RSA Data Loss Prevention (DLP) Understand business risk and mitigate it effectively

Transcription

1 RSA Data Loss Prevention (DLP) Understand business risk and mitigate it effectively Arrow ECS DLP workshop, Beograd September 2011 Marko Pust 1

2 Agenda DLP in general What to expect from DLP and what not Challanges with DLP RSA DLP solution Logical arhitecture Physical arhitecture RSA DLP 8.8 : what s new? Demo 2

3 3

4 4

5 Definition of DLP technology that helped us build technology DLP is a process people a to protect our from leaking sensitive data -CISO, Healthcare Company RSA subscribes to this philosophy and encourages customers to focus on people and process and to take a risk based approach in building DLP projects 5

6 Knowing The D In DLP: Sensitive Data Regulatory Data Corporate Secrets Credit card data Privacy data (PII) Health care information Intellectual property Financial information Trade secrets 6

7 RSA DLP Methodology You Can Follow Policy Framework Based on Governance, Risk & Compliance DISCOVER MONITOR EDUCATE ENFORCE Sensitive Data User Actions Users & Mgmt Security Controls? RISK RISK Reduce Risk Understand Risk TIME 7

8 DLP Covers Your Entire Infrastructure RSA DLP Enterprise Manager RSA DLP Network RSA DLP Datacenter RSA DLP Endpoint DISCOVER MONITOR EDUCATE ENFORCE Web File shares SharePoint Databases Connected PCs Disconnected PCs 8

9 Risk Based Policy Management Enforce security controls based on the risk of a violation User Action Data Sensitivity User Identity Defined in DLP Policy LOW ALLOW NOTIFY QUARANTINE JUSTIFY RISK MOVE BLOCK HIGH ENCRYPT SHRED Manual or Automated AUDIT COPY DELETE RMS (DRM) 9

10 10

11 RSA DLP Data Classification Techniques RSA DLP Classification Framework File Attributes Identity Analysis Described Content Fingerprinting File metadata Headers, etc. Usage data* File owner Device owner Data owner 170+ policies Keywords Regex Entities Pluggable entities Binary Full text match Partial-text match Database match Logical rule sets Contextual Analysis Content Analysis 11

12 RSA DLP Policy Library & Methodology 170+ built-in in policies you can use Knowledge Engineering Retail PCI DSS Healthcare HIPAA Telecom/Tech CPNI Sample Profile of a Knowledge Engineer MA CMR 201 Caldicott (UK) Source Code CA AB 1298 PIPEDA Design Docs Work Exp: 12 years Certifications: 18 regulations Manufacturing ITAR Patent Apps EAR Financial Serv GLBA FCRA NASD Other NERC Global PII 401k & 403b Languages : Four Background: Linguistics, artificial intelligence, search technologies Education: Library sciences, Computer science Dedicated Knowledge Engineering team develops and maintains DLP policies 12

13 In-Depth Data Analysis Framework Attributes & Identity Analysis header data Attachment type, size, etc. Content in body & Attachment General keywords Specialized keywords Patterns and strings Proximity analysis negative rules 13

14 You Scan for Sensitive Data. Then What? Result Sensitive files discovered by DLP X IT decides on remediation IT does not have business context Potential of disruption to business Involve end-user in remediation Who to contact? What to ask? How to track responses? How to follow up? How to orchestrate? How to manage the process? 14

15 Remediating Risk From Unstructured Data RSA Datacenter Solution What s in it? Classify files to identify important ones Who really owns it? Monitor file activity to identify owners A file in a file share What to do with it? Establish a workflow to involve the file owner 15

16 RSA Risk Remediation Manager (RRM) SharePoint Grid Business Users Databases Apply DRM Virtual Grid Encrypt NAS/SAN RSA DLP Datacenter RSA DLP RRM Delete / Shred Temp Agents Change Permissions File Servers Agents File Activity Tools GRC Systems Policy Exception Endpoints Discover Sensitive Data Manage Remediation Workflow Apply Controls 16

