Protecting your information assets Eoin Farrer ILP Sales Manager Northern Europe 21 November 2008
Information security is a people issue Once access is granted, what happens to your data? Are your IT systems equipped to deal with people issues?
What you are telling us 95% of organisations would not be confident they would know if a data leak occurs* *Survey of 105 international security professionals at eCrime Congress London, 2007
Sensitive Information is everywhere Finance HR Employee data Payroll IT Investor information E-Banking records Budgets Intranets Extranets Network Designs Confidential plans Designs Client databases M&A Strategic plans & designs Client data Forecasts Management Sales Marketing
Channels: Exploits, HTTP/S, P2P, IM, FTP Channels: SMTP, IM, P2P, FTP, HTTP/S, Print The Landscape Inbound Inappropriate content Malcode Fraud Productivity inhibitors Outbound Confidential information Customer data Intellectual property Regulated information Fundamental Business Issues Regulatory Compliance & Risk Management Productivity and Corporate Governance Business Continuity and Competitive Advantage
People issues put content at risk “Trojan horse captured data on 2,300 Oregon taxpayers”, by Todd Weiss, Computerworld, 06/15/06: The Oregon Department of Revenue has been contacting some 2,300 taxpayers this week to notify them that their names, addresses or Social Security numbers may have been stolen by a Trojan horse program downloaded accidentally by a former worker who was surfing pornographic sites while at work in January.
Why is this a hot issue all of a sudden? EJS Ráðgjöf | Nov. 2007 • We hear of information leaks every day • Are incidents on the rise or more being disclosed? • Both! • Regulatory Compliance is a key driver • As is protecting Brand and Intellectual assets • CISOs know the value of their data assets • So do the bad guys!
How is Data Being Leaked? HTTP Email Networked Printer Endpoint Internal Mail Corporate Webmail IM Other What Type of Data is Leaked? Non Public Information Confidential Information Intellectual Property Protected Health Information
Unintentional leaks: Accidental/Ignorant Customer_Info.xls Customer_Intel.xls Unintentional leaks: Malicious Spyware or Keylogger Site Un/Intentional: Broken Business Process Data in Motion Data at Rest Intentional: Malicious
How big is the malicious issue? Unintentional/Accidental (77%) Malicious Intent (23%) - Infowatch 2007 • Accidental or unintentional is the biggest leak source • Malicious activity on the increase • Targeted trojans, Spyware, Greyware
Managing the malicious risk • ILP solutions have not focused heavily on this problem; it needs IT Security and Infosec awareness • Websense offers a Total Content Security approach • Brings best of breed content filtering and web security together • Full content and context awareness
Malicious activity – Destination Awareness • Gay or Lesbian or Bisexual Interest • Hobbies • Personals and Dating • Restaurants and Dining • Social Networking and Personal • Sport Hunting and Gun Clubs • Travel • Special Events • Vehicles • Violence • Weapons • Internet Radio and TV • Internet Telephony • Peer-to-Peer File Sharing • Personal Network Storage and Backup • Streaming Media • Advertisements • Freeware and Software Downloads • Instant Messaging • Pro-Choice • Pro-Life • Adult Content • Financial Data and Services • Educational Institutions • Educational Materials • Reference Materials • MP3 and Audio Download Services • Gambling • Games • Military • Political Organizations • Health • Hacking • Proxy Avoidance • Search Engines and Portals • URL Translation Sites • Web Hosting • Web Chat • General Email • Organizational Email • Text and Media Messaging • Job Search • Content Delivery Networks • Dynamic Content • File Download Servers • Image Servers • Images (Media) • Alternative Journals • Religious • Internet Auctions • Real Estate • Professional and Worker Organizations • Service and Philanthropic Organizations • Social and Affiliation Organizations • Alcohol and Tobacco • Message Boards and Forums • Online Brokerage and Trading • Pay to Surf • Bot Networks • Keyloggers • Malicious Websites • Phishing and Other Frauds • Potentially Unwanted Software • Spyware • Potentially Damaging Content • Elevated Exposure • Emerging Exploits • User Defined
Destination Categories Financial Data and Services Forbes, CNNMoney, Bloomberg Search Engines and Portals Google, Yahoo, MSN, Dogpile General and Organizational Email Corp. Webmail, Hotmail, Gmail Social Networking and Personal Wikipedia, MySpace, LinkedIn Bot Nets, Spyware, Keyloggers, etc. The Power of Destination Awareness
But... it’s important to know that fighting determined intent can be very difficult...
Use of ILP solutions
In a nutshell... • ILP solutions can, with a high degree of certainty: • Stop accidental/ignorant/negligent user incidents • Stop the “average” malicious user (sales guy posting customer db to webmail account) • Malicious information-stealing trojan • But this could account for 90-100%* of leaks for a given company • Also... it is one of the most effective solutions for ensuring compliance with regulations such as PCI, SOX etc. • ILP solutions do not offer 100% information security • But significantly reduce the risk of data loss • Are rapidly becoming a key part of information risk management * Educated guess
So how do we go about solving the problem?
What can be done?
Best Practice • 7 Steps to Success – It’s about process, people and technology! • Identify and find data • Classify data • Monitor the flow of data inside the network • Control who distributes data • Control where data is distributed to • Prevent leaks via non-business channels • Protect data at all times
Your Data Best Practice • Step 1: Identify and find data • Define what is actually “confidential” data • Discover data anywhere in your network • Desktops • Laptops • File Servers • Databases • eVaults • Other… • Automate the process • Review regularly
Best Practice • Step 2: Classify data • Use technology to build on previous step • watermark, signature, fingerprint, hash – whatever! • It has to be… • Accurate • Robust • Secure • Automate the process - Do you see a pattern here?
Custom Channels IM HTTP Print FTP Email Best Practice • Step 3: Monitor the flow of data inside the network • Inbound, Outbound, Internal • Which business channels are used for information flow? • Email, HTTP, IM, FTP, Printing etc. • This must be Real-Time!
Best Practice • Step 4: Control who distributes data • Who actually does what in the organisation? • Do you have an org chart? • Finance, Marketing, R&D, HR, Customer Services • Do you have a directory service? • You must make use of this information • Essential for any forensics investigations • Remember, it’s about people!
Allowed Information Organization Network Blocked Information Trusted Destination Spyware Authorized User Phishing File Server Hacker Trusted Protocol Network Users Infected Remote User Spyware Infected User Best Practice • Step 5: Control where data is distributed to • Do you have any idea where data is sent? • HTTP, is it a Business Partner or Web-Mail?
Best Practice • Step 6: Prevent leaks on non-business channels • Are you monitoring other channels? • USB • Removable HDDs • iPods • Cameras • P2P • Hosted Storage • Evasion applications • RealTunnel • GhostSurf
Best Practice • Step 7: Protect data at all times • We all need to learn to focus on the data, not just the threat • Recognise these? • Trojans, Worms, Spyware, Bots • What about these? • Stupidity, Naivety, Laziness, Willingness to “work around” policy, Broken business process • Bottom line is your security will fail at some point due to one or more of the above!
Gartner Magic Quadrant for M&F&DLP, 2Q07 Symantec (PortAuthority) Trend Micro / Provilla EMC McAfee / Onigma Gartner Disclaimer: This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.
How can Websense help here? The leading ILP solution Dominating the Web Security market with 42% market share 42,000 customers, solid revenues and stable company
Quarantine Remediate Block Encrypt Notify Custom Channels IM HTTP Print FTP Email File Server Laptop Database Desktop Best Practice for Protecting Data
Content Protection Suite Architecture Data In Motion Data Learning Data at Rest Data In Use
Technology Platform: PreciseID™ There are multiple techniques to classify and identify information, but only PreciseID™ NLP offers the most accurate and granular information leak prevention [Chart: Detection Accuracy (Low to High) against Detection Granularity; techniques shown: Keywords, Regular Expression, Regular Expression with Dictionaries, 1st Generation Fingerprints, 3rd Generation PreciseID; two points marked “Technology Barrier”]
Why Accurate Identification Is Critical 1. False Positives Cost Resources and Time: >160 false positives/day = 1 FTE 2. False Positives Reduce Employee Productivity 3. False Negatives Can Damage Brand, Reputation and Competitive Advantage: $5-20 million per incident 4. Accurate Identification Enables Smooth Workflow and Incident Remediation
PreciseID™ Fingerprinting: Learn Data • Phase I: Fingerprint data at rest [Diagram: Database Record or Document → Extract → Algorithmic Conversion → One-way Mathematical Representation → Fingerprint Storage & Indexing → Fingerprints database]
PreciseID™ Technology at Work: Detection • Real Time Data Detection [Diagram: Outbound Content (E-mail, Web, Fax, Print, etc.) → Algorithmic Conversion → One-way Mathematical Representation → Fingerprint Creation → Real-Time Fingerprint Comparison against the Fingerprint database → Policy Action]
Using Websense PreciseID™ 1. Data location defined using easy-to-use GUI 2. Database and DMS crawlers read only the data to be protected 3. PreciseID engine generates data fingerprints and stores in database 4. Original data is not altered or copied 5. Audit and reporting [Diagram labels: Database Server, Document Management System, File Server, Websense Appliance, Policy Enforcement]
Protecting Data • Websense protects any data: Structured and unstructured, maintained in any container • 370 file formats • Content based detection • File content is always inspected • CAD/CAM • Any database • Automatic or manual learning of data including database content updates • Document Management Systems
Websense Use Cases • Pattern Policies • PCI, SEC, HIPAA etc • Customer data protection • Data fields in a record in a database • Confidential information protection • Unstructured data in different file formats
Use Case: Customer Data Protection • Records management: built to protect structured data • Example: Database with credit card data • Record fields: Card Number (15 or 16 Digits Long), PIN (4 to 12 Digits), CVC (3 or 4 Digits), Expiration, Other Data • Content filters can easily identify credit card numbers and point to probable leaks • But for prevention purposes it is not enough to identify a credit card number; it is also critical to get the relevant data elements correlated • Sample records: 1234567891234567 1234 0207 123 John Hancock; 1234567891234568 1234567 0307 1234 Samuel Adams; 1234567891234569 0207 0207 124 John Adams • Sample messages: (1) “Please check activity w/ credit card number 1234567891234567” (2) “Please check activity w/ credit card number 1234567891234567 David Flinter, manager” (3) “Please check activity w/ credit card number 1234567891234567 belongs to Mr. John Hancock David Flinter, manager”
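An added illustration of the learn-then-detect fingerprint flow and the field correlation this use case calls for (not code from the presentation, and not the PreciseID™ algorithm, whose internals the slides do not give). Keyed SHA-256 hashes stand in for the one-way representation; `KEY`, `fingerprint`, `build_index` and `classify` are hypothetical names, and the records are the slide's sample rows.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # assumption: a per-deployment secret
LEVELS = ["clean", "pattern_only", "card_only", "correlated"]

# Sample rows from the slide (obviously fake numbers): (card number, name)
RECORDS = [
    ("1234567891234567", "John Hancock"),
    ("1234567891234568", "Samuel Adams"),
    ("1234567891234569", "John Adams"),
]

CARD_RE = re.compile(r"\b\d{15,16}\b")  # slide: card numbers are 15 or 16 digits
WORD_RE = re.compile(r"[A-Za-z']+")

def fingerprint(value):
    """One-way representation of a normalised field (HMAC-SHA256, hex)."""
    norm = " ".join(value.lower().split())
    return hmac.new(KEY, norm.encode(), hashlib.sha256).hexdigest()

def build_index(records):
    """Learning phase: keep fingerprints only, card -> names of that record."""
    index = {}
    for card, name in records:
        index.setdefault(fingerprint(card), set()).add(fingerprint(name))
    return index

def classify(message, index):
    """Detection phase: grade outbound text against the fingerprint index."""
    words = WORD_RE.findall(message)
    # Assumption: names are two words, so fingerprint every 2-word window.
    grams = {fingerprint(" ".join(words[i:i + 2])) for i in range(len(words) - 1)}
    best = 0
    for card in CARD_RE.findall(message):
        names = index.get(fingerprint(card))
        if names is None:
            level = 1  # matches the pattern, but is not a protected record
        elif names & grams:
            level = 3  # card number and name come from the same record
        else:
            level = 2  # protected card number, no correlated field
        best = max(best, level)
    return LEVELS[best]

INDEX = build_index(RECORDS)
print(classify("card 1234567891234567 belongs to Mr. John Hancock", INDEX))
```

The graded verdicts let a policy treat a bare 16-digit string, a known card number, and a card number paired with its own cardholder as three different severities.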
Use Case: Confidential Data Protection • Multi selection folders for unstructured document fingerprinting • Unlimited number of policies • Any file system File Server 1 File Server N Crawlers Policy properties
4 STEPS TO GETTING STARTED Step 1: Configure monitoring on network • Setup: 2 hours Step 2: Select the policies that reflect the crown jewels you want to protect Step 3: Wait a week and find out who is sending what information where Step 4: Create a monitoring and enforcement policy based on results [Diagram labels: Data at Rest, Data in Use, Data in Motion, Spyware or Keylogger Site]
Summary • Information leaks are happening every day; ILP solutions are the way to combat the problem. • ILP integrated with Web Security provides the highest level of inbound and outbound control. • ILP solutions are easy to deploy and cheaper than you might think. • If you are responsible for highly sensitive data, losing that data is going to have a major impact on your business and your job.
PROTECT YOUR DATA PROTECT YOUR CUSTOMERS PROTECT YOUR BUSINESS Register for a free risk assessment at: websense.com/CPS