How we chose a DLP system (practical experience)

Hello, Habr! Not long ago a fairly typical situation arose: management gave the order to "choose a system for protecting data from leakage". The main selection criterion is the ability to prevent leaks of documentation, files and the like that management considers critical. As the boss put it verbally, logs and assorted analytical features are secondary. Quoting him: "to catch intruders we can hang up video cameras; solve the problem so that we don't deal with leaks but eliminate them." Of course, everyone understands that eliminating the risk of leaks 100% is unrealistic, so we are talking about minimizing the risk of information leakage.



A little about the company: we are medium-sized, about 300 workstations (some used in shifts), plus for some employees remote access to virtual workspaces is organized through Citrix Desktop. As a side benefit, we also considered some compliance with 152-FZ (the personal data law) and the corresponding organization of personal data protection.

We have no relation to the state, and other industry regulatory requirements do not, in principle, affect us either. The price and the procurement process in general are the business of the responsible department, so the cost of the solution and the currently fashionable topic of import substitution did not limit us, and we could consider any products, both domestic and foreign. We (a small IS department of as many as three people) did not want to fill out various questionnaires and forms from vendors and integrators, so we decided to refresh our memory with some fact checking (we were already familiar with the DLP topic, but without much practical experience). That meant testing with our own hands only those DLP systems that are either relatively easy to obtain for an independent test on our own bench ("without registration and SMS", and without exposing the company to the seller), or whose operation we could look at with colleagues from other organizations. Important: since further implementation and operation would be carried out on our own, we wanted to test on the bench ourselves rather than watch "properly tuned" demo versions "from the hands" of a presenter and read brochures, so as to make sure for ourselves that the declared functions are really implemented and work the way we need.

Systems built on monitoring applications, screenshots, keyboard input and so on we did not even try to look at, simply because they do not solve the key task, however their developers position themselves in the market. This refers to Stakhanovets and its clone InfoWatch Person Monitor, StaffCop, TimeInformer, KickIdler and the like. This does not mean these systems are bad; they simply do not solve the key task of "prevent the leak!" of confidential data, but they may (possibly) be a good tool for other tasks involving passive observation.

Along the way we got acquainted with independent analytical and review materials... they turned out to be sparse. Of what is readable: two publications on Habr (one and two) and an already outdated and very superficial review on Anti-Malware with a separate comparison in tabular form.

Our interests included the foreign Symantec DLP, Forcepoint DLP, McAfee DLP and Sophos Endpoint Protection, and the Russian (or, as it were, Russian) Solar Dozor, Zecurion DLP, InfoWatch Traffic Monitor, DeviceLock DLP, SearchInform Information Security Circuit (CIB) and Falcongaze SecureTower.

As soon as a fresh version came into our hands, or an invitation from colleagues, we actually ran tests of the declared functions and capabilities. As a source of additional information we used publications and webinar recordings from vendors and their partners, as well as data from the "OBS agency", that is, the expert opinion of experienced colleagues.

I'll list right away which DLP systems we could not get a look at.

  1. Solar Dozor. Well, a very heavy system. The descriptions put a strong emphasis on analytical capabilities. The developer's website states "The modular architecture allows you to distribute the load and deploy Solar Dozor on any old hardware", yet according to the documentation you need to allocate a server with 8 cores and 32 GB of memory, and that is just to start the minimum configuration, plus deploy an additional proxy and mail server... Apparently our hardware is not old enough :) We gave up on such resource consumers, although rumor has it that it runs on a 6-core / 24 GB configuration.
  2. Symantec DLP. From the first click on the site a form opens with a bunch of questions, and there is not a hint of a trial. Buy and try. Thanks, but no.
  3. Forcepoint DLP (aka Websense). The site likewise has no hint of a trial, but there is a form for requesting a demonstration, to look "from the hands" of the integrator. Thanks again, but no.
  4. Zecurion DLP. Again, not a hint of a trial without sales getting involved, and no opportunity to look at it with colleagues.
  5. Digital Guardian: getting a trial is generally unrealistic.
  6. Another small set from the Gartner quadrant that are too hard to get hold of, and "young" Russian products that have not yet been seriously run in on the mass market.

The test results were summarized in a table of the form function vs. system / compliance; quite a lot came out. We checked how each tested DLP fulfills its tasks across a wide range of data leakage channels, what other capabilities there are, how one works with the system in principle... The test is, of course, not a full-fledged pilot; we could have missed something, for which I apologize in advance.
I emphasize separately that the opinion described in this article is subjective and based on the personal impressions of the employees of one department from the results of several basic tests and a general review of each system. All conclusions are built on "trying it on ourselves" and on fulfilling the main task of "preventing leakage"; they do not claim to be complete.

We checked simple things directly corresponding to the task: blocking the channel as such for given users ("this is not allowed!"); sending a shadow copy of the intercepted document to the archive; notifying information security when a ban is triggered.

Checked:

  • writing to a flash drive;
  • printing documents (local via USB and network printers);
  • sending via SMTP and MAPI;
  • sending via webmail (we looked at Mail.ru, Gmail, Yandex.Mail);
  • posting to social networks (we looked at Facebook and Vkontakte);
  • uploading to clouds (we looked at Yandex.Disk and Dropbox);
  • sending files via HTTP forms;
  • uploading to an FTP server;
  • instant messengers: chat, file sending, voice or video calls (we looked at Skype, WhatsApp, Telegram);
  • control in a terminal session (whether there is a reaction when a document is pulled out via the clipboard in the terminal session, and when writing to a disk forwarded from a remote workstation into the terminal session).

After successful completion of the basic test, an additional stress test was carried out, with load elements and complications for the system's analytical module:

  1. A multi-level archive with a modified extension was sent through the channels being checked, containing an Excel file of gigantic size in which the target text was hidden among thousands of cells of junk text. Expected reaction: to the given words, and to the company's phone numbers and e-mail addresses.

  2. A two-page scan of a printed document, scanned upside down on an ordinary MFP, was sent through the channels being checked. Expected reaction: to passport numbers and driver's license numbers.

  3. A filled-in contract was sent through the checked channels, with the contract template pre-fed to the system.
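To pass the first stress test, a content analyzer has to recognise containers by their bytes rather than their extension, descend into nested archives, and read spreadsheet cells individually. The following is an added illustration of that minimal logic, not code from the article or from any of the tested products; the patterns, the nesting limit and the sample archive are constructed here.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature; the file name is never trusted
MAX_DEPTH = 5               # stop descending into deeply nested (possibly hostile) archives

# Constructed detection patterns. The article's test looked for given words plus the
# company's phone numbers and e-mail addresses; a real policy would carry its own lists.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s()-]{8,}\d"),
    "keyword": re.compile(r"\bconfidential\b", re.IGNORECASE),
}


def is_zip(data: bytes) -> bool:
    return data[:4] == ZIP_MAGIC


def _match_text(path: str, text: str) -> list:
    """Run every pattern over one text unit (a whole file or a single cell)."""
    return [(path, kind, m.group(0))
            for kind, rx in PATTERNS.items() for m in rx.finditer(text)]


def _xlsx_strings(zf: zipfile.ZipFile):
    """Yield cell strings from an OOXML spreadsheet's shared string table."""
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "t" and el.text:
            yield el.text


def scan(data: bytes, path: str = "<input>", depth: int = 0) -> list:
    """Return (path, pattern, match) triples found anywhere inside `data`,
    identifying containers by content rather than by file name."""
    if depth > MAX_DEPTH:
        return [(path, "error", "nesting depth exceeded")]
    if not is_zip(data):
        return _match_text(path, data.decode("utf-8", errors="ignore"))
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "xl/sharedStrings.xml" in zf.namelist():
            for cell in _xlsx_strings(zf):          # spreadsheet: scan cell by cell
                findings += _match_text(path, cell)
        else:
            for name in zf.namelist():              # plain archive: descend
                findings += scan(zf.read(name), f"{path}/{name}", depth + 1)
    return findings


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed fixture mirroring the first stress test: a two-level archive (to be
    handed over under a misleading name such as report.jpg) holding a spreadsheet in
    which three target cells hide among 3000 cells of junk text."""
    cells = [f"noise {i}" for i in range(3000)]
    cells[500] = "Confidential"
    cells[1500] = "Contact: ivanov@example.com"
    cells[2500] = "tel. +7 495 123-45-67"
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    body = "".join(f"<si><t>{c}</t></si>" for c in cells)
    shared = f'<sst xmlns="{ns}" count="{len(cells)}" uniqueCount="{len(cells)}">{body}</sst>'
    xlsx = _zip_bytes({"[Content_Types].xml": "<Types/>", "xl/sharedStrings.xml": shared})
    return _zip_bytes({"data.bin": _zip_bytes({"sheet.xlsx": xlsx})})


if __name__ == "__main__":
    for finding in scan(build_sample(), "report.jpg"):
        print(finding)
```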


As additional useful functions (beyond compliance with the primary criterion, see above) we looked at analytical capabilities, working with the archive, and reporting. We decided to postpone the workstation scanning function (for example, how the system detects a document with passport data on a workstation) to another run; at present this task is neither primary nor critical in general.

The test bench is simple: as the server, a virtual machine with 8 GB of memory allocated; as the guinea pig, a typical computer with an i5 / 2.3 GHz / 4 GB RAM and 32-bit Windows 10.

So, here are the DLP systems we eventually managed to see and try on our own bench or at colleagues', and the corresponding impressions: McAfee DLP, Sophos Endpoint Protection, InfoWatch Traffic Monitor, DeviceLock DLP, SearchInform Information Security Circuit, Falcongaze SecureTower. First I will describe the general impressions, then an overview of the actual test runs.

McAfee DLP


The version that reached the tests was McAfee Data Loss Prevention 10.0.100.

I want to note right away that this is a very difficult system both to install and to configure. To install and use it you must first deploy McAfee ePolicy Orchestrator as its own management platform. Perhaps for organizations where the McAfee ecosystem is fully implemented this is meaningful and convenient, but for the sake of one product... a pleasure of the doubtful kind. The situation is eased somewhat by the very thoughtful user documentation, which describes the entire installation procedure, and by the installer itself installing all the external components it needs. But it takes a long time... Setting up rules is also not an easy task.

Liked: the ability to set conditional priorities for rules and then use these priorities as parameters for filtering events in the log. The filtering itself is done very nicely and conveniently. The ability to let the user forward a file despite a prohibition if they provide some explanation (user justification).


Did not like: the already mentioned need to install its own management platform, which largely duplicates AD. No built-in OCR module, so control of scanned documents is a miss. We found a number of restrictions, such as mail control only in Outlook (correspondence through The Bat! flew past the agent's control), dependence on specific browser versions, and lack of control of Skype correspondence (only files are intercepted).

Summary: at first glance McAfee DLP seemed to us a very interesting solution, despite the drawbacks mentioned above. It was disappointing that the wizards for setting up policies are gone; in the old versions we once explored it was, in our opinion, more convenient than in the current web console. The key drawback is that almost all control is implemented through application control rather than at the protocol or driver level. It does allow blocking forwarded devices in a Citrix environment.

Sophos Endpoint Protection


We took Sophos Endpoint Protection 10 for the tests.

The solution is complex, with an antivirus as its basis. Installation took a long time. The manual does not even state system requirements; please go to the site for them. Policies are set on a per-computer basis :(

Liked: as in McAfee, it is possible to let the user forward a file when it is blocked. That's probably all.

Did not like: there is no difficulty in circumventing device control by the agent: stop the Sophos antivirus, then enable the device driver in Device Manager, and voila, full access to the prohibited flash drive. The implementation and configuration of content analysis rules is somehow complicated and murky, and in the end they are still not actually enforced. Surprisingly, there are no shadow copies. Notifications in the form of e-mail alerts and SNMP messages must be configured from the antivirus of the same developer. The list of monitored devices is poor; mail is controlled by embedding into mail clients. Access control to sites is made simply, like a firewall. No built-in OCR module, so control of scanned documents is a miss. The user manual is sad: you can't find any details in it. There is not even a description

Summary: an unsuccessful solution, in our opinion. In fact it is an appendage to the antivirus, with a complete lack of ability to build an evidence base on incidents. Policies are set not per user but per machine, which is unacceptable. Well, actually, not much was expected from a free antivirus add-on, but hope dies last.

InfoWatch Traffic Monitor


Perhaps the most well-developed DLP complex on our market today, which means we expected the most from it. There is no way to just take it and look; instead, the site is replete with marketing beauty. It was hard to get for testing, but I managed to obtain InfoWatch Traffic Monitor 6.9 Enterprise. Perhaps there is a newer version, but we do not know of it; we did not find one behind the kilotons of marketing. Technical information on the site is somehow scarce. During the test we found the documentation has the same problem: if something is unclear, it is almost impossible to find the answer in the manual, and there is no detail in general. This significantly reduces the possibility of independent operation.

Liked: a very high-quality, thoughtful interface with good structure. Convenient dashboards where you can configure a specific query and its refresh interval, and then observe the whole picture. A good assortment of widgets for the console. A user can send a request for access to a device directly from the agent module. Different notification recipients can be set depending on the event type and the user's OU membership. A solid set of reports. Good capabilities for working with the archive, with a large set of tools for analyzing the contents of data in the archive. There are screenshots from workstations.


Did not like: in fact this is not one product but a bundle of InfoWatch Traffic Monitor and InfoWatch Device Monitor, running on two operating systems (Windows and Red Hat Linux), so installing and configuring it is complicated. There are also two management consoles. The logic widely advertised by the developer, "first check the content, only then block, so as not to interfere with business processes", is in fact still in the bud somewhere. There is simply no content analysis for device control: device access can be disabled for users and there are white lists, but the InfoWatch Device Monitor agent simply does not know what document is being written to the USB flash drive. For network channels the problem is about the same: content checking is implemented only for SMTP and HTTP. As colleagues long familiar with this solution say, at least now there is an opportunity to block network channels; before there was only monitoring. In fact this feature is limited to HTTP, FTP, SMTP, plus file sharing and some instant messengers. I repeat, there is no possibility of blocking data transfer based on checking its contents in, for example, instant messengers; only SMTP and HTTP. This is not bad, but it does not quite match the description in the brochures, and it is not enough to fully cover the leakage channels. The agent module is actually implemented as a kind of mix of different agents.


Summary: overall the solution looks (especially looks) very good. Basic device control is good; for network channels, monitoring is good and blocking is satisfactory. In terminal sessions it allows restricting access to forwarded drives or granting read-only access; shadow copying works (for flash drives and for forwarded drives alike). The upsetting part is the lack of content verification for most of the controlled channels, especially devices, even though the marketing documents declare exactly that logic. Let's hope this is a kind of roadmap and sooner or later the developers will catch up with the marketers. In the meantime, the PR team gets a five, the developers a three plus. Or vice versa, depending on how you look at it.

DeviceLock DLP


For the tests, version 8.3 (the latest update, released in December 2018) was downloaded from the developer's site.

A rather narrowly specialized system: only leakage protection and nothing more, no screenshots, no application control... However, if you believe the developer's webinars, a user control function via screenshots should appear in the foreseeable future. Installation is easy. A bunch of control options and old-school consoles; to work with them you need at least some system administrator experience, and then everything becomes obvious and simple. Overall, the impression is that the system is very simple to operate.

Liked: the detail in the control settings. Not just nominal control of, for example, Skype, but separate monitoring, events, shadow copies, alerts and content checking, and for separate Skype components: chat, files, calls... The list of monitored devices and network channels is built sensibly and is very large. Built-in OCR module. Content blocking does work, albeit with some load on the workstation. Alerts can arrive almost instantly. Agents are completely independent of the server side and can live their own lives as long as required. Automatic switching of modes is implemented: you can safely let an employee go with a laptop, and the policies will switch themselves to other settings. Blocking and monitoring are separated in the system even at the console level: there is no difficulty in enabling a ban on some channels for certain comrades, and for other comrades setting only monitoring. The content analysis rules also look independent and work both to prohibit transmission and, conversely, to allow it when the channel is closed in principle.


Did not like: there are no wizards. To configure a policy you must understand right away what you want to get, go to the appropriate section of the console and tick checkboxes, select users, etc. A step-by-step option for creating a policy suggests itself. On the other hand, you can check what is really set in the control plan. Archive search is limited to full-text search over the contents of shadow copies; there is no way to search by document template or with dictionaries. A developed filter system helps out more or less, but these are far from content filters. An inevitable load on workstations when working with content-aware rules (the developer's terminology).


Summary: the system is easy to operate, works clearly, with a rich arsenal of capabilities specifically for protection against information leakage. As one colleague aptly remarked, it is built on the "set it and forget it" principle. Since all policies are set per user, to change the operations available to a user it is enough to move them to another domain user group for which other control rules are configured, from simple controls to rules with content analysis. In terminal sessions it allows setting permissions for forwarded drives (block or read-only) and for the clipboard (quite flexibly, depending on the direction of copying and the type of data transferred); shadow copying works, and content blocking works when writing to forwarded drives and when transferring data via the clipboard.

SearchInform Information Security Circuit


We looked at it with colleagues, so the timing was very tight. At first I wanted to write "I got version XXXXX for the tests", but I couldn't, simply because SearchInform CIB is not a system but a complex: a set of several practically independent systems, down to individual consoles for different tasks, of which we counted as many as five. Colleagues say there used to be even more consoles... The key module in this complex is EndpointController, version 5.49; the rest have their own numbering. By the way, the distribution kit is also a bunch of archives... Accordingly, installing such a system is not easy; you can't do without the documentation. That, in turn, is also peculiar: it is written on the principle of "what I see is what I write", without explaining the logic of operation. Management looks like this: interception policies are created in one management console, indexing and index settings for viewing intercepted data are a separate console, viewing audit and shadow copy data is again a separate console, reporting is yet another console, and so on. Both in the marketing descriptions on the site and in the documentation, the word "interception" comes up constantly. In practice this means that for almost all network leakage channels all you get is a shadow copy. There are blocks for devices, but for Internet channels you can only disable SMTP for all users, or allow it. Another option, for SMTP, is message quarantine, implemented on the agent. Content analysis as a reason for blocking is done very peculiarly: the agent quarantines all messages, which the administrator then reviews on the server (manually or with the content analyzer) and chooses what to send on and what to block. We imagined how this would look in an organization with at least five times more employees than ours...

Liked: the capabilities for working with the archive are powerfully developed. Everything is there: many criteria, search tools with dictionaries, regular expressions, fingerprints, the branded "search for similar"... There are tags for different incidents; you can mark those already reviewed, for example. There is transparent encryption of flash drives.


Did not like: chaos in the logic of system control, an overwhelming number of management consoles. Lack of blocking for network channels. Absence of content blocking across the entire set of "intercepted" channels.


Summary: device blocking is implemented at a decent level; for network channels it is in its infancy. In terminal sessions you can set permissions for forwarded drives (block, read-only); shadow copying works for forwarded drives. Overall, the system is quite complicated to operate and strictly focused on incident investigation, that is, monitoring and working with the archive. For that there is, perhaps, everything that is needed. Protecting the organization from data leaks is clearly not here, except for closing off devices that users do not need.

Falcongaze SecureTower


Version 6.2 reached the tests. Two keywords describing this system, without delving into nuances: easy and convenient. Easy to install, convenient to manage, convenient to view reports, convenient to work with the archive. Documentation is practically not required. Then the trick with the word "interception" starts again, as with CIB. Interception here is just monitoring, that is, a shadow copy is created; there is practically no talk of blocking (except for HTTP, SMTP and MAPI). There are screenshots from workstations and some other functions for monitoring user activity.

Liked: friendly user interface. Everything is done for convenience of work. A good tool for viewing and analyzing the archive; the graph of links is well implemented. From almost any report you can go to the event (incident) indicated there. Incidents can be assigned categories (investigated, not investigated, deferred). Monitoring of Telegram and Viber.


Did not like: the absence of blocking for network channels. Inability to block printers and drives forwarded into the terminal session. Absence of content blocking across the entire set of "intercepted" channels. Low stability of the agent: unpredictable freezes and crash dumps were noted. Unexpected freezes of the console even when working with the archive.


Summary: the system is very easy and convenient to install and operate, but geared towards monitoring and working with the archive. There is a feeling that the system is somewhat raw and its quality control is underdeveloped.

Test results


As mentioned above, the results of the basic tests are tabulated. Parameters that can only be evaluated subjectively were rated conditionally on a "traffic light" scale, by color.

The table itself looks like this (clickable):




Stress tests were conducted only for McAfee and DeviceLock DLP. In the other cases it simply made no sense (see the table below).

McAfee correctly handled blocking the archive with the Excel file.


The scan interception test in McAfee did not go through: there is no built-in OCR.

As for template checking, it works only on a full match; if the document is changed, the DLP system lets it through.
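The failure mode noted here (an exact template comparison misses any edited copy) is why fingerprinting in DLP products compares documents by overlapping word shingles instead of byte-for-byte. The following is an added illustration of the difference, not code from the article or from any of the tested products; the contract texts are constructed.

```python
import re


def shingles(text: str, k: int = 4) -> set:
    """Lower-case, tokenise on word characters and return the set of k-word shingles."""
    words = re.findall(r"\w+", text.lower())
    if len(words) < k:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def exact_match(template: str, document: str) -> bool:
    """The behaviour observed in the test: only an identical document triggers."""
    return template == document


def containment(template: str, document: str, k: int = 4) -> float:
    """Share of the template's shingles that survive in the document (0.0..1.0).
    Containment rather than Jaccard, so text added when filling in blanks
    does not dilute the score."""
    t = shingles(template, k)
    return len(t & shingles(document, k)) / len(t) if t else 0.0


def fill(template: str, values: list) -> str:
    """Replace the template's ___ blanks with concrete values, in order."""
    out = template
    for v in values:
        out = out.replace("___", v, 1)
    return out


# Constructed sample texts, not from the article.
TEMPLATE = (
    "Supply Contract. Romashka LLC, hereinafter the Supplier, and ___, hereinafter the Buyer, "
    "have concluded this contract. The Supplier undertakes to deliver the goods listed in the "
    "specification, and the Buyer undertakes to accept and pay for the goods. The total contract "
    "price is ___ rubles. Payment is made within ___ banking days after delivery. The contract "
    "is valid until ___. Disputes are resolved in the arbitration court at the location of the Supplier."
)
FILLED = fill(TEMPLATE, ["Vasilek LLC", "450 000", "10", "31.12.2019"])
UNRELATED = ("Meeting notes: discussed the quarterly sales figures, the new office layout "
             "and the schedule for the corporate party.")


if __name__ == "__main__":
    # The filled-in contract fails the exact check but keeps most template shingles;
    # only the 16 shingles touching a blank are lost, so the score stays high.
    print("exact match:", exact_match(TEMPLATE, FILLED))
    print("containment (filled):   %.2f" % containment(TEMPLATE, FILLED))
    print("containment (unrelated): %.2f" % containment(TEMPLATE, UNRELATED))
```

A policy would block above a threshold (say 0.6) instead of requiring equality, which is the difference between the two behaviours compared in the tests.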

With DeviceLock DLP, all the tests worked completely. Modified contract, interception in Skype:


Writing the archive with the junk-filled Excel file to a flash drive:


Blocking the print of the inverted document scan:



The summary results of the tests are as follows (clickable):


Conclusions


Anticipating the readers' question, "so what did you choose in the end, since the title says 'practical experience'?": unfortunately, at the time of writing, management has not yet decided. We did our part: we ran tests on a number of systems, presented the results to management, and along the way decided to share them with the Habr community.

I repeat, our opinion is subjective, based on personal impressions, and determined by our task, so our own choice will remain unpublished.

By and large, the tasks set are always primary, so we recommend that everyone choosing a DLP system to solve their own problems go the same route and, starting from their tasks, work out the capabilities of the proposed systems. We hope our tables will be a useful cheat sheet for you.

Thank you all for your attention!
