
Data Leak Prevention: Safeguarding Corporate Information in a world of vanishing perimeters Kostas Papadatos MSc InfoSec, CISSP, ISO 27001 Lead Auditor,


Slide 1: Data Leak Prevention: Safeguarding Corporate Information in a world of vanishing perimeters
Kostas Papadatos, MSc InfoSec, CISSP, ISO 27001 Lead Auditor, ISSMP, PMP
Director, Security Consulting Services, ENCODE SA
Greek ICT Forum, October 2007

Slide 2: Agenda
- The Business Problem…
- Why Traditional Controls Fail?
- Are We Making the Right Investments?
- What We Can Do!


Slide 4: Impact from Data Leakage…
- Brand damage
- Stock price
- Regulatory fines
- Loss of customers/business
- Legal and contract liability
- Notification and compensation
- Increased security costs
- Marketing and security response
- Lawsuits

Slide 5: The Economics of Data Leakage
- The Financial Services Authority (FSA) has fined Nationwide Building Society (Nationwide) £980,000 for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home.
- ChoicePoint to pay $15 million over data breach: data broker sold information on 163,000 people to alleged crime ring. In addition to a $10 million fine, ChoicePoint will also create a $5 million fund to help consumers who became victims of identity theft…
- DuPont employee walked away with $400 million in trade secrets: company scientist downloaded 22,000 sensitive documents and accessed 16,000 others as he got ready to take a job with a competitor…
- TJX says 45.7 million customer records were compromised, with an estimated cost over $1 billion…
- For a regulated industry the cost per data record leaked is from $90 to $305 (Forrester Research).

Slide 6: Executive Directive…
“Protect My Sensitive Data! …and don’t interfere with the business!”
- Simple to say but complex to deliver:
  - Find the data
    - Data discovery
    - Data classification
  - Monitor the data
    - Identify data use and users
    - Watch the data at rest and in use
  - Protect the data
    - Stop data misuse
    - Encrypt at rest based on risk
    - Encrypt in transit on the network or device

Slide 7: Agenda (section divider)
- The Business Problem…
- Why Traditional Controls Fail?
- Are We Making the Right Investments?
- What We Can Do!

Slide 8: Defining a Critical System
- Usually we define a system as:
  - Data
  - Business Application
  - Database Server(s)
  - Application/Web Servers and/or Mainframe
  - Supportive network infrastructure
  - …
(Diagram: Systems, Networks / Directories, Databases, Applications)

Slide 9: Traditional Security Efforts
- So we apply:
  - Network Perimeter Security
    - Simple/Common: “Border Firewall”
    - Advanced: Internal Segmentation, IPS
  - Access Control on Systems/Applications
    - Simple/Common: username/password, app/sys permissions
    - Advanced: Strong authentication, RBAC and IDM
  - System Auditing (for the very advanced)
  - Disaster Recovery
- But still we face critical security issues
(Diagram: Systems, Networks / Directories, Databases, Applications)

Slide 10: What traditional security efforts cannot counter
- Exposed output files from the systems
- Information leakage by authorised users
- Changes by authorised users
- Outsourcers
  - Collection Agencies
  - Call Centers
  - Printing Houses
  - IT Outsourcers (Service Providers, Development…)
- Administrators
- Mobile Users
- Lost laptops, removable media (USBs…)
- ……

Slide 11: Redefining Business System
- In essence we had omitted:
  - the Points of Use of the Information/Data processed by the system, i.e. the various workstations/laptops
  - the People
  - the Processes
(Diagram: Systems, Networks / Directories, Databases, Applications, Users, ?)

Slide 12: Business Data Main Categories
- Application Data: Financial info, Transactions, Subscriber Info
- Files: PDFs, Spreadsheets, Word Documents, Emails
- Application data: data that is managed by various applications.
- Files: documents, emails, presentations, etc.

Slide 13: “Why traditional controls fail”
- Privileged Users
  - Privileged users should have, and do have, access to the systems and data, so Access Control at the Apps/servers cannot help a lot
  - On the other hand we have no “Access Control” at the Point of Use, i.e. the user’s PC/Laptop, Terminal Services
- Vanishing Perimeters
  - With so many parties accessing systems and data inside the border firewall we cannot talk about network perimeters anymore
- Infrastructure-centric Controls are not enough
  - Our data live beyond infrastructure controls (e.g. laptops, outsourcers, business partners…)
  - With current infrastructure-centric controls it is very difficult to obtain a view of our data’s “whereabouts”: who accessed what and what they did with it!

Slide 14: Agenda (section divider)
- The Business Problem…
- Why Traditional Controls Fail?
- Are We Making the Right Investments?
- What We Can Do!

Slide 15: Priorities for data protection
(Bar chart: “Which type of breaches are a top or high priority to your company?” Categories: Paper theft, Theft of backup tapes, Social engineering, Hardware theft, Insider abuse: authorized users, Spyware on employee computers, Insider abuse: unauthorized access, Attacks on customer desktops, Web site vulnerabilities, Trojans on employee computers, Network or system vulnerabilities; values range from 39% to 86%. Percentages reflect those who answered “top priority” or “high priority.”)
Source: Forrester user survey of 83 data protection decision-makers, December 2005

Slide 16: Where data breaches are really occurring
(Bar chart: “What are the primary means by which data breaches occurred in 2005?” Categories: Theft of backup tapes, Don't know, Network or system vulnerabilities, Web site vulnerabilities, Paper theft, Insider abuse: unauthorized access, Social engineering, Attack on customer desktops, Spyware on employee computers, Trojans on employee computers, Hardware theft, Insider abuse: authorized users; values range from 0% to 39%. Base: 28 of the 83 (34%) data protection decision-makers who experienced at least one breach.)
Source: Forrester user survey of 83 data protection decision-makers, December 2005

Slide 17: Protection priorities don't align with reality
(Chart: “Priority Gap”, plotting degree of concern against degree of likelihood (lowest to highest) for Network or system vulnerabilities, Web site vulnerabilities, Insider abuse: unauthorized access, Theft of backup tapes, Attack on customer desktops, Trojans on employee computers, Spyware on employee computers, Paper theft, Social engineering, Hardware theft, Insider abuse: authorized users; gap values range from 6 to -9.)
Source: Forrester user survey of 83 data protection decision-makers, December 2005

Slide 18: Agenda (section divider)
- The Business Problem…
- Why Traditional Controls Fail?
- Are We Making the Right Investments?
- What We Can Do!

Slide 19: What we have to do
- Even the best Access Control at the Application/Server level cannot help much with Data Protection when it comes to authorised users (internal or otherwise)
- What we have to do:
  - Accountability & Control at the Point of Use or the Endpoint
  - Distribute controls throughout our “redefined” system
  - Ensure that these controls cannot be bypassed even by privileged users (e.g. Admin) and can be centrally managed
  - Data-centric controls instead of only infrastructure-centric ones
  - Context-based controls instead of “black & white” ones

Slide 20: What DLP products do
…they secure the “Virtual Perimeter” for Data

Slide 21: How DLP technology works [1]
- Monitor & Control every data access/transfer activity
  - File access
  - Network uploads/transfers
  - Print operations
  - Removable media
  - Clipboard operations
  - Application field-level logging
- Enforce Risk/Classification-based policies
- Allow business operations; stop/alert for unauthorised/suspicious ones!

Slide 22: How DLP technology works [2]
1. Where did the data come from? (What classification?)
2. What is the user doing with it? Read, Write, Print, Move, Burn, Copy/Paste, Upload, etc.
3. Where is the data going? Devices, Applications, Networks
4. What is the policy regarding actions to be taken?

Slide 23: How DLP technology works [3]
- “All files coming from the xyz File Share should be ‘vaulted’ in a specific directory”
- “All files coming from the xyz Client Application should be ‘vaulted’ in a specific directory”
- No Copy/Paste outside from the Biz App Client xyz
- “Files in Directory xyz can be printed only on Printer ABC”
- “Files in Directory xyz cannot be copied to Removable Media (e.g. USB sticks, CD/DVD)”
- “All files coming from the xyz File Share should be ‘transparently encrypted’”
- ……
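As an added example (not code from the presentation or from any DLP product), the following small policy engine shows how the four questions of slide 22 (origin/classification, user action, destination, policy) turn the sample rules of slide 23 into allow/alert/block decisions at the endpoint. Rule names, the "source:" / "destination:" naming scheme and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class DataEvent:
    user: str
    action: str          # read, write, print, move, burn, copy_paste, upload
    source: str          # where the data came from, e.g. "fileshare:xyz", "dir:xyz/a.doc"
    classification: str  # label assigned at discovery/classification time
    destination: str     # where it is going, e.g. "printer:ABC", "usb:E", "dir:vault/x"

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[DataEvent], bool]
    verdict: str         # "block" or "alert"; anything unmatched is allowed

REMOVABLE = ("usb", "cd", "dvd")

# Constructed rules mirroring the slide's sample policies (names are placeholders).
RULES: List[Rule] = [
    Rule("vault-fileshare-xyz",                      # files from share xyz may only land in the vault
         lambda e: e.source == "fileshare:xyz" and e.action == "move"
                   and not e.destination.startswith("dir:vault"), "block"),
    Rule("no-clipboard-from-bizapp-xyz",              # no copy/paste out of the business app client
         lambda e: e.source == "app:xyz" and e.action == "copy_paste"
                   and e.destination != "app:xyz", "block"),
    Rule("dir-xyz-print-only-ABC",                    # directory xyz prints only on printer ABC
         lambda e: e.source.startswith("dir:xyz") and e.action == "print"
                   and e.destination != "printer:ABC", "block"),
    Rule("dir-xyz-no-removable-media",                # directory xyz never goes to USB/CD/DVD
         lambda e: e.source.startswith("dir:xyz") and e.action in ("move", "burn")
                   and e.destination.split(":")[0] in REMOVABLE, "block"),
    Rule("confidential-upload-alert",                 # classification-based rule: let it through, but alert
         lambda e: e.classification == "confidential" and e.action == "upload", "alert"),
]

def evaluate(event: DataEvent, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (verdict, rule_name). Any matching block wins; otherwise the first alert; else allow."""
    verdict, name = "allow", None
    for rule in rules:
        if not rule.matches(event):
            continue
        if rule.verdict == "block":
            return "block", rule.name
        if verdict == "allow":            # first alert seen, keep looking for a block
            verdict, name = "alert", rule.name
    return verdict, name
```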

Slide 24: Putting it all together…
(Diagram: Business Data flows from Systems, Networks / Directories, Databases and Applications, protected by Traditional Controls, out to Employees, Partners and Outsourcers, where DLP Controls protect the virtual perimeter.)

Slide 25: But most important…
- Understand your risk profile.
- Set proper priorities.
- Allocate budgets accordingly.

Slide 26: www.encodegroup.com

