data loss prevention leading vendor review · 2018-11-06 · endpoint (data in use). the core of...
TRANSCRIPT
DLP Experts | 760.927.5000 | www.DLPExperts.com | [email protected]
Data Loss Prevention Leading Vendor Review
A DLP Experts White Paper Version 8.1 – Updated November 2018Author’s Note The content of this white paper was developed independently of any vendor sponsors. The views and opinions in this paper represent the sole work of DLP Experts.
Copyright Notice The content of this publication is copyrighted © 2018 DLP Experts, LLC.
Page 2 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
A Note About This Update Inanefforttostreamlinethiswhitepaperforreadability’ssake,inthisversion(8.1)wehaveremovedinformationregardingtheDLPmarketplaceandvariousDLPapproaches.ThisinformationwillbemovedtoanewwhitepaperontheDLPmarketplace.ThiswhitepaperreviewsleadingDLPvendorsinanefforttopaintaclearerpictureofvendorcapabilities,strengthsandweaknesses.
DLP Vendors Included ThefollowingDLPvendorsolutionsareincludedinthisreview(inalphabeticalorder):
• DigitalGuardianDataLossPrevention• ForcepointData&InsiderThreatSecurity(includesForcepointDLP,InsiderThreatandUEBA)• McAfeeTotalProtectionforDataLossPrevention• SymantecDataLossPrevention
Page 3 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
Digital Guardian Note:BecauseDigitalGuardian’sapproachisadeparturefromTraditionalDLP(TDLP),moreexplanationisrequiredtofullycoverthesolution’scapabilities.ThereadershouldnotinterprettheaddedcoverageinthiswhitepaperasanendorsementoftheDigitalGuardiansolutionovertheothersolutionsreviewedhere.CompanyOverviewDigitalGuardian(DG),formerlyknownasVerdasys,isaventure-fundedsoftwarevendorofdatalosspreventionsolutions.Thecompanywasfoundedin2003anduntilitsOctober2015acquisitionofCodeGreenNetworks(CGN),wasoneofonlytworemainingindependentprovidersofcomprehensivedatalossprevention.DG’slongtermplayistobringtogetherinsiderthreatdetectionandmarryitwithDLPfor“threatawaredataprotection.”ProductOverviewFromapurelytechnicalstandpoint,DGrepresentsadrasticshiftfromthetraditionalthree-prongedapproachemployedbyotherleadingDLPvendorsuiteswithcomponentstocoverNetwork(datainmotion),Discovery(dataatrest)andEndpoint(datainuse).ThecoreoftheDGsolutionisakernellevelendpointagentknownastheDGAgent(DGA)andthatprovidesthemajorityofthiscomprehensivecoverage.WhileDGalsohasanetworkappliancefordatainmotionanddataatrest(CodeGreenNetworksacquisition),thekernellevelagentremainsthecenteroftheDGDLPuniverse.DGA’skernellevelapproachanddeepconnectionsintotheOSallowforcomprehensivevisibilityintoalluserandsystemactivity,whichisauniquecapabilityamongDLPvendors.Thisenhancedvisibilityprovidesveryusefulinformationonuseractivityandbehavior.Thekernellevelagentapproach,however,alsobringspotentialcompatibilityissueswithotherapplicationsandtheoperatingsystem.CompaniesconsideringDGshouldweighthebenefitsofthisenhancedvisibilityagainstpotentialdownsidesofakernellevelagent.Architecturally,theDGAsolutionisverysimple:endpointagentscoveringWindows,MacOSandLinux,whichcommunicatewithacentralmanagementserver.DGNetworkDLP(NDLP)isamoretraditionalDLPapproachandincludesNetworkDLP(datainmotion)andDiscoveryDLP(dataatrest).Thenetworkcomponentsaretypicallydeployedonasingleappliance,resultinginaverystreamlinednetworkarchitecture.DGNetworkDLPisnotasfeaturerichandcustomizableasitscompetitors,butfororganizationswithmorestraightforwardcompliancerequirements,thesolutioncanbeverysimpleandeasytouse.DGrecentlyreleasedAnalyticsandReportingCloud(ARC),acloud-based,softwareasaservicedesignedtoleverageDG’suniqueenhancedendpointvisibilityinconjunctionwithdatalosspreventiontoprovidewhatDGcalls“threatawaredataprotection.”ARCtakesDGAeventlogs(eventsareuserandsystemactivity,butnotnecessarilyincidentsorpolicyviolations)andcombinesitwithincidentdatafromDGAandNDLPincidentdatatouncoverinsiderthreats.TheARCinterfaceprovidesinnovativewaystodrilldownandcorrelateincidentdatatoidentifyandrespondtothreats.AsDGworkstointegrateDGAandNDLPwithARC,solutionmanagementfortheentiresuiteisaworkinprogress.TheDGManagementConsole(DGMC)haslongbeenthemanagementcoreforDGA.TheacquisitionofCodeGreen’sNDLPbroughtasecondmanagementconsoleintothemix.ARCisplannedasthefinalstepintheDGsolutionmanagementstrategy.Fornow,allthreemanagementconsolesareinplayinthefollowingways:
• NetworkDLPmanagementconsoleisrequiredforNetworkDLP• DGMCisrequiredforDGAgent• BothconsolesarerequiredfordeploymentswithDGAgentandNetworkDLP
Page 4 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
