DSS ITSEC 2013 Conference 07.11.2013 - SearchInform
DESCRIPTION
Presentation from one of the remarkable IT security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7th of November, 2013, and was attended by more than 400 participants on site and more than 300 via online live streaming.
TRANSCRIPT
DLP Systems
Preventing data leaks via encrypted protocols:
preventing leaks via Skype.
About SearchInform Ltd.
Working since 1995
More than 200 employees
10 offices
Main product: SearchInform Information Security Perimeter (SISP)
We help our customers tune information security based on the experience of tackling similar challenges.
Useful tips on how to:
set up security policies (alerts);
protect sensitive data;
restrict access to sensitive data, etc.
Customer Support Center
Working with Colleges
SearchInform Ltd. takes an active interest in training information security officers.
We provide our DLP solution to colleges free of charge to train students in real-life environment.
Types of Data Leaks
Unintentional
Carelessness
Lack of knowledge
Three Pillars of Information Security
Prevention of data leaks
Working with employees
Work optimization
DLP Key Requirements
A DLP system should promote business, not hinder it. All data channels must remain available to employees.
A full database of intercepted documents is an essential requirement for incident analysis.
Intercepted data is useless unless you have efficient analysis tools.
Integration with the Windows domain structure allows accurate identification of users.
Controlling laptops.
Revealing malicious intent.
System Architecture
In our solution, the server part is either the SearchInform NetworkSniffer or the EndpointSniffer data interception platform; the client applications are used to work with the database and conduct data breach investigations.
A single search and analysis engine makes all of the above-mentioned search capabilities fully available.
Up-to-date DLP systems have a client-server architecture.
Network traffic: mirror switch
Endpoint: agent
SearchInform NetworkSniffer is a platform that intercepts data at the level of mirrored traffic, i.e. NetworkSniffer processes traffic without interfering with corporate LAN processes.
System Architecture
SearchInform NetworkSniffer
Mirror switch
IM, HTTP, Mail
SearchInform EndpointSniffer is a platform that uses agents installed on user workstations to intercept traffic.
The main advantage of IMSniffer and MailSniffer working on the EndpointSniffer platform is high failure tolerance (data is intercepted even if servers are not available). Interception of data transmitted over secure protocols is also supported.
System Architecture
IM Sniffer, HTTP Sniffer, Mail Sniffer
Print Sniffer, Monitor Sniffer, Device Sniffer, File Sniffer
FTP Sniffer, Skype Sniffer
System Architecture
E-mail: SMTP, POP3, MAPI, and IMAP protocols are supported
HTTP: Social networks, web blogs, forums, web applications used to send e-mails and SMS, web chats, etc.
FTP
SISP Components
MonitorSniffer: MonitorSniffer controls visual data displayed on one or several screens in real time. You can also monitor users working via RDP.
DeviceSniffer: Files copied to removable media (flash drives, CD/DVD, and portable hard disks).
SISP Components
PrintSniffer: Local and network printers
Indexing Workstations helps you find out whether sensitive data appeared on, was deleted from or was copied to user computers.
FileSniffer controls users working with shared network resources.
SISP Components
Skype control
Skype: encrypted data transmission protocol
Types of possible data leaks over Skype:
1. Voice message
2. Text message
3. File transfer
Skype control
Preventive measures
1. Skype use policy
2. Informing employees of Skype data analysis
3. Understanding risks and risk groups
Control of Skype requires installation of a so-called “agent” on the endpoint.
Risk Group:
1. Employees who breached data security policies even once, through other channels,
2. Employees who rename sensitive files, send password-protected archives, etc.,
3. Employees who post negative comments about the company, top managers, etc.,
4. Employees who, for some reason, ignore their work,
5. Employees whose work is closely related to cash flows.
Data Leaks and Preventive Measures
Skype intercepted data mining
SearchInform Client
SearchInform Client is the main data breach investigation tool for Skype. It allows searching data in manual mode.
Intercepted data analysis
AlertCenter
If the database of intercepted Skype data contains key words, phrases or text extracts that match a search query, AlertCenter will send a notification to the specified e-mail address.
Control your information!