Technology Blueprint. Protecting Intellectual Property in . Guarding against information-stealing malware and outbound data loss

Transcription

1 Technology Blueprint Protecting Intellectual Property in Guarding against information-stealing malware and outbound data loss

2 LEVEL SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL Security Connected The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for SECURITY CONNECTED centralized, efficient, and REFERENCE ARCHITECTURE effective risk mitigation. Built on LEVEL more than two 1decades 2 3 of 4 5 proven security practices, the Security Connected approach helps organizations of all sizes and segments across all geographies improve security postures, optimize security for greater cost effectiveness, and align security strategically SECURITY with business CONNECTED initiatives. The REFERENCE Security Connected ARCHITECTURE Reference Architecture provides a concrete LEVEL path from 1 ideas 2 3 to 4 5 implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe. Guarding against information-stealing malware and outbound data loss The Situation Your company s Intellectual Property (IP) source code, blueprints, design diagrams, and planning documents is usually more valuable than your company s physical assets. Shouldn t this property be as closely guarded as your building? One of the most prevalent paths of IP loss and theft is your company s system. Whether the loss comes from someone accidentally sending data unencrypted, intentionally sending out company information just prior to resigning, or falling prey to a targeted spear phishing campaign, the vector is one of the most important to protect. Many businesses scan for spam, viruses, and malicious attachments and some restrict release of personally identifiable information in compliance with privacy regulations. However, most do nothing to restrict the loss of crucial and unique intellectual property assets through . Driving Concerns The majority of valuable and confidential intellectual property is ed at some point packaged in notes, design files, spreadsheets, presentations, and reports. Typical enterprise users think that is a protected form of communication and simply do not understand what data should or should not be sent over . To these users, encryption seems like a needless hassle. At the same time that honest employees are placing IP at risk, thieves and disgruntled employees are embracing as a tool for penetrating defenses and exfiltrating valuables. An is the first salvo in spear phishing and other targeted attacks. Today s complex and mission-critical environment requires extra attention to protect IP. Enterprises must equip themselves to handle these IP-specific challenges: Identifying the correct information. IP is usually unstructured data without the simple strings or signature patterns that enable filtering of personally identifiable information (PII) and malware Enforcement of policies based on content. Why is someone in customer service sending out information about payroll? Some users should not be allowed to send out sensitive information. Some information can be sent if it is processed correctly. Enterprises need an automated enforcement system they can count on to apply policies consistently. Protecting the business without impeding the business. Corporate information should be prevented from getting into the wrong hands without slowing down or unduly hindering normal business processes Protection against malicious outsiders. Custom and targeted phishing attacks known as spear phishing use and social engineering to infect systems belonging to privileged users. Ideally, your users should never receive these s. If they receive the malicious message, they should be blocked from responding to (or having an infected system respond to) that phishing message with an containing confidential data. Integration with DLP, encryption, and security management tools. To minimize operational costs as well as user and policy management effort, IP protection should supplement and team with other software systems already in place 2 Protecting Intellectual Property in

