Product Group Tests
Endpoint data leakage prevention (2010)
GFI EndPointSecurity offers solid endpoint management at a good price, making it our Best Buy this month.
We rate Cyberoam Endpoint Data Protection Recommended for its ease of use and strong feature set.
Full Group Summary
Data loss at the endpoint is a major concern, but there are solutions to help businesses. By Peter Stephenson
In a survey conducted by Cisco in 2008 there was a finding that 33 per cent of IT professionals were most concerned about data leaving the organisation through the use of USB thumb drives or USB external disks*. I cannot imagine that the level of concern has abated in the intervening two years given the high visibility data losses over that period.
When we look at data leakage we must consider two things: where the data lies and where it could go that it is not supposed to. For example, data sitting inside a database is vulnerable two ways. First, it is vulnerable to an employee with access stealing the data. Second, it is vulnerable to being harvested by a bot or other malware. Data sitting on a workstation may only be vulnerable to actions on the PC such as copying to a thumb drive or CD.
It is that endpoint data theft or other types of endpoint leakage with which we are concerned this month. Vendors have long addressed the illicit use of peripherals. Cutting off external ways of accessing a PC, such as via CD ROM or USB ports, does the job but is a bit draconian for most organisations. What is needed is a more detailed way to manage these devices and today's batch of tools addresses that need well.
Not limited to turning ports on and off as endpoint security tools have in the past, today's endpoint protection products are focused on the real purpose of controlling endpoint peripherals: data leakage, whether accidentally or maliciously. They accomplish this by centralised control across the enterprise and detailed policies that draw data from Active Directory.
How to buy endpoint DLP
Data leakage is not always malicious. In fact some might argue that it is more likely to be accidental, but I do not know of any statistics either way. However, in either case there are some criteria that we should look to that can cover both possibilities.
First, user friendliness and transparency are important. No security control should ever manifest itself unless it is violated. As long as all is going as it should, the control should remain transparent to the user. The intervention should also be measured. In other words, rather than disabling a port completely, for example, it should be disabled only for those things that constitute a violation of policy.
That leads to the second criteria: manageability. Endpoint DLP should be centrally manageable and should be policy-driven. Older systems were very restricted in this regard. That brings up a related point. When the computer is off the network protections should persist. That is especially important for laptops.
A third important criteria addresses malicious activity but can be very useful in understanding user error. That is auditability. The product should have a good audit log and that log should have acceptable detail. It should never be saved on the computer being protected. Rather, it should be kept on the machine that administers the products across the enterprise.
When the endpoint product can integrate directly with a gateway or network product the result is superior protection. There is a need to enforce security policies with technical controls. Studies have shown that both users, and surprisingly, IT personnel tend to violate security policies. Whether this is done out of ignorance or apathy does not matter. A significant enough portion of an organisation's population is likely to violate policy so that technical enforcement is necessary. Integrating the gateway and the endpoint is the best way to achieve control over data leakage.
Back to policy-driven systems, we found that the detailed configurability is very important. Centrally managed endpoints with very granular policies allow the administrator to set up protection that supports the user's work needs without being unnecessarily draconian. An important part of that is identification and authentication. Endpoint products should have the ability to integrate with Active Directory or some similar product. This provides the basis for detailed policies.
Finally, just stopping data leakage is not enough. Identifying the root cause is equally important from the perspective of remediation. That goes back to logging, but there is a bit more to consider. For example, what about encrypted connections such as SSL? Can the system tell what kind of document is being transferred? Since breaking encryption is really not on the cards, how does the system identify the type of file or data being transferred?
There is an extension to the encryption question. What about methods of communication, encrypted or not? What about instant messaging, text messaging, screen captures and so on? Some of these, text messaging for example, use unique protocols for communication and often are best intercepted at the source. Since the endpoint is the source we can avoid being concerned about the protocols in some cases. However, the DLP product needs to be smart enough to recognise the traffic.
The bottom line is that DLP is a double-edged sword. Protection at both the gateway and the endpoint makes the best protection. If the two are well integrated and some identity and access mechanism such as Active Directory is included it would be better.