DLP Rolling Review: Wrap-up

In January of 2009, we launched a rolling review of enterprise Data Loss Prevention (DLP) solutions to see how well they tackle enterprise data security. Six months and six vendors later we've got interesting results and observations that will help you decide if DLP fits your risk management strategy, and if so, which vendors you should be talking to.

October 7, 2009


Rolling Review: Data Loss Prevention

Data-Loss Prevention Rolling Review Kick-Off

Vendors offer more options for protecting data throughout its travels. We'll put their claims to the test.

Reviewed so far:

DLP Rolling Review: RSA Takes Classification Up A Notch
The RSA Data Loss Prevention Suite sports a stellar user interface and an uncanny ability to sniff out sensitive data wherever it resides.

DLP Rolling Review: Safend Safeguards At The Endpoint
Safend estimates that 60% of corporate data resides on endpoints, and that's where Safend Protector Endpoint aims its DLP resources.

DLP Rolling Review: Code Green's DLP Appliance
The CI 1500 performed well in many areas and not so well in others.

DLP Rolling Review: Symantec's DLP-9
We tip our hats to Symantec for bringing to market almost everything we look for in a comprehensive data loss prevention suite via its DLP-9, formerly from Vontu.

DLP Rolling Review: TrendMicro Leakproof
Trend seems to have fully integrated Provilla's DLP technology into its core offerings.

DLP Rolling Review: Sophos Endpoint Security
Sophos has made strategic acquisitions in an attempt to round out its range of endpoint security capabilities.



The most significant reason to bring a DLP product into the organization is its enterprise data discovery capabilities. Sensitive information, whether it's customer credit card numbers, next quarter's financial projections or the schematics for a new tech gadget, sits in various file systems, databases and employee laptops across the enterprise.

Traditional security tools have a significant blind spot when it comes to protecting data because they have little visibility into all the places where such information resides. Before you can stop a potentially damaging leak, you have to know where the data are--and that's where DLP shines.

The ability to discover critical information across almost every conceivable data source was a major factor in our testing and grading methodology. We tested each vendor's ability to unearth data such as credit card numbers, Social Security numbers and other personally identifiable information within Office documents, e-mail, PST files, and structured databases.

Three vendors, RSA, Symantec and Code Green, all performed enterprise-wide data discovery. Of those three, our editor's choice goes to both RSA and Symantec. Yes, we're hedging here, but we must. RSA provides rich detail and a more elegant management interface than Symantec's. It also offers a well-designed dashboard that let us quickly scrutinize various data discovery incidents. However, Symantec gets credit for its ability to perform data discovery against IBM DB2 and Lotus Notes databases, something RSA was unable to do at the time of testing.

Both RSA and Symantec offer agentless and agent-based discovery capabilities. The agentless approach lets IT scan remote machines over the network without having to install software. However, to facilitate scanning large numbers of computers, both solutions also provide agents, which can be deployed on a server that sits in close proximity to the data sources, or on the data sources themselves. As a result, IT can scan terabytes of data relatively quickly. Symantec has the edge in the sheer number of file systems it can scan, across both structured and unstructured data sources.

The last important item on our data discovery checklist was the ability to take action on a particular piece of data that violated policy, such as an Excel file full of Social Security numbers being saved to an employee's laptop. RSA and Symantec each shone here. As data are flagged against a particular discovery policy, both solutions report where the file is, who owns it, what contents within the file raised the red flag and the severity of the incident. Both solutions can also employ a range of automated responses, including the ability to alert an administrator, delete the file, digitally shred it, or stub the file to an encrypted file system.
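To make the discovery-and-reporting loop described above concrete, here is an added Python example (our own illustration, not code from any of the reviewed products). It walks a file tree, flags payment card numbers only when they pass the Luhn check and Social Security numbers only when they are structurally valid, and reports the file, its owner, a masked excerpt and a severity, which is the same set of fields the RSA and Symantec consoles surface. The sample files, the severity thresholds and the file-extension filter are assumptions made for the example; the constructed numbers are not real accounts or people.

```python
"""Minimal data-discovery scanner (added example, not a reviewed product's code).
Walks a file tree, flags Luhn-valid payment card numbers and structurally valid
U.S. Social Security numbers, and reports where each hit is, who owns the file,
what matched (masked) and a severity. Sample files are constructed below."""
import os
import re
import tempfile
from dataclasses import dataclass

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN in the conventional AAA-GG-SSSS form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Filters out most random digit runs (order IDs, hashes)
    that a bare regex would flag as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural rules: area 000, 666 and 900-999 are never issued,
    nor group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(match: str) -> str:
    """Keep only the last four digits; the incident report must not leak itself."""
    digits = re.sub(r"\D", "", match)
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str):
    """Return (kind, raw_match) pairs for sensitive data found in text."""
    hits = []
    for m in CC_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append(("credit_card", m.group(0)))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(("ssn", m.group(0)))
    return hits


@dataclass
class Finding:
    path: str
    owner: str
    kind: str
    evidence: str   # masked
    severity: str


def owner_of(path: str) -> str:
    uid = os.stat(path).st_uid
    try:
        import pwd  # POSIX only; fall back to the numeric uid elsewhere
        return pwd.getpwuid(uid).pw_name
    except (ImportError, KeyError):
        return str(uid)


def scan_tree(root: str, exts=(".txt", ".csv")):
    """Severity thresholds (assumed): 10+ hits high, 3-9 medium, else low."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify(fh.read())
            if not hits:
                continue
            severity = "high" if len(hits) >= 10 else "medium" if len(hits) >= 3 else "low"
            owner = owner_of(path)
            findings.extend(Finding(path, owner, k, mask(raw), severity) for k, raw in hits)
    return findings


# Constructed sample data; none of these are real accounts or people.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn\nA. Smith,123-45-6789\nB. Jones,219-09-9999\nC. Lee,000-12-3456\n",
    "finance/refunds.txt": "Refund to 4111 1111 1111 1111 and to 5500-0000-0000-0004.\n",
    "sales/orders.txt": "Order 1234567890123456 shipped; invoice 98765 paid.\n",
    "eng/notes.txt": "Nothing sensitive here.\n",
}


def build_sample_tree() -> str:
    root = tempfile.mkdtemp(prefix="dlp-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.severity:6} {f.kind:11} {f.evidence:18} {f.owner:10} {f.path}")
```

Run as a script it prints four findings: two masked card numbers from the refunds file and two SSNs from the payroll file. The 16-digit order number in the sales file fails the Luhn check and the 000-area SSN fails the structural check, so neither is reported, which is the kind of false-positive suppression that separates a usable discovery scan from a regex grep.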

Endpoint security is a major component of a successful DLP strategy. That's because today's employees have a host of tools at their disposal for violating privacy policies, accidentally or otherwise. If a disgruntled employee walking out the door with your sales leads (or patient records or application source code) on a laptop is your greatest nightmare, you need to deploy the most robust endpoint protection you can.

As we made our way through the review, we quickly discovered that each vendor approaches the endpoint in its own way. For example, RSA doesn't offer physical port control in its endpoint DLP agent. As a result, you can't do things such as completely disable a USB port to protect against leakage via removable media. That's by design, because RSA's approach is to protect the actual data, not the physical port. This makes it incumbent on IT to have the right kinds of policies in place (for example, data type X is never allowed to be copied to removable media). However, this isn't a satisfactory answer for security administrators who demand physical port control. We spoke with many IT pros who simply want the ability to disable WiFi, infrared, physical ports, screen captures and the printing of sensitive documents on their systems. For those IT shops, the endpoint-oriented DLP vendors in our participant pool make more sense, namely Safend, Trend Micro and Sophos.

Application control is another core facet of data loss prevention. Preventing users from loading toolbars into their browsers or running peer-to-peer applications is just one of the things that harden your infrastructure against potential data loss. Some vendors might argue that application control is outside the scope of a DLP solution, but many IT professionals don't see it that way. They want comprehensive solutions that address a wide range of potential data loss vectors.

We challenged our endpoint vendors in the lab with a series of tests designed to discover the range of features and functionality offered to protect against the most common endpoint data leakage attacks. Simulated scenarios included the inappropriate e-mailing of sensitive data to the outside world, copying data to removable media and printing sensitive information.

Our top pick for device and port control goes to Safend Protector, while Sophos Endpoint Security stands out for its application control features. Safend shines for the robustness of its device and port control options. It stopped every physical port attack we threw at it, and then some. It also did a good job on the application control side. That said, we felt Sophos has the best turnkey application control capability. While not terribly customizable, the out-of-the-box application database was extensive. A quick policy tweak allowed us to block a tremendous number of applications across all of our test clients.

Searching For Fingerprints
Have you followed the recent Goldman Sachs saga? Alex Berenson of the NY Times recently reported on the arrest of former Goldman Sachs employee Sergey Aleynikov. Mr. Aleynikov was a key developer of advanced stock trading software. When Aleynikov jumped ship to a new company, he allegedly downloaded and transferred a portion of the software to a server in Germany. Goldman detected the breach and notified law enforcement. Would you have been able to detect the leakage of vital source code at your organization?

Digital fingerprinting is a staple of many DLP solutions. IT registers a sensitive data source (a source tree, a spreadsheet, a database export) and the DLP system computes hashes of its contents, usually of many overlapping chunks rather than a single hash of the whole file, so that an excerpt or a lightly edited copy still matches instead of slipping past on a one-byte difference. The fingerprints live on the DLP server and its agents; nothing is embedded in the data itself. Whenever content moves, whether by copy/paste, e-mail, print, or copy to removable media, the agent or appliance compares it against the registered fingerprints and can log or block the attempt. The obvious limit is coverage: only data that has been registered can be matched, and the fingerprint database has to be refreshed as that data changes.
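The following added Python example (ours, not any reviewed vendor's implementation) shows why chunked fingerprints matter. It registers a constructed "proprietary" text, then scores an exact excerpt, a reworded excerpt, a whole-document copy with one value changed, and unrelated text against the stored fingerprints, alongside a plain whole-document hash that only an exact copy survives. The chunking uses winnowed k-gram hashes (Schleimer, Wilkerson and Aiken's scheme); the k-gram size, window size and sample text are assumptions made for the example.

```python
"""Partial-document fingerprinting with winnowed k-gram hashes (added example;
not any reviewed vendor's implementation). Register a sensitive document once,
then score any outbound text against the stored fingerprint set. K and WINDOW
are assumed tuning values."""
import hashlib
import re

K = 8        # characters per k-gram
WINDOW = 4   # winnowing window; smaller = more fingerprints, finer matching


def normalize(text: str) -> str:
    """Lower-case and collapse punctuation/whitespace so trivial reformatting
    does not change the fingerprint."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def exact_hash(text: str) -> str:
    """Whole-document hash: catches exact copies and nothing else."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()


def kgram_hashes(text: str) -> list:
    norm = normalize(text)
    return [int.from_bytes(hashlib.sha256(norm[i:i + K].encode()).digest()[:8], "big")
            for i in range(len(norm) - K + 1)]


def fingerprint(text: str) -> set:
    """Winnowing: keep the minimum hash of every sliding window of WINDOW
    k-grams. Any shared substring of at least WINDOW+K-1 characters is
    guaranteed to contribute at least one common fingerprint."""
    hashes = kgram_hashes(text)
    if not hashes:
        return set()
    return {min(hashes[i:i + WINDOW]) for i in range(max(len(hashes) - WINDOW + 1, 1))}


def match_score(candidate: str, registered: set) -> float:
    """Fraction of the candidate's fingerprints present in the registered set.
    A policy would block above some threshold (say 0.5) and log above a lower one."""
    fp = fingerprint(candidate)
    return len(fp & registered) / len(fp) if fp else 0.0


# Constructed "proprietary" text standing in for registered source code.
DOC = """order router v3: compute the midpoint quote from the consolidated book,
apply the venue latency penalty table, then route child orders to the venue
with the lowest expected slippage. hedge residual exposure every 250 ms using
the delta ladder maintained by the risk thread. never cross the spread on
illiquid symbols flagged by the overnight scanner."""

EXCERPT = ("route child orders to the venue with the lowest expected slippage. "
           "hedge residual exposure every 250 ms")
REWORDED = ("route child orders to the exchange with the smallest expected slippage. "
            "hedge residual exposure every 500 ms")
EDITED_DOC = DOC.replace("250 ms", "300 ms")
UNRELATED = "quarterly cafeteria menu: tuesday is taco day, thursday brings the soup rotation back."


def demo() -> dict:
    registered = fingerprint(DOC)
    return {
        "excerpt": match_score(EXCERPT, registered),
        "reworded": match_score(REWORDED, registered),
        "edited_doc": match_score(EDITED_DOC, registered),
        "unrelated": match_score(UNRELATED, registered),
        "exact_hash_survives_edit": exact_hash(DOC) == exact_hash(EDITED_DOC),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:25} {value}")
```

The exact excerpt scores 1.0 because every window of the excerpt is also a window of the registered document; the reworded excerpt and the one-value edit still score well above zero while the whole-document hash already differs; unrelated text scores near zero. Choosing the block threshold is a policy decision, and the trade-off is the usual one: a lower threshold catches heavier rewrites at the cost of more false positives on boilerplate shared between documents.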

In the lab, we didn't see a tremendous degree of differentiation between the accuracy of the fingerprinting techniques deployed by our participants, so we can't call a clear winner on the digital fingerprinting contest. They all worked well in the lab and prevented some of the rudimentary attacks we threw at them.

Does Your Network Leak?
Laptops and flash drives are one source of data loss, but not the only one. An employee sitting in a cubicle can do serious damage using the business tools IT provides, including e-mail, FTP, instant messaging and Web 2.0 applications. IT can turn the tables with network DLP capabilities to assist in the risk mitigation effort. Through integration with ICAP proxies, network DLP appliances can interrogate the content of data streams before they exit the LAN. Using custom or pre-defined policies, a network DLP product can determine whether a given communication should be logged, blocked, or audited.

On the network DLP side, we felt that Symantec's DLP 9 came to the table with the most robust offering, beating out RSA and Code Green in several key areas. For one, Symantec supports more instant messaging clients. For another, its policies work offline, where RSA's agent, for example, could only apply policy if connected to the corporate LAN. Symantec's monitoring and enforcement features are also delivered as software, so if IT has the hardware and wants to deploy without having to purchase an appliance, it can do so.

DLP tools fill in some gaping data-centric security holes for organizations with critical information or intellectual property to protect. And organizations can approach DLP one step at a time, because many DLP vendors offer their products as components. For example, if you really just need data discovery, or you just need strong endpoint protection, you can buy those components a la carte and scale up as your security needs evolve.

There's good reason that DLP is a hot topic. Insider threats and government/industry regulatory requirements are driving new installations at a rapid pace. While we're technically wrapping up our rolling review, we're not shutting down the DLP labs. Gear from other players in the DLP space is always arriving at our door, so stay tuned for future reviews.
