1. Data Loss – Prevention and Controls
Mark Lachniet, Solutions Architect – Analysts International
Bret Straffon, PSS Security – Cisco Systems
Lansing, MI
July 15th, 2008

2. Presentation Overview
This presentation will provide an overview of issues surrounding Data Loss Prevention (DLP) and provide a roadmap for understanding:
How it impacts YOUR organization
Regulations and standards (e.g. PCI and GLBA) that address it
How it is affecting industry and the economy in general
Some vendor-agnostic approaches to dealing with data loss and breaches
How Cisco’s product line can help you address DLP concerns in a cost effective and scalable manner
How Analysts International’s expertise and services can help to prevent and recover from incidents
CAVEAT EMPTOR: Many of the topics discussed in this seminar cover legal topics. You should consult your own legal counsel!

3. Introductions – Mark Lachniet
Mark Lachniet from Analysts International
Solutions Architect with Analysts International’s security group
With Analysts International for approximately 8 years
Previously an I.T. director at a K-12 school district and instructor for Walsh College’s NSA-certified Masters in Information Assurance (MSIA) Program
Provide oversight on all security services
Perform hands-on work in most areas with a focus on “holistic” security such as policies and procedures, regulatory compliance, Business Continuity Planning, and technical areas such as forensics, incident response, web app security, etc.
Member of the International High Technology Crime Investigation Association (HTCIA)
GIAC Gold Certified Forensic Analyst (GCFA)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)

4. Introductions – Bret Straffon
Bret Straffon,
Product Sales Specialist – Security Solutions
With Cisco for approximately 3 years
Prior to Cisco – spent time at Cybertrust, Open Service, Trend Micro, ISS, Deloitte and Touche.
Total of 9 years experience selling Security solutions
BSBA - Management Information System – CMU ‘94

5. Agenda 11:00 am Section 0 &1 (Mark Lachniet) (45mins)
11:45 am Lunch is distributed (20mins)
12:05 pm Section 2 (Mark Lachniet) (45 mins)
12:50 pm Section 3 (Cisco) (45 mins)
1:35 pm Section 4 (Mark Lachniet) (20 mins)
1:55 pm Q&A (all) (5 minutes or as needed)

6. Section 1 – Data Loss Overview
Mark Lachniet, Solutions Architect – Analysts International
Lansing, MI
July 15th, 2008

7. Overview of Data Loss Prevention
There have been hundreds of significant breaches in the last few years, and public (as well as legislative) attention is now on the problem so it will only get more important over time
Failure to control data leakage has very public and painful ramifications (bad press, plummeting stock prices, fees and penalties, lawsuits, regulatory non-compliance, etc.)
We must be concerned about controlling our sensitive data throughout its entire life-cycle (from creation to destruction)
History has shown that being “out in front” of, and prepared for, upcoming (and inevitable) trends such as data breach disclosure laws is more cost effective than a late response

8. Types of Data To Protect
The type of data you need to protect will obviously depend upon your industry, and some are more susceptible than others
Personally Identifiable Information (PII) such as addresses, phone numbers, etc.
Personal Financial Information (PFI) such as account numbers and balances, purchasing history, credit card information
Personal Health Information (PHI), includes personal health records, billing, etc. Covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Internal secrets (marketing, payroll, passwords, etc)

9. The Pain of a Breach
If you have a breach, the impact could be significant, possibly even going out of business
Loss of stakeholder confidence (the public, customers, investors, partners, etc.)
Lost productivity (inability to work, servers down, people re-assigned for clean-up, data recovery costs)
Fees for not meeting Service Level Agreements (e.g. in manufacturing industries)
Costs associated with notification (sending “oops” letters, staffing a toll free information line, providing credit counseling to victims, etc.)
Internal and external consultant costs
Blackmail and extortion attempts
Submitting to mandatory audits

10. The Pain of a Breach – Examples
8 August 2002 Microsoft and FTC Reach Passport Privacy and Security Settlement
A Federal Trade Commission (FTC) investigation found that Microsoft misrepresented both the level of security provided and amount of data collected by its Passport services. As part of a settlement with the government, Microsoft will refrain from making false claims about the information it collects and will submit to an independent audit of its security program every two years. Microsoft could face fines of $11,000 a day if it fails to comply with the agreement.
ChoicePoint
In January 2006, consumer data provider ChoicePoint Inc. agreed to pay $15 million to settle FTC charges that its security and record-handling procedures violated consumers' privacy rights when thieves breached its database.

11. The Pain of a Breach – Examples
“T.J. Maxx Parent Company Data Theft Is The Worst Ever”
The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customers record mark, something that only CardSystems had been able to achieve.
TJX later settled Visa's charges against it for $41 million in November 2007, and paid an undisclosed amount to settle a group of lawsuits brought against it by Massachusetts-based banks in December 2007.
The FTC ordered TJX to designate an individual responsible for information security, identify risks to personal data, deploy safeguards to mitigate that risk, work out agreements with service providers that handle customer data, and evaluate and adjust its security program to meet operation changes. In addition, TJX must submit to a third-party audit of its security program every two years for the next two decades.

12. The Pain of a Breach – Examples
EggHead.com
3.7 million customer records were stolen (including mine)
End consumers were covered – we just had to fill out a form for the credit card company, and would have only been liable for $50 max
However, it was necessary for consumers to actually identify and contest the charges
Egghead actually informed customers (this is before this was a common practice) and hence were able to keep some stakeholder confidence
Credit card companies were not happy – they had to re-issue cards and sued egghead for costs
Egghead was apparently forced out of business due to these lawsuits from the credit card companies
Eventually re-branded themselves as newegg.com, a company which I actually purchase from (can lightning strike twice?)

13. Other Penalties for Breaches
In addition, there may be other types of damages for failure to maintain good security and/or alert victims
By law:
In the State of New York, can be fined $10 per instance of failed notification not to exceed $150,000
Many other states have similar fines on the books, and more and more states are passing breach notification laws. See for an interactive map
At a federal level, the FTC or SEC may step in
By civil suit:
Choicepoint: $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges
Disciplinary action:
Lose job or vacation time
An Ohio Department of Administrative Services employee lost a week of vacation!

