Solved

DLP Solutions

Posted on 2014-09-20
8
328 Views
Last Modified: 2014-09-24
We currently use McAfee ePO and Email Gateways and are looking into implementing DLP, and looking at doing this at the desktop and MEG levels. I have recently read about Network DLP and how it can inspect content for specific key words. Is this a separate network device, or is it what McAfee already does?
0
Question by:compdigit44
8 Comments
 
LVL 63

Expert Comment

by:btan
ID: 40335010
DLP can be part of MEG, but network DLP is not part of MEG at all, as the latter does not reach deep into the network packet for inspection. For McAfee network DLP, it is likely the DLP Monitor that can integrate passively into the network using either a SPAN port or a physically inline network tap (optional).
http://www.mcafee.com/sg/resources/data-sheets/ds-dlp-monitor.pdf

As far as I know, McAfee DLP Manager, McAfee DLP Monitor, McAfee DLP Discover, and McAfee DLP Prevent are supported on the McAfee DLP 5500 appliance.

Actually that is the common working for most network DLP sensors (or appliances) "planted" at strategic points of interest for outbound monitoring. The sensor normally has to perform packet capture, session reassembly, channel control, payload decoding and content recognition and analysis.

One example is the Fidelis (acquired by General Dynamics) XPS appliance. For info, IBM's network DLP uses Fidelis XPS. There is also a Gartner MQ on content-aware DLP; one 2013 version PDF: http://www.computerlinks.de/FMS/22876.magic_quadrant_for_content_aware_data_loss_prevent.pdf
0
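To make the sensor stages named above (packet capture, session reassembly, payload decoding, content recognition) concrete, here is an added toy content-inspection pipeline. It is example code written for this page, not McAfee or Fidelis code; the packets, the session ids, the `CONFIDENTIAL` keyword rule and the card-number rule are all constructed for illustration. The card-number rule applies a Luhn checksum before raising a finding, which is one way such engines keep random digit runs from becoming noise.

```python
"""Toy network DLP content-inspection pipeline (added example, not vendor code).

Stages mirror the thread's description: (1) captured packets, here constructed
inline; (2) session reassembly by sequence number; (3) payload decoding of a
base64 SMTP body; (4) content recognition with a keyword rule and a
checksum-validated card-number rule.
"""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample "captured" packets: (session_id, seq, direction, payload).
# Session A is an outbound SMTP message whose body is base64 encoded and whose
# packets arrive out of order; session B is an outbound HTTP upload that contains
# a 16-digit number which is NOT a valid card number.
SAMPLE_PACKETS = [
    ("A", 1, "out", b"MAIL FROM:<alice@corp.example>\r\nRCPT TO:<x@mail.example>\r\nDATA\r\n"),
    ("A", 3, "out", base64.b64encode(
        b"Project Falcon budget. CONFIDENTIAL. Card 4111 1111 1111 1111") + b"\r\n.\r\n"),
    ("A", 2, "out", b"Content-Transfer-Encoding: base64\r\n\r\n"),
    ("B", 1, "out", b"POST /upload HTTP/1.1\r\nHost: paste.example\r\n\r\n"
                    b"order id 1234 5678 9012 3456 nothing sensitive"),
]

KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY")          # hypothetical policy terms
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")     # 16 digits in 4-digit groups


@dataclass
class Finding:
    session_id: str
    rule: str
    evidence: str


def reassemble(packets):
    """Group outbound packets by session, order by seq, and join the payloads."""
    streams = defaultdict(list)
    for session_id, seq, direction, payload in packets:
        if direction == "out":        # outbound monitoring only, as in the thread
            streams[session_id].append((seq, payload))
    return {sid: b"".join(p for _, p in sorted(chunks))
            for sid, chunks in streams.items()}


def decode_payload(stream: bytes) -> str:
    """Undo transfer encoding: base64 SMTP bodies are decoded, others pass through."""
    header, sep, body = stream.partition(b"\r\n\r\n")
    if b"Content-Transfer-Encoding: base64" in header:
        body = body.split(b"\r\n.\r\n", 1)[0]   # drop the SMTP end-of-data marker
        try:
            body = base64.b64decode(body)
        except ValueError:
            pass  # undecodable body stays raw and is still inspected
    return (header + sep + body).decode("utf-8", errors="replace")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; True for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_text(session_id: str, text: str):
    """Content recognition: keyword hits plus Luhn-validated card numbers."""
    findings = []
    for kw in KEYWORDS:
        if kw in text.upper():
            findings.append(Finding(session_id, "keyword:" + kw, kw))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):   # checksum filters random digit runs, reducing noise
            findings.append(Finding(session_id, "pan", digits[:6] + "******" + digits[-4:]))
    return findings


def inspect_packets(packets):
    """Run the full pipeline and return findings in session order."""
    findings = []
    for sid, stream in sorted(reassemble(packets).items()):
        findings.extend(inspect_text(sid, decode_payload(stream)))
    return findings


if __name__ == "__main__":
    for f in inspect_packets(SAMPLE_PACKETS):
        print(f"session {f.session_id}: {f.rule} -> {f.evidence}")
```

Run as-is, session A yields a keyword finding and a masked card-number finding, while session B yields nothing because its 16-digit number fails the Luhn check. Real sensors add many more decoders (HTTP chunking, TLS where it is terminated, archive and document formats) and far richer classifiers, but the stage order is the same.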
 
LVL 20

Author Comment

by:compdigit44
ID: 40335588
This is great information. It sounds like the hardware DLP solution from McAfee is more in-depth than their software-based solutions. Is this correct?
0
 
LVL 63

Expert Comment

by:btan
ID: 40335819
The primary reason for the network DLP appliance at the strategic point is that the network capture and deep inspection engine requires pretty high performance, depending on your organisation's bandwidth, so that you do not drop or corrupt packets. Note that you are not really inline (breaking the wire) unless you want to actively inspect and block all SSL-based connections. It is rather similar to FW and IPS, but in a different inspection domain.
Software-based can still be viable, as the engine logic will not differ since it is still very much signature and behaviour driven in their DB; it is the throughput and the point of interest that make the difference. For endpoints it is normally agent-based DLP, which can simply be those HIPS-based schemes for DLP monitoring and ePO management.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40337546
Thanks for the great feedback. Which in your opinion is better and gives more granularity? It sounds like the hardware version does not require a desktop agent, which is a plus.
0
 
LVL 63

Expert Comment

by:btan
ID: 40338166
Each has its good and ugly.

(a) The sensor is suited for the segment of interest, in particular where the entry/exit boundary is of interest; for use cases such as monitoring extranet/intranet, VVIP/VIP zone, and ops/intel/admin function zone traversal. Very much it is also there to detect network security device misconfiguration and any anomalous behaviours from the "trusted" FW, IPS/IDS, proxy etc.

(b) The agent is suited for the endpoint(s), where the particular interest is the machine exfiltrating, intentionally (violating policy/insiders/contractors) or unintentionally (malware infected), any "deemed" sensitive information such as classified, personal, company secrets, project related, intellectual property.

(a) + (b) gives a good picture overall, but you have to set your priority, as most of the time, if you do not have a central SOC or security team working on it, the data and intel can be overwhelming, not to mention further worsening the operational aspect of lowering the noise vs. the true positives (lots of tuning, constantly and at regular periods).

The DLP strategy should cover endpoint, network and even internet trawling to stay proactive. If need be, you may want to consider dedicating (a) as the plan and (b) for specific machines like kiosk/shared or admin-accessible machines to critical servers. (b) will already have the HIPS as the main bouncer to safeguard end user machine security hygiene.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40340345
Very interesting!

So both are good and work together for a complete solution. The appliance can catch DLP violations regardless of the protocol used, correct?

Regarding HIPS, shouldn't this be installed on all DMZ servers?
0
 
LVL 63

Accepted Solution

by: btan (earned 500 total points)
ID: 40340519
Network DLP protocol support is better validated with the provider, as that itself is like the signature list they support, which includes the application protocols etc.
Indeed HIPS should be on all machines (servers and clients) and especially on critical servers, but the policy configured may vary depending on the risk assessment and baseline mandated by your org policy. E.g. not all orgs will mandate USB blocking on all servers, but only on specific sensitive ones; for clients it is all, probably not VIPs, and including certain whitelisted USB devices.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 40342163
Thanks. It looks like I have more researching and learning on the topic to do yet, but I have learned a lot with your help.
0