prevention loss Data loss strategies, data practices and tools are more important than ever. Here s what you need to know. i n s i d e p DLP: It s

Transcription

1 A S E A R C H C O M P L I A N C E. C O M / S E A R C H S E C U R I T Y. C O M E - B O O K Dt loss prevention strtegies, dt prctices prevention nd tools re more importnt thn ever. loss Here s wht you need to know. i n s i d e p DLP: It s Not Just for Big Firms Anymore p Protecting Your Secret Suce p Where Dt Lives p Mndting Encryption 1 DLP ESSENTIALS loss

2 » DLP: It s Not Just for Big Firms Anymore Rules of thumb to keep informtion sfe nd move towrd complince. NEW REGULATIONS FROM Msschusetts nd Nevd re forcing orgniztions of ll kinds to tke dt protection seriously. Msschusetts Generl Lw Chpter 93H nd its ssocited regultion 201 CMR prescribe riskbsed pproch tht requires orgniztions possessing identity informtion to implement both dministrtive nd technicl controls to protect the informtion. Mny orgniztions tht hve never considered themselves the trget of ttck or the focus of privcy regultions re now finding tht they re every bit s responsible for complince with dt protection regultions s bnks, hospitls nd orgniztions tht hndle pyment crd dt. The new regultions require orgniztions to plce stringent governnce nd technicl controls in plce. In fct, Nevd requires ll orgniztions tht store or process pyment crds to comply with the Pyment B Y R I C H A R D E. M AC K E Y Crd Industry Dt Security Stndrd (PCI DSS) even those tht do not hve contrctul requirements to comply with it. This is good news for consumers, but bd news for orgniztions hoping to void the high cost of documenttion, ssessments nd technicl controls required by PCI DSS becuse they didn t fit netly into the ctegory of merchnt or service provider. The good news for compnies is tht these regultions will typiclly pply only when informtion is compromised. Why is this good news? Becuse if you tke common sense steps to protect the dt, you cn reduce the likelihood of dt being compromised, nd thus reduce the likelihood tht you will be udited for complince. All compnies cn improve their security by following these rules: Reduce or eliminte unnecessry libility. The first step ny orgniz- 2 DLP ESSENTIALS

3 » tion should consider in dt protection is eliminting dt tht is not bsolutely required for the business. It my sound odd, but with some cretive thinking, mny compnies cn eliminte the need for regulted dt. For exmple, online merchnts cn The first step ny orgniztion should consider in dt protection is eliminting dt tht is not bsolutely required for the business. sometimes store only the trnsction ID for credit crd purchse nd void storing the primry ccount number long term. Helth cre compnies cn sometimes void storing Socil Security numbers of ptients by replcing them with other identifiers tht re not covered by regultions. This kind of sensitive dt elimintion cn be prcticed to vrying degrees throughout n orgniztion. It my not men tht you eliminte ll instnces where complince is required, but it cn reduce the number of plces where sensitive dt is used nd mke the next step reducing your profile esier to complete. Reduce your profile. One of the key PCI DSS requirements nd one of the fundmentl rules of dt protection is to confine the protected dt to smll nd well-defined environment. This prctice not only simplifies complince by reducing the environment where controls need to be implemented, but it lso fcilittes ccess control, dt movement monitoring, ccess logging, testing nd just bout every other security prctice. The ide is to centrlize dt in s few systems nd s smll network environment s possible. Once your dt is centrlized, you cn restrict ccess to the dt to specific group of users nd pplictions. If possible, you should provide mechnisms to llow the dt to be operted on while residing on the centrlized system. In other words, void copying it or llowing it to move. Tools like dt loss prevention pckges cn monitor nd restrict dt movement to mke your continment even more effective. To further restrict the environment, deploy firewlls tht restrict connectivity to specific protocols from only prticulr ddresses or zones. Finlly, monitor ll ccess nd dt movement (even within the environment). This will help ensure tht only the right people hve ccess nd help to meet regultory requirements s well. Shre only wht you must. These dys, very few orgniztions ctully 3 DLP ESSENTIALS

4 » go it lone. Most enlist the help of service providers in vriety of wys. Unfortuntely, shring dt complictes dt protection nd brings with it dditionl complince ctivities. For exmple, Msschusetts regultions, PCI DSS nd the Helth Insurnce Shring dt complictes dt protection nd brings with it dditionl complince ctivities. If you cn, void shring ltogether. Portbility nd Accountbility Act ll require orgniztions to ssess the security prctices of prtners with which they shre protected informtion. This cn be n expensive process nd is best voided. Borrowing n ide we discussed erlier, if you cn, void shring ltogether. A prudent step before hnding ny sensitive informtion to prtner is to nlyze the informtion you need to shre nd replce ny identifying informtion with other types of identifiers. For exmple, replce Socil Security numbers with hshes or IDs tht you cn mp to the ctul number, nd replce ccount IDs with similrly obfuscted numbers. Even if you cn t eliminte ll the sensitive informtion, you my be ble to reduce your exposure by removing unnecessry dt nd mpping other fields. If fter your nlysis, obfusction nd mpping you still need to shre, you hd better understnd how well your prtner will cre for the dt. Know your prtners. As we discussed bove, ll the ltest regultions require you to ssess the prctices of orgniztions to which you hve entrusted protected dt. Fortuntely for orgniztions tht hndle pyment crd dt, PCI DSS describes the stndrd tht must be met nd set of procedures for ssessment. The sitution is not so cler cut for other regultions. Some orgniztions conduct their own ssessments, some hire consultnts, nd some trust the ssessments nd udits done by third prties. When either conducting ssessments yourself or using third prty s ssessment, you should ensure tht the ssessment is: 1. Performed with respect to your complince requirements. 2. Frmed round the prctices nd environment tht will ffect your dt. 3. Repeted nnully. Following these rules will help you void ccepting SAS 70 udits for vilbility nd opertions when your concern is protection of the confiden- 4 DLP ESSENTIALS

