BUILDING A SECURITY PROGRAM THAT PROTECTS AN ORGANIZATION S MOST CRITICAL ASSETS

Transcription

1 BUILDING A SECURITY PROGRAM THAT PROTECTS AN ORGANIZATION S MOST CRITICAL ASSETS

2 ABOUT BEW GLOBAL Founded 2002 Global Service Delivery Focused Expertise Quality Management S O L U T I O N O F F E R I N GS Consulting Services Managed Services Product Services Technical Services Security Assessments Training Services

3 DATA LOSS PREVENTION EXPERTISE Daily Management of 1,000,000+ Users Completed 500+ Assessments Deployed 400+ DLP Projects Manage DLP Solutions in 22 Countries Q U I C K FAC T S Symantec Master Specialization DLP Partner RSA s Only Authorized Managed DLP Partner 1st Managed DLP Services Provider (2008) Localized Chinese DLP Practice (2011) Global Support in 130 countries Websense Certified TRITONs More than any other partner, 7 Olympians & 1 Gladiator

4 INTELISECURE MANAGED SERVICES Event Management Reporting & Metrics Application Management IMS POD STRUCTURE Information Security Engineer Technical optimization & health of all system components Information Security Analyst Incident Triage Scope & Policy Governance Daily incident event review & workflow management Business Analyst Translate system and event data into reports & analytics

5 WHAT WE WILL COVER TODAY SYMANTEC DLP COMPONENTS Endpoint Prevent Developing the DLP Program DLP Use Cases How Did They Get There? Developing the DLP Program Symantec Data Loss Prevention Endpoint Prevent monitors files downloaded to local drives; transferred over , IM, Web or FTP; copied to USB, CompactFlash, SD, or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically. With Symantec Data Loss Prevention, you can monitor and block: Avoiding Common DLP Pitfalls Instant messages sent to a partner containing confidential M&A information Web mail with product plans attached going to a competitor Customer lists being Open copied Q&A to USB or other removable media devices containing PII sent via hosted security services Source code that is copied to a local drive Mobile devices for sent containing confidential data Product design documents being burned to CD/DVD Price lists being printed or faxed to a competitor

6 CRITICAL ASSET PROTECTION PROGRAM (CAPP) A Critical Asset Protection Program (CAPP) clearly defines what assets are deemed most important to the organization based on the concepts of revenue, income, reputation and core operational impact. Most organizations fail at their Data Loss Protection programs due to the lack of developing a Critical Asset Protection with a documented scope.

7 CAPP METHODOLOGY Most information and network security programs are doomed from their inception due to the common pitfalls of failing to develop a program scope that is accepted, acknowledged and supported by senior leadership. Through a comprehensive interview and information gathering process, BEW Global and our customers develop a realistic Critical Asset Protection Program Scope that defines the assets and the core attributes of the asset in regards to the following: Creation Storage Usage Transmission

8 CAPP CRITICAL ASSET LIFECYCLE MAPPING Critical Asset Creation Critical Asset Storage Critical Asset Use Critical Asset Transmission The point in time when the asset is created. This could be the first swipe of a credit card, the initial lines of code for a new application or the acquisition of a new VM Cluster. Today, asset creation can be the product of multiple groups or systems making the need for a laser focused scope imperative for a successful protection program. Once the asset has been created the asset is stored. For intangible assets this may be in RAM, on a hard disk, NAS, SharePoint or other types of data storage. Tangible assets like servers, routers or laptops may be racked in a datacenter, placed in a remote office closet or placed on a home office desk. Mapping the authorized use of the critical asset is very important when developing the Critical Asset Protection Program. By mapping the authorized usage characteristics of the assets within the CAPP scope, applying the optimal combination of people, process and technology to successfully protect the critical assets becomes a more manageable endeavor. The assessment of how critical asset information is shared within and outside the organizations provides key insight to the required protection mechanisms. The transmission threat vector is utilized for authorized operations constantly and in parallel presents some of the greatest challenges to inadvertent or malicious asset exposure.

