gtb dlp & irm solution product and deployment overview

GTB Data Loss Prevention and Information Rights Management Solution

Product and Deployment Overview

GTB Technologies, Inc - Confidential - 2012

Table of Contents

Description Page

GTB Technologies – What we do? 3

GTB DLP Suite - An Overview 4 - 5

GTB's Key Competitive Differentiators 6

GTB DLP Suite Architecture 7

Elements of the GTB DLP SUITE 8 - 13

Deploying the GTB DLP Suite 14

The GTB Inspector – Optional Integration 15

GTB’s DLP Project Lifecycle Phases 16 - 17

GTB – Product Support Structure 18

GTB – Sample Customers 19

2


GTB Technologies – What we do? Insider Threat Protection - Accuracy on all ports and protocols

The Gartner Group estimates that 70 percent of security incidents which actually cause financial losses to enterprises involve insiders. 60% of those are unintentional. The Federal Bureau of Investigation asserts that "Insider threats to data security, which have received considerably less notice than external security risks, need more attention". Identity Theft incidents are increasing in an alarming rate. Such incidents are not only embarrassing, but actually cause financial harm to companies.

Federal and States' Governments enforce laws and regulations designed to protect such data: Sarbanes Oxley, FISMA, GLBA, HIPAA, CA SB1386, CA AB1950, CNPI, Payment Card Industry (PCI) Data Security Standard, The Patriot Act, FERC/NERC and other. In any modern enterprise, core assets reside in Intellectual Property. In fact, your IP resides in many different digital forms on your network. That includes customers’ data, financial reports, business plans, internal memos, technical designs, source code etc. And all of it is only a few clicks away from exposure by a sloppy or a disgruntled employee. Your confidential content may be transmitted through many different Internet Protocols and through several means: E-Mail, Instant Messengers, Web Servers, Private Blogs, Hacker Tools, Spyware and many other applications. Installing the GTB Reverse Content-Aware Firewall Inspector on your network would prevent any attempt to transmit confidential data in violation of your security policy. Independent evaluations confirm GTB's AccuMatch™ detection algorithms are the most accurate and fastest detection algorithms on the market. Unlike competitive solutions that require risky changes to network architecture to prevent data breaches, the GTB solution works out of the box and requires no changes to your network.

3


GTB DLP Suite, accurately prevents data leakage, secures business processes, and manages compliance and risk. The system discovers data on file shares and users’ machines and automatically applies IRM Policies for such files. Organization may also fingerprint pertinent tables form Databases (any database) for PII or PHI protection. GTB DLP Suite is the only data loss prevention (DLP) solution that provides content, context, detailed sources and destination awareness, allowing administrators to manage the DLP like a “Content-Aware Reverse Firewall”. There are many use-cases for DLP and we list some of them here:

GTB DLP Suite includes four, fully integrated modules. All modules share the same powerful Inspection engines as well as Policies. Policies may be modified for each component without affecting others. GTB Inspector The GTB Inspector is a dual mode device which can be connected either in passive or in-line (bridge mode). It monitors all business communications including Web, email, FTP, instant messaging and more. Once a data violation is identified, it automatically enforces the security policy including Log, Encrypt, Quarantine or Block. GTB eDiscovery GTB Data eDiscovery discovers the location of confidential information on laptops, desktops and fileservers. Utilizing Microsoft’s File Classification, it can also classify data based on content. Additionally it can call on GTB IRM to enforce Identity Rights policies on detected files. Most importantly, GTB eDiscovery can monitor such computers and report file’s violations in real-time. This avoids lengthy quarterly scan of machines. GTB IRM GTB IRM enforces Identity Rights policies on protected files: Control WHO- which information owners can control the information i.e. people, groups. Control WHAT- actions are allowed on such files, i.e., view, edit, print, copy-paste, screen capture (print screen, screen grabbing tools, screen sharing tools), macros and offline controls. Control WHEN- information usage can start and stop based on time i.e. dates, timespans... Control WHERE- information can be locked to networks and locations i.e. office, branches and/or specific customer locations. The system provides full reporting on the chain of custody for any file for forensics and security purpose.

