© 2011 verdasys, inc. all rights reserved. confidential and proprietary - do not reproduce....
TRANSCRIPT
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Enterprise Information Protection
When DLP is Not Enough?
Graham HowtonChannel Manager, EMEA
Agenda
• Introduction to Verdasys
• Gartner
• The Insider Threat and APT’s
• Enterprise Information Protection (EIP)
• Importance of user-awareness
• Use-Cases
© 2011 Verdasys Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY
FIN
AN
CIA
LIN
SU
RA
NC
EH
I-TE
CH
&
OU
TSO
UR
CIN
GR
ETA
IL &
TE
LEC
OM
LIFE
SC
IEN
CE
S &
M
AN
UFA
CTU
RIN
GG
OV
ER
NM
EN
T
EN
ER
GY &
D
EFE
NSE
FIN
AN
CIA
LEnterprise Information Protection
— Data-centric, risk based protection of structured and unstructured data
— Secure business processes not infrastructure
— Enable ownership & control independent of network infrastructure
— Uniquely satisfy an expanding set of critical use cases
— Scale from the desktop to the cloud
Verdasys: The Leader in EIP
Gartner Magic Quadrant 2011
4
Force Business Process to Change
Traditional Approaches Have Failed
Increasing Complexity, Cost and Risk
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
User Productivity Impacted
New Threat = New Product, Vendor
Numerous Control Panels, Interfaces
Multiple disparate Policies, Reports
Expensive Deployments, Support
PROBLEM N… / VENDOR N…HOST IPS / VENDOR 6
AUDIT & FORENSICS / VENDOR 5
DATA CLASSIFICATION / VENDOR 4
EDRM & ENCRYPTION / VENDOR 3
CONTENT MONITORING / VENDOR 2DEVICE CONTROL / VENDOR 1
US National Security Agency
Experts from the US National Security Agency and government labs said America had to change the way it thought about protecting Department of Defense (DoD) computer networks."We've got the wrong mental model here," said Dr James Peery, head of the Information Systems Analysis Centre at the Sandia National Laboratories. "I think we have to go to a model where we assume that the adversary is in our networks.“
That change would mean spending less time shoring up firewalls and gateways and more time ensuring data was safe, he said.Dr Kaigham Gabriel, current head of the Defense Advanced Research Projects Agency, likened the current cybersecurity efforts of the US DoD to treading water in the middle of the ocean.All that did was slightly delay the day when the DoD drowned under the weight of maintaining its network defences, he said. The DoD oversees 15,000 networks that connect about seven million devices.
Federal Bureau of Investigation
10 years worth of research and development, valued at more than $1 billion, was stolen by hackers
unidentified company?
The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said.
Companies need to do more than just react to intrusions!
Source: Mar. 28, 2012, on page B1 in The Wall Street Journal, with the headline: U.S. Outgunned in Hacker War
Shawn Henry - “Top Cyber Cop”
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Top Data Security Challenges
Insider Threats
Insider Threat
• Privileged user data management is the “last mile” of data security
• Insiders are trusted with IP, but it is difficult to hold them accountable for its use
• When incidents occur, investigations are costly, time-consuming, and don’t necessarily provide smoking guns to prosecute
• So far, WikiLeaks has not been a game-changer for privileged user management in banks or insurers, but APT has taken the Insider Threat to another level
• Solution value dependent on potential damages caused if insider steals IP
Defining Insider Threat Types
• Malicious– Motivation = anger, dissatisfaction– Threat = attack systems and network
• Theft– Motivation = money, economic gain– Includes corporate & state espionage– Threat = data theft
• Hacktivits (e.g. Anonymous)
– Motivation = anger & dissatisfaction or belief– Threat = data theft
What Happens When Cyber Espionage Succeeds
The vicious cycle of compromiseData compromise occurs in market leader
Competitor launches new product or service- Time to market is equal or ahead- Competitive product is offered at a lower price
- Greatly reduced R&D costs
Company or business unit financials become negative - Margins on sales & volume of sales begin to drop
Company can no longer compete and exits market where it was once a leader- Sale of business loses money for company & investors
Bad guys use profits to define and enter new markets
Insider Threat Incident: LG
Joeng (only known name)
• Copied 1,182 top secret plasma display design files onto his personal
drive and went to Changhong-Orion PDP
– Changhong, reportedly paid Joeng $300,000 per year, an apartment and
a car (while he still collecting his LG salary)
• LG was unaware Jeong had left, leaving his access to the network
open
– Stole file: plasma display panel production
– Stole files: plant’s power system and construction blueprints
• LG was made aware of thefts by a distributor in SE Asia
• Joeng was extradited, Prosecutors in Seoul indicted Joeng for spying
• Cost to LG - estimated at more than $1 Billion
– Changhong has not returned any of the stolen secrets
Lessons Learned
• How was Joeng caught?
