How DLP systems work and what they are. Choosing a DLP system: software for controlling information flows

The channels through which information can leave a company's information systems include network channels (for example, e-mail or ICQ), local channels (external USB storage devices), and data at rest (databases). Loss of storage media (flash drives, laptops) also counts. A system can be classed as DLP if it meets the following criteria: broad channel coverage (monitoring as many channels as possible); unified management (the same management tools across all monitored channels); active protection (enforcement of the security policy, not just reporting); and classification of information by both content and context.

The competitive advantage of most systems is the analysis engine. Vendors emphasize this engine and often name their products after it, for example "tag-based DLP solution". As a result, the buyer often chooses a solution not on performance, scalability, or the other criteria traditional for the enterprise security market, but on the type of document analysis it performs.

Obviously, each method has its advantages and disadvantages, and no single method of document analysis is technologically superior to another. Most vendors use several methods, although one of them is usually considered the "flagship". This article is an attempt to classify the methods used for document analysis. Their strengths and weaknesses are assessed on the basis of practical experience with several types of product. The article does not look at specific products, because the buyer's main task when choosing one is to see through marketing smoke such as "we protect everything from everything" and "unique patented technology", and to understand what actually remains once the salesperson leaves.

Container analysis

This method analyzes the properties of a file or other container (archive, encrypted disk, etc.) in which the information is stored. The simple name for such methods is "tag-based solutions", which accurately reflects their essence. Each container carries a tag that unambiguously defines the type of content placed inside it. These methods require practically no computing resources to analyze the information being moved, since the tag fully describes the user's rights to move the content along any route. In simplified form, the algorithm sounds like this: "tag present: block; no tag: pass."

The advantages of this approach are obvious: the speed of analysis and the complete absence of one class of error (a document that is not confidential will never be classified by the security system as confidential). Such methods are generally called deterministic.

The disadvantages are equally obvious: the system protects only tagged information; if the tag is not set, the content is not protected. A procedure is needed for tagging new and incoming documents, as well as a mechanism that prevents information from leaving a tagged container through clipboard operations, file operations, copying from temporary files, and so on.

The weakness of such systems also shows in how tagging is organized. If tags are placed by the document's author, then with malicious intent he may simply not tag the information he intends to steal. Even without malice, sooner or later he will show negligence or carelessness. If tagging is assigned to a dedicated employee, such as an information security officer or a system administrator, he will not always be able to tell confidential content from public content, since he does not know all of the company's processes in detail. Thus the "white" balance sheet may be published on the company's website, while the "gray" and "black" ones must not leave the corporate information systems; but only one person can tell them apart, namely one of the authors.

Tags are divided into attribute, format and external tags. As the names suggest, the first are stored in file attributes, the second in fields of the file itself, and the third are attached to the file (associated with it) by external programs.

Container structures in information security

Another advantage of tag-based solutions is their low impact on the performance of gateways, since the check amounts only to verifying the tag, i.e. they act like turnstiles in the metro: "Have a ticket? Go through." But do not forget that miracles do not happen: the computational load in this case is simply shifted to the workstation.

Tag-based solutions, whatever their form, have their place: protecting document repositories. If the company has a repository that, on the one hand, is replenished rather rarely and, on the other, for which the category of every document is precisely known, then protecting it with tags is the simplest approach. Tagging of documents entering the repository can be arranged by an organizational procedure. For example, before a document is placed in the repository, the employee responsible for the repository can consult the author and the specialist responsible for deciding the document's confidentiality level. This is especially convenient with format tags, i.e. each incoming document is saved in a protected format and then issued, on an employee's request, with a mark that he is permitted to read it. Current solutions allow access rights to be granted for a limited time, and after the key expires the document simply cannot be read. This is exactly the scheme used, for example, for submitting documentation for government procurement tenders in the United States: the procurement management system generates a document that can be read, without the possibility of changing or copying its contents, only by the tender participants listed in that document. The access key is valid until the deadline for submissions, after which the document ceases to be readable.

Tag-based solutions are also used by companies to organize document management in closed network segments where intellectual property and state secrets circulate. Probably, with the Federal Law "On Personal Data" now in force, document management in the HR departments of large companies will be organized the same way.

Content analysis

The technologies described in this section, unlike those described above, are completely independent of the container in which the content is stored. Their purpose is to extract the meaningful content from the container, or intercept it from the communication channel, and analyze the information for the presence of protected content.

The main technologies for detecting protected content in containers are signature control, hash-based control and linguistic methods.

Signatures

The simplest control method is a search for a specific sequence of characters. Sometimes a blocked character sequence is called a "stop word", although in the general case it may not be a word but an arbitrary set of characters, for example a tag. Strictly speaking, not all implementations of this method can be classed as content analysis. For example, in most UTM-class devices the search for forbidden signatures is performed on the data stream without extracting text from the container, analyzing the stream "as is". Also, if the system is configured for just one word, the result of its work is a 100% decision, i.e. the method can be characterized as deterministic.

However, more often the search for a specific character sequence is still applied to extracted text. In the vast majority of cases signature systems are configured to search for a set of words, for the frequency of occurrence of terms, and so on. We will therefore still classify such systems as content analysis systems.

The advantages of this method are language independence and the ease of updating the dictionary of forbidden terms: if you want to use it to search for a word in Pashto, you do not have to know the language, it is enough to know how the word is spelled. It also easily catches, for example, transliterated Russian text or "padonki" slang (the so-called "Albanian" language), which matters when analyzing SMS texts, ICQ messages or blog posts.

The shortcomings become obvious with languages other than English. Unfortunately, most text analysis systems are built for the American market, and English is a very "signature-friendly" language: word forms are mostly produced with auxiliary words, without changing the word itself. In Russian everything is much more complex. Take the word "secret", so dear to the heart of the information security specialist. In English it serves as the noun "secret", the adjective "secret", and the verb. From the Russian root "секрет" one can form dozens of different words. That is, whereas in an English-speaking organization the security officer needs to enter only one word, in a Russian-speaking one he will have to enter a couple of dozen words and then repeat them in six different encodings.

In addition, such methods are not robust against primitive encoding. Almost all of them succumb to the spammers' favorite trick: replacing characters with look-alikes. The author has repeatedly demonstrated to security officers an elementary technique for slipping confidential text past signature filters. Take a text containing, for example, the phrase "совершенно секретно" ("top secret") and a mail filter tuned to that phrase. Open the text in MS Word, and a two-second operation (Ctrl+F, Replace tab, find "о" in the Russian layout, replace with "o" in the English layout, Replace All, send the document) makes the document completely invisible to that filter. What is especially vexing is that the replacement is done with the standard tools of MS Word or any other text editor, i.e. it is available to a user even if he has no local administrator rights and no ability to run encryption programs.
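The bypass described above, and the normalization that defeats it, as an added example (this is not code from the article or from any DLP product). A naive filter does a literal substring search; the hardened matcher folds Unicode compatibility forms, case, and the Latin look-alikes of Cyrillic letters before comparing. The confusables table, the stop phrase and the sample message are assumptions constructed for the demonstration.

```python
# Added example: stop-word signature filter vs. the Cyrillic/Latin homoglyph bypass.
import re
import unicodedata

STOP_PHRASE = "совершенно секретно"  # the phrase the mail filter is tuned to

# Latin letters that are visually identical to Cyrillic ones. The normalizer maps
# them back to Cyrillic so a substituted text looks like the original again.
CONFUSABLES = {
    "a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e",
    "p": "\u0440", "x": "\u0445", "y": "\u0443",
}


def naive_match(text: str) -> bool:
    """The UTM-style check: a literal substring search on the lowercased text."""
    return STOP_PHRASE in text.lower()


def normalize(text: str) -> str:
    """Fold case and Unicode compatibility forms, strip zero-width characters,
    map Latin look-alikes to Cyrillic, and collapse separators an attacker might
    insert between letters."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = re.sub(r"[\u200b\u200c\u200d\ufeff]", "", text)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return re.sub(r"[\s\-_.]+", " ", text)


def hardened_match(text: str) -> bool:
    """Same signature, applied to the normalized text."""
    return STOP_PHRASE in normalize(text)


def bypass_with_latin_o(text: str) -> str:
    """The two-second Word trick: every Cyrillic 'о'/'О' becomes Latin 'o'/'O'."""
    return text.replace("\u043e", "o").replace("\u041e", "O")


# Constructed sample message and its evaded variant.
ORIGINAL = "Документ: СОВЕРШЕННО СЕКРЕТНО. Не пересылать."
EVADED = bypass_with_latin_o(ORIGINAL)

if __name__ == "__main__":
    print("naive   ", naive_match(ORIGINAL), naive_match(EVADED))
    print("hardened", hardened_match(ORIGINAL), hardened_match(EVADED))
```

The table covers only the seven lowercase pairs that are pixel-identical in most fonts; a production normalizer would use the full Unicode confusables data and also fold digits used as letters (0 for о, 3 for з), which the next section's masks must likewise anticipate.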

Most often, signature-based stream control is included in the functionality of UTM devices, i.e. solutions that clean traffic of viruses, spam, intrusions and other signature-detectable threats. Since this function comes "for free", it is often considered sufficient. Such solutions really do protect against accidental leaks, i.e. cases where the sender has not modified the outgoing text in order to bypass the filter, but they are powerless against a malicious insider.

Masks

An extension of signature (stop-word) search is search by masks. It is needed when the exact "stop expression" cannot be entered into the database, but its elements or structure can. Such information includes any codes that identify a person or a business: taxpayer numbers (INN), account numbers, document numbers, and so on. They cannot be hunted down with signatures.

It makes no sense to set the number of one specific bank card as the search target; what is wanted is to find any card number, however it is written, with spaces or all together. This is not merely a wish but a requirement of the PCI DSS standard: unencrypted payment card numbers must not be sent by e-mail, i.e. the customer is obliged to find such numbers in mail and block the message.

For example, a mask can describe a stop word such as the name of a confidential or secret order whose number starts from zero; the mask accounts for the digits, for letter case, and for substitution of Russian letters with Latin ones. Masks are written in standard regular-expression ("REGEXP") notation, although different DLP systems may use different notations. Phone numbers are a harder case. They are personal data, and they can be written in a dozen ways: with different separators, with different kinds of brackets, with or without a plus sign, and so on. Here a single mask is probably not enough. In anti-spam systems, for example, where the same task arises, dozens of masks are applied simultaneously to detect a phone number.
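Mask-based detection of payment card numbers and phone numbers in outbound text, as an added example (not code from the article or any DLP product). It shows two things the paragraph above only states: a card mask paired with the Luhn check, so that order numbers and timestamps do not trip it, and several phone masks applied together, with hits de-duplicated. The regexes, the separators allowed, and the sample messages are this example's own assumptions.

```python
# Added example: regex masks for card numbers (with Luhn validation) and phone numbers.
import re

# Candidate PAN: 13 to 19 digits, optionally separated by a space or hyphen.
# The lookarounds stop the mask from firing inside a longer digit string.
CARD_MASK = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; cuts false positives from order numbers, dates, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 5 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return digits-only PANs that match the mask and pass the Luhn check."""
    found = []
    for m in CARD_MASK.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Phone numbers: several masks applied together, as anti-spam systems do.
PHONE_MASKS = [
    # +7 (495) 123-45-67 : international form with a plus sign
    re.compile(r"\+\d{1,3}[ -]?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{2}[ -]?\d{2}"),
    # 8-916-555-44-33 : Russian domestic trunk prefix
    re.compile(r"\b8[ -]?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{2}[ -]?\d{2}\b"),
    # 555-123-4567 : North American form
    re.compile(r"\b\d{3}[ -]\d{3}[ -]\d{4}\b"),
]


def find_phones(text: str) -> list[str]:
    """Return digits-only phone numbers found by any mask, without duplicates."""
    hits = []
    for mask in PHONE_MASKS:
        for m in mask.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if digits not in hits:
                hits.append(digits)
    return hits


# Constructed outbound message.
SAMPLE = ("Звоните +7 (495) 123-45-67 или 8-916-555-44-33. "
          "Card 4111 1111 1111 1111, order 20140128.")

if __name__ == "__main__":
    print(find_cards(SAMPLE), find_phones(SAMPLE))
```

The Luhn step is what makes a card mask usable in practice: a bare 16-digit pattern also matches shipment tracking numbers and the like, and the same trade-off applies to the "secret order number" mask in the text, which should be anchored to the order's known prefix rather than to a bare digit count.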

Given the many different codes used in the activities of companies and their employees, which are protected by a multitude of laws and constitute commercial secrets, banking secrets, personal data and other legally protected information, the ability to detect them in traffic is a mandatory requirement for any DLP system.

Hash functions

Hash functions of various kinds taken over sample confidential documents have recently become the new word in the leak-protection market, although the technology itself dates back to the 1970s. In the West this method is called "digital fingerprints", or "shingles" in scientific slang.

The essence of all these methods is the same, although each vendor's specific algorithms can differ greatly. Some algorithms are even patented, which confirms that the implementations are distinct. The general scheme is as follows: a database of sample confidential documents is collected. From them "fingerprints" are taken, i.e. the meaningful content is extracted from the document and reduced to some normalized form, for example (but not necessarily) plain text; then hashes are taken of all its parts, for example paragraphs, sentences, five-word sequences, etc., depending on the specific implementation. These fingerprints are stored in a special database.

An intercepted document is likewise cleaned of service information and reduced to normalized form, and then fingerprints are taken from it by the same algorithm. The resulting fingerprints are looked up in the database of confidential-document fingerprints, and if found, the document is considered confidential. Since this method finds direct quotations from a sample document, the technology is also called "anti-plagiarism".

Most of the advantages of this method are obvious, but it has its disadvantages too. First, it requires sample documents. On the one hand, the customer does not need to worry about stop words, meaningful terms and other matters that are completely outside a security officer's specialty. On the other hand, "no sample, no protection", which raises the same problems with new and incoming documents as with tag-based technologies. A very important advantage of the technology is its ability to work with arbitrary character sequences. This gives independence from the language of the text, be it hieroglyphs or Pashto. Furthermore, one of the main consequences of this approach is the ability to take fingerprints of non-textual information: databases, drawings, media files. This very technology is used by Hollywood studios and major record labels to protect the media content in their digital repositories.

Unfortunately, low-level hash functions are not robust against primitive encoding either, as shown in the example with signatures. They easily cope with changing the order of words, rearranging paragraphs and the other tricks of "plagiarists", but, for example, substituting letters throughout the document destroys the fingerprint, and such a document becomes invisible to the interceptor.

This method also has trouble with forms. A blank loan application form, for instance, is a freely distributed document, while a filled-in one is confidential, since it contains personal data. If the fingerprint is taken from the blank form, an intercepted filled-in document will contain all of the blank form's content, i.e. most of the fingerprints will match. The system will therefore either miss the confidential information or block a large number of blank forms.
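The fingerprint scheme of the preceding paragraphs, as an added example (not code from the article or any DLP product): five-word shingles are hashed into a fingerprint database, an intercepted text is scored by the share of its shingles found there, and the two failure modes described above are reproduced, letter substitution across the whole document and the blank-versus-filled form. The hash, shingle width, threshold and the sample documents are this example's own assumptions.

```python
# Added example: word-shingle "digital fingerprints" and matching against them.
import hashlib
import re

SHINGLE_WORDS = 5  # five-word sequences, one of the granularities named in the text


def normalize(text: str) -> list[str]:
    """Strip formatting: lowercase, keep only letters/digits, split into words."""
    return re.findall(r"\w+", text.lower())


def shingles(text: str) -> set[int]:
    """Hash every run of SHINGLE_WORDS consecutive words into a 64-bit fingerprint."""
    words = normalize(text)
    out = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS]).encode("utf-8")
        out.add(int.from_bytes(hashlib.sha256(chunk).digest()[:8], "big"))
    return out


class FingerprintDB:
    def __init__(self) -> None:
        self.db: dict[str, set[int]] = {}

    def add_sample(self, name: str, text: str) -> None:
        self.db[name] = shingles(text)

    def match(self, text: str, threshold: float = 0.3):
        """Best-matching sample as (name, share of the probe's shingles found),
        or None when no sample reaches the threshold."""
        probe = shingles(text)
        if not probe or not self.db:
            return None
        name, fp = max(self.db.items(), key=lambda kv: len(kv[1] & probe))
        score = len(fp & probe) / len(probe)
        return (name, round(score, 2)) if score >= threshold else None


# Constructed sample documents.
S1 = "The board approved the acquisition of Northwind Traders at a price of forty million."
S2 = "Negotiations will be led by the finance director and must remain strictly confidential."
S3 = "Public announcement is planned only after regulatory approval has been obtained in full."
MEMO = " ".join([S1, S2, S3])
REORDERED_MEMO = " ".join([S3, S1, S2])  # paragraphs shuffled, text otherwise intact

BLANK_FORM = ("Loan application. By signing this form the applicant confirms that all "
              "information provided is complete and accurate and agrees to a credit "
              "history check. Full name: ........ Passport number: ........ "
              "Monthly income: ........")
FILLED_FORM = BLANK_FORM.replace("Full name: ........", "Full name: Ivan Petrov.") \
    .replace("Passport number: ........", "Passport number: 4509 123456.") \
    .replace("Monthly income: ........", "Monthly income: 90000.")


def build_db() -> FingerprintDB:
    db = FingerprintDB()
    db.add_sample("memo", MEMO)
    db.add_sample("form", BLANK_FORM)   # the mistake described in the text
    return db


if __name__ == "__main__":
    db = build_db()
    print("reordered memo:", db.match(REORDERED_MEMO))
    print("o->0 substituted:", db.match(MEMO.replace("o", "0")))
    print("blank form:", db.match(BLANK_FORM), " filled form:", db.match(FILLED_FORM))
```

Reordering the memo's paragraphs keeps almost nine tenths of its shingles, so it is still caught; replacing a single letter throughout leaves only the shingles of words that never contained it, and the memo walks out. For the form, the blank sample scores 1.0 against the public blank and about 0.7 against the confidential filled-in copy, so no threshold separates them; the practical remedy is to fingerprint the static text for context and leave the filled-in fields to masks such as those in the previous section.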

Nevertheless, this method is widely used, especially in businesses that cannot afford qualified specialists and follow the principle "put all confidential information in this folder and sleep well". In this sense, the need to have specific documents in order to protect them makes it similar to tag-based solutions, except that the fingerprint is stored separately from the document and survives changes of file format, copying of parts of a file, and so on. However, for a large business with hundreds of thousands of documents in circulation, it is often simply impossible to provide samples of the confidential documents, because the company's business processes do not require it in any way. The only thing that exists (or rather, should exist) in every company is a "list of information constituting a commercial secret". Turning it into samples is a non-trivial task.

The ease of adding samples to the base of controlled content most often plays a dirty trick on users. It leads to gradual growth of the fingerprint base, which significantly affects system performance: the more samples, the more comparisons for every intercepted message. Since each fingerprint takes from 5 to 20% of the size of the original, the fingerprint base grows steadily. Users report a sharp drop in performance when the database starts to exceed the RAM of the filtering server. The problem is usually solved by a regular audit of the sample documents and removal of outdated and duplicate samples; i.e. what was saved at implementation is later paid for in operation.

Linguistic methods

The most widespread analysis method today is linguistic analysis of text. It is so popular that it is often colloquially called "content filtering", i.e. it bears the name of the whole class of content analysis methods. Strictly speaking, that class includes hash analysis, signature analysis and mask analysis as well, and "content filtering" means any filtering of traffic based on analysis of its content.

As the name suggests, the method works only with text. It will not protect a database consisting only of numbers and dates, let alone drawings, pictures or a collection of favorite songs. But with text the method works wonders.

Linguistics as a science consists of many disciplines, from morphology to semantics, so linguistic analysis methods also differ from one another. There are methods that use stop words entered only at the level of the root, with the system itself compiling the full dictionary of forms; there are methods based on the weight distribution of terms found in the text. There are also linguistic methods with their own "fingerprints" based on statistics: for example, take a document, find its fifty most frequent words, then select the ten most frequent of them in each paragraph. Such a "dictionary" is a practically unique characteristic of the text and allows meaningful quotations to be found in "clones".
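The root-level, weighted-term variant of linguistic analysis described above, as an added example (not code from the article or any DLP product). It also addresses the word-form problem raised in the signatures section: one root entry such as "секрет" covers "секретный", "секретно", "секретность" and so on, each root carries a weight, a category fires when the summed weight reaches a threshold, and the matched words are returned so the officer sees what triggered. The category base, the exclusion list, the threshold and the sample texts are this example's own assumptions.

```python
# Added example: root-based, weighted linguistic category analysis with marked-up output.
import re

# Category base: root -> weight. Any word beginning with the root counts, so one
# entry stands in for the couple of dozen word forms a signature filter would need.
CATEGORIES = {
    "trade_secret": {"секрет": 3, "конфиденциальн": 3, "договор": 1, "контрагент": 1},
}
# Ordinary vocabulary that happens to start with a category root; this is the kind
# of tuning data that comes from reviewing false positives ("секретарь" vs "секрет").
EXCLUDED_ROOTS = {"секретар"}
THRESHOLD = 5


def tokenize(text: str) -> list[str]:
    return re.findall(r"[а-яёa-z]+", text.lower())


def score(text: str, category: str) -> tuple[int, list[str]]:
    """Sum term weights for one category; return (score, matched words in order)."""
    total, matched = 0, []
    for word in tokenize(text):
        if any(word.startswith(x) for x in EXCLUDED_ROOTS):
            continue
        for root, weight in CATEGORIES[category].items():
            if word.startswith(root):
                total += weight
                matched.append(word)
                break
    return total, matched


def analyze(text: str, threshold: int = THRESHOLD) -> dict:
    """Categories whose score reaches the threshold, with the evidence for the officer."""
    result = {}
    for category in CATEGORIES:
        total, matched = score(text, category)
        if total >= threshold:
            result[category] = (total, matched)
    return result


def mark_up(text: str, category: str) -> str:
    """What a linguistic system hands to the officer: every matched word wrapped in [[ ]]."""
    matched = set(score(text, category)[1])
    return re.sub(r"[А-Яа-яЁёA-Za-z]+",
                  lambda m: f"[[{m.group()}]]" if m.group().lower() in matched else m.group(),
                  text)


# Constructed sample messages.
CONFIDENTIAL = "Секретные условия договора с контрагентом не подлежат разглашению. Секретность соблюдать."
BENIGN = "Секретарь напомнила о договоре на поставку воды."

if __name__ == "__main__":
    print(analyze(CONFIDENTIAL))
    print(analyze(BENIGN))
    print(mark_up(CONFIDENTIAL, "trade_secret"))
```

Without the exclusion list the benign message would score 4 (3 for "секретарь" plus 1 for "договоре"), one point short of the threshold: exactly the kind of borderline false positive that the tuning effort discussed below is spent on. Note that the base does not grow when new documents appear, only when the vocabulary of a category does.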

Examining all the subtleties of linguistic analysis is beyond the scope of this article, so we will focus on its advantages and disadvantages.

The advantage of this method is complete insensitivity to the number of documents, a scalability rare in corporate information security. The content filtering base (a set of keyword classes and rules) does not change as new documents and processes appear in the company.

In addition, users note that this method resembles "stop words" in that if a document is blocked, it is immediately clear why. When a fingerprint-based system reports that a document is similar to another one, the security officer has to compare the two documents himself, whereas with linguistic analysis he receives the content with the matched terms already marked. Linguistic systems, together with signature filtering, are so widespread because they allow protection to begin immediately after installation, without changes in the company. There is no need to bother with tagging, fingerprinting, inventorying documents and other work that is not a security officer's specialty.

The disadvantages are equally obvious, and the first is dependence on language. In each country whose language the vendor supports this is no drawback, but from the point of view of global companies that, besides a single corporate language (for example, English), also have documents in the local language of every region, it clearly is.

Another shortcoming is a high rate of false positives, and reducing it requires some qualification in linguistics (for fine-tuning the filtering base). Standard industry bases provide a filtering accuracy of 80–85%. This means that every fifth or sixth message is blocked by mistake. Tuning the base to an acceptable 95–97% accuracy usually requires a specially trained linguist. And although getting started with tuning the filtering base takes only a couple of days of free time and a high-school level of knowledge, nobody but the security officer can do this work, and he considers it a non-core task. Bringing in an outsider always carries risk, since that person will have to work with confidential information. The way out is to purchase an additional module, a self-learning "autolinguist", which is fed the false positives and automatically adapts the standard industry base.

Linguistic methods are used when interference with the business must be minimized, when the information security service lacks the administrative resources to change existing processes for creating and storing documents. They work always and everywhere, albeit with the drawbacks noted above.

Popular leak channels: mobile storage media

InfoWatch analysts note that the most popular leak channel remains the loss of mobile storage (laptops, flash drives, mobile communicators, etc.), since such devices usually have no data encryption.

Another common cause of leaks is paper documents: they are harder to control than electronic ones, since, for example, once a sheet has come out of the printer it can only be tracked "manually"; control over paper documents is weaker than control over computer-held information. Many leak-protection tools (they cannot be called full-fledged DLP systems) do not control the channel of information output to the printer, so confidential data can easily leave the organization.

This problem is solved by multifunctional DLP systems that block the sending of unauthorized information to print and check that the mailing address matches the addressee.

In addition, leak protection is significantly complicated by the popularity of mobile devices, for which suitable DLP clients do not yet exist. Also very important is the development of cryptography and steganography: to bypass any filter, an insider can now simply look up best practice on the Internet. Protecting with DLP against a deliberately organized leak is very hard.

The effectiveness of DLP tools is limited by an obvious fact: current leak-protection solutions cannot control and block all existing information channels. DLP systems control corporate e-mail, use of web resources, instant messaging, work with external media, printing of documents and the contents of hard drives. Skype has so far remained uncontrolled by DLP systems. Only Trend Micro has announced that it can control the operation of this communication program. Other vendors promise that the same functionality will appear in the next versions of their software.

But while Skype promises to open its protocols to DLP vendors, other solutions, such as Microsoft's collaboration tools for organizing remote work, remain closed to third-party developers. How is transmission of information through this channel to be controlled? Meanwhile, a practice is developing worldwide of gathering employees into teams to work on a common project and disbanding them after its completion.

The main sources of confidential information leaks in the first half of 2010, as before, were commercial (73.8%) and government (16%) organizations. About 8% of leaks came from educational institutions. By type, the leaked confidential information is personal data (almost 90% of all leaks).

The leaders in leaks worldwide are traditionally the USA and Great Britain (Canada, Russia and Germany, with significantly lower figures, complete the top five), which is connected with the legislation of these countries requiring all incidents involving confidential data to be reported. InfoWatch analysts predict that in the coming year the share of accidental leaks will fall and the share of deliberate ones will rise.

Implementation problems

Besides the obvious difficulties of implementing DLP, there is the complexity of choosing a suitable solution, since different DLP vendors advocate different approaches to organizing protection. Some have patented algorithms for keyword content analysis, others use the digital fingerprint method. Which product to choose? Which is more effective? This is quite hard to answer, since DLP deployments today are few, and there is even less actual practice of using them on which one could rely. The projects that have nevertheless been carried out showed that more than half of the work and budget went on consulting, and this understandably evokes great skepticism among management. Moreover, DLP implementation usually requires reworking the enterprise's existing business processes, which is hard for a company.

To what extent does implementing DLP help meet the practical requirements of regulators? In the West, the use of DLP systems is motivated by laws, standards, regulations and other normative documents. In the experts' opinion, abroad it is clear legislation and methodical guidance from regulators that are the real driver of the DLP market, since implementing specialized solutions removes claims from regulators. In our country the situation is completely different, and the use of DLP systems does not contribute to legal compliance.

A real incentive for the adoption and development of DLP in the corporate environment may be the need to protect enterprises' trade secrets and to meet the requirements of the federal law "On Commercial Secrets".

Almost every enterprise has adopted documents such as the "Regulations on commercial secrets" and the "List of information constituting a commercial secret", and their requirements must be followed. The opinion is widespread that the law "On Commercial Secrets" (98-FZ) does not work, but company security officers know very well that protecting their trade secrets is important and necessary. Moreover, this importance is far clearer than that of the law "On Personal Data" (152-FZ), and it is easier for any manager to explain the need to keep confidential documents secret than the need to protect personal data.

What role does DLP play in automating the protection of commercial secrets? According to the Civil Code of the Russian Federation, to introduce a commercial-secret protection regime it is only necessary that the information have some value and be included in the appropriate list. The holder of such information is then obliged by law to take measures to protect it.

At the same time, it is obvious that DLP cannot solve every problem; in particular, it cannot block third parties' access to confidential information. There are other technologies for that, and many current DLP solutions can integrate with them. With such a technological chain, a working system for protecting commercial secrets can be built. Such a system will be more understandable to the business, and the business itself can then act as the customer of the leak-protection system.

Russia and the West

According to analysts, Russia has a different attitude to protection and a different level of maturity among the companies supplying DLP solutions. The Russian market is oriented toward security specialists and narrowly specialized problems. People who deal with leak prevention do not always understand which data is valuable. Russia has a "militaristic" approach to organizing security: a fortified perimeter with firewalls, and every effort directed at preventing penetration from outside.

But what if a company employee has access to a lot of information that his duties do not require? If, on the other hand, you look at the approach formed in the West over the past 10–15 years, more attention is paid to the value of information. Resources are directed to where the valuable information is, not to all information indiscriminately. This is perhaps the greatest cultural difference between the West and Russia. However, analysts say, the situation is changing. Information is beginning to be treated as a business asset, but this evolution will take time.

There is no complete solution

No vendor has yet achieved one hundred percent protection from leaks. Experts formulate the problem of using DLP products roughly as follows: to fight leaks effectively with DLP systems, a significant share of the protection effort must be carried out on the customer's side, since no one knows the particulars of its information flows better.

Others hold that it is impossible to protect oneself from leaks at all: an information leak cannot be prevented. Any information that is of value to someone will be obtained sooner or later. Software can only make obtaining it a more expensive process that demands more time and effort, which can significantly reduce the benefit and the relevance of the information. So the effectiveness of DLP systems must be kept under review.


28.01.2014 Sergiy Korablov

Choosing an enterprise-level product is a non-trivial task for technical specialists and decision-makers. Choosing a Data Leak Protection (DLP) system is even more complex. The absence of a unified conceptual framework and of regular independent comparative studies, together with the complexity of the products themselves, forces buyers to arrange pilot projects with vendors and to carry out numerous tests themselves, identifying their own needs and comparing them with the capabilities of the systems under test.

Such an approach is undoubtedly correct. A considered, and in some cases hard-won, decision makes the subsequent implementation easier and avoids disappointment with a particular product. However, the decision process can drag on for many months. Moreover, the constant expansion of the market and the appearance of new solutions and vendors further complicate not only the choice of a product for implementation but even the compilation of a preliminary shortlist of suitable DLP systems. In such conditions, up-to-date reviews of DLP systems have undeniable practical value for technical specialists. Should a particular solution go on the list for testing, or would it be too cumbersome for a small organization? Can the solution scale to a company of 10,000 employees? Can the DLP system control business-critical CAD files? These and other questions are no substitute for real testing, but they help answer the basic questions that arise at the initial stage of choosing a DLP system.

Participants

The review covers the DLP systems most popular on the Russian information security market (according to the Anti-Malware.ru analytical center as of mid-2013): those of InfoWatch, McAfee, Symantec, Websense, Zecurion and Jet Infosystems.

The analysis used the versions of the DLP systems that were commercially available at the time the review was prepared, as well as product documentation and reviews.

The criteria for comparing the DLP systems were selected based on the needs of companies of different sizes and in different industries. The main task of a DLP system is to prevent leaks of confidential information across different channels.

Examples of these companies' products are shown in Figures 1–6.

Figure 3. Symantec product

Figure 4. InfoWatch product

Figure 5. Websense product

Figure 6. McAfee product

Operating modes

There are two main operating modes of DLP systems: active and passive. Active is usually the main operating mode, in which actions that violate security policies are blocked, for example sending confidential information to an external mailbox. Passive mode is most often used while the system is being configured, to verify and fine-tune the settings when the proportion of false positives is high. In this mode, policy violations are recorded, but no restrictions are imposed on the movement of information (Table 1).


In this respect all the analyzed systems turned out to be equivalent. Each DLP can work in both active and passive mode, which gives the customer a certain freedom. Not all companies are ready to start using a DLP in blocking mode right away: this can disrupt business processes, cause dissatisfaction among the monitored departments and lead to complaints (including justified ones) to management.

Technologies

Detection technologies make it possible to classify information transmitted through electronic channels and identify confidential records. Today there are a number of basic technologies and their variants, similar in essence but different in implementation. Each technology has both advantages and disadvantages. In addition, different types of technologies are suited to analyzing information of different classes. Therefore DLP vendors strive to integrate as many technologies as possible into their products (Table 2).

Overall, the products offer a wide range of technologies that, when properly configured, ensure a high rate of recognition of confidential information. The DLP products of McAfee, Symantec and Websense are rather poorly adapted to the Russian market and cannot offer customers support for "language" technologies: morphology, transliteration analysis and masked text.

Monitored channels

Every data transmission channel is a potential leak channel. Even a single open channel can negate the efforts of the information security service that controls information flows. It is therefore important to block the channels that employees do not need for their work, and to control the remaining ones with leak prevention systems.

Although the best modern DLP systems can control a large number of network channels (see Table 3), unnecessary channels are better blocked completely. For example, if an employee works on a computer only with an internal database, it makes sense to disable Internet access for that employee altogether.

Similar conclusions apply to local leak channels. Here, however, blocking individual channels is harder, since ports are often used to connect peripherals, I/O devices, etc.

Encryption plays a special role in preventing leaks through local ports, removable drives and devices. Encryption tools are quite easy to use, and their use can be transparent to the user. At the same time, encryption eliminates a whole class of leaks related to unauthorized access to information and the loss of removable drives.

The situation with the control of local channels by agents is, on the whole, worse than with network channels (see Table 4). All the products successfully control USB devices and local printers. Also, despite the importance of encryption noted above, this capability is present only in some of the products, and forced encryption based on content analysis is present only in Zecurion DLP.

To prevent leaks it is important not only to recognize confidential data during transmission, but also to limit the spread of information within the corporate environment. For this purpose, DLP vendors include tools that can identify and classify information stored on servers and workstations in the network (see Table 5). Data that violates information security policies can be deleted or moved to secure storage.

To identify confidential information at corporate network nodes, the same technologies are used as for monitoring leaks through electronic channels. The main difference is architectural. Whereas network traffic and file operations are analyzed to prevent leaks, detecting unauthorized copies of confidential data means examining stored information: the contents of workstations and network servers.

Of the DLP systems considered, only InfoWatch and Dozor-Jet ignore discovery of the locations where information is stored. This is not a critical function for preventing leaks through electronic channels, but it substantially limits a DLP system's ability to prevent leaks proactively. For example, a confidential document travelling within the corporate network is not a leak. However, if the storage location of that document is not regulated, if the information owners and security officers do not know where the document is stored, this can lead to a leak: unauthorized access to the information becomes possible, or the appropriate security rules will not be applied to the document.

Ease of management

Characteristics such as ease of use and manageability can be no less important than the technical capabilities of the solution. After all, a very complex product will be hard to deploy: the project will take more time, effort and, consequently, money. An already deployed DLP system requires attention from technical specialists. Without proper maintenance, regular audits and adjustment of the settings, the quality of recognition of confidential information will decline greatly over time.

A management interface in the security officer's native language is the first step to simplifying work with a DLP system. It not only makes it easier to understand what a given setting does, but also significantly speeds up configuring the large number of parameters that must be tuned for the system to work correctly. English can be an obstacle even for trained administrators when it comes to understanding specific technical terms unambiguously (see Table 6).

Most solutions provide management from a single console (for all components) with a web interface (see Table 7). The exceptions are the Russian vendors InfoWatch (no single console) and Zecurion (no web interface). At the same time, both vendors have already announced web consoles in their upcoming products. The absence of a single console at InfoWatch is due to the different technological bases of its products. Development of its own agent solution was halted long ago, and the current EndPoint Security is a successor to the third-party product EgoSecure (formerly known as Cynapspro), acquired by the company in 2012.

Another point that may count against the InfoWatch solution is that configuring and operating the flagship DLP product InfoWatch TrafficMonitor requires knowledge of the special scripting language LUA, which complicates operating the system. Nevertheless, for most technical specialists the prospect of raising their professional level and learning an additional, albeit not very popular, language will be received positively.

Role-based separation of administrator rights is necessary to minimize the risk of a "superuser" with unlimited rights appearing, and of other abuses carried out using the DLP.

Logging and reporting

The DLP archive is a database in which objects (files, messages, HTTP requests, etc.) intercepted by the system's sensors during operation are accumulated and stored. The information collected in the database can be used for various purposes, including analyzing user actions, keeping copies of critically important documents, and as the basis for investigating information security incidents. In addition, a database of all events is extremely useful at the stage of implementing a DLP system, since it helps analyze the behavior of the DLP components (for example, to understand why certain operations are blocked) and adjust the security settings (see Table 8).


Here there is a fundamental architectural difference between Russian and foreign DLPs. The latter do not keep an archive at all. In that case the DLP itself becomes simpler to maintain (there is no need to maintain, store, back up and study a huge amount of data), but not to operate. After all, the archive helps in configuring the system: it helps to understand why the transmission of information was blocked, to check that the rule was applied correctly, and to make the necessary adjustments to the system settings. Note also that DLP systems require not only initial configuration during installation, but also regular "tuning" during operation. A system that is not properly maintained and tended by technical specialists loses a great deal in the quality of information recognition. As a result, both the number of incidents and the number of false positives grow.

Reporting is an important part of any activity. Information security is no exception. Reports in DLP systems serve several functions. First, short and clear reports allow the heads of information security services to quickly monitor the state of information security without going into details. Second, detailed reports help security officers adjust security policies and system settings. Third, visual reports can always be shown to the company's top managers to demonstrate the results of the DLP system and of the information security specialists themselves (see Table 9).

Almost all of the competing solutions reviewed offer both graphical reports, convenient for top managers and heads of information security services, and tabular reports, better suited to technical specialists. Graphical reports are missing from InfoWatch DLP, for which its rating has been reduced.

Certification

The discussion about the need to certify information security tools, DLP in particular, remains open, and experts often argue about this topic within professional communities. Summarizing the parties' positions, it is clear that certification in itself does not provide serious competitive advantages. At the same time, there are a number of customers, primarily government organizations, for whom the presence of a particular certificate is mandatory.

In addition, the existing certification procedure is poorly aligned with the software development cycle. As a result, customers face a choice: buy an outdated but certified version of the product, or a current one that has not passed certification. The standard way out of this situation is to buy the certified product "for the shelf" and use the new product in the real environment (see Table 10).

Results

Let us summarize our impressions of the DLP solutions reviewed. On the whole, all the participants made a favorable impression and can be used to prevent information leaks. The differences between the products allow us to specify the scope of their application.

The InfoWatch DLP system can be recommended to organizations for which an FSTEC certificate is essential. However, the latest certified version of InfoWatch Traffic Monitor was certified at the end of 2010, and the certificate expires at the end of 2013. Agent solutions based on InfoWatch EndPoint Security (also known as EgoSecure) are more suitable for small businesses and can be used separately from Traffic Monitor. Joint use of Traffic Monitor and EndPoint Security can cause scaling problems in large companies.

The products of foreign vendors (McAfee, Symantec, Websense), according to independent analytical agencies, are significantly less popular than Russian ones. The reason is the low level of localization. Moreover, the problem is not the complexity of the interface or the lack of Russian documentation. The technologies for recognizing confidential information, the preconfigured templates and the rules are "sharpened" for the use of DLP in Western countries and aimed at meeting Western regulatory requirements. As a result, the quality of information recognition in Russia turns out to be noticeably weaker, and compliance with foreign standards is often irrelevant. The products themselves are by no means bad, but the specifics of using DLP systems on the Russian market are unlikely to let them become more popular than domestic developments in the foreseeable future.

Zecurion DLP stands out for its high scalability (the only Russian DLP system with confirmed deployments of more than 10 thousand workstations) and high technological maturity. Surprising, however, is the absence of a web console, which would help simplify the management of an enterprise solution aimed at different market segments. Among the strengths of Zecurion DLP are the high quality of recognition of confidential information and a full line of leak prevention products, including protection on gateways, workstations and servers, discovery of the locations where information is stored, and data encryption tools.

The Dozor-Jet DLP system, one of the pioneers of the domestic DLP market, is widely used among Russian companies and continues to grow its client base thanks to the extensive connections of the system integrator Jet Infosystems, which is also the DLP's developer. Although technologically the DLP somewhat lags behind its more powerful counterparts, its use can be justified in many companies. In addition, unlike the foreign solutions, Dozor Jet allows archiving of all events and files.


A DLP system should be used when it is necessary to protect confidential data from internal threats. While information security specialists have sufficiently mastered the tools for defending against external attackers, the situation with internal ones is not nearly as smooth.

Using a DLP system within the information security structure assumes that the IS specialist understands:

  • how the company's employees could leak confidential data;
  • which information must be protected against the risk of a breach of confidentiality.

This general knowledge will help specialists better understand the principles of DLP technology and configure leak protection correctly.

A DLP system must distinguish confidential information from non-confidential. If all the data inside an organization's information system were analyzed, the problem of excessive load on IT resources and personnel would arise. A DLP works mainly "in tandem" with a responsible specialist who not only "teaches" the system to work correctly, introduces new rules and removes irrelevant ones, but also monitors current, blocked or suspicious events in the information system.

"SearchInform KIB" is configured using policies. The system ships with 250 preset policies that can be adjusted to the company's requirements.

The functionality of a DLP system is built around a "core": a software algorithm responsible for detecting and categorizing the information that needs protection from leaks. The core of most DLP solutions is based on two technologies: linguistic analysis and technology based on statistical methods. Less common methods, such as tagging or formal analysis methods, may also be used in the core.

Developers of leak prevention systems supplement the core algorithm with system agents, incident management mechanisms, parsers, protocol analyzers, interceptors and other tools.

Early DLP systems were based on a single method in the core: either linguistic or statistical analysis. In practice, the shortcomings of each technology were compensated by the strengths of the other, and the evolution of DLP led to systems that are universal in their "core".

The linguistic method of analysis works directly with the content of a file or document. This makes it possible to ignore parameters such as the file name, the presence or absence of a classification stamp on the document, and who created the document and when. Linguistic analysis technology includes:

  • morphological analysis: searching for all possible word forms of the information that must be protected from leaks;
  • semantic analysis: searching for occurrences of important (key) information in a file, comparing those occurrences with the file's quantitative characteristics, and assessing the context of use.

Linguistic analysis performs well on large volumes of information. For a large text, a DLP system with a linguistic analysis algorithm will more accurately select the correct class, assign the document to the required category and apply the configured rule. For short documents it is better to use the stop-word technique, which has proven effective in the fight against spam.

Learning in systems with a linguistic analysis algorithm is implemented at a high level. Early DLP suites had difficulties with defining categories and other stages of "training", but modern systems have well-developed self-learning algorithms: identifying the features of a category, and the ability to form and change response rules independently. Linguists no longer need to be hired to configure such software systems for protecting data.

The disadvantages of linguistic analysis include its dependence on a specific language: a DLP system with an "English" core cannot be used to analyze Russian information flows, and vice versa. Another drawback is the difficulty of unambiguous categorization with a probabilistic approach, which limits the accuracy of detection to around 95%, whereas for a company the leak of any volume of confidential information can be critical.

Statistical methods of analysis, by contrast, demonstrate an accuracy close to 100%. The drawback of the statistical core is connected with the analysis algorithm itself.

At the first stage the document (text) is divided into fragments of a reasonable size (not character by character, but small enough to ensure accurate detection). A hash is taken of each fragment (in DLP systems the term Digital Fingerprint is used). The hash is then compared with the hashes of the reference fragments taken from the protected document. If there is a match, the system marks the document as confidential and applies the security policy to it.

The disadvantage of the statistical method is that the algorithm cannot learn on its own or form categories and types. As a result, it depends on the specialist's competence, and there is a real chance of choosing a fragment (hash) size at which the analysis produces an excessive number of false positives. This drawback is not hard to eliminate if the vendor's recommendations for configuring the system are followed.

Another drawback is connected with the generation of the hashes themselves. In large IT systems that generate large volumes of data, the fingerprint database can reach such a size that checking traffic for matches against the reference noticeably slows down the operation of the entire information system.

The advantage of this approach is that the effectiveness of statistical analysis does not depend on the language or on the presence of non-textual information in the document. A hash is taken equally well of an English phrase, an image or a video.
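The fingerprinting procedure described above, as an added example that is not code from the article or from any of the products it reviews. It tokenizes a constructed reference document, hashes overlapping five-word fragments with SHA-256 (the digest and the fragment size k are assumptions), and scores an outbound message by the share of its fragments found in the reference set; changing k exposes the false-positive versus miss trade-off the text mentions.

```python
import hashlib
import re

# Constructed reference document standing in for a protected file (not from any real system).
REFERENCE_DOC = """Quarterly merger plan: the board intends to acquire Northwind Traders
for 42 million. The offer is valid until the end of the third quarter.
Do not distribute outside the executive committee."""


def normalize(text: str) -> list[str]:
    """Lower-case and tokenize, dropping punctuation, so that trivial edits
    (case, spacing, punctuation) do not defeat the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprints(text: str, k: int = 5) -> set[str]:
    """Cut the token stream into overlapping k-word fragments and hash each one.

    k is the 'reasonable size' of a fragment: too small and common phrases
    collide with the reference (false positives); too large and one small edit
    breaks every fragment it touches (misses). k=5 is an assumed default."""
    tokens = normalize(text)
    if not tokens:
        return set()
    if len(tokens) < k:
        # Very short text: one fragment covering everything.
        return {hashlib.sha256(" ".join(tokens).encode()).hexdigest()}
    return {
        hashlib.sha256(" ".join(tokens[i:i + k]).encode()).hexdigest()
        for i in range(len(tokens) - k + 1)
    }


def match_ratio(candidate: str, reference_fps: set[str], k: int = 5) -> float:
    """Share of the candidate's fragments whose hash appears in the reference set."""
    cand = fingerprints(candidate, k)
    if not cand:
        return 0.0
    return len(cand & reference_fps) / len(cand)


def is_confidential(candidate: str, reference_fps: set[str],
                    threshold: float = 0.3, k: int = 5) -> bool:
    """Policy decision: flag the candidate once enough of it matches the reference.
    The 0.3 threshold is an assumption a real deployment would tune."""
    return match_ratio(candidate, reference_fps, k) >= threshold


if __name__ == "__main__":
    ref = fingerprints(REFERENCE_DOC)
    # Constructed outbound messages: a verbatim excerpt, a lightly edited one, unrelated text.
    for msg in ("The board intends to acquire Northwind Traders for 42 million!",
                "Reminder: the board intends to acquire Northwind Traders for 42 million, see attached.",
                "Lunch menu for Friday: soup, salad and sandwiches in the cafeteria."):
        print(f"{match_ratio(msg, ref):.2f} {is_confidential(msg, ref)} {msg[:40]!r}")
```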

Linguistic and statistical methods are not suited to detecting data of a specific format in an arbitrary document, for example card numbers or passport numbers. To identify such typical structures in a body of information, the DLP core uses formal structure analysis technologies.
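An added example of formal structure analysis, not taken from the article or from any product it names: a regular expression finds candidate card numbers in a constructed text, and the Luhn mod-10 check rejects the many 13 to 19 digit strings that merely look like one, which is what keeps this method from flooding the operator with false positives. The Luhn algorithm is the real check used by payment card numbers; the pattern, the masking format and the sample text are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str   # matched text as it appeared; mask() it before logging
    start: int   # offset in the scanned text


# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
# Lookarounds stop the match from starting or ending inside a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, reduce
    doubled values above 9 by 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[Finding]:
    """Regex proposes candidates, Luhn disposes of look-alikes (order ids, phone
    numbers that happen to be long enough, timestamps glued together)."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("card_number", m.group(0), m.start()))
    return findings


def mask(value: str) -> str:
    """Keep only the last four digits so the DLP's own log does not become a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    # Constructed outbound message: one real-format card number, one 16-digit order id.
    sample = "Invoice 1234567890123456 paid with card 4111-1111-1111-1111 on 2013-12-01"
    for f in find_card_numbers(sample):
        print(f"{f.kind} at {f.start}: {mask(f.value)}")
```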

A high-quality DLP solution uses all the analysis methods, which work sequentially and complement each other; the technologies present in the core are what determine its capabilities.

No less important than the functionality of the core is the level at which the DLP system exercises control. There are two: the network level and the host level.

Developers of modern DLP products have abandoned implementing network-level protection on its own, since both the end devices and the network need protection.

Network-level control. Here the widest possible coverage of network protocols and services must be ensured. This concerns not only the "traditional" channels (FTP and others), but also newer network exchange systems (instant messengers and others). Unfortunately, encrypted traffic cannot be controlled at the network level, but DLP systems solve this problem at the host level.

Host-level control allows more detailed monitoring and analysis. In effect, the information security service gets a tool for complete control over the user's actions at the workstation. A DLP with a host architecture can track which documents are being worked on, what is typed on the keyboard, record audio, and so on. At the level of the end workstation, encrypted traffic is intercepted (), and the data being processed at the moment, as well as data stored on the user's PC for a long time, can be checked for confidential content.

In addition to their main tasks, DLP systems with host-level control provide additional information security measures: control over the installation and modification of software, blocking of I/O ports, etc.

The disadvantages of the host implementation are that systems with a wide range of functions are harder to administer and more demanding on the resources of the workstation itself. The management server regularly polls the "agent" module on the end device to check its availability and the currency of its settings. In addition, part of the workstation's resources will inevitably be "eaten" by the DLP module. Therefore, when choosing a leak prevention solution, it is important to pay attention to the hardware requirements.

The principle of separating the technologies in DLP systems is a thing of the past. Modern leak prevention solutions use methods that compensate for each other's shortcomings. With such a comprehensive approach, confidential data inside the information security perimeter becomes more resistant to threats.

DLP technology

Digital Light Processing (DLP) is an advanced technology developed by Texas Instruments. It made it possible to create very small, very light (3 kg, is that really a weight?) and, nonetheless, quite powerful multimedia projectors (more than 1000 ANSI lumens).

Brief history of the creation

A long time ago, in a galaxy far, far away.

In 1987, Dr. Larry J. Hornbeck invented the digital micromirror device (Digital Micromirror Device, or DMD). This invention completed a decade of Texas Instruments research into micromechanical deformable mirror devices (Deformable Mirror Devices, also called DMD). The essence of the discovery was to abandon flexible mirrors in favor of a matrix of rigid mirrors, each with only two stable positions.

In 1989, Texas Instruments became one of the few companies selected to implement the "projector" part of the U.S. High-Definition Display program, funded by the Advanced Research Projects Agency (ARPA).

In July 1992, TI demonstrated its first DMD-based system supporting the then-current ARPA resolution standard.

A high-definition TV (HDTV) version of the DMD, based on three high-resolution DMDs, was shown in 1994.

Mass sales of DMD chips began in 1995.

DLP technology

The key element of multimedia projectors built on DLP technology is a matrix of microscopic mirrors (DMD elements) made of an aluminum alloy with very high reflectivity. Each mirror is attached to a rigid substrate, which is connected to the base of the matrix through movable plates. Under the opposite corners of the mirrors are electrodes connected to cells of CMOS SRAM memory. Under the influence of the electric field, the substrate with the mirror takes one of two positions, differing by exactly 20° thanks to limiters placed on the matrix base.

These two positions correspond to reflecting the incoming light flux either into the lens or into an efficient light absorber that ensures reliable heat dissipation and minimal stray reflection.

The data bus and the matrix itself are designed to deliver up to 60 or more image frames per second with a color depth of 16 million colors.

The mirror matrix together with the CMOS SRAM forms the DMD chip, the basis of DLP technology.

The small size of the chip is impressive. The area of each mirror in the matrix is 16 microns or less, and the gap between mirrors is about 1 micron. The chip, and not just one, fits easily in the palm of a hand.

In total, if Texas Instruments is not deceiving us, three types of chips with different resolutions are produced. These are:

  • SVGA: 848×600; 508,800 mirrors
  • XGA: 1024×768 with black aperture (inter-mirror gap); 786,432 mirrors
  • SXGA: 1280×1024; 1,310,720 mirrors

So we have a matrix; what can we do with it? Well, obviously, illuminate it with a sufficiently powerful light flux and place an optical system in the path of one of the mirrors' reflection directions to focus the image on the screen. In the path of the other direction it is wise to place a light absorber so that the unwanted light causes no trouble. Now we can project monochrome pictures. But where is the color? Where is the brightness?

And this is where the invention of our friend Larry, mentioned in the first paragraph of the history section, comes in. If you still do not see what this is about, get ready, because now you may be shocked :), since this elegant and quite obvious solution is today the most advanced and technologically sophisticated in the field of image projection.

Remember the children's trick with a spinning flashlight, whose light at any given moment merges into a glowing circle. This inertia of our vision is what allows us to abandon analog imaging systems in favor of digital ones. After all, even digital monitors are analog in nature at the last stage.

What happens if a mirror is made to switch from one position to the other at high frequency? If the mirror's switching time is neglected (and given its microscopic size it can be), the apparent brightness will drop by no less than half. By changing the ratio of the time each mirror spends in one position or the other, we can easily change the apparent brightness of the image. And since the cycle frequency is very high, no visible flicker will appear. Eureka. Nothing special, though: all this has been known for a long time :)

Well, now the final touch. If the switching speed is high enough, we can sequentially place color filters in the light path and thereby create a color image.

That, in fact, is the whole technology. Its further evolutionary development we will trace using multimedia projectors as an example.

DLP projector device

Texas Instruments does not itself make DLP projectors; that is done by many other companies, such as 3M, ACER, PROXIMA, PLUS, ASK PROXIMA, OPTOMA CORP., DAVIS, LIESEGANG, INFOCUS, VIEWSONIC, SHARP, COMPAQ, NEC, TOSHIBA and others. Most of the projectors produced are portable, weighing from 1.3 to 8 kg with brightness up to 2000 ANSI lumens. Projectors are divided into three types.

Single matrix projector

The simplest type, which we have already described, is the single-matrix projector, where between the light source and the matrix is a rotating disk with color filters: blue, green and red. The disk's rotation frequency determines the frame rate we are used to.

The image is formed in turn by each of the primary colors, resulting in an ordinary full-color image.

All, or almost all, portable projectors are built on the single-matrix design.

A further development of this type of projector was the introduction of a fourth, transparent light filter, which significantly increases image brightness.

Three-matrix projector

The most complex type of projector is the three-matrix projector, in which the light is split into three color streams reflected from three matrices at once. Such a projector has the purest color and a frame rate not limited by the disk rotation speed of single-matrix projectors.

Exact alignment of the reflected flux from each matrix (convergence) is ensured with a prism, as you can see in the figure.

Dual Matrix Projector

The intermediate type is the dual-matrix projector. Here the light is split into two streams: red is reflected from one DMD matrix, and blue and green from the other. The color filter, accordingly, removes the blue and green components from the spectrum in turn.

A dual-matrix projector provides image quality intermediate between the single-matrix and three-matrix types.

Comparison of LCD and DLP projectors

Compared to LCD projectors, DLP projectors have a number of important advantages:

What are the downsides of DLP technology?

Theory is theory, but in practice there is still work to be done. The main shortcoming is the immaturity of the technology and, as a result, the problem of sticking mirrors.

The thing is that at such microscopic dimensions, small parts tend to "stick together", and the mirror with its base is no exception.

Despite Texas Instruments' efforts to introduce new materials that reduce micromirror sticking, the problem exists, as we saw while testing the Infocus LP340 multimedia projector. But, I should note, it does not particularly interfere with life.

Another problem is less obvious and lies in the optimal choice of mirror switching modes. Each company producing DLP projectors has its own opinion on the matter.

And one last thing. Despite the minimal time it takes the mirrors to switch from one position to the other, this process leaves a faint trail on the screen. A kind of free anti-aliasing.

Development of technology

  • In addition to the introduction of a transparent light filter, work is steadily underway to reduce the inter-mirror gap and the area of the post that attaches the mirror to the substrate (the black dot in the middle of the image element).
  • By splitting the matrix into separate blocks and widening the data bus, the mirror switching frequency is being increased.
  • Work is underway to increase the number of mirrors and reduce the size of the matrix.
  • The power and contrast of the light flux are steadily increasing. Three-matrix projectors with brightness over 10,000 ANSI lumens and a contrast ratio of more than 1000:1 already exist and have found their place in modern cinemas that use digital media.
  • DLP technology is fully ready to replace CRT technology for displaying images in home theaters.

Conclusion

This is not everything that could be said about DLP technology; for example, we did not touch on the use of DMD matrices in printing. We left out information that Texas Instruments has not confirmed and that comes from other sources, so as not to mislead you. I hope this brief account is enough to gain not only a superficial but a sufficient understanding of the technology, and to stop tormenting sales staff with questions about the superiority of DLP projectors over others.


Thanks to Oleksia Slepinin for assistance in preparing the material

The choice of a specific DLP system depends on the required level of data security and is therefore made individually. For help choosing a DLP system and integrating it into the company's IT infrastructure, fill out the application form and we will contact you as soon as possible.

What is a DLP system?

A DLP system (Data Leak Prevention, translated from English as data leak prevention methods) is a set of technologies and technical devices that prevent leaks of confidential information from information systems.

DLP systems analyze data flows and control their movement within the entire perimeter of the protected information system. This can include FTP connections, corporate and web mail, local connections, instant messaging, and data sent to the printer. Whenever confidential information is detected in a flow, a system component is activated that blocks transmission of the data stream.

In other words, DLP systems protect confidential and strategically important documents whose leakage from the information system can cause irreparable harm to the company, as well as violate Federal Law No. 98-FZ "On Commercial Secrets" and No. 152-FZ "On Personal Data". Protection of information from leaks is also addressed in the standard GOST R ISO/IEC 17799-2005 "Information technology. Code of practice for information security management".

As a rule, a leak of confidential information can occur both as a result of a malicious intrusion and as a result of carelessness or negligence by company employees, as well as insider activity: the deliberate transfer of confidential information by the company's own staff. Therefore, DLP systems use the most reliable technologies for protecting against leaks of confidential information: they identify protected information regardless of document type, format, or transmission channel.

A DLP system also controls all channels that are commonly used to transmit information electronically. Information flows are automatically processed in accordance with the established security policy. If an information flow conflicts with the security policy established by the company, the data transfer is blocked, and the company's designated information security officer is notified of the attempted transfer of confidential information.

Using a DLP system first of all ensures compliance with the requirements of the PCI DSS standard regarding the level of information security in the enterprise. DLP systems also perform automatic audits of protected information according to its location and provide automated control over the movement of confidential information within the company in accordance with the established rules, detecting and preventing incidents of unauthorized disclosure of secret information. By responding to incidents, the leak prevention system handles high-risk situations and also controls information flows in retrospective analysis and emergency response modes.
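The policy-based blocking and officer notification described two paragraphs above, together with the incident audit trail kept for retrospective analysis, as an added example (not code from this page or from any vendor's product). The monitored channel list, the security officer address and the sample events are constructed assumptions; confidential data is recognised both by a container label and by content inspection, here Luhn-checked card numbers, since PCI DSS is the standard the text names.

```python
import re
from dataclasses import dataclass

# Constructed policy for the example (hypothetical names): channels the DLP
# monitors and the security officer notified when a transfer is blocked.
MONITORED_CHANNELS = {"smtp", "webmail", "ftp", "im", "usb", "printer"}
SECURITY_OFFICER = "infosec-officer@example.internal"
INCIDENTS: list[dict] = []  # audit trail kept for retrospective analysis

@dataclass
class FlowEvent:
    channel: str   # transmission channel the data travels over
    sender: str
    label: str     # container label such as "confidential"; "" if none
    content: str   # text extracted from the transferred data

def luhn_ok(digits: str) -> bool:
    # Luhn checksum rejects digit runs that merely look like a card number
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators

def find_pans(text: str) -> list[str]:
    # Return normalised card numbers in text that pass the Luhn check
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def evaluate(event: FlowEvent) -> dict:
    # Policy order: is the channel monitored, then label check, then content check
    if event.channel not in MONITORED_CHANNELS:
        return {"action": "allow", "reasons": ["channel not monitored"], "notify": None}
    reasons = []
    if event.label == "confidential":
        reasons.append("container label: confidential")
    if pans := find_pans(event.content):
        reasons.append(f"content: {len(pans)} Luhn-valid card number(s)")
    if not reasons:
        return {"action": "allow", "reasons": [], "notify": None}
    INCIDENTS.append({"channel": event.channel, "sender": event.sender, "reasons": reasons})
    return {"action": "block", "reasons": reasons, "notify": SECURITY_OFFICER}
```

A real deployment would add more content detectors (personal data, document fingerprints) and extract text from attachments before evaluation; the decision structure stays the same.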

DLP systems are deployed in both small and large enterprises to prevent information leaks, thereby protecting the company from the financial and legal risks that arise from the loss or transfer of important corporate or confidential information.