Research

Managing DLP tends to not be overly time consuming unless you are running off badly defined policies. Most of your time in the system is spent on incident handling, followed by policy management. To give you some numbers, the average organization can expect to need about the equivalent of one full time person for every 10,000 monitored employees. This is really just a rough starting point – we’ve seen ratios as low as 1/25,000 and as high as 1/1000 depending on the nature and number of policies. Managing Incidents After deployment of the product and your initial policy set you will likely need fewer people to manage incidents. Even as you add policies you might not need additional people since just having a DLP tool and managing incidents improves user education and reduces the number of incidents. Here is a typical process: Manage incident handling queue The incident handling queue is the user interface for managing incidents. This is where the incident handlers start their day, and it should have some key features: Ability to customize the incident for the individual handler. Some are more technical and want to see detailed IP addresses or machine names, while others focus on users and policies. Incidents should be pre-filtered based on the handler. In a larger organization this allows you to automatically assign incidents based on the type of policy, business unit involved, and so on. The handler should be able to sort and filter at will; especially to sort based on the type of policy or the severity of the incident (usually the number of violations – e.g. a million account numbers in a file versus 5 numbers). Support for one-click dispositions to close, assign, or escalate incidents right from the queue as opposed to having to open them individually. Most organizations tend to distribute incident handling among a group of people as only part of their job. Incidents will be either automatically or manually routed around depending on the policy and the severity. Practically speaking, unless you are a large enterprise this cloud be a part-time responsibility for a single person, with some additional people in other departments like legal and human resources able to access the system or reports as needed for bigger incidents. Initial investigation Some incidents might be handled right from the initial incident queue; especially ones where a blocking action was triggered. But due to the nature of dealing with sensitive information there are plenty of alerts that will require at least a little initial investigation. Most DLP tools provide all the initial information you need when you drill down on a single incident. This may even include the email or file involved with the policy violations highlighted in the text. The job of the handler is to determine if this is a real incident, the severity, and how to handle. Useful information at this point is a history of other violations by that user and other violations of that policy. This helps you determine if there is a bigger issue/trend. Technical details will help you reconstruct more of what actually happened, and all of this should be available on a single screen to reduce the amount of effort needed to find the information you need. If the handler works for the security team, he or she can also dig into other data sources if needed, such as a SIEM or firewall logs. This isn’t something you should have to do often. Initial disposition Based on the initial investigation the handler closes the incident, assigns it to someone else, escalates to a higher authority, or marks it for a deeper investigation. Escalation and Case Management Anyone who deploys DLP will eventually find incidents that require a deeper investigation and escalation. And by “eventually” we mean “within hours” for some of you. DLP, by it’s nature, will find problems that require investigating your own employees. That’s why we emphasize having a good incident handling process from the start since these cases might lead to someone being fired. When you escalate, consider involving legal and human resources. Many DLP tools include case management features so you can upload supporting documentation and produce needed reports, plus track your investigative activities. Close The last (incredibly obvious) step is to close the incident. You’ll need to determine a retention policy and if your DLP tool doesn’t support retention needs you can always output a report with all the salient incident details. As with a lot of what we’ve discusses you’ll probably handle most incidents within minutes (or less) in the DLP tool, but we’ve detailed a common process for those times you need to dig in deeper. Archive Most DLP systems keep old incidents in the database, which will obviously fill it up over time. Periodically archiving old incidents (such as anything 1 year or older) is a good practice, especially since you might need to restore the records as part of a future investigation. Managing Policies Anytime you look at adding a significant new policy you should follow the Full Deployment process we described above, but there are still a lot of day to day policy maintenance activities. These tend not to take up a lot of time, but if you skip them for too long you might find your policy set getting stale and either not offering enough security, or causing other issues due to being out of date. Policy distribution If you manage multiple DLP components or regions you will need to ensure policies are properly distributed and tuned for the destination environment. If you distribute policies across national boundaries this is especially important since there might be legal considerations that mandate adjusting the policy. This includes any changes to policies. For example, if you adjust a US-centric policy that’s been adapted to other regions, you’ll then need to update those regional policies to maintain consistency. If you manage remote offices with their own network connections you want to make sure policy updates pushed out properly and are