5 » tility of identity dt. Trin your employees. While shring your dt represents thret, one of the most frequent cuses of dt exposure is humn error. Regultions require you to ensure tht your employees understnd their responsibility in protecting informtion. Tht mens understnding policies, using strong psswords, keeping psswords privte nd voiding exposure by copying, trnsmitting or storing dt in insecure wys. Protect your portble devices. The Msschusetts regultion is the first to specificlly trget portble devices in its requirements. However, regrdless of whether your compny needs to comply with 201 CMR 17.00, you should tke steps to protect dt on ny device or medium tht cn be lost or stolen. Tht mens lptops, thumb drives, externl hrd drives nd ll removble medi (including bckup tpes). This chpter is too short to provide detiled guidnce on even one of these res, but the following re some rules of thumb tht orgniztions should follow: 1. Write policies tht clerly specify wht types of dt cn or cnnot be stored on removble medi or portble systems. 2. Designte specific devices for storge of sensitive dt (lbel thumb drives, portble drives, etc.). 3. Employ file system encryption on ll lptops nd dedicted removble medi. 4. Trck medi used for storge of sensitive dt. 5. Develop medi disposl procedure to ensure tht devices tht hve been tken out of use do not fll into the wrong hnds. 6. Either encrypt or provide strong physicl controls for ll bckup medi. Complince with dt protection regultions nd contrcts hs brodened from finncil nd helth cre orgniztions to every compny. However, these new requirements should not cuse orgniztions to pnic. It is time for ll orgniztions to understnd their responsibilities nd the risks of compromise, nd tke prudent steps to reduce the risk. By following some firly strightforwrd rules (s outlined here), n orgniztion cn gretly reduce the risk of compromise nd eventully chieve complince with both the current nd future regultions. Richrd E. Mckey is vice president of System- Experts Corp. nd leding uthority on enterprise security rchitecture nd complince. 5 DLP ESSENTIALS

6 Let them rom lose surf udit cut lptops budgets who cres You do! Liberting your people nd freeing up time nd resources mkes productive sense. Sophos security nd dt protection solutions deliver: Instll, set nd forget. Esy on your time, esy on your system nd esy on your business, everything from Endpoint to Complince, Emil, Web nd Encryption is covered nd ll ccessed nd controlled with refreshing simplicity. Now, with security tken cre of, you ve got the rest of the dy to do ll the other things tht cn t wit. See for yourself lern more bout Sophos tody.

7 » Protecting Your Secret Suce Theft of intellectul property is on the rise. Here re some do s nd don ts for keeping your trde secrets sfe. B Y RU S S E L L J O N E S A N D R E N A M E A R S IT S A COLD dy in lte November. Two men re getting redy to bord plne bound for Southest Asi t Sn Frncisco Interntionl Airport. In their luggge is millions of dollrs worth of stolen trde secrets. These pilfered project designs, mnuls, CDs, floppy disks nd third-prty licensed mterils will llow nefrious foreign buyers to unlock the secrets of the most innovtive U.S. compnies nd ggressively compete with them on the open mrket. But just s the men re bout to step onto the plne, they re rrested by joint FBI/Computer Hcking nd Intellectul Property (CHIP) investigtive tem. It sounds like n episode of television crime drm. Yet this ctully hppened in 2001, when two men tried to flee the country with trde secrets stolen from few of the biggest nmes in Silicon Vlley. In this cse, the criminls were stopped in their trcks, but theft of trde secrets is growing nd evolving problem, It s growing in terms of the number nd types of trde secret cses we re prosecuting. MATT PARELLA ASSISTANT U.S. ATTORNEY sys Mtt Prrell, ssistnt U.S. ttorney nd chief of the Sn Jose brnch of the U.S. Deprtment of Justice s CHIP unit. It s growing in terms of the number nd types of trde secret cses we re prosecuting, he sys. Three to five yers go we sw physicl mnuls being stolen, wheres tody digitl versions of schemtics, dt sheets, mnufcturing processes nd source code re t risk. And the number of complints being filed nd investigtions pursued re drmticlly on the rise. According to 2006 report from 7 DLP ESSENTIALS

8 » the Office of the United Sttes Trde Representtive, U.S. businesses re losing pproximtely $250 billion nnully from trde secret theft. Federl lw enforcement officils sy the most trgeted industries include NINE TRADE SECRET TIPS 1. Identify chmpion within the C-suite who cn provide the credibility nd support you will need in implementing n enterprise-wide progrm. 2. Crete n inventory of your compny s trde secrets nd the form they tke (pper-bsed, electronic, undocumented employee knowledge). 3. Prioritize the trde secrets ccording to their vlue to your orgniztion bsed on the risk of loss, compromise or theft. To keep things simple, consider using scle of high, medium or low to rnk likelihood nd impct. 4. Anlyze how your compny s trde secrets mp to orgniztionl business processes throughout their entire lifecycle. 5. Perform risk ssessment ginst the mpped trde secrets to determine which ones re exposed to vulnerbilities tht hve high likelihood of hppening, nd the impct their exposure would hve on your orgniztion. 6. Bsed on the risk ssessment, estblish clerly documented enterprisewide dt protection frmework supported by specific ctions lid out in processes nd procedures, roles nd responsibilities, nd monitoring nd enforcement ctivities employees cn esily follow. 7. Perform gp nlysis to determine how well your existing prctices protect your trde secrets vs. the dt protection frmework. 8. Address gps using combintion of security nd dt protection policies nd procedures, process-level controls, technology controls, physicl controls nd eduction nd wreness. 9. Estblish metrics to continully ssess the effectiveness of your protection progrm. R.L.J. AND R.M. 8 DLP ESSENTIALS