• ARCcanbeaddedasanoverlaytoanyDGAdeploymentNDLPincidentlogsandmetadataareconsolidatedwithDGAincidentdataintheDGMC,butnetworkDLPincidentdetailremainsontheNDLPConsole.CombinedDGAandNDLPincidentmetadataissenttotheDGMC.AndforthosecustomerswhopurchaseARC,allDGAandNDLPincidentmetadataisrolleduptoARC.UniquenessofDG’sKernelLevelAgentUserandSystemEvents.Asreferencedpreviously,oneoftheuniquebenefitsoftheDGsolutionisitsabilitytoautomaticallymonitorandlogallendpointactivity.Thiscanbeaccomplishedevenwithoutdefinedpolicies.Thatmeansrightoutofthebox,withoutanypolicyconfiguration,manyinstancesofsensitivedatamisuse(orotherinappropriateactivity)canbeidentified.Basedonfindingsinmonitoronlymode,policiescanbeenactedtoenforcedataprotection.EndpointDetectionandResponse.BecauseofDGA’suniquevisibilityintoalluserandsystemevents,thesolutionhastheabilitytodetectactivitythatmaynotspecificallytargetsensitivedata,butthatmightstillbeconsideredathreatinsomeway.DGhasrefinedthiscapabilitytoactivelydetectthreatsinrealtimeandprovideadministratorswiththeabilitytorespondtothosethreats.Discovery(StoredData)DLPCoverage.LikeTDLP,DGAhastheabilitytoscanlocalfilesystemsforsensitivedata.However,whenitcomestonetwork-basedstorage,DG’scapabilitiesarelimitedtoserversuponwhichtheagentcanbedeployed.Ifanagentcanbeinstalledonaserver,thenthatlocaldatacanbescanned.Ifanagentcannotbeinstalled(orifthecustomerdoesnotwanttoinstallanagent),thenthedatacannotbescanned.Inthesecases,DGreliesonitsNetworkDiscoverycomponent.FileTagging.Supportednativelybyonlyoneothervendor(McAfee),filetaggingisoftenseenasanantiquatedandineffectiveapproachbecauseitrequiresinputfromfallibleenduserstoapplydocumentclassifications.DGAreliesheavilyonfileclassificationand“tagging,”however,theprocessisautomatedanddoesnotrequireuserinput.Theclassificationprocess,whichaddstagstofiles,providesagoodstartingpointforpolicies.Tagscanautomaticallybeappliedbasedoncontentor,moredistinctivelytoDG,contextsuchaswhereafilecamefromorwhatapplicationwasusedtocreatethefile.Forexample,aCSVextractfromadatabasecontainingsensitivedatacanautomaticallyandpermanentlybetaggedas“confidential,”oradesigndocumentcreatedinaparticularapplicationcanbetaggedascontainingintellectualproperty.DigitalGuardianDeliveryModelsDGhaslongbeenknownforauniquefullymanagedsecurityprogram(MSP),withthemanagementconsolehostedinthecloud.DG’snewSoftwareasaServicemodel,includingARC,wasaddedtotheDGofferinginOctober2017.TheDGAgentproductisnowdeliveredusingeithertheMSPorSaaSmodels.TheDGNetworkDLPofferingremainsanon-premisearchitecture,butcanalsobemanagedbyDGasanMSP.DigitalGuardianStrengthsTheDigitalGuardiansolutionbringsahighlevelofvisibilitytouseractivityanddatahandling–rightoutoftheboxwithnopoliciesenabled.ThisincreasedcontextawarenesscanhelpcompaniesfindwaystoimprovedataprotectionthatwouldotherwisegounnoticedbytraditionalDLPsolutions.Thiscontextawarenesscanalsocallattentiontootherproblemswithinanorganization.Anomaloususerbehaviorcanbeidentifiedandmayindicateamoreseriouscybersecurityproblem,suchasmaliciousoutsidersposingasprivilegedinsiders.
Page 5 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
DGA’senhancedvisibilityprovidesuniquecapabilitiesbeyondDLP,includinguserbehavioranalytics,fileactivitymonitoringandendpointdetectionandresponse.DGAisabletodetectevenmaliciousinsiderswhomaytrytohideattemptstoexfiltratesensitivedata.WiththeadditionofAnalyticsandReportingCloud(ARC),DGexpectstorefineandproductizethisuniquecapability.DGAemploysasimplearchitecture,coveringWindows,MacOSandLinux,withnonetworkintegrationsotherthandirectoryservicesrequired.ThesolutioncanactivelyseeandblocksensitivedatawithinSMTP,HTTP,HTTPS,FTPandothernetworkprotocolswithoutanICAP-compatibleproxyoremailintegration.Thisisespeciallyhelpfulforcompaniesthatdonothavebudgettoaddaproxyorsimplypreferaproxy-freeenvironment.Thearchitecturealsoavoidstheneedforanetworkmonitoringdeviceateachegresspoint,whichcandriveuphardwarecosts,increasearchitecturalcomplexityandongoingmanagement.DG’sMSPandSaaSmodelsaretheonlyvendor-offeredservicesoftheirkind.DGhoststhemanagementconsolefortheseservicesinitsowncloud,drasticallysimplifyingdeploymentandeliminatingtheneedforon-premisenetworkhardware.Onlyincidentandeventmetadataaremovedtoandstoredinthecloud,sonosensitivedataleavesthecustomernetworkorendpoints.DGMSPstaffareexperiencedandtrainedinthreatdetectionanddataprotection.TheMSPofferingincludespolicycreationandmanagement,reporting,incidenttriageandworkflow.DigitalGuardianWeaknessesDGA’smostglaringweaknessisthecomplexityofthesolution