Product Group Tests

Extrusion Prevention (2007)

Group Summary

For its ease of use and deployment, good pricing and comprehensive protection, we award the BigFix DLP our Best Buy.

For its unique approach to forensics we designate Oakley SureView version 5.0 our Recommended product.

Scroll To Full Group Summary Below

Click for a side by side comparison of products
Click for a side by side comparison of products

Full Group Summary

Making sure that intellectual property and other sensitive corporate information does not leave the organisation is crucial. Peter Stephenson rounds up some very different approaches to the problem.

We have finally entered a world where everything important is on a server or workstation somewhere in our organisations. Certainly we're nowhere near paperless, but the really important stuff lives happily in our systems as data bits and bytes. It also travels around - on our networks, in email, on thumb drives, on CDs etc.

How do we ensure that critical corporate data, intellectual property, private information and the like don't grow wings and fly our nicely protected coop?

The short answer is that today we cannot. But we can close many of the escape routes effectively, and that is what extrusion prevention products intend to do. As long as there are USB ports and CD writers on user machines, there is a chance that data can leak out of the business.

And, as long as there are laptops that travel with employees and virtual private networks so that staff can work remotely, there is the chance that something will escape that you would rather keep inside the organisation. But the tools we looked at this month make that escape a lot harder.

In a nutshell, they attempt to stop unauthorised transfer of files or information based on a set of rules or policies. The tools come in three types: sniffers; gateways - sometimes called proxies; and client-side applets or agents. Each performs a different set of extrusion-prevention tasks.

Client-side agents sit on each user's computer and apply the policies to all of the actions on the machine. Sniffers generally only notify an administrator that data is leaving the enterprise in violation of policy, along with the source of the leakage. Gateways both notify and stop if they are so configured.

Obviously there are pros and cons to each of these. For example, agents may be able to stop activities such as saving unauthorised data to a thumb drive, but they need to be deployed to all desktops that need protecting. Sniffers may only be able to alert and, by that time, it may be too late to act. Gateways present a single point of failure and/or a chokepoint in network traffic flow and may default to a fail-open state, allowing unrestricted data flows in the event of a failure.

What to look for

First, determine why you want to implement extrusion prevention. Probably the number one extrusion vector is email. Employees say things in email you might not want them to or they attach files you might not want to leave the internal network. If this is your primary concern, you need to ask yourself if file-tracking is enough, or if you want to look for key words or phrases contained in messages or attachments.

Do you need to stop traffic that violates extrusion policy? Or is simply knowing about it enough? Are you concerned with multiple extrusion vectors such as FTP, instant messenger, webmail, thumb drives or CDs/DVDs?

Once you know what you want to address, how you want to address it and why it is important, you are ready to look at some products.

The batch we reviewed this month is a pretty wide-ranging group. We had gateway appliances, software products and one very interesting tool that works by recognising users' behaviour patterns. For situations where you want multiple layers of extrusion protection, consider combining products that have unique capabilities and can augment each other.

How we tested
This was very straightforward. We installed the product in our test bed and tried to defeat it. The test bed was a simulation of two communicating enterprises separated by the internet. We used, mostly, Microsoft Server 2003 and Microsoft Exchange with Outlook clients.

The appliances were easy to install - one actually took less than five minutes and had several policies already in place ready for tuning.

The software-based solutions required more setup and installation. In general, all the products we reviewed, in the context of our testing, did quite well.

As always, there is the beginning of a convergence in this market space. Last year we had fewer products to look at. However, this time, we are beginning to see extrusion prevention as part of multipurpose gateways. I predict that, within a couple of years, extrusion prevention will be a stable function of unified threat management products, which already contain intrusion prevention systems.

Two years ago the term extrusion prevention was hardly known. Today, it is a major piece of the enterprise security tool kit.

- For details on how we test and score products, visit

All Products In This Group Test