9 » biotechnologies nd phrmceuticl reserch, dvnced mterils, notyet-clssified wepons systems, communictions nd encryption technologies, nnotechnology nd quntum computing. Wht compnies her bout in the medi is probbly just the tip of the iceberg, sys Rndy Sbett, prtner t Sonnenschein Nth & Rosenthl LLP in Wshington, D.C., nd member of the firm s informtion security nd intellectul property prctice group. There re probbly fir number of situtions where people don t even relize their trde secrets hve been stolen. THE CROWN JEWELS Intellectul property (IP) is extremely importnt to the U.S. economy. As of 2003, IP ccounted for pproximtely 33% of the vlue of U.S. corportions, or more thn $5 trillion, ccording to Stephen Siwek, principl t Economists Inc., consulting firm bsed in Wshington, D.C. Yet mny compnies re ill-prepred to dequtely protect their IP in the fce of incresed ttempts to stel it. At lest prt of the problem is due to economic pressure on U.S. firms to control costs, sys Abe Michel Smith, chief security officer (CSO) t Xilinx Inc., digitl progrmmble logic device mker bsed in Sn Jose, Clif. As more enterprises outsource prt or even ll of their reserch nd development (R&D) nd product development ctivities to overses prtners, there is fr greter risk tht importnt informtion cn slip through the crcks. And estblishing Blncing the need for improving profit mrgins with the kind of security required to dequtely protect IP cn be very difficult. ABE MICHAEL SMITH CSO, XILINX INC. overses divisions tht ply significnt role in developing IP cn be risky when strong IP lws do not exist within those countries. Blncing the need for improving profit mrgins with the kind of security required to dequtely protect IP cn be very difficult, Smith sys. Moreover, the unique chrcteristics of trde secrets mke compnies prticulrly vulnerble to their loss. Once trde secret is out of the bg you cn t get it bck in, Sbett sys. If you re tlking bout something like source code, tht represents the crown jewels of the compny. And when its sttus s trde secret is gone, it s gone. Worse, it cn tke yers until trde secret theft is detected, Smith 9 DLP ESSENTIALS

10 » sys. You wouldn t even know it [your IP] ws missing for five yers, when competitor would suddenly introduce product tht sold for one third to one fifth of the price of yours. And it is importnt to note tht trde secrets re vulnerble to not just mlicious theft, but lso ccidentl lekge in the norml course of business. For exmple, n engineer who hs not been properly trined in wht constitutes trde secrets might include some in seemingly innocuous conference presenttion. PUTTING THE SECRET IN TRADE SECRET Prt of the reson U.S. firms re struggling to protect IP is widespred misunderstnding of wht trde secret is, nd wht legl protection it possesses. A trde secret is type of intellectul property tht represents n orgniztion s intngible ssets. Unlike tngible ssets such s lnd, buildings, office equipment or mnufcturing equipment, intngible ssets cnnot be seen or touched nd re creted not by physicl mterils but by humn lbor or thought. According to the Uniform Trde Secrets Act (UTSA), trde secrets include formuls, ptterns, compiltions, progrm devices, methods, techniques or processes. They lso cn be digrms nd flow chrts, supplier dt, pricing dt nd strtegies, source code, mrketing plns nd customer informtion. So vried re the things tht cn be considered trde secrets tht your employees my not even know when they re hndling them. Prt of the reson U.S firms re struggling to protect IP is widespred misunderstnding of wht trde secret is, nd wht legl protection it possesses. For orgniztions tht depend hevily on commercilizing the product of their R&D ctivities, trde secrets re prticulrly importnt. Ptents re eqully importnt, but trde secrets differ from ptents in significnt wy. They re s their nme implies secret. Wheres ptents represent set of exclusive rights grnted by the government in exchnge for the public disclosure of n invention, trde secret is internl informtion or knowledge tht compny clims it lone knows, nd which is vluble intngible sset. While ptent owners hve certin legl protections from nyone using their ptents without permission, compnies re responsible for prov- 10 DLP ESSENTIALS

11 » ing they hve the right to legl protection of their trde secrets. According to the UTSA, your compny must demonstrte tht the specific informtion or knowledge is not generlly known to the public, therefore it derives independent economic vlue, A trde secret s vlidity cn be proven only vi litigtion. Ironiclly, trde secret must be stolen or compromised before you cn ttempt to demonstrte it is leglly trde secret. nd tht you hve mde resonble efforts to mke sure the knowledge remins secret. A trde secret s vlidity cn be proven only vi litigtion; there s no utomtic protection just becuse your compny believes it possesses one. Ironiclly, trde secret must be stolen or compromised before you cn ttempt to demonstrte it is leglly trde secret. Once in litigtion, your compny must convince the court of three points: secrecy, vlue nd security. Inevitbly, the most difficult element to demonstrte is tht your compny hd resonble controls in plce to protect the secrecy of the IP in question. A successful prosecution requires tht you prove you took sufficient steps to protect your trde secrets, sys Joseph Schdler, n FBI specil gent. This includes everything from putting bnners on computers, to hving secure logons, to requiring NDAs [nondisclosure greements], to controlling physicl ccess to room. UNSECURED SECRETS Why re mny compnies not sufficiently protecting their trde secrets? Aside from not fully understnding wht trde secret is, mny hve not identified their own trde secrets. Even if they hve, lot hve not determined where in the orgniztion their secrets re, in wht form they exist (such s digitl or pper) nd by whom they re used. If your employees don t know wht to protect, how cn they protect it? sks Christopher Burgess, senior security dviser to the CSO t Sn Jose, Clif.-bsed Cisco Systems Inc. Additionlly, some compnies put priority on innovtion rther thn security. The smller tech compnies in prticulr need to be very nimble, so the focus in the executive suite is on product development nd customer service, rther thn protecting IP, sys Prrell of the CHIP unit. Even with the IP protections mny Fortune 500 compnies hve in 11 DLP ESSENTIALS

