Block data leaks at the endpoint

Endpoint data loss prevention tools are designed to block sensitive data from leaving PCs, laptops and servers. We tested products from TrendMicro, Websense and Identity Finder, and discovered that endpoint DLP tools offer sophisticated, easy-to-use methods for protecting sensitive corporate data.

It almost goes without saying that the greatest threat to the security of an enterprise network often comes from within. Security professionals can shore up their borders, lock down their devices, and search bags on the way out, but there might never be a way to be 100% certain that an employee is not abusing access to sensitive data.

Archive of Network World tests

Endpoint data loss prevention (DLP) products, which can be installed on desktops, laptops or servers, are designed to restrict the actions of users, if not their access. For example, Larry in accounting might need access to the Social Security numbers of employees, but should he really be e-mailing them to China? The Holy Grail of DLP is to permit users to do exactly what they need to do, without allowing them to do anything that may pose a risk. That's a tall order, but the products tested in this review impressed us with their sophistication, feature set and ease of use.

This is the second in a series of reviews of DLP products. The first focused upon perimeter-based DLP tools. A test of end-to-end DLP products is next.

In this test, the three endpoint DLP products were: Data Endpoint from Websense, LeakProof from TrendMicro, and Identity Finder Enterprise Edition from Identity Finder. Invitations were also sent to: Cisco, McAfee, CA, RSA, Symantec, Verdasys, Safend, Code Green, Indorse, Proofpoint, nexTier, Vericept, GTB, and Workshare, but those vendors decided not to participate.

The basic idea for this test was to identify various types of sensitive data and to see whether the endpoint DLP could stop that data from being exfiltrated via a variety of methods, including saving to a USB drive, burning to a disk, printing, sending via Webmail or sending via Instant Message. In all, we conducted 588 tests.

TrendMicro's LeakProof is our Clear Choice Test winner, as the best general-purpose endpoint DLP tool of the three. Configuration was painless, performance was the best, it was the least obtrusive, and it enforced policies across the entire system. It was also the most consistent across operating systems and exfiltration methods. Plus, the installation options of a physical appliance, bare-metal install, or VMware appliance provide deployment flexibility.

Websense's Data Endpoint is a powerful, feature-rich product that gives administrators the ability to draw on a large selection of policy templates, to script custom actions upon detection, to tailor actions per-application, and to schedule fingerprinting of files in a network share. Data Endpoint, part of Websense's Data Security Suite, has a more elaborate feature set than TrendMicro's LeakProof, and it's considerably less expensive. But it also has a few rough edges.

Both of these products are aimed at keeping data from leaving the endpoint, whether it be intentional or accidental. Practically speaking, accidental removal is probably where the money is at, as a determined user could probably find ways around many of the blocking schemes.

Identity Finder does not attempt to keep users from doing naughty things with sensitive data, but rather tries to help users protect sensitive data they possess. This is a very different philosophy – trusting that users will do the right thing instead of assuming they are trying to do the wrong thing.

Identity Finder still features centralized control and logging, but gives users remediation options when a sensitive item is found. It focuses principally upon identity-related information, such as names, addresses, Social Security numbers, credit card numbers and other personal data. However, it supports the use of regular expression matching, which allows for more generic matching, if desired.

Data discovery differences

The traditional method of data discovery is to crawl every file share that can be reached for the data in question. Data Endpoint and LeakProof can both discover data in this manner, if discovery alone is needed for a system, or if installing the endpoint agent is not feasible or desirable. However, recognizing that enabling file sharing on every device in a network could have some unintended side effects, these products can perform discoveries on endpoints via the software agent without file sharing enabled.

Identity Finder's scanning is all performed on the local system, and any sensitive files it identifies are reported to the management console. After the scan is finished, if the endpoint user has write access to the scanned files, the Data Endpoint and Identity Finder agents have the option to reset the file access times to what they were before the scan.

Combine this with the stealth mode in Data Endpoint, and discovery becomes nearly undetectable (at least for ordinary users). Data Endpoint boasts an additional perk to ensure that network discoveries do not pose an inordinate burden on the network or any device: the ability to throttle network throughput available to the discovery process.

Fingerprinting for the masses

Fingerprinting functionality stands out in these products. Typically in DLP products, the fingerprinting process is limited to a few users who are allowed to log in to the management console, submit a file for fingerprinting, and then enable that fingerprint for detection. Data Endpoint and LeakProof strip away all these layers and allow ordinary users to determine which information should be protected by running scheduled fingerprints of all items in a network share. Of course, the administrator can still manually fingerprint files, and can also configure a scheduled fingerprint scan of a network share.

If your accountant has a spreadsheet that shouldn't be allowed to leave the network, all he has to do is drop that into this network share. Upon the next fingerprint scan (which is on a schedule determined by the administrator), this new file will automatically be fingerprinted and woven into the DLP policy.

