Solved

DLP Solutions

Posted on 2014-09-20
8
324 Views
Last Modified: 2014-09-24
We currently use McAfee ePO and Email Gateways and are looking into implementing DLP, and looking at doing this at the desktop and MEG levels. I have recently read about Network DLP and how it can inspect content for specific keywords. Is this a separate network device, or is it what McAfee already does?
Question by:compdigit44
8 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40335010
DLP can be part of MEG, but the network DLP is not part of MEG at all, as the latter is not reaching deep into the network packet for inspection. From McAfee network DLP, it is likely the DLP Monitor that can integrate passively into the network using either a SPAN port or a physically inline network tap (optional).
http://www.mcafee.com/sg/resources/data-sheets/ds-dlp-monitor.pdf

As far as I know, McAfee DLP Manager, McAfee DLP Monitor, McAfee DLP Discover, and McAfee DLP Prevent are supported on the McAfee DLP 5500 appliance.

Actually that is common working for most network DLP sensors (or appliances) "planted" at strategic points of interest for outbound monitoring. The sensor normally has to perform packet capture, session reassembly, channel control, payload decoding and content recognition and analysis.

One example is the Fidelis (acquired by General Dynamics) XPS appliance. For info, IBM's network DLP is using Fidelis XPS. There is also the Gartner MQ on content-aware DLP - one 2013 version PDF (http://www.computerlinks.de/FMS/22876.magic_quadrant_for_content_aware_data_loss_prevent.pdf)
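The sensor pipeline described above (capture, reassembly, payload decoding, content recognition) can be illustrated with a minimal passive inspector. This is an added example, not code from the thread or from any McAfee or Fidelis product: it builds a constructed outbound SMTP message with a base64-encoded attachment, decodes every MIME part, and matches a small keyword/pattern policy against the decoded text. The keywords and patterns are constructed placeholders for a real policy.

```python
import re
from email.message import EmailMessage
from email import message_from_string

# Constructed content policy: the "signature list" the sensor matches against.
KEYWORDS = ("COMPANY CONFIDENTIAL", "CLASSIFIED", "INTERNAL ONLY")
PATTERNS = {
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card-like": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def build_sample_session() -> str:
    """Construct a sample outbound mail (stands in for a reassembled SMTP session)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@partner.test"
    msg["Subject"] = "Q3 numbers"
    msg.set_content("Hi Bob, the figures are attached.")
    # The sensitive content only exists inside a base64-encoded attachment,
    # so a keyword match on the raw wire bytes would miss it.
    secret = b"COMPANY CONFIDENTIAL\nEmployee SSN: 123-45-6789\n"
    msg.add_attachment(secret, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_string()


def decode_payloads(raw: str):
    """Payload decoding step: walk MIME parts, undo transfer encoding, yield text."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or part.get_content_type()
        yield name, data.decode("utf-8", "replace")


def inspect_session(raw: str):
    """Content recognition step: return (part, rule) hits over all decoded parts."""
    hits = []
    for name, text in decode_payloads(raw):
        upper = text.upper()
        hits += [(name, "keyword:" + kw) for kw in KEYWORDS if kw in upper]
        hits += [(name, "pattern:" + r) for r, rx in PATTERNS.items() if rx.search(text)]
    return hits


if __name__ == "__main__":
    for part, rule in inspect_session(build_sample_session()):
        print(f"ALERT part={part} rule={rule}")
```

Only the decoded attachment produces alerts; the plain-text body passes, which is the point of doing decoding before recognition.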
 
LVL 19

Author Comment

by:compdigit44
ID: 40335588
This is great information.. it sounds like the hardware DLP solution from McAfee is more in-depth than their software-based solutions... Is this correct?
 
LVL 61

Expert Comment

by:btan
ID: 40335819
the primary reason for the network DLP appliance at the strategic point is that the network capture and deep inspection engine require pretty high performance depending on your organisation's bandwidth, so that you do not drop or corrupt packets - note that you are not really inline (break the wire) unless you want to inspect and block actively all SSL-based connections...rather similar to FW, IPS but in a different inspection domain ....
Software-based can still be viable as the engine logic will not differ, since it is still very much signature- and behaviour-driven in their db; it is the throughput and point of interest that make the difference. For endpoints it is normally agent-based DLP, which can be simply those HIPS-based schemes for DLP monitoring and ePO management.
 
LVL 19

Author Comment

by:compdigit44
ID: 40337546
Thanks for the great feedback.... Which in your opinion is better and gives more granularity? It sounds like the hardware version does not require a desktop agent, which is a plus.
 
LVL 61

Expert Comment

by:btan
ID: 40338166
each has its good and ugly

(a) sensor is suited for the segment of interest where in particular the entry/exit boundary is of interest; for use cases such as monitoring extranet/intranet, VVIP/VIP zone, ops/intel/admin function zone traversal. Very much it is also to detect network security device misconfiguration and any anomalous behaviours from the "trusted" FW, IPS/IDS, proxy etc.

(b) agent is suited for the endpoint(s) where the particular interest is the machine exfiltrating, intentionally (violating policy/insiders/contractor) or unintentionally (malware infected), any "deemed" sensitive information such as classified, personal, company secrets, project related, intellectual property.

(a) + (b) give a good picture overall, but you have to set your priority, as most of the time if you do not have a central SOC or security team working on it the data and intel can be overwhelming, not to further worsen the operational aspect of lowering the noise vs the true positives (lots of tuning, constantly and at regular periods).

the DLP strategy should be at both endpoint and network, and even internet trawling, to stay proactive. If need be you may want to consider dedicating (a) as the plan and (b) for specific machines like kiosk/shared or admin machines with access to critical servers. (b) will already have the HIPS as main bouncer to safeguard end user machine security hygiene.
 
LVL 19

Author Comment

by:compdigit44
ID: 40340345
very interesting!!!

So both are good and work together for a complete solution. The appliance can catch DLP violations regardless of the protocol used, correct?

Regarding HIPS shouldn't this be installed on all DMZ servers?
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40340519
Network DLP protocol support is better validated by the provider, as that itself is like the signature list they support, which includes the application protocols etc.
Indeed HIPS should be on all machines (servers and clients) and especially on critical servers, but it depends on the policy configured, which may vary depending on the risk assessment and baseline mandated based on your org policy...e.g. not all orgs will mandate USB block on all servers but only specific sensitive ones, and for clients it is all, probably not VIP, and including certain whitelisted USB ...
 
LVL 19

Author Comment

by:compdigit44
ID: 40342163
Thanks .. It looks like I have more researching and learning on the topic to do yet... But I have learned a lot with your help.