Here are the DLP systems we eventually managed to see and try out, either on our own test bench or at colleagues', together with our impressions of them: McAfee DLP, Sophos Endpoint Protection, InfoWatch Traffic Monitor, DeviceLock DLP, SearchInform Information Security Circuit and Falcongaze SecureTower. For each one I first describe the general impressions, then review the actual test runs.
McAfee DLP
For the tests we got McAfee Data Loss Prevention version 10.0.100.
I want to note right away that this is a very difficult system to install and configure. To install and use it, you must first deploy McAfee ePolicy Orchestrator as the management platform. Perhaps in organizations where the McAfee ecosystem is fully implemented this is meaningful and convenient, but for everyone else it is not. The situation is eased somewhat by the fact that the user documentation is very thorough and describes the entire installation procedure, and the installer itself installs all the external components it needs. But it takes a long time … Setting up the rules is not an easy task either.
I liked: the ability to set conditional priorities for the rules and then use those priorities as parameters for filtering events in the log. The filtering itself is done very nicely and conveniently. Also the ability to let a user send a file even when the policy prohibits it, provided the user gives an explanation (user justification).
I didn’t like: the already mentioned need to install its own management platform, which largely duplicates AD. Built-in OCR module – none; control of scanned documents – none either. A number of restrictions came to light, such as controlling mail only in Outlook (correspondence through The Bat! flew past the agent’s control), dependence on specific browser versions, and no control of Skype correspondence (only files are intercepted).
Summary: at first glance McAfee DLP seemed to us a very interesting solution, despite the disadvantages mentioned above. It was disappointing that the wizards for setting policies are gone – in the old versions we once explored they were, in our opinion, more convenient than the current web console. The key drawback is that almost all control is implemented through application control rather than at the protocol or driver level. It does allow blocking forwarded devices in a Citrix environment.
Sophos Endpoint Protection
For the tests we took Sophos Endpoint Protection version 10.
The solution is complex; its basis is an antivirus. Installation took a long time. The manual does not even state the system requirements – for those you have to go to the website. Policies are set per computer 🙁
Liked: as in McAfee, it is possible to allow the user to send a file even when it is prohibited. That’s probably all.
Didn’t like: there is no difficulty in circumventing the agent’s device control – stop the Sophos antivirus, then enable the device driver in Device Manager, and bingo, full access to the prohibited flash drive. Implementing and configuring content-analysis rules is somehow difficult, and in the end they are not actually enforced. Surprisingly, there are no shadow copies. Notifications in the form of email alerts and SNMP messages must be configured from the same developer’s antivirus. The list of monitored devices is poor; mail is controlled by embedding into mail clients. Access control for websites is done simply, like a firewall. Built-in OCR module – none; control of scanned documents – none. The user manual is sad – you can’t find any details in it. There is not even a description of what a given built-in rule means – whether it is a dictionary check or a regular expression …
Summary: in our opinion, an unsuccessful solution. In fact it is an add-on to the antivirus, and there is a complete lack of any ability to build an evidence base on incidents. Policies are set not per user but per machine – this is unacceptable. Well, actually not much was expected from a free antivirus add-on, but hope dies last.
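The agent bypass noted above (stop the protection service, then re-enable the blocked device) is also a detection opportunity for whoever collects endpoint telemetry. The script below is an added example, not code from the original review or from Sophos: it correlates a stop of an endpoint-protection service with a removable device being enabled on the same host within a short window, and raises confidence when the agent had previously blocked that very device. The log format, the sample lines and the service name SAVService are assumptions made for this example.

```python
"""Detection for the bypass described above: an endpoint-protection
service is stopped and, shortly afterwards, a removable device that the
agent had blocked is re-enabled on the same host.

The log format and sample lines below are constructed for this example;
they are not Sophos or Windows event-log output.  Map real telemetry
(service state changes, Plug and Play device events) onto the same
fields before using the check."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Names of endpoint-protection services to watch.  "SAVService" is an
# assumption for this example, not taken from the review.
AGENT_SERVICES = {"SAVService"}

# How soon after a service stop a device enable is considered suspicious.
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry: one genuine bypass on WS01, an unrelated
# service stop and device enable hours apart on WS02, and a device enable
# with no preceding stop on WS03.
SAMPLE_LOG = """\
2019-01-15T09:58:02 host=WS01 user=jdoe event=usb_insert device=USB\\VID_0781&PID_5567
2019-01-15T09:58:03 host=WS01 user=jdoe event=device_blocked device=USB\\VID_0781&PID_5567
2019-01-15T10:01:40 host=WS01 user=jdoe event=service_stopped service=SAVService
2019-01-15T10:02:11 host=WS01 user=jdoe event=device_enabled device=USB\\VID_0781&PID_5567
2019-01-15T10:02:15 host=WS01 user=jdoe event=volume_mounted device=USB\\VID_0781&PID_5567
2019-01-15T11:30:00 host=WS02 user=asmith event=service_stopped service=SAVService
2019-01-15T13:45:00 host=WS02 user=asmith event=device_enabled device=USB\\VID_0951&PID_1666
2019-01-15T14:00:00 host=WS03 user=root event=device_enabled device=USB\\VID_0951&PID_1666
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(
        ts=datetime.fromisoformat(ts_str),
        host=fields.pop("host"),
        user=fields.pop("user"),
        kind=fields.pop("event"),
        fields=fields,
    )


def parse_log(text: str) -> list:
    """Parse the whole constructed log, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_bypass_attempts(events, window: timedelta = WINDOW) -> list:
    """Return one alert per device enable that follows an agent service
    stop on the same host within `window`.  Events are processed in
    timestamp order, so the log need not be pre-sorted."""
    alerts = []
    last_stop = {}      # host -> most recent agent service stop event
    blocked = set()     # (host, device) pairs the agent has blocked
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "service_stopped" and ev.fields.get("service") in AGENT_SERVICES:
            last_stop[ev.host] = ev
        elif ev.kind == "device_blocked":
            blocked.add((ev.host, ev.fields.get("device")))
        elif ev.kind == "device_enabled":
            stop = last_stop.get(ev.host)
            if stop is None or ev.ts - stop.ts > window:
                continue
            device = ev.fields.get("device")
            alerts.append({
                "host": ev.host,
                "user": ev.user,
                "service": stop.fields.get("service"),
                "device": device,
                "seconds_after_stop": int((ev.ts - stop.ts).total_seconds()),
                # Higher confidence if the agent had blocked this very device.
                "previously_blocked": (ev.host, device) in blocked,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bypass_attempts(parse_log(SAMPLE_LOG)):
        print("ALERT agent-bypass:", alert)
```

On the constructed sample this raises exactly one alert, for WS01, 31 seconds after the service stop and flagged as a previously blocked device; the WS02 pair is outside the window and WS03 has no preceding service stop. The same correlation is the basis for a rule in a SIEM, where the realistic mitigation is also to alert on the service stop itself, since a DLP agent that an ordinary user can stop is only as strong as that alert.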
InfoWatch Traffic Monitor
Perhaps the most popular DLP suite on our market today, which means we expected the most from it. There is no way to simply download it and have a look – but the website is full of marketing beauty. It was difficult to arrange a test, but I managed to get the InfoWatch Traffic Monitor 6.9 Enterprise version. Perhaps there is a newer version – but we do not know about it; we could not find it behind the kilotons of marketing. Technical information on the site is somehow lacking. During the test it turned out that the documentation has the same problem – if something is unclear, it is almost impossible to find an answer in the manual, and there is no detail at all. This significantly reduces the possibility of operating it independently.
Liked: a very high-quality, well-thought-out interface with a good structure. Convenient dashboards where you can configure a specific query and its refresh interval – and then watch the whole picture. A good assortment of widgets for the console. It is possible to send a request for access to a device from the agent module. Event types and user memberships in OUs. A solid set of reports. Good capabilities for working with the archive. There are screenshots from workstations.
Didn’t like: InfoWatch Traffic Monitor and InfoWatch Device Monitor run on two different operating systems (Windows and Red Hat Linux), so installing and configuring them is complicated. There are also two management consoles. The developer widely advertises the logic of “everything you need for a business process”. Device access can be denied and there are white lists, but what is inside a document the InfoWatch Device Monitor agent simply doesn’t know. Network validation is implemented only for SMTP and HTTP. Although there is now the ability to block network channels – before there was only monitoring – in practice this feature is limited to HTTP, FTP and SMTP, plus file sharing and some instant messengers. This is not bad, but it does not quite match the description in the brochures. The agent module is actually implemented as a kind of mix of different agents.
Summary: in general the solution looks (especially looks) very good. Device monitoring at a basic level is good, for network channels it is good, and blocking is satisfactory. In terminal sessions you can restrict access to forwarded drives or make them read-only; shadow copying works for forwarded drives as well. All the channels we need are controlled. Let’s hope that sooner or later the developers catch up with the marketers. For now the PR team gets a five and the developers a three plus. Or vice versa, depending on how you look at it.
DeviceLock DLP
We tested version 8.3 (the latest update, released in December 2018), downloaded from the developer’s site.
According to information from the developer’s website, functions for controlling screenshots should appear in the foreseeable future. Installation is simple. With system administrator experience, everything becomes obvious and simple. Overall, the impression is that it is very easy to operate.
Liked: the detail in the control settings. Skype – chat, files, calls … All monitored devices and network channels are built reasonably and very broadly. Built-in OCR module. Content blocking really works. Alerts can arrive almost instantly. They can live their own lives for as long as they want. Automatic mode switching is done – you can safely let an employee go off with a laptop, and the policies switch themselves to other settings. Blocking can be enabled for some users while others are only monitored. And also, conversely, transmission can be allowed even when the channel is closed in principle.
I didn’t like: there are no wizards. To configure a policy you must already know what you want to get, go to the appropriate section of the console, tick the checkboxes, select users, etc. A step-by-step policy-creation option suggests itself. You can check what is actually set in the control plan. Archive searches are limited to full-text search over shadow copies. A developed filter system helps out more or less, but these are far from content filters. There is an inevitable load on workstations when working with content-dependent rules (the developer’s terminology).
Summary: the system is easy to operate, works clearly, and has a rich arsenal of capabilities specifically for protection against information leakage. In the words of one colleague, it is built on the principle of “set up and forget”. Since all policies are set per user, to change the operations available to a user you just move them to another domain user group for which other control rules are configured, from simple controls to rules with content analysis. In terminal sessions it lets you set permissions for forwarded drives (block or read-only) and for the clipboard (everything is quite flexible, depending on the copy direction and the type of data transferred); shadow copying works, and content-based blocking works when writing to forwarded drives and when transferring data through the clipboard.
SearchInform Information Security Circuit
We tested together with colleagues, so the deadlines were very tight. At first I wanted to write “I got version XXXX for the tests”, but I couldn’t, simply because SearchInform CIB is not a system but a “set lunch” of several practically independent systems, down to separate consoles for different tasks – we counted five of them. Colleagues say there were even more consoles before … The key module in this suite is EndpointController, version 5.49. The rest have their own numbering. By the way, the distribution kit is also a bunch of archives … Accordingly, installing such a system is not easy – you can’t do it without the documentation. That, in turn, is also peculiar – it is written on the principle of “what I see is what I write”, without explaining the logic of operation. Management looks like this: interception policies are created in one management console, indexing and index settings for viewing captured data are a separate console, viewing audit and shadowing data is again a separate console, reporting is yet another console, and so on. Both in the marketing descriptions on the site and in the documentation the word “interception” constantly appears. In practice this means that for almost all network leakage channels only a shadow copy is obtained. There is blocking for devices, but for Internet channels you can only disable SMTP for all users – or allow it. Another option is message quarantine for SMTP, implemented on the agent. Content analysis as a reason for blocking is done very peculiarly: the agent quarantines all messages, which are then reviewed on the server (manually or with the content analyzer) by the administrator, who then chooses what to send on and what to block. We imagined what this would look like in an organization with at least five times more employees than ours …
I liked: the capabilities for working with the archive are powerfully developed. Everything is there: lots of criteria, search tools for dictionaries, regular expressions, fingerprints, the proprietary “search for similar” … There are tags for different incidents – you can mark ones already viewed, for example. There is transparent encryption of flash drives.
I didn’t like: chaos in the logic of system management, an overwhelming number of management consoles. Lack of blocking for network channels. No content blocking for the entire set of “intercepted” channels.
Summary: device blocking is implemented at a decent level, for network channels – at an embryonic level. In terminal sessions you can set permissions for forwarded drives (block, read-only); shadow copying works for forwarded drives. Overall the system is quite complicated to operate and strictly focused on incident investigation – that is, on monitoring and working with the archive. For that there is, perhaps, everything needed. Protecting the organization from data leaks is clearly not here, apart from closing off devices that users don’t need.
Falcongaze SecureTower
For the tests we got version 6.2. Two keywords describing this system, without going into the nuances, are easy and convenient. Easy to install, convenient to manage, convenient to view reports, convenient to work with the archive. Documentation is practically not required. Then the trick with the word “interception” starts again, as with CIB. Interception here is just monitoring, that is, a shadow copy is created; there is practically no blocking (except for HTTP, SMTP and MAPI). There are screenshots from workstations and some other user-activity monitoring functions.
Liked: a friendly user interface. Everything is done for convenience of work. A good tool for viewing and analyzing the archive; a link graph is successfully implemented. From almost any report you can jump to the event (incident) it refers to. Incidents can be assigned categories (investigated, not investigated, deferred). Telegram and Viber monitoring.
I didn’t like: no blocking for network channels. Inability to block printers and drives forwarded into a terminal session. No content blocking for the entire set of “intercepted” channels. Low agent stability – unpredictable freezes and crash dumps were observed. Unexpected console freezes, even when working with the archive.
Summary: the system is very lightweight and easy to install and operate, but concentrated on monitoring and working with the archive. There is a feeling that the system is somewhat raw and its quality control is underdeveloped.