TrendMicro says it uses a unique fingerprinting method inspired by human fingerprints. This allows LeakProof to identify a document, even if a large portion of it has been changed. For this test, the only content change performed was a minor one, so this functionality was not fully tested.

Violators will be punished

The hardest decision for an endpoint protection product is what to do when a violation is detected. Data Endpoint and LeakProof both support the ability to block the action, ask the user to confirm or justify the action, send notification to an administrator, and log the violation. However, each offers something the other doesn't.

Data Endpoint gives the power to run a custom script on the item – perhaps moving it to a secure location and leaving a notification message in its place, or encrypting the file. The only limit is the administrator's scripting ability.

On the other hand, LeakProof has the capability to gather more information from the user. LeakProof gives the option to request a justification for the action, instead of just a yes or no allow decision, as in Data Endpoint.

To be clear, either of these options is only available to the user when the confirmation response is selected instead of the block response. Both Data Endpoint and LeakProof can be completely silent about blocking the activity. The user might never know the agent is on the system.

Identity Finder gives the user options about what to do with a discovered sensitive file. The user may move it into an encrypted file vault (maintained by Identity Finder); shred the file any number of times; quarantine the item to a secure location; or if the file is a text file, Office 2007 file or PDF, scrub the offending items from the file. We were only able to verify the scrubbing functionality for text files. The central console controls the selection of these features that are available to the end-user.

A feature that left us somewhat on the fence was Data Endpoint's application-centric policy configuration. While this gives a very fine level of control to the administrator, it leaves one open to a constant stream of new applications that must be detected and added to the policy. In an environment where users are not allowed to install software, this might be less of an issue.

Another potential downside is that if an administrator wishes to control copying to network shares, unauthorized internal hard drives or other folders on the same drive, he must block Explorer.exe's access to sensitive files. Obviously this will create some issues, as Windows will be cordoned off from them.

Installation

None of the installations were particularly difficult, though they all had their minor shortcomings.

Websense requires both Oracle and MS SQL to be installed on the system, as well as .Net 3.5. Thankfully, these items were all bundled with the installation files provided, and their installation was wrapped into the installer. We had to manually extract the installer files for Oracle and MS SQL and then instruct the installer where to find them. Considering the items are all bundled together, this seems like something that could be automated. After installation, the management console was used to input the licensing information provided by Websense.

Data Endpoint includes a utility to build installation packages for the endpoint software. In this utility, the administrator specifies the IP address of the management server and a couple of other parameters. From this information, Data Endpoint builds a customized installer package that can be used to deploy the agent to the clients. For this test, the files were copied to the clients and manually installed.

TrendMicro's LeakProof installation was eased by the fact that a physical appliance was used, instead of a software installation. However, the installation documentation was somewhat lacking. The quick start guide that shipped with the product contained a port diagram that did not match the configuration of ports on the PowerEdge 1950 that was used. Next, the user name and password on the sheet did not work. An e-mail to support returned an updated Quick Start guide containing a working login (though the port diagram was still incorrect). This guide mentioned a configuration utility that was apparently supposed to start at first login, but did not give the name of the command to start it by hand. Since the utility did not start on first login, network configuration had to be performed manually. Fortunately, the system is built upon CentOS (a free RedHat clone), which we were familiar with.

From this point on, sailing was relatively smooth for LeakProof's installation. The endpoint agent installer was command line driven, requiring the administrator to specify the IP address of the management server. Deployment via Active Directory or System Center Configuration Manager are also advertised, but were not tested.

Identity Finder's installation process was about average. No major problems were encountered, but the reviewers had to manually install .Net 3.5, Microsoft Report Viewer 2008 and IIS 6.0 or better before the installer would continue. Since the first two are freely available, and the third is a Windows component, this process could definitely be automated. After installation, the license file needed to be manually copied into the directory containing the management console executable.

The Identity Finder installer also created a registry file that, along with the installer and license files, needed to be copied to the clients. The registry file needed to be manually executed to add the management server information to the registry, and then the installer could be executed from the command line.

Configuration

LeakProof and Identity Finder's management server configuration is done entirely from a Web console. Data Endpoint has a Web console for policy and profile management, but also a separate MMC snap-in for management of the server itself. Websense is working towards unifying this into a single Web-based console.

Data Endpoint for the most part had the easiest-to-use configuration, other than being split into two interfaces. After an orientation from an engineer at Websense, we were able to navigate comfortably around the interfaces. That said, a couple of the test items required additional support to configure fully. Initial policy configuration is a breeze with the Policy Wizard. This tool asks the administrator what type of organization is using the product (for example, government, finance, healthcare, education) and in which locality the product is to be used. It then tailors a (long) list of available templates. For this test, only the HIPAA and PCI templates were used, but many others could have been enabled.

After the initial configuration of policy profiles, the administrator moves over to the Web interface to configure profiles for protection. This test only made use of the default profile, but the ability to target profiles for different computers or users is available. Each profile consists of channels and services (applications). The administrator selects which channels to protect, and then configures the blocking actions for the desired groups of applications, or individual applications.