14. States with Breach Laws
From:
38 States have them as of February 12, 2008
Interesting note: In many cases, if the lost data was in an encrypted format, you may not have to make a disclosure due to “safe harbor”

15. What Happens to that Lost Data???
A lot of times, nothing – the tape or laptop was lost or stolen, and never heard of again. No direct impact was known (but they still had to report it)
In some cases, it may be used for identity theft, which is a real problem, but in many cases, it is sold on the black market
Computer crime is now within the domain of organized crime such as the “Russian Business Network”
There is an entire community and hierarchy of traffickers

16. The Lucrative World of Malware and “Bot Herding”
People are making money! Millions of dollars!
There are entire economies based on computer crime:
Hackers: Produce new exploits in common software and sell the “0 day” exploits to Bot Herders
Bot Herders: Use the new exploits to distribute malware to end users. These are used for Denial of Service extortion, spamming, stealing network or PII information, click advertisement abuse, etc. They sell their harvested information to criminals.
Criminals: Use their obtained credit card and bank account information to perpetuate financial crimes and pay for further development
Finding ways to identify, control and remove malware (especially unidentified malware) is a boom market
Limiting exposure (for example through good system security and products such as Cisco’s Iron Port appliances) can minimize this risk

17. Malicious Code Threats (2007)
One very real problem is that there is a proliferation of malware, and Anti-Virus simply cannot keep up with all the new versions

18. The Value of Information (2007)

19. The List Not to Be On – attrition.org
Attrition.org used to maintain a list of “hacked” organizations, but they were unable to keep up
Now they are focusing on data breaches – see:

20. Attrition.org – March of 2008 (1 month)
Baltimore Highway Administration - [ ] (Employee information for about 1,800 accidentally exposed on internal server) [archive]
Child Assessment Service, Tuen Mun Centre - [ ] (Medical data and identity on 700 children exposed) [archive]
University of Colorado at Boulder - [ ] (Names, addresses, and Social Security numbers of about 9,500 on compromised server) [archive]
WiseBuys - [ ] (Hundreds of credit and debit card numbers reported stolen) [archive]
Coos County Oregon - [ ] (Nearly 500 Social Security numbers and personal information reported on stolen laptop) [archive]
Chrysler Financial - [ ] (Data tape lost in transit contained personal information) [archive]
Southern Connecticut State University - [ ] (11,000 students and alumni exposed on website) [archive]
University of Texas Health Science Center - [ ] (Social Security numbers available on about 2,000 billing envelopes) [archive]

21. Attrition.org – March of 2008 (1 month)
CollegeInvest - [ ] (Lost hard drive exposes 200,000 customers during office relocation) [archive]
University of Massachusetts - [ ] (Hackers breach system accessing thousands of medical records) [archive]
Boots Dental Plan - [ ] (Account details of 34,000 stolen from courier) [archive]
LendingTree - [ ] (Social Security numbers, names, addresses, and other personal information inappropriately accessed) [archive]
Bank of Ireland - [ ] (Account information, addresses, and medical information of 10,000 on stolen laptops) [archive]
Central Collection Bureau - [ ] (Social Security numbers and names of 700,000 on stolen server) [archive]
University of Miami - [ ] (Stolen tapes containing names, addresses, and medical records of 2.1 million patients) [archive]

22. Attrition.org – March of 2008 (1 month)
Connecticut State University System / Buffalo State / Northwest Missouri State University - [ ] (Stolen laptop contains names and Social Security numbers of 20,500 students) [archive]
University of Virginia - [ ] (Social Security numbers and names of over 7,000 on stolen laptop) [archive]
Stokes County High Schools - [ ] (Stolen computer exposes 800 student names and Social Security numbers) [archive]
University of Toledo - [ ] (Name, address, and Social Security numbers for 6,488 exposed on internal server) [archive]
West Seneca School District - [ ] (Students hack school district computer system 1,800 employees notified) [archive]
Bowdoin College - [ ] (Student Social Security numbers, names, addresses, insurance information left exposed on server) [archive]

23. Attrition.org – March of 2008 (1 month)
New York-Presbyterian Hospital/Weill Cornell Medical Center - [ ] (Names, phone numbers and some Social Security numbers of 40,000 stolen by employee) [archive]
Joliet West High School - [ ] (Names and Social Security numbers of "about every student enrolled" accessed) [archive]
Wellcare - [ ] (71,000 insurance records including Social Security numbers exposed on internet) [archive]
WellPoint - [ ] (Social Security numbers and medical information for about 128,000 exposed on internet) [archive]
Pfizer - [ ] (Stolen laptop contains names and credit card numbers of about 800) [archive]
University of California, Irvine - [ ] (Up to 7,000 affected - very few details available) [archive]
Okemo Mountain Resort - [ ] (Computer network breach exposes tens of thousands of credit card transactions) [archive]

24. Managing the Societal Impact of High-Tech Crime
And those were only the incidents that were reported, and for which someone bothered to make an entry in the database
Obviously, this is a problem that is costly both to the people affected and to the economy in general
“Computer Economics” estimates $13 Billion world-wide in 2006, and its getting worse
To mitigate this, government (through regulations and laws) and industries (through self-regulation) are starting to develop standards and controls
Some standards are proactive, some reactive
We will discuss a couple – the Payment Card Industry (PCI) and Gramm-Leach-Bliley Act (GLBA)

25. The Payment Card Industry (PCI)
A consortium of credit card companies including Visa and Mastercard
Has implemented the PCI Data Security Standard (PCI DSS)
This affects anyone who stores or processes credit card information, though there are different categories:
“According to payment brand rules, all merchants and service providers are required to comply with the PCI Data Security Standard in its entirety.”

