Guide to Successful Data Loss Prevention Risk Reduction Part 2

Transcription

1 WHITE PAPER: SYMANTEC DATA LOSS PREVENTION RISK REDUCTION Guide to Successful Data Loss Prevention Risk Reduction Part 2 Who should read this paper Symantec Data Loss Prevention customers who are in the process of deploying or have already deployed the solution in their organization, and are ready to begin the Symantec Data Loss Prevention Risk Reduction process

2

3 Content Introduction and Purpose Phase 3: Baseline Establish Meeting Schedules Tune Policies and Procedures Organize Incidents to Understand Risk Drivers Phase 4: Remediation Fix Broken Business Processes Build an Efficient Response "Library" Monitor and Communicate Metrics Phase 5: Notification Alert Employees Configure, Test, and Enable Notifications Monitor and Communicate Metrics Phase 6: Prevention/Protection Configure and Test Prevention/Protection Alert Employees Enable Protection/Prevention Monitor and Communicate Metrics Conclusion

4 Introduction and Purpose This document assumes that you have read Getting Started with Symantec Data Loss Prevention (Part 1), are in the process of deploying or have already deployed the Symantec Data Loss Prevention solution in your organization, and are ready to begin the Symantec Data Loss Prevention Risk Reduction process. Risk reduction is organized into four phases and designed to allow identification and remediation of key risk areas while minimizing potential disruption to employees and the business. In the first phase, Baseline, you will focus on tuning policies, understanding the causes of incidents, discovering broken business processes, identifying data and files that should be moved from their exposed locations, and defining and validating the remediation, reporting, and communications procedures you plan to use. In the next phase, Remediation, you will begin deploying those procedures and addressing broken business processes with the appropriate business units. It is important to give the business units a chance to improve their processes before you start the next phase, Notification, in which the Symantec Data Loss Prevention solution is configured to automatically notify employees, in real-time, of violations to compel behavior change. When you move to Notification, you want to be sure you are addressing employee oversight issues, which are most effectively handled by automated notification. The Notification phase is typically where the biggest drop in incidents is observed. When you have achieved the desired drop, it is time to move on to the Prevention/Protection phase. By now, you should have addressed the major business process issues and changed employee behavior through notifications, so that the risk of disrupting business by blocking communications or moving files is minimal. Prevention/Protection addresses anything that may have fallen through the cracks or that might be malicious. Please note that Phase 1, Planning, and Phase 2, Deployment, are covered in Getting Started with Symantec Data Loss Prevention (Part 1). The Approach (Part 2) begins with Phase 3, Baseline, and covers all four phases in more detail, including the key tasks in each phase. Depending on the services you purchased, Symantec Data Loss Prevention staff may provide support on site or on an advisory basis. Phase 3: Baseline The focus of the Baseline Phase is gathering data, understanding where your risk is, and tuning your policies and procedures in preparation for taking action in the Remediation, Notification, and Prevention/Protection phases. Symantec recommends staying in the Baseline Phase for two to four weeks for each policy that is deployed. That length of time typically provides enough data for an organization to make sure policies are accurate, get a high-level understanding of where their risk is greatest, confirm that their approach to incident remediation will work, and set some risk reduction goals. Some organizations stay in the Baseline Phase for longer, up to six months. The benefit of staying in the Baseline Phase for longer is that you will catch processes that may happen only on a quarterly, semi-annually, or annual basis. The downside is that you are still just gathering data on your risk, instead of doing something about it. Key Baseline tasks include: Establish Meeting Schedules Tune Policies and Procedures Organize Incidents to Understand Risk Drivers Begin Tracking Metrics Establish Meeting Schedules There are three main groups involved in ongoing operation of the Symantec Data Loss Prevention system and risk reduction. Table 1, below, describes these three key groups. 1

