© 2011 verdasys, inc. all rights reserved. confidential and proprietary - do not reproduce....

© 2011 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.

Enterprise Information Protection

When DLP is Not Enough?

Graham HowtonChannel Manager, EMEA

Agenda

• Introduction to Verdasys

• Gartner

• The Insider Threat and APT’s

• Enterprise Information Protection (EIP)

• Importance of user-awareness

• Use-Cases

© 2011 Verdasys Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY

FIN

AN

CIA

LIN

SU

RA

NC

EH

I-TE

CH

&

OU

TSO

UR

CIN

GR

ETA

IL &

TE

LEC

OM

LIFE

SC

IEN

CE

S &

M

AN

UFA

CTU

RIN

GG

OV

ER

NM

EN

T

EN

ER

GY &

D

EFE

NSE

FIN

AN

CIA

LEnterprise Information Protection

— Data-centric, risk based protection of structured and unstructured data

— Secure business processes not infrastructure

— Enable ownership & control independent of network infrastructure

— Uniquely satisfy an expanding set of critical use cases

— Scale from the desktop to the cloud

Verdasys: The Leader in EIP

http://www.gsk.com/index.htm

Gartner Magic Quadrant 2011

4

Force Business Process to Change

Traditional Approaches Have Failed

Increasing Complexity, Cost and Risk


User Productivity Impacted

New Threat = New Product, Vendor

Numerous Control Panels, Interfaces

Multiple disparate Policies, Reports

Expensive Deployments, Support

PROBLEM N… / VENDOR N…HOST IPS / VENDOR 6

AUDIT & FORENSICS / VENDOR 5

DATA CLASSIFICATION / VENDOR 4

EDRM & ENCRYPTION / VENDOR 3

CONTENT MONITORING / VENDOR 2DEVICE CONTROL / VENDOR 1

US National Security Agency

Experts from the US National Security Agency and government labs said America had to change the way it thought about protecting Department of Defense (DoD) computer networks."We've got the wrong mental model here," said Dr James Peery, head of the Information Systems Analysis Centre at the Sandia National Laboratories. "I think we have to go to a model where we assume that the adversary is in our networks.“

That change would mean spending less time shoring up firewalls and gateways and more time ensuring data was safe, he said.Dr Kaigham Gabriel, current head of the Defense Advanced Research Projects Agency, likened the current cybersecurity efforts of the US DoD to treading water in the middle of the ocean.All that did was slightly delay the day when the DoD drowned under the weight of maintaining its network defences, he said. The DoD oversees 15,000 networks that connect about seven million devices.

Federal Bureau of Investigation

10 years worth of research and development, valued at more than $1 billion, was stolen by hackers

unidentified company?

The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said.

Companies need to do more than just react to intrusions!

Source: Mar. 28, 2012, on page B1 in The Wall Street Journal, with the headline: U.S. Outgunned in Hacker War

Shawn Henry - “Top Cyber Cop”


Top Data Security Challenges

Insider Threats

Insider Threat

• Privileged user data management is the “last mile” of data security

• Insiders are trusted with IP, but it is difficult to hold them accountable for its use

• When incidents occur, investigations are costly, time-consuming, and don’t necessarily provide smoking guns to prosecute

• So far, WikiLeaks has not been a game-changer for privileged user management in banks or insurers, but APT has taken the Insider Threat to another level

• Solution value dependent on potential damages caused if insider steals IP

Defining Insider Threat Types

• Malicious– Motivation = anger, dissatisfaction– Threat = attack systems and network

• Theft– Motivation = money, economic gain– Includes corporate & state espionage– Threat = data theft

• Hacktivits (e.g. Anonymous)

– Motivation = anger & dissatisfaction or belief– Threat = data theft

What Happens When Cyber Espionage Succeeds

The vicious cycle of compromiseData compromise occurs in market leader

Competitor launches new product or service- Time to market is equal or ahead- Competitive product is offered at a lower price

- Greatly reduced R&D costs

Company or business unit financials become negative - Margins on sales & volume of sales begin to drop

Company can no longer compete and exits market where it was once a leader- Sale of business loses money for company & investors

Bad guys use profits to define and enter new markets

Insider Threat Incident: LG

Joeng (only known name)

• Copied 1,182 top secret plasma display design files onto his personal

drive and went to Changhong-Orion PDP

– Changhong, reportedly paid Joeng $300,000 per year, an apartment and

a car (while he still collecting his LG salary)

• LG was unaware Jeong had left, leaving his access to the network

open

– Stole file: plasma display panel production

– Stole files: plant’s power system and construction blueprints

• LG was made aware of thefts by a distributor in SE Asia

• Joeng was extradited, Prosecutors in Seoul indicted Joeng for spying

• Cost to LG - estimated at more than $1 Billion

– Changhong has not returned any of the stolen secrets

Lessons Learned

• How was Joeng caught?

