
Good afternoon, dear Habr community! Not long ago our company faced the question of which data leakage protection system to choose. Below the cut are my own thoughts on this question, as well as a comparison table describing the capabilities of the systems.
Please note that the article is not an advertisement for any particular product. It reflects the views of a single employee of the IT department of an average company.
So, at a recent planning meeting the task was set: "implement"! What exactly to implement was not specified, so after studying the issue and surveying the market, this post was written.
Our organization is not much different from the mass of other medium-sized organizations: inside there are about 250 workstations and several servers that need to be protected from the leakage of very important and extremely secret data. Unfortunately, the statistics are relentless: 80% of information leaks occur through the fault of the organization's own employees (insiders). The dissemination of data can be either deliberate or completely accidental, and every such case should be detected and stopped (ideally). How to achieve this? Company administrators can shut off the Internet, e-mail and removable media entirely, leaving users with no access to external resources at all. This is an almost perfect security option, except that it suits nobody but the administrators themselves. One can be a little kinder and open access to the Internet or removable media only to "chosen" employees. The probability of leakage decreases, but who can guarantee that a "chosen" employee is completely loyal to the company? The situation would seem hopeless, but this is where DLP systems come to the rescue.
A DLP (Data Loss Prevention) system is a software product designed to prevent leaks of confidential information outside the corporate network. It works by analysing the data flows that leave the corporate network. When a certain signature fires and a transfer of confidential information is detected, the system either blocks the transfer or sends a notification to the security officer.
The main selection criteria were the cost of the suite and the number of controlled channels.
The comparison included:
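To make that definition concrete, here is an added example (mine, not from the article or from any of the compared products) of the core of such an analysis: dictionary analysis combined with transliteration analysis over an outbound message, followed by the block / hold-for-the-officer / notify decision. The marker dictionary, the transliteration table and the per-channel POLICY are constructed assumptions for illustration.

```python
import re
import unicodedata

# Constructed dictionary of confidentiality markers (Russian and English).
# A real DLP product ships its own dictionaries and predefined templates.
CONFIDENTIAL_TERMS = ["конфиденциально", "коммерческая тайна", "confidential"]

# Cyrillic-to-Latin table for transliteration analysis (assumed mapping,
# close to the common informal scheme; real products use their own tables).
_TRANSLIT = {
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "e",
    "ж": "zh", "з": "z", "и": "i", "й": "j", "к": "k", "л": "l", "м": "m",
    "н": "n", "о": "o", "п": "p", "р": "r", "с": "s", "т": "t", "у": "u",
    "ф": "f", "х": "h", "ц": "c", "ч": "ch", "ш": "sh", "щ": "sch", "ъ": "",
    "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya",
}

# Constructed policy: action on a hit, per outbound channel. "delay" holds
# the message until the security officer (OB) decides, as in the table below.
POLICY = {"smtp": "delay", "http": "delay", "im": "block", "print": "notify"}

def normalize(text):
    """Lower-case, transliterate Cyrillic to Latin and drop separators, so
    'КОНФИДЕНЦИАЛЬНО', 'konfidencialno' and 'k.o.n.f.i.d.e.n.c.i.a.l.n.o'
    compare equal. Cyrillic homoglyphs of Latin letters (а, о, е, р) fold
    as a side effect; letters with a different sound (с -> s) do not."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(_TRANSLIT.get(ch, ch) for ch in text)
    return re.sub(r"[^a-z0-9]+", "", text)

# Dictionary terms pre-normalized once, mapped back to their original form.
_CANON = {normalize(term): term for term in CONFIDENTIAL_TERMS}

def find_markers(message):
    """Dictionary analysis over the normalized body; returns the original
    dictionary terms that matched."""
    body = normalize(message)
    return [term for canon, term in _CANON.items() if canon in body]

def inspect(message, channel):
    """Return (action, matched_terms): 'allow' when nothing matched, else
    the per-channel action ('block' | 'delay' | 'notify'); an unknown
    channel fails closed and blocks."""
    hits = find_markers(message)
    if not hits:
        return "allow", hits
    return POLICY.get(channel, "block"), hits
```

Call `inspect(message, channel)` for each intercepted message; the matched terms are what the security officer sees when reviewing a held message.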
- Securit ZGate;
- InfoWatch Traffic Monitor;
- Symantec Data Loss Prevention;
- Search Inform Security Loop;
- FalconGaze SecureTower.
Information about the products was taken from the official sites and from the companies' regional representatives. Here is what came out in the end:
| | Securit | InfoWatch | Symantec | SearchInform | Falcongaze |
|---|---|---|---|---|---|
| System name | Zgate | Traffic Monitor | Data Loss Prevention | Security Loop | SecureTower |
| System modularity | Yes | No | No | Yes | No |
| Installation sites | Server + Zlock on client PCs | Server, client | Server, client | Server, client | Server, client |
| Certificates and licenses | FSTEC NDV 3 and EAL4 | FSTEC NDV 4 and ISPDn 1, Gazpromsert, Central Bank accreditation, eToken compatibility certificate | FSTEC NDV 4 | FSTEC NDV 4 | FSTEC NDV 4 and ISPDn 2 |
| Licensing | Mailboxes, workstations | Interception channels, analysis technologies | n/a | Server, mail, IM, Skype, print, devices, HTTP, FTP | Workstations |
| Roles | Any number | Several | Any number | Any number | System administrator, security officer |
| IM control | Yes | Yes | Yes | Yes | Yes |
| HTTP/HTTPS, FTP control | Yes | Yes | Yes | Yes | Yes |
| Skype control | Text | Text | No | Yes | Yes |
| E-mail control | Yes | Yes | Yes | Yes | Yes |
| Social networks and blogs | Yes | Yes | Yes | Yes | Yes |
| Control of connected external devices | With purchase of Zlock | Yes | Yes | Yes | No |
| Port control | USB, COM, LPT, Wi-Fi, Bluetooth | USB, COM, LPT, Wi-Fi, Bluetooth | USB, COM, LPT, Wi-Fi, Bluetooth | USB, LPT | USB, LPT |
| Blocked protocols | HTTP, HTTPS, SMTP, OSCAR | HTTP, HTTPS, FTP, FTP over HTTP, FTPS, SMTP, SMTP/S, ESMTP, POP3, POP3S, IMAP4, IMAP4S | SMTP, HTTP, HTTPS, FTP, Yahoo Messenger, MSN Messenger, AIM, AIM Pro | SMTP, POP3, MAPI, IMAP, HTTP, FTP, ICQ, Jabber | HTTP, HTTPS, FTP, FTPS, all mail and IM |
| Dictionary analysis | Yes | Yes | Yes | Yes | Yes |
| Linguistic analysis | Yes | Yes + BKF | No | Yes | Yes |
| Transliteration analysis | Yes | Yes | No | n/a | n/a |
| Archive analysis | Yes | Yes | Yes | Yes | Yes |
| Image analysis | Yes | Yes | Yes | Yes | No |
| Predefined filtering templates | Yes | Yes | Yes | Yes | Yes |
| Delaying suspicious messages | Yes, the OB decides | Yes, the OB decides | Yes, the user explains the reason for sending and the incident is recorded | n/a | No, only notifies the security officer |
| Logging of system administrator actions | Yes | Yes | Yes | n/a | Only if an agent is installed on the administrator's RM |
| Agent installation mode | Open | n/a | n/a | n/a | Covert / open |
| Agent shutdown protection | Yes | Yes | Yes | Yes | Yes |
| Writing reports to local storage when the server is unavailable | Yes | Yes | Yes | Yes | Yes |
| Viewing incident history | Yes | Yes | Yes | Yes | Yes |
| Alert modes | Console, mail, graphics | Console, mail | Console, mail, graphics | Console, mail, graphics | Console, mail, graphics |
| Ability to test the product on the developer's servers | No | No | Yes | No | On the distributor's server |
| Possibility of obtaining a demo version for testing within the organization | ± | ± | No | ± | Yes, 1 month |
| Price for a company with 250 workstations | 2 500 000 rub. | n/a | n/a | 3 300 000 - 5 400 000 rub. | 1 500 000 rub. |
A few clarifications:
- System modularity is a parameter indicating whether the product controls every channel out of the box or whether separate modules must be purchased to control particular leakage channels.
- The system administrator installs and configures the system. The security officer monitors the actions of employees and the operation of the system as a whole.
- BKF: content filtering database. Allows a document to be assigned a certain confidentiality level based on certain criteria.
- OB: security officer.
- RM: workstation.
- The symbol n/a marks points that I was unable to clarify, and ± marks points where obtaining the information was difficult. For example, obtaining a trial version is a rather involved affair: you have to provide a lot of information about your organization and bring the vendor's specialists to your office.
So, this table simplified the choice of a DLP system for my organization, and I hope it will help you make your choice if you face a similar task.