.Asakernellevelagent,companiesarelikelytoexperienceatleastsomecompatibilitydifficultieswithotherapplicationsandoperatingsystems.Mostofthesechallenges,however,canbeovercomewithgoodplanningandpatience.WhatmaynotbeaseasytoovercomearethechallengespresentedbyoneofDGA’sprimarystrengths:enhancedcontextualvisibility.CreatingpoliciesthatleverageoneormoreofhundredsofcontextualelementspresentsmuchdeeperchallengesthansimpleDLPpolicies.DGA’sapproachandvisibilityroutinelyuncoveractivityshowingcriticaldatabeingputatrisk.MitigatingthatriskcanmeanhoursspentinDGtraining,study,trialanderror–or,DGprofessionalservices.ThiscomplexityistheprimaryreasonforthesuccessofDG’sMSP.DGclaimsthatmorethanhalfofallnewDGAcustomersoptfortheMSPoffering.AndmanycompaniesthatinitiallyoptedoutoftheMSParemovingthatdirection.TherearesomecompaniesthatabsolutelyrequireoneormoreofDG’suniquecapabilities.Assumingthecompanyhasbudgettosupportit,DG’sMSPeliminatesthiscomplexity.TheMSPcanalsobringalevelofcomfortknowingexpertsaresupportinganorganization’sdataprotectionefforts.Inadditiontotheissuesofcomplexity,DGA’slimitedcontentdetectionmethods–andspecificallyalackofdatabasefingerprintingcapability–couldsignificantlyreduceitsappealfororganizationswithsimplePIIcompliancerequirements.DGA’slimiteddiscoverycoveragemayalsobeaconcernforDLPbuyers.DG’sNetworkDLPaddressesboththesedeficiencies,butcurrentlyrequireadminstoworkacrosstwoormoreseparatemanagementconsoles.DGcurrentlyhastwoendpointagents:DGAandalightweight“ComplianceAgent,”thatcameaspartoftheCodeGreenacquisition.TheComplianceAgentoffersaverylimitedfeaturesetbycomparisontoDGAandtheotherTDLPDLPagents.ComplianceAgentfeaturesarelimitedtodevicecontrol,localdiscoveryandmonitoring/blockingofdatamovementtoremovablestorage.Thisleavesoutcommonandcorefeaturesofnetworkcoverage(email,web)andcopy/paste,print,printscreenmonitoring.It’santicipatedthatDGwilleventuallyendsupportfortheComplianceAgent,replacingitwithDGA.GiventhecomplexitiesofDGA,thismaynotbodewellforsmallerorganizationscurrentlyusingDGComplianceAgent.
Page 6 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
WiththecurrentlackofintegrationbetweenDGAandNDLP,companiesneedingbothproductstomeetDLPrequirementsmustbepreparedtocreateandmanagepoliciesacrosstwoseparatemanagementconsolesuntilfullintegrationiscomplete.EvenforcompanieswithonlyDGA,twoconsolesarerequired:DGMCandARC.Pricing–DigitalGuardianWithDG’smostrecentpricingmodelchanges,whatoncewerethreeseparateDGAgentlicensesforDataVisibilityandControl(DV&C),DLPandATP(nowEDR)arenowallincludedinacombinedThreatAwareDataProtection(TADP)offering.TADPalsoincludesARC(andDGMC).DG’sperpetuallicenseofferingisnolongerofficiallyavailable.Theonlyremainingon-premiseoptionisforNDLP(networkanddiscover).AllDGAoptionsarenowcloudhostedviatheSaaSandMSPmodelsandarelicensedas“per-endpoint”annualsubscriptionsthatincludesupport.ThecombinationofthethreeDGAlicensesintoTADPcanresultinsomecostsavingscomparedtopastpricing.Thereisapricingfloorforbothmodelsthatmaymakeitexpensiveforsmallerorganizations.Inadditiontotheannualsubscription,DGsolutiondeploymentisbasedonlow,mediumandhigh-leveldeployments.Thelow-leveldeploymentretailsat$30,000andthemostcommonmedium-leveldeploymentofferingis$60,000.Web-basedadmintrainingisincludedwithmostsubscriptionsatnocost.TheDGmanagedservicehasbeenwellreceivedasacost-effectivealternativefororganizationsthatcan’thandletheDGAgentcomplexityorwanttoleaveon-goingsolutionmanagementtoDG’sexperts.MSPcostsstartataround$150,000annually,butconsideringthefactthatthecostincludesboththelicenseandfullsolutionmanagement,thismayprovecosteffectiveforsomeorganizations.FinalWord–DigitalGuardianTheDGsolutionisasolidoptionespeciallyinitsprovenmarketplaceofprotectingintellectualpropertyorfororganizationsthathavespecificendpointDLPrequirements.DG’svisibilityintoalluserandsystemeventsisakeyfeaturethatseparatesthemfromthepack.TraditionalDLPsolutionsonlyfindwhatspecificpoliciescallfor–ifthereisnopolicylookingforXYZ,thenXYZwillnotbefound.DGisabletouncoverincidentsthatotherwisewouldremainhiddenfromview.CompaniesthatlisttheDGAgent’svisibilityanduniqueEDRcapabilitiesascriticalrequirementstoeffectivelyprotectingsensitivedatawillfindtheDGsolutionuniquelycapable.AndifbudgetssupporttheMSPoffering,thesolutioncanbeevenmoreappealing.However,iftheuniqueDGAgentcapabilitiesarenotdeemedcritical,thenamoretraditionalDLPsolutionmaybemoreappropriate.FutureroadmapplansforintegratingtheDGAgentandNetworkDLPmanagementconsoleswithARCwillhaveasignificantimpactonDG’sneartermsuccess.
