2. Agenda
Introduction
Data Leakage Scenario
Cases
Real-world impacts
Vulnerabilities
Building the Business Case
Demystifying DLP Solutions
Implementation Challenges
www.niiconsulting.com
3. Speaker Introduction
Founder & Principal Consultant, Network Intelligence
Certified as CISA, CISSP and CISM
Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)
Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
Conducted numerous pen-tests, application security assessments, forensics, etc.
5. Gonzalez, TJX and Heart-break-land
>200 million credit card numbers stolen
Heartland Payment Systems, 7-Eleven, and 2 US national retailers hacked
Modus operandi
Visit retail stores to understand workings
Analyze websites for vulnerabilities
Hack in using SQL injection
Inject malware
Sniff for card numbers and details
Hide tracks
6. The hacker underground
Albert Gonzalez
a/k/a “segvec,”
a/k/a “soupnazi,”
a/k/a “j4guar17”
Malware, scripts and hacked data hosted on servers in:
Latvia
Ukraine
New Jersey
Netherlands
California
IRC chats
March 2007: Gonzalez “planning my second phase against Hannaford”
December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
7. Where does all this end up?
IRC Channels
#cc
#ccards
#ccinfo
#ccpower
#ccs
#masterccs
#thacc
#thecc
#virgincc
Commands used on IRC
!cardable, !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
8. TJX direct costs: $200 million in fines/penalties
$41 million to Visa
$24 million to MasterCard
13. Back of the envelope
SECURITY ROI
14. Cost of an incident
$6.6 million average cost of a data breach
Of this, the cost of lost business is $4.6 million
More than $200 per compromised record
On the other hand:
Fixing a bug costs $400 to $4000
Cost increases exponentially as time elapses
15. Direct Costs
Fees for legal recourse and forensics
Short-term impact to R&D cost recuperation
Long-term impact to profitability/revenue projections
System and process audits
Fines
Regulatory audit fees
Strategy consulting fees
19. The Legal Angle
Computer Crimes Act, 1997
Electronic Commerce Act, 2006
PCI DSS
Central Bank of Malaysia Act, 2009
Personal Data Protection Bill, ??
Guidelines on Internet Insurance
Other regulations
21. What does it stand for?
Data Leakage Prevention
Data Loss Protection
Information Loss Protection
Extrusion Prevention
Content Monitoring and Filtering
Content Monitoring and Protection
22. DLP Solutions
Options
Vendors
Network
End-point
Content-aware
Context-aware
28. Under the hood
1. Rule-based Regular Expressions
2. Database Fingerprinting
3. Exact File Matching
4. Partial Document Matching
5. Statistical Analysis
6. Conceptual/Lexicon
7. Categories
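Added example, not from the presentation or any vendor product: a minimal content-aware classifier showing three of the techniques listed above side by side. Technique 1 is a card-number regex tightened with a Luhn check, technique 3 is exact matching by file hash, and technique 4 is partial document matching by hashed word windows; the protected document, the outbound message and the 0.3 threshold are constructed for the demo.

```python
import hashlib
import re

# Technique 1: rule-based regex for 13-16 digit runs, optionally space/dash separated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Constructed sample data: one protected document and one outbound message quoting part of it.
PROTECTED = {"pricing": "Project Falcon pricing: gold tier costs 900 per seat, "
                        "silver tier costs 500 per seat, bronze tier costs 200 per seat"}
LEAK_MSG = "FYI, leaked: gold tier costs 900 per seat, silver tier costs 500 per seat"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs that the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Regex hit plus Luhn check; returns the card numbers found, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def shingles(text: str, k: int = 5) -> set:
    """Technique 4 (partial document matching): hashes of overlapping k-word windows."""
    words = text.lower().split()
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def classify(message: str, protected: dict, threshold: float = 0.3) -> dict:
    """Run the three techniques over one outbound message and report which fired."""
    result = {"cards": find_cards(message), "exact_match": None, "partial_match": None}
    msg_hash = hashlib.sha256(message.encode()).hexdigest()
    msg_shingles = shingles(message)
    for name, doc in protected.items():
        if hashlib.sha256(doc.encode()).hexdigest() == msg_hash:
            result["exact_match"] = name        # technique 3: exact file matching
        # share of the message's word windows that also occur in the protected document
        overlap = len(msg_shingles & shingles(doc)) / max(len(msg_shingles), 1)
        if overlap >= threshold:
            result["partial_match"] = name      # technique 4: partial document matching
    return result
```

Database fingerprinting (technique 2) works the same way as the shingle set, but the hashed values are the cells of the protected database rather than word windows.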
29. Protecting Data
Data in motion
Network monitor
Email integration
Filtering/blocking and proxy integration
Internal networks
Distributed and Hierarchical deployments
Data at rest
Content discovery techniques
Remote scanning / Agent-Based Scanning / Memory-Resident Agent Scanning
Data in use
Endpoint protection
30. Coverage
Network
End-point
Bluetooth
Blackberry/iPhones/Smartphones
Operating systems
Virtualized servers
Integration with AD/LDAP
Integration with DRM
32. Challenges
User resistance – yet another solution
Over-optimism – this is it!
Under-estimation of effort involved
Lack of trained resources
Absence of policy and procedure framework
Ownership resides with IT
Expensive
False positives
Legal & regulatory framework
33. Implementation Plan
What matters to you – listing of assets
How important is it – classification of assets
Where does it reside?
Who should be able to do what with it – access rights policy
Strategy
Network Focused
Endpoint Focused
Storage Focused
Integration with existing infrastructure
Monitoring and fine-tuning
34. Is it working?
Number of people/business groups contacted about incidents -- tie in somehow with user awareness training.
Remediation metrics to show trend results in reducing incidents
Trend analysis over 3, 6, & 9 month periods to show how the number of events has reduced as remediation efforts kick in
Reduction in the average severity of an event per user, business group, etc.
Trend: number of broken business policies
Trend: number of incidents related to automated business practices (automated emails)
Trend: number of incidents that generated automatic email
Trend: number of incidents that were generated from service accounts -- (emails, batch files, etc.)
Reference: http://securosis.com/blog/some-dlp-metrics/, Rich Mogull
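Added example, not from the presentation or from the referenced post: computing four of the metrics above from a DLP incident log. The incident records, the severity scale and the remediation start date are constructed; a real deployment would pull the same fields from the DLP console's incident export.

```python
from collections import defaultdict
from datetime import date

# Constructed DLP incident records: (date, account, business group, severity 1-5, source kind)
INCIDENTS = [
    (date(2009, 1, 12), "svc-batch", "finance", 3, "service"),
    (date(2009, 2, 3), "alice", "finance", 5, "user"),
    (date(2009, 2, 20), "bob", "hr", 2, "user"),
    (date(2009, 4, 8), "svc-mail", "hr", 1, "service"),
    (date(2009, 5, 15), "alice", "finance", 4, "user"),
    (date(2009, 8, 2), "carol", "sales", 2, "user"),
]
REMEDIATION_START = date(2009, 1, 1)   # constructed: when the remediation programme began


def months_since(start: date, d: date) -> int:
    return (d.year - start.year) * 12 + (d.month - start.month)


def quarterly_trend(incidents, start: date) -> dict:
    """Incidents per 3-month period since remediation began: period 0 = months 0-2, 1 = 3-5, 2 = 6-8."""
    per_period = defaultdict(int)
    for d, *_ in incidents:
        per_period[months_since(start, d) // 3] += 1
    return dict(sorted(per_period.items()))


def avg_severity_by_group(incidents) -> dict:
    """Average severity per business group, to show whether events are becoming less serious."""
    totals, counts = defaultdict(int), defaultdict(int)
    for _, _, group, severity, _ in incidents:
        totals[group] += severity
        counts[group] += 1
    return {g: totals[g] / counts[g] for g in totals}


def service_account_share(incidents) -> float:
    """Fraction of incidents raised by service accounts (batch jobs, automated mail)."""
    if not incidents:
        return 0.0
    return sum(1 for i in incidents if i[4] == "service") / len(incidents)


def contacted(incidents) -> tuple:
    """Distinct accounts and business groups that needed follow-up (input to awareness training)."""
    return len({i[1] for i in incidents}), len({i[2] for i in incidents})
```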
35. Questions?
Thank you! kkmookhey@niiconsulting.com
Information Security Consulting Services
Information Security Training Services