Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pedigree: Network-wide Protection Against Enterprise Data Leaks Team: Nick Feamster, Assistant Professor, School of CS Anirudh Ramachandran, PhD candidate,

Published byLee Byrd Modified over 8 years ago

Similar presentations

Presentation on theme: "Pedigree: Network-wide Protection Against Enterprise Data Leaks Team: Nick Feamster, Assistant Professor, School of CS Anirudh Ramachandran, PhD candidate,"— Presentation transcript:

1 Pedigree: Network-wide Protection Against Enterprise Data Leaks Team: Nick Feamster, Assistant Professor, School of CS Anirudh Ramachandran, PhD candidate, School of CS Yogesh Mundada, PhD student, School of CS Mukarram Tariq, PhD Georgia Tech pedigree@gtnoise.net http://gtnoise.net/pedigree

2 Motivation: Data Leakage Prevention Security breaches skyrocketing; each incident costs $6.75 million on average [1] Privacy Rights Clearinghouse reports 93.8 million personal records as lost or stolen since 2005 Many companies dealing in sensitive information (e.g., financial information, source code, health records) have little to no DLP infrastructure [1] 2010 Global Cost of a Data Breach, April 2010; http://www.ponemon.org/data-security

3 Problems with Existing Technology Not cohesive: needs separate solutions for data leaks through email, USB, network, etc. Not Comprehensive: rely on heuristics to identify and filter confidential data— susceptible to circumvention (e.g., format conversion, encryption) Complicated Maintenance and Management: policies have to be maintained both at endpoints and in the network—needs constant updating

4 Pedigree’s Vision Pedigree aims to stop many data leaks in enterprises—accidental or intentional— using a content-agnostic, formal approach called Information Flow Control [1] Advantages – Highly expressive, fine-grained policy controls for both operators and users – Impossible to circumvent by encrypting or copy-pasting sensitive data – Low deployment overhead D. E. Denning, “A Lattice Model of Secure Information Flow”, CACM 1976

5 How does Pedigree work? Pedigree requires a small module on the OS at endpoints called a labeler (eqvt to installing antivirus software) Pedigree associates metadata—called labels—to sensitive information. Labels are tracked across the enterprise by labelers Enforcers located at end-hosts (i.e., as an OS module) and in the network (i.e., a firewall) enforce policies each time information flows from one resource to another

6 Example Fileserver Policy DB Alice Bob Enterprise Network F F Alice first creates sensitive file F on fileserver Alice sets policies on F Allow only Bob read access to F Disallow sending outside enterprise Bob can read F Although Bob can read F, he cannot copy F to a removable drive or send F outside the enterprise But other users cannot

7 Use-case 1 Protecting company-wide information not ready for public release (e.g., quarterly reports) Pedigree solution – Report creator adds a sensitive “taint” to the label of the report – Any user who accesses the data can only read it; they cannot electronically leak the data without compromising their operating system (very hard)

8 Use-case 2 A user wants to get feedback on a document from a diverse group of users in the enterprise, but does not wish them to take the document outside the enterprise servers Pedigree solution – The user uses a simple GUI to create a new group (distinct from OS groups) giving other users only “read” but not “export” access – Users in the group can read the data, but cannot copy it to removable drives or send it over email – Users not in the group cannot even read the data (done separately from OS permission checks)

9 Technical Details Pedigree software on endpoints performs checks each time two resources with incompatible labels interact – e.g., a process reads a file labeled “sensitive” If a process reads a sensitive file, its own label acquires the sensitive status All future communication by this process will be labeled “sensitive”, and can be checked by enforcers – Stops accidental data leakage – Not thwarted by encrypting the sensitive information

10 Target Market Large number of potential customers – Financial / banking institutions – Organizations that maintain health records, or seek regulatory compliance – Corporations that wish to safeguard their internal reports, source code, etc. Ideally, any institution that deals with sensitive information can benefit from Pedigree deployment

11 Competition Many security companies offer DLP products – RSA Data Loss Prevention, McAfee Data Loss Prevention, CA Technologies Security DLP, etc. Key advantages of Pedigree – Content-agnostic: cannot be thwarted by encryption – Comprehensive solution: no need to purchase many different products (e.g., Host DLP, Network DLP, Email DLP, etc.) Key limitation: Does not identify sensitive data

Download ppt "Pedigree: Network-wide Protection Against Enterprise Data Leaks Team: Nick Feamster, Assistant Professor, School of CS Anirudh Ramachandran, PhD candidate,"

Similar presentations

1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran,

1 OpenFlow Research on the Georgia Tech Campus Network Russ Clark Nick Feamster Students: Yogesh Mundada, Hyojoon Kim, Ankur Nayak, Anirudh Ramachandran,
Securing Enterprise Networks with Traffic Tainting Anirudh Ramachandran Nick Feamster Yogesh Mundada Mukarram bin Tariq.

Securing Enterprise Networks with Traffic Tainting Anirudh Ramachandran Nick Feamster Yogesh Mundada Mukarram bin Tariq.
Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.

Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.
COMPREHENSIVE APPROACH TO INFORMATION SECURITY IN ADVANCED COMPANIES.

COMPREHENSIVE APPROACH TO INFORMATION SECURITY IN ADVANCED COMPANIES.
IAPP 2004. 2 CONFIDENTIAL Insider Leakage Threatens Privacy.

IAPP CONFIDENTIAL Insider Leakage Threatens Privacy.
The traditional perimeter is rapidly eroding IT needs continuous data protection that work across ‘classic ‘boundaries’ Consumerization of IT Users.

The traditional perimeter is rapidly eroding IT needs continuous data protection that work across ‘classic ‘boundaries’ Consumerization of IT Users.
AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.

AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.
 Physical Logical Access  Physical and Logical Access  Total SSO and Password Automation  Disk/Data Encryption  Centralized management system  Biometric.

 Physical Logical Access  Physical and Logical Access  Total SSO and Password Automation  Disk/Data Encryption  Centralized management system  Biometric.
Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.

Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
Persistent Protection Using E-DRM Technology Jason Fasoo 06/18/2008.

Persistent Protection Using E-DRM Technology Jason Fasoo 06/18/2008.
Hackers They can u Read the data files u Run the application programs u Modify some files which may cause damages Individuals who gain unauthorized access.

Hackers They can u Read the data files u Run the application programs u Modify some files which may cause damages Individuals who gain unauthorized access.
SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.

SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.
Sophos / Utimaco Data Loss Prevention Peter Szendröi, SOPHOS Nordics Jan 20, 2010.

Sophos / Utimaco Data Loss Prevention Peter Szendröi, SOPHOS Nordics Jan 20, 2010.
Compliance in Office 365 Edge Pereira Sandy Millar From Avanade Australia OSS304.

Compliance in Office 365 Edge Pereira Sandy Millar From Avanade Australia OSS304.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Similar presentations

Ads by Google