Top

 

No hassle, no obligation
DLP Project Review

Just tell us a bit about your project.

  We'll get back to you within 24 hours, usually the same day

  You'll get up to two hours with our principal consultant to discuss your project

  Let us show you how we can help.

This form does not yet contain any fields.
    CATEGORIES
    TAGS

    DLP.HQ

    This forum, DLP.HQ, is open to all visitors to read, post and comment. 

    Announcing the recent release of DLP.BOX, a free subscription service providing information on DLP, including a  DLP User-Only Forum, the first of its kind.  Alread a member of DLP.BOXLogin or sign up here.

     

    Friday
    Dec232011

    Preventing Data Loss = DLP + ICAP Proxy

    DateFriday, December 23, 2011 at 11:58AM

    Aside from a few new features each year, the core of the Data Loss Prevention marketplace has been pretty well baked for a number of years. That's why it surprises me still to hear new buyers of DLP frustrated to find that they will need to have an ICAP-capable proxy in order to block sensitive data leakage via HTTP (and HTTPS, FTP). This is true of leading DLP vendors Symantec, RSA, McAfee, Websense and Code Green Networks, among many others.

    Some of these vendors have their own proxy solutions, while others rely on one of many available proxy solutions that support ICAP (Internet Content Adaptation Protocol). ICAP, simply put in DLP terms, is a protocol that allows a proxy to communicate with a DLP solution to provide visibility and blocking for HTTP/S and FTP. ICAP is a feature found on many commercial (and even open source) proxy solutions.

    So, why does blocking HTTP require an ICAP-capable proxy? The proxy accepts and holds the request to be inspected by the DLP solution. The proxy uses ICAP to pass the request to the DLP solution for inspection and the DLP solution returns its response via ICAP. If sensitive data is detected per DLP policies, the proxy does not forward the request. If sensitive data is not found, the proxy sends the request along normally. All this happens in milliseconds with no perceivable latency to the end user.

    The proxy also provides two additional and critical features for the DLP solution:

    • Username. The proxy passes the Microsoft Active Directory username to the DLP solution so the incident shows the end user information rather than an IP address. This saves precious time and energy in handling a data breach.
    • HTTPS. Most ICAP proxies have the ability to open SSL-encrypted communications. This allows the DLP solution to not only inspect communication with websites such as Gmail.com, but also facilitates blocking when sensitive data is detected. 

    For companies with an existing proxy in place, adding data loss prevention technologies presents little added concern. But what if your organization is proxy-free? Will you have to pony up budget dollars for a proxy in addition to DLP? Probably so, if you intend to block sensitive data leakage via the web. But, before you get too bothered, consider these points:

    • Companies rarely come out of the DLP gate blocking. It's recommended to run in monitor-only mode for a period of time prior to blocking. This allows you to tune policies for accuracy in anticipation of blocking in the future. What this means is that most companies have a time lag between the monitoring and blocking phases of their DLP project. So, don't stress it if you can't put the DLP and Proxy purchases in the same budget period. The ICAP proxy purchase can still be made down the road.
    • Proxies provide other benefits. Most major proxies now provide full Secure Web Gateway (SWG) protection and provide plenty of benefit outside of DLP. In fact, many companies are considering SWG solutions for their non-DLP capabilities. URL filtering is delivered very competently using a proxy. And given that malicious code is often delivered via the web, it can be a huge benefit to have this additional protection at the gateway, making DLP integration just a nice plus.
    • An ICAP proxy doesn't have to be expensive. A number of open source proxies are available that support ICAP for DLP integrations. If you're not averse to Linux and open source, one of these may meet your requirements. In my experience, however, open source proxy solutions are not as full-featured as their commercial counterparts. This is especially true when considering the full breadth of Secure Web Gateway solution capabilities. You get what you pay for, right?

    Given the need to secure the gateway, for my money it's best to go with an ICAP-capable proxy that supports full SWG capabilities. Below are some of the leading ICAP proxy vendors in the space. Keep in mind that while these vendors support ICAP, the specific implementations may differ, resulting in varying results with different DLP vendors.  

    • Blue Coat. By far the leading proxy/SWG solution on the market. Not only do 85% of FORTUNE Global 500 companies use Blue Coat, the company also provides solutions that scale downward to support very small installations.
    • Cisco IronPort. Cisco's IronPort Web Security Appliance supports ICAP.
    • M86 Security. M86's Secure Web Gateway solution is best known for protecting against malware with its real-time code analysis technology. Company sources say they plan to support ICAP for DLP by Q1 of 2012.
    • McAfee. The McAfee Web Gateway (Webwasher) supports ICAP.
    • Symantec. The newest version of Symantec Web Gateway provides SSL visibility.
    • Websense. While Websense can provide their SWG as a standalone solution, the company promotes TRITON, providing a single intergrated solution for DLP, SWG and email security.  

    Before delving into a data loss prevention project, consider whether you intend to block HTTP/S and FTP. If so (and most companies do), be sure to plan and budget for an ICAP-compatible proxy. By selecting a proxy that provides critical web gateway security, you'll be able to address DLP blocking while also improving network security. 

    AuthorDLPX | CommentPost a Comment |
    tagged , , , , , in , , , , , , , , , , , , , ,
    Monday
    Dec052011

    2011 Gartner Magic Quadrant for Content-Aware Data Loss Prevention

    DateMonday, December 5, 2011 at 11:33AM

    Since "gartner dlp" is one of the leading search terms at DLP Experts, we've decided to provide links to sources for downloading the 2011 Gartner Magic Quadrant for Content-Aware Data Loss Prevention. Please be sure your copy is the most recent given the document was revised to correct some vendor information (for more details see the Gartner Corrections page and the section dated 13 September 2011).

    We've included more than a single source for access to this report. In fact, we've listed each of the Gartner leaders in the 2011 Magic Quadrant for Content-Aware DLP.

    RSA

    Surprisingly, we were unable to find a link from RSA to the Gartner MQ on DLP. We found links to other Gartner Magic Quadrant reports for Web Fraud Detection and SIEM, but nothing but the 2009 and 2010 MQ for DLP.

    McAfee

    McAfee provides a brief introduction to the report highlighting the positive feedback from Gartner, just to get your techno-juices flowing.  This introduction is followed by a download link where the user must register by completing a brief web form with first/last name, company name, job role and email address.

    Websense

    From a Websense press release, a link is provided to a web form requiring first/last name, phone number, email address, number of users, company and country.

    Verdasys

    Verdasys offers access to the Gartner MQ from their Analyst Papers page. From there, either of the two links takes you to a web form which requires first/last name, title, company, phone and email.

    Symantec and CA

    Both Symantec and CA provide the same direct link to the report (no annoying forms to complete). Since this link goes directly to the Gartner reprint of the article, you can be sure that this version is the most recent.

