Practical DLP Deployment

Transcription

1 Practical DLP Deployment Practical DLP Deployment for your Organization Jon Damratoski, DLP Architect

2 DLP Basics Overview A few items discussed today What is DLP? Define a DLP program using business driven approach DIM, DIU and DAR details DLP incident triage, reporting and remediation DLP use cases

3 What is DLP? Context aware analysis of data at the network, endpoint and storage levels with the ability for preventative actions Key here is Data Loss Prevention Business driven the business has to work with the DLP team to identify the sensitive information that is valuable to the organization this becomes the requirements for DLP Policies

4 Business Driven Approach Key steps with all DLP programs Conduct DLP Workshops to identify the following: Discuss current business processes to identify sensitive content you would like to protect with DLP Discuss acceptable use cases of sensitive content Gather sample sensitive content to design and tune DLP policies Determine where to apply DLP Policies to monitor SMTP/HTTP (DIM), Endpoint USB (DIU), NAS Shares (DAR), etc. As confidence with DLP grows, slowly introduce preventative actions such as block , modify HTTP sessions or even block copy to unapproved USB devices

5 DLP Policies Area of DLP where you define the sensitive data (context) to filter on - includes both out of the box and custom policies Can be combination of multiple detection technologies including keywords, regular expressions (DCM), file indexing (EDM/IDM), file type, etc. Multiple rules can be combined in policy logic to increase the accuracy and reduce the false positive rate of DLP incidents

6 DLP Deployment Planning Crawl, Walk then Run works best Start slow with one vector such as Network or Endpoint Pick 3-5 policies in audit only mode to assess leakage scope As DLP program matures, slowly add additional policies, vectors and proactive actions such as block or quarantine You can only protect sensitive information you have identified moving forward DLP can t look backwards!

7 Data in Motion (Network) Monitors SMTP, HTTP, HTTPS* and other clear text protocols SMTP is most common starting point as most organizations already have web filtering in place via proxy servers Can be inline or passive Inline is most common for SMTP DLP can connect to existing proxy servers via ICAP Passive monitoring is common for internal to internal network monitoring via network tap or spanning port Inline is required if you plan on implementing preventative actions such as block, modify, etc. * HTTPS breakdown would occur on proxy servers and not DLP servers

8 Data in Use (Endpoint) Monitors data at the endpoint such as local disk, copy to USB, printing, etc. Allows context driven analysis of both stored data and actions such as copy to local disk and USB storage devices, printing, application monitoring Can be configured to monitor both on and off the network Logic can be built into Endpoint policies to allow copy to approved USB devices while blocking copy to unapproved USB storage devices

9 Data at Rest (Storage) Monitors stored data on NAS, SharePoint, Exchange and Databases NAS is most common starting point as most organizations struggle to identify where sensitive data is stored Supports multiple vendors such as NetApp, EMC and Win NAS SharePoint is rapidly become more common in DAR Lack of user access control and organization leads to proliferation of sensitive data on SharePoint sites Database scanning supports Oracle, SQL server, DB2 and other common formats

10 DLP Incident Triage This is where the DLP analyst reviews each incident to verify accuracy and determine follow up actions Dedicated, full time resources here will quickly recognize broken business processes, potential security violations and provide much more ROI with DLP than shared resources Don t create an incident unless you can review and follow up in timely fashion!

11 DLP Reporting While DLP does a great job of explaining incident details, manual analysis of exported incident data is usually required for trending Reports detailing trending analysis of users, increase/decrease of DLP incidents over time and incidents by business units are common Consider third party tools such as IT Analytics, SIEM, etc. to improve reporting capabilities

12 Use Case Large Healthcare Large healthcare company providing medical services Primary goal is protection of PHI and PII custom index (IDM) policies created from PHI & PII databases, additional regular expressions/keywords (DCM) PHI & PII policies DIM for HTTP and SMTP, DAR for PII and PHI stored on unsecured network shares and external facing SharePoint sites DIU for endpoint copy to USB with exception for copy to approved USB, quarterly scans for PHI and PII data stored on local disk

13 Use Case Small Manufacturing Small manufacturing company with engineering designs in various file formats Custom index (EDM/IDM) policies for all design documents, additional regular expression/keywords (DCM) policies for similar design documents Unique situation with Office 365 in use for SMTP Endpoint SMTP monitoring via Outlook application monitoring*, endpoint copy to USB and printing * Verify application monitoring support with your vendor

14 Recap What did we cover today? What is the difference between DLP and other security tools? Context Business driven approach Deployment details on DIM, DIU and DAR Incident triage and reporting DLP use cases

15 Questions?

16 Contact Information Jon Damratoski, DLP Architect, Black Diamond Technology Office (615) Chris Mitchell, Senior Security Solutions Engineer, TN, Symantec Office (901)