GTB DLP Suite - An Overview

Control a broken business process

Demonstrate Compliance Automate Email EncryptionDetect or Block encrypted

content

Who is sending, what data and to whom?

I have no way of enforcing data loss compliance regulation

How do I automate encrypting emails which require it?

Should I allow encrypted data to leave without content

inspection?

Severity Blocking Visibility to SSLDetect/Block TCP from Non-

trusted usersEmployees' Education

Some breaches are so severe that I prefer to altogether block

them!

I have no visibility to SSL in general and HTTPS in

particular!

How do I detect transmissions from non-trusted users

(Malware/Viruses/Trojans)

My employees are not complying with the Written Information Security Policy

(WISP)

4


GTB DLP Suite - An Overview

GTB Endpoint Protector GTB Endpoint Protector provides data loss prevention at the endpoint with full USB and removable Media controls: Discovers devices, Protects devices, Audits devices, Controls devices, Content-Aware. The system is also able to automatically encrypt files saved to USB media as well as maintaining a copy of saved file in a shadow location. Administrators have complete visibility to actual files that were blocked by the Endpoint Protector. The GTB DLP Suite prevents data loss, demonstrates compliance and secures business processes. Each of the four integrated modules provides unparalleled visibility into communications, compliance auditing and measures and mitigates the risk of data loss.

Communication Visibility - GTB DLP Suite’s provides administrators with full control and visibility for secure content. It controls who is able to send, what data and to who. Complete reporting provides Sources, Destinations, Protocols, Ports, and File Owners with Active Directory integration for reporting usernames. The system also reports the username of the webmail violator for better forensics.

Detection Accuracy - Utilizing Recursive Transitional GapsTM, the GTB DLP Suite provides unparalleled accuracy for detecting sensitive data. Intellectual Property such as Source Code, Engineering designs, Audio and Video files are accurately identified and classified by any of the DLP components.

Solution Coverage - GTB DLP Suite monitors all outbound transmission form trusted and non-trusted users on all 65,535 ports. It is file format agnostic and can identify data in any file type including images, audio and video files.

Management and Reporting - Enterprise Management and Reporting provides analysis tools and searches as well as complete work-flow for events remediation.

5


GTB's key competitive differentiatorsThe highest precision of breach detection: offering virtually no false positives and nearly a 100% catch rate and data modification resiliency.

1GB speed Can detect and prevent sensitive data in all kind of languages Can detect and prevent all kind of data , structure, un-structure, binary files – which depending on the model, GTB's Content Aware Reverse Firewall, the Inspector appliance, can protect up to 700 million elements of stored data in databases and up to 5 terabyte of source data across more than 600 different file formats, including Microsoft Office documents, CSV files, CAD drawings, image files, rich media and other industry-specific application formats. Support for ALL protocols including Email, Instant Messengers, FTP and even unknown protocols such as RDP (any terminal server), Telnet and any Unknown TCP Protocol. Monitoring and blocking in real time all the 65,535 ports :

The Well Known Ports - from 0 through 1023. The Registered Ports - from 1024 through 49151 The Dynamic and/or Private Ports - from 49152 through 65535

Virtually no false positive OR no false negatives** for detecting both Personal Identifiable Information and partial file matching (**on fingerprinted data) - thus allowing customers to Block content from exiting! Multi-language support Detection of Encrypted Content Scalability to outbound and inbound network bandwidth Workflow for event remediation – no one can delete the event from the central consul management Multi-location Central Management Console – being protected from hacking SIEM integration No need to re-write the rules and policy from the beginning whenever there is any update and upgrade of the system. Designed for unattended, maintenance free operation Available as a Portable "all-in-one " device - to quickly move the appliance between networks (internal or external) Changes in the network architecture are not required 6


GTB DLP Suite ArchitectureThe GTB DLP Suite is best known for operating with a Minimum Change requirement that is able to translate into Maximum Accuracy and Efficiency!Which means: The GTB DLP Suite deployment requires minimum infrastructure changes. The GTB Inspector itself is a Plug and Play device that runs on any VM Image and sits on the edge of the network. The Endpoint Protector and eDiscovery agents are easily deployed via Microsoft Active Directory or any other LDAP’s. Endpoint and eDiscovery Agents are installed through Domain via Group Policies or GTB Console and is available as a service for all users of the PC. It will work even for local users.