    AuthorDLPX | Comments Off |
    tagged , , in , , , , , , , , , , , ,
    Wednesday
    Jun292011

    Predictions: 2011 Gartner Magic Quadrant for Data Loss Prevention

    DateWednesday, June 29, 2011 at 2:38PM

    Recent trends show an increase in organizations searching for information on the Gartner Magic Quadrant for Data Loss Prevention (DLP).  That tells us it's that time of year again.  Time for Gartner's annual report on Content-Aware Data Loss Prevention, which, according to Gartner's Magic Quadrant and MarketScopes information page has been slated for release Q2 11.  Since Q2 11 has come and gone and we’ve yet to see the released report, I figured I'd make my own predictions on what the good folks at Gartner will have to say about the DLP space for 2011.

    Let's start with the coveted Leaders quadrant which in years past has included quite a varied list of vendors, from Vericept (now Trustwave), Websense, Vontu (now Symantec), RSA, to Reconnex (now McAfee).  2011 is unlikely to bring us any surprises among the current leaders of McAfee, RSA, Symantec and Websense.  While Symantec still boasts the most advanced feature-set of any vendor, all of the leaders maintain the basic feature-sets required to keep them in leadership contention.

    CA DLP

    CA has just recently added some critical DLP fingerpriting functionality features to bring them in line with many of the leaders and visionaries. CA is desperately trying to redirect buyer focus to identity and access management combined with DLP in an effort to provide a unique feature set on which to compete and use for their own customer base. Otherwise, CA has a very average DLP offering.  

    CA Strengths

    •  Big company name.  (Some might consider that a weakness for CA.)

    CA Weaknesses

    • Cannot compare feature for feature with other big-name DLP vendors.

    Code Green Networks

    Code Green's approach stands apart from most of the Leaders, with a simplified, appliance-based architecture that streamlines deployment and reduces the management overhead associated with traditional, multi-server DLP architectures.

    Code Green Networks Strengths

    • Single appliance architecture.
    • Ease of use in deployment, configuration and management.

    Code Green Networks Weaknesses

    • Limited brand awareness.
    • Appliance cost represents a disproportionately high cost in deployments of 250-1000 users.

    Fidelis Security Systems

    Fidelis has had a DLP identity crisis from day one, calling itself not DLP, but Extrusion Prevention. Not one to be led, Fidelis' founder has bucked the system at every turn. While I like that style, the company's insistence on a network-only approach has excluded them from every major commercial opportunity. Instead the company's focus is APT Protection, which tends to resonate more loudly with federal gov't than does DLP. In speaking with a marketer at Fidelis last year, we were told that DLP is "just one of our use cases," and that they are a network security tool. That's a shame, because they have some interesting DLP technology that will rarely get used as such.

    Fidelis Security Systems Strengths

    • Multi-Gbps throughput appliance.
    • In-line blocking capability.

    Fidelis Security Systems Weaknesses

    • Lack of commercial focus (for us fans of commercial business).
    • No in-house endpoint solution. Instead, weak marketing partnerships with Verdasys, Safend and other now-defunct endpoint DLP players.

    McAfee DLP

    McAfee is likely to remain one of four vendors in the Leaders quadrant, although recognized by many as a laggart behind Symantec, RSA and Websense.  McAfee DLP provides a multi-appliance solution that is managed through the company's widely-used ePolicy Orchestrator. 

    McAfee DLP Strengths

    • Big company name.
    • Unique network monitoring approach allows for monitoring and categorizing *all* network traffic rather than just policy violations.

    McAfee DLP Weaknesses

    • Multi-appliance approach can be complex and requires separate appliances for network monitor, prevent, discovery and management.
    • Many customers report difficulty in deploying and configuring the solution.

    Palisade Systems

    Despite Palisade Systems' deep DLP roots, the company has struggled to find success. One of very few remaining DLP independent software vendors, Palisade has run through three top executives in as many years. Until very recently, the company claimed a network-only focus and only this year have they released an endpoint component to complement their DLP suite. The appliance-based solution provides web filtering, among other non-DLP features. 

    Palisade Systems Strengths

    • Unique non-DLP feature set desirable for small business or education.
    • Aggressive pricing structure.

    Palisade Systems Weaknesses

    • DLP road map and development resources lag behind many DLP leaders.
    • Company's viability is in question.

    RSA

    RSA is one of the four current Leaders and we predict they will remain. RSA is one of few vendors to leverage their technology through high-profile licensing agreements with Microsoft and Cisco. RSA is one of the most widely-considered solutions among DLP projects. While RSA has made attempts to simplify DLP architecure by leveraging multiple virtual machines on a single server, many customers still complain of deployment complexities. 

    RSA Strengths

    • Big name player.
    • OEM licensing agreements position RSA among non-DLP projects (DRM, email security, etc.).

    RSA Weaknesses

    • Architectural complexity.
    • Many customers report problems in deploying and configuring the solution.

    Symantec DLP

    Symantec has enjoyed its well-deserved position of leadership since the inception of the Gartner Magic Quadrant for the space in 2006 (then known as "Content Monitoring and Filtering").  Symantec's acquisition of Vontu, the leading DLP vendor in the space, positioned Symantec squarely in the leaders quadrant from day one.  Vontu was already well into the development of its own endpoint agent, making it one of the first to recognize and execute on this need.  Since that time, Symantec has taken a leadership role in shaping the DLP space with its innovative features to address the growing market requirements.  

    Symantec DLP Strengths

    • Big name player and market leader.
    • Most feature-rich DLP offering.

    Symantec DLP Weaknesses

    • Multi-server architectural complexity.
    • High cost.

    Trend Micro

    Trend Micro's DLP reach is limited largely to small endpoint deployments. We have never come across an organization giving them serious consideration. They are currently squarely positioned in the niche player quadrant and we could see them slipping further down and to the far left since their DLP vision is very limited.

    Trend Micro Strengths

    • Convenient for current Trend customers looking to check the DLP box.

    Trend Micro Weaknesses

    • Very weak DLP feature set.

    Trustwave

    Trustwave made the most recent acquistion in the DLP space, gobbling up Vericept, one of the early DLP leaders. Along with the DLP acquisition, Trustwave has acquired a number of other under-acheiving technologies. Since that time, however Trustwave has apparently done little to improve the DLP offering and have actually stopped marketing their endpoint DLP agent.  We predict Trustwave will be one of few vendors that actually slip in 2011 from its former position of challenger to niche player. 

    Trustwave Strengths

    • Trustwave provides a full suite of security services and DLP may be an easy add-on for current Trustwave customers.

    Trustwave Weaknesses

    • Functionality has regressed with loss of endpoint.
    • Trustwave may not be able to reach beyond their limited customer base and expand their DLP marketshare.

