Video Screencast Help
Security Community Blog

Presentations from 12/1 NY User Forum

Created: 03 Dec 2010 • Updated: 03 Jan 2011 • 1 comment
Dave Gadue's picture
0 0 Votes
Login to vote

While I was not able to attend this time around, feedback was that we had another terrific event!  I believe we may have set another record for the largest one yet.  Congratulations.

Attached are the presentations.  Thanks goes out to Jeremy, Fabio, Curtis, and Harold for presenting.

Finally, a special thanks goes out to Tim and Bank of America for hosting.

On behalf of the Board, we want to wish everyone a Happy Holiday season and safe New Years!


Minutes captured by Eric Buvron. Thanks, Eric!

NY DLP User Group Meeting Minutes:  12-1-10

Meeting Agenda:

12:30 pm- Lunch

01:00 pm- Announcements & Introductions

01:15 pm- User Group Presentations by CompuShare and HSBC

02:15 pm- Symantec Presentations

03:30 pm- Discussion / Q & A

04:15 pm- Prizes & Planning

05:00 pm- Cocktail Reception

2011 Meeting Schedule:

-       Twice a year: June and December

-       Breakout sessions: 1 half of the meeting as a breakout sessions and the 2nd half of the meeting for roadmaps and reviews.

-       User presentations very important.

-       Fabio will host the next DLP session in June.

Meeting Minutes Sections:

1. Topics of Interests and Challenges

2. Customer Presentations (HSBC and CompuShare)

3. Symantec DLP11 and Data Insight Presentation (Harold Byun)

1. Topics of Interests and Challenges

UPS, Al Carvalho

- Data-at-Rest Implementation

- Challenges - Remediation and show value add from DLP

Societe Generale

- SAM (Only implemented for several months)


- Network monitor for email for the past 5 years

- Starting to look at DAR and starting the remediation phase

- Endpoint protecting - future

PNC, John Pollock

- Interest in V11

- Future challenges

Municipal Board of Education

- Network monitor, endpoint

- Challenges: integration of SIM, endpoint

Sloan Kettering

- DAR, prevent web email, FTP (monitor)

- Next steps for endpoint

NYC Department of Education

- DLP Workflow


- Monitor, Prevent and Discover


- Monitor mode, SMTP Prevent

- Challenges: Endpoint, International Issues

Morgan Stanley

- SIM integration and logging


- DAR, expanding

Ernest and Young

- Interested in the service by Symantec

Bank of America

- Data in Motion and DAR


- Interested in the Data Insight product and web prevent

- Remediation team solutions

The Hartford

- Interested in Data Insight

- Project proxy solution with web prevent

- Rolling out the endpoint solutions

Time, Inc

- Rolled out monitor and protect

- Interested in DAR

Goldman Sachs

- Interested in tighter integration with other alerting framework

- SMTP monitoring and interested with other services

- Update the DLP installation

New YorkLife

2005 - Monitoring

2007 - SMTP Prevent

2011 - Endpoint

Other Interests and Challenges:

-       What other people are doing?

-       Data Insight

-       Endpoint deployment

-       DLPPolicies: Interaction with business units

-       Network monitor mode, DAR for PII

-       SIMintegration

-       Challenges: HTTPS monitor, DLP Lite products

2. Customer Presentations:

2.1 First Customer Presentation: Jeremy R Ensweiler from HSBC.

DLPHistory at HSBC:

-       Started out with DAR instead of email monitoring

-       Upgrades issues are more problematic from version 8 to 9 than from version 9 to 10 / 10.5

Upgrade Horry stories / concerns:

-       Oracle issues

-       Wrong Character Set

-       Automatic upgrader only works for monitor/prevents that are on the same OS as the Enforce box.

1st Slide, HSBC Presentation

- North America

- Evaluated in 2006/07

- New evaluation of 3 vendors in 2008

- Thorough testing of 2 vendors in 2008/9

- Selected and deployed Symantec in 2009

- Began DIM 2010


What Challenges did you have for deploying outside the US?

-       No templates for working with other countries however there are agreements between countries

-       Need to work with legal and business units

-       The first response team is offshore vs local response teams

-       Some challenges also include business units who want separate dlp deployments within their country.