5 Table 1: Staffing for Ongoing Operation and Risk Reduction Key Role DLP Project Team (system owners) Description Responsible for maintaining system functionality and performance; configuring and managing policies, response rules, reports, users, roles, scans, and agents Staffed from Risk, Privacy, Information Security Drive on-going system tuning and expansion from the policy, exit point, and exposure point as risk is reduced; monitor operational metrics Incident Response Team (system users) Responsible for effective incident remediation, including notifying the DLP Project Team when policies, severity thresholds, response rules, scans, and reports should be adjusted. Staffed from Information Security, Human Resources, Legal, Compliance, Risk, Investigations, Forensics, other key Business Units Incident Response Team (IRT) Lead should be assigned to make sure that incident remediation processes are followed and adjusted as needed and that the team meets regularly Steering Committee Responsible for setting the strategic direction for expanding coverage, as well as risk reduction goals; monitoring risk reduction metrics; and ensuring priorities are correct, resources are sufficient, and Business Units are monitoring metrics Executive representatives from Human Resources, Legal, Compliance, Privacy, Risk, key business stakeholders DLP Executive Sponsor (CISO, CIO) should lead the Steering Committee, including driving Business Unit involvement in monitoring metrics, remediating incidents, and adding/expanding policies Team Membership Standard recommended roles for the DLP Project Team, responsible for ongoing operation of the Symantec Data Loss Prevention system, are outlined in Table 2, below. Table 2: DLP Project Team Staffing Key Role DLP System Manager Description Responsible for driving ongoing system tuning and expansion as risk is reduced by managing policies, incident response enablement, reporting, and roles. Staffed from Risk Management, Privacy, Compliance, or Information Security May also lead the Incident Response Team DLP System Administrator Responsible for ensuring smooth system operation, including monitoring operational metrics, and adjusting the system to improve performance or in response to organizational environment changes. Staffed from System Administration, Information Technology, or Information Security 2

6 Database Administrator Responsible for managing the Symantec Data Loss Prevention database, including monitoring operational metrics and adjusting the system to maintain or improve performance. Staffed from System Administration, Information Technology, or Information Security. Recommended for large enterprises Supporting Team Provide as-needed support when infrastructure or organizational system changes impact the Symantec Data Loss Prevention system; provide expertise and access to critical infrastructure Representatives from Network Infrastructure, Server Management, Desktop Management, Storage Management, Access Control, Messaging Please note that one person can hold multiple roles within the DLP Project Team. In fact, it is very common in smaller organizations for one person to fulfill the three main roles described above. The primary roles within the IRT were discussed in the Planning section of Getting Started with Symantec TM Data Loss Prevention (Part 1), and include the First Responder, Escalation Responder, and Investigation Responder. The typical initial IRT is one to three people. And typically, only one to two people within the IRT are full-time incident responders. Additional IRT members provide incident response on a defined parttime (e.g. reviewing incidents for 1 hour daily) or ad hoc (e.g. when alerted to an incident) basis. The DLP System Manager, described above, often leads the IRT. Ideally, the Steering Committee should consist of executives from the Information Security, Human Resources, Legal, Privacy, Compliance, and Risk Management departments as well as executives from key business units to represent their interests. The DLP Executive Sponsor, who drove the decision to purchase the software, should lead the Steering Committee. Many companies, particularly large enterprises, already have existing Steering Committees. In that case, making sure that DLP is a topic or that the DLP Executive Sponsor is involved will suffice to provide strategic direction for the DLP initiative. Recommended Meeting Schedules Symantec recommends that the DLP Project Team meet daily for at least the first two weeks of Baseline to assess performance and tune the system (policies, response rules, users, roles, reports) and then move to a weekly meeting for the remainder of the Risk Reduction phases. We recommend that the IRT meet weekly for the first 90 days of Risk Reduction to ensure that critical incidents are expeditiously addressed, refine processes, and build relationships within the team and with other organization stakeholders as they carry out incident response activities. Strong relationships will facilitate effective incident response that positively impacts risk reduction without negatively impacting achievement of business goals. Once the IRT and its processes and relationships are established, the team should move to a monthly meeting schedule. Symantec recommends that the Steering Committee meet quarterly to review risk reduction metrics, identify new areas for protection, and set new risk reduction goals. Tune Policies and Procedures During the Planning Phase, the initial policies and plan for incident response are sketched out so that they can be configured in the software at deployment. In Baseline, organizations see how these initial plans actually work and adjust them as needed. 3

