Critical Infrastructure Security

Industry Innovators: Data protection

Now we get to the meat of the issue: Protecting the data directly. Everything else in this issue contributes to defense-in-depth, but the tools in this section hit the target right in the bullseye. We deal with the problem on several levels. The solutions to challenges in the various aspects of data protection come in several flavors, and one can mix them together as requirements dictate. That in mind, we are pretty certain that you'll find something in this group that will help you solve a data protection challenge.

We start by assuming that our enterprise is infected – a good assumption to make these days – and we need to ensure that our data stays in the enterprise where it belongs. Data leakage protection does not need to address malware-borne data exfiltration only, though. Some data walks out the door on thumb drives or gets emailed out either maliciously or in naïve innocence. This year's DLP product is a one-two punch that adds encryption to the DLP mix.

One of the most dangerous attack vectors is the browser. This is where the bugs ride into the enterprise on a wave of surfing, whether innocent or not. There is just about no website that can, de facto, be trusted today. If not for the browser, though, we still would have challenges in email. Our next two Innovators hit the browser and email respectively.

We wrap up this section with the latest security monster under the bed: mobile devices. Mobile device apps are, as a colleague once told me, the leading distribution channel for malware on the internet. There are lots of ways to address this threat, and this year we have a couple of the most creative ones we've seen in quite a while.

Taken together, the tools in this section have a good handle on protecting the data directly no matter where it lies. If we toss in some of the tools in our other sections, this year we get the whole mix and overall we find that the generation of tools exemplified by this year's Innovators does the job nicely. The tools in this section make a strong centerpiece for exactly that.


Over and over we have said in these pages that the key duty of information assurance is to protect the data. One of the most difficult instances of that duty is data leakage prevention. DLP must address data at rest and data in motion. To do that it must know where the data is. This Innovator accomplishes this duty through four seamlessly integrated DLP modules.

Trustwave is well experienced in information assurance, in general. The TrustKeeper platform is a mainstay of solid information protection on several levels. The company has leveraged this experience to achieve a strongly conceived product that addresses the tough challenges of data leakage prevention.

Starting with more than 70 out-of-the-box compliance categories, this Innovator addresses regulatory issues head on. The product is designed to be set up rapidly, delivering quick results. That is yet another example of the trend that we saw this year toward ease of use. The product actually is a suite of four modules.

DLP Discover detects and locates IP and sensitive content that one doesn't want to exfiltrate. DLP Monitor watches for sensitive data traveling out of the network and blocks it. DLP Protect explicitly monitors email and attachments. And DLP + Encryption adds strong encryption to the mix. Taken as a suite, these modules cover the DLP landscape quite nicely.

The DLP + Encryption module is especially creative. It is a combination of DLP Discover, encryption and a comprehensive set of policies that let users find sensitive data and apply encryption per an established policy. It does this with minimal user intervention, and the encryption uses a tagging mechanism to ensure its persistence.

Compliance reporting is comprehensive as well so the DLP suite not only provides appropriate, easy-to-use DLP, it addresses regulatory requirements. As part of the overall Trustwave product line, DLP provides a strong, focused capability for protecting an organization's data. This is a tough challenge, but this Innovator's DLP suite really shines. Priced right, backed by an experienced vendor, and with all of the appropriate tools, Trustwave DLP is just the kind of innovative product we look for.


Vendor: Trustwave

Flagship product: Trustwave DLP

Cost: Unlimited scanning for data-at-rest starts at $5,000 per scanning node. Finding and protecting data-in-motion starts at $50 per device.

Innovation: Tight integration of all of the functionality of DLP, including the addition of encryption.

Greatest strength: Comprehensive view of information assurance in general and DLP in particular, along with the ability to draw from that view to make the whole greater than the sum of its parts.