    Verdasys

    Verdasys was an early entry to DLP and one of few who started with an endpoint focus. Unlike other vendors who have branched out to include all three DLP components (network, endpoint, discovery), Verdasys has not and remains largely endpoint focused. Verdasys maintains marketing partnerships with IBM and a technology partnership with Fidelis, though we don't know how beneficial either of those is.  

    Verdasys Strengths

    • Leading endpoint-only DLP solution.

    Verdasys Weaknesses

    • Limited true DLP capabilities.
    • Very expensive endpoint-only solution.

    Websense

    As a DLP Leader, Websense has done a good job marketing its single solution for web security, email security and DLP under the TRITON moniker. The concept appeals to many buyers of DLP, especially current Websense filtering or secure web gateway customers looking to add DLP. Unlike some of the other appliance DLP vendors, the Websense platform uses virtual machines to pull everything into a single appliance/server.  

    Websense Strengths

    • Single vendor solution for web security, email security and DLP.

    Websense Weaknesses

    • Subscription pricing can become more expensive than traditional perpetual license after a few years – and the subscription remains indefinitely.
    • Under the TRITON solution, sharing of server resources for web and email security can have a negative impact on resources needed for critical DLP function.
    AuthorDLPX | CommentPost a Comment |
    tagged , , in , , , , , , , , , , , , , , ,
    Wednesday
    Jun082011

    New Urgency in DLP Leads to Rush to DLP Silver Bullet?

    DateWednesday, June 8, 2011 at 9:48PM

    A new article from banktech.com says that companies in the financial services industry "are finding that data loss prevention is taking on a new urgency."  With the daily laundry list of new data breaches and the never-ending media coverage, it's no wonder financial services companies--and those in many other industries--are taking note. At DLP Experts we have seen this same level of urgency with many security professionals being ordered from the top to address the problem.  Quickly.

    I'm a proponent of DLP technologies.  Some have even called me a DLP bigot.  However, I don't believe that the answers lie just in DLP technologies.  DLP technologies are, after all, only tools to enforce the data protection policies that should already exist in every organization. 

    At the risk of sounding like a broken record, it's critical for every organization to recognize that data protection is a process and that DLP technologies are one step in that process--step four, to be exact.  To deploy DLP without having completed steps one, two and three, will leave an organization vulnerable to situations that DLP technologies cannot address.

    So, with this newly-found sense of urgency to protect data, my fear is that companies will run straight to the nearest Office Depot, pull a can of extra-strength DLP off the shelf, come back to the office, pop the top and... let the sun shine in on data protection nirvana!  Sorry folks.  I was being facetious; that isn't going happen.  

    First, DLP is not a silver bullet and can actually provide a false sense of security.  This false sense of security is what gets companies into trouble.

    So, before you reach up for that can of extra-strength DLP, think about steps one, two and three (and all that goes with them):

    1. Do I know exactly what data I need to protect?  Where it resides?  Who owns it?  Who touches it and why?  Do I have the input of all data owners in the company?  If you don't know what you're trying to protect, you'll have a heck of time protecting it.
    2. Do I have policies in place that explain what we need to protect and why we need to protect it?  If so, are they updated to reflect our current data and environment?  If not, you'd better get cracking and develop those policies.  Steps one and two will drive how you eventually implement DLP enforcement technologies.
    3. Do your employees know how to protect sensitive data?  Do they know what constitutes sensitive data and why it needs to be protected?  Have they been given detailed data protection policy and sensitive data awareness training? Have they signed on the dotted line acknowledging that they could lose their job for not complying with these policies?  Are they counseled when they do something stupid that puts sensitive data at risk?

    These three steps are critical, yet the tendency is to rush out for a does of DLP.  Don't let the urgency of the situation cause you to forget the first critical steps!

     

    AuthorDLPX | CommentPost a Comment |
    Monday
    Jan172011

    DLP Product Guide for RSA Conference Expo 2011

    DateMonday, January 17, 2011 at 8:16AM

    With Gartner estimating the Data Loss Prevention (DLP) market to reach $400 million in 2011[1] and with adoption of DLP technologies moving quickly down to the small to medium enterprise, DLP is no longer an unknown quantity.  In spite of this progress, DLP remains a market shrouded by confusion over everything from the definition of DLP to the right way to address the problem--whether that's at the endpoint or the gateway.  Many vendors show they're suffering from a severe identity crisis as they try to wedge their way into the DLP space by blunt force marketing.

    The RSA Conference Expo (Expo) is not immune to this confusion; in fact, in some respects the Expo may add as much confusion to the mix as it resolves.  By way of example, an organization recently contacted me to seek guidance on DLP vendors at the Expo.  This particular organization has an active DLP initiative and has committed the financial and personnel resources to send a delegation to the RSA Conference to research potential vendors.  However, when my contact used the Security Keyword Search feature for the search term “data loss prevention,” he was presented a list of no less than 37 vendors at the Expo who have chosen to associate themselves with the term[2]

    Upon further research, of those 37 vendors, the vast majority have very little or nothing to do with DLP, effectively nullifying the benefit of being able to narrow your DLP search at the Expo.

    This is not an indictment of these vendors or the RSA Conference as a whole.  Most well-meaning vendor marketing departments want to align themselves with many security keyword listings in order to drive as much traffic as possible to their site.  It’s an unfortunate byproduct of the Expo.

    The DLP Product Guide for RSA Conference Expo 2011 is an effort to help potential buyers of DLP enforcement technologies.  The guide will list all 37 vendors with the designation of “data loss prevention,” however, it will also provide key details that should prove helpful in maximizing Expo time.

    Download the DLP Product Guide for RSA Conference Expo 2011.

    [1] Gartner Magic Quadrant for Content-Aware Data Loss Prevention, June 2, 2010

    [2] http://www.mapyourshow.com/shows/index.cfm?show_id=RSA11 - security keyword “data loss prevention”

    AuthorDLPX | CommentPost a Comment |
    tagged , , in , , , , , ,
    Monday
    Sep062010

    DLP Myth #6: The "perfect" DLP solution exists

    DateMonday, September 6, 2010 at 7:09PM

    Again, I'll take some heat from a number of vendors because of this post, but it's something I've said before and DLP buyers need to be aware of it.  In the past, I've spoken of the "perfect" DLP solution, but it's unfair of me to use that word.  So, I'll retract the word "perfect" and simply say there is no DLP technology that addresses all of what I consider to be key requirements of DLP.  But if there were a perfect DLP product, it would meet all of the following:  