12 » plce, trde secrets continue to lek out. Weknesses in security procedures, inherent vulnerbilities within business processes, disjointed risk mngement progrms nd ineffective eduction nd wreness progrms ll contribute to this problem. All too often, senior mngement tems, bords of directors nd senior executives re lulled into flse sense HOW YOUR DATA CAN LEAK An executive of n Ohio hydrulic pump mker ws convicted of steling his compny s trde secrets by hnding over finncil nd confidentil mrketing mterils to South Africn-bsed competitor. A Kentucky mn ws convicted in 2006 of conspiring to stel nd sell trde secrets belonging to Corning. While n employee, the mn stole drwings of Corning s thin filter trnsltor liquid crystl disply glss nd sold them to n offshore-bsed business. A Durcell employee downloded sensitive dt bout top-selling product from compny computers onto his home PC nd sent it to two Durcell competitors; he ws convicted erlier this yer. A mgzine publisher kept its entire pricing strtegy, competitive intelligence, finncing informtion nd mrketing plns for new, unrelesed mgzine stored within hidden file shre on its public Web server. Due to misconfigurtion on its website, these trde secrets were exposed to the public through Google hcking. A lrge technology compny, s norml prt of its request for proposl process, sent detiled specifictions, drwings nd subssembly informtion to potentil suppliers without obtining signed NDAs or confidentility greements in dvnce. Engineers working for globl technology orgniztion moved between employee nd contrctor sttus s individul projects required. Although bsed out of offshore loctions in countries without strong IP lws, they were not required to re-sign the NDA/confidentility greements t the onset of ech new project. R.L.J. AND R.M. 12 DLP ESSENTIALS

13 » of security bout trde secrets. This is lrgely due to misunderstnding the legl protection for trde secrets, coupled with being orgniztionlly buffered from the dily opertions security mngers fce. Mny orgniztions believe they mitigte the risk of trde secret vi contrctul greement such s NDAs nd confidentility greements, but this simply isn't the cse. When we spek to victims, we re finding out tht the people responsible for security on R&D projects re not t the C-suite level, so tht mgnitude of the risk is filtered out by the time it gets to the top of the orgniztion, Prrell sys. Furthermore, mny orgniztions believe they mitigte the risk of trde secret theft vi contrctul greements such s NDAs nd confidentility greements, but this simply isn t the cse. Although importnt to hve in plce from prosecution stndpoint, these greements re not prticulrly effective t preventing theft, Schdler sys: The sort of people who wnt to stel the trde secrets re not going to feel bound by n NDA. And while compny might hve strong IP protection progrm on pper, it cn get in the wy of employees doing their jobs effectively. A relted problem is tht the corporte culture my be t odds with IP security directives nd employees simply ignore them. Intellectul property protection done wrong cretes brrier to cretivity, which is wht mkes U.S. compnies such gret innovtors. TECHNLOGICAL SOLUTIONS Essentilly, trde secret is just nother piece of corporte informtion. Like ll informtion, it hs lifecycle it is creted, used, shred, stored nd eventully destroyed. Wht mkes protecting trde secret chllenging is how it chnges form nd prolifertes through the orgniztion during its lifecycle. It my strt s chemicl process written in lb notebook, t some point be recorded in n electronic document, become set of discrete tsks in mnufcturing process nd eventully be combined with other IP to form product. Ech of these forms mnul, digitl, process, product my hve different lifecycle. At ech point, the IP my fce different risks tht must be exmined nd, where pproprite, mitigted. Vrious products cn help protect 13 DLP ESSENTIALS

14 » trde secrets nd IP dt tht exist in digitl form, during certin points in the dt s lifecycle. There re emerging technologies tht monitor the movement of structured nd unstructured dt nd enforce ctions on the dt bsed on custom policies. These products work t the network nd desktop levels nd cn monitor movement, prevent dt from being copied from the originting ppliction to externl sources for exmple, USB drives nd help clssify dt s requiring more or less protection. EMC Corp. s Infoscpe cn help inventory unstructured dt, such s Microsoft Word documents, Adobe.pdf files nd vrious spredsheets, nd lso clssify it bsed on compny s dt clssifiction scheme. Complementry EMC products offer secure storge nd rchiving of dt. Sun Microsystems Inc. s Identity Mnger cn provide foundtion for controlling wht systems people re given ccess to nd wht roles they re given within n ppliction bsed on compny-defined policy. Sun lso offers integrted solutions for secure dt storge. In ddition, there re products from compnies such s PGP Corp. nd Entrust Inc. to protect mobile dt with combintions of file-level encryption nd ccess controls on physicl interfces to the mobile device. Finlly, vendors such s Adobe Systems Inc. hve developed enterprise rights mngement products designed to provide dt protection specificlly IP cross business processes nd orgniztionl boundries. Adobe offers products tht securely cpture, process, trnsfer nd rchive informtion, both online nd offline. John Lndwehr, Adobe s director of security solutions nd strtegy, sys he believes the best protection of sensitive dt hppens t the document level: Given the rnge of devices tht IP cn live on from desktops to lptops to PDAs nd mobile phones we think tht the only vible wy to persistently protect tht informtion is if the protection trvels with the document. However, word of cution bout some of these products designed to protect confidentil dt: Becuse the vst mjority re bsed on rule setdriven engines, the number of flse positives they generte cn be significnt. PROTECTIVE STEPS Despite the incresing sophistiction of technology, there s no mgic bullet for protecting IP. There is no bsolute, 100 percent, foolproof wy to protect trde secrets, Sbett sys. You could spend ll your time nd money on technologicl protections, nd yet your trde secrets could be flowing out of the orgniztion in ll sorts of other wys. 14 DLP ESSENTIALS

