Tuesday, October 23, 2012

CISSP DLP - The missing part in IT security

length: 01:45:00
webinar with Joerg Buckbesch, Juniper ASCE.




DLP - The missing part in IT security

Physical things: entering (access control) - leaving (locks, alarm, localization)

data/code: entering (FW, IPS, AV) - leaving (DLP)


Up to today - many companies do not have DLP :(


Why is it needed?
* Protection equipment: secrets, IP, personal data (law), customers' data.
* Causes of risk: espionage, data theft, disgruntled employees, thoughtless actions.


Why is DLP missing?

The past: the network was simple, with clearly defined boundaries.
Now: everything is connected and boundaries become blurred - complexity.

What is DLP? Data Leakage Prevention

What is NOT DLP?
* pure encryption
* focus on end to end


What makes up a DLP solution: 3 Cs
C: Context and context awareness.
C: Coverage.
C: Centralized management.


Challenges?
1. Technology
2. Regulatory Compliance (mandatory - prohibited)
3. Implementation & Operation
4. Cost

DLP process is repetitive:
Assess > Plan > Implement > Activate > Maintain

DLP tech:
storage (servers) - network (file transfer) - end device (storage media)

search - monitor - protect - administer


Functional area:
* Storage: desktop, database, file server, content management system, mail server, web server, ..
Access to the data: R/W account for DLP
Scheduled scan
handling of encrypted data

Network: various protocols,
performance impact considerations
handling of data encryption
conditional blocking
Blocking network traffic requires some kind of chasing - not possible for FTP, but works well for email.

End device:
DLP agent
Blocking of violation actions
Scanning of local storage: email, copy data, burn CD/DVD, print, copy & paste into a new file.
Online-Offline operation



Data detection:

CDM: Content data matching
search for certain keywords
lexical / statistical analysis
regular expression
data label & format

Indexing of structured data
Indexing of unstructured data

Policies, incidents, response rule, report.
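As an added example (not part of the webinar notes), a minimal content data matching engine in Python that covers the detection methods listed above: keywords, a regular expression with a format check, and data labels, each tied to a response rule. Rule names, patterns and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Rule:
    """One CDM policy rule: a pattern plus the response rule to apply on a hit."""
    name: str
    pattern: "re.Pattern"
    action: str                                   # response rule: "block" or "report"
    validate: Optional[Callable[[str], bool]] = None  # extra format check


def luhn_ok(digits: str) -> bool:
    """Luhn checksum for card-like numbers; a regex alone matches random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed policy set (hypothetical names and patterns).
RULES = [
    # Regular expression + data format check: 16 digits, optional separators.
    Rule("card-number", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "block",
         lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    # Data label: classification markings embedded in the document.
    Rule("data-label", re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.I), "block"),
    # Keyword search: lower severity, only reported.
    Rule("keyword", re.compile(r"\b(?:salary|payroll)\b", re.I), "report"),
]


def scan(text: str) -> List[dict]:
    """Return every rule hit in the text, dropping matches that fail validation."""
    findings = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.validate and not rule.validate(m.group(0)):
                continue
            findings.append({"rule": rule.name, "action": rule.action, "match": m.group(0)})
    return findings


def decide(text: str) -> str:
    """Apply response rules: the most severe action wins (block > report > allow)."""
    findings = scan(text)
    if any(f["action"] == "block" for f in findings):
        return "block"
    return "report" if findings else "allow"
```

The Luhn check is what separates a real card number from an arbitrary 16-digit string, which keeps incident volume down when the "report" rule feeds a response team.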


Operation flow:
* Storage:
config & activate
identify & find scan target
search for confidential/protected
..


Network:
config & activate
detect attempts to send confidential data
react on transmission
report on the incident

End device:
install DLP endpoint agent
configure & activate DLP rules
detect send, copy, print
react on activities violating DLP rules
report on incident


Administration Role:
Project manager
system-admin
incident response team
policy management
steering group
