Pedigree: Network-wide Protection Against Enterprise Data Leaks
Pedigree: Network-wide Protection Against Enterprise Data Leaks
Team: Nick Feamster, Assistant Professor, School of CS; Anirudh Ramachandran, PhD candidate, School of CS; Yogesh Mundada, PhD student, School of CS; Mukarram Tariq, PhD
Georgia Tech

Motivation: Data Leakage Prevention
– Security breaches are skyrocketing; each incident costs $6.75 million on average [1]
– Privacy Rights Clearinghouse reports 93.8 million personal records lost or stolen since 2005
– Many companies dealing in sensitive information (e.g., financial information, source code, health records) have little to no DLP infrastructure
[1] 2010 Global Cost of a Data Breach, April 2010

Problems with Existing Technology
– Not cohesive: needs separate solutions for data leaks through email, USB, the network, etc.
– Not comprehensive: relies on heuristics to identify and filter confidential data, so it is susceptible to circumvention (e.g., format conversion, encryption)
– Complicated maintenance and management: policies have to be maintained both at endpoints and in the network, and need constant updating

Pedigree's Vision
Pedigree aims to stop many data leaks in enterprises, accidental or intentional, using a content-agnostic, formal approach called Information Flow Control [1]
Advantages
– Highly expressive, fine-grained policy controls for both operators and users
– Cannot be circumvented by encrypting or copy-pasting sensitive data, because the label travels with the data rather than being inferred from its content
– Low deployment overhead
[1] D. E. Denning, "A Lattice Model of Secure Information Flow", CACM 1976

How does Pedigree work?
– Pedigree requires a small OS module at endpoints called a labeler (comparable in deployment effort to installing antivirus software)
– Pedigree associates metadata, called labels, with sensitive information; labels are tracked across the enterprise by labelers
– Enforcers located at end-hosts (as an OS module) and in the network (as a firewall) enforce policies each time information flows from one resource to another

Example
[Figure: Alice and Bob on the enterprise network, a fileserver holding file F, and a policy DB]
1. Alice creates sensitive file F on the fileserver
2. Alice sets policies on F: allow only Bob read access to F; disallow sending F outside the enterprise
3. Bob can read F; other users cannot
4. Although Bob can read F, he cannot copy F to a removable drive or send F outside the enterprise

Use-case 1
Protecting company-wide information not ready for public release (e.g., quarterly reports)
Pedigree solution
– The report creator adds a "sensitive" taint to the label of the report
– Any user who accesses the data can only read it; they cannot electronically leak the data without compromising their operating system (very hard)

Use-case 2
A user wants feedback on a document from a diverse group of users in the enterprise, but does not want them to take the document outside the enterprise servers
Pedigree solution
– The user uses a simple GUI to create a new group (distinct from OS groups), giving other users "read" but not "export" access
– Users in the group can read the data, but cannot copy it to removable drives or send it over email
– Users not in the group cannot even read the data (this check is done separately from OS permission checks)

Technical Details
– Pedigree software on endpoints performs a check each time two resources with incompatible labels interact (e.g., a process reads a file labeled "sensitive")
– If a process reads a sensitive file, its own label acquires the sensitive status
– All future communication by this process is labeled "sensitive" and can be checked by enforcers
– This stops accidental data leakage
– It is not thwarted by encrypting the sensitive information, because the enforcer checks the label, not the content
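The following is an added toy model of the label-propagation and enforcement rules described in the Example slide and in the Technical Details above; it is illustration code, not Pedigree's own implementation. It assumes a label is a set of taints, that each taint has a policy (who may read it, whether it may leave the enterprise, whether it may go to removable media), that reading joins the source's taints into the reader's label, and that an enforcer checks every flow against the taints of the source. The resource names, the "F-sensitive" taint and the scenario are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TaintPolicy:
    """Policy attached to one taint (assumed shape, not Pedigree's own)."""
    readers: frozenset           # principals allowed to receive data carrying this taint
    export: bool = False         # may such data leave the enterprise network?
    removable: bool = False      # may such data be copied to removable media?


@dataclass
class Resource:
    """A file, process, network destination or USB device with a label."""
    name: str
    kind: str                    # "file" | "process" | "net" | "usb"
    owner: str                   # principal owning the file or running the process
    label: set = field(default_factory=set)   # set of taints; grows by join on read
    outside: bool = False        # for "net": destination is outside the enterprise


class Enforcer:
    """Checks each flow src -> dst against the policies of src's taints only.

    The content of the data is never inspected, so encrypting or re-encoding
    it changes nothing: the label is what is checked.
    """

    def __init__(self, policy_db: dict):
        self.policy_db = policy_db   # taint -> TaintPolicy

    def check(self, src: Resource, dst: Resource):
        for taint in sorted(src.label):
            pol = self.policy_db[taint]
            if dst.kind in ("process", "file") and dst.owner not in pol.readers:
                return False, f"{dst.owner} may not receive '{taint}' data"
            if dst.kind == "net" and dst.outside and not pol.export:
                return False, f"'{taint}' data may not leave the enterprise"
            if dst.kind == "usb" and not pol.removable:
                return False, f"'{taint}' data may not go to removable media"
        return True, "ok"

    def flow(self, src: Resource, dst: Resource):
        ok, why = self.check(src, dst)
        if ok:
            dst.label |= src.label   # label join: dst now carries src's taints
        return ok, why


def run_scenario():
    """Alice's file F: readable by Bob only, never exported (constructed scenario)."""
    policy_db = {"F-sensitive": TaintPolicy(readers=frozenset({"alice", "bob"}))}
    enf = Enforcer(policy_db)

    F = Resource("F", "file", "alice", {"F-sensitive"})
    bob_editor = Resource("editor", "process", "bob")
    bob_enc_copy = Resource("F.gpg", "file", "bob")          # encrypted copy Bob writes
    carol_editor = Resource("editor", "process", "carol")
    internal_mail = Resource("mail.corp", "net", "bob", outside=False)
    external_mail = Resource("mail.example.org", "net", "bob", outside=True)
    usb = Resource("usb0", "usb", "bob")

    results = {}
    results["bob_reads_F"] = enf.flow(F, bob_editor)[0]             # allowed
    results["carol_reads_F"] = enf.flow(F, carol_editor)[0]         # denied: not a reader
    # Bob's editor is now tainted; an encrypted copy it writes inherits the taint
    results["bob_writes_encrypted"] = enf.flow(bob_editor, bob_enc_copy)[0]
    results["encrypted_copy_tainted"] = "F-sensitive" in bob_enc_copy.label
    results["encrypted_to_external"] = enf.flow(bob_enc_copy, external_mail)[0]  # denied
    results["editor_to_usb"] = enf.flow(bob_editor, usb)[0]         # denied
    results["editor_to_internal"] = enf.flow(bob_editor, internal_mail)[0]  # allowed
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:24s} {outcome}")
```

The point the model makes concrete is the last two bullets above: once Bob's editor has read F, every sink it writes to is checked against F's taint, so the encrypted copy is just as unexportable as F itself. What the model does not capture, and what the slides also leave outside the threat model, is leakage through a compromised OS or through channels the labeler does not mediate (a photo of the screen, for instance).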

Target Market
Large number of potential customers
– Financial / banking institutions
– Organizations that maintain health records, or seek regulatory compliance
– Corporations that wish to safeguard their internal reports, source code, etc.
Ideally, any institution that deals with sensitive information can benefit from a Pedigree deployment

Competition
Many security companies offer DLP products
– RSA Data Loss Prevention, McAfee Data Loss Prevention, CA Technologies Security DLP, etc.
Key advantages of Pedigree
– Content-agnostic: cannot be thwarted by encryption
– Comprehensive solution: no need to purchase many different products (e.g., Host DLP, Network DLP, Email DLP, etc.)
Key limitation: Pedigree does not identify sensitive data; a user or operator must still apply the initial label, as the report creator and Alice do in the use cases above