Data Leak Prevention Tools

In most enterprises, there are several access-control mechanisms--firewalls, encryption, and clearly defined permissions and access-control lists. Yet these defenses aren't working. Thefts keep occurring. If you have the time to read all the news reports (don't worry, no one else does, either), you know that many of these breaches occur despite the usual controls, because the usual controls are pointed at invaders from the outside but ignore the inside jobs. That is, users caught with 10,000 customer identification records are users who were allowed access to the records. If no electronic access policy is violated, no alarm is ever set off.

A surprising amount of enterprise data leaks, whether from malicious origins or not, happen because of authorized users. Forty-nine percent of companies reported they experienced an internal security breach in the past year, according to Deloitte's 2006 Global Security Survey. Of those, 31 percent experienced a breach from a virus/worm incident, 28 percent through insider fraud and 18 percent by means of data leakage (19 percent experienced the breach through other means). It's also somewhat significant that fully 96 percent of respondents reported that they are "concerned about employee misconduct involving their information systems." Wow.

We invited three vendors--PortAuthority Technologies, Tizor Systems and Vontu--to our Neohapsis partner labs so we could examine products designed to help stop data leaks from a corporate network. The three offer different types of products, but they are used for similar functions. Tizor's Mantra is a database-transaction-monitoring tool that can be used for transaction auditing. Vontu's and PortAuthority's products are similar in that they sit at the edge of the network and monitor all outgoing traffic. But Vontu's eponymously named software suite is designed around incident response, and PortAuthority's appliances lean more toward standalone enforcement.

Inside JobProtection techniques are valuable for preventing data leaks through employee laziness, accidental or careless policy violation, or just plain stupid user actions, but they're not going to stop a determined and malicious attempt at data theft--at least, not all of those attempts. But if security is about layered protections and trying to stay one step ahead of at least most of the bad and the careless, these products have a lot of promise.

As it turns out, a lot of information compromise happens not because of a malicious or rogue employee bent on destruction, but rather because users are preoccupied--they're thinking about bolstering the bottom line or bolting for the door to get to dinner on time. They may be unaware of policy, uninformed about information handling or security procedures, or unconvinced that their acts could really affect security. Welcome to the real world--one that doesn't revolve around IT security.

Here's a sample scenario: John from HR has to complete an employee payroll spreadsheet by 9 a.m. on Monday, only he doesn't get the assignment until 4:30 on Friday afternoon. "No problem," John says. "I'll just send it to my Yahoo.com account and complete it from home over the weekend." But confidential data, such as employee ID and payroll information, should never be sent to an unauthorized external address and never be sent in the clear. John wasn't trying to steal company information, he was just trying to get his job done. Here's where data-leak-prevention products excel. All those we tested will stop the data from leaving or alert someone in this type of situation. Dandy!As it stands, there are many ways in which confidential data or proprietary secrets can leave an organization. The most familiar of these channels is e-mail, of course. However, all outbound network channels can act as an avenue for data leaks. These include instant messaging, HTTP and FTP links and many more, some more covert than others. The data-leak-prevention products we examined essentially create a profile of an organization's intellectual property, then station themselves at the exits, scanning each passing packet. The products construct the profile sets based on rules and configurations provided by IT--responding in a variety of ways, depending on the profile matched. This is a great way to catch accidental or uninformed leaks as in the situation above, but it won't catch any encrypted transmissions. Our products solve this by integrating with secure proxy appliances, such as those from Blue Coat Systems. This integration lets the monitoring mechanism of the data-leak-prevention products "see into" the encrypted HTTPS traffic as it passes by, again responding based on a positive profile match to the content of a communication.

Network traffic interception isn't the only area of concern. Current media frenzy compels us to consider how information can be protected on network clients (the Veteran's Affairs laptop theft springs to mind). Until organizations get around to implementing whole-disk encryption on these mobile devices, awareness and control of the confidential data residing on them is a giant first step toward complete protection. The products we tested make progress in tackling this problem because they provide a peek into what data is residing on which clients.

Of course, it doesn't take a hacking mastermind to see that these methods are insufficient to stop a determined malicious user. The method Vontu and PortAuthority use to tackle this problem is one of continuous or scheduled automated scans of client machines. This lets you know where data resides and can help isolate and investigate incidents to find out exactly what may have been lost if a laptop goes missing, but it won't prevent all intentional theft. They can't stop an authorized user from copying files from a workstation to a USB drive, for instance, because they're not actively monitoring client or disk activity, only network and perimeter activity.

Time To Buy?

