
Personal experience: how we chose a DLP system

Hello everyone! In this article I will describe how we tested five systems and what we liked and disliked about each. The opinion is subjective but grounded in practice, and there is little of that online (Anti-Malware publishes comparisons but stresses that they are basic, and Habr has had an article on the topic, but it turned out to be a comparison table of who has which feature). We tried the functionality and measured it against our own needs, spent almost half a year on it, and can now share the experience. I apologise in advance to the vendors: I will describe the products' drawbacks as they are (they already speak well enough of the advantages themselves).




For those who do not want to read the full article, the conclusions and tips for choosing a DLP system come first:



Big point


So, to the point: let's start the review.


Zecurion


Even a child could install and configure the system. It is a matter of a couple of hours, on your own and without a manual. It makes no difference whether the components are installed on one OS or distributed across several; in both cases everything is quite obvious.


The settings are also good; at first they are even overwhelming. For example, what other DLPs simply call "Internet control" is split here into a whole set of groups, and each can be given its own rules.


There are many operating modes: full interception, auditing, blocking.


In general, Zecurion's coverage of transmission channels is quite extensive, as all colleagues noted. But when it came to working with the intercepted information, the flaws appeared.


What you liked:


  1. Broad channel coverage, with individual settings broken down into groups or logical blocks.
  2. The ability to react depending on the content of documents, and to work with text content in general.
  3. Proxy emulation in the agent-based solution.

What did not like:


  1. Illogical modularity.
    If several server components are perceived positively, the presence of TWO agents is, to put it mildly, strange. It is hard to say what logic this serves; I personally did not like the decision, since both agents essentially perform the same role.


  2. Working with the archive.
    When we got to working with the intercepted information, our opinion of Zecurion changed dramatically. The interface is built on MMC, and I think all the problems of such a solution are clear. Working with the archive is very difficult: it is inconvenient to view data samples and detected violations. In many places you are not even working with database queries but with log filtering, and all the problems that follow from this are obvious.


  3. Agents.
    There were a number of problems with the agents. Our administrators are aware of the situation: we have an agreement to remove an agent only as a last resort and only by prior approval, so we see all the problems and keep statistics. A computer can start to slow down terribly simply from the presence of the agent, for no explainable reason. We could not find any conflicts, software incompatibilities or anything else that would help understand the cause.

Total:


The unfinished tools for working with the archive were disappointing, and the archive accumulated there is very considerable: the database grows at a fantastic rate! Yes, there are sampling tools, data compression and various filtering options, but that does not solve the problem of an outdated interface. What takes 2 actions in other systems may require 10 or 20 operations here.


Infowatch


We were given version 5 for the test. The system controls the basic list of channels (mail, Internet, instant messengers, storage devices, printing) and has a number of predefined analytical functions; the whole system logic is built on them.


Even before first use it became clear that the system is not so simple. The solution consists of several products and platforms that are independent of each other. Part of the functionality is in one product, part in another. It is completely unclear why the system is so complicated. One could live with this, but architectural problems arise: of the three solutions, the analysis works for only one. For example, analysis works fine for mail, is questionable for Skype (depending on which agent is installed), and does not work at all for Viber.


What you liked:


  1. A sophisticated and quite pleasant user interface.
  2. There are not that many control channels in Traffic Monitor, but it is immediately clear, without any manual, how to use them and what each is responsible for.
  3. Well-structured presentation of intercepted information. Everything is divided into groups, step by step, logical and simple.

What did not like:


  1. Agents.
    Suffice it to say that there are several of them. Skype is controlled by one agent, Viber by another. And these are not different "modules" of one solution; they are completely unrelated solutions.


  2. System architecture.
    Usually a system runs either on Windows or on UNIX. Here both platforms are required at once. Why is not clear.

The products are fragmented: there is Traffic Monitor and there is Device Monitor. As I said, they are on different platforms, but in fact they are the same system. And there are also Endpoint Security and Personal Monitor: seemingly related tasks, but a completely different solution, not compatible with the first two. Why so is again unclear, because the same "working time" tracking would be useful in a DLP. One suspects that this division was made in order to sell several more products along with the DLP and increase the total bill.


  3. Functionality.
    While working in Traffic Monitor everything is fine: the console is nimble and pleasant, everything is very simple, the system is fast. But as soon as you move on to other tasks (and other consoles), the darkness begins. Here you can block but cannot create a shadow copy. There you can create a shadow copy but cannot search in it. Storage devices are controlled in all three platforms, each in its own way.

In the process there is a problem: you need to jump between different systems; you cannot simply double-click an event and see all its details, as is done in ALL the other solutions.


Total:


My colleagues and management agreed that the price offered was unreasonably high for the proposed solution, given that it is a kind of "hodgepodge" of heterogeneous software not connected in any way.


SearchInform


The system consists of many applications, both client and server. After installation so many icons appear on the desktop that at first you are close to a state of shock. Then things settle: in fact the necessary components are 3 or 4, the rest are run once for configuration and not used afterwards. All components are Windows-only applications; there is no multiplatform support. There is some web access, but it works only for graphical reports.


As for channel control, everything is very good: almost all routes are covered. You can log changes to the file system and changes to machine configurations, right up to recording video of user actions. Not everything can be blocked in the system, but there is no problem with evidence.


What you liked:


  1. Many versatile channels and methods of interception. There are many non-DLP but useful features, such as hardware audit, encryption and blocking of file system objects.
  2. Excellent archive search tool. Lots of options: searches, filtering, selection, grouping.
  3. No restriction on the complexity of security policies: one rule can contain any combination of regular expressions, document fingerprints, dictionaries, morphology, categorisation, typo tolerance, similar-meaning search, etc.
  4. Stability: the only system that did not glitch during our test.

What did not like:


  1. Channel blocking.
    Not all intercepted channels can be blocked. And there are no content-based blocking rules; everything is solely by attributes.


  2. Complex interface.
    Not everyone can start working with the system: there are a lot of consoles and each has a tangled interface that you need to wrap your head around. Or read the manual, which no other system required.


  3. Number of consoles.
    9 consoles. Are they serious?!

Total:


In terms of working with the archive, CIB is really strong. The weak content-blocking functionality and the cumbersome consoles were disappointing.


Technical support deserves a separate mention. The flaws we found and our wishes were resolved during the pilot, when we had not yet paid a penny. Perhaps the prospect of our money played a role, but the fact remains: they worked well with us.


Falcongaze


To say that the system deploys simply is not enough; you will rarely see such an easy-to-install product. The vendor claims a full deployment takes a few hours; in fact it takes minutes! At first the product also seems very simple to administer: all basic actions are performed logically and as a matter of course.


The number of monitored channels is quite extensive: in addition to the basic ones there are features such as recording sound from the microphone, online connections and other specific channels; the list can be found in any review, so I will not dwell on it.


What you liked:


  1. There are a lot of different control channels; in addition to the main ones there are things like Viber, screenshots, keylogger, search, etc.
  2. A well-developed data retrieval mechanism. It is convenient for finding specific things.
  3. The bundle (templates, policies, even ABBYY OCR) can be used five minutes after installing the interception agents.
  4. User productivity as a separate and rather developed control channel: who did what and for how long is very clearly visible.

What did not like:


  1. Data processing.
    There is a big delay before data becomes available, related to the processing (indexing); it can be measured in hours.


  2. Reports.
    Poor reports: there are some well-made ones you can work with and hand to management, but the bulk of the reports are absolutely useless.


  3. Glitches.
    While testing some other systems, users suffered from problems with agents; here we ourselves were in their place, because server glitches were added to the agent ones: a policy check may well hang, dragging the console along with it. Moreover, a restart does not always fix the situation.


  4. Blocking.
    I got the impression that the system is partly unfinished and partly implemented, so to speak, for the checkbox. Let me explain with an example. The software declares blocking functionality via a proxy. The function really exists, but you should see how it is done!

The user gets a blocking-rule wizard in which all parameters are selected manually. For example, if you want to block Gmail attachments, the system allows it: open Wireshark and watch the traffic, and once you have worked out which part of the URI to block, the wizard is at your service. Want to block Dropbox? Nothing simpler: upload a test document while watching the traffic, find the necessary fragment, add it to the rule and test the whole thing! Don't forget to go through all the upload methods. And this has to be done for every task. And there is no content-based blocking.


Total:


The system has powerful capabilities for collecting various data, but apart from viewing the archive it does not let you do anything with it. That is, the only possible reaction to an incident is to notify the admin. Blocking is declared, but it works in a peculiar way. And in general everything works in a peculiar way; perhaps we were just unlucky, but I cannot bring myself to call it glitch-free.


DeviceLock


The test got off to a hard start: we knew in advance that it lacked functionality we needed, because the system works only through agents, which in our case is not always possible. Still, we decided to test it, as the vendor assured us that we were overlooking a lot of functionality.


The system is set up very simply; the client-server architecture inherent in DLP solutions is very conditional here. Agents can generally work without communication with the server, so installation is essentially like that of a normal program. Everything deploys extremely quickly, and there are special tools for administering the settings, which is quite convenient. Working with the system itself presents no particular difficulty; everything is very clear.


What you liked:


  1. The system is simple. Of course, all the problems inherent in MMC have not gone away, but everything is very clear and as expected.
  2. Very good work with devices. Proper division of devices into types: for example, mobile phones (iOS, Palm, Windows Phone, etc.) are split into different categories, and you can create your own rule for each.
  3. Content-based blocking is available for any monitored channel. If a document contains, for example, a full name or credit card data, you can block it regardless of the transfer method, whether mail, a remote session or even Skype!
  4. The system depends weakly on the server and can work without communication with it. Once configured, the rules work as long as the agent is running. Moreover, offline and online modes are available for any channel and for each policy, and all of this can be customised individually.

What did not like:


  1. Works exclusively through agents.
    There is no way to control the network, no way to block at the proxy, and almost no integration with corporate systems (mail servers, etc.).


  2. Working with the archive.
    An archive is kept, but in fact the user does not query a sample; they filter the received data. This causes problems, first with speed and second with capabilities: very few fields are available for filtering. The results have no preview; to study them you need to open and view each one, which starts to annoy after the first more or less serious task.

There is a text search tool for the archive, but it is supplied separately, and its search capabilities cannot be compared with those of SearchInform and Falcongaze.


  3. Analytics.
    All analytics work in real time, which seems like a positive. But in fact this is not always the case. Regular expressions and morphological search are available, plus various attribute rules. This is enough only for very simple blocking, which does not always allow solving practical problems.


  4. Some tools are missing.
    There is no technology for checking files against digital fingerprints or finding modified text inside documents. That would make it possible to give the system a list of confidential files and confidential content, enable blocking on all channels and never touch it again.
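To make the difference between the "regular expressions only" analytics above and the document fingerprinting the author misses concrete, here is an added example (not code from the post or from any of the vendors). It builds a fingerprint as a set of hashed word 5-grams and scores an outgoing text by how much of a registered confidential document it still contains, so a copy with a changed date and an inserted word is still recognised. The memo, the edited copy, the registry name and the threshold are all constructed for the illustration.

```python
import hashlib
import re

def tokens(text):
    """Lower-case and split into alphanumeric word tokens, so case and
    punctuation changes do not disturb the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text, k=5):
    """Fingerprint = set of hashed word k-grams (shingles). A document that
    keeps most of its wording keeps most of its shingles after local edits."""
    words = tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }

def containment(protected, candidate):
    """Fraction of the protected document's shingles found in the candidate."""
    return len(protected & candidate) / len(protected) if protected else 0.0

# Constructed registry: confidential documents the DLP should recognise.
CONFIDENTIAL = {
    "budget_memo": (
        "Project Falcon budget memo. The board approved a budget of 4.2 million "
        "for the second quarter. Vendor contracts with Acme Logistics and Northwind "
        "Freight must be signed before the end of May. Do not distribute outside "
        "the finance team."
    ),
}
REGISTRY = {name: fingerprint(doc) for name, doc in CONFIDENTIAL.items()}

def check_outgoing(text, threshold=0.5):
    """Return (document name, score) for the best-matching protected document
    when its containment reaches the threshold, otherwise None."""
    cand = fingerprint(text)
    name, score = max(((n, containment(fp, cand)) for n, fp in REGISTRY.items()),
                      key=lambda pair: pair[1])
    return (name, score) if score >= threshold else None

# Constructed samples: the memo with the date changed and a word inserted,
# and an unrelated message that must pass.
MODIFIED = (
    "Project Falcon budget memo. The board approved a budget of 4.2 million "
    "for the second quarter. Vendor contracts with Acme Logistics and Northwind "
    "Freight must be signed before the end of June. Please do not distribute "
    "outside the finance team."
)
UNRELATED = "Lunch menu for Thursday: tomato soup, grilled chicken and a salad."

if __name__ == "__main__":
    print(check_outgoing(MODIFIED))   # ('budget_memo', 0.8611...) -> block
    print(check_outgoing(UNRELATED))  # None -> allow
```

A regex for "Project Falcon" would be defeated by deleting the title line, whereas the shingle score stays high as long as most of the body survives; the threshold trades false positives against tolerance for heavier edits.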

Total:


The system is fundamentally different from its analogues: it is built for "working in the moment". Interaction with the archive, investigation and data retrieval are all poorly developed. And it works only through agents: you cannot install them on phones and tablets, even corporate ones; all the others handle this through a proxy.


I will not draw any global conclusions; every organisation will have its own, because everyone has different requirements for technology and functionality. I only hope that my review will be useful to someone in the difficult task of choosing a DLP system.



Source: https://habr.com/ru/post/318324/

