2015 - April Meeting - DLP - Lokesh Yamasani PDF


Data Leakage Prevention: Best Practices
 Data Leakage Prevention and its objective

 Data Leakage Prevention Lifecycle

 What Data needs to be protected

 Potential Data Leakage Prevention points

 Elements of DLP

 DLP Strategy considerations

 DLP Architectural considerations

 DLP Implementation considerations

 Recommendations
Data Leakage Prevention and its Objective

 Organizations are becoming increasingly dynamic in how they conduct their business.

 With this dynamism comes the challenge of managing the organization's and its
customers' data, which may be managed on and off premises.

 With an increasing cyber threat landscape, data must be protected at all times
from unauthorized use, modification and storage. Protecting data, especially
sensitive data, is getting more challenging given the sophistication of
cyberattacks.

 The objective of Data Leakage/Loss Prevention is to minimize, at all times, the data
loss and business impact due to a data breach event that could potentially
become an incident.
Data Leakage Prevention Lifecycle

Stages shown on the lifecycle diagram (the diagram layout itself is not reproduced):
 DLP Strategy
 Data Mapping
 Roadmap and Policies
 Data Protection
 DLP Architecture and DLP Placement
 DLP Technical Policies
 Implementation
 Security Incident and Event Management
 DLP Monitoring
 Data Breaches
What Data needs to be protected

Department: Data
Legal: Contracts.
Legal: Intellectual property (patent portfolio development and management materials, e.g., invention disclosures, unpublished patent applications, invention presentations, legal related communications, etc.).
Legal: Memos, communications, presentations and notes pertaining to litigation, pre-litigation, internal investigation, corporate governance, M&A information.
Legal: Internal legal presentations.
Marketing: Roadmap, business plans, forecasts, competitive data that gives an edge against competitors, M&A information.
Sales: Customer pricing, customer volumes, customer sales quotations.
IT: Network diagrams.
IT: Configuration files (networks, systems, applications and databases).
IT: Wireless access keys.
Finance: Pre-earnings releases, financial statements, 10-Ks, 10-Qs, payroll and equity data.
Software: Source code, intellectual property, etc.
HR: Personally identifiable information (all employee data), recruiting lists, organization reporting structure.
Potential Data Leakage Points

Elements of DLP

Printed
Description: Sensitive information used in hard documents and on whiteboards.
Example: Documents left unattended on shared printers.
Probability of Data Leakage: High

Electronic Data
Description: All three forms of digital media listed below are vulnerable to potential data leakage.

Data-in-Motion
Description: Refers to data that is moving through a network, including wireless transmission.
Example: Wired transmission, wireless transmission – email traffic, application traffic, and peer to peer sessions.
Probability of Data Leakage: High

Data-at-Rest
Description: Refers to data that resides in databases, file systems, SharePoint, file share servers and other structured storage methods.
Example: Oracle/SQL databases, SharePoint and application data files.
Probability of Data Leakage: High (since Customer sensitive data may reside on endpoints as well, without encryption).

Data-in-Use
Description: Endpoints of the network where data is being used.
Example: Laptops, hard drives, flash drives, other mobile and removable media.
Probability of Data Leakage: High

DLP Strategy Considerations
DLP Strategy - Data Mapping

The slide shows a data mapping table with the columns Department; Potential keywords in sensitive data to monitor for; Data Classification; and three "Authorized internal/external" columns. Only the Department column survived extraction; the other cells are not recoverable.
Departments listed: Legal (4 rows), Advanced Technology (2 rows), Engineering, Technology and Worldwide Manufacturing, Marketing, Sales, IT (3 rows), Finance, Software, HR.

DLP Architectural Considerations
DLP Implementation Considerations – Data at Rest
Using Websense DLP as an example:
 Discover where the sensitive data is.

 Sensitive data could be on your corporate file shares, servers, database servers, laptops,
workstations and removable media.

 Use the predefined policy templates available within Websense to discover where the
sensitive data is (e.g., scan all systems on the XYZ network for XYZ confidential data).

 Data discovery should be performed in two steps: a) creating a discovery policy, b)
scheduling discovery tasks.

 Under “Discovery policies”, choose “Regulatory and Compliance policy” if you are unsure
what kind of data breach should be considered a DLP event. Otherwise, proceed with the
“Policy from scratch” option to specifically define the rules and conditions that will identify
a potential data breach and trigger a DLP event.

 There are two types of discovery tasks available: a) network discovery tasks, b)
endpoint discovery tasks. Based on where you want to search, choose either the “Add
network task” or the “Add endpoint task” option.

 View the discovery results under the “Reporting” → “Discovery” tab.

 Choose one of the following remediation options for the discovery results: a)
“CopyFiles” copies files that are in breach of corporate policy to another directory; b)
“MoveFiles” moves files that are in breach of corporate policy to another directory for
quarantine. You may also write your own remediation script.
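The discovery-then-remediate flow above, as an added worked example written for this page (it is not Websense code and does not use the product's API). It models a discovery task as a walk over a file share, applies two assumed regex classifiers (an SSN pattern and a "confidential" keyword), and then performs a "MoveFiles"-style remediation into a quarantine directory. The sample share, its file names and contents are constructed inside a temporary directory so the script runs offline.

```python
"""Data-at-rest discovery with a "move to quarantine" remediation.

Added illustration only; this is not Websense code. It models a discovery task as:
walk a file share, apply regex classifiers to each scannable file, report the
files in breach, then relocate them to a quarantine directory (the deck's
"MoveFiles" remediation). The sample share is constructed in a temp directory.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Classifiers (assumed, not the product's own): name -> compiled pattern.
# The SSN pattern rejects area 000/666/9xx, group 00 and serial 0000, which
# cuts false positives on dummy values such as 000-12-3456.
CLASSIFIERS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "confidential_keyword": re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE),
}

SCANNED_EXTENSIONS = (".txt", ".csv", ".log")  # constructed scope for the discovery task


def classify_text(text):
    """Return the set of classifier names whose pattern matches the text."""
    return {name for name, pattern in CLASSIFIERS.items() if pattern.search(text)}


def run_discovery(share_root):
    """Discovery task: return {path: classifiers_matched} for every file in breach."""
    findings = {}
    for path in Path(share_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED_EXTENSIONS:
            continue  # out of scope: binary or unsupported types are skipped here
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file; a production scanner would log this
        hits = classify_text(text)
        if hits:
            findings[str(path)] = hits
    return findings


def quarantine(findings, share_root, quarantine_root):
    """'MoveFiles' remediation: relocate each breaching file under quarantine_root,
    keeping its relative path so it can be restored after review."""
    moved = []
    for path in findings:
        relative = Path(path).relative_to(share_root)
        destination = Path(quarantine_root) / relative
        destination.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(path, str(destination))
        moved.append(str(destination))
    return moved


def build_sample_share(root):
    """Constructed sample share: two files in breach, one clean, one out of scope."""
    files = {
        "hr/payroll.csv": "employee,ssn,salary\nJ. Doe,123-45-6789,90000\n",
        "legal/memo.txt": "CONFIDENTIAL - pre-litigation notes, do not distribute.\n",
        "it/readme.txt": "Network printer setup steps. Nothing sensitive here.\n",
        "it/diagram.png": "not scanned even though it contains 123-45-6789",
    }
    for relative, content in files.items():
        target = Path(root) / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Build the sample share, run discovery, quarantine the hits, and summarise."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        quarantine_dir = Path(tmp) / "quarantine"
        build_sample_share(share)
        findings = run_discovery(share)
        moved = quarantine(findings, share, quarantine_dir)
        remaining = sorted(p.name for p in share.rglob("*") if p.is_file())
        return {
            "findings": {Path(p).name: sorted(hits) for p, hits in findings.items()},
            "moved": len(moved),
            "remaining": remaining,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the scan is limited to an explicit extension list, which is why the PNG containing an SSN-shaped string is never flagged (a real discovery task needs content extraction for binary formats, not just text reads), and quarantine preserves the relative path so that a file moved on a false positive can be put back exactly where it was.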
DLP Implementation Considerations – Data in Motion
Using Websense DLP as an example:
 Create a custom policy to govern the data in motion across the network or on
endpoint machines, starting with a policy that applies to all sources and destinations of
data with a permissive action. Later, you can permit or block specific sources and
destinations and apply more restrictive actions.

 The policy should contain rules. The rules should have conditions and classifiers that
govern who may send/receive certain data (e.g., if “SSN” and “income” are both
matched, the data should go only to the HR department).

 Every condition within a rule should have a condition severity (Low, Medium,
High) assigned to it. Choose the action plan based on the condition severity; best
practice is to tie the action plan to the severity. The most common action
plan is “Audit and notify manager”. The “Block all” option can be used for repeat
violators of the policy.

 Events will be generated based on the rules, conditions, classifiers, condition
severity and action plan chosen.
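The policy → rules → conditions → classifiers → severity → action plan chain described above, as an added worked example written for this page (not Websense code; the product's own policy model and UI are not used). The classifiers, the severity-to-action mapping, the repeat-violator threshold and the message samples are all constructed assumptions; the one rule taken from the text is that data matching both "SSN" and "income" may only go to HR.

```python
"""Data-in-motion policy evaluation: rules, conditions, classifiers, severity, action plan.

Added illustration only; this is not Websense code. Assumed model: a policy holds
rules, a rule holds conditions, and a condition names the classifiers that must
all match, the destinations allowed to receive such data, and a severity. The
action plan is chosen from the highest matched severity; a sender who exceeds an
audit threshold is treated as a repeat violator and blocked (the deck's "Block all").
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Classifiers (assumed, not the product's own): name -> compiled pattern.
CLASSIFIERS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "income": re.compile(r"\bincome\b", re.IGNORECASE),
    "source_code": re.compile(r"(?:\bdef |\bimport |#include)"),
}

# Action plan keyed by condition severity (constructed mapping): start permissive.
ACTION_PLAN = {"low": "audit", "medium": "audit_and_notify_manager", "high": "block"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
REPEAT_VIOLATOR_THRESHOLD = 2  # constructed: the third violation by a sender escalates to block


@dataclass
class Condition:
    classifiers: tuple           # every listed classifier must match
    severity: str                # "low" | "medium" | "high"
    allowed_destinations: tuple  # departments/domains permitted to receive the data


@dataclass
class Rule:
    name: str
    conditions: list


def classify(body):
    """Return the set of classifier names that match the message body."""
    return {name for name, pattern in CLASSIFIERS.items() if pattern.search(body)}


@dataclass
class PolicyEngine:
    rules: list
    violations: Counter = field(default_factory=Counter)  # per-sender violation count

    def evaluate(self, sender, destination, body):
        """Evaluate one transfer; return the action, worst severity and matched conditions."""
        matched = classify(body)
        worst = None
        matched_conditions = []
        for rule in self.rules:
            for cond in rule.conditions:
                # A condition fires when all its classifiers match and the destination
                # is not one of the authorized recipients for that kind of data.
                if set(cond.classifiers) <= matched and destination not in cond.allowed_destinations:
                    matched_conditions.append((rule.name, cond.severity))
                    if worst is None or SEVERITY_RANK[cond.severity] > SEVERITY_RANK[worst]:
                        worst = cond.severity
        if worst is None:
            return {"action": "allow", "severity": None, "matches": []}
        self.violations[sender] += 1
        action = ACTION_PLAN[worst]
        if self.violations[sender] > REPEAT_VIOLATOR_THRESHOLD:
            action = "block"  # repeat violator: escalate regardless of severity
        return {"action": action, "severity": worst, "matches": matched_conditions}


def build_policy():
    """Constructed policy reflecting the deck's example: SSN + income may only go to HR."""
    return PolicyEngine(rules=[
        Rule("PII goes to HR only", [
            Condition(("ssn", "income"), "high", ("hr",)),
            Condition(("ssn",), "medium", ("hr", "finance")),
        ]),
        Rule("Source code stays in engineering", [
            Condition(("source_code",), "low", ("engineering",)),
        ]),
    ])


def demo():
    """Run a constructed sequence of transfers and return the action chosen for each."""
    engine = build_policy()
    transfers = [
        ("alice", "hr", "SSN 123-45-6789 income 90000"),        # authorized destination
        ("alice", "external", "SSN 123-45-6789 income 90000"),  # high severity
        ("bob", "finance", "SSN 123-45-6789"),                  # finance may receive SSN alone
        ("bob", "marketing", "SSN 123-45-6789"),                # medium severity
        ("carol", "sales", "def main(): pass"),                 # low severity, 1st violation
        ("carol", "sales", "import os"),                        # low severity, 2nd violation
        ("carol", "sales", "#include <stdio.h>"),               # 3rd violation: repeat violator
    ]
    return [engine.evaluate(sender, dest, body)["action"] for sender, dest, body in transfers]


if __name__ == "__main__":
    print(demo())
```

The engine records an event for every fired condition, which is what the deck means by events being generated from rules, conditions, classifiers, severity and action plan; the allow-by-default behaviour for unmatched traffic is the permissive starting point the first bullet recommends, and tightening the policy later means adding conditions or narrowing allowed destinations rather than changing the engine.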
Recommendations

Data Format: Printed
Controls to Prevent Data Breach:
i) Emphasis on data protection should run throughout the employment/contract lifecycle, as part of the employment/contract agreement and the Information Security Policy. Since business may be conducted in multiple countries, data protection responsibilities must be in line with local, state and federal laws.
ii) Do not leave sensitive data unattended on desks, printers, fax machines, copiers and other common access areas. Lock it in a secure file cabinet when unattended.
iii) Do not leave sensitive data visible to the public in a car or other public places.
iv) Shred sensitive paper records using Customer authorized shredding bins.
v) Do not send paper mail that displays an individual’s Personally Identifiable Information (PII) such as Driver’s License ID, Social Security Number etc.

Recommendations - Continued

Data Format: Digital Media (Data-in-Motion)
Controls to Prevent Data Breach:
Administrative Controls:
i) Sensitive data should be sent and received only by authorized personnel, in line with the Information Security Policy. Such data flows (including data sent within the organization or external to the organization) should be authorized and approved by the responsible stakeholders.

Physical Controls:
i) Laptops that process sensitive data should be locked with a physical cable lock when unattended.
ii) Infrastructure assets that process sensitive data, such as networks, systems, applications and databases, should be segregated, with physical access managed by controlling and restricting access to authorized personnel only.

Recommendations - Continued

Data Format: Digital Media (Data-in-Motion)
Controls to Prevent Data Breach:
Technical Controls:
i) Sensitive data in motion sent outside the organization's premises should be encrypted using one of the FIPS 140-2 approved encryption algorithms, for the following:
a) Site-to-site VPN with business partners/third parties.
b) Sensitive data in emails sent outside the Customer network, using opportunistic TLS.
ii) Assets that send/receive Customer sensitive data should have critical patches and fixes installed and kept up to date (i.e., a formal patch management process).

Recommendations - Continued

Data Format: Digital Media (Data-at-Rest)
Controls to Prevent Data Breach:
Administrative Controls:
i) Sensitive data should be stored only in authorized locations approved by stakeholders based on a valid business reason, in line with the Information Security Policy.

Physical Controls:
i) Physical access to assets that store sensitive data should be controlled and restricted to authorized personnel only.

Technical Controls:
i) Sensitive data at rest in authorized locations, such as database servers within the Customer network or external to the organization network, should be encrypted.
ii) Sensitive data in backups and storage should be encrypted.
iii) Endpoints that are authorized to store sensitive data should be encrypted. (This is very useful in scenarios where McAfee DLP cannot support non-Windows endpoints such as MacBooks.)

Recommendations - Continued

Data Format: Digital Media (Data-in-Use)
Controls to Prevent Data Breach:
Administrative Controls:
i) Sensitive data should be accessed and used only by authorized personnel, in line with the Information Security Policy.

Physical Controls:
i) Laptops that access sensitive data should be locked with a physical cable lock.
ii) Infrastructure assets used to access sensitive data, such as networks, systems, applications and databases, should be segregated, with physical access controlled and restricted to authorized personnel only.

Recommendations - Continued

Data Format: Digital Media (Portable/Removable Media)
Controls to Prevent Data Breach:
Administrative Controls:
i) Portable/removable media should be used only by authorized personnel, based on approval from stakeholders in line with the Information Security Policy.

Physical Controls:
i) Portable/removable media should be secured in a file cabinet when not in use or unattended.

Appendix A

Recommendations – Data Protection Considerations before traveling to High risk countries
 Since encryption products can be used for illegal purposes, the countries you visit may
ban or severely regulate the import, export and use of encryption products. Taking your
encrypted laptop without proper authorization could violate U.S. export laws or the import
regulations of the country to which you are traveling.

 Under the “Wassenaar Arrangement”, one provision allows a traveler to freely enter a
participating country with an encrypted device under a “personal use exemption”, as long as
the traveler does not create, sell, enhance, share or otherwise distribute the encryption
technology while visiting.

 The countries that support the personal use exemption include: Argentina, Australia, Austria,
Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia,
Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United
States.

Data Protection Considerations - Export and Import Controls
Export Controls:
 Encryption functionality within McAfee’s Data Protection Suite has been granted an
“ENC/Unrestricted” license exception by the U.S. Department of Commerce. If you must travel
to one of the five embargoed countries listed below with an encrypted laptop, Customer must obtain
the appropriate export license; the review process can take ninety days on average and is
managed by the Department of Commerce’s Bureau of Industry and Security and the Office of
Foreign Assets Control (OFAC) within the Department of the Treasury.

a) Cuba b) Iran c) North Korea d) Sudan e) Syria

Import Controls:

 The following countries do not recognize a “personal use exemption” (i.e., before traveling to these
countries with an encrypted laptop, you will need to apply to their specified governmental agency
for an import license):

Belarus - a license issued by the Belarus Ministry of Foreign Affairs or the State Center for
Information Security of the Security Council is required.

Burma (Myanmar) - a license is required, but licensing regime documentation is unavailable. Contact
the US State Department for further information.

Export Controls and Import Controls - Continued
Import Controls:

China - a permit issued by the Beijing Office of the State Encryption Administrative Bureau is required.
You can apply for the permit on your own. The laws in China vary from province to province,
and customs officers or border guards apply their own interpretation of what encryption
means. It is advised that your travel laptop is not encrypted.

Hungary - an International Import Certificate is required. Contact the US State Department for
further information.

Iran - a license issued by Iran's Supreme Council for Cultural Revolution is required.

Israel - a license from the Director-General of the Ministry of Defense is required. For information
regarding applicable laws, policies and forms, please visit the following website.

Kazakhstan - a license issued by Kazakhstan's Licensing Commission of the Committee of National
Security is required.

Moldova - a license issued by Moldova's Ministry of National Security is required.

Export Controls and Import Controls - Continued
Import Controls:

Morocco - a license is required, but licensing regime documentation is unavailable. Contact the US
State Department for further information.

Russia - licenses issued by both the Federal Security Service (Federal'naya Sluzhba Bezopasnosti –
"FSB") and the Ministry of Economic Development and Trade are required. License applications
should be submitted by an entity officially registered in Russia. This would normally be the
company that is seeking to bring an encryption product into Russia.

Saudi Arabia - it has been reported that the use of encryption is generally banned, but research
has provided inconsistent information. Contact the US State Department for further information.

Tunisia - a license issued by Tunisia's National Agency for Electronic Certification (ANCE) is
required.

Ukraine - a license issued by the Department of Special Telecommunication Systems and
Protection of Information of the Security Service of Ukraine (SBU) is required.

Recommendations – Before traveling to High risk Countries
In countries like China, data protection is a different ball game. Some of the recommendations
may not be implementable or may have to be removed. Below are some of the considerations to
protect Customer sensitive data before traveling to high risk countries:

1. Preparing your laptop/mobile device
i) Install updates for your operating system and other software to plug known security holes, and make sure your security software is up to date.
ii) Turn off your device’s Bluetooth function.
iii) Lock your device with a PIN or password, and use whole disk encryption to protect stored data (if you cannot obtain a license to carry an encrypted laptop to a country that does not allow the personal use exemption, do not encrypt the laptop).
iv) Install and configure a personal firewall and anti-malware.

Recommendations – Before travelling to High risk Countries - Continued

2. Stripping unneeded data from your laptop/mobile device before travel
i) Customer should consider using only travel-only devices with minimal or no sensitive data stored on them.

Recommendations – While in High risk Countries

1. Using the corporate VPN to connect to the Internet
i) Use the corporate VPN to connect to the Internet; it creates an encrypted tunnel for internet traffic so it cannot be read or tampered with by interlopers.

2. Do not download any sensitive data while connected to the corporate VPN
i) While connected to the corporate VPN, users should not download any Customer sensitive data onto their laptops/mobile devices.

3. Keep your laptop/mobile device secured at all times
i) Laptops/mobile devices should be locked with a lock screen while unattended.
ii) Laptops should be physically secured with a cable lock.
iii) Mobile devices should be secured in a file cabinet while unattended.

Recommendations – Returning from High risk Countries

1. Securely wipe laptops/mobile devices after returning from high risk countries
i) Treat all devices returning from high risk countries as compromised. Wipe and reformat laptops/mobile devices before using them at home or work, or securely dispose of them using Customer approved secure disposal guidelines.

Contact

Lokesh Yamasani
Manager, IT Compliance and Advisory – SOAProjects Inc
Cell: 408-636-8268
Email: [email protected]

Q&A