August 27, 2010, 7:11 PM — Data loss prevention (DLP) is an emerging field with a lot of different products and players. The idea is to stop information from leaving your internal networks in close to real time, so you can identify the leaker or thief before too much damage (and ensuring lawsuits) happen.
A recent study by DLP vendor Proofpoint found that more than third of the respondents had an incident in the last year, and a quarter of them had investigated leaked information as a result of a blog post.
There are more than a dozen different DLP vendors. We show you three typical products, how they work, and what kinds of information they track.
- Global Velocity's GV-2010 security appliance,
- BlueCoat Networks DLP appliance, and
- Sendmail's Sentrion email server.
Each is designed for somewhat different situations, which is why we have collected them together. Before you dive into these products, you might want to address the following questions:
- Who will own the DLP process in your organization: Will it be the general IT staff, the infrastructure management group, the desktop security group, or some other combination? Depending on this ownership might compel a particular collection of DLP products.
- Where does DLP presently touch your existing IT security infrastructure? Most firewalls and email servers have some DLP capabilities; the tricky part is being consistent across your enterprise and getting a specialized DLP product that can complement and in some cases work with these legacy devices.
- Are you looking at total DLP protection, for endpoints, data in motion and file server data? No single product can handle all of these situations; so how each vendor partners and integrates with others for complete coverage is critical.
- Do you want something to decrypt emails and https traffic? Not all products can see inside these protocols without some additional work.
All three products have the ability to scan for particular character strings (like a Social Security or credit card pattern) and also upload sensitive documents into their protective scanning engines to ensure that this specific unstructured information is also protected. Another typical situation is where a rogue employee will send a customer database list to their personal Gmail or Yahoo mail account, and then downloads or forwards this information once they get home. Each product has a variety of reports to show you incidents flagged by the protective policies and what information was leaked.
All three also have mechanisms to test new policies to ensure that they are actually protecting you under the specific circumstances that you intended. This is very useful; otherwise you could end up with a lot of false positive incident reports to plow through. Once you have tested a particular policy, all of them make it fairly easy to activate the policy and have it start working across your data streams.
Sendmail's Sentrion is a high-powered email server that takes the code base of Sendmail – found in any Linux server – and bulks it up with a series of powerful mail processing policies. Some of these can be used to scan outgoing messages for particular character strings, or data types, to ensure that confidential data doesn't get emailed outside of your domain.
Sendmail has partnered with a variety of vendors, including Voltage Security, to handle decrypting emails to ensure that no one is hiding sensitive information inside these messages. They also have an extensive collection of add-on applications in their own AppStore, patterned after Apple. For example, one called the DLP bundle also includes RPost, software that can send registered return email receipts. But Sentrion is email-centric: if you want endpoint protection (such as to flag when an employee steals data on a USB stick), or protection for emails sent over Webmail providers such as Gmail and Hotmail, you will need something else.