7 Tuning Policies Policies using advanced technologies, including exact data matching, indexed document matching, and directory group matching, usually need less tuning than policies using described content matching, such as keywords and regular expressions. Policy tuning involves adding exceptions, adjusting data identifier breadth, modifying detection rules and layering detection rules by using 'and' and 'or' qualifiers to create more sophisticated policies. Symantec recommends tracking each policy's false positive rate as a measure of operational success and to give you a sense of when your policies are "tuned." Tuning Workflow Workflow tuning involves assessing how well the initial severity thresholds are working and modifying those so that the incident responders are not overwhelmed with incidents, as well as confirming that the right incident responders are reviewing the right incidents. As previously discussed, most organizations start with a very simple workflow involving one to three people, and some general assumptions for how many incidents they should be able to handle. Primary means of workflow tuning include adjusting: Severity setting within policies to control how many incidents a responder reviews and to ensure critical incidents are given top priority Role-based access control (RBAC) to control which incidents a responder reviews Response rule actions to control how incidents are routed DGM, if applied to the policy to control which incidents a responder reviews Custom attributes and/or custom attribute population to control which incidents and how many incidents a responder reviews Detection rules to control how many incidents are captured and therefore require review Adjusting match count thresholds is a key technique for tuning workflow. Symantec Data Loss Prevention allows you to manage the number of incidents generated via match count thresholding within the policies. All policies are based on matches instances where a communication or file contains data that matches what has been identified as confidential in the policy itself (e.g. social security number). One incident can have many matches. For example, a communication with 100 social security numbers will create an incident with 100 matches. The two most commonly used methods for leveraging this functionality to keep the numbers of incidents at a manageable level for your IRT are: Increase the number of matches that create an incident (the default is one) or Create severity levels within the policy, direct the IRT to remediate only high-severity incidents, and configure Symantec Data Loss Prevention to automatically resolve all medium, low, and info severity incidents. The first option is preferable if your organization is required to address any deficiencies that are identified. The second allows you to get a fuller picture of your risk areas, yet focus on the most severe incidents first. Both allow you to keep incidents at a manageable level for your team. If you choose the second option, Symantec recommends beginning with high match count thresholds for example, setting high severity match count to be greater than 500, medium severity to be between 100 and 499, low severity to be between 25 and 99, and info severity to be less than 25. In the Baseline phase, validate that these severities are generating a manageable level of high-severity incidents for your IRT. In the beginning, assume that one full-time person can remediate approximately 100 incidents per day and adjust the severity levels accordingly. As the IRT works through the high severity incidents, fixing broken business processes and educating employees, the number of high-severity incidents will decrease and the match count thresholds can be re-set to lower levels for example, high severity match count reset to greater than 250 and so on. 4

8 Tune workflow only after tuning policies this ensures you are adjusting workflow and workload on real incidents and not noise. Tuning Procedures In the Planning Phase, you should have determined the initial incident response structure and workflow. In Baseline, as incidents come in, you assess how well those procedures fit the kind of incidents that you are seeing. You may find that you need to modify your escalation criteria, or consult with others in the organization to determine the seriousness of an incident. Organize Incidents to Understand Risk Drivers After tuning the policies to capture only incidents of interest and adjusting the workflow and incident load to sustainable levels, the next step is to look more closely at the incidents themselves and begin to identify their underlying causes. Symantec recommends organizing incidents into at least three categories: Broken Business Process Employee Oversight Potentially Malicious Once you have organized the incidents broadly, you can focus on addressing each in the remaining risk reduction steps. The Remediation Phase is focused on addressing incidents caused by broken business processes by bringing these to the attention of the business owners and working with them to make processes more secure. The Notification Phase is focused on addressing incidents caused by employee oversight by immediately informing employees when an action violates policies. The Prevention/Protection phase will prevent some actions that are potentially malicious; although Symantec Data Loss Prevention is designed to identify the sources of the greatest risk, broken business processes and employee oversight (approximately 96 percent of incidents, according to data collected during Symantec Data Loss Prevention Risk Assessments). Begin Tracking Metrics Operational metrics will give you a sense of how well the Symantec Data Loss Prevention system is functioning. It is best to exit Baseline with an optimally functioning system. For example, you should have hit your false positive percentage goals for each policy, if that was one of the operational metrics you selected to track. Take a baseline snapshot of risk after you have tuned your policies and begun to understand the primary sources of your risk. This risk snapshot will serve as an important benchmark against which to measure your risk reduction progress going forward. Taking the baseline snapshot after policy tuning will ensure that you are measuring progress against actual risk, not risk inaccurately elevated by false positives. You are now ready to move on to the Remediation Phase. Phase 4: Remediation The focus of this phase is changing the high-risk business processes identified in the Baseline Phase and further developing the remediation plan for all incidents. The key steps include: Fix Broken Business Processes Build an Efficient Incident Response "Library" Monitor and Communicate Metrics 5