26. The Payment Card Industry (PCI)
There are numerous requirements as part of the PCI standard
These are partially based on what type of data you process or store, namely the Primary Account Number (which means you must comply)
There are some items that you can never store:

27. PCI Requirements – The “Big 12”
Cisco ASA firewalls are well accepted way to meet Requirement #1
Use of IPSEC VPN (e.g. in ASA and ISR routers) can meet Requirement #4
Use of Cisco’s CSA agent can help meet Requirements #3 and #6
A well designed network and regular security assessments can also help to meet Requirement #6

28. PCI Requirements – The “Big 12”
Cisco’s MARS Appliance can help to meet Requirement #10
Regular vulnerability assessments (e.g. Analysts ISAS, OSAS and WASA services) can help address Requirement #11
Analysts policy development services can help to address Requirement #12
OF COURSE a mature and well-run organization with proper practices and procedures is the essential glue that pulls together all of the external products and services, and is without a doubt the MOST important part

29. The Gramm-Leach Bliley Act (GLBA)
Includes three primary components:
The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions "such as credit reporting agencies" that receive customer information from other financial institutions.
The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."

30. The GLBA Privacy Rule 313
Is primarily concerned with how you process and use information, and most notably that organizations have implemented a privacy policy and protection plan
Past analysis by Analysts International has identified several specific provisions as part of our Security Needs Analysis Service (but you should consult your own legal counsel before accepting these as gospel):
A formal information privacy policy has been created
The information privacy is regularly communicated to internal and external stakeholders
The privacy policy includes an inventory of existing data collection practices
The privacy policy makes a distinction between Consumers (e.g. any NON-individual seeking a financial product or service) and a Customer (e.g. any individual with an established relationship)

31. The GLBA Protection Rule 314
Is concerned with how you protect sensitive data
Encrypt the data
Properly dispose of it (and require outsourced service providers to do so as well)
Have a formal incident response plan to detect and respond to threats
Have a formal risk assessment program is in place and someone designated to maintain it
A formal “administrator termination” process is used to remove all access rights from former employees
Safeguards are regularly monitored and tested

32. Summary – Data Loss Prevention
Data disclosures are bad, and getting worse
It is difficult to identify requirements, to whom and how they apply, and how to address them in a cost effective manner
Difficult to manage and monitor large I.T. infrastructures, products are needed
Expertise in security and regulatory compliance is difficult to come by, and Subject Matter Experts are expensive to hire, train and keep on staff
A high level of organizational maturity is required to pass audits, let alone truly comply with the “spirit” if the laws

33. Section 2 – Threat Vectors and Internal Controls
Mark Lachniet, Solutions Architect – Analysts International
Lansing, MI
July 15th, 2008

34. Data Loss Threat Vectors and Controls
Many controls are best done internally, such as creating a formal I.T. security management framework, or identifying the type of data you need to protect
Some controls are most efficient when automated with products – for example aggregating logs from a large number of systems and analyzing them for incidents
Some controls require significant security expertise, or require “third party independence” such as doing security audits, and may need to be outsourced for cost reasons
In the next section, we will discuss a number of threats (though not a complete list) that pertain to DLP and propose some appropriate controls that can be done internally, with Cisco Products, or Analysts’ services

35. Intentional Misconduct by Insiders

36. Misconduct by Partners, Service Providers and Clients

37. Conventional Hack Attacks

38. Targeted Attacks

39. Contracted Malware

40. Stolen or Lost Data

41. Awareness of Sensitive Data

42. Not Prepared for a Breach

43. Limited Budget and Resources

44. Encourage Maturity In Operations
In general, the more organized you are, the better your security will be, the less likely you are to suffer a breach, and the less expensive I.T. will be to the organization!
Consider adopting the ITIL standards in areas such as documentation, change control, etc.
Also formally define your security polices, expectations, procedures (e.g. server hardening, application development, database security, remote access, etc.)
Consider the Capability Maturity Model – where are you on security?

45. Manage Employees Do regular background checks of applicants
Have strong, documented linkages between H.R. and I.T.
Require sign-off on Acceptable Use Policies (AUP) and Non-Disclosure Agreements (NDA)
Provide training and awareness on security issues, recommended at 1week/year per I.T. employee, less for end users
Regularly monitor employee activity

46. Formalize Risk Management
I.T. Risk Management should be a formal process in your organization
Consider creating a workgroup tasked with managing security that is responsible for:
Promoting awareness of Information Security issues within the organization
Identifying and managing strategic, operational and financial I.T. risks
Identifying and managing I.T. regulatory compliance requirements and controls
Identify security needs, budgetary and staffing requirements, etc.
Act as an interface to other departments within the organization to provide guidance and assistance on information security issues

47. Create an Information Classification System
Identify the types of critical data you have in use through self-assessments, interviews, external audits
Classify this data into some logical but maintainable types
Determine how each of these categories must be handled from creation to disposal:
Physical Storage: Locked rooms, clean desk policies
Logical Storage: Approved file shares, encrypted tape / USB flash, on encrypted hard drives if taken outside of the organization
Disclosure: Who is allowed to have the information? Is it on a “need to know” basis?
Destruction: Must it be shredded? Completely wiped before resale?

48. Create an Incident Response Plan
Have a formal plan, that people are aware of and can use, on how to respond to an incident
Consider items such as:
How will you identify a breach?
What is the appropriate response, based on the type of information?
What information will you record about the incident?
Who is allowed to talk to whom?
What types of incidents will require an “oops letter” to go out? Who makes the call on this?
Will you have to file a Suspicious Activity Report (SAR) with an oversight agency?

49. Forensic Readiness
Forensic readiness is related to incident response, but focuses on taking steps to accumulate forensic data before an incident happens
Do you have log files from all of your network devices? Servers? Would they be available if the device was wiped?
Do you have the ability to do log analysis with software such as Sawmill in an ad-hoc basis for data mining?
Do you have processes, procedures and tools to analyze and preserve data?
Do you know who to call if you are out of your depth?
Do you have legal help?
Are you covering your data retention requirements?

50. Privacy Policy Do you have a written privacy policy?
Does it match the regulatory requirements that you may be subject to?
Does it align with your information classification and incident response procedures?
Has your lawyer reviewed it?

