Block data leaks at the endpoint

It almost goes without saying that the greatest threat to the security of an enterprise network often comes from within. Security professionals can shore up their borders, lock down their devices, and search bags on the way out, but there might never be a way to be 100% certain that an employee is not abusing access to sensitive data.

Endpoint data loss prevention (DLP) products, which can be installed on desktops, laptops or servers, are designed to restrict the actions of users, if not their access. For example, Larry in accounting might need access to the Social Security numbers of employees, but should he really be e-mailing them to China? The Holy Grail of DLP is to permit users to do exactly what they need to do, without allowing them to do anything that may pose a risk. That's a tall order, but the products tested in this review impressed us with their sophistication, feature set and ease of use.

This is the second in a series of reviews of DLP products. The first focused upon perimeter-based DLP tools. A test of end-to-end DLP products is next.

Click to see: Net results

In this test, the three endpoint DLP products were: Data Endpoint from Websense, LeakProof from TrendMicro, and Identity Finder Enterprise Edition from Identity Finder. Invitations were also sent to: Cisco, McAfee, CA, RSA, Symantec, Verdasys, Safend, Code Green, Indorse, Proofpoint, nexTier, Vericept, GTB, and Workshare, but those vendors decided not to participate.

The basic idea for this test was to identify various types of sensitive data and to see whether the endpoint DLP could stop that data from being exfiltrated via a variety of methods, including saving to a USB drive, burning to a disk, printing, sending via Webmail or sending via Instant Message. In all, we conducted 588 tests.

Click to see: Scorecard

TrendMicro's LeakProof is our Clear Choice Test winner, as the best general-purpose endpoint DLP tool of the three. Configuration was painless, performance was the best, it was the least obtrusive, and it enforced policies across the entire system. It was also the most consistent across operating systems and exfiltration methods. Plus, the installation options of a physical appliance, bare-metal install, or VMware appliance provide deployment flexibility.

Websense's Data Endpoint is a powerful, feature-rich product that gives administrators the ability to draw on a large selection of policy templates, to script custom actions upon detection, to tailor actions per-application, and to schedule fingerprinting of files in a network share. Data Endpoint, part of Websense's Data Security Suite, has a more elaborate feature set than TrendMicro's LeakProof, and it's considerably less expensive. But it also has a few rough edges.

Both of these products are aimed at keeping data from leaving the endpoint, whether it be intentional or accidental. Practically speaking, accidental removal is probably where the money is at, as a determined user could probably find ways around many of the blocking schemes.