2. DATA LOSS PREVENTION EXPERTISE
Providing DLP Since 2002
Completed 500+ Assessments
Deployed 400+ DLP Projects
Manage 40+ DLP Solutions in 22 Countries
Provide Daily Management of 1,000,000+ Users Globally
QUICK FACTS
Symantec Master Specialization DLP Partner
RSA’s Only Authorized Managed DLP Partner
1st Managed DLP Services Provider (2008)
Localized Chinese DLP Practice (2011)
Global Support in 130 countries
Data Mining, Custom Policies, & Scripting
3. MARKET EVOLUTION - 2005/2006 GARTNER RESULTS
BEW Global forms partnership with
Vericept in 2002. At the time of this
report, BEW had 38 deployments of
Vericept in the US and UK.
BEW Global and Vontu form a
partnership. BEW Global is the first
Vontu reseller.
Vidius changes name to PortAuthority
and accelerates product development
and US presence.
Reconnex enters market with forensics
approach.
5. MARKET EVOLUTION - 2008 GARTNER RESULTS
Vontu acquired by Symantec. ($350M)
Tablus acquired by RSA. ($40M Approx.)
McAfee acquires Reconnex for network
DLP ($46M) and Onigma ($20M) for Host
DLP.
Verdasys and Fidelis announce strategic
partnership.
6. MARKET EVOLUTION - 2009 GARTNER RESULTS
CA acquires Orchestria, January 2009.
GTB struggles to gain a significant
customer base.
Palisade Systems and Code Green
Networks target SMB DLP market.
Workshare late entry into DLP market
lacks functionality.
Vericept acquired by Trustwave.
7. MARKET EVOLUTION - 2010 GARTNER RESULTS
Symantec releases 10.5 and
DataInsight to enhance DAR
capabilities.
RSA releases 8.0 with enhanced
endpoint capabilities. Strategic
partnership with Varonis.
Websense releases 7.5 with
upgraded management interface.
Claims DLP in 30-minutes….
McAfee releases 9.0 with greater
integration with network and host
DLP into ePO console.
10. BEW GLOBAL METHODOLOGY
Risk Assessment
ASSESS QUANTIFY IMPLEMENT OPTIMIZE REVIEW
BEW GLOBAL'S CORE DIFFERENTIATORS
Methodology based on the cornerstones of ISO Plan-Do-Check-Act
Leverage our proven Quality Management System (QMS) to drive continuous improvement
Reduce risk and increase operational efficiencies
11. USE CASE: DLP PRE-PROJECT STATE
Organization Overview: Medical Device & Pharmaceutical Manufacturer, 40,000 employees globally
DLP Scope: Protection of Intellectual Property (General)
DLP Primary Issue: Customer overwhelmed with inaccurate incident data, no meaningful information
Application Management: Operated and managed by IT Security with limited input from business.
Policy Governance: Failure to use a lifecycle software development process for policy construction
Incident Triage: Infrequently reviewed by IT with little to no review by business owners.
Event Management: Hard to accomplish due to large # of false positives. No “gold nuggets.”
Reporting and Metrics: Zero customized reports. No relevant business analysis provided.
Status: System generates 25,000 incidents/day / 750,000 incidents/month
12. APPLICATION SUPPORT & INTEGRATION
Primary System DLP Management = Human Resource / Expertise Requirements
Integrated System Management = Cross Department Collaboration Processes
Health Check & System Validation Management = System Resource Requirements
Vendor Management = Primary and Integrated Technology Vendor Relationships
13. POLICY & RULE GOVERNANCE
Who requests rules & policy requirements?
Criteria for approved rule?
Who's responsible for converting a rule into technical policy?
Do they have technical policy authoring expertise?
Who reviews rule requests?
Are business owners engaged?
What is the formal policy development process?
First drafts rarely work as expected!
What's the process for converting a rule request into a policy?
Is there a process to relay production policy metrics to stakeholders?
14. WORKFLOW DEVELOPMENT & MANAGEMENT
Who develops & manages policy “buckets”?
False positive, inbound partner, outbound employee
Triage response options:
Human notification
System notification (auto)
Hybrid?
Who defines thresholds that determine response rules for each “bucket”?
Are 10 SSNs a high, medium or low severity incident?
Who manages the DLP policy & rules repository?
Why recreate the wheel?
Who designs & sets the policy response triggers?
Malicious, Inadvertent, Suspicious, above threshold.
Who's responsible for building alerts, alarms & notifications?
Has business been engaged on event management?
15. INCIDENT TRIAGE & EVENT MANAGEMENT
Who reviews volume & yield of incidents & events?
What's the review frequency?
What metrics are developed to measure success of rules & related policy?
Who's responsible for developing metrics?
How are events/incidents routed?
Who owns the incident/event?
Revision of rules based on quality of policy results.
Who manages policy optimization process?
How does DLP fit in overall incident/event management process?
Can this be mapped to DLP system?
How will integrated systems be tied together to yield valued info?
Secure mail, web gateway, GRC, SIEM
16. BUSINESS ANALYTICS
Who drives report requirements? Requestors, Reviewers, others?
Who develops reports?
Do they have the expertise with 3rd party reporting tools?
Are DLP system generated reports adequate?
Are the metrics valuable & driving meaningful change?
Report accuracy tied into QA process?
17. APPLICATION MANAGEMENT PITFALL
Inadequately Trained Infrastructure Resources
Inadequate Planning & Resources
Problem: Current IT infrastructure management is often inadequately trained for planning, deployment and ongoing operational management of the DLP operation system (Oracle vs. SQL, etc.).
Solution: Better internal planning & cross-functional involvement, in addition to outsourced 3rd party management of an on-premise solution or fully managed cloud-based delivery. This provides you with instant expertise, reducing the need for staffing and providing higher availability.
18. POLICY GOVERNANCE PITFALL
No Plan of Attack
Inadequate Planning & Resources
Problem: A survey of 50 DLP customers in 2010 said 83% of firms
did not consider the overall DLP system cycle & the necessary
resources for optimal system usage prior to solution acquisition.
Inadequate or lack of resources leads to poor policy construction &
unmanageable incidents.
Solution: A well thought out DLP scope with a supporting policy
governance process that is VERY inclusive of business unit input
as well as involvement with the triage & event management process.
There must be people budgeted for any DLP project as well as
preparation for business unit buy-in.
19. POLICY GOVERNANCE PITFALL
Failure to Engage the Business
Stuck in the IT Department
• Problem: A survey of 50 DLP customers in 2010 said 76% of firms stated
the DLP system technical management & daily operations were the
responsibility of a group directly involved with IT. In these cases it is very
rare to find heavy involvement from business owners directly involved with
the creation & usage of the data targeted for protection.
• Solution: Designation of a primary business owner of the DLP solution, in
conjunction with technical management, is the best recipe for success on
the front-end planning phase of the project. Without direct & serious
involvement from the business, it is very likely that the entire DLP will
never get more than mediocre results.
20. POLICY GOVERNANCE PITFALL
Lack of Rule Customization
Inaccuracy of Out-of-Box (OOB) Policies
• Problem: Organizations rely on OOB policies as the primary detection criteria for their DLP scope. In many cases, data identifiers in OOB policies may never capture the unique attributes of an organization's information targets, yielding a combination of false positives and false negatives that leads to an unmanageable incident yield.
• Solution: Prior to enabling ANY managed production policies, it is highly recommended to select one primary data criterion on which to focus initial efforts. Once agreed upon, use business process mapping to capture how the data is used and stored, obtain examples, and then construct policies based on the collected data.
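The gap between an OOB identifier and a rule built from collected business samples can be measured before anything goes to production. The following is an added example, not part of the original deck: the two rules, the document-number format, the sample messages and the severity thresholds (the kind of threshold question raised on slide 14) are all constructed assumptions.

```python
import re

# Stand-in for an out-of-box policy: generic keywords (hypothetical rule).
OOB_RULE = re.compile(r"\b(?:confidential|proprietary)\b", re.IGNORECASE)

# Customized rule built from samples gathered from the business unit.
# The document-number format DHF-<product line>-<5 digits> is an assumption.
CUSTOM_RULE = re.compile(r"\bDHF-(?:CARDIO|ORTHO|NEURO)-\d{5}\b")

# Hypothetical thresholds agreed with the business owner:
# distinct document numbers in one message -> severity bucket.
THRESHOLDS = [(5, "high"), (2, "medium"), (1, "low")]

# (message text, is it really sensitive?) -- all constructed sample data.
SAMPLES = [
    ("This e-mail is confidential and intended for the recipient only. Lunch at 12?", False),
    ("Attached: DHF-CARDIO-00417 rev C tolerances for the stent coating.", True),
    ("Proprietary blend coffee is back in the break room.", False),
    ("fwd to personal acct: DHF-ORTHO-10022 test results", True),
    ("Confidential: DHF-NEURO-00931 supplier drawings enclosed.", True),
    ("Ticket DHF-1234 closed by helpdesk.", False),
]

def evaluate(rule, samples):
    """Count true positives, false positives and false negatives for one rule."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for text, sensitive in samples:
        hit = rule.search(text) is not None
        if hit and sensitive:
            counts["tp"] += 1
        elif hit:
            counts["fp"] += 1
        elif sensitive:
            counts["fn"] += 1
    return counts

def severity(text):
    """Map the number of distinct document numbers in a message to a bucket."""
    distinct = len(set(CUSTOM_RULE.findall(text)))
    for minimum, label in THRESHOLDS:
        if distinct >= minimum:
            return label
    return None  # no match: no incident is raised

if __name__ == "__main__":
    print("OOB   ", evaluate(OOB_RULE, SAMPLES))
    print("custom", evaluate(CUSTOM_RULE, SAMPLES))
```

Running the same labelled sample set against every draft policy gives the policy governance process a repeatable acceptance check before a rule is enabled.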
21. DATA-IN-MOTION PITFALLS:
Missing the Target – False Sense of Security

Mis-configured Tap or Port Span
Problem: Missing segments of network traffic or protocols
Solution: Comprehensive test plan that maps to in scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured.

Encryption – The Masked Data
Problem: Analysis of data DID not take place prior to encryption.
Solution: Comprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan.

Misfire of Network Discovery Scans
Problem: Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process.
Solution: Identify potential data stores by discussing the DLP program with staff to understand process.

Network versus Endpoint Discovery
Problem: Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same.
Solution: Prior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then, decide on scanning method.
22. DATA-IN-MOTION (ENDPOINT) PITFALLS:
The Pandora's Box of DLP

Environment Assessment
• Problem: No rigorous endpoint environment assessment prior to the selection of the application & enablement.
• Solution: Address age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints.

Staying in Contact
• Problem: Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results.
• Solution: Phased deployment of endpoint with validation via test plan on initial success of ALL agents & on-going endpoint agent health reports.

User Performance Impacts
• Problem: Implementing same policies for network based & endpoint assessments without testing or modification.
• Solution: Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment.

Network/System Performance Impacts
• Problem: Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections.
• Solution: Thorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods.
24. USE CASE – POST-PROJECT STATE
Organization Overview: Medical Device & Pharmaceutical Manufacturer, 40,000 employees globally
DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings
DLP Primary Goal: Identification of unauthorized movement of specific elements of IP
Application Management: Operated by a combination of IT, messaging & desktop management teams
Policy Governance: 100% customized policies based on data collected from business unit
Incident Triage: Daily review of incidents by Information Security
Event Management: Incidents meeting severity criteria routed to business unit for investigation
Reporting and Metrics: Behavioral pattern analysis leading to preventive actions
Status: R&D teams have high-level of confidence in ability to identify leakage of IP.
25. BEW GLOBAL SALES CONTACT
Cole Harter
Regional Account Manager
720.775.6984 | charter@bewglobal.com
BEW GLOBAL HQ
5613 DTC Parkway
Suite 810
Greenwood Village, CO 80111
USA
(ph) +1 720 227 0990
(fax) +1 720 227 0984
www.bewglobal.com

BEW GLOBAL EMEA
3 Albany Court
Albany Park
Camberley GU16 7QR
England
(ph) +44 (0) 845 481 0882
(fax) +44 (0) 871 714 2170
www.bewglobal.com

BEW GLOBAL APAC
520 Oxford Street
Level 23, Tower 1
Bondi Junction
Sydney 2022
(ph) +61 (2) 9513 8800
(fax) +61 (2) 9513 8888
www.bewglobal.com
Editor's Notes
No IT/IS/PMO coordination – treating DLP like an install rather than a project.
No project mgmt… no project team…
Treating DLP like a less powerful and invasive tool…
User MRN / Healthcare, banking and account number, and State Data Privacy examples.