What is DLP? DLP systems: what it's all about

A leak of commercially significant information can cause the company serious losses, both financial and reputational. The configuration of DLP components covers control of internal browsing, e-mail, data exchange, work with files and tasks, launching of programs on the desktop, connection of external devices, calls, SMS messages and telephone conversations. All suspicious operations are monitored, and a database of precedents is built up. For this purpose, DLP systems use mechanisms for designating confidential information: special document markers and their locations are analyzed (along with keywords, phrases and sentences). A wide range of additional functions is available for personnel control (legitimacy of actions within the company, allocation of working time, down to the use of printers).

Since the priority is full control over data transmission, a step-by-step configuration of DLP is essential: identifying possible information leak channels, controlling end devices and managing user access to company resources. Since the priority is the movement of important corporate information across the organization, the channels and transmission methods are also enumerated. DLP systems are configured individually for each customer, based on the threat model, the category of potential damage and the set of possible leak channels.

DLP occupies a large niche in the economic security market. According to research by the Anti-Malware.ru analytical center, demand from companies for DLP systems is growing, along with sales and the range of products. It is important to control the transfer of sensitive information not only inside the organization but also at the boundary of the information system. Moreover, companies are expanding virtualization in corporate information systems and use mobile devices everywhere, so corporate control over mobile devices is one of the key tasks.

It is important to ensure integration of the chosen DLP system with the corporate IT infrastructure, such as the software the company already uses. To successfully capture data leaks and operations with sensitive corporate information, it is necessary to set up stable operation of the DLP, adjust its functionality to the specification, install agents to control corporate e-mail, screenshots, USB drives, instant messengers, removable and mobile devices, and, in a large corporation, integrate it with a SIEM system within the SOC.

Entrust the deployment of DLP systems to specialists. The system integrator "Radius" can install and configure DLP in accordance with information security standards and regulations, as well as the specifics of the client company.

A DLP system should be used when it is necessary to protect confidential data from internal threats. While information security specialists have sufficiently mastered the tools for defending against external attackers, the situation with internal threats is not so smooth.

The place of a DLP system in the information security structure requires an understanding of the following:

  • how the company's security specialists organize control over confidential data flows;
  • which information must be protected against the risk of a breach of confidentiality.

General knowledge will help specialists better understand the principles of DLP technology and correctly configure protection against leaks.

The DLP system is responsible for distinguishing confidential from non-confidential information. If all the data inside an organization's information system is analyzed, the problem of excessive load on IT resources and personnel arises. DLP therefore operates mainly in "tandem" with a responsible specialist, who ensures that the system is configured correctly, introduces new rules and removes irrelevant ones, and monitors current, blocked or suspicious information in the system.

To configure "SearchInform KIB", rules for responding to cybersecurity incidents are used: the system has 250 built-in policies that can be adjusted to meet the company's requirements.

The functionality of a DLP system is built around its "core": the software algorithm responsible for identifying and categorizing the information that needs protection from leaks. The core of most DLP solutions is based on two technologies: linguistic analysis and statistical methods. Less common techniques, such as labeling or formal analysis methods, may also be used in the core.

Developers of anti-leak systems supplement the core algorithm with system agents, incident management mechanisms, parsers, protocol analyzers, interceptors and other tools.

Early DLP systems relied on a single method at the core: either linguistic or statistical analysis. In practice, the shortcomings of each technology were compensated by the strengths of the other, and the evolution of DLP led to systems that combine both in a universal core.

The linguistic method of analysis works directly with the content of the file or document. This makes it possible to ignore parameters such as the file name, the presence or absence of a signature on the document, or who created it. Linguistic analysis technology includes:

  • morphological analysis: searching for all possible word forms of the information that must not leak;
  • semantic analysis: searching for occurrences of important (key) information in a file, matching them against the file's attributes, and assessing the context of the match.

Linguistic analysis is most effective with large amounts of text. For a long text, a DLP system with a linguistic analysis algorithm will classify it correctly, assign it to the required category and apply the configured rule. For short documents, the stop-word technique, which has proven effective in fighting spam, works better.

Self-learning in systems with a linguistic analysis algorithm has reached a high level. Early DLP suites required predefined categories and other stages of "training", but today's systems have sophisticated self-learning algorithms: identifying category features and independently forming and changing response rules. Setting up such software systems to protect data no longer requires hiring linguists.

A limitation of linguistic analysis is that it is tied to a specific language, so a DLP system with an English core cannot be used to analyze Russian information flows, and so on. Another shortcoming is the difficulty of unambiguous categorization with a probabilistic approach, which keeps classification accuracy in the range of 95%, and that can be critical for a company with a large volume of confidential information.

Statistical methods of analysis, in contrast, demonstrate accuracy close to 100%. The weaknesses of the statistical core are associated with the analysis algorithm itself.

At the first stage, the document (text) is divided into fragments of a reasonable size (not character by character, but small enough to ensure accuracy). A hash is taken of each fragment (in DLP systems the term "digital fingerprint" is used). The hash is then compared with the hash of the reference fragment taken from the protected document. If they match, the system marks the document as confidential and applies the security policy to it.

The disadvantage of the statistical method is that the algorithm cannot learn on its own or form categories and types. As a result, much depends on the competence of the specialist and on the size of the fragments hashed: if they are too small, the analysis produces an excessive number of false positives. Choosing the size is easier if the manufacturer's recommendations for configuring the system are followed.

The formation of hashes has other shortcomings as well. In large IT systems that generate big volumes of data, the fingerprint database can reach such a size that checking traffic against the reference set significantly slows down all information systems.

The advantage of this approach is that the effectiveness of statistical analysis does not depend on the presence of non-textual information in the document. The hash works equally well with English phrases, images and video.
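The fragment-and-hash procedure described above, written out as an added example; this is not code from any DLP product in the article. It fingerprints a constructed "reference" document, checks two constructed outgoing messages against it, and uses overlapping word fragments so that a sender inserting a word does not defeat every later fragment. The fragment size, the decision threshold and the sample texts are my assumptions.

```python
# Digital-fingerprint ("statistical") matching, added as an illustration of the
# fragment-and-hash procedure.  Not vendor code; fragment size, threshold and
# sample documents are constructed assumptions.
import hashlib
import re
from typing import List, Set

FRAGMENT_WORDS = 5   # words per fragment (assumption; a real product tunes this)


def _tokens(text: str) -> List[str]:
    # Lower-case word tokens, so whitespace, punctuation and case changes
    # do not alter the hashes.
    return re.findall(r"\w+", text.lower())


def fragments(text: str, n: int = FRAGMENT_WORDS) -> List[str]:
    """Overlapping fragments of n consecutive words.

    The sliding window keeps the method robust: a word inserted or deleted by
    the sender shifts the windows after it, but every unchanged run of n words
    still hashes to the same value.
    """
    words = _tokens(text)
    if len(words) < n:
        return [" ".join(words)] if words else []
    return [" ".join(words[i:i + n]) for i in range(len(words) - n + 1)]


def _digest(fragment: str) -> str:
    return hashlib.sha256(fragment.encode("utf-8")).hexdigest()


def fingerprint(text: str, n: int = FRAGMENT_WORDS) -> Set[str]:
    """The set of fragment hashes is the document's digital fingerprint.
    Only hashes are stored, never the protected text; the set grows with
    document size, which is the database-size cost noted above."""
    return {_digest(f) for f in fragments(text, n)}


def match_ratio(candidate: str, reference: Set[str], n: int = FRAGMENT_WORDS) -> float:
    """Share of the candidate's fragments found in the reference fingerprint."""
    frags = fragments(candidate, n)
    if not frags:
        return 0.0
    hits = sum(1 for f in frags if _digest(f) in reference)
    return hits / len(frags)


def is_confidential(candidate: str, reference: Set[str], threshold: float = 0.3) -> bool:
    """Policy decision: a large enough share of the candidate matches a protected document."""
    return match_ratio(candidate, reference) >= threshold


# Constructed protected document (registered with the system in advance).
REFERENCE_DOC = (
    "Project Aurora financial summary. Projected revenue for the fourth quarter "
    "is 12.4 million dollars. Merger talks with Northwind remain confidential "
    "until the board approves the term sheet."
)
REFERENCE_FP = fingerprint(REFERENCE_DOC)

# Constructed outgoing messages: one quotes a sentence of the protected document
# inside unrelated text, the other is harmless small talk.
LEAK_EMAIL = ("FYI: merger talks with Northwind remain confidential until the "
              "board approves the term sheet. Don't forward.")
BENIGN_EMAIL = "Lunch on Friday? The new place on Fourth Street has a quarterly deal, apparently."

if __name__ == "__main__":
    for msg in (LEAK_EMAIL, BENIGN_EMAIL):
        print(f"{match_ratio(msg, REFERENCE_FP):.2f}  "
              f"confidential={is_confidential(msg, REFERENCE_FP)}  {msg[:40]!r}")
```

The quoted sentence gives 9 of 13 fragments in the reference set (the three fragments that straddle the quote and the surrounding chatter do not match), while the unrelated message scores 0. The threshold is what a specialist tunes: too low and ordinary phrases shared between documents trigger alerts, which is the false-positive problem the text describes.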

Linguistic and statistical methods are not suited to identifying data of a fixed format in an arbitrary document, for example a card number or a passport number. To identify such typical structures in an array of information, the DLP core uses technologies for analyzing formal structures.

In a full-featured DLP solution, all the analysis methods are combined and applied sequentially, complementing each other.

That is what the set of technologies in the core makes possible.
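An added example of the formal-structure analysis just described, for the card-number case the text mentions; it is not code from any product in the article. A regular expression finds candidate digit groups, and a Luhn checksum rejects digit strings that merely look like card numbers (order or tracking numbers), which is what keeps this class of rule from flooding the archive with false positives. The pattern, the length bounds and the sample text are my constructed assumptions.

```python
# Formal-structure detection for payment card numbers, added as an illustration;
# not code from any DLP product.  Pattern, checksum step and sample text are
# constructed assumptions.
import re
from typing import List

# Candidate card number: 13-19 digits, optionally grouped with spaces or dashes,
# and not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the structural check that separates real card numbers
    from arbitrary digit strings (order numbers, tracking codes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return separator-free card numbers found in text.
    The regex alone over-matches; the checksum rejects most false positives."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(number: str) -> str:
    """What an incident record should store instead of the full value."""
    return "*" * (len(number) - 4) + number[-4:]


SAMPLE_TEXT = (  # constructed: one real-looking number, one order number, one typo
    "Customer paid with 4111 1111 1111 1111 (exp 12/25). Order 1234567890123456 "
    "shipped; the refund card 4111-1111-1111-1112 was rejected."
)

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_TEXT):
        print("card number detected:", mask(pan))
```

Only the first number survives: the order number and the mistyped card fail the checksum. A checksum does not remove every false positive (some arbitrary 16-digit strings pass Luhn by chance, roughly one in ten), which is why a full core chains this check with the other methods described above rather than acting on it alone.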

No less important than the functionality of the core is the level of control provided by the DLP system. There are two of them: network level and host level.

Developers of modern DLP products have moved away from implementing protection at only one of the levels, since both end devices and the network need protection.

Network-level control. In this case, the widest possible coverage of network protocols and services is ensured. This concerns not only "traditional" channels (FTP and others) but also newer network exchange systems (instant messengers and others). Unfortunately, encrypted traffic cannot be controlled at the network level, but DLP systems solve this problem at the host level.

Host-level control allows more detailed monitoring and analysis. In effect, the information security service gets a tool for complete control over the user's actions at the workstation. DLP with a host-based architecture can intercept documents typed on the keyboard, record audio and take screenshots. On the end workstation itself, traffic encryption takes place, so confidential data can be checked at the moment it is processed, as well as data stored on the user's PC for a long time.

In addition to the above, DLP systems with host-level control provide additional information security measures: control of software installation and changes, blocking of I/O ports, etc.

The disadvantages of the host implementation are that systems with such a wide range of functions are harder to administer and more demanding of the workstation's own resources. The management server regularly polls the "agent" module on the end device to check its availability and the currency of its settings. In addition, some of the workstation's resources will inevitably be "consumed" by the DLP module. Therefore, when selecting a leak-protection solution, it is important to pay attention to hardware requirements.

The single-technology principle in DLP systems is a thing of the past. Modern software solutions for leak control combine methods that compensate for one another's shortcomings. With a comprehensive approach, confidential data inside the information security perimeter becomes more resistant to threats.

28.01.2014 Sergiy Korablov

Selecting a corporate-level product is a difficult task for technical specialists and security professionals who make decisions on non-trivial matters. Selecting a Data Leak Protection (DLP) system is even more complex. The absence of a unified conceptual framework and of regular independent research, together with the complexity of the products themselves, forces customers to run lengthy pilot projects and carry out numerous tests themselves, comparing their requirements with the capabilities of the systems being evaluated.

Such an approach is undoubtedly correct. A considered, and in some cases hard-won, decision avoids disappointment when operating a particular product. However, the decision-making process can drag on for many months. In addition, the constant expansion of the market and the emergence of new solutions and manufacturers further complicate the task, not only of choosing a product for implementation but also of drawing up a preliminary shortlist of suitable DLP systems. In such conditions, up-to-date reviews of DLP systems have undeniable practical value for technical specialists. Should a specific solution be included in the list for testing? Would it be difficult to implement in a small organization? Can the solution be scaled up for a company of 10 thousand employees? Can a DLP system control business-critical CAD files? Note that this review is not a substitute for thorough testing, but rather answers the basic questions that arise at the initial stage of choosing a DLP.

Participants

The participants were the DLP systems most popular on the Russian information security market (according to the Anti-Malware.ru analytical center as of mid-2013): those of InfoWatch, McAfee, Symantec, Websense, Zecurion and Jet Infosystems.

For the analysis, the versions of the DLP systems commercially available at the time the review was prepared were used, as well as documentation and product reviews.

The criteria for comparing DLP systems were selected based on the needs of companies of different sizes and lines of business. The main task of a DLP system is to prevent leaks of confidential information through various channels.

Examples of the vendors' products are shown in Figures 1–6.

Figure 3. Symantec product

Figure 4. InfoWatch product

Figure 5. Websense product

Figure 6. McAfee product

Operating modes

There are two main operating modes of DLP systems: active and passive. Active is the main operating mode, in which actions that violate security policies are blocked, for example sending confidential information to an external mailbox. Passive mode is most often used at the stage of configuring the system, for verification and tuning, when the rate of false positives is high. Here policy violations are recorded, but no restrictions on the movement of information are imposed (Table 1).


In this respect, all the systems analyzed turned out to be equivalent. Each DLP can work in both active and passive modes, which gives the customer freedom of choice. Not all companies are ready to start using DLP in blocking mode: this can disrupt business processes and cause dissatisfaction among the monitored departments and complaints (including justified ones) from management.
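An added example of the two operating modes, and of the event archive discussed later in the review; it is not code from any product in the article. The engine evaluates constructed outgoing mail against two constructed policies: in passive mode every violation is only recorded and the message passes, in active mode the same violation blocks it. The domain, the policies and the messages are my assumptions.

```python
# Active vs. passive mode with an incident archive, added as an illustration.
# Not vendor code; domains, policies and messages are constructed assumptions.
from dataclasses import dataclass, field
from enum import Enum
import re
from typing import Callable, List, Tuple


class Mode(Enum):
    ACTIVE = "active"    # violations are blocked
    PASSIVE = "passive"  # violations are recorded only (tuning / pilot stage)


INTERNAL_DOMAINS = {"example.com"}   # assumption: the company's own mail domain
CONFIDENTIAL_MARK = re.compile(r"\bconfidential\b", re.IGNORECASE)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


@dataclass
class Policy:
    name: str
    violated: Callable[[str, str], bool]   # (destination, body) -> True on violation


@dataclass
class Event:
    destination: str
    policy: str
    action: str        # "blocked" or "logged"
    excerpt: str       # short excerpt kept as evidence for investigation


@dataclass
class DlpEngine:
    mode: Mode
    policies: List[Policy]
    archive: List[Event] = field(default_factory=list)

    def inspect(self, destination: str, body: str) -> str:
        """Return "block" or "allow".  Every violation is archived in both
        modes; only ACTIVE mode turns a violation into a block."""
        verdict = "allow"
        for policy in self.policies:
            if policy.violated(destination, body):
                action = "blocked" if self.mode is Mode.ACTIVE else "logged"
                if action == "blocked":
                    verdict = "block"
                self.archive.append(Event(destination, policy.name, action, body[:40]))
        return verdict


POLICIES = [
    Policy("confidential-marker-to-external",
           lambda dst, body: is_external(dst) and bool(CONFIDENTIAL_MARK.search(body))),
    Policy("project-codename-to-external",
           lambda dst, body: is_external(dst) and "aurora" in body.lower()),
]

SAMPLE_MESSAGES: List[Tuple[str, str]] = [   # constructed outgoing mail
    ("partner@outside.test", "Attached: CONFIDENTIAL Q4 forecast for Project Aurora."),
    ("cfo@example.com",      "Attached: CONFIDENTIAL Q4 forecast for Project Aurora."),
    ("friend@outside.test",  "Lunch on Friday?"),
]


def run(mode: Mode) -> Tuple[List[str], List[Event]]:
    """Inspect the sample messages in the given mode; return verdicts and the archive."""
    engine = DlpEngine(mode, POLICIES)
    verdicts = [engine.inspect(dst, body) for dst, body in SAMPLE_MESSAGES]
    return verdicts, engine.archive


if __name__ == "__main__":
    for mode in Mode:
        verdicts, archive = run(mode)
        print(mode.value, verdicts, [(e.policy, e.action) for e in archive])
```

Reviewing the archive produced by a passive-mode run is exactly the tuning step the text describes: the same events would have been blocks in active mode, so the security officer can see which rules would have disrupted business processes before switching the mode.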

Technologies

Detection technologies make it possible to classify information transmitted through electronic channels and identify confidential data. Today there are several basic technologies and their variants, similar in essence but different in implementation. Each technology has its advantages and disadvantages. In addition, different types of technologies suit different classes of information. Therefore, DLP vendors strive to integrate as many technologies as possible into their products (Table 2).

All the products offer a wide range of technologies that, when properly tuned, ensure a high level of recognition of confidential information. The DLP systems of McAfee, Symantec and Websense are poorly adapted to the Russian market and cannot offer customers the "modern" technologies: morphology, translation analysis and masked text.

Monitored channels

Each data transmission channel is a potential leak channel. Even a single open channel can cause headaches for the information security service that controls information flows. It is therefore important to block the channels that employees do not need for their work, and to control the remaining ones with leak-prevention systems.

Despite the fact that most modern DLP systems control a large number of network channels (see Table 3), unneeded channels should be blocked entirely. For example, if an employee works only on a computer with an internal database, Internet access can be disabled for it altogether.

Similar rules apply to local leak channels. However, local channels are harder to block, since the ports are often needed to connect peripherals, I/O devices, etc.

Encryption plays a special role in protecting traffic through local ports, mobile storage devices and other devices. Encryption tools are easy to use, and their operation can be transparent to users. At the same time, encryption eliminates a whole class of risks related to unauthorized access to information and the loss of mobile storage devices.

The situation with the control of local channels is shown in Table 4. All products successfully monitor USB devices and local printers. Also, although encryption is considered important, this capability is absent in only some products, and forced encryption based on content analysis is present only in Zecurion DLP.

To protect against leaks, it is important not only to recognize confidential data during transmission but also to limit its spread in the corporate environment. For this purpose, developers include in DLP systems tools that can identify and classify information stored on servers and workstations in the network (see Table 5). Data that violates information security policies can be deleted or moved to a secure location.

To identify confidential information on corporate network nodes, the same technologies are used as for monitoring leaks through electronic channels. The main difference is architectural. Whereas traffic and file operations are analyzed to monitor leaks, to find unauthorized copies of confidential data the stored information is scanned: the contents of workstations and network servers.

Of the DLP systems considered, only InfoWatch and Dozor-Jet ignore the identification of storage locations. This is not a critical function for preventing leaks through electronic channels, but it substantially limits the ability of a DLP system to prevent leaks proactively. For example, a confidential document crossing the corporate boundary is a leak. But if the storage location of the document is not regulated, if the information owners and security officers do not know where it is stored, they cannot take measures in time, and possible unauthorized access to such information or documents will not fall under the security rules.

Ease of management

Characteristics such as ease of use and management may be no less important than the technical capabilities of the solution. A complex product will be difficult to implement; the project will take more time, effort and, consequently, money. A DLP system that has already been introduced requires the attention of technical specialists. Without proper maintenance, regular audits and adjustments, the quality of recognition of confidential information will decline greatly over the years.

A management interface in the native language of the security service is the first step to simplifying work with the DLP system. It not only makes it easier to understand what a particular setting is responsible for, but also significantly speeds up the configuration of the large number of parameters that must be adjusted for the system to work correctly. English can be an obstacle for Russian administrators in understanding specific technical terms unambiguously (see Table 6).

Most solutions are managed from a single (for all components) console with a web interface (see Table 7). The exceptions are the Russian InfoWatch (no single console) and Zecurion (no web interface). However, both vendors have already announced web consoles in their upcoming products. The absence of a single console at InfoWatch stems from the different technological bases of its products. Development of its own agent solution was suspended for a long time, and the current EndPoint Security is a successor to the third-party product EgoSecure (formerly known as Cynapspro), acquired by the company in 2012.

Another point that can be held against the InfoWatch solution is that configuring and operating the flagship DLP product InfoWatch TrafficMonitor requires knowledge of the special LUA scripting language, which complicates operation of the system. Nevertheless, for most technical specialists the prospect of raising their professional level and learning an additional, albeit not very popular, language will be received positively.

Separation of system administrator roles is necessary to minimize the risk of a super-user with unrestricted rights appearing, and of other abuse involving the DLP.

Logging and reporting

A DLP archive is a database in which the objects (files, e-mails, HTTP requests, etc.) captured by the system's sensors during operation are accumulated and stored. The information collected in the database can be used for various purposes, including analyzing employees' actions, keeping copies of critically important documents, and as the basis for investigating information security incidents. In addition, a database of all events is essential at the implementation stage of a DLP system, as it helps to analyze the behavior of the DLP components (for example, to understand why certain operations are blocked) and to adjust security settings (see Table 8).


There are significant architectural differences between Russian and foreign DLP systems. The latter keep no archive at all. In this case the DLP itself becomes simpler to maintain (there is no need to maintain, store, back up and restore a large volume of data), but not to operate. The archive also helps in setting up the system: it helps understand why a transfer of information was blocked, verify that a rule was applied correctly, and make the necessary adjustments to the configuration. Note also that DLP systems require not only initial configuration at installation but also regular "tuning" during operation. A system that is not properly maintained by technical specialists loses much of its recognition quality. As a result, both the number of incidents and the number of false positives increase.

Reporting is an important part of any activity. Information security is no exception. Reports in DLP systems perform several functions. First, short and concise reports allow heads of IS services to quickly monitor the state of information protection without going into details. Second, detailed reports help security officers adjust security policies and system settings. Third, visual reports can be shown to the company's top managers to demonstrate the results of the DLP system and of the IS specialists themselves (see Table 9).

Almost all the competing solutions reviewed provide both graphical reports, convenient for top managers and heads of IT services, and tabular ones, more suitable for technical specialists. Graphical reports are missing only in DLP InfoWatch, for which its rating was reduced.

Certification

The discussion about the need to certify information security tools, DLP included, remains open, and experts often argue about this topic in professional discussions. The general opinion is that certification itself does not provide serious competitive advantages. At the same time, there are a number of customers, primarily government organizations, for whom the presence of one certificate or another is mandatory.

In addition, the certification procedure is poorly aligned with the software development cycle. As a result, consumers face a choice: buy an outdated, certified version of the product, or a current one that has not passed certification. The standard way out is to buy a certified product "for the shelf" and to deploy a new product in practice (see Table 10).

Results

Let us summarize the DLP solutions reviewed. On the whole, all participants made a favorable impression and can be used to prevent information leaks. The differences between the products allow us to specify their areas of application.

The InfoWatch DLP system can be recommended to organizations for which an FSTEC certificate is essential. However, the latest certified version of InfoWatch Traffic Monitor was certified at the end of 2010, and the certificate expires at the end of 2013. Agent solutions based on InfoWatch EndPoint Security (also known as EgoSecure) are more suitable for small businesses and can be used separately from Traffic Monitor. Joint use of Traffic Monitor and EndPoint Security may run into scaling problems in large companies.

The products of foreign vendors (McAfee, Symantec, Websense), according to independent analytical agencies, are significantly less popular than Russian ones. The reason is the low level of localization, and the point is not the complexity of the interface or the lack of Russian documentation. The recognition technologies, the preset templates and the rules are "sharpened" for the use of DLP in Western countries and aimed at meeting Western regulatory requirements. As a result, recognition of information is noticeably weaker, and compliance with foreign standards is often irrelevant. The products themselves are not bad at all, but the specifics of DLP use on the Russian market are unlikely to let them become more popular than domestic developments in the near future.

Zecurion DLP stands out for its high scalability (the only Russian DLP system with confirmed deployments of more than 10 thousand workstations) and high technological maturity. Surprisingly, however, it lacks a web console, which would simplify the management of a corporate solution aimed at different market segments. Among the strengths of Zecurion DLP are the high accuracy of recognizing confidential information and a complete range of leak-protection products, including protection at gateways, workstations and servers, detection of where information is stored, and data encryption tools.

The Dozor-Jet DLP system, one of the pioneers of the domestic DLP market, is widely used among Russian companies and continues to grow its client base thanks to the extensive connections of the system integrator Jet Infosystems, the DLP's developer. Although technologically somewhat behind its more advanced counterparts, this DLP can be used in many companies. In addition, unlike the foreign solutions, Dozor-Jet allows keeping an archive of all events and files.


Introduction

This overview is intended for everyone interested in the market for DLP solutions and, first of all, for those who want to choose the right DLP solution for their company. It looks at the market for DLP systems in the broad sense of the term, gives a brief description of the global market and, in more detail, the Russian segment.

Systems for protecting valuable data arose as soon as such data appeared. Over the centuries, these systems have developed and evolved along with humanity. With the beginning of the computer era and the transition of civilization into the post-industrial age, information gradually became the main asset of states, organizations and even private individuals, and computer systems became the main tool for storing and processing it.

States have always protected their secrets, but with their own means and methods, which, as a rule, did not affect the emerging market. In the post-industrial era, banks and other financial institutions became the first victims of computer leaks of valuable information. The world banking system was the first to require legislative protection of its information. The need to protect privacy then became apparent in medicine. As a result, for example, the United States adopted the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX), and the Basel Committee issued a series of recommendations known as the "Basel Accords". Such developments gave a strong impetus to the market for computer information protection systems. Following the growing demand, companies began to appear that launched the first DLP systems.

What are DLP systems?

There are several generally accepted readings of the term DLP: Data Loss Prevention, Data Leak Prevention or Data Leakage Protection, which can be translated into Russian as "prevention of data loss", "prevention of data leaks", "protection against data leaks". The term became widely used and established itself on the market around 2006. The first DLP systems appeared much earlier, as a response to leaks of valuable information. They were designed to detect and block the transmission of information that could be identified by keywords or expressions and, later, by digital "fingerprints" of confidential documents.

The further development of DLP systems was driven by incidents on the one hand and state legislation on the other. The growing demand for protection against various types of threats led companies to need comprehensive protection systems. Currently, DLP products, in addition to protecting against data leaks, provide protection from internal and external threats, tracking of employees' working time, and control of their actions at workstations, including remote ones.

Blocking the transfer of confidential data, the canonical function of DLP systems, is absent from many modern solutions that developers bring to this market. Such solutions are suitable only for monitoring the corporate information environment, but through a manipulation of terminology they are called DLP and are presented as such on this market.

Currently, the main interest of DLP developers has shifted to breadth of coverage of potential leak channels and to the development of analytical tools for investigating and analyzing incidents. Modern DLP products intercept the viewing of documents, their copying to external media, the launching of applications on workstations and the connection of external devices to them, and modern analysis of intercepted traffic can reveal leaks even through some tunneling and encrypted protocols.

In addition to developing their own functionality, modern DLP systems offer extensive capabilities through integration with various products, including competing ones. Examples include broad support for the ICAP protocol provided by proxy servers, and the integration of the DeviceSniffer module, part of the "SearchInform Information Security Circuit", with Lumension Device Control. Further development of DLP systems is proceeding toward integration with IDS/IPS products, SIEM solutions, document management systems and workstation protection.

DLP systems are classified by where data leaks are detected:

  • in use (Data-in-Use): at the user's workstation;
  • in transit (Data-in-Motion): on the company's network;
  • at rest (Data-at-Rest): on the company's servers and workstations.

DLP systems can recognize critical documents:

  • by formal attributes: this is reliable, but requires prior registration of the documents with the system;
  • by content analysis: this can produce false positives, but allows critical information to be identified in any document.

Over the years, the nature of threats and the set of vendors and buyers of DLP systems have changed. Today's market expects these systems to offer:

  • support for several ways of detecting leaks (Data-in-Use, Data-in-Motion, Data-at-Rest);
  • support for all popular network protocols: HTTP, SMTP, FTP, OSCAR, XMPP, MMP, MSN, YMSG, Skype, various P2P protocols;
  • a built-in catalogue of web sites and correct handling of the traffic sent to them (webmail, social networks, forums, blogs, job-search sites, etc.);
  • support for tunnelling protocols: VLAN, MPLS, PPPoE and the like;
  • transparent control of SSL/TLS-encrypted protocols: HTTPS, FTPS, SMTPS and others;
  • support for VoIP telephony protocols: SIP, SDP, H.323, T.38, MGCP, SKINNY and others;
  • hybrid analysis – support for several methods of recognising valuable information: by formal attributes, by keywords, by regular expressions, by morphological analysis;
  • the ability to block the transmission of critical information over any controlled channel in real time, with selective blocking (for individual users, groups or devices);
  • control of user actions on critical documents: viewing, printing, copying to external media;
  • control of the network protocols of the mail servers Microsoft Exchange (MAPI), IBM Lotus Notes, Kerio, Microsoft Lync, etc., with real-time analysis and blocking of these protocols (MAPI, S/MIME, NNTP, SIP, etc.);
  • interception, recording and recognition of voice traffic: Skype, IP telephony, Microsoft Lync;
  • an image recognition (OCR) module and content analysis;
  • support for analysing documents in Russian;
  • storage of archives and logs for incident investigations;
  • built-in tools for detecting anomalies in users' behaviour and communications;
  • a variety of reports, including graphical ones.
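To make the recognition methods concrete (recognition by formal attributes versus content analysis, and the “hybrid analysis” item in the list above), here is an added illustration in Python. It is not code from the article or from any of the vendors discussed: the document fingerprint, the keyword list, the crude suffix-stripping stemmer that stands in for real morphological analysis and the payment-card pattern are all assumptions chosen for the example, and the sample messages are constructed.

```python
"""Hybrid content recognition, combining the three detection methods named above.

Added illustration only, not code from the article or from any DLP vendor.
  (a) formal attributes: documents registered in advance are recognised by a
      hash of their normalised text;
  (b) keywords: matched after a crude suffix-stripping "stemmer" that stands in
      for real morphological analysis;
  (c) regular expressions: a 13-16 digit payment-card pattern, confirmed with
      the Luhn check to cut false positives on arbitrary digit runs.
All rule data and sample messages below are constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass, field


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so trivial edits don't defeat the fingerprint."""
    return " ".join(text.lower().split())


def fingerprint(text: str) -> str:
    """Formal attribute: SHA-256 of the normalised document text."""
    return hashlib.sha256(normalise(text).encode("utf-8")).hexdigest()


# Constructed "registered" confidential document -> label.
REGISTERED_DOCS = {
    fingerprint("Supply contract No. 17/2013 between Acme LLC and Example Corp. "
                "Total: 1,200,000 RUB."): "contract-17-2013",
}

SUFFIXES = ("ing", "ed", "es", "s")


def stem(word: str) -> str:
    """Toy stemmer: strip one common English suffix (not a real morphology engine)."""
    word = word.lower()
    for suffix in SUFFIXES:
        if word.endswith(suffix) and len(word) - len(suffix) >= 4:
            return word[: -len(suffix)]
    return word


KEYWORD_STEMS = {stem(w) for w in ("contract", "confidential", "salary")}


def keyword_hits(text: str) -> set:
    """Keywords present in the text, compared stem-to-stem so 'contracts' matches 'contract'."""
    return {stem(w) for w in re.findall(r"[A-Za-z]+", text)} & KEYWORD_STEMS


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> list:
    """Digit runs that look like card numbers and pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    methods: list = field(default_factory=list)   # detection methods that fired
    details: dict = field(default_factory=dict)   # what each method found


def analyse(text: str) -> Verdict:
    """Run all three methods; a message is flagged if any of them fires."""
    v = Verdict()
    doc = REGISTERED_DOCS.get(fingerprint(text))
    if doc:
        v.methods.append("formal")
        v.details["document"] = doc
    kw = keyword_hits(text)
    if kw:
        v.methods.append("keyword")
        v.details["keywords"] = sorted(kw)
    cards = card_numbers(text)
    if cards:
        v.methods.append("regex")
        v.details["cards"] = cards
    return v


if __name__ == "__main__":
    # Constructed sample messages: a registered document with altered spacing,
    # a message carrying a valid card number, and a harmless digit run.
    for msg in (
        "Supply  contract No. 17/2013 between Acme LLC and Example Corp. Total: 1,200,000 RUB.",
        "Customer card 4111 1111 1111 1111, please process today",
        "Invoice 1234 5678 1234 5678 is fine",
    ):
        print(analyse(msg))
```

The three methods fail in different ways, which is why real products combine them: the fingerprint is precise but silent for any document not registered beforehand, the keyword match fires on ordinary business correspondence and so needs tuning, and the regular expression alone would flag every 16-digit run until the Luhn check removes the invalid ones.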

New trends in information technology also demand new functions from DLP products. The widespread adoption of virtualisation in corporate information systems created a need for its support in DLP solutions. The widespread use of mobile devices as a business tool gave rise to mobile DLP. The creation of both corporate and public clouds required their protection, including by DLP systems. And as a logical continuation, cloud information security services appeared (security as a service, SECaaS).

How a DLP system works

A modern data leakage prevention system is, as a rule, a distributed software and hardware complex consisting of a large number of modules for different purposes. Some modules run on dedicated servers, some on the workstations of company employees, and some on the workstations of security service staff.

Dedicated servers may be needed for modules such as the database and the information analysis modules. These modules are in effect the core, and no DLP system can do without them.

The database is needed to store information, from control rules and detailed information about incidents to all the documents that came into the system's field of view over a given period. In some cases the system can even store a copy of all the company's network traffic for a given period of time.

The information analysis modules are responsible for analysing the text extracted by other modules from various sources: network traffic, documents on any storage devices within the company. These modules may also be able to extract text from images and recognise intercepted voice messages. All analysed text is compared with the preset rules and marked accordingly if a violation is detected.

To control the actions of employees, special agents may be installed on their workstations. Such an agent should be protected from interference by the user (in practice this is not always the case) and can either passively record the user's actions or actively block those prohibited by the company's security policy. The range of controlled actions may extend from user login and logout and the connection of USB devices to logging and blocking network protocols, shadow copying of documents to any external media, printing documents on local and network printers, transferring information over Wi-Fi and Bluetooth, and much more. Some DLP systems can record every keystroke (key-logging) and save screenshots, but this goes beyond common practice.

The DLP system also has a management module intended for monitoring the operation of the system and administering it. This module makes it possible to monitor the health of all the other modules of the system and to configure them.

For the convenience of security service analysts, a DLP system may have a separate module that allows them to configure the company's security policy, track violations, conduct detailed investigations and generate the necessary reports. Unsurprisingly, the capabilities for analysing incidents, conducting thorough investigations and reporting have come to the forefront in today's DLP systems.

Global DLP market

The DLP market began to take shape at the start of this century. As noted at the beginning, the DLP concept itself spread around 2006. The largest number of companies creating DLP systems arose in the USA, where there was the greatest demand for such solutions and a favourable environment for creating and developing such a business.

Almost all the companies that started creating DLP systems and achieved notable success were acquired or absorbed, and their products and technologies were integrated into larger information security systems. For example, Symantec acquired Vontu (2007), Websense acquired PortAuthority Technologies Inc. (2007), EMC Corp. acquired RSA Security (2006), and McAfee absorbed a whole series of companies: Onigma (2006), SafeBoot Holding B.V. (2007), Reconnex (2008), TrustDigital (2010), tenCube (2010).

Today the leading global vendors of DLP systems are Symantec Corp., RSA (a division of EMC Corp.), Verdasys Inc., Websense Inc. (acquired in 2013 by the private company Vista Equity Partners) and McAfee (acquired in 2011 by Intel). Fidelis Cybersecurity Solutions (acquired by General Dynamics in 2012), CA Technologies and GTB Technologies also play a notable role on the market. A visual illustration of their market positions, from one perspective, is the Magic Quadrant of the analyst firm Gartner for the end of 2013 (Fig. 1).

Figure 1. Positions of DLP systems on the global market according to Gartner

Russian DLP market

In Russia, the DLP market took shape under both global and its own local influences. It happened gradually: as incidents occurred, people started to look for ways to combat them. The first DLP solution in Russia began to be developed in 2000 by the company “Jet Infosystems” (starting with a mail archive). Somewhat later, in 2003, InfoWatch was founded as a subsidiary of Kaspersky Lab. It was the solutions of these two companies that set the benchmarks for the rest of the industry. A few years later they were joined by Perimetrix, SearchInform, DeviceLock and SecureIT (renamed Zecurion in 2011). As the state adopted legislation on information protection (Civil Code of the Russian Federation, Article 857 “Banking Secrecy”; 395-1-FZ “On Banks and Banking Activity”; 98-FZ “On Commercial Secrets”; 143-FZ “On Civil Status Acts”; 152-FZ “On Personal Data”, and others, about 50 in total), the need for protection tools grew, and with it the demand for DLP systems. A few years later a “second wave” of vendors came to the market: Falcongaze, MFI Soft, Trafica. All these companies had been working in the DLP field for a long time but only recently began to enter the market. For example, MFI Soft started developing its DLP solution back in 2005 but announced itself on the market only in 2011.

Somewhat later, the Russian market became attractive to foreign companies too. In 2007-2008, Symantec, Websense and McAfee products appeared here. Most recently, in 2012, a new company, GTB Technologies, entered our market. Other leaders of the global market are also trying to enter the Russian market, but so far without notable results. In recent years the Russian DLP market has shown stable growth (over 40% per year), which attracts new investors and vendors. As an example, one can cite Iteranet, which since 2008 has been developing components of a DLP system, at first for internal use and then for corporate customers. The company is now promoting its Business Guardian solution to Russian and foreign buyers.

InfoWatch was spun off from Kaspersky Lab in 2003. In 2012 InfoWatch held about a third of the Russian DLP market. InfoWatch offers a range of DLP solutions for customers from medium-sized businesses to large corporations and government bodies. Its most in-demand solution is InfoWatch Traffic Monitor. The main advantages of the solution: rich functionality, unique patented traffic analysis technologies, hybrid analysis, support for many languages, a built-in catalogue of web resources, scalability, a large number of preset configurations and policies for different industries. Other strengths of the InfoWatch solution include a single management console, monitoring of the activity of employees under suspicion, an intuitive interface, policy creation without Boolean algebra, and the creation of user roles (security officer, manager, HR director, etc.). Disadvantages: weak monitoring of employee activity on workstations, InfoWatch Traffic Monitor is heavyweight for medium-sized businesses, high cost.

Jet Infosystems was founded back in 1991, and today it is one of the pillars of the Russian DLP market. From the start, the company developed systems to protect organisations from external threats, so entering the DLP market was a natural step. Jet Infosystems is a significant player on the Russian information security market, providing system integration services and developing its own software, including its own DLP solution, “Dozor-Jet”. Its main advantages: scalability, high performance, the ability to work with Big Data, a large set of interceptors, a built-in catalogue of web resources, hybrid analysis, an optimised storage system, active monitoring, inline operation, convenient search and analysis of incidents, well-established technical support, and offices in the regions. The complex can also integrate with SIEM, BI, MDM, Security Intelligence, and System and Network Management systems. The company's own know-how is the “Dossier” module, intended for incident investigation. Disadvantages: insufficient functionality of the workstation agents, weak control over the actions of employees at workstations, the solution is oriented towards large companies, high cost.

Websense is an American company that started in 1994 as a vendor of information security software. In 1996 the company introduced its first product, Internet Screening System, for monitoring staff activity on the Internet. The company then continued to work in the field of information security, entering new segments and expanding its range of products and services. In 2007 the company strengthened its position on the DLP market by acquiring PortAuthority. In 2008 Websense entered the Russian market. Today the company promotes a comprehensive product, Websense Triton, for protection against the leakage of confidential data as well as external threats. Main advantages: unified architecture, performance, scalability, several delivery options, preset policies, developed reporting and analysis tools. Disadvantages: no support for a number of IM protocols, no support for Russian morphology.

Symantec Corporation is a recognised leader in the DLP market. It became one after acquiring Vontu, a major DLP vendor, in 2007. Since 2008 Symantec DLP has been officially present on the Russian market. At the end of 2010, the first among foreign companies, Symantec localised its DLP product for our market. The main advantages of the solution: rich functionality, a large number of analysis methods, the ability to block leaks over any controlled channel, a built-in catalogue of web sites, scalability, a well-developed agent for analysis at the workstation level, extensive international implementation experience and integration with other Symantec products. Among the system's disadvantages are its high cost and the lack of control over some popular IM protocols.

Falcongaze is a Russian company founded in 2007 as a vendor of information security tools. The main advantages of its Falcongaze SecureTower solution: ease of installation and configuration, a convenient interface, control of a large number of data transmission channels, flexible methods of information analysis, the ability to monitor user activity on workstations (including viewing desktop screenshots), a graph analyser of interactions between employees, scalability, fast search through the accumulated data, a visual reporting system with various criteria.

Disadvantages: no gateway-level operation, limited ability to block the transfer of confidential data (only SMTP, HTTP and HTTPS), no module for discovering confidential data stored across the enterprise.

GTB Technologies is an American company founded in 2005. Thanks to a strong focus on information security, it has considerable development potential. It entered the Russian market in 2012 and has successfully completed several corporate projects. Advantages of the solution: rich functionality, control of many protocols and potential leakage channels, original patented technologies, modularity, integration with IRM. Disadvantages: incomplete Russian localisation, lack of Russian documentation, no morphological analysis.

Iteranet is a Russian company founded in 1999 as a system integrator. In 2013 it was reorganised into a holding company. One of its areas of activity is providing a wide range of information protection services and products. One of the company's products is its own DLP system, Business Guardian.

Advantages: high speed of information processing, modularity, geographic scalability, morphological analysis in 9 languages, support for a wide range of tunnelling protocols.

Disadvantages: limited blocking capability (supported only through plugins for MS Exchange, MS ISA/TMG and Squid), no support for encrypted network protocols.

MFI Soft is a Russian company that develops information security systems. Historically, the company has specialised in complex solutions for telecom operators, with great attention to data processing speed, fault tolerance and efficient storage. MFI Soft has been developing in the field of information security since 2005. The company brings to market the Garda Enterprise hardware and software DLP complex, aimed at large and medium-sized enterprises. Advantages of the system: ease of installation and configuration, high performance, flexible configuration of detection rules (including the ability to record all traffic), broad control of communication channels (in addition to the standard set, this includes VoIP telephony, P2P and tunnelling protocols). Disadvantages: lack of several types of reports, no ability to block the transfer of information, no search for stored confidential information at the enterprise level.

SearchInform is a Russian company founded in 1995 that initially specialised in information storage and search technologies. The company later applied its experience to information security, creating a DLP solution called “Information Security Circuit”. Advantages of the solution: broad capabilities for intercepting traffic and analysing data on workstations, control of employees' working time, modularity, scalability, advanced search tools, speed of processing search queries, a graph of employee connections, the company's own patents, the “Search for similar” algorithm, and the company's own training centre for customers' analysts and technical specialists. Disadvantages: no ability to block transmission, no single management console.

DeviceLock is a Russian company founded in 1996 that specialises in DLP and EDPC solutions. The company moved into the DLP category in 2011 by adding to its well-known EDPC product DeviceLock (control of devices and ports on Windows workstations) components that control network channels, together with content analysis and filtering technologies. Today DeviceLock DLP implements all methods of leak detection (DiM, DiU, DaR). Advantages: flexible architecture and modular licensing, ease of installation and management of DLP policies, including through AD group policies, original patented technologies for controlling mobile devices, support for virtualised environments, agents for Windows and Mac OS, comprehensive control of mobile devices via corporate synchronisation, a resident OCR module. Disadvantages: no DLP agent for Linux, and the agent for Mac computers does not implement contextual control methods.

Trafica is a young Russian company specialising in Deep Packet Inspection (DPI) traffic analysis technologies. Based on these technologies, the company is developing its own DLP system, Monitorium. Advantages of the system: ease of installation and configuration, a convenient interface, a simple and clear policy creation mechanism, suitability for small companies. Disadvantages: limited analysis capabilities (no hybrid analysis), limited control at the workstation level, no ability to search for unauthorised copies of confidential information on employees' computers.

Conclusions

Further development of DLP products is moving towards convergence and integration with products from adjacent areas: personnel control, protection from external threats, and other segments of information security. At the same time, almost all companies are working on lightweight versions of their products for small and medium-sized businesses, where simplicity of deployment and ease of use matter more than complex and rich functionality. Development of DLP for mobile devices, support for virtualisation technologies and SECaaS also continue.

On the basis of all this, one can assume that the rapid development of the global, and especially the Russian, DLP market will attract new investment and new companies. This, in turn, should lead to a further increase in the quantity and quality of DLP products and services on offer.

Here are several tips that will help you get the most out of any DLP system.

DLP system: what it is

Recall that DLP systems (Data Loss/Leak Prevention) make it possible to control all channels of a company's network communication (mail, Internet, instant messaging systems, flash drives, printers, etc.). Leak protection is achieved by installing agents on all computers that collect information and send it to a server. Information is also gathered at the gateway using SPAN (port mirroring) technology. The information is analysed, after which a decision on the incident is made by the system and the security officer.

So, your company has deployed a DLP system. What should you do so that the system works effectively?

1. Set up the security rules correctly

Imagine that in a system serving 100 computers a rule has been created to “log all correspondence containing the word ‘agreement’”. Such a rule generates a huge number of incidents, among which a real leak can be lost.

Moreover, no company can afford to keep extra staff just to process incidents.

Tools for building effective rules and checking their results help raise the usefulness of the rules. Every DLP system has functionality for this.

The general methodology involves analysing the accumulated database of incidents and creating various combinations of rules, which ideally lead to the appearance of 5-6 truly urgent incidents per day.

2. Update the security rules at regular intervals

A sharp decrease or increase in the number of incidents is a sign that the rules need to be adjusted. The reasons may be that a rule has lost its relevance (users have stopped accessing old files) or that employees have learned the rule and no longer perform the actions blocked by the system (DLP is also a training system). Practice shows, however, that once one rule has been learned, the potential risks of a leak elsewhere grow exponentially.

Seasonality in the business should also be taken into account. Over the course of the year, key parameters linked to the specifics of the company's work may change. For example, for a wholesaler of small equipment, bicycles will be relevant in spring and snowmobiles in autumn.
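As an added illustration of tips 1 and 2 (not code from the article or from “Kontur.Bezpeka”), the following Python fragment works over a constructed incident log: it reports rules that produce far more incidents per day than the 5-6 the text treats as a workable target, and rules whose daily volume changes sharply between two periods or that go silent. The rule names, dates and thresholds are assumptions chosen for the example.

```python
"""Rule hygiene over a DLP incident log (tips 1 and 2).

Added illustration, not code from the article or from any DLP product.
Works over a constructed incident log of (day, rule, user) tuples:
  - noisy_rules(): rules whose average daily volume exceeds what analysts can
    review (the text suggests 5-6 genuine incidents per day as the goal);
  - volume_shift(): rules whose daily rate changes sharply between two periods,
    or that go silent, which the text names as a signal to revise the rule.
Rule names, dates and thresholds are assumptions chosen for the example.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed incident records: (day, rule, user).
INCIDENTS = (
    # a broad keyword rule firing about 40 times a day across the staff
    [(date(2014, 3, d), "keyword:agreement", f"user{i}")
     for d in range(3, 15) for i in range(40)]
    # a fingerprint rule producing a handful of genuine hits per day
    + [(date(2014, 3, d), "fingerprint:registered-docs", "user7")
       for d in range(3, 15) for _ in range(5)]
    # a card-number rule that fires in the first week, then stops entirely
    + [(date(2014, 3, d), "regex:card-number", "user12")
       for d in range(3, 10) for _ in range(6)]
)

# Review window: first week vs second week of the constructed log.
START, SPLIT, END = date(2014, 3, 3), date(2014, 3, 10), date(2014, 3, 14)


def daily_counts(incidents):
    """{rule: Counter({day: number of incidents})}."""
    table = defaultdict(Counter)
    for day, rule, _user in incidents:
        table[rule][day] += 1
    return table


def noisy_rules(incidents, max_per_day=6):
    """Rules averaging more than max_per_day incidents on the days they fire."""
    noisy = {}
    for rule, per_day in daily_counts(incidents).items():
        avg = sum(per_day.values()) / len(per_day)
        if avg > max_per_day:
            noisy[rule] = round(avg, 1)
    return noisy


def volume_shift(incidents, start, split, end, factor=3.0):
    """Average incidents per calendar day in [start, split) vs [split, end].

    Reports rules whose rate grows or shrinks more than `factor`-fold, or that
    go completely silent, as (rate_before, rate_after)."""
    days_before = (split - start).days
    days_after = (end - split).days + 1
    shifted = {}
    for rule, per_day in daily_counts(incidents).items():
        before = sum(c for d, c in per_day.items() if start <= d < split) / days_before
        after = sum(c for d, c in per_day.items() if split <= d <= end) / days_after
        if before == 0 and after == 0:
            continue
        if before == 0 or after == 0 or after / before > factor or before / after > factor:
            shifted[rule] = (round(before, 1), round(after, 1))
    return shifted


def review_report(incidents=INCIDENTS):
    """Combine both checks into one dict a security analyst can act on."""
    return {
        "noisy": noisy_rules(incidents),
        "shifted": volume_shift(incidents, START, SPLIT, END),
    }


if __name__ == "__main__":
    for section, rules in review_report().items():
        print(section)
        for rule, value in rules.items():
            print(f"  {rule}: {value}")
```

On the constructed log the broad keyword rule is the only noisy one (40 incidents a day, far above anything a small security team can review), while the card-number rule is flagged because it went from six hits a day to none: either the data stopped moving over that channel, or employees learned the rule, and the text's point is that both outcomes deserve a look at the rule rather than silent acceptance.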

3. Think through an incident response algorithm

There are several approaches to responding to incidents. When DLP systems are tested and deployed, people are most often not informed of the changes. The employees involved in incidents are simply kept under observation. When a critical mass accumulates, a representative of the security or HR department meets with them. Work with the offenders is often handed over to the security staff. Small conflicts arise, and negativity builds up in the team. This may spill over into outright sabotage by employees against the company. It is important to keep a balance between demanding discipline and maintaining a healthy atmosphere in the team.

4. Check operation in blocking mode

The system has two modes of reacting to an incident: logging and blocking. If every attempt to send a message or attach a file to a flash drive is blocked, this creates problems for the user. Employees often besiege the system administrator with requests to unblock part of the functionality, and management may also be unhappy with such settings. As a result, both the DLP system and the company receive negativity, and the system is discredited and its covert operation revealed.

5. Check that a commercial secret regime has been introduced

This makes it possible to make all information confidential and also obliges everyone who has access to it to bear full legal responsibility for its disclosure. In the event of a serious leak of information covered by the commercial secret regime, the amount of actual and moral damage can be recovered from the offender through the courts under 98-FZ “On Commercial Secrets”.

We believe that these tips will help reduce the number of unintentional leaks in companies, while DLP systems will successfully combat intentional ones. However, one should not forget about a comprehensive information security system and about the fact that deliberate leaks can still get past DLP systems. There are modern solutions that extend the functionality of DLP systems and significantly reduce the risk of deliberate leaks. For example, one vendor offers this technology: when confidential files are accessed suspiciously often, the web camera automatically turns on and starts recording. It is this system that makes it possible to record attempts by an inventive thief to photograph the screen with a mobile camera.

Oleg Necheukhin, expert in information systems protection, “Kontur.Bezpeka”