Most security tools are focused on keeping external attackers at bay. But what about the sensitive data that lives inside your network? How do you make sure it doesn’t get out, either intentionally or by accident?
That’s where Data Loss Prevention (DLP) comes into play. DLP tools are designed to block protected data from being shared in various ways, everything from e-mail attachments to printing to even screen captures. DLP can protect core network stores as well as connected endpoints which might have confidential information.
We looked at DLP solutions from Comodo, Digital Guardian and Forcepoint. Symantec was invited to participate, but declined.
Of the three products tested, Forcepoint Triton was the most mature, easiest to set up and had the most features. It would probably be the best choice for most organizations, especially those under regulatory pressure from federal and state governments.
Digital Guardian DLP was able to eliminate almost all false positives, even for very large installations, and would be a good choice for organizations with huge amounts of intellectual property, where too many false positives would be debilitating.
Comodo DLP started as a blank slate, but offered a lot of flexibility as well as extras like a VPN, firewall, patch and mobile device manager, making it a good choice for organizations just getting up to speed with their overall cybersecurity defenses, and which need to include DLP as part of that package. (See screenshots of each product.)
Here are the individual reviews:
| Product | Comodo DLP | Digital Guardian Network DLP | Forcepoint DLP |
|---|---|---|---|
| Price | $8.29 per seat based on a three-year commitment and 5,000 or more seats. | Starts at $25,000. | $44.50 per seat for 5,000 users; 10% discount for multi-year contract. |
| Pros | All attempted breaches are logged, and the files can be archived for study; works as part of an overall security package or standalone; can stop printing, screenshots and copying of entire documents or tiny snippets from protected files; can be used to prevent protected data from entering or exiting a network. | Precise rules can be crafted to ensure almost no false positives; can be up and running in just a few hours; can be used as part of a user awareness training program or can be completely secret; can automatically encrypt sensitive communications in addition to blocking or quarantining. | Comes with over 1,700 preset DLP rules and regulatory compliance settings; can scan Dropbox, Office 365 and OneDrive to look for protected data already in the cloud; has an OCR engine that can find protected data in screenshots and graphics; can encrypt files. |
| Cons | Lack of plug-and-play rules means a lot of work needs to be done by hand, putting a larger burden on DLP administrators. | Emphasis on reducing false positives with large datasets can mean that smaller or one-off data policy breaches can slip through; highly detailed rules may require tweaking over time; data tagging may be necessary to completely eliminate false positives. | Can only be installed as a module under AP-Email or AP-Web in the Forcepoint Data Security Suite. |
Comodo DLP is installed as a network or virtual appliance and works either independently or as part of the Comodo 360 Complete Security Bundle. The full suite includes things like sandboxing files to look for threats, VPN, a firewall, patch management, a Web security agent and even a mobile device manager. It would be a good choice for an organization that is beefing up its endpoint, boundary and network protection at the same time. For this evaluation, we only looked at the DLP component.
The Comodo appliance is reasonably priced at $8.29 per seat based on a three-year commitment and 5,000 or more seats. The appliance’s software is configured to be able to handle that load and we tried to overload it without success. With a virtual appliance, expanding power to match increased capacity is also a simple process.
Comodo DLP can protect data stored on internal network drives right from the start, but gets much more powerful if agents can be installed on connected endpoints. Pushing the agents out to Windows clients (there is no Mac support yet) is a simple process, though you do need to have the rights to be able to do so. With agents installed, Windows clients can be locked down in the same way that the main data servers are, including USB and even printing protection.
Out of the box, the Comodo DLP that we tested was pretty much a blank slate. It has a lot of powerful potential, but needs to be programmed. For many organizations this probably won’t be a problem since they know the kind of data that they hold and need to protect. Common things like credit card information or ABA routing information can easily be added to the list of protected objects, as well as information combinations such as Social Security numbers in conjunction with the names of diseases or national drug codes.
It would be nice if there were common settings for things like HIPAA or PCI compliance that would set up all the necessary rules based on those guidelines. You can configure a very tight set of rules to protect against any regulatory breaches, but it can take a long time setting it all up manually.
In addition to blanket rules that apply to any data, you can also configure Comodo DLP to protect files based on almost any other factor, such as the source of the info or the destination. Even time of day rules can be set using the main interface. And of course, individual files and folders can be protected regardless of any other factor.
Using Comodo DLP, we were able to configure some very specific rules. For example, we allowed anyone to access a certain folder containing several data files. However, users were not allowed to print any of the information or copy it to another drive. In addition, certain documents were locked down so that no part of them could be copied and removed by any means, even by highlighting certain parts and copying and sending snippets. Outside of that protected folder, the blanket rules applied, so that for example, no credit card information could leave the system.
The console gives administrators lots of options regarding how to deal with attempts to exfiltrate protected data. It can be simply blocked, the fact that it was blocked can be recorded, users can be warned or kept in the dark as to Comodo’s actions, or everything that a user tried to illegally copy can be archived for later examination.
So for example, one entire folder on our test network was protected against copying. When we tried to pull files from the network and save them on a key drive, not only was that transfer stopped, but a full archive of every file that we tried to copy was provided inside the Comodo DLP administrator interface.
The same thing happened when a user tried to print a document which was protected. The process was stopped, the user was warned as per the policy we configured, and the document was archived in the main interface. Building up an audit trail is thus incredibly easy. Insider threats can likely be weeded out from legitimate mistakes based on the volume of attempted data breaches alone, with a full audit trail to prove everything for authorities.
When the full text of a .pdf document was protected, Comodo DLP was able to keep that information safe in a variety of ways. First, we blocked copying by simply defining clipboard policy rules as well as screenshot rules. But even with those disabled, Comodo was able to recognize when we tried to cut a small snippet out of a protected document and send it out using instant messaging. Comodo uses both text and hash matching to lock everything down. When we tried to share our tiny snippet, the DLP kicked in and blocked that process, with the aforementioned archiving so that administrators could see what we were trying to do when the policy was broken.
The Comodo DLP program is designed for network installations. Our testbed was admittedly not nearly enough to tax its abilities; however, we did set up a batching process to send out a bunch of rule-breaking instant messages and e-mails at the same time. Although more than 500 of them tried to go out at the same time, each one was instantly blocked. Using a variety of e-mail and webmail clients was no help either, as Comodo was always able to stop us from breaking policy. And don’t forget that each attempted breach is logged, so someone trying to defeat the DLP protection by trial and error is likely to get caught long before they get anywhere close to finding a hole in that protection, assuming one even exists.
Another nice feature of Comodo DLP is that it is able to scan all the endpoints on a connected network to determine if any protected information has already left its safe havens. That way, it’s not like locking the barn door after the horse has gotten out. It’s like locking down the barn and then directing the owner to exactly where the missing horse is located. That’s not as good as locking things down right from the start, but this way administrators won’t be surprised if hundreds of credit card numbers are already sitting on an unsecured laptop outside of the main database.
Finally, as a nice extra feature, Comodo DLP can be reversed to prevent certain types of information from entering a network. To do that, you simply need to set up rules based on the destination of protected information types being inside a network. This could be helpful in certain industries where workers are not allowed to come into contact with specific data from people on the outside, like a broker who needs to be protected from insider trading accusations or a doctor who does not want to receive unsolicited health information from non-patients.
It takes a little bit of work as well as the knowledge of what kind of data needs protecting to get the most out of Comodo DLP. But once you get there, there is no way that we found for someone to circumvent that protection. And if they try, everything they do will be instantly flagged, logged and archived for later study and possible disciplinary or corrective action.
Digital Guardian Network DLP
Digital Guardian used to be called Verdasys. Today, the newly branded company offers several types of DLP defense, including the network level protection which is the focus of this test. It is deployed as either a network or virtual appliance and all network traffic is routed through it. This gives Digital Guardian the ability to protect data from leaving the enterprise regardless of where it exists and on what platform it is stored. It does not work with off-network traffic or disconnected endpoints, though the company has other products to fill in those gaps.
The Digital Guardian Network DLP appliance is designed for very large installations, or at least places where there are potentially millions of records to protect. Its pricing model starts at approximately $25,000 based on licensing volume, and it can be installed as either an on-premises appliance or through a managed security service program.
Because of the emphasis on large installations, the interface for creating rules in Digital Guardian Network DLP is very precise and designed to eliminate false positives. This is necessary because if you apply the same blanket type of rules found in some DLP products to very large datasets, your security teams might end up overloaded with false alerts.
So when trying to protect something like 5 million account numbers, even if you use full text matching in the rule creation, quite a few numbers are going to get flagged as potentially protected data that have nothing to do with the actual accounts. For example, employees couldn’t order 12,673 new items if there was a matching account number protected by DLP, even if the employee didn’t know about it. Phone numbers could also prove problematic. To compensate, rules that are created within Digital Guardian’s DLP appliance can be configured with multiple trigger points where all of them need to be met before the DLP will alert to a problem. They can then be further tweaked with data tagging that creates exceptions to the rules.
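To make the multi-trigger idea concrete, here is an added example (not Digital Guardian's code, and not from the original article) that contrasts a blanket account-number rule with a rule that also requires a contextual keyword and honours data-tag exceptions. The protected account numbers, the keyword list and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: a small "registered" set of protected account numbers.
PROTECTED_ACCOUNTS = {"12673", "88412", "40021"}

# A full-text matcher strips digit separators, so the quantity "12,673" collides
# with account 12673 exactly as the article describes.
NUMBER_RE = re.compile(r"\b\d[\d,]*\d\b")
# Hypothetical context words; a real deployment would tune this list.
CONTEXT_RE = re.compile(r"\b(account|acct|a/c|balance|routing)\b", re.I)

@dataclass
class Rule:
    name: str
    triggers: list                                  # ALL predicates must match
    exempt_tags: set = field(default_factory=set)   # data tags that create exceptions

def matches_account(text: str) -> bool:
    """Trigger 1: any number in the text equals a protected account number."""
    return any(tok.replace(",", "") in PROTECTED_ACCOUNTS
               for tok in NUMBER_RE.findall(text))

def has_context(text: str) -> bool:
    """Trigger 2: the text also talks about accounts, balances or routing."""
    return CONTEXT_RE.search(text) is not None

def evaluate(rule: Rule, text: str, tags=()) -> bool:
    """Return True when the rule should alert on this message."""
    if rule.exempt_tags & set(tags):   # tagged data is excepted before any matching
        return False
    return all(trigger(text) for trigger in rule.triggers)

# Blanket rule (one trigger) versus precise multi-trigger rule with an exception tag.
blanket = Rule("account-number-only", [matches_account])
precise = Rule("account-number-with-context", [matches_account, has_context],
               exempt_tags={"purchase-order"})

# Constructed messages: (text, data tags attached to the message).
SAMPLES = [
    ("Please order 12,673 new items for the warehouse.", ()),      # the article's false positive
    ("Customer acct 12673 balance is overdue.", ()),               # genuine account leak
    ("Customer acct 12673 balance is overdue.", ("purchase-order",)),  # excepted by tag
    ("Call me at 555-0100 about the invoice.", ()),                # phone number, no match
]

def alerts(rule: Rule):
    """Evaluate a rule over every sample; one boolean per message."""
    return [evaluate(rule, text, tags) for text, tags in SAMPLES]
```

Running both rules over the same messages shows the blanket rule flagging the purchase order while the precise rule alerts only on the genuine, untagged leak.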
For a program with such complex ruleset possibilities, getting it set up and running is surprisingly easy. Granted, our testing environment did not contain millions of records, but from a rule creation standpoint there would be no difference. Getting the Digital Guardian appliance ready to protect data is a two-step process. It begins by registering the data that needs to be protected. This can be done by simply pointing to files and folders or by identifying the location of something like a SQL or Oracle database server. If you have millions of records then you are probably going to want to specify where the data lives instead of individual records, but the process is the same.