Data Protection
McAfee’s Endpoint and Network
Data Loss Prevention
Dipl.-Inform. Rolf Haas
Principal Security Engineer, S+, CISSP rolf@mcafee.com
Position
Features and Live-Demo
Latest McAfee Facts
• McAfee users: 125 million
• Fortune 100 companies using McAfee: 83%
• Mobile devices shipped with McAfee: 100+ million
• Single largest McAfee deployment: 5 million
• McAfee patents (more pending): 480+
• McAfee Security Innovation Alliance partners: 80+
• McAfee employees globally: 8,000
• Countries that make up McAfee’s global footprint: 120
• Gartner Magic Quadrants that feature McAfee: 8
Now a 100% Intel Subsidiary
McAfee’s Extensible Platform for Security Risk Management
Industry Leadership to Drive Better Protection, Greater Compliance, and Lower TCO
Partner legend (diagram): SIA Associate Partner; SIA Technology Partner (McAfee Compatible)
Two Drivers For Data Security
REGULATION
• HIPAA, PCI, SOX
• Thousands of regional privacy laws
SENSITIVE DATA
• Product designs, IP
• M&A, Financials, Legal
Data Communication Channels
How Does Data Leak?
Data Sources
• At rest
• In use
• In motion
User Actions
• Copy to device
• Cut, copy, paste
• Print
• Outbound email
• Move files
• Access shares
• IM, blogs
• Web posting
Protection components (diagram labels): Data Discover Network, Data Discover Endpoint, Data Encryption, Removable Media Encryption, Device Control, Data Monitoring, Data Blocking
McAfee Data Protection
Solution Architecture
Solution architecture (diagram labels):
• Secured Corporate LAN and Network Egress/DMZ: MTA or Proxy, SPAN Port or Tap
• Network: Network DLP Monitor, Network DLP Prevent, Network DLP Discover
• Endpoints (connected to the LAN or disconnected): Endpoint DLP, Device Control, Endpoint Encryption, Encrypted Media
• Central Management: ePolicy Orchestrator (ePO)
Discover Data with DLP Endpoint
Find and protect sensitive information on hard drives.
What It Does (DLP Discover / DLP Endpoint)
• Crawl local drives and tag
– Application, location or content
– Outlook files (PST/OST)
• Remediate
– Move, delete or encrypt
Monitor Data with DLP Endpoint
Monitor data as it leaves the endpoint.
What It Does (DLP Endpoint; diagram: Switches/Routers)
• Provide content-aware detection
– Over 300 content types
– Outlook, webmails
– IM/FTP/HTTP(S)
– I/O channels (USB, media, devices)
Protect Data with DLP Endpoint
Protect against data loss via outbound email, web postings, and endpoints such as laptops, USBs and other devices.
What It Does (DLP Endpoint / DLP Prevent; diagram: Email/Web Gateway)
• Provide content-aware device control
– Move or block
• Integrated with Endpoint Encryption
– File, folder, or USB
• DRM support
– Adobe, MS RMS
Unified Rules/Policies
• Create unified rules and policies across all vectors (data-in-motion, data-at-rest, data-in-use, Device Control)
– Example: Protect credit card numbers from leaving the organization
– Implementation: One-click distribution
• Send to network components for protection at egress points
• Send to host agent for protection at endpoint, including download to removable media
• Consolidate incidents from all vectors
– Single location for incidents
– Common framework for incident workflow
• Create reports, escalate to cases
– Comprehensive view of data loss profile
– Built-in investigation and remediation
McAfee Data Protection Phase Concept
You cannot do everything at once...
PHASE 1 – Encryption
• Full Disk Encryption of laptops / desktops to protect against external threats (ROI because no HDD destruction is needed)
• File & Folder Encryption to protect data wherever it goes (persistent)
PHASE 2 – Control the Removable Media „Disaster“
• Device Control to (block), monitor and educate
• Encrypt all devices transparently with Endpoint Encryption for Removable Media, hence less blocking
PHASE 3 – Data Classification
• Use the Monitoring and Discovery engine of Network and Endpoint DLP (Capture Database) to tune policies
PHASE 4 – Activate Full DLP across the Enterprise
• Monitor, control and prevent what the user is allowed to do with „your“ data
User Awareness instead of Blocking
• Educate your end users to reduce internal incidents
• Event-based user pop-ups (no blocking)
• Monitoring and logging
• Announcement
Technology Architecture for Security
How Connected Is Your Security?
Agents (diagram labels): Host IPS Agent, Systems Management Agent, Audit Agent, Antivirus Agent, Encryption, NAC, DLP Agent
• EVERY SOLUTION HAS AN AGENT
• EVERY AGENT HAS A CONSOLE
• EVERY CONSOLE REQUIRES A SERVER
• EVERY SERVER REQUIRES AN OS/DB
• EVERY OS/DB REQUIRES PEOPLE, MAINTENANCE, PATCHING
• WHERE DOES IT END?
Technology Architecture for Security
How Connected Is Your Security?
SINGLE CONSOLE, SINGLE AGENT: McAfee ePO Server (AV, DLP, NAC, Encryption, PA, Site Advisor)
Diagram labels around ePO: PROTECTION, REAL TIME THREAT FEEDS, ACTIONABLE INFORMATION, SECURITY METRICS
Integrated products (diagram labels): DLP, Web, IPS, SIA, Endpoint, White Listing, Encrypt. Mgmt, Risk, Email, Firewall
Security Management Platform: ePO
Audience: Executive, Security Admin, IT Architect
Security Management Platform integrates with IT Operations Platforms
1. Single console, single agent endpoint deployment and management
2. Single consolidated source for incident response and reporting
3. Comprehensive incident views, case management and workflow
ePO Integration Strategy
Automation of monitoring, reporting, and auditing reduces costs!
Products (diagram labels): McAfee Endpoint Encryption, McAfee Endpoint Encryption for Removable Media, McAfee Network DLP and Endpoint
Data Loss via Social Media
• Block design information posting on facebook
Unencrypted USB Access
• Prevent patient data from being copied onto USB
Unauthorized Clipboard Access to Data
• Prevent sensitive information from being copied
McAfee Device Control and Host DLP Client
• Deploy agent via ePO Server
• Full communication through one-agent strategy
• Local uninstallation only with challenge response
• Disable block protection for x minutes via challenge response
• User notification for monitor or block action
• Driver-based software protection
• Can be active in Windows safe mode
• Watchdog prevents services from being stopped
McAfee Device Control Device Definition
• Configure devices per connected port (USB, Firewire etc.), Windows Device GUID, USB class code, serial number, device name
• Group device definitions for easy usage
• Whitelist Windows GUIDs, e.g. keyboard and mouse
• Run report and register own/new Windows GUIDs
McAfee Device Control Device Rules
• Management through web-based ePO
• Machine-based policy assignment
• User-based assignment (OU, memberOf, single user)
• Configure Monitor, Read Only, Block per policy
• Create device exemptions
• Block running executables from USB
• Run security awareness program
• Configure hyperlink and text for user notification
McAfee Device Control Management
• Management through web-based ePO
• Automatic reports sent via mail
• Export device definitions from reports for whitelisting
• Redaction of sensitive fields in reports
• "For eyes only" principle to open reports
• Monitor status of agent deployment
• Verify device details for connected devices on clients
• Configure active modules/driver
Implementation example
• Phase 1: Silent Monitor mode: analysing the risks, report to management
• Phase 2: Monitor mode and user notification for devices; security awareness campaign
• Phase 3: Read Only mode, e.g. for all unencrypted media
• Phase 4: Block mode, e.g. for all foreign (unencrypted) devices
DLP Increases Control
Content-aware enforcement delivers greater control and reduces costs by applying protection only where it is needed.
Encryption
• Without DLP: Encrypt everything
• With DLP: Selectively encrypt; encrypt on-demand
Removable Media
• Without DLP: Block USB devices
• With DLP: Content-based coaching; block based on origin
Device Control
• Without DLP: Block Cut, Copy, Paste
• With DLP: Content-aware blocking; content-based coaching
McAfee Host Data Loss Prevention
Content Classification
• Persistent classification
• Copy and paste of text recognized
• Manual classification (Explorer integration)
• Location- and application-based
• Own created dictionaries
• File details information, including own created fields
• File type based (header and extension)
• Regular expressions
McAfee Host Data Loss Prevention
Content Classification with Registered Documents
1. Register document share
• Example: \\fileserver01\sensitive_files%
2. Schedule an ePO Server task for inventorying
• Example: Create fingerprint of the content of all files within the document share
3. Deploy fingerprint to the clients
• Example: Fingerprint is distributed like a virus scan signature to the clients
4. Schedule a discovery scan in the Data Loss Prevention policy
• Example: Report all found documents, encrypt them, delete them
• Configure folders which shouldn't be scanned locally
• Encrypt locally found files with EEFF key
• Apply Adobe Rights Management policy
• Quarantine the files
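The registered-document procedure above, as an added example that is not McAfee's code: a word-shingle fingerprint is built from the share's files (steps 1 to 3), and a discovery scan (step 4) reports endpoint files that match the registered set or contain a Luhn-valid card number, the credit-card rule from the Unified Rules slide. File paths, file contents, the shingle size, the match threshold and the excluded folder are constructed assumptions.

```python
import hashlib
import re
SHINGLE_WORDS = 6      # words per overlapping shingle (assumed tuning value)
MATCH_THRESHOLD = 0.5  # share of a file's shingles that must be registered to match
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators

def shingles(text: str) -> set:
    """Hash overlapping word n-grams so a pasted paragraph still matches its source file."""
    words = re.findall(r"\w+", text.lower())
    if len(words) < SHINGLE_WORDS:
        return set()  # too short to fingerprint
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE_WORDS + 1)}

def register_share(share_files: dict) -> set:
    """Steps 1-3: inventory the share; the returned set is what is pushed to clients."""
    return set().union(*(shingles(content) for content in share_files.values()))

def luhn_ok(digits: str) -> bool:
    """Checksum that filters random digit runs before raising a credit-card incident."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str, fingerprints: set) -> list:
    """Return the classification tags that fire for one file's content."""
    tags, sh = [], shingles(text)
    if sh and len(sh & fingerprints) / len(sh) >= MATCH_THRESHOLD:
        tags.append("registered-document")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        tags.append("credit-card")
    return tags

def discovery_scan(endpoint_files: dict, fingerprints: set, excluded=()) -> dict:
    """Step 4: scan endpoint files outside excluded folders; returns path -> tags for hits."""
    hits = {}
    for path, content in endpoint_files.items():
        if not path.startswith(tuple(excluded)):  # folders configured not to be scanned
            tags = classify(content, fingerprints)
            if tags:
                hits[path] = tags  # remediation (encrypt, quarantine, delete) acts here
    return hits

# Constructed sample data: one registered share and a few endpoint files (hypothetical paths).
SHARE = {r"\\fileserver01\sensitive_files\merger.txt": "Project Falcon merger plan is confidential and must not leave the legal team"}
ENDPOINT = {r"C:\Users\alice\notes.txt": "Draft: merger plan is confidential and must not leave the legal team",
            r"C:\Users\alice\expenses.txt": "Paid with card 4111 1111 1111 1111 on the trip",
            r"C:\Temp\scratch.txt": "Project Falcon merger plan is confidential and must not leave the legal team"}
```

Running `discovery_scan(ENDPOINT, register_share(SHARE), excluded=(r"C:\Temp",))` flags the partial copy in notes.txt and the card number in expenses.txt while skipping the excluded folder.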