– Third party distributor recognized technical manuals were copied

and alerted LG

• Lessons Learned

– Data monitoring: location, access and movement related to

sensitive data must be understood

– De-provisioning process at the network, application and data

levels needs to be in place an effective.

– Business Managers and HR must work with Security

– USB device usage monitoring and controls, as well as other

channels need to be in place

Insider Threat Mitigation: Best Practices

1. Create integrated processes Business, HR and Security

– Create standard on-boarding and off-boarding processes

– Increase data usage monitoring for incidents & departures

2. Distribute trust amongst multiple parties to force collusion

– Most insiders act alone

3. Link Policy Training w/ Risk and Compliance Analysis

– Real-time education, alerting & justification prompts

– Allow self-compliance; create clear deterrence


• Assess insider risks by content and context

– Not just “what”, but “who, where, when, & how”

– Using a sliding response scale; risk based approach

• Create Data Identification & Classification

– Automatic or manual tagging (w/ auditing)

– Files using previously tagged content inherit classification

• Use Identity-based Data Controls

– Based on user rights, file sensitivity, source & destination, etc

– Use encryption for data access - closes “super user” loopholes


• Implement integrated physical and logical (technical) security controls to cover more risks effectively

– Camera monitoring, linked with data usage and movement controls

• Put Data Usage Monitoring & Control in Place

– Host based monitoring is a requirement

– Establish data usage norms, watch for behavioral changes

• Forensically Log Events

– Assure all data transactions are user-attributable

– Logs must be evidentiary grade and tamper proof

EIP: The Balance of Enablement and Security

Implementing both technology and process to maximize the “left” while minimizing the “right”

Productivity

Flexibility

Mobility

Creativity

Simplicity

Ease of Use

Transparency

Value Return

Cost

Information Security

Operational Security

Data Loss Prevention

Regulatory Compliance

User Education & Awareness

Trust but Verify

LEFT RIGHT

BALANCE

Build a unified and collaborative information governance program

All DLP solutions are

not the same!!!!!!

Beware!!!!



EIP is an information centric platform and methodology– Enables efficient data exchange

– Protects sensitive information

– Improves data governance, risk mitigation and compliance

– Empowers the individual

– Allows Business to function

Distinct Information Protection Strategies

© 2009 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE. 21

Distributed Data Discovery

Automated Classification and Tagging

Host Content & Context Monitoring & Control

Unified Encryption (file, email, disk)

Removable Media / Device Mgt

Application Based Email Monitoring & Control

VDI/Virtual Environment Controls

Logical Network Segmentation

Secure Collaboration

Export Data Controls

Application Vaulting

Application Data Management

eDiscovery & Forensics

Host Based Network Control

Information Policy Awareness & Training

Legacy Application Remediation

Process Compliance Enforcement & Auditing

Network Monitoring & Control

Data Discovery

Email Monitoring & Control

Host Monitoring & Control



EIP focuses on business value creation not on the risks it mitigates

– Enables the implementation of value building business drivers, by enforcing the proper, secure and compliant use of information

EIP

Core Business Processes

OutsourcedProcesses

Supply ChainProcesses

Third PartyProcesses

Reporting

PolicyDefinition

Configuration

AlertManagement

Digital GuardianManagement Server

Content &Control Policies

Data Usage& Alerts

VirtualizationInfrastructure

(Citrix, VMware)