Page 7 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
Forcepoint CompanyOverviewForcepointwasfirstnamedaDLPLeaderinGartner’s2007MagicQuadrantforContentMonitoringandFilteringandDataLossPrevention,sotheofferingisoneofthelongeststandingsuccessstoriesintheDLPmarketplace.TheDLPleaderdistinctioncamejustafewmonthsafterForcepointacquiredDLPpioneerPortAuthorityTechnologies.In2015Raytheonacquiredan80.3%stakeinWebsensefor$1.9billionfromVistaEquityPartnerstoformanewcybersecurityjointventurecalledRaytheon|Websense.InJanuary2016thecompanyacquiredIntelSecurity’sfirewallbusinessandrebrandedasForcepoint.Sincethattime,Forcepointhasmadeotherstrategicacquisitions.Raytheon’sSureViewinsiderthreatoffering(nowdubbedForcepointInsiderThreat)camealongwiththeRaytheondeal.Sincethen,ForcepointacquiredImperva’sSkyfenceCASBoffering(nowForcepointCASB)andmorerecently,RedOwluserbehavioranalyticstechnology(nowForcepointUEBA).TheCASBandUEBAadditions,combinedwithForcepoint’sInsiderThreatandDLPtechnologiesstarttolookalotliketheDigitalGuardianpositioning.ProductOverview–Data&InsiderThreatSecurityForcepoint’soverallapproachisuniqueamongDLPvendorsinthatitispartofacomprehensivesecurityplatformapproachcharacterizedbyplansforasingleusermanagementconsoleandcapabilitiesthatinclude1)websecurity,2)emailsecurityand3)datasecurity(DLP).ForthepurposesofthispaperwereferonlytotheDLPoffering.DLPisnowpartofForcepoint’sData&InsiderThreatSecurityproductsmadeupofForcepointDLP,ForcepointInsiderThreat(FIT)andForcepointUEBA.ForcepointCASBisofficiallypartofthecloudoffering,butitstillplaysheavilyintothedataprotectionspace.TheForcepointarchitectureisdesignedtosupportthethreecoresecuritytechnologies(theoriginalWebsenseproductlines)ofemailsecurity,websecurityandDLP.TheDLParchitectureisasfollows:
• DLPManagementServer.ThisWindowsserverrunstheForcepointSecurityManagerthathoststhemanagementandreportingconsoleforForcepointweb,emailandDLPsolutions.
• ForcepointDLPServer.CanbeinstalledonthesameserverastheForcepointSecurityManagerandincludesthepolicyengine,crawler,fingerprintrepository,forensicsrepository,andendpointserver.
• ForcepointProtector.TheForcepointProtectorworksintandemwiththeForcepointDLPServer.TheDLPServerprovidesadvancedanalysiscapabilities,whiletheProtectorsitsonthenetwork,interceptstrafficandcaneithermonitororblockthetraffic,asneeded.TheProtectorsupportsanalysisofSMTP,HTTP,FTP,plaintext,IMtraffic(e.g.,Yahoo,MSN,chat,andfiletransfer).TheProtectorisalsoanintegrationpointforthird-partysolutionsthatsupportICAP.
Strengths–ForcepointDLPTheForcepointDLPofferingeasilymeetsthecoreDLPrequirementsofmostorganizationsandisconsideredtobeatopDLPsolution.ForcepointDLPincludesallkeycomponentsandrollsthemintoasionglemanagementinterface–ForcepointSecurityManager.ThismanagementconsolesupportsnotonlyDLP,butalsoForcepoint’sotherkeysolutionsforwebandemailsecurity.ForcurrentForcepointweboremailsecuritycustomers,theadditionofDLPismucheasier
Page 8 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
thanaddingacompetingDLPsolution.EvenfornewForcepointcustomers,theForcepointarchitectureismuchmorestreamlinedthanotherleadingDLPsolutionsandtheproductscoreshighforeaseofuse.Forcepoint’shybridplatformapproachallowsorganizationstochoosefromappliances,server/software,virtualmachinesandcloud(insomecomponents).Virtualmachinesupportformanyofitscomponentsallowsbuyerstotakeadvantageofthemovetowardandinvestmentsinvirtualmachineenvironments.DLPsolutionsarewidelyconsideredtobecomplex,costlyanddifficulttomanage,especiallyforsmallerorganizations.TheForcepointDLPsolutionisknowntobethemostsimpletodeploy,configureandmanagelongtermandmakesasolidchoiceforsmallercompanies.Forcompaniesseekingaverylowcostentrypoint,Forcepoint’sDLPEndpointisagoodstartingpoint.Thecostisverylow,coverageiscomprehensive,managementissimpleandfuturegrowthiseasy.Forcepoint’sDLProadmapincludesintegrationwithrecentacquisitionstomakethesolutionmoreeffectiveindetectingandpreventingdataloss–eventhroughmaliciousactivity.ForcepointInsiderThreat(FIT)logsuseractivitythatcallsattentiontohigh-riskusers.ForcepointUserandEntityBehaviorAnalytics(UEBA)ingestdatafromDLP,FIT,CASBandothersourceslikeHRdataandphysicalaccesslogstoprovideacomprehensiveuserriskview.ArecentchallengeforDLPsolutionsisthemoveawayfromaproxyarchitecture.DLPsolutionsrequireaproxyarchitectureinorderto1)providevisibilityintoHTTPStrafficand2)provideblockingofHTTP/Straffic.HTTPSvisibilityandwebblockingisastandardDLPrequirement,butwiththefactthatmanycompanieshavedumpedtheirproxies,thiscreatesdifficultyindeployingacomprehensiveDLPsolution.Forcepointhasauniqueapproachtoeffectivelyaddressingthisproblem.Ratherthanforcingacompanytoreinvestinaproxyinfrastructure,Forcepointincludesa“softproxy”aspartoftheirDLPsolution.WhilewebtrafficstillhastobeproxiedtotheDLPsolutionforinspection,thereisnoadditionalcostorextensivemanagementoverhead.Weaknesses–ForcepointDLPInspiteofForcepoint’seasy-to-usemanagementconsole,creationandmanagementofdiscoverypoliciesisseparatedfromnetworkandendpointpolicies.DiscoverypoliciesareverydifferentfromnetworkorendpointpoliciesandthisisnotuncommontoseeamongDLPvendors,butitstillrequireswritingpoliciestwice–oncefornetwork/endpointandasecondtimefordiscovery.ForcepointDLPalsorequirespushingoutpoliciesforeverychangeandinlargeenvironments,thisforcesadministratorstowaitforallchangestocomplete.ForcepointwasthefirstmajorvendortobringOCRcapabilitiestoDLPsolutions.OCRiscurrentlyavailablefornetworkDLPonlyandisnotavailableonDLPEndpoint.Scanningimagesviatheendpointrequirestoomuchoverheadandcouldnegativelyimpactworkstationperformance.SomecommonDLPcapabilitiesthatnormallycomeviathird-partyemailandwebsecurityintegrationrequiretheuseofForcepoint’sownemailand/orwebproducts.ThiscouldbeameansofmotivatingcustomerstopurchaseadditionalForcepointproductormorelikely,simplyawaytostreamlinethedevelopmentprocessbyleveragingthevendor’sexistingproducts.Eitherway,it’simportanttofullyunderstandcapabilitiesbeforedecidingonaDLPsolution.
