Data Protection: McAfee's Endpoint and Network Data Loss Prevention
Dipl.-Inform. Rolf Haas, Principal Security Engineer, S+, CISSP, rolf@mcafee.com
January 22, 2013, for ANSWER SA Event, Geneva
- Position
- Features and Live-Demo
- Questions & Answers
Latest McAfee Facts
- 125 million McAfee users
- 83% of Fortune 100 companies using McAfee
- 100+ million mobile devices shipped with McAfee
- 5 million: single largest McAfee deployment
- 8 Gartner Magic Quadrants that feature McAfee
- 480+ McAfee patents, more pending
- 80+ McAfee Security Innovation Alliance partners
- 8,000 McAfee employees globally
- 120 countries that make up McAfee's global footprint
- Now a 100% Intel subsidiary
McAfee's Extensible Platform for Security Risk Management
Industry leadership to drive better protection, greater compliance, and lower TCO
- SIA Associate Partner
- SIA Technology Partner (McAfee Compatible)
Two Drivers for Data Security
- Regulation: HIPAA, PCI, SOX; thousands of regional privacy laws
- Sensitive data: product designs, IP, M&A, financials, legal
Data Communication Channels: How Does Data Leak?
Data sources, the controls that cover them, and the user actions through which data leaks:
- At rest: Data Discover, Network Data Encryption, Removable Media Encryption (user actions: move files, access shares)
- In use: Data Discover to Endpoint, Device Control, Removable Media Encryption (user actions: copy to device, print, cut/copy/paste)
- In motion: Data Monitoring, Data Blocking, Data Encryption (user actions: outbound email, web posting, IM, blogs)
McAfee Data Protection Solution Architecture
- Endpoints on the secured corporate LAN: Endpoint DLP, Device Control, Endpoint Encryption, Encrypted Media; disconnected endpoints carry the same Endpoint DLP, Device Control and Endpoint Encryption
- Network: Network DLP Discover; Network DLP Monitor on a SPAN port or tap; Network DLP Prevent via MTA or proxy at the network egress/DMZ
- Central management: ePolicy Orchestrator (ePO) with a unified policy for network and endpoint DLP
Discover Data with DLP Endpoint
What it does: find and protect sensitive information on hard drives.
- Crawl local drives and tag by application, location or content
- Outlook files (PST/OST)
- Remediate: move, delete or encrypt
Monitor Data with DLP Endpoint
What it does: monitor data as it leaves the endpoint (DLP Monitor at the switches/routers).
- Provide content-aware detection
- Over 300 content types
- Outlook, webmails
- IM/FTP/HTTP(S)
- I/O channels (USB, media, devices)
Protect Data with DLP Endpoint
What it does: protect against data loss via outbound email and web postings (DLP Prevent at the email/web gateway) and via endpoints such as laptops, USBs and other devices.
- Provide content-aware device control
- Move or block
- Integrated with Endpoint Encryption: file, folder, or USB
- DRM support: Adobe, MS RMS
Unified Rules/Policies
Create unified rules and policies across all vectors (data-in-motion, data-at-rest, data-in-use, device control).
Example: protect credit card numbers from leaving the organization.
Implementation: one-click distribution
- Send to network components for protection at egress points
- Send to the host agent for protection at the endpoint, including download to removable media
Consolidate incidents from all vectors
- Single location for incidents
- Common framework for incident workflow
- Create reports, escalate to cases
- Comprehensive view of the data loss profile
- Built-in investigation and remediation
McAfee Data Protection Phase Concept
You cannot do everything at once...
Phase 1: Encryption
- Full disk encryption of laptops/desktops to protect against external threats (ROI because no HDD destruction is needed)
- File & folder encryption to protect data wherever it goes (persistent)
Phase 2: Control the removable media disaster
- Device Control to (block), monitor and educate
- Encrypt all devices transparently with Endpoint Encryption for Removable Media, hence less blocking
Phase 3: Data classification
- Use the monitoring and discovery engine of Network and Endpoint DLP
- Capture database to tune policies
Phase 4: Activate full DLP across the enterprise
- Monitor, control and prevent what the user is allowed to do with your data
User Awareness Instead of Blocking
Educate your end users to reduce internal incidents; user behavior changes with the implementation of the different DLP phases.
- Monitoring and logging
- Announcement
- Event-based user pop-ups (no blocking)
Technology Architecture for Security: How Connected Is Your Security?
Host IPS agent, DLP agent, encryption, antivirus agent, NAC, audit agent, systems management agent...
- Every solution has an agent
- Every agent has a console
- Every console requires a server
- Every server requires an OS/DB
- Every OS/DB requires people, maintenance, patching
Where does it end?
Technology Architecture for Security: How Connected Is Your Security?
McAfee ePO server (AV, DLP, NAC, encryption, PA, SiteAdvisor): single agent, single console.
Security Management Platform: ePO
- Real-time threat feeds, security metrics, actionable information, protection
- Serves the executive, the security admin and the IT architect
- Managed products: Endpoint, White Listing, Encryption, Risk Mgmt, Email, Firewall, DLP, Web, IPS, SIA
- Integrates with IT operations platforms
ePO Integration Strategy
Automation of monitoring, reporting, and auditing reduces costs!
Products: McAfee Endpoint Encryption, McAfee Endpoint Encryption for Removable Media, McAfee Network DLP and Endpoint DLP
1. Single console, single agent endpoint deployment and management
2. Single consolidated source for incident response and reporting
3. Comprehensive incident views, case management and workflow
Data Loss via Social Media
Block design information posting on Facebook
Unencrypted USB Access
Prevent patient data from being copied onto USB
Unauthorized Clipboard Access to Data
Prevent sensitive information from being copied
McAfee Device Control and Host DLP Client
- Deploy the agent via the ePO server
- Full communication through the one-agent strategy
- Local uninstallation only with challenge response
- Disable block protection for x minutes via challenge response
- User notification for monitor or block actions
- Driver-based software protection
- Can be active in Windows safe mode
- Watchdog prevents services from being stopped
McAfee Device Control: Device Definition
- Configure devices per connected port (USB, FireWire etc.), Windows device GUID, USB class code, serial number, device name
- Group device definitions for easy usage
- Whitelist Windows GUIDs, e.g. keyboard and mouse
- Run a report and register own/new Windows GUIDs
McAfee Device Control: Device Rules
- Management through web-based ePO
- Machine-based policy assignment
- User-based assignment (OU, memberOf, single user)
- Configure Monitor, Read Only, Block per policy
- Create device exemptions
- Block running executables from USB
- Run a security awareness program
- Configure hyperlink and text for the user notification
McAfee Device Control: Management
- Management through web-based ePO
- Automatic reports sent via mail
- Export device definitions from reports for whitelisting
- Redaction of sensitive fields in reports
- "For eyes only" principle to open reports
- Monitor the status of agent deployment
- Verify device details for connected devices on clients
- Configure active modules/drivers
Implementation Example: H-DLP
- Phase 1: silent monitor mode; analysing the risks, report to management
- Phase 2: monitor mode and user notification for devices; security awareness campaign
- Phase 3: read-only mode, e.g. for all unencrypted media
- Phase 4: block mode, e.g. for all foreign (unencrypted) devices
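As an added illustration of the device definitions, rule evaluation and rollout phases described on the preceding slides (example code written for this page, not McAfee's client): devices are matched on bus, USB class code, vendor/product ID and serial number, the first matching rule wins, an exemption for company-encrypted media is listed ahead of the general removable-storage rule, and the same rule set tightens from phase 1 (monitor) to phase 4 (block). The vendor/product IDs, serial numbers, device names and per-phase actions are constructed assumptions; the USB base class codes 0x03 (HID) and 0x08 (mass storage) are the standard ones.

```python
"""Device-control evaluation modelled on the slides' definitions, rules and
phases; added illustration, not McAfee code.  All IDs and serials are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"          # whitelisted, no event recorded
    MONITOR = "monitor"      # full access, event logged
    NOTIFY = "notify"        # logged plus a user pop-up, no blocking
    READ_ONLY = "read_only"
    BLOCK = "block"


@dataclass(frozen=True)
class Device:
    bus: str                 # "USB", "FireWire", ...
    class_code: int          # USB base class: 0x03 HID, 0x08 mass storage
    vendor_id: int
    product_id: int
    serial: str
    name: str


@dataclass(frozen=True)
class DeviceDefinition:
    """One entry of a device group; an attribute left as None matches anything."""
    name: str
    bus: Optional[str] = None
    class_code: Optional[int] = None
    vendor_id: Optional[int] = None
    product_id: Optional[int] = None
    serial: Optional[str] = None

    def matches(self, dev: Device) -> bool:
        pairs = [(self.bus, dev.bus), (self.class_code, dev.class_code),
                 (self.vendor_id, dev.vendor_id), (self.product_id, dev.product_id),
                 (self.serial, dev.serial)]
        return all(want is None or want == have for want, have in pairs)


@dataclass
class DeviceRule:
    name: str
    definitions: List[DeviceDefinition]
    action: Action

    def applies(self, dev: Device) -> bool:
        return any(d.matches(dev) for d in self.definitions)


# Device definitions (constructed vendor/product IDs).
HID = DeviceDefinition("keyboards and mice", class_code=0x03)
REMOVABLE = DeviceDefinition("removable storage", class_code=0x08)
CORPORATE_ENCRYPTED = DeviceDefinition("corporate encrypted stick", bus="USB",
                                       class_code=0x08, vendor_id=0x1234, product_id=0x5678)


def policy_for_phase(phase: int) -> List[DeviceRule]:
    """Rules in evaluation order: the whitelist and the exemption for company
    encrypted media come before the general removable-storage rule."""
    storage = {1: Action.MONITOR, 2: Action.NOTIFY,
               3: Action.READ_ONLY, 4: Action.BLOCK}[phase]
    encrypted = Action.NOTIFY if phase == 2 else Action.MONITOR
    return [
        DeviceRule("whitelist", [HID], Action.ALLOW),
        DeviceRule("corporate encrypted media", [CORPORATE_ENCRYPTED], encrypted),
        DeviceRule("other removable storage", [REMOVABLE], storage),
    ]


def evaluate(dev: Device, rules: List[DeviceRule],
             default: Action = Action.MONITOR) -> Tuple[Action, str]:
    """First matching rule wins; anything unmatched is monitored."""
    for rule in rules:
        if rule.applies(dev):
            return rule.action, rule.name
    return default, "default"


EXECUTABLE_EXT = (".exe", ".dll", ".msi", ".bat", ".cmd", ".ps1", ".vbs")


def file_action(device_action: Action, path: str, block_executables: bool = True) -> Action:
    """Per-file refinement of the device verdict: "block running executables from
    USB" applies even to media that are otherwise only monitored."""
    if device_action is Action.BLOCK:
        return Action.BLOCK
    if block_executables and path.lower().endswith(EXECUTABLE_EXT):
        return Action.BLOCK
    return device_action


# Constructed sample devices.
MOUSE = Device("USB", 0x03, 0x0001, 0x0002, "", "Optical Mouse")
CORPORATE_STICK = Device("USB", 0x08, 0x1234, 0x5678, "CORP-00042", "Corporate Encrypted Stick")
FOREIGN_STICK = Device("USB", 0x08, 0xabcd, 0x0001, "SN-PRIVATE-7", "Private Flash Drive")

if __name__ == "__main__":
    for phase in (1, 2, 3, 4):
        print(phase, [evaluate(d, policy_for_phase(phase))[0].value
                      for d in (MOUSE, CORPORATE_STICK, FOREIGN_STICK)])
```

Running the block prints, per phase, the verdict for the mouse (always allowed), the company stick (monitored, notified in phase 2) and the private stick (monitor, notify, read-only, block). Listing the specific definition before the general one is what makes the exemption work; reversing the order would block the encrypted corporate media in phase 4 as well.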
DLP Increases Control
- Encryption: without DLP, encrypt everything; with DLP, selectively encrypt, encrypt on demand
- Removable media: without DLP, block USB devices; with DLP, content-based coaching, block based on origin
- Device control: without DLP, block cut, copy, paste; with DLP, content-aware blocking, content-based coaching
Content-aware enforcement delivers greater control and reduces costs, only applying protection where it's needed.
McAfee Host Data Loss Prevention: Content Classification
- Persistent classification
- Copy and paste of text recognized
- Manual classification (Explorer integration)
- Location- and application-based
- Own created dictionaries
- File details information, including own created fields
- File type based (header and extension)
- Regular expressions
McAfee Host Data Loss Prevention: Content Classification with Registered Documents
1. Register the document share. Example: \\fileserver01\sensitive_files%
2. Schedule an ePO server task for inventorying. Example: create a fingerprint of the content of all files within the document share.
3. Deploy the fingerprint to the clients. Example: the fingerprint is distributed to the clients like a virus scan signature.
4. Schedule a discovery scan in the Data Loss Prevention policy. Example: report all found documents, encrypt them, delete them.
- Configure folders which shouldn't be scanned locally
- Encrypt locally found files with an EEFF key
- Apply an Adobe Rights Management policy
- Quarantine the files
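The classification mechanisms listed on the two preceding slides (regular expressions, file type by header and extension, registered-document fingerprints), together with the credit-card rule used as the policy example earlier in the deck, are modelled below in an added Python example written for this page; it is not McAfee code and makes no claim about how the product implements them. The Luhn check on regex hits is an added refinement the slides do not mention, the shingle-hash fingerprint is one common way to recognise excerpts of registered content, and every document, byte string and card number in the block is constructed.

```python
"""Content classification of the kinds named on the slides, as an added
illustration (not McAfee code).  Modelled here:
  1. regular expressions (credit-card numbers), with a Luhn check that the slide
     does not mention but that cuts most false hits,
  2. file type from the header ("magic" bytes) compared with the extension,
  3. registered documents: fingerprint the share's files, then recognise copies
     or pasted excerpts of that content elsewhere.
All documents, bytes and numbers below are constructed for the example."""
import hashlib
import re
from typing import Dict, List, Optional, Set

# 1. Regular expression + Luhn: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Regex candidates that also pass Luhn, returned as digit strings."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


# 2. File type by header: header bytes -> extensions that legitimately carry it.
MAGIC = [
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
]


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header identifies a type but the extension claims another
    (a PDF renamed to .txt would slip past an extension-only rule)."""
    exts: Optional[Set[str]] = next((e for magic, e in MAGIC if data.startswith(magic)), None)
    if exts is None:
        return False                        # unknown header: nothing to compare
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in exts


# 3. Registered documents: hash every run of n words; case and punctuation are
# ignored so a lightly edited excerpt still matches.
def _shingles(text: str, n: int) -> Set[str]:
    words = re.sub(r"[^\w\s]", " ", text.lower()).split()
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()[:16]
            for i in range(len(words) - n + 1)}


class RegisteredDocuments:
    """Inverted index shingle hash -> document names.  The index, not the
    documents, is what would be distributed to the clients."""

    def __init__(self, n: int = 5) -> None:
        self.n = n
        self.index: Dict[str, Set[str]] = {}

    def register(self, name: str, text: str) -> None:
        for s in _shingles(text, self.n):
            self.index.setdefault(s, set()).add(name)

    def match(self, text: str, threshold: float = 0.3) -> Dict[str, float]:
        """Share of the candidate's shingles found in each registered document,
        keeping only documents at or above the threshold."""
        candidate = _shingles(text, self.n)
        if not candidate:
            return {}
        hits: Dict[str, int] = {}
        for s in candidate:
            for name in self.index.get(s, ()):
                hits[name] = hits.get(name, 0) + 1
        return {name: c / len(candidate) for name, c in hits.items()
                if c / len(candidate) >= threshold}


# Constructed stand-in for the registered share's content.
REGISTERED_SHARE = {
    "m_and_a_memo.txt": "Project Falcon: the board approved the acquisition of Example "
                        "Corp for 120 million euros, subject to regulatory approval in Q2.",
    "design_spec.txt": "The widget controller firmware uses a dual core processor with "
                       "hardware encryption for all stored telemetry records.",
}


def build_registry() -> RegisteredDocuments:
    reg = RegisteredDocuments(n=5)
    for name, text in REGISTERED_SHARE.items():
        reg.register(name, text)
    return reg


if __name__ == "__main__":
    print(build_registry().match("FYI the board approved the acquisition of Example "
                                 "Corp for 120 million euros, call me"))
    print(find_card_numbers("card 4111 1111 1111 1111, ref 1234 5678 9012 3456"))
    print(extension_mismatch("report.txt", b"%PDF-1.4 constructed"))
```

The match score is the fraction of the candidate text's word-runs that came from a registered document, so a pasted sentence inside an otherwise harmless email still scores highly while an unrelated message scores zero; the threshold is the tuning knob the "capture database" phase of the rollout would be used to set. Only the hash index travels to the clients, which is what lets a fingerprint be pushed like a signature without copying the sensitive documents themselves.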
McAfee Host Data Loss Prevention: Protection Rules
- Application File Access Protection
- Clipboard Protection
- E-Mail Protection
- File System Protection
- Web Post Protection
- Network Communication Protection
- Printing Protection
- Removable Storage Protection
- Screen Capture Protection
McAfee Host Data Loss Prevention: Management
- Central management from ePO
- Enable only the required handlers on the clients
- Challenge response code generation
- Policy Analyzer
- Configure your own reports
- View evidence with hit highlighting
- Policy-based evidence path configuration
- Machine- and user-based policy assignment
Thank you! Any questions? rolf@mcafee.com