Medical and financial companies, or any company with quantifiable critical data and compliance obligations, can benefit substantially from these products. This is because these products can act not only as safeguards against information loss, but also as regulation-enforcement devices. They can respond to outgoing data proactively as well as defensively. Outbound e-mail containing patient information, for instance, can be encrypted automatically, as can any mail attachments containing proprietary or ID information. It's almost like having a little postal inspector at your perimeter, making sure you used the right-size box with enough packing tape.This is where the Vontu and PortAuthority products can shine, because they are basically configured to stop this type of data from exiting the perimeter in an unauthorized state. Rules can be implemented to prevent violations of several regulations, including HIPAA--though both need integration with an IronPort proxy device or something similar to implement any sort of autoencrypt policy for proactive policy compliance.

Data-leak-prevention products might be even more valuable for outsourced development houses and offshore support sites, because these environments have gone relatively unmonitored at this granular a level until now. Data-leak-prevention products can help ensure that your sensitive data is protected even when it's in the hands and control of a separate entity entirely. We think these products will quickly become standard in every major outsourced R&D project.

It's possible that data-leak-prevention products are worth the price only to heavily regulated industries, though that view may be too simplistic. The decision as to whether to seriously consider such a class of products should be case-specific, but it's certain that the easier it is to quantify your sensitive data, the more benefit these products can offer.

Perhaps the most important lesson in our evaluation was this: Regardless of any claims, these products can be extremely valuable to a large organization for one thing in particular--discovery. This is probably the single largest benefit offered. Managing intellectual property is a task too large to be tackled without the kind of focused effort and dedicated assistance offered by the products we reviewed. Think about it: For a large enterprise, figuring out where its intellectual property is and where it travels throughout its lifecycle is a huge job. For all the products we looked at, an initial discovery demonstration to an enterprise client likely means a sale, because most organizations will be shocked to see the number of violations going on right under their noses. Security best practices are never easy to follow, so it's no surprise how often people cut corners; having the cold, hard statistics play out in front of you makes it impossible to ignore data security.During the initial "discovery" step, these products gather information about the data available on the network and where it's headed. This makes sense--how could they protect the data if they didn't first figure out which data to protect and where it resides? The similarities don't end there. Two of the product sets (Vontu's and PortAuthority's) are similar in their additional reporting, monitoring and auditing capabilities, but the other (Tizor's) didn't quite fit the same mold. It seemed like we were forcing Tizor's Mantra to protect intellectual property when what it really wants to do is protect and monitor database transactions. We'll talk more about that later.

PortAuthority's MX Manager and M-500 and M-100 appliances and Vontu's software suite reside at the network perimeter to monitor all traffic exiting the enterprise. Keeping in mind the caveats stated above about their inability to stop determined malicious users, they do a pretty good job at it--and "pretty good" just might be good enough. Frankly, the cost of the Vontu and PortAuthority products is prohibitive for any small business, considering the amount of intellectual capital requiring protection and the relative simplicity of the computing environment. All of these products are enterprise-only, though Tizor's Mantra is for different reasons.

We've thus far avoided the proverbial elephant in the room, and perhaps this only bothers us because we approach these products in a somewhat adversarial manner, but the point is important. These products are designed to discover and protect masses of sensitive data, Social Security numbers, credit-card numbers, patient records, and so on. In doing so, a virtual honeypot of sensitive data exists right on the device designed to protect it. That's right, with the exception of Tizor's Mantra, these products store copies of the data involved in various incidents as they arise. Theoretically, if I were looking to get my hands on the crown jewels, malicious intent would dictate that I go straight to the queen herself. See? Even we can appreciate a little irony every now and again. This is something to keep in mind when you're deploying one of these solutions: Guard access to these products as cautiously as you guard access to all your intellectual property.

Speaking Incidentally ...

Vontu's suite of software sits at the network perimeter and monitors outgoing channels for protected data. Protected data can be anything you want it to be, whether designated manually or located automatically with the product suite's Discover component. The interface? We love it. Vontu's sensitivity to logical incident-response workflow really shows in its usability. However, if your sensitive data resides in a database, you must export that data to a flat file for Vontu to create policy rules protecting it.We like this product as software, because the five pieces that comprise the Vontu offering would be totally overwhelming and unnecessary as separate appliances. The five applications are Discover and Protect, Monitor and Prevent, and Enforce. Vontu Enforce is the central management platform for the other four components. The components are usually grouped together in pairs as listed, though you'll need both groups and Enforce to match the functionality offered by the other products.

