The most valuable assets of a company are also the most difficult to protect.
We are talking about data, the essential substance that keeps every company’s nervous system alive. Fortunately, there is an entire industry dedicated exclusively to help companies avoid data loss. This industry is led by a handful of vendors that provide a technology known as Data Loss Prevention, or DLP for short.
DLP technologies perform two core functions.
- Identify the sensitive data that needs to be protected
- Prevent the loss of such data
The kinds of data they protect can be divided into three primary groups:
- Data in use
- Data in motion
- Data at rest
Data in use refers to active data, typically data that reside in RAM, cache memories, or CPU registers.
Data in motion refers to the data that is traveling through a network, either an internal and secure network or an unsecured public network (internet, telephone network, etc.).
And data at rest refers to the data that is in an inactive state, either stored in a database, a file system, or a storage infrastructure.
In terms of coverage capabilities, DLP solutions can be classified into two categories.
- Enterprise DLP or EDLP
- Integrated DLP or IDLP
The solutions that fall into the EDLP category are those that cover the entire leakage vector spectrum. By contrast, IDLP solutions are focused on a single protocol or on only one of the three previously mentioned kinds of data. Some examples of IDLP solutions are web security, email encryption, and device control.
What to expect of a great DLP solution?
There is no such thing as a one-for-all solution in DLP. The right solution for each necessity depends on many factors. These include organization size and budget, types of sensitive data, network infrastructure, technical requirements, between others. To determine which solution is best for your company requires effort and research, in order to determine what to choose between DLP approaches, detection methods, and solution architectures.
After researching and analyzing your requirements, your ideal DLP solution should provide the optimal balance of these aspects:
- Comprehensive Coverage: The DLP components should cover the network gateway so as to monitor all outbound traffic and block leakages in the form of emails and web/FTP traffic. They should also cover stored data across all the company’s storage resources, and all the endpoints, to prevent losses on the data in use.
- Single Management Console: The DLP solution management requires effort and time spent in system configuration/maintenance, policy creation/management, reporting, incident management/triage, early risk detection/mitigation, and event correlation. The support of these areas requires a single management console. Otherwise, you can introduce unnecessary risks.
- Incident Management for Compliance: When a data loss incident occurs, its proper handling is crucial. You have to be conscious that data loss is inevitable, but the difference between a costly fine and a slap on the wrist can be made in the way a data loss incident is handled.
- Detection Method Accuracy: Last but not least, this aspect of a DLP solution separates the good solutions from the bad. DLP technologies depend on a reduced set of detection methods when the time comes to identify sensitive data. Pattern matching, using regular expressions, is the most widely-used detection method. However, this method is highly inaccurate, resulting in long queues of false-positive incidents. Good DLP technologies should add other detection methods to the traditional pattern matching in order to improve accuracy.
Major DLP approaches
When DLP solutions started to soar, all vendors approached DLP with sets of components designed to cover the company’s infrastructure. Nowadays, the situation has changed, and not all vendors are using the same approach. These approaches fall into two main categories.
- Traditional DLP
- Agent DLP
Traditional DLP is offered by some of the vendors in the market, such as Forcepoint, McAfee, and Symantec. The traditional approach these vendors offer is also a multi-pronged one: it provides coverage at the network gateway, in the storage infrastructure, at the endpoints, and in the cloud. This approach was successful enough to outline today’s DLP market and was the first to grab an important piece of market share.
The second approach to DLP is called Agent DLP, or ADLP. It uses kernel-level endpoint agents that monitor all user and system activity. That’s why the solutions that fit into this approach are also known as Endpoint DLP solutions.
It is not easy to determine which approach is best for an organization’s requirements. It heavily depends on the types of data that need to be protected, the industry in which the organization operates, and the reasons for protecting the data. For example, organizations in the healthcare and financial industries are forced to use DLP for regulatory compliance. For these companies, a DLP solution needs to detect personal and health information across different channels and in many different forms.
On the other hand, if a company needs DLP for intellectual property protection, the DLP solution to apply would require more specialized detection methods. Also, accurate detection and protection of sensitive data are much more difficult to achieve. Not every traditional DLP solution is going to provide the right tools for this job.
DLP architecture: how to survive solution complexity
DLP technologies are sophisticated. They require inputs from many disparate areas: web, email, databases, networking, security, infrastructure, storage, etc. Also, the impact of a DLP solution could reach non-IT areas, such as legal, HR, risk management, etc. To make it even more complex, DLP solutions are usually very difficult to deploy, configure, and manage.
Traditional DLP solutions add even more complexity to the recipe. They require multiple devices and software to run the complete solution. These could include appliances (virtual or real) and servers.
The organization’s network architecture must integrate those devices, and this integration needs to include outbound network traffic inspection, email blocking, etc. Once the integration is done, another level of complexity arises management complexity, which depends on each vendor.
