RSA Data Loss Prevention (DLP) Suite

Brian de Lemos

Discover and Migrate Business Risk from Sensitive Data

© Copyright 2008 EMC Corporation. All rights reserved.

RSA Data Loss Prevention Solutions

• The Challenge
• The Solution
• Top 5 Success Factors
• Case Studies
• How RSA Can Help

© Copyright 2009 EMC Corporation. All rights reserved.

Why is Information Security So Difficult?

…because sensitive information is always moving and transforming

[Diagram: data flow across five infrastructure layers (Endpoint, Network, Apps/DB, FS/CMS, Storage), from customers, partners, internal employees, remote employees and remote campuses through WWW/WAN/LAN/VPN to applications, databases, file servers, collaboration and content management systems, disk arrays and backups, with privileged users.]

We Are Exposed At Every Point

[Diagram: infrastructure map across Endpoint, Network, Apps/DB, FS/CMS and Storage, annotated with these exposure points:]

• Endpoint theft/loss
• End Point Leak via print/copy
• Network Leak: Email-IM-HTTP-FTP-etc.
• E-mail leak or packets sniffed in transit
• Public Infrastructure Access Hack
• Privileged User Breach
• App, DB or Encryption Key Hack
• File Server / CMS Hack
• (Semi) Trusted User Misuse
• Unintentional Distribution
• IP Sent to non trusted user
• Tapes lost or stolen
• Discarded disk exploited

A Landscape of Point Tools

…at each of these points of infrastructure

[Diagram: infrastructure map across Endpoint, Network, Apps/DB, FS/CMS and Storage, annotated with the point tools deployed at each location:]

• Mobile Encryption
• Email Encryption
• Network Encryption
• Application Encryption
• Database Encryption
• File Encryption
• Tape Encryption
• CMS/FS Access Controls
• Activity Monitoring
• App/DB Discovery
• eDRM
• DLP

How Can DLP Solutions Help?

• Monitor and protect egress points (network, endpoints, removable media)
• Identify and address sources of risk
• Monitor information security policies to assure corporate compliance
• Identify broken business processes
• Educate employees on policy and risk

The Business Case for DLP

Reduce Risk | Minimize Cost | Avoid Disruption

Reduce Risk
1. What can you catch? Where?
2. What can you do about it?
3. Time to Value

Minimize Cost
1. Product
2. People
   a) Setup/Maintain
   b) Investigations
   c) Remediation
3. Infrastructure

Avoid Disruption
1. Consider the “who” not just “what”
2. Make controls transparent to users
3. Involve the data owners


RSA Data Loss Prevention Suite

DLP Enterprise Manager
• Unified Policy Mgmt & Enforcement
• Incident Workflow
• Dashboard & Reporting
• User & System Administration

DLP Datacenter
• Discover: File shares, SharePoint sites, Databases, SAN/NAS
• Remediate: Delete, Move, Quarantine

DLP Network
• Monitor: Email, webmail, IM/Chat, FTP, HTTP/S, TCP/IP
• Enforce: Allow, Notify, Block, Encrypt

DLP Endpoint
• Discover: Local drives, PST files, Office files, 300+ file types
• Enforce: Allow, Justify, Block on Copy, Save As, Print, USB, Burn, etc.

Underlying controls: eDRM, Encryption, Access Controls

DLP: Enabling Information-Centric Policy

Policy: Regulatory/Non-regulatory Drivers

Dept/LOB: Security Drivers
• Retail Ops: PCI, SB 1386
• Finance: SarBox, GLBA
• International: Basel II, PIPEDA
• R&D: High Value IP
• Legal: Contractual Obligations
• Sales/Marketing: Pipeline Data, Customer Perception
• HR: PII

Information Types
• High Biz Impact
• Medium Biz Impact
• Low Biz Impact

Classification Policy: Description of sensitive data

Handling Policy: Appropriate handling in different contexts

Microsoft and RSA: Building common policy and classification framework to secure data throughout the infrastructure…

[Diagram labels: Centralized Policy; Policies Pushed into Infrastructure (Endpoint, Network/E-mail, Apps/DB, FS/CMS, Storage); Identify and Classify Data; Leverage Controls to Protect Data (Access Control, Block/Warn, Encrypt, ERM).]

Reducing Your Sources of Risk: Data at Rest

Discover, Analyze, Remediate

Rescan sources to measure and manage risk

File shares, Servers, Laptops
• Windows file shares
• Unix file shares
• NAS / SAN storage
• Windows 2000, 2003
• Windows XP, Vista

Databases & Repositories
• SharePoint
• Documentum
• Microsoft Access
• Oracle, SQL*
• Content Mgmt systems

300+ File types
• Microsoft Office Files
• PDFs
• PSTs
• Zip files

Remediation
• Delete
• Move
• Quarantine
• Notifications
• eDRM

*Roadmap features expected in 1H 09

1. Policy + Classification

Critical Factors
• Effort involved in building policies, content types & classifying data
• Ability to look for and correlate combinations of content
• Resulting accuracy of the overall solution

