Optimize Your Data Protection Investment for Bottom Line Results - PowerPoint PPT Presentation

Description:

Providing DLP Since 2002. Deployed 400+ DLP Projects. Completed 500+ Assessments. Manage DLP Solutions in 22 Countries. Provide Daily Management of 1,000,000+ Users ...

Provided by: bhamisaca5

Transcript and Presenter's Notes

1
Optimize Your Data Protection Investment for
Bottom Line Results
2
DATA LOSS PREVENTION EXPERTISE
  • Providing DLP Since 2002
  • Completed 500+ Assessments
  • Manage DLP Solutions in 22 Countries
  • Deployed 400+ DLP Projects
  • Provide Daily Management of 1,000,000+ Users Globally
QUICK FACTS
  • Symantec Master Specialization DLP Partner
  • RSA's Only Authorized Managed DLP Partner
  • 1st Managed DLP Services Provider (2008)
  • Localized Chinese DLP Practice (2011)
  • Global Support in 130 countries
  • Data Mining, Custom Policies, Scripting
3
WHAT WE WILL COVER TODAY
SYMANTEC DLP COMPONENTS
  • Endpoint Prevent
  • Symantec Data Loss Prevention Endpoint Prevent
    monitors files downloaded to local drives;
    transferred over email, IM, Web or FTP; copied to
    USB, CompactFlash, SD, or other removable media;
    burned to CD/DVD; copied or pasted; captured via
    Print Screen; and printed or faxed
    electronically. With Symantec Data Loss
    Prevention, you can monitor and block:
  • Instant messages sent to a partner containing
    confidential M&A information
  • Web mail with product plans attached going to a
    competitor
  • Customer lists being copied to USB or other
    removable media devices
  • Email containing PII sent via hosted email
    security services
  • Source code that is copied to a local drive
  • Mobile devices for email sent containing
    confidential data
  • Product design documents being burned to CD/DVD
  • Price lists being printed or faxed to a competitor

4
HOW TO GET STARTED WITH DLP
Developing the DLP Program Scope
Processes
Understanding Work Place Monitoring Requirements
Designing and Implementing the DLP Program

Measuring the DLP Program
5
USE CASE 1 INCIDENTS DETECTED 2 MONTHS INTO DLP PROGRAM
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
6
USE CASE 1 OBTAINING BUSINESS BUY-IN
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
7
USE CASE 2 INCIDENTS DETECTED 14 DAYS INTO DLP PROGRAM
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
8
USE CASE 1 OBTAINING BUSINESS BUY-IN
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
9
USE CASE 3 INCIDENTS DETECTED 72 HOURS INTO DLP PROGRAM
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
10
USE CASE 3 OBTAINING BUSINESS BUY-IN
What incidents or events are retained?
Who develops reports?
Are DLP system generated reports adequate?
Who drives report requirements? Requestors, Reviewers, others?
Report accuracy tied into QA process?
11
USE CASE DLP PRE-PROJECT STATE
  • Organization Overview: 40,000 employees globally, Manufacturing
  • DLP Scope: Protection of Intellectual Property (General)
  • DLP Primary Issue: Customer overwhelmed with inaccurate incident data, no meaningful information
  • Application Management: Operated and managed by IT Security with limited input from business.
  • Policy Governance: Failure to use a lifecycle software development process for policy construction
  • Incident Triage: Infrequently reviewed by IT with little to no review by business owners.
  • Event Management: Hard to accomplish due to large number of false positives. No gold nuggets.
  • Reporting and Metrics: Zero customized reports. No relevant business analysis provided.
  • Status: System generates 25,000 incidents/day / 750,000 incidents/month
12
MANAGING WORKPLACE PRIVACY
13
IDENTIFY PURPOSE FOR MONITORING
Generally Acceptable Business Reasons Include:
  • Monitor & maximize employee productivity
  • Protect against unauthorized use, disclosure or
    transfer of PII
  • Monitor employee compliance with employer
    workplace policies
  • Investigate complaints of employee misconduct
  • Prevent industrial espionage
  • Prevent or respond to unauthorized access to
    employer's computer systems
  • Protect computer networks from becoming
    overloaded
  • Prevent or detect unauthorized utilization of
    employer's computer system for criminal
    activities & terrorism
  • Help prepare employer's defense to lawsuits or
    administrative complaints
  • Respond to discovery requests in litigation
    related to electronic evidence

