To assist us with analyzing breaches, both vendors included methods of quarantining or redirecting violating items. This means quarantining data on the endpoint in the same manner that viruses are quarantined, or re-routing (to another server), redirecting (to another user), duplicating (to another server), or tagging the subject line of violating e-mails.
Monitoring, notification, and workflow
Having all of those nifty features isn't worth much without an interface with which the administrator, compliance officers, security officers, human resource personnel, or some other entity can monitor this data and take action to improve the organization's security standing.
Both the Sophos and McAfee solutions provided dashboards that gave us a bird's-eye view of the current status of the DLP solution. Both allow historical analysis and report generation to help drill down and find more information.
McAfee also provides the ability to customize these dashboards, reports and workflow per-user or per-group. For example, we were able to create a dashboard for HR that only showed acceptable use violations, and another for security that highlighted compliance issues. The reporting functionality allowed us to view various cross-sections of the data to help find patterns and trends in the data.
A unique feature of McAfee is the case workflow interface. In this system, new violations are shown as events. As mentioned above, a rule action can be to assign an event to a particular group for further analysis. As with the dashboards, this partitions the potentially vast stream of incoming data into manageable chunks for different audiences.
An analyst viewing these events can group them together into cases, including adding past events discovered from the network traffic capture. This entire case is treated as a single entity, and can be passed on to someone else for further action. While this functionality seems particularly suited for large organizations with a large compliance, security, and human resources staff, it does an excellent job of bridging the gap between the technical world of DLP and the non-technical world of business management. McAfee is the only one of the nine vendors we've evaluated during our three reviews to implement this.
Two other features unique to McAfee in this regard are forthcoming in its new release. The first is the highlighting of violating data in an event. In the current version, and in other vendors' products, the event usually includes a fragment of the offending action, or perhaps the entire file. It's up to the analyst to manually search the file for the specific data that triggered the alert. In the new version, this data is highlighted, similar to a Google cache search result, for easier analysis.
The second feature is the redaction of the above data. If there was a reason the data couldn't be leaked, perhaps it also shouldn't be viewed by the DLP analyst. McAfee's new version will provide the option to require multiple-individual authentication to release the offending data for further analysis. This is probably overkill in most situations, but could definitely be useful in protecting especially sensitive information.
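To make the event-to-case workflow, the match highlighting and the gated redaction described above concrete, here is a small added example (my own illustration, not code from McAfee, Sophos or the review). The rules, the group names, the "[[ ]]" highlight markers and the two-approver threshold are assumptions constructed for the example: each rule carries an "assign to group" action, a scan raises one event per matching rule with exact match offsets, an analyst groups events into a case, and the triggering data stays redacted in the analyst's view until two distinct people approve its release.

```python
import re
from dataclasses import dataclass

# Hypothetical detection rules, constructed for this example. Each rule carries the
# "assign to a group" action the review describes, so matching events are routed to
# a named team instead of one global queue.
RULES = [
    {"name": "pii-ssn",
     "pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # SSN-shaped number
     "assign_to": "compliance"},
    {"name": "acceptable-use",
     "pattern": re.compile(r"\b(poker|casino)\b", re.IGNORECASE),
     "assign_to": "hr"},
]


@dataclass
class Event:
    rule: str
    assigned_to: str
    text: str          # the captured fragment the event was raised on
    spans: list        # (start, end) offsets of every match inside `text`


def scan(text):
    """Raise one Event per matching rule, recording the exact match offsets."""
    events = []
    for rule in RULES:
        spans = [(m.start(), m.end()) for m in rule["pattern"].finditer(text)]
        if spans:
            events.append(Event(rule["name"], rule["assign_to"], text, spans))
    return events


def _rewrite(event, replace):
    """Rebuild event.text, replacing each matched span with replace(matched_text)."""
    out, last = [], 0
    for start, end in event.spans:
        out.append(event.text[last:start])
        out.append(replace(event.text[start:end]))
        last = end
    out.append(event.text[last:])
    return "".join(out)


def highlight(event):
    """Mark the triggering data inline so the analyst need not search the fragment."""
    return _rewrite(event, lambda m: "[[" + m + "]]")


def redact(event):
    """Hide the triggering data while keeping the surrounding fragment for context."""
    return _rewrite(event, lambda m: "[REDACTED]")


class Case:
    """Groups events into one unit of work and gates un-redaction behind N approvers."""

    def __init__(self, case_id, owner, approvals_required=2):
        self.case_id = case_id
        self.owner = owner
        self.events = []
        self.approvals = set()   # distinct approver names: one person cannot approve twice
        self.approvals_required = approvals_required

    def add_event(self, event):
        self.events.append(event)

    def approve_release(self, approver):
        self.approvals.add(approver)
        return self.released()

    def released(self):
        return len(self.approvals) >= self.approvals_required

    def view(self, event):
        """Redacted until enough distinct approvers have signed off, then highlighted."""
        return highlight(event) if self.released() else redact(event)


if __name__ == "__main__":
    # Constructed sample fragment; it trips both hypothetical rules.
    sample = "Please update record for SSN 123-45-6789 before the poker night."
    for ev in scan(sample):
        print(ev.rule, "->", ev.assigned_to)
    case = Case("C-1", owner="compliance")
    ev = scan(sample)[0]
    case.add_event(ev)
    print(case.view(ev))             # redacted
    case.approve_release("alice")
    case.approve_release("alice")    # same person again still counts as one approval
    print(case.view(ev))             # still redacted
    case.approve_release("bob")
    print(case.view(ev))             # highlighted
```

The approvals set is what makes the release a genuine two-person control: a second call from the same approver is absorbed rather than counted, and `view` consults the case, not the event, so every event grouped into the case is released together.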
This three-part series of DLP tests has spanned the past 18 months. When we started, the products were relatively immature, but they have been constantly getting better. With these latest two offerings from McAfee and Sophos, DLP has finally come of age.
Blakely is a graduate student at the Iowa State University of Science and Technology. He can be reached at email@example.com. Rabe is a graduate student at the Iowa State University of Science and Technology. Duffy is a senior undergraduate student at the Iowa State University of Science and Technology.