CISSP DLP - The missing part in IT security
length: 01:45:00
webinar with Joerg Buckbesch, Juniper ASCE.
DLP - The missing part in IT security
physical things: entering (access control) - leaving (locks, alarm, localization)
data/code: entering (FW, IPS, AV) - leaving (DLP)
Even today, many companies do not have DLP :(
Why is it needed?
* Assets to protect: secrets, IP, personal data (required by law), customer data.
* Causes of risk: espionage, data theft, disgruntled employees, thoughtless actions.
Why is DLP missing?
The past: networks had simple, clearly defined boundaries.
Now: everything is connected and boundaries become blurred
- complexity.
What is DLP? Data Leakage Prevention
What is NOT DLP?
- pure encryption
- an end-to-end focus alone
What makes up a DLP solution: the 3 Cs
C: Content and context awareness.
C: Coverage.
C: Centralized management.
Challenges?
1. Technology
2. Regulatory compliance (what is mandatory vs. what is prohibited)
3. Implementation & Operation
4. Cost
The DLP process is iterative:
Assess > Plan > Implement > Activate > Maintain
DLP tech:
storage (servers) - network (file transfer) - end device (storage media)
search - monitor - protect - administer
Functional areas:
* Storage: desktop, database, file server, content management system, mail server, web server..
  - access to the data: a read/write account for DLP
  - scheduled scans
  - handling of encrypted data
* Network: various protocols
  - performance impact considerations
  - handling of data encryption
  - conditional blocking
  Blocking network traffic requires some kind of caching of the transfer
  - not possible for FTP, but works well for email.
* End device:
  - DLP agent
  - blocking of violating actions
  - scanning of local storage and local actions: email, copying data, burning CD/DVD, printing, copy & paste into a new file
  - online/offline operation
Data detection:
CDM: content data matching
- search for certain keywords
- lexical / statistical analysis
- regular expressions
- data labels & formats
- indexing of structured data
- indexing of unstructured data
Policies, incidents, response rules, reports.
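To make the detection and response items above concrete, here is an added example (my own illustration, not code from the webinar) of a minimal content-data-matching pass: a classification-label rule, a card-number regular expression backed by a Luhn check so random digit runs are not flagged, and a conditional response rule that blocks on email but only monitors on FTP. The sample messages, rule names and channel names are constructed.

```python
import re

# Constructed sample outbound messages (labelled constructed; not from the webinar).
SAMPLES = {
    "roadmap": "Classification: CONFIDENTIAL\nQ3 roadmap attached, do not forward.",
    "payment": "Card on file: 4539 1488 0343 6467, exp 12/27",
    "order":   "Order ref 4539 1488 0343 6468 shipped yesterday",
    "lunch":   "Lunch at noon?",
}

# Data label & format: a classification marking at the start of a line.
LABEL_RE = re.compile(r"^Classification:\s*(CONFIDENTIAL|SECRET)\b", re.I | re.M)
# Regular expression: 16 digits with optional space/dash separators (card-like run).
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Check-digit validation: tells a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> list:
    """Return the names of the content-matching rules the text triggers."""
    hits = []
    if LABEL_RE.search(text):
        hits.append("classified-label")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(text)):
        hits.append("payment-card")
    return hits

# Conditional blocking, as in the notes: email can be held and blocked, FTP can
# only be monitored (assumed channel names, for illustration).
BLOCKABLE = {"smtp"}

def respond(text: str, channel: str) -> str:
    """Response rule: allow clean traffic, block on blockable channels, else log."""
    if not detect(text):
        return "allow"
    return "block" if channel in BLOCKABLE else "monitor"

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:8s} rules={detect(text)} smtp={respond(text, 'smtp')} "
              f"ftp={respond(text, 'ftp')}")
```

The "order" message contains a 16-digit run that looks like a card number but fails the Luhn check, so it is not flagged; this is the kind of false-positive reduction the lexical/statistical analysis item refers to.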
Operation flow:
* Storage:
  - configure & activate
  - identify & find scan targets
  - search for confidential/protected data
  - ..
* Network:
  - configure & activate
  - detect attempts to send confidential data
  - react to the transmission
  - report the incident
* End device:
  - install the DLP endpoint agent
  - configure & activate DLP rules
  - detect send, copy and print actions
  - react to activities violating DLP rules
  - report the incident
Administration roles:
Project manager
system-admin
incident response team
policy management
steering group