    1. Provided by a stable and viable company.  It's critical for a DLP buyer to be confident of a vendor's ability to support their product in the long term.  DLP costs are generally too high to make a switch a year or two into it.  I'll admit that this is much less a concern today than it was a year or two ago as most of the major indepedent DLP vendors are now part of much larger organizations, the latest is Vericept being acquired by Trustwave (when Vericept was really on the ropes).  However, there are still two independent DLP vendors listed in the 2010 Gartner Magic Quadrant that haven't seemed to be able to generate any acquisition interest and that I don't see often enough in the marketplace to believe they have the revenue to be self-sustaining.  I won't mention their names in this post, but it's not Fidelis or Code Green. 
    2. Includes coverage for all three main DLP components:  gateway (data-in-motion), endpoint (data-in-use) and discovery (data-at-rest).  There are some great DLP core technologies out there, but unless these are combined with all three DLP components through a single web interface, I wouldn't recommend them.  This puts vendors like Palisade, Fidelis (both gateway) and Verdasys (endpoint) at a real disadvantage.  All the technology partnerships in the world--Fidelis + Safend, Verdasys + Fidelis (explain that one to me)--just won't cut it.
    3. Provides a single web-based user interface to manage all three components, including data registration, policies, reporting and administration.  As mentioned above, this is a critical component which can't be overstated.  I've never had a client who has been accepting of registering data, creating policy, running reports and managing the solution through two or more interfaces.  When we talk about duplication of efforts, this is it!
    4. Includes prevention capabilities across all protocols, not just select protocols of Web, FTP and email.  I believe this to be the single largest deficiency of the major DLP products.  It's a tough one; the marketplace largely has come to accept that the only protocols you can actually block are SMTP, FTP, HTTP, HTTP (and some IM).  Take note, however, there are a couple of products in the marketplace that have the ability to block any/all protocols, including some widely-used ones like P2P and IM or even unknown TCP.  Both Fidelis and GTB make this claim and if either vendor did not suffer from other deficiencies on this list, I might be able to back them.
    5. Provides a combination of data registration and content analysis techniques that are accurate and effective.  While most of the majors provide these data detection techniques, there are a few who are still working on one or the other.  In order to be fully effective, a DLP solution must provide a combination of these detection techniques.  And watch out for the "channel DLP" and "add-on DLP" vendors.  Many of them are limited in their detection capabilities. 
    6. Has a simple architecture which does not require a server/appliance for each component (monitor, prevention, manager, etc.).  Again, this is an area where the marketplace has come to accept the fact that DLP is just complex.  But it doesn't have to be.  Among full-suite vendors (gateway, endpoint, discovery) who have taken a simplified architectural approach are Code Green and GTB (both single appliance approaches).  Even the more traditional DLP solutions (read: complex) like Symantec and RSA are looking for ways to simplify their architectures in leveraging virtual machines.  Be careful with the VM approach, however.  Remember that these multiple components (monitor, email prevention, web/FTP prevention, endpoint, discover, etc.), even as virtual instances still act as standalone servers and must communicate/integrate with each other.  They may reduce the number of devices on your network, but may not really simplify the complete package.
    7. Does not utilize expensive modular pricing approach for each component (monitor, email prevention, web/FTP prevention, endpoint, discover, etc.).  DLP has proven to be an expensive technology, especially among the elite solutions.  However, there are effective and reputable solutions that do charge buyers for each individual component.  These solutions provide a simplified licensing approach that also happens to provide greater cost savings.

    So, these are my big seven requirements.  To date, no one company meets them all.  There may be two vendors who could rise to meet them, either by becoming more financially viable (acquisition?) or by simply putting some effort into developing the one component they may be lacking. 

    In fact, I'm surprised by a couple of vendors who fought the marketplace at a critical juncture and stubbornly held to a gateway-only or endpoint-only approach.  I remember conversations at RSA 2008 with the VP sales at one endpoint vendor and the Founder/CEO at a gateway vendor where I was told emphatically, "We will not build a gateway component; everything can be done through the endpoint," and "We will not build an endpoint; everything can be done throught the gateway," respectively.  As much as I understand (and appreciate) the desire to believe in your product and direction, if one of these vendors had given in and built the missing component a few years back, they might be sitting in the catbird seat today, in the far upper-right of the Gartner MQ enjoying a revenue-leader position.  Then again, maybe not.

    AuthorDLPX | CommentPost a Comment |
    tagged , , , , , , , in , , , , , , , , , , , , ,
    Friday
    Sep032010

    Employees Are More Apt to Take Company Data than a Stapler

    DateFriday, September 3, 2010 at 8:45AM

    The title of this post is taken from the headline of a press release from SailPoint as reported in NetworkWorld.  While it is a great headline, more importantly it should tell us that no organization's data is safe, especially for those laying off employees. 

    For me the takeaway from SailPoint's survey is that companies should not trust their employees, especially when layoffs are on the horizon.  I have spoken to many companies in the past three years who have laid off workers.  Some have implemented some strategy to protect that data (technology or otherwise), but most have proceeded with the layoffs without any method for ensuring the safety of their sensitive data. 

    In the SailPoint survey, they found that 29% of US workers admitted they would take customer data.  This is consistent with my recent personal experience.  A banking customer confessed to me that many of the home lending staff they had laid off apparently took the bank's customer list to use as a sales prospecting list--presumably along with personally identifiable information (PII).  One trucking company that contacted me for data loss prevention was concerned that their competitors would somehow gain access to their customer contacts (read:  "from their former employees"). 

    The problem could be exacerbated by a bad economy and the personal impact on individual finances.  While the survey did indicate that 45% of the US respondents claimed this tendency to steal from an employer was not influenced by the recession, there were slightly less than .5% of US respondents who said they would try to sell confidential data.  Using these stats, one out of every 200 employees, would try to sell your confidential data.  All it takes is one to end up like TJX.

    This is not the first survey of its kind with similar findings.  For me, this confirms what I've felt for years:  that data loss prevention technologies will eventually become part of every network security plan.

    AuthorDLPX | CommentPost a Comment |
    tagged , , , , , , in ,
    Thursday
    Sep022010

    DLP Myth #5: DLD is the same thing as DLP

    DateThursday, September 2, 2010 at 8:58PM

    It may surprise you to find that many DLP enforcement technology implementations are not even DLP--they're DLD, data loss detection.  Too many companies forget that the "P" stands for prevention.  Blocking.  Frankly, it's not really the end user's fault, rather the responsibility of the vendors.  There are a couple critical elements at play in this discussion:

    • Inaccuracy often is the cause for failing to enable blocking.  If a vendor's DLP technology does not prove accurate, to turn on blocking is far too risky for the end user.  This will impede normal business process.  Unfortunately, a DLP vendor is only as good as their capacity for accurate detection.  Keep in mind that not all DLP detection is create equal.  (We'll discuss this topic in a later post).
    • Most DLP enforcement technologies are limited in what they can block:  SMTP, FTP, HTTP, HTTPS and other proxiable protocols.  This is true of the biggest names in DLP and is not something that's commonly known among buyers of DLP technologies.  Since this is the case among most vendors,  analysts accept it as a limitation of DLP, and since the analysts help shape the expectations of the marketplace, most buyers accept the limitation (once they finally know about it).  The limitation lies in the core technologies of these vendors which depend on proxy devices to do the dirty work of blocking.  There are two vendors I'm aware of that have the ability to block all protocols and not just proxiable ones:  Fidelis Security Systems and GTB Technologies.  However, in my opinion, each have their own deficiencies in other areas that may cancel out the blocking benefit.  There is no perfect DLP enforcement technology (and we'll discuss this in a later post also).

