Strategies and Best Practices to Implement a Successful Data Loss Prevention Program

Sebastian Brenner, CISSP
Principal Systems Engineer
Symantec LAMC
Agenda
1. What DLP is and its purpose
2. Challenges for a sustainable data protection program
3. Common attributes in a successful implementation
4. Achieve greater risk reduction
What is Data Loss Prevention (DLP)?

Definition: Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer. (1)

- Where is your confidential data?
- How is it being used?
- How best to prevent its loss?

(1) http://whatis.techtarget.com/definition/data-loss-prevention-DLP
Protect What's Important

Customer Information
- Credit Card Info
- Medical Records
- SSNs and Government IDs
- Financials

Company Information
- Intellectual Property
- M&A and Strategy
- Internal Auditing
- HR Records
Some Data Loss Prevention Use Cases
- Better Visibility
- Discover Data Theft
- Risk Reduction
- Legal and Regulatory Compliance
Features to Consider in a Data Loss Prevention Solution

Coverage, under Unified Management:
- Office 365
- iOS
- Android
- USB
- Hard Drives
- Removable Storage
- Network Shares
- Print/Fax
- Cloud & Web Apps
- Email
- Web
- FTP
- IM
- File Servers
- Exchange, Lotus
- SharePoint
- Databases
- Web Servers
Features to Consider in a Data Loss Prevention Solution

Capabilities, under Unified Management:
- Route Incidents to Right Responder
- High Severity of Incidents First
- Quick Detection & Response
- Visibility and Metrics
- Automation
- Integration
- High Accuracy & Low False Positives
- Multiple Detection Technologies
- Extensive Formats
- Localization
- Flexibility
- Membership
- Granular Management
- Limit Data and Incident Access
- Exceptions
- Detect/Alert/Block
- Built-in policy templates
- Alerts based on Risk and Severity
Who are the Main Players in the DLP Arena?

Source: Gartner, Inc., Magic Quadrant for Content Aware Data Loss Prevention, Eric Ouellet, December 12, 2013

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Symantec. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Recognize challenges for a sustainable data protection program
Implementing the DLP Product Suite: Typical Customer Challenges
- Implementing the entire DLP suite without a plan ("I bought it all, I want to install it all; right now")
- Not involving all affected areas of IT ("We are IT/Security and we don't need to engage others for our projects")
- Not anticipating changing IT environment
  - Database upgrades
  - Migrations
  - Email system upgrades
- Underestimating infrastructure needs and setup timeframes (unrealistic goals)
Developing the DLP Program: Typical Customer Challenges
- Unclear or unfocused DLP program goals
- IT-centered implementation with no Business Unit involvement
- "Let's just see what happens" approach
- Lack of knowledge about the information to protect (customer needs to define what is sensitive in their environment)
- No effort toward developing procedures for the long term
Operating a DLP Program: Typical Customer Challenges
- Lack of resources
- Lack of data analysis
- No cooperation from business units
- Ad hoc changes to policies and response rules
- Inability to show risk reduction progress (ROI)
Common attributes in a successful DLP implementation
Want success? Think differently.

Traditional Approach
- Technology focused
- Incident and event centric
- Broad coverage approach
Typical Results: Unpredictable, Incomplete, Inefficient, Costly

Successful Approach
- People, Process, & Technology
- Comprehensive
- Prioritized and focused
Typical Results: Predictable, Scalable, Efficient, Cost Effective
Characteristics of Successful DLP Programs
- Executive Level Involvement
- Employee Education
- Dedicated Experienced Resources
- Metrics Connection
- Trained Incident Response Team
- Prioritized Approach
- Business Owner Involvement

[Figure: People, Process and Technology across the program phases Architect / Design, Install, Implement, Optimize, Operate]
How a comprehensive, clearly defined, business-focused DLP program achieves greater risk reduction
Three Step Implementation Approach
1. Plan for Success
2. Target Most Sensitive Data First
3. Begin Risk Reduction
Step 1: Plan for Success
- Assign a dedicated team to own project success
- Determine requirements, order and configure hardware
- Set expectations with proactive communication to employees
- Schedule training for System Administrator and Incident Response Team
- Select 1-2 key metrics for risk reporting
- Obtain executive buy-in on initial rollout strategy
Step 2: Target Most Sensitive Data First

Recommended Starting Points (Greatest Potential for Loss):
- Network: high-volume, high-risk protocols and exit points
- Storage: high-access, high-volume repositories
- Endpoint: users with access to highly sensitive data; at-risk employees

Strategically add:
- Policies
- Protocols and exit points
- Repositories
- Users and endpoints
Step 3: Begin Risk Reduction

[Figure: Risk Reduction Over Time. Y axis: Incidents Per Week (0 to 1000). X axis: Months (0, 1 to 3, 4 to 6, 7 to 9, 10 to 12). Phases: Baseline, Remediation, Notification, Prevention/Protection.]

Activities shown along the timeline:
- Enable Lookups
- Refine Policies
- Enable Advanced Detection
- Employee and Business Unit Communication
- Identify Broken Business Processes
- Fix Broken Business Processes
- Business Unit Risk Scorecard
- Sender Auto Notification
Visibility and Metrics Example (2)

(2) Screenshots from Symantec Data Loss Prevention Solution
Keys to Success: People & Process
- Engage business units and data owners to define data protection priorities
- Define and gain consensus on project goals and success metrics
- Determine awareness and communication program for DLP
- Focus initial deployment on 3-5 key policies
  - Endpoint: target users with access to highly sensitive data and at-risk employees (high turnover)
  - Network: target high-volume and high-risk protocols (SMTP, HTTP, FTP)
  - Storage: target high-access, high-volume repositories
- Train team prior to implementation
- Configure policies and define incident response workflow based on team capacity
- Regularly report results to key stakeholders and executives
Keys to Success: DLP Technology
- Optimize system performance
  - Filters, server management, scheduling scans and reports
- Precisely tune policies early
  - Detection technologies, exceptions
- Automate to minimize resources
  - Workflow, remediation, notification, prevention, protection, encryption
- Integrate with security infrastructure
  - LDAP, encryption, messaging systems, forensics, SEMs
Data Loss Prevention Maturity Model (3)

[Figure: axes DLP Maturity (1 to 5), Resource/TCO and Time/Months (1, 3, 6, 9, 12+). Labels: Increased Automation, Lower TCO, Greater Risk Reduction.]

(3) Based on Symantec DLP Maturity Model
Thank you!

Sebastian Brenner
Sebastian_brenner@symantec.com

Copyright 2011 Symantec Corporation. All rights reserved.