In this security technology workshop for IT and network security practitioners, we will teach you a three-step process you can use for selecting the right data security technology for your business at the best price. In this session we'll have a free discussion of the do's and don'ts and the pros and cons of different technologies such as agent DLP, network DLP and DRM.
Selecting Data Security Technology
1. Selecting Data Security Technology
Licensed under the Creative Commons Attribution License
Danny Lieberman
dannyl@controlpolicy.com http://www.controlpolicy.com/
2. Agenda
• Introduction and welcome
• What is data security?
• Defining the problem
• Select by threat
• Building threat cases
• Three threat cases
• Data security taxonomy
• Selection process
4. What the heck is data security?
• Security
– Ensure we can survive & add value
• Physical, information, systems, people
• Data security
– Protect data directly in all realms
5. Defining the problem
• You can't improve what you can't measure (*)
– Little or no monitoring of data flows
• Perimeter protection, access control
– Firewall/IPS/AV/Content/AD
– Disconnect between HR, IT
(*) Lord Kelvin
6. We're not in Transylvania anymore
• Threat scenario circa 1993
– Bad guys outside
– Lots of proprietary protocols
• Threat scenario circa 2009
– Bad guys inside
– Everything runs on HTTP
– Vendors decide threats
7. Model of a crime
• Means
– Access rights
• Opportunity
– With rights, insider can exploit vulnerabilities in people, systems
• Intent
– Uncontrollable
[Diagram labels recovered from the slide: Enterprise integration, Discovery, Regulators, Gartner]
8. Building a threat case
Metrics: Asset value, Threat damage to asset, Threat probability
Value at Risk = Asset Value x Threat Damage to Asset x Threat Probability
(*) PTA Practical Threat Analysis risk model
9. M&A threat case
Asset has value, fixed over time or variable:
– Plans to privatize, sell 50% of equity
Threat exploits vulnerabilities & damages assets:
– IT staff read emails and files of management board
– Employee leaks plans to press
– Buyer sues for breach of contract
Vulnerability is a state of weakness mitigated by a countermeasure:
– IT staff have access to mail/file servers
Countermeasure has a cost, fixed over time or recurring:
– Monitor abuse of privilege & prevent leakage of management board documents on all channels
10. Service provider threat case
Asset has value, fixed over time or variable:
– Internal pricing of service packages
Threat exploits vulnerabilities & damages assets:
– Outsourcing DBA has SQL access to pricing schema
– Competitor gets pricing and undercuts company
– Company loses reputation and revenue
Vulnerability is a state of weakness mitigated by a countermeasure:
– Outsource DBA may gain access on Oracle database during end of month close
Countermeasure has a cost, fixed over time or recurring:
– Monitor abuse of privilege & prevent internal data leakage
11. Media threat case – Israeli Trojan
Asset has value, fixed over time or variable:
– New product marketing campaign
Threat exploits vulnerabilities & damages assets:
– Competitors distributed custom attack on a CDROM
– Got terms of new product, undercut company
– Company loses revenue > $20M
Vulnerability is a state of weakness mitigated by a countermeasure:
– Employees may take a CDROM and insert it in their PC
Countermeasure has a cost, fixed over time or recurring:
– Prevent leakage of data to unauthorized channels
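The three threat cases above are instances of the slide 8 model, Value at Risk = Asset Value x Threat Damage to Asset x Threat Probability. The following Python script is an added example (not part of the presentation or the PTA tool) that puts the three cases into that model and compares each candidate countermeasure's risk reduction with its cost, which is the "how would risk change if you added a control" question of slide 15. Every asset value, damage fraction, probability, mitigation factor and cost below is a constructed number for illustration; only the "> $20M" loss figure comes from the slide.

```python
"""PTA-style value-at-risk model for the three workshop threat cases.

Added example; all numbers are constructed, except the > $20M Israeli Trojan
loss quoted on the slide. Formula (slide 8):
    Value at Risk = Asset Value x Threat Damage to Asset x Threat Probability
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    asset_value: float   # money at stake if the asset is fully lost
    damage: float        # fraction of asset value lost when the threat hits
    probability: float   # annual probability that the threat materializes


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float          # annual cost (fixed + recurring), constructed
    mitigation: float    # fraction by which it reduces threat probability
    threats: tuple       # names of the threats it mitigates


def value_at_risk(threat, countermeasures=()):
    """Apply the slide 8 formula; each applicable countermeasure scales the
    threat probability down by (1 - mitigation)."""
    p = threat.probability
    for cm in countermeasures:
        if threat.name in cm.threats:
            p *= 1.0 - cm.mitigation
    return threat.asset_value * threat.damage * p


def total_var(threats, countermeasures=()):
    return sum(value_at_risk(t, countermeasures) for t in threats)


def evaluate(threats, countermeasures):
    """Risk reduction vs. cost for each countermeasure taken on its own.
    A countermeasure is cost effective when the VaR it removes exceeds
    what it costs (hypothesis H2 of slide 13)."""
    baseline = total_var(threats)
    results = {}
    for cm in countermeasures:
        reduction = baseline - total_var(threats, (cm,))
        results[cm.name] = {
            "risk_reduction": reduction,
            "cost": cm.cost,
            "net_benefit": reduction - cm.cost,
            "cost_effective": reduction > cm.cost,
        }
    return results


# Constructed threat cases modelled on slides 9-11 (numbers invented).
THREATS = [
    Threat("M&A leak", "Plans to privatize", 50_000_000, 0.10, 0.05),
    Threat("Pricing leak", "Internal pricing of service packages",
           8_000_000, 0.25, 0.20),
    Threat("Israeli Trojan", "New product marketing campaign",
           20_000_000, 1.00, 0.02),
]

# Constructed candidate countermeasures; DRM is given no effect on the
# Trojan case, matching the "None" cell of the slide 16 table.
COUNTERMEASURES = [
    Countermeasure("Agent DLP", 300_000, 0.8,
                   ("M&A leak", "Pricing leak", "Israeli Trojan")),
    Countermeasure("Network DLP", 150_000, 0.6, ("M&A leak", "Pricing leak")),
    Countermeasure("DB activity monitoring", 80_000, 0.7, ("Pricing leak",)),
    Countermeasure("DRM", 500_000, 0.5, ("M&A leak",)),
]


def main():
    print(f"Baseline value at risk: {total_var(THREATS):,.0f}")
    for name, r in evaluate(THREATS, COUNTERMEASURES).items():
        verdict = "cost effective" if r["cost_effective"] else "not worth it"
        print(f"{name:24s} reduces VaR by {r['risk_reduction']:>10,.0f} "
              f"at cost {r['cost']:>8,.0f}: {verdict}")


if __name__ == "__main__":
    main()
```

With the constructed numbers the baseline VaR is 1,050,000; agent DLP removes 840,000 for a cost of 300,000, while DRM removes only 125,000 for 500,000 and is therefore rejected. The point of the model is not the specific figures but that the selection decision follows from the threat cases rather than from vendor marketing.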
12. Data security taxonomy
[Diagram; labels recovered from the slide]
Management: Provisioning, Events, Reporting, Policies
Data Warehouse, Document Server, Forensics
Detection point: Interception, Session, Decoders, Policies, Countermeasures
Sample intercepted message fragments shown on the slide: "Received: from [172.16.1.35]", "Message ID: <437C5FDE.9080>", "Send me more files today."
13. Selecting a data security technology
• Prove 2 hypotheses:
– Data loss is currently happening.
– A cost effective solution exists that
reduces risk to acceptable levels.
14. H1: Data loss is happening
• What data types and volumes of data leave the network?
• Who is sending sensitive information out of the company?
• Where is the data going?
• What network protocols have the most events?
• What are the current violations of company AUP?
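Hypothesis H1 is tested by measuring, which slide 5 notes is exactly what most organizations do not do for data flows. The following Python script is an added example (not from the presentation) that answers the five H1 questions over a log of outbound transfer events. The log format, the eight sample events, the partner domain and the AUP rules are all constructed for this illustration; a real deployment would feed the same functions from whatever the DLP detection point or proxy actually records.

```python
"""Answering the H1 questions of slide 14 over a constructed event log.

Added example. Log format, sample events and AUP rules are invented here;
substitute the fields your own detection point records.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) proto=(?P<proto>\S+) dst=(?P<dst>\S+) "
    r"type=(?P<type>\S+) bytes=(?P<bytes>\d+) label=(?P<label>\S+)"
)

# Constructed outbound transfer events (not real data).
SAMPLE_LOG = """\
2009-09-03T09:02:11 user=alice proto=SMTP dst=partner.example type=spreadsheet bytes=204800 label=confidential
2009-09-03T09:15:40 user=bob proto=HTTP dst=webmail.example type=document bytes=1048576 label=confidential
2009-09-03T09:20:05 user=carol proto=HTTP dst=cdn.example type=image bytes=51200 label=public
2009-09-03T09:41:12 user=dba1 proto=FTP dst=files.example type=database_export bytes=52428800 label=confidential
2009-09-03T10:03:33 user=alice proto=SMTP dst=gmail.example type=document bytes=10240 label=internal
2009-09-03T10:10:00 user=bob proto=HTTP dst=webmail.example type=spreadsheet bytes=20480 label=public
2009-09-03T11:30:19 user=dave proto=P2P dst=peer.example type=video bytes=104857600 label=public
2009-09-03T12:05:47 user=carol proto=SMTP dst=partner.example type=document bytes=30720 label=internal
"""

# Constructed acceptable-use policy (AUP).
SENSITIVE_LABELS = {"confidential", "internal"}
PROHIBITED_PROTOCOLS = {"FTP", "P2P"}
ALLOWED_SENSITIVE_DESTINATIONS = {"partner.example"}


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def bytes_by_type(events):
    """Q1: what data types and volumes leave the network?"""
    c = Counter()
    for ev in events:
        c[ev["type"]] += ev["bytes"]
    return c


def sensitive_senders(events):
    """Q2: who is sending sensitive information out, by bytes?"""
    c = Counter()
    for ev in events:
        if ev["label"] in SENSITIVE_LABELS:
            c[ev["user"]] += ev["bytes"]
    return c


def destinations(events):
    """Q3: where is the data going, by bytes?"""
    c = Counter()
    for ev in events:
        c[ev["dst"]] += ev["bytes"]
    return c


def events_by_protocol(events):
    """Q4: which protocols have the most events?"""
    return Counter(ev["proto"] for ev in events)


def aup_violations(events):
    """Q5: current AUP violations, one entry per offending event with
    every rule it breaks listed."""
    violations = []
    for ev in events:
        reasons = []
        if ev["proto"] in PROHIBITED_PROTOCOLS:
            reasons.append(f"prohibited protocol {ev['proto']}")
        if (ev["label"] in SENSITIVE_LABELS
                and ev["dst"] not in ALLOWED_SENSITIVE_DESTINATIONS):
            reasons.append(f"{ev['label']} data sent to {ev['dst']}")
        if reasons:
            violations.append({"ts": ev["ts"], "user": ev["user"],
                               "reasons": reasons})
    return violations


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Bytes by type:", dict(bytes_by_type(evs)))
    print("Top sensitive senders:", sensitive_senders(evs).most_common(3))
    print("Destinations:", dict(destinations(evs)))
    print("Events by protocol:", dict(events_by_protocol(evs)))
    for v in aup_violations(evs):
        print("AUP violation:", v["ts"], v["user"], "; ".join(v["reasons"]))
```

On the constructed sample the database export over FTP dominates the volume and the violation list, which is the kind of finding that turns "data loss is happening" from a hypothesis into a measured fact before any technology is chosen.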
15. H2: A cost-effective solution exists
• What keeps you awake at night?
• Value of information assets on PCs, servers & mobile devices?
• What is the value at risk?
• Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
• How much do your current security controls cost?
• How do you compare with other companies in your industry?
• How would risk change if you added, modified or dropped security controls?
16. Match technology to threat case
Threat case: The Israeli Trojan
Agent DLP:
– Install agent on every PC
– Intercept Win32 calls
– Content, context and organizational policy
– Monitor, block, prompt
– Execute policy even when PC is off network
Network DLP:
– Install appliance at gateway
– Intercept Layer 2 traffic
– Content, channel and organizational policy
– Monitor, block, quarantine
– Execute policy for endpoints on network
DRM: None
17. Coming attractions
• Sep 17: Selling data security technology
• Sep 24: Write a 2 page procedure
• Oct 1: Home(land) security
• Oct 8: SME data security
http://www.controlpolicy.com/workshops
18. Learn more
• Presentation materials and resources
http://www.controlpolicy.com/data-security-workshops