IBM Data Security Services: Network Data Leakage Prevention Powered by Fidelis XPS
© 2009 IBM Corporation
IBM Data Security Services
Network Data Leakage Prevention Powered by Fidelis XPS
Johan Celis, Security Solutions Architect, PCI QSA, IBM ISS EMEA
Enterprise Content Protection (ECP)
• Automated discovery of sensitive content, classifying / tagging of files
• Policy-based enforcement of data protection policy (prevent, allow, encrypt, etc.)
• Close the gap between user action and automated policy-enforced action
• Endpoint – Network – Server / Data Center
• Key Business Partners:
  – Fidelis Security Systems
  – Verdasys
How we got here
• Selection process
• Lab evaluation
  – Multiple products
  – 8+ months
  – Functional approach vs. use case
  – 107 data types
  – 129 protocol variations
  – 306 data operations
  – Normal, Advanced and Expert categories
• Presented methodology
• Single-focus solutions outperform
  – Focus on being best at a single solution
  – Prevents resource-to-technology dilution
[Chart: nDLP – Categories. Scores from 0 to 100 for Vendor-1, Vendor-2 and Vendor-3 across the Normal, Advanced, Expert and Overall (weighted) categories.]
Extent of DLP Coverage Meets Your Requirements
• Network DLP solution
  – Advantages
    • Provides wide coverage quickly
    • Covers all network traffic, regardless of application, channel, and endpoint devices
    • Stops data leakage in real time, even on gigabit networks
  – Challenges
    • Does not provide coverage of devices outside the network
• Endpoint DLP solution
  – Advantages
    • Wide coverage across a variety of endpoints
    • Provides coverage outside the network
    • Automated discovery of sensitive content, classifying / tagging of files
  – Challenges
    • More challenging and time consuming to implement
    • Enabling all endpoint devices with sensitive data, and managing the addition of new endpoint devices
• Enterprise DLP solution
  – Best of both worlds
  – Holistic solution which provides a layered security approach
  – Enables a targeted approach: an endpoint focus in some areas of the business, a network focus in others, and a combined approach where needed
Deployment Coverage Table

Criterion                | Endpoint DLP (Verdasys)          | Network DLP (Fidelis)                              | IPS (Proventia Content Analyzer)
-------------------------|----------------------------------|----------------------------------------------------|------------------------------------------------
Coverage model           | Protects deployed device         | Protects devices "visible" to deployed device      | Gives visibility to magnitude of policy violations
Policy-driven            | Granular, centralized            | Granular, centralized                              | Limited
Contextual awareness     | Yes                              | Yes                                                | Limited
Outside corp. network    | Yes                              | No                                                 | No
Server farm / intranet   | Partially                        | Yes                                                | Yes
Removable media          | Yes                              | No                                                 | No
Registered data          | Limited                          | Yes (binary and partial)                           | No
Deployment timeline      | Moderate to slow                 | Rapid                                              | Rapid for existing Proventia, moderate otherwise
All platforms            | No                               | Yes                                                | Yes
All Things Being Equal… or not!
• Endpoint ≠ Network
• Network DLP ≠ IDS/IPS
• Endpoint DLP ≠ AV/Firewall
• Content ≠ Context
IBM Network DLP Overview
Fidelis Security Systems gives organizations the power to protect their brand, intellectual property and resources by stopping data leakage.
• Network sensor
• Award winning
• Real-time
• Low latency
• Performance
• Prevention
• Profiling
• Accuracy
• Visibility
• Deployment flexibility
• Integration
• External validation
Deployment
[Deployment diagram: Fidelis XPS sensors placed on user, proxy, mail, internal and server traffic, managed from CommandPost.]
• XPS-Direct: any traffic between users and servers. Deployed via TAP/SPAN or in-line. Actions: Alert, Prevent, Throttle. Real-time, high-performance, port-agnostic control of the insider threat.
• XPS-Internal: internal traffic. XPS Direct plus intranet protocols: controls DB2, Oracle, LDAP, CIFS and SMB on the wire, in real time. Deployed via TAP/SPAN or in-line. Actions: Alert, Prevent, Throttle.
• XPS-Proxy: proxied traffic (incl. HTTPS), received from the proxy server over ICAP. Handles SSL by allowing the proxy server to decode (e.g. Bluecoat). Provides educational feedback. Deployed as a server. Actions: Alert, Prevent, Re-Direct.
• XPS-Mail: mail traffic (incl. TLS) between mail servers and the mail gateway. SMTP based, as part of the MX/MTA chain or using the Milter API. Deployed as a server. Actions: Alert, Prevent, Quarantine, Re-Route.
• CommandPost: central management of the sensors.
Performance, Prevention and Time to Value
[Charts, Gen 1.x vs. Fidelis XPS: Performance in Mbps (axis 10, 100, 1000); Prevention in ports (axis 50 and 65,535); Time to Value (axis 0, 2 weeks, 6+ months).]
Legacy products typically fail between 50-100 Mbps. Limited mitigation: prevention for 1-4 ports.

Profiling vs. Registration
• Legacy's IP is in data registration algorithms
• Data registration is expensive
• Unregistered data create false negatives / type II errors
• DLP owner doesn't own integration
• Fidelis XPS focused on accurate profiling technologies
• Low false positives AND low false negatives
Session Architecture
• Analysis in real time, in memory, on partial sessions
• Fidelis-built document decoders support partial files: a requirement for prevention of direct-to-Internet traffic
• 10 different content analyzers, all of which can be logically combined
• Mitigates the risk of data leakage with channel control, including IM, P2P, webmail, encryption and other rogue channels
Detection Techniques
Profiling:
1. Smart Identity Profiling (SIP)
2. Keyword
3. Keyword in sequence
4. Regular expressions
5. Binary signature
6. Session and decoding path
Registration:
7. Exact file matching
8. Partial content
9. Embedded image file
10. File name

Boolean combination of analyzers, example rule:
personal identity information (1. SIP)
AND "Billing" (2. Keyword)
AND protocol is NOT FTP (channel – not shown)
AND recipient is NOT in Approved_Organization_List
Gen 1.5 Extrusion: Limited Prevention (Gen 1.0 was sniffer only)

Fidelis XPS – First Gen 2.0: Comprehensive Prevention (has MTA and Proxy too, not shown)
Fidelis Appliances to Address the Needs of Your Unique Environment
• Fidelis XPS CommandPost / CommandPost+
  – Web-based enterprise administration
  – Integrated with SiteProtector
• Fidelis XPS 1000 Direct / 100 Direct
  – Prevention across all 65,535 ports
  – Port-independent application and protocol monitoring
  – Gigabit-speed performance without sampling
• Fidelis XPS Internal
  – Only network DLP to address internal traffic
  – Gain visibility and control of information leaving data centers and between divisions
• Fidelis XPS Proxy / Proxy+
  – Standard ICAP interface to proxy servers
  – SSL inspection (when supported by the proxy)
  – Policy-based user notification
• Fidelis XPS Mail
  – Graceful control of corporate e-mail
  – Flexible deployment: MTA or Milter support
  – Quarantine/redirect to secure e-mail gateways
• Fidelis XPS Scout
  – All-in-one portable network appliance brings DLP to audit, assessment, and incident response teams
Detection AND Prevention
• All ports, all protocols, all products
• Inline and out-of-band
• Real-time, not spool and analyze
Building A Policy
• Rule = what action to take when we discover particular Content flowing over, or with the attributes of, a particular Channel going to or from a Location.
• Policy = logical collection of (related) Rules
• Assignment = allocation of policies to sensors
• Operate right to left
• Simple Boolean combination
  – Content: 11 engines
  – Channels: numerous
  – Locations: addresses, directory, country
  – Actions: Alert, Prevent, Throttle, Quarantine, Reroute, Re-Direct

Rule attributes (from the diagram):
• Location: SRC IP, DST IP, Country, Directory
• Channel: SRC Port, DST Port, Application Protocol, Client, User, Encryption, Session (size, duration), Time (Day, Week etc.), Subject, Headers, Mode, Method, …
• Content: Meta Data, Additional Information, Data Content
• Policy: Rule → Action, Rule → Action, Rule → Action
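Added example (not Fidelis or IBM code): a small Python evaluator for the rule model above, using the Boolean combination from the Detection Techniques slide (PII AND "Billing" AND protocol NOT FTP AND recipient NOT in Approved_Organization_List). The sample sessions, the first-match policy semantics, the ordering of checks as location, channel, content, and the SSN-shaped regex standing in for Smart Identity Profiling are all assumptions.

```python
import re

# Constructed sample sessions: the location (dst) and channel (protocol)
# attributes a sensor derives from a flow, plus its decoded content.
SESSIONS = [
    {"dst": "partner.example", "protocol": "SMTP", "content": "Billing: 123-45-6789"},
    {"dst": "unknown.example", "protocol": "SMTP", "content": "Billing: 123-45-6789"},
    {"dst": "unknown.example", "protocol": "FTP", "content": "Billing: 123-45-6789"},
    {"dst": "unknown.example", "protocol": "HTTP", "content": "Lunch menu for Friday"},
]
APPROVED_ORGANIZATION_LIST = {"partner.example"}
# Stand-in for the Smart Identity Profiling analyzer (assumption): a US
# SSN-shaped pattern. The real analyzer is proprietary and not shown here.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# One predicate per analyzer; a rule ANDs several of them together.
def recipient_not_approved(s):          # Location
    return s["dst"] not in APPROVED_ORGANIZATION_LIST

def protocol_not_ftp(s):                # Channel
    return s["protocol"] != "FTP"

def has_pii(s):                         # Content: 1. SIP stand-in
    return SSN_RE.search(s["content"]) is not None

def has_billing_keyword(s):             # Content: 2. Keyword
    return "billing" in s["content"].lower()

# Checks are listed location, channel, content (our reading of "right to
# left"), so cheap header checks short-circuit before content is examined.
RULES = [
    {"action": "Prevent",
     "checks": [recipient_not_approved, protocol_not_ftp, has_pii, has_billing_keyword]},
    {"action": "Alert", "checks": [has_pii]},   # PII on any channel, to anyone
]

def evaluate_rule(session, rule):
    """Return the rule's action if every check passes, else None."""
    return rule["action"] if all(chk(session) for chk in rule["checks"]) else None

def apply_policy(session, rules=RULES):
    """First matching rule wins; a session matching no rule is allowed."""
    for rule in rules:
        action = evaluate_rule(session, rule)
        if action is not None:
            return action
    return "Allow"

def run(sessions=SESSIONS):
    return [apply_policy(s) for s in sessions]
```

Running `run()` over the constructed sessions yields Alert (approved recipient, but PII present), Prevent, Alert (FTP is excluded from the Prevent rule, so only the catch-all fires) and Allow.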
Content Fingerprinting
• Profiling:
  – Smart Identity Profiling (US)
  – Smart Identity Profiling (Intl.)
  – Keyword
  – Keyword in sequence
  – Regular expressions
  – Binary signature
  – Session and decoding path
• Registration (and Hybrid):
  – Exact file matching
  – Partial content
  – Embedded image file
  – File name
Performance
• Partial decoding decoders – not 3rd party
• 1.4 Gbps of DLP throughput – not just wire speeds
• Competition stops at about 80-150 Mbps
  – Requires multiple devices plus an L7 switch to achieve the same speed
• IBM tested on corp. network at 600 Mbps (10min age) saturated Gigabit peaks
  – No data lost, full inspection
• Competition:
  – Began SAMPLING DATA at 80 Mbps
  – Dropped data
  – Lost TERABYTES of data per day
  – Already had fewer protocols to look at!
• Reduces cost