9 SAMPLE CAPP PROGRAM SCOPE Critical Assets Management Concerns: Priority Security Concern Category Program Scope Supported Response 1 Disclosure of customer and employee PII data Customer and Employee Data Symantec Network Discover File Share scanning to gain visibility into storage locations Symantec Network Monitor monitoring to gain visibility into transmission 2 Disclosure of PCI data Customer Data Symantec Network Discover File Share scanning to gain visibility into storage locations Symantec Network Monitor monitoring to gain visibility into transmission 3 Disclosure and unauthorized use of customer ARM Logs Proprietary Customer Data Symantec Network Discover File Share scanning to gain visibility into storage locations Symantec Network Monitor monitoring to gain visibility into transmission 4 Disclosure of Proprietary and Licensed source code Intellectual Property Symantec Network Discover File Share scanning to gain visibility into storage locations Symantec Network Monitor monitoring to gain visibility into transmission

10 SAMPLE CAPP PROGRAM SCOPE Targeted Data Elements: Category Data Element Description / Requirement Data Identifiers Personally Identifiable Informatio n (PII) Social Security Numbers The Human Resources, Finance, and Legal departments identified SSN as a key piece of PII to be protected by the Critical Asset Protection Program. SSNs store on customers and employees 9 numeric characters Customer Data TSN [client name] Serial Number Numbers are assigned to and uniquely identify each [client name] set top box. These numbers are associated to records (ARM logs) collected on each [client name] device containing sensitive customer information. 15 Digit Hexadecimal number First 3 digits represent the TSN prefix The following 11 represent the unit ID Final digit is a checksum Payment Card Industry Data Credit Card Numbers During regular transactions with customers [client name] collects and stores Credit Card Numbers. [client name] is currently categorized as a PCI level 2 vendor but strives for level 1 compliance. All major national and international credit card vendors Source Code Copyrighte d/proprieta ry Code Proprietary source code and copyrighted source code Adobe Copyright Broadcom Copyright Microsoft Copyright [client name] Copyright

11 SAMPLE CAPP PROGRAM SCOPE Service Milestone Timeline: Milestone Description Target Date Data Loss Prevention System Technical Install Data Loss Prevention system technically installed, tested and prepared to monitor all communications Complete Critical Asset Protection Program Implemented Resources in place to manage Critical Asset Protection application, policies, triage incidents, develop analytics, and work with business to remediate events 07/2013 Critical Asset Protection Program Kick-off Actively monitor production traffic with first crafted production policies targeted at specific data elements/client information ensuring data is going to the correct clients 07/2013 Critical Asset Protection System and Program Tuning Working with the business to review incidents and leverage data to improve policy accuracy within the Critical Asset Protection system 08/2013 Policy Accuracy Target 90% + Tuning the Critical Asset Protection policies to the point of 90% or greater accuracy on outbound communications, allowing for initial testing of prevention controls 09/2013 Blocking Pilot Select User Group Identification of first user group set-up for blocking or quarantine of unauthorized communications flagged by the DLP system 09/2013 Blocking Full Production roll-out Phased roll-out of remaining business units to be included within the blocking and quarantine scope of the Critical Asset Protection system 09/2013 Phase # 1 Completion Program in place for constant refinement of policies as the business evolves, communication with business units on violations, business analytics delivered, and unauthorized communications blocked 09/2013

12 USE CASE: DLP PRE-PROJECT STATE Organization Overview: DLP Scope: DLP Primary Issue: Application Management: Policy Governance: Incident Triage: Event Management: Reporting and Metrics: Status: Manufacturing firm of 30,000 employees operating in 50 countries globally Protection of Intellectual Property (General) Lack of staff and buy-in from business owners who handle critical assets Most information security tools operated and managed by IT or networks No internal resources with any experience with DLP policy construction Lean staff of Infosec staff already buried by SIEM and other tools output Informal event management process with little feedback to the business Zero customized reports. Very little business analysis provided Charged with implementing DLP to protect Critical Assets, specifically product IP

13 APPLICATION SUPPORT & INTEGRATION Primary System DLP Management = Human Resource / Expertise Requirements Integrated System Management = Cross Department Collaboration Processes Health Check & System Validation Management = System Resource Requirements Vendor Management = Primary and Integrated Technology Vendor Relationships

14 POLICY & RULE GOVERNANCE Who requests rules & policy requirements? Are business owners engaged? Who reviews rule requests? Criteria for approved rule? What s the process for converting a rule request into a policy? Who s responsible for converting a rule into technical policy? Do they have technical policy authoring expertise? What is the formal policy development process? First drafts rarely work as expected! Is there a process to relay production policy metrics to stakeholders?