Page 9 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
Pricing–ForcepointDLPFormanyyears,Forcepoint’sDLPsubscriptionlicensemodelwasanoddityamongDLPvendors.Likemanytechnologyvendors,however,thatischanging.SubscriptionlicenseorSaaSmodelsarebecomingmorecommon,butForcepointisstillwillingandabletoquoteperpetuallicensepricingforthosecompaniesthatpreferacapitalexpenditure.TherearethreelicensedmodulestoForcepointDLP:DLPNetwork,DLPDiscoverandDLPEndpoint.Eachofthethreecomponentscarriesaseparatelicensecost.ForcepointrecentlydividedDLPpricingstructureintotwooptions:1)IPProtectionand2)Compliance.TheComplianceoptionisdesignedforthosecompanieswithmorebasicDLPrequirementsandincludestheuseofForcepoint’sbase,outoftheboxpolicies.IPProtectionisthefull-featuredofferingandincludesadvancedsensitivedatadetectioncapabilities–structured/unstructureddatafingerprintingandmachinelearning–aswellDLPAnalyticsandautomaticRiskRankingtohelpprioritizeincidentresponseforthehighestrisks.Forcepointoffersmulti-productpricingaswellasmulti-yeardiscountsfortwoorthreeyearsubscriptions,paidupfront.SupportpackagesarerequiredforForcepointDLP,calculatedbasedonthetotallicensecost(MSRP).TheseoptionsincludeEssentialSupportat15%oftotallicensecost,EnhancedSupportat21%($25,000annualminimum)andEnterpriseSupportat28%($75,000annualminimum).AswithotherenterpriseDLPsolutions,professionalinstallationservicesarerequiredandcanaddsignificantcosttoaForcepointDLPimplementation.WhileForcepointDLPdeploymentcostsarenottypicallyashighassomeoftheothervendorsconsideredinthisreview,buyersshouldrequestverydetailedimplementationplansandcostspriortoanypurchaseagreement.ForcepointbasecostsforfullsuiteDLPdeployment,performedremotely,canbeunder$15,000forasmallorganization.InadditiontobasedeploymentofDLPcomponents,Forcepointalsooffersdatatuningpackages.PoorlywrittenpoliciesareacommonDLPchallengeandcanpreventexpensiveDLPpurchasesfrombeingfullyeffective.Datatuningpackageshelpensurepoliciesarewelltunedtoreducefalsepositivesanddecreasemanagementoverhead.FinalWord–ForcepointDLPForcepointDLPisahighqualityproductthatincludesallthecorefeaturesexpectedfromanenterpriseDLPsolution.ForexistingcustomersofForcepointwebfilteringoremailsecurity,ForcepointDLPisanobviouschoice,withasimpleupgradepath,leveragingexistingForcepointarchitecture.Likealloftheproductsconsideredinthispaper,theproductsimplyworks.WiththeultimateintegrationofInsiderThreat,UEBA,CASBwithDLP,theForcepointdataprotectionsolutionwillbepositionedtotakeon“nextgeneration”DLPrequirements.Withthiswillcometheabilitytodetectnotonlyaccidentaldatalossincidents,butalsointentionalattemptsatdataexfiltration.WhileForcepointboastssomeoftheworld’slargestcompaniesasDLPcustomers,thesolutionalsouniquelyscalesdowntosupporteventherequirementsofverysmallorganizations.Fororganizationswithbudgetconstraints,especiallyinthefirstyear,theForcepointsubscriptionmodelcanreducefirstyearcostssignificantly.