51. Section 3 – Managing Data Loss - Cisco Solutions
Bret Straffon,
PSS Security
Lansing, MI
July 15th, 2008

52. IronPort Gateway Security Products
Internet
IronPort SenderBase
Security Appliance
WEB
Security
Appliance
Provides opty to discuss the range of services and products that IronPort offers.
Network security has moved beyond simple packet filters, and stateful firewalls to truly understand the application.
From the X1000, designed for demanding ISP environments to the C100 for companies starting at five users.
ESA: Protects port 25. Spam, Viruses, Outbreaks, Phishing and Spoofing inbound. Policy enforcement and encryption outbound.
SMA: Protects port 80. Spyware and malware inbound. Acceptable use policy outbound.
SMA: ties it all together. Today it acts as a centralized quarantine, in the future it is the centralized reporting and tracking device across both platforms.
Security MANAGEMENT Appliance 52

53. IronPort – Gateway Solutions
Security (C-Series)
Protection from External Attacks
Spam
Virus
Denial of Service
Phishing
Directory Harvesting
Misdirected Bounces
Protection of Internal Property
Compliance
Data Leakage
Encryption
Brand Protection
Authentication
Web Security (S-Series)
Control Web Traffic
High performance web proxy
Web Policy & URL Filtering
Fully integrated complete content inspection
L4 traffic monitor protects all network ports
Protect from Web Threats
Adware
Virus
Phishing
Browser Hijackers
Keyloggers
Trojans
and more 53

54. Data Loss Prevention Deployment IronPort Reduces Complexity
Before IronPort
After IronPort
Internet
Internet
Firewall
Firewall
Encryption Platform
DLP Scanner
DLP Policy Manager
MTA
Anti-Spam
Anti-Virus
Policy Enforcement
Mail Routing
IronPort Security Appliance
Note to speaker: This is one of the most important slides to present when describing our integrated DLP offering.
Another compelling aspect to IronPort’s DLP offering is integrating encryption, supported by IronPort PXE secure envelope technology. In this slide, we’ve listed some legacy solutions and their shortcomings:
which include multiplatform deployment models
the need for administrators to manage complex certificate requirements
the need for center receiver plug-ins
IronPort PXE is a single integrated platform with no certificate complexity and no plug-ins are required.
Groupware
Groupware
Users
Users

55. Combines Email & Web Traffic Analysis
The IronPort SenderBase® Network Global Reach Yields Benchmark Accuracy
30B+ queries daily
150+ and Web parameters
25% of the World’s Traffic
Cisco Network Devices
Combines & Web Traffic Analysis
View into both & Web traffic dramatically improves detection
80% of spam contains URLs
is a key distribution vector for Web-based malware
Malware is a key distribution vector for Spam zombie infections
SenderBase is one of our strongest assets.
SenderBase is the world’s largest and web traffic monitoring network.
We have visibility into a wide range of parameters and we see a great deal of the world’s network traffic.
30 billion plus queries to SenderBase daily.
In the future, we will also be seeing more data from Cisco Network Devices, including firewalls, routers, and switches.
A unique aspect of SenderBase is that it has visibility into AND web traffic.
80% of spam contains URLs, this gives us a key data feed for powering our Web Reputation technology that feeds both the C-Series and S-Series product lines.
IronPort SenderBase
IronPort
Security Appliances
IronPort WEB
Security Appliances

56. IronPort Reputation Filters Dell Case Study
Dell’s challenge:
Dell currently receives 26 million messages per day
Only 1.5 million are legitimate messages
68 existing gateways running Spam Assassin were not accurate
IronPort’s solution:
IronPort Reputation Filters block over 19 million messages per day
5.5 million messages per day scanned by IronPort Anti-Spam
Replaced 68 servers with 8 IronPort appliances
“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”
— Tim Helmstetter Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION
The benefits of IronPort Reputation Filtering are captured nicely in this Dell case study.
Dell was receiving 26 million messages a day with only 1.5 million being legitimate. They had approximately 70 servers running Spam Assassin and a variety of other commercial and open source technologies, trying to deal with the spam volumes, virus, as well as policy enforcement.
Dell employed IronPort and Reputation Filtering blocked around 20 million messages daily, the rest of the messages being scanned by the anti-spam scanner. This allowed us to reduce their server footprint from 68 servers to 8 IronPort appliances.
The overall accuracy of the spam filtering increased dramatically. And the total cost of ownership was also substantially reduced.
Accuracy of spam filtering increased 10x
Servers consolidated by 70%
Operating costs reduced by 75%
MAILBOXES PROTECTED
100,000+

57. IronPort Email Encryption The Easiest Path to Protecting Confidential Email
Universal Reach: send to any user
Auditable Policy Enforcement
Content scanning at gateway drives encryption
Does not rely on or require user action
Easiest to use
Transparent to sender
No client software for sender or receiver, no certificates needed
Easiest to Deploy and Manage
No client software
Hosted key management infrastructure   
IronPort Encryption solves these problems, providing the easiest-to-use, easiest-to-deploy encryption solution for regulatory compliance and protection of sensitive information.
Send to any inbox: supports all enterprise clients, e.g. Outlook, Notes, Groupwise; as well as all webmail clients, e.g. Yahoo! Mail, AOL Mail, GMail, etc.
No client software to install: all it requires is a web browser
No certificates: all managed automatically through an IronPort hosted service
C-Series Compliance Filters and content filters ensure that the encryption policy is consistently enforced without relying on sender action—perfect for compliance audits
Receive
Enter password
View secure message

58. Data Loss Prevention Foundation Integrated Scanning
Compliance Dictionaries
Custom Content Filters
Users
Outbound Mail
Smart Identifiers
Our customized content folders give the administrator the ability to write rules that are specific to their organizational needs.
We also provide compliance dictionaries that give Administrators a turn-key solution for HIPPA and GLBA dictionaries so they won’t have to go out and do the research themselves.
We also have smart identifiers which with the checkbox allow administrators to scan for specific numerical strings. These identifiers are unique because they automatically look for expression patterns. The smart identifiers also have the intelligence embedded in them to look for the check sums, or whether or not it is a valid social security number.
IronPort also provides a very wide range of attachment scanning feature that allows for scanning text in over 400 different attachment types.
We also have a weighted content dictionary that provides an extension of our existing functionality. Instead of having a binary yes or no, indicating existence of that word, we give administrators the ability to put a numerical weighting on each word triggered; therefore as the sum of those weights exceeds a threshold the filter action is enabled.
Integrated Scanning Makes DLP Deployments Quick & Easy
Weighted Content Dictionaries
Attachment Scanning

