Comparing the best data loss prevention products
Expert Bill Hayes examines the strengths and weaknesses of top-rated data loss prevention (DLP) products to help enterprises make the right purchasing decision.
The best data loss prevention products offer vital protective measures to prevent an organization's sensitive information from being compromised and exposed. While some DLP products offer a comprehensive soup-to-nuts suite for protecting data at rest, in motion or in use, at the other end of the product spectrum are DLP products that offer a more specialized form of data protection, such as when DLP is integrated into other security products or when it is designed for specific applications, such as email or Web security.
All of the products covered in this article are considered excellent choices for taking DLP measures. In it, we examine DLP offerings from Blue Coat, Code Green Networks, CA Technologies, Intel Security (McAfee), Proofpoint, RSA, Symantec, Trend Micro, Trustwave and Websense to identify the best data loss prevention products for your organization. All of the products offered by these companies answer the DLP procurement questions already presented in this series, and are highly regarded. Organizations will be able to find a viable product for small, midsize and enterprise environments within this group.
As with any security initiative, however, the project team will also need to do its homework before picking the product that best meets its needs. Of particular interest is how these DLP products work with other security measures, such as encryption or mobile device management (MDM).
Comprehensive DLP suites
Security vendors like CA Technologies, Code Green Networks, Intel (McAfee), RSA, Symantec, Trustwave and Websense offer data loss protection suites to address data in use (endpoints), data in transit and data at rest (the DLP trifecta). These products are regarded as being highly specialized and usually do not perform other security functions. They may also offer interfaces for supporting technologies such as encryption, MDM and identity and access management (IAM) applications.
When comparing these suites, keep in mind that scalability will vary. DLP products have been traditionally designed with large enterprises in mind, and therefore often require multiple specialized beefy servers. That trend has changed over the past few years, however, and some vendors -- as outlined below -- are now offering appliance-based DLP products that can also be fielded in small enterprises.
CA Technologies DLP
CA Technologies' DLP suite, formerly known as CA DataMinder, is now called CA Data Protection.
Data at rest is examined by CA Data Protection Classification, a tool that scrutinizes data and classifies it according to established policies; it can integrate with CA Technologies' IAM suite to enforce data classification based on user attributes and content awareness. Data in use is protected by CA Data Protection for Endpoints, which monitors email, Web mail, social media, printing and the copying of files to removable media. Data in transit is protected by CA Data Protection for Networks.
This is a network appliance that can be deployed to monitor via SPAN ports or inline to block undesired traffic. Desirable features in CA Technologies' DLP include its integration with IAM technology for granular classification and access control of sensitive data. This product is best suited for large enterprises with a skilled IT and cybersecurity staff.
Code Green Networks DLP
Code Green Networks offers a DLP product called TrueDLP. It is appliance-based, which may provide quicker deployments, especially in smaller organizations. This appliance is available as either a bare-metal or virtual appliance. For the enterprise model, Network DLP addresses data in transit, Endpoint DLP addresses data in use, and Discovery DLP addresses data at rest. In addition to supporting the traditional enterprise model, TrueDLP also offers a DLP tool for the cloud called CloudDLP. Desirable features in Code Green Networks' DLP include the availability of appliance- and virtual appliance-based versions, cloud DLP control, and ease of deployment. This product is best suited for small to medium-sized enterprises.
Intel Security (McAfee) DLP
Intel Security (McAfee) offers a scalable DLP product called McAfee Total Protection for Data Loss Prevention. Unlike many other DLP products, this suite can perform forensic analysis on data loss events that occurred before the DLP detection rules were created -- a big plus for some organizations. The appliance-based components -- McAfee DLP Manager, McAfee DLP Discover, McAfee DLP Prevent and McAfee DLP Monitor -- integrate with the endpoint components managed by McAfee ePolicy Orchestrator (ePO), McAfee DLP Endpoint and McAfee DLP Device Control. Intel Security also offers McAfee Complete Data Protection Advanced, an encryption-based data protection suite that also features the McAfee DLP Endpoint tool.
This suite is also administered through ePO. It offers policy-enforced encryption of files, folders and removable media, and provides key-sharing methods that enable users to securely share files. The product accommodates devices using Apple FileVault and Microsoft BitLocker. It also offers hardening against cold boot attacks. Desirable features in McAfee's DLP products include the availability of both appliance and virtual appliance-based offerings, and ePO integration for DLP endpoint and encryption tools. These products are best suited for medium to large enterprises with a skilled IT and cybersecurity staff.
EMC RSA DLP
EMC RSA offers the RSA Data Loss Prevention suite, which comprises three modules:
- The RSA DLP Datacenter module addresses data at rest on a variety of information storage technologies, including Microsoft Windows file servers, UNIX file servers, NAS/SAN, Microsoft SharePoint, Lotus Notes, databases and Windows PC local drives. This module also offers temporary scanning agents to scan large storage resources without using dedicated scanning hardware.
- The RSA DLP Network module monitors data in motion for sensitive data and can enforce DLP policies to prevent exposure of sensitive information across a network. This module can monitor and prevent sensitive data exposure through corporate email, email from smartphones and tablets, posts to websites and social media, IM traffic, encrypted traffic, FTP and even generic TCP traffic where a network protocol might be subverted as a covert communications channel.
- The RSA DLP Endpoint module monitors and prevents sensitive information exposure on PCs by keeping sensitive data from being printed, copied to USB devices and written to CD/DVD. Additionally, it can keep sensitive data from being written to network file shares or exposed through HTTP-based services, such as Web mail and social media. RSA DLP Endpoint can also scan all local drives for sensitive data on desktops, laptops and virtual machines.
Desirable features in RSA's DLP suite include the availability of both appliance- and virtual appliance-based products, multiple endpoint platform support, encryption integration and mobile device controls. These products are best suited for medium to large enterprises with a skilled IT and cybersecurity staff.
Symantec DLP
Symantec Data Loss Prevention is a scalable DLP suite that has an excellent track record of deployment in highly distributed environments and for monitoring thousands of users and devices. At the other end of the scale, there is a small business version that utilizes a single server for all functions. This product is composed of a unified management platform, content-aware detection servers, and lightweight endpoint agents for a variety of platforms, including Windows, Mac and Citrix clients. DLP servers can be deployed on Windows and Red Hat Linux servers, on server hardware or virtual machines. The suite can be deployed on-premises, in a hybrid cloud, and through a managed service. It supports cloud deployments with Symantec DLP for Cloud Storage and Cloud Prevent for Microsoft Office 365, and includes DLP monitoring for mobile devices and mobile email through Symantec DLP for Mobile with Mobile Email Monitor and Mobile Prevent.
Traditional enterprise architectures are supported with Symantec DLP Endpoint Discover and Symantec Endpoint Prevent. Data in motion is addressed by Symantec DLP Network Monitor, Network Prevent for Email and Network Prevent for Web. Data at rest is monitored using Symantec DLP Network Discover, Network Protect, Data Insight and the Data Insight Self Service Portal. Additionally, Symantec Endpoint Encryption (SEE) can be integrated with Symantec DLP.
Desirable features include support for multiple DLP server operating systems, support of multiple endpoint platforms, encryption integration as well as mobile and cloud controls. Although these products are scalable and comprehensive, they are best suited for enterprises with a skilled IT and cybersecurity staff.
Trustwave DLP
Trustwave Data Loss Prevention features the Trustwave Content Control Engine for handling sensitive data monitoring, protection and discovery. For data in transit, the engine analyzes all HTTP protocol communication and attachments, including blog and social media posts. It also analyzes FTP and Telnet communication, email, IM traffic and P2P file sharing; it can block undesired FTP and HTTP/HTTPS traffic, and it offers automatic encryption, blocking and quarantining of email traffic that contains sensitive information. Finally, the engine can investigate data at rest.
This product can be deployed as a standalone appliance or as a distributed system in which at least one DLP console appliance manages one or more DLP collector appliances (the DLP Network Collector and DLP Web Collector appliances). Desirable features include appliance-based deployment and encryption integration. These products are scalable from small to large enterprises with skilled IT resources and cybersecurity staff.
Websense DLP
The Websense DLP module is deployed in the Websense advanced persistent threat TRITON AP modules, TRITON AP-WEB and TRITON AP-EMAIL. Data at rest can be examined using TRITON AP-DATA. Data in use is monitored with TRITON AP-ENDPOINT, which can secure Mac OS X and Microsoft Windows endpoints and protects against data loss through removable media. Websense DLP is an appliance-based product with multiple endpoint platform support, encryption integration, and mobile device and cloud DLP controls. These products are scalable from small to large enterprises with skilled IT resources and cybersecurity staff.
Integrated DLP tools
Unlike the companies and products described above, vendors such as Blue Coat, Proofpoint and Trend Micro offer specialized DLP products that may cover only one form of data loss protection for a specific application, such as email, instant messaging, Web browsing or endpoint security. Comparing products in this area with one another is difficult; it is more useful to compare them against the corresponding components of the DLP suites listed above. These tools may help defray the expense of a DLP suite and help a company introduce DLP technical controls for business units that handle sensitive information in ways that may be more cost-effective for the organization.
Integrated or comprehensive DLP? That is the question
When shopping for the best data loss prevention products, DLP project planners should consider how specific integrated products could be used in their organization. The intent should be to leverage existing security products that possess integrated DLP features. Toward that end, project planners should have a good understanding of what technical controls are needed to protect data in use, data in transit and data at rest (DLP's golden trio). Additionally, planners should understand the scope of those technical controls -- be it the entire enterprise or the data path from resources containing sensitive information to likely egress points. Once planners know which technical controls need to be used and their scope of employment, they can look at complete DLP suites (described above) and integrated DLP tools (described below) to determine whether a DLP suite, an integrated DLP tool or a hybrid DLP suite/integrated DLP tool deployment is required to best prevent data loss in the organization.
Blue Coat DLP provides an appliance to monitor data in transit and data at rest. The DLP appliance can be deployed with a Blue Coat SG appliance to monitor and block SSL-based sensitive data exposures. It can also be used to scan file and database servers for sensitive data at rest without deploying local agents. In data-in-transit mode, it primarily inspects HTTP/HTTPS traffic, which includes Web mail and posts to blogs and social media sites.
The Proofpoint Data Loss Prevention module monitors data in transit in SMTP email. It is managed through security policies and applies deep content analysis to both structured data, such as protected health information (PHI) or credit card primary account numbers, and unstructured data, such as documents containing intellectual property or sensitive business information. Policies can be created for structured and unstructured data alike, and attachments can be blocked based on file type, for instance engineering drawings or CAD/CAM files.
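The structured-data and attachment-type policy described here, as an added illustration that is not Proofpoint's code or detection rules: a Luhn check separates genuine primary account numbers from other 16-digit strings, and a file-type list blocks CAD attachments. The regex, the block list and the sample message are all constructed for this example.

```python
import re
from email import message_from_string

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes
# (constructed pattern for illustration, not a vendor's detection rule).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
BLOCKED_EXTENSIONS = (".dwg", ".dxf", ".step")  # constructed block list of CAD types

# Constructed sample message: one Luhn-valid card number, one look-alike
# 16-digit PO number, and a CAD drawing attached.
SAMPLE_EMAIL = """\
Subject: invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Card on file: 4111 1111 1111 1111. PO number 1234 5678 9012 3450.
--b1
Content-Type: application/octet-stream; name="bracket.dwg"
Content-Disposition: attachment; filename="bracket.dwg"

not a real drawing
--b1--
"""

def luhn_valid(digits: str) -> bool:
    # Luhn checksum: weeds out digit runs that merely look like card numbers
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    # Return Luhn-valid card numbers found in text, separators removed
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def evaluate_message(raw: str) -> dict:
    # Walk every MIME part: text bodies get content analysis, attachments a type check
    result = {"pans": [], "blocked_attachments": []}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            result["blocked_attachments"].append(name)
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            result["pans"].extend(find_pans(body))
    result["action"] = "block" if result["pans"] or result["blocked_attachments"] else "allow"
    return result
```

A real gateway would also decode attachments and inspect their contents rather than trusting the filename extension; the PO number in the sample shows why a bare digit-count rule would flood analysts with false positives.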
Trend Micro Integrated Data Loss Prevention features a lightweight DLP plugin that can be deployed through its existing products to address data at rest, data in transit and data in use. Integrated DLP modules can be found in Trend Micro's Endpoint Security, Mail Server Security, Security for Microsoft SharePoint, IM Security, Gateway Messaging Security and Web Gateway Security. DLP policies are centrally managed using Trend Micro's Control Manager.
Security gateways with integrated DLP tools like those from Blue Coat and Proofpoint provide good coverage for data in transit, and Blue Coat can additionally address data at rest. These might do very well at remote offices or as a backstop to a DLP suite's network monitor deployed at large offices and data centers. These two integrated tools should be used as complementary products for Web and email DLP work rather than as exclusive either/or solutions.
Trend Micro's Integrated Data Loss Prevention, by contrast, offers the most flexibility and is the least hardware-intensive of the integrated DLP products. Its ability to address data in use, in transit and at rest makes it a compelling choice, provided an organization already deploys Trend Micro security products or is willing to switch AV products. It is a good broad DLP product for small and remote offices.
Finding the best data loss prevention products
When looking for the best data loss prevention products, consider ones that have the desired features for the scope of the controls, the scalability, and the ease of installation and maintenance your organization requires. For instance, for DLP controls that address sensitive data beyond the border of the traditional brick-and-mortar data center, be sure to pick one that includes encryption integration for portable media plus cloud and mobile DLP protection. These are among the most desirable features to have in a DLP product today.
For integrated DLP tools, look for ones that address the controls you need to employ. A lightweight DLP product like Trend Micro's Integrated Data Loss Prevention is easy to employ and offers some advanced features like encryption integration. For very small offices, this would be an ideal choice, for example.
As for organizations of a thousand or more nodes, appliance-based products such as Websense APX and Code Green Networks' TrueDLP are good choices for those with limited resources. Finally, for large organizations with a good base of IT and cybersecurity skills, beefy DLP products such as Symantec DLP, McAfee DLP and RSA DLP scale well and contain many of the desired features large enterprises should look for in DLP controls.
In this article, we've looked at ten companies whose offerings range from full suites to integrated products. The purpose has been to offer brief descriptions and recommendations to help readers decide on the best data loss prevention products for their organizations.
Part one of this series explores the basics of data loss prevention products in the enterprise
Part two of this series looks at the business case for data loss prevention products
Part three of this series examines usage scenarios for data loss prevention products
Part four of this series looks at the purchasing criteria for data loss prevention products
Part five of this series offers insight on deploying the right DLP products for the right jobs