Phishing is, arguably, the number one threat against organizational data. The spear phishing variant is the manifestation of the phishing attack that is, perhaps, the scariest because it targets individuals instead of being an attack of opportunity. Taken with the numerous other types of malware, it is no wonder that many security analysts believe – with good reason – that malware is the greatest threat against enterprise data with spear phishing leading the charge. Certainly this Innovator believes that to be the case.

We have been watching this Innovator since it came on the scene and we have made some observations. First, there is some very creative thinking about preventing the impact of malware attacks. The company has a deep understanding of the mechanics of malware attacks and how to detect and stop them, even if they are zero-day attacks. As well, the company listens to its customers and takes action when necessary. We have seen that on a couple of occasions and we find it gratifying.

Invincea has a pretty simple premise: As the company puts it, place the user in a bubble. The idea is that the user who surfs the net or, in fact, does anything that relates to HTTP, does so inside a virtual machine dedicated to the activity. The VM isolates the HTTP-related activity and, if malware activity is detected, it closes the session, wipes the VM and rebuilds with a clean VM retaining the user's settings. This is subtly different from using a typical sandbox for isolation because the VM is an independent entity with its own operating system, its own iteration of the browser and more.

The Enterprise Edition consists of the desktop software and the Threat Data Server. The Threat Data Server collects forensic data from thwarted attacks from every Invincea desktop on the enterprise and provides that intel to other devices – such as McAfee ePO, Splunk, NetWitness and more – for analysis. The forensic analysis is important because Invincea is adept at interdicting zero-day malware, and that information helps address this unknown code in the future. It also helps understand how to clean up the impacts of the attack should it occur on an unprotected device.


Vendor: Invincea

Flagship product: Enterprise Edition

Cost: While Enterprise packages vary based on volume, the basic SOC package is offered for $125,000.

Innovation: Malware isolation during the browsing process.

Greatest strength: Deep understanding of malware mechanics.


This year, McAfee broke the mold. It has been our experience that most of our Innovators are small companies with niche products for niche markets within the information assurance space. That certainly does not characterize McAfee.

What does characterize McAfee as an Innovator is its approach to the most important aspect of innovation: how one thinks. The Network Security Business Unit – the home of McAfee Email Protection – is solidly ensconced in the type of thinking process that results in innovative solutions to difficult, and occasionally obscure, information assurance challenges.

McAfee Email Protection is an integrated suite of capabilities. That does not necessarily mean that there are lots of separate products, but if one examines the tool, one will find just about every email protection functionality imaginable, all presented on a single pane of glass. Perhaps most interesting is that this product does not integrate into McAfee ePO. It does, however, exchange data with it.

Functionality included with McAfee Email Protection includes inbound and outbound scanning, reputation analysis, DLP, compliance reporting, encryption and cloud-based email continuity that maintains integrity of the email system even if a server crashes. The platform for the product can be cloud, on premises or a hybrid. The on-premises piece can be a physical or a virtual appliance, so there is a lot of flexibility built into the system.

Compliance reporting is comprehensive with more than 110 content dictionaries to support most regulatory requirements. The DLP system uses deep content analysis and recognizes more than 300 file types, and reputation analysis is part of McAfee Global Threat Intelligence, which assesses billions of file queries per month.

We did not expect a company the size of McAfee to be one of our Innovators, but we were pleasantly surprised because larger companies seem to have less capacity for the turn-on-a-dime mentality that characterizes true innovators. However, having a large number of individuals free to think about where products, challenges and the market are going and to ask “what if” questions certainly shifts the thinking paradigm from how to have a great quarter to how to have a great company.


Vendor: McAfee

Flagship product: McAfee Email Protection

Cost: Ranges from $25 to $4.75/user/year, depending on user count and term commitment.

Innovation: Comprehensive inbound and outbound security against all email-borne threats and data loss.

Greatest strength: Experience and about 600 people who have the freedom to spend time thinking about the next thing to address in their domains.