59. Data Loss Prevention Foundation Integrated Remediation
Remediation: Encryption
Remediation: Notification
Users
Outbound Mail
This slide captures the integrated remediation features.
After the administrator has set up scanning policies, you want to make sure the remediation is representative of the work flow that makes sense for the Admin. Our features will do things like notify, notify either the sender, the recipient or even the Admin of someone else when a DOP violation takes place. Also, it will provide a robust report that has a great deal of information on what DOP rules are being violated and by whom.
Lastly, is the quarantine feature. Quarantine represents the location of where a message that violates the DLP policy is stored for further review by the administrator. Our quarantine allows the administrator to log in and easily see which words violated the policy. Additionally, the quarantine has the ability to delegate access to the quarantine to someone other than the staff. (Some organizations want a compliance team to review the content that violates a policy and our quarantine gives them the ability to do that.)
Integrated Remediation Eases Work Flow Burden
Remediation: Reporting
Remediation: Quarantine

60. How It Works: Recipient Experience
Notification
Envelope

61. Business Class Email Enhanced Visibility and Control
Guaranteed Read Receipt
Guaranteed Recall
Guaranteed Read receipts provides non-repudiation – I know you opened the message at this date and time…”please don’t say you didn’t get the invoice”
Guaranteed recall provides ability to keep a message from being opened if it was inadvertently delivered; e.g. fat fingered an to someone and concerned that critical information may have gone to the wrong person. We call this the “diving save”.
This available to every sender individually for messages that they’ve sent; and at an administrator level for all messages sent by the organization.

62. Categories: by Domain, Username, or LDAP
IronPort Security Manager Single view of policies for the entire organization
Categories: by Domain, Username, or LDAP IT
Encrypt New Passwords
SALES
Identify & Encrypt POs
One thing that is true in this business is that one size does not fit all when it comes to security policies. Customers want to have a unique policy depending upon who the user is, what LDAP group they are in or even what domain they belong to. The IronPort Security Manager provides end-users that level of policy assignment. The administrator can determine based off of a variety of settings what policies they end-user is going to get from anti-spam, anti-virus, content filters and virus outbreak filters. This is all made possible in one easy to use, easy to manage dashboard.
LEGAL
Archive all mail
Encrypt mail With Outside Counsel
“IronPort Security Manager serves as a single, versatile dashboard to manage all the services on the appliance.” – PC Magazine

63. Regulatory Compliance IronPort
Pre-Defined Filters
Compliance Dictionaries
Pre-Defined Filters
Smart Identifiers
Encryption (Message Based & TLS)
Compliance Dictionaries
IM, Skype, P2P
Encryption (Message Based & TLS)
As you know, the primary goal of smart lexicons and content dictionaries is to filter any outgoing message that contains sensitive personal information. Let’s discuss IronPort’s content dictionaries using HIPAA as an example (because HIPAA has one of the most ‘strict’ set of rules for compliance).
<<The rest of the notes focus on HIPAA specifically>>
The Challenge:
The real answer for 100% security is to simply encrypt ALL outgoing messages. However, this is not a viable option. Therefore, the challenge is to create an effective solution that mitigates risk, but also:
Interoperates with existing technology
Does not over encrypt (false positives)
Has minimal maintenance requirements
The natural tendency (and currently accepted model) is to use brute force and attempt to build an “all inclusive” medically related word list. This is not effective because:
The list could never be truly all inclusive
Would require constant maintenance
Takes an inordinate amount of CPU time to process
HIPAA does not require protection of the information simply because it is “medical” in nature, but does require it when that medical information could reasonably be tied to a single “identifiable” individual
Notes on the lexicons:
Personal Identifiers – based on the 18 classification for patient identifiers as outlined in Each of these is assigned a weight of “2”
Crossover Words – common words you would expect to find between an identifier and a medical condition flag. Assigned a weight of “3”
Medical Condition Flags – common medical condition flags that when standing alone do not require protection. Assigned a weight of “1 or 2” depending on its frequency of use in non-medical conversation.
The Lexicon itself is not the all-inclusive safety net, but rather a best practices methodology and tool for adhering to the core premise of compliance – taking reasonable and appropriate action.
IM, Skype, P2P
Smart Identifiers

64. Acceptable Use IronPort
URL Filtering / Webmail Control
Custom Filter Creation
URL Filtering / Webmail Control
Custom Filter Creation
AUP Dictionaries
Granular Policy Management
AUP Dictionaries
As you know, the primary goal of smart lexicons and content dictionaries is to filter any outgoing message that contains sensitive personal information. Let’s discuss IronPort’s content dictionaries using HIPAA as an example (because HIPAA has one of the most ‘strict’ set of rules for compliance).
<<The rest of the notes focus on HIPAA specifically>>
The Challenge:
The real answer for 100% security is to simply encrypt ALL outgoing messages. However, this is not a viable option. Therefore, the challenge is to create an effective solution that mitigates risk, but also:
Interoperates with existing technology
Does not over encrypt (false positives)
Has minimal maintenance requirements
The natural tendency (and currently accepted model) is to use brute force and attempt to build an “all inclusive” medically related word list. This is not effective because:
The list could never be truly all inclusive
Would require constant maintenance
Takes an inordinate amount of CPU time to process
HIPAA does not require protection of the information simply because it is “medical” in nature, but does require it when that medical information could reasonably be tied to a single “identifiable” individual
Notes on the lexicons:
Personal Identifiers – based on the 18 classification for patient identifiers as outlined in Each of these is assigned a weight of “2”
Crossover Words – common words you would expect to find between an identifier and a medical condition flag. Assigned a weight of “3”
Medical Condition Flags – common medical condition flags that when standing alone do not require protection. Assigned a weight of “1 or 2” depending on its frequency of use in non-medical conversation.
The Lexicon itself is not the all-inclusive safety net, but rather a best practices methodology and tool for adhering to the core premise of compliance – taking reasonable and appropriate action.
Granular Policy Management

