DLP Solutions

We currently use McAfee ePO and Email Gateways and are looking into implementing DLP, and we are looking at doing this at the desktop and MEG levels. I have recently read about Network DLP and how it can inspect content for specific keywords. Is this a separate network device, or is it what McAfee already does?
btan (Exec Consultant) commented:
DLP can be part of MEG, but network DLP is not part of MEG at all, as the latter does not reach deep into the network packet for inspection. From McAfee's network DLP, it is likely the DLP Monitor that integrates passively into the network using either a SPAN port or a physically inline network tap (optional).

As far as I know, McAfee DLP Manager, McAfee DLP Monitor, McAfee DLP Discover, and McAfee DLP Prevent are supported on the McAfee DLP 5500 appliance.

Actually, that is the common way of working for most network DLP sensors (or appliances) "planted" at strategic points of interest for outbound monitoring. The sensor normally has to perform packet capture, session reassembly, channel control, payload decoding, and content recognition and analysis.

One example is the Fidelis (acquired by General Dynamics) XPS appliance. For info, IBM's network DLP uses Fidelis XPS. There is also the Gartner MQ on content-aware DLP; one 2013 version PDF is at http://www.computerlinks.de/FMS/22876.magic_quadrant_for_content_aware_data_loss_prevent.pdf
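To make the sensor pipeline described above (packet capture, session reassembly, payload decoding, content recognition) concrete, here is an added example in Python that is not part of this thread or of any McAfee or Fidelis product. It builds a constructed outbound SMTP session, hands the segments over out of order the way a passive SPAN-port sensor might receive them, reassembles the stream, decodes a base64 body, and runs two illustrative recognisers (a keyword list and a Luhn-validated card-number pattern). The message content, keyword list and segment size are all assumptions chosen for the demonstration.

```python
"""Toy network-DLP content inspection: reassemble -> decode -> recognise."""
import base64
import re

# --- constructed sample traffic (not a real capture) -----------------------
_SECRET_BODY = b"CONFIDENTIAL: customer card 4111 1111 1111 1111 is on file.\n"
_MESSAGE = (
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@partner.test>\r\n"
    b"DATA\r\n"
    b"Subject: Q3 figures\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(_SECRET_BODY) + b"\r\n.\r\n"
)


def make_segments(stream: bytes, size: int = 37) -> list:
    """Cut a byte stream into (seq, payload) pairs and return them out of
    order, as a passive sensor may receive them from a SPAN port."""
    segs = [(off, stream[off:off + size]) for off in range(0, len(stream), size)]
    return segs[::-1]  # reversed delivery order: reassembly must fix this


SAMPLE_SEGMENTS = make_segments(_MESSAGE)


# --- stage 1: session reassembly ------------------------------------------
def reassemble(segments) -> bytes:
    """Order segments by sequence number and refuse to inspect a stream with
    gaps or overlaps (a dropped packet would silently hide content)."""
    data = bytearray()
    for seq, payload in sorted(segments):
        if seq != len(data):
            raise ValueError(f"gap or overlap at offset {seq}; cannot inspect")
        data += payload
    return bytes(data)


# --- stage 2: payload decoding ---------------------------------------------
def decode_smtp_data(stream: bytes) -> tuple:
    """Extract the DATA section and honour a base64 transfer encoding.
    Returns (headers, body) as text."""
    text = stream.decode("ascii", errors="replace")
    _, _, data_part = text.partition("DATA\r\n")
    headers, _, body = data_part.partition("\r\n\r\n")
    body = body.split("\r\n.\r\n")[0]  # strip the end-of-data marker
    if "content-transfer-encoding: base64" in headers.lower():
        body = base64.b64decode(body).decode("utf-8", errors="replace")
    return headers, body


# --- stage 3: content recognition -----------------------------------------
KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY")  # assumed policy keywords
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, separators ok


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def recognise(body: str) -> list:
    """Return (rule, evidence) findings; card numbers are masked in the output
    so the alert itself does not leak the sensitive value."""
    findings = []
    for kw in KEYWORDS:
        if kw.lower() in body.lower():
            findings.append(("keyword", kw))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(("pan", masked))
    return findings


def inspect_session(segments) -> dict:
    """Full pass over one captured session."""
    stream = reassemble(segments)
    _headers, body = decode_smtp_data(stream)
    findings = recognise(body)
    return {"findings": findings, "verdict": "alert" if findings else "clean"}


if __name__ == "__main__":
    print(inspect_session(SAMPLE_SEGMENTS))
```

The ordering matters: running the recognisers on individual segments would miss a card number split across two packets, and skipping the decode stage would miss anything base64-encoded, which is why the sensors described above reassemble and decode before matching.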
compdigit44 (Author) commented:
This is great information. It sounds like the hardware DLP solution from McAfee is more in-depth than their software-based solutions. Is this correct?
btan (Exec Consultant) commented:
The primary reason for the network DLP appliance at the strategic point is that the network capture and deep inspection engine require pretty high performance, depending on your organisation's bandwidth, so that you do not drop or corrupt packets. Note that you are not really inline (breaking the wire) unless you want to actively inspect and block all SSL-based connections; it is rather similar to a FW or IPS but in a different inspection domain.
Software-based can still be viable, as the engine logic will not differ since it is still very much signature- and behaviour-driven in their DB; it is the throughput and point of interest that make the difference. For endpoints it is normally agent-based DLP, which can simply be the HIPS-based scheme for DLP monitoring and ePO management.
compdigit44 (Author) commented:
Thanks for the great feedback. Which in your opinion is better and gives more granularity? It sounds like the hardware version does not require a desktop agent, which is a plus.
btan (Exec Consultant) commented:
Each has its good and ugly.

(a) A sensor is suited for the point of segment interest, in particular where the entry/exit boundary is of interest; for use cases such as monitoring extranet/intranet, VVIP/VIP zones, and ops/intel/admin function zone traversal. It is very much also to detect network security device misconfiguration and any anomalous behaviour from the "trusted" FW, IPS/IDS, proxy, etc.

(b) An agent is suited for the endpoint(s), where the particular interest is the machine exfiltrating, intentionally (policy violation/insiders/contractor) or unintentionally (malware infected), any "deemed" sensitive information such as classified, personal, company secrets, project-related, or intellectual property.

(a) + (b) give a good picture overall, but you have to set your priority, as most of the time, if you do not have a central SOC or security team working on it, the data and intel can be overwhelming, not to mention further worsening the operational aspect of lowering the noise vs. the true positives (lots of tuning, constantly and at regular periods).

The DLP strategy should be at endpoint, network and even internet trawling to stay proactive. If needed, you may want to consider dedicating (a) as the plan and (b) for specific machines like kiosk/shared or admin-accessible machines to critical servers. (b) will already have the HIPS as the main bouncer to safeguard end-user machine security hygiene.
compdigit44 (Author) commented:
Very interesting!

So both are good and work together for a complete solution. The appliance can catch DLP violations regardless of the protocol used, correct?

Regarding HIPS shouldn't this be installed on all DMZ servers?
btan (Exec Consultant) commented:
Network DLP protocol support is better validated by the provider, as that itself is like the signature list they support, which includes the application protocols, etc.
Indeed, HIPS should be on all machines (servers and clients) and especially on critical servers, but it depends on the policy configured, which may vary depending on the risk assessment and baseline mandated by your org policy. E.g. not all orgs will mandate USB blocking on all servers but only on specific sensitive ones, and for clients it is all, probably except VIPs, and including certain whitelisted USB devices.

compdigit44 (Author) commented:
Thanks. It looks like I have more researching and learning on the topic to do yet, but I have learned a lot with your help.