Solved

DLP Solutions

Posted on 2014-09-20
Last Modified: 2014-09-24
We currently use McAfee ePO and Email Gateways and are looking into implementing DLP, and at doing this at the desktop and MEG levels. I have recently read about Network DLP and how it can inspect content for specific keywords. Is this a separate network device, or is it what McAfee already does?
Question by:compdigit44
8 Comments
LVL 65

Expert Comment

by:btan
ID: 40335010
DLP can be part of MEG, but network DLP is not part of MEG at all, as the latter does not reach deep into the network packet for inspection. For McAfee network DLP, it is likely the DLP Monitor, which integrates passively into the network using either a SPAN port or a physically inline network tap (optional).
http://www.mcafee.com/sg/resources/data-sheets/ds-dlp-monitor.pdf

As far as I know, McAfee DLP Manager, McAfee DLP Monitor, McAfee DLP Discover, and McAfee DLP Prevent are supported on the McAfee DLP 5500 appliance.

Actually that is common working for most network DLP sensors (or appliances) "planted" at strategic points of interest for outbound monitoring. The sensor normally has to perform packet capture, session reassembly, channel control, payload decoding, and content recognition and analysis.

One example is the Fidelis (acquired by General Dynamics) XPS appliance. For info, IBM's network DLP uses Fidelis XPS. There is also a Gartner MQ on content-aware DLP - one 2013 version PDF (http://www.computerlinks.de/FMS/22876.magic_quadrant_for_content_aware_data_loss_prevent.pdf)
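A minimal sketch of the sensor pipeline described in the comment above (session reassembly, payload decoding, content recognition), added here as an illustration; it is not code from McAfee, Fidelis or any product named on this page. The HTTP upload, the two content rules and the captured segments are all constructed, and the channel-control stage is left out. It shows why a keyword grep over raw packets alone misses an encoded document that the full pipeline catches.

```python
import base64
import binascii
import re

# Content rules a network DLP sensor might carry (constructed for this example).
RULES = {
    "keyword:CONFIDENTIAL": re.compile(rb"\bCONFIDENTIAL\b"),
    "pattern:US-SSN": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}
# Runs of base64 alphabet long enough to be worth a decode attempt.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def reassemble(segments):
    """Session reassembly: order captured (seq, bytes) segments and join them."""
    return b"".join(data for _, data in sorted(segments, key=lambda s: s[0]))


def decode_payload(stream):
    """Payload decoding: the raw stream plus every base64 token that decodes cleanly."""
    views = [stream]
    for token in B64_TOKEN.findall(stream):
        try:
            views.append(base64.b64decode(token, validate=True))
        except binascii.Error:
            continue  # not really base64; keep only the raw view
    return views


def recognize(views):
    """Content recognition: names of the rules that fire on any view of the content."""
    return sorted({name for view in views for name, rx in RULES.items() if rx.search(view)})


def inspect_session(segments):
    """Full sensor pipeline versus a naive grep over each raw segment in isolation."""
    naive = recognize([data for _, data in segments])
    pipeline = recognize(decode_payload(reassemble(segments)))
    return {"naive_segment_grep": naive, "sensor_pipeline": pipeline}


# Constructed outbound upload: a sensitive document sent base64-encoded in a form field.
DOCUMENT = b"Project Falcon budget - CONFIDENTIAL - applicant SSN 123-45-6789"
STREAM = b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\ndoc=" + base64.b64encode(DOCUMENT)
# The same stream as it might be captured off a SPAN port: split up and out of order.
SEGMENTS = [(40, STREAM[40:80]), (0, STREAM[:40]), (80, STREAM[80:])]

if __name__ == "__main__":
    print(inspect_session(SEGMENTS))
```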
LVL 20

Author Comment

by:compdigit44
ID: 40335588
This is great information.. it sounds like the hardware DLP solution from McAfee is more in-depth than their software-based solutions... Is this correct?
LVL 65

Expert Comment

by:btan
ID: 40335819
The primary reason for the network DLP appliance at the strategic point is that the network capture and deep inspection engine require pretty high performance, depending on your organisation's bandwidth, so that you do not drop or corrupt packets - note that you are not really inline (breaking the wire) unless you want to inspect and actively block all SSL-based connections... rather similar to FW, IPS but in a different inspection domain ....
Software-based can still be viable, as the engine logic will not differ since it is still very much signature and behaviour driven in their DB; it is the throughput and point of interest that make the difference. For endpoints it is normally agent-based DLP, which can simply be those HIPS-based schemes for DLP monitoring and ePO management.
LVL 20

Author Comment

by:compdigit44
ID: 40337546
Thanks for the great feedback.... Which in your opinion is better and gives more granularity? It sounds like the hardware version does not require a desktop agent, which is a plus.
LVL 65

Expert Comment

by:btan
ID: 40338166
Each has its good and ugly.

(a) The sensor is suited for the point of segment interest, where in particular the entry/exit boundary is of interest; for use cases such as monitoring extranet/intranet, VVIP/VIP zones, ops/intel/admin function zone traversal. Very much it is also to detect network security device misconfiguration and any anomalous behaviours from the "trusted" FW, IPS/IDS, proxy etc.

(b) The agent is suited for the endpoint(s), where the particular interest is the machine exfiltrating, intentionally (violating policy/insiders/contractors) or unintentionally (malware infected), any "deemed" sensitive information such as classified, personal, company secrets, project-related, intellectual property.

(a) + (b) give a good overall picture, but you have to set your priority, as most of the time, if you do not have a central SOC or security team working on it, the data and intel can be overwhelming, not to further worsen the operational aspect of lowering the noise vs the true positives (lots of tuning, constantly and at regular periods).

The DLP strategy should be at both endpoint and network, and even internet trawling, to stay proactive. If needed you may want to consider dedicating (a) as the plan and (b) for specific machines like kiosk/shared or admin-accessible machines to critical servers. (b) will already have the HIPS as the main bouncer to safeguard end-user machine security hygiene.
LVL 20

Author Comment

by:compdigit44
ID: 40340345
very interesting!!!

So both are good and work together for a complete solution. The appliance can catch DLP violations regardless of the protocol used, correct?

Regarding HIPS, shouldn't this be installed on all DMZ servers?
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40340519
Network DLP protocol support is better validated by the provider, as that itself is like the signature list they support, which includes the application protocols etc.
Indeed HIPS should be on all machines (servers and clients) and especially on critical servers, but it depends on the policy configured, which may vary depending on the risk assessment and baseline mandated by your org policy... e.g. not all orgs will mandate USB blocking on all servers but only on specific sensitive ones, and for clients it is all, probably not VIP, and including certain whitelisted USB ...
LVL 20

Author Comment

by:compdigit44
ID: 40342163
Thanks.. It looks like I have more researching and learning on the topic to do yet... But I have learned a lot with your help.