
Data Protection: McAfee's Endpoint and Network Data Loss Prevention


Academic year: 2021


(1)

Data Protection

McAfee’s Endpoint and Network

Data Loss Prevention

Dipl.-Inform. Rolf Haas

Principal Security Engineer, S+, CISSP

rolf@mcafee.com

(2)


Position

Features and Live-Demo

(3)

Latest McAfee Facts

McAfee users: 125 million

Fortune 100 companies using McAfee: 83%

Mobile devices shipped with McAfee: 100+ million

Single largest McAfee deployment: 5 million

McAfee patents (more pending): 480+

McAfee Security Innovation Alliance partners: 80+

McAfee employees globally: 8,000

Countries that make up McAfee's global footprint: 120

Gartner Magic Quadrants that feature McAfee: 8

Now a 100% Intel Subsidiary

(4)

McAfee’s Extensible Platform for Security Risk Management

Industry Leadership to Drive Better Protection, Greater Compliance, and Lower TCO

SIA Associate Partner SIA Technology Partner (McAfee Compatible)

(5)

Two Drivers For Data Security

REGULATION

• HIPAA, PCI, SOX

• Thousands of regional privacy laws

SENSITIVE DATA

• Product designs, IP

• M&A, Financials, Legal

(6)

Data Communication Channels

How Does Data Leak?

Data sources: at rest, in use, in motion.

User actions: copy to device; cut, copy, paste; print; outbound email; move files; access shares; IM, blogs; web posting.

Controls mapped to these channels: Data Discover (Network), Data Discover (Endpoint), Data Encryption, Removable Media Encryption, Device Control, Data Monitoring, Data Blocking.

(7)
(8)

McAfee Data Protection

Solution Architecture

Secured Corporate LAN, Network Egress/DMZ (MTA or Proxy, SPAN Port or Tap) and disconnected systems.

Network components: Network DLP Monitor, Network DLP Prevent, Network DLP Discover.

Endpoint components: Endpoint DLP, Device Control, Endpoint Encryption, Encrypted Media.

Central Management:

• ePolicy Orchestrator (ePO)

(9)

Discover Data with DLP Endpoint

Find and protect sensitive information on hard drives.

What It Does

DLP Discover and DLP Endpoint: crawl local drives and tag files by application, location or content, including Outlook files (PST/OST).

Remediate: move, delete or encrypt.

(10)

Monitor Data with DLP Endpoint

Monitor data as it leaves the endpoint.

What It Does

DLP Endpoint provides content-aware detection:

• Over 300 content types

• Outlook, webmails, IM/FTP/HTTP(S)

• I/O channels (USB, media, devices)

(11)

Protect Data with DLP Endpoint

Protect against data loss via outbound email, web postings, and endpoints such as laptops, USBs and other devices.

What It Does

DLP Endpoint provides content-aware device control:

• Move or block

• Integrated with Endpoint Encryption (file, folder, or USB)

• DRM support: Adobe, MS RMS

DLP Prevent sits at the Email/Web Gateway.

(12)

Unified Rules/Policies

• Create unified rules and policies across all vectors (data-in-motion, data-at-rest, data-in-use, Device Control)

– Example: Protect credit card numbers from leaving the organization

– Implementation: One-click distribution

• Send to network components for protection at egress points

• Send to host agent for protection at endpoint, including download to removable media

• Consolidate incidents from all vectors

– Single location for incidents

– Common framework for incident workflow

• Create reports, escalate to cases

– Comprehensive view of data loss profile

– Built-in investigation and remediation

(13)

McAfee Data Protection Phase Concept

You cannot do everything at once...

PHASE 1 – Encryption

Full Disk Encryption of laptops / desktops to protect against external threats (ROI because no HDD destruction is needed)

File & Folder Encryption to protect data wherever it goes (persistent)

PHASE 2 – Control the Removable Media "Disaster"

Device Control to (block), monitor and educate

Encrypt all devices transparently with Endpoint Encryption for Removable Media, hence less blocking

PHASE 3 – Data Classification

Use the Monitoring and Discovery engine of Network and Endpoint DLP (Capture Database) to tune policies

PHASE 4 – Activate Full DLP across the Enterprise

Monitor, control and prevent what the user is allowed to do with "your" data

(14)

User Awareness instead of Blocking

Educate your Endusers to reduce internal Incidents

Event-based user pop-ups (no blocking), monitoring and logging, announcement

(15)

Technology Architecture for Security

How Connected Is Your Security?

Agents on every host: Host IPS Agent, Systems Management Agent, Audit Agent, Antivirus Agent, Encryption, NAC, DLP Agent.

Every solution has an agent. Every agent has a console. Every console requires a server. Every server requires an OS/DB. Every OS/DB requires people, maintenance, patching. Where does it end?

(16)

Technology Architecture for Security

How Connected Is Your Security?

Single console, single agent: McAfee ePO Server (AV, DLP, NAC, Encryption, PA, Site Advisor)

(17)

Security Management Platform: ePO

ePO delivers protection, real-time threat feeds, actionable information and security metrics to the Executive, Security Admin and IT Architect.

Managed products: DLP, Web, IPS, SIA, Endpoint, Whitelisting, Encryption Mgmt, Risk, Email, Firewall.

Integrates with IT Operations Platforms

(18)

ePO Integration Strategy

1. Single console, single agent endpoint deployment and management

2. Single consolidated source for incident response and reporting

3. Comprehensive incident views, case management and workflow

Automation of monitoring, reporting, and auditing reduces costs!

Products: McAfee Endpoint Encryption, McAfee Endpoint Encryption for Removable Media, McAfee Network DLP and Endpoint

(19)

Data Loss via Social Media

Block design information posting on facebook

(20)

Unencrypted USB Access


Prevent patient data from being copied onto USB

(21)

Unauthorized Clipboard Access to Data

Prevent sensitive information from being copied

(22)

McAfee Device Control and Host DLP Client

• Deploy agent via ePO Server

• Full communication through one-agent strategy

• Local uninstallation only with challenge response

• Disable block protection for x minutes via challenge response

• User notification for monitor or block action

• Driver-based software protection

• Can be active in Windows safe mode

• Watchdog prevents services from being stopped

(23)

McAfee Device Control Device Definition

• Configure devices per connected port (USB, FireWire etc.), Windows Device GUID, USB class code, serial number, device name

• Group device definitions for easy usage

• Whitelist Windows GUIDs, e.g. keyboard and mouse

• Run report and register own/new Windows GUIDs

(24)

McAfee Device Control Device Rules

• Management through web-based ePO

• Machine-based policy assignment

• User-based assignment (OU, memberOf, single user)

• Configure Monitor, Read Only, Block per policy

• Create device exemptions

• Block running executables from USB

• Run security awareness program

• Configure hyperlink and text for user notification

(25)

McAfee Device Control Management

• Management through web-based ePO

• Automatic reports sent via mail

• Export device definitions from reports for whitelisting

• Redaction of sensitive fields in reports

• "For eyes only" principle to open reports

• Monitor status of agent deployment

• Verify device details for connected devices on clients

• Configure active modules/driver

(26)

Implementation example

• Phase 1: Silent monitor mode: analysing the risks, report to management

• Phase 2: Monitor mode and user notification for devices. Security awareness campaign

• Phase 3: Read-only mode, e.g. for all unencrypted media.

• Phase 4: Block mode, e.g. for all foreign (unencrypted) devices.


(27)

DLP Increases Control

Content aware enforcement delivers greater control & reduces costs, only applying protection where it’s needed

Encryption
  Without DLP: Encrypt everything
  With DLP: Selectively encrypt; Encrypt on-demand

Removable Media
  Without DLP: Block USB devices
  With DLP: Content based coaching; Block based on origin

Device Control
  Without DLP: Block Cut, Copy, Paste
  With DLP: Content aware blocking; Content based coaching

(28)

McAfee Host Data Loss Prevention

Content Classification

• Persistent classification

• Copy and paste of text recognized

• Manual classification (Explorer integration)

• Location- and application-based

• Own created dictionaries

• File details information including own created fields

• Filetype-based (header and extension)

• Regular expressions

(29)

McAfee Host Data Loss Prevention

Content Classification with Registered Documents

Register document share

• Example: \\fileserver01\sensitive_files%

Schedule an ePO Server task for inventorying

• Example: Create a fingerprint of the content of all files within the document share

Deploy fingerprints to the clients

• Example: The fingerprint is distributed to the clients like a virus scan signature

Schedule a discovery scan in the Data Loss Prevention policy

• Example: Report all found documents, encrypt them, delete them. Configure folders which shouldn't be scanned locally. Encrypt locally found files with an EEFF key. Apply an Adobe Rights Management policy. Quarantine the files.
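As an added illustration of the registered-document workflow on this slide (example code, not McAfee's fingerprint format or product code), the following Python builds content fingerprints in a share-side inventory step and then runs a client-side discovery scan that classifies a local file and returns the policy action. The document contents, the share path, the shingle size and the match threshold are constructed assumptions.

```python
import hashlib
import re

# Constructed stand-ins for files on the registered share (hypothetical path
# \\fileserver01\sensitive_files); not the product's own fingerprint format.
REGISTERED = {
    "merger_plan.docx": "Project Falcon merger timeline: board approval in Q3, "
                        "due diligence complete, offer price 42 per share.",
    "patient_list.xlsx": "Patient ID 1001 John Doe diagnosis hypertension; "
                         "Patient ID 1002 Jane Roe diagnosis diabetes type two.",
}
SHINGLE_WORDS = 5      # words per hashed window (assumed parameter)
MATCH_THRESHOLD = 0.3  # share of a registered doc's windows that must reappear

def shingles(text):
    """Normalise text and hash every run of SHINGLE_WORDS consecutive words.
    Hashing word windows instead of whole files is what lets a pasted or
    partially copied excerpt still match the registered document."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    out = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        window = " ".join(words[i:i + SHINGLE_WORDS])
        out.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return out

def build_fingerprints(documents):
    """Server-side inventory task: one fingerprint set per registered document.
    Only hashes are pushed to clients, so endpoints never hold the plaintext."""
    return {name: shingles(text) for name, text in documents.items()}

def classify(text, fingerprints):
    """Client-side discovery scan: best-matching registered document and score."""
    local = shingles(text)
    best_name, best_score = None, 0.0
    for name, fp in fingerprints.items():
        score = len(local & fp) / len(fp) if fp else 0.0
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= MATCH_THRESHOLD:
        return best_name, round(best_score, 2)
    return None, round(best_score, 2)

def remediate(path, text, fingerprints, action="report"):
    """Apply the policy action (report, encrypt, quarantine, delete) to a hit."""
    name, score = classify(text, fingerprints)
    if name is None:
        return {"path": path, "hit": None, "action": "none"}
    return {"path": path, "hit": name, "score": score, "action": action}
```

An excerpt pasted into a local notes file still matches because its word windows overlap the registered fingerprint, while unrelated text scores zero and gets no action.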

(30)

McAfee Host Data Loss Prevention

Protection Rules

• Application File Access Protection

• Clipboard Protection

• E-Mail Protection

• File System Protection

• Web Post Protection

• Network Communication Protection

• Printing Protection

• Removable Storage Protection

• Screen Capture Protection

(31)

McAfee Host Data Loss Prevention

Management

• Central management from ePO

• Enable only required handlers on the clients

• Challenge response code generation

• Policy Analyzer

• Configure your own reports

• View evidence with hit highlighting

• Policy-based evidence path configuration

• Machine- and user-based policy assignment

(32)

Thank you! Any questions?

rolf@mcafee.com