15 » An effective protection progrm must include number of strtegies, such s educting employees, contrctors nd prtners bout wht constitutes trde secrets; estblishing the right governnce model (policies, roles nd responsibilities, enforcement); nd setting process-level, procedurl, physicl nd technicl controls to minimize risk to level cceptble by mngement. The first step to protecting your trde secrets is to identify them through interviews with the business process owners nd then document them. Next, estimte how much these trde secrets re worth. Although this is just snpshot tht will chnge over time, it s essentil for building business cse to obtin the funding to put protections in plce. Hving this vlution is lso importnt should theft ctully occur. It s complicted process to do this, but criticl element for prosecutors, Schdler sys. Then, rnk the trde secrets ccording to their vlue s well s the threts, vulnerbilities nd resulting risk. A comprehensive eduction nd wreness progrm is criticl step; some experts rgue tht it s the most importnt one. Eduction nd wreness is your first nd foremost prcticl solution for protecting trde secrets, sys Cisco s Burgess. Adobe s Lndwehr grees: Whtever technology you decide to implement, it won t be effective unless you lso hve pln to educte users. Finlly, your compny should define progrmmtic, complince nd opertionl metrics to mesure the performnce of your trde secret protections ginst key indictors. Without Eduction nd wreness is your first nd foremost prcticl solution for protecting trde secrets. CHRISTOPHER BURGESS SENIOR SECURITY ADVISOR TO THE CSO, CISCO SYSTEMS INC. the metrics, you will not know whether you re effectively protecting your trde secrets. Everyone grees: Not doing nything to protect your compny s trde secrets is simply not n option nymore. The U.S. Deprtment of Justice is mking it first order of business. The prosecution of IP theft cses specificlly trde secret theft nd economic espionge is priority for the CHIP unit nd is criticl to the economy of Silicon Vlley nd, indeed, to the ntion s security, Prrell sys. Russell L. Jones nd Ren Mers re prtners in the security nd privcy services t Deloitte & Touche LLP. 15 DLP ESSENTIALS

16 Could you use little direction when choosing DLP solution? One compny is redy to guide you. Visit nd downlod Five Considertions for Selecting Dt Loss Prevention Solution.

17 » Where Dt Lives Your brnd s reputtion could be t risk when sensitive informtion leks outside your orgniztion. Dt loss prevention tools cn mitigte incidents nd offer clrity on where this dt resides. B Y R I C H M O G U L L IT S THE CALL you ve fered. The phone rings t 9.m. on Sundy. You re the chief informtion security officer of medium-sized retiler, nd weekend clls ren t ll tht unusul. But within 30 seconds of picking up the phone, you know your weekend, if not your job, is over. One of the customer service mngers ccidentlly emiled n Excel file of ll the clients cquired lst qurter to n externl distribution list while trying to send it to his personl Gmil ccount to work on over the weekend. Worse yet, the file contins full credit crd nd verifiction numbers. The relly bd news? You recently signed off on your self-ssessment for your Pyment Crd Industry Dt Security Stndrd udit nd ffirmed tht you don t keep crd numbers in n unencrypted formt. No one told you bout the nightly dtbse extrct the customer reltions tem runs with the credit crd number s the primry key. Your externl udit is scheduled for next month, mking this bout the worst time possible for n ccidentl disclosure. It s not like you cn blme this one on evil hckers. This sitution is hypotheticl, but it illustrtes the pressures compnies re under. Dt protection grows more criticl every dy s our sensitive informtion fces incresing scrutiny from regultors nd business prtners. It s no longer just mtter of keeping the bd guys wy from dt. Businesses now re expected to hndle it responsibly, often in ccordnce with contrctul or legl requirements. Yet the verge orgniztion typiclly hs little ide of where its sensitive dt is, never mind how it s relly being used. During the pst five yers, new ctegory of tools emerged to ddress this problem. Dt loss prevention (DLP) products help compnies understnd where their sensitive dt is locted, where it s going nd how 17 DLP ESSENTIALS

18 » it s being used, nd they cn sometimes enforce protective policies. The technology my not lwys stop evil hckers, but it offers considerble help in protecting business from internl mistkes nd in cost-effectively mnging complince. Knowing where sensitive content is locted protects the orgniztion nd my reduce the time nd cost of udits; compny cn prove tht its dt is ppropritely secured nd show rel-time controls to detect violtions. By gining considerble insight into how dt is communicted internlly nd externlly, odds re tht n orgniztion will identify number of risky business processes like the bove nightly dtbse dump nd use of personl emil ccounts. It lso gins the bility to prevent ccidents nd eliminte bd hbits, like improper use of USB drives. DLP won t mke you complint, but its combintion of risk reduction, insight nd potentil udit cost reduction is compelling. Yet, while DLP tools hve significnt potentil to reduce n orgniztion s risk of unpproved disclosures of sensitive informtion, they re mong the lest understood nd most overhyped security technologies on the mrket. Orgniztions tht tke the time to understnd the technology, define their processes nd set pproprite expecttions will see significnt vlue from their DLP investments, while those tht mke snp purchses or set their expecttions inppropritely high will struggle with this powerful collection of tools. DEFINING DLP DLP is one of dozen or so nmes for this mrket; others re informtion lek prevention nd content monitoring nd filtering. To further complicte mtters, dt loss prevention is so generic term it could esily pply to ny dt protection technology; everything from encryption to portblocking tools is hopping on the DLP bndwgon. While erly tools were tightly focused on preventing dt leks on the network, the mrket is rpidly evolving towrd robust solutions tht protect dt in motion on the network, t rest in storge nd in use on the desktop, ll bsed on deep content inspection nd nlysis. So DLP is clss of products tht, bsed on centrl policies, identify, monitor nd protect dt t rest, in motion nd in use, through deep content nlysis. Other defining chrcteristics re: Brod content coverge cross multiple pltforms nd loctions. Centrl policy mngement. Robust workflow for incident hndling. It s importnt to recognize tht DLP solutions re very effective t reduc- 18 DLP ESSENTIALS

