2015 - April Meeting - DLP - Lokesh Yamasani PDF
Practices
Data Leakage Prevention and its objective
Elements of DLP
Recommendations
Data Leakage Prevention and its Objective
With dynamicity comes the challenge of managing the organization's and its customers' data, which may be managed on and off premises.
With an increasing cyber threat landscape, data must be protected at all times from unauthorized use, modification and storage. Protecting data, especially sensitive data, is getting more challenging given the sophistication of cyberattacks.
DLP program elements (from the slide's roadmap diagram):
DLP Strategy
Roadmap and Policies
Data Mapping
Data Protection
DLP Architecture and DLP Placement
DLP Technical Policies
DLP Implementation
Security Incident and Event Management
DLP Monitoring
Data Breaches
What Data needs to be protected
Department: Data
Legal: Contracts.
Legal: Intellectual Property (patent portfolio development and management materials, e.g., invention disclosures, unpublished patent applications, invention presentations, related communications, etc.).
Legal: Memos, communications, presentations and notes pertaining to litigation, pre-litigation, internal investigation, corporate governance, M & A information.
Legal: Internal legal presentations.
Marketing: Roadmap, business plans, forecasts, competitive data that gives an edge against competitors, M & A information.
Sales: Customer pricing, customer volumes, customer sales quotations.
IT: Network diagrams.
IT: Configuration files (networks, systems, application and database).
IT: Wireless access keys.
Finance: Pre-earnings release, financial statements, 10-Ks, 10-Qs, payroll and equity data.
Software: Source code, Intellectual Property etc.
HR: Personally identifiable information (all employee data), recruiting lists, organization reporting structure.
Potential Data Leakage Points
Elements of DLP
DLP Strategy Considerations
DLP Strategy - Data Mapping
(Table; only the row labels survived extraction. Columns: Department; Potential keywords in sensitive data to monitor for; Data Classification; and three “Authorized internal/external” columns.)
Rows: Legal (four rows); Advanced Technology (two rows); Engineering; Technology and Worldwide manufacturing; Marketing; Sales; IT (three rows); Finance; Software; HR.
DLP Architectural Considerations
DLP Implementation Considerations – Data at Rest
Using Websense DLP as an example:
Discover where the sensitive data is.
Sensitive data could be on your corporate file shares, servers, database servers, laptops, workstations and removable media.
Use the predefined policy templates available within Websense to discover where the sensitive data is (e.g., scan all systems on XYZ network for xyz confidential data).
Under “Discovery policies”, choose “Regulatory and Compliance policy” if you are unsure of what kind of data breach should be considered a DLP event. Otherwise, proceed with the “Policy from scratch” option to specifically define the rules and conditions that will classify an event as a potential data breach and trigger a DLP event.
There are two types of discovery tasks available: a) Network discovery tasks b) Endpoint discovery tasks. Based on where you want to search, choose either the “Add network task” or the “Add endpoint task” option.
Choose one of the following remediation options for the discovery results: a) “CopyFiles” copies files that are in breach of corporate policy to another directory; b) “MoveFiles” moves files that are in breach of corporate policy to another directory for quarantine. You may also write your own remediation script.
DLP Implementation Considerations – Data in Motion
Using Websense DLP as an example:
Create a custom policy to govern the data in motion across the network or on endpoint machines, starting with a policy that applies to all sources and destinations of data with a permissive action. Later, you can permit or block certain sources and destinations and apply more restrictive actions.
The policy should contain rules. The rules should have conditions and classifiers that govern who may send/receive certain data (e.g., if “SSN” and “income” are matched, the data should go to the HR department).
Every condition within the rule should have a condition severity (Low, Medium, High) assigned to it. Choose the action plan based on the condition severity. Best practice is to have an action plan per severity. The most common action plan is “Audit and notify manager”. The “Block all” option can be used for repeat violators of the policy.
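The two Websense workflows above (discovery over data at rest with CopyFiles/MoveFiles remediation, and data-in-motion rules made of conditions with a severity that selects an action plan) reduce to a small amount of logic. The following is an added illustration written for this page, not Websense code or any product's API: it builds a toy DLP engine with a pattern classifier (US SSN) and dictionary classifiers, rules whose conditions must all match, a severity-to-action-plan table with “Audit and notify manager” as the default and “Block all” for the highest severity, an authorized-destination check (the SSN-plus-income rule is allowed to go to HR), and a discovery scan that quarantines matching files. The rule set, severities and sample files are constructed for the example.

```python
"""Toy DLP engine: discovery scan (data at rest) with copy/move-to-quarantine
remediation, plus rule evaluation with severity-driven action plans (data in
motion). Constructed illustration for this page; not Websense code."""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# --- Classifiers: each returns True when the content matches -------------------
# Pattern classifier: a plausibly valid US SSN (rejects 000/666/9xx area numbers,
# 00 group numbers and 0000 serials, which cuts down false positives).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def has_ssn(text: str) -> bool:
    return SSN_RE.search(text) is not None

def dictionary(word: str) -> Callable[[str], bool]:
    """Dictionary classifier: case-insensitive whole-word (or phrase) match."""
    pattern = re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)
    return lambda text: pattern.search(text) is not None

@dataclass
class Rule:
    name: str
    conditions: List[Callable[[str], bool]]    # every condition must match
    severity: str                              # "Low", "Medium" or "High"
    allowed_destinations: Tuple[str, ...] = () # departments that may receive it

# Severity -> action plan, following the slide's guidance (constructed mapping).
ACTION_PLAN: Dict[str, str] = {
    "Low": "Audit",
    "Medium": "Audit and notify manager",
    "High": "Block all",
}

# Constructed rule set: the slide's SSN + income example, plus a source-code rule.
RULES = [
    Rule("SSN with income data", [has_ssn, dictionary("income")], "High", ("HR",)),
    Rule("Source code export", [dictionary("proprietary"), dictionary("source code")],
         "Medium", ("Engineering",)),
]

def evaluate(text: str, destination: str) -> List[Tuple[str, str]]:
    """Data-in-motion check: (rule name, action) for every rule that fires on a
    message bound for `destination`. Authorized destinations are only audited."""
    findings = []
    for rule in RULES:
        if all(cond(text) for cond in rule.conditions):
            if destination in rule.allowed_destinations:
                action = "Audit"
            else:
                action = ACTION_PLAN[rule.severity]
            findings.append((rule.name, action))
    return findings

def discover(root: str, quarantine: str, move: bool = False) -> List[Tuple[str, str]]:
    """Data-at-rest discovery: walk `root`, classify each file, and remediate
    matches by CopyFiles (default) or MoveFiles into `quarantine`."""
    os.makedirs(quarantine, exist_ok=True)
    hits = []
    for dirpath, _, files in os.walk(root):
        if os.path.abspath(dirpath).startswith(os.path.abspath(quarantine)):
            continue  # never rescan the quarantine directory itself
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for rule in RULES:
                if all(cond(text) for cond in rule.conditions):
                    hits.append((name, rule.name))
                    remediate = shutil.move if move else shutil.copy2
                    remediate(path, os.path.join(quarantine, name))
                    break  # one remediation per file is enough
    return hits

def demo() -> Tuple[List[Tuple[str, str]], bool, List[Tuple[str, str]]]:
    """Runs discovery over constructed sample files, then an in-motion check."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample content
        "payroll.txt": "Employee 123-45-6789 annual income 85000",
        "notes.txt": "Lunch at noon, bring the proposal",
        "repo.txt": "proprietary source code, do not distribute",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    quarantine = os.path.join(root, "quarantine")
    hits = discover(root, quarantine, move=True)
    moved = not os.path.exists(os.path.join(root, "payroll.txt"))
    motion = evaluate(samples["payroll.txt"], destination="Marketing")
    shutil.rmtree(root)
    return hits, moved, motion

if __name__ == "__main__":
    print(demo())
```

Running the block moves payroll.txt and repo.txt into the quarantine directory, leaves notes.txt in place, and reports the payroll content sent to Marketing as “Block all”, while the same content sent to HR is merely audited. A production engine would add the things the slide leaves implicit: a data-classification label per rule, notification to the manager for the “notify” plans, and a repeat-violator counter before escalating to “Block all”.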
Recommendations - Continued
Data Format Controls to Prevent Data Breach
(Table; most cell content did not survive extraction. Rows by data format, each with Administrative, Physical and Technical Controls:)
Physical media: Physical Controls (content not recovered).
Digital Media (Data-at-Rest): Administrative Controls, Physical Controls, Technical Controls (content not recovered).
Digital Media (Portable/Removable Media): Administrative Controls: i) Portable/Removable Media should be used by authorized personnel based on the approval from stakeholders, in line with the information security policy. Physical Controls (content not recovered).
Appendix A
Recommendations – Data Protection Considerations before traveling to High risk countries
Since encryption products can be used for illegal purposes, countries that you may visit may ban or severely regulate the import, export and use of encryption products. Taking your encrypted laptop without proper authorization could violate U.S. export laws or the import regulations of the country to which you are traveling.
Under the “Wassenaar Arrangement”, one of its provisions allows a traveler to freely enter a participating country with an encrypted device under a “personal use exemption”, as long as the traveler does not create, sell, enhance, share or otherwise distribute the encryption technology while visiting.
The countries that support the personal use exemption include: Argentina, Australia, Austria,
Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia,
Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United
States.
Data Protection Considerations - Export and Import Controls
Export Controls:
Encryption functionality within McAfee’s Data Protection Suite has been granted an “ENC/Unrestricted” license exception by the U.S. Department of Commerce. If you must travel to one of the five embargoed countries listed below with encrypted laptops, Customer must obtain the appropriate export license, but the process can take, on average, ninety days for review, which is managed by the Department of Commerce’s Bureau of Industry and Security and the Office of Foreign Assets Control (OFAC) within the Department of the Treasury.
Import Controls:
The following countries do not recognize a “personal use exemption” (i.e., before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license):
Belarus - a license issued by the Belarus Ministry of Foreign Affairs or the State Center for
Information Security of the Security Council is required.
Burma (Myanmar) - a license is required, but licensing regime documentation is unavailable. Contact
the US State Department for further information.
Export Controls and Import Controls - Continued
Import Controls:
China - a permit issued by the Beijing Office of State Encryption Administrative Bureau is required. You can apply for the permit on your own. The laws in China vary from province to province, and customs officers or border guards apply their own interpretation of what encryption means. It is advised that your travel laptop is not encrypted.
Hungary - an International Import Certificate is required. Contact the US State Department for
further information.
Iran - a license issued by Iran's Supreme Council for Cultural Revolution is required.
Israel - a license from the Director-General of the Ministry of Defense is required. For information
regarding applicable laws, policies and forms, please visit the following website.
Export Controls and Import Controls - Continued
Import Controls:
Morocco - a license is required, but licensing regime documentation is unavailable. Contact the US
State Department for further information.
Russia - licenses issued by both the Federal Security Service (Federal'naya Sluzhba Bezopasnosti –
"FSB") and the Ministry of Economic Development and Trade are required. License applications
should be submitted by an entity officially registered in Russia. This would normally be the
company that is seeking to bring an encryption product into Russia.
Saudi Arabia - it has been reported that the use of encryption is generally banned, but research
has provided inconsistent information. Contact the US State Department for further information.
Tunisia - a license issued by Tunisia's National Agency for Electronic Certification (ANCE) is
required.
Recommendations – Before traveling to High risk Countries
In countries like China, data protection is a different ball game. Some of the recommendations may not be implementable or may have to be removed. Below are some of the considerations to protect Customer sensitive data before traveling to high risk countries:
No. Action item: Recommendations
1. Preparing your laptop/mobile device:
i) Install updates for your operating system and other software to plug known security holes, and make sure your security software is up to date.
ii) Turn off your device’s Bluetooth function.
iii) Lock your device with a PIN or password, and use whole disk encryption to protect stored data (if you can’t obtain a license to carry encrypted laptops to countries that don’t allow the personal use exemption, don’t encrypt the laptops).
iv) Install and configure a personal firewall and anti-malware.
Recommendations – Before travelling to High risk Countries - Continued
No. Action item: Recommendations
2. Stripping unneeded data from your laptop/mobile device before travel:
i) Customer should consider using only travel-only devices with minimal or no sensitive data stored on them.
Recommendations – While in High risk Countries
No. Action item: Recommendations
1. Using Corporate VPN to connect to the Internet:
i) Use Corporate VPN to connect to the Internet, which creates an encrypted tunnel for internet traffic so it can’t be read or tampered with by interlopers.
2. Do not download any sensitive data while connected to corporate VPN:
i) While connected to corporate VPN, users should not download any Customer sensitive data onto their laptops/mobile devices.
3. Keep your laptop/mobile device secured at all times:
i) Laptops/mobile devices should be locked with a lock screen while unattended.
ii) Laptops should be physically secured with a cable lock.
iii) Mobile devices should be secured in a file cabinet while unattended.
Recommendations – Returning from High risk Countries
No. Action item: Recommendations
1. Securely wipe laptops/mobile devices after returning from High Risk Countries:
i) Treat all devices returning from high risk countries as compromised. Wipe and reformat laptops/mobile devices before using them at home or work, or securely dispose of them using Customer approved secure disposal guidelines.
Contact
Lokesh Yamasani
Manager, IT Compliance and Advisory – SOAProjects Inc
Cell: 408-636-8268
Email: [email protected]
Q&A