This month, we are tackling a combined group that, it turns out, is not quite so combined after all. We are addressing DLP and endpoint security but, of the nine products we tested, only two did not offer DLP functionality and only two - not the same two - did not offer endpoint anti-malware, a staple of endpoint protection products. There, however, the similarities ended. When it comes to feature sets, this group really is a mixed bag.
Normally, we do not begin with our test procedure but, because the tools were so alike in purpose yet so different in execution, that seems like the right starting point this month. To begin with, we had cloud, hybrid and on-premises products. In every case, the on-prem products were delivered as install packages rather than as virtual appliances. Some were very easy to install - one took us about five minutes to get up and running - and some were brutal or simply did not work. We found mis-documentation, and we found a situation where the error was 100 percent ours - yes, Virginia, .NET 4.5 is not .NET 4.0, and a product whose prerequisites call for 4.5 cannot be expected to run on a system that only has 4.0. With that under control - and with the admonition to read the manual - we forged ahead.
Generally, our test bed consisted of a server and an endpoint. We used both our physical test bed and our virtual one, with equally good results. So, what are the takeaways so far? First, read the manual. Even intuitive deployments may not be quite as intuitive as they seem. The product we got up in five minutes we installed without the manual, but as soon as we started creating custom policies we found that the documentation was necessary. Second, if things are not going as you believe they should, call for help. Every one of these products had a credible support team standing by.
Next, plan, plan and then plan some more. Rolling out a couple of endpoints in the lab is not the same as deploying to 10,000 users around the globe. Finally, these products work in a virtualized environment, so if you can, put 'em there. Performance is good, deployment is fairly easy and, overall, the installation is bound to be clean and manageable. An added plus is that securing the tool itself is pretty straightforward; in some cases the virtual environment is easier to secure than the physical one (yes, we know that is a controversial statement, but done right, the virtual can be well secured).
Now, on to what you should be looking for as you select one of these products. Of course, the usual caveats about knowing your environment apply. But, in addition, you will probably find yourself in one of three situations: you have nothing and need to start from scratch, you have DLP but want some additional endpoint protection, or you have some endpoint protection but want DLP. There is something here for each use case, but a bit of care is necessary to do it right. If you are trying to flesh out a partial implementation - the last two of our three situations - your first stop in this group review should be the Features Matrix. It is one of the most extensive matrices we have done in a long time.
The next step is to build a short list from the Features Matrix and go straight to the reviews. Match potential products to your requirements and move on from there. A variant on this approach is to evaluate what you already have and decide whether you are satisfied with it. We almost never recommend "rip and replace," but there are a few situations where it makes sense. If your current endpoint system is getting long in the tooth, for example, you may want to re-evaluate your options.
The features you should be looking for in endpoint protection today usually are built around anti-malware. If that is important to you, take a close look at how the product detects malware: signature matching alone is not enough any more, so a next-generation tool that also watches what code does on the endpoint is almost a must. Threats such as ransomware are sophisticated, and the consequences of an infection can be very costly. Also, look closely at what the product means by an endpoint. Does it include mobile devices, for example?
One of the best reasons for a robust endpoint product is that a simple compromise, such as a click-fraud infection, can escalate into a big deal very easily. The CISO of one of this month's vendors presented at Black Hat on the emerging underground market for compromised servers and endpoints; those machines become gateways into the enterprise.
As for DLP, the questions are similar. DLP today usually is most effective at the endpoint, because that is where the data actually leaves, whatever the channel. If the endpoint gets infected and the malware tries to exfiltrate data, you want the same protection as when a user tries to walk out with corporate data on a thumb drive: the policy should key on the content, not on who is moving it or how it is leaving.
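The "same protection regardless of channel" point is easiest to see in code. The following is an added illustration written for this review, not code from any of the products tested: a minimal endpoint content inspector (Luhn-validated card numbers, a US SSN pattern and a CONFIDENTIAL marker) applied to three constructed events, the same customer export copied to a USB stick by a user and posted to an outside host by a process standing in for malware, plus a harmless control file. Everything here is an assumption made for the example: the Event type, the function names, the sample documents and the invented hostname; 4111 1111 1111 1111 is the widely used Visa test number.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added illustration, not code from any product under review. Names below
# (Event, classify, inspect_event, the sample documents) are assumptions
# made for this example.


@dataclass
class Event:
    """One attempt to move data off the endpoint, whatever the channel."""
    channel: str       # e.g. "usb_copy" or "http_upload"
    actor: str         # user account or process name
    destination: str
    content: bytes


# 13-16 digits, optionally separated by spaces or hyphens (card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US Social Security Number in its canonical dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONFIDENTIAL_MARKER = "CONFIDENTIAL"


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(content: bytes) -> Dict[str, int]:
    """Content inspection: what sensitive data does this payload carry?"""
    text = content.decode("utf-8", errors="replace")
    return {
        "card_numbers": len(find_card_numbers(text)),
        "ssns": len(SSN_RE.findall(text)),
        "confidential_marker": int(CONFIDENTIAL_MARKER in text.upper()),
    }


def inspect_event(event: Event) -> Dict[str, object]:
    """Apply one policy to any channel: the verdict depends on the content,
    not on whether a user or a process is moving it, or where it is going."""
    findings = classify(event.content)
    verdict = "block" if any(findings.values()) else "allow"
    return {
        "channel": event.channel,
        "actor": event.actor,
        "destination": event.destination,
        "verdict": verdict,
        **findings,
    }


# Constructed sample payloads. 4111 1111 1111 1111 is the well-known Visa
# test number; the SSN and the name are made up.
CUSTOMER_EXPORT = (
    b"Customer export - CONFIDENTIAL\n"
    b"Jane Doe, card 4111 1111 1111 1111, SSN 123-45-6789\n"
)
LUNCH_MENU = b"Lunch menu for Tuesday: soup, salad, sandwiches.\n"


def run_demo() -> List[Dict[str, object]]:
    """Same document leaving two ways, plus a harmless control."""
    events = [
        Event("usb_copy", "jdoe", r"E:\export.csv", CUSTOMER_EXPORT),
        # A process, not a person, posting the same data to an outside host
        # (stands in for malware exfiltration; the hostname is invented).
        Event("http_upload", "svchost-lookalike.exe",
              "https://paste.example.invalid/api", CUSTOMER_EXPORT),
        Event("usb_copy", "jdoe", r"E:\menu.txt", LUNCH_MENU),
    ]
    return [inspect_event(e) for e in events]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Both copies of the customer export are blocked and the menu is allowed; the channel and the actor are recorded for the incident trail but never consulted for the verdict. A shipping DLP product adds much more than regexes (document fingerprinting, exact-data matching, file-type and OCR inspection), but the decision structure is the one to look for when you evaluate the products in this group: content classification feeding a single policy that every egress path on the endpoint has to pass through.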