Page 10 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
McAfee CompanyOverviewMcAfeeenteredtheDLPspacein2006withitsacquisitionofendpointDLPvendorOnigma,butdidn’tgainfullDLPmomentumuntilits2008acquisitionofReconnex,thenaleaderintheareaofNetworkDLP.In2010,IntelacquiredMcAfeefor$7.6billion,becomingIntelSecurity.Fromthistime,IntelmadelittleinvestmentinitsDLPofferingandtheproductlanguished.Productupdatesoverafive-yearperiodwerelimitedmainlytopointreleaseswithveryfewnewfeatures.Duringthistime,IntelSecuritylostgroundtootherleadingDLPsolutions.InSeptember2016,Intelannouncedaspin-outofIntelSecurityintheformofasaletoTPGa“globalalternativeassetfirm”for$4.2billion.ThenewfirmreturnedtotheMcAfeename.TPGhasmajorityownershipat51percentwithIntelretaining49percent.Throughthesechanges,McAfeehasexperiencedsignificantemployeeattritionandhassoldoffsomeofitssecurityproductportfolio,includingtheStonesoftfirewallproduct,torivalDLPplayer,Forcepoint.ProductOverview–McAfeeTotalProtectionforDataLossPreventionMcAfeeTotalProtectionforDataLossPrevention(“McAfeeDLP”forourpurposes)employsanappliance(orvirtualappliance)approach,withfourcomponents.Atthecore,DLPMonitorexaminesnetworktraffic.DLPDiscoverscansnetworksystemsanddatabases,whileDLPPreventprovidesforthenetworkblockingcapabilityofthesolution(foremailandweb).Thefourthcomponent,DLPManager,bringsitalltogetherbyacceptingallinputfromtheappliances,providingtheDLPmanagementinterfaceviaePO.McAfeeDLPintegratesviaitsPreventappliancewithanexistingICAP-capableproxyforblockingofHTTP,HTTPSandFTP,andexistingemailinfrastructuretoprovideforemailremediation.ThesolutioncanalsobeintegratedwithemailencryptionsolutionsandActiveDirectory.Startingin2010therewasastretchofmanyyearsduringwhichMcAfeedidnotupdatetheirDLPversion9offeringbeyondpointreleases.Itwasn’tuntilmid-2016thatMcAfeereleasedversion10,followinguplessthanayearlaterwithversion11.Duringthatsix-yearspanofdevelopmentinactivity,theMcAfeeDLPproductlostgroundtotheotherleadingDLPvendorsandinmanyrespectsisstillplayingcatch-up.Interestingly,wehavefoundmanyMcAfeeDLPdeploymentsarelimitedtoEndpointDLP.PerhapsthisisduetoMcAfee’slonghistoryasanendpointfocusedcompanyandoftentimesendpointDLPrepresentsthepathofleastresistanceinpurchasinganddeployingDLP.Onelong-standinganduniquefeatureoftheMcAfeeNetworkDLPsolutionhasbeenits“capturedatabase,”loggingandstoringallnetworkactivity–evennon-policyviolations.Thisfeatureallowedfortestingpoliciesagainstpastdataandprovidedameansforreviewingthisdataforitsforensicbenefit.Unfortunately,thisfeaturewasnotincludedinthemostrecentupdates.Theplanistobringthiscapabilitybackinfuturereleases.
Page 11 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
Strengths–McAfeeDLPTheMcAfeeDLPsolutionismostoftenacquiredbyexistingMcAfeecustomersbecauseoftheintegrationwithePolicyOrchestrator(ePO).WithpastversionsofMcAfeeDLP,thesolutionrequiredbothePOandaseparatemanagementconsolefornetworkDLP,puttingMcAfeeDLPfarbehinditsmajorcompetitors.ThathaschangedwithMcAfeeDLPnowbeingfullyintegratedintoePO.ThisremovesoneofthemajorchallengesMcAfeeDLPhashadtoovercome:workingacrossmultiplemanagementconsoles.OneofthegreateststrengthsofMcAfeeDLPisitsintegrationwithmanyoftheotherMcAfeeproducts,includingthosethatdirectlysupportthedataprotectioneffort,suchasencryption.ForexistingMcAfeecustomers,theseintegrationscouldhavesignificantbenefitsoverotherDLPsolutions.McAfee’srecentupdateshavealsolessenedtheneedforhardappliances,allowingtheoptionforvirtualappliancesforalmostalloftheDLPcomponents.Physicalappliancesarestillavailableforthosecompanieswhopreferorrequirethem.AnothernicefeatureofMcAfeeDLPistheabilityto“tag”fileswithasetclassification.Thisenablesuserstomanuallyapplyaclassificationtofilesthatcanthenbeusedtoidentifythefileforpreventingloss,etc.Weaknesses–McAfeeDLPProbablythebiggestweaknessofMcAfeeDLPistheinabilitytofingerprintdatabaseelementsforexactmatching.Thiscancreatechallengesforcompaniestryingtoprotectpersonalinformationandresultinhighfalsepositiverates.Databasefingerprintingisasensitivedatadetectionmethodthatgreatlyreducesfalsepositives–eveneliminatingthem.Byhashingkeypersonalinformationdatabasefields(likesocialsecuritynumberandlastname),policiescanbecreatedthatmatchexactlyontwoormoreelementsfromtheactualpersonalinformationinthecompany’sdatabase.Forexample,ifwefingerprinttheconsumerrecordbelongingtoJaredThorkelsonandhisspecificSSNof556-76-9934,andthenweseethetwodataelementsof“Thorkelson”