Top tools for preventing data leaks

tools preventing data leaks 1
Credit: Thinkstock
Data loss prevention tools

We tested data loss prevention (DLP) tools from Comodo, Digital Guardian and Forcepoint. These products are designed to stop protected data from being shared in multiple ways, everything from e-mail attachments to printing to even screen captures. Forcepoint Triton was the most mature, easiest to setup and had the most features. Digital Guardian DLP was able to eliminate almost all false positives and would be a good choice for organizations with huge amounts of intellectual property. Comodo DLP offered a lot of flexibility as well as extras like a VPN, firewall, patch and mobile device manager, making it a good choice for organizations getting up to speed with their overall cybersecurity defenses. Read the full review.

tools preventing data leaks 2
Comodo DLP

Comodo DLP is installed as a network or virtual appliance and works independently or as part of the Comodo 360 Complete Security Bundle. The Comodo appliance is priced at $8.29 per seat for a three-year commitment and 5,000 or more seats. Comodo DLP can protect data stored on internal network drives right from the start, but gets more powerful if agents can be installed on connected endpoints. Out of the box, the Comodo DLP that we tested was pretty much a blank slate. It has a lot of powerful potential, but needs to be programmed. This screenshot shows the Comodo DLP blocking numbers in credit card format from leaving a system after first putting them into Notepad.

tools preventing data leaks 3
Comodo DLP

The console gives administrators lots of options regarding how to deal with attempts to exfiltrate protected data. It can be simply blocked, the fact that it was blocked can be recorded, users can be warned or kept in the dark, or everything that a user tried to illegally copy can be archived. One entire folder on our test network was protected against copying. When we tried to pull files from the network and save them on a key drive, not only was that transfer stopped, but a full archive of every file that we tried to copy was provided to the DLP administrator. Another nice feature of Comodo DLP is that it can scan endpoints to determine if any protected information has already left. Finally, Comodo DLP can be reversed to prevent certain types of information from entering a network. Here’s the main dashboard showing potential DLP policy breaches over time.

tools preventing data leaks 4
Digital Guardian Network DLP

The Digital Guardian Network DLP appliance is designed for very large installations, or at least places where there are potentially millions of records to protect. Its pricing model starts at approximately $25,000 based on licensing volume, and it can be installed as either an on-premises appliance or as a managed security service. The interface when creating rules for the Digital Guardian Network DLP is very precise, and designed to eliminate false positives. In this screenshot, not even hiding a protected account number within a huge reviewer’s guidebook, or turning the text to Chinese would let it slip past the DLP protection.

tools preventing data leaks 5
Digital Guardian

For a program with such complex ruleset possibilities, getting it up and running is a surprisingly easy two-step process. It begins by registering the data that needs to be protected. Then, it’s time to go in and configure what uses are allowed and which should be blocked, quarantined or encrypted before being sent out. The final tweak is data tagging for true precision. Data tagging is conducted after the main rules are in place to create or modify exceptions. Finally, Digital Guardian offers an encryption feature for scenarios where employees need to send sensitive data outside of a network for partners or contractors to work with. Here’s an example of an email that was flagged.

tools preventing data leaks 6
Forcepoint Triton DLP

Forcepoint DLP was the most mature product we reviewed. Forcepoint DLP is integrated with the Triton APX product line of cybersecurity defense tools. Installed as an appliance, the DLP component along with the required module in the Data Security Suite is priced at $44.50 per seat for a deployment of 5,000 users. A 10% discount would apply for a multi-year contract. For such a powerful tool, setting up the Forcepoint DLP was incredibly easy. The module comes pre-configured with 1,700 presets. Federal regulations as well as the individual rules for every state and most countries are included. This screenshot shows the Forcepoint interface smartly condensing multiple violations into one alert.

tools preventing data leaks 7
Forcepoint

The Forcepoint DLP works best when agents are installed on corporate endpoints. Forcepoint was the only product in our test that had a working OS X agent in addition to a 32 and 64-bit Windows version. Creating an agent is easy using a wizard-like interface. Forcepoint DLP can also use fingerprinting for important documents that may not be legally protected, but which are important or even critical to an operation. Part of the Forcepoint endpoint protection includes a native encryption engine so administrators can allow, for example, someone to take files home using a USB drive, but only after being encrypted. Forcepoint DLP also works with Dropbox, Office 365 and OneDrive, allowing an administrator to scan for fingerprinted data or protected information in the cloud. This screenshot shows the main dashboard.