RISK MANAGEMENT AND DATA LOSS PREVENTION: TALES FROM THE TRENCHES
1
Risk Management and Data Loss Prevention Tales
from the Trenches
  • Andy Stokes

2
Risk Management and Data Loss Prevention
  • Problem Definition
  • Benefits
  • Project update
  • Length of project
  • Cost of project

3
Problem Definition
  • Your employer has a lot of data but most controls
    are detective.
  • You rely heavily upon people to do the right
    things
  • No use of the local hard drive
  • Delete or archive files that have not been used
    in a long time
  • Know where data is, who the owners are, and who
    has access and what kind of access

4
Zero Tolerance vs. Risk Mitigation
  • Current organizational thinking is based on Zero
    Tolerance
  • Would require getting rid of all tools, including
    Big Chief Tablet and stubby pencil
  • Extremely rigid
  • Detrimental to business
  • Hard to align to business
  • Complexity is too great to completely eliminate
    risk
  • Data exists in three states: at rest, in motion,
    in computation
  • The determined thief/spy problem
  • We need to shift to a risk-based approach
  • How much can we absorb or tolerate?

Solution is to manage or mitigate the risk as
much as possible
5
Risk-Based Approach
  • To move to a risk-based approach you must employ
    a risk analysis scheme to properly categorize
    your risks.
  • What are our risks?
  • What is the probability of their occurrence?
  • When are they most likely to occur?
  • What is the severity of their consequence?

6
Causes of Breaches
[Chart] Source: Ponemon Institute
7
What are your risks ?
  • Laptops
  • Printouts
  • Thumb drives, CDs, DVDs
  • Email
  • File Transfers
  • Trade shows
  • Lost or stolen
  • Mobile devices
  • Voice
  • Face to face
  • Telephone
  • Scanned images

Hardware and Software Controls
Human Behaviors
8
When are they most likely to occur?
9
What is the probability/consequence?
10
Goal is to move the risk down the scale
11
Cost of a Data Leak
  • Organizations that rely on intellectual property
    (IP) for sale and use are subject to more
    long-term and far-reaching costs when leaked. IP
    is the heart of today's technology,
    manufacturing, pharmaceutical, and even financial
    firms, and their most coveted sustainable
    advantage. When lost, it can have a direct and
    immediate impact on both the R&D costs associated
    with the asset, and the revenue estimates for the
    full lifecycle of the asset.

12
Direct Costs from a Data Leak
  • Intellectual Property
  • Fees for legal recourse to address who leaked the
    data and discover if it is being used
    inappropriately
  • Short-term impact to R&D cost recuperation
  • Long-term impact to profitability/revenue
    projections
  • System and process audits to identify and correct
    the source of the leak

Forrester Research and Ponemon Institute peg the
cost of the average data leak at $1.5M to
$4.8M. Ultimately, the cost of the leak is
determined by the size and nature of the
organization, the sensitivity of the data leaked,
and the size of the leak itself.
13
Direct Costs from a Data Leak
  • Personally Identifiable Information and Personal
    Health Information
  • Average cost per record associated with a leak to
    make affected parties whole
  • Fees for legal representation
  • Engaging a PR firm to minimize damage and restore
    reputation
  • Consumer credit monitoring
  • Up to 5 years of system and process audits
    conducted by an independent third party

14
Effectiveness of Mitigation Strategies: Printing
[Chart: mitigation strategies plotted by Effectiveness/Impact against Cost/Risk]
  • Risk: Hard copies (printouts) are susceptible to being
    picked up by unintended recipients, visitors,
    guests and corporate spies, and can lead to data
    spills and highly sensitive data leaving
    unchecked.
  • Mitigation strategies:
  • Train users on SecurePrint features of
    copier/printers
  • Secure copier/printers in dispersed data centers
  • Secure copier/printers in one centralized data
    center
  • Control ability to print documents with DLP

15
Effectiveness of Mitigation Strategies: Thumb drives, CDs, DVDs
[Chart: mitigation strategies plotted by Effectiveness/Impact against Cost/Risk]
  • Risk: Unencrypted data on thumb drives, CDs, and DVDs
    is a great risk to the enterprise: the media are
    highly mobile, easily lost or misplaced, targeted
    by thieves, heavily targeted by foreign
    intelligence services, can carry a lot of
    sensitive data, and can pick up viruses and other
    malware.
  • Mitigation strategies:
  • Data: Data encryption, company-issued thumb
    drives, USB device use controlled by Data Loss
    Prevention solution
  • Physical: CD and DVD burning only done by
    Support Center, use thumb drives with biometrics
  • Training on dangers of thumb drives, CDs, and DVDs

16
Effectiveness of Mitigation Strategies: Email
[Chart: mitigation strategies (content controlled by DLP, training, encryption) plotted by Effectiveness/Impact against Cost/Risk]
  • Risk: Emails have a high risk potential since once they
    leave the company email server, they can be
    easily intercepted at any point on the way to
    their intended recipient. They are analogous to a
    postcard sent through the regular mail service.
    They can be sent anywhere in any language and,
    once sent, they are hard to get back. Emails are
    also subject to discovery in court cases and are
    treated as documents.
  • Mitigation strategies:
  • Encryption: confidentiality and non-repudiation are
    ensured, but it is hard to implement, requires
    training users, and does not lend itself to
    content monitoring
  • General training: inform users on a regular basis
    of the risks of email
  • Content control: achievable through DLP
17
Effectiveness of Mitigation Strategies: Mobile Devices (PDAs/BlackBerrys)
[Chart: mitigation strategies (content and connections controlled by DLP, encryption, training) plotted by Effectiveness/Impact against Cost/Risk; labels: Device Loss and Theft, Data]
  • Risk: Mobile devices are at high risk of being lost or
    stolen. They often contain sensitive data such as
    emails, passwords to other systems, spreadsheets,
    phone lists, and other documents. Mobile devices
    are small, slide into a pocket easily, can be
    attached to computers easily, and often have
    Wi-Fi and Bluetooth capabilities.
  • Mitigation strategies:
  • Encryption: confidentiality and non-repudiation are
    ensured, but it is hard to implement, requires
    training users, and does not lend itself to
    content monitoring. Users forget passwords too
    and may forget to secure the device.
  • General training: inform users on a regular basis
    of the risks of mobile devices
  • Content control: achievable through DLP
  • Connection to other computers: controlled by DLP
18
Effectiveness of Mitigation Strategies: iPods/MP3 players
[Chart: mitigation strategies (limit ability to connect devices and transfer data, training) plotted by Effectiveness/Impact against Cost/Risk; label: Data Exposure]
  • Risk: As portable media players have become
    inexpensive, hold more and more data, and can
    easily be used as mass storage devices, the
    risks they pose to the enterprise have grown.
  • Mitigation strategies:
  • Limit device use in the workplace
  • Control ability to connect devices via DLP
  • Train employees on risks associated with use of
    iPods/MP3 players
19
Risk Mitigation Strategy
  • Once our risks are categorized how do we begin
    to move them to the low category?

20
Risk Mitigation Strategy
  • Data Loss Prevention (DLP) gives us the most bang
    for the buck
  • Comprehensive solution that allows us to:
  • Identify: Know where the data resides
  • Monitor: What is happening, who did it and when
  • Warn: User is cautioned when trying to move
    sensitive data
  • Prevent: Unauthorized actions are prevented
  • Control: Only approved devices can be used
  • Report: Ease of reporting for SOX, Dept of
    State, other USG entities
  • Covers/monitors all sites on the network

21
Big Picture
[Diagram: DLP at the center with three focus areas. Focus Mobile: Encrypted Thumbdrives; Focus Endpoint: SEP 12; Focus Data: Vontu]
22
Big Picture
[Diagram: People, Process and Technology around DLP, with the same three focus areas. Focus Mobile; Focus Endpoint; Focus Data: DLP Product]

23
Length of Project
  • 7-12 months
  • Bake-off of products: 1 to 3 months
  • Each gets one month to run on live data, block
    use of USB devices
  • Results analyzed
  • Decision made on product
  • Deployment across WAN
  • Education of users
  • Demonstration to stakeholders/customers (USG,
    DSS, SOX auditors)

24
Cost of Project
Cost of inadvertent disclosure of proprietary,
company sensitive, Unclassified Controlled
Information, Personally Identifiable Information,
Health Care information, loss of goodwill, loss
of confidence by business partners, attorneys'
fees, fines and even jail
  • DLP Solution
  • $500k

Or
On October 16, 2007 President Bush signed into
law the International Emergency Economic Powers
(IEEPA) Enhancement Act to enhance administrative
and criminal penalties that can be imposed under
the IEEPA. The Enhancement Act amends the current
IEEPA by clarifying that civil penalties may be
assessed against those who conspire to violate,
or cause violation of, any license, order,
regulation or prohibition of the United States
Code. Violators can now be fined up to $1,000,000
and/or up to 20 years in prison for criminal
penalties. Criminal liability will also be
included, and is described as anyone who
"willfully conspires to commit, or aids or abets
in the commission of" an unlawful act. Any
criminal enforcement actions commenced on or
after October 16, 2007 will be subject to the new
penalties. Civil penalties will result in a fine
amounting to the greater of $250,000 or twice the
value of the transaction that is the basis of the
violation.
25
Direct costs
  • Software
  • Installation and configuration
  • Ongoing system administration and management

26
Costs of DLP
  • Direct costs for VONTU
  • Subscription-based hardware and software
    licensing and maintenance: $170K/year for 3
    years if renewed every year, OR $508K for 3 years
    if purchased at once
  • License purchase: $465K initial, $71K per year,
    $607K over 3 years

Pricing is based on full retail and does not
include any incentives.
27
Costs of DLP
  • Direct costs for WEBSENSE
  • Software: $175k/year
  • Installation and configuration (i.e. professional
    services for the first year): $175k
  • Administration and management (first year): $35k
  • Total first-year investment: $385k

Pricing is based on full retail and does not
include any incentives. Pricing is also based on
10,000 employees.
28
Costs of DLP
  • Soft costs
  • Assume $50/hour per employee during selection and
    analysis phase (average of salaries of the
    employees involved)
  • Currently 12 employees involved, 15 hours
    expended
  • Installation at 4 sites (40 hours x 2 employees)
    plus travel
  • Training of administrative employees (0.5 hours
    x 1500 x $30)
  • Training includes introduction of technology and
    what to do if a message, device or copy is
    blocked
  • Delivered in person and online
  • Training of employees to support DLP (4 hours x
    12 x $50)
  • 4 FSOs, 4 TCOs, 4 IT personnel
  • Ongoing support through Support Center/Help Desk:
    $30k
  • Assume higher volume of calls during 1st quarter
    of use, or until employees adjust to using the
    technology
  • Handouts, materials, other items: $8k
  • Total: $50k

29
Example Incident Remediation Workflow
[Flowchart: New Incident → Further investigation required? NO → Resolved; YES → Escalation Team (Compliance Officer, IT Security or Business Unit Manager, Human Resources, Facility Security Officer)]
30
Notional Example: Proposal/ECTD/HR/Legal/
Proprietary Data
  • Employee or consultant tries to email
    export-controlled proposal file to outside email
    domain.

[Flowchart, structured like slide 29: Employee tries to send proposal data out in EMAIL → Vontu pauses email → decision: Is there a license or TAA in place? → decision: Further investigation required? (No → Resolved (Email Released or Stopped); Yes → Escalation Team: Compliance Officer, Proposal Center Manager, IT Security or Business Unit Manager, Human Resources, Facility Security Officer)]
NOTE: This decision step will require a lookup
table with License and TAA numbers OR a human to
process every email.
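The license/TAA decision step of this notional workflow, as an added Python example that is not part of the presentation: the company domain, the License/TAA numbers, the partner domains and the e-mail fields are constructed placeholders, and nothing here talks to Vontu or any other DLP product.

```python
"""Toy model of the slide-30 decision step: a DLP system pauses an outbound
email carrying export-controlled data, consults a License/TAA lookup table,
and either releases the email or escalates it to the escalation team.
All domains, numbers and names are constructed for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Decision(Enum):
    RELEASED = "released"      # email flows on to the recipient
    ESCALATED = "escalated"    # email stays paused pending human review

INTERNAL_DOMAIN = "example.com"   # hypothetical company mail domain

# Constructed lookup table: authorization number -> recipient domains it covers.
AUTHORIZATIONS = {
    "LIC-0001": {"partner-a.example"},
    "TAA-0042": {"partner-b.example", "partner-c.example"},
}

ESCALATION_TEAM = ("Compliance Officer", "Proposal Center Manager",
                   "IT Security or Business Unit Manager",
                   "Human Resources", "Facility Security Officer")

@dataclass
class Email:
    sender: str
    recipient: str
    export_controlled: bool              # set by DLP content inspection
    authorization: Optional[str] = None  # License/TAA number cited by sender

def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def decide(email: Email) -> Tuple[Decision, str]:
    """Return (decision, reason) for one outbound email."""
    domain = recipient_domain(email.recipient)
    # DLP only pauses controlled data that is leaving the company domain.
    if not email.export_controlled or domain == INTERNAL_DOMAIN:
        return Decision.RELEASED, "no export-controlled data leaving the company"
    covered = AUTHORIZATIONS.get(email.authorization or "", set())
    if domain in covered:
        return Decision.RELEASED, f"{email.authorization} covers {domain}"
    # No valid license/TAA for this destination: keep the email paused and
    # hand the incident to the escalation team for a human decision.
    return Decision.ESCALATED, (f"no license/TAA covers {domain}; "
                                f"notify {', '.join(ESCALATION_TEAM)}")
```

A real deployment would populate the lookup table from the export-compliance records the slide mentions; the point here is that the table turns the "human processes every email" cost into a review of only the uncovered cases.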
31
Use Cases: Data in Motion
  • Control of Rogue Business Processes: Monitor
    unauthorized leaks over FTP transfers
  • Investigate Unknown Leaks: Investigate all
    communications of an employee leaking trade
    secrets to competition
  • Regulatory Compliance: PII sent to personal
    webmail accounts by HR employees for working at
    home
  • Acceptable Use: Determine if questionable images
    or materials are being sent
  • Employee Education: Auto-notify employees and/or
    management when a corporate policy is violated
  • Encryption: Automatically encrypt sensitive data
    destined for a business partner or client
  • Monitor and/or Block SSL Channels: Visibility into
    SSL-encrypted web mail transmissions or PGP emails
  • Conditional Blocking or Quarantine: Hold and review
    emails sent to competitors that contain company
    financials or Intellectual Property
32
Use Cases: Data at Rest
  • Compliance (HIPAA, SOX, FDA): PII and health data
    stored unencrypted on disks
  • Investigate Users: Search all contents of an
    employee's hard drive
  • eDiscovery: Discover and index content stored on
    systems or repositories such as SharePoint
  • Laptop and Back-up Tape Loss: Manifest of contents
    stored on a particular system
  • Data Classification/Categorization: Determine
    where sensitive data exists and the type of data
    it is
  • Data Access Audit: Search for payroll or HR data
33
Use Cases: Data at the Endpoint
  • Data Protection While Disconnected: Mobile
    employee sending out sensitive data while in
    public places
  • Confidential Data Abuse/Theft: Protect information
    leaving through USB or Wi-Fi, etc.
  • Employee Education: Inform employees in real time
    about policy violations as they occur on their
    systems and ask for justification
34
Look what happens to your project schedule
  • Buy the product
  • Scope the hardware
  • Buy the hardware
  • Re-scope the hardware
  • Install both
  • Have your network admin go on vacation
  • Find out there is a major version upgrade in the
    middle of installation
  • Push agents out to desktops and laptops
  • Have a major incident at a remote facility
  • Tune the product