why Traditional Controls Fail?  Are We Making the Right Investments?  What We Can Do!

4 Impact from Data Leakage …  Brand damage  Stock price  Regulatory fines  Loss of customers/business  Legal and contract liability  Notification and compensation  Increased security costs  Marketing and security response  Lawsuits

5 The Economics of Data Leakage The Financial Services Authority (FSA) has fined Nationwide Building Society (Nationwide) £980,000 for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home. ChoicePoint to pay $15 million over data breach Data broker sold information on 163,000 people to alleged crime ring In addition to a $10 million fine, ChoicePoint will also create a $5 million fund to help consumers who became victims of identity theft … DuPont Employee Walked Away With $400 Million In Trade Secrets Company scientist downloaded 22,000 sensitive documents and accessed 16,000 others as he got ready to take a job with a competitor … TJX says 45.7 million customer records were compromised with an estimated cost over $1 billion ….. for a Regulated industry the cost per data record leaked is from $90 to $305 … Forrester Research.. for a Regulated industry the cost per data record leaked is from $90 to $305 … Forrester Research

6 Executive Directive …  Simple to say but complex to deliver –Find the data Data discovery Data classification –Monitor the data Identify data use and users Watch the data at rest and in use –Protect the data Stop data misuse Encrypt at rest based on risk Encrypt in transit on the network or device “Protect My Sensitive Data! …and don’t interfere with the business!”

7 Agenda  The Business Problem…  Why Traditional Controls Fail?  Are We Making the Right Investments?  What We Can Do!

8 Defining a Critical System  Usually we define a system as:  Data  Business Application  Database Server(s)  Application/Web Servers and/or Mainframe  Supportive network infrastructure  … Systems Networks / Directories Databases Applications

9 Traditional Security Efforts  So we apply:  Network Perimeter Security –Simple/Common: “Border Firewall” –Advanced: Internal Segmentation, IPS  Access Control on Systems/Applications –Simple/Common: username/password, app/sys permissions –Advanced: Strong authentication, RBAC and IDM  System Auditing (for the very advanced)  Disaster Recovery But still we face critical security issues Systems Networks / Directories Databases Applications

10 What traditional security efforts cannot counter  Exposed output files from the systems  Information Leakage by authorised users  Changes by authorised users  Outsourcers –Collection Agencies –Call Centers –Printing Houses –IT Outsourcers (Service Providers, Development…)  Administrators  Mobile Users  Lost laptops, Removable media (USBs…) ……

11 Redefining Business System  In essence we had omitted – the Points of Use of the Information/Data processed by the system, i.e. the various workstations/laptops – the People – the Processes Systems Networks / Directories Databases Users Applications ?

12 Business Data Main Categories Application Data Financial info Transactions Subscriber Info Files PDFs Spreadsheets Word Documents s  Application data: data that is managed by various applications.  Files: documents, s, presentations, etc.

13 “Why traditional controls fail”  Privileged Users – Privileged users should and have access to the systems and data, so Access Control at Apps/servers cannot help a lot – On the other hand we have no “Access Control” at the Point of Use, i.e. the user’s PC/Laptop, Terminal Services  Vanishing Perimeters – With so many parties accessing systems and data inside the border firewall we cannot talk about network perimeters anymore  Infrastructure-centric Controls are not enough – Our Data live beyond Infrastructure controls (e.g. laptops, outsourcers, business partners…) – With current Infrastructure-centric controls is very difficult to obtain a view of our data “whereabouts”, who accessed what and what they did with it!

14 Agenda  The Business Problem…  Why Traditional Controls Fail?  Are We Making the Right Investments?  What We Can Do!

15 Priorities for data protection 39% 48% 49% 51% 57% 70% 73% 75% 77% 86% Paper theft Theft of backup tapes Social engineering Hardware theft Insider abuse: authorized users Spyware on employee computers Insider abuse: unauthorized access Attacks on customer desktops Web site vulnerabilities Trojans on employee computers Network or system vulnerabilities Which type of breaches are a top or high priority to your company? Percentages reflect those who answered “top priority” or “high priority.” Source: Forrester user survey of 83 data protection decision-makers, December 2005

16 Where data breaches are really occurring 0% 4% 7% 11% 14% 18% 21% 29% 39% Theft of backup tapes Don't know Network or system vulnerabilities Web site vulnerabilities Paper theft Insider abuse: unauthorized access Social engineering Attack on customer desktops Spyware on employee computers Trojans on employee computers Hardware theft Insider abuse: authorized users Base: 28 of the 83 (34%) data protection decision-makers, who experienced at least one breach What are the primary means by which data breaches occurred in 2005? Source: Forrester user survey of 83 data protection decision-makers, December 2005

17 Protection priorities don't align with reality Priority Gap Degree of likelihood Degree of concern Source: Forrester user survey of 83 data protection decision-makers, December 2005 Network or system vulnerabilities Web site vulnerabilities Insider abuse: unauthorized access Theft of backup tapes Attack on customer desktops Trojans on employee computers Spyware on employee computers Paper theft Social engineering Hardware theft Insider abuse: authorized users Lowest Highest

18 Agenda  The Business Problem…  Why Traditional Controls Fail?  Are We Making the Right Investments?  What We Can Do!

19 What we have to do  Even the best Access Control at the Application/Server level cannot help much with Data Protection when it comes to authorised users (internal or otherwise)  What we have to do: –Accountability & Control at the Point of Use or the Endpoint –Distribute controls throughout our “redefined” system –Ensure that these controls cannot be bypassed even by privileged users (e.g. Admin) and can be centrally managed –Data-centric controls instead of only infrastructure-centric ones –Context-based controls instead of “black & white” ones

20 What DLP products do …they Secure The “Virtual Perimeter” for Data

21 How DLP technology works [1]  Monitor & Control every data access/transfer activity – File access – Network uploads/transfers – Print Operations – Removable media – Clipboard operations – Application field-level logging  Enforce Risk/Classification-based policies  Allow business operations – stop/alert for unauthorised/suspicious ones!

22 How DLP technology works [2] What is the User Doing With It? Read, Write, Print, Move, Burn, Copy/Paste, Upload, etc. Where Did the Data Come From? (What Classification?) Where Is the Data Going? What is the Policy regarding Actions to be taken? Devices Applications Networks 1423

23 How DLP technology works [3]  “All files coming from the xyz File Share should be “vaulted” in a specific directory”  “All files coming from the xyz Client Application should be “vaulted” in a specific directory”  No Copy/Paste outside from the Biz App Client xyz  “Files in Directory xyz can be Printed only on Printer ABC”  “Files in Directory xyz cannot be copied to Removable Media (e.g. USB sticks, CD/DVD)”  “All files coming from the xyz File Share should be “transparently encrypted” ……

24 Business Data Putting all together… Systems Networks / Directories Databases Applications Traditional Controls DLP Controls (protecting virtual perimeter) Employees Partners Outsourcers Data flows to the user

25 But most important…  Understand your risk profile.  Set proper priorities.  Allocate budgets accordingly.

26 _


Download ppt "Data Leak Prevention: Safeguarding Corporate Information in a world of vanishing perimeters Kostas Papadatos MSc InfoSec, CISSP, ISO 27001 Lead Auditor,"

Similar presentations


Ads by Google