It almost goes without saying that the greatest threat to the security of an enterprise network often comes from within. Security professionals can shore up their borders, lock down their devices, and search bags on the way out, but there might never be a way to be 100% certain that an employee is not abusing access to sensitive data.
Endpoint data loss prevention (DLP) products, which can be installed on desktops, laptops or servers, are designed to restrict the actions of users, if not their access. For example, Larry in accounting might need access to the Social Security numbers of employees, but should he really be e-mailing them to China? The Holy Grail of DLP is to permit users to do exactly what they need to do, without allowing them to do anything that may pose a risk. That's a tall order, but the products tested in this review impressed us with their sophistication, feature set and ease of use.
This is the second in a series of reviews of DLP products. The first focused upon perimeter-based DLP tools. A test of end-to-end DLP products is next.
In this test, the three endpoint DLP products were: Data Endpoint from Websense, LeakProof from TrendMicro, and Identity Finder Enterprise Edition from Identity Finder. Invitations were also sent to: Cisco, McAfee, CA, RSA, Symantec, Verdasys, Safend, Code Green, Indorse, Proofpoint, nexTier, Vericept, GTB, and Workshare, but those vendors decided not to participate.
The basic idea for this test was to identify various types of sensitive data and to see whether the endpoint DLP could stop that data from being exfiltrated via a variety of methods, including saving to a USB drive, burning to a disk, printing, sending via Webmail or sending via Instant Message. In all, we conducted 588 tests.
TrendMicro's LeakProof is our Clear Choice Test winner, as the best general-purpose endpoint DLP tool of the three. Configuration was painless, performance was the best, it was the least obtrusive, and it enforced policies across the entire system. It was also the most consistent across operating systems and exfiltration methods. Plus, the installation options of a physical appliance, bare-metal install, or VMware appliance provide deployment flexibility.
Websense's Data Endpoint is a powerful, feature-rich product that gives administrators the ability to draw on a large selection of policy templates, to script custom actions upon detection, to tailor actions per-application, and to schedule fingerprinting of files in a network share. Data Endpoint, part of Websense's Data Security Suite, has a more elaborate feature set than TrendMicro's LeakProof, and it's considerably less expensive. But it also has a few rough edges.
Both of these products are aimed at keeping data from leaving the endpoint, whether it be intentional or accidental. Practically speaking, accidental removal is probably where the money is at, as a determined user could probably find ways around many of the blocking schemes.
Identity Finder does not attempt to keep users from doing naughty things with sensitive data, but rather tries to help users protect sensitive data they possess. This is a very different philosophy – trusting that users will do the right thing instead of assuming they are trying to do the wrong thing.
Identity Finder still features centralized control and logging, but gives users remediation options when a sensitive item is found. It focuses principally upon identity-related information, such as names, addresses, Social Security numbers, credit card numbers and other personal data. However, it supports the use of regular expression matching, which allows for more generic matching, if desired.
Data discovery differences
The traditional method of data discovery is to crawl every file share that can be reached for the data in question. Data Endpoint and LeakProof can both discover data in this manner, if discovery alone is needed for a system, or if installing the endpoint agent is not feasible or desirable. However, recognizing that enabling file sharing on every device in a network could have some unintended side effects, these products can perform discoveries on endpoints via the software agent without file sharing enabled.
Identity Finder's scanning is all performed on the local system, and any sensitive files it identifies are reported to the management console. After the scan is finished, if the endpoint user has write access to the scanned files, the Data Endpoint and Identity Finder agents have the option to reset the file access times to what they were before the scan.
Combine this with the stealth mode in Data Endpoint, and discovery becomes nearly undetectable (at least for ordinary users). Data Endpoint boasts an additional perk to ensure that network discoveries do not pose an inordinate burden on the network or any device: the ability to throttle network throughput available to the discovery process.
Fingerprinting for the masses
Fingerprinting functionality stands out in these products. Typically in DLP products, the fingerprinting process is limited to a few users who are allowed to log in to the management console, submit a file for fingerprinting, and then enable that fingerprint for detection. Data Endpoint and LeakProof strip away all these layers and allow ordinary users to determine which information should be protected by running scheduled fingerprints of all items in a network share. Of course, the administrator can still manually fingerprint files, and can also configure a scheduled fingerprint scan of a network share.
If your accountant has a spreadsheet that shouldn't be allowed to leave the network, all he has to do is drop that into this network share. Upon the next fingerprint scan (which is on a schedule determined by the administrator), this new file will automatically be fingerprinted and woven into the DLP policy.
TrendMicro says it uses a unique fingerprinting method inspired by human fingerprints. This allows LeakProof to identify a document, even if a large portion of it has been changed. For this test, the only content change performed was a minor one, so this functionality was not fully tested.