The GTB DLP Suite architecture is comprised of five main components: Central Console – Runs on any VM image. The GTB Inspector – a 1U server based on Dell PowerEdge R210 or higher. (Also available as VM image). GTB Endpoint Protector Agent[s]GTB eDiscovery Agent[s]GTB IRM

The GTB Inspector works with any ICAP clients such as Blue Coat or Microsoft ISA/TMG. It also includes its own SSL Proxy for inspecting SSL traffic. Inspecting multiple egress points require at least one GTB Inspector at each location. Events from each location are reported in the Central Console.

More than 2,000 user accounts are advised to Deploy 2 Inspectors, one for MTA and one for inspection of all other traffic. The GTB Inspector is a full MTA and a Smart Host.

7


Elements of the GTB DLP SUITE

The GTB Central Console

The GTB Central Console is based on Red Hat Linux and is available in any Virtual Machine Image. As such, it runs on any server that VM runs on. The Central Console includes management, reporting and a full work-flow for any incident. The Console is a Role Based and is fully integrated with Active Directory for defining Administrators, Event Reviewers and Event Handlers. It receives events from any all of the DLP Suite and provides alerts to special security respondents and events reviewers. The Console provides unparalleled search capabilities for events correlation and detailed events data for any incident.

The GTB Inspector – A Content-Aware Reverse Firewall

Based on patent pending, proprietary technology; GTB's Inspector, a "Reverse Content-Aware Firewall" TM scans and analyzes ALL outbound data transmissions from your network in real time. Once a threshold amount of protected data is detected, it stops the violating transmission and/or alerts the designated security officer or administrator.

New programs requiring the use of unconventional protocols are becoming increasingly more prevalent. Furthermore, despite company policies forbidding the practice, employees frequently utilize peer to peer applications. Microsoft Networks and similar protocols, initially designed for LAN, are perfectly capable of working over the Internet.

Malicious applications (e.g., viruses and worms) can be utilized to transfer data across a broad variety of protocols. So supporting just SMTP, HTTP, FTP and IM is a real limitation for the majority of DLP Solutions and is not DLP.

Protected data may include bank accounts, credit card numbers, and passwords. The Data Loss Prevention (DLP) device is completely opposite to the secure location. It is installed on the network edge and more than one device can be installed if necessary. The Reverse Content-Aware Firewall offers mass communication features and is compatible with multiple devices and multiple protocols.

8


Data-in-Motion is all traffic on the network. GTB's "Reverse Content-Aware Firewall" TM Inspector analyzes this traffic for pieces of source code; all communication channels are scanned, such as: e-mails, instant messages, web logs, etc. If a violation is attempted, the transmission is blocked and then logged on the security report. You can also elect to have the network administrator notified through an alert email.


Accuracy and Precision • Virtually zero false positives • Virtually 100% detection rate • Resilient to data manipulation, including: • Data extracting – only a small part of a file or a subset of a database table is copied and pasted from one document to another • File format conversion • Compression • Embedding – the data from a protected file is inserted into another file • File extension changes • Re-typing – text is re-typed from a printed document • Language encoding changes, especially conversion between Unicode and plain English • Different representation -, i.e., a social security number may be represented in the form ‘777-77-7762', ‘777 77 7762' or ‘777777762''

Protects ALL Protocols •SMTP • HTTP • HTTPS • Web Mail • HTTP Server • POP3 • FTP • SSL (capable of decryption) • Instant Messengers • Yahoo Messenger

