
ISO/IEC27000: Data Leakage Monitoring

by Cody Dumont
June 20, 2016

One of the biggest challenges that organizations face today regarding data leakage is employees who deliberately or unknowingly leak confidential information. Although some data loss results from external breaches, the majority of data leakage stems from employees engaging in behaviors that place the organization at risk. The ISO/IEC27000 Data Leakage Monitoring dashboard can assist organizations in identifying potential data leakage, which can aid in reducing risk, protecting customer privacy, and keeping confidential data secure.

The ISO/IEC 27002:2013 framework is a global security standard that provides best practice solutions in support of the controls found in Annex A of ISO/IEC 27001:2013. The framework establishes guidelines and general principles for initiating, implementing, maintaining, and improving Information Security Management Systems (ISMS). Each security control and objective provided within the standard can be tailored to specific business and regulatory objectives, and assists with maintaining overall compliance. This dashboard focuses on the ISO/IEC 27002 14.1 control, which can help to strengthen security controls by monitoring multiple network endpoints for data leakage activity.

Many organizations are not aware of the amount of data that is being transferred in and out of their network on a daily basis. Collaboration tools, instant messaging, cloud services, and peer-to-peer applications are frequently used within organizations to enhance productivity and performance. However, many of these applications are left unmonitored and can introduce serious risks. Some organizations deploy monitoring and Data Loss Prevention (DLP) solutions to protect confidential data; however, these may not cover every endpoint on the network where data loss can occur. Implementing proper security controls at every endpoint, and educating employees on policies and procedures, can help to protect confidential data.

The components within this dashboard monitor data leakage activity from multiple network endpoints and highlight areas of interest for security teams and analysts. Cloud and peer-to-peer (P2P) events help to identify employee activity and behavior that could be damaging to an organization. The Nessus Network Monitor (NNM) can analyze and detect data traversing the network such as credit card numbers, Social Security numbers, and other sensitive information. Organizations using DLP solutions can forward logs to the Log Correlation Engine (LCE), which can provide targeted information for security teams. Keywords that indicate potential data leakage activity are identified through Nessus scans. Security teams will find the information on this dashboard highly valuable, as it helps to identify the areas of the network that are reporting potential leakage.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:

  • Tenable.sc 5.3.2
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring platform. Tenable’s Log Correlation Engine (LCE) performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure. NNM provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities. Tenable.sc CV is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. Using Tenable.sc CV, the organization will obtain the most comprehensive and integrated view of its network devices and sources of potential data leakage.

Components

ISO/IEC27000 - Cloud and P2P Events (Last 7 Days): This component presents Cloud and Peer-to-Peer (P2P) activity on a network over the last 7 days. Both the “Cloud Services” and “Peer-To-Peer File Sharing” NNM plugin families are utilized in this component. The table is sorted so that the entries with the highest number of vulnerabilities appear at the top of the list. This component provides insight into users engaging in unauthorized activity that could lead to data leakage and/or malware infection. Analysts can use the data provided in this component to modify or block specific cloud or P2P services.

Data Leakage Monitoring - Top 10 Most Prevalent Events (Last 72 Hours): This table presents the most prevalent logged data leakage events in the last 72 hours. The logged events are reported by LCE under the 'data-leak' event type, and include events forwarded via syslog from NNM. A count of occurrences is given for each logged event; the list is ordered so that the event that occurred most often is at the top. A trend graph is also given for each event.

Data Leakage Monitoring - Activity with Potential for Data Leakage: This component presents indicators for activity detected on the network that has the potential for data leakage. The indicators are based on events logged in the last 72 hours and on actively and passively detected vulnerabilities. Indicators are included for such things as cloud interaction, outbound traffic to external IP addresses, peer-to-peer file sharing vulnerabilities, and USB usage. A purple indicator highlights a vulnerability/event detection. Clicking on a highlighted indicator will bring up the analysis screen to display details on the vulnerabilities/events. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities/events are present. This component can be used to investigate the potential for data leakage.

Data Leakage Monitoring - Indicators: This component presents warning indicators to draw attention to types of data that may have been leaked and methods whereby data may be leaking. These indicators make use of both passive detections and events logged within the last 72 hours. A purple indicator highlights a vulnerability/event detection. In two cases (Credit Card Number and Social Security Number), there are two indicators: one to highlight data leakage detected passively and one to highlight data leakage detected through logged events. Clicking on a highlighted indicator will bring up the analysis screen to display details on the vulnerabilities/events. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities/events are present. This component can be used to further investigate any data leakage.

Data Leakage Monitoring - Top 10 Most Prevalent Passive Detections: This table presents the top 10 most prevalent passive detections of data leakage. These passive detections are vulnerabilities reported by NNM in the 'Data Leakage' plugin family. A count of detections is given for each vulnerability; the list is ordered so that the vulnerability with the greatest number of detections is at the top. The severity of the vulnerability and a count of hosts on which the vulnerability was observed are also given for each vulnerability.

Verizon DBIR - Outbound Activity and Data Leakage: The Verizon DBIR advocates monitoring outbound connections to prevent data exfiltration. This matrix assists the organization in monitoring its outbound activity. The External Connect indicator is highlighted purple if outbound connections are passively detected from a system inside the network (as defined by the 'Monitored Network IP Addresses and Ranges' NNM configuration parameter) to a system outside the network. The Outbound Spike indicator is highlighted purple if a large spike in outbound connections was detected in the last 72 hours. The Out to Threatlist indicator is highlighted purple if traffic outbound to a known bad IP address was detected in the last 72 hours. The Data Leakage and Data Leak Event indicators are highlighted purple if data leakage was detected passively or via events, respectively. Clicking on a highlighted indicator will bring up the analysis screen to display details on the detections and events and allow further investigation.
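The following is an added example (not Tenable's code and not the dashboard's own queries) that reproduces, over constructed sample records, the logic behind two of the components above: the Top 10 Most Prevalent Events table (count and distinct hosts per 'data-leak' event within 72 hours) and the External Connect, Data Leakage and Data Leak Event cells of the Verizon DBIR matrix. The record schema and the monitored ranges are assumptions; LCE and NNM do not emit this format.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Reference time and the 72-hour reporting window used by the components.
NOW = datetime(2016, 6, 20, 12, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=72)
# Assumed stand-in for NNM's 'Monitored Network IP Addresses and Ranges' setting.
MONITORED = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def rec(hours_ago, source, kind, name, src, dst):
    """Build one constructed record; this schema is an assumption, not LCE/NNM's."""
    return {"ts": NOW - timedelta(hours=hours_ago), "source": source,
            "type": kind, "name": name, "src": src, "dst": dst}

# Constructed sample data: LCE 'data-leak' events plus NNM passive detections.
RECORDS = [
    rec(1,  "lce", "data-leak",      "Credit Card Number",     "10.1.2.3",    "203.0.113.10"),
    rec(5,  "lce", "data-leak",      "Credit Card Number",     "10.1.2.9",    "203.0.113.10"),
    rec(8,  "lce", "data-leak",      "Social Security Number", "10.1.2.3",    "198.51.100.7"),
    rec(90, "lce", "data-leak",      "Credit Card Number",     "10.1.2.3",    "203.0.113.10"),  # outside window
    rec(2,  "nnm", "Data Leakage",   "Credit Card Number",     "192.168.5.4", "203.0.113.22"),
    rec(3,  "nnm", "Cloud Services", "File sync client",       "10.1.2.3",    "10.9.9.9"),      # internal only
]

def in_window(r):
    return NOW - r["ts"] <= WINDOW

def top_events(records, n=10):
    """Top-N 'data-leak' events in the window: (name, occurrences, distinct hosts)."""
    counts, hosts = Counter(), {}
    for r in records:
        if r["source"] == "lce" and r["type"] == "data-leak" and in_window(r):
            counts[r["name"]] += 1
            hosts.setdefault(r["name"], set()).add(r["src"])
    return [(name, c, len(hosts[name])) for name, c in counts.most_common(n)]

def is_outbound(src, dst):
    """True when src is inside a monitored range and dst is outside all of them."""
    inside = any(ip_address(src) in net for net in MONITORED)
    return inside and not any(ip_address(dst) in net for net in MONITORED)

def indicators(records):
    """Evaluate three matrix indicators; True means the cell would be highlighted purple."""
    recent = [r for r in records if in_window(r)]
    return {
        "External Connect": any(r["source"] == "nnm" and is_outbound(r["src"], r["dst"]) for r in recent),
        "Data Leakage": any(r["source"] == "nnm" and r["type"] == "Data Leakage" for r in records),
        "Data Leak Event": any(r["source"] == "lce" and r["type"] == "data-leak" for r in recent),
    }
```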
