DeviceLock Endpoint DLP Suite + DeviceLock DLP Discovery
Strengths: Very effective endpoint DLP application with all of the bells and whistles you might think of, plus some that you may not.
Weaknesses: None that we found.
Verdict: This is a very strong solution to endpoint DLP challenges.
This is one of the best-known endpoint DLP products in the industry. It is effective and straightforward to deploy and set up. It contains all of the forensic tools necessary to perform a data exfiltration investigation. The tool covers the full gamut of exfiltration vectors from malware-induced - noting, of course, that SSL or other encryption used by malware to steal data may impact detection - to user data theft or accident. In this regard, it adheres to the traditional definition of what an endpoint DLP product should do. While it does not have malware detection or alerting capabilities that one might expect in an endpoint security product, that is not the sandbox in which DeviceLock plays. It is very focused on DLP and does that extremely well.
Any DLP product needs to watch such things as peripherals and network connections. This tool does that. It is policy-driven and it can be configured to intercept specific organizational keywords for such things as trade secrets. Its network monitoring is protocol and context aware. So an exfiltration through Facebook, Skype and an instant messaging route will be caught.
DeviceLock is not restricted to physical devices, of course. We tested in our virtual and our physical environments. As regards detection in the virtual, there are lots of ways to address devices in a virtual system. For example, you could be accessing virtual endpoints using remote desktop protocol (RDP) or VMware View, as we did at a university where we deployed virtualization. This limits what the user sees and can do. For example, our malware forensics lab was set up to avoid student removal of malware samples. We did that by placing the endpoint in the virtual and allowing the students to access only using RDP.
That is fine for protecting against file removal, but what about going to a virtual endpoint, opening a document and reading it, which is captured on the physical workstation. Even RDP won't prevent that and it may be nearly undetectable since reading a document is a normal activity. However, DeviceLock addresses that problem and will alert and capture evidentiary data to facilitate an investigation.
DeviceLock is administered in cooperation with Microsoft Active Directory using a snap-in Microsoft Management Console for deployment. Of course there is a server component and a web console for day-to-day management of such things as policies and alerting. Alerting can be done using SNMP or SMTP. The product even has a 30-plus language optical character recognition system.
Data-at-rest detection and endpoint remediation are functions of the optional Discovery module. In addition to the provided content filtering templates, there are specialized capabilities, including regular expressions and binary discovery of file types avoiding the trick of renaming a file with an incorrect extension to make it look harmless. Most of the templates are useful as supplied, but modifying them is a very straightforward process.
The endpoint agents can be deployed as any other Microsoft software deployment or the DeviceLock Enterprise Manager can be used for that as well as for management of the agents when deployed.
The website is among the best we've seen. Everything one needs - whether making the selection of a new product or already a DeviceLock customer - is right there available for download. In addition, there are quite a few bits of supplementary materials such as white papers. Support is available eight-hours-a-day/five-days-a-week by phone and email/web tickets any time. It is included in the price of the product. Premium services are available at extra cost.