Title: Risk Management and Data Loss Prevention: Tales from the Trenches

1. Risk Management and Data Loss Prevention: Tales from the Trenches

2. Risk Management and Data Loss Prevention
- Problem Definition
- Benefits
- Project update
- Length of project
- Cost of project
3. Problem Definition
- Your employer has a lot of data, but most controls are detective.
- You rely heavily upon people to do the right things:
  - No use of the local hard drive
  - Delete or archive files that have not been used in a long time
  - Know where data is, who the owners are, who has access, and what kind of access
4. Zero Tolerance vs. Risk Mitigation
- Current organizational thinking is based on Zero Tolerance
  - Would require getting rid of all tools, including the Big Chief Tablet and stubby pencil
  - Extremely rigid
  - Detrimental to the business
  - Hard to align to the business
- Complexity is too great to completely eliminate risk
  - Data exists in three states: at rest, in motion, in computation
  - The determined thief/spy problem
- We need to shift to a risk-based approach
  - How much can we absorb or tolerate?
  - Solution is to manage or mitigate the risk as much as possible
5. Risk-Based Approach
- To move to a risk-based approach you must employ a risk analysis scheme to properly categorize your risks:
  - What are our risks?
  - What is the probability of their occurrence?
  - When are they most likely to occur?
  - What is the severity of their consequence?
6. Causes of Breaches
(Chart; source: Ponemon Institute)
7. What are your risks?
- Laptops
- Printouts
- Thumb drives, CDs, DVDs
- Email
- File Transfers
- Trade shows
- Lost or stolen
- Mobile devices
- Voice
- Face to face
- Telephone
- Scanned images
(Chart groupings: Hardware and Software Controls; Human Behaviors)
8. When are they most likely to occur?
(Chart)
9. What is the probability/consequence?
(Chart)
10. Goal is to move the risk down the scale
(Chart)
11. Cost of a Data Leak
- Organizations that rely on intellectual property (IP) for sale and use are subject to more long-term and far-reaching costs when it is leaked. IP is the heart of today's technology, manufacturing, pharmaceutical, and even financial firms, and their most coveted sustainable advantage. When lost, it can have a direct and immediate impact on both the R&D costs associated with the asset and the revenue estimates for the full lifecycle of the asset.
12. Direct Costs from a Data Leak
- Intellectual Property
  - Fees for legal recourse to address who leaked the data and discover if it is being used inappropriately
  - Short-term impact to R&D cost recuperation
  - Long-term impact to profitability/revenue projections
  - System and process audits to identify and correct the source of the leak
Forrester Research and the Ponemon Institute peg the cost of the average data leak at $1.5M to $4.8M. Ultimately, the cost of the leak is determined by the size and nature of the organization, the sensitivity of the data leaked, and the size of the leak itself.
13. Direct Costs from a Data Leak
- Personally Identifiable Information and Personal Health Information
  - Average cost per record associated with a leak to make affected parties whole
  - Fees for legal representation
  - Engaging a PR firm to minimize damage and restore reputation
  - Consumer credit monitoring
  - Up to 5 years of system and process audits conducted by an independent third party
14. Effectiveness of Mitigation Strategies: Printing
(Chart: mitigation strategies plotted by Effectiveness, Impact, Cost, and Risk: Control ability to print documents with DLP; Secure copier/printers in dispersed data centers; Secure copier/printers in one centralized data center; Train users on SecurePrint)
- Risk: Hard copies (printouts) are susceptible to being picked up by unintended recipients, visitors, guests, and corporate spies, and can lead to data spills and highly sensitive data leaving unchecked.
- Mitigation strategies:
  - Train users on the SecurePrint features of copier/printers
  - Secure copier/printers in dispersed data centers
  - Secure copier/printers in one centralized data center
  - Control ability to print documents with DLP
15. Effectiveness of Mitigation Strategies: Thumb Drives, CDs, DVDs
(Chart: mitigation strategies plotted by Effectiveness, Impact, Cost, and Risk: CD/DVD burning controlled by Support Center; Thumb drives with biometrics; Company-issued thumb drives)
- Risk: Unencrypted data on thumb drives, CDs, and DVDs is a great risk to the enterprise: they are highly mobile, easily lost or misplaced, targeted by thieves, heavily targeted by foreign intelligence services, can carry a lot of sensitive data, and can pick up viruses and other malware.
- Mitigation strategies:
  - Data: data encryption, company-issued thumb drives, USB device use controlled by the Data Loss Prevention solution
  - Physical: CD and DVD burning only done by the Support Center; use thumb drives with biometrics
  - Training on the dangers of thumb drives, CDs, and DVDs
16. Effectiveness of Mitigation Strategies: Email
(Chart: Content controlled by DLP, plotted by Effectiveness, Impact, Cost, and Risk)
- Risk: Emails have a high risk potential since, once they leave the company email server, they can be easily intercepted at any point on the way to their intended recipient. They are analogous to a postcard sent through the regular mail service. They can be sent anywhere in any language and, once sent, they are hard to get back. Emails are also subject to discovery in court cases and are treated as documents.
- Mitigation strategies:
  - Encryption: confidentiality and non-repudiation are ensured, but it is hard to implement, requires training users, and does not lend itself to content monitoring
  - General training: inform users on a regular basis of the risks of email
  - Content control: achievable through DLP
17. Effectiveness of Mitigation Strategies: Mobile Devices (PDAs/BlackBerrys)
(Chart: Content and connections controlled by DLP; Device Loss and Theft; Data, plotted by Effectiveness, Impact, Cost, and Risk)
- Risk: Mobile devices are at high risk of being lost or stolen. They often contain sensitive data such as emails, passwords to other systems, spreadsheets, phone lists, and other documents. Mobile devices are small, slide into a pocket easily, can be attached to computers easily, and often have Wi-Fi and Bluetooth capabilities.
- Mitigation strategies:
  - Encryption: confidentiality and non-repudiation are ensured, but it is hard to implement, requires training users, and does not lend itself to content monitoring. Users also forget passwords and may forget to secure the device.
  - General training: inform users on a regular basis of the risks of mobile devices
  - Content control: achievable through DLP
  - Connection to other computers: controlled by DLP
18. Effectiveness of Mitigation Strategies: iPods/MP3 Players
(Chart: Data Exposure; Limit ability to connect devices and data transfer, plotted by Effectiveness, Impact, Cost, and Risk)
- Risk: As portable media players have become inexpensive, hold more and more data, and can easily be used as mass storage devices, the risks they pose to the enterprise have grown.
- Mitigation strategies:
  - Limit device use in the workplace
  - Control ability to connect devices via DLP
  - Train employees on the risks associated with use of iPods/MP3 players
19. Risk Mitigation Strategy
- Once our risks are categorized, how do we begin to move them to the low category?
20. Risk Mitigation Strategy
- Data Loss Prevention (DLP) gives us the most bang for the buck
- Comprehensive solution that allows us to:
  - Identify: know where the data resides
  - Monitor: what is happening, who did it, and when
  - Warn: the user is cautioned when trying to move sensitive data
  - Prevent: unauthorized actions are prevented
  - Control: only approved devices can be used
  - Report: ease of reporting for SOX, Dept. of State, and other USG entities
- Covers/monitors all sites on the network
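Slides 5 and 10 describe categorizing each risk by probability and consequence and then moving it down the scale, slides 14 through 18 compare mitigations by effectiveness, impact and cost, and slide 19 asks how to start moving categorized risks toward "low". The following is an added example, not code from the presentation or from any DLP vendor: it builds a small risk register, scores each channel as probability x severity on a 1 to 5 scale, and greedily picks the mitigations that buy the most score reduction per unit of cost within a budget. The channel and mitigation names are taken from the slides; every number (probabilities, severities, reductions, costs, the budget, and the low/medium/high thresholds) is a constructed placeholder.

```python
"""Risk register and greedy mitigation planner.

Added illustration for the slides' risk-based approach; not code from the
presentation or from any DLP product.  Channel and mitigation names come
from the slides; all numbers are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal 1..5 scales for probability and severity; score = product (1..25).
# Category thresholds are constructed for this example.
LOW_MAX, MEDIUM_MAX = 4, 12


@dataclass
class Mitigation:
    name: str
    cost: float          # constructed cost units
    prob_reduction: int  # steps it lowers probability (constructed)
    sev_reduction: int   # steps it lowers severity/consequence (constructed)


@dataclass
class Risk:
    channel: str
    probability: int     # 1 (rare) .. 5 (frequent)
    severity: int        # 1 (minor) .. 5 (severe)
    mitigations: List[Mitigation] = field(default_factory=list)
    applied: List[str] = field(default_factory=list)

    def score(self) -> int:
        return self.probability * self.severity

    def category(self) -> str:
        s = self.score()
        if s <= LOW_MAX:
            return "low"
        if s <= MEDIUM_MAX:
            return "medium"
        return "high"


def residual_score(risk: Risk, m: Mitigation) -> int:
    """Score the risk would have after applying m (each axis floors at 1)."""
    p = max(1, risk.probability - m.prob_reduction)
    s = max(1, risk.severity - m.sev_reduction)
    return p * s


def apply(risk: Risk, m: Mitigation) -> None:
    risk.probability = max(1, risk.probability - m.prob_reduction)
    risk.severity = max(1, risk.severity - m.sev_reduction)
    risk.applied.append(m.name)


def plan(register: List[Risk], budget: float) -> Tuple[List[Tuple[str, str]], float]:
    """Greedy planner: repeatedly pick the unapplied (risk, mitigation) pair
    with the largest score reduction per unit cost that still fits the
    remaining budget.  Mutates the register; returns the picks and spend."""
    spent = 0.0
    chosen: List[Tuple[str, str]] = []
    while True:
        best = None  # (ratio, risk, mitigation)
        for r in register:
            for m in r.mitigations:
                if m.name in r.applied or spent + m.cost > budget:
                    continue
                reduction = r.score() - residual_score(r, m)
                if reduction <= 0:
                    continue
                ratio = reduction / m.cost
                if best is None or ratio > best[0]:
                    best = (ratio, r, m)
        if best is None:
            break
        _, r, m = best
        apply(r, m)
        spent += m.cost
        chosen.append((r.channel, m.name))
    return chosen, spent


def build_register() -> List[Risk]:
    """Constructed register using channels and mitigations named on the slides."""
    return [
        Risk("Printouts", 4, 3, [
            Mitigation("Train users on SecurePrint", 5, 1, 0),
            Mitigation("Control printing with DLP", 40, 2, 1)]),
        Risk("Thumb drives, CDs, DVDs", 5, 5, [
            Mitigation("Company-issued encrypted thumb drives", 20, 0, 3),
            Mitigation("USB use controlled by DLP", 40, 3, 0)]),
        Risk("Email", 4, 4, [
            Mitigation("General training", 5, 1, 0),
            Mitigation("Content controlled by DLP", 60, 2, 1)]),
    ]


def categories(register: List[Risk]) -> Dict[str, str]:
    return {r.channel: r.category() for r in register}


if __name__ == "__main__":
    reg = build_register()
    print("before:", categories(reg))
    picks, spent = plan(reg, budget=100)
    for channel, name in picks:
        print(f"apply '{name}' to {channel}")
    print("after:", categories(reg), "spent:", spent)
```

With the constructed numbers and a budget of 100, the planner takes the two cheap training items and the encrypted thumb drives first, then the DLP print control, and moves every channel at least one category down while leaving 30 units unspent. A real register would use the organization's own scale, and since one DLP product covers several channels (the "bang for the buck" argument on slide 20), it would share that product's cost across the channels it mitigates rather than charging it per channel as this toy does.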
21. Big Picture
(Diagram: DLP; Focus Mobile: Encrypted Thumbdrives; Focus Endpoint: SEP 12; Focus Data: Vontu)
22. Big Picture
(Diagram: People, Process, and Technology around DLP; Focus Mobile; Focus Endpoint; Focus Data: DLP Product)
23. Length of Project
- 7-12 months
- Bake-off of products: 1 to 3 months
  - Each gets one month to run on live data and block use of USB devices
  - Results analyzed
  - Decision made on product
- Deployment across WAN
- Education of users
- Demonstration to stakeholders/customers (USG, DSS, SOX auditors)
24. Cost of Project
Cost of inadvertent disclosure of proprietary, company-sensitive, Unclassified Controlled Information, Personally Identifiable Information, or health care information; loss of goodwill; loss of confidence by business partners; attorneys' fees; fines; and even jail.
Or:
On October 16, 2007, President Bush signed into law the International Emergency Economic Powers (IEEPA) Enhancement Act to enhance the administrative and criminal penalties that can be imposed under the IEEPA. The Enhancement Act amends the current IEEPA by clarifying that civil penalties may be assessed against those who conspire to violate, or cause a violation of, any license, order, regulation, or prohibition of the United States Code. Violators can now be fined up to $1,000,000 and/or sentenced to up to 20 years in prison as criminal penalties. Criminal liability will also be included, and is described as anyone who "willfully conspires to commit, or aids or abets in the commission of" an unlawful act. Any criminal enforcement actions commenced on or after October 16, 2007 will be subject to the new penalties. Civil penalties will result in a fine amounting to the greater of $250,000 or twice the value of the transaction that is the basis of the violation.
25. Direct Costs
- Software
- Installation and configuration
- Ongoing system administration and management
26. Costs of DLP
- Direct costs for VONTU
  - Subscription-based hardware and software licensing and maintenance: $170K/year for 3 years if renewed every year, OR $508K for 3 years if purchased at once
  - License purchase: $465K initial, $71K per year; $607K over 3 years
Pricing is based on full retail and does not include any incentives.
27. Costs of DLP
- Direct costs for WEBSENSE
  - Software: $175K/year
  - Installation and configuration (i.e., professional services for the first year): $175K
  - Administration and management (first year): $35K
  - Total first-year investment: $385K
Pricing is based on full retail and does not include any incentives. Pricing is also based on 10,000 employees.
28. Costs of DLP
- Soft costs
  - Assume $50/hour per employee during the selection and analysis phase (average of the salaries of the employees involved)
  - Currently 12 employees involved, 15 hours expended
  - Installation at 4 sites (40 hours x 2 employees) plus travel
  - Training of administrative employees (0.5 hours x 1500 x $30)
    - Training includes an introduction to the technology and what to do if a message, device, or copy is blocked
    - Delivered in person and online
  - Training of employees to support DLP (4 hours x 12 x $50): 4 FSOs, 4 TCOs, 4 IT personnel
  - Ongoing support through Support Center/Help Desk: $30K
    - Assume a higher volume of calls during the 1st quarter of use, or until employees adjust to using the technology
  - Handouts, materials, other items: $8K
  - Total: $50K
29. Example Incident Remediation Workflow
(Flow diagram nodes: New Incident; Escalation Team: Compliance Officer, IT Security or Business Unit Manager, Human Resources, Facility Security Officer; Further investigation required? YES / NO; Resolved)
30. Notional Example: Proposal/ECTD/HR/Legal/Proprietary Data
- Employee or consultant tries to email an export-controlled proposal file to an outside email domain.
(Flow diagram nodes: Employee tries to send data out in EMAIL; Vontu pauses email; Is there a license or TAA in place? Yes / No; Proposal Data; Proposal Center Manager; Escalation Team: Compliance Officer, IT Security or Business Unit Manager, Human Resources, Facility Security Officer; Further investigation required? Yes / No; Resolved (Email Released or Stopped))
NOTE: This decision step will require a lookup table with License and TAA numbers OR a human to process every email.
31. Use Cases: Data in Motion
- Control of Rogue Business Processes: Monitor unauthorized leaks over FTP transfers
- Investigate Unknown Leaks: Investigate all communications of an employee leaking trade secrets to the competition
- Regulatory Compliance: PII sent to personal webmail accounts by HR employees for working at home
- Acceptable Use: Determine if questionable images or materials are being sent
- Employee Education: Auto-notify employees and/or management when a corporate policy is violated
- Encryption: Automatically encrypt sensitive data destined for a business partner or client
- Monitor and/or Block SSL Channels: Visibility into SSL-encrypted webmail transmissions or PGP emails
- Conditional Blocking or Quarantine: Hold for review emails sent to competitors that contain company financials or Intellectual Property
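The notional workflow on slide 30 (pause the email, check for a license or TAA via a lookup table, otherwise route to the Proposal Center Manager and the escalation team) and the data-in-motion use cases on slide 31 (PII to personal webmail, auto-encryption for business partners, quarantine of financials sent to competitors) are decision rules, and the following added example expresses them as one policy check run over constructed outbound messages. It is not Vontu's or any vendor's code: the content markers, the license/TAA table, the domain lists, and the sample messages are all made up for the illustration.

```python
"""Outbound e-mail policy check modelled on the notional workflow (slide 30)
and the data-in-motion use cases (slide 31).

Added illustration, not Vontu's or any vendor's code.  Everything below is
constructed for the example: the content markers, the license/TAA lookup
table, the domain lists and the sample messages.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTERNAL_DOMAIN = "corp.example"                                   # constructed
PARTNER_DOMAINS = {"partner-aero.example", "client-law.example"}   # constructed
COMPETITOR_DOMAINS = {"rival-corp.example"}                        # constructed
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

# Slide 30 notes the license/TAA decision needs a lookup table or a human;
# this constructed table maps recipient domain -> license/TAA number.
LICENSE_TAA_TABLE: Dict[str, str] = {"partner-aero.example": "TAA-0001-CONSTRUCTED"}

ESCALATION_TEAM = ["Compliance Officer", "IT Security or Business Unit Manager",
                   "Human Resources", "Facility Security Officer"]

# Constructed detectors: document markings for export-controlled and
# financial content, and a US-SSN-shaped pattern standing in for PII.
EXPORT_MARK = "EXPORT-CONTROLLED"
FINANCIALS_MARK = "CONFIDENTIAL-FINANCIALS"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class Decision:
    action: str                                   # release | encrypt | block | pause
    reasons: List[str] = field(default_factory=list)
    route_to: List[str] = field(default_factory=list)


def classify(msg: Message) -> List[str]:
    """Content tags found in the message body (the DLP 'Identify' step)."""
    tags = []
    if EXPORT_MARK in msg.body:
        tags.append("export-controlled")
    if SSN_RE.search(msg.body):
        tags.append("pii")
    if FINANCIALS_MARK in msg.body:
        tags.append("financials")
    return tags


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(msg: Message, license_table: Dict[str, str] = LICENSE_TAA_TABLE) -> Decision:
    tags = classify(msg)
    dom = domain_of(msg.recipient)
    if not tags or dom == INTERNAL_DOMAIN:
        return Decision("release", ["no sensitive content or internal recipient"])
    # Slide 30: export-controlled file to an outside domain -> pause, then
    # "is there a license or TAA in place?"
    if "export-controlled" in tags:
        auth = license_table.get(dom)
        if auth:
            return Decision("release", [f"license/TAA {auth} on file for {dom}"])
        return Decision("pause", [f"export-controlled content, no license/TAA for {dom}"],
                        route_to=["Proposal Center Manager"] + ESCALATION_TEAM)
    # Slide 31, regulatory compliance: PII to personal webmail.
    if "pii" in tags and dom in PERSONAL_WEBMAIL:
        return Decision("block", ["PII addressed to personal webmail"],
                        route_to=["Compliance Officer"])
    # Slide 31, conditional blocking/quarantine: financials to a competitor.
    if "financials" in tags and dom in COMPETITOR_DOMAINS:
        return Decision("pause", ["company financials addressed to a competitor"],
                        route_to=ESCALATION_TEAM)
    # Slide 31, encryption: sensitive data destined for a business partner.
    if dom in PARTNER_DOMAINS:
        return Decision("encrypt", [f"sensitive content ({', '.join(tags)}) to partner {dom}"])
    return Decision("pause", [f"sensitive content ({', '.join(tags)}) to unrecognised domain {dom}"],
                    route_to=ESCALATION_TEAM)


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    Message("alice@corp.example", "bob@partner-aero.example", "Proposal v3 attached. EXPORT-CONTROLLED"),
    Message("alice@corp.example", "x@rival-corp.example", "EXPORT-CONTROLLED proposal draft"),
    Message("hr@corp.example", "me@gmail.com", "Taking this home: SSN 123-45-6789"),
    Message("cfo@corp.example", "x@rival-corp.example", "CONFIDENTIAL-FINANCIALS Q3 numbers"),
    Message("hr@corp.example", "counsel@client-law.example", "Employee 123-45-6789 file"),
    Message("alice@corp.example", "friend@gmail.com", "Lunch tomorrow?"),
]


def run(messages: List[Message]) -> List[Tuple[str, str]]:
    return [(m.recipient, evaluate(m).action) for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        d = evaluate(m)
        route = f" -> {', '.join(d.route_to)}" if d.route_to else ""
        print(f"{m.recipient:28} {d.action:8} {'; '.join(d.reasons)}{route}")
```

The order of the rules matters: the license/TAA check runs before the partner rule so that an export-controlled file to a partner without a license is paused rather than auto-encrypted, and anything sensitive to a domain the table does not know falls through to the escalation team, which is the "human to process every email" fallback the slide warns about.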
32. Use Cases: Data at Rest
- Compliance (HIPAA, SOX, FDA): PII and health data stored unencrypted on disks
- Investigate Users: Search all contents of an employee's hard drive
- eDiscovery: Discover and index content stored on systems or repositories such as SharePoint
- Laptop and Back-up Tape Loss: Manifest of contents stored on a particular system
- Data Classification/Categorization: Determine where sensitive data exists and the type of data it is
- Data Access Audit: Search for payroll or HR data
33. Use Cases: Data at the Endpoint
- Data Protection While Disconnected: Mobile employee sending out sensitive data while in public places
- Confidential Data Abuse/Theft: Protect information leaving through USB or Wi-Fi, etc.
- Employee Education: Inform employees in real time about policy violations as they occur on their systems and ask for justification
34. Look what happens to your project schedule
- Buy the product
- Scope the hardware
- Buy the hardware
- Re-scope the hardware
- Install both
- Have your network admin go on vacation
- Find out there is a major version upgrade in the middle of installation
- Push agents out to desktops and laptops
- Have a major incident at a remote facility
- Tune the product