CheckPoint Software Technologies has jumped into the Data Loss Prevention (DLP) market with the release of CheckPoint DLP, a gateway product for inspecting outbound traffic to prevent information-sharing policy violations and maintain regulatory compliance. The product, which can sit inline to block communications or simply monitor traffic, examines SMTP, HTTP (including Web mail) and FTP traffic. MultiSpect, the product's data-classification engine, detects more than 600 file formats and includes more than 270 predefined content data types.
CheckPoint emphasizes the new product's user education and self-remediation component, UserCheck, as a prime capability. When a possible violation is detected, the gateway can be configured so that a user gets a customizable pop-up saying that their message has been quarantined. Users have the option of sending, discarding or reviewing the message.
While all DLP products have this type of capability, CheckPoint makes user involvement a focal point of its approach. The aim is to make users aware that someone is watching, and that they are violating policy by transmitting sensitive information to unauthorized recipients and/or over unauthorized channels. "It gives users an opportunity to think about how they are handling sensitive data, at the same time, it guides them towards keeping with corporate policy," says Tamir Hardoff, CheckPoint's group manager for Product Marketing.
"It's very beneficial for enterprises that want to use DLP as educational tool to help the user community understand policy and help them to become better data stewards," says Michael Suby, director of Stratecast, a division of Frost & Sullivan. "Some organizations may prefer to have centralized control, while others put greater emphasis on user engagement." Organizations can also have an administrator or manager review any suspect content, or block messages automatically. Companies have been slow to use blocking because they have to be convinced that DLP can block intelligently without a lot of false positives, and the need for administrators to fine-tune the rules for exceptions.
CheckPoint says it targets false positives as a prime issue with DLP deployments. False positives can slow business processes by frustrating users and putting added burdens on help desks. The vendor asserts that its MultiSpect detection engine is highly accurate, but that's to be expected. The proof will come in the customer's environment. "There is no standard way to measure accuracy, no industry standards," says Suby. "You are in many ways relying on reputation of the vendor."
CheckPoint DLP is available as a dedicated appliance or as a gateway software blade. CheckPoint's flexible Software Blade Architecture includes security blades for firewall, VPN, IPS, Web security, URL filtering, anti-virus/anti-malware and email, as well as advanced networking, acceleration and clustering and VoIP. CheckPoint is also developing DLP end-point capability.
While a number of competitors offer both gateway and client-based DLP, CheckPoint is unique among major security vendors in developing its DLP product internally, rather than through acquisition. The DLP market has seen extensive consolidations in the last three years. Last year CA bought Orchestria and Trustwave acquired Vericept. Earlier acquisitions include McAfee (Onigma and Reconnex), Symantec (Vontu), RSA Security/EMC (Tablus) Trend Micro (Provilla), Raytheon (Oakley Networks) and Websense (PortAuthority Technologies). Remaining independent vendors include Verdasys, Code Green, Fidelis Security Systems, Workshare, Palisades Data Systems and GTB Technologies Inc.
A lab test of six DLP products is available here.
Pricing for the software blade starts at $3,000 per year for up to 500 users to $15,000 per year for 1,500-plus users. There are two appliance models. The DLP-1 2571 is $14,990 for the first year, including service, and $7,000 per year for service thereafter. The DLP-1 9571 costs $49,990 for the first year, including service, and $12,000 per year for service thereafter.