Every day, data is leaking out of your network. You may not know it, or you may choose to ignore it, but doing so carries high risk: a batch of stolen credit card numbers can be published on a hacking Web site within minutes, and more targeted attacks can expose your employees' banking details or enable other forms of identity theft. Disgruntled employees who have been terminated may decide to walk out with your customer lists or confidential data on their last day. And the threat of lawsuits has never been higher, especially with the economy in free-fall in the past year.
Luckily, there are more than ten data loss prevention (DLP) products available, some from the major security vendors, including McAfee, Symantec, and Trend Micro. They offer a wide range of protective features, and some integrate with endpoint security products, proxy/caching servers, and network intrusion prevention appliances.
Ten Popular DLP products:
- Code Green Content Inspector 1500
- Fidelis Security Systems XPS
- GTB Technologies Inspector
- McAfee Host DLP
- Palisade Systems Packetsure
- RSA DLP Suite
- Safend Protector
- Symantec/Vontu DLP v10
- Sophos Endpoint Security and Data Protection
- Trend Micro DLP
What to look for
To help narrow the field, ask these questions before you choose your DLP product:
- Where does the product look for your data? Does it only find sensitive data in transit across your network, does it also scan your database and file servers, and does it inspect local desktops for Word documents stored on personal hard drives? Can it look inside encrypted data streams too?
- Can the product search for data without any endpoint agents installed, and how much more thorough is it once the agents are in place? As an example, Symantec/Vontu's solution can scan many different file systems and endpoint sources.
- Can the DLP agents do other security-related things on the endpoints? Some vendors offer port blocking or can disable USB connectors, to stop someone with a thumb drive from walking away with all of your customer data in their pocket. Others can control which applications can and can't run on your endpoints.
- What protocols can be blocked or analyzed? Certainly the e-mail protocols (SMTP, POP and IMAP), but what about Web traffic, file transfers and instant messaging too?
- How hard is it to create and then change protection rules? Some products, such as Palisade's, have wizards that make creation easy but fall down when it comes time to change a rule outside the wizard. Others, such as the Code Green appliance, have more intuitive, graphical rule-creation screens that make it easy to zero in on what you are trying to protect. Others, like GTB Inspector, have a comparatively difficult rule-creation process.
- What happens when a rule is violated? Can you determine who did it, where the offending information is stored, and what automated responses can be triggered? Does the product ship with plenty of pre-built templates to make this easier?
- Is the content-analysis engine a separate or an integrated piece of the product? In some cases, such as McAfee's DLP solution, you will need to install several different products to get a complete solution.
- How fast can data pass through the appliance? Typically you trade off inspection depth for throughput. Some of the products can scale to fairly large networks; some can't.
- What kinds of reports are available, and how easy are they to interpret or import into your existing reporting systems? Does the product offer any real-time reporting, and how flexible are the reports?
- How is the DLP solution integrated with endpoint security and proxy solutions? Some products in this list, such as Safend's, began life primarily as endpoint protection and have since added DLP features. Others work hand in hand with the vendor's own endpoint products or proxies. Some will integrate, to varying degrees, with third-party security products, such as Code Green, which works with Blue Coat's Web proxy products.
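To make the questions about content analysis, protocols and rule violations above concrete, here is an added example that is not from the article or from any vendor listed in it. It shows the simplest kind of content-inspection rule a DLP appliance applies to outbound mail: a regular expression for candidate card numbers, a Luhn mod-10 check so that order numbers and phone numbers do not fire the rule, and a threshold-based policy that decides whether to log or block and records who sent what. The rule names, thresholds, mailbox addresses and sample messages are all constructed for illustration; the card numbers are the standard test numbers used by payment processors.

```python
import re
from dataclasses import dataclass, field

# Candidate primary account number (PAN): 13 to 19 digits, optionally separated
# by single spaces or dashes, and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every payment-card PAN satisfies; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the PANs found in text, masked to the last four digits.

    The incident record keeps only the masked form so the DLP console itself
    does not become a store of full card numbers."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


@dataclass
class Rule:
    name: str
    threshold: int      # number of PANs in one message that triggers the rule
    action: str         # what the enforcement point does: "log", "quarantine" or "block"


@dataclass
class Incident:
    rule: str
    action: str
    sender: str
    recipient: str
    masked_pans: list = field(default_factory=list)


def inspect_message(msg: dict, rules: list):
    """Apply the rules to one message; the strictest rule whose threshold is met decides."""
    pans = find_pans(msg["body"])
    for rule in sorted(rules, key=lambda r: r.threshold, reverse=True):
        if len(pans) >= rule.threshold:
            return Incident(rule.name, rule.action, msg["from"], msg["to"], pans)
    return None


# Constructed sample policy: a single card number is logged, a batch is blocked.
RULES = [
    Rule("single-pan", threshold=1, action="log"),
    Rule("bulk-pan-exfil", threshold=3, action="block"),
]

# Constructed sample outbound messages (hypothetical addresses).
SAMPLE_MESSAGES = [
    {"from": "alice@example.com", "to": "partner@example.net",
     "body": "Order 1234567890123456 shipped; call 212-555-0142 with questions."},
    {"from": "bob@example.com", "to": "me@webmail.example",
     "body": "Here is my card for the booking: 4111 1111 1111 1111"},
    {"from": "mallory@example.com", "to": "drop@example.org",
     "body": "Q3 export:\n5500-0000-0000-0004\n378282246310005\n4012888888881881\n"},
]


def run_demo() -> list:
    """Inspect every sample message and return the incidents raised."""
    return [inc for inc in (inspect_message(m, RULES) for m in SAMPLE_MESSAGES) if inc]


if __name__ == "__main__":
    for inc in run_demo():
        print(f"{inc.action.upper():10} {inc.rule:16} {inc.sender} -> {inc.recipient} {inc.masked_pans}")
```

The first message contains a 16-digit order number and a phone number; the order number matches the regular expression but fails the Luhn check, and the phone number is too short, so nothing fires. The second message carries one valid card number and is only logged; the third carries three and is blocked, with the sender recorded for follow-up. Real products layer exact-data matching against your own customer records, document fingerprints and dictionaries on top of pattern rules like this one, because a Luhn-valid number proves only that a string is well formed, not that it belongs to one of your customers.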
To get an idea of how these products work in general, watch my video here about how Code Green's True DLP solution can be implemented.
David Strom is an international authority on network and Internet technologies based in St. Louis, MO. He has written extensively on these topics for more than 20 years for a wide variety of print publications and Websites, including as editor-in-chief at Network Computing, DigitalLanding.com, and Tom's Hardware.com. You can find him online at Strominator.com and e-mail him email@example.com.