and“556-76-9934”inatransaction,theoddsofafalsepositiveareminiscule.ThisisafeatureeveryDLPvendorhashadforoveradecadeandiswidelyusedinfinancialandhealthcarecompliance.McAfee’ssupportfordatabasediscoveryisalsolimitedanddoesnotsupportsomecommondatabasesthatarewidelysupportedbyotherDLPvendors.McAfeeisalsobehindinitsintegrationwithpopularcloudserviceslikeOneDriveandGoogleDrive.Bothhavebeenlongontheroadmap.Opticalcharacterrecognition(OCR)isanotherfeaturethatmostDLPvendorshavehadforanumberofyears.McAfeehaschosennottoaddthisfeatureclaimingtheaccuracyratesat60-70%arenotgoodenoughandtheyrequire90%.TheyalsochoosenottointegratewithexistingOCRenginesasmanyDLPvendorshave.Pricing–McAfeeDLPLikeallDLPsolutions,McAfeeDLPcanbeacostlyproposition.However,thisisespeciallytruewhenappliancesarerequiredandevenmoresowithmultipleegresspointsthatmayneedmorethanasingleDLPappliance.Virtualappliancescanlessenthatcost,but,ataminimum,theDLPManagerappliancewillalwaysberequiredifdeployingallDLPcomponents.Thepricingmodelisbasedonaperpetuallicensewitha20%annualcostforGoldSoftwareSupport.Professional
Page 12 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
ServicesarerequiredforallnewDLPpurchasesandvarybasedontheDLPcomponentsselected.Generally,mostorganizationsshouldexpecttoincuraminimumof100professionalserviceshourstoasmanyas200forfullDLPdeployment.FinalWord–McAfeeDLPTheMcAfeeDLPsolutionismostlikelytobeselectedbyexistingMcAfeecustomersfirmlyentrenchedinandcommittedtoePolicyOrchestrator.McAfeeisknowntopromotetheDLPsolutiontoitsexistingcustomerbaseveryaggressivelywithhard-to-resist,competitivepricingpackages.LikesomeotherDLPvendors,McAfeehasaverylucrativeinstalledbaseofotherproductsthatitmustprotectfromreplacement–andMcAfeeDLPisoftenusedasanincentivetoremaincommittedtotheseotherproducts.CurrentMcAfeecustomersshouldattempttoleveragethistotheextentpossibleforincreasedsavings.WhileMcAfeewasoneofthefirstmajorvendorstojumpintotheDLPspacebyacquisitionin2006,ittookthecompanyanumberofyearstoacquireandintegratethedifferentpartsofitsenterpriseDLPoffering.Othervendorstookadvantageofthatdowntime,stealingcriticalmomentumthatMcAfeehasbeenunabletoregaininthelastfewyears.Morerecently,withallofthechangesbetweenMcAfeeandIntel,themomentumoftheDLPofferinghasslowedfurther,causingmanyinthespacetoquestionIntel’scommitmenttothespace.
Page 13 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
Symantec CompanyOverviewSymantechasgrowntobecometheleadingproviderofDLPinthemarket.In2007,SymantecacquiredVontu,thethen-currentDLPmarketleaderfor$350million.SymantecdidnotrestonitsVontulaurels,however,andcontinuedtotransformtheDLPmarketplace,bringingtolightmanyofthemajorinnovationsinthespace.TodaytheSymantecDLPofferingcontinuestobetheundisputedleader.ProductOverview–SymantecDLPSymantecDLPistheproverbial800-poundgorillaoftheDLPspace.SymantecboaststhelargestDLPinstallbaseandongoingrevenueofanyDLPvendors.MostestimatesputtheSymantecDLPmarketshareanywherefromtwo-tothree-timesthenextclosestcompetitor.TheproductisconsideredtobethemostfeaturerichofanyDLPofferingandoftenisthebaragainstwhichallotherDLPproductsaremeasured.Thesolutionisunlikeanyoftheofferingspreviouslyreviewed.TheSymantecDLPapproachisdecidedlysoftware;notrueapplianceoptionisavailable,althoughsomeSymantecDLPresellerswillpackageanddeliverhardwareandsoftwaretogether.Adifferentsoftware–andlicense–isrequiredformostSymantecDLPcomponents,howevertheDLPsuitecanbepurchasedatasingle,discountedprice.
• EnforcePlatform(managementplatform–separatelicensenotrequired)• NetworkMonitor• NetworkPreventforEmail• NetworkPreventforWeb• NetworkDiscover• NetworkProtect• EndpointPrevent• EndpointDiscover• DataInsight(includedinDLPSuite)• DataInsightSelf-ServicePortal(add-on)• OracleStandardEdition2
MosteverysoftwarecomponentcanbeinstalledonWindows,RedHatEnterpriseLinuxorasavirtualmachine–andit’sokaytomixandmatch.Liketheothersolutions,thepassiveNetworkMonitorisconnectedviaaSPANportornetworktap.Inordertoblockweboremail,NetworkPreventworkswithexistingemailinfrastructureandICAP-capableproxies.SymantecDLPsupportsintegrationwithvariousothertechnologies,includingemailencryptionandActiveDirectory.Strengths–SymantecDLPBecauseofitsextensivefeaturelists,SymantecDLPalmostalwaysmakesthecutwhenconsideredforDLPprojectrequirementsandmatchingvendorcapabilities.ItsfeaturesarenotlimitedtoanysinglecomponentofDLP;theyareuniversallystrong,makingitasolidchoiceacrossNetwork,DiscoveryandEndpoint.
