Choosing a DLP system for an average organization

Good afternoon, dear Habr community! Not long ago our company faced the question of which data leakage protection system to choose. Below the cut are my own thoughts on this question, as well as a comparative table describing the capabilities of the systems.

Please note that this article is not an advertisement for any particular product. It reflects the views of a single IT employee in a mid-sized company.

So, at a recent meeting the task was set: "Implement!" What exactly to implement was not agreed, so after studying the question and analyzing the market, this post was written.

Our organization is not particularly different from the mass of other medium-sized organizations: inside there are about 250 workstations and several servers that must be protected against leakage of very important and extremely sensitive data. Unfortunately, the statistics are inexorable: 80% of information leaks happen through the fault of the organization's own employees (insiders). Data can be disclosed either intentionally or entirely by accident, and ideally every such case should be detected and stopped. How to achieve this? The company's administrators can completely close off the Internet, e-mail and removable media, leaving users without access to external resources. This is an almost perfectly secure option, except that it suits nobody but the administrators themselves. One can soften this a little and open access to the Internet or to removable media only for "selected" employees. The likelihood of leaks decreases, but who can guarantee that a "selected" employee is fully loyal to the company? The situation would seem hopeless, but this is where DLP systems come to the rescue.

A DLP (Data Loss Prevention) system is a software product designed to prevent confidential information from leaking outside the corporate network. It is built around analysis of the data streams that cross the corporate network boundary. When a signature fires and the transfer of confidential information is detected, the system either blocks the transfer or sends a notification to the security officer.
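To make the description concrete, here is an added illustration (my own example, not code from any of the products compared below) of the three content-analysis techniques that appear in the comparison table: dictionary analysis, transliteration ("translit") analysis and pattern analysis, with the block-or-hold decision described above. The dictionary terms, the transliteration table, the `IR-NNNN-NNNN` document marking and the sample messages are all constructed for the example.

```python
import re

# Constructed demo policy (not any vendor's rule set): Russian dictionary terms,
# a Cyrillic-to-Latin table for translit analysis, and a regex for a
# hypothetical internal document marking used as the pattern-analysis rule.
DICTIONARY = ("конфиденциально", "коммерческая тайна")
TRANSLIT = {"а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ж": "zh",
            "з": "z", "и": "i", "й": "y", "к": "k", "л": "l", "м": "m", "н": "n",
            "о": "o", "п": "p", "р": "r", "с": "s", "т": "t", "у": "u", "ф": "f",
            "х": "kh", "ц": "ts", "ч": "ch", "ш": "sh", "щ": "shch", "ъ": "",
            "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya"}
MARKING_RE = re.compile(r"\bIR-\d{4}-\d{4}\b")  # hypothetical registry number


def translit(text):
    """Transliterate Cyrillic to Latin so 'конфиденциально' matches 'konfidentsialno'."""
    return "".join(TRANSLIT.get(ch, ch) for ch in text.lower())


def inspect(message):
    """Run dictionary, translit and pattern analysis over one outbound message.

    Returns (action, hits): 'block' on a direct dictionary or pattern hit,
    'hold' (delay the message, the security officer decides) when only a
    transliterated term matched, 'allow' otherwise.
    """
    text = message.lower()
    hits = []
    for term in DICTIONARY:
        if term in text:
            hits.append(("dictionary", term))
        elif translit(term) in translit(text):
            hits.append(("translit", term))
    for marking in MARKING_RE.findall(message):
        hits.append(("pattern", marking))
    if any(kind in ("dictionary", "pattern") for kind, _ in hits):
        return "block", hits
    if hits:
        return "hold", hits
    return "allow", hits


# Constructed sample messages, as a DLP server would see them on the wire.
SAMPLES = {
    "meeting": "Встреча перенесена на среду",
    "latin": "Vysylayu dannye, eto kommercheskaya tayna, ne pereslat",
    "marked": "Документ IR-2013-0042 во вложении",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, inspect(msg))
```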

The main requirements for the candidates were the cost of the product and the number of controlled channels.
The comparison included:
  • SecurIT Zgate;
  • InfoWatch Traffic Monitor;
  • Symantec Data Loss Prevention;
  • SearchInform Security Loop;
  • FalconGaze SecureTower.

Product information was taken from official websites and from the companies' regional representatives. Here is the result:
| Vendor | SecurIT | InfoWatch | Symantec | SearchInform | FalconGaze |
|---|---|---|---|---|---|
| System name | Zgate | Traffic Monitor | Data Loss Prevention | Security Loop | SecureTower |
| System modularity | Yes | No | No | Yes | No |
| Installation locations | Server + ZLock on client PCs | Server, client | Server, client | Server, client | Server, client |
| Certificates and licenses | FSTEC NDV 3 and OUD4 | FSTEC NDV 4 and ISPDn 1, Gazpromsert, Central Bank accreditation, eToken compatibility certificate | FSTEC NDV 4 | FSTEC NDV 4 | FSTEC NDV 4 and ISPDn 2 |
| Licensing | Mailboxes, workstations | Interception channels, analysis technology | n/a | Server, mail, IM, Skype, print, devices, HTTP, FTP | Workstation |
| Roles | Any number | Several | Any number | Any number | System administrator, security officer |
| IM control | Yes | Yes | Yes | Yes | Yes |
| HTTP/HTTPS, FTP control | Yes | Yes | Yes | Yes | Yes |
| Skype control | Text | Text | No | Yes | Yes |
| E-mail control | Yes | Yes | Yes | Yes | Yes |
| Social networks and blogs | Yes | Yes | Yes | Yes | Yes |
| Control of connected external devices | When buying Zlock | Yes | Yes | Yes | No |
| Port control | USB, COM, LPT, Wi-Fi, Bluetooth | USB, COM, LPT, Wi-Fi, Bluetooth | USB, COM, LPT, Wi-Fi, Bluetooth | USB, LPT | USB, LPT |
| Blocked protocols | HTTP, HTTPS, SMTP, OSCAR | HTTP, HTTPS, FTP, FTP over HTTP, FTPS, SMTP, SMTP/S, ESMTP, POP3, POP3S, IMAP4, IMAP4S | SMTP, HTTP, HTTPS, FTP, Yahoo Messenger, MSN Messenger, AIM, AIM Pro | SMTP, POP3, MAPI, IMAP, HTTP, FTP, ICQ, Jabber | HTTP, HTTPS, FTP, FTPS, all mail and IM |
| Dictionary analysis | Yes | Yes | Yes | Yes | Yes |
| Linguistic analysis | Yes | Yes + BKF | No | Yes | Yes |
| Translit analysis | Yes | Yes | No | n/a | n/a |
| Archive analysis | Yes | Yes | Yes | Yes | Yes |
| Pattern analysis | Yes | Yes | Yes | Yes | No |
| Predefined filtering patterns | Yes | Yes | Yes | Yes | Yes |
| Delaying suspicious messages | Yes, the OB decides | Yes, the OB decides | Yes, the user explains the reason for sending, the incident is recorded | n/a | No, only informs the IS officer |
| Logging of system administrator actions | Yes | Yes | Yes | n/a | If the agent is installed on the administrator's RM |
| Agent installation mode | Open | n/a | n/a | n/a | Hidden / open |
| Protection against agent shutdown | Yes | Yes | Yes | Yes | Yes |
| Reports written to local storage if the server is unavailable | Yes | Yes | Yes | Yes | Yes |
| Viewing incident history | Yes | Yes | Yes | Yes | Yes |
| Alert modes | Console, mail, charts | Console, mail | Console, mail, charts | Console, mail, charts | Console, mail, charts |
| Testing the product on the developer's servers | No | No | Yes | No | On the distributor's server |
| Obtaining a demo for testing inside the organization | ± | ± | No | ± | Yes, 1 month |
| Price for the company (250 workstations) | 2 500 000 rub. | n/a | n/a | 3 300 000 to 5 400 000 rub. | 1 500 000 rub. |

A few clarifications:
System modularity indicates whether the product controls everything out of the box, or whether separate modules must be purchased to control particular leakage channels.

The system administrator installs and configures the system. The security officer monitors the actions of employees and the operation of the system as a whole.

BKF: basic content filtering. Allows a document to be assigned a certain confidentiality level based on certain attributes.

OB: security officer.

RM: workstation.

The symbol n/a marks points for which I could not clarify the information, and ± marks points where obtaining the information was difficult. For example, obtaining a trial version is a rather complicated affair, requiring a lot of information about the organization as well as bringing specialists from the vendor into your office.

So, this table simplified the choice of a DLP system for my organization, and I hope it will help you make your choice if you face a similar problem.