14
DETERMINE IF COUNTRY LAWS APPLY TO YOU
15
INTERNATIONAL PRIVACY LAWS BUSINESS IMPACT
  • Must comply with privacy laws in countries where you have operations, where laws can be significantly more restrictive than in the US
  • Transfer of personal information can be blocked in other countries unless specific requirements are met
  • Countries across the globe are adopting privacy laws
16
UNDERSTAND GENERAL PRINCIPLES SAFE HARBOR
17
APPLICATION SUPPORT INTEGRATION
Primary System DLP Management Human Resource / Expertise Requirements
Integrated System Management Cross Department Collaboration Processes
Health Check System Validation Management System Resource Requirements
Vendor Management Primary and Integrated Technology Vendor Relationships
18
POLICY RULE GOVERNANCE
Who requests rules & policy requirements? Are business owners engaged?
Who reviews rule requests? Criteria for approved rule?
What's the process for converting a rule request into a policy?
Who's responsible for converting a rule into technical policy? Do they have technical policy authoring expertise?
What is the formal policy development process? First drafts rarely work as expected!
Is there a process to relay production policy metrics to stakeholders?
19
WORKFLOW DEVELOPMENT MANAGEMENT
Who develops & manages policy buckets? False positive, inbound partner, outbound employee
Who defines thresholds that determine response rules for each bucket? Are 10 SSNs a high, medium or low severity incident?
Who designs & sets the policy response triggers? Malicious, Inadvertent, Suspicious, above threshold.
Who's responsible for building alerts, alarms & notifications? Has business been engaged on event management?
Triage response options: Human notification, System notification (auto), Hybrid?
Who manages the DLP policy & rules repository? Why recreate the wheel?
20
INCIDENT TRIAGE EVENT MANAGEMENT
How does DLP fit in overall incident/event management process? Can this be mapped to DLP system?
Who reviews volume & yield of incidents & events? What's the review frequency?
How are events/incidents routed? Who owns the incident/event?
How will integrated systems be tied together to yield valued info? Secure mail, web gateway, GRC, SIEM
What metrics are developed to measure success of rules & related policy? Who's responsible for developing metrics?
Revision of rules based on quality of policy results. Who manages policy optimization process?
21
BUSINESS ANALYTICS
Who drives report requirements? Requestors, Reviewers, others?
Who develops reports?
Do they have the expertise with 3rd party reporting tools?
Are DLP system generated reports adequate?
Are the metrics valuable & driving meaningful change?
Report accuracy tied into QA process?
22
PITFALL 1 NO PLAN OF ATTACK
23
PITFALL 2 FAILURE TO ENGAGE THE BUSINESS
24
PITFALL 3 INADEQUATELY TRAINED RESOURCES
25
DATA-IN-MOTION PITFALLS
Missing the Target False Sense of Security
Mis-configured Tap or Port Span
Encryption The Masked Data
Misfire of Network Discovery Scans
Network versus Endpoint Discovery
Problem: Missing segments of network traffic or protocols.
Solution: Comprehensive test plan that maps to in scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured.
Problem: Analysis of data DID NOT take place prior to encryption.
Solution: Comprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed test DLP policies that identify encrypted transmissions as part of the test plan.
Problem: Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process.
Solution: Identify potential data stores by discussing the DLP program with staff to understand process.
Problem: Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same.
Solution: Prior to acquiring DLP solution, have an understanding of the data types that make up your target environment, then decide on scanning method.
26
DATA-IN-MOTION (ENDPOINT) PITFALLS
The Pandora's Box of DLP
Environment Assessment
Staying in Contact
User Performance Impacts
Network/System Performance Impacts
27
USE CASE POST PROJECT STATE
  • Organization Overview: Defined specific business units to initiate program
  • DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings
  • DLP Primary Goal: Identification of unauthorized movement of specific elements of IP
  • Application Management: Operated by a combination of IT, messaging & desktop management teams
  • Policy Governance: 100 customized policies based on data collected from business unit
  • Incident Triage: Daily review of incidents by Information Security
  • Event Management: Incidents meeting severity criteria routed to business unit for investigation
  • Reporting and Metrics: Behavioral pattern analysis leading to preventive actions
  • Status: R&D teams have high level of confidence in ability to identify leakage of IP.
28
QMS SAMPLE QUARTERLY REPORT
29
BEW GLOBAL HQ
5613 DTC Parkway, Suite 1250, Greenwood Village, CO 80111, USA
(ph) 1 720 227 0990 (fax) 1 720 227 0984
www.bewglobal.com
BEW GLOBAL EMEA
3 Albany Court, Albany Park, Camberley GU16 7QR, England
(ph) 44 (0) 845 481 0882 (fax) 44 (0) 871 714 2170
www.bewglobal.com
BEW GLOBAL APAC
520 Oxford Street, Level 23, Tower 1, Bondi Junction, Sydney 2022
(ph) 61 (2) 9513 8800 (fax) 61 (2) 9513 8888
www.bewglobal.com