– Third party distributor recognized technical manuals were copied
and alerted LG
• Lessons Learned
– Data monitoring: location, access and movement related to
sensitive data must be understood
– De-provisioning process at the network, application and data
levels needs to be in place an effective.
– Business Managers and HR must work with Security
– USB device usage monitoring and controls, as well as other
channels need to be in place
Insider Threat Mitigation: Best Practices
1. Create integrated processes Business, HR and Security
– Create standard on-boarding and off-boarding processes
– Increase data usage monitoring for incidents & departures
2. Distribute trust amongst multiple parties to force collusion
– Most insiders act alone
3. Link Policy Training w/ Risk and Compliance Analysis
– Real-time education, alerting & justification prompts
– Allow self-compliance; create clear deterrence
Insider Threat Mitigation: Best Practices
• Assess insider risks by content and context
– Not just “what”, but “who, where, when, & how”
– Using a sliding response scale; risk based approach
• Create Data Identification & Classification
– Automatic or manual tagging (w/ auditing)
– Files using previously tagged content inherit classification
• Use Identity-based Data Controls
– Based on user rights, file sensitivity, source & destination, etc
– Use encryption for data access - closes “super user” loopholes
Insider Threat Mitigation: Best Practices
• Implement integrated physical and logical (technical) security controls to cover more risks effectively
– Camera monitoring, linked with data usage and movement controls
• Put Data Usage Monitoring & Control in Place
– Host based monitoring is a requirement
– Establish data usage norms, watch for behavioral changes
• Forensically Log Events
– Assure all data transactions are user-attributable
– Logs must be evidentiary grade and tamper proof
EIP: The Balance of Enablement and Security
Implementing both technology and process to maximize the “left” while minimizing the “right”
Productivity
Flexibility
Mobility
Creativity
Simplicity
Ease of Use
Transparency
Value Return
Cost
Information Security
Operational Security
Data Loss Prevention
Regulatory Compliance
User Education & Awareness
Trust but Verify
LEFT RIGHT
BALANCE
Build a unified and collaborative information governance program
All DLP solutions are
not the same!!!!!!
Beware!!!!
Enterprise Information Protection
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
EIP is an information centric platform and methodology– Enables efficient data exchange
– Protects sensitive information
– Improves data governance, risk mitigation and compliance
– Empowers the individual
– Allows Business to function
Distinct Information Protection Strategies
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE. 21
Distributed Data Discovery
Automated Classification and Tagging
Host Content & Context Monitoring & Control
Unified Encryption (file, email, disk)
Removable Media / Device Mgt
Application Based Email Monitoring & Control
VDI/Virtual Environment Controls
Logical Network Segmentation
Secure Collaboration
Export Data Controls
Application Vaulting
Application Data Management
eDiscovery & Forensics
Host Based Network Control
Information Policy Awareness & Training
Legacy Application Remediation
Process Compliance Enforcement & Auditing
Network Monitoring & Control
Data Discovery
Email Monitoring & Control
Host Monitoring & Control
Enterprise Information Protection
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
EIP focuses on business value creation not on the risks it mitigates
– Enables the implementation of value building business drivers, by enforcing the proper, secure and compliant use of information
EIP
Core Business Processes
OutsourcedProcesses
Supply ChainProcesses
Third PartyProcesses
Reporting
PolicyDefinition
Configuration
AlertManagement