We’ve renamed this section from “Virtualization and Cloud Security” to simply “Cloud Security” since if you listen to any of the marketing messages, you can’t tell the difference, even though it’s a big one. And virtualization is a hassle to type, so buh bye! Overall, as we mentioned in the key themes post, cloud security will be one of the biggest trends to watch during the conference and it also happens to be one area where you should focus since there is some real innovation, and you probably have real problems that need some help. New Kids on the Cloud Security Block (NKOTCSB) Hiding in the corners will be some smaller vendors you need to pay attention to. Instead of building off existing security tools designed for traditional infrastructure (we’re looking at you Big Security), they’ve created new products built from the ground up specifically for the cloud. Each of them focuses on a different cloud computing problem that’s hard to manage using existing tools – identity management (federated identity gateways), instance security, encryption, and administrative access. Many of these have a SaaS component, but if you corner them in a back room and have enough cash they’ll usually sell you a stand-alone server you can manage yourself. NKOTCSB FTW. Cloudwashing vs. the Extreme Cloud Makeover If you haven’t heard the term before, “cloudwashing” refers to making a virtual appliance of a product ready to run on Amazon Web Services, VMWare, or some other cloud platform without really changing much in the product. This is especially amusing when it comes from vendors who spent years touting their special hardware secret sauce for their physical appliance. Consider these transitional products, typically better suited for private cloud IaaS. It might help, but in the long run you really need to focus on cloud-specific security controls. But some vendors are pushing deeper and truly adapting for cloud computing. It might be better use of cloud APIs, redesigning software to use a cloud architectural model, or extending an existing product to address a cloud-specific security issue that’s otherwise not covered. The best way to sniff the cloudwashing shampoo is to see if there are any differences between the traditional product and the virtual appliance version. Then ask, “do you use the //cloud platform// APIs or offer any new APIs in the product?” and see if their faces melt. Virtual Private Data We also cover this one in the data security post so we won’t go into much more detail here, but suffice it to say data security is pretty high on the list of things people moving to the cloud need to look at. Most encryption vendors are starting to support cloud computing with agents that run on cloud platforms as an extension of their to their existing management systems (thus requiring a hybrid model), but a couple are more cloud-specific and can deploy stand-alone in public cloud. CloudOps Most of the practical cloud-specific security, especially for Infrastructure as a Service comes from the (relatively) new group of cloud management vendors. Some might be at RSA, but not all of them since they sell to data center operations teams, not CISOs. Why? Well, it just might be the big wads of cash that Ops teams have in comparison. Keep an eye on these folks because aside from helping with configuration management automation, some are adding additional features like CloudAudit support, data protection/encryption, and network security (implemented on a virtualized host). While the NKOTCSB are totally focused on security innovation, the management and operations platforms concentrate on cloud operational innovation, which obviously has a big security component. We’ll be posting the assembled guide within the next day or so, so you’ll have it in plenty of time for your pilgrimage to San Francisco. Share:

It’s here. No, not the new iPad. Not those test results. And most definitely not that other thing you were thinking about. We’re talking about RSA. And for the majority of you who don’t run to the Moscone Center every February or March, you may not care. But love it or hate it, the RSA Conference is the main event for our industry, and a whole lot of things get tied up with it that have nothing to do with sessions and panels. Our friends Josh Corman and Andrew Hay have written up their survival guides, and after this preamble I’m going to link you to our 2012 Securosis Guide to RSA with an insane amount of information in it, much of which has more to do with what you will see in our industry over the next 12 months than with the conference itself. The RSA Conference is the World Series of Security Insider Baseball. The truth is most of you don’t need to care about any of