
Choosing a DLP system for an average organization.


Good afternoon, dear Habr community! Not long ago our company faced the question of which data leakage protection system to choose. Below the cut are my own thoughts on the matter, together with a comparison table describing the capabilities of the systems.



Please note that this article is not an advertisement for any particular product. It reflects the views of a single employee of the IT department of a medium-sized company.



So, at a recent planning meeting the task was set: "implement!" What exactly to implement was not specified, so after studying the question and doing some market analysis this post was written.


Our organization is not much different from the mass of other medium-sized organizations: it has about 250 workstations and several servers that need to be protected from leakage of very important and highly confidential data. Unfortunately, the statistics are relentless: 80% of information leaks happen through the fault of the organization's own employees (insiders). The disclosure may be deliberate or entirely accidental, and ideally every such case should be detected and stopped. How can this be achieved? The company's administrators can shut off the Internet, e-mail and removable media completely, leaving users with no access to external resources at all. That is nearly perfect security, except that it suits nobody but the administrators themselves. One can be a little kinder and open access to the Internet or removable media only to "chosen" employees. The probability of a leak falls, but who can guarantee that a "chosen" employee is completely loyal to the company? The situation would seem hopeless, but this is where DLP systems come to the rescue.



A DLP (Data Loss Prevention) system is a software product designed to prevent leaks of confidential information outside the corporate network. It works by analysing the data flows that leave the corporate network. When a particular signature fires and a transfer of confidential information is detected, the system either blocks the transfer or sends a notification to the security officer.



The main requirements for the candidates were the cost of the suite and the number of controlled channels.

The comparison included the following products: SecurIT Zgate, InfoWatch Traffic Monitor, Symantec Data Loss Prevention, SearchInform Security Circuit and Falcongaze SecureTower.



Information about the products was taken from the official sites and from the companies' regional representatives. Here is the result:

| Criterion | SecurIT | InfoWatch | Symantec | SearchInform | Falcongaze |
|---|---|---|---|---|---|
| System name | Zgate | Traffic Monitor | Data Loss Prevention | Security Circuit | SecureTower |
| System modularity | Yes | No | No | Yes | No |
| Installation sites | Server + Zlock on client PCs | Server + client | Server + client | Server + client | Server + client |
| Certificates and licences | FSTEC NDV 3 and EAL4 | FSTEC NDV 4 and ISPDn 1, Gazpromsert, Central Bank accreditation, eToken compatibility certificate | FSTEC NDV 4 | FSTEC NDV 4 | FSTEC NDV 4 and ISPDn 2 |
| Licensing | Mailboxes, workstations | Interception channels, analysis technologies | n/a | Server, mail, IM, Skype, print, devices, HTTP, FTP | Workstations |
| Roles | Any number | Several | Any number | Any number | System administrator, security officer |
| IM control | Yes | Yes | Yes | Yes | Yes |
| HTTP/HTTPS, FTP control | Yes | Yes | Yes | Yes | Yes |
| Skype control | Text | Text | No | Yes | Yes |
| E-mail control | Yes | Yes | Yes | Yes | Yes |
| Social networks and blogs | Yes | Yes | Yes | Yes | Yes |
| Control of connected external devices | Only when Zlock is purchased | Yes | Yes | Yes | No |
| Port control | USB, COM, LPT, Wi-Fi, Bluetooth | USB, COM, LPT, Wi-Fi, Bluetooth | USB, COM, LPT, Wi-Fi, Bluetooth | USB, LPT | USB, LPT |
| Blocked protocols | HTTP, HTTPS, SMTP, OSCAR | HTTP, HTTPS, FTP, FTP over HTTP, FTPS, SMTP, SMTP/S, ESMTP, POP3, POP3S, IMAP4, IMAP4S | SMTP, HTTP, HTTPS, FTP, Yahoo Messenger, MSN Messenger, AIM, AIM Pro | SMTP, POP3, MAPI, IMAP, HTTP, FTP, ICQ, Jabber | HTTP, HTTPS, FTP, FTPS, all mail and IM |
| Dictionary analysis | Yes | Yes | Yes | Yes | Yes |
| Linguistic analysis | Yes | Yes + BKF | No | Yes | Yes |
| Transliteration analysis | Yes | Yes | No | n/a | n/a |
| Archive analysis | Yes | Yes | Yes | Yes | Yes |
| Image analysis | Yes | Yes | Yes | Yes | No |
| Predefined filtering templates | Yes | Yes | Yes | Yes | Yes |
| Delaying suspicious messages | Yes, the OB decides | Yes, the OB decides | Yes, the user explains the reason for sending and the incident is recorded | n/a | No, the information security officer is only notified |
| Logging of system administrator actions | Yes | Yes | Yes | n/a | If the agent is installed on the administrator's RM |
| Agent installation mode | Open | n/a | n/a | n/a | Hidden / open |
| Agent shutdown protection | Yes | Yes | Yes | Yes | Yes |
| Reports written to local storage when the server is unavailable | Yes | Yes | Yes | Yes | Yes |
| View case history | Yes | Yes | Yes | Yes | Yes |
| Alert modes | Console, mail, graphics | Console, mail | Console, mail, graphics | Console, mail, graphics | Console, mail, graphics |
| Testing the product on the developer's servers | No | No | Yes | No | On the distributor's server |
| Demo version for testing within the organization | ± | ± | No | ± | Yes, 1 month |
| Price for the company (250 seats) | 2,500,000 rub. | n/a | n/a | 3,300,000 to 5,400,000 rub. | 1,500,000 rub. |



A few clarifications:

System modularity indicates whether the product controls everything out of the box or whether separate modules must be purchased to control particular leakage channels.



The system administrator installs and configures the system; the security officer monitors employees' actions and the operation of the system as a whole.



BKF is the content filtering database. It allows a document to be assigned a certain confidentiality level on the basis of specified criteria.



OB stands for security officer.



RM stands for workplace (workstation).



The symbol n/a marks points I was unable to clarify, and ± marks points where obtaining the information was difficult. For example, obtaining a trial version is a rather complicated affair: it requires providing a lot of information about the organization and bringing the developer's specialists to your office.
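To make the analysis rows of the table concrete (dictionary analysis, transliteration analysis, blocked protocols and delaying a suspicious message for the OB's decision), here is a small added example of the decision logic a DLP gateway applies to one outbound message. It is illustrative code written for this post, not code from any of the products compared; the term dictionary, the transliteration scheme, the channel list and the sample messages are all constructed assumptions.

```python
# Minimal Cyrillic-to-Latin map (assumption: simplified scheme for illustration).
TRANSLIT = {
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "e", "ж": "zh",
    "з": "z", "и": "i", "й": "j", "к": "k", "л": "l", "м": "m", "н": "n", "о": "o",
    "п": "p", "р": "r", "с": "s", "т": "t", "у": "u", "ф": "f", "х": "h", "ц": "c",
    "ч": "ch", "ш": "sh", "щ": "sch", "ъ": "", "ы": "y", "ь": "", "э": "e",
    "ю": "yu", "я": "ya",
}
# Constructed dictionary of confidentiality markers (Cyrillic and Latin).
CONFIDENTIAL_TERMS = ["секретно", "договор", "confidential"]
# Channels on which a confirmed hit is blocked outright (constructed policy).
BLOCKED_CHANNELS = {"smtp", "http", "ftp"}

def transliterate(text: str) -> str:
    """Lower-case the text and map Cyrillic letters to Latin."""
    return "".join(TRANSLIT.get(ch, ch) for ch in text.lower())

def find_terms(text: str) -> list:
    """Dictionary analysis: returns (term, kind) pairs; kind is 'direct' when the
    term appears as written, 'transliterated' when it matches only after both
    sides are transliterated (e.g. "sekretno" typed in Latin letters)."""
    lowered, latin = text.lower(), transliterate(text)
    hits = []
    for term in CONFIDENTIAL_TERMS:
        if term.lower() in lowered:
            hits.append((term, "direct"))
        elif transliterate(term) in latin:
            hits.append((term, "transliterated"))
    return hits

def inspect(message: str, channel: str) -> dict:
    """Decide what the DLP gateway does with one outbound message."""
    hits = find_terms(message)
    direct = any(kind == "direct" for _, kind in hits)
    if direct and channel in BLOCKED_CHANNELS:
        action = "block"             # confirmed hit on a blocked protocol
    elif hits:
        action = "hold_for_officer"  # delay delivery; the OB decides
    else:
        action = "allow"
    return {"action": action, "channel": channel, "hits": hits}

if __name__ == "__main__":
    print(inspect("Прилагаю договор с клиентом", "smtp"))
    print(inspect("this is sekretno, do not forward", "http"))
    print(inspect("Lunch at 13:00?", "smtp"))
```

The transliteration pass is what separates the "Yes" from the "No" in the transliteration analysis row: a dictionary that only knows Cyrillic terms would let the second message through unnoticed.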



So, this table simplified the choice of a DLP system for my organization and, I hope, will help you make your choice if you face a similar task.

Source: https://habr.com/ru/post/141000/
