Symantec DLP: Detection Innovation And Expanded Coverage

Transcription

Symantec DLP: Detection Innovation and Expanded Coverage
Ernie Simmons, Tory Gilbert
IIP Technical Field Enablement

Topics
- DLP and Detection Overview
- Vector Machine Learning (VML)
- Email Prevent and VML
- Endpoint Prevent and VML
- DLP for Tablets and VML
- Summary
SYMANTEC VISION 2012

DLP and Detection Overview

Data Loss Prevention Threat Coverage
(Diagram: a single DLP policy drives both halves.)
- Monitoring and Prevention (data in motion): Email, Webmail, Instant Message, FTP, untrusted networks, USB/CD/DVD, Print/Fax, and DLP for Tablets (new in V11.5)
- Discovery and Protection (stored data): File servers, Web servers, SharePoint / Lotus Notes / Exchange, Databases

Data Loss Policies
A Data Loss Policy is built from scratch or from one of 60 policy templates, and consists of detection rules and response rules.

Detection Rules
- Described Data (DCM): keywords, data identifiers, regular expressions, file type
- Fingerprinted Data: structured data (EDM), unstructured data (IDM)
- Vector Machine Learning (introduced in V11.1)
- Group-based rules: AD user groups, senders/recipients
- Additional detection features: match count threshold, Boolean logic (and/or/if), exceptions

Response Rules
- Notification: by email, onscreen notification, marker file, syslog alert
- Blocking: SMTP, HTTP/S, FTP, IM, USB/CD/DVD, print/fax, copy/paste
- File Copy or Quarantine: for Network Discover (quarantine also for Endpoint Discover)
- Modification (SMTP): for conditional encryption, for example
- FlexResponse (Storage, Endpoint): API for custom responses, such as applying digital rights, encrypting files in place, and so on

Detection Innovation and Expanded Coverage
- Vector Machine Learning: lets you detect confidential documents that proliferate across the enterprise. Such documents are often difficult to fingerprint or describe.
- DLP for Tablets: extends DLP coverage, providing the DLP suite's robust policy and reporting features for iPad security.

Vector Machine Learning (VML)

Vector Machine Learning: Overview
Challenges of detecting unstructured data:
- Keywords: How do you identify the relevant keywords? How do you tune the policies?
- IDM: What if you can't access all the confidential docs to fingerprint them? How do you account for new docs?
Symantec Proprietary & Confidential - This information is not a commitment, promise or legal obligation to deliver any material, code or functionality

Vector Machine Learning: Overview (cont'd)
The solution: Machine Learning, layered on top of IDM and keywords
- Automates policy creation using sample docs
- Improves accuracy with remediation
- Detects new or similar content

Top VML Use Cases
- Create highly accurate policies around source code, wherever it resides
- Detect insurance claim forms that reside outside the grasp of IT Security
- Automatically create policies based on VML feature extraction
- Improve accuracy for PII policies by using VML to tune out certain categories of data

VML: Definition and Uses
- VML detects unstructured data by determining whether analyzed content is similar to the docs in a training set (a collection of example documents).
- VML represents a third type of detection, learning, in addition to describing (DCM) and fingerprinting (EDM / IDM).

When to use VML:
- Yes: unstructured and textual data; data set highly distributed and difficult to collect; content very difficult to describe
- No: unstructured and binary data; data set centralized and/or small; content easy to describe

VML: Example Data
- Source code: protect proprietary source code for a product, trading models, or actuarial algorithms
- Reports and forms: monthly or weekly sales reports, loan applications, and resumes
- Legal contracts: licensing, partnership, and sales agreements
- HIPAA and HITECH: Patient Health Information in the form of insurance claims, billing and procedure codes, emails to patients
- ITAR (International Traffic in Arms Regulations): intellectual property and unstructured data that may be export-restricted

VML: Selecting Sample Docs (Training Sets)
- Positive Training Set: represents the narrow category you want to detect (for example, Endpoint DLP source code)
- Negative Training Set: represents related but broader categories that must not match (for example, open source C code, or the Endpoint DLP API guides)
Both training sets: stored on the Enforce host, minimum 50 docs each (minimum 250 recommended), roughly the same size as each other, docs packaged in a ZIP (recommended), no single document larger than 30 MB.
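A pre-flight check for the training-set rules on this slide, written for this page as an added example (it is not Symantec code and does not talk to Enforce): it reads the two ZIPs and reports sets that are too small, too unbalanced, or that contain an oversized document. The 50 / 250 / 30 MB figures come from the slide; the 2:1 tolerance for "roughly the same size", and counting documents rather than bytes, are assumptions.

```python
"""Check a pair of VML training-set ZIPs against the sizing rules on the slide:
at least 50 documents each (250 recommended), the two sets roughly the same
size, and no single document over 30 MB. Added example for this page, not
Symantec code; the 2:1 balance tolerance and counting docs (not bytes) are
assumptions."""
import io
import zipfile


def make_zip(docs: dict) -> bytes:
    """Build an in-memory ZIP from {filename: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in docs.items():
            zf.writestr(name, data)
    return buf.getvalue()


def describe_zip(data: bytes) -> dict:
    """Document count and uncompressed sizes, read from the ZIP central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    return {
        "docs": len(infos),
        "total_bytes": sum(i.file_size for i in infos),
        "sizes": {i.filename: i.file_size for i in infos},
    }


def validate_training_sets(positive_zip: bytes, negative_zip: bytes,
                           min_docs=50, recommended_docs=250,
                           max_doc_bytes=30 * 1024 * 1024, max_ratio=2.0) -> list:
    """Return (severity, message) findings; an empty list means the sets pass."""
    findings = []
    sets = {"positive": describe_zip(positive_zip), "negative": describe_zip(negative_zip)}
    for name, s in sets.items():
        if s["docs"] < min_docs:
            findings.append(("error", f"{name} set has {s['docs']} docs; minimum is {min_docs}"))
        elif s["docs"] < recommended_docs:
            findings.append(("warn", f"{name} set has {s['docs']} docs; {recommended_docs} recommended"))
        for fn, size in s["sizes"].items():
            if size > max_doc_bytes:
                findings.append(("error", f"{name} set: {fn} is {size} bytes, over the {max_doc_bytes} limit"))
    # Balance check: the larger set must not exceed the smaller by more than max_ratio.
    counts = sorted((sets["positive"]["docs"], sets["negative"]["docs"]))
    if counts[0] and counts[1] / counts[0] > max_ratio:
        findings.append(("warn", f"sets are unbalanced: {sets['positive']['docs']} positive vs "
                                 f"{sets['negative']['docs']} negative docs"))
    return findings


if __name__ == "__main__":
    # Constructed sample: 60 tiny C files vs 300 tiny guide pages.
    pos = make_zip({f"src{i}.c": b"int main(void) { return 0; }" for i in range(60)})
    neg = make_zip({f"guide{i}.txt": b"The API guide describes the agent." for i in range(300)})
    for severity, message in validate_training_sets(pos, neg):
        print(severity, message)
```

Run it against the real ZIPs before uploading them to Enforce; a set that passes the count check but fails the balance check will still train, but the accuracy figure the training step reports is then skewed toward the larger class.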

VML: How It Works
Training: positive examples and negative examples -> select features -> generate model -> calculate accuracy -> profile
Detection: analyzed content is compared against the profile and receives a similarity score from 0.0 through 10.0
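The pipeline on this slide, carried through end to end as an added example for this page. It is not Symantec's VML implementation, whose feature selection and model are not described here; it is a plain bag-of-tokens logistic regression that keeps the same stages (positive and negative examples, feature selection, model, training accuracy, profile, then a 0.0 to 10.0 similarity score). The source-code and API-guide documents are constructed, and the names `Profile`, `train_profile` and `similarity_score` are this example's own.

```python
"""Toy 'learning' detector following the slide's stages: positive/negative
examples -> select features -> generate model -> calculate accuracy -> profile,
then a 0.0-10.0 similarity score at detection time. Added illustration, not
Symantec's VML algorithm. Sample documents below are constructed."""
import math
import re
from dataclasses import dataclass, field

# Identifiers, numbers and the punctuation that makes code look like code.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|[{}();#<>*=]")

# Positive set: the narrow category (proprietary-looking C source). Constructed.
POSITIVE_DOCS = [
    '#include <stdio.h>\nint main(void) { puts("agent up"); return 0; }',
    "static int scan_path(const char *path) { if (!path) return -1; return agent_scan(path); }",
    "struct policy { int match_threshold; char *name; };",
    "void endpoint_block(int fd) { close(fd); log_incident(fd); }",
    '#include "endpoint.h"\nint agent_init(void) { return load_policy(); }',
    "for (int i = 0; i < n; i++) { total += items[i]; }",
]
# Negative set: related but broader material (API guide prose). Constructed.
NEGATIVE_DOCS = [
    "The Endpoint DLP API Guide describes how to configure the agent on each workstation.",
    "Chapter 3 explains how to deploy the agent and define a policy for scanning removable media.",
    "Contact Symantec support if the endpoint agent cannot reach the Endpoint Server.",
    "This guide assumes that you have installed the Enforce server and created at least one policy.",
    "Open source C code from third parties should be reviewed before it is scanned by the agent.",
    "The following table lists the supported operating systems for the endpoint agent.",
]


def features(text: str) -> dict:
    """Binary bag-of-tokens, L2-normalised so long documents do not dominate."""
    toks = set(TOKEN_RE.findall(text.lower()))
    norm = 1.0 / math.sqrt(len(toks)) if toks else 0.0
    return {t: norm for t in toks}


def select_features(docs, min_df=2) -> set:
    """Keep tokens seen in at least min_df training docs; singletons only memorise."""
    df = {}
    for d in docs:
        for t in set(TOKEN_RE.findall(d.lower())):
            df[t] = df.get(t, 0) + 1
    return {t for t, c in df.items() if c >= min_df}


@dataclass
class Profile:
    weights: dict = field(default_factory=dict)
    bias: float = 0.0
    vocab: set = field(default_factory=set)
    accuracy: float = 0.0


def _margin(profile: Profile, text: str) -> float:
    return profile.bias + sum(profile.weights.get(t, 0.0) * v
                              for t, v in features(text).items() if t in profile.vocab)


def train_profile(positive, negative, epochs=100, lr=1.0) -> Profile:
    """Generate the model: logistic regression by deterministic gradient descent."""
    profile = Profile(vocab=select_features(list(positive) + list(negative)))
    labelled = [(d, 1.0) for d in positive] + [(d, 0.0) for d in negative]
    for _ in range(epochs):
        for doc, y in labelled:
            p = 1.0 / (1.0 + math.exp(-_margin(profile, doc)))
            g = p - y                      # gradient of log-loss w.r.t. the margin
            for t, v in features(doc).items():
                if t in profile.vocab:
                    profile.weights[t] = profile.weights.get(t, 0.0) - lr * g * v
            profile.bias -= lr * g
    # Calculate accuracy: share of training docs on the correct side of the boundary.
    correct = sum((_margin(profile, d) > 0) == (y == 1.0) for d, y in labelled)
    profile.accuracy = correct / len(labelled)
    return profile


def similarity_score(profile: Profile, text: str) -> float:
    """Map the model margin onto the slide's 0.0 through 10.0 similarity scale."""
    return round(10.0 / (1.0 + math.exp(-_margin(profile, text))), 1)


if __name__ == "__main__":
    prof = train_profile(POSITIVE_DOCS, NEGATIVE_DOCS)
    print("training accuracy:", prof.accuracy)
    print(similarity_score(prof, "int count_files(const char *dir) { return walk(dir, 0); }"))
    print(similarity_score(prof, "Refer to the API guide before you configure a new scanning policy on the agent."))
```

Two things the toy makes visible that the slide only names: the negative set is what teaches the model to ignore vocabulary the two categories share (here "agent", "endpoint", "policy"), and a training accuracy of 1.0 on twelve documents says nothing about the threshold you should set in the policy, which is why the page recommends 250 documents per set and a held-out check before accepting the profile.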

Vector Machine Learning: Demo
- Review training sets
- Configure profile
- Train and accept profile
- Add profile to policy

Network Prevent for Email VML

Network Prevent for Email VML
(Diagram: End Users, Email Server and MTA on the corporate LAN; Network Prevent (Email) in the DMZ; the Internet beyond it.)
1. End user sends email
2. Email forwarded to MTA
3. MTA routes email to Network Prevent (Email)
4. Email inspected, then blocked or modified if in violation of policy
5. Prevent sends email back to MTA
6. If the email is unmodified, the MTA sends it downstream. If a header has been modified, the MTA takes the appropriate action (typically, rerouting).
The above diagram is for reflecting mode.
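The six reflecting-mode steps above, as an added runnable stand-in written for this page (it is not Symantec code; Network Prevent, the MTA and the policy are all simulated in-process). To keep the block self-contained the detection rule is a described-content keyword rule with a match count threshold rather than a VML profile, and the header name `X-DLP-Verdict`, the "Medicaid" keyword, the threshold of 2 and the quarantine routing action are assumptions; the two messages are constructed.

```python
"""Reflecting-mode walk-through: MTA -> Network Prevent -> MTA. Added example
for this page, not Symantec code. The header name, the keyword rule and the
sample messages are assumptions / constructed."""
import email
from email import policy as email_policy
from email.message import EmailMessage

# Step 4 stand-in: a DCM keyword rule with a match-count threshold (assumed values).
RULE = {"name": "Medicaid legal docs", "keyword": "medicaid", "min_matches": 2}
VERDICT_HEADER = "X-DLP-Verdict"   # assumed header name Prevent writes on a violation


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=email_policy.default)


def inspect(msg: EmailMessage) -> int:
    """Count rule matches across the body and every text/* attachment."""
    hits = 0
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hits += part.get_content().lower().count(RULE["keyword"])
    return hits


def network_prevent(raw: bytes) -> bytes:
    """Steps 3-5: inspect the message the MTA handed over; on a violation the
    response rule 'modifies' the message by adding a header, then hand it back."""
    msg = parse(raw)
    hits = inspect(msg)
    if hits >= RULE["min_matches"]:
        msg[VERDICT_HEADER] = f"violation; rule={RULE['name']}; matches={hits}"
    return msg.as_bytes()


def mta_deliver(raw: bytes) -> str:
    """Step 6: an unmodified message goes downstream; a modified header makes
    the MTA take its configured action (here, reroute to a quarantine)."""
    msg = parse(raw)
    return "rerouted-to-quarantine" if msg[VERDICT_HEADER] else "delivered-downstream"


def reflect(raw: bytes) -> str:
    """Whole path for one message: MTA -> Prevent -> MTA."""
    return mta_deliver(network_prevent(raw))


def build_message(body: str, attachment: str) -> bytes:
    """Steps 1-2: a constructed user email with a text attachment."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "counsel@example.net"
    msg["Subject"] = "Contract for review"
    msg.set_content(body)
    msg.add_attachment(attachment, filename="contract.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    clean = build_message("Please review the attached licensing agreement.",
                          "This agreement covers software licensing terms.")
    hot = build_message("Attached is the Medicaid claims contract.",
                        "Medicaid reimbursement schedule for Medicaid providers.")
    print(reflect(clean))   # delivered-downstream
    print(reflect(hot))     # rerouted-to-quarantine
```

The point the diagram relies on is in `mta_deliver`: Prevent never delivers mail itself, so the MTA's routing rule on the modified header is the actual enforcement. If that rule is missing or the header is stripped between hops, an inspected violation is still delivered.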

Network Prevent for Email: Demo
- Send email with a legal attachment (not Medicaid-related)
- Send email with a Medicaid-related legal attachment
- Review email notifications
- Review the incident snapshot and send manager notification

Endpoint Prevent VML

Endpoint Prevent VML
(Diagram: End Users with the agent, on the corporate LAN or disconnected; Endpoint Server (Endpoint Prevent).)
1. Agent inspects files/data written to internal drives, USB, CD/DVD, supported email clients / IM clients / browsers, FTP, print/fax, clipboard, and network shares (Windows Explorer only)
2. Any blocking, onscreen notification, or FlexResponse rules are initiated locally on the endpoint
3. Agent sends incident data to the Endpoint Server
The agent keeps functioning when disconnected from the corporate LAN and stores incident data until it reconnects.

Endpoint Prevent: Demo
- Copy a file that is not Medicaid-related to USB
- Copy a Medicaid-related file to USB

DLP for Tablets and VML

DLP for Tablets: Overview
Comprehensive coverage: corporate email, personal email, social media, cloud apps
Most user friendly, lowest TCO
- Works over Wi-Fi and 3G
- Enables full use and productivity of the device. Our approach does NOT
  o require a restrictive "sandbox" approach, or
  o break business processes by restricting what data can go to the iPad
Symantec DLP for Tablets is tightly integrated with the Symantec DLP Suite:
- Common, advanced technologies for detecting confidential information
- Consistent application of DLP policy, and
- Seamless, integrated reporting and analytics

Data Loss Prevention for Tablets: Architecture
(Diagram: the tablet is on VPN at all times into the corporate network; its network traffic (email, web, popular apps) passes through a proxy that feeds the Symantec Data Loss Prevention Tablet Prevent Server, and the proxy provides the tablet's direct access to the Internet.)
Key benefits
- Reduce the risk of data loss from iPads, while giving users access to sensitive data
- Supports consumerization: coverage for personal and corporate use cases

Mobile Device Management
- DLP for Tablets: MDM is not required, but it delivers the VPN profile and may optionally enforce it
- The MDM solution needs the ability to:
  - Set the VPN profile
  - Push certificates. Certificates required for DLP:
    - User certificate (for VPN authentication)
    - Proxy root certificate (to be added to the iPad's list of trusted certs; this is what lets the proxy inspect the tablet's TLS traffic, so treat its private key accordingly)
  - Prevent tampering with the VPN profile setting (optional)
  - Enforce remediation/action if the user turns off VPN (optional)

Symantec Mobile Management (Optional)
- Symantec Mobile Management (SMM) enforces the VPN settings. It is optional.
- Symantec Mobile Management 7.1 SP1 (DLP release) can be configured to monitor and alert if the user attempts to shut off VPN; most MDM solutions do not do this.

DLP for Tablets: Demo
- Dropbox
- FTP
- Facebook
- Twitter
- Incident review

DLP for Tablets: Benefits
- Balances protection with usability: reduces data loss risk while preserving access to confidential data
- Supports consumerization: coverage for personal and corporate use cases
- Preserves iPad app performance: common apps work as expected
- Works with any Mobile Device Management (MDM) solution: the customer uses their preferred solution

Summary
- Vector Machine Learning (VML) lets you detect confidential documents that proliferate across the enterprise.
- DLP for Tablets extends coverage, providing the DLP suite's policy and reporting features for iPad security.

Q&A

Thank you!
Ernie Simmons, Tory Gilbert
IIP Technical Field Enablement
ernest simmons@symantec.com
tory gilbert@symantec.com
SYMANTEC PROPRIETARY/CONFIDENTIAL - INTERNAL USE ONLY
Copyright 2012 Symantec Corporation. All rights reserved.
