Building a Security Program that Protects an Organization's Most Critical Assets
WHAT WE WILL COVER TODAY
What is a Critical Asset Protection Program
Data Loss Prevention & Other Technology Tools
Use Cases
Avoiding Common Pitfalls
Open Q&A
BEW GLOBAL'S DLP EXPERTISE
• Daily management of 1,000,000+ users
• Global support in 130 countries
• Manage DLP solutions in 22 countries
• Deployed 400+ DLP projects
• Completed 500+ assessments
• Localized Chinese DLP practice (2011)
• 1st managed DLP services provider (2008)

VENDOR RECOGNITION
• Symantec Master Specialization DLP Partner
• Websense Certified TRITONs – more than any other partner, 10 Olympians & 5 Gladiators
• RSA's only authorized managed DLP partner
BEW GLOBAL'S PROVEN APPROACH
BEW Global works in cooperation with customers to plan, implement and maintain a Critical Asset Protection Program (CAPP) that clearly defines what assets are deemed most important to the customer organization based on
CRITICAL ASSET LIFECYCLE MAPPING

Critical Asset Creation
The point in time when the asset is created. This could be the first swipe of a credit card, the initial lines of code for a new application or the acquisition of a new VM cluster. Today, asset creation can be the product of multiple groups or systems.

Critical Asset Storage
Once the asset has been created, it is stored. For intangible assets this may be in RAM, on a hard disk, NAS, SharePoint or other types of data storage. Tangible assets like servers, routers or laptops may be racked in a datacenter, placed in a remote office closet or placed on a home office desk.

Critical Asset Use
Protecting the critical assets becomes a more manageable endeavor by mapping the authorized usage characteristics of the assets within the CAPP scope, and then applying the optimal combination of people, process and technology.

Critical Asset Transmission
The same transmission channels that carry authorized operations are the threat vector for exposure. Assessing how critical asset information is shared within and outside the organization provides key insight into the protection mechanisms required to guard against inadvertent or malicious asset exposure.
SAMPLE CAPP PROGRAM SCOPE
CRITICAL ASSET MANAGEMENT CONCERNS

Priority / Security Concern / Category
1. Disclosure of customer and employee PII data (Customer and Employee Data)
2. Disclosure of PCI data (Customer Data)
3. Disclosure and unauthorized use of customer "ARM Logs" (Proprietary Customer Data)
4. Disclosure of Proprietary and Licensed source code (Intellectual Property)

Program scope supported response (the same for each of the four concerns):
• Symantec Network Discover – file share scanning to gain visibility into storage locations
• Symantec Network Monitor – email monitoring to gain visibility into transmission
SAMPLE CAPP PROGRAM SCOPE
Category / Element / Data Description and Requirement / Data Identifiers

Personally Identifiable Information (PII): Social Security Numbers
The Human Resources, Finance, and Legal departments identified the SSN as a key piece of PII to be protected by the Critical Asset Protection Program.
• SSNs stored for customers and employees
• 9 numeric characters

Customer Data: TSN
[client name] Serial Number – numbers are assigned to and uniquely identify each [client name] set-top box. These numbers are associated with records (ARM logs) collected on each [client name] device containing sensitive customer information.
• 15-digit hexadecimal number
• First 3 digits represent the TSN prefix
• The following 11 represent the unit ID
• Final digit is a checksum

Payment Card Industry Data: Credit Card Numbers
During regular transactions with customers, [client name] collects and stores credit card numbers. [client name] is currently categorized as a PCI level 2 vendor but strives for level 1 compliance.
• All major national and international credit card vendors

Source Code: Copyrighted/Proprietary Code
Proprietary source code and copyrighted source code
• Adobe copyright
• Broadcom copyright
• Microsoft copyright
• [client name] copyright
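In a DLP policy each identifier above is a pattern plus a validation step; the pattern alone (any 9 digits, any 15 hex characters) would bury the triage queue. The following Python is an added example, not BEW Global's or Symantec's code, showing that split for the SSN, credit card and TSN elements. The sample text, the KNOWN_TSN_PREFIXES list and the TSN checksum rule are constructed: the deck only says the final TSN digit is a checksum, so the mod-16 rule here stands in for whatever the client's real algorithm is.

```python
"""Validated detectors for the three numeric identifiers in the sample CAPP
scope (SSN, credit card number, TSN). Added example, not BEW Global's or
Symantec's code. KNOWN_TSN_PREFIXES, the TSN checksum rule and SAMPLE are
constructed assumptions."""
from __future__ import annotations

import re

# Constructed: the client's device team would supply the real prefix list.
KNOWN_TSN_PREFIXES = {"A1F", "0C4"}

# SSN: 9 digits, optional hyphens; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")
# Card number: 13-19 plain digits, or the common 4-4-4-x and Amex 4-6-5 groupings.
CC_RE = re.compile(r"\b(?:\d{13,19}|\d{4}(?:[ -]\d{4}){2}[ -]\d{1,7}|\d{4}[ -]\d{6}[ -]\d{5})\b")
# TSN: 15 hex digits = 3-digit prefix + 11-digit unit ID + 1 checksum digit.
TSN_RE = re.compile(r"\b[0-9A-Fa-f]{15}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every card brand uses; weeds out most random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tsn_ok(tsn: str) -> bool:
    """Assumed checksum rule: last hex digit == sum of the first 14 hex digits mod 16.
    The deck only states that the final digit is a checksum; replace with the
    client's real rule. The prefix check rejects look-alikes such as a 15-digit
    Amex number, which is all hex digits too."""
    tsn = tsn.upper()
    if tsn[:3] not in KNOWN_TSN_PREFIXES:
        return False
    return int(tsn[14], 16) == sum(int(c, 16) for c in tsn[:14]) % 16


def scan(text: str) -> dict[str, list[str]]:
    """Return validated matches per identifier; a regex hit alone never counts."""
    found: dict[str, list[str]] = {"ssn": [], "credit_card": [], "tsn": []}
    found["ssn"] = [m.group() for m in SSN_RE.finditer(text)]
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["credit_card"].append(digits)
    for m in TSN_RE.finditer(text):
        if tsn_ok(m.group()):
            found["tsn"].append(m.group().upper())
    return found


# Constructed sample; the card numbers are the public Visa/Amex test numbers.
SAMPLE = """\
Employee SSN 123-45-6789 on file; placeholder 000-12-3456 must not count.
Card on file 4111 1111 1111 1111, amex 378282246310005, typo 4111111111111112.
Device A1F0123456789A1 uploaded an ARM log; A1F0123456789A2 has a bad checksum.
"""

if __name__ == "__main__":
    for ident, hits in scan(SAMPLE).items():
        print(f"{ident}: {hits}")
```

Running the module on SAMPLE yields one SSN, two card numbers and one TSN; the placeholder SSN, the Luhn-failing card and the bad-checksum TSN are dropped before they ever become incidents, which is what the 90% accuracy milestone later in this deck depends on.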
SAMPLE CAPP PROGRAM SCOPE
SERVICE MILESTONE TIMELINE

Milestone / Description / Target Date

Data Loss Prevention System Technical Install (Complete)
Data Loss Prevention system technically installed, tested and prepared to monitor all communications.

Critical Asset Protection Program Implemented (07/2013)
Resources in place to manage the Critical Asset Protection application and policies, triage incidents, develop analytics, and work with the business to remediate events.

Critical Asset Protection Program Kick-off (07/2013)
Actively monitor production traffic with the first crafted production policies, targeted at specific data elements/client information, ensuring data is going to the correct clients.

Critical Asset Protection System and Program Tuning (08/2013)
Work with the business to review incidents and leverage the data to improve policy accuracy within the Critical Asset Protection system.

Policy Accuracy Target – 90%+ (09/2013)
Tune the Critical Asset Protection policies to 90% or greater accuracy on outbound email communications, allowing for initial testing of prevention controls.

Blocking Pilot – Select User Group (09/2013)
Identification of the first user group set up for blocking or quarantine of unauthorized communications flagged by the DLP system.

Blocking – Full Production Roll-out (09/2013)
Phased roll-out of the remaining business units into the email blocking and quarantine scope of the Critical Asset Protection system.

Phase 1 Completion
Program in place for constant refinement of policies as the business evolves, communication with business units on violations, business analytics delivered, and unauthorized communications blocked.
USE CASE: PRE-PROJECT STATE
Organization Overview: Manufacturing firm of 30,000 employees operating in 50 countries globally
DLP Scope: Protection of intellectual property (general)
DLP Primary Issue: Lack of staff and of buy-in from the business owners who handle critical assets
Application Management: Most information security tools operated and "managed" by IT or network teams
Policy Governance: No internal resources with any experience in DLP policy construction
Incident Triage: Lean InfoSec staff already buried by SIEM and other tool output
Event Management: Informal event management process with little feedback to the business
Reporting and Metrics: Zero customized reports; very little business analysis provided
APPLICATION SUPPORT & INTEGRATION
Primary System DLP Management = Human Resource / Expertise Requirements
Integrated System Management = Cross Department Collaboration Processes
Health Check & System Validation Management = System Resource Requirements
Vendor Management =
POLICY & RULE GOVERNANCE
• Who requests rules & policy requirements?
  • Are business owners engaged?
• Who reviews rule requests?
  • Criteria for an approved rule?
• What's the process for converting a rule request into a policy?
  • Who's responsible for converting a rule into technical policy?
  • Do they have technical policy authoring expertise?
• What is the formal policy development process?
  • First drafts rarely work as expected!
• Is there a process to relay production policy metrics to stakeholders?
WORKFLOW DEVELOPMENT & MANAGEMENT
• Who develops & manages policy "buckets"?
  • False positive, inbound partner, outbound employee
• Who defines the thresholds that determine response rules for each "bucket"?
  • Are 10 SSNs a high, medium or low severity incident?
• Who designs & sets the policy response triggers?
  • Malicious, inadvertent, suspicious, above threshold
• Triage response options:
  • Human notification
  • System notification (auto)
  • Hybrid?
• Who's responsible for building alerts, alarms & notifications?
• Has the business been engaged on event management?
• Who manages the DLP policy & rules repository?
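The bucket, threshold and response questions above are exactly what a triage rule set has to answer before the first production policy goes live. The following Python is an added example, not BEW Global's or Intelisecure's code, encoding one possible set of answers: a bucket derived from sender and recipient domains, a severity taken from per-identifier count thresholds, and a response mode (human, system or hybrid) chosen from the two. Every domain, threshold, recipient allowlist entry and sample incident is a constructed assumption; the business owner supplies the real values during policy governance.

```python
"""Triage rules for DLP incidents: bucket, severity threshold and response.

Added example, not BEW Global's or Intelisecure's code. Domain lists,
thresholds, the allowlist and the response matrix are constructed
assumptions standing in for what the business units would supply."""
from __future__ import annotations

from dataclasses import dataclass

INTERNAL_DOMAINS = {"example-corp.com"}                 # constructed
PARTNER_DOMAINS = {"partner.example.net"}               # constructed
AUTHORIZED_RECIPIENTS = {"payroll@provider.example"}    # constructed: an approved data flow

# Severity floors per identifier, (count, severity). Constructed values; the deck's
# question "are 10 SSNs high, medium or low?" is what the business has to answer here.
THRESHOLDS = {
    "ssn":         [(100, "high"), (10, "medium"), (1, "low")],
    "credit_card": [(10, "high"), (1, "medium")],
    "tsn":         [(50, "high"), (5, "medium"), (1, "low")],
}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Incident:
    sender: str
    recipients: list[str]
    matches: dict[str, int]          # validated match counts per identifier
    from_test_account: bool = False  # sender is a known policy-test account


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def severity_for(matches: dict[str, int]) -> str:
    """Worst severity across identifiers; identifiers without thresholds add nothing."""
    worst = "none"
    for ident, count in matches.items():
        for floor, sev in sorted(THRESHOLDS.get(ident, []), reverse=True):
            if count >= floor:
                if SEVERITY_RANK[sev] > SEVERITY_RANK[worst]:
                    worst = sev
                break
    return worst


def bucket_for(inc: Incident) -> str:
    rcpts = [r.lower() for r in inc.recipients]
    rcpt_domains = {domain_of(r) for r in rcpts}
    if inc.from_test_account or (rcpts and all(r in AUTHORIZED_RECIPIENTS for r in rcpts)):
        return "false_positive"      # known-good flow: suppressed, but still counted in metrics
    sender_domain = domain_of(inc.sender)
    if sender_domain in PARTNER_DOMAINS and rcpt_domains <= INTERNAL_DOMAINS:
        return "inbound_partner"
    if sender_domain in INTERNAL_DOMAINS and not rcpt_domains <= INTERNAL_DOMAINS:
        return "outbound_employee"
    return "internal"


def response_for(bucket: str, severity: str) -> tuple[str, str]:
    """(action, mode); mode is human, system (auto) or hybrid, as in the deck."""
    if bucket == "false_positive" or severity == "none":
        return ("suppress", "system")
    if bucket == "outbound_employee":
        if severity == "high":
            return ("quarantine", "hybrid")        # auto-hold; analyst releases or escalates
        if severity == "medium":
            return ("notify_analyst", "human")
        return ("log", "system")
    if bucket == "inbound_partner":
        return ("notify_partner_owner", "system")  # partner sent data in; business contact, no analyst
    return ("log", "system")                       # internal-only: visibility until the blocking phase


def triage(inc: Incident) -> dict:
    bucket = bucket_for(inc)
    severity = severity_for(inc.matches)
    action, mode = response_for(bucket, severity)
    return {"bucket": bucket, "severity": severity, "action": action, "mode": mode}


# Constructed incidents, i.e. what a detector hands over after validating matches.
SAMPLE_INCIDENTS = {
    "ten_ssn_to_webmail": Incident("jdoe@example-corp.com", ["jdoe@webmail.example"], {"ssn": 10}),
    "bulk_ssn_export":    Incident("jdoe@example-corp.com", ["buyer@competitor.example"], {"ssn": 150, "tsn": 3}),
    "partner_sends_tsn":  Incident("ops@partner.example.net", ["support@example-corp.com"], {"tsn": 3}),
    "payroll_feed":       Incident("hr@example-corp.com", ["payroll@provider.example"], {"ssn": 200}),
    "internal_card":      Incident("a@example-corp.com", ["b@example-corp.com"], {"credit_card": 1}),
}

if __name__ == "__main__":
    for name, inc in SAMPLE_INCIDENTS.items():
        print(name, triage(inc))
```

The payroll case is the one to watch: it carries 200 SSNs, so severity is "high", yet the allowlisted recipient routes it to the false-positive bucket and suppresses the response. Keeping severity and bucket as separate outputs is what lets the metrics later show how much "high" volume is actually authorized traffic.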
INCIDENT TRIAGE & EVENT MANAGEMENT
• Who reviews the volume & yield of incidents & events?
  • What's the review frequency?
• How are events/incidents routed?
  • Who owns the incident/event?
  • How does DLP fit in the overall incident/event management process?
  • Can this be mapped to the DLP system?
• What metrics are developed to measure the success of rules & related policy?
  • Who's responsible for developing metrics?
  • Revision of rules based on the quality of policy results.
• Who manages the policy optimization process?
• How will integrated systems be tied together to yield valued info?
  • Secure mail, web gateway, GRC,
BUSINESS ANALYTICS
Who drives report requirements? Requestors, Reviewers, others?
Who develops reports?
Do they have the expertise with 3rd party reporting tools?
Are DLP system generated reports adequate?
Are the metrics valuable & driving meaningful change?
Report accuracy tied into QA process?
USE CASE: POST-PROJECT STATE
Organization Overview: Defined specific business units to initiate program
DLP Scope:
Focused on 3 specific product lines linked to highest revenue & earnings
DLP Primary Goal: Identification of unauthorized movement of specific elements of IP
Application Management: Operated by a combination of IT, messaging & desktop management teams
Policy Governance: 100% customized policies based on data collected from business unit
Incident Triage:
Daily review of incidents by Intelisecure Managed Services team
Event Management: Incidents meeting severity criteria routed to business unit for investigation
Reporting and Metrics: Behavioral pattern analysis leading to preventive actions
QMS SAMPLE QUARTERLY REPORT
[Chart: Intelisecure DLP QMS: Six Month Trend. Y-axis: Number of Hours; X-axis: Time. Series: Application Management, Policy Governance, Incident Triage, Event Management, Reporting & Analytics]
5 Pieces of DLP Advice You Can't Afford to Ignore
DATA LOSS PREVENTION PITFALLS

Mis-configured Tap or Port Span
Problem: Missing segments of network traffic or protocols.
Solution: A comprehensive test plan that maps to in-scope business processes and the related data types transmitted from various network locations, to ensure all relevant data streams are being captured.

Encryption – The Masked Data
Problem: Analysis of data did NOT take place prior to encryption.
Solution: A comprehensive test plan that proves ALL DLP data assessment takes place prior to gateway encryption, plus managed "test" DLP policies that identify encrypted transmissions as part of the test plan.

Misfire of Network Discovery Scans
Problem: Locations of sensitive data were never targeted by the organization for scanning because there was no effective policy governance process.
Solution: Identify potential data stores by discussing the DLP program with staff to understand their processes.

Network versus Endpoint Discovery
Problem: Running data-at-rest (DAR) scans with a combination of network and endpoint agents without accounting for the fact that the supported policy types and detection methods differ between the two.
Solution: Before acquiring a DLP solution, understand the data types that make up your target environment and then decide on the scanning method.
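The managed "test" policy from the encryption pitfall above needs a concrete definition of "encrypted transmission", and a content-type check alone misses password-protected archives and raw ciphertext attachments. The following Python is an added example, not BEW Global's or any vendor's code: it parses a MIME message and reports every reason content inspection would have seen ciphertext rather than data, and it distinguishes a readable compressed archive (high entropy but inspectable) from an encrypted one. The message fixtures, the helper that sets the zip encryption flag (Python's zipfile cannot write encrypted archives), and the 7.5 bits/byte entropy threshold are constructed for this demonstration.

```python
"""'Test' DLP policy: flag transmissions the gateway could not have inspected
in the clear. Added example, not BEW Global's or any vendor's code. The
message fixtures, the zip-flag patching helper and ENTROPY_THRESHOLD are
constructed for this demonstration."""
from __future__ import annotations

import email
import io
import math
import random
import zipfile
from email import policy
from email.message import EmailMessage

ENCRYPTED_CONTENT_TYPES = {
    "multipart/encrypted",        # RFC 3156 PGP/MIME
    "application/pgp-encrypted",
    "application/pkcs7-mime",     # S/MIME envelopedData
    "application/x-pkcs7-mime",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; constructed, tune against your own traffic


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zip_is_encrypted(data: bytes) -> bool | None:
    """True/False for a readable zip (general-purpose flag bit 0), None if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except (zipfile.BadZipFile, ValueError):
        return None


def encryption_indicators(raw: bytes) -> list[str]:
    """Reasons this message would have been opaque to content inspection."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_CONTENT_TYPES:
            hits.append(f"content-type {ctype}")
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(body)"
        if b"-----BEGIN PGP MESSAGE-----" in payload:
            hits.append("inline PGP armor")
        enc = zip_is_encrypted(payload)
        if enc is True:
            hits.append(f"password-protected zip: {name}")
        elif enc is None and part.get_content_maintype() != "text" \
                and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
            # A readable zip was handled above, so a high-entropy non-text part
            # that is not a known container is most likely ciphertext.
            hits.append(f"high-entropy attachment: {name}")
    return hits


def _zip_bytes(name: str, content: bytes) -> bytes:
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return bio.getvalue()


def _set_zip_encrypted_flag(data: bytes) -> bytes:
    """Fixture helper: set flag bit 0 in each local header (signature 50 4B 03 04,
    flags at +6) and central directory entry (50 4B 01 02, flags at +8). Only the
    header claims encryption, which is all zip_is_encrypted inspects."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def _message(body: str, attachments=()) -> bytes:
    msg = EmailMessage()
    msg["From"] = "jdoe@example-corp.com"
    msg["To"] = "someone@external.example"
    msg["Subject"] = "constructed test message"
    msg.set_content(body)
    for filename, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


_rng = random.Random(2024)
_RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
_PLAIN_ZIP = _zip_bytes("export.csv", b"ssn,name\n123-45-6789,constructed\n" * 50)

SAMPLES = {
    "plain_zip": _message("quarterly export", [("export.zip", _PLAIN_ZIP, "application", "zip")]),
    "encrypted_zip": _message("quarterly export", [("export.zip", _set_zip_encrypted_flag(_PLAIN_ZIP), "application", "zip")]),
    "random_blob": _message("see attached", [("export.bin", _RANDOM_BLOB, "application", "octet-stream")]),
    "pgp_inline": _message("-----BEGIN PGP MESSAGE-----\n\nhQEMA...constructed...\n-----END PGP MESSAGE-----\n"),
}


def run_test_policy() -> dict[str, list[str]]:
    return {name: encryption_indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_test_policy().items():
        print(f"{name}: {hits or 'inspectable in the clear'}")
```

In the test plan this runs as a monitoring-only policy at the same tap point as the production policies: any hit means the production rules had no chance to match on that message, and the count of hits over a week is the measure of how much traffic the gateway encrypts before DLP ever sees it.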
DATA LOSS PREVENTION PITFALLS
The Pandora's Box of DLP

Environment Assessment
Problem: No rigorous endpoint environment assessment prior to the selection of the application and its enablement.
Solution: Address the age of the environment, performance capabilities, technical and human issues, and application load, in conjunction with education on the DLP endpoint agents.

Staying in Contact
Problem: Failure to monitor the endpoint population and how frequently agents check in to the management server, with validated results.
Solution: Phased deployment of the endpoint agent, with validation via a test plan of the initial success of ALL agents and ongoing endpoint agent health reports.

User Performance Impacts
Problem: Implementing the same policies for network-based and endpoint assessments without testing or modification.
Solution: Use a comprehensive test plan that defines specific metrics (time to open files, open/send emails, open applications) prior to deployment.

Network/System Performance Impacts
Problem: Failure to calculate and measure the impact of endpoint policy traffic across wide and local area network connections.
Solution: A thorough assessment of endpoint policies that addresses all of these concerns, including policy design requirements, timing, frequency and delivery methods.
BEW GLOBAL IS THE CHOICE OF MARKET LEADERS
CLIENTS INCLUDE
MANUFACTURING
OIL & GAS
RETAIL / ENTERTAINMENT
UNIVERSITIES
INSURANCE
HEALTHCARE
FINANCE
A FORTUNE TOP 50 COMPANY