• Microsoft Messenger • ICQ • AIM • Google Talk • Jabber • Peer-to-Peer applications (20+ applications and protocols) • All protocols, sending data in clear • Capable of blocking on all protocols

Reporting • Built in table reports • Built in Crystal Reports

• MS Access format for exporting

9


Elements of the GTB DLP SUITEGTB Endpoint Protector - Agent(s) GTB's Endpoint Protector is an innovative DLP solution addressing the growing problem of secure data leaving the organization through removable media devices such as iPods, CD/DVD's, or USB Drives. Rather than restricting devices that connect to the network and passively auditing data transfers, the GTB Endpoint Protector offers organizations the ability to control what content can be transferred between the network and removable media devices. The GTB Endpoint Protector has four main functions: controlling removable media devices connecting to the network, providing detailed removable media auditing of hardware and file transactions, protecting data by selective encryption of specific file types or protected content, and optionally integrating with the GTB Inspector to monitor and control data before it is transferred to removable media.

Provides complete access control addressing all removable media Manages detailed file auditing Offers both online and offline protection mode

Result: The GTB Endpoint Protector client monitors any I/O activity on a PC for all removable media activity, enforcing access policies created in the management console. All data sent to removable media is intercepted and inspected by the GTB inspection engine. Various enforcement actions can then be taken, such as blocking, alerting, encryption, etc.

Data-in-Use is data that is saved on removable media devices. GTB's Endpoint Protector scans data for sensitive content before it is saved and then can block unauthorized transfers. The Endpoint Protector can also detect activities such as copy and paste, or use of sensitive data in an unapproved application, such as someone encrypting the data in an attempt to bypass the Endpoint Protector's block.

Supported Devices • USB Drives • iPod, other mp3 players • CD/DVD • Fire wire • SD Cards • Floppy Drives • Other I/O devices

Access Control • Individual Users • User Group • Computer Group • Port • Device Type • File Type • Drive Serial Number

Features • LDAP Integration

• Files Encryption • Detailed File Auditing • Detailed Hardware Auditing • Two way file control• Online and Offline modes

Actions • Block • Log • Audit • Encrypt

Reporting • Built in Table Reports • Built in Crystal Reports • MS Access format exporting

10


Elements of the GTB DLP SUITEGTB eDiscovery/GTB IRM - Agent(s) Accurate Scans provide Accelerated review time and Lower Costs Utilizing the most state-of-the-art detection algorithms; GTB eDiscovery, is an eDiscovery tool for data at rest protection, data classification, categorization, early case assessment (ECA) and search for Enterprises and SMB organizations.

GTB eDiscovery can scan every location on the network, including file servers, desktops and laptops. Confidential data is discovered with the same precision and performance of the GTB Inspector. GTB eDiscovery is fully integrated with the GTB DLP suite, providing a complete DLP suite.

GTB eDiscovery scans the whole hard drive and finds files even in the Recycle Bin, ensuring that what is expected to be deleted was actually deleted. Accurately monitor, protect and report violations any time a file is saved and/or blocked from saving; essentially eliminating the necessity to endlessly scan machines for data violations.

GTB eDiscovery reports detailed information for each violating file, including location, actual content, context, file owner, file name, last accessed/modified time, policy violation and more. It includes a complete Workflow functionality which allows to simultaneously respond to multiple violations.

Enterprise wide scans can be performed on demand or on a batch schedule for continuous compliance.

Using the GTB AccuMatchTM technology, eDiscovery firms can now focus on reviewing the most relevant ESI (electronically stored information), providing accelerated review times & early case assessment (ECA) amounting to lower costs.

Combined with GTB IRM, eDiscovery is able to automatically enforce information Rights policies on files that violate corporate policies or industry data regulations.

Result. GTB eDiscovery detects potential violations of data security and compliance before it becomes a security incident. This mitigates consequences of laptop loss, intrusions and potential malware. GTB's technology is unique in that it not only exposes confidential data but also positively establishes its absence.

