RSA Data Loss Prevention (DLP) Suite
Brian de Lemos
Discover and Migrate Business Risk from Sensitive Data
© Copyright 2008 EMC Corporation. All rights reserved.

RSA Data Loss Prevention Solutions
• The Challenge
• The Solution
• Top 5 Success Factors
• Case Studies
• How RSA Can Help
© Copyright 2009 EMC Corporation. All rights reserved.

Why is Information Security So Difficult?
…because sensitive information is always moving and transforming

[Diagram: sensitive data flowing across five infrastructure layers: Endpoint, Network, Apps/DB, FS/CMS and Storage. Customers, partners, internal employees, remote employees, remote campuses and privileged users connect over WWW, WAN, LAN and VPN to eCommerce applications, enterprise applications, business analytics, portals, and outsourced development and staging systems. These are backed by production databases and replicas, file servers, collaboration and content management systems, disk arrays, backup systems, backup disk and backup tape.]

We Are Exposed At Every Point

[Diagram: the same infrastructure map (Endpoint, Network, Apps/DB, FS/CMS, Storage), annotated with the following points of exposure.]
• Endpoint theft/loss
• End Point Leak via print/copy
• Network Leak (Email, IM, HTTP, FTP, etc.)
• E-mail leak or packets sniffed in transit
• Privileged User Breach
• App, DB or Encryption Key Hack
• File Server / CMS Hack
• Tapes lost or stolen
• Discarded disk exploited
• (Semi) Trusted User Misuse
• Unintentional Distribution
• Public Infrastructure Access Hack
• IP Sent to non trusted user

A Landscape of Point Tools
…at each of these points of infrastructure

[Diagram: the infrastructure map (Endpoint, Network, Apps/DB, FS/CMS, Storage) overlaid with separate point tools: Mobile Encryption, Email Encryption, Network Encryption, Application Encryption, Database Encryption, File Encryption, Tape Encryption, CMS/FS Access Controls, Activity Monitoring, App/DB Discovery, eDRM and DLP.]

How Can DLP Solutions Help?
• Monitor and protect egress points (network, endpoints, removable media)
• Identify and address sources of risk
• Monitor information security policies to assure corporate compliance
• Identify broken business processes
• Educate employees on policy and risk

The Business Case for DLP
Reduce Risk | Minimize Cost | Avoid Disruption

Reduce Risk
1. What can you catch? Where?
2. What can you do about it?
3. Time to Value

Minimize Cost
1. Product
2. People
   a) Setup/Maintain
   b) Investigations
   c) Remediation
3. Infrastructure

Avoid Disruption
1. Consider the “who” not just “what”
2. Make controls transparent to users
3. Involve the data owners

RSA Data Loss Prevention Suite

DLP Enterprise Manager
• Unified Policy Mgmt & Enforcement
• Incident Workflow
• Dashboard & Reporting
• User & System Administration

DLP Datacenter
• Discover: File shares, SharePoint sites, Databases, SAN/NAS
• Remediate: Delete, Move, Quarantine

DLP Network
• Monitor: Email, webmail, IM/Chat, FTP, HTTP/S, TCP/IP
• Enforce: Allow, Notify, Block, Encrypt

DLP Endpoint
• Discover: Local drives, PST files, Office files, 300+ file types
• Enforce: Allow, Justify, Block on Copy, Save As, Print, USB, Burn, etc.

Underlying controls: eDRM, Encryption, Access Controls

DLP: Enabling Information-Centric Policy

Policy
• Regulatory/Non-regulatory Drivers
• Dept/LOB Security Drivers

Dept/LOB and drivers
• Retail Ops: PCI, SB 1386
• Finance: SarBox, GLBA
• International: Basel II, PIPEDA
• R&D: High Value IP
• Legal: Contractual Obligations
• Sales/Marketing: Pipeline Data, Customer Perception
• HR: PII

Information Types
• High Biz Impact
• Medium Biz Impact
• Low Biz Impact

Classification Policy: Description of sensitive data
Handling Policy: Appropriate handling in different contexts

Microsoft and RSA: Building common policy and classification framework to secure data throughout the infrastructure…

[Diagram: a Centralized Policy layer above the infrastructure map (Endpoint, Network/E-mail, Apps/DB, FS/CMS, Storage), with the following labels.]
• Policies Pushed into Infrastructure
• Identify and Classify Data
• Leverage Controls to Protect Data: Access Control, Block/Warn, Encrypt, ERM
• Enable advanced workflow

Reducing Your Sources of Risk: Data at Rest
Discover → Analyze → Remediate
Rescan sources to measure and manage risk

File shares, Servers, Laptops
• Windows file shares
• Unix file shares
• NAS / SAN storage
• Windows 2000, 2003
• Windows XP, Vista

Databases & Repositories
• SharePoint
• Documentum
• Microsoft Access
• Oracle, SQL*
• Content Mgmt systems

300+ File types
• Microsoft Office Files
• PDFs
• PSTs
• Zip files

Remediation
• Delete
• Move
• Quarantine
• Notifications
• eDRM

*Roadmap features expected in 1H 09

1. Policy + Classification

Critical Factors
• Effort involved in building policies, content types & classifying data
• Ability to look for and correlate combinations of content
• Resulting accuracy of the overall solution

