
Overview

Stefano Artioli
Forcepoint Offers A Broad Set of Converged Capabilities

© 2019 Forcepoint | 2
Data Protection Point of View
Data Discovery & Classification

dule

Deep Forensics
Unified Endpoint API Integration
Insider Threat Inline Cloud Proxy
Cloud Apps Infrastructure
Data in motion, in use, at rest

The Current Mission for Data Security

Protect important data wherever it resides without
card data and the DLP

Is this employee a risk?

Better Understanding of Intent

What if your employee…
• tries to print a customer’s credit card data? DLP blocks it, but then he…
• tries to send it to a personal email address. DLP blocks it, but then he…
• tries to upload it to Dropbox. DLP blocks it, but then he…
• tries to FTP it outside the organization. DLP blocks it, but then he…
• tries to copy the data to USB. DLP blocks it, but then he…
• tries to upload it to Google Drive. DLP allows it, prompting the user, but then he…

Is this employee a risk? How would you know without connecting the dots?
Protection Works

Risk-adaptive protection

Risk levels are driven up and down based

Introducing Dynamic Data Protection (DDP)
Delivering Risk-Adaptive Protection

Automatically

activity

DDP – What Do We Analyze? F1E Feeds
• Endpoint Incidents
  • Endpoint Web (HTTP/HTTPS)
  • Endpoint Email
  • Endpoint Removable Media
  • Endpoint Printing
  • Endpoint Applications
  • Endpoint LAN
• Endpoint Events
  • Web Activities (URL Visited)
  • Email (Sent and Received)
  • File Copy to Removable Media
  • Printing Operations

DDP – What Do We Analyze? DDP Analytical Models
• DLP Incidents Analytics
  • DDP Matches Sum – More DLP incident matches than usual, across all DLP incidents and policies.
  • DDP Incident Score – Higher incident risk score across all DLP incidents. We score different “features” of the DLP incident, such as the hour of the day, the day of the week, bytes, type of policy, number of matches, severity, etc. Unlike the previous model, this model looks for specific flavours of the incident rather than just “counting”.
• Event Analytics
  • DDP Flight Risk – Browsing and searching job-search related sites more than usual. This is precursor behaviour that often comes before exfiltration events.
  • DDP Bytes Sum – Sending out more raw bytes than usual, across all monitored channels. Highlights large sums of data leaving the network on any given day (which may or may not be DLP incidents!).
  • DDP Event Count – More exfiltration events than usual, across all monitored channels. Highlights smaller “low and slow” exfiltration incidents, instead of uploading large sums at once (which may or may not be DLP incidents!).
  • DDP Event Score – Higher average event risk score across all exfiltration events (which may or may not be DLP incidents!). We score different “features” of the events, such as the hour of the day, the day of the week, bytes, number of attachments, webmail uploads, storage web uploads, etc. Unlike the previous two models, this model looks for specific flavours of the event rather than just “counting”.

DDP - Better Understanding of Intent

Let’s try that again, but with Forcepoint’s Dynamic Data Protection…

• Tries to print a customer’s credit card data. DLP blocks it, but then…
• Tries to FTP it outside the organization. DLP blocks it.
• Tries to upload it to Google Drive. DLP blocks it, but then…
• Tries to send it to a personal email address. DLP blocks it, but then…

DLP Evolution (Next-gen DLP)

Compliance (DLP) → Security (DDP)
• Manual tuning → Automated tuning
• One-to-many policy → Individual user-based policy
• Good users are punished for the bad → Good users are able to do their job
• Heavy business-process exceptions and excessive whitelisting → Reduces business-process exceptions and maintains security as behavior is learned
• Reactive → “Realtime”

DDP - Moving Beyond Auditing Alerts (Path to Block!)

Problem: DLP implementers are concerned with being viewed as a strain on user productivity in the event their policies result in too many false positives.

The Security Requirements: Having the ability to forensically audit their alerts if important data leaks.

Result: Many large enterprises have deployed DLP in audit-only mode. The security team can mine alerts to identify data exfiltration, but they don’t actively block it.

DDP solves this!

DDP - Moving Beyond Auditing Alerts
Business as usual riskiest users

Result
• Large enterprises can still deploy DLP in audit-only mode for low risk levels.
• The security team can still mine alerts to identify data exfiltration.
• They can now leverage analytics to not only identify, but also block, their riskiest users.
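To make the “more than usual” models above and the risk-level-driven enforcement concrete, here is an added example that is not Forcepoint’s code and does not use any Forcepoint API or data format. It builds the per-user-day features behind the Bytes Sum, Event Count and Flight Risk models from a constructed endpoint event feed, scores each user’s current day against that user’s own prior days (a z-score with a floor on the deviation so a perfectly flat baseline does not divide by zero), maps the worst score onto a 1–5 risk level, and then applies the audit-for-low-risk / block-the-riskiest plan described in this section. The Event class, the job-search host watchlist, the level thresholds and the level-to-action mapping are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev

# Hypothetical watchlist of job-search hosts, standing in for whatever feed
# populates the "Flight Risk" model; the names are constructed for this example.
JOB_SEARCH_HOSTS = {"jobs.example", "careers.example"}

# Assumed thresholds: a user-day's worst z-score maps onto risk levels 1..5.
LEVEL_THRESHOLDS = [1.0, 2.0, 3.0, 4.0]

# Assumed enforcement plan: audit-only for low risk levels, prompt, then block
# only the riskiest level (the deck gives the idea, not these exact cut-offs).
ENFORCEMENT = {1: "audit", 2: "audit", 3: "audit", 4: "prompt", 5: "block"}


@dataclass(frozen=True)
class Event:
    user: str
    day: date
    channel: str          # "web", "email", "usb", "print"
    bytes_out: int
    url_host: str = ""    # only meaningful for channel == "web"


def daily_features(events):
    """Aggregate raw events into the three per-user-day features the models
    look at: bytes sent out, number of events, visits to job-search sites."""
    feats = defaultdict(lambda: {"bytes_sum": 0, "event_count": 0, "job_visits": 0})
    for e in events:
        f = feats[(e.user, e.day)]
        f["bytes_sum"] += e.bytes_out
        f["event_count"] += 1
        if e.channel == "web" and e.url_host in JOB_SEARCH_HOSTS:
            f["job_visits"] += 1
    return feats


def zscore(value, history):
    """Standard deviations above the user's own prior days. Fewer than two
    prior days means there is no baseline yet, so score 0; the floor on sigma
    keeps a perfectly flat baseline from dividing by zero."""
    if len(history) < 2:
        return 0.0
    sigma = max(pstdev(history), 1.0)
    return (value - mean(history)) / sigma


def score_user_day(user, day, feats):
    """Run each 'more than usual' model for one user on one day."""
    history = [f for (u, d), f in feats.items() if u == user and d < day]
    today = feats.get((user, day), {"bytes_sum": 0, "event_count": 0, "job_visits": 0})
    return {name: zscore(today[name], [h[name] for h in history])
            for name in ("bytes_sum", "event_count", "job_visits")}


def risk_level(scores):
    """The worst model score decides the level (assumed 1..5 scale)."""
    worst = max(scores.values())
    return 1 + sum(worst >= t for t in LEVEL_THRESHOLDS)


def evaluate(events, day):
    """Return {user: (risk_level, enforcement_action)} for the given day."""
    feats = daily_features(events)
    out = {}
    for u in sorted({u for (u, _) in feats}):
        level = risk_level(score_user_day(u, day, feats))
        out[u] = (level, ENFORCEMENT[level])
    return out


def sample_events():
    """Constructed data: five quiet days for alice and bob, then a sixth day on
    which alice starts job hunting and pushes out far more data than usual."""
    d0 = date(2019, 3, 1)
    evs = []
    for u in ("alice", "bob"):
        for i in range(5):
            d = d0 + timedelta(days=i)
            evs += [Event(u, d, "web", 500_000, "intranet.example"),
                    Event(u, d, "email", 300_000),
                    Event(u, d, "print", 200_000)]
    d6 = d0 + timedelta(days=5)
    evs += [Event("bob", d6, "web", 500_000, "intranet.example"),
            Event("bob", d6, "email", 300_000),
            Event("bob", d6, "print", 200_000)]
    evs += [Event("alice", d6, "web", 0, "jobs.example"),
            Event("alice", d6, "web", 0, "careers.example"),
            Event("alice", d6, "web", 0, "jobs.example"),
            Event("alice", d6, "web", 20_000_000, "storage.example"),
            Event("alice", d6, "usb", 5_000_000),
            Event("alice", d6, "email", 300_000),
            Event("alice", d6, "print", 200_000)]
    # carol appears for the first time: no baseline, so no anomaly can be claimed yet
    evs.append(Event("carol", d6, "usb", 50_000_000))
    return evs, d6


if __name__ == "__main__":
    evs, d6 = sample_events()
    for user, (level, action) in evaluate(evs, d6).items():
        print(f"{user}: risk level {level} -> {action}")
```

Two design points carry over to a real deployment: the baseline is per user, so bob’s steady 1 MB a day never becomes anomalous just because alice’s did, and a user with no history (carol) stays in audit mode rather than being blocked on a first sighting, which is exactly the case where a blind threshold would have produced the false positive the deck warns about.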

Benefits of Dynamic Data Protection

• Reduce the amount of DLP alerts that need to be triaged, as the analytics triage incidents on our behalf! Transition DLP from broad to individual policies.
• Provide greater flexibility in policies, and adapt enforcement based on calculated risk. Less need for whitelisting and exceptions!
• Detect and respond to high-impact events in a shorter amount of time. Data security teams can finally be proactive!

Real World Stats – Results On The Field
Like many DLP customers, this one had DLP deployed in “Audit Mode” only, not even with endpoint confirmation!

• Active since Feb 3, statistics taken on March 31
• 1000+ endpoints deployed
• 130 million events (incidents + monitored events)
• 800+ thousand DLP incidents
• 25 unique business units
• 93 unique departments
• 177 unique titles
• 11 Risk Level 4’s produced
• 1 Risk Level 5 produced
Improved Visibility and Reduction of Noise

DLP
• Total incidents (30 days): ~400,000
• Top 2 policies: ~65% of incidents
• Office files sent over time: ~170,000
• Large files: ~74,000
• Required lots of thresholds

DLP + DDP
• Total incidents (30 days): ~165,000
• Visibility into all file types
• Visibility into all file sizes
• Simplification of DLP policies

Real World Examples
Instructions for delivering a DDP Demo
The DDP demo can be delivered entirely through a video, or through the first portion of the video and a live environment on Go4Labs.

DDP Sharepoint Page:
https://forcepointcml.sharepoint.com/sites/SEDemoResources/SitePages/DDP-Demo-1.0.aspx

DDP Video:
https://forcepointcml.sharepoint.com/:v:/r/sites/SEDemoResources/Shared%20Documents/UEBA/DDP%20Demo%20Video%20.mp4?csf=1&e=lL3tng

DDP Live Demo Walkthrough Video:
https://forcepointcml.sharepoint.com/:v:/r/sites/SEDemoResources/Shared%20Documents/UEBA/DDP%20Live%20Demo%20Setup%20Walkthrough.mp4?csf=1&e=tYHppT

DDP Live Demo Instructions:
https://forcepointcml.sharepoint.com/:b:/s/SEDemoResources/EW8q6273zmBJlVUeU8es7UkBiaGMtMY31aGeJDGHKDCm9A?e=AtjFsP

DDP YouTube Demo:
https://www.youtube.com/watch?v=NjMjaV2rjpo
