Page 1
BUILDING A SECURITY PROGRAM THAT PROTECTS AN ORGANIZATION’S MOST CRITICAL ASSETS
Page 2
Consulting Services
Managed Services
Product Services
Technical Services
Security Assessments
Training Services
ABOUT BEW GLOBAL
Focused Expertise
Global Service Delivery Founded 2002
Quality Management
SOLUTION OFFERINGS
Page 3
Deployed 400+ DLP Projects
Completed 500+ Assessments
Manage DLP Solutions in 22 Countries
DATA LOSS PREVENTION EXPERTISE
QUICK FACTS
Symantec Master Specialization DLP Partner
RSA’s Only Authorized Managed DLP Partner
1st Managed DLP Services Provider (2008)
Localized Chinese DLP Practice (2011)
Global Support in 130 countries
Websense Certified TRITONs – More than any other partner, 7 Olympians & 1 Gladiator
Daily Management of 1,000,000+ Users
Page 4
INTELISECURE MANAGED SERVICES
IMS POD STRUCTURE
Information Security Engineer – Technical optimization & health of all system components
Information Security Analyst – Daily incident event review & workflow management
Business Analyst – Translate system and event data into reports & analytics
Pod functions: Event Management; Reporting & Metrics; Incident Triage; Application Management; Scope & Policy Governance
Page 5
SYMANTEC DLP COMPONENTS
Endpoint Prevent
Symantec Data Loss Prevention Endpoint Prevent monitors files downloaded to local drives; transferred over email, IM, Web or FTP; copied to USB, CompactFlash®, SD, or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically. With Symantec Data Loss Prevention, you can monitor and block:
• Instant messages sent to a partner containing confidential M&A information
• Web mail with product plans attached going to a competitor
• Customer lists being copied to USB or other removable media devices
• Email containing PII sent via hosted email security services
• Source code that is copied to a local drive
• Mobile devices for email sent containing confidential data
• Product design documents being burned to CD/DVD
• Price lists being printed or faxed to a competitor
WHAT WE WILL COVER TODAY
Developing the DLP Program
DLP Use Cases – How Did They Get There?
Developing the DLP Program
Avoiding Common DLP Pitfalls
Open Q&A
Page 6
CRITICAL ASSET PROTECTION PROGRAM (CAPP)
A Critical Asset Protection Program (CAPP) clearly defines which assets are deemed most important to the organization, based on revenue, income, reputation and core operational impact.
Most organizations fail at their Data Loss Protection programs because they never develop a Critical Asset Protection Program with a documented scope.
Page 7
CAPP METHODOLOGY
Most information and network security programs are doomed from their inception by a common pitfall: failing to develop a program scope that is accepted, acknowledged and supported by senior leadership. Through a comprehensive interview and information gathering process, BEW Global and our customers develop a realistic Critical Asset Protection Program Scope that defines the assets and the core attributes of each asset with regard to the following:
Creation
Storage
Usage
Transmission
Page 8
CAPP – CRITICAL ASSET LIFECYCLE MAPPING
Critical Asset Creation
The point in time when the asset is created. This could be the first swipe of a credit card, the initial lines of code for a new application or the acquisition of a new VM cluster. Today, asset creation can be the product of multiple groups or systems, which makes a laser-focused scope imperative for a successful protection program.
Critical Asset Storage
Once the asset has been created, it is stored. For intangible assets this may be in RAM, on a hard disk, NAS, SharePoint or other types of data storage. Tangible assets like servers, routers or laptops may be racked in a datacenter, placed in a remote office closet or placed on a home office desk.
Critical Asset Use
Mapping the authorized use of the critical asset is very important when developing the Critical Asset Protection Program. By mapping the authorized usage characteristics of the assets within the CAPP scope, applying the optimal combination of people, process and technology to successfully protect the critical assets becomes a more manageable endeavor.
Critical Asset Transmission
The assessment of how critical asset information is shared within and outside the organization provides key insight into the required protection mechanisms. The transmission threat vector is utilized constantly for authorized operations and, in parallel, presents some of the greatest challenges to preventing inadvertent or malicious asset exposure.
Page 9
SAMPLE CAPP PROGRAM SCOPE
Critical Assets Management Concerns:

| Priority | Security Concern | Category | Program Scope Supported Response |
|---|---|---|---|
| 1 | Disclosure of customer and employee PII data | Customer and Employee Data | Symantec Network Discover – File Share scanning to gain visibility into storage locations; Symantec Network Monitor – Email monitoring to gain visibility into transmission |
| 2 | Disclosure of PCI data | Customer Data | Symantec Network Discover – File Share scanning to gain visibility into storage locations; Symantec Network Monitor – Email monitoring to gain visibility into transmission |
| 3 | Disclosure and unauthorized use of customer “ARM Logs” | Proprietary Customer Data | Symantec Network Discover – File Share scanning to gain visibility into storage locations; Symantec Network Monitor – Email monitoring to gain visibility into transmission |
| 4 | Disclosure of Proprietary and Licensed source code | Intellectual Property | Symantec Network Discover – File Share scanning to gain visibility into storage locations; Symantec Network Monitor – Email monitoring to gain visibility into transmission |
Page 10
SAMPLE CAPP PROGRAM SCOPE
Targeted Data Elements:

| Category | Data Element | Description / Requirement | Data Identifiers |
|---|---|---|---|
| Personally Identifiable Information (PII) | Social Security Numbers | The Human Resources, Finance, and Legal departments identified SSN as a key piece of PII to be protected by the Critical Asset Protection Program. SSNs are stored for customers and employees. | 9 numeric characters |
| Customer Data | TSN | [client name] Serial Number – Numbers are assigned to and uniquely identify each [client name] set top box. These numbers are associated with records (ARM logs) collected on each [client name] device containing sensitive customer information. | 15-digit hexadecimal number: the first 3 digits represent the TSN prefix, the following 11 represent the unit ID, and the final digit is a checksum |
| Payment Card Industry Data | Credit Card Numbers | During regular transactions with customers [client name] collects and stores Credit Card Numbers. [client name] is currently categorized as a PCI level 2 vendor but strives for level 1 compliance. | All major national and international credit card vendors |
| Source Code | Copyrighted/Proprietary Code | Proprietary source code and copyrighted source code | Adobe Copyright, Broadcom Copyright, Microsoft Copyright, [client name] Copyright |
Page 11
SAMPLE CAPP PROGRAM SCOPE
Service Milestone Timeline:

| Milestone | Description | Target Date |
|---|---|---|
| Data Loss Prevention System Technical Install | Data Loss Prevention system technically installed, tested and prepared to monitor all communications | Complete |
| Critical Asset Protection Program Implemented | Resources in place to manage Critical Asset Protection application, policies, triage incidents, develop analytics, and work with business to remediate events | 07/2013 |
| Critical Asset Protection Program Kick-off | Actively monitor production traffic with first crafted production policies targeted at specific data elements/client information ensuring data is going to the correct clients | 07/2013 |
| Critical Asset Protection System and Program Tuning | Working with the business to review incidents and leverage data to improve policy accuracy within the Critical Asset Protection system | 08/2013 |
| Policy Accuracy Target – 90% + | Tuning the Critical Asset Protection policies to the point of 90% or greater accuracy on outbound email communications, allowing for initial testing of prevention controls | 09/2013 |
| Blocking Pilot – Select User Group | Identification of first user group set-up for blocking or quarantine of unauthorized communications flagged by the DLP system | 09/2013 |
| Blocking – Full Production roll-out | Phased roll-out of remaining business units to be included within the email blocking and quarantine scope of the Critical Asset Protection system | 09/2013 |
| Phase # 1 Completion | Program in place for constant refinement of policies as the business evolves, communication with business units on violations, business analytics delivered, and unauthorized communications blocked | 09/2013 |
Page 12
USE CASE: DLP PRE-PROJECT STATE
Organization Overview: Manufacturing firm of 30,000 employees operating in 50 countries globally
DLP Scope: Protection of Intellectual Property (General)
DLP Primary Issue: Lack of staff and buy-in from business owners who handle critical assets
Application Management: Most information security tools operated and “managed” by IT or networks
Policy Governance: No internal resources with any experience with DLP policy construction
Incident Triage: Lean Infosec staff already buried by the output of SIEM and other tools
Event Management: Informal event management process with little feedback to the business
Reporting and Metrics: Zero customized reports. Very little business analysis provided
Status: Charged with implementing DLP to protect Critical Assets, specifically product IP
Page 13
APPLICATION SUPPORT & INTEGRATION
Primary System DLP Management = Human Resource / Expertise Requirements
Integrated System Management = Cross Department Collaboration Processes
Health Check & System Validation Management = System Resource Requirements
Vendor Management = Primary and Integrated Technology Vendor Relationships
Page 14
POLICY & RULE GOVERNANCE
Who requests rules & policy requirements?
Are business owners engaged?
Who reviews rule requests?
Criteria for an approved rule?
What’s the process for converting a rule request into a policy?
Who’s responsible for converting a rule into technical policy?
Do they have technical policy authoring expertise?
What is the formal policy development process?
First drafts rarely work as expected!
Is there a process to relay production policy metrics to stakeholders?
Page 15
WORKFLOW DEVELOPMENT & MANAGEMENT
Who develops & manages policy “buckets”?
False positive, inbound partner, outbound employee
Who defines thresholds that determine response rules for each “bucket”?
Are 10 SSNs a high, medium or low severity incident?
Who designs & sets the policy response triggers?
Malicious, Inadvertent, Suspicious, above threshold.
Triage response options:
Human notification
System notification (auto)
Hybrid?
Who’s responsible for building alerts, alarms & notifications?
Has the business been engaged on event management?
Who manages the DLP policy & rules repository?
Why recreate the wheel?
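The Targeted Data Elements table on page 10 lists the identifier shapes the program detects, and the workflow questions above ask who defines the "buckets" and the severity thresholds (are 10 SSNs high, medium or low?). The following is an added example, not code from the deck or from BEW Global, that puts the two together: it applies the three identifier shapes (SSN, TSN, credit card number) to constructed email messages, routes each message into a workflow bucket by direction and validation outcome, and derives a severity and response type from a match-count threshold. Domain names, thresholds, the extra "internal" and "no match" buckets, and the sample traffic are all constructed assumptions; the SSA structural rules for SSNs and the Luhn check for card numbers are standard validations the deck does not mention, and the TSN checksum is only parsed, not verified, because the deck states no algorithm for it.

```python
"""Added example, not from the BEW Global deck: a minimal DLP policy evaluator.
Identifier shapes come from the deck's Targeted Data Elements table; domains,
thresholds and sample traffic are constructed assumptions."""
import re

# --- Data identifiers (shapes from the Targeted Data Elements table) -----------
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")            # 9 numeric characters
# TSN: 15 hex digits = 3-digit prefix + 11-digit unit ID + 1 checksum digit.
# The deck gives no checksum algorithm, so only the field layout is parsed.
# A 15-digit all-decimal card number matches this shape too; triage resolves it.
TSN_RE = re.compile(r"\b([0-9A-Fa-f]{3})([0-9A-Fa-f]{11})([0-9A-Fa-f])\b")
CCN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")                    # card number candidates

def valid_ssn(area, group, serial):
    """Standard SSA structural rules (added here): no area 000/666/9xx, group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits):
    """Luhn mod-10 check (added here); drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_identifiers(text):
    """Return validated identifiers keyed by data element, plus candidates that
    matched a shape but failed validation (these feed the false-positive bucket)."""
    hits = {"SSN": [], "TSN": [], "CCN": []}
    rejected = []
    for m in SSN_RE.finditer(text):
        (hits["SSN"] if valid_ssn(*m.groups()) else rejected).append(m.group(0))
    for m in TSN_RE.finditer(text):
        hits["TSN"].append({"prefix": m.group(1), "unit_id": m.group(2), "checksum": m.group(3)})
    for m in CCN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        (hits["CCN"] if luhn_ok(digits) else rejected).append(digits)
    return hits, rejected

# --- Buckets, thresholds and responses (constructed; the deck leaves these to the business) ---
INTERNAL_DOMAIN = "client.example"                                 # assumption
PARTNER_DOMAINS = {"partner.example"}                              # assumption
SEVERITY_THRESHOLDS = (("HIGH", 10), ("MEDIUM", 3), ("LOW", 1))    # minimum identifier count
RESPONSE = {"HIGH": "human notification", "MEDIUM": "hybrid",
            "LOW": "system notification (auto)", "NONE": "none"}

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def assign_bucket(sender, recipients, hit_count, rejected_count):
    """Route a message to the bucket its direction and validation outcome imply."""
    if hit_count == 0:
        return "false positive" if rejected_count else "no match"
    if domain(sender) == INTERNAL_DOMAIN and any(domain(r) != INTERNAL_DOMAIN for r in recipients):
        return "outbound employee"
    if domain(sender) in PARTNER_DOMAINS:
        return "inbound partner"
    return "internal"                      # added catch-all for intra-company traffic

def severity_for(hit_count):
    for level, minimum in SEVERITY_THRESHOLDS:
        if hit_count >= minimum:
            return level
    return "NONE"

def evaluate(message):
    """Run the policy over one message dict and return the triage decision."""
    hits, rejected = find_identifiers(message["body"])
    count = sum(len(v) for v in hits.values())
    sev = severity_for(count)
    return {"bucket": assign_bucket(message["from"], message["to"], count, len(rejected)),
            "severity": sev, "response": RESPONSE[sev],
            "count": count, "hits": hits, "rejected": rejected}

# Constructed sample traffic (addresses and identifiers are made up)
SAMPLE_MESSAGES = [
    {"from": "hr@client.example", "to": ["broker@webmail.example"],
     "body": "Payroll extract: " + ", ".join(f"{100 + i:03d}-45-{6789 + i:04d}" for i in range(12))},
    {"from": "support@partner.example", "to": ["ops@client.example"],
     "body": "Unit 1A2B3C4D5E6F7A8 reported an ARM log gap"},
    {"from": "ops@client.example", "to": ["billing@client.example"],
     "body": "Card on file 4111 1111 1111 1111 declined"},
    {"from": "ap@client.example", "to": ["vendor@partner.example"],
     "body": "Vendor ref 000-12-3456, invoice 1234 5678 9012 3456"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = evaluate(m)
        print(f'{m["from"]} -> {", ".join(m["to"])}: {r["bucket"]} / {r["severity"]} / '
              f'{r["response"]} ({r["count"]} hits, {len(r["rejected"])} rejected)')
```

The last sample message shows why the deck insists on a false-positive bucket: both candidates match a shape (a 9-digit run and a 16-digit run) but fail validation, so the message is routed to review of the rule rather than to the business as an incident. The thresholds are the point of the "are 10 SSNs high, medium or low?" question; changing the tuple changes which response fires without touching detection.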
Page 16
INCIDENT TRIAGE & EVENT MANAGEMENT
Who reviews volume & yield of incidents & events?
What’s the review frequency?
How are events/incidents routed?
Who owns the incident/event?
How does DLP fit in the overall incident/event management process?
Can this be mapped to the DLP system?
What metrics are developed to measure success of rules & related policy?
Who’s responsible for developing metrics?
Revision of rules based on quality of policy results.
Who manages the policy optimization process?
How will integrated systems be tied together to yield valued info?
Secure mail, web gateway, GRC, SIEM
Page 17
BUSINESS ANALYTICS
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Do they have the expertise with 3rd party reporting tools?
Are the metrics valuable & driving meaningful change?
Report accuracy tied into QA process?
Page 18
USE CASE: POST-PROJECT STATE
Organization Overview: Defined specific business units to initiate program
DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings
DLP Primary Goal: Identification of unauthorized movement of specific elements of IP
Application Management: Operated by a combination of IT, messaging & desktop management teams
Policy Governance: 100% customized policies based on data collected from business unit
Incident Triage: Daily review of incidents by BEW Global Intelisecure Managed Services team
Event Management: Incidents meeting severity criteria routed to business unit for investigation
Reporting and Metrics: Behavioral pattern analysis leading to preventive actions
Status: R&D teams have a high level of confidence in the ability to identify leakage of IP
Page 19
QMS SAMPLE QUARTERLY REPORT
[Chart: Intelisecure DLP QMS: Six Month Trend. Y axis: Number of Hours; X axis: Time. Series: Application Management, Policy Governance, Incident Triage, Event Management, Reporting & Analytics]
Page 20
PITFALL 1: NO PLAN OF ATTACK
Page 21
5 Pieces of DLP Advice You Can’t Afford to Ignore
PITFALL 2: FAILURE TO ENGAGE THE BUSINESS
Page 22
PITFALL 3: INADEQUATELY TRAINED RESOURCES
Page 23
DATA LOSS PROTECTION PITFALLS: Missing the Target – False Sense of Security
Mis-configured Tap or Port Span
Problem: Missing segments of network traffic or protocols.
Solution: A comprehensive test plan that maps to in-scope business processes and the related data types transmitted from various network locations, to ensure all relevant data streams are being captured.
Encryption – The Masked Data
Problem: Analysis of data DID NOT take place prior to encryption.
Solution: A comprehensive test plan that proves ALL DLP data assessment takes place prior to gateway encryption, and managed “test” DLP policies that identify encrypted transmissions as part of the test plan.
Misfire of Network Discovery Scans
Problem: Locations of sensitive data never targeted by the organization for scanning, due to the lack of an effective policy governance process.
Solution: Identify potential data stores by discussing the DLP program with staff to understand the process.
Network versus Endpoint Discovery
Problem: Running DAR scans using a combination of network & endpoint without considering that the policy types & detection methods are not the same.
Solution: Prior to acquiring a DLP solution, understand the data types that make up your target environment & then decide on the scanning method.
Page 24
DATA LOSS PROTECTION PITFALLS: The Pandora’s Box of DLP
Environment Assessment
• Problem: No rigorous endpoint environment assessment prior to the selection of the application & enablement.
• Solution: Address age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints.
Staying in Contact
• Problem: Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results.
• Solution: Phased deployment of endpoint with validation via test plan on initial success of ALL agents & on-going endpoint agent health reports.
User Performance Impacts
• Problem: Implementing same policies for network based & endpoint assessments without testing or modification.
• Solution: Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.
Network/System Performance Impacts
• Problem: Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections.
• Solution: Thorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.
Page 25
BEW GLOBAL HQ
5613 DTC Parkway, Suite 1250
Greenwood Village, CO 80111, USA
(ph) +1 720 227 0990
(fax) +1 720 227 0984
www.bewglobal.com

BEW GLOBAL EMEA
3 Albany Court, Albany Park
Camberley GU16 7QR, England
(ph) +44 (0) 845 481 0882
(fax) +44 (0) 871 714 2170
www.bewglobal.com

BEW GLOBAL APAC
520 Oxford Street, Level 23, Tower 1
Bondi Junction, Sydney 2022
(ph) +61 (2) 9513 8800
(fax) +61 (2) 9513 8888
www.bewglobal.com