Information Risk Management. Alvin Ow Director, Technology Consulting Asia Pacific & Japan RSA, The Security Division of EMC

Transcription

1 Information Risk Management Alvin Ow Director, Technology Consulting Asia Pacific & Japan RSA, The Security Division of EMC

2 Agenda Data Breaches Required Capabilities of preventing Data Loss Information Risk Information Incident Root Cause Building a Comprehensive Information Risk Management Platform Summary

3 Information Loss/Data Breach Questions What information? Who did this? How did they get the information? How do we ensure this never happens again? What is the exposure to the organization? How do we prevent this from happening again?

4 Analysis of a Data Breach [T+180] days [T-15] days [T-1] days T [T+.2] minutes [T+.5] minutes Bob ed the sales pipeline data out to a competitor Newly hired PM, Bob, is provisioned a profile similar to that of Deb s Deb joined Product Management from sales but still has access to sales file shares Bob realized that he can access the sales file share The is identified as violation of a policy The is blocked The security analyst and Bob s boss are alerted Data Loss Event Happens here Data Loss Prevention Starts Here

5 Data Losses

6 Data Exposure

7 Data Loss

8 Required Capabilities for Preventing Data Loss Discover Respond Fix Information Risk Accurate discovery Scalable discovery Risk assessment Efficient process Information Incidents Incident Mgmt. Business context Workflow/ticketing Metrics Dashboards Root Cause Business/IT context Control procedures Integration and Questionnaires Metrics & Dashboards RSA Data Loss Prevention Workflow and Surveys Risk Dashboards RSA Data Loss Prevention RSA Security Incident & Event Management Dashboards and Workflow Reactive Controls RSA Archer IT GRC SIEM Proactive Controls

9 Required Capabilities for Preventing Data Loss Discover Respond Fix Information Risk Accurate discovery Scalable discovery Risk assessment Efficient process Information Incidents Incident Mgmt. Business context Workflow/ticketing Metrics Dashboards Root Cause Business/IT context Control procedures Integration and Questionnaires Metrics & Dashboards RSA Data Loss Prevention Datacenter and endpoint Workflow and Surveys Risk Dashboards DLP network and endpoint SIEM Dashboards and Workflow Reactive Controls IT GRC SIEM. SSCM and VA Proactive Controls

10 Real-life Use Case 11/ Owners in 43 Countries Identified 12/19 90% of files remediated Repeatable and continuously monitored Process time reduced by 400% 11/2 30K files discovered by RSA Data Loss Prevention 11/19 RSA Archer IT GRC Platform Sends questionnaire to data owners

11 Evaluate and Reduce Risk at Datacenter Discover Analyze Remediate FS, Server, Laptop 300+ File Types Databases Remediation Windows file shares Unix file shares NAS / SAN storage Windows 2000, 2003 Windows XP, Vista Microsoft Office Files PDFs, PSTs Zip files CATIA files SharePoint Documentum Microsoft Access Oracle, SQL Content Mgmt systems Secure Delete Manual/Auto Move Manual/Auto Quarantine Notifications edrm

12 RSA Data Loss Prevention & Data Governance RSA DLP Datacenter List of sensitive files Content of sensitive files Risk level of the files + Data Governance List Users of sensitive who have files access Content Users accessing do sensitive the files files Risk Owners level of of the the files files Identify files/folders at risk Identify true business owners Change permissions

13 RSA Archer Risk Management Consistent and flexible approach for identifying, evaluating and responding to risks Overview Capture and relate risk to corporate objectives, mitigating controls and enterprise objects. Maintain a repository of risk metrics. Track financial losses as risk intelligence. Build and deliver online assessments. Score assessments automatically and generate findings for incorrectly answered questions. Understand your organization s inherent and residual risk through real-time reporting capabilities.