Violators will be punished
The hardest decision for an endpoint protection product is what to do when a violation is detected. Data Endpoint and LeakProof both support the ability to block the action, ask the user to confirm or justify the action, send notification to an administrator, and log the violation. However, each offers something the other doesn't.
Data Endpoint gives the power to run a custom script on the item – perhaps moving it to a secure location and leaving a notification message in its place, or encrypting the file. The only limit is the administrator's scripting ability.
On the other hand, LeakProof has the capability to gather more information from the user. LeakProof gives the option to request a justification for the action, instead of just a yes or no allow decision, as in Data Endpoint.
To be clear, either of these options is only available to the user when the confirmation response is selected instead of the block response. Both Data Endpoint and LeakProof can be completely silent about blocking the activity. The user might never know the agent is on the system.
Identity Finder gives the user options about what to do with a discovered sensitive file. The user may move it into an encrypted file vault (maintained by Identity Finder); shred the file any number of times; quarantine the item to a secure location; or if the file is a text file, Office 2007 file or PDF, scrub the offending items from the file. We were only able to verify the scrubbing functionality for text files. The central console controls the selection of these features that are available to the end-user.
A feature that left us somewhat on the fence was Data Endpoint's application-centric policy configuration. While this gives a very fine level of control to the administrator, it leaves one open to a constant stream of new applications that must be detected and added to the policy. In an environment where users are not allowed to install software, this might be less of an issue.
Another potential downside is that if an administrator wishes to control copying to network shares, unauthorized internal hard drives or other folders on the same drive, he must block Explorer.exe's access to sensitive files. Obviously this will create some issues, as Windows will be cordoned off from them.
None of the installations were particularly difficult, though they all had their minor shortcomings.
Websense requires both Oracle and MS SQL to be installed on the system, as well as .Net 3.5. Thankfully, these items were all bundled with the installation files provided, and their installation was wrapped into the installer. We had to manually extract the installer files for Oracle and MS SQL and then instruct the installer where to find them. Considering the items are all bundled together, this seems like something that could be automated. After installation, the management console was used to input the licensing information provided by Websense.
Data Endpoint includes a utility to build installation packages for the endpoint software. In this utility, the administrator specifies the IP address of the management server and a couple of other parameters. From this information, Data Endpoint builds a customized installer package that can be used to deploy the agent to the clients. For this test, the files were copied to the clients and manually installed.
TrendMicro's LeakProof installation was eased by the fact that a physical appliance was used, instead of a software installation. However, the installation documentation was somewhat lacking. The quick start guide that shipped with the product contained a port diagram that did not match the configuration of ports on the PowerEdge 1950 that was used. Next, the user name and password on the sheet did not work. An e-mail to support returned an updated Quick Start guide containing a working login (though the port diagram was still incorrect). This guide mentioned a configuration utility that was apparently supposed to start at first login, but did not give the name of the command to start it by hand. Since the utility did not start on first login, network configuration had to be performed manually. Fortunately, the system is built upon CentOS (a free RedHat clone), which we were familiar with.
From this point on, sailing was relatively smooth for LeakProof's installation. The endpoint agent installer was command line driven, requiring the administrator to specify the IP address of the management server. Deployment via Active Directory or System Center Configuration Manager are also advertised, but were not tested.
Identity Finder's installation process was about average. No major problems were encountered, but the reviewers had to manually install .Net 3.5, Microsoft Report Viewer 2008 and IIS 6.0 or better before the installer would continue. Since the first two are freely available, and the third is a Windows component, this process could definitely be automated. After installation, the license file needed to be manually copied into the directory containing the management console executable.
The Identity Finder installer also created a registry file that, along with the installer and license files, needed to be copied to the clients. The registry file needed to be manually executed to add the management server information to the registry, and then the installer could be executed from the command line.
LeakProof and Identity Finder's management server configuration is done entirely from a Web console. Data Endpoint has a Web console for policy and profile management, but also a separate MMC snap-in for management of the server itself. Websense is working towards unifying this into a single Web-based console.
Data Endpoint for the most part had the easiest-to-use configuration, other than being split into two interfaces. After an orientation from an engineer at Websense, we were able to navigate comfortably around the interfaces. That said, a couple of the test items required additional support to configure fully. Initial policy configuration is a breeze with the Policy Wizard. This tool asks the administrator what type of organization is using the product (for example, government, finance, healthcare, education) and in which locality the product is to be used. It then tailors a (long) list of available templates. For this test, only the HIPAA and PCI templates were used, but many others could have been enabled.
After the initial configuration of policy profiles, the administrator moves over to the Web interface to configure profiles for protection. This test only made use of the default profile, but the ability to target profiles for different computers or users is available. Each profile consists of channels and services (applications). The administrator selects which channels to protect, and then configures the blocking actions for the desired groups of applications, or individual applications.
