To assist us with analyzing breaches, both vendors included methods of quarantining or redirecting violating items. This means quarantining data on the endpoint in the same manner that viruses are quarantined, or re-routing (to another server), redirecting (to another user), duplicating (to another server), or tagging the subject line of violating e-mails.
Monitoring, notification, and workflow
Having all of those nifty features isn't worth much without an interface with which the administrator, compliance officers, security officers, human resource personnel, or some other entity can monitor this data and take action to improve the organization's security standing.
Both Sophos and McAfee's solutions provided dashboards that gave us a birds-eye view into the current status of the DLP solution. Both allow historical analysis and report generation to help drill-down and find more information.
McAfee also provides the ability to customize these dashboards, reports and workflow per-user or per-group. For example, we were able to create a dashboard for HR that only showed acceptable use violations, and another for security that highlighted compliance issues. The reporting functionality allowed us to view various cross-sections of the data to help find patterns and trends in the data.
A unique feature of McAfee is the case workflow interface. In this system, new violations are shown as events. As mentioned above, a rule action can be to assign an event to a particular group for further analysis. As with the dashboards, this partitions the potentially vast amount of data coming in into manageable chunks for different audiences.
An analyst viewing these events can group them together into cases, including adding past events discovered from the network traffic capture. This entire case is treated as a single entity, and can be passed on to someone else for further action. While this functionality seems particularly suited for large organizations with a large compliance, security, and human resources staff, it does an excellent job of bridging the gap between the technical world of DLP and the non-technical world of business management. McAfee is the only one of the nine vendors we've evaluated during our three reviews to implement this.
Two other features unique to McAfee in this regard are forthcoming in their new release. The first is the highlighting of violating data in an event. In the current version, and in other vendors' products, the event usually includes a fragment of the offending action, or perhaps the entire file. It's up to the analyst to manually search the file for the specific data that triggered the alert. In the new version, this data is highlighted, similar to a Google cache search result for easier analysis.
The second feature is the redaction of the above data. If there was a reason the data couldn't be leaked, perhaps it also shouldn't be viewed by the DLP analyst. McAfee's new version will provide the option to require multiple-individual authentication to release the offending data for further analysis. This is probably overkill in most situations, but could definitely be useful in protecting especially sensitive information.
This three-part series of DLP tests has spanned the past 18 months. When we started, the products were relatively immature, but they have been constantly getting better. With these latest two offerings from McAfee and Sophos, DLP has finally come of age.
Blakely is a graduate student at the Iowa State University of Science and Technology. He can be reached at firstname.lastname@example.org. Rabe is a graduate student at the Iowa State University of Science and Technology. Duffy is a senior undergraduate student at the Iowa State University of Science and Technology.
The attacks that overwhelmed the internet-address lookup service provided by Dyn today were well...
Amazon Web Services and Microsoft Azure, take very different approaches in how their data centers are...
By forcing Windows 10 on users, Microsoft has lost the tenuous trust and credibility users had in the...
Here’s a roundup of products, services and more that Microsoft rid itself of in 2016.
Apple has been selling Macintosh branded computers for 31 years, but with its emphasis shifting to...
What every citizen should know about the state of our voting systems and the security of our elections....
Poll results are supposed to be driven by opinions, but marketers, politicians and others know opinions...