DLP tools deliver strong endpoint protection
- 13 August, 2012 04:31
With serious data breaches occurring on almost a daily basis, concerns about data protection have skyrocketed. While some experts believe endpoint breaches may no longer comprise the majority of data leaks, the intentional or unintentional release of sensitive data from endpoints within an organization, whether by employees, contractors or guests, remains a serious problem that data loss prevention (DLP) products seek to address.
We tested broad-based DLP products from four vendors: Sophos, Trend Micro, Verdasys and Websense, plus we tested Cisco's Ironport Email Security Appliance (see sidebar). (Symantec, TrustWave, McAfee, Code Green Networks, RSA and Computer Associates were invited to participate, but declined.)
Our overall conclusion is that these products work well in blocking unintended releases of sensitive information, and also work just fine in an environment where the IT department has control over the types of email systems and browsers that are being deployed by end users. In a scenario where an end user is determined to find holes in the DLP system, IT needs to be extra vigilant.
For example, we found that we could thwart some of the DLP systems by using Mozilla Thunderbird for email. The vendors told us the workaround was simple enough: block the use of non-Outlook email. But this example points to the fact that a successful DLP deployment requires constant attention. (See how we conducted our test.)
All five products tested were easy to install and we experienced no difficulty getting each product up and running on our test LAN, usually within an hour. DLP policies and enforcement rules were easy to create and deploy in our test environment, once any applicable endpoint agents were in place, although some server consoles, notably Websense and Verdasys, seemed more intuitive than others. As we expected, policies were enforced regardless of our status as Windows users - i.e. being a system administrator in Windows did not allow us to bypass rules.
Overall, the products passed our DLP tests by successfully blocking data transfers, quarantining or auditing sensitive data, or warning the end user, depending on how enforcement was configured. In some cases, tweaking and workarounds were needed to achieve a successful result. Only one product, Sophos Enterprise Console, passed all our endpoint tests without workarounds.
While there are many more similarities in the features of the products we tested than differences, a few things stood out. For example, Cisco's Ironport Email Security Appliance turned out to be even more flexible than expected. The Ironport ESA 'officially' supports Microsoft Exchange, but we got it to work just fine with our free hMailServer by setting up just a few simple SMTP rules to route mail to the ESA as the last hop out. It also protected data no matter which email client we used, which was not necessarily the case with the other DLP products, several of which failed tests when we used email clients such as Mozilla Thunderbird.
Surprisingly, we were able to wreak havoc across three products - Websense, Verdasys and Trend Micro - with Google's Chrome browser. While it seems a reasonable assumption that DLP products would support the most popular browsers (Chrome, IE, Firefox, and Safari), we quickly discovered this was not the case. In the products affected, we were initially able to freely upload and email sensitive data via Chrome without so much as a peep from the endpoint agent or DLP server, even when we had rules configured to prevent such transfers. All but one of the Chrome test failures were eventually resolved with workarounds.
Across the board we noted that the products could use better real-time synchronization of events between the server and endpoint agents. We did not delve into the causes -- our test network was a standard wired Ethernet LAN with gigabit connections and no network traffic except between the server and the client, so we doubt that the latency issues were related to the test environment. Since we were in test mode we were more impatient for real-time responsiveness; in a production environment, if it takes a few moments more to synchronize endpoints, it might not be an issue.
Here are the individual product reviews:
Sophos: Content Control Management
We installed the Sophos Enterprise Console on a 32-bit Windows Server 2008 R2 Standard Edition Dell rack server. The installation utilizes a familiar wizard-type walkthrough and the install performs system checks to make sure the server meets minimum specifications.
When the server is installed it creates a bootstrap location that can be shared on the network. This contains an executable that can be run on the client endpoints to install the agent. The agent install was straightforward, but on our endpoint it did not provide any notification to indicate that the install was complete. This could be intentional to streamline remote installation.
The web-based Enterprise Console provides a rich user interface with numerous management options.
However, this is a console that is capable of managing more than just DLP, so there are a lot of drop-downs and menus that are shown, but disabled until you are in the right section for these to become active. For example, intuitively we tried to open the 'Policies' menu at the top, but all the selections were grayed out. At first we thought we had the wrong license activated, but as it turned out we had to click on a different section below the menus to actually get to the DLP policies. A bit counterintuitive, but once we found it, everything proceeded smoothly.
We were able to easily create and edit rules, whether custom or based on predefined policies. This screenshot shows some of the many predefined options available just for managing credit card data.
After some minor tweaking all of the rules behaved as expected (blocked or warned) and Sophos was the only product that did not fail any of our DLP tests.
The Enterprise Console comes with about ten pre-defined reports and includes the capability to create custom reports with a variety of parameters. Reports can be output to multiple formats such as PDF, HTM, Excel and XML.
- Very comprehensive device and application control
- Supports Google Chrome browser
- Passed all tests without workarounds
- Endpoint took too long to retrieve latest policies from server
- Console menus could be more intuitive
Trend Micro System: Tested Trend Micro Data Loss Prevention for Endpoints
We chose to install the Trend Micro server as a bare-metal Linux server and it took less than 10 minutes to get the server up and running. The agent install was a bit more cumbersome, as we needed to copy files to the endpoint and run a command from a command prompt in order to install; the .msi installer did not succeed, even after re-imaging the Windows 7 client. A reboot was needed to activate the agent and obtain the latest policies from the server.
After loading the Web console we reviewed the built-in templates of which there were just over 100 in the version we tested, ranging from domestic regulations such as HIPAA, Gramm-Leach-Bliley and PCI-DSS to international regulations by country. You can also build your own template or import templates in binary or XML format.
Overall, we found Trend Micro's approach to creating and managing templates and policies intuitive and easy to use. As for what action to take when a violation is detected, there are multiple options such as Pass or Block, Notify the client, Notify the administrator, Encrypt data or Prompt the user to enter a justification.
Next we created a much broader custom policy that selected all channels in order to prevent credit card data from being moved outside the network.
This broad-based channel protection successfully blocked our attempts to transfer credit card data and other policy-based, sensitive information, which was quarantined with a warning (per our rule configuration).
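To show the kind of check such a credit-card policy performs, here is an added, simplified illustration (not any vendor's code): candidate numbers are extracted, validated with the Luhn checksum so that ordinary 13-16 digit runs such as order numbers do not fire the rule, and an enforcement action is chosen from the options the review lists. The policy fields, channel names and sample message body are constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical endpoint-agent policy check (added illustration, not a vendor implementation).
# A 13-16 digit run, optionally separated by spaces or dashes, not adjoining other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return candidate PANs that also pass Luhn; the checksum filters out most
    random digit runs (order numbers, timestamps) that a bare regex would flag."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Policy:
    channels: set   # constructed channel names; "*" selects all channels
    threshold: int  # number of valid PANs needed before the policy fires
    action: str     # "pass", "block", "quarantine", "notify" or "justify"


def evaluate(policy: Policy, channel: str, content: str) -> str:
    """Decide the enforcement action for one transfer attempt on one channel."""
    if "*" not in policy.channels and channel not in policy.channels:
        return "pass"
    return policy.action if len(find_card_numbers(content)) >= policy.threshold else "pass"


# Constructed sample: an order number that looks like a PAN plus two well-known test card numbers.
SAMPLE_EMAIL_BODY = (
    "Customer order 1234567890123 shipped. Card on file 4111 1111 1111 1111 (Visa), "
    "backup 5500-0000-0000-0004."
)
BROAD_POLICY = Policy(channels={"*"}, threshold=1, action="quarantine")   # all channels
EMAIL_ONLY_POLICY = Policy(channels={"email"}, threshold=1, action="block")

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_EMAIL_BODY))
    print(evaluate(BROAD_POLICY, "web_upload", SAMPLE_EMAIL_BODY))
    print(evaluate(EMAIL_ONLY_POLICY, "usb", SAMPLE_EMAIL_BODY))
```

Raising `threshold` above 1 is the usual way to cut false positives from a single stray number, which is the sort of "minor tweaking" the review mentions.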
However, as the tests proceeded, we discovered we were able to use the Google Chrome browser to upload a sensitive file via Web upload, and we also used Chrome with Gmail to email a sensitive file. The file was not blocked, and no alert was raised. After we reported the problem, Trend Micro provided us with a newer version of their product (Version 5.6) that solved the first issue, but the second issue remained open. The vendor's official response at the conclusion of testing was that the DLP agent doesn't support HTTPS via Google Chrome, further explaining that "the vast majority of our enterprise customer installations are using IE and Firefox. Adoption of Chrome in the consumer space is growing rapidly but is not quite there on the enterprise side."
Except for the issues noted above, all other tests passed without incident.
The Trend Micro DLP server does not come with any pre-defined reports, but you can easily create custom reports using the built-in report generator. Reports can be saved in different formats such as HTML or PDF, and can be sent via email to one or multiple recipients on a recurring schedule.
- Ease of server installation
- Intuitive browser-based user interface
- Easy to create and manage policies
- Lack of support for Chrome browser
Verdasys System: Tested Digital Guardian Hosted Enterprise DLP Service
With Verdasys, we tested the company's cloud-based service. The endpoints have an agent installed, and policies are either manually updated on the endpoint or synchronized at predefined intervals when connected to the Internet. The agent is installed from an MSI file, but can also be pushed from the console or installed when the endpoint is commissioned. The management console is accessed via a browser-based interface.
Most of the rules behaved as expected and informative error messages were displayed to the user (the product can also be configured to suppress user notifications). When using the Chrome browser and Thunderbird email client we ran into some issues as these are not currently supported natively, but Verdasys engineers assisted with writing custom rules that provided the desired protection.
The Digital Guardian tagging capabilities allowed us to classify a folder as 'Classified' and thus restrict handling of content in this folder. This extends not only to the files themselves, but also any derivative content. This worked well against our attempts to transfer data by copying just a portion of the content to Notepad and trying to save it, or saving a screenshot of the data. Both attempts were blocked successfully.
The Verdasys solution provides a lot of granularity when creating rules, but we found this to be a mixed bag. Some of our rules did not behave as expected until we went back and tweaked them, and we found the wizard to be a bit less than intuitive. However, this is probably a training issue: Verdasys recommends a week of training, compared to the much shorter time we had at our disposal. The rules are created in XML-style markup, and we suspect that once you become familiar with the tags you can write the rules directly in XML instead of going through the wizard every time.
Although Verdasys provides mobile endpoint protection through an agent that works in conjunction with a mail server such as MS Exchange or Lotus Notes, we were not able to test this capability due to time constraints.
The reporting capabilities are very rich and you can essentially drill down to very detailed information such as which user printed which document at what time.
- Hassle-free installation (endpoint agent only - no server install with SaaS version)
- Directory and file 'tagging'
- Excellent monitoring capability
- Rule writing wizard needs to be more intuitive
- Policies/rules a bit finicky
- Slow synchronization between agent and server
- Doesn't support Chrome (per Verdasys, support for Chrome will be included in the next product release)
Websense System: Tested Triton Data Security Suite
Websense provided us with what they unofficially call a 'Protector,' essentially a preconfigured Windows 2008 server running its Triton Data Security Suite. The server sits in line with the corporate network like any other server.
Although the installation of the Triton Data Security Suite requires a number of steps, it was fairly straightforward and we were up and running in less than an hour. We configured the test LAN as a logical business unit with certain geographical policy preferences.
An endpoint agent is installed on each 32- or 64-bit client. After installation of the agent, the client machine synchronizes with the Websense Triton server, and events on the client are monitored and acted upon according to the policies and rules configured for each client machine.
Websense passed all the tests we threw at it until the Chrome browser test. We were able to upload a sensitive document using the Chrome browser, although as was the case with other vendors who failed the Chrome test, the same test data was blocked successfully using both Internet Explorer and Firefox. Websense quickly provided a workaround, allowing us to clear the flag on this test.
Websense offers mobile endpoint protection through its Triton Mobile Security. This is a cloud-based solution delivered via VPN: any device, BYOD or company-owned, can be registered, and all of its traffic is then routed through the VPN. This allows Triton to block access to websites and apps as well as provide full email DLP protection. We tested the mobile email protection with our lab iPhone and confirmed that we were not able to send or receive emails containing information in violation of the PCI-DSS and HIPAA policies that were set up for use in our tests.
The Websense Triton server comes with a rich DLP report catalog including numerous pre-defined reports and the ability to drill down to various detail levels. The reporting feature also allows the admin to take action on items that need to be resolved. Some customization is available and reports and data can be exported to several formats including PDF and CSV.
- 1,600+ predefined policies
- Optional configuration for geographical, logical or operational units
- Powerful, intuitive and comprehensive system console
- Ability to launch corrective action from inside the reporting module
- Doesn't natively support all popular browsers (namely Chrome) - the vendor is looking into this for a future release
How to choose a DLP Product
The DLP market is starting to mature, and products are becoming more stable, hence the very consistent 'passing' grades across products on our endpoint tests. With more similarities than differences in product features, choosing a DLP vendor is likely to hinge on considerations other than feature-by-feature comparisons. Factors such as market share, vendor strength and reputation, and TCO (total cost of ownership) should be taken into account. Organizations new to DLP may wish to deploy DLP gradually, starting out with easily implemented solutions such as a single-channel or hosted solution. Organizations that seek to immediately protect all channels and all network layers will more likely be drawn to full suite products they can install and maintain directly. (All of the vendors in our test offer DLP products beyond endpoint in one form or another.)
TCO comprises many elements, but in addition to product cost, organizations should expect a fairly significant learning curve if they have no prior experience with DLP and expect to jump right into a full DLP suite. The learning curve has less to do with plugging the vendor's product into the corporate network (which we found to be quite straightforward with all products tested) than with going through the business process of deciding which data needs protection, what actions to take if policies are violated, and determining where the buck stops and who is allowed to 'override' the system. This gets into the area of usability and user productivity vs. data protection, a topic beyond the scope of this review, but not an area that should get short shrift. More than one vendor told us that DLP administrators who went about locking the network down without going through the proper management channels reduced their DLP product to 'shelfware' in rather short order.
It was nonetheless quite empowering to view the capabilities of each DLP tool we tested in real time as a mechanism for gaining control over what is becoming a battle that can no longer be waged by passive methods, such as viewing and analyzing server logs. While such data is useful, it is largely academic, since it cannot predict where the next data leak will come from, and log analyzers can't prevent loss, only report it after the fact. Whether an organization's data protection needs center around regulatory compliance, or protecting intellectual property or other sensitive corporate data, a good, centrally-managed DLP solution can greatly reduce attack risks (both from within and without). DLP products are becoming an essential component in the increasingly complex challenge of protecting digital assets.
Perschke is CSO for Arc Seven Technology. She is also an experienced technical writer, and has written numerous white papers for a number of organizations, including Fortune 500 companies. Susan can be reached at firstname.lastname@example.org.