GTB eDiscovery allows businesses, government and educational organizations to secure data and demonstrate compliance with GLBA, Sarbanes Oxley, PCI DSS, HIPAA, HITECH Act, FISMA, FERC/NERC and other regulations. Additionally, it provides a much less expensive way to perform legal discovery and react to data loss incidents.

11



GTB eDiscovery – Features and benefits

12


Elements of the GTB DLP SUITEGTB IRM Network Architecture (Deployed Model)

13


Deploying the GTB DLP Suite This section is based on best practices as achieved in many banks, industrial companies and government accounts. The goal of the initial deployment is to create custom policies, fingerprint, monitor, and report on specific data violations. Such behavior is reported in the Central Console with details on Locations, Protocols, Port, User-name (or IP, or DNS machine name), Destinations, Severity level, Action taken, Remediation status, Data Classification, Policy violated and Email status if the MTA is used. See Figure 1 below:

Figure 1 – Central Console Network incidents

14


The GTB Inspector – Optional Integration Additional integration into the corporate infrastructure is also available: Integration in to the Active Directory domain structure, Directory Services via LDAP, SIEM, Web URL Filtering systems and web proxies supporting ICAP.

Figure 2 – Additional optional integration

Exchange/Email gateway – Emails may be received from any SMTP source to the MTA of the GTB Inspector. Such emails may be quarantined or rerouted to an encryption gateway, a new host, or to the Cloud.

Proxy Server (ICAP Client) – ICAP handoffs from any Proxy server may be routed to the GTB Inspector for full HTTPS visibility. DKSH may use the GTB SSL Proxy (inside the GTB Inspector) for the same purpose.

SIEM – The GTB Inspector may send all events to a syslog enabled SEIM.

Active Directory/LDAP - DKSH may run the Network Resource Helper script using GPO to integrate with Active Directory. This way the Inspector will report the actual username at the time of the violation. Without the NRH, the GTB Inspector will report the IP Address and the Reverse DNS lookup of the LAN host.

Secure Mail Gateway – The GTB Inspector is a Smart Host and can route emails to the Encryption gateway for those email that require encryption.

15


GTB’s DLP Project Lifecycle Phases The Data Lifecycle represents various risks at each stage-

DLP Area Data in Motion Data in Use Data at Rest

Risk

Sensitive data may be sent over any channel to the internet by trusted or untrusted users

An employee/consultant copies sensitive data to USB storage on his/her own computer

Sensitive Data resides on file-shares and is accessed by authorized users, who may leak the file(s) by sending them to the Internet (Data in Motion) or copying it (Data in Use)

Relative Risk Level

High Medium Low

GTB’s multi-phased approach to deploying DLP has been proven to be the most effective across many deployments:

Phase 1: Monitoring – GTB recommends monitoring outbound network traffic with Administrator notifications to start. Step 1: Connect the GTB Inspector to a span/mirror port and move the GTB Central Console to your VM inventory. Step 2: Define what data is considered sensitive/confidential in your organization. This is a process and not a project. Depending on your COMPANY’s business you may be interested in protecting Personal Identifiable information or Health Information, etc. You may be interested in protecting Intellectual Property, Source Code Images, or audio and video. A GTB Senior DLP engineers will be able to consult with you on the best practices to define policies for your data. Step 3: Fingerprint your Data (can be also part of Step 2). Data fingerprinting provides the most accurate and efficient detection of policy violations.

Database fingerprinting (Structured data sources): Content policies are defined for specific data table or combinations thereof. Policies are configured as combinations of fields and thresholds for a given number of matches. A HIPAA violation may be defined as the combination of both the Last_Name and the Social Security Number. Higher severity levels may be defined for such policies since such detection does not have false positives. Files Fingerprinting- (Unstructured data sources) GTB’s Security Manager utilizes the most advanced detection engine for file fingerprinting. Any file type may be fingerprinted or entire Directories. Such Directories may be set as “Lock Box” where anytime a file is dropped the data shall automatically be fingerprinted. The detection engine shall identify any partial data match in any file format even if the data was modified. Some limitations apply for changed images.

