赛门铁克DLP方案介绍

Symantec™

Confidenceinaconnectedworld

Symantec数据防泄密技介

海波

Haibo_yan@

Agenda,Symantec,

Vontu的及争分析

Vontu的硬件配置需求

?如何排除常异

LiveDemo&BestPracticePolicy

2

It'sAboutTheDataSymantec.

DataLossPrevention力,Symantec™

/

CustomerDataCorporateDataIntellectualProperty

机密数据・型NationalIDNumbersFinancialsSourceCode

CreditCardNumbersMergersandAcquisitionsDesignDocuments

ProtectedHealthInfoEmployeeDataPricing

内部的威

失争

■力

信誉/公的尬

失

"Ifseparatecategoriesconcernedwiththelossofcustomerandproprietarydataarelumped

together,however,thenthatcombinedcategorywouldbethesecondworsecauseoffinancialloss."

Source:CSIComputerCrimeandSecuritySurvey2007

,Symantec,

-每400封件中就有1封包含机密信息

-每50份通ra的文件中就有1份包含机密数据

-50%的USB中包含机密信息

-80%的公司在失笔本后会生泄密事件

在美国平均每次数据泄密事件致的失高达630万美金

(PonemonInstitute,2007)

-数据泄漏致客流失的比例正在以每年11%的速率上升

SOX,HIPPA,PCI以及中国的企内控基本范都要求企保机密信息

信息保正日益成安全管理和控制的核心内容

OOOOOOOOOOOOOO

Askyourself,Symantec™

Where机密数据存放在那里？

How机密数据是怎被使用的？

How我是如何防止数据失的？

Agenda,Symantec™

Vontu可以帮助您…,Symantec™

A

机密信息在什位置数据在网中如何流？如何来防止数据泄漏？

▼

DISCOVERYMONITORINGENFORCEMENT

DATALOSSPREVENTION(DLP)

8

VontuDLP8ArchitectureSymantec.

Vontu

Network

DiscoverVontu

Network

Vontu

Monitor

Network

Protect

FileserversMonitor:9

DatabasesSMTP

CollaborationplatformsVontu

EnforceHTTP

WebsitesPlatformIM

、Laptops/desktopsFTP

AnyTCP-based

Policies

Vontu

EndpointWorkflow

DiscoverVontu

ReportingNetwork

VontuPrevent

EndpointAdministration

Prevent

DiscoverdataMonitor/block:

MonitordatadownloadsSMTP

Monitor/blockUSB,HTTPandHTTPS

CD/DVD

FTP

SecuredCorporateLANDMZ

，Symantec.

Confidenceinaconnectedworld.

HowItWorks?

DataLossPolicies,Symantec™

Vontu

Network

Discover

Vontu

Network

Protect

Vontu

Enforce

Platform

Vontu

Endpoint

Discover

Vontu

Endpoint

Prevent

Disconnected

SecuredCorporateLAN

11

数据防泄密策略Symantec.

DataLossPolicy

・自定・策略或者从60

+策略模板中・取

保存在Enforce月艮■

器上，并且及■推送

到Detection服,器

响・・・

1.两方法探,通知

字，数据符，正表达式，文件•送件到件人，上理，IT管理

型

・屏幕出消息框

2.指数据

匹配到的文件

•构化数据

•系日志告警

・机密数据，件人和收件人•阻止

•非利化数据•SMTP,HTTP/S,FTP,USB,CD/DVD等

・相似度匹配■修改

•And/or/if运算，包括exception・修改机密信息文件

,档文件

12

网控和保,Symantec,

取I・

Broadprotocolcoverage

TrueMatch™detection

Integratedreporting

■控阻止

全面控，包括email,web,IM,FTP,PTP,■全面的防，包括SMTP,HTTP/S,andFTP

和通常的TCP•可的件路由和加密

基于名的（不根据文件型）,与Web2.0websites和用无交互

自的sender/manager通矢u•MTA以及WebProxy集成（MTA:SMTP

准）

,再教育工

更新中断的流程（其他的数据安全管理方

式都会中断流程）

能

,Symantec™

Vontu

Network

Discover

Vontu

Network

Protect

Vontu

EnfoPlatf

ormrce

Vontu

Endpoint

Discover

Vontu

Endpoint

Prevent

Disconnected

SecuredCorporateLAN

HowNetworkPreventforEmailWorks,Symantec™

Vontu

行件，如果件反Network

了策略籽会被修改Prevent

MTA将件Vontu服器将

路由到件送回MTA

Vontu服器©

件服器将件到

MTA

端用送件

Internet

MTA

端用Email服器

如果件没有被修改，MTA会将他送到外

部。如果header被修改了，MTA会作出反

：隔离，重路由，告警或者弃

CorporateLANDMZ

HowNetworkPreventforWebWorks,Symantec™

v9-EnforceDemo-BetalVM▼W▼-&

个uhttps://enforg&x

VVontuDataLossPreventionAdministratorlogoutIprofllelhelp

AllRepo版]Netwofl'