17 Policy Development for Corporate Secrets DLP Policy Requirements Best Practices What data is sensitive? How long is it sensitive? Who can do what? Who should the alerts go to? Who are the policy approvers? Enable business to take ownership Develop an approval process Avoid s/calls based approach Record all communications Establish a repeatable workflow We can figure it out for compliance data. But for our company s IP only business knows the latest and greatest. It s crucial to involve them for (DLP) policy definition - A DLP project owner, Enterprise Organization 17

18 RSA DLP Policy Workflow Manager (PWM) + Step 1 Identify files & set business rules Step 3 DLP Policy is routed for approval Business Managers Step 2 Create DLP Policy & check for feasibility Step 4 Approved DLP policy DLP Admin End Users Policy applied across the enterprise 18

19 Get More by Using DLP & SIEM Together Reports RSA DLP Enterprise Manager Risk Heat Maps Asset Collector Alerts RSA DLP Network RSA DLP Datacenter RSA DLP Endpoint DLP Events Collector Services Forensics Incidents Correlations RSA DLP Suite RSA envision Identify hidden risk by correlating DLP events with all other IT events in real-time Prioritize alerts in envision by identifying devices/assets with sensitive data Monitor a single dashboard for all incidents (alerts from DLP and infrastructure) 19

20 RSA DLP architecture 20

21 In Motion At Rest In Use NETWORK DATACENTER ENDPOINT Fileservers HTTP/S CD/DVD IM Desktop/Laptop USB Storage Databases Dear mom, PRINT FTP/S Portals COPY/SAVE Block Audit Quarantine Encrypt - Access Controls Notify - Justify Dashboards Incidents Reports Policies Admin Enterprise Manager 21

22 DLP SUITE In Motion At Rest In Use NETWORK DATACENTER ENDPOINT Fileservers HTTP/S CD/DVD IM Desktop/Laptop USB Storage Databases Dear mom, PRINT FTP/S Portals COPY/SAVE Block Audit Quarantine Encrypt - Access Controls Notify - Justify Dashboards Incidents Reports Policies Admin Enterprise Manager 22

23 DLP SUITE - Physical In Motion At Rest In Use NETWORK DATACENTER ENDPOINT Controller Required Sensor Audits Interceptor ICAP HTTP/S FTP Switch / Tap Mail Encryption Proxy Enterprise Coordinator (Win) Site Coordinators (Win) Agents (Local/Grid) Perm Temp DLP Appliances Customer Systems Dashboards Incidents Reports Policies Admin Enterprise Manager (Windows) MS SQL 23

24 RSA DLP Product Architecture Third Party Elements AD RMS Policies Active Directory IT GRC Platforms RSA DLP RSA DLP Enterprise Manager System Policy & Classification Incident Administration Library Management Web Interface Reporting & Workflow Engine SIEM Policies Incidents RSA DLP SDK Embedded in Partner Platforms Classification Policies Incidents Network Network Controller Controller Network Classification Enforcement Incidents Grids & Agents Controller Datacenter Classification Enforcement Incidents Agents Agents Controller Controller Endpoint Classification Enforcement Incidents CUSTOMER DATA ELEMENTS 24

25 RSA Data Discovery Architecture Database Main Data Center DLP Administrator Secondary Data Center SharePoint RSA Agents Note: All RSA Data Discovery components are offered as software Remote Offices 25

26 RSA DLP Endpoint Functionality Monitor Educate Enforce Connected or Disconnected from Corporate Network Connected to Corporate Network RSA DLP Endpoint Agent Not Connected to Corporate Network 26

27 RSA DLP Network Monitor Deployment Mail Servers SMTP SMTP Outbound Relay SPAN TAP Corporate Users IM, HTTP, HTTPS, FTP Proxy Server DLP Administrator Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as virtual appliances 27

28 RSA DLP Network Enforce Deployment Encryption Server Mail Servers SMTP SMTP Outbound Relay Corporate Users IM, HTTP, HTTPS, FTP Proxy Server DLP Administrator Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as virtual appliances 28

29 RSA DLP Network Deployment Architecture Encryption Server Mail Servers SMTP SMTP Outbound Relay SPAN TAP Corporate Users IM, HTTP, HTTPS, FTP Proxy Server DLP Administrator Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as virtual appliances 29

30 Scanning SharePoint with RSA DLP Employees RSA DLP Enterprise Manager DLP Administrator Partners Vendors Microsoft SharePoint RSA DLP Datacenter SharePoint API Use RSA DLP to: 1) Identify all sites 2) Scan all data objects 3) Locate sensitive data 30

