DLP Solutions?

theanimal Member Posts: 77
Just to start off - I haven't been in my security position very long so I don't have the most experience in the world, so forgive me there. The company I work for passes all PCI DSS requirements but we have no sort of DLP in place.

So, I started toying around with OpenDLP originally which worked fantastic for finding data containing Credit Cards/PANs/SSN but it does have many flaws, and is just a project some guy made and has no support. Upon using this I found a lot of data in various places just sitting around that shouldn't be which opened up the doors for me to implement some sort of DLP.

Then I started testing out MyDLP which compared to OpenDLP, obviously had a much cleaner interface with more advanced options, though lacking some simple aspects of OpenDLP like a progress bar, total file sizes, files scanned, estimated time to completion, what the string/text found was, etc.

I've been speaking with MyDLP and they've told me they're releasing an update sometime this week, I'll have to see how it is, but as of now I'm not completely sold on the product.

We're mainly looking for something that scans shares/servers/PCs for Credit Cards/PANs/SSN/other sensitive data and reports the string/text found and file/file location, but I would also like to implement some sort of removable media and email DLP, but it isn't a top priority for us at the moment.

I'm currently in contact with Symantec, McAfee, EMC, CheckPoint, and CA to look at the features of their products, and this may be a stupid question, but what other products are out there? What DLP solutions does anyone have experience with, do you like it, pros/cons?
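
The kind of discovery scan the post describes, as an added example (not part of the original post and not code from OpenDLP or MyDLP): it walks a directory tree, flags Luhn-valid card numbers and SSN-shaped strings, and reports file, line and a masked value. The function names, patterns and sample text are assumptions constructed for illustration.

```python
import os
import re
# Constructed sample text (not real data): one non-card number, one test PAN, one SSN.
SAMPLE = """order ref 1234567890123456 shipped
card on file: 4111 1111 1111 1111
emp ssn 123-45-6789
"""
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits):
    """Keep first 6 / last 4 so the report itself never stores a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text):
    """Return (kind, line_number, masked_value) for each hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append(("PAN", lineno, mask(digits)))
        for m in SSN_RE.finditer(line):
            hits.append(("SSN", lineno, "***-**-" + m.group()[-4:]))
    return hits

def scan_tree(root):
    """Walk root and return (path, kind, line, masked_value) for every hit."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Plain-text read only; Office/PDF/archive content needs extraction first.
                with open(path, "r", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            report.extend((path, *h) for h in hits)
    return report
```

The SSN pattern has no checksum behind it, so expect false positives there; the Luhn check is what keeps the card-number results usable.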

Comments

  • dover Member Posts: 184
    I've rolled out the McAfee DLP host-based product in a small(ish) environment - mostly for removable media control/auditing but also for file and email scanning looking for sensitive strings. So far I like it but I wouldn't say I'm confident it will significantly reduce the possibility of data leakage (by itself). Layered, overlapping controls and detection-in-depth is really where you have to take it to make any serious impact.

    My take on McAfee DLP:
    For control/audit of removable media - B
    Email and file scanning - C+

    There is a McAfee Data Loss Prevention Discover appliance that is their centralized DLP compliance/enforcement device...looks alright but I'd have to get hands-on before I judge.

    I'd be curious to hear your take on the other solutions you listed after you get some time with them: Symantec, EMC, Checkpoint, etc.
  • theanimal Member Posts: 77
    Well, I'm just glad I got at least one response lol.

    Thanks for the input. I'm actually looking forward to messing with McAfee's stuff as it looks pretty solid, along with Symantec. I'm just worried about what their pricing is going to be.

    But being that my cost restrictions are going to be really tight with this project, I'm going to try to test every possible option, making sure I get the best bang for the buck. I'll definitely report back with my findings/opinions.
  • Kreken Member Posts: 284
    For email DLP, I just recently installed Cisco IronPort. So far it works great and is relatively easy to implement into the environment. Nice integration with Exchange and AD. It is very decently priced too.

    For removable media, I created the GPO to remove write access to any kind of removable media.

    I was looking at Checkpoint website today and saw Checkpoint Go (Check Point GO | Check Point Software) which looks very similar to Cisco's discontinued Secure Desktop. Something to consider if you have remote users working with sensitive data.
  • theanimal Member Posts: 77
    Kreken wrote: »
    For email DLP, I just recently installed Cisco IronPort. So far it works great and is relatively easy to implement into the environment. Nice integration with Exchange and AD. It is very decently priced too.

    For removable media, I created the GPO to remove write access to any kind of removable media.

    I was looking at Checkpoint website today and saw Checkpoint Go (Check Point GO | Check Point Software) which looks very similar to Cisco's discontinued Secure Desktop. Something to consider if you have remote users working with sensitive data.

    Thanks for the input.

    One of my coworkers has experience with IronPort and from the research I've done it seems like a solid product for locking down workstations, but it doesn't appear to have anything in terms of data discovery. Or did I miss it, lol?

    I was looking into CheckPoint a little bit, I'm waiting for them to get back to me at the moment.

    I kind of feel bad requesting all this info and trials from so many companies when ultimately only one is getting picked.
  • Kreken Member Posts: 284
    Sorry if I was unclear, Cisco IronPort is a DLP solution for just emails. You place the device in the DMZ and it replaces the Exchange Edge Transport server. It's not to secure data at rest. (Cisco also has IronPort web security but it's not really DLP).

    What do you want to accomplish with DLP? Do you want to monitor access to the sensitive data? Do you want to prevent sensitive data leaving the perimeters of your network? Why do you want to implement DLP?
    I just went through DLP implementation in my company and unless you can clearly answer these questions, you will have a hard time selecting the product which will work for you.

    Once you clearly identify your goals, you can look at the control mechanisms which already exist in your network and operating systems. Getting the right solution with the licenses and enabled features that you need will save you a lot of money since no DLP solution is cheap.
  • dover Member Posts: 184
    theanimal wrote: »
    I kind of feel bad requesting all this info and trials from so many companies when ultimately only one is getting picked.

    Man, this made me laugh. I used to feel like this all the time....

    Just consider all the time you spend going through all of the case-studies, white papers, glossy fact-sheets, web sites, forums and endless conference calls, testlab demos and Web-Ex sessions trying to weed out true features from fancy techno-babble selling points as your investment in the process. You, by far, put more into evaluating solutions and systems than any vendor sales/engineer team.

    On another note, we also use the Cisco Ironport for email and use it as another layer of the DLP control (for email), but you are right it isn't a general discovery tool. For us it adds another layer to the host-based McAfee - and may be a bit more accurate.
  • katherinel Registered Users Posts: 1
    theanimal wrote: »
    Just to start off - I haven't been in my security position very long so I don't have the most experience in the world, so forgive me there. The company I work for passes all PCI DSS requirements but we have no sort of DLP in place.

    So, I started toying around with OpenDLP originally which worked fantastic for finding data containing Credit Cards/PANs/SSN but it does have many flaws, and is just a project some guy made and has no support. Upon using this I found a lot of data in various places just sitting around that shouldn't be which opened up the doors for me to implement some sort of DLP.

    Then I started testing out MyDLP which compared to OpenDLP, obviously had a much cleaner interface with more advanced options, though lacking some simple aspects of OpenDLP like a progress bar, total file sizes, files scanned, estimated time to completion, what the string/text found was, etc.

    I've been speaking with MyDLP and they've told me they're releasing an update sometime this week, I'll have to see how it is, but as of now I'm not completely sold on the product.

    We're mainly looking for something that scans shares/servers/PCs for Credit Cards/PANs/SSN/other sensitive data and reports the string/text found and file/file location, but I would also like to implement some sort of removable media and email DLP, but it isn't a top priority for us at the moment.

    I'm currently in contact with Symantec, McAfee, EMC, CheckPoint, and CA to look at the features of their products, and this may be a stupid question, but what other products are out there? What DLP solutions does anyone have experience with, do you like it, pros/cons?

    I have been researching this for the last few months and I found your topic is quite similar to mine. I found the below solution; however, it's your choice whether you want it or not...
    - Manual and scheduled locking of various leakage points, including Flash drive, DVD/CD writers, PCMCIA ports, Network ports, Printer ports, Infrared ports and Bluetooth port.
    - Disable ports to prevent unauthorized access.
    - File Transfer Log maintains detailed record of all the files added, deleted, transferred, or renamed in USB storage devices.
    - Block USB and other ports when PC is unused or idle.
    - Secure important information with unique Print Screen Locking feature.
    - Disable ports for scheduled duration.
    - Restrict USB usage with USB read only feature to make any mass storage device read only.
    - Email filtering log displays the complete report of blocked emails of MS Outlook client.
    - Activity log feature keeps a track of activities performed on Port Locker software, including all the changes done on settings or locking and unlocking of ports.
    - White listing feature allows access to authorized USB devices, with the help of unique hardware ID.
    - Alerts, if access is detected on Locked Ports.

  • dingoshark Registered Users Posts: 1
    theanimal wrote: »
    I'm currently in contact with Symantec, McAfee, EMC, CheckPoint, and CA to look at the features of their products, and this may be a stupid question, but what other products are out there? What DLP solutions does anyone have experience with, do you like it, pros/cons?
    One of my personal favorites is a DLP solution called "SafeSend" that prevents data leakage by asking our users to confirm all external email recipients. It is simple and effective.
  • BerkshireHerd Member Posts: 185
    Not sure your enterprise size, but here at a 7 billion dollar bank we use RSA for DLP.
    Identity & Access Manager // B.A - Marshall University 2005