65. Intellectual Property Protection IronPort
Remediation: Reporting
Data Leakage Dictionaries
Custom Filter Creation
Data Leakage Dictionaries
Remediation: Notification
Remediation: Quarantine
Remediation: Notification
Remediation: Reporting
Custom Filter Creation
Remediation: Quarantine

66. CA Dept. of Alcohol & Drug Programs Data Loss Prevention via IronPort’s Email Security Appliances
“The selection of the IronPort and encryption system fulfilled the need for a secure electronic messaging system as the department requires a secure transmission method to meet HIPAA guidelines as well as other administrative requirements...”
— Gary Hummel, CISSP
Information Security Officer
Dept. of Alcohol & Drug Programs
ADP’s Challenge:
State mandated outbound content filtering
Encryption to meet HIPAA and similar regulations
Prevent accidental disclosures of state data, including patient records and SSNs
Secure messaging with outside partners
Other needs: phishing protection, easy message retention, improved system management
The IronPort Solution:
IronPort C-Series security appliance
Encryption Envelope Server, IronPort Anti-Spam, IronPort Virus Outbreak Filters, Sophos Anti-virus
IronPort Results:
Rapid deployment of Data Loss Prevention technology
Ensures compliance with state and federal laws
Set and forget management; little to no administrative intervention
Industry leading anti-spam and anti-virus protection at the network perimeter, providing a first line of defense for Exchange servers

67. IronPort Encryption Use Cases
Government
Tax forms
Land registry
Defense procurement
Benefit statements
Health Care
Patient Appointments
Invoices
Prescriptions
Treatment plans
Test results
Pharmaceutical
Drug research collaboration
FDA Submissions
Financial Services
Trade Confirmations
Broker/Agent Networks
Insurance Policies
Bank Statements
Credit Card Statements
Account Service Requests
Loan/Account Applications
General
Operations / Finance
Order confirmations
Invoices
Purchase Orders
Payment details
PCI Compliance
Sales
Quotes
Product Presentations
Business Development
M&A discussions
Deal negotiation
Legal
Contracts
Patents
Attorney-Client Privilege IT
Password seeding
Live password resets
Voic transcription HR
Benefits statements
Offer / pay letters
Stock option grants
Time cards
Pay slips
Marketing
Product roadmaps
Price lists
Promotion codes
Engineering / R&D
Design collaboration
Header One
Copyright © Cisco Systems, Inc. All rights reserved. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. All other trademarks are the property of Cisco Systems, Inc. or their respective owners. While every effort is made to ensure the information given is accurate, Cisco does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice.

68. IronPort Security Appliances Integrated Security Appliances For The Network Perimeter
• L4 traffic monitor inspects all traffic
• Web reputation for preventive filtering
• Integrated complete content inspection
• Data Loss Prevention
Multi Layer Spam Protection
Industry Leading Virus Protection
Data Loss Prevention
Unmatched Performance
IronPort S-Series WEB SECURITY APPLIANCE
IronPort C-Series SECURITY APPLIANCE

69. Cisco Data Loss Prevention Portfolio Extend the value of your investment, leverage functionality
Data Center
Tape Devices
Storage Media Encryption
Prevent unauthorized access and loss of data at rest
Fully integrated with SAN fabric and management
Secure, highly available service
IronPort
Prevent Data Loss at Network Perimeter
Multi-Protocol Scanning
Leverage Existing Anti-Spam and Anti-Spyware Infrastructure
Application
Server
MDS 9000
Network Edge
Corporate Network
Employees
Security Appliance
WEB
Security
Appliance
Internet
Partners
Cisco Security Agent
Prevent endpoint data loss
Prevents bypass of IronPort network protection
Content classification similar to IronPort in a future release
Remote Employees
Customers

70. Concern: Endpoint Data is Mobile
How is data mobile?
USB, Floppy, CD Burner
SSL encrypted transfers – Webmail, p2p, IM
Cut and Paste
Dial-up modem, Bluetooth, IRDA interfaces
What’s the concern?
Protecting Intellectual Property stored on the endpoint
Demonstrating that regulated data is properly controlled
Auditing and enforcing corporate use policies for data on laptops

71. CSA Prevents Data Loss on the Endpoint
Restrict copying sensitive data to removable media
USB, floppy disk, CD Burner
Restrict sending sensitive data via unauthorized interfaces
Modem, Bluetooth, IRDA; printer (6.0)
Block sending sensitive data via webmail, p2p, IM
No cut & paste clipboard abuse
Security Appliance
WEB
Security
Appliance
Content scanning on endpoint available in an upcoming release

72. Removable Media Controls
Controls for USB drives, CD, iPod
Monitor usage
Confidential file controls
Authorized user controls
Location-based controls
End user Business Justification for audits
Consolidated event reporting of USB usage

73. Identify Sensitive Data – Content or Context
File Content – certain data patterns are recognized
File Context – data written by certain applications is known to be sensitive

74. Educate the End User Reinforce Acceptable-Use Policies
Educate & Modify end user behavior
Justification window provides audit trail
Allows timely access to data without sacrificing productivity
Localized in 11 different languages 74

75. Data Loss Prevention Logs & Reports
Comprehensive repository of DLP events
Stores justification responses for audit trail
Provides single audit log & activity reports

76. Concern: Endpoint Users are Mobile
When are users mobile?
Working from home
During trips at hotels and business partners
Daily with public and retail hotspots
What’s the concern?
Continuity of data mobility controls when not in the office
Ensuring corporate network data security protections cannot be bypassed

77. CSA Enforces Policy for Mobile Users
CSA can require the use of VPN for remote users
CSA can block SSL sessions not sent via corporate proxy
These ensure IronPort corporate network mail & web protections are not bypassed
Corporate Network
/Web
VPN
Internet
Remote Employees

78. Colorado State Employees Credit Union Data Loss Prevention via Cisco Security Agent
“USB ports are disabled using the Cisco Security Agent, so only certain people such as IT can write to flash drives. We usually don’t encrypt the entire drive on users’ laptops, but do provide secure storage areas so that end users can just save the files to that location and they will always be encrypted.”
— Tom Gonzales, Senior Network Administrator Colorado State Employees Credit Union
Colorado State’s Challenge:
Concerned about Data Loss Prevention
Needed a way to secure employee laptops, disk drives, USB flash drives and CD-ROMs
The Cisco Security Agent Solution:
Cisco Security Agent deployed on their endpoints
Cisco Security Agent disables the usage of USB ports
Cisco Security Agent allows only authorized users such as IT to write to flash drives
Cisco Security Agent mandates that all file storage must be done in secure encrypted partitions
Cisco Security Agent Results:
Mandates compliance to Colorado State’s established security policy
Ensures compliance to State and federal laws for credit unions