Solution
• Policy Research Team provides finely-tuned policies, content types and classification libraries -- yield highest accuracy ratings in the industry
• Content correlation allows you to look for and correlate combinations of data

Value
• Faster time to value: Less to set up and tune
• Lower TCO: Fewer false alerts to drain your people

Protecting Data in the Network: Data in Motion

Monitor, Analyze, Enforce

Email
• SMTP email
• Exchange, Lotus, etc.
• Webmail
• Text and attachments

Web Traffic
• FTP
• HTTP
• HTTPS
• TCP/IP

Instant Messages
• Yahoo IM
• MSN Messenger
• AOL Messenger

Remediation
• Audit
• Block
• Encrypt
• Log

Protecting Data at the Endpoint: Data in Use

Monitor, Analyze, Enforce

Print & Burn
• Local printers
• Network printers
• Burn to CDs/DVDs

Copy and Save As
• Copy to Network shares
• Copy to external drives
• Save As to external drives

USB
• External hard drives
• Memory sticks
• Removable media

Actions & Controls
• Allow
• Justify
• Block
• Audit & Log


2. Identity Aware: Policy and Response

Critical Factors
• Identity-based policy: E.g. data x ok in the hands of group y
• Identity-based notification: E.g. notify the person's manager
• Identity-based control: E.g. lock this data so only group x can open

Solution
• We can leverage AD groups for policy and notification
• Our integration with Microsoft RMS provides group specific controls, and enables protection beyond the boundaries of your company

Value
• Lower Risk: We can catch things specific to a given group
• Lower TCO: Involve the business/data to resolve their own problems
• Less Disruption: BU/data owners will understand impact better

3. Incident Response Workflow

Critical Factors
• Will you get lots of alerts for the same incident?
• Will you get the relevant info to remediate without digging for it?
• Can you get the alert to the right person/people in the right order?

Solution
• We correlate and group events so you get a single alert for an incident
• We provide all relevant information for the event
• We leverage AD groups for notification: get the incident to the right people

Value
• Less Disruption: Involving data owners and giving them the right info, results in better responses
• Less People: Less effort on incident handling. Fewer alerts to sort through. Alert routes all pertinent info to the right person

Scale: Distributed Environments with Large Data Stores

Critical Factors
• Distributed sites: will you need dedicated h/w and setup?
• Scan optimization: Is this manual or automated?
• Large data stores: will this be a bottleneck with each policy change?

Solution
• Grid workers & temporary agents: Use your existing hardware
• Automatic scan optimization: Figures out how to leverage your hardware
• Grid Scanning: Analyze large repositories in parallel – 10x

Value
• Lower TCO: Less h/w to buy. No time spent configuring/optimizing
• Faster time to value: Get actionable results sooner
• Less Risk: Faster scanning means smaller risk windows

5. Single Policy Framework for Infrastructure

Critical Factors
• Create a single policy set for a given regulation or class of data, and leverage that throughout the infrastructure
• Leverage your existing infrastructure versus adding more point tools

Solution
• DLP Suite uses a common policy framework for all components including integrations
• Microsoft: Building RSA DLP into their products. AD RMS in Dec ‘08
• Cisco: Integrating with Cisco products at the NW, datacenter and end point
• EMC: Integrating with Documentum, Celerra, SourceOne, etc.

Value
• Less Risk: Enterprise wide coverage. Catching things anywhere
• Less Cost: Leverage your existing infrastructure. Less things to buy, deploy and manage

Microsoft and RSA Building Information Protection Into Infrastructure

[Diagram labels: Add-on: RSA DLP Enterprise Manager (RSA Policies); Microsoft Information Protection Management across E-mail/UC, Endpoint, Network, Apps, FS/CMS and Storage; Built-in DLP Classification and RMS Controls; Microsoft Environment and Applications; Complementary Platforms and functionality: RSA DLP Endpoint, RSA DLP Network, RSA DLP Datacenter.]

• Future ready: Seamless upgrade path for current DLP customers
• Common policies throughout infrastructure
• Built-in approach to protect data based on content, context, identity

First Step - RSA DLP Suite integrating with Microsoft AD RMS in DLP 6.5 Release (Dec 2008)

1. RMS admin creates RMS templates for data protection
2. RSA DLP admin designs policies to find sensitive data and protect it using RMS
3. RSA DLP discovers and classifies sensitive files
4. RSA DLP applies RMS controls based on policy
5. Users request files - RMS provides policy based access

[Diagram labels: Microsoft AD RMS, "Legal Contracts RMS" template: Legal department (View, Edit, Print), Outside law firm (View), Others (No Access). RSA DLP, "Legal Contracts DLP Policy": Find Legal Contracts, Apply Legal Contracts RMS. Scanned locations: Laptops/desktops, File shares, SharePoint.]