The option to globally block or confirm actions is available, but is not recommended, as this might interfere with Windows. During this process, the reviewers occasionally encountered “Security Clearance” errors when clicking through a page before it had fully loaded. In more than one instance, this resulted in the loss of all changes made to the profile since the last explicit save. The product also lacks the ability to block files based upon file name, as Websense does not see this as a useful feature. For this test, keyword blocking was able to serve the same function in most cases.
In all three products, changes to the configuration must be pushed out to the endpoints. With LeakProof and Data Endpoint, the policies are given version numbers, which makes checking for up-to-date configurations trivial. In Data Endpoint, the interval at which endpoints check for policy and profile updates is configurable by the administrator (in intervals as short as one minute). All endpoints update their policy upon system startup.
LeakProof has a very clearly labeled Web interface that was easy to use. It included a configuration flowchart that made it clear which steps needed to be taken to configure the system. Like Data Endpoint, LeakProof can enforce policies globally, or at the finer level of user or computer groups. An additional feature was the ability to create conditional rules. For example: if the file contains “Top Secret” but not “Approved for Release” then take some blocking action. The Web interface was easy enough to use that minimal reference to the documentation was needed, and support only needed to be contacted once.
Identity Finder's configuration interface lags somewhat behind the other two in ease of use. The policy configuration is reminiscent of Microsoft Group Policy in that the administrator is faced with a rather daunting tree of jargon-filled options. However, once we established the difference between “Anyfind” and “Onlyfind”, the explanations given in the interface were sufficient to configure the system to test specifications. This product was only tested on its ability to detect HIPAA- and PCI-related data, as that is its main focus. Custom regular expressions can be used to find other types of data, but those seem to lie in the periphery of this product's functionality.
The Identity Finder enterprise administrator has the ability to control which remediation measures end-users can take, and what configuration options are available to them. The endpoint was easier to configure from its local console than from the central console.
After completing configuration, we tried combinations of protected file, exfiltration method, operating system and vendor (588 tests in all). The general categories of protected files were: HIPAA-relevant data, PCI-relevant data, code in several languages, a (formerly) classified document, a legal document, a media file, an empty file used to check file name blocking, and a standards document – including six obfuscations.
The exfiltration methods were: copying to a USB drive; burning to CD; printing to a network printer; sending instant messages; e-mailing via a Web-based client, an open source client, and Outlook Express/Windows mail; sharing via a peer-to-peer client; copying to a network share; and pasting the contents of the file into Wordpad.
Not every test was possible on every configuration. Identity Finder has no blocking ability, therefore it is not included in these performance tests.
LeakProof won our performance testing, scoring a 76% overall success rate to 68% for Data Endpoint. LeakProof scored 100% in blocking HIPAA and PCI data, 100% blocking various types of code and 96% blocking different access to media, such as thumb drives and CDs. LeakProof scored only 29% blocking legal documents and 18% blocking via file names, although the company argues that this functionality is irrelevant because file names don't tell you anything about the content of the file.
When it came to exfiltration methods, LeakProof was remarkably consistent, blocking roughly 75% of sensitive data no matter which method was used. LeakProof did have a problem blocking smaller portions of a fingerprinted document.
Though Data Endpoint was able to catch pages, it was not able to catch paragraph- or sentence-sized excerpts. This could pose a problem for documents where only a couple paragraphs contain truly sensitive information. Thankfully, most scenarios where this would pose a problem are handled by other mechanisms (such as pattern matching and keyword blocking).
Data Endpoint scored higher than LeakProof in many categories of exfiltration methods. For example, 85% each for blocking via USB drive, CD and Webmail, compared with 75% for LeakProof in those three categories. However, the current version of Data Endpoint doesn't block users from moving data to shared network drives without denying Windows access to these files, so it scored a zero in that category. Websense plans to provide enhanced support for CIFS shares in Version 7.5, which should remedy this shortcoming.
While neither product had an explicit file name matching ability, the keyword ability in Data Endpoint was able to largely achieve the same purpose.
Identity Finder performed well within its intended purpose. The only HIPAA- or PCI-related data it did not identify was American Express card numbers. It had no trouble with Mastercard or Visa numbers, names, addresses, phone numbers, or Social Security numbers. However, it also found a large number of false positives in Windows system dynamic link libraries and other program files that it thought were sensitive information.
Data Endpoint seemed to be the most lightweight of the agents. It only consumed up to 30MB of memory, and a small share of the processor. Hard disk usage was between 68MB (in Windows 2008) and 91MB (in Vista). It's worth repeating that it was the only program with an option to throttle discovery network usage.
LeakProof used a quarter to half of the processor, and a max of 50MB of memory. Hard drive space was a little less than Data Endpoint, weighing in at 55M to 67MB (again with Win 2008 taking the least and Vista taking the most). Blocking actions never got in the way of system operation.