ReportsReportRun7/6/09-1:20AM区西

IncidentSnapshot00003142

SavedReports

Status•INew▼ISeverityHigh▼\VP曲i「后|Report▼

MainDashboard

BusinessUnitthenPolicyRemediation改由恬JLaunchIny^tigati咀jNo的蜘and炽J

GlobalNetworkIncidents

Policy的\比卜

HighestRiskEndpoints

_JEmail/SMTPCustomerDataProtection260•

UserJustificationsByPoky(SSN$)[viewuoIlM

VIncidentContext

机宓

ServerVontuMonErOne

NetworkAgentResponse•MessageBlocked

CorrelationsFind聊ar

Exec.Summary-NetworkOccurredOn9/15/07-11:55AM

ReportedOn3/15/07-11:55AMValue#Ina&nh伸da”/7/30All

Incidents•All

Incidents•NewMachineIPS«rickf

(Corporate)

PolicySummaryiuser@>acme,com0027

Senderluser@

PolicyRecipientlNrr@anothen:cmpany,cc>mRKipieni

larry@anothercompany.com0025

PoliciesSubject$$n

AttachmentsSublet

ResponseRules

苞CustomersForPfocessinqWest,xkssn004

DiscoverTargets

、MessageBody

DiscoverServersCustornersForProcessing-West.xl0011-

ProtectedContent

Policy

ExactDatariirknmftrRabaDr^erUnnfUGIr'?Q-<

。口enOriqinXMe$56qe

IndexedDocumentsAttributesQuS

AttributeValue

,CListomersForProcessing„West.xls159Matches

AdministrationEmployeeInfo

EtnployeeID63M21

...420-08-353030809RAULPA5HAL46844519864999308000...om

System(930)750-079153395-9820dOIeNxBJcB650-22-089330811ORALEISURELastWsme蚂

4132673384929420G006...om(293)561-780729795-8233ZEUtDkPkNj

OverviewFirstN轴eJoe

561-97-251430812JAMESHINTZ48033316978195400004...om(714)803-9738

Events03706-1340kelcCsttij203-36-929330813GOLDIEPURVIS4409094843938080PtioneNuirib&r415M55-7662

E0…om(693)473-072215222-7590HwbwUgKGqD373-18-266030814SUSAN

AlertsEmptoy.eeEmail

WILLIAMS4083121379497770E...rg(795)656-890635020-5521DHaNHERKoc

Traffic

156-65-870330816MEITOKAR4915759347313980H00658...rg(503)627-1556VHistory例

WebArchive54724-8334KlssvmSnob627-12-928830817DANIELSMITH4718214769659850

FOO...om(288)878-261652330-7274vjhqstGEan178-52-615130818HAZEL3/15/07AdministratorNotificationSent上

HANSEN4836195836003030G00...om(751)998-894946561-9934ExrcVIkyUT-11:57Incidentnotificationsentto

Agents098-01-826330819JOSEPHNICHOLS4468381105299690A...om(463)501-6809AMjmanager@.

22348-6262BxUsvEZkAe501-15-659230820VIRGINIACAMACHO

AgentManagementConsole3/15/07AdministratorNotificationSent

4855420530088610...om(792)972-188090980-4172JHYkcHEhJs572-85-3278

Overview30821JOHNTHOMPSON4501523428889320E0...om(278)469-618141334-0064-11:55Incidentnotificationsentto

kvJGGusOfP469-94-073630822PETERCLARK4608121971967830B002..,omAMrTSecurity@.

Events

(936)554-446448795-6024ucaTOWOLHY354-83-196430823OSCARFERGUSON

3/15/07AdministratorNotificationSent

4029460039835530A...om(964)205-188499656-5757uBEckPdYim405-61-0672

-11:55Incidentnotificationsentto

Settings30824BESSIEHOLZHAUER4270959499061360...rg(472)947-823627894-6559

titccccr・.c、.♦♦-tcr,c—JAMnKAr(?h.arrnprnrn

VontuDataLossPreventionfroaSyMantccWindowsInternetExplorer匚洞区

v

ho.P：://iOSS1.243/ProtectMono<er7Inci<ientDet&ildo?value(v*riablol)=incident,id&value(operatorl)=ixt&v«lue(op«randl)=63.e证书罐误▼，公

女件(E)翱蜴CE)查看9收就夹(A)工具d)帮助(M)

6VontuDataLossPravontionfromSynantoc号■"，•-页面9，工具©)▼

VontuDataLossPreventionAdmini«tr«toclogoutIprofileIMo

AURcpoQ]上午必3)

ReportsIncidentSnapshot00000063teportRun9/13/03-7:57

SavedReportsStatus♦PrsvIJfaext)1Rjeport

INYD

Remediation

VNetwork

Exec.Summary-Network

IDO

Inodents•Al・HTTP

100

Incidents-NewVIncidentContext

PokeySummarymcidenr..mor»tot.id厘Htortor

StatusbyPokyVCorreiations

incident*date9/18/08-7:28上午

HighRskSenders•Last30DaysV»lu*"Ino