    The bottom line is, as much as you may like to, you'll likely not be able to block everything that needs to be.  However, if you choose a vendor with the right detection capabilities, it will go a long way toward being able to flip the switch to turn your data loss detection into true data loss prevention!

    AuthorDLPX | CommentPost a Comment |
    tagged , , , , in , , , , , ,
    Wednesday
    Sep012010

    DLP Myth #4: DLP is Expensive

    DateWednesday, September 1, 2010 at 8:41AM

    The topic of Data Loss Prevention enforcement technology expense is a difficult one to address.  DLP technologies have long been considered very expensive and in fact, many still are.  But the idea of DLP technologies can be sliced and mixed and mashed in so many ways, it is possible to purchase DLP enforcement technologies without breaking the bank.  And considering the amount of risk mitigation that comes with effective DLP strategies, I believe the cost to be well worth it.

    I've outlined below a number of key points related to DLP expense, any of which may apply directly to your organization.

    Some Vendors Just Cost More

    As in any marketplace, there are expensive vendors and their are cheap vendors.  DLP technologies are no different.  You have your high-cost leaders who may set the standard in complete coverage and expansive feature lists, targeting the large enterprise and your low-cost vendors who may only cover basic features and target small companies.  Even among the leaders in the space who provide very comparable levels of coverage, there can be drastic cost differences.  Want to save some money?  Do your homework and don't fall into the trap of thinking all vendor costs are the same.  They are not.

    Retail Price vs. Street Price

    Even after you get the list price quotes from DLP vendors, keep in mind there is always a retail price and a street price.  DLP street price can get surpisingly competitive with a couple vendors in the mix.  To get the best price, don't hone in on a single vendor, even if you're convinced they're the only one that can meet your unique requirements.  Keep a couple of vendors involved, preferably a mix of leaders and challengers and play your cards close to your vest.  Only reveal just enough to keep your preferred vendor on their toes and ready to negotiate. 

    Differing DLP Cost Models

    Data loss prevention is one of those newer spaces where vendors and buyers are still trying to figure out the best way to charge for DLP.  There are two basic cost models:  perpetual and term (subscription).  The marketplace has not completely moved to one or the other and in fact, many vendors can provide either/or. The differences in price can be very significant, both in the first year and also looking out over a number of years.  Perpetual license models require a front-loaded payment on all license and support fees, plus any hardware, with a percentage paid annually for maintenance and support (usually around 15%-25%).  In this case you "own" the right to use the product perpetually, assuming you pay the required annual support fees.  Term models (aka annually-renewable subscription) are typcially less initial cost and often look really good when compared with the first-year cost of a perpetual license.  This cost savings may be short-lived, however; annual renewals can really add up!  In the end, it's important to consider what the total costs will be over the course of multiple years.

    Phased Implementation

    Another way to approach DLP to keep costs down is to implement the solution in a phased approach.  This may mean starting with network coverage and then adding other coverage in the coming months.  This can cut initial costs by as much as a third, but some vendors provide discounts if the complete suite is purchased up front.  For many companies, this approach makes good sense and allows them to roll out the DLP enforcement at their own pace.

    One word of caution with a phased approach.  Depending on the product, many vendors have architectures that require you add additional appliances or servers as you roll out new components.  A few vendors have architectures that combine the full suite into a single appliance, so adding a service is as simple as flipping a switch in the UI.

    Channel DLP

    There's some buzz around "channel DLP," which are DLP products that provide limited coverage, say for monitoring email only.  These channel DLP products can be an inexpensive way to "break in" to data protection, but are considered by many to be "good enough" approaches that may not address a company's long term DLP needs.  Popular channel DLP products include:

    • Endpoint (content-aware)
    • Device Control
    • Email
    • Network

    Be sure to note that while channel DLP can address short-term needs in one particular area (say email), adding to your DLP enforcement technologies may require you to ditch that channel DLP product for one that provides the all-critical single user interface.  Managing multiple DLP products, incidents, rules, etc., means multiple interfaces which can easily double or triple management times.

    Hardware vs. Software

    Finally, when it comes to DLP technologies being expensive, be sure you understand all the costs involved.  An appliance-based solution typically includes the appliance in the cost quote, while many leading software solutions require multiple servers be purchased along with operating systems, databases, etc., and are not included in the costs.

    AuthorDLPX | CommentPost a Comment |
    tagged , , , , , , in ,
    Wednesday
    Sep012010

    New DLP Experts White Paper: "The Evolution of Data Loss Prevention: Reducing Complexity"

    DateWednesday, September 1, 2010 at 7:41AM

    DLP Experts has released a new white paper addressing the issue of architectural complexity--and the movement among some vendors to simplify DLP enforcement technologies.  The white paper is entitled, The Evolution of Data Loss Prevention:  Reducing Complexity, and can be accessed from the links below.

    Summary

    The evolution of DLP technologies has come full circle from simple, low-value data loss detection to highly-complex, multi-server architectures and finally evolving to multi-function appliances within a unified DLP architecture that provide comprehensive data loss prevention.

    Leveraging a simplified, unified architecture, prospective buyers can integrate all necessary DLP components into a single, hardened multi-function appliance, thereby reducing complexity and cost of the overall solution.

    The white paper can be requested directly from DLP Experts or downloaded from WebBuyersGuide (user account required).

    AuthorDLPX | CommentPost a Comment |
    Tuesday
    Aug312010

    DLP Myth #3: You can "buy" DLP

    DateTuesday, August 31, 2010 at 7:27PM

    Many organizations considering data loss prevention focus on technology to address the need.  While you can "buy" DLP enforcement technologies, data loss prevention is more than a product.  Data loss prevention is a process and one step in that process is the purchase and deployment of technologies to enforce an organization's data protection strategy.

    Some people think I'm splitting hairs with this thinking, however, after having seen dozens of good and bad DLP strategies, I'm convinced my argument is sound.

    Since DLP is a process it's important not to get caught up only in the technology side.  For many companies, this is a real tendency because many DLP projects are handed off to IT to deal with as an IT problem.  The reality is that data loss prevention is a risk management and compliance problem that happens to utilize technology as a major method of policy enforcement.  

    Because it's a process, it's important to complete each step.  Like the proverbial three-legged stool, to leave out one step can lead to serious negative consequences.