BES or EASServerAgent

eDiscoveryAgent

Repository Remote Scanning- File shares- Sharepoint

MobileUsers

ServerAgents

Desktop/Laptop Agents

Network Agents

Digital Guardian System Architecture

VDI Agents

Actionable Data Classification

Increased Flexibility, Adoption and Accuracy

Automatic Tamper Proof

InheritancePersistence

Drives policyMeta & NTFS Tags

Content

Context

User

• Three levels of data definition

– Context

– Content

– User

• Classification travels with the data

– Meta Tag

– NTFS Tag

• Multi-level & multifaceted classification

– Sensitivity level & data type tags

– Tag verification & propagation

– Data movement audit and tracking

Incident Alert Detection

Prompt User Intent/Educate

Warn Users Awareness

Encrypt Data Protection Access Control

Block Action Prevention

Mask Data Need to know

Servers

Devices

Networks

Applications

Printers

IP Addresses

Recipients

Files Move Copy/Paste Burn/Print Upload/IM

Email Attach Copy/Paste Compose/Send

Application Data View Delete Modify Export

IT Admin DBA Desktop Network

Privileged Executives Hi-Value

Rights Access Usage

Context Location Wireless LAN VPN

Classification Persistent Inheritance

Context Application Location Type

Content Expression Similarity Keyword Dictionary

ACTIVITYWhat is the UserDoing With It?

DISCOVERMONITOR

What & where isSensitive Data?

DESTINATIONWhere Is theData Going?

CONTROLWhat action is appropriate?

IDENTITYWho is

using the Data?

Continuous Logging, Auditing – Summary, Inventory, Trending & Forensic Reporting

The Context of Data-Centric Security

Digital Guardian Enforces A Virtual Information Protection Perimeter

PartnerSite

PartnerSite

Corporate Email

Web Email

File Server

Outsourcer B

Outsourcer A

CitrixServer

Password _ _ _ _ _ _

DG

Digital GuardianServer

Trust Verification

Agent

PartnerSite

Use-Case - Social Networking Risks

• With the tremendous power of social networking, comes a myriad of associated risk:

• IP Protection

• Privacy Protection

• Risks to Reputation

• National Security Risk• Key location and movement information

• IT Risk • Apps written quickly by unknown parties,

• Security and intrusion vulnerabilities,

• Inability to control apps contained within browser

• User ability to install unauthorized apps.

• Incident – Soldier posts operational details on Facebook!

© 2010 Verdasys, Inc. All Rights Reserved. CONFIDENTIAL AND PROPRIETARY - DO NOT REPRODUCE.27

http://www.cnn.com/2010/WORLD/meast/03/03/israel.raid.facebook/index.html

Digital Guardian End Point & Server Data Monitoring and Control

Data Monitoring

• Visibility into data usage

• Audit and logging

• Data Life Cycle Management

– Records management…data retention

Data Usage Control

• Enforce acceptable use policies through real-time controls

– Mask

– Prompt, warn and justify

– Alert and incident escalation management

– Block

Logging (default)

Accountability

Alert AdminDetection

Warn UserAwareness

Prompt UserIntent

Encrypt DataProtection

Block ActionPrevention

Mask DataNeed to Know

Non-Company Network

myaccess.company.com

company

company

company

company


Login Warning Prompt


Pasting Data


Report Capability

• Logins by site (When Possible)

• Uploads by site

• Uploads by file extension

• Downloads by site

• Downloads by file extension

• ADE attempts by site

• ADE attempts by extension


PA

31

Secure Perimeter

Typical APT Attack Lifecycle: Example

MemoryAppUser

Network

IP

MachineNetwork

Network IP

Server

Machine

Spear Phishing

Network

(?)

Internet

Final Destination

DG APT Defense in Depth: Many opportunities to Detect, Alert and Stop

! ! !

STOP

Core(App Control)

APTModule Core

Core

Network Agent

DG Server

Core + AFE

Network AgentCore+ Network AgentCore

Network Agent

!!

#@%&!

