Don't Be The Next Data Loss Story

Transcription

1 Don't Be The Next Data Loss Story

2 Data Breaches Don t Discriminate DuPont scientist downloaded 22,000 sensitive documents as he got ready to take a job with a competitor Royal London Mutual Insurance Society loses eight laptops and the personal details of 2,135 people SC Magazine The FSA has fined Nationwide 980,000 for a stolen laptop Personal data of 600,000 on lost laptop ChoicePoint to pay $15 million over data breach Data broker sold info on 163,000 people

3 Increasing Risk of Information Theft 19 people a minute become new victims of identity theft due to data breaches1 During a 3 year period, over 217 million Americans were victims of identity theft or exposure2 Each data breach costs an average of $6.3 million3 A typical Fortune 1000 company can t locate 2% of their PC s4 A typical Fortune 1000 financial institution loses 1 laptop a day5

4 Understanding the risk Market value of your sensitive data $980-$4,900 Trojan to steal account information $147 Birth certificate $490 Credit Card Number with PIN $78-$294 Billing data $98 Social Security card $6-$24 Credit card number $147 Driver's license $6 PayPal account logon and password

5 Anyone else been caught with one of these?

6 Full Disclosure and what s your data worth?

7 Is Your Data in the Wild? 80% 73% 77% of CISOs see employees as the greatest data threat of data breaches come from internal sources unable to audit or quantify loss after a data breach

8 The Problem is Rapidly Escalating 300% Security Breach Increase

9 Innocent But Risky Actions DID YOU EVER......Send an to the wrong recipient? Print a confidential document on the wrong printer?...send company confidential data to your private account? Copy data to an non-encrypted USB device?

10 User is a Four Letter Word PEBKAC Problem Exists Between Keyboard And Chair (an uncomplimentary way to indicate that a computer problem is the fault of the user) 86% 26% 83% 26% Regularly forward documents via corporate Sent customer information using web-based such as Yahoo or Hotmail Admitted printing out customer records to remove from the business Admit regularly using USB flash drives to take confidential information out of the company...but are they IT security experts or employees?

11 USA Today 29 Sep 2010

12 1 Use Case: Insider Threat and The Internet Scenario An employee disagrees with company policy or action Has access to evidence of perceived issues or abuse Uploads this data to a web-based whistleblower site DLP can stop unauthorized uploads Set policies to protect your sensitive data or communications Either block or require explicit permission to upload such data

13 Data Protection Challenges Regulated Data Easily comply with multiple regulations Reduce costs associated with audit Protect reputation & reduce penalties Enabling Business 2.0 Support supply chain & partner integration Support safe, flexible use of business data Enable safe, two-way, B2B/B2C communication Sensitive Data Protect sensitive data & intellectual property Maintain competitive advantage Ensure appropriate chain of custody

14 Managing Risk Access + Mobility = Risk Protection needed 24/7/365 Not just during business hours Data is constantly on the move, replicating and changing organically Imperative to be both legally compliant and protect your most precious assets your data, your competitive position, and your brand Holistic thinking required Networks, laptops, mobile devices, etc.

15 Securing Data Requires Different Thinking

16 Today s Security Solution Gap Most security products don t actually secure information Anti-virus They are designed to protect networks and servers They do little to protect the confidentiality and integrity of information Authentication Clients LAN VPN Change/Patch Management Threat Detection Anti-virus Information is in constant motion making it difficult to lock down Anti-spyware Web Filtering Firewall Servers

17 Data Protection Requires Different Thinking Data is not static, so security cannot be static it must persist with the data itself. This is Data-Centric Protection. Encryption Strong Authentication Data Loss Prevention Device Control

18 Data Protection Requires Different Thinking Easy to Lose Easy to Transfer Enticing to Steal $490 $147 $147 $98 Cybercrime Black Market Value Data must be protected regardless of: Usage Location Device Access

19 Data Protection Platforms Network DLP Discover Endpoint Encryption Encrypted USB Network DLP Monitor Network DLP Prevent Host DLP Host DLP Device Control Encrypted USB Data-at- Rest Data-in- Motion Data-in- Use Identify, Classify, and Protect Full endpoint management and deployment Monitor, Notify, and Prevent DLP Manager Enforce, Audit, and Respond Incident and case management Workflow and reporting

20 What is DLP? Data Sources User Actions Policy Actions Enforced to Destination At rest Copy to device Burn to disc Encrypt Move Send via net In use Cut, copy, paste Block Post to web Print Educate In motion Web IM Monitor Take home

21 DLP - Learning and Data Mining Instant Manual

22 What DLP Leverages Capture Makes Data Possible Data Define Policy Mine Data Tune Rules Violations Data Analytics Capture Search Fast, accurate policy creation and rapid, in-depth investigations

23 DLP is the Enabler DLP integrates all data protection It is the coordinating technology of a comprehensive data protection solution DLP provides data workflow oversight It responds to events & coordinates the responses of other components DLP is the one tool that enables the safe and flexible use of data Stop having to say NO to your users and start enabling YES DLP provides integrated workflows & flexibility resulting in simplified processes, lower costs and more comprehensive protection for your business without constraining your employees!

24 WikiLeaks APRIL Publishes classified Baghdad airstrike video showing 2007 attacks by U.S. helicopter that killed a dozen people. JULY Publishes 91,000 documents, majority secret U.S. military files about war in Afghanistan, back to 2004 OCTOBER Releases 400,000 classified U.S. military files from Iraq War ( ) NOVEMBER Releases 250,000 classified U.S. diplomatic cables with assessments of world leaders and Iran s nuclear missile program NOVEMBER Forbes reports that WikiLeaks plans to release tens of thousands of internal documents from major U.S. banks in early 2011 Julian Assange DECEMBER 2 Amazon.com ceases hosting WikiLeaks website DECEMBER 7 Internet activists attack PayPal, Mastercard and Visa which have withdrawn services from WikiLeaks DECEMBER 21 Apple removes WikiLeaks apps from App Store JANUARY 8 U.S. relocates some people named in WikiLeaks cables JANUARY 17 Swiss whistleblower hands over data on hundreds of offshore bank acct. holders to WikiLeaks FEBRUARY WikiLeaks still online, but DNS records removed

25 Where to start? Discover data. Desktop Laptop Database NFS Web Server SharePoint Build Policies. Documentum If (ConfidentialData(){PreventSendTo() Prevent data leakage. 25

26 Thank you. 26