This module approach allows for procurement of the valuable discovery capability mentioned earlier without the logical add-on of perimeter-leak monitoring. This may sound silly (why would you want one without the other?), but the discovery phase is a very important step forward for a Fortune 500 enterprise, and the modularity of the products makes it easy to plug them in as the data-protection process is implemented.

Vontu does a good job of integrating its components into its usable, Web-based Enforce front end that takes advantage of the suite's modularity. The Vontu modules had the best look and feel of the bunch, and they seemed especially tailored to provide information valuable to the team responsible for an enterprise's data protection. Data-rule violations are referred to as "incidents" and are displayed by many configurable statistical means in a summary page useful for monitoring overall process health.

Vontu has a good handle on the lifecycle of a typical incident and provides more granular control over incident response and status tracking than the other two products. This is an important difference, because incident handling is a critical element of data protection, and Vontu's suite does a better job of providing a mature view of that process than the other products. As each incident is detected, workflow is designed to let responders view the current state in their own role-based process queue. That is, they see clearly in default screens what requires action and what has been cleared. This is an effective way to manage response to data-protection violations.

In addition to a more granular role-based response workflow, Vontu allows for configuration of the amount of information responders can see on any given incident. This is important, because an employee responding to a particular incident shouldn't necessarily have specific information about the employee violating policy. This level of configuration prevents internal privacy policy violations among users and is especially important in cases that may require legal action.As we mentioned earlier, our biggest disappointment with this suite was the lack of database integration. Vontu requires that database data be exported to a flat file before it can be profiled for protection. This seems like an inconvenience for an organization with any sizable database.

Vontu requires integration with additional perimeter devices to be truly valuable from an enforcement standpoint. In our tests, Vontu's Monitor-Prevent software detected that we were sending sensitive, previously profiled documents outside the company (even when we tried to obfuscate somewhat through text reorganization and compression), but couldn't stop the mail from going out. Vontu's products alone can't stop data from going out in e-mail messages; they can only report that it's happening. Actually stopping the leak before it exits requires integration with third-party perimeter devices. This likely limits the market for those modules to enterprises with an existing IronPort implementation or other enforcing perimeter products, or enterprises that are willing to invest in proxy technology as part of a data-leak-prevention solution.

Vontu's Discover, Protect, Monitor and Prevent applications each cost a minimum of $25,000. The Enforce management application is included with each of them (though you need only one copy of Enforce regardless of how many individual packages are selected). Vontu offers both annual subscription and perpetual licensing programs, with the price varying based on the protocols and number of employees being monitored. And remember: This is a software suite, so you still have to buy the hardware to run the software; hardware requirements depend on the amount of traffic to monitor.

Vontu says its products readily handle 200 Mbps of sustained traffic round the clock while still maintaining enforcement accuracy. We didn't verify this, but the company has some big clients in the financial industry, including Charles Schwab and Equifax. A closer look at its customer lists reinforces our opinion that Vontu's suite offers the greatest benefit to large, heavily regulated enterprises. With the right infrastructure in place, these products might save your neck.

Enforcement AgencyLike Vontu's suite, PortAuthority's appliance offering also sits at the network perimeter, watching for data-protection violations, but the product is designed with an emphasis on enforcement. With available agents, PortAuthority can enforce data policy without any additional third-party proxy devices, but only over e-mail and HTTP channels. Its interface isn't as clean as we would like, but it's not designed to be as heavily used as our other products' interfaces. Where this product really stands out is its database-integration capabilities. PortAuthority can connect to databases throughout the network, then use that information to make more informed decisions about policy violations at the perimeter.

PortAuthority's MX Manager and M-100/M-500 Monitor appliances work together at the network perimeter, but they offer a little bit more compared with Vontu's suite for midsize and large enterprises that haven't already implemented another perimeter proxy device: PortAuthority's devices can enforce the configured blocking policies on outbound e-mail regardless of whether a site has an IronPort-related architecture in place; and, they use their own integrated proxy for HTTP enforcement without requiring additional proxy products. Keep in mind, though, that without third-party perimeter proxy integration, the PortAuthority products also fail to read encrypted data, which makes sense (how would they?). PortAuthority's position on this is that if the data is encrypted, then it's OK to leave the enterprise--but this holds true only from a regulatory policy-enforcement viewpoint, not a data-leak one. Regardless, PortAuthority's setup works with your mail server to stop outgoing messages that contain protected data, and it does it on its own without additional products. The same file-obfuscation techniques we tried on protected files with the Vontu suite were caught here as well--but PortAuthority's e-mail enforcement agent stopped the mail from going out.

