
Data Protection
McAfee's Endpoint and Network Data Loss Prevention

Dipl.-Inform. Rolf Haas
Principal Security Engineer, S+, CISSP
rolf@mcafee.com

January 22, 2013 for ANSWER SA Event, Geneva


- Position
- Features and Live-Demo
- Questions & Answers
Latest McAfee Facts
- 125 million McAfee users
- 83% of Fortune 100 companies using McAfee
- 100+ million mobile devices shipped with McAfee
- 5 million: single largest McAfee deployment
- 8 Gartner Magic Quadrants that feature McAfee
- 480+ McAfee patents, more pending
- 80+ McAfee Security Innovation Alliance partners
- 8,000 McAfee employees globally
- 120 countries that make up McAfee's global footprint
- Now a 100% Intel subsidiary
McAfee's Extensible Platform for Security Risk Management
Industry leadership to drive better protection, greater compliance, and lower TCO
- SIA Associate Partner
- SIA Technology Partner (McAfee Compatible)
Two Drivers For Data Security
- Regulation: HIPAA, PCI, SOX; thousands of regional privacy laws
- Sensitive data: product designs, IP; M&A, financials, legal
Data Communication Channels: How Does Data Leak?

Data state | Data sources and user actions                       | Protection
At rest    | files, shares, removable media; Move, Access        | Data Discover, Data Encryption
In use     | Copy to device, Print, Cut/copy/paste               | Endpoint Device Control, Removable Media Encryption
In motion  | Outbound email, Web posting, IM, blogs              | Data Monitoring, Data Blocking, Data Encryption
McAfee Data Protection Solution Architecture

Disconnected:
- Endpoint DLP, Device Control, Endpoint Encryption, Encrypted Media
Secured Corporate LAN:
- Endpoint DLP, Device Control, Endpoint Encryption
- Network DLP Monitor and Network DLP Discover (SPAN Port or Tap)
Network Egress/DMZ:
- Network DLP Prevent (MTA or Proxy)
Central Management:
- ePolicy Orchestrator (ePO): unified policy for Network and Endpoint DLP

Discover Data with DLP Endpoint
- Crawl local drives & tag by application, location or content
- Outlook files (PST/OST)
- Remediate: move, delete or encrypt
What it does: find and protect sensitive information on hard drives.
Monitor Data with DLP Endpoint
- Provide content-aware detection: over 300 content types
- Outlook, webmails
- IM/FTP/HTTP(S)
- I/O channels (USB, media, devices)
What it does: monitor data as it leaves the endpoint.
Protect Data with DLP Endpoint
- Provide content-aware device control: move or block
- Integrated with Endpoint Encryption: file, folder, or USB
- DRM support: Adobe, MS RMS
What it does: protect against data loss via outbound email, web postings, and endpoints such as laptops, USBs and other devices.
Unified Rules/Policies
- Create unified rules and policies across all vectors (data-in-motion, data-at-rest, data-in-use, Device Control)
  Example: protect credit card numbers from leaving the organization
  Implementation: one-click distribution
  - Send to network components for protection at egress points
  - Send to host agent for protection at endpoint, including download to removable media
- Consolidate incidents from all vectors
  - Single location for incidents
  - Common framework for incident workflow
  - Create reports, escalate to cases
  - Comprehensive view of data loss profile
  - Built-in investigation and remediation
McAfee Data Protection Phase Concept
You cannot do everything at once...

PHASE 1: Encryption
- Full Disk Encryption of laptops / desktops to protect against external threats (ROI because no HDD destruction needed)
- File & Folder Encryption to protect data wherever it goes (persistent)

PHASE 2: Control the Removable Media Disaster
- Device Control to (block), monitor and educate
- Encrypt all devices transparently with Endpoint Encryption for Removable Media, hence less blocking

PHASE 3: Data Classification
- Use the monitoring and discovery engine of Network and Endpoint DLP
- Capture database to tune policies

PHASE 4: Activate Full DLP across the Enterprise
- Monitor, control and prevent what the user is allowed to do with your data

User awareness instead of blocking: educate your end users to reduce internal incidents.

[Chart: user behavior change with implementation of the different DLP phases; event-based monitoring and logging first, then user pop-ups and announcements (no blocking)]
Technology Architecture for Security: How Connected Is Your Security?

[Diagram: one agent per product: DLP Agent, Host IPS Agent, Encryption Agent, Antivirus Agent, NAC Agent, Systems Management Agent, Audit Agent]

Every solution has an agent. Every agent has a console. Every console requires a server. Every server requires an OS/DB. Every OS/DB requires people, maintenance, patching. Where does it end?
Technology Architecture for Security: How Connected Is Your Security?

McAfee ePO Server (AV, DLP, NAC, Encryption, PA, Site Advisor): single agent, single console.

Security Management Platform: ePO
- Inputs: real-time threat feeds, security metrics, actionable information, protection
- Stakeholders: Executive, Risk Management, Security Admin, IT Architect
- Managed products: Endpoint Security, Encryption, Email Security, Firewall, Whitelisting, DLP, Web, IPS, SIA
- Integrates with IT Operations Platforms
ePO Integration Strategy
Automation of monitoring, reporting, and auditing reduces costs!
1. Single console, single agent endpoint deployment and management
2. Single consolidated source for incident response and reporting
3. Comprehensive incident views, case management and workflow
Products: McAfee Endpoint Encryption, McAfee Endpoint Encryption for Removable Media, McAfee Network DLP and Endpoint
Data Loss via Social Media
Block design information posting on Facebook.

Unencrypted USB Access
Prevent patient data from being copied onto USB.

Unauthorized Clipboard Access to Data
Prevent sensitive information from being copied.
McAfee Device Control and Host DLP Client
- Deploy agent via ePO Server
- Full communication through one-agent strategy
- Disable block protection for x minutes via challenge response
- Local uninstallation only with challenge response
- User notification for monitor or block action
- Driver-based software protection
- Watchdog prevents that services are stopped
- Can be active in Windows safe mode
McAfee Device Control: Device Definition
- Configure devices per port (USB, Firewire etc.)
- Connected Windows Device GUID
- USB class code, serial number, device name
- Whitelist Windows GUIDs, e.g. keyboard and mouse
- Group device definitions for easy usage
- Run report and register own/new Windows GUIDs
McAfee Device Control: Device Rules
- Management through web-based ePO
- Machine-based policy assignment
- User-based assignment (OU, memberOf, single user)
- Configure Monitor, Read Only, Block per policy
- Create device exemptions
- Block running executables from USB
- Configure hyperlink and text for user notification
- Run security awareness program
McAfee Device Control: Management
- Management through web-based ePO
- Export device definitions from reports for whitelisting
- Redaction of sensitive fields in reports
- Automatic reports sent via mail
- Monitor status of agent deployment
- Verify device details for connected devices
- "For eyes only" principle to open reports
- Configure active modules/drivers on clients
Implementation example (H-DLP)
- Phase 1: Silent monitor mode: analysing the risks, report to management
- Phase 2: Monitor mode and user notification for devices; security awareness campaign
- Phase 3: Read-only mode, e.g. for all unencrypted media
- Phase 4: Block mode, e.g. for all foreign (unencrypted) devices
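The device-rule model from the Device Rules slide and the four-phase rollout above, worked through as an added Python example. This is not McAfee code: the device fields (port, USB class code, Windows GUID, serial number), the whitelist definitions, the sample connect events and the mapping from phase to action are all constructed from my reading of the slides, not taken from the product.

```python
from enum import Enum

# Added, hypothetical device-control evaluator (not McAfee code).
# Rollout phases as on the slides: 1 = silent monitor, 2 = monitor + user
# notification, 3 = read-only for unencrypted media, 4 = block foreign
# (unencrypted) media. Whitelisted definitions (e.g. keyboard and mouse)
# are always allowed, in every phase.

class Action(Enum):
    ALLOW = "allow"
    MONITOR = "monitor"      # log only, user sees nothing
    NOTIFY = "notify"        # log and show a user pop-up
    READ_ONLY = "read_only"
    BLOCK = "block"

USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # removable storage

# Whitelist expressed as device definitions; a definition matches when every
# field it names equals the device's field (constructed sample entries).
WHITELIST = [
    {"usb_class": USB_CLASS_HID},       # all HID devices
    {"serial": "CORP-ENC-000123"},      # one registered corporate stick
]

def matches_definition(device, definition):
    return all(device.get(k) == v for k, v in definition.items())

def is_whitelisted(device):
    return any(matches_definition(device, d) for d in WHITELIST)

def evaluate(device, phase):
    """Return the Action a client in rollout `phase` applies to a connect event."""
    if phase not in (1, 2, 3, 4):
        raise ValueError("phase must be 1..4")
    if is_whitelisted(device):
        return Action.ALLOW
    # Only removable storage is subject to the media rules; every other class is
    # monitored in all phases so the reports stay complete.
    if device.get("usb_class") != USB_CLASS_MASS_STORAGE:
        return Action.MONITOR
    if phase == 1:
        return Action.MONITOR
    if phase == 2:
        return Action.NOTIFY
    if device.get("encrypted", False):
        return Action.ALLOW           # phases 3/4: encrypted media pass through
    return Action.READ_ONLY if phase == 3 else Action.BLOCK

def evaluate_log(events, phase):
    """(device name, action) per connect event, the shape a report would show."""
    return [(e["name"], evaluate(e, phase).value) for e in events]

# Constructed sample connect events
SAMPLE_EVENTS = [
    {"name": "Logitech Mouse", "port": "USB", "usb_class": USB_CLASS_HID, "serial": "LM1"},
    {"name": "Kingston DataTraveler", "port": "USB", "usb_class": USB_CLASS_MASS_STORAGE,
     "serial": "KDT-9981", "encrypted": False},
    {"name": "Corp EEFF Stick", "port": "USB", "usb_class": USB_CLASS_MASS_STORAGE,
     "serial": "CORP-ENC-000123", "encrypted": True},
    {"name": "Vendor Encrypted Stick", "port": "USB", "usb_class": USB_CLASS_MASS_STORAGE,
     "serial": "VX-1", "encrypted": True},
]

if __name__ == "__main__":
    for phase in (1, 2, 3, 4):
        print(f"Phase {phase}:", evaluate_log(SAMPLE_EVENTS, phase))
```

Running the same events through all four phases shows why the phased approach reduces friction: the unencrypted stick is only logged in phase 1, triggers a pop-up in phase 2, becomes read-only in phase 3 and is blocked in phase 4, while the mouse and the encrypted media never change state.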


DLP Increases Control

Area            | Without DLP             | With DLP
Encryption      | Encrypt everything      | Selectively encrypt; encrypt on-demand
Removable Media | Block USB devices       | Content-based coaching; block based on origin
Device Control  | Block cut, copy, paste  | Content-aware blocking; content-based coaching

Content-aware enforcement delivers greater control & reduces costs, only applying protection where it's needed.
McAfee Host Data Loss Prevention: Content Classification
- Persistent classification
- Copy and paste of text recognized
- Manual classification (Explorer integration)
- Location- and application-based
- Own created dictionaries
- File details information, including own created fields
- File type based (header and extension)
- Regular expressions
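As an added example, not code from the presentation or from McAfee, here is a small classifier that combines three of the classification sources listed above: a regular expression for the credit-card rule used as the example on the Unified Rules/Policies slide (with a Luhn check so random 16-digit numbers such as order references do not trigger it), an own-created dictionary, and file-type detection by header bytes compared with the claimed extension. The dictionary, the magic-byte table, the tag names and the sample text are all constructed.

```python
import re

# Added, constructed content classifier (not McAfee's classification engine).

# 13-16 digit runs, optionally separated by spaces or dashes, not embedded in a
# longer digit run (so phone numbers and long IDs are skipped).
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")

def luhn_ok(digits):
    """Luhn checksum; filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Luhn-valid candidates with separators removed."""
    out = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            out.append(digits)
    return out

# Constructed own-created dictionary for a healthcare scenario
PHI_DICTIONARY = ["patient", "diagnosis", "date of birth", "insurance number"]

def dictionary_hits(text, dictionary):
    low = text.lower()
    return sorted(term for term in dictionary if term.lower() in low)

def classify_text(text, dictionary=PHI_DICTIONARY, min_dict_hits=2):
    """Tag text the way a DLP rule would: PCI on a valid card number,
    CONFIDENTIAL when enough dictionary terms co-occur (tag names are constructed)."""
    cards = find_card_numbers(text)
    hits = dictionary_hits(text, dictionary)
    tags = []
    if cards:
        tags.append("PCI")
    if len(hits) >= min_dict_hits:
        tags.append("CONFIDENTIAL")
    return {"cards": cards, "dictionary_hits": hits, "tags": tags}

# File-type detection: header bytes versus the claimed extension
MAGIC = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "office/zip"), (b"\x89PNG", "png")]
EXTENSIONS = {"pdf": "pdf", "docx": "office/zip", "xlsx": "office/zip",
              "zip": "office/zip", "png": "png"}

def file_type(data, filename):
    """A mismatch means the extension was changed (e.g. a PDF renamed to .txt),
    which a rule keyed only on the extension would miss."""
    by_header = next((t for magic, t in MAGIC if data.startswith(magic)), "unknown")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    by_ext = EXTENSIONS.get(ext, "unknown")
    return {"header": by_header, "extension": by_ext,
            "mismatch": by_header != "unknown" and by_header != by_ext}

# Constructed sample input: one valid test card number, one random 16-digit
# order reference, one phone number, two dictionary terms.
SAMPLE_TEXT = ("Patient 4471-22 diagnosis confirmed. Card on file 4111 1111 1111 1111, "
               "order ref 1234 5678 9012 3456, contact +41 22 123 45 67.")

if __name__ == "__main__":
    print(classify_text(SAMPLE_TEXT))
    print(file_type(b"%PDF-1.4 ...", "report.txt"))
```

The Luhn check is what keeps the credit-card rule usable in practice: without it, every 16-digit order or shipment number would raise an incident, and the phase-3 tuning described earlier would mostly consist of suppressing those.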
McAfee Host Data Loss Prevention: Content Classification with Registered Documents
1. Register document share. Example: \\fileserver01\sensitive_files%
2. Schedule ePO Server task for inventorying. Example: create fingerprint of the content of all files within the document share
3. Deploy fingerprint to the clients. Example: fingerprint is distributed like a virus scan signature to the clients
4. Schedule a discovery scan in the Data Loss Prevention policy. Example: report all found documents, encrypt them, delete them
Options:
- Configure folders which shouldn't be scanned locally
- Encrypt locally found files with EEFF key
- Apply Adobe Rights Management policy
- Quarantine the files
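The registered-documents workflow above, worked through as an added Python example (not McAfee's engine; the shingle-hashing scheme, the share contents, the excluded-folder list and the sample local files are all constructed). It registers a share, produces the fingerprint set that would be distributed to clients, and runs a discovery scan that reports local files whose content overlaps a registered document, skipping folders configured not to be scanned.

```python
import hashlib
import re

# Added, constructed fingerprinting example (not McAfee's registered-document
# implementation). Hashing fixed-size word shingles instead of whole files lets
# an excerpt pasted into another document still match.

WINDOW = 8  # words per shingle (constructed tuning parameter)

def normalize(text):
    """Lower-case alphanumeric tokens, so formatting changes don't break matching."""
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text):
    """Set of SHA-256 hashes over every WINDOW-word shingle of the text."""
    words = normalize(text)
    if len(words) < WINDOW:
        return set()
    return {
        hashlib.sha256(" ".join(words[i:i + WINDOW]).encode()).hexdigest()
        for i in range(len(words) - WINDOW + 1)
    }

def register_share(share):
    """Steps 1-2: `share` is {path: text} as the server task would read it from the
    file server. The returned {path: fingerprint set} is the 'signature' deployed to clients."""
    return {path: fingerprint(text) for path, text in share.items()}

def discovery_scan(local_files, registry, excluded_prefixes=(), threshold=0.3, action="report"):
    """Step 4: compare local files with the registry and return findings for files whose
    shingles overlap a registered document by at least `threshold`. `action` is whatever
    the policy prescribes for a hit (report, encrypt, quarantine, delete)."""
    findings = []
    for path, text in local_files.items():
        if any(path.lower().startswith(p.lower()) for p in excluded_prefixes):
            continue  # folder configured not to be scanned locally
        local_fp = fingerprint(text)
        if not local_fp:
            continue
        for reg_path, reg_fp in registry.items():
            overlap = len(local_fp & reg_fp) / len(local_fp)
            if overlap >= threshold:
                findings.append({"file": path, "matches": reg_path,
                                 "score": round(overlap, 2), "action": action})
    return findings

# Constructed sample data
DESIGN_DOC = ("Project Falcon gearbox housing revision two uses a magnesium alloy casting "
              "with a wall thickness of three point five millimetres and a torque rating of "
              "four hundred newton metres validated by the Basel test bench in October")

SHARE = {r"\\fileserver01\sensitive_files\design_v2.txt": DESIGN_DOC}

LOCAL_FILES = {
    # an excerpt of the registered document pasted into a note
    r"C:\Users\alice\Desktop\notes.txt":
        "reminder: wall thickness of three point five millimetres and a torque rating of four hundred newton metres",
    # unrelated text sharing some words but no complete 8-word shingle
    r"C:\Users\alice\Desktop\lunch.txt":
        "the canteen menu for october lists four hundred grams of pasta with a magnesium supplement",
    # a full copy sitting in a folder excluded from local scanning
    r"C:\Temp\build\design_v2.txt": DESIGN_DOC,
}

if __name__ == "__main__":
    registry = register_share(SHARE)
    for hit in discovery_scan(LOCAL_FILES, registry, excluded_prefixes=(r"C:\Temp\build",)):
        print(hit)
```

Only the fingerprint set leaves the server, never the document text, which is why this can be pushed to every client like a scan signature; the threshold is the knob to tune during the classification phase, since a low value catches short excerpts but also boilerplate shared between unrelated files.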
McAfee Host Data Loss Prevention: Protection Rules
- Application File Access Protection
- Clipboard Protection
- E-Mail Protection
- Web Post Protection
- File System Protection
- Network Communication Protection
- Printing Protection
- Removable Storage Protection
- Screen Capture Protection
McAfee Host Data Loss Prevention: Management
- Central management from ePO
- Enable only required handlers on the clients
- Challenge response code generation
- Policy Analyzer
- Configure your own reports
- View evidence and hit highlighting
- Policy-based evidence path configuration
- Machine- and user-based policy assignment
Thank you! Any questions?

rolf@mcafee.com