Does your company have a policy / standard that requires external email monitoring?

  - General DLP protection requires; no general requires but requirements for record retention (E Grossman)

  - Everyone gets monitored however what is monitor and actioned varies (E Grossman)

Who drives the policy?

-       Mandate from CEO requires protecting sensitive data; and state of MA for "inspiration" (E Grossman)

-       Structured information classification helped with what to monitor and remediation what needs to be protected.

What are the drivers for detection criteria?

-       Pattern match rule for baseline and EDM for blocking.  Pattern matching is reviewed. (E Grossman) 

-       Will block personal SSN for user purposes (e.g. user tax preparation).  Responsible for protecting SSNs regardless of the usage.


-       Enterprisegateway for email encryption has minimized the need for desktop encryption solutions which would prevent DLP from be monitoring (E Grossman)


-       TLSvs Enterprise Gateway: use monitor for TLS for enterprise to enterprise SMTP communication.

-       Endpoint can capture the data before encryption and bypass the proprietary encryption tools; HSBC scan and monitors TLS and gateway encryption.

2nd Slide, HSBC Presentation

DIM Violation - Handling the workflow

Events Policy violations - violations are sent to business recipient

- Incidents (potential breaches): violations sent to personal / non-business recipient

Key Responsible Parties:

- Incident management

- Investigation Team

- Business unit information Security Officers

- DLP team looks at incident below thresholds however this is more for QA.

- Investigation team works with the business units.

- North American team is 4 members and there are 40K employers in NA.

- 15 people are offshore and a few onshore.

- Security team is between 10-20 members.

- Looking at PII with data identifiers with threshold at 100 and since lowered to 50.

- Credit card loss is set at 1 match for thresholds

- Overall: lowered the threshold after 5 to 6 months.

- Comment: match count at 1-5 is several magnitudes higher than 5 and above (E Grossman).

Challenges: Setting Thresholds

-       Email block at New York Life is to threshold to 1 (E Grossman)

-       Enhancement request:unique matches only vs duplicate matches; unique match counting potentially in next version after DLP11.

3rd Slide, HSBC Presentation


Are additional controls in place for individuals with DLP System access?

  - Only the DLP Team has access to DLP.

  - Integration with AD to lockout the account.

  - DLP team is in locked rooms with restricted access.

  - DLP team is monitored like everyone (e.g. email)


- DLP team does not have access to work from home.

Auditing of DLP Analyst

- Auditing of DLP Analyst - querying one of the tables in SQL monitor who modified what (Morgan Stanley)

4th Slide, HSBC Presentation

- No exclusions for DIM

5th Slide, HSBC Presentation

Presently for DAR: Windows servers and LAN Shares

- Targeted scans at key locations [business units]

Two basic types of scans:

- Privileged access - scanning everything

- Non-privileged access - scanning for the low hanging fruit.


- Currently with DAR, HSBC does not have the ability to scan the entire environment; working with other teams: security, storage, server team, and data owners

Detection Method for DAR

- Looking for similar data as in Email monitoring such as PII.

- Longest monitoring for DAR has site of 30 shares with a recent location at 100 shares.

DARRemediation Method:

- Relying on the business units and their SROs; target areas for privileges areas [e.g audit areas].

- Initial scans have a lot of data analysis and classification on the part of the business unit and dlp analyst.

- Non-privilege scans are currently remediated via file lockdowns, etc.

2.2 2nd Customer Presentation

- Fabio Recine from CompuShare


- Recently beta tested DLP 11

- Global Transfer Agent and Share Registry

- DLP in 2008 - Email Prevent

- Headquarter in Australia

- Centralized DLP in North America


Email Prevent (13), Endpoint Prevent (7), Network Discover (16)

Regional Polices (160)

-       Big challenge -> large number of policies; polices are also specific for countries

-       Polices by detection type (considered a mistake) and policy by region (another perceived mistake)

DLP11 Testing:

-       Full UAT environment using Windows VM

DLP11 Upgrade

-       10.5 to 11 Upgrade

-       Flex Upgrade (staged install allowing mixed 10.5 and 11.0 environment).