    At DLP Experts, we promote a five step process to our customers for a successful data loss prevention initiative:

    1. Assess.  Assess current situation, identifying critical data and major concerns. –What data should be protected? –Where is the data located? –Who should have access to this data? –What are the major data leakage points?
    2. Create.  Create a comprehensive data protection plan and written data protection policy. –Use the data from the assessment as a guide. –Prioritize your critical data and start with a policy to protect that first, building to other key data. –Your data protection plan is dynamic and you can always update it in the coming months.
    3. Promote.  Promote the data protection plan and policy among all employees, contractors and vendors.  –This is the single most important step in protecting critical data. Most data breaches are unintentional, so getting staff to be vigilant is key. –Get signed acknowledgement from employees that they understand the policy—and the consequences for failing to follow it! –Consider formal training.
    4. Enforce.  Implement technologies to enforce the data protection plan and policy.  –Consider all existing technologies in your network. You likely have some elements of DLP in your arsenal:  encryption and email content filtering are fairly common. Make use of them. –Configure enforcement technologies to best mirror your new policies. 
    5. Maintain.  Maintain and update plans and policies based on changing business needs. –Monitor enforcement technology reports. –Conduct regular extrusion testing. –Provide annual data protection training.

    The next time someone in your organization says, "We need to buy DLP," make sure they read this! ;)

    AuthorDLPX | CommentPost a Comment |
    tagged , , in , ,
    Monday
    Aug302010

    DLP Myth #2: DLP is Architecturally Complex

    DateMonday, August 30, 2010 at 3:02PM

    A common misconception is that DLP must always be archtiecturally complex.  This myth has roots in reality; traditional DLP techonologies have been architecturally complex.  However, as DLP technologies evolve, there is a move toward greater archtitectural simplicity.

    To understand how we go to the architectural complexity, consider the origins of data loss prevention:  built for the world's largest enterprises and with an immature roadmap that was a moving target in early years.  Original DLP technologies were really DLD, data loss detection.  They were designed first as passive network monitors looking for patterns matching simple expressions such as for social security and credit card numbers, but there was no blocking involved.  As companies saw data leaving the organization, it didn't take long for the next requirement to come to light:  blocking.  Then came discovery, endpoint and so on. 

    Most early vendors employed a modular, multi-server architecture, which is typical among the .  This gave them the ability to develop one server component at a time as market demand required, rather than bring everything together under a single server.  The results were shortened development times.  Plus, it allowed early adopters to get their feet wet with the new technology, one component at a time. 

    A key side benefit of the modular approach was that it spread the load among many servers, keeping the network monitor free for the all-critical task of identifying sensitive information.  It was an unspoken concern that an overloaded network monitor could "slip," allowing sensitive data to get by without being seen.  This was an especially important concern to address among the early adopting large enterprise, who have a tendency to run at bandwidths that can overload packet filters.

    This evolution resulted in DLP architectures that require many servers:  management server, network monitor, database server, email blocking server, web blocking server, discovery server, endpoint management, etc.  Couple this mult-server approach with separate integrations for mail transfer agents, ICAP proxies, databases, active directory, etc., and you end up with a very complex architecture.

    Contrast this traditional DLP architecture with the concept of a single appliance that combines everything required for a complete DLP suite:  network monitor, management interface, incident database, web and email blocking, discovery and endpoint management.  This is the approach of a couple of DLP vendors.  And even the traditional DLP vendors normally requiring 4-5 servers are reconizing the need to simplify with single appliances running 2-3 DLP components as virtual machines.

    DLP does not have to be architecturally complex.  Some vendors have developed simple architectures combining components in single appliance, while others are leveraging virtual machines to make their architectures more steamlined and easy to deploy.

    AuthorDLPX | CommentPost a Comment |
    tagged , , in , , , , ,
    Thursday
    Aug262010

    DLP Myth #1: You can get DLP as an add-on to an existing solution.

    DateThursday, August 26, 2010 at 8:10AM

    I read a blog post today from Midwest IT Professional entitled Myths of Data Loss Prevention (DLP).  The post didn't really address the kind of thing I consider to be myths about DLP, but it did get my thought process going.  So, over the coming days, I'll present a series of myths related to Data Loss Prevention.

    The first myth I'd like to address came in the form of a firewall/UTM vendor announcement about the growing demand for DLP.  The quote that accompanied the press release stated:  "Today, customers can have both state of the art multifunction firewall protection and unbeatable Web, messaging and DLP security that is affordable, powerful, highly reliable and easy to use."  

    From this, I pull myth number one:  You can get effective DLP as an add-on to your firewall, web or email security solution.  While some rudimentary data loss prevention functionality can be added to most any network security device, its effectiveness may often do more harm than good.  

    Most add-on DLP functionality comes in the form of scanning network traffic (web, email, other) and looking for simple regular expression pattern matches for social security numbers, credit card numbers, etc.  This content monitoring capability has been around for many, many years, however in my experience it has been ineffective and in many cases counterproductive.  

    I had one client, for example, who tried to use their leading email security solution to identify and block incidents of sensitive data leakage using regular expression patterns.  They went this route initially to avoid having to buy a purpose-built DLP technology--trying to save some money in this tough economy.  What they found was that the rudimentary content monitoring and filtering technologies did a poor job of identifying *true* incidents of data leakage.  They ended up with more incidents each day than they could keep up with and since the vast majority of the incidents were false positives, they stopped looking at them altogether.  I won't go into detail about why this just doesn't work.  Just give it a try with your own email security solution and see the results for yourself.  

    In addition to the fact that regex patterns alone are ineffective, consider the fact that in most cases, an SSN alone does not constitute a data breach.  Most regulatory or legal mandates state an SSN when accompanied by other data points that together make an individual "personally identifiable" (hence the term PII--personally identifiable information).  True DLP technologies have the ability to do much more than just pattern matching.  In fact, a key feature of most every major DLP technology includes the ability to do "exact matching" of specific individual data fields.  This means that a rule can be established that when an SSN combined with other data fields *from the same database record* are seen in a single communication, this will trigger an incident.  So if it's my SSN along with the name Steve Smith (not my name), that won't trigger.  However, if it's my SSN along with my name, it will trigger.  This exact matching capability is critical to effective data loss prevention and adding "DLP" to your basic firewall, web or email security device just may do more harm than good.

    Other data loss prevention (DLP) myths to follow! 

    AuthorDLPX | CommentPost a Comment |
    tagged , , , , in , , , , , , ,
    Tuesday
    Jul062010

    Data Loss Prevention (DLP) Interest Increasing

    DateTuesday, July 6, 2010 at 4:57PM

    I've been hearing about how data loss prevention (DLP) would someday explode on the security scene since I first heard a security analyst claim that 2007 would be the "year of DLP."  Then I heard the same analyst claim that 2008 would be the "year of DLP."  The economy single-handedly proved that wasn't going to happen.  Even then, I heard a number of people (admittedly mostly positive-thinking vendors) claim that 2009 would be the "year of DLP."  Now, when it didn't happen in 2009, I didn't hear anyone make the claim that 2010 would be that blessed year, when DLP would finally–FINALLY–hit its stride and explode.  But that may be just what's happening.