19 » ing the risk of ccidentl disclosures or dt lekge through bd business process, but they offer miniml protection ginst mlicious ttcks. A smrt internl or externl ttcker cn esily circumvent most DLP tools, but the risk of indvertent exposure is usully greter thn tht of trgeted ttck. GETTING STARTED Long before contcting DLP vendors, set expecttions nd decide wht content needs protection nd how to protect it. Pull together project tem with representtives from mjor stkeholders including security, messging, desktop mngement, networking, humn resources (HR) nd legl, nd define protection gols, including content nd enforcement ctions. This is when you set expecttions; educting project members on wht s relistic with DLP cn help void pitflls tht deril deployment. These protection gols help determine required fetures. They ll estblish needs for content nlysis techniques, bredth of coverge (network/storge/endpoint), infrstructure integrtion, workflow nd enforcement requirements. You cn decide if you need full suite, dedicted DLP solution or just the DLP fetures of n existing product. Then, trnslte these requirements into request for informtion or drft request for proposl nd strt contcting vendors. Most orgniztions find tht content nlysis techniques, rchitecture, infrstructure integrtion nd workflow re the top priorities in selecting product. CONTENT ANALYSIS The most importnt chrcteristic of DLP solutions is content nlysis. This llows the tools to dig into network trffic nd files, unwrp lyers (like spredsheet embedded in.pdf in.zip file) nd identify content bsed on policies. While DLP products use different content nlysis techniques, they tend to fll into few ctegories tht lso use contextul informtion, such s sender/recipient, loction nd destintion. Content description techniques use regulr expressions, keywords, lexicons nd other ptterns to identify content. They include rules/regulr expressions for pttern mtching, conceptul nlysis involving preset combintions of words nd rules to mtch specific concept like insider trding, nd preset ctegories such s personlly identifible informtion (PII), HIPAA nd PCI. Content registrtion techniques rely on content you provide the system tht then becomes policy. They include full or prtil document mtching using hshes of files to identify content; dtbse fingerprinting by hshing live dtbse content in com- 19 DLP ESSENTIALS

20 » bintions to identify mtches; nd sttisticl techniques tht use lrge repository of relted content to identify consistencies nd crete policies. All the leding products cn combine different nlysis techniques into single policy to improve ccurcy. The content nlysis technique will directly determine wht products mke the short list, but compnies should mke sure to ccount for future needs. Although most of the mrket 90%, by some estimtes is focused on protecting PII, bout 30% to 40% of those orgniztions re lso interested in protecting unstructured dt. They strt by using DLP to protect PII to reduce their complince risk, nd then slowly dd other content generlly trde secrets nd intellectul property once they get comfortble with their tools. The lst mjor component of DLP solutions is n endpoint gent to monitor use of dt on the user s desktop. A complete gent theoreticlly monitors network, file nd user ctivity such s cut nd pste, but few rel-world tools provide full coverge. Most products strt with file monitoring for endpoint content discovery nd to detect (nd block) sensitive dt trnsfers to portble storge. Rther thn completely blocking USB thumb drives to protect dt, n orgniztion cn use these tools to CONTENT DISCOVERY HELPS CREDIT UNION WITH PCI THE MAJORITY OF orgniztions first deploy DLP for network dt loss prevention, since it s the quickest wy to identify their risk exposure. But from complince stndpoint, DLP for dt t rest or content discovery is often more vluble since it helps quickly identify stored dt in violtion of policy, which is especilly useful for PCI DSS. For exmple, medium-sized credit union strted with network monitoring nd user eduction to reduce its risk of n indvertent brech. It then moved into content discovery to ensure tht no PCI dt ws stored unencrypted, followed by bsic emil filtering. The compny s vendor recently strted bet testing n endpoint gent, which the client plns to use for endpoint discovery nd blocking PII trnsfer to portble storge. Executives t the credit union estimte it will tke two to three yers for full deployment of ll DLP components, bsed lrgely on internl politicl issues nd budget. R.M. 20 DLP ESSENTIALS

21 » restrict file trnsfers bsed on content. Endpoint DLP tools re strting to dd more dvnced protection, such s limiting cut nd pste, detecting sensitive content in unpproved pplictions such s certin encryption tools, nd utomticlly encrypting items bsed on content. Over time, they will increse the type nd number of policies they cn enforce nd integrte more deeply into common endpoint pplictions. ARCHITECTURE AND INTEGRATION DLP rchitectures re defined by where they protect the content: dtin-motion network monitoring, dtt-rest file storge scnning nd dtin-use monitoring of the endpoint. Full-suite solutions include components for ech of these res, while prtil suite tools cover only portion, such s n endpoint DLP tool with n emil-only gtewy. There re lso single-chnnel products nd non-dlp tools tht bundle some DLP fetures, like n emil gtewy tht cn block messges with credit crd numbers. In the long run, most orgniztions especilly lrge enterprises will prefer full-suite solutions, but prtil-suite nd DLP-s--feture tools often meet tcticl needs where complete coverge isn t necessry. The DLP mrket strted with pssive network monitoring tools focused on detecting informtion lekge over communictions chnnels such s emil, instnt messging (IM), FTP nd HTTP. These simple monitoring nd lerting tools evolved into more comprehensive solutions, dding emil integrtion nd gtewy/proxy integrtion for Web, FTP nd IM. This llows orgniztions to block trffic before the dt escpes, rther thn just being lerted when it s lredy gone. (See Network Monitoring Tips ). For emil, DLP vendors embed mil trnsport gent, which is then dded s nother hop in the emil pth to block, qurntine, encrypt or even bounce messges bck to the user. Since emil is store-nd-forwrd protocol, integrtion is firly strightforwrd. A few tools support similr ctions on internl mil by integrting with Exchnge nd other mil servers. Other chnnels, such s Web, FTP nd IM, re more difficult to block since tht trffic uses synchronous protocols. By integrting with proxies, session nlysis cn be performed to reconstruct nd evlute content before it s relesed. Few DLP tools provide proxies nd insted prtner with mjor gtewy/proxy vendors, or use the Internet Content Adpttion Protocol. When integrted with tool tht proxies Secure Sockets Lyer trffic, you gin the bility to sniff encrypted trffic. DLP for dt t rest is often eqully if not more vluble thn network 21 DLP ESSENTIALS