79. Intrusion Prevention “Zero Update” Track Record
CSA has a proven track record of stopping brand new exploits, botnets, targeted attacks, worms, and viruses over past 7 years:
2001 – Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
2002 – Sircam, Debploit, SQL Snake, Bugbear,
2003 – SQL Slammer, So Big, Blaster/Welchia, Fizzer
2004 – MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
2005 – Internet Explorer Command Execution Vulnerability, Zotob
2006 – USB Hacksaw, IE VML exploit, WMF, IE Textrange, RDS Dataspace
2007 – Rinbot, Storm Trojan, Big Yellow, Word(MS07-014), MS ANI 0Day, MS DNS 0Day
CSA core value - ability to stop new malware with the default policies
No signatures, or configuration updates required 79

80. Integrated Agent with ClamAV™ Open Source Antivirus
ClamAV virus scanning engine packaged with CSA, as single installable agent
Protects Windows desktops & servers at no additional cost
accurately identifies malware
prevents malware execution
quarantines or deletes malware
CSA Management Center manages agent policies, signature updates
Provides a true single agent - single console endpoint security solution
All other trademarks mentioned in this document are the property of their respective owners.

81. Integrated Agent with Clam Antivirus
ClamAV is widely deployed on UNIX/Linux servers
Scrubs traffic for malware
Protects millions of Windows desktops
Database contains over 200,000 unique signatures
Shadowserver Foundation independent research: ClamAV™ has high degree of malware detection accuracy.
Source: Shadowserver.org wild testing
All other trademarks mentioned in this document are the property of their respective owners.

82. Single Integrated Management
CSA Management Center provides enterprise class security management
Agents poll the CSAMC periodically for security updates
CSAMC distributes daily AV signature updates
Due to CSA’s best-in-class protection - agents are always protected, even out of office – without immediate sig updates
Relying on CSA protection allows more sensible management of antivirus and patching updates
All other trademarks mentioned in this document are the property of their respective owners.

83. Increased Security thru Better Visibility
What do I have installed?
CSA tracks which applications are installed on which systems in the network
Better visibility = Increased Security
What do I use?
Is it at risk or malicious?
This visibility gives customers the ability to implement a workflow, with analysis of the current state of the application infrastructure leading to analysis of application usage and dataflow, leading to better analysis of where the most critical security issues are, leading to a more effective, targeted remediation.
The information from CSA can help customers implement this workflow, and lower their security and administrative costs by better focusing security administration tasks.
How do I control it?
CSA reports where malware, spyware, unauthorized applications may be installed

84. Policy Control – Application Trust Levels
CSA monitors & controls all applications and processes
Trust Levels offer flexible, easy to manage control
White List : Trusted Business Apps (permissive controls)
Grey List: Permitted Applications (more restrictive controls)
Black List: Undesired Applications (block use)
Provides robust security without sacrificing ease of management & deployment

85. Regulatory Compliance Benefits for PCI Compliance
Provides compliance solution for 9 out of 12 PCI requirements
Predefined PCI Policies offer ease of management & audit
26 Rule Modules, 150 rules
Validated by Cybertrust (official PCI auditor)
Runs on Servers, Point-Of-Sale terminals, desktops and laptops
CSA can be customized for other compliance mandates

86. Predefined CSA PCI Policies

87. Inform NIPS of Hostile Hosts
2. Global Correlation is invoked and the CSAMC updates all the CSA agents with threat information
4. CSA collaborating with Cisco IPS is able to dynamically elevate the Risk Rating threshold for attacks coming from the hacker
Desktops
CSA MC
3. All connection attempts by the hacker to CSA protected devices are dynamically blocked
Here, you see how CSA can interact with a network IPS.
Hacker is trying to do recognizance, scanning servers for vulnerabilities.
Now, Global Correlation kicks in, and CSA Management Center updates all agents with data on the threat.
The attacker is blocked by CSA agents that received a dynamically generated signature.
The network IPS was also informed to raise the risk rating for the source of the attack.
As you can see, the network IPS benefits from a correlation of events registered by multiple end-hosts using a CSA agent.
Servers
1. Hacker scans internal servers for vulnerabilities 87

88. DSCP Marking by Application or OS
Per-Application QoS
Example: CSA and QoS
Desktop
DSCP Marking by Application or OS
DSCP Marking by CSA
Class-Based Weighted Fair Queuing (CB-WFQ)
Low-Latency Queuing (LLQ)
Internet Explorer
Default
AF11
BitTorrent
AF11
Default
Cisco IP Communicator EF EF
AF11: 50% (CB-WFQ)
EF: 15% (LLQ)
Default: 10% (CB-WFQ)
This figure illustrates the architecture of an operation system using a CSA agent when generating and marking IP packets.
Initially it is at the discretion of an application to mark packets with the desired DiffServ Code Point (DSCP) value. Or, it is set based on the OS defaults. This approach allows end-hosts to set arbitrary DSCP values.
For example, a user might want to set DSCP AF41 to all packets knowing that the QoS implementation favors this class and gives it more bandwidth.
Or, an attacker might want to perform a denial-of-service attack on the IP telephony infrastructure by flooding a link with EF-marked packets which will consume all network resources given to IP telephony using Low-Latency Queuing (LLQ) on a bottleneck link even though the flooding packets are not in the VoIP VLAN/VPN.
FTP Client
Default
AF11
“Bad” software can mark packets to:
Get a better service from the network
To perform an attack (e.g. flooding with EF-marked packets can cause DoS for IP telephony)
Use CSA to remark packets according to QoS design 88