    I think I can safely say that interest in data loss prevention (DLP) appears to be on the rise, even if the indicators aren't very scientific.  Many DLP vendors are quietly reporting significant DLP enforcement technology revenue increases in the first half of 2010 over the same period in 2009.  From personal experience at DLP Experts, I can safely say that interest has turned from a passive and tentative DLP tire-kicking to active research for deployment in 2010 or 2011.  Many organizations that first discussed with me the topic of DLP a number of years ago have just now begun to make DLP active, budgeted projects.

    So, to hear that the Data Loss Prevention session at the recent Gartner Security Summit was "bigger than ever" is really no surprise.  For those of us (vendors, VARs, integrators, etc.) who have committed ourselves, companies and resources to DLP, I say it's about time.

    AuthorDLPX | CommentPost a Comment |
    tagged , , in , , ,
    Monday
    Jul052010

    Yet Another DLP Player

    DateMonday, July 5, 2010 at 11:59AM

    For a number of years, Lumension has skirted the DLP space with its device control capabilities.  In fact, it's been a number of years since the company first started touting the "DLP" capabilities of its device control product (SecureWave acquisition). 

    Well, now Lumension is ready to really move into DLP with the recent announcement of a relationship with RSA's DLP solution.  Lumension will license the RSA DLP SDK in order to bring these DLP features to its solution.  This move is not surprising as many of Lumension endpoint control competitors have already signed on to increase true DLP functionality. 

    It does make me wonder how the face of DLP may change in coming years.  With so many endpoint solutions adding real DLP features, will they be able to significantly compete and win marketshare from the DLP suites that include network and discovery?

    AuthorDLPX | CommentPost a Comment |
    tagged , , in , , , ,
    Wednesday
    Jun302010

    Single Channel DLP "Excluded" from Gartner DLP MQ?

    DateWednesday, June 30, 2010 at 4:05PM

    There is some chatter in and out of DLP circles about "single channel DLP" solutions.  The question is, should these solutions be included in that exclusive fraternity of solutions known as DLP or should the definition of DLP be altered to allow their inclusion? 

    By way of definition, single channel DLP would be solutions that do not address the generally-accepted DLP requirements of network, endpoint and discovery (aka data in motion, in use and at rest).  Specifically, there have been some mentions of single channel DLP in the following articles/posts on the Internet:

    Network World article by Ellen Messmer in which "Single Channel DLP" is mentioned

    and

    LinkedIn Data Loss Prevention (DLP) Forum post

    In the Network World article, the term single channel DLP is attributed to Gartner and described as "a second track for DLP...which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used." Eric Ouellet is quoted as saying, "What we've learned over five or six years is that organizations overall seem to be buying more DLP than they need for the real-world case.  Routinely, they do not deploy all of the components within the two- to three-year timeframe."

    My interpretation of Ouellet's comments combined with the reference to single-channel DLP, is that such a solution may be suitable for some companies, given the fact that some organizations do not deploy all channels (network, endpoint and discovery) during the course of a two- to three-year deployment.

    The LinkedIn DLP Forum post includes a comment from Joshua Block, vp bizdev at Safend, lamenting the fact that to use a definition of DLP as solutions that cover *all* channels (unfairly?) excludes "a large number of vendors."  Single channel DLP vendors were, in fact, left out of the recently-released 2010 Gartner Magic Quadrant for Content-Aware DLP.  One requirement for inclusion in this MQ is that solutions be able to "detect sensitive content in any combination of network traffic, data at rest or endpoint operations."  The simple fact is that single channel DLP solutions do not provide this functionality.

    Joshua goes on to say that many single-channel DLP solutions partner and/or OEM in order to provide complete coverage of network, endpoint and discovery. I say vendors who partner or OEM in order to provide complete DLP channel coverage should be included in future DLP comparisons, however, these vendors will need to keep in mind, they'll be going up against solutions with full integration between all channels.  Sometimes no showing at all in an analyst review is better than a poor showing.

    AuthorDLPX | CommentPost a Comment |
    tagged , , in , , ,
    Thursday
    Jun242010

    Gartner Data Loss Prevention (DLP) Magic Quadrant - SMB DLP?

    DateThursday, June 24, 2010 at 9:47AM

    I was waiting to digest the recent DLP MQ before I posted my thoughts and comments, but just read the Network World article reporting on Gartner analyst Eric Ouellet's presentation at the Gartner Security & Risk Management Summit this week.  (My full response to the new MQ will be forthcoming.)  There was one section that promoted Gartner's "dividing line" between enterprise and SMB DLP solutions.  Below is my post on the subject:

    No one will contest the fact that Gartner's data loss prevention leaders (Symantec, RSA, et al) were designed architecturally to support the world's largest enterprise environments. However, I think it's inaccurate to pigeonhole all remaining vendors as suitable only for SMB. Especially considering the fact that some of these remaining vendors have created proven DLP architectures that scale more easily and cleanly than others.

    I have experience working with some of the vendors referred to in this report (and the Gartner MQ) as good fits "...for SMBs mainly concerned with a basic compliance need..." While I agree that a couple of them are best-suited to smaller environments, I disagree with the inference that the others are SMB-only solutions. I know two of these vendors have customers with tens of thousands of users--hardly SMB--and one of the others supports multi-gigabit speed networks.

    Gartner lists Websense among vendors "suitable for large enterprises" while also listing them as a "good fit for SMBs" in the same sentence. I have to believe that's a simple mistake. But, just in case it wasn't a mistake and we want to confuse the issue further, this report leaves out the Gartner DLP MQ comment that shows Code Green as much more than an SMB solution: "It is very easy to deploy and use for up to 50,000 users, making the overall offering attractive to price-sensitive enterprise buyers."

    I have a couple take-aways from this exercise: be sure to do your DLP homework and consider the idea that some vendors may actually be well-suited for and scale from the SMB to the large enterprise.

    AuthorDLPX | CommentPost a Comment |
    tagged , in , , , , , , ,
    Tuesday
    Jun222010

    Blue Coat Enters the DLP Fray

    DateTuesday, June 22, 2010 at 4:38PM

    In a move that failed to surprise many, Blue Coat announced Monday that it has officially entered the data loss prevention (DLP) space.  Given archrival Websense’s acquisition of DLP vendor PortAuthority more than three years ago, some may consider Blue Coat to be the “Johnny-come-lately” of DLP.  While it’s true that Blue Coat is a few years late to the party, the good news for them is that Websense has largely failed to deliver on its original DLP revenue expectations. 

