
Entries in Data Loss Prevention (20)

Friday, Dec 23, 2011

Preventing Data Loss = DLP + ICAP Proxy

Aside from a few new features each year, the core of the Data Loss Prevention marketplace has been pretty well baked for a number of years. That's why it surprises me still to hear new buyers of DLP frustrated to find that they will need to have an ICAP-capable proxy in order to block sensitive data leakage via HTTP (and HTTPS, FTP). This is true of leading DLP vendors Symantec, RSA, McAfee, Websense and Code Green Networks, among many others.

Some of these vendors have their own proxy solutions, while others rely on one of many available proxy solutions that support ICAP (Internet Content Adaptation Protocol). ICAP, simply put in DLP terms, is a protocol that allows a proxy to communicate with a DLP solution to provide visibility and blocking for HTTP/S and FTP. ICAP is a feature found on many commercial (and even open source) proxy solutions.

So, why does blocking HTTP require an ICAP-capable proxy? The proxy accepts and holds the request to be inspected by the DLP solution. The proxy uses ICAP to pass the request to the DLP solution for inspection and the DLP solution returns its response via ICAP. If sensitive data is detected per DLP policies, the proxy does not forward the request. If sensitive data is not found, the proxy sends the request along normally. All this happens in milliseconds with no perceivable latency to the end user.

The proxy also provides two additional and critical features for the DLP solution:

  • Username. The proxy passes the Microsoft Active Directory username to the DLP solution so the incident shows the end user information rather than an IP address. This saves precious time and energy in handling a data breach.
  • HTTPS. Most ICAP proxies have the ability to open SSL-encrypted communications. This allows the DLP solution to not only inspect communication with websites such as Gmail.com, but also facilitates blocking when sensitive data is detected. 
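The hold, inspect and release-or-block exchange described above, sketched as an added example (not code from DLP Experts or any vendor). It assumes RFC 3507 REQMOD framing, a hypothetical ICAP service at dlp.example.internal, an `X-Authenticated-User` extension header as the way the proxy passes the directory username, and a card-number regex with a Luhn check standing in for real DLP policy; the `mode` switch models a monitor-only deployment versus a blocking one.

```python
"""Toy ICAP REQMOD exchange between a proxy and a DLP engine (RFC 3507 framing)."""
import base64
import re

CRLF = b"\r\n"
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")  # candidate card numbers

# Constructed sample: a webmail POST the proxy is holding for inspection.
SAMPLE_HEAD = (b"POST /compose HTTP/1.1\r\nHost: webmail.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
SAMPLE_BODY = b"to=friend%40example.org&body=card+4111111111111111+exp+01/30"


def chunk(data: bytes) -> bytes:
    """HTTP chunked encoding, which ICAP uses for encapsulated bodies."""
    return b"%x" % len(data) + CRLF + data + CRLF + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    out = b""
    while data:
        size_line, _, data = data.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        out, data = out + data[:size], data[size + 2:]  # skip the chunk's CRLF
    return out


def build_reqmod(user: str, http_head: bytes, http_body: bytes) -> bytes:
    """Proxy side: wrap the held HTTP request in an ICAP REQMOD message."""
    icap_head = CRLF.join([
        b"REQMOD icap://dlp.example.internal/reqmod ICAP/1.0",  # hypothetical service
        b"Host: dlp.example.internal",
        b"Allow: 204",
        # Assumed extension header carrying the directory username, base64-encoded.
        b"X-Authenticated-User: " + base64.b64encode(user.encode()),
        # Byte offsets of each part inside the encapsulated section.
        b"Encapsulated: req-hdr=0, req-body=%d" % len(http_head),
    ])
    return icap_head + CRLF + CRLF + http_head + chunk(http_body)


def parse_reqmod(raw: bytes):
    """DLP side: split ICAP headers, encapsulated HTTP headers and body."""
    icap_head, _, encapsulated = raw.partition(CRLF + CRLF)
    headers = {}
    for line in icap_head.split(CRLF)[1:]:  # [0] is the REQMOD request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    offsets = dict(p.strip().split("=") for p in headers["encapsulated"].split(","))
    if "req-body" not in offsets:  # e.g. a GET: headers only
        return headers, encapsulated, b""
    body_at = int(offsets["req-body"])
    return headers, encapsulated[:body_at], dechunk(encapsulated[body_at:])


def luhn_ok(digits: str) -> bool:
    """Checksum that separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(body: bytes) -> list:
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(rb"\D", b"", m.group()).decode()
        if luhn_ok(digits):
            hits.append(digits[:6] + "..." + digits[-4:])  # never log the full number
    return hits


def dlp_inspect(raw: bytes, mode: str = "block"):
    """Return (ICAP response, incident). mode is 'monitor' or 'block'."""
    headers, _, body = parse_reqmod(raw)
    user = base64.b64decode(headers.get("x-authenticated-user", "")).decode()
    hits = find_cards(body)
    incident = {"user": user or "unknown", "matches": hits, "action": mode} if hits else None
    if not hits or mode == "monitor":
        # 204 tells the proxy to forward the original request unchanged.
        return b"ICAP/1.0 204 No Content" + CRLF + b"Encapsulated: null-body=0" + CRLF + CRLF, incident
    # Block: answer the REQMOD with an HTTP response for the proxy to serve
    # to the user instead of forwarding the request upstream.
    page = b"Blocked by data loss prevention policy."
    http = (b"HTTP/1.1 403 Forbidden" + CRLF
            + b"Content-Length: %d" % len(page) + CRLF + CRLF)
    icap = b"ICAP/1.0 200 OK" + CRLF + b"Encapsulated: res-hdr=0, res-body=%d" % len(http)
    return icap + CRLF + CRLF + http + chunk(page), incident


if __name__ == "__main__":
    request = build_reqmod("CORP\\jdoe", SAMPLE_HEAD, SAMPLE_BODY)  # constructed user
    for mode in ("monitor", "block"):
        response, incident = dlp_inspect(request, mode)
        print(mode, response.split(CRLF)[0].decode(), incident)
```

In monitor mode the incident is still recorded against the username while the request goes through, which is what makes policy tuning possible before blocking is switched on.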

For companies with an existing proxy in place, adding data loss prevention technologies presents little added concern. But what if your organization is proxy-free? Will you have to pony up budget dollars for a proxy in addition to DLP? Probably so, if you intend to block sensitive data leakage via the web. But, before you get too bothered, consider these points:

  • Companies rarely come out of the DLP gate blocking. It's recommended to run in monitor-only mode for a period of time prior to blocking. This allows you to tune policies for accuracy in anticipation of blocking in the future. What this means is that most companies have a time lag between the monitoring and blocking phases of their DLP project. So, don't stress it if you can't put the DLP and Proxy purchases in the same budget period. The ICAP proxy purchase can still be made down the road.
  • Proxies provide other benefits. Most major proxies now provide full Secure Web Gateway (SWG) protection and provide plenty of benefit outside of DLP. In fact, many companies are considering SWG solutions for their non-DLP capabilities. URL filtering is delivered very competently using a proxy. And given that malicious code is often delivered via the web, it can be a huge benefit to have this additional protection at the gateway, making DLP integration just a nice plus.
  • An ICAP proxy doesn't have to be expensive. A number of open source proxies are available that support ICAP for DLP integrations. If you're not averse to Linux and open source, one of these may meet your requirements. In my experience, however, open source proxy solutions are not as full-featured as their commercial counterparts. This is especially true when considering the full breadth of Secure Web Gateway solution capabilities. You get what you pay for, right?

Given the need to secure the gateway, for my money it's best to go with an ICAP-capable proxy that supports full SWG capabilities. Below are some of the leading ICAP proxy vendors in the space. Keep in mind that while these vendors support ICAP, the specific implementations may differ, resulting in varying results with different DLP vendors.  

  • Blue Coat. By far the leading proxy/SWG solution on the market. Not only do 85% of FORTUNE Global 500 companies use Blue Coat, the company also provides solutions that scale downward to support very small installations.
  • Cisco IronPort. Cisco's IronPort Web Security Appliance supports ICAP.
  • M86 Security. M86's Secure Web Gateway solution is best known for protecting against malware with its real-time code analysis technology. Company sources say they plan to support ICAP for DLP by Q1 of 2012.
  • McAfee. The McAfee Web Gateway (Webwasher) supports ICAP.
  • Symantec. The newest version of Symantec Web Gateway provides SSL visibility.
  • Websense. While Websense can provide their SWG as a standalone solution, the company promotes TRITON, providing a single integrated solution for DLP, SWG and email security.

Before delving into a data loss prevention project, consider whether you intend to block HTTP/S and FTP. If so (and most companies do), be sure to plan and budget for an ICAP-compatible proxy. By selecting a proxy that provides critical web gateway security, you'll be able to address DLP blocking while also improving network security. 

Monday, Dec 5, 2011

2011 Gartner Magic Quadrant for Content-Aware Data Loss Prevention

Since "gartner dlp" is one of the leading search terms at DLP Experts, we've decided to provide links to sources for downloading the 2011 Gartner Magic Quadrant for Content-Aware Data Loss Prevention. Please be sure your copy is the most recent given the document was revised to correct some vendor information (for more details see the Gartner Corrections page and the section dated 13 September 2011).

We've included more than a single source for access to this report. In fact, we've listed each of the Gartner leaders in the 2011 Magic Quadrant for Content-Aware DLP.

RSA

Surprisingly, we were unable to find a link from RSA to the Gartner MQ on DLP. We found links to other Gartner Magic Quadrant reports for Web Fraud Detection and SIEM, but nothing but the 2009 and 2010 MQ for DLP.

McAfee

McAfee provides a brief introduction to the report highlighting the positive feedback from Gartner, just to get your techno-juices flowing.  This introduction is followed by a download link where the user must register by completing a brief web form with first/last name, company name, job role and email address.

Websense

From a Websense press release, a link is provided to a web form requiring first/last name, phone number, email address, number of users, company and country.

Verdasys

Verdasys offers access to the Gartner MQ from their Analyst Papers page. From there, either of the two links takes you to a web form which requires first/last name, title, company, phone and email.

Symantec and CA

Both Symantec and CA provide the same direct link to the report (no annoying forms to complete). Since this link goes directly to the Gartner reprint of the article, you can be sure that this version is the most recent.

Wednesday, Jun 29, 2011

Predictions: 2011 Gartner Magic Quadrant for Data Loss Prevention

Recent trends show an increase in organizations searching for information on the Gartner Magic Quadrant for Data Loss Prevention (DLP).  That tells us it's that time of year again.  Time for Gartner's annual report on Content-Aware Data Loss Prevention, which, according to Gartner's Magic Quadrant and MarketScopes information page, has been slated for release Q2 11.  Since Q2 11 has come and gone and we’ve yet to see the released report, I figured I'd make my own predictions on what the good folks at Gartner will have to say about the DLP space for 2011.

Let's start with the coveted Leaders quadrant which in years past has included quite a varied list of vendors, from Vericept (now Trustwave), Websense, Vontu (now Symantec), RSA, to Reconnex (now McAfee).  2011 is unlikely to bring us any surprises among the current leaders of McAfee, RSA, Symantec and Websense.  While Symantec still boasts the most advanced feature-set of any vendor, all of the leaders maintain the basic feature-sets required to keep them in leadership contention.

CA DLP

CA has just recently added some critical DLP fingerprinting features to bring them in line with many of the leaders and visionaries. CA is desperately trying to redirect buyer focus to identity and access management combined with DLP in an effort to provide a unique feature set on which to compete and use for their own customer base. Otherwise, CA has a very average DLP offering.

CA Strengths

  • Big company name.  (Some might consider that a weakness for CA.)

CA Weaknesses

  • Cannot compare feature for feature with other big-name DLP vendors.

Code Green Networks

Code Green's approach stands apart from most of the Leaders, with a simplified, appliance-based architecture that streamlines deployment and reduces the management overhead associated with traditional, multi-server DLP architectures.

Code Green Networks Strengths

  • Single appliance architecture.
  • Ease of use in deployment, configuration and management.

Code Green Networks Weaknesses

  • Limited brand awareness.
  • Appliance cost represents a disproportionately high cost in deployments of 250-1000 users.

Fidelis Security Systems

Fidelis has had a DLP identity crisis from day one, calling itself not DLP, but Extrusion Prevention. Not one to be led, Fidelis' founder has bucked the system at every turn. While I like that style, the company's insistence on a network-only approach has excluded them from every major commercial opportunity. Instead the company's focus is APT Protection, which tends to resonate more loudly with federal gov't than does DLP. In speaking with a marketer at Fidelis last year, we were told that DLP is "just one of our use cases," and that they are a network security tool. That's a shame, because they have some interesting DLP technology that will rarely get used as such.

Fidelis Security Systems Strengths

  • Multi-Gbps throughput appliance.
  • In-line blocking capability.

Fidelis Security Systems Weaknesses

  • Lack of commercial focus (for us fans of commercial business).
  • No in-house endpoint solution. Instead, weak marketing partnerships with Verdasys, Safend and other now-defunct endpoint DLP players.

McAfee DLP

McAfee is likely to remain one of four vendors in the Leaders quadrant, although recognized by many as a laggard behind Symantec, RSA and Websense.  McAfee DLP provides a multi-appliance solution that is managed through the company's widely-used ePolicy Orchestrator.

McAfee DLP Strengths

  • Big company name.
  • Unique network monitoring approach allows for monitoring and categorizing *all* network traffic rather than just policy violations.

McAfee DLP Weaknesses

  • Multi-appliance approach can be complex and requires separate appliances for network monitor, prevent, discovery and management.
  • Many customers report difficulty in deploying and configuring the solution.

Palisade Systems

Despite Palisade Systems' deep DLP roots, the company has struggled to find success. One of very few remaining DLP independent software vendors, Palisade has run through three top executives in as many years. Until very recently, the company claimed a network-only focus and only this year have they released an endpoint component to complement their DLP suite. The appliance-based solution provides web filtering, among other non-DLP features. 

Palisade Systems Strengths

  • Unique non-DLP feature set desirable for small business or education.
  • Aggressive pricing structure.

Palisade Systems Weaknesses

  • DLP road map and development resources lag behind many DLP leaders.
  • Company's viability is in question.

RSA

RSA is one of the four current Leaders and we predict they will remain. RSA is one of few vendors to leverage their technology through high-profile licensing agreements with Microsoft and Cisco. RSA is one of the most widely-considered solutions among DLP projects. While RSA has made attempts to simplify DLP architecture by leveraging multiple virtual machines on a single server, many customers still complain of deployment complexities.

RSA Strengths

  • Big name player.
  • OEM licensing agreements position RSA among non-DLP projects (DRM, email security, etc.).

RSA Weaknesses

  • Architectural complexity.
  • Many customers report problems in deploying and configuring the solution.

Symantec DLP

Symantec has enjoyed its well-deserved position of leadership since the inception of the Gartner Magic Quadrant for the space in 2006 (then known as "Content Monitoring and Filtering").  Symantec's acquisition of Vontu, the leading DLP vendor in the space, positioned Symantec squarely in the leaders quadrant from day one.  Vontu was already well into the development of its own endpoint agent, making it one of the first to recognize and execute on this need.  Since that time, Symantec has taken a leadership role in shaping the DLP space with its innovative features to address the growing market requirements.  

Symantec DLP Strengths

  • Big name player and market leader.
  • Most feature-rich DLP offering.

Symantec DLP Weaknesses

  • Multi-server architectural complexity.
  • High cost.

Trend Micro

Trend Micro's DLP reach is limited largely to small endpoint deployments. We have never come across an organization giving them serious consideration. They are currently squarely positioned in the niche player quadrant and we could see them slipping further down and to the far left since their DLP vision is very limited.

Trend Micro Strengths

  • Convenient for current Trend customers looking to check the DLP box.

Trend Micro Weaknesses

  • Very weak DLP feature set.

Trustwave

Trustwave made the most recent acquisition in the DLP space, gobbling up Vericept, one of the early DLP leaders. Along with the DLP acquisition, Trustwave has acquired a number of other under-achieving technologies. Since that time, however, Trustwave has apparently done little to improve the DLP offering and has actually stopped marketing its endpoint DLP agent.  We predict Trustwave will be one of few vendors that actually slip in 2011 from its former position of challenger to niche player.

Trustwave Strengths

  • Trustwave provides a full suite of security services and DLP may be an easy add-on for current Trustwave customers.

Trustwave Weaknesses

  • Functionality has regressed with loss of endpoint.
  • Trustwave may not be able to reach beyond their limited customer base and expand their DLP marketshare.

Verdasys

Verdasys was an early entry to DLP and one of few who started with an endpoint focus. Unlike other vendors who have branched out to include all three DLP components (network, endpoint, discovery), Verdasys has not and remains largely endpoint focused. Verdasys maintains marketing partnerships with IBM and a technology partnership with Fidelis, though we don't know how beneficial either of those is.  

Verdasys Strengths

  • Leading endpoint-only DLP solution.

Verdasys Weaknesses

  • Limited true DLP capabilities.
  • Very expensive endpoint-only solution.

Websense

As a DLP Leader, Websense has done a good job marketing its single solution for web security, email security and DLP under the TRITON moniker. The concept appeals to many buyers of DLP, especially current Websense filtering or secure web gateway customers looking to add DLP. Unlike some of the other appliance DLP vendors, the Websense platform uses virtual machines to pull everything into a single appliance/server.  

Websense Strengths

  • Single vendor solution for web security, email security and DLP.

Websense Weaknesses

  • Subscription pricing can become more expensive than traditional perpetual license after a few years – and the subscription remains indefinitely.
  • Under the TRITON solution, sharing of server resources for web and email security can have a negative impact on resources needed for critical DLP function.

Monday, Jan 17, 2011

DLP Product Guide for RSA Conference Expo 2011

With Gartner estimating the Data Loss Prevention (DLP) market to reach $400 million in 2011[1] and with adoption of DLP technologies moving quickly down to the small to medium enterprise, DLP is no longer an unknown quantity.  In spite of this progress, DLP remains a market shrouded by confusion over everything from the definition of DLP to the right way to address the problem--whether that's at the endpoint or the gateway.  Many vendors show they're suffering from a severe identity crisis as they try to wedge their way into the DLP space by blunt force marketing.

The RSA Conference Expo (Expo) is not immune to this confusion; in fact, in some respects the Expo may add as much confusion to the mix as it resolves.  By way of example, an organization recently contacted me to seek guidance on DLP vendors at the Expo.  This particular organization has an active DLP initiative and has committed the financial and personnel resources to send a delegation to the RSA Conference to research potential vendors.  However, when my contact used the Security Keyword Search feature for the search term “data loss prevention,” he was presented a list of no less than 37 vendors at the Expo who have chosen to associate themselves with the term[2].

Upon further research, of those 37 vendors, the vast majority have very little or nothing to do with DLP, effectively nullifying the benefit of being able to narrow your DLP search at the Expo.

This is not an indictment of these vendors or the RSA Conference as a whole.  Most well-meaning vendor marketing departments want to align themselves with many security keyword listings in order to drive as much traffic as possible to their site.  It’s an unfortunate byproduct of the Expo.

The DLP Product Guide for RSA Conference Expo 2011 is an effort to help potential buyers of DLP enforcement technologies.  The guide will list all 37 vendors with the designation of “data loss prevention,” however, it will also provide key details that should prove helpful in maximizing Expo time.

Download the DLP Product Guide for RSA Conference Expo 2011.


[1] Gartner Magic Quadrant for Content-Aware Data Loss Prevention, June 2, 2010

[2] http://www.mapyourshow.com/shows/index.cfm?show_id=RSA11 - security keyword “data loss prevention”

Friday, Sep 3, 2010

Employees Are More Apt to Take Company Data than a Stapler

The title of this post is taken from the headline of a press release from SailPoint as reported in NetworkWorld.  While it is a great headline, more importantly it should tell us that no organization's data is safe, especially for those laying off employees. 

For me the takeaway from SailPoint's survey is that companies should not trust their employees, especially when layoffs are on the horizon.  I have spoken to many companies in the past three years who have laid off workers.  Some have implemented some strategy to protect that data (technology or otherwise), but most have proceeded with the layoffs without any method for ensuring the safety of their sensitive data. 

In the SailPoint survey, they found that 29% of US workers admitted they would take customer data.  This is consistent with my recent personal experience.  A banking customer confessed to me that many of the home lending staff they had laid off apparently took the bank's customer list to use as a sales prospecting list--presumably along with personally identifiable information (PII).  One trucking company that contacted me for data loss prevention was concerned that their competitors would somehow gain access to their customer contacts (read:  "from their former employees"). 

The problem could be exacerbated by a bad economy and the personal impact on individual finances.  While the survey did indicate that 45% of the US respondents claimed this tendency to steal from an employer was not influenced by the recession, there were slightly less than .5% of US respondents who said they would try to sell confidential data.  Using these stats, one out of every 200 employees would try to sell your confidential data.  All it takes is one to end up like TJX.

This is not the first survey of its kind with similar findings.  For me, this confirms what I've felt for years:  that data loss prevention technologies will eventually become part of every network security plan.

Thursday, Sep 2, 2010

DLP Myth #5: DLD is the same thing as DLP

It may surprise you to find that many DLP enforcement technology implementations are not even DLP--they're DLD, data loss detection.  Too many companies forget that the "P" stands for prevention.  Blocking.  Frankly, it's not really the end user's fault; rather, it's the responsibility of the vendors.  There are a couple of critical elements at play in this discussion:

  • Inaccuracy often is the cause for failing to enable blocking.  If a vendor's DLP technology does not prove accurate, turning on blocking is far too risky for the end user, because inaccurate blocking will impede normal business process.  Unfortunately, a DLP vendor is only as good as their capacity for accurate detection.  Keep in mind that not all DLP detection is created equal.  (We'll discuss this topic in a later post).
  • Most DLP enforcement technologies are limited in what they can block:  SMTP, FTP, HTTP, HTTPS and other proxiable protocols.  This is true of the biggest names in DLP and is not something that's commonly known among buyers of DLP technologies.  Since this is the case among most vendors, analysts accept it as a limitation of DLP, and since the analysts help shape the expectations of the marketplace, most buyers accept the limitation (once they finally know about it).  The limitation lies in the core technologies of these vendors, which depend on proxy devices to do the dirty work of blocking.  There are two vendors I'm aware of that have the ability to block all protocols and not just proxiable ones:  Fidelis Security Systems and GTB Technologies.  However, in my opinion, each has its own deficiencies in other areas that may cancel out the blocking benefit.  There is no perfect DLP enforcement technology (and we'll discuss this in a later post also).

The bottom line is, as much as you may like to, you'll likely not be able to block everything that needs to be.  However, if you choose a vendor with the right detection capabilities, it will go a long way toward being able to flip the switch to turn your data loss detection into true data loss prevention!

Wednesday, Sep 1, 2010

DLP Myth #4: DLP is Expensive

The topic of Data Loss Prevention enforcement technology expense is a difficult one to address.  DLP technologies have long been considered very expensive and in fact, many still are.  But the idea of DLP technologies can be sliced and mixed and mashed in so many ways, it is possible to purchase DLP enforcement technologies without breaking the bank.  And considering the amount of risk mitigation that comes with effective DLP strategies, I believe the cost to be well worth it.

I've outlined below a number of key points related to DLP expense, any of which may apply directly to your organization.

Some Vendors Just Cost More

As in any marketplace, there are expensive vendors and there are cheap vendors.  DLP technologies are no different.  You have your high-cost leaders who may set the standard in complete coverage and expansive feature lists, targeting the large enterprise, and your low-cost vendors who may only cover basic features and target small companies.  Even among the leaders in the space who provide very comparable levels of coverage, there can be drastic cost differences.  Want to save some money?  Do your homework and don't fall into the trap of thinking all vendor costs are the same.  They are not.

Retail Price vs. Street Price

Even after you get the list price quotes from DLP vendors, keep in mind there is always a retail price and a street price.  DLP street price can get surprisingly competitive with a couple of vendors in the mix.  To get the best price, don't home in on a single vendor, even if you're convinced they're the only one that can meet your unique requirements.  Keep a couple of vendors involved, preferably a mix of leaders and challengers, and play your cards close to your vest.  Reveal just enough to keep your preferred vendor on their toes and ready to negotiate.

Differing DLP Cost Models

Data loss prevention is one of those newer spaces where vendors and buyers are still trying to figure out the best way to charge for DLP.  There are two basic cost models:  perpetual and term (subscription).  The marketplace has not completely moved to one or the other and in fact, many vendors can provide either/or. The differences in price can be very significant, both in the first year and also looking out over a number of years.  Perpetual license models require a front-loaded payment on all license and support fees, plus any hardware, with a percentage paid annually for maintenance and support (usually around 15%-25%).  In this case you "own" the right to use the product perpetually, assuming you pay the required annual support fees.  Term models (aka annually-renewable subscription) are typically lower in initial cost and often look really good when compared with the first-year cost of a perpetual license.  This cost savings may be short-lived, however; annual renewals can really add up!  In the end, it's important to consider what the total costs will be over the course of multiple years.

Phased Implementation

Another way to approach DLP to keep costs down is to implement the solution in a phased approach.  This may mean starting with network coverage and then adding other coverage in the coming months.  This can cut initial costs by as much as a third, but some vendors provide discounts if the complete suite is purchased up front.  For many companies, this approach makes good sense and allows them to roll out the DLP enforcement at their own pace.

One word of caution with a phased approach.  Depending on the product, many vendors have architectures that require you add additional appliances or servers as you roll out new components.  A few vendors have architectures that combine the full suite into a single appliance, so adding a service is as simple as flipping a switch in the UI.

Channel DLP

There's some buzz around "channel DLP," which are DLP products that provide limited coverage, say for monitoring email only.  These channel DLP products can be an inexpensive way to "break in" to data protection, but are considered by many to be "good enough" approaches that may not address a company's long term DLP needs.  Popular channel DLP products include:

  • Endpoint (content-aware)
  • Device Control
  • Email
  • Network

Be sure to note that while channel DLP can address short-term needs in one particular area (say email), adding to your DLP enforcement technologies may require you to ditch that channel DLP product for one that provides the all-critical single user interface.  Managing multiple DLP products, incidents, rules, etc., means multiple interfaces which can easily double or triple management times.

Hardware vs. Software

Finally, when it comes to DLP technologies being expensive, be sure you understand all the costs involved.  An appliance-based solution typically includes the appliance in the cost quote, while many leading software solutions require that multiple servers be purchased along with operating systems, databases, etc., none of which are included in the quoted costs.

Tuesday, Aug 31, 2010

DLP Myth #3: You can "buy" DLP

Many organizations considering data loss prevention focus on technology to address the need.  While you can "buy" DLP enforcement technologies, data loss prevention is more than a product.  Data loss prevention is a process and one step in that process is the purchase and deployment of technologies to enforce an organization's data protection strategy.

Some people think I'm splitting hairs with this thinking, however, after having seen dozens of good and bad DLP strategies, I'm convinced my argument is sound.

Since DLP is a process it's important not to get caught up only in the technology side.  For many companies, this is a real tendency because many DLP projects are handed off to IT to deal with as an IT problem.  The reality is that data loss prevention is a risk management and compliance problem that happens to utilize technology as a major method of policy enforcement.  

Because it's a process, it's important to complete each step.  Like the proverbial three-legged stool, to leave out one step can lead to serious negative consequences.

At DLP Experts, we promote a five step process to our customers for a successful data loss prevention initiative:

  1. Assess.  Assess current situation, identifying critical data and major concerns.
       – What data should be protected?
       – Where is the data located?
       – Who should have access to this data?
       – What are the major data leakage points?
  2. Create.  Create a comprehensive data protection plan and written data protection policy.
       – Use the data from the assessment as a guide.
       – Prioritize your critical data and start with a policy to protect that first, building to other key data.
       – Your data protection plan is dynamic and you can always update it in the coming months.
  3. Promote.  Promote the data protection plan and policy among all employees, contractors and vendors.
       – This is the single most important step in protecting critical data. Most data breaches are unintentional, so getting staff to be vigilant is key.
       – Get signed acknowledgement from employees that they understand the policy—and the consequences for failing to follow it!
       – Consider formal training.
  4. Enforce.  Implement technologies to enforce the data protection plan and policy.
       – Consider all existing technologies in your network. You likely have some elements of DLP in your arsenal:  encryption and email content filtering are fairly common. Make use of them.
       – Configure enforcement technologies to best mirror your new policies.
  5. Maintain.  Maintain and update plans and policies based on changing business needs.
       – Monitor enforcement technology reports.
       – Conduct regular extrusion testing.
       – Provide annual data protection training.

The next time someone in your organization says, "We need to buy DLP," make sure they read this! ;)

Monday, Aug 30, 2010

DLP Myth #2: DLP is Architecturally Complex

A common misconception is that DLP must always be architecturally complex.  This myth has roots in reality; traditional DLP technologies have been architecturally complex.  However, as DLP technologies evolve, there is a move toward greater architectural simplicity.

To understand how we got to the architectural complexity, consider the origins of data loss prevention:  built for the world's largest enterprises and with an immature roadmap that was a moving target in early years.  Original DLP technologies were really DLD, data loss detection.  They were designed first as passive network monitors looking for patterns matching simple expressions such as for social security and credit card numbers, but there was no blocking involved.  As companies saw data leaving the organization, it didn't take long for the next requirement to come to light:  blocking.  Then came discovery, endpoint and so on.

Most early vendors employed a modular, multi-server architecture, which is typical among the .  This gave them the ability to develop one server component at a time as market demand required, rather than bring everything together under a single server.  The results were shortened development times.  Plus, it allowed early adopters to get their feet wet with the new technology, one component at a time. 

A key side benefit of the modular approach was that it spread the load among many servers, keeping the network monitor free for the all-critical task of identifying sensitive information.  It was an unspoken concern that an overloaded network monitor could "slip," allowing sensitive data to get by without being seen.  This was an especially important concern to address among the early-adopting large enterprises, which have a tendency to run at bandwidths that can overload packet filters.

This evolution resulted in DLP architectures that require many servers:  management server, network monitor, database server, email blocking server, web blocking server, discovery server, endpoint management, etc.  Couple this multi-server approach with separate integrations for mail transfer agents, ICAP proxies, databases, Active Directory, etc., and you end up with a very complex architecture.

Contrast this traditional DLP architecture with the concept of a single appliance that combines everything required for a complete DLP suite:  network monitor, management interface, incident database, web and email blocking, discovery and endpoint management.  This is the approach of a couple of DLP vendors.  And even the traditional DLP vendors normally requiring 4-5 servers are recognizing the need to simplify with single appliances running 2-3 DLP components as virtual machines.

DLP does not have to be architecturally complex.  Some vendors have developed simple architectures combining components in a single appliance, while others are leveraging virtual machines to make their architectures more streamlined and easy to deploy.

Thursday, Aug 26, 2010

DLP Myth #1: You can get DLP as an add-on to an existing solution.

I read a blog post today from Midwest IT Professional entitled Myths of Data Loss Prevention (DLP).  The post didn't really address the kind of thing I consider to be myths about DLP, but it did get my thought process going.  So, over the coming days, I'll present a series of myths related to Data Loss Prevention.

The first myth I'd like to address came in the form of a firewall/UTM vendor announcement about the growing demand for DLP.  The quote that accompanied the press release stated:  "Today, customers can have both state of the art multifunction firewall protection and unbeatable Web, messaging and DLP security that is affordable, powerful, highly reliable and easy to use."  

From this, I pull myth number one:  You can get effective DLP as an add-on to your firewall, web or email security solution.  While some rudimentary data loss prevention functionality can be added to most any network security device, its effectiveness may often do more harm than good.  

Most add-on DLP functionality comes in the form of scanning network traffic (web, email, other) and looking for simple regular expression pattern matches for social security numbers, credit card numbers, etc.  This content monitoring capability has been around for many, many years; however, in my experience it has been ineffective and in many cases counterproductive.

I had one client, for example, who tried to use their leading email security solution to identify and block incidents of sensitive data leakage using regular expression patterns.  They went this route initially to avoid having to buy a purpose-built DLP technology--trying to save some money in this tough economy.  What they found was that the rudimentary content monitoring and filtering technologies did a poor job of identifying *true* incidents of data leakage.  They ended up with more incidents each day than they could keep up with and since the vast majority of the incidents were false positives, they stopped looking at them altogether.  I won't go into detail about why this just doesn't work.  Just give it a try with your own email security solution and see the results for yourself.  

In addition to the fact that regex patterns alone are ineffective, consider the fact that in most cases, an SSN alone does not constitute a data breach.  Most regulatory or legal mandates specify an SSN accompanied by other data points that together make an individual "personally identifiable" (hence the term PII--personally identifiable information).  True DLP technologies have the ability to do much more than just pattern matching.  In fact, a key feature of most every major DLP technology is the ability to do "exact matching" of specific individual data fields.  This means that a rule can be established so that when an SSN combined with other data fields *from the same database record* is seen in a single communication, this will trigger an incident.  So if it's my SSN along with the name Steve Smith (not my name), that won't trigger.  However, if it's my SSN along with my name, it will trigger.  This exact matching capability is critical to effective data loss prevention, and adding "DLP" to your basic firewall, web or email security device just may do more harm than good.

Other data loss prevention (DLP) myths to follow! 

Tuesday, Jul 06, 2010

Data Loss Prevention (DLP) Interest Increasing

I've been hearing about how data loss prevention (DLP) would someday explode on the security scene since I first heard a security analyst claim that 2007 would be the "year of DLP."  Then I heard the same analyst claim that 2008 would be the "year of DLP."  The economy single-handedly proved that wasn't going to happen.  Even then, I heard a number of people (admittedly mostly positive-thinking vendors) claim that 2009 would be the "year of DLP."  Now, when it didn't happen in 2009, I didn't hear anyone make the claim that 2010 would be that blessed year, when DLP would finally–FINALLY–hit its stride and explode.  But that may be just what's happening.

I think I can safely say that interest in data loss prevention (DLP) appears to be on the rise, even if the indicators aren't very scientific.  Many DLP vendors are quietly reporting significant DLP enforcement technology revenue increases in the first half of 2010 over the same period in 2009.  From personal experience at DLP Experts, I can safely say that interest has turned from a passive and tentative DLP tire-kicking to active research for deployment in 2010 or 2011.  Many organizations that first discussed with me the topic of DLP a number of years ago have just now begun to make DLP active, budgeted projects.

So, to hear that the Data Loss Prevention session at the recent Gartner Security Summit was "bigger than ever" is really no surprise.  For those of us (vendors, VARs, integrators, etc.) who have committed ourselves, companies and resources to DLP, I say it's about time.

Monday, Jul 05, 2010

Yet Another DLP Player

For a number of years, Lumension has skirted the DLP space with its device control capabilities.  In fact, it's been a number of years since the company first started touting the "DLP" capabilities of its device control product (SecureWave acquisition). 

Well, now Lumension is ready to really move into DLP with the recent announcement of a relationship with RSA's DLP solution.  Lumension will license the RSA DLP SDK in order to bring these DLP features to its solution.  This move is not surprising as many of Lumension's endpoint control competitors have already signed on to increase true DLP functionality.

It does make me wonder how the face of DLP may change in coming years.  With so many endpoint solutions adding real DLP features, will they be able to significantly compete and win market share from the DLP suites that include network and discovery?

Wednesday, Jun 30, 2010

Single Channel DLP "Excluded" from Gartner DLP MQ?

There is some chatter in and out of DLP circles about "single channel DLP" solutions.  The question is, should these solutions be included in that exclusive fraternity of solutions known as DLP or should the definition of DLP be altered to allow their inclusion? 

By way of definition, single channel DLP would be solutions that do not address the generally-accepted DLP requirements of network, endpoint and discovery (aka data in motion, in use and at rest).  Specifically, there have been some mentions of single channel DLP in the following articles/posts on the Internet:

Network World article by Ellen Messmer in which "Single Channel DLP" is mentioned

and

LinkedIn Data Loss Prevention (DLP) Forum post

In the Network World article, the term single channel DLP is attributed to Gartner and described as "a second track for DLP...which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used." Eric Ouellet is quoted as saying, "What we've learned over five or six years is that organizations overall seem to be buying more DLP than they need for the real-world case.  Routinely, they do not deploy all of the components within the two- to three-year timeframe."

My interpretation of Ouellet's comments combined with the reference to single-channel DLP, is that such a solution may be suitable for some companies, given the fact that some organizations do not deploy all channels (network, endpoint and discovery) during the course of a two- to three-year deployment.

The LinkedIn DLP Forum post includes a comment from Joshua Block, vp bizdev at Safend, lamenting the fact that to use a definition of DLP as solutions that cover *all* channels (unfairly?) excludes "a large number of vendors."  Single channel DLP vendors were, in fact, left out of the recently-released 2010 Gartner Magic Quadrant for Content-Aware DLP.  One requirement for inclusion in this MQ is that solutions be able to "detect sensitive content in any combination of network traffic, data at rest or endpoint operations."  The simple fact is that single channel DLP solutions do not provide this functionality.

Joshua goes on to say that many single-channel DLP solutions partner and/or OEM in order to provide complete coverage of network, endpoint and discovery.  I say vendors who partner or OEM in order to provide complete DLP channel coverage should be included in future DLP comparisons.  However, these vendors will need to keep in mind that they'll be going up against solutions with full integration between all channels.  Sometimes no showing at all in an analyst review is better than a poor showing.

Thursday, Jun 24, 2010

Gartner Data Loss Prevention (DLP) Magic Quadrant - SMB DLP?

I was waiting to digest the recent DLP MQ before I posted my thoughts and comments, but just read the Network World article reporting on Gartner analyst Eric Ouellet's presentation at the Gartner Security & Risk Management Summit this week.  (My full response to the new MQ will be forthcoming.)  There was one section that promoted Gartner's "dividing line" between enterprise and SMB DLP solutions.  Below is my post on the subject:

No one will contest the fact that Gartner's data loss prevention leaders (Symantec, RSA, et al) were designed architecturally to support the world's largest enterprise environments. However, I think it's inaccurate to pigeonhole all remaining vendors as suitable only for SMB. Especially considering the fact that some of these remaining vendors have created proven DLP architectures that scale more easily and cleanly than others.

I have experience working with some of the vendors referred to in this report (and the Gartner MQ) as good fits "...for SMBs mainly concerned with a basic compliance need..." While I agree that a couple of them are best-suited to smaller environments, I disagree with the inference that the others are SMB-only solutions. I know two of these vendors have customers with tens of thousands of users--hardly SMB--and one of the others supports multi-gigabit speed networks.

Gartner lists Websense among vendors "suitable for large enterprises" while also listing them as a "good fit for SMBs" in the same sentence. I have to believe that's a simple mistake. But, just in case it wasn't a mistake and we want to confuse the issue further, this report leaves out the Gartner DLP MQ comment that shows Code Green as much more than an SMB solution: "It is very easy to deploy and use for up to 50,000 users, making the overall offering attractive to price-sensitive enterprise buyers."

I have a couple take-aways from this exercise: be sure to do your DLP homework and consider the idea that some vendors may actually be well-suited for and scale from the SMB to the large enterprise.

Tuesday, Jun 22, 2010

Blue Coat Enters the DLP Fray

In a move that failed to surprise many, Blue Coat announced Monday that it has officially entered the data loss prevention (DLP) space.  Given archrival Websense’s acquisition of DLP vendor PortAuthority more than three years ago, some may consider Blue Coat to be the “Johnny-come-lately” of DLP.  While it’s true that Blue Coat is a few years late to the party, the good news for them is that Websense has largely failed to deliver on its original DLP revenue expectations. 

Blue Coat is positioning its DLP offering to compete against the major DLP vendors known for their complexity (Symantec, RSA, McAfee, to name just a few), in a move not unlike GTB Technologies, Palisade Systems and Code Green Technologies.  According to reports, the Blue Coat DLP product is appliance-based and can be deployed in a matter of “hours rather than weeks or months.”  The solution supports fingerprinting of both structured and unstructured data and provides both network and discovery components, but lacks integration of a Blue Coat-provided endpoint solution.  Instead, according to the Blue Coat website, they partner with Code Green Networks to provide endpoint coverage.

Blue Coat has been used to leading the pack, at least when it comes to its renowned ProxySG appliances for web security and WAN optimization.  That landscape is much different in the DLP space as they compete against leading DLP solutions backed by the world’s most recognizable security firms.  With Blue Coat’s customer base of over 60 million users, it will be interesting to see the level of DLP penetration in the coming months.

Wednesday, Jun 02, 2010

Do Data Loss Prevention (DLP) Architectures Matter?

I just found a post in another DLP group asking users for installation graphics in order to understand a particular vendor's deployment methodology.  The resulting comments included things like, "why study the installation of the technologies instead of just the capabilities?"

I found that response to be nearly idiotic.  I don't usually respond in these forums for fear of offending some poor soul, but I couldn't help myself. 

I find xxxxxx's question very useful and an appropriate discussion topic. No one questions the need to cover critical requirements and I assume xxxxxxx's smart enough to know that.

One of the criticisms of DLP is that it's complex. Just ask any company that has tested two or more DLP technologies and they'll tell you some are more complex than others. Depending on an organization's tolerance for complexity, their technical skill level or even just their desire to minimize time spent overseeing four, five or six DLP boxes (whether appliances or software), a vendor's architectural approach is as important as how well a feature list mirrors requirements. (In fact, shouldn't architecture itself be a requirement?)

I agree that deployments are easy, at least conceptually. However, in practice, that's not always the case. I spoke with two companies in the past week who complained of complications during PoC installs--being done by the vendors themselves. In one case, the vendor never got it to work to spec. In both cases the vendors were Gartner MQ leaders.

Monday, May 31, 2010

False Positive "Rates" of Data Loss Prevention (DLP) Solutions

I saw an interesting request posted in a DLP discussion group today asking for the false positive rates for some of the top DLP products in the marketplace.  (Just the question itself, I think, goes to prove that the DLP space is still misunderstood by a lot of would-be DLP users.)

Oh, that it were that easy to have someone provide the "official" false positive rates of each vendor and go and buy the vendor with the lowest false positive rate.  Not only are false positive rates of DLP vendor products impossible to effectively and fairly determine, but the question seems to oversimplify the whole idea of DLP as it discounts dozens of other critical criteria for selecting the right DLP product.

A Note About False Positive Rates

The question of false positives was one of the early complaints about first-to-market DLP technologies.  False positives cast a negative shadow on DLP technologies because of user experience with other commonly-used security technologies.  What added more to the concern was the idea that a false positive could have the unintended effect of hobbling business efficiency.  I have heard horror stories of business production being shut down single-handedly by DLP enforcement technologies.  While the effect is possible, it's hardly likely if today's legitimate DLP technologies are configured and used effectively in the enterprise.  (Maybe a specific post on that at a later time...?)

Unfortunately, while false positives still occur with DLP, many DLP detractors beat that drum with the assumption that false positives will undermine the effectiveness of DLP in general.  Too often, these detractors make such accusations without first-hand experience with legitimate, comprehensive DLP technologies.  

By way of example, many of my customers have used content monitoring technologies of various email security platforms in what they then considered to be DLP.  You can't really blame them for expecting these solutions to effectively prevent sensitive data from leaving the network since almost all email security platforms use the term "Data Loss Prevention (DLP)" in marketing literature.  The difference is that these solutions are limited in how they detect sensitive data.  They rely almost wholly on regular expression patterns for identifying this data, so throw in a pattern for a US SSN and lo and behold, you get a bunch of false positives.  (That's why I hate how the term DLP is so loosely applied to all kinds of security technologies.)

The good news is that today's legitimate DLP technologies rely on far more effective means of sensitive data detection, including exact data matching.  This methodology makes a fingerprint of the known sensitive data (whether that's sensitive database fields or complete documents) and detects actual matches to these fingerprints.  This, along with a number of other detection methods, effectively reduces false positives to next to nothing when used correctly.  This is *the* advantage of legitimate DLP technologies over technologies that include DLP as a feature.

My recommendation is to let legitimate DLP technologies do what they do best:  detect and deal with sensitive data.  Let the email security solutions of the world do what they're good at.

Determining False Positive Rates

I also contend that it's terribly difficult, if not impossible, to get fair and accurate data on the false positive rates of the major DLP vendors.  Here's why:

Legitimate DLP vendors use very similar data detection methods.  Not all, but most, combine a) regular expression patterns (SSN or credit card number pattern matches); b) data fingerprinting (hashes of specific known sensitive data, database fields, files, etc.); and c) content analysis techniques (in their many varied forms).  With a combination of these technologies, it's likely that each DLP technology can be tuned to accurately detect the same stuff as the next guy.  The problem is that fair and accurate testing requires that tuning be performed over a period of time longer than most tests are willing to run.

This also means that users will likely be forced to rely on the studies paid for by the DLP vendors themselves.  Not exactly what I would consider to be fair and accurate reporting of false positive rates.

In the end, because every customer has different data, they will need to test and determine the best solution for their specific needs.  There are DLP vendors that, because of their specific detection methods, may handle certain data types better than others.  That's why it's critical to always understand your sensitive data and then seek a solution that matches your needs.

What Could Be More Important Than Accuracy?

Really, sensitive data detection accuracy is the most critical component of effective DLP.  However, there are so many other criteria for selecting the right solution, including coverage areas (gateway, endpoint, discovery), appliance versus software, tolerance for architectural complexity, etc.

All the effectiveness in the world won't do a bit of good if the platform is too complex for your organization to manage or if it doesn't provide the coverage you need.

Ultimately, do your homework.  But do not get bogged down with this idea of having to know false positive rates of each vendor.  If you wait to move on your DLP project until you get this data, you'll be waiting a long, long time.

Saturday, May 29, 2010

Speaking of DLP Vendors You've Never Heard Of...

Well, I've actually heard of CoSoSys in my research, but have never encountered them in a production environment.  They have a funny YouTube video referencing their "Data Leakage" offering, which is an endpoint device control solution.  I don't see anything on their site about the solution being content-aware (IMHO a critical requirement for endpoint protection if it's to be considered DLP).

Enjoy the video.  But beware the creepy voice at the end.  It gave me nightmares.  ;)

Saturday, May 29, 2010

Ending the Data Loss Prevention Debate?

*  I just re-read this post that goes back two-plus years.  It's interesting to see how things have changed--and what remains the same.  I'll post later this week with my thoughts on ending the data loss prevention debate.

Ending the Data Loss Prevention Debate?  April, 2008


What do Symantec (Vontu), Reconnex, Fidelis, Websense, RSA (Tablus) and the rest of the DLP vendors all have in common?  Not nearly enough.  At least not enough to conclusively call a winner in the battle of DLP technologies.

I spent last week in San Francisco at the annual RSA Conference with the primary goal of getting answers to questions and concerns I have regarding the data loss prevention (DLP) market and the claims and approaches of each of the many vendors.  I was amazed at the extreme opposing viewpoints of different vendors over a number of key technological points.  I walked away with the continuing conclusion that the different platforms, technologies and features are still largely unproven. 

All that notwithstanding, DLP is certainly proving its value.  That’s clear from speaking to organizations that have deployed DLP technologies and many of those that haven’t, but now wish they had!  Any organization with data essential to its operation—whether its own intellectual property, customers’ personally identifiable information, protected health information or non-public information—needs to ensure that it remains safe within the confines of the company’s protected network. 

While I heard a lot of interesting claims as I engaged sales and techs alike at RSA, there were three points on which a number of vendors argued quite forcefully with me.  They were:  the endpoint versus network; stand-alone versus integrated network devices and fingerprinting versus content analysis.

Endpoint or Network?

There are two major camps on the question of where to start monitoring for sensitive data:  the endpoint and the gateway.  While most companies acknowledge the need to address both ends, there is at least one endpoint vendor that doesn’t.  I was told by this vendor that they have no plans to build or OEM a gateway device.  From their perspective, everything can be done more effectively at the endpoint.  A very bold statement, indeed, but one I happen to disagree with.

For the other vendors who take a softer approach on the subject, the preference typically still falls in line with the vendor’s roots.  If the vendor started building DLP gateways, then they very likely favor gateway devices, allowing for the endpoint to handle the “less essential” functions of protecting data in use.  If the vendor started as an endpoint solution, then they likely favor starting at the endpoint, using the gateway device to identify anything the endpoint may have missed.

While it’s true that an endpoint solution has the ability to see everything that the gateway may eventually see, the fact is that most security professionals would rather stick an appliance in the rack than perform a rollout of software on every single workstation in the company.

Regardless of the angle, the fact remains that not all essential data will leak via the network nor will all of it leak at the endpoint.  The first step in any DLP initiative is a risk assessment to determine the extent of the problem—who is sending what to where and how?  From my personal experience, this is most quickly and easily accomplished at the gateway.  From there, the deployment should certainly include software at the endpoint as well as a discovery module to identify where the essential data resides in the network.

Stand-Alone or Integrated Network Device?

One commonly overlooked aspect is whether the gateway device should be a stand-alone appliance or integrated with other network devices.  The question seldom comes up simply because there are very few vendors in the space who have built products that can not only detect sensitive data, but also prevent it from leaving the network.  This may come as a surprise to most people interested in DLP, but nearly all of the available solutions in the DLP marketplace require other devices in order to prevent (or block) more than just SMTP. 

This typically comes in the form of an in-line proxy device—either from a third-party vendor or from one of the DLP vendors themselves.  These devices are typically limited to preventing only the most basic network protocols of HTTP and FTP (and HTTPS if the device can handle SSL certs).  This still leaves open a number of widely-used protocols as well as generic TCP traffic.

If your company already has a proxy infrastructure, this may be a moot point as you’re able to integrate the DLP solution with the proxy device.  If proxies are not a part of your current infrastructure, you might consider one of the vendors who provide integrated enforcement on a single device.

In either case, it pays to address this issue up front before you get too far down the road in evaluating the different DLP vendors.  Ask this question:  How can your product effectively block all protocols—including generic TCP—at the gateway?

Fingerprints or Content Analysis?

Each vendor must identify sensitive data in order to effectively function as a data loss prevention solution.  There are two general methodologies used to identify sensitive data:  data registration, where known sensitive data is logged and stored in a database using a digital fingerprinting process, and content analysis, where sensitive data is identified on the fly based on content and/or context.  Here are a couple of examples of both technologies in action:

Example 1:  A financial institution wants to protect their customer database of personally identifiable information (PII), such as name and credit card number.  They elect to fingerprint their customer database, including first and last name and an account number that varies between 5 and 8 digits.  They create a policy that prohibits the sending of first and last name and social security number such that when the DLP solution sees the exact matches of “Jared Thorkelson 123456” in an email transmission, it takes action and blocks the email.

Example 2:  A large retailer wants to protect their customer payment card data before it reaches their main database.  They choose to use the content analysis tools of their DLP solution to watch for generic credit card numbers.  They create a policy that prohibits the sending of credit card numbers such that when the DLP solution sees a number “4444 4444 4444 4444” which matches the DLP solution’s regular expression for a Visa Card number in an email transmission, it takes action and quarantines the email.

The examples above show situations where one data identification method works far better than another.  In the case of Example 1, it is impossible for a content analysis tool to consistently and correctly identify a first or last name and to distinguish between an account number and any other 5- to 8-digit number.  In Example 2, it is impossible to fingerprint data before it reaches a database, so a credit card regular expression works best.

Most DLP solutions use some level of both methods for identification of sensitive data since certain methods are simply better suited to different types of data.  I was surprised to hear one vendor dismissing fingerprinting technologies altogether and another downplaying the benefits of content analysis.  Get the low-down from your DLP vendor on their different detection methodologies.
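The exact-matching rule from the Myth #1 post and the two detection methods of Example 1 and Example 2 can be compared side by side in the following added sketch, which is not code from these posts or from any vendor's product. It assumes HMAC-SHA256 as the fingerprint and single-word field values; the records, key and messages are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample records (not real people or identifiers).
CUSTOMER_RECORDS = [
    {"first": "Dana", "last": "Rivera", "ssn": "900-55-0101"},
    {"first": "Steve", "last": "Smith", "ssn": "900-55-0202"},
]
FINGERPRINT_KEY = b"constructed-demo-key"  # assumption: secret held by the detector

SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")       # simple SSN-shaped pattern
CARD_RE = re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b")  # simple Visa-shaped pattern
WORD_RE = re.compile(r"[A-Za-z]+")


def fingerprint(value):
    """Keyed hash of a normalized field value, so the index holds no raw data."""
    normalized = re.sub(r"[^0-9a-z]", "", value.lower())
    return hmac.new(FINGERPRINT_KEY, normalized.encode(), hashlib.sha256).hexdigest()


def build_index(records):
    """Registration step: one {field: fingerprint} dict per database record."""
    return [{f: fingerprint(v) for f, v in rec.items()} for rec in records]


def regex_ssn_hits(text):
    """Pattern-only detection: anything SSN-shaped counts as a hit."""
    return SSN_RE.findall(text)


def exact_match_hits(text, index, key_field="ssn", min_other_fields=2):
    """Exact matching: the key field plus other fields of the SAME record."""
    seen = {fingerprint(tok) for tok in WORD_RE.findall(text)}
    seen |= {fingerprint(m) for m in SSN_RE.findall(text)}
    hits = []
    for record_no, rec in enumerate(index):
        if rec[key_field] not in seen:
            continue  # this record's SSN is not in the message
        others = sorted(f for f, fp in rec.items() if f != key_field and fp in seen)
        if len(others) >= min_other_fields:
            hits.append((record_no, others))
    return hits


def evaluate(text, index):
    """Run both methods; raise an incident on an exact match or a card pattern."""
    exact = exact_match_hits(text, index)
    cards = CARD_RE.findall(text)  # data not yet registered: pattern is all we have
    return {
        "regex_ssn": regex_ssn_hits(text),
        "exact_match": exact,
        "regex_card": cards,
        "incident": bool(exact or cards),
    }


INDEX = build_index(CUSTOMER_RECORDS)

# Constructed messages covering the cases the posts describe.
MSG_PART_NUMBERS = "Part 555-12-3456 replaces 555-12-3457 in the catalog."
MSG_REAL_LEAK = "Per HR: Dana Rivera, SSN 900-55-0101, starts Monday."
MSG_MIXED_RECORDS = "Steve Smith asked about 900-55-0101."
MSG_NEW_CARD = "Customer paid with 4444 4444 4444 4444 at register 7."

if __name__ == "__main__":
    for msg in (MSG_PART_NUMBERS, MSG_REAL_LEAK, MSG_MIXED_RECORDS, MSG_NEW_CARD):
        print(msg)
        print("  ", evaluate(msg, INDEX))
```

The part-number message produces two regex hits but no incident, and the message pairing one record's SSN with another record's name does not trigger, which is the "same database record" condition described in the Myth #1 post.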

Conclusion

There is no right answer to any of the different vendor claims.  No vendor technologies, platforms or features can be proven superior to another’s largely because the technology is so new and very few organizations have tested more than a single vendor’s product.  I guess that may be the natural course of all new technology.

It pays to do your homework and to invest in outside DLP expertise before venturing down your own DLP project road.

Friday, May 28, 2010

Where to Find Credible Data Loss Prevention (DLP) Information?

Do a simple Google search for "data loss prevention" and try to find information that's not provided by DLP vendors themselves or the analysts on their payroll.  Besides a Wikipedia entry on the subject, you'll be hard-pressed to find any open and unbiased discussions on the subject of DLP.

This makes it very difficult to find information aside from the usual vendor-specific product collateral.  There are a few sources, however.  Below, I've listed some top sources for information on DLP available online.

LinkedIn Groups
There are a number of groups accessible on LinkedIn with open discussions on the topic of DLP.  While there are a number of them, only a few have more than 100 subscribers and only one has any real activity at all: Data Loss Prevention (DLP) Forum.  Most of the LinkedIn DLP groups were started by DLP vendor employees as a means of lead generation, however, they may still provide for open discussion on the topic.

Blogs
On Data Loss Prevention (http://www.ondlp.com) is a blog hosted by Dave Meizlik of Websense.  While Dave's views are certainly not centrist (as the employee of a DLP vendor), he provides a lot more inside information on the marketplace than you find elsewhere.

Security Pubs
There have been a few good articles or reviews on data loss prevention technologies over the past few years, but there have also been a number of them that have been poorly done and misrepresented the marketplace.

DLP Experts DLP Forums
In the DLP Forums at http://www.dlpexperts.com, you'll find not only information on vendors, products and happenings in the marketplace, but also open discussions to address your specific questions on DLP.