Data Loss Prevention and other data protection technologies are now widely accepted by organizations that have to protect sensitive data. Still, there continues to be confusion about the DLP space, solution capabilities and the many competing technologies: CASB, DaBA, UBA, Insider Threat, et al. This guide provides buyers of data protection products a high-level overview of the DLP market and uncovers the critical differences between leading DLP vendors. DLP Experts is in its 12th year of business as a vendor-agnostic, data protection-focused reseller and integrator. Our expertise spans the data protection product spectrum and includes DLP, CASB, DaBA and UBA technologies from the following vendors (among many others):
• Cyberhaven – DaBA (Data Behavior Analytics)
• Forcepoint – DLP, CASB, UEBA, Insider Threat
• InteliSecure – Data Protection Managed Service leveraging data protection technologies
• McAfee – DLP, CASB
• Netskope – CASB
• Symantec – DLP, CASB
We have also created a comprehensive DLP Vendor Review document that compares different data protection vendors.
Before you get too far down the DLP road, it may be helpful to consider all available data protection technologies. CASB, DaBA, UBA and Insider Threat technologies all provide some elements of data protection, but in each case the approach is very different. Here's a quick overview:
Traditional Data Loss Prevention (DLP) – technologies inspect data content at the point of egress (email, cloud, USB, etc.) and can block instances of sensitive data leakage based on pre-written policies.
Cloud Access Security Broker (CASB) – similar to DLP but focused on controlling movement to/from cloud.
Data Behavior Analytics (DaBA) – a complete departure from DLP; detects sensitive data based on recorded data behavior – its origin (sensitive or not), how it's used (in accordance with policy or not) and where it goes (in accordance with policy or not) – as well as on data content.
Insider Threat – monitors user activity to identify questionable behavior that may indicate an inside threat and possible data risk.
User Behavior Analytics (UBA) – similar to insider threat, but analyzes user behavior to identify activity outside the norm that may indicate insider threat or possible data risk.
Identifying the right DLP technology requires much more than simply comparing a feature matrix. As much as a single vendor might want you to believe it, their DLP technology is very unlikely to be the right fit for every company, be it a 100-user community bank, a multinational financial institution or a semiconductor manufacturer. Simply put: DLP is not a one-size-fits-all solution. The right vendor depends on many factors, including sensitive data types, technical requirements, network architecture, organization size, budget and personnel resources, to name a few. Determining which solution is the best match for your organization's requirements, industry, size and data types is not difficult. But it does require some effort and research to gain an understanding of the different DLP approaches, general detection methods, solution architectures and so on. This DLP Buyer's Guide is intended to provide that information.
The two core functions of Data Loss Prevention technologies are to accurately identify sensitive data in its many forms and then to prevent the loss of that data. DLP coverage capabilities vary. Solutions are commonly categorized into two groups based on that coverage: Enterprise DLP (EDLP) and Integrated DLP (IDLP). DLP coverage is not the only differentiation between EDLP and IDLP.
Enterprise DLP technologies are purpose-built solutions to prevent data loss across the leakage vector spectrum, including at the network gateway (data in motion), in storage (data at rest) and at the endpoint (data in use). Prominent EDLP vendors include Digital Guardian, Forcepoint, McAfee and Symantec.
By contrast, Integrated DLP tools were designed to address requirements other than DLP, but have some ability to inspect outbound data. IDLP solutions generally offer coverage limited to a single protocol (e.g. email, web) or a single DLP component (e.g. data in motion, data at rest). Examples of IDLP solutions include: email security, email encryption, web security, discovery and device control.
1. Comprehensive Coverage. EDLP solutions provide comprehensive coverage across all channels to mitigate the most data loss risk. EDLP components cover: 1) the network gateway to inspect all outbound traffic and block email, web and FTP traffic, 2) stored data (network and local) across the enterprise and 3) the endpoint to monitor and prevent loss of data in use.
2. Single Management Console. Often overlooked is the ability to manage the entire data protection effort from a single management console. EDLP solution management is extensive and requires time spent in a number of important areas: 1) system configuration and maintenance, 2) policy creation and management, 3) management reporting, 4) early risk detection and mitigation, 5) event correlation, 6) incident triage and 7) incident management and workflow. To support these areas across more than one console is not only time-consuming, it can also introduce unnecessary risk.
3. Incident Management for Compliance. EDLP solutions are designed not only to prevent data loss, but also to support the proper handling of data loss incidents. Data loss is inevitable, but the way in which incidents are handled can make the difference between a hefty fine and a light slap on the wrist. Incident management and workflow capabilities are a critical feature for the proper handling of incidents and are found only in EDLP solutions. A well-designed incident workflow process can show proof of proper incident handling.
4. Detection Method Accuracy. Perhaps the greatest distinction between EDLP and IDLP is an enterprise DLP solution's ability to accurately detect sensitive data. What good is a solution that cannot accurately distinguish sensitive data from non-sensitive? Integrated DLP technologies rely on a limited set of detection methods for identifying sensitive data. In fact, the most widely-used detection method among IDLP solutions is pattern matching using regular expressions. Pattern matching is known to be highly inaccurate, resulting in incident queues that are overflowing with false positives. While EDLP technologies also leverage pattern matching, they can also layer various other detection methods that greatly improve accuracy.
Just a few years ago, all leading Enterprise DLP vendors approached DLP in the same way, with components to cover the major areas of network, discovery and endpoint DLP. That has recently changed, and leading vendors no longer all use that same approach. The approaches differ in significant ways, so much so that an explanation of the core differences between them is critical to understanding the DLP market.
While each approach has its strengths and weaknesses, we do not cover them in great detail in this DLP Buyer's Guide. For more information, please refer to the DLP Vendor Review document.
For the purposes of this Buyer's Guide, we have divided the DLP market into two approaches. The first approach comprises Forcepoint, McAfee and Symantec. While certainly not identical, each of these vendors supports what has become the generally accepted and market-leading, multi-pronged DLP approach: coverage at the network gateway, in storage, at the endpoint and in the cloud. This approach was the first to garner significant market share and has largely shaped today’s DLP market. For these reasons we have chosen to group these vendors together under the label of Traditional DLP (TDLP).
The second DLP approach leverages a kernel-level endpoint agent and is characterized by endpoint DLP solutions that monitor all user/system activity; in this guide we refer to it as ADLP.
Determining which solution is the best fit to meet your organization's requirements is not a simple question to answer. But much of the answer depends on the types of data to protect, often separating organizations by industry and even further down to the reasons behind the need to protect data.
Meeting regulatory compliance requirements was the first need filled by early DLP technologies and it's still a leading reason for DLP today. Organizations in regulated industries like healthcare and financial rely on DLP to help prevent the loss of sensitive personal information – protected health information (PHI) and personally-identifiable information (PII). To effectively meet basic compliance use cases, a DLP solution must be able to accurately detect that personal information in its many forms and across many different channels.
Consider the nature of personally-identifiable information – e.g. a name, social security number, diagnosis, etc. Accurately identifying this data requires particular types of detection methods, some of which are more effective (accurate) than others. It's important to understand which vendors utilize these detection methods and which ones do not. Without this information a vendor search can lead you down the wrong path to a very expensive mistake.
While personally-identifiable information generally consists of short pieces of data (many in repeatable patterns), intellectual property (IP) comes in many forms that are much more difficult to detect accurately. Just as not all DLP vendors are the right fit for regulatory compliance needs, even fewer are effective for protecting IP. Because of the varied forms that may constitute IP, accurate detection (and protection) is much more difficult to achieve and specialized detection methods are required.
These specialized detection methods rely more heavily on the context surrounding user activity than data content.
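The accuracy gap described above (pattern matching alone versus layered detection) in a runnable form. This is an added example, not code from any vendor or from the guide: the sample lines, the context keywords and the salt are constructed, and the validation rule is the SSA's published issuance rule for SSNs.

```python
"""Regex-only detection versus layered detection for US SSNs."""
import hashlib
import re

# Constructed sample messages (not from any real system): two genuine
# disclosures and two ticket/order numbers that merely look like an SSN.
SAMPLES = [
    "Employee SSN: 123-45-6789 for payroll setup",
    "Order ref 000-12-3456 shipped on Monday",
    "Ticket 555-12-3456 closed by support",
    "Patient social security no. 219-09-9999 on file",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CONTEXT_KEYWORDS = ("ssn", "social security", "soc sec")
SALT = b"constructed-salt"  # constructed value; would be a per-deployment secret


def pattern_only(text):
    """IDLP-style detection: every ddd-dd-dddd string becomes an incident."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def ssn_is_plausible(area, group, serial):
    """Validation layer: reject values the SSA never issues under its
    published rules (area 000, 666 or 900-999; group 00; serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def has_context(text, start, end, window=40):
    """Context layer: require a supporting keyword near the match."""
    nearby = text[max(0, start - window):end + window].lower()
    return any(k in nearby for k in CONTEXT_KEYWORDS)


def layered(text):
    """EDLP-style detection: pattern, then validation, then context."""
    hits = []
    for m in SSN_RE.finditer(text):
        if not ssn_is_plausible(*m.groups()):
            continue
        if not has_context(text, m.start(), m.end()):
            continue
        hits.append(m.group(0))
    return hits


def build_exact_index(known_values, salt=SALT):
    """Exact data matching layer: index salted hashes of values known to be
    sensitive (e.g. a customer table) so the scanner never holds plaintext."""
    return {hashlib.sha256(salt + v.encode()).hexdigest() for v in known_values}


def exact_matches(text, index, salt=SALT):
    """Return only candidates whose hash is in the known-sensitive index."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if hashlib.sha256(salt + m.group(0).encode()).hexdigest() in index]


def compare(samples=SAMPLES):
    """Count the incidents each method would raise over the samples."""
    return {
        "pattern_only": sum(len(pattern_only(s)) for s in samples),
        "layered": sum(len(layered(s)) for s in samples),
    }


if __name__ == "__main__":
    print(compare())  # pattern_only raises 4 incidents, layered only 2
```

The two false positives that pattern matching raises are exactly the kind of queue noise the guide refers to; the exact-match layer shows how a known-data index catches a real record even where no keyword is nearby.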
For a more detailed review of detection methods, refer to the DLP Vendor Review document.
Generally speaking, DLP enforcement technologies are complex. Solutions cross departmental bounds requiring input from many technology functions: security, networking, infrastructure, email, web, endpoint, storage, databases, etc. As solutions combatting the business problem of data loss, DLP technologies also often directly impact and require input from many non-IT groups, including risk management, compliance, legal, HR, operations, etc.
If all this were not enough, the deployment, configuration and management of DLP solutions (and the resulting incidents) is often very complex in its own right. ADLP and TDLP solutions are both considered complex, but for very different reasons.
TDLP solutions typically have more complex architectures, requiring multiple devices and software – appliances, virtual appliances or servers – to run the entire solution. These devices must then be integrated within an organization’s network architecture, including outbound network traffic inspection via SPAN port or network tap, email integration for email blocking, an ICAP-compatible web proxy for SSL visibility and HTTP/S blocking, Active Directory, etc. Once the integration is complete, the level of solution management complexity depends on the specific vendor. Some are more complex to support and manage than others.
ADLP solutions tend to have simpler architectures, requiring little to no network integration. However, given the large number of system activity events logged by ADLP solutions, building policy around so many different events can be challenging and may require professional services support. ADLP solutions also interact with the OS at the kernel level, often requiring extended tuning to reduce conflicts with the OS and existing applications.
Finally, while solutions that include both ADLP and TDLP elements may provide the best of both worlds in terms of features, they are also likely to have the highest levels of complexity.
Adding to the complexity of DLP solutions is the fact that TDLP solutions require integrations with existing network components. Often these integrations are not communicated ahead of time by the DLP vendor and can cause serious problems if not planned for. Some of these integrations are not mandatory, but if not employed they severely limit the DLP solution's ability to actually prevent data loss.
1. Database. Each DLP solution needs a database to store incident details. Some vendors require Oracle and some Microsoft SQL. One vendor does not require a separate database but instead includes the database as part of the software.
2. Email Integration. In order to actually block (or quarantine) an email that violates policy, the DLP solution must be able to collect and hold an email while scanning for sensitive data. In most cases, this requires the DLP solution be put inline with the mail flow.
3. Web Proxy Integration. As with email, in order to actually block web traffic, the DLP solution must collect the request and hold it for inspection. This is done with a web proxy, which receives the web request and hands it off to the DLP solution for inspection via the ICAP protocol. The DLP solution can then tell the proxy whether to block or allow the request. Most commercial and open source proxies support the ICAP protocol, but many other web security tools do not. Without the ICAP proxy, a company will be unable to block web traffic containing sensitive data.
4. SSL Integration. In order to gain visibility into SSL traffic for inspection, a DLP solution must integrate with a network device capable of acting as a man-in-the-middle and communicating with the DLP solution via ICAP. Generally speaking, this means a web proxy.
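The proxy-to-DLP hand-off in items 3 and 4, shown as the messages both sides exchange. This is an added example and not any vendor's implementation: it builds a minimal ICAP REQMOD message (RFC 3507) the way a proxy would, and the DLP side answers 204 (allow unchanged) or 200 carrying a replacement HTTP 403 (block). The host name, ISTag value, regex policy and both sample POSTs are constructed.

```python
"""Minimal ICAP REQMOD hand-off between a web proxy and a DLP server."""
import re

CRLF = "\r\n"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # stand-in for the DLP policy engine


def build_reqmod(http_headers, body, icap_host="dlp.example"):
    """Proxy side: wrap the outbound HTTP request (headers plus chunked body)
    in an ICAP REQMOD message and advertise that a 204 reply is acceptable."""
    hdr_block = http_headers + CRLF + CRLF
    chunked = f"{len(body):x}{CRLF}{body}{CRLF}0{CRLF}{CRLF}"
    icap_hdr = (f"REQMOD icap://{icap_host}/reqmod ICAP/1.0{CRLF}"
                f"Host: {icap_host}{CRLF}"
                f"Allow: 204{CRLF}"
                f"Encapsulated: req-hdr=0, req-body={len(hdr_block)}{CRLF}{CRLF}")
    return icap_hdr + hdr_block + chunked


def parse_reqmod(msg):
    """DLP side: split off the ICAP headers, locate the encapsulated HTTP
    request via the Encapsulated offsets and decode the chunked body."""
    icap_hdr, payload = msg.split(CRLF + CRLF, 1)
    headers = dict(line.split(": ", 1) for line in icap_hdr.split(CRLF)[1:])
    offsets = dict(p.strip().split("=") for p in headers["Encapsulated"].split(","))
    body_off = int(offsets["req-body"])
    http_hdr, chunked = payload[:body_off], payload[body_off:]
    body, pos = "", 0
    while True:
        line_end = chunked.index(CRLF, pos)
        size = int(chunked[pos:line_end], 16)
        if size == 0:  # last-chunk marker
            break
        start = line_end + len(CRLF)
        body += chunked[start:start + size]
        pos = start + size + len(CRLF)
    return headers, http_hdr, body


def inspect(msg):
    """Decide allow/block and build the ICAP response the proxy acts on:
    204 No Content lets the request through unchanged; 200 OK carrying an
    HTTP 403 makes the proxy answer the user with that response instead."""
    icap_headers, _http_hdr, body = parse_reqmod(msg)
    if not SSN_RE.search(body):
        # Assumes the proxy sent "Allow: 204", as build_reqmod does.
        return f"ICAP/1.0 204 No Content{CRLF}ISTag: \"dlp-policy-v1\"{CRLF}{CRLF}"
    text = "Blocked by DLP policy: sensitive data in request body."
    http_resp = (f"HTTP/1.1 403 Forbidden{CRLF}Content-Type: text/plain{CRLF}"
                 f"Content-Length: {len(text)}{CRLF}{CRLF}")
    chunked = f"{len(text):x}{CRLF}{text}{CRLF}0{CRLF}{CRLF}"
    return (f"ICAP/1.0 200 OK{CRLF}ISTag: \"dlp-policy-v1\"{CRLF}"
            f"Encapsulated: res-hdr=0, res-body={len(http_resp)}{CRLF}{CRLF}"
            + http_resp + chunked)


def demo():
    """Constructed exchange: one form POST carrying an SSN, one clean POST."""
    post_hdr = (f"POST /upload HTTP/1.1{CRLF}Host: www.example{CRLF}"
                "Content-Type: text/plain")
    leak = build_reqmod(post_hdr, "ssn=123-45-6789")
    clean = build_reqmod(post_hdr, "comment=hello from the intranet")
    return inspect(leak).split(CRLF)[0], inspect(clean).split(CRLF)[0]


if __name__ == "__main__":
    print(demo())  # ('ICAP/1.0 200 OK', 'ICAP/1.0 204 No Content')
```

Because the proxy terminates the TLS session before building the REQMOD message, this same exchange is what gives the DLP server visibility into HTTPS bodies, which is the point of item 4.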
If your organization is like many today, proxy infrastructure has been supplanted by new web security technologies. If this is the case, you have two options: 1) opt for a DLP approach that does not require a proxy (an endpoint only solution) or 2) deploy a proxy.
Following is a brief overview of prominent DLP vendors. For a more detailed report on individual vendors, capabilities and strengths and weaknesses, please refer to the DLP Vendor Review document.
The following vendors are included in this Buyer's Guide:
Cyberhaven offers a new approach to data protection, referred to by analysts as Data Behavior Analytics (DaBA). The Cyberhaven solution acts more like a Data Security Orchestration Platform, recording all data activity and movement across the enterprise, providing real-time alerts on factual data risk and uncovering insider threats. This gives platform users the ability to identify previously unknown data risk – and address that risk – long before attempts to egress data.
While traditional DLP tools passively wait for data to hit an egress point before attempting any inspection, Cyberhaven's proactive approach seeks out and logs all data activity and movement in real time to uncover factual data risk. Recorded activity includes all data origination (download, creation), all user to data interaction (file open, edit, save, move, copy) and all data egress (via email, cloud, web, USB). It's estimated that for every 8 egress attempts, there are 92 other data events, giving Cyberhaven an unparalleled level of visibility.
As Cyberhaven records data activity, it uncovers event context, allowing for sensitive data detection based not only on content, but also on where the data is created, how data is used and by whom. This additional context provides an added dimension that can be used to more accurately identify even hard-to-detect intellectual property.
One byproduct of Cyberhaven's unique approach is that it is much simpler to deploy and manage than traditional data protection tools. There are no servers or VMs to stand up, no external databases, no network integrations (email, Active Directory or other), no configuration and no DLP policies. Cyberhaven simply records file activity and its analytics uncover data risk that other tools cannot see.
Cyberhaven's SaaS solution leverages two different data sensors: an endpoint sensor as well as various cloud sensors. The cloud sensors record the movement of data into/out of the cloud, in addition to all internal cloud movement. The Cyberhaven endpoint sensor records all data on the machine, from origin to egress and everywhere in between. This allows Cyberhaven to create complete, factual data flows throughout data's lifecycle.
Cyberhaven does not require existing data protection tools, but for companies that do have the likes of DLP, Cyberhaven can enhance policy effectiveness by showing factually how data is used. This enables companies to tweak DLP policies based on what's actually happening with data, eliminating any policy guesswork.
Ultimately, Cyberhaven is able to identify data misuse and stop it *before* it escalates to the point of egress, improving overall data loss prevention effectiveness.
Digital Guardian (DG) is a pioneer in the area of intellectual property (IP) protection. The company was founded in 2003 as Verdasys in an effort to prevent privileged insiders from stealing corporate IP. The resulting product is a kernel-level endpoint agent that can monitor all system and user activity and interaction with data.
In addition to activity that violates policy, the solution also logs seemingly benign user activity. After establishing benchmarks of this "normal" user behavior, the solution is then capable of identifying suspicious activity that is outside the norm. Because the solution is tracking all activity, an administrator can also review user activity – often step by painful step – to establish user intent. This same capability is also facilitating DG's recent push into the Endpoint Detection and Response space for protection against advanced threats.
All endpoint activity is logged as contextual events (separate from policy violations or incidents), including file activity, application use and data touches, along with an extensive list of other activity. The logging of these contextual elements is unique to DG and can be leveraged to detect activity that traditional DLP solutions do not even attempt.
DG also utilizes automated file tagging to classify files. These tags are permanent and persistent, meaning that the tags follow files through any iteration, including copy/paste to new file, file archiving and even password protecting. This enables the DLP solution to identify files even if the solution cannot open the file for sensitive data detection.
In 2015, DG acquired Code Green Networks to round out their ADLP offering with traditional DLP components. Currently the DG ADLP and TDLP solutions are sold separately and the integration between the two is limited to a common incident log. TDLP (Network and Discovery) system configuration, policy creation/management, reporting and incident workflow is still managed in its own interface.
In 2015, Websense was acquired by Raytheon in a deal valued at $1.9 billion with the resulting company branded as Forcepoint. Forcepoint is building a security platform that includes the old Websense URL filtering, email and web security products, its long-time leading DLP solution, Raytheon's SureView Insider Threat technology and two more recent acquisitions: McAfee's Stonesoft NGFW business and Imperva's Skyfence CASB solution.
Forcepoint has been a leader in the DLP space since 2007. The solution has seen steady improvement over that time to find itself standing in the far upper-right of the Gartner Magic Quadrant for DLP. As a traditional DLP vendor, the Forcepoint DLP approach combines separate modules for Network Gateway, Discovery and Endpoint DLP. While not overpowering the competition, the Forcepoint DLP solution is considered to be a strong contender in each area.
The Forcepoint architecture is relatively simple by DLP standards and includes a management server, a data server and a third server to monitor network traffic and provide blocking for email and web traffic. The solution is considered to be user-friendly, with hundreds of pre-packaged policies categorized by country, state, industry, etc. A policy wizard walks the administrator through the process of identifying all relevant policies.
An interesting twist on DLP is the Forcepoint Insider Threat product (formerly Raytheon SureView). The solution is an endpoint agent that's not quite DLP, since it has no blocking capability. What it does have, however, is a unique feature set that provides detailed insight into user activity. Like the DG agent, the product monitors user activity, building out user behavior risk scores that enable administrators to prioritize threats. The solution actually has video replay that can prove user intent very conclusively.
Unique features of the Forcepoint DLP solution include OCR capability – the ability to detect sensitive data in image files. This is a feature that's been on DLP vendor roadmaps for years, but only Forcepoint has managed to make it a reality. Forcepoint DLP includes an incident risk ranking letting admins know which incidents and/or users to review first as well as "drip DLP" to identify small leaks over time.
McAfee entered the DLP space in 2006 with its acquisition of endpoint DLP vendor Onigma, but didn’t gain full momentum until its 2008 acquisition of Reconnex, then a leader in the area of Network DLP. In 2010, Intel acquired McAfee for $7.6 billion, becoming Intel Security. From this time, Intel made little investment in its DLP offering and the product languished. Product updates over a five-year period were limited mainly to point releases with very few new features. During this time, Intel Security lost ground to other leading DLP solutions.
In September 2016, Intel announced a spin-out of Intel Security in the form of a sale to TPG, a “global alternative asset firm”, for $4.2 billion. The new firm will return to the McAfee name. TPG has majority ownership at 51 percent with Intel retaining 49 percent. Through these changes, McAfee has experienced significant employee attrition and has sold off some of its security product portfolio, including the Stonesoft firewall business, to rival DLP player Forcepoint.
In the last year, McAfee has produced some long-needed updates to its DLP product line. These updates do not appear to be enough to bring McAfee DLP to its former glory days and back into contention.
Like other TDLP vendors, McAfee has three main components that cover the Network, Discovery and Endpoint. The McAfee DLP Monitor component is unique among DLP offerings, allowing the capture of not only data from incidents triggered by policy violations, but potentially all network traffic. This allows review of data that does not meet existing rule sets, uncovering incidents or violations that otherwise may have gone unnoticed. Policies can also be edited or fine-tuned and then run against this captured data, providing a historical view of how policy changes would have impacted incident results.
Most of the management of the DLP solution is done via McAfee's ePolicy Orchestrator, so for companies with significant investment in ePO the solution may make sense. Some of the management, however, is still done outside of ePO, namely for DLP Monitor and appliance-based DLP Discovery. The fact that McAfee has yet to fully integrate its DLP offering after nine years may be taken as an indicator of the company's commitment to the DLP space. Whether that attitude will change in the future is unknown.
Symantec has grown to become the leading provider of DLP in the market. In 2007, Symantec acquired Vontu, the then-current DLP market leader, for $350 million. Symantec did not rest on its Vontu laurels, however, and continued to transform the DLP marketplace, bringing to light many of the innovations in the space that are in common use today by many vendors. Today the Symantec DLP offering continues to be the undisputed leader.
Symantec boasts the largest DLP install base and ongoing revenue of any DLP vendor. The product is considered to be the most feature-rich of any DLP offering and often is the bar against which all other DLP products are measured. The Symantec DLP approach is very modular, with separate software – and a separate license – required for each of Symantec's many DLP components: Enforce Platform, Network Monitor, Network Prevent for Email, Network Prevent for Web, Network Discover, Network Protect, Endpoint Prevent, Endpoint Discover, Data Insight, Data Insight Self-Service Portal, Oracle Standard Edition One.
One unique advantage of the Symantec DLP solution is the option to include Veritas' Data Insight product. Data Insight provides visibility into unstructured data usage, ownership and access permissions. This product competes directly with solutions outside the DLP space and can represent a good value for organizations looking for this additional capability. No other DLP vendor provides this type of solution.
In addition to leading on the feature front, Symantec DLP can also be customized in ways most other DLP solutions cannot. There are configurations for most every feature, allowing a level of customizability and policy tuning that is unsurpassed. That configurability, however, comes at a cost. Symantec DLP is widely considered to be the most complex of all DLP solutions and more likely to require significant deployment hours and ongoing consulting support. For organizations with sufficient resources – budgetary and personnel – the solution may be a good choice. But for the SME space, Symantec often proves to be too much to handle.
DLP Experts is a vendor-agnostic reseller of DLP technologies exclusively since 2008. We have worked with every major (and minor) DLP vendor in the marketplace and have information that will benefit any DLP project.