that stuff. Sure, a lot of people will be on Twitter talking about parties and the hallway track, but that’s all a bunch of crap. They’re fun, and I enjoy seeing my friends, but none of it really matters if you are trying to keep the bad guys out. So here’s my advice for RSA 2012 – whether you attend or not: If you don’t go to RSA there are still important things you can pick up. A lot of the better presentations end up online and many vendors release major updates of products you might have… or at least announce their strategies. Even the marketing fluff can be useful, by giving you an idea of what’s coming over the next year (or two – shipping dates always slip). The hallway track is for social butterflies and business development – not security professionals. Not all sessions are of the same quality, but there is plenty of good content, and you are better served checking out product demos or finding some of the better presentations. Skip most of the panels. If it starts with bios that last more than a few lines, walk out. If any panelist tries to show their own slides rather than the preset decks RSA requires, walk faster. Not all vendor presentations suck, but many of them do. Given a choice, try to find end users talking about something they’ve done in the real world. If a presentation description starts with “we will examine the risks of…” skip it. You don’t need more FUD. Most presentations on policies and governance also suck. But as a techie I’m biased. Ignore the party scene. Yes, the parties can be fun and I enjoy hanging out with my friends, but that’s because I have a lot of people I consider real friends who are scattered across the world and work for different companies. If you aren’t tied into that social group, or roaming with a pack of friends, you are drinking alone in a room full of strangers. It wouldn’t bother me one bit if most of the parties stopped and I could have a few quiet dinners with people I enjoy chatting with. Use the expo floor. You will never have an opportunity to see so many product demos. Never sit in one of the mini-auditoriums with a hired actor giving a pitch – seek out the engineers hovering by the demo stations. You can learn a hell of a lot very quickly there. Get rid of the sales guy by asking a very technical question, and he or she will usually find the person you can dig in with. Never let anyone scan your badge unless you want the sales call – which you may. You are there to work. I’m there to work. Even at the social events I tend to moderate so I can function well the next day. I won’t say I’m perfect, but I can’t afford to sleep in past 6:30 or 7am or take a break during the day. Go to sessions. Talk to vendors. Have meetings. You’re there for that, nothing else. The rest is what Defcon is for 🙂 It’s really easy to be turned off by a combination of all the insider garbage you see on blogs like ours and the insanity of car giveaways on the show floor. But peel the superficial layers off and you have a show floor full of engineers, sessions full of security pros working every day to keep the bad guys out, and maybe even a self-described expert spouting random advice and buying you a free breakfast… or three. -Rich On to the Summary: Where to see us at the RSA Conference We keep busy schedules at RSA each year. But the good news is that we do a number of speaking sessions and make other appearances throughout the week. Here is where you can find us: Speaking Sessions DAS-108: Big Data and Security: Rich (Tuesday, Feb 28, 12:30pm) EXP-304: Grilling Cloudicorns: Rich (Thursday, March 1, 12:45pm) Flash Talks Powered by PechaKucha Mike will be presenting “A Day in the Life of a CISO, as told by Shakespeare” (Thursday, March 1, 5:30pm) Other Events e10+: Rich, Mike, and Adrian are the hosts and facilitators of the RSA Conference’s e10+ program, targeting CISO types. That’s Monday (Feb 27) from 8:30am until noon. America’s Growth Capital Conference: Mike will be moderating a panel at the AGC Conference on cloud management and security with folks from Afore Solutions, CipherCloud, Dome9, HyTrust, and Verizon. The session is Monday afternoon, Feb 27 at 2:15pm. And the 2012 Disaster Recovery Breakfast. Don’t forget to download the entire Securosis Guide to the RSA Conference 2012. Webcasts, Podcasts, Outside Writing, and Conferences The RSA Network Security Podcast. Other Securosis Posts Implementing DLP: Ongoing Management. Implementing DLP: Deploy. Implementing DLP: Deploying Storage and Endpoint. RSA Conference 2012 Guide: Cloud Security. RSA Conference 2012 Guide: Data Security. RSA Conference 2012 Guide: Security Management and Compliance. RSA Conference 2012 Guide: Email & Web Security. RSA Conference Guide 2012:

