Mitigate the Risks of Data Leakage
Confidential - Copyright © 2006 Fidelis Security Systems, Inc. All Rights Reserved

What is Data Leakage and How Do I Stop It?

What is data leakage / loss?
- When protected or sensitive information inadvertently or intentionally crosses an organizational boundary in a manner inconsistent with information sharing policies

How is this different from previous security technologies (e.g. intrusion detection, firewalls)?
- It is about the information itself
- Sender, recipient and channel/service are relevant, but incomplete on their own

Solutions go by many names:
- Data Leakage Prevention
- Extrusion Prevention
- Exfiltration Prevention
- Data Leakage Protection
- Data Loss Prevention
- Data Loss Protection
- Content Monitoring & Filtering
- Anti-data Leakage
- Information Leakage Prevention
- Information Leakage Protection
- Information Loss Prevention
- Information Loss Protection

2008: The Year of DLP
- Seeing significant budgeted projects for DLP for the first time

Data Security is a Paradigm Shift

"The Year of DLP" marks the beginning of a secular trend: Data Security
- 1970s: Access Control
- 1980s: System Security
- 1990s: Network Security
- 2000s: Threat Mitigation
- Data Security, and beyond

Extrusion Prevention: Addressing Federal Problems

Organizational Objectives

Insider Internet Management
- Control channels of communication to mitigate the risk of data leakage
- Prevent proxy circumvention
- Prevent use of unapproved network applications
- Manage IM, Webmail & P2P, including attachments and file types

Digital Asset Protection
- Protect intellectual property, including:
  - Classified information
  - Source code
  - Design documents
  - Other digital assets requiring protection under FISMA

Privacy Compliance
- Protect employee, student, patient, taxpayer, and other identity information
- Manage compliance with privacy regulations including the Privacy Act of 1974, HIPAA, OMB directives, PCI, and other privacy regulations

Key Market Driver: Preventing Leakage of Identity Information

"The Agriculture Department announced Friday it has publicly exposed the personal information of up to 63,000 citizens."

Impact of Information Leakage on Federal Organizations
- Security: potential National Security implications
- Legal: regulatory non-compliance
- Political damage: loss of trust, negative career implications
- Operational: Congressional oversight, investigation, remediation
- Financial: cost of notifications & monitoring

Extrusion Prevention for Federal Markets: Organizational Risks

Threat + Vulnerability = Risk

Actors (threat):
- Hacker
- Malicious insider
- Uneducated user

Vulnerability:
- Unmonitored and uncontrolled outbound communications on 65,535 ports

Protected information:
- Personal Identity Information (PII)
- Classified National Security Information
- Digital assets requiring confidentiality

Risk:
- Unauthorized disclosure of Personal Identity Information (PII)
- Compromised confidentiality of protected information
- Compromised national security

Extrusion Prevention for Federal Markets: Market Drivers

Key Market Drivers
1. Preventing network leakage of Personal Identity Information
2. Preventing network leakage of national security and FISMA-protected information
3. Defending computer networks from rogue applications to prevent the risk of data leakage

Use Cases
- Lists of PII
- National security information
- OPSEC
- Assets requiring confidentiality (FIPS 199 / NIST)
- Control rogue applications including IM, P2P, Webmail and rogue encryption

Requirements
- Accurately identify PII
- Accurately identify protected digital assets
- Zero data registration
- Prevention on all 65,535 ports on the network
- Gigabit speed
- Port-independent application monitoring with tunnel recognition
- Common Criteria Evaluation (supporting requirement)

Only solution to meet these requirements: Fidelis XPS

Methods for Identifying Information for Data Leakage Prevention

Goals of Content Analysis Algorithms
- Analyze all network traffic
  - At network speed
  - All ports and protocols
- Detect and prevent leakage
  - Zero false negatives
  - Zero false positives
- Performance is critical

Finding the right balance: analysis of identification methods must consider
- Performance
- Probability of false results

Further Considerations
- Deployment effort
  - Are supporting processes required?
  - Installation time
  - Time to ROI
  - Maintenance requirements
- Scalability
  - Does the solution scale to hundreds or thousands of documents?
  - Does the solution apply to undocumented data?
- False positives vs. false negatives
  - False positive: false detection of a violation
  - False negative: false non-detection of a violation
- Total cost of ownership

Key Methods for Identity Identification

Registration (enrollment)
- Exact Matching
- Partial Document Recognition
- Rule sets that match to information provided to the system
- Uses exact matching algorithms (e.g., hashing) to identify documents
- "Find the transfer of specified (registered) documents"

Description (profiling)
- Keyword or Expression Matching
- "Smart Identity Profiling"
- Rule sets that profile information of a certain type
- Uses statistical, pattern and/or key attributes to describe potential information
- "Find the transfer of data that matches specified patterns"

Exact Matching

[Slide diagram: Database record or document -> Extract -> Hash or checksum -> Database of enrolled fingerprints]

- Can only detect an exact match: any data modification eludes detection
- Very high rate of false negatives
- Zero false positives (well, maybe not)
- Very fast on a small database of enrolled files; performance degrades linearly as the database grows
- The only method that can attempt to claim zero false positives (though it doesn't work that way in the real world)
- False negatives are a major problem

Partial Document Matching: Slow, High False Negatives

[Slide diagram, two pipelines]
Fingerprint creation: Database record or document -> Extract -> Algorithmic conversion (one-way mathematical representation) -> Fingerprint storage & indexing (represent data in stored chunks, shown as hash values such as 0xB6751, 0xB61C1, 0x37CB2, 0x5BD41, 0x190C1, 0x590A9, 0xA0001)
Real-time fingerprint comparison: Outbound content -> Extract -> Algorithmic conversion (one-way mathematical representation) -> Detect: does the content contain a registered chunk?
Caption on the outbound side: "Fingerprint: But what if you don't?"

Partial Document Matching: High False Positives Too

[Same fingerprint creation pipeline as the previous slide: Database record or document -> Extract -> Algorithmic conversion (one-way mathematical representation) -> Fingerprint storage & indexing]

Size of the chunk has consequences:
- Too small: high false positive problem
- Too big: high false negative problem
- The ideal choice differs per file
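The three registration methods on the preceding slides (whole-document hashing, chunk fingerprinting, and the chunk-size trade-off), as an added example. This is not code from the original deck and does not reproduce any Fidelis product algorithm; it assumes one plausible scheme (SHA-256 over sliding windows of consecutive words) and the registered document and outbound messages are constructed for the demonstration.

```python
import hashlib

# Constructed sample data (not from the original deck): one registered document,
# a message that quotes part of it, and an unrelated message that happens to
# share a common three-word phrase with it.
REGISTERED_DOC = (
    "Project Falcon design memo. The authentication service signs tokens with "
    "an HSM-backed RSA key; tokens expire after 15 minutes and are bound to "
    "the client certificate thumbprint. Rollout is scheduled for Q3."
)
LEAKED_EXCERPT = ("FYI - the interesting bit: tokens expire after 15 minutes and "
                  "are bound to the client certificate thumbprint. Thoughts?")
UNRELATED_MSG = "Can you send me the client certificate for the staging server?"


def exact_fingerprint(data: bytes) -> str:
    """Exact matching: one hash over the whole document as enrolled."""
    return hashlib.sha256(data).hexdigest()


def exact_match(outbound: bytes, enrolled: set[str]) -> bool:
    """True only if the outbound bytes are identical to an enrolled document."""
    return exact_fingerprint(outbound) in enrolled


def normalize(text: str) -> str:
    # Case-fold and collapse whitespace so reformatting alone does not defeat chunk matching.
    return " ".join(text.lower().split())


def chunk_fingerprints(text: str, chunk_words: int) -> set[str]:
    """Partial document recognition (assumed scheme): hash every window of
    `chunk_words` consecutive words, sliding one word at a time, so that a
    copied fragment still yields fingerprints present in the enrolled set."""
    words = normalize(text).split()
    if len(words) < chunk_words:             # shorter than one chunk: hash it whole
        return {hashlib.sha256(" ".join(words).encode()).hexdigest()}
    return {
        hashlib.sha256(" ".join(words[i:i + chunk_words]).encode()).hexdigest()
        for i in range(len(words) - chunk_words + 1)
    }


def partial_match(outbound: str, enrolled: set[str], chunk_words: int) -> int:
    """Number of outbound chunks found in the enrolled fingerprint database."""
    return len(chunk_fingerprints(outbound, chunk_words) & enrolled)


def chunk_size_sweep(sizes=(3, 8, 16)) -> dict[int, tuple[int, int]]:
    """For each chunk size: (hits on the real excerpt, hits on the unrelated message).
    Small chunks over-match common phrases (false positives); large chunks miss
    the quoted excerpt entirely (false negatives)."""
    result = {}
    for n in sizes:
        db = chunk_fingerprints(REGISTERED_DOC, n)
        result[n] = (partial_match(LEAKED_EXCERPT, db, n),
                     partial_match(UNRELATED_MSG, db, n))
    return result


if __name__ == "__main__":
    enrolled = {exact_fingerprint(REGISTERED_DOC.encode())}
    print("exact, verbatim copy  :", exact_match(REGISTERED_DOC.encode(), enrolled))
    print("exact, one word edited:", exact_match(REGISTERED_DOC.replace("Q3", "Q4").encode(), enrolled))
    for n, (true_hits, false_hits) in chunk_size_sweep().items():
        print(f"chunk={n:2d} words: excerpt hits={true_hits}, unrelated hits={false_hits}")
```

Run as a script: the verbatim copy is caught by the exact hash and the one-word edit is not; with 3-word chunks the unrelated message triggers on "the client certificate", with 8-word chunks the quoted excerpt is caught cleanly, and with 16-word chunks the 13-word quotation falls below the chunk size and is missed. The enrolled set for a 32-word document is already 25 hashes at 8-word chunks, which is the storage growth the Scalability slide refers to.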

Simple Profiling: High False Positives

Simple profiling based on regular expressions
- Expressions entered by the system administrator
- No data registration involved

Identity information consists of:
- Numbers
- Names

Internet traffic contains many numbers and names
- Unverified numbers = high false positives
- Names out of context = high false positives
- Zero false negatives
- Database size is small; performance is excellent

A smarter approach is needed to reduce false positives while maintaining zero false negatives

Smart Identity Profiling™: algorithmic filtering minimizes false positives…

Granularity of Profile is Important

Further reduction of false positives achieved by:
- Statistical analysis of data
- Combination of other profiling techniques:
  - Keywords, regular expressions
  - Identification of corporate logos, document formats

Who, What, Where, When, and How: it's not just about What (i.e. content)!

Example:
- Block all PII data except that transferred from HR to the Medical Provider over the approved FTP site, Mon-Fri, 8am-5pm
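The contrast between regex-only Simple Profiling, algorithmic filtering of the kind Smart Identity Profiling describes, and the who/what/where/when/how policy example above, as one added example. It is not code from the deck and does not reproduce Fidelis' Smart Identity Profiling; the validation step assumed here is the Luhn check for card numbers and the SSA issuance rules for SSNs, and the sender groups, the destination host ftp.medprovider.example and the message texts are all constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# --- Simple profiling: regular expressions entered by an administrator -------
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators


def simple_profile(text: str) -> list[str]:
    """Pattern-only detection: anything shaped like an SSN or card number is a hit."""
    return ([m.group(0) for m in SSN_RE.finditer(text)]
            + [m.group(0) for m in CARD_RE.finditer(text)])


# --- Smart profiling: pass the pattern hits through structural validation ----
def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    # SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def smart_profile(text: str) -> list[tuple[str, str]]:
    """Same patterns as simple_profile, but a hit must also be a number that could exist."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append(("card", m.group(0)))
    return findings


# --- Granular policy: who, what, where, when and how ------------------------
@dataclass(frozen=True)
class Transfer:
    sender_group: str      # who
    destination: str       # where
    channel: str           # how
    when: datetime         # when
    content: str           # what


APPROVED_FTP = "ftp.medprovider.example"   # hypothetical approved medical-provider FTP site


def hr_medical_exception(t: Transfer) -> bool:
    """The slide's example exception: PII may flow from HR to the medical provider
    over the approved FTP site, Monday to Friday, 08:00-17:00."""
    return (t.sender_group == "HR" and t.destination == APPROVED_FTP
            and t.channel == "ftp" and t.when.weekday() < 5 and 8 <= t.when.hour < 17)


def decide(t: Transfer) -> str:
    if not smart_profile(t.content):
        return "allow"          # no validated PII in the content
    return "allow" if hr_medical_exception(t) else "block"


SAMPLE_TRANSFERS = [   # constructed; 2024-03-05 is a Tuesday, 2024-03-09 a Saturday
    Transfer("HR", APPROVED_FTP, "ftp", datetime(2024, 3, 5, 10, 0),
             "Patient SSN 238-61-4570 on file"),
    Transfer("HR", APPROVED_FTP, "ftp", datetime(2024, 3, 9, 10, 0),
             "Patient SSN 238-61-4570 on file"),
    Transfer("Engineering", "mail.example.net", "webmail", datetime(2024, 3, 5, 10, 0),
             "Invoice paid with card 4111 1111 1111 1111"),
    Transfer("Engineering", "mail.example.net", "webmail", datetime(2024, 3, 5, 10, 0),
             "Ticket 000-12-3456 escalated; device serial 1234567812345678"),
]


def triage() -> list[str]:
    """Policy decision for each sample transfer, in order."""
    return [decide(t) for t in SAMPLE_TRANSFERS]


if __name__ == "__main__":
    for t, verdict in zip(SAMPLE_TRANSFERS, triage()):
        print(f"{verdict:5} {t.sender_group:12} {t.channel:8} "
              f"regex={simple_profile(t.content)} validated={smart_profile(t.content)}")
```

The fourth sample is the point of the Simple Profiling slide: the bare regexes flag both the ticket number and the device serial, while the validated profile flags neither, because area 000 is never issued and the serial fails Luhn. The first two samples are identical content and differ only in the "when" attribute, which is what the granular policy acts on.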

Deployment Considerations

[Slide chart: time on the horizontal axis, comparing Fingerprinting with Profiling]
- Fingerprinting asks: "Have I seen this before?"
- Profiling asks: "Is this sensitive?"
- How often do I update my documents?

TCO Comparison

Smart Profiling (time and effort: hours)
1. Deploy sensor to network
2. Enable pre-built policies
3. Configure policy
4. Deploy

Exact Matching (time and effort: months)
1. Deploy sensor to network
2. Enable pre-built policies
3. Plan integration project
4. Obtain integration solution
5. Deploy integration resources
6. Initial data registration
7. Deploy
8. Design process to keep registration current
9. Resource re-registration process
10. Add registration with all new IT systems

Customization requirements shown in red italics (on the original slide)

Scalability Considerations

Data Registration
- Database of enrolled fingerprints
- Database size for a non-trivial implementation = GB to TB
- Requires expensive disk storage
- Comparing network traffic to a large disk array equals slow performance
- Prevention cannot be considered, except in trivial instances

Smart Identity Profiling
- Profile description is very small
- Can be stored in RAM
- Comparing network traffic to RAM equals lookup in real time
- Prevention is a user decision, not a technical barrier

Summary of Approaches

Registration (enrollment)
- Zero false positives
- Technology improvements try to reduce false negatives: Partial Document Recognition
- Requires data registration: high TCO, external processes needed, low scalability, performance problems

Description (profiling)
- Zero false negatives
- Technology improvements and tuning reduce false positives: Smart Identity Profiling
- Requires granular policies: low TCO, minor administrator effort, high scalability, high performance

Which Method?

[Slide chart: axes "Predictability of Information" and "Access to Information"; regions labelled Profiling, Registration and FAIL; plotted data types: CEO memo, Personal Identity Information, Source Code, Classified Data, Design Docs]

Questions?

David Etue, VP Product Management (301)
Robert Deitz, Government Technology Solutions / Exclusive GSA/ICPT contract holder for Fidelis Security