BUILDING A SECURITY PROGRAM THAT PROTECTS AN ORGANIZATION’S MOST CRITICAL ASSETS

Upload: duonghuong

Post on 10-Jul-2018


TRANSCRIPT

Page 1: BUILDING A SECURITY PROGRAM THAT PROTECTS … Presenations/B… · Endpoint Prevent Symantec Data Loss ... Priority Security Concern Category Program Scope Supported Response 1

BUILDING A SECURITY PROGRAM THAT PROTECTS AN ORGANIZATION’S MOST CRITICAL ASSETS

Page 2:

ABOUT BEW GLOBAL

Focused Expertise
Global Service Delivery
Founded 2002
Quality Management

SOLUTION OFFERINGS

Consulting Services
Managed Services
Product Services
Technical Services
Security Assessments
Training Services

Page 3:

DATA LOSS PREVENTION EXPERTISE

Deployed 400+ DLP Projects
Completed 500+ Assessments
Manage DLP Solutions in 22 Countries

QUICK FACTS

Symantec Master Specialization DLP Partner
RSA’s Only Authorized Managed DLP Partner
1st Managed DLP Services Provider (2008)
Localized Chinese DLP Practice (2011)
Global Support in 130 countries
Websense Certified TRITONs – More than any other partner, 7 Olympians & 1 Gladiator
Daily Management of 1,000,000+ Users

Page 4:

INTELISECURE MANAGED SERVICES

IMS POD STRUCTURE

Information Security Engineer – Technical optimization & health of all system components
Information Security Analyst – Daily incident event review & workflow management
Business Analyst – Translate system and event data into reports & analytics

Event Management
Reporting & Metrics
Incident Triage
Application Management
Scope & Policy Governance

Page 5:

SYMANTEC DLP COMPONENTS

Endpoint Prevent

Symantec Data Loss Prevention Endpoint Prevent monitors files downloaded to local drives; transferred over email, IM, Web or FTP; copied to USB, CompactFlash®, SD, or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically. With Symantec Data Loss Prevention, you can monitor and block:

• Instant messages sent to a partner containing confidential M&A information
• Web mail with product plans attached going to a competitor
• Customer lists being copied to USB or other removable media devices
• Email containing PII sent via hosted email security services
• Source code that is copied to a local drive
• Email containing confidential data sent from mobile devices
• Product design documents being burned to CD/DVD
• Price lists being printed or faxed to a competitor

WHAT WE WILL COVER TODAY

Developing the DLP Program
DLP Use Cases – How Did They Get There?
Developing the DLP Program
Avoiding Common DLP Pitfalls
Open Q&A

Page 6:

CRITICAL ASSET PROTECTION PROGRAM (CAPP)

A Critical Asset Protection Program (CAPP) clearly defines what assets are deemed most important to the organization based on the concepts of revenue, income, reputation and core operational impact.

Most organizations fail at their Data Loss Protection programs because they never develop a Critical Asset Protection Program with a documented scope.

Page 7:

CAPP METHODOLOGY

Most information and network security programs are doomed from their inception due to the common pitfall of failing to develop a program scope that is accepted, acknowledged and supported by senior leadership. Through a comprehensive interview and information gathering process, BEW Global and our customers develop a realistic Critical Asset Protection Program Scope that defines the assets and the core attributes of each asset in regard to the following:

Creation
Storage
Usage
Transmission

Page 8:

CAPP – CRITICAL ASSET LIFECYCLE MAPPING

Critical Asset Creation

The point in time when the asset is created. This could be the first swipe of a credit card, the initial lines of code for a new application or the acquisition of a new VM cluster. Today, asset creation can be the product of multiple groups or systems, making the need for a laser-focused scope imperative for a successful protection program.

Critical Asset Storage

Once the asset has been created, the asset is stored. For intangible assets this may be in RAM, on a hard disk, NAS, SharePoint or other types of data storage. Tangible assets like servers, routers or laptops may be racked in a datacenter, placed in a remote office closet or placed on a home office desk.

Critical Asset Use

Mapping the authorized use of the critical asset is very important when developing the Critical Asset Protection Program. By mapping the authorized usage characteristics of the assets within the CAPP scope, applying the optimal combination of people, process and technology to successfully protect the critical assets becomes a more manageable endeavor.

Critical Asset Transmission

The assessment of how critical asset information is shared within and outside the organization provides key insight into the required protection mechanisms. The transmission threat vector is used constantly for authorized operations and, in parallel, presents some of the greatest challenges for inadvertent or malicious asset exposure.

Page 9:

SAMPLE CAPP PROGRAM SCOPE

Critical Assets Management Concerns (Priority / Security Concern / Category / Program Scope Supported Response):

1. Disclosure of customer and employee PII data
   Category: Customer and Employee Data
   Program Scope Supported Response: Symantec Network Discover – File Share scanning to gain visibility into storage locations; Symantec Network Monitor – Email monitoring to gain visibility into transmission

2. Disclosure of PCI data
   Category: Customer Data
   Program Scope Supported Response: Symantec Network Discover – File Share scanning to gain visibility into storage locations; Symantec Network Monitor – Email monitoring to gain visibility into transmission

3. Disclosure and unauthorized use of customer “ARM Logs”
   Category: Proprietary Customer Data
   Program Scope Supported Response: Symantec Network Discover – File Share scanning to gain visibility into storage locations; Symantec Network Monitor – Email monitoring to gain visibility into transmission

4. Disclosure of Proprietary and Licensed source code
   Category: Intellectual Property
   Program Scope Supported Response: Symantec Network Discover – File Share scanning to gain visibility into storage locations; Symantec Network Monitor – Email monitoring to gain visibility into transmission

Page 10:

SAMPLE CAPP PROGRAM SCOPE

Targeted Data Elements (Category / Data Element / Description / Requirement / Data Identifiers):

Personally Identifiable Information (PII)
   Data Element: Social Security Numbers
   Description / Requirement: The Human Resources, Finance, and Legal departments identified SSN as a key piece of PII to be protected by the Critical Asset Protection Program. SSNs are stored on customers and employees.
   Data Identifiers: 9 numeric characters

Customer Data
   Data Element: TSN
   Description / Requirement: [client name] Serial Number – Numbers are assigned to and uniquely identify each [client name] set top box. These numbers are associated with records (ARM logs) collected on each [client name] device containing sensitive customer information.
   Data Identifiers: 15-digit hexadecimal number; the first 3 digits represent the TSN prefix, the following 11 represent the unit ID, and the final digit is a checksum

Payment Card Industry Data
   Data Element: Credit Card Numbers
   Description / Requirement: During regular transactions with customers [client name] collects and stores Credit Card Numbers. [client name] is currently categorized as a PCI level 2 vendor but strives for level 1 compliance.
   Data Identifiers: All major national and international credit card vendors

Source Code
   Data Element: Copyrighted/Proprietary Code
   Description / Requirement: Proprietary source code and copyrighted source code
   Data Identifiers: Adobe Copyright, Broadcom Copyright, Microsoft Copyright, [client name] Copyright

Page 11:

SAMPLE CAPP PROGRAM SCOPE

Service Milestone Timeline (Milestone / Description / Target Date):

Data Loss Prevention System Technical Install – Data Loss Prevention system technically installed, tested and prepared to monitor all communications – Complete

Critical Asset Protection Program Implemented – Resources in place to manage Critical Asset Protection application, policies, triage incidents, develop analytics, and work with business to remediate events – 07/2013

Critical Asset Protection Program Kick-off – Actively monitor production traffic with first crafted production policies targeted at specific data elements/client information ensuring data is going to the correct clients – 07/2013

Critical Asset Protection System and Program Tuning – Working with the business to review incidents and leverage data to improve policy accuracy within the Critical Asset Protection system – 08/2013

Policy Accuracy Target – 90% + – Tuning the Critical Asset Protection policies to the point of 90% or greater accuracy on outbound email communications, allowing for initial testing of prevention controls – 09/2013

Blocking Pilot – Select User Group – Identification of first user group set-up for blocking or quarantine of unauthorized communications flagged by the DLP system – 09/2013

Blocking – Full Production roll-out – Phased roll-out of remaining business units to be included within the email blocking and quarantine scope of the Critical Asset Protection system – 09/2013

Phase # 1 Completion – Program in place for constant refinement of policies as the business evolves, communication with business units on violations, business analytics delivered, and unauthorized communications blocked – 09/2013

Page 12:

USE CASE: DLP PRE-PROJECT STATE

Organization Overview: Manufacturing firm of 30,000 employees operating in 50 countries globally

DLP Scope: Protection of Intellectual Property (General)

DLP Primary Issue: Lack of staff and buy-in from business owners who handle critical assets

Application Management: Most information security tools operated and “managed” by IT or networks

Policy Governance: No internal resources with any experience with DLP policy construction

Incident Triage: Lean Infosec staff already buried by SIEM and other tool output

Event Management: Informal event management process with little feedback to the business

Reporting and Metrics: Zero customized reports. Very little business analysis provided

Status: Charged with implementing DLP to protect Critical Assets, specifically product IP

Page 13:

APPLICATION SUPPORT & INTEGRATION

Primary System DLP Management = Human Resource / Expertise Requirements
Integrated System Management = Cross Department Collaboration Processes
Health Check & System Validation Management = System Resource Requirements
Vendor Management = Primary and Integrated Technology Vendor Relationships

Page 14:

POLICY & RULE GOVERNANCE

Who requests rules & policy requirements? Are business owners engaged?
Who reviews rule requests? Criteria for approved rule?
What’s the process for converting a rule request into a policy?
Who’s responsible for converting a rule into technical policy? Do they have technical policy authoring expertise?
What is the formal policy development process? First drafts rarely work as expected!
Is there a process to relay production policy metrics to stakeholders?

Page 15:

WORKFLOW DEVELOPMENT & MANAGEMENT

Who develops & manages policy “buckets”? False positive, inbound partner, outbound employee
Who defines thresholds that determine response rules for each “bucket”? Are 10 SSNs a high, medium or low severity incident?
Who designs & sets the policy response triggers? Malicious, Inadvertent, Suspicious, above threshold.
Triage response options: Human notification; System notification (auto); Hybrid?
Who’s responsible for building alerts, alarms & notifications?
Has business been engaged on event management?
Who manages the DLP policy & rules repository? Why recreate the wheel?
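As an added example (not code from the BEW Global deck), here is a minimal detector for the two data identifiers on the sample scope slide (SSN: 9 numeric characters; TSN: 15 hex digits as 3-digit prefix + 11-digit unit ID + checksum digit) that also applies the severity thresholds the workflow slide asks the business to decide. The TSN checksum routine, the threshold values and the sample message are assumptions, since the deck does not give them.

```python
import re

# SSN: 9 numeric characters (hyphenated form also accepted here).
# TSN: 3-digit prefix + 11-digit unit ID + 1 checksum digit, all hex.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")
TSN_RE = re.compile(r"\b([0-9A-Fa-f]{3})([0-9A-Fa-f]{11})([0-9A-Fa-f])\b")


def ssn_plausible(area, group, serial):
    """Drop well-known impossible SSNs (area 000/666/900+, group 00, serial 0000)
    so that invoice and order numbers do not inflate the incident count."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def tsn_checksum_ok(prefix, unit, check):
    # ASSUMED placeholder: the deck only says the last digit is a checksum.
    # Here the check digit is the sum of the 14 leading hex digits mod 16.
    return int(check, 16) == sum(int(c, 16) for c in prefix + unit) % 16


def find_identifiers(text):
    """Return the validated SSN and TSN strings found in a message body."""
    found = {"SSN": [], "TSN": []}
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found["SSN"].append(m.group(0))
    for m in TSN_RE.finditer(text):
        if tsn_checksum_ok(*m.groups()):
            found["TSN"].append(m.group(0))
    return found


# Severity "buckets": assumed values; the business owner sets the real ones.
THRESHOLDS = [(10, "high"), (3, "medium"), (1, "low")]


def severity(hits):
    total = sum(len(v) for v in hits.values())
    for floor, label in THRESHOLDS:
        if total >= floor:
            return label
    return "none"


def triage(message):
    hits = find_identifiers(message)
    return {"hits": hits, "severity": severity(hits)}


# Constructed sample message, not real customer data.
SAMPLE = """Customer SSN 078-05-1120 on file; invoice ref 000-12-3456 is not an SSN.
Order 900123456 is an order number, not an SSN.
Set top box TSN 7A300000000ABC5 returned ARM logs; 7A300000000ABC4 is a typo.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```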

Page 16:

INCIDENT TRIAGE & EVENT MANAGEMENT

Who reviews volume & yield of incidents & events? What’s the review frequency?
How are events/incidents routed? Who owns the incident/event?
How does DLP fit in the overall incident/event management process? Can this be mapped to the DLP system?
What metrics are developed to measure success of rules & related policy? Who’s responsible for developing metrics?
Revision of rules based on quality of policy results. Who manages the policy optimization process?
How will integrated systems be tied together to yield valued info? Secure mail, web gateway, GRC, SIEM

Page 17:

BUSINESS ANALYTICS

Who develops reports?

Are DLP system generated reports adequate?

Who drives report requirements? Requestors, Reviewers, others?

Do they have the expertise with 3rd party reporting tools?

Are the metrics valuable & driving meaningful change?

Is report accuracy tied into the QA process?

Page 18:

USE CASE: POST-PROJECT STATE

Organization Overview: Defined specific business units to initiate program

DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings

DLP Primary Goal: Identification of unauthorized movement of specific elements of IP

Application Management: Operated by a combination of IT, messaging & desktop management teams

Policy Governance: 100% customized policies based on data collected from business unit

Incident Triage: Daily review of incidents by BEW Global Intelisecure Managed Services team

Event Management: Incidents meeting severity criteria routed to business unit for investigation

Reporting and Metrics: Behavioral pattern analysis leading to preventive actions

Status: R&D teams have a high level of confidence in their ability to identify leakage of IP

Page 19:

QMS SAMPLE QUARTERLY REPORT

[Chart: Intelisecure DLP QMS: Six Month Trend – Number of Hours (y-axis) over Time (x-axis), with one series each for Application Management, Policy Governance, Incident Triage, Event Management, and Reporting & Analytics]

Page 20:

PITFALL 1: NO PLAN OF ATTACK

Page 21:

5 Pieces of DLP Advice You Can’t Afford to Ignore

PITFALL 2: FAILURE TO ENGAGE THE BUSINESS

Page 22:

PITFALL 3: INADEQUATELY TRAINED RESOURCES

Page 23:

DATA LOSS PROTECTION PITFALLS: Missing the Target – False Sense of Security

Mis-configured Tap or Port Span
Problem: Missing segments of network traffic or protocols.
Solution: Comprehensive test plan that maps to in-scope business processes and related data types transmitted from various network locations, to ensure all relevant data streams are being captured.

Encryption – The Masked Data
Problem: Analysis of data DID NOT take place prior to encryption.
Solution: Comprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption, and implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan.

Misfire of Network Discovery Scans
Problem: Locations of sensitive data never targeted by the organization for scanning, due to lack of an effective policy governance process.
Solution: Identify potential data stores by discussing the DLP program with staff to understand the process.

Network versus Endpoint Discovery
Problem: Running DAR (data at rest) scans using a combination of network & endpoint discovery without considering that the policy types & detection methods of the two are not the same.
Solution: Prior to acquiring a DLP solution, have an understanding of the data types that make up your target environment & then decide on the scanning method.
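An added example, not from the deck, of the managed “test” DLP policy the encryption pitfall calls for: it flags transmissions that reach the inspection point already encrypted, so a test plan can show whether content assessment happens before gateway encryption (a non-zero opaque share on traffic that should be readable means the tap sits behind the encryptor). The marker list, entropy cut-off and sample messages are assumptions.

```python
import math
import random

# Markers of content encrypted before the DLP engine saw it. Assumed starter
# list for this example; extend it with the formats your gateway actually emits.
OPAQUE_MARKERS = (
    b"-----BEGIN PGP MESSAGE-----",
    b"application/pkcs7-mime",
    b"application/x-pkcs7-mime",
)
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off, tune on real traffic


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: English text sits near 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(payload: bytes):
    """Test-policy check: is this payload opaque to content inspection?"""
    if any(marker in payload for marker in OPAQUE_MARKERS):
        return True, "known-marker"
    ent = shannon_entropy(payload)
    if ent >= ENTROPY_THRESHOLD:
        return True, f"high-entropy({ent:.2f})"
    return False, f"inspectable({ent:.2f})"


def evaluate_stream(messages):
    """Names of opaque messages and the share of traffic the engine could not read."""
    flagged = [name for name, body in messages if looks_encrypted(body)[0]]
    ratio = len(flagged) / len(messages) if messages else 0.0
    return flagged, ratio


# Constructed sample traffic (not captured data): a plain email, a PGP body,
# and an unlabelled high-entropy blob standing in for gateway-encrypted output.
_rng = random.Random(7)
SAMPLE_MESSAGES = [
    ("plain-email", b"Hi team, attached is the Q3 price list for review. Thanks, Dana."),
    ("pgp-email", b"-----BEGIN PGP MESSAGE-----\nhQEMA...placeholder...\n-----END PGP MESSAGE-----"),
    ("opaque-blob", bytes(_rng.getrandbits(8) for _ in range(4096))),
]

if __name__ == "__main__":
    names, share = evaluate_stream(SAMPLE_MESSAGES)
    print(f"opaque before inspection: {names} ({share:.0%} of traffic)")
```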

Page 24:

DATA LOSS PROTECTION PITFALLS: The Pandora’s Box of DLP

Environment Assessment
• Problem: No rigorous endpoint environment assessment prior to the selection of the application & enablement.
• Solution: Address age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints.

Staying in Contact
• Problem: Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results.
• Solution: Phased deployment of endpoint with validation via test plan on initial success of ALL agents & on-going endpoint agent health reports.

User Performance Impacts
• Problem: Implementing same policies for network based & endpoint assessments without testing or modification.
• Solution: Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.

Network/System Performance Impacts
• Problem: Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections.
• Solution: Thorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.

Page 25:

BEW GLOBAL HQ
5613 DTC Parkway, Suite 1250
Greenwood Village, CO 80111
USA
(ph) +1 720 227 0990
(fax) +1 720 227 0984
www.bewglobal.com

BEW GLOBAL EMEA
3 Albany Court, Albany Park
Camberley GU16 7QR
England
(ph) +44 (0) 845 481 0882
(fax) +44 (0) 871 714 2170
www.bewglobal.com

BEW GLOBAL APAC
520 Oxford Street, Level 23, Tower 1
Bondi Junction
Sydney 2022
(ph) +61 (2) 9513 8800
(fax) +61 (2) 9513 8888
www.bewglobal.com