-       Important: You do not need upgrade all the detection servers at once if the Enforce is upgraded to version 11.

-       Note: There are known issues upgrading from 8.0 to 9.0.  DLP11 documentation has a step by step upgrade guide.

DLP11 Features of Note:

-       Data Identifier Modification: the ability to modify the default settings for built-in identifiers.  You can modify the regex and algorithm for the data identifiers.

-       DLPstill needs proximity detection and data owner exception.  Note: EDM currently has proximity detection.

-       Exchange Discover Scanning: No Longer requires use of a "scanner."

-       DLP11 works with Notes 8 by installing a Notes client.

-       SharePoint server does require software installation using a web solution installation. Elevated user access on the backend is not required for SharePoint.

Incremental Scanning:

-       Failed scans can be "restarted" to pick up where it left off.

-       Is there better logging on what failed?  Does not tell you what file failed or where it left off and other metrics.

-       File systems only in DLP11 and DLP12 for all the clients.

-       Challenge: the level access required on the file shares does not do a credential validation test to prevent lockout of accounts in DLP11.

-       CAN provide logs on what data cannot be scanned based on access denial (e.g. encryption, etc).

-       EFSencrypted content can be cracked to scan content

-       PGP encrypted content today and fully certify going forward.

Data Owner Exception: Enables users to send their own personal data.

User Groups:Endpoint user group definitions introduced in 10.5 now extended to the server side detection for Email Prevent.

Keyword Proximity Detection- pulled out of DLP11 (TBD confirmed when Proximity Detection will be available)

o   Proximity detection applies only to keywords you define.

o   Cannot be used with keywords and data identifiers (e.g. SSN, and SSN and keywords)

o   Question: HIPAA / Regex - Can keywords be added in the templates (question from EG)?

VML (Vector Machine Learning)- used to provided automated detection using positive and negative sets of documents.

o   Current uses cases: source code, M&A documents

o   There is a need to have at least 50 - 250 documents for the positive and negative sets.

o   After testing and refining the positive and negative sets, Cisco was able to achieve false positive rate similar to IDM fingerprinting at 4% for ISO routers.

o   VML Works on the endpoint as wells

o   Does not have the same memory footprint as IDM.

o   Efficient with no lag time with regex the most costly for DLP.

EnterpriseVault Classification


o   Local Disk and network share monitoring: Local to/from network prevent as well as network to network prevent

o   Agent only on the Endpoint required.

o   Endpoint Discover Quarantine: Supports both a local directory OR remote share directory and more importantly - it works!

  New EndPoint Agent management Features

-       Change the Endpoint server

-       Disable, enable, restart and shutdown endpoint agents

-       For new features to take into effect the Endpoint agent and server have to be at the same level for DLP 11.

-       Cannot schedule endpoint agent scans yet.

-       Can pull logs beneficial for troubleshooting.

Endpoint Device ID

-       Only for USB devices

-       Question: Can you specify specific printers? (Enhancement Request)

Application Monitoring

Endpoint Agent Configuration:

-       Endpoint configurations are applied to the endpoint server rather than configuring the agent per Endpoint server


-       How does network share monitoring work?  Answer: Only Window2s Explorer driven (e.g. unc paths)>  For example, documents are only scan with the explorer operations (e.g. can detect if a document is resaved in a different locations).

-       How do you do the oracle backups for the DLP database?


CompuShare has very little EDM. Credit card  credit card numbers had lots of false positives on the SSN however the polices were tweaked overtime.

Challenges for CompuShare:

-       Canadian SSN need to use a custom regex instead of using the native data identifier (i.e. format of the Canadian SSN is the issue).

-       HIPAA Template - ssn pattern matching and medical keywords and set the proximity detection in HIPAA template.

3.  Symantec Presentations:

Data Insight 2 and DLP 11 by Harold Byun

Symantec DLP v11:

-       Real-time Compliance use cases

-       Data classification via reporting API - send incident and asses information to CCS  **

-       DLP/ IAM – 3rd Party Reporting

-       Integrated workflow / Altiris workflow product to send alert to enduser and response to web portal / workflow

-       Data Owner workflow Testing - SQL / servers

Data Classification and Management:

-       Version 11.1 will VML (Approximately in April)

-       CCSSuite Integration

Content-ware Enterprise Integration:

-       Content classification service for EV integration


-       Whitelists are maintained on the agent not on the Enforce server.  There is  another project to do global whitelist configuration.