89. Network Integrated Solutions CSA with NAC, DLP and IronPort
NAC Appliance
Verifies CSA version and if it’s running
Check systems states like “insecure boot detected” and if sensitive data exists
Check user identity if CSA reports sensitive data is on system
IronPort
Prevent Data Loss at Network Perimeter
Multi-Protocol Scanning
Leverage Existing Anti-Spam and Anti-Spyware Infrastructure
Internet
ASA
NAC Appliance
IronPort
Intranet
Cisco Security Agent
Prevent loss of sensitive data:
Scan data files for sensitive data
Prevent copying to external media (USB flash and disk, IR/Bluetooth devices)
Prevent using with (inter)network applications ( , IM, browser)
Prevents bypass of IronPort network protection
Now, we’re looking at a solution in which CSA is used in combination with the NAC and IronPort appliances.
CSA is configured for DLP and enforces the usage of IronPort for web and traffic.
NAC ensures that CSA is running and up-to-date and prevents access to enterprise resources if the security posture is not healthy.
IronPort is used to enforce DLP at network perimeter, for web and , as well as to minimize spam and spyware leakage into the network. 89

90. Operational Efficiency Administrator Dashboard
The dashboard helps the administrator see what needs to be done today
Quick access to common tasks
Centralized visibility into the effectiveness of your endpoint protection 90

91. Network Admission Control
Using the network to enforce policies ensures that incoming devices are compliant.
Authenticate & Authorize
Enforces authorization policies and privileges
Supports multiple user roles
Quarantine & Enforce
Isolate non-compliant devices from rest of network
MAC and IP-based quarantine effective at a per-user level
Scan & Evaluate
Agent scan for required versions of hotfixes, AV, etc
Network scan for virus and worm infections and port vulnerabilities
Update & Remediate
Network-based tools for vulnerability and threat remediation
Help-desk integration

92. Cisco NAC Partnerships
Cisco NAC is committed to protecting customer’s investments in partner applications
Cisco NAC Supports Policies for 300+ Applications, Including these Vendors:

93. Cisco NAC – Available Appliances and Network Modules
Users = online, concurrent
Super
Manager
manages up to 40
Enterprise and
Branch Servers
Standard
Manager
manages up to 20
Enterprise and
Branch Servers
Manager
Lite
manages up to 3
3500 users
Branch Office
or SMB Servers
2500 users
1500 users
Profiler Server Appliance
NAS Models
100 users
250 users
500 users
License on NAS - Not additional Appliance
50 users NM
100 users NM
Extended Guest Services - Appliance

94. Section 4 – Managing Data Loss – Analysts Solutions
Mark Lachniet, Solutions Architect – Analysts International
Lansing, MI
July 15th, 2008

95. Analysts International Security Services
Analysts International staffs engineers and consultants dedicated entirely to security services
This includes a wide range of functions including policy development, incident response/forensics, security assessments, hardware and software installation and configuration, etc.
Includes both preventative and reactive services, should they be necessary
Analysts International’s security engineers/consultants specialize in various compliance areas such as PCI, HIPPA, GLBA and DIACAP

96. Policy and Procedure Development
If you are interested in getting help with developing your policies, practices and procedures, Analysts can assign a consultant who can work with you to help
Every organization is different, and one size does not fit all
We have helped other organizations create the same procedures (e.g. Information Classification, Incident Response, Log Review) that are discussed in this seminar
In addition, we have worked with many organizations to create security policies such as:
Acceptable Use Policies
Remote access policies
Security device minimum standards / baseline configs
Wireless security policies
And many more

97. Incident Response Services
In the unfortunate event that you suspect you have been hacked or had a breach, Analysts can help you to determine the scope of an incident and its possible ramifications
Tracking attacks through multiple firewalls, routers, Windows and UNIX servers, databases and applications is time consuming and technically demanding
We can assist you with to:
Minimize the disruption to your organization
Find out what happened
Identify short-term recovery and mitigation strategies
Create reports on the scope and nature of the incident
Identify long-term improvements that will reduce future risk
Interface with Law enforcement and legal counsel as needed

98. Administrator Termination Services
In the event that you need to terminate an I.T. employee with significant levels of access
Often used in “hostile” departures such as employees being fired
Also used by organizations as a best practice to create a re-usable termination procedure in low-risk departures
Analysts’ staff will work with you to:
Evaluate the risk posed by the departing employee
Participate in exit interviews if desired
Identify physical and intellectual property to be retrieved
Identify systems that the individual may have had access to
Create a list of tasks that will need to be performed such as changing passwords, contacting vendors and partners, updating software, etc.
Analyze systems for “time bombs” or other evidence of abuse
Change passwords on servers, network devices, remote access systems, telephony systems, etc.

99. Vulnerability Assessments
Internet Security Assessment Service (ISAS) used to scan Internet-accessible servers for security flaws that could be used to breach security
On-Site Assessment Service (OSAS) used to scan Internal servers for security flaws that could be used by a malicious employee or partner, or exploited by automated systems such as worms
Web Application Security Assessment (WASA) used to analyze web applications for security flaws that could lead to a hack of sensitive back-end databases or trusted systems
Customized assessments of products and systems such as security appliances, Citrix systems, wireless devices, etc. can also be performed as needed

100. Security Needs Assessment Service (SNAS)
The SNAS process is intended to be a wide-ranging review of security practices and procedures
Primarily based on discussions and reviews of documentation
Often used when an organization wants to get a “check up” on their current posture, or wants to identify the most important areas to focus on for security
Yearly third-party security audits are frequently required by financial auditors
Often customized to address specific concerns such as compliance with a specific regulation such as GLBA, NCUA, Michigan Gaming Control Board, etc.
Provides a detailed deliverable with a security ranking matrix that maps each recommendation on a cost vs. gain matrix, so you can quickly identify the “low hanging fruit”

101. Security Needs Assessment Service (SNAS)
The above is an example of the ranking matrix – with the “sweet spot” (cheap and high-gain) in the upper right-hand corner

102. Questions, Comments and Discussion
Contacts
Analysts International Cisco Systems
Mark Lachniet Bret Straffon
Solutions Architect PSS - Security
(517) (office) (248) (office)
Lance Miller Scott Maxwell
Security Practice Director CAM – Cisco Channel
(248) (office) (614) (office)