Forcepoint - Dynamic Data Protection Overview
Stefano Artioli
Forcepoint Offers A Broad Set of Converged Capabilities
© 2019 Forcepoint | 2
Data Protection Point of View
• Data Discovery & Classification
• Deep Forensics
• Unified Endpoint
• API Integration
• Insider Threat
• Inline Cloud Proxy
• Cloud Apps
• Infrastructure
• Data in motion, in use, at rest
The Current Mission for Data Security
Better Understanding of Intent
What if your employee tries to print a customer's credit card data? DLP blocks it, but then he…
…tries to send it to a personal email address. DLP blocks it, but then he…
Risk-adaptive protection
Introducing Dynamic Data Protection (DDP)
Delivering Risk-Adaptive Protection
DDP – What Do We Analyze? F1E Feeds
• Endpoint Incidents
  • Endpoint Web (HTTP/HTTPS)
  • Endpoint Email
  • Endpoint Removable Media
  • Endpoint Printing
  • Endpoint Applications
  • Endpoint LAN
• Endpoint Events
  • Web Activities (URL Visited)
  • Email (Sent and Received)
  • File Copy to Removable Media
  • Printing Operations
DDP – What Do We Analyze? DDP Analytical Models
• DLP Incidents Analytics
  • DDP Matches Sum - More DLP incident matches than usual, across all DLP incidents and policies.
  • DDP Incident Score - Higher incident risk score across all DLP incidents. We score different "features" of the DLP incident, such as the hour of the day, the day of the week, bytes, type of policy, number of matches, severity, etc. Unlike the previous model, this model looks for specific flavours of the incident rather than just "counting".
• Event Analytics
  • DDP Flight Risk - Browsing and searching job-search related sites more than usual. Precursor behaviour that often comes before exfiltration events.
  • DDP Bytes Sum - Sending out more raw bytes than usual, across all monitored channels. Highlights large sums of data leaving the network on any given day (which may or may not be DLP incidents!).
  • DDP Event Count - More exfiltration events than usual, across all monitored channels. Highlights smaller "low and slow" exfiltration, spread over many small transfers instead of one large upload (which may or may not be DLP incidents!).
  • DDP Event Score - Higher average event risk score across all exfiltration events (which may or may not be DLP incidents!). We score different "features" of the events, such as the hour of the day, the day of the week, bytes, number of attachments, webmail uploads, storage web uploads, etc. Unlike the previous two models, this model looks for specific flavours of the event rather than just "counting".
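The three event-analytics models above all compare a user's activity on a given day against that user's own history, and differ only in what is compared: total bytes, number of events, or an average per-event feature score (the two incident models work the same way over DLP incidents instead of raw events). The script below is an added illustration written for this page, not Forcepoint's code: the model names are taken from the slides, but the feature weights, the 07:00-19:00 business window, the sigma floor, the 3-sigma threshold, the minimum baseline length and the sample events are all assumptions constructed here. It shows why the models are complementary: a "low and slow" user trips Event Count and Event Score while staying under the Bytes Sum baseline, and a bulk uploader trips only Bytes Sum.

```python
"""Per-user baseline anomaly scoring in the style of the DDP event-analytics
models listed above (Bytes Sum, Event Count, Event Score).

Added illustration for this page, not Forcepoint's code: the model names come
from the slides, but the feature weights, business-hours window, sigma floor,
3-sigma threshold and minimum baseline length are assumptions made here.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

BUSINESS_HOURS = (7, 19)          # assumed: events outside 07:00-19:00 count as off-hours
MODELS = ("bytes_sum", "event_count", "event_score")


def build_sample_events():
    """Constructed sample feed: (user, ISO timestamp, channel, bytes)."""
    events = []
    for day in range(1, 12):                          # 2019-03-01 .. 2019-03-11
        for user in ("alice", "bob"):
            for hour in (10, 11, 14):                 # routine: three daytime emails
                events.append((user, f"2019-03-{day:02d}T{hour:02d}:00:00",
                               "email", 200_000 + 20_000 * (day % 4)))
    for minute in range(40):                          # alice, day 11: 40 small files at night
        events.append(("alice", f"2019-03-11T23:{minute:02d}:00", "cloud_storage", 5_000))
    events.append(("bob", "2019-03-11T10:30:00", "web", 30_000_000))  # bob: one bulk upload
    return events


def event_score(ts_iso, channel, nbytes):
    """Score one event's features; weights are assumed, not Forcepoint's."""
    ts = datetime.fromisoformat(ts_iso)
    score = 0.0
    if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        score += 2.0                                  # off-hours activity
    if ts.weekday() >= 5:
        score += 1.0                                  # weekend
    if channel in ("webmail", "cloud_storage"):
        score += 1.0                                  # personal webmail / storage upload
    if nbytes >= 1_000_000:
        score += 1.0                                  # large transfer
    return score


def daily_aggregates(events):
    """Roll events up to (user, day) -> one value per model."""
    acc = defaultdict(lambda: {"bytes_sum": 0, "event_count": 0, "scores": []})
    for user, ts_iso, channel, nbytes in events:
        row = acc[(user, datetime.fromisoformat(ts_iso).date())]
        row["bytes_sum"] += nbytes
        row["event_count"] += 1
        row["scores"].append(event_score(ts_iso, channel, nbytes))
    return {key: {"bytes_sum": r["bytes_sum"], "event_count": r["event_count"],
                  "event_score": mean(r["scores"])} for key, r in acc.items()}


def zscore(value, history):
    """Distance from the user's own baseline in standard deviations."""
    mu = mean(history)
    sigma = pstdev(history) if len(history) > 1 else 0.0
    # Floor sigma so a perfectly flat baseline does not make a +1 change look extreme.
    sigma = max(sigma, 0.25 * abs(mu), 1e-9)
    return (value - mu) / sigma


def detect(events, day, threshold=3.0, min_history=5):
    """Return {user: [models whose value on `day` exceeds that user's baseline]}."""
    aggs = daily_aggregates(events)
    flagged = {}
    for user in sorted({u for u, _ in aggs}):
        history = [aggs[(u, d)] for (u, d) in aggs if u == user and d < day]
        today = aggs.get((user, day))
        if today is None or len(history) < min_history:
            continue
        hits = [m for m in MODELS
                if zscore(today[m], [h[m] for h in history]) > threshold]
        if hits:
            flagged[user] = hits
    return flagged


SAMPLE_EVENTS = build_sample_events()


def run_demo(day_iso="2019-03-11"):
    """Score one day of the constructed feed against each user's prior days."""
    return detect(SAMPLE_EVENTS, date.fromisoformat(day_iso))


if __name__ == "__main__":
    # Expected: alice trips event_count and event_score (many small night-time
    # uploads, total bytes still normal); bob trips only bytes_sum (one big upload).
    print(run_demo())
```

The sigma floor is the part worth thinking about in production: a user whose baseline is perfectly regular has a standard deviation of zero, and without a floor every extra event becomes an "anomaly", which is exactly the alert noise the slides say DDP is meant to remove.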
Tries to print customer’s credit card data. DLP
blocks it, but then…
DLP Evolution (Next-gen DLP)
DDP - Moving Beyond Auditing Alerts (Path to Block!)
The Security Requirements: Having the ability to forensically audit their alerts if important data leaks.
Result: Many large enterprises have deployed DLP in audit only mode. The security team can mine alerts to identify data exfiltration, but they don't actively block it.
DDP solves this!
DDP - Moving Beyond Auditing Alerts
Result:
• Large enterprises can still deploy DLP in audit only mode for low Risk Levels
• The security team can still mine alerts to identify data exfiltration
• They can now leverage analytics to not only identify, but also block their riskiest users
Benefits of Dynamic Data Protection
• Reduce the amount of DLP alerts that need to be triaged, as the Analytics triage incidents on our behalf! Transition DLP from broad to individual policies.
• Provide greater flexibility in policies, and adapt enforcement based on calculated risk. Less need for whitelisting and exceptions!
• Detect and respond to high-impact events in a shorter amount of time. Data Security teams can finally be proactive!
Real World Stats – Results On The Field
As with many DLP customers, DLP was deployed in "Audit Mode" only, not even with endpoint confirmation!
• 1 Risk Level 5's produced
Improved Visibility and Reduction of Noise
DLP
• Total Incidents (30 Days) ~400,000
• Top 2 Policies ~65% of incidents
• Office Files Sent over Time ~170,000
• Large Files ~74,000
• Required lots of thresholds
DLP + DDP
• Total Incidents (30 Days) ~165,000
• Visibility into all file types
• Visibility into all file sizes
• Simplification of DLP policies
Real World Examples
Instructions for delivering a DDP Demo
The DDP demo can be delivered entirely through a video, or through the first portion of the video and a live environment on Go4Labs.