Initial and ongoing configuration of PortAuthority's appliances happens in a Windows application on the server. The familiar interface makes for easy usability, though it's somewhat overwhelming at first glance because of the large number of configurable options cluttering the left pane. Most of the settings work in a default configuration, so this isn't as daunting as it seems.

Whereas Vontu's design centers on the incident-response workflow, PortAuthority's focuses on enforcement. The response workflow for each incident is not broken down for use by an incident-response team, but rather spread out among department and data "owners." When a policy violation is detected, notification is sent to the owner of the data in question, and a response to the incident is the responsibility of that owner. This can become a bottleneck of sorts, if alternatives aren't put in place prior to a data owner going on vacation, for example.

The MX management appliance's Web interface is easy to use and well-designed, but since the response workflow is distributed among responders, dealing with a large number of policy violations can be chaotic. This design doesn't easily lend itself to strictly organized process flow among users. This is a side effect of the enforcement design mentioned earlier: Data owners are primarily responsible for releasing potential data leaks or policy violations from quarantine, and they can do that quickly through notification e-mail response. It's assumed, then, that the response workflow of the management Web interface is less critical, as most responders don't need to access that interface. But volume can turn this job into somewhat of a chore for users who have other responsibilities to worry about. And as we stated earlier, if you're not careful, this can become a bottleneck in the process.As with the Vontu suite, PortAuthority's system lets administrators configure the level of detail responders can see about any particular incident, but the level of control is not quite as granular. This is another side effect of the workflow architecture being less geared toward the response process.

PortAuthority's focus on enforcement really makes a difference with existing data-storage implementations. Out of the box, this product uses ODBC communication to connect to existing databases on your network; it uses the information it finds to aid in fingerprinting potential data leaks or policy violations. That is, the data discovered in databases can be correlated with the additional profiled and protected data on the network. This is something that Vontu hasn't done yet.

PortAuthority's pricing structure makes the products a little more accessible to small and midsize enterprises. The MX Manager appliance costs $25,000. The M-100 and the M-500 Monitor appliances cost $25,000 and $45,000, respectively (the number in the name represents sustained traffic capacity in Mbps, and the M-500 can support a fiber interface for Gigabit networks). Agents for mail integration cost $25,000 for the first one, with volume discounts for additional agents. Our installation included the MX Manager and the M-500 Monitor along with PortAuthority's MS Exchange agent; such a configuration costs $95,000 and is typical for both internal and external protection in an environment with 5,000 to 10,000 employees. The M-100 is typically used for organizations with an average of 1,000 users. The M-100 and M-500 cluster to support more users if necessary. The products' licensing is independent of the number of users being protected.

Internal Auditing

At its core, Tizor's Mantra is a database-auditing appliance. This product does database-transaction monitoring well, and we couldn't stretch it successfully beyond that.Mantra resides in front of the database and tracks every transaction processed, along with various details (who, what, when) surrounding each transaction. It's an interesting model that offers quite a bit of benefit from a data-management perspective, but not in the enterprisewide data-leak-prevention class we're investigating here. In that respect, it's somewhat unfair to compare Mantra to the more mature products dedicated to enterprise data protection, because it is much more specialized. Tizor's Mantra is like access control for your database that goes way beyond the built-in functions available through conventional database configuration.

Mantra doesn't work only with databases; the same behavioral fingerprinting technology can be applied to file servers with this appliance, but it's clear that the design focus was on database auditing. The fingerprinting technology in play here isn't enough to monitor document contents and CAD diagrams, because Tizor doesn't fingerprint the files; it fingerprints typical user behavior with regard to the files. Another important point: Mantra only alerts to anomalous behavior, it doesn't prevent transactions from occurring. This makes sense on the database front because application operation depends heavily on transaction completion. But a transaction-monitoring appliance for a file server that cannot prevent transactions seems silly.

Mantra can recognize structured data sets such as Social Security numbers as they pass through, but it can't identify sensitive documents being sent outside the perimeter. This is a large shortcoming in the leak-prevention arena, which is why Mantra isn't positioned there. Remember, Mantra doesn't fingerprint documents the way other leak-prevention products do; it monitors access anomalies. As an auditing tool, Mantra performs well and provides audit information and statistics in a significantly more accessible manner than conventional database logfiles. These include creating highly customizable graphs and reports of database operations and users.

