Solved

Recommendation - DLP, Antivirus, web, and email security

Posted on 2013-11-22
747 Views
Last Modified: 2013-11-22
Hello Experts - I'm starting a project next week to choose and install a DLP solution for my company.  As I begin initial research I'm finding that most vendors prefer to offer a suite of security software rather than just the DLP component.  The idea of managing all of these security-related items under one banner is appealing, so I'd like to ask for opinions on what packages might be suitable for a smaller company with about 100 employees and five sites over an MPLS WAN.  So far I've looked at Symantec, Cisco, and Websense, which are all leaders on Gartner's Magic Quadrant.

I'd very much appreciate any recommendations or personal experience you could share, thanks!
Question by:First Last
14 Comments
 
LVL 6

Expert Comment

by:Biniek
ID: 39669487
I have some positive experience with McAfee, so I can suggest you research the McAfee solutions: DLP, AV and others, with ePO as the management solution.
 
LVL 28

Expert Comment

by:jhyiesla
ID: 39669528
I know that this doesn't quite go the way you are asking, but I'll share it with you anyway. I've split my security between various vendors because some things I wanted to keep in house while others I did not. And when we first started looking at these things several years ago, there really wasn't one vendor that popped up as good for all things.

We don't use a dedicated DLP application. For our web filtering I use an appliance from Edgewave called iPrism. It was easy to configure and seems to work well for us.

For email filtering I was using Postini until Google took it over. I really didn't want to get involved in the Google world, given the ways that Google is changing that service, so we moved to Mimecast. I looked at several email filtering services and products and felt that MC offered a good combination of features, simplicity, support and pricing.
 
LVL 1

Author Comment

by:First Last
ID: 39669542
Nice suggestions guys, keep 'em coming!
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 39669552
Let me preface by saying I've tested 6 of the 12 DLPs in Gartner's Magic Quadrant for 2013:
http://www.computerlinks.de/FMS/22876.magic_quadrant_for_content_aware_data_loss_prevent.pdf
That said, they will only catch "stupid", as Symantec has said. If someone is determined to get the information, they can quite easily, no matter which solution. You will get a lot of false positives; sometimes phone numbers look a lot like SSNs or even like credit cards, so that is something you'll tune first.
We killed our DLP initiative because the demos caught everything we already knew was happening, for the most part. Only a few surprises, and they were easily remedied. I'd say test 2-3 of them at a minimum and send them packing after that. You'll find your weaknesses without having to spend a dime.
You can't stop someone from removing a HDD, taking it home and mounting it (thus bypassing the DLP client, because it's off network and the OS isn't running), or from running a ROT-13 script on a file or text to bypass a filter and then attaching that file to their Hotmail/Gmail drafts. You can't stop screenshots and OCR software from reconstituting the document, and you can't stop a 3rd-party driver that doesn't use the Windows kernel from reading the files.
The simplest bypasses were password-protecting a document, adding it to a zip file with a password, copying and pasting over RDP to an outside host, and printing to a file, then sending that print file out.

DLP is to catch mistakes or people who aren't careful at stealing. It's nothing more than that.
-rich
 
LVL 14

Accepted Solution

by:Giovanni Heward
Giovanni Heward earned 333 total points
ID: 39669558
 
LVL 1

Author Comment

by:First Last
ID: 39669569
@Rich Rumble - great info, thank you!  I realize we won't be able to stop everything (someone can always just take a photo) but, as with most things in security, it's to keep the honest people honest.  We do prevent users from being able to take hardware out of the building (most are physically locked), and have decently strict policies that prevent the most obvious security issues.  But like you summarized, if a user wants the data they'll find a way.  I'm excited to do the project because it means I get to try and circumvent the software...the ROT-13 script was a new one to me.  :)
 
LVL 1

Author Comment

by:First Last
ID: 39669575
@x66_x72_x65_x65 - Interesting, never heard of this.  I'll start reading about it now, thanks!

 
LVL 28

Expert Comment

by:jhyiesla
ID: 39669595
One of the reasons I chose the appliance model for web filtering is that it just made sense. It's not some server that I need to maintain; it sits inline between the firewall and the main switch, so there is NO way out to the Internet that doesn't pass through the appliance.

Mimecast is a service so that all the email gets filtered before it even crosses the boundary into my network and we have the firewall set to not accept any email that doesn't pass thru the MC service.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39669645
The quadrant can't help you with physical theft :) Fidelis was good at looking at the clipboard and preventing pasting, but not against RDP and VNC clipboards.
DLP allows you to stop (or tries to stop) files it can't read that are password protected, but generally you have to be prepared to block them all or none.
You may just start out with OpenDLP: http://code.google.com/p/opendlp/ It's not bad, considering; I'd put it right up there with a few of them (better than Trustwave, that's for sure). It would never make it into the quadrant because it's free and open source and not backed by a Fortune 500 company :)
DLP doesn't work well on unknown or seldom-used file formats, so putting data in a SQLite database bypassed many of the DLPs. Storing the data as binary in the SQLite file bypassed them all. HTML is a good way too (http://www.kimoto.us/tools/obfuscate.htm); just about any transformative method gets past DLP. And I think that's probably to be expected, so just know going in, it's an easy bypass if anyone tries.
We put it to our users, and they can be dim, and they came up with password-protecting the Word document or taking the HDD home. We knew it already, but they were quick to rise to the challenge.
Good people are good people, occasional reminders are fine, and DLP can do that; don't break the bank on that aspect of the security :)

I can't speak to your AV questions; we don't use AV anymore on our hosts, we have users' admin rights revoked and processes in place to keep data scanned before it gets to their desktop. Sophos proxies are a good product, and we use Symantec for our email scanning. We used to use McAfee but got a good break in price on Symantec; it's been fine. They are all about the same really, but you should have diverse AV providers if you can.
-rich
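
The two points Rich makes in his comments above, as an added example that is not part of the original thread and not any vendor's code: pattern-based policies flag phone and order numbers until validation is added, and a reversible transformation of the data (ROT-13, HTML entity obfuscation, a SQLite file with the data stored as binary) walks past the policy. The policy patterns, the "CONFIDENTIAL" keyword rule, the sample messages and the UTF-16 encoding used for the SQLite BLOB are all constructed assumptions, and the scanner is a toy stand-in for a DLP engine (standard library only).

```python
"""Toy content-aware DLP policy, with the tuning pass and bypasses from the thread.

Added example, not code from the original thread or any DLP product.  The
sample messages, the policy patterns and the scanner are constructed stand-ins
for what a commercial engine does: bare patterns give false positives until
validation is added, and any reversible transformation of the data (ROT-13,
HTML entities, a SQLite file with the data as a BLOB) walks past the policy.
"""
from __future__ import annotations

import codecs
import os
import re
import sqlite3
import tempfile

# Policy patterns.  "Naive" is the out-of-the-box shape; "tuned" adds
# boundaries and validation.  The keyword rule is a constructed example.
KEYWORD_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
NAIVE_SSN_RE = re.compile(r"\d{3}-?\d{2}-?\d{4}")
TUNED_SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Mod-10 check that every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def scan(text: str, tuned: bool = True) -> list[str]:
    """Return the policy labels that fire on a message body, in rule order."""
    hits = []
    if KEYWORD_RE.search(text):
        hits.append("KEYWORD")
    if tuned:
        hits += ["SSN" for m in TUNED_SSN_RE.finditer(text)
                 if ssn_plausible(*m.groups())]
    else:
        hits += ["SSN" for _ in NAIVE_SSN_RE.finditer(text)]
    hits += ["CARD" for m in CARD_RE.finditer(text)
             if not tuned or luhn_ok(m.group(0))]
    return hits


def scan_bytes(data: bytes, tuned: bool = True) -> list[str]:
    """What a byte-level scanner sees in a file it has no parser for."""
    return scan(data.decode("latin-1"), tuned)


def bypass_rot13(text: str) -> str:
    """ROT-13 hides keywords but rotates letters only, so digits survive."""
    return codecs.encode(text, "rot_13")


def bypass_html_entities(text: str) -> str:
    """Every character as a numeric entity; a browser renders it unchanged."""
    return "".join(f"&#{ord(c)};" for c in text)


def bypass_sqlite_blob(text: str) -> bytes:
    """Park the data in a SQLite file as a BLOB and return the file's bytes.

    Assumption: the BLOB holds UTF-16-LE; a BLOB of plain UTF-8 would still be
    visible to a byte-level regex, so the "binary" storage that beat every
    product in Rich's test is modelled as a non-ASCII encoding.
    """
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE notes(body BLOB)")
        con.execute("INSERT INTO notes VALUES (?)", (text.encode("utf-16-le"),))
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.unlink(path)


# Constructed sample traffic.
PHONE = "Call me back on 5551234567"                  # 10 digits, no separators
ORDER = "Your order 1234 5678 9012 3456 has shipped"  # 16 digits, fails Luhn
SECRET = "CONFIDENTIAL: SSN 123-45-6789, card 4111 1111 1111 1111"

if __name__ == "__main__":
    print("naive :", scan(PHONE, tuned=False), scan(ORDER, tuned=False))
    print("tuned :", scan(PHONE), scan(ORDER))
    print("secret:", scan(SECRET))
    print("rot13 :", scan(bypass_rot13(SECRET)))
    print("html  :", scan(bypass_html_entities(SECRET)))
    print("sqlite:", scan_bytes(bypass_sqlite_blob(SECRET)))
```

Run as-is: the naive patterns flag the phone number (as an SSN) and the order number (as a card), the tuned ones do not, and the secret is caught in the clear but not after the HTML or SQLite transformation. One caveat the thread does not spell out: ROT-13 rotates letters only, so it hides a keyword like CONFIDENTIAL but leaves an SSN or card number intact, and the numeric rules still fire on the ROT-13 output; that is why Rich's other transforms (password-protected archives, binary containers, printing to a file) are the ones that defeat every rule type.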
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 333 total points
ID: 39669661
Here are some other useful references:

http://www.sans.org/critical-security-controls/control.php?id=17
http://www.sans.org/reading-room/whitepapers/dlp

Here are some other interesting solutions to review when addressing the Cyber Threat category of DLP:

http://www.invincea.com/2013/10/invincea-how-it-works/
https://spikes.com/
http://www.fireeye.com/products-and-solutions/
http://technet.microsoft.com/en-us/security/dn283932.aspx
http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/

I completely agree that the insider threat aspects of DLP primarily address "stupid", as Rich has stated.  Considering the litigious and regulated society we live in, it's worth considering mitigation of these legal risks as well, by either transferring them or by creating meaningful controls which demonstrate a "good faith effort."

There are highly effective solutions in the Cyber Threat category as well, some of which I've referenced above.

Perhaps clear justification may be found by incorporating these perspectives in your DLP Qualitative vs. Quantitative Risk Assessment.
 
LVL 1

Author Comment

by:First Last
ID: 39669721
I'd agree the goal here is to create that good faith effort and ultimately satisfy the audit requirements and protect the company legally if there were to be a breach.  If we do nothing and that happens it gets very bad.  If we use a full DLP solution we can at least claim to have done what we can to mitigate data loss issues.
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39669814
Here's some more detail in that regard.
http://datalossdb.org/us_states
 
LVL 1

Author Comment

by:First Last
ID: 39669822
You guys are the best, thanks to everyone!
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39669842
DLP stats
Considering 57% of data loss purportedly comes from outside, the cyber threat category could easily be considered primary.

http://datalossdb.org/statistics

Enjoy!
