
Data Leakage Prevention (DLP) Understanding The Concept. George Ntontos Partner, In.T.Trust S.A.


Academic year: 2021


(1)

Data Leakage Prevention (DLP)

Understanding The Concept

George Ntontos

(2)

External Threats:
• Viruses
• Hackers
• Blackmail
• Spamming
• Trojans

Company Perimeter:
• Corporate Network
• Office Space
• Mobile Computers
• Removable Devices

Internal Threats:
• Data Leakage
• Unauthorized access to information

(3)

The most dangerous incident possible is a DATA LEAK

• irreversible
• pursued by regulators
• damages reputation
• leads to direct financial loss

70-80% of all losses from IT-incidents come from authorized

(4)

In 2008, losses from a data leak ranged from $400K to $32M

Source: Ponemon, “The 2008 Annual Study: Cost of a Data Breach”
(5)

The biggest part of the losses is lost profit:

• Lost clients

• Lost partners

• Lost market share

• Lost confidence

(6)

How much may a data leak cost?

| Customer | Incident | Possible loss, EU* |
|---|---|---|
| Universal bank | Reliable debtor registry | 30 M |
| Retail bank | A list of a 1000 persons, checked by company security department | 15 M |
| IT-Company | Malefactor communication | 0.5 M |
| Oil & gas company | Purchase commission demands | 0.2 M |
| Oil & gas company | Tender application | 200 M |

(7)

• Companies' internal employees
• Temporary employees: translators, trainees, etc.
• Outsourced employees: data-centers, call-centers
• Transportation companies: couriers
• Employees of other companies that have access to information within

(8)

• Copies on removable media
• Forwarding and sending emails
• Web access (web-mail, blogs, messengers, etc.)
• Printing and carrying away the printed copy

(9)

Channels of data leakage


(10)
(11)

• Only 20% of information is structured *
• >10% of information is changing every day **
• 10% of information is ‘zero day documents’ **
• 30% of documents are not ‘absolute confidential’ **

IT MEANS THAT IT IS IMPOSSIBLE TO PROTECT DYNAMIC INFORMATION WITH STATIC DOCUMENT-BASED METHODS ONLY

*) Autonomy 2008 **) InfoWatch 2009

(12)

Company Perimeter:
• Corporate Network
• Office Space
• Mobile Computers
• Removable Devices

Removable Devices Leaks:
• USB/Flash disks/cards
• Printers
• Bluetooth, WiFi
• CD/DVD

Portable Storage:
• Loss
• Theft

Network Leaks:
• Web
• Mail
• Instant Messages
• Network Printing

(13)
(14)

INTERCEPTION:
• Agents on workstations
• Universal traffic interceptors
• Server plug-ins

ANALYSIS:
• Formal attributes
• Linguistics
• “Fingerprints”
• Tags

DECISION-MAKING:
• Allow
• Block
• Process further

STORING:
• In file system
• In DB (+ full-text search)

(15)

All modern DLP systems can:
• Control network traffic
• Control network printing
• Control the connection of external devices to workstations
• Integrate with encryption tools

Not all modern DLP systems can:
• Effectively protect both static and dynamic data

(16)

| Technology | Features and advantages |
|---|---|
| Stop-words and regular expressions | Detection of leaks of information formed by a certain pattern, for example credit card numbers, passport numbers, SSN, bank accounts, etc. |
| Linguistic and context analysis | Proactive protection (works with dynamic data, new or changed documents) of confidential data right after its creation |
| Digital fingerprinting and watermarks | Protection of rarely changing data that was found and indexed beforehand (works well to protect static data, for example, |

(17)

Hybrid Analysis (diagram):
• Stop words
• Regular expressions
• Digital watermarks
• Digital fingerprinting
• Context analysis
• Dictionaries
• Linguistic analysis

Hybrid analysis is more efficient thanks to merging of several different technologies
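An added example (not from the original slides or from any vendor's product) of the hybrid analysis described above: a regular-expression stage with Luhn validation for card numbers, followed by a fingerprint stage that compares hashed word windows of a message against an indexed document, ending in the Allow / Block / Process further decision. The function names, thresholds and sample text are assumptions constructed for illustration.

```python
import hashlib
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shingles(text: str, k: int = 5) -> set:
    """Hashes of every k-word window; this set is the document's 'fingerprint'."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 1))}


def analyze(message: str, index: set, block_at: float = 0.5, review_at: float = 0.1) -> str:
    """Return 'block', 'process further' or 'allow' for one intercepted message."""
    # block_at / review_at are assumed thresholds, not values from the slides.
    # Pattern stage: regular expression plus checksum validation.
    for match in CARD_RE.finditer(message):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            return "block"
    # Fingerprint stage: share of the message's shingles found in the index.
    msg = shingles(message)
    overlap = len(msg & index) / len(msg)
    if overlap >= block_at:
        return "block"
    return "process further" if overlap >= review_at else "allow"


# Constructed sample data: one indexed confidential document.
CONFIDENTIAL = ("Tender application pricing for the northern pipeline project "
                "is fixed at the board approved ceiling and must not be disclosed")
INDEX = shingles(CONFIDENTIAL)
```

The fingerprint stage only recognises text that was indexed beforehand, which is why the slides pair it with pattern and linguistic methods for new or changing documents.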

(18)

• Interceptors’ number and quality
  - Controlled channels
  - Ability to block suspicious objects
• Analysis methods
  - Analyzed formats
  - Encryption detection
  - Classification method: probabilistic (linguistics and/or hash), deterministic (tags and/or attributes)
• Ability to collect evidence for investigation
  - Including full-text search
(19)

• The money is allocated from another budget item
• They are required by regulations and standards
• Every company has experienced a security incident
• Information security is overbudgeted + F.U.D.

(20)

• Many related services besides installing and configuring
  - Audit and change of data storage and circulation methods
  - Audit and change of juridical base
• High resource intensity
  - Several servers + DBs + a system for archiving and storing
  - Related products: URL-filters, anti-spam, print-servers, etc.
• The majority of the projects are first-time implementations
  - Nothing to compare with
  - The project may not be successful and this will not affect anyone
• Low-competitive market
  - Several market players with different technologies

(21)

Thank you for your attention!

Your questions are most welcome.

Learn more: www.infowatch.com
