nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
Download as PPTX, PDF0 likes309 views
The document discusses enterprise information security and data leakage prevention. It outlines shortcomings of readymade DLP solutions and essentials of an effective data leakage prevention framework. The document advocates adopting an incident-based approach (IBA) instead of a risk-based approach (RBA) for enterprise information security. It also discusses the role of digital forensics in incident triage, investigation, analysis and prevention. Finally, the document predicts increasing sophistication of cybercrimes and malware in the future, posing ongoing challenges for information security.
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
- 1. Enterprise Information Security... a Different viewNullcon (Dwitiya)Goa26 Feb 2011Deepak Rout
- 2. Agenda Data Leakage Prevention …a new paradigm
- 3. IBA instead of RBA …turning ‘The Standard’ around
- 4. What’s in store for us!
- 5. Q & AShortcomings of a Readymade DLP SolutionVery high false positives Long gestation period Data Leakage due to the DLP solutionSeveral data leakage avenues left outMass storage devicesUnmonitored Internet accessUncontrolled Exception ManagementToo many Admins/Super-UsersDiffering Legal/Regulatory provisions - GloballyResult:Unintentional data loss gets detected, while planned Data Theft or Corporate Espionage agent remains a step ahead of DLP policies.
- 6. Data Leakage Preventions - EssentialsBusiness/Management Concerns on Security of Data
- 7. Statutory and Regulatory Imperatives
- 9. Data Protection - a Security Manager’s KPI
- 10. Avoiding the Silver Bullet Syndrome
- 11. Holistic & Proactive Data Protection FrameworkHolistic Approach to Reduce Data LeakageClosing data leak channels not required for business Proactively monitoring channels required to be opened for business Focus on known/suspected leak channelsAdhering to ‘need to know’Controlling leakage by authorized users (e.g. End point solution) Controlling leakage to unauthorized users (e.g. Rights management)Using technology as well as process controlsPhased deployment approachStrong management intent and business involvement Educating users on DLP program and consequences of violationEffective Consequence Management and exemplary treatmentDoing PDCA, if a DLP solution is deployedKnowing limitations of DLP controls/tools, brief management to accept risk Accepting that even after all controls, data leak incidents may happen:Capability to audit user actions Tools to investigate data leak incidents
- 12. Suggested Data Leakage Prevention Framework
- 13. DLP - Do Not & DoDo NotAs a remedial measure in the aftermath of a particularly nasty incidentBusiness doing well &security gets to push through security investment Getting entangled with a silver bullet DLP solution Pure selling by DLP solution providers As a mail filtering mechanismDoDeploy a comprehensive set of DLP technologies and processes as a risk mitigation measure which emerges from a systematic Risk Assessment based on business and security objectives
- 14. Agenda Data Leakage Prevention …a new paradigm
- 15. IBA instead of RBA …turning ‘The Standard’ around
- 16. What’s in store for us!
- 17. Q & AIBA instead of RBA for EIS 'Risk Based Approach' (RBA) - PDCA approach of identifying & mitigating risks
- 18. 'Incident based approach' (IBA) is an alternate to RBA - PDCA cycle based on incident prevention
- 19. On occurrence follow steps - Triage, Investigate, CAPA, RCA, Implement
- 20. Digital Forensics play a anchoring role in all stages:
- 21. Triage - Preserve incident parameters
- 22. Investigation, CAPA & RCA - Diagnostics & Analysis
- 23. Prevention - Designing Enterprise Controls
- 24. Typical Chronology of Digital Investigation....1Prepare a clean destination hard drive: Difficult to distinguish between old data and new
- 25. Suspect can claim that incriminating evidence was planted
- 26. Specialised tools to wipe off past data (e.g. DriveWiperVoom)
- 27. Also generates reports to demonstrate that hard disk is clean2. Digitally image data from suspect system to target drive: Bit-by-bit clone of original hard drive using specialized tools
- 28. Includes all files (OS, deleted, encrypted, password protected & hidden)
- 29. Data hidden surreptitiously within other files is also retrieved
- 30. OS independent tools, do not require a dedicated drive
- 31. Rapid imaging
- 32. Original hard drive is then sealedACQUIRE
- 33. Typical Chronology of a Digital Investigation....23. Fingerprint: To ensure that data copied from source drive to cloned drive is the same
- 34. Unique fingerprint created for each hard drive (hashing)
- 35. Suspect hard drive is seized along with hash value, known to suspect
- 36. Same hash value demonstrated on seized drive4. Write-protect data: Using write-protect bridges
- 37. Then onwards, the drive can only be read but not written to
- 38. Guarantees purity of evidence5.Analyse/Investigate: Specialised tools to scan hard drive and classify files as per category (encrypted files, password protected files, misnamed files, image files, compressed files etc).
- 39. Password-cracking tools are used on password-protected files
- 40. Steganography (camouflaging files within another file) can be countered with tools conforming to judicial and evidential requirements (analysed for hidden messages) AUTHENTICATEANALYSE
- 41. Enterprise Capability Model for Digital Forensics Highly developed internal capability not desirable
- 42. Minimum & potent internal capability (imaging, packet capture, logging etc)
- 43. Advanced capabilities on-demand (image analysis, link analysis, heuristics etc):
- 44. As appropriate for specific industry
- 45. Pre-configured per management/regulatory requirement
- 46. Pre-negotiated & with SLA
- 47. RoI & industry considerations for configuring model
- 48. Optimum model - limited internal & bulk outsourced capability
- 49. After Forensics, What???A View of the Future!!!New criminal business models & malware sophistication:Criminal organizations worldwide are increasingly migrating business models online. Complexity of threats will increase & digital crimes will be more.
- 50. The problem will not disappear:Criminals online activities will continue to be hosted in distributed servers worldwide.New targets:Newer attack methodologies including targeting of SCADA systems that control key infrastructure and economy sectors (petrol, gas, electricity, water, nuclear etc). Economic impact.World economy’s relationship with online services is so strong that any failure could lead to complete chaos. Criminals know this and will take full advantage of it.Ubiquitous Malware.Citizens will continue to depend on technology and ubiquitous online services (mobiles, PDA, laptops, 3G etc). We will see more attacks targeting these technologies.It’s a very profitable business; returns exceed stock markets (3 digit growth)…Security will be in Business!