22 » monitoring. This is clled content discovery; these tools scn enterprise repositories nd file shres for sensitive content. Imgine knowing the identity of every server storing credit crd informtion, nd being lerted to unpproved ones. Content discovery flls into three ctegories: network scnning, locl gents nd ppliction integrtion. With network scnning, the DLP tool connects to file shres for nlysis, which provides wide coverge but limited performnce. A locl gent my be vilble on mjor pltforms to scn directly on the server rther thn cross the network, which is more effective for lrge repositories but requires more mngement. Some tools integrte directly with document mngement systems nd other repositories to leverge ntive fetures. Enforcing this kind of policy requires integrtion with enterprise directories nd dynmic host configurtion protocol servers to identify the user s loction (system nd IP ddress) criticl feture to look for in the evlution process. Role-bsed dministrtion nd hierrchicl mngement ese mngement overhed nd re prticulrly importnt in lrge deployments. DLP policy violtions re extremely sensitive nd usully require dedicted workflow. Unlike virus infections or intrusion detection system lerts, these incidents led to employee dismissl or legl ctions. The hert of the DLP mngement system is the incident hndling queue, where incident hndlers see open violtions ssigned to them, tke ction nd NETWORK MONITORING TIPS WHEN SHOPPING FOR network monitoring tools for dt loss prevention, don t get hung up on high performnce. Since outbound communictions trffic is the only concern, even if compny is running gigbit Ethernet, it will likely monitor only frction of tht trffic. Lrge enterprises typiclly need to monitor bout 300 Mbps to 500 Mbps t most, while midsized enterprises fll below the 100 Mbps rnge, nd smll enterprises s low s 5 Mbps. Also, mke sure to determine if product monitors ll protocols, or just subset, nd if it requires hrd-code port nd protocol combintions or cn detect trffic on nonstndrd ports. The stronger tools lso detect tunneled trffic, like IM over HTTP. R.M. 22 DLP ESSENTIALS

23 » mnge workflow for investigtions. A good workflow interfce eses identifiction of criticl incidents nd reduces incident hndling time, mngement overhed nd totl cost of ownership. Recently, DLP customer chose its product ultimtely on workflow. After nrrowing the field to two vendors it considered equl in terms of technicl fetures, the compny selected the product with the workflow nd interfce its nontechnicl users (legl, HR nd complince) preferred. Beyond policy mngement nd incident hndling, look for tool tht integrtes well with existing infrstructure nd includes robust mngement tools like incident rchiving, bckup nd performnce monitoring. Since senior mngement nd uditors might be interested in DLP ctivities, robust reports re needed for this nontechnicl udience nd complince support. TESTING, DEVELOPMENT AND THE FUTURE After bringing in vendors for sles pitches nd demonstrtions, nrrow the field to three or four nd strt proof-of-concept tril. Preferbly, plce the tools side by side in pssive monitoring mode on the network nd test them with representtive policies. This llows user to directly compre results for flse positives nd negtives, but it s tougher to do with endpoint tools. Also test enforcement ctions nd integrtion into the infrstructure, especilly directory integrtion. Finlly, run the workflow pst the business units involved with enforcement to ensure it meets their needs. Orgniztions report tht DLP deployments tend to go more smoothly thn other security instlltions from technicl level, but it my tke up to six months to tune policies nd djust workflow, depending on the complexity. Mny find they need only prttime resources to mnge incidents, but this vries bsed on the intriccy nd grnulrity of policies. A 5,000- person orgniztion, on verge, needs only hlf-time incident hndler nd dministrtor to mnge incidents nd keep the system running. DLP tools re still firly dolescent, which mens they provide good vlue but re not s polished s more mture product ctegories. This shouldn t slow down deployments if you hve dt protection needs, but you should understnd tht the tools will evolve rpidly. Alredy, the mrket is trnsitioning from dt loss prevention, focused on plugging leks, to more robust content monitoring nd protection (CMP), designed to protect dt throughout its lifecycle. CMP will eventully become one of the most importnt tools in the security rsenl. Rich Mogull is CEO of Securosis LLC. 23 DLP ESSENTIALS

24 Co m p l e t e A p p l i c tion nd D t b s e S e c u r i t y L i fe c yc l e Imperv, the Dt Security leder, enbles complete security lifecycle to provide visibility nd control for business dtbses nd the pplictions tht use them. Dt is under ttck from multiple points of vulnerbility. Without the bility to trck the dtbses, pplictions, nd users ccessing dt, orgniztions will never solve their dt security nd udit requirements. Imperv delivers complete lifecycle for orgniztions to secure their dt in n utomted nd repetble process, thus providing full visibility nd control of the dt driving their business. Free Guide: Register for the Essentil Series The Role of Dtbse Activity Monitoring in Dtbse Security. This guide outlines the best prctices for dtbse ctivity monitoring nd describes how to implement this incresingly importnt technology. Divided into three rticles:» Article 1: Dt Discovery nd Clssifiction in Dtbse Security» Article 2: Dtbse Assessment nd Mngement in Dtbse Security» Article 3: Mitigting Risks nd Monitoring Activity for Dtbse Security Downlod your copy tody: Toll Free (U.S. only): or Copyright 2009, Imperv All rights reserved. Imperv nd SecureSphere re registered trdemrks of Imperv.

