
Data Loss – Prevention and Controls



Presentation on theme: "Data Loss – Prevention and Controls"— Presentation transcript:

1 Data Loss – Prevention and Controls
Mark Lachniet, Solutions Architect – Analysts International
Bret Straffon, PSS Security – Cisco Systems
Lansing, MI, July 15th, 2008

2 Presentation Overview
This presentation will provide an overview of issues surrounding Data Loss Prevention (DLP) and provide a roadmap for understanding:
How it impacts YOUR organization
Regulations and standards (e.g. PCI and GLBA) that address it
How it is affecting industry and the economy in general
Some vendor-agnostic approaches to dealing with data loss and breaches
How Cisco’s product line can help you address DLP concerns in a cost-effective and scalable manner
How Analysts International’s expertise and services can help to prevent and recover from incidents
CAVEAT EMPTOR: Many of the topics discussed in this seminar touch on legal matters. You should consult your own legal counsel!

3 Introductions – Mark Lachniet
Mark Lachniet from Analysts International
Solutions Architect with Analysts International’s security group
With Analysts International for approximately 8 years
Previously an I.T. director at a K-12 school district and instructor for Walsh College’s NSA-certified Masters in Information Assurance (MSIA) Program
Provides oversight on all security services
Performs hands-on work in most areas with a focus on “holistic” security such as policies and procedures, regulatory compliance, Business Continuity Planning, and technical areas such as forensics, incident response, web app security, etc.
Member of the International High Technology Crime Investigation Association (HTCIA)
GIAC Gold Certified Forensic Analyst (GCFA)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)

4 Introductions – Bret Straffon
Bret Straffon, Product Sales Specialist – Security Solutions
With Cisco for approximately 3 years
Prior to Cisco: spent time at Cybertrust, Open Service, Trend Micro, ISS, and Deloitte and Touche
Total of 9 years experience selling security solutions
BSBA, Management Information Systems, CMU ’94

5 Agenda
11:00 am Sections 0 & 1 (Mark Lachniet) (45 mins)
11:45 am Lunch is distributed (20 mins)
12:05 pm Section 2 (Mark Lachniet) (45 mins)
12:50 pm Section 3 (Cisco) (45 mins)
1:35 pm Section 4 (Mark Lachniet) (20 mins)
1:55 pm Q&A (all) (5 minutes or as needed)

6 Section 1 – Data Loss Overview
Mark Lachniet, Solutions Architect – Analysts International Lansing, MI July 15th, 2008

7 Overview of Data Loss Prevention
There have been hundreds of significant breaches in the last few years, and public (as well as legislative) attention is now on the problem, so it will only get more important over time
Failure to control data leakage has very public and painful ramifications (bad press, plummeting stock prices, fees and penalties, lawsuits, regulatory non-compliance, etc.)
We must be concerned about controlling our sensitive data throughout its entire life-cycle (from creation to destruction)
History has shown that being “out in front” of, and prepared for, upcoming (and inevitable) trends such as data breach disclosure laws is more cost-effective than a late response

8 Types of Data To Protect
The type of data you need to protect will obviously depend upon your industry, and some industries are more susceptible than others
Personally Identifiable Information (PII) such as addresses, phone numbers, etc.
Personal Financial Information (PFI) such as account numbers and balances, purchasing history, credit card information
Protected Health Information (PHI), including personal health records, billing, etc. Covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Internal secrets (marketing, payroll, passwords, etc.)

9 The Pain of a Breach
If you have a breach, the impact could be significant, possibly even going out of business
Loss of stakeholder confidence (the public, customers, investors, partners, etc.)
Lost productivity (inability to work, servers down, people re-assigned for clean-up, data recovery costs)
Fees for not meeting Service Level Agreements (e.g. in manufacturing industries)
Costs associated with notification (sending “oops” letters, staffing a toll-free information line, providing credit counseling to victims, etc.)
Internal and external consultant costs
Blackmail and extortion attempts
Submitting to mandatory audits

10 The Pain of a Breach – Examples
8 August 2002: Microsoft and FTC Reach Passport Privacy and Security Settlement. A Federal Trade Commission (FTC) investigation found that Microsoft misrepresented both the level of security provided and the amount of data collected by its Passport services. As part of a settlement with the government, Microsoft will refrain from making false claims about the information it collects and will submit to an independent audit of its security program every two years. Microsoft could face fines of $11,000 a day if it fails to comply with the agreement.
ChoicePoint: In January 2006, consumer data provider ChoicePoint Inc. agreed to pay $15 million to settle FTC charges that its security and record-handling procedures violated consumers' privacy rights when thieves breached its database.

11 The Pain of a Breach – Examples
“T.J. Maxx Parent Company Data Theft Is The Worst Ever”
The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customer records mark, something that only CardSystems had been able to achieve.
TJX later settled Visa's charges against it for $41 million in November 2007, and paid an undisclosed amount to settle a group of lawsuits brought against it by Massachusetts-based banks in December 2007.
The FTC ordered TJX to designate an individual responsible for information security, identify risks to personal data, deploy safeguards to mitigate that risk, work out agreements with service providers that handle customer data, and evaluate and adjust its security program to meet operational changes. In addition, TJX must submit to a third-party audit of its security program every two years for the next two decades.

12 The Pain of a Breach – Examples
EggHead.com: 3.7 million customer records were stolen (including mine)
End consumers were covered: we just had to fill out a form for the credit card company, and would have only been liable for $50 max
However, it was necessary for consumers to actually identify and contest the charges
Egghead actually informed customers (this was before it was a common practice) and hence was able to keep some stakeholder confidence
Credit card companies were not happy: they had to re-issue cards and sued Egghead for costs
Egghead was apparently forced out of business due to these lawsuits from the credit card companies
Eventually re-branded themselves as newegg.com, a company which I actually purchase from (can lightning strike twice?)

13 Other Penalties for Breaches
In addition, there may be other types of damages for failure to maintain good security and/or alert victims
By law: In the State of New York, you can be fined $10 per instance of failed notification, not to exceed $150,000. Many other states have similar fines on the books, and more and more states are passing breach notification laws. See for an interactive map. At a federal level, the FTC or SEC may step in
By civil suit: ChoicePoint: $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges
Disciplinary action: Lose job or vacation time. An Ohio Department of Administrative Services employee lost a week of vacation!

14 States with Breach Laws
From: 38 states have them as of February 12, 2008
Interesting note: In many cases, if the lost data was in an encrypted format, you may not have to make a disclosure due to “safe harbor” (the statutes generally condition this on the encryption key not having been lost along with the data, so check the specific law with counsel)

15 What Happens to that Lost Data???
A lot of the time, nothing: the tape or laptop was lost or stolen, and never heard of again. No direct impact was known (but they still had to report it)
In some cases, it may be used for identity theft, which is a real problem, but in many cases it is sold on the black market
Computer crime is now within the domain of organized crime such as the “Russian Business Network”
There is an entire community and hierarchy of traffickers

16 The Lucrative World of Malware and “Bot Herding”
People are making money! Millions of dollars! There are entire economies based on computer crime:
Hackers: Produce new exploits for common software and sell the “0-day” exploits to bot herders
Bot Herders: Use the new exploits to distribute malware to end users. The resulting bots are used for denial-of-service extortion, spamming, stealing network or PII information, click advertisement abuse, etc. They sell their harvested information to criminals.
Criminals: Use the obtained credit card and bank account information to perpetrate financial crimes and pay for further development
Finding ways to identify, control and remove malware (especially unidentified malware) is a boom market
Limiting exposure (for example through good system security and products such as Cisco’s IronPort appliances) can minimize this risk

17 Malicious Code Threats (2007)
One very real problem is that there is a proliferation of malware, and Anti-Virus simply cannot keep up with all the new versions

18 The Value of Information (2007)

19 The List Not to Be On – attrition.org
Attrition.org used to maintain a list of “hacked” organizations, but they were unable to keep up Now they are focusing on data breaches – see:

20 Attrition.org – March of 2008 (1 month)
Baltimore Highway Administration (Employee information for about 1,800 accidentally exposed on internal server)
Child Assessment Service, Tuen Mun Centre (Medical data and identity on 700 children exposed)
University of Colorado at Boulder (Names, addresses, and Social Security numbers of about 9,500 on compromised server)
WiseBuys (Hundreds of credit and debit card numbers reported stolen)
Coos County, Oregon (Nearly 500 Social Security numbers and personal information reported on stolen laptop)
Chrysler Financial (Data tape lost in transit contained personal information)
Southern Connecticut State University (11,000 students and alumni exposed on website)
University of Texas Health Science Center (Social Security numbers available on about 2,000 billing envelopes)

21 Attrition.org – March of 2008 (1 month)
CollegeInvest (Lost hard drive exposes 200,000 customers during office relocation)
University of Massachusetts (Hackers breach system accessing thousands of medical records)
Boots Dental Plan (Account details of 34,000 stolen from courier)
LendingTree (Social Security numbers, names, addresses, and other personal information inappropriately accessed)
Bank of Ireland (Account information, addresses, and medical information of 10,000 on stolen laptops)
Central Collection Bureau (Social Security numbers and names of 700,000 on stolen server)
University of Miami (Stolen tapes containing names, addresses, and medical records of 2.1 million patients)

22 Attrition.org – March of 2008 (1 month)
Connecticut State University System / Buffalo State / Northwest Missouri State University (Stolen laptop contains names and Social Security numbers of 20,500 students)
University of Virginia (Social Security numbers and names of over 7,000 on stolen laptop)
Stokes County High Schools (Stolen computer exposes 800 student names and Social Security numbers)
University of Toledo (Name, address, and Social Security numbers for 6,488 exposed on internal server)
West Seneca School District (Students hack school district computer system; 1,800 employees notified)
Bowdoin College (Student Social Security numbers, names, addresses, insurance information left exposed on server)

23 Attrition.org – March of 2008 (1 month)
New York-Presbyterian Hospital/Weill Cornell Medical Center (Names, phone numbers and some Social Security numbers of 40,000 stolen by employee)
Joliet West High School (Names and Social Security numbers of "about every student enrolled" accessed)
Wellcare (71,000 insurance records including Social Security numbers exposed on internet)
WellPoint (Social Security numbers and medical information for about 128,000 exposed on internet)
Pfizer (Stolen laptop contains names and credit card numbers of about 800)
University of California, Irvine (Up to 7,000 affected; very few details available)
Okemo Mountain Resort (Computer network breach exposes tens of thousands of credit card transactions)

24 Managing the Societal Impact of High-Tech Crime
And those were only the incidents that were reported, and for which someone bothered to make an entry in the database
Obviously, this is a problem that is costly both to the people affected and to the economy in general
“Computer Economics” estimates $13 billion world-wide in 2006, and it’s getting worse
To mitigate this, government (through regulations and laws) and industries (through self-regulation) are starting to develop standards and controls
Some standards are proactive, some reactive
We will discuss a couple: the Payment Card Industry (PCI) and the Gramm-Leach-Bliley Act (GLBA)

25 The Payment Card Industry (PCI)
A consortium of credit card companies including Visa and MasterCard
Has implemented the PCI Data Security Standard (PCI DSS)
This affects anyone who stores or processes credit card information, though there are different categories (merchant and service provider levels set how you validate compliance, not whether the standard applies to you):
“According to payment brand rules, all merchants and service providers are required to comply with the PCI Data Security Standard in its entirety.”

26 The Payment Card Industry (PCI)
There are numerous requirements as part of the PCI standard
Which ones apply, and how you validate them, depend partly on what type of data you process or store: if you store, process or transmit the Primary Account Number (PAN), the standard applies to you
There are some items that you can never store after authorization, even in encrypted form:

27 PCI Requirements – The “Big 12”
Cisco ASA firewalls are a well-accepted way to meet Requirement #1 (install and maintain a firewall configuration to protect cardholder data)
Use of IPsec VPN (e.g. in ASA and ISR routers) can meet Requirement #4 (encrypt transmission of cardholder data across open, public networks)
Use of Cisco’s CSA agent can help meet Requirements #3 (protect stored cardholder data) and #6 (develop and maintain secure systems and applications)
A well-designed network and regular security assessments can also help to meet Requirement #6

28 PCI Requirements – The “Big 12”
Cisco’s MARS appliance can help to meet Requirement #10 (track and monitor all access to network resources and cardholder data)
Regular vulnerability assessments (e.g. Analysts ISAS, OSAS and WASA services) can help address Requirement #11 (regularly test security systems and processes)
Analysts policy development services can help to address Requirement #12 (maintain a policy that addresses information security)
OF COURSE a mature and well-run organization with proper practices and procedures is the essential glue that pulls together all of the external products and services, and is without a doubt the MOST important part

29 The Gramm-Leach-Bliley Act (GLBA)
Includes three primary components:
The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions "such as credit reporting agencies" that receive customer information from other financial institutions.
The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."

30 The GLBA Privacy Rule (16 CFR Part 313)
Is primarily concerned with how you process and use information, and most notably that organizations have implemented a privacy policy and protection plan
Past analysis by Analysts International has identified several specific provisions as part of our Security Needs Analysis Service (but you should consult your own legal counsel before accepting these as gospel):
A formal information privacy policy has been created
The information privacy policy is regularly communicated to internal and external stakeholders
The privacy policy includes an inventory of existing data collection practices
The privacy policy makes a distinction between a Consumer (an individual who obtains a financial product or service for personal, family or household purposes) and a Customer (a consumer who has an established, continuing relationship with the institution)

31 The GLBA Safeguards Rule (16 CFR Part 314)
Is concerned with how you protect sensitive data:
Encrypt the data
Properly dispose of it (and require outsourced service providers to do so as well)
Have a formal incident response plan to detect and respond to threats
Have a formal risk assessment program in place, and someone designated to maintain it
Use a formal “administrator termination” process to remove all access rights from former employees
Regularly monitor and test the safeguards

32 Summary – Data Loss Prevention
Data disclosures are bad, and getting worse
It is difficult to identify requirements, to whom and how they apply, and how to address them in a cost-effective manner
It is difficult to manage and monitor large I.T. infrastructures; products are needed
Expertise in security and regulatory compliance is difficult to come by, and Subject Matter Experts are expensive to hire, train and keep on staff
A high level of organizational maturity is required to pass audits, let alone truly comply with the “spirit” of the laws

33 Section 2 – Threat Vectors and Internal Controls
Mark Lachniet, Solutions Architect – Analysts International Lansing, MI July 15th, 2008

34 Data Loss Threat Vectors and Controls
Many controls are best done internally, such as creating a formal I.T. security management framework, or identifying the type of data you need to protect
Some controls are most efficient when automated with products, for example aggregating logs from a large number of systems and analyzing them for incidents
Some controls require significant security expertise, or require “third party independence” such as doing security audits, and may need to be outsourced for cost reasons
In the next section, we will discuss a number of threats (though not a complete list) that pertain to DLP and propose some appropriate controls that can be done internally, with Cisco products, or with Analysts’ services

35 Intentional Misconduct by Insiders

36 Misconduct by Partners, Service Providers and Clients

37 Conventional Hack Attacks

38 Targeted Attacks

39 Contracted Malware

40 Stolen or Lost Data

41 Awareness of Sensitive Data

42 Not Prepared for a Breach

43 Limited Budget and Resources

44 Encourage Maturity In Operations
In general, the more organized you are, the better your security will be, the less likely you are to suffer a breach, and the less expensive I.T. will be to the organization!
Consider adopting the ITIL standards in areas such as documentation, change control, etc.
Also formally define your security policies, expectations, and procedures (e.g. server hardening, application development, database security, remote access, etc.)
Consider the Capability Maturity Model: where are you on security?

45 Manage Employees
Do regular background checks of applicants
Have strong, documented linkages between H.R. and I.T.
Require sign-off on Acceptable Use Policies (AUP) and Non-Disclosure Agreements (NDA)
Provide training and awareness on security issues, recommended at 1 week/year per I.T. employee, less for end users
Regularly monitor employee activity

46 Formalize Risk Management
I.T. Risk Management should be a formal process in your organization
Consider creating a workgroup tasked with managing security that is responsible for:
Promoting awareness of Information Security issues within the organization
Identifying and managing strategic, operational and financial I.T. risks
Identifying and managing I.T. regulatory compliance requirements and controls
Identifying security needs, budgetary and staffing requirements, etc.
Acting as an interface to other departments within the organization to provide guidance and assistance on information security issues

47 Create an Information Classification System
Identify the types of critical data you have in use through self-assessments, interviews, external audits
Classify this data into some logical but maintainable types
Determine how each of these categories must be handled from creation to disposal:
Physical Storage: Locked rooms, clean desk policies
Logical Storage: Approved file shares, encrypted tape / USB flash, on encrypted hard drives if taken outside of the organization
Disclosure: Who is allowed to have the information? Is it on a “need to know” basis?
Destruction: Must it be shredded? Completely wiped before resale?

48 Create an Incident Response Plan
Have a formal plan, that people are aware of and can use, on how to respond to an incident
Consider items such as:
How will you identify a breach?
What is the appropriate response, based on the type of information?
What information will you record about the incident?
Who is allowed to talk to whom?
What types of incidents will require an “oops letter” to go out? Who makes the call on this?
Will you have to file a Suspicious Activity Report (SAR) with an oversight agency?

49 Forensic Readiness
Forensic readiness is related to incident response, but focuses on taking steps to accumulate forensic data before an incident happens
Do you have log files from all of your network devices? Servers? Would they be available if the device was wiped (i.e. forwarded to a central collector rather than kept only on the device itself)?
Do you have the ability to do log analysis with software such as Sawmill on an ad hoc basis for data mining?
Do you have processes, procedures and tools to analyze and preserve data?
Do you know who to call if you are out of your depth? Do you have legal help?
Are you covering your data retention requirements?
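Ad hoc log mining of the kind the slide asks about, as an added example that is not part of the original presentation and not Cisco or Analysts International code. It parses a handful of constructed firewall log lines (made up for this example, approximating the Cisco ASA 302014 TCP teardown message) and totals the bytes each inside host moved through the outside interface, flagging hosts above a threshold, which is the first question an incident responder asks when a machine is suspected of leaking data. The log lines, the interface name "inside", the 100 MiB threshold and the function names are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real device), approximating the
# Cisco ASA 302014 "Teardown TCP connection" message.  The last line is a
# different message type, included to show that unparsed lines are counted
# rather than silently dropped.
SAMPLE_LOG = """\
Jul 15 2008 13:02:11 fw01 %ASA-6-302014: Teardown TCP connection 9001 for outside:203.0.113.10/443 to inside:10.1.2.3/51234 duration 0:00:12 bytes 48213 TCP FINs
Jul 15 2008 13:04:40 fw01 %ASA-6-302014: Teardown TCP connection 9002 for outside:198.51.100.7/22 to inside:10.1.2.77/40112 duration 0:41:03 bytes 734003200 TCP FINs
Jul 15 2008 13:05:02 fw01 %ASA-6-302014: Teardown TCP connection 9003 for outside:203.0.113.10/80 to inside:10.1.2.3/51240 duration 0:00:03 bytes 10240 TCP FINs
Jul 15 2008 13:07:19 fw01 %ASA-6-302014: Teardown TCP connection 9004 for inside:10.1.2.9/445 to inside:10.1.2.3/51300 duration 0:00:01 bytes 2048 TCP FINs
Jul 15 2008 13:09:55 fw01 %ASA-6-302014: Teardown TCP connection 9005 for outside:198.51.100.7/22 to inside:10.1.2.77/40113 duration 0:20:10 bytes 402653184 TCP FINs
Jul 15 2008 13:10:01 fw01 %ASA-4-106023: Deny tcp src outside:192.0.2.44/3389 dst inside:10.1.2.3/445 by access-group "outside_in"
"""

TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection \d+ "
    r"for (?P<far_if>\w+):(?P<far_ip>[\d.]+)/(?P<far_port>\d+) "
    r"to (?P<near_if>\w+):(?P<near_ip>[\d.]+)/(?P<near_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
)

INSIDE_IF = "inside"  # assumed name of the interface facing the protected network


def parse_teardowns(log_text):
    """Return (list of parsed teardown dicts, count of lines that did not parse)."""
    parsed, unparsed = [], 0
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            unparsed += 1
            continue
        d = m.groupdict()
        d["bytes"] = int(d["bytes"])
        d["seconds"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
        parsed.append(d)
    return parsed, unparsed


def summarize_outbound(log_text):
    """Total bytes per inside host on connections that crossed to another interface.
    The teardown byte count covers both directions, so this is a coarse volume
    indicator, not a precise measure of what left the network."""
    totals = defaultdict(int)
    for conn in parse_teardowns(log_text)[0]:
        if conn["near_if"] == INSIDE_IF and conn["far_if"] != INSIDE_IF:
            totals[conn["near_ip"]] += conn["bytes"]
    return dict(totals)


def flag_exfiltration(log_text, threshold_bytes):
    """Return (host, bytes) pairs above the threshold, largest first."""
    totals = summarize_outbound(log_text)
    hits = [(host, total) for host, total in totals.items() if total > threshold_bytes]
    return sorted(hits, key=lambda hb: hb[1], reverse=True)


if __name__ == "__main__":
    parsed, unparsed = parse_teardowns(SAMPLE_LOG)
    print(f"parsed {len(parsed)} teardown lines, {unparsed} other lines")
    for host, total in flag_exfiltration(SAMPLE_LOG, 100 * 1024 * 1024):
        print(f"{host}: {total / 2**20:.0f} MiB through the outside interface")
```

The point of the unparsed-line counter is readiness: if most of your lines fall into it, the parser is wrong for your device, and you want to find that out during a drill rather than during an incident. The inside-to-inside connection is deliberately excluded so that a file server copy does not look like exfiltration.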

50 Privacy Policy
Do you have a written privacy policy?
Does it match the regulatory requirements that you may be subject to?
Does it align with your information classification and incident response procedures?
Has your lawyer reviewed it?

51 Section 3 – Managing Data Loss - Cisco Solutions
Bret Straffon, PSS Security Lansing, MI July 15th, 2008

52 IronPort Gateway Security Products
Diagram labels: Internet, IronPort SenderBase, Email Security Appliance, Web Security Appliance, Security Management Appliance.
Provides an opportunity to discuss the range of services and products that IronPort offers. Network security has moved beyond simple packet filters and stateful firewalls to truly understanding the application. From the X1000, designed for demanding ISP environments, to the C100 for companies starting at five users.
ESA: Protects port 25. Spam, viruses, outbreaks, phishing and spoofing inbound. Policy enforcement and encryption outbound.
WSA: Protects port 80. Spyware and malware inbound. Acceptable use policy outbound.
SMA: Ties it all together. Today it acts as a centralized quarantine; in the future it is the centralized reporting and tracking device across both platforms.

53 IronPort – Gateway Solutions
Email Security (C-Series)
Protection from External Attacks: Spam, Virus, Denial of Service, Phishing, Directory Harvesting, Misdirected Bounces
Protection of Internal Property: Compliance, Data Leakage, Encryption, Brand Protection, Authentication
Web Security (S-Series)
Control Web Traffic: High-performance web proxy, Web Policy & URL Filtering, Fully integrated complete content inspection, L4 traffic monitor protects all network ports
Protect from Web Threats: Adware, Virus, Phishing, Browser Hijackers, Keyloggers, Trojans and more

54 Data Loss Prevention Deployment IronPort Reduces Complexity
Diagram: “Before IronPort” shows separate Firewall, Encryption Platform, DLP Scanner, DLP Policy Manager, MTA, Anti-Spam, Anti-Virus, Policy Enforcement and Mail Routing boxes between the Internet and the Groupware/Users; “After IronPort” shows the Firewall and a single IronPort Email Security Appliance in their place.
Note to speaker: This is one of the most important slides to present when describing our integrated DLP offering. Another compelling aspect of IronPort’s DLP offering is integrated encryption, supported by IronPort PXE secure envelope technology. In this slide, we’ve listed some legacy solutions and their shortcomings, which include: multi-platform deployment models; the need for administrators to manage complex certificate requirements; the need for receiver plug-ins. IronPort PXE is a single integrated platform with no certificate complexity, and no plug-ins are required.

55 Combines Email & Web Traffic Analysis
The IronPort SenderBase® Network, Global Reach Yields Benchmark Accuracy: 30B+ queries daily; 150+ email and web parameters; 25% of the world’s traffic; Cisco network devices
Combines Email & Web Traffic Analysis: a view into both email and web traffic dramatically improves detection. 80% of spam contains URLs; email is a key distribution vector for web-based malware; malware is a key distribution vector for spam zombie infections
SenderBase is one of our strongest assets. SenderBase is the world’s largest email and web traffic monitoring network. We have visibility into a wide range of parameters and we see a great deal of the world’s network traffic: 30 billion plus queries to SenderBase daily. In the future, we will also be seeing more data from Cisco network devices, including firewalls, routers, and switches. A unique aspect of SenderBase is that it has visibility into email AND web traffic. 80% of spam contains URLs; this gives us a key data feed for powering our Web Reputation technology that feeds both the C-Series and S-Series product lines.
Diagram: IronPort SenderBase feeding IronPort Email Security Appliances and IronPort Web Security Appliances.

56 IronPort Reputation Filters Dell Case Study
Dell’s challenge: Dell currently receives 26 million messages per day. Only 1.5 million are legitimate messages. 68 existing gateways running SpamAssassin were not accurate.
IronPort’s solution: IronPort Reputation Filters block over 19 million messages per day. 5.5 million messages per day are scanned by IronPort Anti-Spam. Replaced 68 servers with 8 IronPort appliances.
“IronPort has increased the quality and reliability of our network operations, while reducing our costs.” — Tim Helmstetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION
The benefits of IronPort Reputation Filtering are captured nicely in this Dell case study. Dell was receiving 26 million messages a day with only 1.5 million being legitimate. They had approximately 70 servers running SpamAssassin and a variety of other commercial and open source technologies, trying to deal with the spam volumes, viruses, as well as policy enforcement. Dell employed IronPort, and Reputation Filtering blocked around 20 million messages daily, the rest of the messages being scanned by the anti-spam scanner. This allowed us to reduce their server footprint from 68 servers to 8 IronPort appliances. The overall accuracy of the spam filtering increased dramatically, and the total cost of ownership was also substantially reduced.
Accuracy of spam filtering increased 10x. Servers consolidated by 70%. Operating costs reduced by 75%. Mailboxes protected: 100,000+.

57 IronPort Email Encryption The Easiest Path to Protecting Confidential Email
Universal Reach: send to any user
Auditable Policy Enforcement: content scanning at the gateway drives encryption; does not rely on or require user action
Easiest to use: transparent to sender; no client software for sender or receiver, no certificates needed
Easiest to Deploy and Manage: no client software; hosted key management infrastructure
IronPort Encryption solves these problems, providing the easiest-to-use, easiest-to-deploy encryption solution for regulatory compliance and protection of sensitive information.
Send to any inbox: supports all enterprise clients, e.g. Outlook, Notes, GroupWise, as well as all webmail clients, e.g. Yahoo! Mail, AOL Mail, Gmail, etc.
No client software to install: all it requires is a web browser
No certificates: all managed automatically through an IronPort hosted service
C-Series Compliance Filters and content filters ensure that the encryption policy is consistently enforced without relying on sender action, perfect for compliance audits
Recipient steps: Receive, Enter password, View secure message

58 Data Loss Prevention Foundation Integrated Scanning
Diagram labels: Users, Outbound Mail, Compliance Dictionaries, Custom Content Filters, Smart Identifiers, Weighted Content Dictionaries, Attachment Scanning. Integrated Scanning Makes DLP Deployments Quick & Easy.
Our custom content filters give the administrator the ability to write rules that are specific to their organizational needs. We also provide compliance dictionaries that give administrators a turn-key solution for HIPAA and GLBA, so they won’t have to go out and do the research themselves. We also have smart identifiers, which with a checkbox allow administrators to scan for specific numerical strings. These identifiers are unique because they automatically look for expression patterns. The smart identifiers also have the intelligence embedded in them to look for checksums, or whether or not a number is a valid Social Security number. IronPort also provides a very wide range of attachment scanning features that allow for scanning text in over 400 different attachment types. We also have weighted content dictionaries that provide an extension of our existing functionality. Instead of a binary yes or no indicating the existence of a word, we give administrators the ability to put a numerical weighting on each word triggered; as the sum of those weights exceeds a threshold, the filter action is enabled.
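A minimal version of the "smart identifier" idea the notes describe, as an added example that is not part of the original presentation and not IronPort's implementation: a digit run only counts as a card number if it passes the Luhn checksum, and a 3-2-4 digit pattern only counts as a Social Security number if its parts are structurally possible. The message text is constructed for the example, and the regular expressions, the structural SSN rules and the "quarantine" action are the example's own assumptions.

```python
import re

# Constructed sample outbound message, made up for this example.  It contains
# the well-known 4111... test card number (which passes the Luhn check), a
# 16-digit reference number that does not, one structurally valid SSN and one
# with an impossible area number.
SAMPLE_MESSAGE = (
    "Hi Bob, the customer's card is 4111 1111 1111 1111, exp 09/10.\n"
    "The order id is 4111 1111 1111 1112 (that one is just a reference number).\n"
    "Patient SSN 123-45-6789, emergency contact SSN 000-12-3456.\n"
    "Tracking 987654321 should not be mistaken for anything sensitive.\n"
)

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Structural rules: area 000, 666 and 900-999 are never issued, and the
    group and serial parts are never all zeros.  Passing this check does not
    prove the number was ever assigned, so treat it as an indicator."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_pans(text):
    """Digit runs that look like card numbers AND pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]


def mask_pan(digits):
    """Keep only the last four digits, the usual form for notifications and logs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text):
    """Mask Luhn-valid card numbers in place; leave other digit runs untouched."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def scan_message(text):
    """Decide what the gateway should do with an outbound message."""
    pans, ssns = find_pans(text), find_ssns(text)
    action = "quarantine" if pans or ssns else "deliver"
    return {"pan": pans, "ssn": ssns, "action": action}


if __name__ == "__main__":
    result = scan_message(SAMPLE_MESSAGE)
    print(result["action"], [mask_pan(p) for p in result["pan"]], result["ssn"])
```

The checksum is what keeps the filter from quarantining every order number and tracking code that happens to be 13 to 19 digits long, which is the "does not over-encrypt" concern raised later in these notes. A Luhn-valid number is still not proof of a real card, so in practice the hit is combined with context (a nearby expiry date, a weighted dictionary score) before the action is taken.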

59 Data Loss Prevention Foundation Integrated Remediation
Diagram labels: Users, Outbound Mail, Remediation: Encryption, Remediation: Notification, Remediation: Reporting, Remediation: Quarantine. Integrated Remediation Eases Work Flow Burden.
This slide captures the integrated remediation features. After the administrator has set up scanning policies, you want to make sure the remediation matches the workflow that makes sense for the admin. Our features will do things like notify either the sender, the recipient, the admin or someone else when a DLP violation takes place. Also, it will provide a robust report that has a great deal of information on which DLP rules are being violated and by whom. Lastly, there is the quarantine feature. The quarantine is the location where a message that violates the DLP policy is stored for further review by the administrator. Our quarantine allows the administrator to log in and easily see which words violated the policy. Additionally, the quarantine has the ability to delegate access to someone other than the I.T. staff. (Some organizations want a compliance team to review the content that violates a policy, and our quarantine gives them the ability to do that.)

60 How It Works: Recipient Experience
Notification Envelope
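The weighting scheme described in the speaker notes for the regulatory compliance slide (personal identifiers weighted 2, crossover words weighted 3, medical condition flags weighted 1 or 2, with the filter action firing once the sum reaches a threshold), carried through in code as an added example that is not part of the original presentation and not IronPort's compliance dictionary. The dictionary terms, the threshold of 5, the rule that each distinct term is counted once, and the sample messages are all constructed for the example; a real dictionary would be far larger and tuned on the organization's own mail.

```python
import re

# Constructed illustrative lexicon (not IronPort's dictionary).  Weights follow
# the scheme described in the notes: identifiers 2, crossover words 3,
# condition flags 1 or 2 depending on how often the word appears in
# non-medical conversation.
PERSONAL_IDENTIFIERS = {          # weight 2: things that tie text to a person
    "patient": 2, "mrn": 2, "date of birth": 2, "ssn": 2, "member id": 2,
}
CROSSOVER_WORDS = {               # weight 3: link an identifier to a condition
    "diagnosed with": 3, "treated for": 3, "prescribed": 3, "admitted for": 3,
}
CONDITION_FLAGS = {               # weight 1 or 2: harmless on their own
    "hiv": 2, "cancer": 2, "diabetes": 1, "depression": 1, "pregnant": 1, "flu": 1,
}
THRESHOLD = 5   # assumed: a score at or above this triggers the filter action

LEXICON = {}
for lexicon in (PERSONAL_IDENTIFIERS, CROSSOVER_WORDS, CONDITION_FLAGS):
    LEXICON.update(lexicon)

# Compile once; the \b anchors keep "hiv" from matching inside "archive".
PATTERNS = {term: re.compile(r"\b" + re.escape(term) + r"\b") for term in LEXICON}


def score_message(text):
    """Return (score, {term: weight}); each distinct term is counted once."""
    lowered = text.lower()
    hits = {term: LEXICON[term] for term, pat in PATTERNS.items() if pat.search(lowered)}
    return sum(hits.values()), hits


def classify(text, threshold=THRESHOLD):
    """'encrypt' when the weighted score reaches the threshold, else 'deliver'."""
    score, _ = score_message(text)
    return "encrypt" if score >= threshold else "deliver"


# Constructed sample messages, made up for this example.
SAMPLES = {
    "phi": "Patient John Q. Public (MRN 44821) was diagnosed with diabetes and prescribed metformin.",
    "newsletter": "Reminder: flu shots are available in the lobby; anyone with diabetes questions can visit the wellness fair.",
    "billing": "Please update the member id on the invoice before Friday.",
    "borderline": "Patient was treated for flu and discharged the same day.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        score, hits = score_message(text)
        print(f"{name:10s} score={score:2d} action={classify(text):8s} hits={sorted(hits)}")
```

The crossover weight of 3 is what separates the "borderline" message (an identifier, a linking phrase and a minor condition, score 6) from the wellness newsletter (two condition words and nothing tying them to a person, score 2). That is the HIPAA distinction the notes draw: medical vocabulary alone does not need protection, medical vocabulary attached to an identifiable individual does.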

61 Business Class Email Enhanced Visibility and Control
Guaranteed Read Receipt
Guaranteed Recall
Guaranteed read receipts provide non-repudiation: I know you opened the message at this date and time... “please don’t say you didn’t get the invoice”
Guaranteed recall provides the ability to keep a message from being opened if it was inadvertently delivered; e.g. you fat-fingered an email address and are concerned that critical information may have gone to the wrong person. We call this the “diving save”.
This is available to every sender individually for messages that they’ve sent, and at an administrator level for all messages sent by the organization.

62 Categories: by Domain, Username, or LDAP
IronPort Security Manager: single view of policies for the entire organization, with categories by Domain, Username, or LDAP group.
Example per-group policies: IT – encrypt new passwords; SALES – identify & encrypt POs; LEGAL – archive all mail, encrypt mail with outside counsel.
One thing that is true in this business is that one size does not fit all when it comes to security policies. Customers want to have a unique policy depending upon who the user is, what LDAP group they are in, or even what domain they belong to. The IronPort Security Manager provides end-users that level of policy assignment. The administrator can determine, based on a variety of settings, what policies the end-user is going to get for anti-spam, anti-virus, content filters and virus outbreak filters. This is all made possible in one easy-to-use, easy-to-manage dashboard.
“IronPort Security Manager serves as a single, versatile dashboard to manage all the services on the appliance.” – PC Magazine

63 Regulatory Compliance IronPort
Pre-Defined Filters | Compliance Dictionaries | Smart Identifiers | Encryption (Message Based & TLS) | IM, Skype, P2P
As you know, the primary goal of smart lexicons and content dictionaries is to filter any outgoing message that contains sensitive personal information. Let’s discuss IronPort’s content dictionaries using HIPAA as an example (because HIPAA has one of the strictest sets of rules for compliance). <<The rest of the notes focus on HIPAA specifically>>
The Challenge: The real answer for 100% security is to simply encrypt ALL outgoing messages. However, this is not a viable option. Therefore, the challenge is to create an effective solution that mitigates risk, but also:
  Interoperates with existing technology
  Does not over-encrypt (false positives)
  Has minimal maintenance requirements
The natural tendency (and currently accepted model) is to use brute force and attempt to build an “all inclusive” medically related word list. This is not effective because:
  The list could never be truly all-inclusive
  It would require constant maintenance
  It takes an inordinate amount of CPU time to process
  HIPAA does not require protection of information simply because it is “medical” in nature, but does require it when that medical information could reasonably be tied to a single “identifiable” individual
Notes on the lexicons:
  Personal Identifiers – based on the 18 classifications for patient identifiers as outlined in
  Each of these is assigned a weight of “2”
  Crossover Words – common words you would expect to find between an identifier and a medical condition flag. Assigned a weight of “3”
  Medical Condition Flags – common medical condition flags that, when standing alone, do not require protection. Assigned a weight of “1 or 2” depending on frequency of use in non-medical conversation.
The Lexicon itself is not the all-inclusive safety net, but rather a best-practices methodology and tool for adhering to the core premise of compliance – taking reasonable and appropriate action.
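The weighted content dictionary and smart identifiers described in the integrated-scanning slide and the HIPAA lexicon notes above, as an added Python example; this is illustrative code written for this transcript, not IronPort’s implementation. The word lists, the threshold of 5, and the quarantine/encrypt/deliver mapping are assumptions for the demo; the per-tier weights (2, 3, 1 or 2) follow the notes, and the SSN structure rules and Luhn checksum are the public ones.

```python
import re

# Constructed weighted lexicon following the scheme in the slide notes: personal
# identifiers weigh 2, crossover words weigh 3, medical condition flags weigh 1 or 2
# depending on how often the word appears in non-medical conversation. These word
# lists are illustrative, not IronPort's actual dictionaries.
LEXICON = {
    "patient": 2, "mrn": 2, "date of birth": 2, "dob": 2, "ssn": 2,   # identifiers
    "diagnosed with": 3, "treated for": 3, "prescribed": 3,           # crossover
    "diabetes": 2, "hiv": 2, "cancer": 2,                             # rarely non-medical
    "cold": 1, "flu": 1, "depression": 1,                             # often non-medical
}
THRESHOLD = 5  # assumed: weight sum at or above this treats the message as PHI


def luhn_ok(number: str) -> bool:
    """Mod-10 (Luhn) checksum used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural validity of a US SSN (there is no checksum; SSA never issues these)."""
    a = int(area)
    return a != 0 and a != 666 and a < 900 and int(group) != 0 and int(serial) != 0


# Smart identifiers: a pattern plus a validator, so a random 9- or 16-digit string
# does not trigger the filter.
SMART_IDENTIFIERS = {
    "ssn": (re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
            lambda m: ssn_ok(*m.groups())),
    "credit_card": (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
                    lambda m: luhn_ok(m.group(0))),
}


def find_identifiers(text: str) -> list:
    """Identifier types present in the text whose checksum/structure check passes."""
    found = []
    for name, (pattern, valid) in SMART_IDENTIFIERS.items():
        if any(valid(m) for m in pattern.finditer(text)):
            found.append(name)
    return found


def lexicon_score(text: str) -> tuple:
    """Sum the weight of every lexicon term occurrence (case-insensitive, whole words)."""
    lower = text.lower()
    hits = {}
    for term, weight in LEXICON.items():
        n = len(re.findall(r"\b" + re.escape(term) + r"\b", lower))
        if n:
            hits[term] = n * weight
    return sum(hits.values()), hits


def evaluate(text: str) -> dict:
    """Decide the remediation action for one outbound message body."""
    identifiers = find_identifiers(text)
    score, hits = lexicon_score(text)
    if identifiers:
        action = "quarantine"   # hard hit: hold the message for compliance review
    elif score >= THRESHOLD:
        action = "encrypt"      # probable PHI: deliver in an encrypted envelope
    else:
        action = "deliver"
    return {"action": action, "score": score, "hits": hits, "identifiers": identifiers}


if __name__ == "__main__":
    # Constructed sample message bodies
    for body in [
        "The patient was diagnosed with diabetes last week.",
        "I caught a cold, skipping the meeting today.",
        "Please refund card 4111 1111 1111 1111 for the invoice.",
        "Tracking number 4111 1111 1111 1112 shipped.",
    ]:
        print(evaluate(body))
```

The third and fourth samples differ only in the last digit: the Luhn check is what keeps the tracking number from triggering the card identifier, which is the false-positive problem the notes describe.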

64 Acceptable Use IronPort
URL Filtering / Webmail Control | Custom Filter Creation | AUP Dictionaries | Granular Policy Management

65 Intellectual Property Protection IronPort
Data Leakage Dictionaries | Custom Filter Creation | Remediation: Notification | Remediation: Reporting | Remediation: Quarantine

66 CA Dept. of Alcohol & Drug Programs Data Loss Prevention via IronPort’s Email Security Appliances
“The selection of the IronPort and encryption system fulfilled the need for a secure electronic messaging system as the department requires a secure transmission method to meet HIPAA guidelines as well as other administrative requirements...” — Gary Hummel, CISSP, Information Security Officer, Dept. of Alcohol & Drug Programs
ADP’s Challenge:
  State mandated outbound content filtering
  Encryption to meet HIPAA and similar regulations
  Prevent accidental disclosures of state data, including patient records and SSNs
  Secure messaging with outside partners
  Other needs: phishing protection, easy message retention, improved system management
The IronPort Solution:
  IronPort C-Series email security appliance
  Encryption Envelope Server, IronPort Anti-Spam, IronPort Virus Outbreak Filters, Sophos Anti-virus
IronPort Results:
  Rapid deployment of Data Loss Prevention technology
  Ensures compliance with state and federal laws
  Set-and-forget management; little to no administrative intervention
  Industry leading anti-spam and anti-virus protection at the network perimeter, providing a first line of defense for Exchange servers

67 IronPort Encryption Use Cases
Government: Tax forms, Land registry, Defense procurement, Benefit statements
Health Care: Patient appointments, Invoices, Prescriptions, Treatment plans, Test results
Pharmaceutical: Drug research collaboration, FDA submissions
Financial Services: Trade confirmations, Broker/Agent networks, Insurance policies, Bank statements, Credit card statements, Account service requests, Loan/Account applications
General Operations / Finance: Order confirmations, Invoices, Purchase orders, Payment details, PCI compliance
Sales quotes, Product presentations
Business Development: M&A discussions, Deal negotiation
Legal: Contracts, Patents, Attorney-client privilege
IT: Password seeding, Live password resets, Voicemail transcription
HR: Benefits statements, Offer / pay letters, Stock option grants, Time cards, Pay slips
Marketing: Product roadmaps, Price lists, Promotion codes
Engineering / R&D: Design collaboration
Copyright © Cisco Systems, Inc. All rights reserved. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. All other trademarks are the property of Cisco Systems, Inc. or their respective owners. While every effort is made to ensure the information given is accurate, Cisco does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice.

68 IronPort Security Appliances Integrated Security Appliances For The Network Perimeter
IronPort S-Series WEB SECURITY APPLIANCE: L4 traffic monitor inspects all traffic; Web reputation for preventive filtering; Integrated complete content inspection; Data Loss Prevention
IronPort C-Series EMAIL SECURITY APPLIANCE: Multi-layer spam protection; Industry leading virus protection; Data Loss Prevention; Unmatched performance

69 Cisco Data Loss Prevention Portfolio Extend the value of your investment, leverage functionality
Data Center (MDS 9000, Tape Devices, Application Server) – Storage Media Encryption: Prevent unauthorized access and loss of data at rest; Fully integrated with SAN fabric and management; Secure, highly available service
Network Edge (Email Security Appliance, Web Security Appliance) – IronPort: Prevent data loss at the network perimeter; Multi-protocol scanning; Leverage existing anti-spam and anti-spyware infrastructure
Endpoints (Employees, Remote Employees) – Cisco Security Agent: Prevent endpoint data loss; Prevents bypass of IronPort network protection; Content classification similar to IronPort in a future release
(Diagram: Corporate Network – Internet – Partners, Customers)

70 Concern: Endpoint Data is Mobile
How is data mobile?
  USB, Floppy, CD Burner
  SSL encrypted transfers – Webmail, p2p, IM
  Cut and Paste
  Dial-up modem, Bluetooth, IRDA interfaces
What’s the concern?
  Protecting Intellectual Property stored on the endpoint
  Demonstrating that regulated data is properly controlled
  Auditing and enforcing corporate use policies for data on laptops

71 CSA Prevents Data Loss on the Endpoint
Restrict copying sensitive data to removable media: USB, floppy disk, CD Burner
Restrict sending sensitive data via unauthorized interfaces: Modem, Bluetooth, IRDA; printer (6.0)
Block sending sensitive data via webmail, p2p, IM
No cut & paste clipboard abuse
(Diagram: Email Security Appliance, Web Security Appliance)
Content scanning on the endpoint available in an upcoming release

72 Removable Media Controls
Controls for USB drives, CD, iPod
  Monitor usage
  Confidential file controls
  Authorized user controls
  Location-based controls
End user Business Justification for audits
Consolidated event reporting of USB usage

73 Identify Sensitive Data – Content or Context
File Content – certain data patterns are recognized
File Context – data written by certain applications is known to be sensitive

74 Educate the End User Reinforce Acceptable-Use Policies
Educate & modify end user behavior
Justification window provides audit trail
Allows timely access to data without sacrificing productivity
Localized in 11 different languages

75 Data Loss Prevention Logs & Reports
Comprehensive repository of DLP events
Stores justification responses for audit trail
Provides single audit log & activity reports

76 Concern: Endpoint Users are Mobile
When are users mobile?
  Working from home
  During trips at hotels and business partners
  Daily with public and retail hotspots
What’s the concern?
  Continuity of data mobility controls when not in the office
  Ensuring corporate network data security protections cannot be bypassed

77 CSA Enforces Policy for Mobile Users
CSA can require the use of VPN for remote users
CSA can block SSL sessions not sent via the corporate proxy
These ensure IronPort corporate network mail & web protections are not bypassed
(Diagram: Corporate Network, Email/Web, VPN, Internet, Remote Employees)

78 Colorado State Employees Credit Union Data Loss Prevention via Cisco Security Agent
“USB ports are disabled using the Cisco Security Agent, so only certain people such as IT can write to flash drives. We usually don’t encrypt the entire drive on users’ laptops, but do provide secure storage areas so that end users can just save the files to that location and they will always be encrypted.” — Tom Gonzales, Senior Network Administrator, Colorado State Employees Credit Union
Colorado State’s Challenge:
  Concerned about Data Loss Prevention
  Needed a way to secure employee laptops, disk drives, USB flash drives and CD-ROMs
The Cisco Security Agent Solution:
  Cisco Security Agent deployed on their endpoints
  Cisco Security Agent disables the usage of USB ports
  Cisco Security Agent allows only authorized users such as IT to write to flash drives
  Cisco Security Agent mandates that all file storage must be done in secure encrypted partitions
Cisco Security Agent Results:
  Mandates compliance to Colorado State’s established security policy
  Ensures compliance to State and federal laws for credit unions

79 Intrusion Prevention “Zero Update” Track Record
CSA has a proven track record of stopping brand new exploits, botnets, targeted attacks, worms, and viruses over the past 7 years:
  2001 – Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
  2002 – Sircam, Debploit, SQL Snake, Bugbear
  2003 – SQL Slammer, So Big, Blaster/Welchia, Fizzer
  2004 – MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
  2005 – Internet Explorer Command Execution Vulnerability, Zotob
  2006 – USB Hacksaw, IE VML exploit, WMF, IE Textrange, RDS Dataspace
  2007 – Rinbot, Storm Trojan, Big Yellow, Word (MS07-014), MS ANI 0Day, MS DNS 0Day
CSA core value – ability to stop new malware with the default policies
No signatures or configuration updates required

80 Integrated Agent with ClamAV™ Open Source Antivirus
ClamAV virus scanning engine packaged with CSA, as a single installable agent
Protects Windows desktops & servers at no additional cost
  accurately identifies malware
  prevents malware execution
  quarantines or deletes malware
CSA Management Center manages agent policies, signature updates
Provides a true single agent – single console endpoint security solution
All other trademarks mentioned in this document are the property of their respective owners.

81 Integrated Agent with Clam Antivirus
ClamAV is widely deployed on UNIX/Linux servers
  Scrubs traffic for malware
  Protects millions of Windows desktops
Database contains over 200,000 unique signatures
Shadowserver Foundation independent research: ClamAV™ has a high degree of malware detection accuracy. Source: Shadowserver.org wild testing

82 Single Integrated Management
CSA Management Center provides enterprise class security management
Agents poll the CSAMC periodically for security updates
CSAMC distributes daily AV signature updates
Due to CSA’s best-in-class protection, agents are always protected, even out of office, without immediate signature updates
Relying on CSA protection allows more sensible management of antivirus and patching updates

83 Increased Security thru Better Visibility
Better visibility = Increased Security
What do I have installed? CSA tracks which applications are installed on which systems in the network
What do I use? Is it at risk or malicious?
How do I control it? CSA reports where malware, spyware, unauthorized applications may be installed
This visibility gives customers the ability to implement a workflow, with analysis of the current state of the application infrastructure leading to analysis of application usage and dataflow, leading to better analysis of where the most critical security issues are, leading to a more effective, targeted remediation. The information from CSA can help customers implement this workflow, and lower their security and administrative costs by better focusing security administration tasks.

84 Policy Control – Application Trust Levels
CSA monitors & controls all applications and processes
Trust Levels offer flexible, easy to manage control
  White List: Trusted Business Apps (permissive controls)
  Grey List: Permitted Applications (more restrictive controls)
  Black List: Undesired Applications (block use)
Provides robust security without sacrificing ease of management & deployment

85 Regulatory Compliance Benefits for PCI Compliance
Provides compliance solution for 9 out of 12 PCI requirements
Predefined PCI Policies offer ease of management & audit
  26 Rule Modules, 150 rules
  Validated by Cybertrust (official PCI auditor)
Runs on Servers, Point-Of-Sale terminals, desktops and laptops
CSA can be customized for other compliance mandates

86 Predefined CSA PCI Policies

87 Inform NIPS of Hostile Hosts
1. Hacker scans internal servers for vulnerabilities
2. Global Correlation is invoked and the CSAMC updates all the CSA agents with threat information
3. All connection attempts by the hacker to CSA-protected devices are dynamically blocked
4. CSA, collaborating with Cisco IPS, is able to dynamically elevate the Risk Rating threshold for attacks coming from the hacker
(Diagram: Desktops, Servers, CSA MC)
Here, you see how CSA can interact with a network IPS. The hacker is trying to do reconnaissance, scanning servers for vulnerabilities. Now Global Correlation kicks in, and CSA Management Center updates all agents with data on the threat. The attacker is blocked by CSA agents that received a dynamically generated signature. The network IPS was also informed to raise the risk rating for the source of the attack. As you can see, the network IPS benefits from a correlation of events registered by multiple end-hosts using a CSA agent.

88 DSCP Marking by Application or OS
Per-Application QoS Example: CSA and QoS
DSCP marking by application or OS (as the desktop would send it) vs. DSCP marking by CSA:
  Internet Explorer: Default → AF11
  BitTorrent: AF11 → Default
  Cisco IP Communicator: EF → EF
  FTP Client: Default → AF11
Queuing on the link: AF11 50% (Class-Based Weighted Fair Queuing, CB-WFQ); EF 15% (Low-Latency Queuing, LLQ); Default 10% (CB-WFQ)
This figure illustrates the architecture of an operating system using a CSA agent when generating and marking IP packets. Initially it is at the discretion of an application to mark packets with the desired DiffServ Code Point (DSCP) value, or it is set based on the OS defaults. This approach allows end-hosts to set arbitrary DSCP values. For example, a user might want to set DSCP AF41 on all packets, knowing that the QoS implementation favors this class and gives it more bandwidth. Or, an attacker might want to perform a denial-of-service attack on the IP telephony infrastructure by flooding a link with EF-marked packets, which will consume all network resources given to IP telephony using Low-Latency Queuing (LLQ) on a bottleneck link, even though the flooding packets are not in the VoIP VLAN/VPN.
“Bad” software can mark packets to:
  Get a better service from the network
  Perform an attack (e.g. flooding with EF-marked packets can cause DoS for IP telephony)
Use CSA to remark packets according to the QoS design
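To show why host-chosen DSCP values undermine the LLQ design above and how per-application remarking restores it, here is an added Python model that is not part of the deck or of any Cisco software. It uses the slide’s class shares and marking table; the scheduler is a deliberately simplified share-based model, and the 10 Mbit/s link, the traffic volumes, the made-up “FloodTool” process and the rule that unlisted applications are remarked to Default are all assumptions of the example.

```python
# Simplified model of the QoS design on the slide: a bottleneck link whose scheduler
# guarantees EF 15% of the link through a policed low-latency queue and AF11 50% /
# Default 10% through CB-WFQ. Each class gets at most its share, and offered load
# inside an oversubscribed class is split proportionally. Unused bandwidth is not
# redistributed to other classes, which is a deliberate simplification.
LINK_BPS = 10_000_000  # assumed 10 Mbit/s bottleneck
CLASS_SHARE = {"EF": 0.15, "AF11": 0.50, "Default": 0.10}

# Marking the application or OS would choose on its own (left column of the slide)
APP_MARK = {"Cisco IP Communicator": "EF", "Internet Explorer": "Default",
            "BitTorrent": "AF11", "FTP Client": "Default"}
# Marking CSA applies instead (right column of the slide). Anything not listed is
# remarked to Default; that catch-all rule is an assumption of this example.
CSA_MARK = {"Cisco IP Communicator": "EF", "Internet Explorer": "AF11",
            "BitTorrent": "Default", "FTP Client": "AF11"}


def csa_mark(app: str) -> str:
    """DSCP that CSA stamps on packets from the given application."""
    return CSA_MARK.get(app, "Default")


def delivered_bps(offered: dict, marking: dict) -> dict:
    """offered: app -> bits/s it sends; marking: app -> DSCP. Returns app -> bits/s delivered."""
    load = {}
    for app, bps in offered.items():
        load[marking[app]] = load.get(marking[app], 0) + bps
    out = {}
    for app, bps in offered.items():
        cls = marking[app]
        cap = LINK_BPS * CLASS_SHARE[cls]
        # within a class, an oversubscribed queue shares its cap proportionally
        out[app] = bps if load[cls] <= cap else bps * cap / load[cls]
    return out


def voice_loss(offered: dict, marking: dict, voice_app="Cisco IP Communicator") -> float:
    """Fraction of the voice application's traffic that the bottleneck drops."""
    got = delivered_bps(offered, marking)
    return 1 - got[voice_app] / offered[voice_app]


# Constructed scenario: a 100 kbit/s softphone call, a browser, and a rogue process
# ("FloodTool", a made-up name) pushing 8 Mbit/s that it has marked EF itself.
OFFERED = {"Cisco IP Communicator": 100_000,
           "Internet Explorer": 2_000_000,
           "FloodTool": 8_000_000}
HOST_CHOSEN = {**APP_MARK, "FloodTool": "EF"}           # what the host would send
CSA_ENFORCED = {app: csa_mark(app) for app in OFFERED}  # after CSA remarking

if __name__ == "__main__":
    print("host-chosen marking, voice loss: %.1f%%" % (100 * voice_loss(OFFERED, HOST_CHOSEN)))
    print("CSA remarking, voice loss: %.1f%%" % (100 * voice_loss(OFFERED, CSA_ENFORCED)))
```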

89 Network Integrated Solutions CSA with NAC, DLP and IronPort
NAC Appliance: Verifies the CSA version and that it’s running; checks system states like “insecure boot detected” and whether sensitive data exists; checks user identity if CSA reports sensitive data is on the system
IronPort: Prevent data loss at the network perimeter; Multi-protocol scanning; Leverage existing anti-spam and anti-spyware infrastructure
Cisco Security Agent: Prevent loss of sensitive data – scan data files for sensitive data, prevent copying to external media (USB flash and disk, IR/Bluetooth devices), prevent use with (inter)network applications (email, IM, browser); Prevents bypass of IronPort network protection
(Diagram: Internet – ASA – NAC Appliance – IronPort – Intranet)
Now, we’re looking at a solution in which CSA is used in combination with the NAC and IronPort appliances. CSA is configured for DLP and enforces the usage of IronPort for web and email traffic. NAC ensures that CSA is running and up-to-date, and prevents access to enterprise resources if the security posture is not healthy. IronPort is used to enforce DLP at the network perimeter, for web and email, as well as to minimize spam and spyware leakage into the network.

90 Operational Efficiency Administrator Dashboard
The dashboard helps the administrator see what needs to be done today
Quick access to common tasks
Centralized visibility into the effectiveness of your endpoint protection

91 Network Admission Control
Using the network to enforce policies ensures that incoming devices are compliant.
Authenticate & Authorize: Enforces authorization policies and privileges; Supports multiple user roles
Quarantine & Enforce: Isolate non-compliant devices from the rest of the network; MAC and IP-based quarantine effective at a per-user level
Scan & Evaluate: Agent scan for required versions of hotfixes, AV, etc.; Network scan for virus and worm infections and port vulnerabilities
Update & Remediate: Network-based tools for vulnerability and threat remediation; Help-desk integration

92 Cisco NAC Partnerships
Cisco NAC is committed to protecting customers’ investments in partner applications
Cisco NAC supports policies for 300+ applications, including these vendors:

93 Cisco NAC – Available Appliances and Network Modules
Users = online, concurrent
Managers: Super Manager manages up to 40 Enterprise and Branch Servers; Standard Manager manages up to 20 Enterprise and Branch Servers; Manager Lite manages up to 3
NAS models (Enterprise and Branch Office or SMB Servers): 3500, 2500, 1500, 500, 250 and 100 users
Network Modules: 100 users NM, 50 users NM
Profiler Server Appliance; Extended Guest Services – Appliance; License on NAS – not an additional appliance

94 Section 4 – Managing Data Loss – Analysts Solutions
Mark Lachniet, Solutions Architect – Analysts International Lansing, MI July 15th, 2008

95 Analysts International Security Services
Analysts International staffs engineers and consultants dedicated entirely to security services
This includes a wide range of functions including policy development, incident response/forensics, security assessments, hardware and software installation and configuration, etc.
Includes both preventative and reactive services, should they be necessary
Analysts International’s security engineers/consultants specialize in various compliance areas such as PCI, HIPAA, GLBA and DIACAP

96 Policy and Procedure Development
If you are interested in getting help with developing your policies, practices and procedures, Analysts can assign a consultant who can work with you to help
Every organization is different, and one size does not fit all
We have helped other organizations create the same procedures (e.g. Information Classification, Incident Response, Log Review) that are discussed in this seminar
In addition, we have worked with many organizations to create security policies such as:
  Acceptable Use Policies
  Remote access policies
  Security device minimum standards / baseline configs
  Wireless security policies
  And many more

97 Incident Response Services
In the unfortunate event that you suspect you have been hacked or had a breach, Analysts can help you to determine the scope of an incident and its possible ramifications
Tracking attacks through multiple firewalls, routers, Windows and UNIX servers, databases and applications is time consuming and technically demanding
We can assist you to:
  Minimize the disruption to your organization
  Find out what happened
  Identify short-term recovery and mitigation strategies
  Create reports on the scope and nature of the incident
  Identify long-term improvements that will reduce future risk
  Interface with law enforcement and legal counsel as needed

98 Administrator Termination Services
In the event that you need to terminate an I.T. employee with significant levels of access
Often used in “hostile” departures such as employees being fired
Also used by organizations as a best practice to create a re-usable termination procedure in low-risk departures
Analysts’ staff will work with you to:
  Evaluate the risk posed by the departing employee
  Participate in exit interviews if desired
  Identify physical and intellectual property to be retrieved
  Identify systems that the individual may have had access to
  Create a list of tasks that will need to be performed such as changing passwords, contacting vendors and partners, updating software, etc.
  Analyze systems for “time bombs” or other evidence of abuse
  Change passwords on servers, network devices, remote access systems, telephony systems, etc.

99 Vulnerability Assessments
Internet Security Assessment Service (ISAS) – used to scan Internet-accessible servers for security flaws that could be used to breach security
On-Site Assessment Service (OSAS) – used to scan internal servers for security flaws that could be used by a malicious employee or partner, or exploited by automated systems such as worms
Web Application Security Assessment (WASA) – used to analyze web applications for security flaws that could lead to a hack of sensitive back-end databases or trusted systems
Customized assessments of products and systems such as security appliances, Citrix systems, wireless devices, etc. can also be performed as needed

100 Security Needs Assessment Service (SNAS)
The SNAS process is intended to be a wide-ranging review of security practices and procedures
Primarily based on discussions and reviews of documentation
Often used when an organization wants to get a “check up” on their current posture, or wants to identify the most important areas to focus on for security
Yearly third-party security audits are frequently required by financial auditors
Often customized to address specific concerns such as compliance with a specific regulation such as GLBA, NCUA, Michigan Gaming Control Board, etc.
Provides a detailed deliverable with a security ranking matrix that maps each recommendation on a cost vs. gain matrix, so you can quickly identify the “low hanging fruit”

101 Security Needs Assessment Service (SNAS)
The above is an example of the ranking matrix – with the “sweet spot” (cheap and high-gain) in the upper right-hand corner

102 Questions, Comments and Discussion
Contacts
Analysts International: Mark Lachniet, Solutions Architect, (517) (office); Lance Miller, Security Practice Director, (248) (office)
Cisco Systems: Bret Straffon, PSS – Security, (248) (office); Scott Maxwell, CAM – Cisco Channel, (614) (office)