If your sensitive data is stored in a database, such as with patient records or pricing information, Tizor has a unique way of protecting it that makes it a viable component of a data-protection strategy. And at half the cost of the Vontu and PortAuthority products we evaluated, it shouldn't be written off; Mantra has potential as a component of a more complete data-protection solution. It alerts on anomalous transactions, which are likely to be involved in any sort of theft incident. Anomalies are calculated based on a number of variables, such as transfer time or size, table accessed, or user; filters are applied as percentage thresholds to maintain accuracy over time.

Mantra management takes the form of a Java client installed on the desktop and provides an interface for audit log reporting and policy compilation. This is something you'll love or hate based on your personal preferences; we've grown quite fond of the Web-based standard for appliance management. Audit rules are composed using a proprietary language developed by Tizor (a GUI removes users from interaction with the language). Mantra is relatively new to the market, and this shows in places where usability lacks refinement. Some of the navigation buttons are awkward and counterintuitive at first, and the icons poorly represent their intended functions. This product is still being developed, and it may need a little bit of time to mature, but the technology holds promise. We're not aware of many other products that do exactly what the Mantra does so it seems likely that Tizor will be a big player in the database-auditing and behavioral-fingerprinting or data-extrusion space. It does a good job with behavioral fingerprinting of database transactions, and while it uses the same technology to monitor file-server transactions, it seems a little out of its league in that area.Mantra costs $50,000 as we tested it. This includes the Mantra appliance and the Java client to access the management and reporting interface.

What Stays?

Which data-leak-prevention product will provide the greatest benefit for your company? The answer depends on your enterprise organization. Do you even have an incident-response team? If not, or if none of your employees are trained as first responders, you might not be able to take advantage of the incident-response workflow that is the backbone of Vontu's suite, though it is well enough designed to be a valuable aid in the generation of an incident-response group, if that's where you're headed.

How much of your data resides in databases, and how integral is that data to the success of your enterprise? PortAuthority's design can leverage that information to provide more informed policy enforcement at the perimeter. However, PortAuthority's design relies on data owners responding to each violation notification; this may be an ideal choice if it fits with your organization's current process.

How do you imagine your response process developing as you move forward? If you have a need for closely monitored and audited database transactions, or if you want more control over database access than available configuration constraints allow, Tizor hits the nail on the head.Marisa Mack is a security consultant for Neohapsis, a Chicago-based security consulting firm. Write to her at [email protected].

Where We're Headed

Although the data-leak-prevention product arena is currently viable only for enterprise-level organizations (and possibly only within certain vertical industries), it promises to raise the compliance bar for everyone in the not-too-distant future. As this market gets commoditized the same way the IDS market did several years ago, these leak-prevention products will become a necessary standard in any good-faith attempt at data protection. To compound the problem, data sets aren't getting any smaller nor networks any less complex. Off-shore outsourcing is a perfect example of new network residents that put high demands on a structure's antique plumbing. For many companies, monitoring service providers is a legal requirement. But data monitoring cannot be done efficiently or effectively through policies and contracts alone, and words by themselves don't pass muster as good-faith attempts at privacy or security. That's not to say that policies and contracts aren't necessary, just that they aren't enough.

Data-leak prevention is the fence we have to jump over before effective management of intellectual property can become a reality, and the size of your enterprise is a pretty good indicator of the height of that fence.

How We Tested Data-leak Prevention

We configured a lab network to contain two separate subnets--one representing an intranet, the other acting as the Internet. We used a Cisco 5N firewall router to separate the two networks. Our intranet contained a Windows 2003 Domain Controller, a separate Windows 2003 file server, a Microsoft SQL Server database, an Internet Information Services Web server and Exchange Server. Our "Internet" consisted of a SuSE Linux server running the Postfix mail transfer agent and Apache Web server. Each subnet had an additional two Windows XP clients to act as users. This entire environment was virtualized with VMWare GSX using three rackmount Dell PowerEdge SC 1425 servers with dual Intel Xeon 3-GHz processors and 3 GB of RAM. Our protected data was a mix of Microsoft Office documents, presentations and spreadsheets, with additional Microsoft Visio diagrams, text files, source code and executables simulating actual enterprise-level protected data.To test the products' ability to recognize data leaks, we attempted first to transfer original documents outside of our network, followed by progressively more obfuscated versions of the document content. This included various methods of reorganizing or reformatting text in documents and compressing documents. Additionally, we tried transferring credit-card numbers, personally identifiable information, such as Social Security numbers, names, source code and images.

All Network Computing product reviews are conducted by current or former IT professionals in our own Real-World Labs®, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.