Digital GuardianManagement Server
Content &Control Policies
Data Usage& Alerts
VirtualizationInfrastructure
(Citrix, VMware)
BES or EASServerAgent
eDiscoveryAgent
Repository Remote Scanning- File shares- Sharepoint
MobileUsers
ServerAgents
Desktop/Laptop Agents
Network Agents
Digital Guardian System Architecture
VDI Agents
Actionable Data Classification
Increased Flexibility, Adoption and Accuracy
Automatic Tamper Proof
InheritancePersistence
Drives policyMeta & NTFS Tags
Content
Context
User
• Three levels of data definition
– Context
– Content
– User
• Classification travels with the data
– Meta Tag
– NTFS Tag
• Multi-level & multifaceted classification
– Sensitivity level & data type tags
– Tag verification & propagation
– Data movement audit and tracking
Incident Alert Detection
Prompt User Intent/Educate
Warn Users Awareness
Encrypt Data Protection Access Control
Block Action Prevention
Mask Data Need to know
Servers
Devices
Networks
Applications
Printers
IP Addresses
Recipients
Files Move Copy/Paste Burn/Print Upload/IM
Email Attach Copy/Paste Compose/Send
Application Data View Delete Modify Export
IT Admin DBA Desktop Network
Privileged Executives Hi-Value
Rights Access Usage
Context Location Wireless LAN VPN
Classification Persistent Inheritance
Context Application Location Type
Content Expression Similarity Keyword Dictionary
ACTIVITYWhat is the UserDoing With It?
DISCOVERMONITOR
What & where isSensitive Data?
DESTINATIONWhere Is theData Going?
CONTROLWhat action is appropriate?
IDENTITYWho is
using the Data?
Continuous Logging, Auditing – Summary, Inventory, Trending & Forensic Reporting
The Context of Data-Centric Security
Digital Guardian Enforces A Virtual Information Protection Perimeter
PartnerSite
PartnerSite
Corporate Email
Web Email
File Server
Outsourcer B
Outsourcer A
CitrixServer
Password _ _ _ _ _ _
DG
Digital GuardianServer
Trust Verification
Agent
PartnerSite
Use-Case - Social Networking Risks
• With the tremendous power of social networking, comes a myriad of associated risk:
• IP Protection
• Privacy Protection
• Risks to Reputation
• National Security Risk• Key location and movement information
• IT Risk • Apps written quickly by unknown parties,
• Security and intrusion vulnerabilities,
• Inability to control apps contained within browser
• User ability to install unauthorized apps.
• Incident – Soldier posts operational details on Facebook!
© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.27
Digital Guardian End Point & Server Data Monitoring and Control
Data Monitoring
• Visibility into data usage
• Audit and logging
• Data Life Cycle Management
– Records management…data retention
Data Usage Control
• Enforce acceptable use policies through real-time controls
– Mask
– Prompt, warn and justify
– Alert and incident escalation management
– Block
Logging (default)
Accountability
Alert AdminDetection
Warn UserAwareness
Prompt UserIntent
Encrypt DataProtection
Block ActionPrevention
Mask DataNeed to Know
Non-Company Network
myaccess.company.com
company
company
company
company
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Login Warning Prompt
© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.29
Pasting Data
© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.30
Report Capability
• Logins by site (When Possible)
• Uploads by site
• Uploads by file extension
• Downloads by site
• Downloads by file extension
• ADE attempts by site
• ADE attempts by extension
© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
PA
31
Secure Perimeter
Typical APT Attack Lifecycle: Example
MemoryAppUser
Network
IP
MachineNetwork
Network IP
Server
Machine
Spear Phishing
Network
(?)
Internet
Final Destination
DG APT Defense in Depth: Many opportunities to Detect, Alert and Stop
! ! !
STOP
Core(App Control)
APTModule Core
Core
Network Agent
DG Server
Core + AFE
Network AgentCore+ Network AgentCore
Network Agent
!!
#@%&!