Attacker

US Department of Justice

Eliminated physical security paradigms• Eliminated $12M in alternative building

hardware & software costs

Reduced investigative costs• Cut investigation costs by $8M per

annum

Reduced Potential Classified Breach Costs

• Estimated $100 Million per annum


“…our critical requirements are persistent classification,

global visibility and complete data usage audit. Verdasys

uniquely delivers those capabilities and partnered with us to

extend their platform to do more… ”

Chad Fulgham, CISO DOJClassified information protection, audit and investigation on an unprecedented scale

Use Case Coverage• Classified information protection• Privileged user monitoring and control• Mobile workforce enablement

Future Coverage• Legacy application monitoring & audit

Critical Differentiators• Actionable & persistent data classification• Audit and forensic case management• Hardened & Stealthy agent

ING BANK

Protecting PII while supporting an open and collaborative working environment

Use Case Coverage• PII protection• User policy awareness & training• Remote media control and encryption• Social networking control

(Face Book & Linked in)

Future Coverage• Email encryption

Critical Differentiators• Social Networking upload controls • Workers Council approval

“Our security goal is to create more collaborative environments. Digital Guardian mitigates the risk of data loss in our open work places and supports are partnership

with Workers Councils ” Eric Luiken, Chief Architect


ROI: Reduced Software CostsDisplaced USB device and Email gateway & monitoring software reducing licenses and support costs by $2.5M

Ferrari Formula-1 Racing

Current Use Case Coverage• Race car design and racing strategy IP protection• Privileged user monitoring & Control• eDiscovery and Forensics

Future Platform Development•Unified encryption (email, file and full disk)

Critical Differentiators• Real-time Privileged user monitoring and audit• Forensic case management


Securing critical design IP across the enterprise and at 20 race tracks around the globe.

“Digital Guardian has grown to be one of the pillars of our security strategy and our foremost tool for insider threat

prevention and protection.”Davide Ferrari,

Direzione Operazioni

Secure collaboration at race sites• Save $2M per annum in alternative

security costs

Decreased administrative staff• Reduce FTE costs by $4M per annum

Prosecuted Insider Compromise• $100 Million fine to F-1 Racing• Default victory of Constructor Cup $500M

Data-Centric Questions?

• How do you know where your sensitive data is right now?

• How do you know how data moves within your business processes and what your employees are actually doing with the data they access to do their jobs?

• What are your employees doing with your data when they are off or outside the network?

• How do you manage data on mobile devices and BYOPC?

More Data-Centric Questions?

• What is the 3rd line of your corporate security policy?

• How many of your employees actually know it?

• How do you effectively train your employees on data security polices and ensure they are in compliance - in real-time?

• What would the benefit be to the organization if security enabled the business instead of security controls or policies hindering business processes?

Force Business Process to Change No Change to Business Process

Comprehensive Data Security, Lowest TCO

Lower TCO, Complexity & RiskIncreased Complexity, Cost and Risk

User Productivity Impacted User Productivity Not Impacted

New Threat = New Product, Vendor New Threat = New Policy, Control

Numerous Control Panels, Interfaces Single Control Panel & Interface

Multiple Policies, Reports Unified Policies, Integrated Reports

Expensive Deployments, Support Single Vendor, Lower Costs

PROBLEM N… / VENDOR N…HOST IPS / VENDOR 6

AUDIT & FORENSICS / VENDOR 5

DATA CLASSIFICATION / VENDOR 4

EDRM & ENCRYPTION / VENDOR 3

CONTENT MONITORING / VENDOR 2DEVICE CONTROL / VENDOR 1


Proven EIP Success

Lower TCO, Complexity & Risk

No Change to Business Process

User Productivity Not Impacted

New Threat = New Policy, Control

Single Control Panel & Interface

Unified Policies, Integrated Reports

Single Vendor, Lower Costs


USG agrees settlement with Lafarge

Mon, 07 Dec 2009

Under the agreement USG will receive USD105m

“Rival Racing Team Fined $100 Million in Spy Scandal”

The Four Seminal Ideas of Data Security

1. Data is the correct unit of measurement• Requirement is data-centric not Network or Device centric• Visibility, monitoring, control

2. Operate close to the user• The desktop is today’s data router• Understand full-context of data type, content & user action

3. Take a risk based approach to protection• Automated, persistent discovery & classification of data• Classification-driven information monitoring and policy enforcement

4. Flexibility to support and enhance business processes• No one response/control is appropriate to all risks• Shaping user behavior through warnings/prompts of greatest value• Encryption as an integrated control safeguards data; establishes trust

Thank You

© 2011 verdasys, inc. all rights reserved. confidential and proprietary - do not reproduce....

Documents

data theft slide

eip slide

emea slide

data classification

new threat

cyber cop slide

insider steals ip slide

insider threat incident