15 WORKFLOW DEVELOPMENT & MANAGEMENT Who develops & manages policy buckets? False positive, inbound partner, outbound employee Who defines thresholds that determine response rules for each bucket? Are 10 SSNs a high, medium or low severity incident? Who designs & sets the policy response triggers? Malicious, Inadvertent, Suspicious, above threshold. Triage response options: Human notification System notification (auto) Hybrid? Who s responsible for building alerts, alarms & notifications? Has business been engaged on event management? Who manages the DLP policy & rules repository? Why recreate the wheel?

16 INCIDENT TRIAGE & EVENT MANAGEMENT Who reviews volume & yield of incidents & events? What s the review frequency? How are events/incidents routed? Who owns the incident/event? How does DLP fit in overall incident/event management process? Can this be mapped to DLP system? What metrics are developed to measure success of rules & related policy? Who s responsible for developing metrics? Revision of rules based on quality of policy results. Who manages policy optimization process? How will integrated systems be tied together to yield valued info? Secure mail, web gateway, GRC, SIEM

17 BUSINESS ANALYTICS Who drives report requirements? Requestors, Reviewers, others? Who develops reports? Do they have the expertise with 3 rd party reporting tools? Are DLP system generated reports adequate? Are the metrics valuable & driving meaningful change? Report accuracy tied into QA process?

18 USE CASE: POST-PROJECT STATE Organization Overview: DLP Scope: DLP Primary Goal: Application Management: Policy Governance: Incident Triage: Event Management: Reporting and Metrics: Status: Defined specific business units to initiate program Focused on 3 specific product lines linked to highest revenue & earnings Identification of unauthorized movement of specific elements of IP Operated by a combination of IT, messaging & desktop management teams 100% customized policies based on data collected from business unit Daily review of incidents by BEW Global Intelisecure Managed Services team Incidents meeting severity criteria routed to business unit for investigation Behavioral pattern analysis leading to preventive actions R&D teams have high-level of confidence in ability to identify leakage of IP

19 Number of Hours QMS SAMPLE QUARTERLY REPORT Intelisecure DLP QMS: Six Month Trend Application Management Policy Governance Incident Triage Event Management Reporting & Analytics Time

20 PITFALL 1: NO PLAN OF ATTACK

21 PITFALL 2: FAILURE TO ENGAGE THE BUSINESS 5 Pieces of DLP Advice You Can t Afford to Ignore 21

22 PITFALL 3: INADEQUATELY TRAINED RESOURCES 5 Pieces of DLP Advice You Can t Afford to Ignore 22

23 DATA LOSS PROTECITON PITFALLS: M i s s i n g t h e Ta r g e t F a l s e S e n s e o f S e c u r i t y Mis-configured Tap or Port Span Encryption The Masked Data Misfire of Network Discovery Scans Network versus Endpoint Discovery Problem Missing segments of network traffic or protocols Solution Comprehensive test plan that maps to in scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured. Problem Analysis of data DID NOT take place prior to encryption. Solution Comprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed test DLP policies that identify encrypted transmissions as part of the test plan. Problem Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process. Solution Identify potential data stores by discussing the DLP program with staff to understand process. Problem Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same. Solution Prior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then, decide on scanning method..

24 DATA LOSS PROTECITON PITFALLS: T h e P a n d o r a s B o x o f D L P Environment Assessment Staying in Contact User Performance Impacts Network/System Performance Impacts Problem No rigorous endpoint environment assessment prior to the selection of the application & enablement. Problem Failure to monitor endpoint population & their frequency of checking-in to the management server with validated results. Problem Implementing same policies for network based & endpoint assessments without testing or modification. Problem Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections. Solution Address age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints. Solution Phased deployment of endpoint with validation via test plan on initial success of ALL agents & ongoing endpoint agent health reports. Solution Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send s, open applications) prior to deployment. Solution Thorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.

25 B E W G L O B AL H Q B E W G L O B AL E M E A B E W G L O B AL A P A C 5613 DTC Parkway Suite 1250 Greenwood Village, CO USA (ph) (fax) Albany Court Albany Park Camberley GU16 7QR England (ph) +44 (0) (fax) +44 (0) Oxford Street Level 23, Tower 1 Bondi Junction Sydney 2022 (ph) +61 (2) (fax) +61 (2)