Choosing a DLP system for a mid-sized organization
Good afternoon, dear Habr community! Not long ago our company faced the question of which data leakage protection system to choose. Under the cut are my own thoughts on the question, together with a comparison table of the systems' capabilities.
Please note that the article is not an advertisement for any particular product. It reflects the opinion of a single IT employee at a mid-sized company.
So, at a recent meeting the task was set: “Implement!” But what exactly to implement was not specified, so after studying the question and surveying the market, this post came about.
Our organization is not much different from the mass of other mid-sized organizations: it has about 250 workstations and several servers that must be protected against the leakage of very important and highly sensitive data. Unfortunately, the statistics are inexorable: 80% of information leaks happen through the fault of the organization's own employees (insiders). Data may be disclosed either deliberately or quite accidentally, and every such case should be detected and stopped (ideally). How to achieve this? Administrators can shut off the Internet, e-mail and removable media completely, leaving users with no access to external resources at all. That is almost perfect security, except that it suits no one but the administrators themselves. One can relax a little and open Internet or removable-media access only to “selected” employees. The likelihood of a leak decreases, but who can guarantee that a “selected” employee is completely loyal to the company? The situation would seem hopeless, but this is where DLP systems come to the rescue.
A DLP (Data Loss Prevention) system is a software product designed to prevent confidential information from leaking outside the corporate network. It works by analysing the data streams that leave the corporate network; endpoint channels such as removable media and printing, which appear in the comparison below, require an agent on the workstation in addition to the server component. When a signature fires and a transfer of confidential information is detected, the system either blocks the transfer or notifies the security officer.
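To make that definition concrete, here is a small content-analysis engine in Python of the kind a DLP system runs over every outbound message. It is an added example, not the code of any product compared on this page; the marker dictionary, transliteration table, size and depth caps and the sample attachment are all constructed for the illustration. It exercises the analysis methods that appear as rows in the comparison table: dictionary matching, transliteration (a Cyrillic term typed in Latin letters still matches), pattern matching with a Luhn check so that random digit runs are not treated as card numbers, and archive inspection with a nesting and size cap so that a zip bomb cannot stall the analyzer. The verdict mirrors the "hold suspicious messages" row: card numbers are blocked outright, dictionary hits or attachments that could not be inspected are quarantined for the security officer to decide, and everything else is allowed.

```python
# Toy DLP content analyzer: dictionary, transliteration, pattern and archive
# analysis feeding a block / quarantine / allow decision. Added illustration only.
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed marker dictionary (hypothetical, not any vendor's rule set).
DICTIONARY = ["конфиденциально", "коммерческая тайна", "for internal use only"]
# Cyrillic-to-Latin map: dictionary and text are both normalized through it,
# so a term typed in translit ("konfidencialno") still matches.
_TRANSLIT = {
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "e",
    "ж": "zh", "з": "z", "и": "i", "й": "j", "к": "k", "л": "l", "м": "m",
    "н": "n", "о": "o", "п": "p", "р": "r", "с": "s", "т": "t", "у": "u",
    "ф": "f", "х": "h", "ц": "c", "ч": "ch", "ш": "sh", "щ": "sch",
    "ъ": "", "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya",
}
# Pattern analysis: 16-digit card numbers with optional space/dash separators.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
MAX_ARCHIVE_DEPTH = 3         # nested archives deeper than this are not opened
MAX_MEMBER_BYTES = 1_000_000  # cap on declared member size (zip-bomb guard)

def normalize(text: str) -> str:
    """Lower-case, transliterate Cyrillic to Latin, collapse whitespace."""
    out = "".join(_TRANSLIT.get(ch, ch) for ch in text.lower())
    return re.sub(r"\s+", " ", out)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit runs are not flagged as cards."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * 2 if i % 2 else int(d)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Card-number candidates that also pass the Luhn check."""
    hits = [re.sub(r"[ -]", "", m.group(0)) for m in _PAN_RE.finditer(text)]
    return [h for h in hits if luhn_ok(h)]

def find_terms(text: str) -> List[str]:
    """Dictionary terms present in the text, matched after transliteration."""
    norm = normalize(text)
    return [t for t in DICTIONARY if normalize(t) in norm]

def extract_texts(name: str, data: bytes, depth: int = 0) -> Tuple[List[str], List[str]]:
    """Return (texts, notes). Archives are opened recursively under a depth and
    size cap; whatever is skipped is reported in notes rather than silently passed."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [data.decode("utf-8", errors="replace")], []
    if depth >= MAX_ARCHIVE_DEPTH:
        return [], [f"{name}: nested deeper than {MAX_ARCHIVE_DEPTH}, not inspected"]
    texts, notes = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                notes.append(f"{member}: declared size too large, not inspected")
                continue
            t, n = extract_texts(member, zf.read(info), depth + 1)
            texts += t
            notes += n
    return texts, notes

@dataclass
class Verdict:
    action: str  # "allow", "quarantine" or "block"
    terms: List[str] = field(default_factory=list)
    pans: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)

def analyze(body: str, attachments: Optional[Dict[str, bytes]] = None) -> Verdict:
    """Inspect a message body plus attachments and decide what happens to it."""
    texts, notes = [body], []
    for name, data in (attachments or {}).items():
        t, n = extract_texts(name, data)
        texts += t
        notes += n
    terms = sorted({t for text in texts for t in find_terms(text)})
    pans = [p for text in texts for p in find_pans(text)]
    if pans:
        action = "block"       # hard rule: card numbers never leave
    elif terms or notes:
        action = "quarantine"  # hold it; the security officer decides
    else:
        action = "allow"
    return Verdict(action, terms, pans, notes)

def build_sample_zip(levels: int = 2) -> bytes:
    """Constructed attachment: notes.txt wrapped in `levels` nested zips; the
    innermost file carries a marker term typed in transliteration."""
    data = "Vysylayu konfidencialno, nikomu ne pokazyvaj".encode("utf-8")
    name = "notes.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data
```

`analyze("Quarterly figures attached", {"report.zip": build_sample_zip()})` returns a quarantine verdict listing the matched term even though it sits two archives deep and is written in Latin letters; a body containing 4111 1111 1111 1111 is blocked, while 1234 5678 9012 3456 fails the Luhn check and is allowed. Content the analyzer cannot open (too deeply nested, too large) is deliberately treated as suspicious rather than clean; a real deployment also has to handle encrypted archives and office document formats, which this toy does not.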
The main selection criteria were the price of the suite and the number of controlled channels.
The comparison included:
- Securit ZGate;
- InfoWatch Traffic Monitor;
- Symantec Data Loss Prevention;
- SearchInform Security Perimeter;
- Falcongaze SecureTower.
Product information was taken from the vendors' official websites and from their regional representatives. Here is the result:
| Vendor | SecurIT | InfoWatch | Symantec | SearchInform | Falcongaze |
|---|---|---|---|---|---|
| Product | Zgate | Traffic Monitor | Data Loss Prevention | Security Perimeter | SecureTower |
| System modularity | Yes | No | No | Yes | No |
| Installed on | Server, plus Zlock agent on client PCs | Server, client | Server, client | Server, client | Server, client |
| Certificates and licenses | FSTEC NDV-3 and OUD4 (EAL4) | FSTEC NDV-4 and ISPDn class 1, Gazpromcert, Central Bank accreditation, eToken compatibility certificate | FSTEC NDV-4 | FSTEC NDV-4 | FSTEC NDV-4 and ISPDn class 2 |
| Licensing unit | Mailboxes, workstations | Interception channels, analysis technologies | n/a | Server, mail, IM, Skype, print, devices, HTTP, FTP | Workstations |
| Roles | Any number | Several | Any number | Any number | System administrator, security officer |
| IM control | Yes | Yes | Yes | Yes | Yes |
| HTTP/HTTPS and FTP control | Yes | Yes | Yes | Yes | Yes |
| Skype control | Text only | Text only | No | Yes | Yes |
| E-mail control | Yes | Yes | Yes | Yes | Yes |
| Social networks and blogs | Yes | Yes | Yes | Yes | Yes |
| Control of connected external devices | Only with Zlock, bought separately | Yes | Yes | Yes | No |
| Port control | USB, COM, LPT, Wi-Fi, Bluetooth | USB, COM, LPT, Wi-Fi, Bluetooth | USB, COM, LPT, Wi-Fi, Bluetooth | USB, LPT | USB, LPT |
| Blocked protocols | HTTP, HTTPS, SMTP, OSCAR | HTTP, HTTPS, FTP, FTP over HTTP, FTPS, SMTP, SMTP/S, ESMTP, POP3, POP3S, IMAP4, IMAP4S | SMTP, HTTP, HTTPS, FTP, Yahoo Messenger, MSN Messenger, AIM, AIM Pro | SMTP, POP3, MAPI, IMAP, HTTP, FTP, ICQ, Jabber | HTTP, HTTPS, FTP, FTPS, all mail and IM |
| Dictionary analysis | Yes | Yes | Yes | Yes | Yes |
| Linguistic analysis | Yes | Yes, plus BKF | No | Yes | Yes |
| Transliteration analysis | Yes | Yes | No | n/a | n/a |
| Archive analysis | Yes | Yes | Yes | Yes | Yes |
| Pattern analysis | Yes | Yes | Yes | Yes | No |
| Predefined filtering templates | Yes | Yes | Yes | Yes | Yes |
| Holding suspicious messages (quarantine) | Yes, the OB decides | Yes, the OB decides | Yes, the user gives a reason for sending and the incident is recorded | n/a | No, the OB is only notified |
| Logging of system administrator actions | Yes | Yes | Yes | n/a | Only if the agent is installed on the administrator's RM |
| Agent installation mode | Visible | n/a | n/a | n/a | Hidden or visible |
| Agent protected against shutdown | Yes | Yes | Yes | Yes | Yes |
| Local caching of events when the server is unavailable | Yes | Yes | Yes | Yes | Yes |
| Incident history view | Yes | Yes | Yes | Yes | Yes |
| Alerting | Console, e-mail, charts | Console, e-mail | Console, e-mail, charts | Console, e-mail, charts | Console, e-mail, charts |
| Trial on the vendor's servers | No | No | Yes | No | On the distributor's server |
| Trial version for in-house testing | ± | ± | No | ± | Yes, 1 month |
| Price for 250 workstations | 2,500,000 RUB | n/a | n/a | 3,300,000 to 5,400,000 RUB | 1,500,000 RUB |
A few clarifications:
System modularity means whether the product controls every channel out of the box or whether separate modules must be bought to control particular leakage channels.
The system administrator installs and configures the system; the security officer monitors employees' actions and the operation of the system as a whole.
BKF: content filtering base, which assigns a document to a confidentiality level by certain features.
OB: security officer.
RM: workstation.
n/a marks the points I could not clarify, and ± the points where getting the information was difficult. Obtaining a trial version, for example, is quite an involved affair: it requires a lot of information about the organization as well as bringing the vendor's specialists to your office.
This table simplified the choice of a DLP system for my organization, and I hope it helps you make yours if you face a similar task.