Product Group Tests
Endpoint data leakage prevention
May 03, 2010
When the endpoint product can integrate directly with a gateway or network product, the result is superior protection, says Technology Editor Peter Stephenson.
In a survey conducted by Cisco in 2008, there was a finding that 33 percent of IT professionals were most concerned about data leaving the organization through the use of USB thumb drives or USB external disks. I cannot imagine that the level of concern has abated in the intervening two years given the high visibility of data losses over that period.
When we look at data leakage, we must consider two things: where the data lies and where it could go that it's not supposed to. For example, data sitting inside a database is vulnerable in two ways. First, it is vulnerable to an employee with access stealing the data. It also is vulnerable to being harvested by a bot or other malware. Data sitting on a workstation may only be vulnerable to actions on the PC, such as copying to a thumb drive or CD.
It is that endpoint data theft or other types of endpoint leakage with which we are concerned this month. Vendors have long addressed the illicit use of peripherals. Cutting off peripherals - such as CD-ROM drives or USB ports - does the job, but is a bit draconian for most organizations. What is needed is a more granular way to manage peripherals, and today's batch of tools addresses that need nicely.
Not limited to turning ports on and off, as endpoint security tools have in the past, today's endpoint protection products are focused on the real purpose of controlling endpoint peripherals: preventing data leakage, whether accidental or malicious. They accomplish this granularity through centralized control across the enterprise and granular policies that draw data from Active Directory.
How to buy endpoint DLP
Data leakage is not always malicious. In fact, some might argue that it is more likely to be accidental. I don't know of any statistics either way. However, in either case, there are some criteria that we should look to that can cover both possibilities.
First, user friendliness and transparency are important. No security control ever should manifest itself unless it is violated. As long as all is going as it should, the control should remain transparent to the user. Related to that, the intervention should be measured. In other words, rather than disabling a port completely, for example, it should be disabled only for those things that constitute a violation of policy.
That leads to the second criterion: manageability. Endpoint DLP should be centrally manageable and should be policy-driven. Older systems were very restricted in this regard. That brings up a related point: configurations should be "sticky." In other words, when the computer is off the network, the protections should persist. That is especially important for laptops.
A third important criterion addresses malicious activity particularly, but can be very useful in understanding user error. That criterion is auditability. The product should have a good audit log, and that log should have acceptable detail. The log also should never be saved on the computer being protected. Rather, it should be kept on the machine that administers the products across the enterprise.
When the endpoint product can integrate directly with a gateway or network product, the result is superior protection. There is a need to enforce security policies with technical controls. Studies have shown that both users and, surprisingly, IT personnel tend to violate security policies. Whether it is done out of ignorance or apathy doesn't matter. A significant enough portion of an organization's population is likely to violate policy that technical enforcement is necessary. Integrating the gateway and the endpoint is the best way to achieve control over data leakage.
Let's step back to policy-driven systems. We found that the granularity of configurability is very important. Centrally managed endpoints with very granular policies allow the administrator to set up protection that supports the user's work needs without being unnecessarily draconian. An important part of that is identification and authentication. Endpoint products should have the ability to integrate with Active Directory or some similar product. This provides the basis for granular policies.
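The criteria above (transparent until violated, measured rather than port-wide intervention, centrally pushed policy that stays "sticky" offline, group-based rules drawn from the directory, and an audit trail that lives on the management server rather than the protected machine) can be shown together in one small policy evaluator. This is an added illustration written for this article, not the code of any product in the group test; the policy document, the group names standing in for Active Directory groups, the device classes and the in-memory stand-in for the central log server are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy snapshot. In a deployment the central console pushes this
# to each endpoint, which caches it so the same rules apply when the laptop is
# off the network ("sticky" configuration). Group names stand in for AD groups.
CACHED_POLICY = {
    "version": 7,
    # Ordered most specific first; the first matching rule wins.
    "rules": [
        {"group": "Finance", "device": "usb_storage",    "classification": "confidential", "action": "block"},
        {"group": "*",       "device": "optical_writer", "classification": "*",            "action": "block"},
        {"group": "*",       "device": "usb_storage",    "classification": "*",            "action": "audit"},
    ],
    "default_action": "allow",
}


@dataclass
class Event:
    user: str
    groups: List[str]        # group membership resolved from the directory
    device: str              # peripheral class the data is headed for
    classification: str      # label derived from the file's content or metadata
    filename: str
    online: bool             # whether the management server is reachable right now


@dataclass
class Decision:
    action: str                    # allow | audit | block
    rule: Optional[dict]           # the rule that fired, or None for the default
    user_message: Optional[str]    # None means the control stays invisible to the user


class AuditSink:
    """Stand-in for the central log server. Nothing is written to the protected
    endpoint's disk: records go straight to the server, or wait in memory until
    the endpoint is back online and are flushed on reconnect."""

    def __init__(self) -> None:
        self.server_records: List[dict] = []
        self.pending: List[dict] = []

    def record(self, rec: dict, online: bool) -> None:
        (self.server_records if online else self.pending).append(rec)

    def reconnect(self) -> int:
        flushed = len(self.pending)
        self.server_records.extend(self.pending)
        self.pending.clear()
        return flushed


def _match(value: str, pattern: str) -> bool:
    return pattern == "*" or pattern == value


def evaluate(event: Event, sink: AuditSink, policy: dict = CACHED_POLICY) -> Decision:
    """Apply the cached policy to one peripheral transfer; works identically offline."""
    action, hit = policy["default_action"], None
    for rule in policy["rules"]:
        if (any(_match(g, rule["group"]) for g in event.groups)
                and _match(event.device, rule["device"])
                and _match(event.classification, rule["classification"])):
            action, hit = rule["action"], rule
            break

    # Measured intervention: only the violating transfer is refused. The port
    # itself stays usable for everything the policy permits, and permitted
    # transfers produce no prompt at all (transparent unless violated).
    message = None
    if action == "block":
        message = f"Transfer of '{event.filename}' to {event.device} is not permitted by policy."

    # Audited and blocked events carry enough detail for later root-cause work.
    if action in ("audit", "block"):
        sink.record({
            "policy_version": policy["version"],
            "user": event.user, "groups": event.groups, "device": event.device,
            "classification": event.classification, "file": event.filename,
            "action": action, "online": event.online,
        }, event.online)
    return Decision(action, hit, message)
```

The ordering of the rules does the granularity work: a Finance user is refused only for confidential material on removable storage, the same port carries everything else with a silent audit record, and the decision is the same whether or not the management server is reachable at that moment.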
Finally, just stopping data leakage is not enough. Identifying the root cause is equally important from the perspective of remediation. That, of course, goes back to logging. But there is a bit more to consider. For example, what about encrypted connections, such as SSL? Can the system tell what kind of document is being transferred? Since breaking encryption is really not in the cards, how does the system identify the type of file or data being transferred?
There is an extension to the encryption question. What about methods of communication - encrypted or not? What about instant messaging, text messaging, screen captures and so on? Since the endpoint is the source, we can avoid being concerned about the protocols in some cases. However, the DLP product needs to be smart enough to recognize the traffic.
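Because the endpoint agent sees a file before it enters an SSL tunnel, an instant-messaging session or any other channel, it can identify what is being transferred from the bytes themselves rather than from the filename or the protocol. The following is an added example of that idea, not code from the article or from any vendor in the test: it classifies content by well-known format signatures (PDF, PNG, JPEG, the OLE2 container used by legacy Office files, and ZIP-based OOXML documents) and flags a file whose extension disagrees with its real type. The expected-extension table and the in-memory document builder are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Format signatures are public facts of each file format. The mapping from
# detected type to acceptable extensions below is this example's own choice.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt container
]
EXPECTED_EXT = {
    "pdf": {"pdf"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"},
    "ole2": {"doc", "xls", "ppt"}, "docx": {"docx"}, "xlsx": {"xlsx"},
    "pptx": {"pptx"}, "zip": {"zip"}, "text": {"txt", "csv", "log", "md"},
}


def identify(data: bytes) -> str:
    """Classify a byte stream by its content, never by its name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    if data.startswith(b"PK\x03\x04"):
        # ZIP container: look inside to tell an Office document from a plain archive.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip"
        if "word/document.xml" in names:
            return "docx"
        if "xl/workbook.xml" in names:
            return "xlsx"
        if "ppt/presentation.xml" in names:
            return "pptx"
        return "zip"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the declared extension disagrees with the detected content type.
    An unrecognised binary yields False: there is nothing to compare against."""
    kind = identify(data)
    expected = EXPECTED_EXT.get(kind)
    if expected is None:
        return False
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    return ext not in expected


def make_docx_like(text: str) -> bytes:
    """Constructed stand-in for an OOXML Word file: a ZIP holding word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document>{text}</w:document>")
    return buf.getvalue()
```

Run against a constructed Word document saved as `vacation.jpg`, `identify` still reports `docx` and `extension_mismatch` returns True; that mismatch is the kind of detail worth writing to the central audit log, since it is exactly what distinguishes an accidental misnaming from an attempt to slip a document past a name-based filter.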
The bottom line is that DLP is a two-edged sword. Protection at both the gateway and the endpoint makes the best protection. If the two are well-integrated and some identification and authentication (I&A) mechanism, such as Active Directory, is included, so much the better.