3 Solution Description To protect against IP loss through , your solution will need to detect and protect IP sent outside the company and also inspect inbound messages for phishing content and malware. Linked together, these outbound and inbound filtering systems can dramatically reduce your exposure to IP theft and loss, without driving up operational costs. By building on existing security infrastructure, they can also be deployed without disruption of this critical communication system. An effective solution will address each of the concerns described earlier: Identifying the correct information. All outbound must be inspected for intellectual property. Since IP is different in each business, the system needs flexibility and rich tools for detecting both structured strings and custom unstructured data. The solution must be able to scan and identify such data in both the body and the attachment of an . Policies for IP property should work easily alongside or integrate with DLP and other systems that filter for personally identifiable information (PII) and regulated data. Enforcement of policies based on content. The system should use rules to make a decision on what to do in the event it identifies an containing IP. Resulting actions should include options to encrypt, block, allow, and quarantine. It is helpful to have notifications so that the administrator and the end user understand that a policy was enforced. Rules should match action to risks and roles to ensure the system performs the right action. Imagine a scenario where a backup tape operator has access to sensitive data but does not have the authority to this data outside of the company. Silent and automated encryption of this mail would simply aid in the employee theft of this data. Instead, an appropriate enforcement action would have been to quarantine and notify a security officer. The solution should allow a range of actions triggered by policies and content detected: Decision Elements These factors could influence your architecture: What regulations for content security apply to your company? How can these be enforced for ? Does your need to be archived for compliance? How many egress points do you have today? How many mail exchanger (MX) records do you have? Each MX record needs to have at least one device. Do you currently use a cloud-based protection service? Do you require distributed or centralized management? Do you already have a DLP solution today? What are your requirements for encryption? Encrypting a message only when the sender/recipient is authorized to read the Blocking or quarantining a message when the sender/recipient is not authorized to read the , while simultaneously notifying a security officer Rerouting a message to an archival system for long term storage Detection of desktop encryption. Users determined to bypass security checks will encrypt the message at the desktop. The system should detect, prevent, and notify of any unauthorized use of desktop encryption. Protecting the business without impeding the business. Encryption provides a simple way to preserve the confidentiality of documents sent through . Organizations should adapt encryption controls to their business requirements: Gateway to gateway encryption. Basic S/MIME, OpenPGP, and TLS encryption are standards in the world, but sender and recipient gateways may not support the same techniques. For guaranteed encryption, security must enforce encryption using any of these protocols, based on sender or recipient or combination of the two. Gateway to end user encryption. There are situations when the receiving party often a business partner simply cannot receive an encrypted message using standard gateway encryption. The gateway device must be intelligent enough to realize gateway to gateway encryption will not work and be able to automatically encrypt the data in a manner that can be accepted by the recipient of the message. This automation ensures end users will not opt out of required encryption. One option, push encryption, sends recipients a secure message as an attachment to an otherwise standard . The recipient can view and respond to the message using any web browser. Alternatively, pull encryption uses a secure staging server and notifies the recipient to collect the message from a secure web-based mailbox. The recipient logs into a secure web page to retrieve, view, and reply to any encrypted messages. Both pull and push encryption have uses in the world and should be supported. Protecting Intellectual Property in 3

4 Protection against malicious outsiders, including spammers and phishing attacks. Signaturebased inbound screening must be enhanced to deal with malicious s containing custom-crafted attachments and using multiple stages. Reputation-based defenses, both inbound and outbound. Any technology you consider must include both inbound and outbound protection that has been enriched to combat modern blended and targeted attacks. Inbound protection should include a reputation-based technology for antivirus, antispam, and antiphishing. Antiphishing is especially valuable since Advanced Persistent Threats (APTs) quite frequently start as an inbound phishing . Reputation technology assesses the risk and intent of the based on historical information where history could be the sender s actions as recently as a minute ago. As a security professional, you must research and understand the data sources underlying this reputation-based protection. Is the data source looking at just one vector ( for example), or is the data source looking at all aspects of an attack ( , web, network, file level, message level, even country level)? If a reputation is deemed risky, then the system should enforce the appropriate action (usually block or quarantine). Enforcement of corporate executable, file, and media policies. To minimize damage from malware and spear phishing, policies should specify that certain users not be allowed to receive and run executable files. However, this control requires effective policies for the restriction of executable content downloaded via , coupled with tools that look beyond basic file extension. The latter feature is important because attackers anticipate basic blocking of.exe files and simply rename executables to something that is likely to be allowed at the gateway, such as JPG or GIF file extensions. Tools must validate that a file is true to its type and then enforce the appropriate action. Integration with DLP, encryption, and security management tools. Intellectual property protection may start with , but it certainly should not stop there. Policy-based enforcement in should strengthen other gateway tools, including data loss prevention and encryption gateways. Tight integration eliminates enforcement loopholes and minimizes integration and maintenance costs. For example, if there is already a DLP policy in place to protect against printing or copying information, do you have to duplicate the policy again when trying to integrate with ? Integrated systems will share policies, avoiding the errors and loopholes introduced by replication and helping to ensure consistent policy enforcement (one policy to maintain). 4 Protecting Intellectual Property in