Page 14 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
OneuniqueadvantageoftheSymantecDLPsolutionistheinclusionofDataInsightintheDLPsuite.DataInsightprovidesvisibilityintounstructureddatausage,ownershipandaccesspermissions.ThisproductcompetesdirectlywithsolutionsoutsidetheDLPspaceandcanrepresentagoodvaluefororganizationslookingforthisadditionalcapability.NootherDLPvendorprovidesthistypeofsolution.SymantechasalsopartneredwithoneormoremanagedservicescompaniestoofferSymantecDLPasamanagedservicehostedinthecloud.Whilethereareslowadoptionrates,therealityisthatmoreandmorecompanieswilllooktohostedDLPsolutions.Weaknesses–SymantecDLPOnthedownside,SymantecDLPisgenerallyconsideredtobethemostcomplexoftheavailableDLPsolutions,withmoreindividualsoftwarecomponentsthatmustbeinstalledandconfigured.Thislimitstheappealamongmanysmallersizedorganizationsthatdonothavetheresourcesoflargerenterprises.Symantec’sDLPsolutionalsorequirestheuseofaseparateinstanceofOracleStandardEdition2.Fornon-Oracleshops,thiscanprovetobeintimidatingandbecomeamanagementheadache.Thecompanyhasmadeattemptstostreamlinetheseparatecomponentsbyleveragingvirtualmachineenvironments.ThishashelpedsomewhattopositionSymantecDLPforsmallerorganizations.Insomecases,multiplecomponentsmaybeinstalledonasingleserver,makingforamorestreamlinedapproach.Butthisabilityisdependentonthesizeoftheorganizationandhardwareconfiguration,amongotherthings.It’simportanttokeepinmindthattherearelimitationstorunningcertaincomponentsasvirtualmachines–notallcomponentsaresuitedtosuchvirtualenvironments.Intheend,eachcomponent,whetherVMorserver/software,stillrepresentsanothermovingpartintheoverallsolution.Pricing–SymantecDLPSymantecDLPcostisbaseduponaper-user,perpetuallicenseorsubscriptionmodel.Intheperpetualmodel,thereisanannualmaintenancecostof23%.ThecompleteSymantecDLPsolutionisofferedasasuiteandatsignificantlyreducedpricing.Whileindividualcomponentscanbeselectedfromthemanyoffered,theDLPSuiterepresentsthebestvalueforSymantecDLP.SymantecDLPhasthedubiousdistinctionofbeingthemostexpensivesolutioninthemarket,fromapurelicensecoststandpoint.Ofcourse,thereareothercostsbesidessoftwarelicensingandthesemustbeconsidered,aswell.SinceSymantecDLPisasoftwaresolution,nohardwarecostsarepriceddirectlybySymantec.Anysuchcostswilldependonthehardwarerequirementsforthespecificimplementationplan.AhandfulofSymantecVARsprovidebundledDLPhardwareofferingstosimplifytheprocess.LikeotherDLPsolutions,professionalinstallationservicesarerequiredandcanrepresentasignificantoverallcosttotheDLPproject.BuyersofSymantecDLPshouldexpectaminimumof100hoursformorebasicdeploymentservices,andupwardof200hoursforlarger,morecompleximplementations.PhaseddeploymentsmayrequireadditionalprofessionalservicesforeachnewDLPcomponentadded.FinalWord–SymantecDLPOrganizationsthatfindcomfortinnumbers,oftenfeelmostcomfortablewiththemarketshareleadingSymantecDLPoffering.AswehaveheardmorethanoneDLPbuyersay,“NoonewaseverfiredforbuyingSymantecDLP.”Itcertainly
Page 15 of 15
+1 760.927.5000 | www.DLPExperts.com © 2018 DLP Experts LLC
standsoutasthesafechoiceforDLP.However,justlikeanyotherDLPsolution,SymantecDLPisnotaone-size-fits-allsolutionandthusnotanautomaticfitforallorganizations.BecauseofSymantec’sarchitecturalcomplexity,smallandmediumenterprisesunder1000userswilllikelyfinditverydifficulttotakeonthecostandpersonnelresourcesrequiredtoacquire,deployandmanagetheSymantecDLPsolution.Ontheotherhand,organizationswithcomplexnetworkarchitecturesordistributedenvironmentsmayfindSymantec’ssoftware/virtualmachineapproachtobeveryflexible,forgiving–andevencosteffective.
About This Review TheDLPVendorReviewrepresentsthesolework,viewsandopinionofDLPExperts.Everyefforthasbeenmadetoverifythecontentincludedforeachvendoriscurrent,accurateandbestrepresentsthevendoranditsDLPoffering.Aswithanydocumentofthissort,weacknowledgethatmuchofthecontentrepresentsopinion.Wherepersonaljudgmentiscalledfor,wereservetherighttoshareourpersonalexperienceandacquiredknowledge.Ofcourse,weappreciatefeedbackfromvendorsandtheDLP-usingpublictoensurethecontentisaccurateanduptodate.
The Vendor-Agnostic Approach of DLP Experts Thefactthatthereisnoone-size-fits-allapproachtoDLPistheprecisereasonDLPExpertsisinbusiness.Asavendor-agnosticresellerofleadingDLPsolutions,DLPExpertsfaceseachcustomerDLPprojectasuniqueandbringsnopre-conceivedideasintotheproject.DLPExpertsbringsonlytheirnineyearsofexclusiveDLPexperience.Theirapproachistofirstunderstandspecificrequirements,uniqueenvironmentsanddatatypes,andthenmatchvendorcapabilitiestothoserequirements.DLPExpertsisabletobringanyandallvendorstothetable.WhatsetsDLPExpertsapartfromotherresellersisthefactthattheygoonestepfurther:Unlikethevendorsandtheirtraditionalresellers,DLPExpertsdisclosesallrelevantvendorinformation–thegood,thebad,andtheugly–givingorganizationsatrulyunbiasedviewoftheDLPmarketlandscape.DLPExperts’uniqueapproachenablesbuyersofDLPtechnologiestogointothepurchasingprocesswiththeireyeswideopenandawareofnotjusttheupside,butalsothedownsideofeveryDLPtechnologyunderconsideration.