It's a simple problem, really. How does one know what applications to trust in the enterprise? At least when one controls the acquisition of those applications, it's a simple problem. But BYOD has changed all of that. Someone once told me that the app stores for mobile devices are the world's most prolific distributors of malware. That certainly makes sense when one considers that most, if not all, apps for some types of mobile devices are never vetted, and many aren't built to any programming standard at all.

If one wants to target corporate data for exfiltration, we cannot think of an easier way than to hide a trojan in a mobile app and then entice users who will bring their own mobile devices to work and connect to the corporate network to buy it. That is where Appthority comes into the picture. The idea behind this product is that it identifies and characterizes risky behavior in apps. Then it communicates its findings to whatever tools the organization is using to manage its mobile devices, including those covered by BYOD.

Rather than try to be yet another anti-malware product with huge data sets of signatures – most of which are useless in the mobile device world – it works 100 percent on behavior. If an app misbehaves in certain ways deemed to be typical of malware behavior, Appthority sends that information to the Enterprise Mobility Management, Mobile Device Management, Mobile App Management, Enterprise App Catalogs, or Enterprise Mobile App Developers' Software Development Lifecycle process for action.

The Appthority Platform is cloud-based so the price is extremely low. It integrates into the types of management systems above through an open API and it is already in a large number of market-leading mobile device management products. In addition to the static and dynamic analysis using behavior-based engines, like many of the cloud-based products we looked at this year, Appthority Platform takes advantage of the intelligence available from its cloud-based activities to develop a significant reputation-analysis capability.

Appthority gives organizations supporting BYOD the ability to allow users to have the personal apps they want without undue restriction while taking measures to keep the egregious apps from threatening the organizational enterprise.


Vendor: Appthority

Flagship product: The Appthority Platform

Cost: $1.50/user/month

Innovation: Automatically identifies and grades risky behavior in mobile apps, including known and unknown malware, new malware used in targeted attacks, corporate data exfiltration and intellectual property exposure.

Greatest strength: Imagination to identify a problem and develop a novel approach to solving it.


To start with, we really like the name of this Innovator. After that, though, we really like what this creatively named company does. The problem is quite straightforward. In an age of BYOD, commingling personal apps and data with organizational apps and data is almost a given. There are things that one can do, of course, but they depend on the capabilities and will of the users. The real solution to this challenge is the solution to all policy challenges in information assurance: Make a policy and then enforce it through technical means. Don't depend on the user to do anything. Make it simple for them.

The problem Fixmo set out to address – separation of organizational and personal data and apps – is perennial within most organizations that allow personal mobile devices. The ability to solve the problem is predicated on the ability to identify it. When Fixmo looked at the market from the perspective of enablement and empowerment, the answer was obvious: Let employees do whatever they want with their mobile devices without sacrificing or compromising security, compliance or utility. Once that challenge was articulated it was time to start development.

To get started, this Innovator partnered with the National Security Agency (NSA) in a CREDA (Cooperative Research Engineering Development Agreement). This allowed Fixmo to have access to NSA software used for verifying device integrity, security and compliance. From that point on, this Innovator developed a type of sandboxing that implements those requirements.

SafeZone is deployed on the business side of the device only. So the user adds personal apps and data as he or she normally would. The organization manages the business side only. That piece can be deployed against Active Directory, so in that regard it is similar to any typical security policy on any device in the enterprise. For the user, access to the organizational side of the device is no different from logging into a corporate laptop.

Because this is a familiar operation, users do not feel that they are being forced to learn something new. Also, when/if it becomes necessary for the organization to perform a wipe or forced password reset, it affects only the organization's apps or data. The user's apps and data are safe.


Vendor: Fixmo

Flagship product: Fixmo SafeZone

Cost: $59/year

Innovation: Separates personal apps and data from organizational apps and data on tablets and smartphones in a BYOD environment.

Greatest strength: Clear vision of the problem and the solution along with the ability to execute on the vision.
