Block data leaks at the endpoint
TrendMicro, Websense offer effective protection against insider security breaches
The option to block or confirm actions globally is available but is not recommended, as it might interfere with Windows itself. During this process, the reviewers occasionally encountered "Security Clearance" errors when clicking through a page before it had fully loaded; in more than one instance this discarded all changes made to the profile since the last explicit save. The product also cannot block files by file name, as Websense does not see this as a useful feature. For this test, keyword blocking served the same function in most cases.
In all three products, configuration changes must be pushed out to the endpoints. LeakProof and Data Endpoint assign version numbers to policies, which makes checking whether an endpoint has the current configuration trivial. In Data Endpoint, the administrator can set the interval at which endpoints check for policy and profile updates (as short as one minute). All endpoints also update their policy at system startup.
LeakProof has a very clearly labeled Web interface that was easy to use. It includes a configuration flowchart that makes clear which steps are needed to set up the system. Like Data Endpoint, LeakProof can enforce policies globally or at the finer granularity of user or computer groups. It can also express conditional rules, for example: if the file contains "Top Secret" but not "Approved for Release", then take some blocking action. The Web interface was easy enough to use that we needed minimal reference to the documentation and contacted support only once.
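To make the rule types concrete, here is an added example of a toy endpoint policy evaluator; it is not code from any of the reviewed products, and the policy format, rule names and sample files are all constructed for illustration. It models the three mechanisms the review relies on: plain keyword blocking (which stood in for file-name blocking above), LeakProof-style conditional rules ("contains X but not Y"), and regex detection of PCI-style card numbers tightened with a Luhn check. The card number used is the widely known 4111 1111 1111 1111 test number. The last sample shows the obvious weakness of content matching: a base64-encoded copy of the same CSV sails past both rules unless the scanner decodes it first.

```python
"""Toy endpoint DLP policy evaluator (added example, not vendor code).

Rule kinds modelled: keyword blocking, conditional rules
("contains X but not Y"), and regex + Luhn detection of card numbers.
Policy format, rule names and sample files are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass, field


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate primary account numbers: 13-19 digits, optional space/hyphen separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans(text: str) -> list[str]:
    """Regex narrows candidates; the Luhn pass drops most false positives."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Rule:
    name: str
    require: list[str] = field(default_factory=list)   # every keyword must appear
    exclude: list[str] = field(default_factory=list)   # no keyword may appear
    pan_scan: bool = False                             # also demand a valid PAN
    action: str = "block"

    def matches(self, text: str) -> bool:
        lower = text.lower()                            # case-insensitive keywords
        if any(k.lower() not in lower for k in self.require):
            return False
        if any(k.lower() in lower for k in self.exclude):
            return False
        if self.pan_scan and not find_pans(text):
            return False
        return True


@dataclass
class Policy:
    version: int                # versioned so endpoints can report staleness
    rules: list[Rule]

    def evaluate(self, text: str) -> list[str]:
        """Actions triggered by the file content, e.g. ['block']; [] means allow."""
        return [r.action for r in self.rules if r.matches(text)]


# Constructed policy mirroring the review's example conditional rule.
POLICY = Policy(version=3, rules=[
    Rule("classified-not-released",
         require=["Top Secret"], exclude=["Approved for Release"]),
    Rule("pci-pan", pan_scan=True),
])

# Constructed sample files; 4111 1111 1111 1111 is a standard test card number.
SAMPLES = {
    "memo.txt": "TOP SECRET briefing, do not forward.",
    "press.txt": "Top Secret project X. Approved for Release by counsel.",
    "orders.csv": "cust,pan\nalice,4111 1111 1111 1111\n",
    # trivially obfuscated copy: same data, base64-encoded
    "orders.b64": base64.b64encode(b"alice,4111 1111 1111 1111").decode(),
}


def scan_all(policy: Policy = POLICY, samples: dict = SAMPLES) -> dict:
    """Evaluate every sample against the policy; maps file name -> actions."""
    return {name: policy.evaluate(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, actions in scan_all().items():
        print(f"{name:12s} -> {actions or ['allow']}")
```

Running it blocks memo.txt (marker present, release stamp absent) and orders.csv (Luhn-valid PAN), allows press.txt because the exclusion keyword fires, and allows orders.b64, which is exactly the gap the obfuscated test files in a review like this are meant to probe.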
Identity Finder's configuration interface lags somewhat behind the other two in ease of use. Its policy configuration is reminiscent of Microsoft Group Policy: the administrator faces a rather daunting tree of jargon-filled options. However, once we established the difference between "Anyfind" and "Onlyfind", the explanations given in the interface were sufficient to configure the system to the test specifications. This product was tested only on its ability to detect HIPAA- and PCI-related data, as that is its main focus. Custom regular expressions can be used to find other types of data, but that capability lies at the periphery of the product's functionality.
The Identity Finder enterprise administrator can control which remediation measures end users may take and which configuration options are available to them. The endpoint was easier to configure from its local console than from the central console.
After completing configuration, we tried combinations of protected file, exfiltration method, operating system and vendor (588 tests in all). The general categories of protected files were: HIPAA-relevant data, PCI-relevant data, source code in several languages, a (formerly) classified document, a legal document, a media file, an empty file used to check file name blocking, and a standards document -- including six obfuscations.
The exfiltration methods were: copying to a USB drive; burning to CD; printing to a network printer; sending instant messages; e-mailing via a Web-based client, an open source client, and Outlook Express/Windows Mail; sharing via a peer-to-peer client; copying to a network share; and pasting the contents of the file into WordPad.
Not every test was possible in every configuration. Identity Finder has no blocking ability, so it is not included in these performance tests.