
McAfee Data Protection

McAfee Confidential
Why Data Protection Matters

New Compliance Laws Draw Boardroom Attention

68% of data breaches required public disclosures¹

[Diagram: GDPR Data Security Lifecycle: Collection, Use, Disclosure, Retention, Destruction]

¹ McAfee Data Exfiltration Study: Actors, Tactics, and Detection, September 2016

Impacting Company Bottom Line

$3.6M is the average cost of a data breach¹

• Costly fines
• Damaged reputation
• Loss of customers and revenue

¹ 2017 Cost of Data Breach Study: Global Analysis, Ponemon Institute, June 2017

Understand Data Exfiltration

Who wants the data?
• 47% External actors
• 53% Internal actors

How are thieves getting data out?
• 60% Electronic means
• 40% Physical means

Where is data being taken from?
• 2/3 of breaches occur on traditional networks
• 1/3 occur in cloud infrastructures

Comprehensive Portfolio

[Diagram: Cloud, DLP, File Encryption, Device Control, and Disk Encryption, arranged around Common Policy, Console and Keys]

Extensive, effective, and integrated

DLP Business Profile
Key Stats and Facts

• 2600+ Enterprise Customers
• > 12 million nodes deployed
• Financially profitable and growing in revenue
• The top area of “new product” interest for CISOs

Award Winning Technology

Gartner Magic Quadrant, Enterprise DLP

8 Consecutive Years as a Leader

Framing the Data Loss Problem

Data Types / Data Loss Vectors / Solution

Data-in-Motion
• Data loss vectors: Email/IM, Web Post, Network Traffic, Cloud
• Solution: DLP Prevent, DLP Monitor, McAfee Skyhigh

Data-at-Rest
• Data loss vectors: File Share, Database, Desktop/Laptop, Cloud Storage
• Solution: DLP Discover, McAfee Skyhigh, Drive Encryption

Data-in-Use
• Data loss vectors: Removable Devices, Email/IM, Cloud Apps, File & Clipboard
• Solution: DLP Endpoint, McAfee Skyhigh, File and Removable Media Encryption, Device Control

McAfee DLP solution
Cover Endpoints, Networks, and Cloud Environments

McAfee ePolicy Orchestrator
• Central web-based administration console for all McAfee products
• Enterprise class – highly scalable - RBAC
• DLP Policy is created here and pushed out to various control points
• Incidents are aggregated here and available for analysis
• Powerful reporting engine

[Diagram: McAfee ePO; Endpoint Data Protection: DLP Endpoint; DLP Discover: Data Repositories, Discover via Cloud API; Network Data Protection: DLP Prevent (Email & Web Gateway), DLP Monitor (Switch, Firewall, Internet)]

McAfee DLP solution
Cover Endpoints, Networks, and Cloud Environments

DLP Endpoint Agent
• Covers Windows and Macintosh platforms
• Policy is enforced even when system is disconnected.
• Vectors Covered: Email, Web, Cloud, Removable storage, Network transfers, Printing, Clipboard, Screen Capture
• Local discovery of File system and Mailboxes
• Provides for User Coaching dialogs
• Provides more visibility & Control than network can, due to proximity to data origin.

McAfee DLP solution
Cover Endpoints, Networks, and Cloud Environments

DLP Prevent
• Network appliance (Hardware or VM)
• Inspects outbound email and Web traffic against your DLP Policy and passes Allow / Block decision to outbound Mail and Web Gateways
• Feeds DLP incidents back to ePO
• Works with any ICAP capable Proxy
• Works with any SMTP mail Gateway
• Can receive SSL Decrypted Session from Proxy for inspection

McAfee DLP solution
Cover Endpoints, Networks, and Cloud Environments

DLP Monitor
• Network Appliance (Hardware or VM)
• Passive device that monitors traffic and generates incidents, but cannot block.
• Receives copy of outbound traffic from switch via a SPAN or TAP.
• Monitors more protocols than Web/Email
• Last line of defense (Belt and suspenders)
• Cannot decrypt SSL

McAfee DLP solution
Cover Endpoints, Networks, and Cloud Environments

DLP Discover
• Software-based server, deployed to a Windows server OS via ePO
• Scans large Data repositories looking for files that match your DLP policy
• Supports CIFS shares, Sharepoint, MS-SQL, MySQL, Oracle and Cloud repositories
• Remediation actions include Report, Copy, Move, Apply Rights Management, Fingerprint, and apply classification (Tag)

Coach and Monitor End-user behavior
Educates employees; alleviate administrative burden; reduce risky behavior

Manual Classification
• Public
• Confidential
• Partner

Self Remediation
• Scan Details: Scan Name: Local File System; Scan Date: 15-Jul-2016 18:04:53; Files Scanned: 31; Files Monitored: 31; Files Quarantined: 2

Real-time Feedback
• Enter Justification: "My manager approved this transmission", "This content is not sensitive", "Sorry, I didn’t know"

Over ~75% reduction in risky behavior

Protecting Data Moving To/From the Cloud

Uploading
• Cloud Protection Rule
• Web Protection Rule

Downloading
• Application Tagging
• Location Tagging

Email Prevent Workflow

[Diagram: Users, Exchange, Email Gateway, Prevent, ePO; arrows numbered 1 to 5 match the steps below]

1. User sends message via Exchange to the outbound Email gateway (MTA)
2. Policy on the MTA directs specific (outbound) messages to McAfee Email Prevent for inspection
3. Prevent: Inspects msg, adds X-Headers (if necessary) and returns message back to the MTA
4. MTA examines X-Headers, and takes the appropriate action. (Block, Bounce, Encrypt, Quarantine, Redirect)
5. Incidents are generated for any DLP action, and a copy is sent to ePO

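Steps 2 to 4 of the email workflow, as an added Python sketch (not McAfee code): the MTA removes any sender-supplied verdict header before inspection and fails closed on duplicate or unknown values. The header name `X-DLP-Action`, the `prevent_stub` stand-in and the sample message are hypothetical; only the five action names come from the slide.

```python
from email import message_from_string
from email.message import Message

VERDICT_HEADER = "X-DLP-Action"   # hypothetical name; use the header your policy defines
ACTIONS = {"BLOCK", "BOUNCE", "ENCRYPT", "QUARANTINE", "REDIRECT"}  # from the slide

# Constructed sample: the sender has pre-set the verdict header on submission.
SAMPLE = (
    "From: user@corp.example\n"
    "To: contact@partner.example\n"
    "Subject: Q3 numbers\n"
    "X-DLP-Action: none\n"
    "\n"
    "see attachment\n"
)

def to_prevent(raw: str) -> Message:
    """Step 2: parse the outbound message and drop any verdict header it
    already carries, so only the inspector's header is ever evaluated."""
    msg = message_from_string(raw)
    del msg[VERDICT_HEADER]       # deletes every occurrence; no error if absent
    return msg

def prevent_stub(msg: Message, verdict: str = "") -> Message:
    """Step 3 stand-in: the inspector adds a header only if necessary."""
    if verdict:
        msg[VERDICT_HEADER] = verdict
    return msg

def mta_action(msg: Message) -> str:
    """Step 4: map the returned header to an MTA action."""
    values = msg.get_all(VERDICT_HEADER, [])
    if not values:
        return "DELIVER"          # no header added: nothing matched policy
    if len(values) > 1:
        return "QUARANTINE"       # conflicting verdicts: fail closed
    verdict = values[0].strip().upper()
    return verdict if verdict in ACTIONS else "QUARANTINE"  # unknown: fail closed
```
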
Web Prevent Workflow

[Diagram: Users, Web Proxy, Prevent, ePO; arrows numbered 1 to 5 match the steps below]

1. User’s Web browsing session is directed to an outbound web proxy appliance
2. Proxy server optionally performs SSL decryption, then forwards a copy of the traffic to Web Prevent via an ICAP request.
3. Prevent inspects the payload and returns either an Allow or Block message in the ICAP Response
4. Proxy Server either presents a custom block page to the end user, or allows the traffic through depending on the response
5. Incidents are generated for any DLP action, and a copy is sent to ePO

DLP Monitor Workflow

[Diagram: Users / Servers, Egress Switch, Firewall, Span / Tap, DLP Monitor, ePO; arrows numbered 1 to 4 match the steps below]

1. The switch receives network packets from internal users and servers
2. McAfee DLP Monitor receives copies of network packets via Span/TAP and analyzes them.
3. The switch also sends packets through firewall to internet.
4. Any resulting incidents generated by Monitor are reported to ePO.

[Deployment diagram. Labels: Main Office; Endpoints (DLPe); File Servers, Sharepoint, Databases; DLP Discover; Systems Management: ePolicy Orchestrator; Network Devices: Switches, SPAN / Tap; DLP Monitor; DLP Prevent Web, Web Gateway; Exchange, DLP Prevent Email, Email Gateway; DLP Prevent Mobile, MobileIron; Internet; Cloud Services; Sharepoint; OneDrive; Box]

DLP Policy Construction elements

Definitions
Building blocks for policy creation
• DATA: RegEx, Dictionary, Doc properties, File Extension, File information, True File type, Validation Algorithms
• SOURCE / DESTINATION: Application, Network Share, URL List, Email List, User list, Device, File Repositories

Classifications
Use definitions to build out customized logic for identifying data
• Automatic Classification based on:
  • Application
  • File location
  • Content Inspection
• Manual Classification
• Content fingerprinting

Protection Rules
Tie classifications to specific protection vectors (email, web, clipboard, Print Screen, Printing, Cloud, Network, etc)
• Condition – Match condition for the rule
• Exception – Exceptions to the match conditions
• Reaction - Expected outcome for the rule

Rule Sets
Collection of related protection rules
• Multiple rule sets can be created and shared across different DLP Policies.
• Geo specific, Production, Test, Lockdown, Watch list, etc…

DLP Policy Assigned to systems
Top level DLP Policy Object associated with a managed system
• Can be assigned to systems or groups via the System Tree.
• Multiple DLP Policies can be configured in ePO
• Can be re-assigned dynamically to a system via System Tags and Policy assignment Rules

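How the construction elements chain together, as an added Python sketch (not McAfee code or policy syntax): a RegEx definition plus a validation algorithm feed a classification, and a protection rule ties it to a vector with a condition, an exception and a reaction. The Luhn check, the `PCI` label, the rule fields and the `.example` destinations are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Definition (DATA): RegEx for 13-19 digits, optionally separated by space or dash.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Definition (DATA): validation algorithm (Luhn is this example's choice)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Classification: content inspection built from the two definitions."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI")               # constructed classification label
    return labels

@dataclass
class ProtectionRule:
    vector: str                             # protection vector, e.g. "email"
    classification: str                     # classification the condition matches
    exempt_destinations: set = field(default_factory=set)
    reaction: str = "BLOCK"

    def evaluate(self, vector: str, destination: str, text: str) -> str:
        if vector != self.vector or self.classification not in classify(text):
            return "ALLOW"                  # condition not met
        if destination in self.exempt_destinations:
            return "ALLOW"                  # exception to the match condition
        return self.reaction                # reaction

# Rule set: a collection of related protection rules (one constructed rule here).
RULE_SET = [ProtectionRule("email", "PCI", {"billing.example"})]

def decide(vector: str, destination: str, text: str) -> str:
    """Return the first non-ALLOW reaction from the rule set."""
    for rule in RULE_SET:
        verdict = rule.evaluate(vector, destination, text)
        if verdict != "ALLOW":
            return verdict
    return "ALLOW"
```

The validation step is what keeps a 16-digit order number that merely matches the RegEx from raising an incident.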
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2017 McAfee LLC.
