How to choose a DLP system
Dozens of DLP (Data Leak Prevention) systems are on offer on the Russian information security market. According to a study by the Anti-Malware analytical center, in 2015 the DLP segment grew by a total of 17% in ruble terms, and it continues to grow by tens of percent per year.
The starting point for this growth was the stance of the heads of large and medium-sized Russian companies: they accepted the idea that DLP products are an integral component of an information security system. Now, as domestic and foreign developers keep expanding their presence in the market, buyers face a selection problem. Comparing the characteristics of the numerous systems and testing each of them in "combat conditions" in order to pick the right one is a laborious and time-consuming task.
Where to start choosing a DLP system?
At the preliminary stage, a well-written technical specification (terms of reference) will help weed out unsuitable systems. Selection criteria to consider when drafting the document include:
- the number of monitored channels;
- reliability and speed of the system;
- analytical capabilities;
- developer expertise, experience and reliability;
- availability, quality and responsiveness of technical support;
- price and cost of ownership of the system.
The main requirement for a DLP system is the ability to prevent the leakage of confidential data through any of the channels used by the company. If the solution does not "close" at least one, it is worthwhile to closely examine the remaining capabilities of the system and understand whether they compensate for the lack of control over the required data transmission channel.
Basic DLP functions also include control over the storage, use and movement of critical documents within the corporate infrastructure. Some DLP solutions on the Russian cybersecurity market can block confidential information when necessary and create backups (save shadow copies). A number of DLP systems are capable of encrypting data so that it cannot be read outside the company perimeter.
What type of DLP system should you choose?
Traditional classification implies two groups of DLP systems:
- active, capable of blocking confidential information when violations are detected;
- passive, capable only of "watching" the data flows without the ability to interfere and influence the processes.
State-of-the-art solutions for leakage prevention are two-in-one systems capable of operating in both active and passive modes.
The combination of the two modes in a DLP system is an advantage already at the testing stage. Rolling out an active DLP carries the risk of halting established business processes because of incorrect settings or an erroneous response to events. Deploying the DLP suite in passive test mode first makes it possible to calmly verify that the monitoring and reaction rules are configured correctly, that the information flow channels are under continuous supervision, and that the logging and archiving subsystems do not overload the network infrastructure.
Another criterion for classifying DLP solutions is based on architectural implementation methods.
Host DLP involves the installation of agent programs on users' computers. Agents monitor compliance with security policies and prevent potentially dangerous actions, for example, launching software from removable devices. Simultaneously, agents register all user actions and transfer information to a single database. Thus, the information security specialist gets a complete picture of what is happening in the corporate network.
The main advantage of host solutions is fuller control over communication channels and user actions at the workplace. Agents record all operations on the computer, and new-generation DLP solutions additionally allow you to record employee conversations or, for example, connect to a webcam. The disadvantage of host systems is that control extends only to devices that connect directly to, and interact directly with, the workstation.
When choosing host DLP systems, you should pay attention to how agents are installed on user computers. The remote installation and administration function relieves information security specialists from the need to manually install an agent on each workstation.
Another important requirement for the agent components of host DLPs is stealth mode and protection against removal. If a user has local administrator rights and an above-average level of IT literacy, he can potentially stop the agents and take the computer out of the DLP system's "field of view".
Network DLP is based on centralized servers to which a copy of inbound and outbound traffic is redirected to be checked for compliance with security policies. Network solutions provide a high level of protection against unauthorized interference, since access can be restricted to a dedicated gateway and administrative rights granted to a narrow circle of employees.
The scope of network DLP systems is correspondingly limited by network protocols and channels: SMTP, POP3, HTTP(S), IMAP, MAPI, NNTP, ICQ, XMPP, MMP, MSN, SIP, FTP, etc. A weighty argument in favor of a network DLP solution is therefore its ability to control all the data transfer protocols in use in the company. From the security administrator's point of view, ease of deployment and configuration adds to the attractiveness of a network DLP suite.
Host and network DLP systems control different channels of information transmission, and the integration of the capabilities of different types of solutions became a logical step for developers. Almost all modern tools for preventing leaks in the information security market are universal complexes.
In addition to architectural features, one should also take into account the specifics of administering DLP systems. When comparing systems, consider how the components are deployed, how roles are distributed, and how the management console is implemented. The security administrator must first assess how informative the interface is and how complex it is to set rules and other parameters, since the convenience of managing the information protection suite depends on this.
Domestic or foreign DLP solution?
Despite the fact that foreign manufacturers pay serious attention to the localization of products, all other things being equal, it is better to choose a system with "native" linguistic algorithms.
For government organizations and institutions in Russia, the choice in favor of domestic DLP solutions is dictated by the law on import substitution. In the public sector, when holding tenders, Russian solutions enjoy preferences. In addition, in information security systems it is recommended to use products certified by regulators, for example, FSTEC. For government institutions, the use of uncertified DLP systems is unacceptable, and when introducing information security solutions, for example, in the structures of Gazprom or the Central Bank, certificates of “internal” regulators are required.
Analytical capabilities of DLP systems
Four parameters will help determine whether a DLP solution meets the company's objectives.
Reporting depends on the ability of the DLP system not only to monitor, but also to archive the intercepted information. A shadow copy can include various types of data: web traffic; email messages; print jobs; files written to USB media; information passing through network protocols. Shadow copying is an effective means of investigating incidents, but the ability to save such a "backup" is not included in all DLP systems. The reason is the additional load on network resources and end-user workstations.
How much does DLP cost?
An important criterion that narrows the range of suitable solutions already at the stage of forming requirements for a DLP system is the product price. Host-only and network-only systems are cheaper than universal (combined) ones. The general pricing principle comes down to a simple formula: the more additional options, the higher the final cost of the solution.
The price of a DLP system is directly proportional to the availability of advanced tools, including a text recognition engine in an image, linguistic analysis modules, self-learning technologies and other functions. The higher the requirements for the protection of corporate information and the more solid the information security budget, the more "advanced" the DLP system will be. "Advanced" features include, for example:
- the ability to identify transliteration;
- Bayesian text analysis;
- application of signatures and regular expressions;
- "digital fingerprint" technology for detecting documents whose structure and content have been changed only slightly;
- OCR (optical character recognition) modules and other high-tech means of content analysis.
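As an added illustration (not code from the original article or from any vendor's product), here is a minimal content-inspection routine in Python that combines two of the techniques listed above: regular-expression signatures and shingle-based "digital fingerprints" that still match a protected document after small edits. The rules, document names and sample texts are all constructed for the example.

```python
from __future__ import annotations
import hashlib
import re

# Constructed signature rules (hypothetical patterns for the example, not any vendor's rule set).
SIGNATURES = {
    "payment_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "internal_doc_id": re.compile(r"\bDOC-\d{6}\b"),  # constructed corporate document ID format
}

# Constructed protected document and a lightly edited copy of it (sample data for the demo).
PROTECTED = {
    "q3_plan": "The Q3 plan targets twelve percent growth in the northern region by opening "
               "four new sites and hiring twenty engineers before September",
}
EDITED_COPY = ("Q3 plan: targets twelve percent growth in the northern region by opening "
               "four new sites and hiring twenty engineers before October")


def shingles(text: str, k: int = 4) -> set[str]:
    """Hash every run of k consecutive words; the set of hashes is the document's 'digital print'."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(max(len(words) - k + 1, 0))
    }


def fingerprint_similarity(reference: str, candidate: str, k: int = 4) -> float:
    """Jaccard similarity of the two shingle sets: survives small edits, unlike an exact file hash."""
    a, b = shingles(reference, k), shingles(candidate, k)
    return len(a & b) / len(a | b) if a | b else 0.0


def inspect(text: str, protected_docs: dict[str, str], threshold: float = 0.5) -> list[str]:
    """Names of the rules that fire on an outgoing message: regex signatures first, then fingerprints."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    for doc_name, doc_text in protected_docs.items():
        if fingerprint_similarity(doc_text, text) >= threshold:
            hits.append(f"fingerprint:{doc_name}")
    return hits


if __name__ == "__main__":
    print(inspect(EDITED_COPY, PROTECTED))                                  # ['fingerprint:q3_plan']
    print(inspect("please pay card 4111 1111 1111 1111 today", PROTECTED))  # ['payment_card']
```

The edited copy shares 17 of 20 distinct four-word shingles with the original (similarity 0.85), so it is caught even though an exact hash of the file would not match.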
DLP system costs include more than the price of the product itself. The final amount is made up of several cost items.
One of the options to reduce the cost of the solution is to find out if it is possible to buy separate DLP modules so as not to overpay for unnecessary interception channels.
The final stage
Real load tests should be performed before settling on a single DLP solution. For testing, select 2-3 systems that fit the terms of reference and the budget. Testing a DLP system is preceded by drawing up a test plan and procedure. It will take from two weeks to a month to reveal all the nuances and check the reliability of the software. After that, all that remains is to compare the results and choose the DLP that meets all the criteria.