Solution
• Policy Research Team provides finely-tuned policies, content types and classification libraries -- yield highest accuracy ratings in the industry
• Content correlation allows you to look for and correlate combinations of data

Value
• Faster time to value: Less to setup and tune
• Lower TCO: Fewer false alerts to drain your people

Protecting Data in the Network: Data in Motion
Monitor → Analyze → Enforce

Email
• SMTP email
• Exchange, Lotus, etc.
• Webmail
• Text and attachments

Web Traffic
• FTP
• HTTP
• HTTPS
• TCP/IP

Instant Messages
• Yahoo IM
• MSN Messenger
• AOL Messenger

Remediation
• Audit
• Block
• Encrypt
• Log

Protecting Data at the Endpoint: Data in Use
Monitor → Analyze → Enforce

Print & Burn
• Local printers
• Network printers
• Burn to CDs/DVDs

Copy and Save As
• Copy to Network shares
• Copy to external drives
• Save As to external drives

USB
• External hard drives
• Memory sticks
• Removable media

Actions & Controls
• Allow
• Justify
• Block
• Audit & Log

2. Identity Aware: Policy and Response

Critical Factors
• Identity-based policy: e.g. data x is OK in the hands of group y
• Identity-based notification: e.g. notify the person's manager
• Identity-based control: e.g. lock this data so only group x can open it

Solution
• We can leverage AD groups for policy and notification
• Our integration with Microsoft RMS provides group specific controls, and enables protection beyond the boundaries of your company

Value
• Lower Risk: We can catch things specific to a given group
• Lower TCO: Involve the business/data to resolve their own problems
• Less Disruption: BU/data owners will understand impact better

3. Incident Response Workflow

Critical Factors
• Will you get lots of alerts for the same incident?
• Will you get the relevant info to remediate without digging for it?
• Can you get the alert to the right person/people in the right order?

Solution
• We correlate and group events so you get a single alert for an incident
• We provide all relevant information for the event
• We leverage AD groups for notification: get the incident to the right people

Value
• Less Disruption: Involving data owners and giving them the right info, results in better responses
• Less People: Less effort on incident handling. Fewer alerts to sort through. Alert routes all pertinent info to the right person

4. Scale: Distributed Environments with Large Data Stores

Critical Factors
• Distributed sites: will you need dedicated h/w and setup?
• Scan optimization: Is this manual or automated?
• Large data stores: will this be a bottleneck with each policy change?

Solution
• Grid workers & temporary agents: Use your existing hardware
• Automatic scan optimization: Figures out how to leverage your hardware
• Grid Scanning: Analyze large repositories in parallel – 10x

Value
• Lower TCO: Less h/w to buy. No time spent configuring/optimizing
• Faster time to value: Get actionable results sooner
• Less Risk: Faster scanning means smaller risk windows

5. Single Policy Framework for Infrastructure

Critical Factors
• Create a single policy set for a given regulation or class of data, and leverage that throughout the infrastructure
• Leverage your existing infrastructure versus adding more point tools

Solution
• DLP Suite uses a common policy framework for all components including integrations
• Microsoft: Building RSA DLP into their products. AD RMS in Dec ‘08
• Cisco: Integrating with Cisco products at the NW, datacenter and end point
• EMC: Integrating with Documentum, Celerra, SourceOne, etc.

Value
• Less Risk: Enterprise wide coverage. Catching things anywhere
• Less Cost: Leverage your existing infrastructure. Less things to buy, deploy and manage

Microsoft and RSA Building Information Protection Into Infrastructure

[Diagram: three tiers spanning E-mail/UC, Endpoint, Network, Apps, FS/CMS and Storage.]
• Add-on: RSA DLP Enterprise Manager, with RSA Policies feeding Microsoft Information Protection Management
• Built-in: DLP Classification and RMS Controls in the Microsoft Environment and Applications
• Complementary platforms and functionality: RSA DLP Endpoint, RSA DLP Network, RSA DLP Datacenter

• Future ready: Seamless upgrade path for current DLP customers
• Common policies throughout infrastructure
• Built-in approach to protect data based on content, context, identity

First Step - RSA DLP Suite integrating with Microsoft AD RMS in DLP 6.5 Release (Dec 2008)

1. RMS admin creates RMS templates for data protection
2. RSA DLP admin designs policies to find sensitive data and protect it using RMS
3. RSA DLP discovers and classifies sensitive files
4. RSA DLP applies RMS controls based on policy
5. Users request files - RMS provides policy based access

[Diagram: example flow across laptops/desktops, file shares and SharePoint.]
• Microsoft AD RMS template "Legal Contracts RMS": Legal department: View, Edit, Print; Outside law firm: View; Others: No Access
• RSA DLP policy: Find Legal Contracts, Apply Legal Contracts RMS

• Automate the application of AD RMS protection based on sensitive information identified by RSA DLP Datacenter and DLP Endpoint Discover
• Leverage AD Groups with DLP Network and Endpoint Enforce for identity or group aware data loss prevention

Key Takeaways from RSA Microsoft Partnership Announcement

RSA DLP is best in class today and future ready
• Customers can protect data today with best in class solution and can leverage their RSA DLP investment in future
• All RSA DLP solutions today will work with Microsoft products that integrate our DLP technology in the future

Microsoft’s choice in RSA reaffirms our DLP leadership
• As a customer, Microsoft chose RSA DLP to discover PCI, PII, and IP data for thousands of file share and SharePoint sites
• As a partner, Microsoft again chose RSA because of our leadership in the areas of classification, policies, and scalability.