Data Protection Advances:

- Folder Risk scoring and remediation


- Data owner remediation - aggregation of alerts to data owners.

IPAD Interest:

-       How much of an impact is the iPad and the scope for DLP?

-       Huge push: search and block data on ipad preferred

-       C-level executives typical want all Mac devices.  One MAC IOS workaround: Critix solution with Macs

-       iPad: The loss of stuff of great interest that would need to be protected (E Grossman)

Question: blocking content on the iPad or controlling device loss?

-       Droids are outselling iPhones and Droid tablets are coming soon...

-       Application monitoring (e.g. iTunes)

-       RIMMwith email prevent and/or bricking the device.


If RIMM is a lockdown device, then corporate DLP solution will suffice. However, Execs do not what the iPhone locked down and

therefore needs to be a control layer (e.g. quaranting, monitoring, blocking or bricking the device).

Content Extraction API:

-       Common file type (embedded charts using spreadsheets) - write customized rule set for the xml


-       Cisco leverage VML for legal briefs and source code

-       Words and regex are high false positive and IDM is high accuracy.

-       VML lowers the overhead vs IDM but with the same high accuracy (e.g. use cases such as plagiarism in University)

-       Automatic rule creation based on a document set.

-       Some VML Candidates: PII and standardized reports, documents with consistency of format.

Other Use Cases:

-       ITAR - arms trafficking as a use case

-       SARS Reports

Potential Enhancement:DLP 11.1 FlexResponse copy to use false positives to feed the negative set in VML to lower the false positive ratio.

Cisco Use Case:

-       Cisco achieved 4.4% for false positives by using false positives for the negative set on the source code.

Additional DLP / Data Insight V11 Key Features:

-       DLP- Coverage for Email in the Cloud as a service offering.

-       DLP11 - Content Classification for EV with Exchange Email archiving scheduled for Journaling only (inline)

-       DLP12 - Content Classification for File and SharePoint archiving (Important Enhancement)

Question:DLP integration with PGP ?

DLPv11.1 Features

-       VML

-       FIPS and common criteria certification

-       Win2k8 R2 support

-       Critix support

-       Automated FlexResponse

-       FlexResponse copy and whitelist

-       IDM Fingerprint via WebDav

-       SSO / CAC support

DLPv12 Features:


1.  Tokenization of rules for policy

2.  Order of precedence

3.  Enterprise search to leverage the hits and use DLP

4.  Policy Authoring Workflow

5.  CCS integration

6.  Incident archiving

7.  Content-aware entitlements - Dataowner workflow (e.g. need a Write-back API)

8.  Decrypt PGP

9.  Detect on encrypted content

10. DI for SharePoint and NFS

11. Additional Parallel Scanning for higher scalability for DAR (e.g grid / cloud DAR server farm)

12. Load balanced scanning (again grid / cloud DAR server farm using load balancer potentially)

13. IDM on the endpoint

14. Proximity and unique match count

15. Full multi-version N-1 support

16. Scan Invocation API - immediate clean but not a block

17  Resource based incident

Security Information Manager (SIM)


- SIM adds value to integrate security events and provide event coloration.

- Use cases: DLP incidents, virus, and firewalls detects the number of ports being open by a particular asset and provide a true risk.

SSIM and DLP Complimentary Roles:

- DLP identify the sensitive data

-       SSIM can perform forensic analysis and combine the incidents from DLP to get a true risk.

-       NYC Dept of ED / DLP incident related to the ip address for event correlation.

-       DLPcorrelation among separate events: network monitor (ftp, https), email prevent, DAR and endpoint to correlation events

-       within DLP.

-       Target device protection for SIM event collaboration.

-       repeat offender within DLP

Comments 1 CommentJump to latest comment

kishorilal1986's picture

Thanks for sharing this.



Login to vote