The short answer is that today we cannot offer that assurance. But we can close many of the escape routes effectively, and that is what this month’s data leakage prevention products intend to do. As long as there are USB ports and CD writers on user machines there is a chance that data can leak out of the organization. And, as long as there are laptops that travel with employees, and VPNs so that employees can work remotely, there is the chance that something will escape that you would rather have stay inside the organization. But the tools we looked at make that escape a lot harder.
Another, and increasingly popular, term for what this month’s batch of products do is extrusion prevention. In a nutshell, these products attempt to stop unauthorized transfer of files or information based on a set of rules or policies. The tools come in three types: sniffers, gateways (sometimes called proxies), and client-side applets or agents. Each one performs a different set of extrusion prevention tasks.
Client-side agents sit on each user’s computer and apply the policies to all of the actions on the computer. Sniffers generally only notify an administrator that data is leaving the enterprise in violation of policy, along with the source of the leakage. Gateways, or proxies, both notify and stop if they are so configured.
Obviously, there are pros and cons to each of these. For example, agents may be able to stop activities such as saving unauthorized data to a thumb drive. Sniffers may only be able to alert, but by that time the horse is out of the barn. Gateways present a single point of failure and/or a chokepoint in network traffic flow, and may default to a fail-open state, allowing unrestricted data flows in the event of a failure.
What to look for
First, determine why you want to implement extrusion prevention. Probably, the number one extrusion vector is email. Employees say things in email that you might not want said. If this is your concern, you now need to ask if file tracking is enough, or if you want to look for hot words or phrases. Some products are focused on files, while others also look for keywords and key phrases.
Do you need to stop traffic that violates extrusion policy? Or is simply knowing about it enough? Are you concerned with multiple extrusion vectors, such as FTP, instant messenger, webmail, thumb drives or CDs/DVDs?
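The two detection approaches described above (file tracking versus hot words and phrases) and the alert-versus-block distinction between sniffers and gateways/agents can be shown with a small policy engine. The following is an added example written for this review; it is not code from any of the products tested and does not reproduce any vendor's rule format. The phrases, the confidential document and the outbound messages are all constructed sample data, and file tracking is modelled as a SHA-256 fingerprint of the registered file, which catches renamed copies but, as the design note below explains, not edited ones.

```python
"""Constructed example of a policy-driven extrusion check.

Two detection strategies from the review:
  * file tracking: an outbound attachment is compared against SHA-256
    fingerprints of documents registered as confidential;
  * hot words/phrases: the message body is scanned for policy phrases.
The enforcement mode models the deployment types: a sniffer can only
"alert", while a gateway or client agent can "block".
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    hot_phrases: list          # phrases matched case-insensitively, whole words
    tracked_hashes: set        # SHA-256 hex digests of registered confidential files
    mode: str = "alert"        # "alert" (sniffer) or "block" (gateway / agent)


@dataclass
class Verdict:
    action: str                # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)


def fingerprint(data: bytes) -> str:
    """Content fingerprint used for file tracking (hypothetical helper)."""
    return hashlib.sha256(data).hexdigest()


def register_file(policy: Policy, data: bytes) -> None:
    """Mark a document as confidential so any byte-identical copy is tracked."""
    policy.tracked_hashes.add(fingerprint(data))


def find_hot_phrases(text: str, phrases: list) -> list:
    """Return the policy phrases that occur in the text as whole words."""
    hits = []
    for phrase in phrases:
        pattern = r"\b" + re.escape(phrase) + r"\b"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(phrase)
    return hits


def evaluate(policy: Policy, body: str, attachments: list) -> Verdict:
    """Apply the policy to one outbound message.

    attachments is a list of (filename, bytes). The filename is deliberately
    ignored for matching: a renamed copy of a tracked file still matches.
    """
    reasons = []
    hits = find_hot_phrases(body, policy.hot_phrases)
    if hits:
        reasons.append("hot phrases in body: " + ", ".join(hits))
    for name, data in attachments:
        if fingerprint(data) in policy.tracked_hashes:
            reasons.append(f"attachment {name!r} matches a tracked confidential file")
    if not reasons:
        return Verdict("allow")
    # A sniffer can only raise an alert; a gateway or agent can block.
    action = "block" if policy.mode == "block" else "alert"
    return Verdict(action, reasons)


# Constructed sample data: a confidential document and some outbound messages.
CONFIDENTIAL_DOC = b"Project Falcon budget: 4.2M, internal only\n"


def build_policy(mode: str) -> Policy:
    policy = Policy(hot_phrases=["project falcon", "internal only"],
                    tracked_hashes=set(), mode=mode)
    register_file(policy, CONFIDENTIAL_DOC)
    return policy


def run_demo(mode: str) -> dict:
    """Evaluate three constructed messages under the given enforcement mode."""
    policy = build_policy(mode)
    return {
        "benign": evaluate(policy, "Lunch at noon?", []),
        "hot_phrase": evaluate(policy, "Please review the Project Falcon numbers.", []),
        # Renamed attachment with identical content still matches by fingerprint.
        "renamed_file": evaluate(policy, "See attached.", [("notes.txt", CONFIDENTIAL_DOC)]),
        # A single edited byte changes the hash, so plain fingerprinting misses it.
        "edited_file": evaluate(policy, "See attached.", [("notes.txt", CONFIDENTIAL_DOC + b"!")]),
    }


if __name__ == "__main__":
    for mode in ("alert", "block"):
        for case, verdict in run_demo(mode).items():
            print(f"{mode:5} {case:13} -> {verdict.action}: {verdict.reasons}")
```

The "edited_file" case is the caveat a practitioner should keep in mind when weighing file tracking against keyword matching: a whole-file hash only recognizes byte-identical copies, so products that track files in practice use partial or fuzzy fingerprints, while phrase matching catches the content even after it has been pasted or rewritten, at the cost of false positives on ordinary mail.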
Once you know what you want to address, how you want to address it, and why it is important, you are ready to look at some products. The batch we looked at this month is a pretty wide-ranging group. We had gateway appliances, software products and one very interesting product that works by recognizing the behavior patterns of users.
How we tested
Testing this month was very straightforward. We installed the product in our test bed and tried to defeat it. The test bed was a simulation of two communicating enterprises separated by the internet. We used, mostly, Microsoft Server 2003 and Microsoft Exchange with Outlook clients. The appliances were easy — one actually took fewer than five minutes to install. It had several policies already in place ready for tuning. Software required more setup and installation. In general, all of the products we reviewed, in the context of our testing, performed quite well.
As always, this market space is beginning to converge. Last year, we had fewer products to look at. This year, however, we are beginning to see extrusion prevention as part of multipurpose gateways. I predict that within a couple of years, extrusion prevention will be a stable function of UTMs, which already contain intrusion prevention systems.
This, as always, was an interesting month, and the products show remarkable maturity. Two years ago, the term extrusion prevention was hardly known. Today, it is a major piece of the enterprise security tool kit.