9 The involvement of business unit representatives is critical during this phase to identify and modify these business processes to make them more secure, without negatively impacting normal business workflow. In addition, a fully-functioning IRT is essential to effectively moving through this phase. The Baseline work of tuning policies and procedures and understanding and organizing incidents should have helped solidify and focus the team. The response planning completed in this phase is the basis for the violation notifications key to the next phase, Notification. Fix Broken Business Processes The primary way to remediate risk is to begin to address faulty business processes that allow confidential data to reside in the clear in public file shares or travel back and forth in messages between your employees, your customers, and your partners. Of incidents uncovered by the Symantec Data Loss Prevention solution, approximately half are due to broken business processes. They are a major contributor to risk and the most time intensive to remediate. Fixing broken business processes can be as simple as disabling the auto-reply that sends your customer's account information back out of the organization or as challenging as convening the members of a work group to discuss how their processes for responding to customer inquiries can be changed to be more secure. Fixing broken business processes usually requires going outside of the IRT to engage with business unit and department leads. Strong executive support at the Steering Committee level can make or break this effort. It is needed to get the right people to the table to discuss the changes that need to be made, to make sure that the process changes happen and all involved employees are trained on the new processes, and to make sure that the business units are held accountable for improving their processes to reduce risk. Symantec recommends focusing on understanding and communicating to business units about these broken business processes prior to the Notification Phase. The last thing you want to do is start notifying employees that the processes that they've been following for several years are suddenly in violation of company policy. By notifying business unit leads of risky processes and giving them a chance to correct them, you help build ongoing support for the program and evangelize the importance of every employee in protecting the organization's confidential information. Build an Efficient Response "Library" Symantec Data Loss Prevention's response actions are the building blocks of the response rules. There are 15 "automated" response actions, which can be configured to fire automatically, based on certain conditions, such as severity and incident type. Commonly used automated response actions include Send Notification, Block, and Quarantine. There are 5 "smart" or manual responses, which require a person to execute them from within the system. Commonly used smart response actions include Send Notification, Set Status, Log to Syslog Server. Additionally, the FlexResponse Application Programming Interface (API) allows development of custom response actions. The FlexResponse API can only be leveraged to create additional smart response actions. Several automated response actions can be combined into one automated response rule that can then be applied to one or more policies. This automated response rule will execute immediately after Symantec Data Loss Prevention detects the incident, with no human intervention. Several smart response actions, including those developed by leveraging the FlexResponse API, can be combined into one smart response rule that can then be applied to one or more policies. When incident responders are reviewing incidents, they can execute this smart response rule, which will carry out all the associated response actions. By building an efficient incident response library, we mean creating both automated and smart response rules that can be applied to a variety of policies. Without this approach in mind, it is very easy to develop specific response rules to address specific situations and end up with so 6

10 many possible responses to choose from that it becomes overwhelming. Taking the time to carefully plan your response rules and how you will use them will maximize their effectiveness and help ensure your IRT responds to incidents in a consistent manner. The ability to author response rules can be restricted via the roles-based access settings by the system administrator. To facilitate effective response rule development, we recommend restricting the ability to develop response rules to the DLP System Manager or IRT lead. The IRT should be meeting weekly during the Remediation Phase to review and adjust the response rules as needed. Response rule review should be a standard agenda item at every IRT meeting. It makes sense to focus on smart responses when you are starting the risk reduction process since you are just beginning to get a handle on the extent of your data loss risk. However, as mentioned above, there are three times as many automated response rules as smart response rules. As you move through the risk reduction phases, add more policies, and extend coverage of exit and exposure points throughout the organization, focus on transitioning the smart responses, requiring human action, to automated responses that can be carried out by the Symantec Data Loss Prevention system. Customers who follow this approach are able to expand their policy, exit point, and exposure point coverage faster and with the same or fewer resources involved. Monitor and Communicate Metrics As you move through the Remediation phase, it is important to continue tracking both operational and risk reduction metrics. At this point, we recommend adding a metric for capturing how many incidents are due to broken business processes and how many of those business processes are being adjusted to reduce risk. Phase 5: Notification The focus of this phase is notifying employees of corporate policy violations to prompt behavior change. For network incidents, this means automated notifications providing employees an immediate "slap on the hand" for policy violations. For endpoint incidents, this means an automated pop-up screen notifying them of the violation and giving them the option for justifying the action. For storage incidents, this means a marker file, left in place of a violating file, notifying the employee of the reason that the file was moved and who to contact for more information. For those customers who have opted not to disclose their DLP initiative to employees, this means identifying the oversight areas and developing education and awareness programs targeted to the groups that pose the greatest risk. Symantec recommends customers be transparent and open with their employees about their DLP program initiative. This open communication involves employees in the program, and encourages proactive risk reduction by everyone in the organization. The key steps include: Alert Employees Configure, Test, and Enable Notifications Monitor and Communicate Metrics Customers see a dramatic reduction in incidents once notifications are enabled. All the work accomplished in the Planning phase around employee communications helps make this the shortest of the phases as well. Alert Employees Before enabling the automated notifications, remind employees and managers of the previously-communicated data protection policies and set expectations for the notifications, pop-ups, and/or marker files, what they mean, and where to go for additional information. Ensure the notifications, pop-ups, and file markers align with and reinforce the company's overall messaging around data protection. 7

