Block data leaks at the endpoint

TrendMicro, Websense offer effective protection against insider security breaches

The option to globally block or confirm actions is available, but is not recommended, as this might interfere with Windows. During this process, the reviewers occasionally encountered "Security Clearance" errors when clicking through a page before it had fully loaded. In more than one instance, this resulted in the loss of all changes made to the profile since the last explicit save. The product also lacks the ability to block files based on file name, as Websense does not see this as a useful feature. For this test, keyword blocking was able to serve the same function in most cases.

In all three products, changes to the configuration must be pushed out to the endpoints. With LeakProof and Data Endpoint, the policies are given version numbers, which makes checking for up-to-date configurations trivial. In Data Endpoint, the interval at which endpoints check for policy and profile updates is configurable by the administrator (in intervals as short as one minute). All endpoints update their policy upon system startup.

LeakProof has a very clearly labeled Web interface that was easy to use. It included a configuration flowchart that made it clear which steps needed to be taken to configure the system. Like Data Endpoint, LeakProof can enforce policies globally, or at the finer level of user or computer groups. An additional feature was the ability to create conditional rules. For example: if the file contains "Top Secret" but not "Approved for Release" then take some blocking action. The Web interface was easy enough to use that minimal reference to the documentation was needed, and support only needed to be contacted once.

Identity Finder's configuration interface lags somewhat behind the other two in ease of use. The policy configuration is reminiscent of Microsoft Group Policy in that the administrator is faced with a rather daunting tree of jargon-filled options. However, once we established the difference between "Anyfind" and "Onlyfind", the explanations given in the interface were sufficient to configure the system to test specifications. This product was only tested on its ability to detect HIPAA- and PCI-related data, as that is its main focus. Custom regular expressions can be used to find other types of data, but those seem to lie in the periphery of this product's functionality.

The Identity Finder enterprise administrator has the ability to control which remediation measures end-users can take, and what configuration options are available to them. The endpoint was easier to configure from its local console than from the central console.

Performance

After completing configuration, we tried combinations of protected file, exfiltration method, operating system and vendor (588 tests in all). The general categories of protected files were: HIPAA-relevant data, PCI-relevant data, code in several languages, a (formerly) classified document, a legal document, a media file, an empty file used to check file name blocking, and a standards document -- including six obfuscations.

The exfiltration methods were: copying to a USB drive; burning to CD; printing to a network printer; sending instant messages; e-mailing via a Web-based client, an open source client, and Outlook Express/Windows mail; sharing via a peer-to-peer client; copying to a network share; and pasting the contents of the file into Wordpad.

Not every test was possible on every configuration. Identity Finder has no blocking ability, therefore it is not included in these performance tests.

LeakProof won our performance testing, scoring a 76% overall success rate to 68% for Data Endpoint. LeakProof scored 100% in blocking HIPAA and PCI data, 100% in blocking various types of code and 96% in blocking access to media such as thumb drives and CDs. LeakProof scored only 29% blocking legal documents and 18% blocking via file names, although the company argues that this functionality is irrelevant because file names don't tell you anything about the content of the file.

When it came to exfiltration methods, LeakProof was remarkably consistent, blocking roughly 75% of sensitive data no matter which method was used. LeakProof did have a problem blocking smaller portions of a fingerprinted document.

Though Data Endpoint was able to catch pages, it was not able to catch paragraph- or sentence-sized excerpts. This could pose a problem for documents where only a couple paragraphs contain truly sensitive information. Thankfully, most scenarios where this would pose a problem are handled by other mechanisms (such as pattern matching and keyword blocking).

Data Endpoint scored higher than LeakProof in many categories of exfiltration methods. For example, 85% each for blocking via USB drive, CD and Webmail, compared with 75% for LeakProof in those three categories. However, the current version of Data Endpoint doesn't block users from moving data to shared network drives without denying Windows access to these files, so it scored a zero in that category. Websense plans to provide enhanced support for CIFS shares in Version 7.5, which should remedy this shortcoming.

While neither product had an explicit file name matching ability, the keyword ability in Data Endpoint was able to largely achieve the same purpose.

Identity Finder performed well within its intended purpose. The only HIPAA- or PCI-related data it did not identify was American Express card numbers. It had no trouble with Mastercard or Visa numbers, names, addresses, phone numbers, or Social Security numbers. However, it also found a large number of false positives in Windows system dynamic link libraries and other program files that it thought were sensitive information.
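The two Identity Finder results above (missed American Express numbers, false positives in program files) both come from how card-number detection is written. The following added example, not code from Identity Finder or any product in the review, shows a detector that knows Amex numbers are 15 digits starting with 34 or 37 rather than 16 digits in groups of four, and that rejects candidates failing the Luhn checksum or embedded in a longer digit run, which is how most binary-file false positives are avoided. The card numbers in the sample are the well-known published test numbers, and the sample text is constructed.

```python
import re

# Brand patterns. Amex is 15 digits (4-6-5 grouping) starting with 34 or 37, so
# a detector that only looks for 16-digit runs in groups of four never sees it.
# Optional space/hyphen separators are allowed between groups. The lookarounds
# refuse a number that sits inside a longer digit run, which is common in
# binaries and library files and is one source of false positives.
CARD_PATTERNS = {
    "visa": re.compile(r"(?<!\d)4\d{3}(?:[ -]?\d{4}){3}(?!\d)"),
    "mastercard": re.compile(r"(?<!\d)5[1-5]\d{2}(?:[ -]?\d{4}){3}(?!\d)"),
    "amex": re.compile(r"(?<!\d)3[47]\d{2}[ -]?\d{6}[ -]?\d{5}(?!\d)"),
}

# Constructed sample text using published test card numbers.
SAMPLE_TEXT = ("card on file 4111 1111 1111 1111; backup 378282246310005; "
               "legacy 5555-5555-5555-4444; not-a-card 4000000000000001; "
               "binary-ish run 55555555555544441234")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, fold to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (brand, normalised_digits) for every pattern match that passes Luhn."""
    hits = []
    for brand, pattern in CARD_PATTERNS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((brand, digits))
    return hits


def scan_sample():
    return find_card_numbers(SAMPLE_TEXT)


if __name__ == "__main__":
    for brand, number in scan_sample():
        print(brand, number)
```

Of the five digit sequences in the sample, only the three real test numbers are reported: the Visa-shaped number fails Luhn, and the trailing 20-digit run is rejected as an embedded sequence.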

System resources

Data Endpoint seemed to be the most lightweight of the agents. It only consumed up to 30MB of memory, and a small share of the processor. Hard disk usage was between 68MB (in Windows 2008) and 91MB (in Vista). It's worth repeating that it was the only program with an option to throttle discovery network usage.

LeakProof used a quarter to half of the processor, and a maximum of 50MB of memory. Hard drive space was a little less than Data Endpoint, weighing in at 55MB to 67MB (again with Windows 2008 taking the least and Vista taking the most). Blocking actions never got in the way of system operation.

Identity Finder's discovery scan consumed most of the processor and up to 60MB of memory. Canceling a scan forced the program to finish scanning the file it was on before it would terminate. Hard disk usage was consistent around 47MB.

Product summaries

LeakProof was the best general-purpose endpoint DLP tool of the three. Configuration was painless, performance was tops, it was the least obtrusive, and it enforced policies across the entire system.

Data Endpoint gives the administrator the most power. The fully packaged installation, the ability to draw on a large selection of policy templates from around the world, scriptable custom actions upon detection, tailored actions per application, and scheduled fingerprinting of files in a network share make DSS by far the most attractive feature-wise.

However, the application-centricity requires the administrator to maintain vigilance over the applications installed on his network, and to keep the endpoint profiles up to date. It also means the administrator can't apply policies that restrict a user from moving the files around in Windows. It also suffered from small glitches in the configuration interface and user experience. With a bit of polish on the interface and some improvements to the blocking accuracy, this would be a stellar product.

Identity Finder seems best suited to smaller organizations where the responsibility of data protection can be delegated to the user base. Enterprise-level configuration is not quite on par with Data Endpoint and LeakProof, and the lack of a blocking function precludes it from the circle of big time DLP vendors. On the other hand, the remediation abilities it gives to users are impressive, the endpoint interface is friendly and easy to understand, and it is very good at its intended purpose -- finding identity-related data. Identity Finder was also the only product that supported Mac OS.

Blakely is pursuing his Doctorate of Philosophy in Computer Engineering at the Iowa State University of Science and Technology. He works as a research assistant at the Iowa State University Internet-Scale Event and Attack Generation Environment Laboratory (ISEAGE). He can be reached at bab@iastate.edu.

Rabe is a graduate student at the Iowa State University of Science and Technology. He is pursuing his Master of Science in Computer Engineering and Information Assurance. Justin Duffy is a senior undergraduate student at the Iowa State University of Science and Technology.

This story, "Block data leaks at the endpoint" was originally published by Network World.