Attacker
US Department of Justice
Eliminated physical security paradigms• Eliminated $12M in alternative building
hardware & software costs
Reduced investigative costs• Cut investigation costs by $8M per
annum
Reduced Potential Classified Breach Costs
• Estimated $100 Million per annum
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
“…our critical requirements are persistent classification,
global visibility and complete data usage audit. Verdasys
uniquely delivers those capabilities and partnered with us to
extend their platform to do more… ”
Chad Fulgham, CISO DOJClassified information protection, audit and investigation on an unprecedented scale
Use Case Coverage• Classified information protection• Privileged user monitoring and control• Mobile workforce enablement
Future Coverage• Legacy application monitoring & audit
Critical Differentiators• Actionable & persistent data classification• Audit and forensic case management• Hardened & Stealthy agent
ING BANK
Protecting PII while supporting an open and collaborative working environment
Use Case Coverage• PII protection• User policy awareness & training• Remote media control and encryption• Social networking control
(Face Book & Linked in)
Future Coverage• Email encryption
Critical Differentiators• Social Networking upload controls • Workers Council approval
“Our security goal is to create more collaborative environments. Digital Guardian mitigates the risk of data loss in our open work places and supports are partnership
with Workers Councils ” Eric Luiken, Chief Architect
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
ROI: Reduced Software CostsDisplaced USB device and Email gateway & monitoring software reducing licenses and support costs by $2.5M
Ferrari Formula-1 Racing
Current Use Case Coverage• Race car design and racing strategy IP protection• Privileged user monitoring & Control• eDiscovery and Forensics
Future Platform Development•Unified encryption (email, file and full disk)
Critical Differentiators• Real-time Privileged user monitoring and audit• Forensic case management
© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Securing critical design IP across the enterprise and at 20 race tracks around the globe.
“Digital Guardian has grown to be one of the pillars of our security strategy and our foremost tool for insider threat
prevention and protection.”Davide Ferrari,
Direzione Operazioni
Secure collaboration at race sites• Save $2M per annum in alternative
security costs
Decreased administrative staff• Reduce FTE costs by $4M per annum
Prosecuted Insider Compromise• $100 Million fine to F-1 Racing• Default victory of Constructor Cup $500M
Data-Centric Questions?
• How do you know where your sensitive data is right now?
• How do you know how data moves within your business processes and what your employees are actually doing with the data they access to do their jobs?
• What are your employees doing with your data when they are off or outside the network?
• How do you manage data on mobile devices and BYOPC?
More Data-Centric Questions?
• What is the 3rd line of your corporate security policy?
• How many of your employees actually know it?
• How do you effectively train your employees on data security polices and ensure they are in compliance - in real-time?
• What would the benefit be to the organization if security enabled the business instead of security controls or policies hindering business processes?
Force Business Process to Change No Change to Business Process
Comprehensive Data Security, Lowest TCO
Lower TCO, Complexity & RiskIncreased Complexity, Cost and Risk
User Productivity Impacted User Productivity Not Impacted
New Threat = New Product, Vendor New Threat = New Policy, Control
Numerous Control Panels, Interfaces Single Control Panel & Interface
Multiple Policies, Reports Unified Policies, Integrated Reports
Expensive Deployments, Support Single Vendor, Lower Costs
PROBLEM N… / VENDOR N…HOST IPS / VENDOR 6
AUDIT & FORENSICS / VENDOR 5
DATA CLASSIFICATION / VENDOR 4
EDRM & ENCRYPTION / VENDOR 3
CONTENT MONITORING / VENDOR 2DEVICE CONTROL / VENDOR 1
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
Proven EIP Success
Lower TCO, Complexity & Risk
No Change to Business Process
User Productivity Not Impacted
New Threat = New Policy, Control
Single Control Panel & Interface
Unified Policies, Integrated Reports
Single Vendor, Lower Costs
© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.
USG agrees settlement with Lafarge
Mon, 07 Dec 2009
Under the agreement USG will receive USD105m
“Rival Racing Team Fined $100 Million in Spy Scandal”
The Four Seminal Ideas of Data Security
1. Data is the correct unit of measurement• Requirement is data-centric not Network or Device centric• Visibility, monitoring, control
2. Operate close to the user• The desktop is today’s data router• Understand full-context of data type, content & user action
3. Take a risk based approach to protection• Automated, persistent discovery & classification of data• Classification-driven information monitoring and policy enforcement
4. Flexibility to support and enhance business processes• No one response/control is appropriate to all risks• Shaping user behavior through warnings/prompts of greatest value• Encryption as an integrated control safeguards data; establishes trust
Thank You