Data Leakage Prevention (DLP): Understanding The Concept
George Ntontos, Partner,
External Threats: viruses, hackers, blackmail, spamming, trojans
Company Perimeter: corporate network, office space, mobile computers, removable devices
Internal Threats: data leakage, unauthorized access to information
70-80% of all losses from IT incidents come from authorized internal users, not from external threats or hackers (!)
The most dangerous incident possible is a DATA LEAK:
- it is irreversible
- it is pursued by regulators
- it damages reputation
- it leads to direct financial loss
In 2008 the losses caused by a data leak ranged from $400K to $32M.
Source: Ponemon, The 2008 Annual Study: Cost of a Data Breach
The biggest part of the losses is lost profit:
- lost clients
- lost partners
- lost market share
- lost confidence
Source: Ponemon, The 2008 Annual Study: Cost of a Data Breach
How much may a data leak cost?

Customer          | Incident                                                           | Possible loss, EU*
Universal bank    | Reliable debtor registry                                           | 30 M
Retail bank       | A list of 1000 persons, checked by the company security department | 15 M
IT company        | Malefactor communication                                           | 0.5 M
Oil & gas company | Purchase commission demands                                        | 0.2 M
Oil & gas company | Tender application                                                 | 200 M
* customer's estimations
- Company's internal employees
- Temporary employees: translators, trainees, etc.
- Outsourced employees: data centers, call centers
- Transportation companies: couriers
- Employees of other companies that have access to information within your company: auditing service companies, controlling units
- Copies on removable media
- Forwarding and sending emails
- Web access (web mail, blogs, messengers, etc.)
- Printing and carrying away the printed copy
- Backup copies carried away physically
[Chart: Channels of data leakage. Source: InfoWatch, Data leaks in 2008 report]
[Chart: public leak cases for the year 2008. Source: InfoWatch]
- Only 20% of information is structured *
- >10% of information changes every day **
- 10% of information is zero-day documents **
- 30% of documents are not absolutely confidential **
IT MEANS THAT IT IS IMPOSSIBLE TO PROTECT DYNAMIC INFORMATION WITH STATIC, DOCUMENT-BASED METHODS ONLY
*) Autonomy 2008
**) InfoWatch 2009
Protection is required for all major risk vectors.
Removable Device Leaks: USB/flash disks and cards, printers, Bluetooth, WiFi, CD/DVD
Company Perimeter: corporate network, office space, mobile computers, removable devices
Network Leaks: web, mail, instant messages, network printing
Portable Storage: loss, theft
INTERCEPTION: agents on workstations; universal traffic interceptors; server plug-ins
ANALYSIS: formal attributes; linguistics; fingerprints; tags
DECISION-MAKING: allow; block; process further
STORING: in file system; in DB (+ full-text search)
All modern DLP systems can:
- control network traffic
- control network printing
- control the connection of external devices to workstations
- integrate with encryption tools
Not all modern DLP systems can:
- effectively protect both static and dynamic data
- analyze the details of incidents and investigate them
Technology | Features and advantages
Stop-words and regular expressions | Detection of leaks of information that follows a certain pattern, for example credit card numbers, passport numbers, SSNs, bank account numbers, etc.
Linguistic and context analysis | Proactive protection of confidential data right after its creation (works with dynamic data: new or changed documents)
Digital fingerprinting and watermarks | Protection of rarely changing data that was previously found and indexed (works well for static data, for example protecting authors' rights on media content or source code)
Hybrid Analysis combines: digital fingerprinting, digital watermarks, regular expressions, dictionaries, stop words, linguistic analysis, context analysis.
Hybrid analysis is more efficient thanks to merging several different technologies.
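The two slides above describe the content-analysis technologies separately; the following added example (not from the presentation or from any vendor's product) combines them the way a hybrid analyzer does: a regular-expression rule with a Luhn check for card numbers (pattern detection), a stop-word dictionary, and a word-shingle hash fingerprint of a previously indexed document, followed by an allow/review/block decision. The confidential document, the messages, the stop words and the thresholds are all constructed for the demonstration.

```python
import hashlib
import re
# Constructed sample data (not from the slides): one indexed confidential document
# whose fingerprint the DLP holds, plus four outbound messages to analyze.
CONFIDENTIAL_DOC = "Tender application for the North Sea block: bid price 4.2 billion, valid until March."
SAMPLE_MESSAGES = [
    "Please pay with card 4111 1111 1111 1111 before Friday.",
    "FYI: tender application for the North Sea block, bid price 4.2 billion.",
    "Lunch at noon? The tender application deadline is next week.",
    "Meeting moved to 3pm, same room.",
]
STOP_WORDS = ("confidential", "tender application", "bid price")
# Formal-attribute rule: 13-16 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs (phone numbers, IDs) do not trip the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_cards(text: str) -> list:
    """Pattern detector from the slides: regex candidates filtered by the Luhn check."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]

def shingles(text: str, k: int = 5) -> set:
    """Hash every k-word window: a simple digital fingerprint of a (static) document."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}

DOC_FINGERPRINT = shingles(CONFIDENTIAL_DOC)

def fingerprint_overlap(text: str) -> float:
    """Share of the indexed document's shingles that reappear in the message."""
    return len(shingles(text) & DOC_FINGERPRINT) / len(DOC_FINGERPRINT)

def analyze(message: str) -> dict:
    """Hybrid decision: a card or fingerprint hit blocks; stop words alone route to review."""
    verdict = {
        "cards": find_cards(message),
        "stop_words": [w for w in STOP_WORDS if w in message.lower()],
        "fingerprint_overlap": round(fingerprint_overlap(message), 2),
    }
    if verdict["cards"] or verdict["fingerprint_overlap"] >= 0.3:
        verdict["decision"] = "block"
    else:
        verdict["decision"] = "review" if verdict["stop_words"] else "allow"
    return verdict
```

Calling analyze() on each of SAMPLE_MESSAGES gives block, block, review, allow: the fingerprint catches the paraphrased tender text that no single stop word or regex would, while the stop-word-only message is escalated for a human rather than blocked.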
- Number and quality of interceptors
- Controlled channels
- Ability to block suspicious objects
- Analysis methods
- Analyzed formats
- Encryption detection
- Classification method: probabilistic (linguistics and/or hashes), deterministic (tags and/or attributes)
- Ability to collect evidence for investigation, including full-text search
- The money is allocated from another budget item
- They are required by regulations and standards
- Every company has experienced a security incident
- Information security is over-budgeted + F.U.D.
- The projects are continuously growing
- Many related services besides installing and configuring: audit and change of data storage and circulation methods; audit and change of the legal basis
- High resource intensity: several servers + DBs + a system for archiving and storing; related products: URL filters, anti-spam, print servers, etc.
- The majority of the projects are first implementations: nothing to compare against, and an unsuccessful project will not affect anyone
- Low-competitive market: several market players with different technologies; it is easy to bookmark the product technical specification
Thank you for your attention! Your questions are most welcome.
Learn more: www.infowatch.com
E-mail us: info@infowatch.com and georgedo@inttrust.gr