14 Required Capabilities for Preventing Data Loss Discover Respond Fix Information Risk Accurate discovery Scalable discovery Risk assessment Efficient process Information Incidents Incident Mgmt. Business context Workflow/ticketing Metrics Dashboards Root Cause Business/IT context Control procedures Integration and Questionnaires Metrics & Dashboards DLP Datacenter Workflow and Surveys Risk Dashboards RSA DLP network and endpoint RSA Security Incident & Event Mmanagement Dashboards and Workflow Reactive Controls IT GRC SIEM. SSCM and VA Proactive Controls

15 A Solution for DLP Incident Management Enterprise and Policy Mgr envision alerts are put in context with enterprise assets, risk, process, teams, etc. Context Policy Data Feed Mgr Correlated alerts are integrated into Archer Archer shares enterprise context with envision Security Incident & Event Management RSA envision picks up a DLP action as an event which it can correlate with other events Risk Mgr, Dashboards and Workflow Incidents are assigned in work queues, workflow automates the case management process. Risk and Compliance metrics are rolled up into an executive level dashboard RSA Data Loss Prevention SMTP HTTP, HTTPS, FTP Mail Servers Proxy Server

16 Monitor & Enforce User Actions at Egress Monitor Educate Enforce Instant Message Web Traffic Enforce SMTP Exchange, Lotus, etc. Webmail Text and attachments Yahoo AOL Microsoft FTP HTTP HTTPS TCP/IP Audit Block Encrypt Log

17 Monitor & Enforce User Actions on Endpoints Monitor and mitigate risk from end user actions on endpoints Monitor Educate Enforce Connected or Disconnected from Corporate Network Connected to Corporate Network RSA DLP Endpoint Monitor Agent Not Connected to Corporate Network

18 RSA Archer Incident Management Reduce incident response times Overview Centralize incident data and control access to assure data integrity. Track incidents and ethics violations in real-time through a customizable and easy-to-use web interface. Manage the investigation process. Implement response procedures and track incident resolution using built-in workflow. Maintain a detailed incident audit trail. Monitor incident status and impact, and identify trends and incident relationships.

19 Required Capabilities for Preventing Data Loss Discover Respond Fix Information Risk Accurate discovery Scalable discovery Risk assessment Efficient process Information Incidents Incident Mgmt. Business context Workflow/ticketing Metrics Dashboards Root Cause Business/IT context Control procedures Integration and Questionnaires Metrics & Dashboards DLP Datacenter Workflow and Surveys Risk Dashboards DLP network and endpoint SIEM Dashboards and Workflow Reactive Controls RSA Archer IT GRC SIEM. SSCM and VA Proactive Controls

20 What is Enterprise Context? Divisions Facilities Prod./Services People Processes Applications Devices Information Context Policy Business initiatives Industry standards Federal regulations Best practices Contractual obligations evidence SIEM DLP Vulnerability Configurations Surveys Assessments Physical and Virtual IT Infrastructure

21 Connecting Enterprise Context to IT Evidence Data Loss w/ Business Context Users from Client Services Group in Boston Facility is copying tier 1 data (SSNs) from customer support application to partner s platform in UK for quarterly reporting process. Context Policy Integration evidence Data Loss w/o Business Context User kpbrady from AD group Corp243 violated a policy on 3/8/2010 called PII-CMR 201 by attempting to ftp SSNs from ip address to The action was blocked by DLP. SIEM DLP Vulnerability Configurations Surveys Assessments Physical and Virtual IT Infrastructure

22 Process for Managing Risk Workflow for incident management Workflow Views and Reports Visibility and Context for prioritizing incidents and improving insight into risk Context Policy Enforce Policy with workflow, reports and by connecting to detailed controls that are, in turn tied to IT assets Detailed Controls Integration Correlated incidents and Scan results evidence check Control procedures tied directly to IT Assets SIEM DLP Vulnerability Configurations Surveys Assessments Physical and Virtual IT Infrastructure

23 Summary Information Risk Management starts from day 1 Information Risk Information Incident Root Cause Analysis Information Risk Management Platform RSA Data Loss Prevention RSA Security Incident & Events Management RSA Archer IT Governance Risk & Compliance Platform

24 Thank You Alvin Ow RSA, The Security Division of EMC