Data loss prevention comes of age
McAfee, Sophos shine in test of data loss prevention tools that can do it all
We sent invitations to McAfee, Sophos, Fidelis, TrendMicro, CodeGreen, Palisade, Symantec, RSA, Websense, NextLabs and CA. Only McAfee and Sophos accepted the challenge.
We found both these products to be a breath of fresh air. McAfee and Sophos seem to have a very practical understanding of the role of DLP in a modern organization. They both have innovative features, excellent user interfaces, and a clear vision for the future of DLP. McAfee's solution seems to be more appropriate for larger organizations spanning many locations, even globally.
Sophos' solution seems better suited for small to midsize businesses that are looking for DLP as an added bonus to an existing antimalware infrastructure, and for whom the cost of and training for a larger solution might be prohibitive.
The Sophos DLP lineup consisted of their Email Security and Data Protection appliance (ES1100) and the Endpoint Security and Data Protection software suite. McAfee sent us its ePolicy Orchestrator, DLP agent, Email Gateway, and Web Gateway software, as well as the Discover, Prevent, Monitor, and Insight network DLP (NDLP) appliances.
We received the four appliances and a VMware server from McAfee, then were joined by two technicians who got everything up and running, and walked us through the initial configuration.
Much of the configuration work had been done prior to McAfee shipping the products. Our part of the DLP setup consisted of wiring up all four of the DLP appliances, including giving the NDLP Monitor device a network tap connection (which we chose to place between our DMZ and its gateway), giving the technicians IP addresses to use for all of the services, and helping them to integrate their product into our Active Directory setup.
We had the opportunity to get a more hands-on impression of the installation of Sophos' software, and were very pleased. The ES1100 appliance came with a very easy to digest quick start guide. This gave us the information we needed to initially connect to the device and initiate the configuration wizard.
This wizard was one of the best we've seen. It was well designed, provided helpful information at each step, and did a number of checks to verify proper configuration (even testing to make sure its network connections weren't cross-wired). The only issue we ran into was that, in our isolated environment, we didn't have a connection to the Internet. The product needs to be able to connect back to Sophos to test its connectivity and download a large (200MB) license file. We were able to get around this using a proxy server.
Sophos also gives the administrator the option to relay status information about the ES1100's health back to Sophos. The administrator can elect to receive notifications if a critical or non-critical error (or both) is detected. This proactive support could stave off a major service interruption, but the exact criteria for these alerts are not defined so it's hard to say for sure.
Installation of the Sophos Enterprise Console was also quite easy (though it too requires an Internet connection for activation and updating). The only issue here was that the update manager, which must be run before the software can be deployed to clients, does not yet support Windows Server 2008 R2. We sidestepped this issue by running it in Windows XP compatibility mode, and Sophos has advised us that the next version of the software will support 2008 R2.
Rollout of the client to endpoints is eased by the ability to synchronize the client list with Active Directory, and automatically deploy the software to new computers. One issue we ran into was that the updater uses a Windows file share to fetch updates, so firewall rulesets and share permissions will need to be configured accordingly.
Existing Sophos customers will be pleased to know that the DLP software makes use of the existing Sophos client software, so adding DLP is only a matter of rolling out additional rules. Sophos uses the same engine for both antivirus and DLP.
Configuration and functionality
The bulk of our testing consisted of test driving the management interfaces. The configuration of both products turned out to be very easy -- a real pleasure after some of the more Spartan interfaces we've experienced in previous reviews. Both products also proved to be feature-rich and each had its own unique innovations.
In the current version of its DLP products, McAfee has a separate management interface for host DLP and network DLP. We found the pre-generated rules, dictionaries, and policies to be the same between them, but it was necessary to create the policies in both places, and thus to monitor them in both places. Thankfully, the upcoming Version 9 will integrate both into the ePolicy Orchestrator console (while leaving the option to manage them separately if desired), so that policies can be deployed to all levels of the network from a single interface.
One of the biggest things we were looking for was an "out-of-the-box" start to policies for compliance. We were happy to find templates for HIPAA and PCI, and also for identifying personally identifiable information (PII) that we were able to use for our rules.
In addition to a number of other compliance templates (FISMA, GLBA, SOX, and FERPA), McAfee also provided a number of intellectual property templates for finance, legal, pharmaceutical, entertainment, and high-tech organizations, and more general templates, such as acceptable use, disgruntled employees, and competitive information. Granted, these would all need a great deal of tweaking to meet the needs of a specific organization, but they provided a solid starting point for a security or compliance administrator.
The biggest difference between these two vendors was found in the methods available to detect policy violations. McAfee offered the ability to fingerprint (register) documents, including automatically scanning a network share on our file server for documents to register. This way, the onus for document protection can be on the end-users. If the accounting department has a document they need to protect, they need only to copy it to this shared volume and it will automatically be registered for detection.
Sophos lacked this functionality, but believes that trying to manually track documents in this way creates too much overhead. Instead, they suggest using third-party software to tag these documents, and then creating a filter to search for these tags.
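The document registration described above for McAfee, and the tag-based alternative Sophos suggests, both come down to the same question: does outgoing content contain material from a protected document? The following added example (not code from either vendor, whose fingerprinting engines are proprietary) shows the common technique in miniature: a registered document is reduced to hashes of overlapping five-word windows ("shingles"), so that an excerpt pasted into an e-mail still matches even though the whole-file hash would not. The sample texts, the shingle width and the 30% threshold are all constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

SHINGLE_WORDS = 5  # window size; an assumption, real products tune this


def normalize(text):
    """Lower-case and split into alphanumeric tokens so punctuation and
    line breaks in a copied excerpt do not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(text, k=SHINGLE_WORDS):
    """Set of SHA-256 hashes of every k-word window in the text."""
    words = normalize(text)
    if not words:
        return set()
    if len(words) < k:  # very short text: hash it whole
        return {hashlib.sha256(" ".join(words).encode()).hexdigest()}
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


@dataclass
class Registry:
    """Stand-in for the 'register everything on this share' workflow:
    only the shingle hashes are kept, not the document itself."""
    docs: dict = field(default_factory=dict)

    def register(self, name, text):
        self.docs[name] = shingle_hashes(text)

    def match(self, outgoing, threshold=0.3):
        """Return {doc_name: fraction_of_outgoing_shingles_found} for every
        registered document above the threshold."""
        probe = shingle_hashes(outgoing)
        if not probe:
            return {}
        hits = {}
        for name, fingerprint in self.docs.items():
            overlap = len(probe & fingerprint) / len(probe)
            if overlap >= threshold:
                hits[name] = round(overlap, 2)
        return hits


# Constructed sample data (not real documents or messages).
PROPOSAL = (
    "Project Falcon acquisition proposal. The board proposes to acquire "
    "Example Widgets for forty million dollars in cash and stock, closing in "
    "the fourth quarter, subject to regulatory approval and due diligence."
)
LEAKED_EMAIL = (
    "FYI - the board proposes to acquire Example Widgets for forty million "
    "dollars in cash and stock, let me know what you think."
)
CLEAN_EMAIL = "Lunch is at noon on Friday, please bring your own drinks and snacks."


def demo():
    registry = Registry()
    registry.register("falcon-proposal", PROPOSAL)
    return registry.match(LEAKED_EMAIL), registry.match(CLEAN_EMAIL)


if __name__ == "__main__":
    leaked, clean = demo()
    print("leaked e-mail:", leaked)   # falcon-proposal scores about 0.61
    print("clean e-mail:", clean)     # {}
```

The overlap is measured against the outgoing message rather than the registered document, so a short excerpt of a long proposal still scores high. The trade-off the Sophos comment points at is visible in the code: every protected document costs one hash per shingle, and the registry must be re-scanned whenever the share changes.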
Another neat feature in McAfee is the ability to integrate physical location into the ruleset. Using the physical location of the user (in an organization with many locations) gives the administrator the ability to tailor policy to a particular area. For example, creating policies to target state-specific legislation or export controls. Additionally, the software maintains a database of geo-location information for IP addresses. This way, the administrator can create policies that block data from being sent or received by a particular country. This is used in the arms control template, which matches any traffic destined to "sensitive" countries.
Each vendor takes a different approach to the control of applications on endpoints. While McAfee let us use the application (along with user, computer, location, and data) in its rules, Sophos gave us the ability to define which applications may be run on the endpoints. Both vendors have a fairly extensive selection of categorized applications from which to choose. Sophos requires the administrator to allow only applications supported by Sophos and block all others, while McAfee allows the use of a larger number of applications. A nice feature we discovered in Sophos was the ability to select "All added by Sophos in future" as an application under each category. This keeps the administrator from having to keep tabs on every new application that needs to be controlled.
The ability to filter e-mail is handled well by both vendors. In Sophos' case, the ES1100 acted as both the mail proxy and filtering device. McAfee required a separate proxy (we used McAfee's Email Gateway), which hands off the messages to the NDLP appliances.
McAfee also has a very mature network DLP product, which consists of several appliances that work together to get the job done. McAfee allowed us to not only block data leaks on supported operating systems or in traffic that could be proxied, but in any traffic leaving the network.
Encryption, steganography or other advanced methods of encapsulating data will keep it from being flagged by content inspection. However, the product can analyze traffic on many levels, including the source and destination, type, and many others. So even if the employee payroll database is encrypted before being copied off-site, the NDLP can flag a large file being transferred via FTP for further analysis.
This dovetails into one of the most innovative features we found in the McAfee suite: the ability to search backwards in time. Since the monitor appliance constantly records all traffic it sees, and saves it for a configurable amount of time (with the option to save this to a storage-area network), an administrator can look for evidence in the past of policy violations in response to a newly detected event. For example, if it's noticed that a user was copying a sensitive proposal to a server in China, an administrator could look into the past to see if the user has a pattern of copying files to strange places. This search could then be saved as a filter so the administrator can keep tabs on this user.
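The two capabilities above (flagging a transfer by its metadata when the content is opaque, and then searching the retained history for a pattern) can be illustrated on flow records. The following added example is not McAfee code and assumes a simple CSV flow format with the columns shown; the records, the 100 MB threshold and the "10." internal prefix are constructed for the example. It flags large external file transfers regardless of payload, walks backwards from the newest hit to find that user's earlier external transfers, and turns that question into a saved filter that can be re-run.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed flow records (not a real capture). Column names are an
# assumption: timestamp,user,src,dst,dport,proto,bytes
FLOWS_CSV = """\
timestamp,user,src,dst,dport,proto,bytes
2010-02-01T10:02:11,alice,10.1.4.22,10.1.9.5,445,smb,1200000
2010-02-03T16:40:09,bob,10.1.4.31,198.51.100.7,21,ftp,15000
2010-02-14T18:55:42,alice,10.1.4.22,203.0.113.10,21,ftp,310000000
2010-02-20T19:10:30,alice,10.1.4.22,203.0.113.10,22,sftp,122000000
2010-03-01T09:12:04,alice,10.1.4.22,203.0.113.44,21,ftp,534000000
2010-03-01T09:20:00,bob,10.1.4.31,10.1.9.5,445,smb,400000000
"""

INTERNAL_PREFIX = "10."            # assumption: RFC 1918 space used internally
LARGE_BYTES = 100_000_000          # assumption: 100 MB is "large" here
FILE_TRANSFER_PROTOS = {"ftp", "sftp", "scp", "http", "https"}


def load_flows(text):
    """Parse CSV flow records into dicts with typed 'bytes' and 'ts' fields."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["bytes"] = int(row["bytes"])
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def is_external(flow):
    return not flow["dst"].startswith(INTERNAL_PREFIX)


def large_external_transfers(flows):
    """Content-agnostic rule: a big file leaving the network over a file
    transfer protocol is worth a look even if the payload is encrypted."""
    return [
        f for f in flows
        if f["proto"] in FILE_TRANSFER_PROTOS
        and f["bytes"] >= LARGE_BYTES
        and is_external(f)
    ]


def external_history(flows, user, before):
    """Backward search over retained traffic: earlier external transfers
    by the same user, oldest first."""
    past = [f for f in flows if f["user"] == user and f["ts"] < before and is_external(f)]
    return sorted(past, key=lambda f: f["ts"])


def make_filter(user):
    """Save the backward search as a reusable filter for ongoing monitoring."""
    def saved_filter(flows):
        return [f for f in flows if f["user"] == user and is_external(f)]
    return saved_filter


if __name__ == "__main__":
    flows = load_flows(FLOWS_CSV)
    hits = large_external_transfers(flows)
    newest = max(hits, key=lambda f: f["ts"])
    print("new event:", newest["timestamp"], newest["user"], newest["dst"], newest["bytes"])
    for f in external_history(flows, newest["user"], newest["ts"]):
        print("earlier:", f["timestamp"], f["proto"], f["dst"], f["bytes"])
    watch_alice = make_filter(newest["user"])
    print("saved filter now matches", len(watch_alice(flows)), "flows")
```

The point of the backward search is that the question only becomes obvious after the newest event; retaining the flow records (or, as with the Monitor appliance, the traffic itself) is what makes answering it possible.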
Sophos does not provide a network DLP product. However, some of our test cases were accomplished with application blocking. Blocking things such as FTP clients, desktop search tools, untrusted browsers, P2P software, anonymity clients (such as Tor), or e-mail clients let us effectively control the types of traffic that could be generated on the network.
McAfee also gave us a few additional types of blocking on the endpoint: the ability to control printing, screen captures, and clipboard usage. These are features we had tested in our endpoint tests, but McAfee has improved upon our experience there. In our previous testing, you could only allow or disallow these actions for an entire application or altogether (with the exception of copying data -- which was based upon the actual data). McAfee allowed us to base this upon the data that was actually in use. So if there wasn't any sensitive data on the screen, screenshots could be allowed.
An exciting feature in the next version of McAfee's DLP solution will be the ability to connect to and browse database servers and tag particular databases, tables, or columns for monitoring by DLP. This extends the file discovery ability into the database, and does so without requiring any knowledge of query languages or database commands. It also allows the data to be analyzed in-place, and not copied off the database server for analysis.
Both vendors also supported controlling external devices on the endpoints. This allowed us to disable optical drives or USB drives, only allow certain types, brands, or models of devices, only allow specific devices (for example by serial number), limit the amount of data copied to a drive, or apply encryption before allowing data to be moved to these devices.
Toward assisting and educating users, rather than simply policing them, both products can take remediation actions when a policy violation is detected. Sure, it's easy to just block the transfer, disallow the program, disconnect the device, or take other steps to stop the action. But more often than not, this will only frustrate an employee who wasn't trying to do anything wrong; they just didn't know enough to properly secure their data or keep it from leaving the organization. Thankfully, both vendors excelled in this area.
Both gave us options for notifying the user with an explanation when a violation occurred: McAfee by e-mail and Sophos with a pop-up on the client, and both with a system tray balloon message. This at least lets the user know why "it isn't working".
Both products also had the ability to apply encryption to the file to protect it before completing the action. In the next version of McAfee's offering, this will also include the ability to apply Adobe Digital Rights Management (DRM) restrictions to documents before releasing them.
McAfee also has an entire case workflow system, which provides the ability to automatically assign violation events to a particular user or group for analysis. To this end, a violation can be passed on to another party, such as HR, security, or the employee's supervisor for further analysis. This allows them to discuss the violation with the employee and explain why the action was not allowed.
To assist us with analyzing breaches, both vendors included methods of quarantining or redirecting violating items. This means quarantining data on the endpoint in the same manner that viruses are quarantined, or re-routing (to another server), redirecting (to another user), duplicating (to another server), or tagging the subject line of violating e-mails.
Monitoring, notification, and workflow
Having all of those nifty features isn't worth much without an interface with which the administrator, compliance officers, security officers, human resource personnel, or some other entity can monitor this data and take action to improve the organization's security standing.
Both Sophos' and McAfee's solutions provided dashboards that gave us a bird's-eye view of the current status of the DLP solution. Both allow historical analysis and report generation to help drill down and find more information.
McAfee also provides the ability to customize these dashboards, reports and workflow per-user or per-group. For example, we were able to create a dashboard for HR that only showed acceptable use violations, and another for security that highlighted compliance issues. The reporting functionality allowed us to view various cross-sections of the data to help find patterns and trends in the data.
A unique feature of McAfee is the case workflow interface. In this system, new violations are shown as events. As mentioned above, a rule action can be to assign an event to a particular group for further analysis. As with the dashboards, this partitions the potentially vast amount of data coming in into manageable chunks for different audiences.
An analyst viewing these events can group them together into cases, including adding past events discovered from the network traffic capture. This entire case is treated as a single entity, and can be passed on to someone else for further action. While this functionality seems particularly suited for large organizations with a large compliance, security, and human resources staff, it does an excellent job of bridging the gap between the technical world of DLP and the non-technical world of business management. McAfee is the only one of the nine vendors we've evaluated during our three reviews to implement this.
Two other features unique to McAfee in this regard are forthcoming in their new release. The first is the highlighting of violating data in an event. In the current version, and in other vendors' products, the event usually includes a fragment of the offending action, or perhaps the entire file. It's up to the analyst to manually search the file for the specific data that triggered the alert. In the new version, this data is highlighted, similar to a Google cache search result for easier analysis.
The second feature is the redaction of the above data. If there was a reason the data couldn't be leaked, perhaps it also shouldn't be viewed by the DLP analyst. McAfee's new version will provide the option to require multiple-individual authentication to release the offending data for further analysis. This is probably overkill in most situations, but could definitely be useful in protecting especially sensitive information.
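The highlighting and redaction features described in the last two paragraphs both depend on the same thing: the detection engine recording exactly which span of the captured content triggered the rule, rather than only the file it came from. The added example below (not McAfee code; the patterns, the sample text and the marker syntax are constructed assumptions) locates two kinds of PII in a captured message, renders one view with the matches highlighted for the analyst and another with them redacted, and shows why a structural check matters: a Luhn checksum rejects a 16-digit order number that merely looks like a card number, which keeps both views from being cluttered with false positives.

```python
import re

# Constructed detection patterns; a real product's dictionaries are far richer.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_matches(text):
    """Return [(kind, start, end)] for every validated match, in text order."""
    found = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # looks like a card number but fails the checksum
            found.append((kind, m.start(), m.end()))
    return sorted(found, key=lambda t: t[1])


def _rewrite(text, found, render):
    """Rebuild the text, passing each matched span through render()."""
    out, pos = [], 0
    for kind, start, end in found:
        out.append(text[pos:start])
        out.append(render(kind, text[start:end]))
        pos = end
    out.append(text[pos:])
    return "".join(out)


def highlight(text, found):
    """Analyst view: the triggering data is marked, like a highlighted search hit."""
    return _rewrite(text, found, lambda kind, span: f"<<{kind}:{span}>>")


def redact(text, found):
    """Restricted view: the triggering data itself is withheld from the analyst."""
    return _rewrite(text, found, lambda kind, span: f"[{kind.upper()} REDACTED]")


# Constructed sample of captured content (the card number is a well-known test value).
SAMPLE = (
    "Patient SSN 123-45-6789, card 4111 1111 1111 1111, "
    "order 1234 5678 9012 3456"
)

if __name__ == "__main__":
    matches = find_matches(SAMPLE)
    print(highlight(SAMPLE, matches))
    print(redact(SAMPLE, matches))
```

In a product the redacted view would be the default and the highlighted view would sit behind the multiple-individual release step the article describes; both are built from the same match offsets, which is why they must be recorded at detection time rather than reconstructed later.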
This three-part series of DLP tests has spanned the past 18 months. When we started, the products were relatively immature, but they have been constantly getting better. With these latest two offerings from McAfee and Sophos, DLP has finally come of age.
Blakely is a graduate student at the Iowa State University of Science and Technology. He can be reached at firstname.lastname@example.org. Rabe is a graduate student at the Iowa State University of Science and Technology. Duffy is a senior undergraduate student at the Iowa State University of Science and Technology.