31 Challenges With Data Protection SharePoint Repositories Apply DRM Encrypt NAS/SAN File Servers Delete / Shred Change Permissions Endpoints Policy Exception Where is the sensitive data? Who is accessing the data? What controls to apply to reduce risk? 31

32 RSA DLP and Imperva Better insight into Data at Rest for more effective remediation process DISCOVER MONITOR EDUCATE ENFORCE DLP DLP DLP DLP What data is sensitive? How is it being used? What to educate on? What do I enforce? Where is it? Where do I enforce? Imperva Imperva Imperva Imperva Who has access to it? Where to start discovery? Who is accessing it? Who shouldn t have access? Who do I educate? Who should be alerted of violations? How can I enforce? 32

33 RSA DLP Scan Data Into Imperva PC I PII 2) Import RSA DLP classification into Imperva Imperva File Activity Monitoring Credit Card #s Social Security # s PH I Credit Card #s 1) RSA DLP discovers and classifies sensitive data 3) Based on classification, Imperva can: Monitor access Limit user access rights Alert/block unauthorized activity 33

34 VMware vshield App: Built-in Data Classification Through RSA DLP Content Aware Infrastructure DMZ 1 DMZ 2 Secured VMware vsphere 5+ vshield App with Data Security Classify files within VMs RSA DLP classification technology embedded into VMware vshield App with Data Security No agents or 3 rd party software Includes 80+ expert RSA policies out of the box Consistent classification across both physical and virtual environments 34

35 RSA DLP: Solution for Outbound s Internal s Outlook Web Access RSA DLP Network Audit Notify Encrypt Block Educate Justify Quarantine Enterprise Use Analyze Content for Policy Violations Enforce Controls 35

36 New ICAP Functionality: Response Modification Corporate Network Access s from OWA Third Parties External Employees Vendors Download attachment from OWA Download files from SharePoint Access files from internal FTP server x RSA DLP Incoming requests Allow non-sensitive content Block sensitive content Outgoing response OWA SharePoint FTP 36

37 New Feature: DLP for Internal Internal among employees NEW: With DLP V8.8 you can monitor exchanged within the organization Exchange Server DLP can monitor, block, quarantine or encrypt all going out 37

38 RSA DLP Network Deployment Architecture 2 Encryption Server Mail Servers SMTP 3 SMTP Outbound Relay SPAN TAP Corporate Users IM, HTTP, HTTPS, FTP Proxy Server 1 Monitor only all outbound and web traffic Monitor & enforce all outbound SMTP s Monitor & enforce all internal s 4 Monitor & enforce all web traffic, including HTTPS DLP Administrator Note: All RSA Network components except for RSA DLP Network Sensors can be deployed as virtual appliances 38

39 Thank You The Security Division of EMC 39

40 Tools for Organizations Interested in DLP What stage are you in today? We can help you: Better understand DLP Develop a DLP project internally Develop a framework to evaluate and select the right DLP vendor Considering DLP Scoping DLP Project Evaluating DLP Vendors Risk Assessment DLP Miniscan DLP Workshop DLP Demo (RVC) Free Scan DLP Workshop EMC CIRC Tour DLP TCO Tool DLP Sizing Guide DLP RFP Templates DLP POC Consideration Metrics 40

41 RSA DLP for Virtualized Environments Virtualized Servers Run RSA DLP management software on virtual machines Deploy RSA DLP Network hardware* as virtual appliances Leverage virtual servers for RSA DLP grid scanning * Except for RSA DLP Network Sensor Virtualized Desktops Use RSA DLP Endpoint agent on virtual desktops Both Citrix XenDesktop and VMware View are supported Scan Home Drives without interfering with the desktop Strategic partnership with major virtualization vendors 41

42 RSA DLP Partner Ecosystem Infrastructure Partners Embedded DLP Centralized Mgmt AD RMS Technology Partners Control tools SMS ISA Proxy solutions Mgmt platforms ACLs Mgmt tools 42

43 RSA DLP Worldwide Adoption 1000 Customers worldwide Retail Financial Healthcare + Technology Insurance Others 43