25 » Mndting Encryption Stte lws nd industry stndrds re forcing orgniztions to encrypt or fce penlties. Here re the options they cn use. BY BR IE N POSEY FOR YEARS, ws something compnies could choose to use if they wnted n extr degree of security for their dt. However, the dys of optionl encryption re gone forever. Tody, compnies in vriety of industries re subject to regultions tht mndte encryption nd other security mesures, nd they fce stiff penlties for filure to dequtely protect their dt. Even if compny is not subject to these types of regultions, mny sttes hve lws requiring compnies to disclose security breches in which unencrypted customer dt hs been compromised. Consequently, it is no longer question of whether compny should use encryption, but rther how compny should encrypt dt. The first step in plnning n encryption strtegy is to understnd the primry types of encryption solutions: storge, network nd pplictionlevel. While ech offers benefits, there re lso drwbcks to tke into ccount. STORAGE Storge encryption is simply mechnism tht encrypts files stored on hrd drive or other medi such s bckup tpes. This type of encryption is used primrily s contingency ginst physicl security brech such s stolen lptop contining sensitive dt. In such sitution, the Windows operting system will provide t lest some protection. Assuming tht the hrd drive is using the NT file system nd the pproprite file system permissions re being used, the thief shouldn t be ble to ccess the user s dt unless he knows the user s pssword. However, computer-svvy thief could use one of the mny utilities vilble to reset the locl dministrtor s pssword s mens of ccessing the dt, or he could just remove the hrd drive, instll it into nother computer nd bypss Windows ltogether. Unless the dt on the drive is encrypted, both of these methods will llow the thief to quickly 25 DLP ESSENTIALS

26 » ccess the user s dt. Storge-level encryption is designed to protect dt in these types of situtions, but some encryption technologies work better thn others. For exmple, the Windows Encrypting File System (EFS) cn encrypt volume contining dt, but it cnnot encrypt the system volume the disk volume tht contins the hrdwre-specific files needed to strt Windows. This mens EFSencrypted dt cn remin protected only if physicl security is gurnteed. If computer is stolen, EFS encryption will prevent dt from being compromised if n encrypted hrd drive is removed nd then instlled into nother mchine. However, since the system volume is unprotected there is nothing stopping thief from using utility to reset the dministrtive pssword, booting Windows, logging in with the new pssword nd gining ccess to the dt. Windows Vist nd Windows Server 2008 solve this problem by offering BitLocker, which uses the Trusted Pltform Module to encrypt the system volume. Since this is BIOS-level encryption mechnism, it will protect ginst pssword reset ttcks (ssuming the system volume is encrypted). If you re considering using storge-level encryption, it is importnt to crefully pln for key mngement nd to hve mechnism in plce for key recovery. Encryption key loss is n extremely common problem. When the key is lost, the encrypted dt becomes unredble unless bckup key is vilble. The result is permnent dt loss. If you re considering using storge-level encryption, it is importnt to crefully pln for key mngement nd hve mechnism in plce for key recovery. Most third-prty storge encryption products on the mrket work similrly to EFS but offer better mngebility. One importnt difference between EFS nd some of the other products (besides the vrying encryption lgorithms they use) is how they store the encryption keys. Windows stores the EFS encryption keys on the system drive, which cn led to couple of problemtic situtions. First, if the system drive fils, the encryption keys re lost, which results in permnent dt loss unless bckup key is vilble (Windows worksttions tht re prt of domin lwys designte the domin dministrtor s key recovery gent). Second, if lptop is stolen, skilled hcker my be ble to extrct the encryption keys from the system 26 DLP ESSENTIALS

27 » drive nd use them to unlock the encrypted dt. Mny third-prty encryption products protect ginst this by storing the encryption keys on USB flsh drives or on network servers. NETWORK Encryption t the storge level does good job of protecting files residing on storge medi, but it does nothing to protect dt in trnsit. Dt flowing cross network or the Internet is unprotected unless the session is encrypted. A hcker cn esily use pcket sniffer to cpture copy of individul pckets s they flow cross the network, technique used in recent high-profile credit crd thefts from retilers. These pckets cn then be ressembled nd the dt within them extrcted. At one time this ws considered firly dvnced type of ttck. Tody, though, utilities exist tht tke ll the work out of network sniffing ttck. Even n unskilled hcker cn use such utility to stel dt. There re countless mechnisms vilble for protecting dt s it flows cross network. Windows Server provides IPSec encryption. Mobile users ccessing Windows network through Windows-bsed virtul privte network cn be protected by Point-to-Point Tunneling Protocol, Lyer 2 Tunneling Protocol or Secure Sockets Lyer encryption. Of course, these re just softwrebsed encryption solutions ntive to Windows. There re lso third-prty encryption solutions tht work t the hrdwre nd softwre levels. Network encryption hs trditionlly been difficult to implement. The other mjor drwbck is it cn degrde performnce. There re two mjor drwbcks to encrypting network trffic. First, network encryption hs trditionlly been difficult to implement. For exmple, using IPSec encryption usully requires n orgniztion to instll n enterprise certificte uthority. An dministrtor will lso hve to understnd the key mngement process nd know how to set group policies tht require network computers to use IPSec encryption. Additionlly, IPSec encryption will fil unless network clients re using operting systems tht support IPSec. The other mjor drwbck to network trffic encryption is tht it cn degrde performnce. Every time client needs to communicte over the network, the client must estblish session nd encrypt the dt tht is to be trnsmitted. The recipient must 27 DLP ESSENTIALS