Block data leaks at the endpoint
TrendMicro, Websense offer effective protection against insider security breaches
Both of these products are aimed at keeping data from leaving the endpoint, whether it be intentional or accidental. Practically speaking, accidental removal is probably where the money is at, as a determined user could probably find ways around many of the blocking schemes.
Identity Finder does not attempt to keep users from doing naughty things with sensitive data, but rather tries to help users protect sensitive data they possess. This is a very different philosophy -- trusting that users will do the right thing instead of assuming they are trying to do the wrong thing.
Identity Finder still features centralized control and logging, but gives users remediation options when a sensitive item is found. It focuses principally upon identity-related information, such as names, addresses, Social Security numbers, credit card numbers and other personal data. However, it supports the use of regular expression matching, which allows for more generic matching, if desired.
Data discovery differences
The traditional method of data discovery is to crawl every file share that can be reached for the data in question. Data Endpoint and LeakProof can both discover data in this manner, if discovery alone is needed for a system, or if installing the endpoint agent is not feasible or desirable. However, recognizing that enabling file sharing on every device in a network could have some unintended side effects, these products can perform discoveries on endpoints via the software agent without file sharing enabled.
Identity Finder's scanning is all performed on the local system, and any sensitive files it identifies are reported to the management console. After the scan is finished, if the endpoint user has write access to the scanned files, the Data Endpoint and Identity Finder agents have the option to reset the file access times to what they were before the scan.
Combine this with the stealth mode in Data Endpoint, and discovery becomes nearly undetectable (at least for ordinary users). Data Endpoint boasts an additional perk to ensure that network discoveries do not pose an inordinate burden on the network or any device: the ability to throttle network throughput available to the discovery process.
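The local discovery scan described in this section, as an added example (not code from Identity Finder, Data Endpoint or LeakProof): it matches Social Security and credit card number candidates with regular expressions, drops card candidates that fail the Luhn checksum, and resets each file's timestamps after reading it. The patterns, function names and sample values are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed patterns, constructed for this example; real products ship tuned rule sets.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for sensitive items found in text."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits

def scan_file(path: str) -> list[tuple[str, str]]:
    """Scan one file, then reset its access/modify times to the pre-scan values."""
    before = os.stat(path)
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return scan_text(fh.read())
    finally:
        try:
            os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
        except PermissionError:
            pass  # no write access to the file: timestamps cannot be reset

def demo() -> list[tuple[str, str]]:
    """Constructed sample: a test card number, a Luhn-failing number, an SSN-shaped value."""
    sample = "card 4111 1111 1111 1111\norder 4111 1111 1111 1112\nssn 078-05-1120\n"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(sample)
    try:
        return scan_file(fh.name)
    finally:
        os.unlink(fh.name)
```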
Fingerprinting for the masses
Fingerprinting functionality stands out in these products. Typically in DLP products, the fingerprinting process is limited to a few users who are allowed to log in to the management console, submit a file for fingerprinting, and then enable that fingerprint for detection. Data Endpoint and LeakProof strip away all these layers and allow ordinary users to determine which information should be protected by running scheduled fingerprints of all items in a network share. Of course, the administrator can still manually fingerprint files, and can also configure a scheduled fingerprint scan of a network share.
If your accountant has a spreadsheet that shouldn't be allowed to leave the network, all he has to do is drop it into this network share. Upon the next fingerprint scan (which runs on a schedule determined by the administrator), the new file will automatically be fingerprinted and woven into the DLP policy.
TrendMicro says it uses a unique fingerprinting method inspired by human fingerprints. This allows LeakProof to identify a document, even if a large portion of it has been changed. For this test, the only content change performed was a minor one, so this functionality was not fully tested.
Violators will be punished
The hardest decision for an endpoint protection product is what to do when a violation is detected. Data Endpoint and LeakProof both support the ability to block the action, ask the user to confirm or justify the action, send notification to an administrator, and log the violation. However, each offers something the other doesn't.