    Blue Coat is positioning its DLP offering to compete against the major DLP vendors known for their complexity (Symantec, RSA, McAFee, to name just a few), in a move not unlike GTB Technologies, Palisade Systems and Code Green Technologies.  According to reports, the Blue Coat DLP product is appliance-based and can be deployed in a matter of “hours rather than weeks or months.”  The solution supports fingerprinting of both structured and unstructured data, provides both network and discovery components, but lacks integration of a Blue Coat-provided endpoint solution.  Instead, according to the Blue Coat website, they partner with Code Green Networks to provide endpoint coverage.

    Blue Coat has been used to leading the pack, at least when it comes to its renowned ProxySG appliances for web security and WAN optimization.  That landscape is much different in the DLP space as they compete against leading DLP solutions backed by the world’s most recognizable security firms.  With Blue Coat’s customer base of over 60 million users, it will be interesting to see the level of DLP penetration in the coming months.

    AuthorDLPX | CommentPost a Comment |
    tagged , in , , ,
    Wednesday
    Jun022010

    Do Data Loss Prevention (DLP) Architectures Matter?

    DateWednesday, June 2, 2010 at 7:39PM

    I just found a post in another DLP group asking users for installation graphics in order to understand a particular vendor's deployment methodology.  The resulting comments included things like, "why study the installation of the technologies instead of just the capabilities?"

    I found that response to be nearly idiotic.  I don't usually respond in these forums for fear of offending some poor soul, but I couldn't help myself. 

    I find xxxxxx's question very useful and an appropriate discussion topic. No one questions the need to cover critical requirements and I assume xxxxxxx's smart enough to know that.

    One of the criticisms of DLP is that it's complex. Just ask any company that has tested two or more DLP technologies and they'll tell you some are more complex than others. Depending on an organization's tolerance for complexity, their technical skill level or even just their desire to minimize time spent overseeing four, five or six DLP boxes (whether appliances or software), a vendor's architectural approach is as important as how well a feature list mirrors requirements. (In fact, shouldn't architecture itself be a requirement?)

    I agree that deployments are easy, at least conceptually. However, in practice, that's not always the case. I spoke with two companies in the past week who complained of complications during PoC installs--being done by the vendors themselves. In one case, the vendor never got it to work to spec. In both cases the vendors were Gartner MQ leaders.

    AuthorDLPX | CommentPost a Comment |
    tagged , in ,
    Monday
    May312010

    False Positive "Rates" of Data Loss Prevention (DLP) Solutions

    DateMonday, May 31, 2010 at 7:45PM

    I saw an interesting request posted in a DLP discussion group today asking for the false positive rates for some of the top DLP products in the marketplace.  (Just the question itself, I think, goes to prove that the DLP space is still misunderstood by a lot of would-be DLP users.)

    Oh, that it were that easy to have someone provide the "official" false positive rates of each vendor and go and buy the vendor with the lowest false positive rate.  Not only are false positive rates of DLP vendor products impossible to effectively and fairly determine, but the question seems to oversimplify the whole idea of DLP as it discounts dozens of other critical criteria for selecting the right DLP product.

    A Note About False Positive Rates

    The question of false positives was one of the early complaints about first-to-market DLP technologies.  False positives cast a negative shadow on DLP technologies because of user experience with other commonly-used security technologies.  What added more to the concern was the idea that a false positive could have the unintended effect of hobbling business efficiency.  I have heard horror stories of business production being shut down single-handedly by DLP enforcement technologies.  While the effect is possible, it's hardly likely if today's legitimate DLP technologies are configured and used effectively in the enterprise.  (Maybe a specific post on that at a later time...?)

    Unfortunately, while false positives still occur with DLP, many DLP detractors beat that drum with the assumption that false positives will undermine the effectiveness of DLP in general.  Too often, these detractors make such accusations without first-hand experience with legitimate, comprehensive DLP technologies.  

    By way of example, many of my customers have used content monitoring technologies of various email security platforms in what they then considered to be DLP.  You can't really blame them for expecting these solutions to effectively prevent sensitive data from leaving the network since almost all email security platforms use the term "Data Loss Prevention (DLP)" in marketing literature.  The difference is that these solutions are limited in how they detect sensitive data.  They rely almost wholly on regular expression patterns for identifying this data, so throw in a pattern for a US SSN and lo and behold, you get a bunch of false positives.  (That's why I hate how the term DLP is so loosely applied to all kinds of security technologies.)

    The good news is that today's legitimate DLP technologies rely on far more effective means of sensitive data detection, including exact data matching.  This methodology makes a fingerprint of the known sensitive data (whether that's sensitive database fields or complete documents) and detects actual matches to these fingerprints.  This, along with a number of other detection methods, effectively reduce false positives to next to nothing when used correctly.  This is *the* advantage of legitimate DLP technologies over technologies that include DLP as a feature.

    My recommendation is to let legitimate DLP technologies do what they do best:  detect and deal with sensitive data.  Let the email security solutions of the world do what they're good at.

    Determining False Positive Rates

    I also contend that it's terribly difficult, if not impossible, to get fair and accurate data on the false positive rates of the major DLP vendors.  Here's why:

    Legitimate DLP vendors use very similar data detection methods.  Not all, but, most combine a) regular expression patterns (SSN or credit card number pattern matches); b)  data fingerprinting (hashes of specific known sensitive data, database fields, files, etc.) and c)  content analysis techniques (in its many varied forms).  Between a combination of these technologies, it's likely that each DLP technology can be tuned to accurately detect the same stuff as the next guy.  The problem for fair and accurate testing, however, requires that tuning be performed over a period of time longer than most test are willing to run.

    This also means that users will likely be forced to rely on the studies paid for by the DLP vendors themselves.  Not exactly what I would consider to be fair and accurate reporting of fales positive rates.

    In the end, because every customer has different data, they will need to test and determine the best solution for their specific needs.  There are DLP vendors that, because of their specific detection methods, may handle certain data types better than others.  That's why it's critical to always understand your sensitive data and then seek a solution that matches your needs.

    What Could Be More Important Than Accuracy?

    Really, sensitive data detection accuracy is the most critical component of effective DLP.  However, there are so many other criteria for selecting the right solution, including coverage areas (gateway, endpoint, discovery), appliance versus software, tolerance for architectural complexity, etc.

    All the effectiveness in the world won't do a bit of good if the platform is too complex for your organization to manage or if it doesn't provide the coverage you need.

    Ultimately, do your homework.  But do not get bogged down with this idea of having to know false positive rates of each vendor.  If you wait to move on your DLP project until you get this data, you'll be waiting a long, long time.

    AuthorDLPX | CommentPost a Comment |
    tagged , , in , ,
    Page 1 2 Next 20 Entries »