5 Technologies Used in the McAfee Solution The McAfee Protection solution defends against the latest -borne threats and helps guard against data loss. It integrates data loss prevention technology, content-based policies, encryption, and continuity services with advanced antivirus and antispam. Your choice of deployment options lets you focus on implementing the security where you need it without deployment restrictions. For the most rigorous protection of intellectual property, McAfee Protection can be used with McAfee Data Loss Prevention. We provide a direct integration with McAfee Network DLP Prevent, offering fine-grained fingerprinting integrated with policy enforcement. The broader set of McAfee Data Loss Prevention functions is also available for comprehensive protection of data at rest, data in motion, and data in use. McAfee Global Threat Intelligence (GTI) McAfee Protection Remote User Cloud-based threat and spam protection McAfee Protection Firewall Fine-tuned security and Server LAN User policy enforcement Continuity Services McAfee Network Data Loss Prevention McAfee and data loss prevention solutions integrate for strong inbound and outbound IP controls McAfee Protection McAfee Protection provides two tiers (on-premises and in the cloud) of antimalware and antispam for inbound traffic, to guard against data stealing malware, phishing, and other threats. These layers both reduce the chance of infection by malicious content and free the resources of your onpremises security for other tasks. For outbound traffic, McAfee Protection integrates content filtering for structured and regulated data, as well as some forms of intellectual property. Before traffic leaves your site, fingerprinting, lexical analysis, and clustering techniques supplement keyword and pattern matching to reliably detect and enforce data usage policies on regulated data (such as credit card and social security numbers) and certain unstructured data that you have fingerprinted, or which has searchable words, phrases, or regular expressions. Advanced document fingerprinting technology enables you to train your security to determine which documents are policy controlled. By creating and storing digital fingerprints of selected documents, the solution learns what kind of content needs to be controlled by policy. Policies can be enforced for whole or partial content matches in and attachments. Policy enforcement can include quarantining, blocking, or encryption. In addition, operating in the cloud, McAfee SaaS offers templates for outbound screening of structured and regulated data. This service helps you protect remote users and ensure your content policies cover your entire user community. Protecting Intellectual Property in 5

6 At your site, policy-based encryption uses a combination of B2B (TLS, S/MIME, and OpenPGP) and B2C (push and pull) technologies to ensure that even recipients without encryption capabilities can receive and reply to secure . Optional McAfee SaaS Encryption can help enforce encryption policies as well. To block information-stealing malware hidden inside legitimate seeming files, McAfee performs full file type and media verification. Reputation scrutiny also enables McAfee Protection to block or quarantine more efficiently and accurately, making the solution extremely effective with maximized performance. McAfee uses cloud-based network reputation provided by McAfee Global Threat Intelligence. Reputational analysis applies intelligence from sensors in more than 100 countries and thousands of devices around the globe. Correlated web, , and network reputation scores of the message sender enable the solution to make rapid decisions about the , dropping unwanted at the connection level, saving bandwidth, and consuming minimal system resources. In addition to the network information, the message headers and content itself is inspected by reputation. This enables known spam and other unwanted to be instantly identified, even if comes from a reputable source, such as an infected system within a whitelisted company (such as Yahoo! Mail or Gmail). McAfee Global Threat Intelligence also provides real-time, cloud-based file reputation services. File reputation enables McAfee Protection to protect customers against both known and emerging malware-based threats attached to . File reputation is compiled based on billions of file queries each month. McAfee Global Threat Intelligence file reputation responds with a score that reflects the likelihood that the file in question is malware, enabling the identification of malicious files, even if a signature is not available. McAfee Protection integrates with McAfee epolicy Orchestrator (McAfee epo ), as well as Splunk and ArcSight, for better enterprise visibility and streamlined reporting. McAfee Data Loss Prevention For detection, inspection, and enforcement actions on unstructured intellectual property, the McAfee solution integrates with McAfee DLP Prevent. The idea is to identify the intellectual property once, then simply turn on the rules of protection. DLP Prevent is not required for McAfee Protection to perform content policy enforcement, but if an existing DLP policy is already in use, then leveraging DLP Prevent can remove the need to rewrite existing DLP policies for use by . Also, DLP Prevent can be used when expanding DLP policy from structured data to unstructured data. Supplementing the content dictionaries built into McAfee Protection, McAfee Data Loss Prevention provides templates covering a broad range of intellectual property types, such as CAD files. You can customize these formats easily. Once you have defined policies and fingerprinted the IP you want to protect, you direct your traffic through McAfee DLP Prevent. When sensitive data is found, the DLP system instructs the McAfee Gateway to take the appropriate enforcement action. Many organizations are not sure what specific data and files they should consider to be intellectual property. You can choose to adopt the full McAfee Data Loss Prevention product set to discover, monitor, and protect your IP throughout your network. For example, McAfee DLP Discover offers crawling of data at rest throughout your network, including your servers, endpoints, and file shares. It creates a historical database of data usage with business context. This system can help you decide what data is in use, by whom, and build unique rules for filtering and enforcement that align with how data is really used in your business. McAfee DLP includes other advantages for intellectual property protection. Automated tagging and classifications can apply policies based on the source application, the storage location, group and organizational data, and business-specific triggers, such as a finite number of customer names. For example, any data created by a software development application or stored on a software development file server could be marked as company confidential, internal only, or for access only by members of the development team. These controlled classifications help companies protect data and can be adjusted over time. 6 Protecting Intellectual Property in