Managing DLP tends to not be overly time consuming unless you are running off badly defined policies. Most of your time in the system is spent on incident handling, followed by policy management. To give you some numbers, the average organization can expect to need about the equivalent of one full time person for every 10,000 monitored employees. This is really just a rough starting point – we’ve seen ratios as low as 1/25,000 and as high as 1/1000 depending on the nature and number of policies. Managing Incidents After deployment of the product and your initial policy set you will likely need fewer people to manage incidents. Even as you add policies you might not need additional people since just having a DLP tool and managing incidents improves user education and reduces the number of incidents. Here is a typical process: Manage incident handling queue The incident handling queue is the user interface for managing incidents. This is where the incident handlers start their day, and it should have some key features: Ability to customize the incident for the individual handler. Some are more technical and want to see detailed IP addresses or machine names, while others focus on users and policies. Incidents should be pre-filtered based on the handler. In a larger organization this allows you to automatically assign incidents based on the type of policy, business unit involved, and so on. The handler should be able to sort and filter at will; especially to sort based on the type of policy or the severity of the incident (usually the number of violations – e.g. a million account numbers in a file versus 5 numbers). Support for one-click dispositions to close, assign, or escalate incidents right from the queue as opposed to having to open them individually. Most organizations tend to distribute incident handling among a group of people as only part of their job. Incidents will be either automatically or manually routed around depending on the policy and the severity. Practically speaking, unless you are a large enterprise this cloud be a part-time responsibility for a single person, with some additional people in other departments like legal and human resources able to access the system or reports as needed for bigger incidents. Initial investigation Some incidents might be handled right from the initial incident queue; especially ones where a blocking action was triggered. But due to the nature of dealing with sensitive information there are plenty of alerts that will require at least a little initial investigation. Most DLP tools provide all the initial information you need when you drill down on a single incident. This may even include the email or file involved with the policy violations highlighted in the text. The job of the handler is to determine if this is a real incident, the severity, and how to handle. Useful information at this point is a history of other violations by that user and other violations of that policy. This helps you determine if there is a bigger issue/trend. Technical details will help you reconstruct more of what actually happened, and all of this should be available on a single screen to reduce the amount of effort needed to find the information you need. If the handler works for the security team, he or she can also dig into other data sources if needed, such as a SIEM or firewall logs. This isn’t something you should have to do often. Initial disposition Based on the initial investigation the handler closes the incident, assigns it to someone else, escalates to a higher authority, or marks it for a deeper investigation. Escalation and Case Management Anyone who deploys DLP will eventually find incidents that require a deeper investigation and escalation. And by “eventually” we mean “within hours” for some of you. DLP, by it’s nature, will find problems that require investigating your own employees. That’s why we emphasize having a good incident handling process from the start since these cases might lead to someone being fired. When you escalate, consider involving legal and human resources. Many DLP tools include case management features so you can upload supporting documentation and produce needed reports, plus track your investigative activities. Close The last (incredibly obvious) step is to close the incident. You’ll need to determine a retention policy and if your DLP tool doesn’t support retention needs you can always output a report with all the salient incident details. As with a lot of what we’ve discusses you’ll probably handle most incidents within minutes (or less) in the DLP tool, but we’ve detailed a common process for those times you need to dig in deeper. Archive Most DLP systems keep old incidents in the database, which will obviously fill it up over time. Periodically archiving old incidents (such as anything 1 year or older) is a good practice, especially since you might need to restore the records as part of a future investigation. Managing Policies Anytime you look at adding a significant new policy you should follow the Full Deployment process we described above, but there are still a lot of day to day policy maintenance activities. These tend not to take up a lot of time, but if you skip them for too long you might find your policy set getting stale and either not offering enough security, or causing other issues due to being out of date. Policy distribution If you manage multiple DLP components or regions you will need to ensure policies are properly distributed and tuned for the destination environment. If you distribute policies across national boundaries this is especially important since there might be legal considerations that mandate adjusting the policy. This includes any changes to policies. For example, if you adjust a US-centric policy that’s been adapted to other regions, you’ll then need to update those regional policies to maintain consistency. If you manage remote offices with their own network connections you want to make sure policy updates pushed out properly and are