RSA only DLP solution being built into infrastructure
• RSA redefining DLP landscape by embedding DLP classification throughout the infrastructure via Microsoft
• No other DLP vendors are embedding their DLP solution into the entire infrastructure, end-to-end

RSA only vendor to integrate with RMS
• With DLP 6.5, customers can automate application of RMS using DLP Datacenter and DLP Endpoint Discover based on data sensitivity
• AD Group integration with DLP Network and DLP Endpoint Enforce enables identity or group aware data loss prevention

Case Study: Technology Company
Minimized risk by discovering all HBI data from 106K users

Driver
• Protect High Business Impact (HBI) Data
• PCI, PII and Intellectual Property

Situation
• 100 TB of data in file shares
• 30,000 file shares
• 120,000 SharePoint sites

Solution
• DLP Datacenter with site coordinators in Redmond, & India
• 12 machine Grid System

Results
• Selected for scalability, performance, accuracy
• Incremental scans in ½ day
• Managed by 2 people

Case Study: Healthcare Provider
Monitors transmissions for HIPAA and to prevent risk

Driver
• Protect privacy of patient information
• FDA, GLB, HIPAA, SOX, PCI
• Proactive Approach to Data Protection

Situation
• Concerns over USB, misdirected emails, blogs, remote users, mobile workforce and webmail
• 4K email users and 11k employees/physicians

Solution
• DLP Network: Monitor email and web traffic
• DLP Datacenter: Discover sensitive file share data
• DLP Endpoint: Monitor data in use on laptops

Results
• Identified broken business processes & prioritized efforts
• Out of box Templates. Quick “go-live” after PoC.

Case Study: A Fortune 50 Retailer
Identify and encrypt all emails containing credit card data

Driver
• Protect credit card data
• Payment Card Industry (PCI) Level 1 credit card processor

Situation
• Transmit 1 million plus emails per day
• ~2,000 contain sensitive data

Solution
• DLP Network integrated with Voltage IBE for encryption
• High availability configuration
• Installed in-between Exchange & Internet gateways

Results
• Higher accuracy than the competition with 2-3 False Positives per day
• No additional headcount allocated

Case Study: Financial Services
Protection of Credit Card Data Across Distributed Environment

Driver
• Protect credit card data of online customers
• Need to prevent fraud brought about internal “Deep Defense” project
• Competitive pressure

Situation
• Internet banking services organization needed to assure online users that all front- and backend transactional processes are secure
• Required monitoring across distributed computing environment

Solution
• RSA DLP Endpoint is able to execute a distributed scan across all networked computers to analyze content in place without adding a client to the machine

Results
• DLP Endpoint located sensitive data on endpoints, providing increased visibility and stronger controls over sensitive data stored on Digital Insight’s equipment
• Remediated high risk endpoints

RSA Professional Services and Training

Security experts providing comprehensive coverage
– Security practitioners from RSA and EMC
– Plan, design and implementation

Best Practices
– Deployment best practices
– Identify business drivers, define risk threshold
– Phased approach for risk mitigation

Training
– Policy development
– DLP solution management

How Can We Help

Your Current Status: Gathering Information
1. Investigating DLP in general
2. Identifying business drivers
3. Developing a business case
4. Identifying a Project Sponsor

We Can Help By Offering
1. Risk Advisor to discover current risk
2. Free Scan to support business case
3. ROI/TCO analysis for DLP
4. DLP workshop

Your Current Status: Planning to Procure and Deploy
1. Have a defined DLP project
2. Developing a detailed DLP project
3. Evaluating DLP vendors

We Can Help By Providing
1. A framework for DLP evaluation
2. An evaluation environment
3. A detailed DLP proposal
4. Deployment architecture

DLP Free Scan Overview

Network Free Scan
• Monitor email and/or HTTP traffic
• Single egress point and location
• No enforcement
• Engagement duration: 1 week

Datacenter Free Scan
• Scan data at rest for sensitive data
• Up to 10 Win file shares or 1 TB
• Endpoints are not supported
• No enforcement
• Engagement duration: 1 week

Policies (both scans): up to two policies from the three options of pre-built policy packs
• PCI: Credit Card Content Blades
• PII: US SSN Blades
• GLBA: Credit Card, SSN, U.S. Driver’s Lic, and Custom Acct Number Blades

Deliverables to Customer (both scans)
• Up to six standard (out-of-the-box) reports
• Presented to key decision maker(s); no report customization