7 Impact of the Solution Many companies are exploring controls for the intellectual property that distinguishes and supports each business. Deploying McAfee Protection and McAfee Data Loss Prevention will enable you to protect your business without impeding your business. Policy-based controls and advanced fingerprinting help ensure accurate rules enforcement without false positives that get in the way of the smooth flow of communications. Important processes such as sensitive data identification and encryption of data happen automatically, without burdening the end user. Since most is safe to transmit without encryption, accurate application of this technology provides a good balance of security and user convenience. Integration between controls and with other enterprise infrastructure helps you gain visibility and efficiencies throughout your security and compliance environment. To block outsiders attempting to steal your valuables, McAfee offers robust antispam and antimalware, with real-time threat assessments by McAfee Global Threat Intelligence, minimizing the chance that your users will receive or click on phishing s or malicious attachments that could open your infrastructure to a targeted attack. Protecting from these threats is one more line of defense for protecting your intellectual property. McAfee solutions match the requirements of business today. Flexible, scalable deployment options allow you to implement the right controls for each user community, while consolidating systems to reduce hardware and maintenance costs. By having the proper checks and balances in place, McAfee helps ensure proper security controls, significantly reduces your attack surface, and minimizes the chance your competitive advantage will disappear because of communications. Q&A If I m using McAfee Gateway, do I still need to have a separate McAfee DLP Component? It depends on the format of your IP. McAfee Gateway has built in tools for searching for structured data such as social security numbers, credit card numbers, as well as word/phrases and regular expressions (regex). McAfee DLP Prevent can be added to look for unstructured data such as diagrams, blueprints, and source code. McAfee DLP Prevent can also be used for centralizing DLP across multiple platforms, , web, host, and network, without rewriting policy for each platform. Does the SaaS component of McAfee Protection also include antispam, antivirus, and DLP? Yes it does. This extra layer provides screening and flexibility to support more users and more implementation models, depending on your business. Do I need a separate management appliance to manage multiple gateways? No, you do not. Centralized management is included in the appliance, including enterprise class features such as centralized AV updates and policy changes. If you wish to deploy an appliance in a separate VLAN or management section, this implementation can be facilitated with either a virtual or physical appliance. Am I required to deploy any agents to leverage Active Directory authentication for the McAfee Gateway? McAfee Gateway can query any LDAP-compatible system, including Active Directory. Do I need a separate encryption server? No, the ability to encrypt is built right into the product at no extra charge. Do I have to manage external accounts for my customers to retrieve encrypted messages? No, McAfee Gateway allows the end user to be completely self sufficient with self registration and password management. Protecting Intellectual Property in 7

8 Additional Resources For more information about the Security Connected Reference Architecture, visit: About the Author Gene Moore is a McAfee Systems Engineer with 15 years of IT experience, primarily working with and web security products. After several years with large enterprises including Pepsi, MCI Systemhouse, and CompUSA, he joined CipherTrust, which became Secure Computing, which was later acquired by McAfee. Moore attended the University of North Texas and is based in Plano, Texas, today. The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided AS IS without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance Mission College Boulevard Santa Clara, CA McAfee, McAfee Data Loss Prevention, McAfee epolicy Orchestrator, McAfee epo, McAfee Gateway, McAfee Protection, McAfee Global Threat Intelligence, and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2011 McAfee, Inc bp_protecting-ip- -L3_1011