Policies for Fingerprinted Data of both Databases and Files are available to all the GTB Components: Network, Endpoint, eDiscovery and IRM.

16


GTB’s DLP Project Lifecycle Phases Phase 2: Monitoring with user Notifications – at this stage, GTB recommends enabling email notifications to various stakeholders in the organization. You may want to alert Security Administrators, Violators, Manager of Violators, and special Security Respondents. Alerting the Violator will decrease the number of incidents over time as user become much more aware of data security in their transmissions.

Phase 3: Tuning (ongoing) – The key to successful DLP deployment is to reduce the number of incidents to a minimum by tuning the system to report only pertinent violations. Many DLP systems fail in accurately detecting incidents, and instead, reporting thousands of irrelevant events. To make sure all incidents are relevant and manageable, you may:•Make sure the selected protocols are relevant for specific policies and detection engines •Identify authorized transactions and make appropriate changes for Users, Channels and Data (e.g., allowing specific transmissions from certain sources to certain destinations and for specific user/groups) This is a good phase to assign a Special Security Responders for specific policy violations. For example, HR Manager receives alerts to handle HR violations and the Compliance Officer receives an alert to handle a PCI violation.

Phase 4: Enforcement – Most GTB customers move to this phase after 2 to 3 weeks. Enforcement options are available for different protocols and Severity levels of incidents.•Email – You may start using the Inspector Mail Transport Agent (MTA) to Quarantine emails. You may have users remediated low severity violation and only have Administrators remediate high severity ones. •Email Encryption – You may route emails to your Encryption Gateway (locally or in the cloud). •You may define specific actions for any protocol. The GTB Inspector works as a Reverse Firewall for Content). As such, you may define Objects such as Encrypted Files. Then set rules to Block such files for specific users/groups. A GTB Engineer may advise on additional examples.

Phase 5: Data Discovery/IRM (can start in phase 1) – Run the GTB eDiscovery agents on any computer you want to protect. The eDiscovery agents shall identify policy violations in files and automatically assign Information Right Policies on such files. Such policies are pre-defined in the GTB IRM policy Server. They include Read, write, Forward, Print etc. Specific on-site training is available for this phase.

Phase 6: Endpoint DLP Deployment (can start in phase 1) – this phase is designed to control data in motion to Removable Media (any USB devices, Fire wire, I pads etc. Agents may be deployed in stealth (invisible) mode through GPA or any agent installer program. All data policies previously define will automatically propagate to the endpoint agents. Agents support off-line policies as well for users disconnected from network.

17


GTB – Product Support Structure First and Second Level Support

CLIENT

GTB Technologies - Local Office:

First and Second Level Support

1. On-Site Support (Office Hours Only)

2. Telephone (Office Hours Only) 3. Email - 24 Hours

4. Annual Maintenance Support and Upgrade.

Assigned to: DLP Expert

GTB Technologies - Online Support:

First and Second Level Support

1. Telephone and Email -24 / 7 / 365

2. Remote Assistance3. Annual Maintenance Support

and Upgrade. Assigned to: DLP Expert

GTB Certified Local Partner:

First Level Support1. On-Site Support (Office Hours

Only)2. Telephone (Office Hours Only)

3. Email Support4. Annual Maintenance Support

and Upgrade. Assigned to: Product

Engineer/Support Engineer

18


Apple, Inc. 60,000 users

American Greetings 8,000 users

Bureau of Indian Affairs (US Government DOI) 7,500 users

CITGO Oil Company 4,500 users

ESL Federal Credit Union 1,200 users

SAFE Credit Union 750 users

San Mateo Credit Union 650 users

GTB – Sample Customers

19

gtb dlp & irm solution product and deployment overview

Documents

gtb dlp suite8

confidential data

gtb ediscovery

gtb data loss prevention

data breaches

data violation

data leakage

encrypted data