CISO Roundtable: Effective Implementation of DLP and Data Security


©2013, Cognizant | All rights reserved. The information contained herein is subject to change without notice.

Venkatasubramanian Ramakrishnan, Director - Global Information Security, Cognizant Technology Solutions

Information Security and Data Protection Strategy


Contents

2 Inflection Point

3 Key Disrupting Factors

4 Role of Information Security Function

5 Data Security Strategy

6 Key Points

7 Big Picture

8 Threat Modeling

9 Sample Threat Modeling


Inflection Point


Key Disrupting Factors

1. Greater Business Partner Responsibility for Technology Projects

2. Workplace of the Future

3. Sharper Executive Focus on Risk Management

4. Core Responsibility Overlap with the Legal Function

5. Sophistication of External Threat Vectors


Role of Information Security Function

Period: 2000-2004, 2005-2012, 2012 & Beyond

Role: Control Owner, Decision Owner, Decision Facilitator

Axis label: Risk Management Philosophy


Data Security Strategy


Key Points

1. The new era requires information security system design with a counter-intelligence mindset!

2. Competitive economic pressures and national security issues drive various entities to seek information and intellectual property

3. Counterintelligence awareness among security leaders is the first step toward improving the protection of proprietary information


Big Picture

THREATS

OPPORTUNITIES

BUSINESS MODEL: Strategy, people, process, technology and infrastructure in place to drive towards objectives

OBJECTIVES: strategic, operational, customer, compliance objectives

MANDATORY BOUNDARY (laws, government regulations and other mandates)

VOLUNTARY BOUNDARY (organizational values, contractual obligations, internal policies and other promises)


Threat Modeling

Critical Elements of Business Intelligence
• Capabilities
• Competition
• Strategic Plans
• Political, Economic & Social Forces
• Markets
• Customers
• Technology Developments
• Industry Structure

Threats
• Competitive Intelligence Collectors
• Terrorists
• “Ethically Flexible” Employees
• State Sponsored Attack
• Resource Poaching
• Economic or Industrial Espionage

Monitor External Environment
• Monitor social media for any chatter on new methods or targets of attacks.
• Engage in peer conversations to share knowledge and stay up-to-date on threat vectors, new techniques, known bad IP addresses, etc.
• Understand what kinds of activities and news reports are likely to increase the chances of an incident.


Sample Threat Modeling

List of data or information that may be under threat: Client credit card numbers
Who may want it: Hacker-thieves, etc.
How motivated are they to get it (ask these questions): What kind of clients do you have? Etc.
Priority for Incident Response Planning (determined by the previous three factors): Low/Med/High

List of data or information that may be under threat: Intellectual property data
Who may want it: Competitors; foreign governments interested in a particular IP or technology; etc.
How motivated are they to get it (ask these questions): Will this IP significantly alter the market share landscape of the industry? Is the IP capable of providing extensive competitive advantage? Are there ideological reasons for stealing such information? Etc.
Priority for Incident Response Planning (determined by the previous three factors): Low/Med/High

Manage Potential Threats
• Determine what assets, data, information, etc. the organization owns that may be of particular interest to attackers. Also determine how important this information or data is to the business.
• Determine who may want such information, how sophisticated they are, and what channels they may use to attempt to cause an incident.
• Determine how motivated potential attackers may be.


Thank you


Data Leakage Prevention (DLP) Project


Agenda

• Enterprise – Growing Challenges
• Business Drivers for DLP
• DLP Specific Challenges & Misnomer
• Solution Decision Making
• Approaches / Solutions to solve Data Security Challenges
• Approach & Methodology
• Critical Success Factor
• Project Outcome
• Key Learnings


Enterprise - Growing Challenges

• Growing employee base across locations
• Enabling an employee-friendly environment to keep them motivated & achieve work-life balance
• Governed by different regulations and compliance requirements
• Data residing in multiple locations
• Multiple stakeholders involved & lack of understanding
• Everyone thinks all their data is critical and important (not so important)
• Evolving, dynamic threat landscape (government agencies, Fortune 100 companies and enterprises are constantly being targeted, and some of the attacks are successful too)
• Outsourcing & its related discrete requirements / commitments
• Growing adoption of public cloud / infrastructure / networks


Business Drivers for DLP

Drivers:
• Business Confidentiality
• Regulatory Compliance

Why it matters:
• To comply with regulatory and compliance requirements
• Avoid penalties for non-compliance
• Prevent data breaches / infiltration
• Protect business interests, including customer confidence
• Protect company & customer IPR
• Protect brand value


DLP Specific Challenges & Misnomer

• “All” our data is critical and confidential
• IT department should be able to identify and classify critical business information
• Let's fingerprint all our data
• Let's configure DLP to protect all data
• Let's block all sensitive information from going out and allow information transfer only on senior management approvals
• We have defined 200 policies but the DLP solution is not raising any meaningful alerts


Approaches to solve Data Security Challenges

There are multiple solutions available in the market to address the data security requirement, and most of them work in a complementary fashion to one another.

A DLP solution should be adopted to address the missing piece / gap left by the other data security solutions, as highlighted below.

Solution: Full Disk Encryption
Area it covers: Works on the disk level to encrypt the drive

Solution: Device Control
Area it covers: Works on the device level again to either allow or disallow the drive

Solution: Access Control & RMS
Area it covers: Works based on rights / privileges enabled for user / IP, or user intervention is required

Solution: Email Encryption
Area it covers: Works based on user / domain as per policy

Missing piece: All these solutions cannot differentiate the data, i.e. the classified information (Private / Confidential & Public data)

Solution: DLP
Area it covers: Works on the classified information to enable protection as per policy


Solution Decision Making

• Adopt a solution which is easy to understand and implement
• DLP solution deployment should not call for architectural / design / product changes to existing services like email & web; rather, it should integrate seamlessly with minimum or no changes
• Proper categorization of vanilla DLP policy based on industries & countries
• Solution should be scalable & reliable from an architecture standpoint
• Support for the multitude of systems used in the corporate environment
• Easy and straightforward integration should be possible with existing internal systems (Directory Services, Monitoring Services, SIEM, etc.)
• Vendor support & a good roadmap / vision is the key
• Availability of a reliable partner for the vendor in the local country with good deployment and process experience in rolling out DLP


Approach & Methodology

DLP Approach

Plan
• Initiation
• Establish objective & goals (short & long term)
• Plan infrastructure
• Establish design
• Identify matching default policies
• Identify critical channels
• Stakeholder analysis
• Communicate awareness & training
• Define ownership
• Establish procedure for critical data identification & classification

Do
• Establish policy, process & procedure
• Review identified & classified data
• Establish infrastructure
• Enable shortlisted default policy to create visibility
• Deploy DLP for identified channel
• Role segregation
• Enable console access for different stakeholders to create impact
• Enable incident monitoring & response
• Deliver weekly & monthly reports for management & stakeholder visibility
• Establish governance

Check
• List actions to be performed
• Analyze whether the data classification procedure is being followed
• Analyze the need for more trainings
• Analyze the visibility created by the default policy
• Analyze the effectiveness of the existing policy enabled
• Check whether the short-term goal is met and analyze triggering of the strategy for the long-term goal
• Analyze stakeholder involvement & support obtained
• Decide whether enabling protection or inline mode can be done

Act
• Act on all the outcomes coming from analysis
• Initiate work on long-term strategy
• Enable custom policy as per requirement
• Fine-tune policy
• Make deployment inline
• Expand the coverage and footprint
• Repeat entire cycle (continuous process)


Critical Success Factor

• IT is a facilitator and not the business data owner of the DLP project
• DLP project success is directly proportional to business user involvement, buy-in, contribution and approvals
• Enable DLP in monitor mode first, then block later based on the monitoring outcome
• Understand that data classification & policy definition is not a one-time exercise. Repeat the PDCA principle (Plan, Do, Check & Act) at a defined periodicity
• Realize that DLP cannot eliminate security breaches but helps reduce the risk by detecting and preventing incidents


Project Outcome

• All critical channels like web, email & mobile devices are being covered & monitored
• Data movement within the organization is getting tracked better
• 365*24*7 monitoring in place to handle high / medium severity incidents reported in DLP
• Awareness among employees improved, and this resulted in improved compliance & reduction in data related incidents
• Happy customers & auditors


Key Learnings

• DLP approach should be chosen based on the culture of the organization
• Establishing frequent connects with stakeholders & employees is the key to success
• Enabling visibility for business stakeholders resulted in quicker adoption
• The DLP journey will not be a one-time exercise / project; rather, it will be an ongoing process / operation to be strictly followed & adhered to by all stakeholders
• Establishing a governance organization dedicated to the DLP journey helped in driving & communicating change to wow’s


Understanding of Technology Architecture and Solutions for Data Security.

Maheswaran.S, Manager, Sales Engineering, SAARC


Data Security Technologies

Data Security: DRM, DLP, GRC/SOC, Access Control, Encryption, FAM


Data Types & DLP Approach

Source : www.oxford-consulting.com


DLP – Key Capabilities


Identification Methods

Described, Registered, Learned


Image Detection

Detects Sensitive Text within Images

• Screen captures
• Scanned checks
• Scanned receipts
• Applications which have image outputs
• Fax pages
• etc.


Data Drip Detection

Detects multiple instances of small data leaks over time

Illustration: a series of emails (header names: John Doe, Joe Smith), each opening "Joe,":

• 3:01 PM, Customer Information: "Here is a customer information:"
• 3:14 PM, Customer Information: "Here is a customer information:"
• 3:17 PM, Customer Information: "Here is a customer information:"
• 4:45 PM, Customer Information: "Here is a customer information: Mike McDonald CCN: 1111-2222-3333-4444"
• 4:50 PM, Re: Customer Information: "Here is another customer information: Jane Brown CCN: 1234-2345-3456-4567"

Diagram labels: Low Impact Incident; High Impact Event; Within 2 Hours
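The accumulation idea on this slide, as an added Python example (not from the deck or from any DLP product): card-number matches are counted per sender over a sliding two-hour window, so messages that are each low impact escalate once enough distinct numbers have left. The dashed-number regex, the threshold of 5, the addresses and the log entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: card numbers appear in the dashed 16-digit form used on the slide.
CCN_RE = re.compile(r"\b(?:\d{4}-){3}\d{4}\b")
WINDOW = timedelta(hours=2)   # the slide's "Within 2 Hours"
HIGH_THRESHOLD = 5            # assumption: distinct numbers per sender per window


def detect_drip(events, window=WINDOW, threshold=HIGH_THRESHOLD):
    """Score each matching message against the sender's recent history.

    events: (timestamp, sender, body) tuples in time order.
    Returns (timestamp, sender, severity, unique_numbers_in_window) tuples.
    """
    recent = defaultdict(deque)   # sender -> (timestamp, number), oldest first
    findings = []
    for ts, sender, body in events:
        numbers = CCN_RE.findall(body)
        if not numbers:
            continue
        history = recent[sender]
        history.extend((ts, n) for n in numbers)
        # Expire matches that have fallen out of the sliding window.
        while history and ts - history[0][0] > window:
            history.popleft()
        # Count distinct values so a resent number is not double-counted.
        unique = len({n for _, n in history})
        severity = "high" if unique >= threshold else "low"
        findings.append((ts, sender, severity, unique))
    return findings


def sample_events():
    """Constructed mail log modelled on the slide's 3:01 PM to 4:50 PM series."""
    day = datetime(2013, 1, 15)
    def at(h, m, d=0):
        return day + timedelta(days=d, hours=h, minutes=m)
    jd, other = "john.doe@example.com", "amy.lee@example.com"
    return [
        (at(15, 1), jd, "Joe, here is a customer: 2222-3333-4444-5555"),
        (at(15, 14), jd, "Joe, here is a customer: 3333-4444-5555-6666"),
        (at(15, 17), jd, "Joe, here is a customer: 4444-5555-6666-7777"),
        (at(15, 30), other, "Invoice for card 5555-6666-7777-8888"),
        (at(16, 45), jd, "Mike McDonald CCN: 1111-2222-3333-4444"),
        (at(16, 50), jd, "Jane Brown CCN: 1234-2345-3456-4567"),
        (at(9, 0, d=1), jd, "Resending: 1234-2345-3456-4567"),
    ]


if __name__ == "__main__":
    for ts, sender, severity, unique in detect_drip(sample_events()):
        print(ts.isoformat(" "), sender, severity, unique)
```

Only the 4:50 PM message crosses the threshold; the next-day resend starts from an empty window and scores low again.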


Data in Motion – Network DLP

Port-Span
• Look - Don’t Touch
• Sees unencrypted outbound traffic

In-Line
• Look AND Touch
• Proxy for Web & FTP
• MTA for Email
• ActiveSync for Mobile

Agent
• Network Printers


Channel Detection and Response

Network DLP: response options by channel

• Web: Audit*, Block, Alert, Notify
• Email: Audit, Block, Quarantine, Encrypt, Alert, Notify
• FTP: Audit, Block, Alert, Notify
• Network Printer: Audit, Block, Alert, Notify
• Active Sync: Audit, Block, Alert, Notify
• IM & Custom Channels: Audit, Block, Alert, Notify


Data in Use - Endpoint DLP Channels

USB Drives

Local Printer

LAN Storage

Internet

Print Server

Network Printer 2

Network Printer 1

Removable Media

Applications


Detection and Response

Endpoint DLP: response options

• Applications: Permit, Confirm, Block, Email Quarantine, Alert, Notify
• Removable Media: Permit, Confirm, Block, Encrypt to USB, Alert, Notify
• Storage: Alert/Log, Scripts (Encrypt, Tombstone, Quarantine, EDRM)


Data at Rest - Discovery

Agentless
- Network-based Discovery
- Conducted over LAN/WAN
- Manage by Schedule and/or bandwidth
- Leverage VMs as Multipliers

Agent
- Perform Discovery Locally
- Fastest Discovery
- Manage by Schedule, CPU Utilization, Power Supply

Hybrid
- The Best of Both Worlds
- Leverage any combination


Advanced Remediation Capabilities Discovery

• Remediation Scripts
  – Several predefined scripts available
  – Customizable for highest flexibility

• Common Remediation Action
  – Move/Quarantine
  – Encrypt**
  – Classification Tag (Microsoft FCI)
  – Apply EDRM**
  – Purge/Delete

** Requires 3rd Party


DLP - Management & Reporting


Business Intelligent Policy Framework

Who

Human Resources

Customer Service

Finance

Accounting

Legal

Sales

Marketing

Technical Support

Engineering

What

Source Code

Business Plans

M&A Plans

Employee Salary

Patient Information

Financial Statements

Customer Records

Technical Documentation

Competitive Information

Where

Benefits Provider

Personal Web Storage

Blog

Customer

USB

Spyware Site

Business Partner

Competitor

Analyst

How

File Transfer
Instant Messaging
Peer-to-Peer
Print
Email
Web
Removable Media
Copy/Paste
Print Screen

Action

Audit
Notify
Remove
Quarantine
Encrypt
Block
Confirm


Enforce Policy by Geo Location


Email-based Incident Workflow

Options to Click within the email notification to:

• change severity
• escalate
• assign
• ignore
• etc.


Demonstrating Risk Reduction

Web: Jan 200, Feb 100, Mar 60; 90-Day Risk Reduction 0.7
Email: Jan 150, Feb 100, Mar 76; 90-Day Risk Reduction 0.493333333333333
FTP: Jan 50, Feb 15, Mar 5; 90-Day Risk Reduction 0.9
IM: Jan 10, Feb 5, Mar 2; 90-Day Risk Reduction 0.8
Network Printing: Jan 45, Feb 30, Mar 15; 90-Day Risk Reduction 0.666666666666667

Chart: 90-Day (High Impact) Risk Reduction; vertical axis: Likelihood of Data Loss


Incident Management & Reporting Dashboards


The following are samples of our weekly and monthly dashboards on incident management.


Thank You


Questions and Answers