11 Configure, Test,, and Enable Notifications Notifications are most appropriate for incidents caused by employee oversight. They can cause confusion if applied to incidents due to broken business processes. The IRT's ongoing incident organization work, begun in Baseline, should help identify which policies are most appropriate for notification response rules. Always test the notifications using a test policy before enabling them to make sure they work as expected. Monitor and Communicate Metrics The Notification phase is typically where the greatest reduction in risk happens. Incidents can decrease up to 90 percent. Communicating results to the Steering Committee is strongly recommended at this point to highlight the risk reduction successes. Phase 6: Prevention/Protection Preventing incidents, malicious or unintentional, is the end goal of any data loss prevention initiative. This phase culminates in autoenforcement of your security policies, including blocking network communications, file transfers and file copying, quarantining network communications and exposed files, encrypting communications, and initiating forensics investigations. The key steps include: Configure and Test Prevention/Protection Alert Employees Enable Prevention/Protection Monitor and Communicate Metrics Customers that have devoted appropriate resources to the prior five phases are much more likely to reach this milestone on schedule. On average, customers who purchase Prevention enable it between 6 and 12 months of the initial deployment. The major concern with Prevention/Protection is potentially blocking or preventing traffic or moving files that are not actually in violation of company policy. False positives that are blocked or moved result in negative business impact, and should be avoided at all costs. In fact, policies that have not reached your false positive goal should not have prevention or protection response rules applied. Customers who go through the previous five phases have extremely high confidence in the accuracy of the system, which allows them to actively block, quarantine, and encrypt messages and files. Configure and Test t Prevention/Protection At the start of this phase, workers receive another notification, warning them that, in addition to triggering an alert, their unauthorized communications may now be blocked. As with earlier phases, it's important to continue generating reports to demonstrate continuous risk reduction. Several important requirements that help you avoid any pitfalls in this phase are outlined below. Alert Employees Remind employees and managers of the previously-communicated data protection policies and set expectations for blocking, file copy prevention, and file quarantine. Ensure the notifications, pop-ups, and file markers align with and reinforce the company's overall messaging around data protection. 8

12 Enable Protection/Prevention Once you are confident that enabling blocking, copy prevention, and/or file quarantine will not disrupt business process: For Symantec Data Loss Prevention Network Prevent for or Web, change from pass-through mode to active blocking or content removal For Symantec Data Loss Prevention Network Protect, change the response rule from copy file to quarantine file For Symantec Data Loss Prevention Endpoint Prevent, change the response rule to block These changes will enable blocking, copy prevention, and file quarantine. Monitor and Communicate Metrics Use your metrics reports to communicate the types of data that could have been transmitted, accessed, or copied, where the data was headed, and who could have accessed it. Communicate these results to the Steering Committee to demonstrate how the Symantec Data Loss Prevention solution is protecting the organization. Conclusion After progressing through the six phases described in Getting Started with Symantec TM Data Loss Prevention (Part 1) and Symantec TM Data Loss Prevention Risk Reduction (Part 2), you should be confident that: Your initial policies are successfully protecting your organization's confidential information You have built good working relationships between the DLP Team and the business unit leads and are working to address the faulty business processes uncovered by the DLP solution You have leveraged auto-notification to change employee behavior, and You have solid metrics to demonstrate your results. With the success of this first phase, you should be well positioned to continue expanding policy and exit/exposure point coverage and continuing to drive your organization's DLP risk down. 9

13

14 About Symantec Symantec protects the world s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our worldrenowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at or by connecting with Symantec at go.symantec.com/socialmedia. For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1(650) (800) Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 1/