Agent DLP solutions are usually less complex than traditional ones, mainly because they require little or no network integration at all. However, these solutions interact with the OS at the kernel level. Therefore, extended tuning is required to avoid conflict with the OS and other applications.
DLP vendor breakdown:
Digital Guardian was born in 2003 as Verdasys, with the goal of providing technology to prevent intellectual property from being stolen. Its first product was an endpoint agent capable of monitoring all user and system activity.
Besides monitoring illegal activities, the solution also logs apparently benign activities, in order to detect suspicious actions. Logging report can be analyzed to detect events that TDLP solutions are not able to capture.
DG acquired Code Green Networks so as to complement its ADLP solution with traditional DLP tools. However, there is little integration between DG’s ADLP and TDLP solutions. They are even sold separately.
Forcepoint is situated in a privileged position in Gartner’s “magic quadrant” of TDLP vendors. Its security platform includes a set of products for URL filtering, email, and web security. Those tools are complemented with some renowned third-party solutions: SureView Insider Threat Technology, McAfee’s Stonesoft NGFW, and Imperva’s Skyfence CASB.
The architecture in the Forcepoint’s solution is simple, in comparison to other solutions. It includes servers for management, data and network traffic monitoring, and email blocking/web traffic monitoring. The solution is user-friendly, and it includes many policies, categorized by country, industry, etc.
Some features make the Forcepoint DLP solution unique. For example, OCR capability to detect sensitive data in image files. Or incident risk ranking, to let system administrators see which incidents should be reviewed in the first place.
Since its acquisition by Intel, McAfee didn’t make too much investment in its DLP offering. Therefore, the products didn’t get many updates and lost ground to competing DLP products. Some years later, Intel spun-off its security division, and McAfee became an autonomous company again. After that, its DLP product line got some necessary updates.
McAfee DLP solution is composed of three main parts, covering
One component is quite unique among other DLP offerings: The McAfee DLP Monitor. This component allows the capture of data from incidents fired by policy violations, together with all network traffic. This way, the component allows for the review of most data and can uncover incidents that otherwise could go unnoticed.
McAfee’s ePolicy Orchestrator takes care of most of the management of the DLP solution. But there are still some management tasks that need to be done outside the Orchestrator. The company still has to integrate its DLP offering fully. It is yet to be known if it will be done in the future.
Symantec is the undisputed leader in the field of DLP solutions, thanks to the continuous innovations it applies to its product portfolio. The company has the largest installed base of any DLP vendors. The solution has a modular approach, with a different software component required for each function. The component list is quite impressive, including Network Prevent for Web, Network Prevent for Email, Network Monitor, Endpoint Prevent, Data Insight, Endpoint Discover, etc.
In particular, the unique Data Insight component provides visibility of unstructured data usage, ownership, and access permissions. This advantage lets it compete with products outside the DLP arena, providing extra value for organizations that can leverage this capability.
Symantec’s DLP can be customized in many diverse ways. Almost every feature has its configurations, providing a high level of policy tuning. However, this advantage comes at the cost of a bigger complexity. It is probably the most complex in the market, and it might require quite a lot of hours for deployment and support.
EMC’s DLP solution, RSA Data Loss Prevention, lets you discover and monitor the flow of sensitive data, like corporate IP, customer credit cards, etc. The solution helps educate end-users and enforce controls in email, web, phones, etc., to reduce risks of compromising critical data.
RSA Data Loss Prevention differentiates itself by providing comprehensive coverage, platform integration, and workflow automation. It offers a combination of content classification, fingerprinting, metadata analysis, and expert policies to identify sensitive information with optimal accuracy.
EMC’s extensive coverage includes many risk vectors. Not only the most common email, web, and FTP, but also social media, USB devices, SharePoint, and many others. Its approach centered on user education seeks to generate risk awareness among end-users, guiding their behavior when dealing with sensitive data.
CA Data Protection
CA Data Protection (Broadcom’s DLP offering) adds a fourth class of data –besides in-use, in-motion, at-rest– that needs to be protected: on-access. Its focus is on the place where data is located, how it is handled, and what is its sensitivity level. The solution seeks to reduce data loss and misuse by controlling not only the information but access to it.
The solution promises network administrators to reduce the risk to their most critical assets, control information across enterprise locations, mitigate high-risk modes of communication, and enable compliance with regulatory and corporate policies. It also sets the ground for a transition to cloud services.
Save you millions or cost you millions?
The best DLP solution could indeed save you millions. But it is also true that it could cost you millions if you don’t choose the right one for your needs, or if you don’t deploy it the right way. If you thought that choosing the right DLP solution was only a matter of browsing a feature-comparison chart, you were wrong.
So be prepared to spend a big deal of effort not only to put a DLP solution to work once you buy it but also to analyze all offerings and choose the one that better fits your organization.