• Automate the application of AD RMS protection based on sensitive information identified by RSA DLP Datacenter and DLP Endpoint Discover
• Leverage AD Groups with DLP Network and Endpoint Enforce for identity or group aware data loss prevention

Key Takeaways from RSA Microsoft Partnership Announcement

RSA DLP is best in class today and future ready
• Customers can protect data today with best in class solution and can leverage their RSA DLP investment in future
• All RSA DLP solutions today will work with Microsoft products that integrate our DLP technology in the future

Microsoft’s choice in RSA reaffirms our DLP leadership
• As a customer, Microsoft chose RSA DLP to discover PCI, PII, and IP data for thousands of file share and SharePoint sites
• As a partner, Microsoft again chose RSA because of our leadership in the areas of classification, policies, and scalability.

RSA only DLP solution being built into infrastructure
• RSA redefining DLP landscape by embedding DLP classification throughout the infrastructure via Microsoft
• No other DLP vendors are embedding their DLP solution into the entire infrastructure, end-to-end

RSA only vendor to integrate with RMS
• With DLP 6.5, customers can automate application of RMS using DLP Datacenter and DLP Endpoint Discover based on data sensitivity
• AD Group integration with DLP Network and DLP Endpoint Enforce enables identity or group aware data loss prevention


Customers From A Wide Range of Industries


Case Study: Technology Company

Minimized risk by discovering all HBI data from 106K users

Driver
• Protect High Business Impact (HBI) Data
• PCI, PII and Intellectual Property

Situation
• 100 TB of data in file shares
• 30,000 file shares
• 120,000 SharePoint sites

Solution
• DLP Datacenter with site coordinators in Redmond, & India
• 12 machine Grid System

Results
• Selected for scalability, performance, accuracy
• Incremental scans in ½ day
• Managed by 2 people

Case Study: Healthcare Provider

Monitors transmissions for HIPAA and to prevent risk

Driver
• Protect privacy of patient information
• FDA, GLB, HIPAA, SOX, PCI
• Proactive Approach to Data Protection

Situation
• Concerns over USB, misdirected emails, blogs, remote users, mobile workforce and webmail
• 4K email users and 11k employees/physicians

Solution
• DLP Network: Monitor email and web traffic
• DLP Datacenter: Discover sensitive file share data
• DLP Endpoint: Monitor data in use on laptops

Results
• Identified broken business processes & prioritized efforts
• Out of box Templates. Quick “go-live” after PoC.

Case Study: A Fortune 50 Retailer

Identify and encrypt all emails containing credit card data

Driver
• Protect credit card data
• Payment Card Industry (PCI) Level 1 credit card processor

Situation
• Transmit 1 million plus emails per day
• ~2,000 contain sensitive data

Solution
• DLP Network integrated with Voltage IBE for encryption
• High availability configuration
• Installed in-between Exchange & Internet gateways

Results
• Higher accuracy than the competition with 2-3 False Positives per day
• No additional headcount allocated

Case Study: Financial Services

Protection of Credit Card Data Across Distributed Environment

Driver
• Protect credit card data of online customers
• Need to prevent fraud brought about internal “Deep Defense” project
• Competitive pressure

Situation
• Internet banking services organization needed to assure online users that all front- and backend transactional processes are secure
• Required monitoring across distributed computing environment

Solution
• RSA DLP Endpoint is able to execute a distributed scan across all networked computers to analyze content in place without adding a client to the machine

Results
• DLP Endpoint located sensitive data on endpoints, providing increased visibility and stronger controls over sensitive data stored on Digital Insight’s equipment
• Remediated high risk endpoints


RSA Professional Services and Training

Security experts providing comprehensive coverage
– Security practitioners from RSA and EMC
– Plan, design and implementation

Best Practices
– Deployment best practices
– Identify business drivers, define risk threshold
– Phased approach for risk mitigation

Training
– Policy development
– DLP solution management

How Can We Help

Your Current Status: Gathering Information
1. Investigating DLP in general
2. Identifying business drivers
3. Developing a business case
4. Identifying a Project Sponsor

We Can Help By Offering
1. Risk Advisor to discover current risk
2. Free Scan to support business case
3. ROI/TCO analysis for DLP
4. DLP workshop

Your Current Status: Planning to Procure and Deploy
1. Have a defined DLP project
2. Developing a detailed DLP project
3. Evaluating DLP vendors

We Can Help By Providing
1. A framework for DLP evaluation
2. An evaluation environment
3. A detailed DLP proposal
4. Deployment architecture

DLP Free Scan Overview

Network Free Scan
• Monitor email and/or HTTP traffic
• Single egress point and location
• No enforcement
• Engagement duration: 1 week

Datacenter Free Scan
• Scan data at rest for sensitive data
• Up to 10 Win file shares or 1 TB
• Endpoints are not supported
• No enforcement
• Engagement duration: 1 week

Pre-built policy packs (either scan): up to two policies from the three options
• PCI: Credit Card Content Blades
• PII: US SSN Blades
• GLBA: Credit Card, SSN, U.S. Driver’s Lic, and Custom Acct Number Blades

Deliverables to Customer (either scan)
• Up to six standard (out-of-the-box) reports
• Presented to key decision maker(s); no report customization