Traditional DLP Vendors
TRADITIONAL DLP SYSTEMS
DLP is still needed to protect the more obvious data transfer channels [CD-RW, USB / disk drives, email scanning, web traffic monitoring ... the blue perimeter protections here]. These are the prominent traditional DLP solutions that do a good job of that and should be used to complement Data Border's Covert Channel DLP.
Digital Guardian (DG) is a pioneer in the area of intellectual property (IP) protection. The company was founded in 2003 as Verdasys in an effort to prevent privileged insiders from stealing corporate IP. The resulting product is a kernel-level endpoint agent that can monitor all system and user activity and interaction with data.
In addition to activity that violates policy, the solution also logs seemingly benign user activity. After establishing benchmarks of this "normal" user behavior, the solution is then capable of identifying suspicious activity that is outside the norm. Because the solution is tracking all activity, an administrator can also review user activity – often step by painful step – to establish user intent. This same capability is also facilitating DG's recent push into the Endpoint Detection and Response space for protection against advanced threats.
All endpoint activity is logged as contextual events (separate from policy violations or incidents), including file activity, application use and data touches, along with an extensive list of other activity. The logging of these contextual elements is unique to DG and can be leveraged to detect activity that traditional DLP solutions do not even attempt.
DG also utilizes automated file tagging to classify files. These tags are permanent and persistent, meaning that the tags follow files through any transformation, including copy/paste into a new file, archiving and even password protection. This enables the DLP solution to identify a file even when it cannot open the file for sensitive data detection.
In 2015, DG acquired Code Green Networks to round out its ADLP offering with traditional DLP components. Currently the DG ADLP and TDLP solutions are sold separately, and the integration between the two is limited to a common incident log. TDLP (Network and Discovery) system configuration, policy creation/management, reporting and incident workflow are still managed in their own interface.
Symantec has grown to become the leading provider of DLP in the market. In 2007, Symantec acquired Vontu, the then-current DLP market leader for $350 million. Symantec did not rest on its Vontu laurels, however, and continued to transform the DLP marketplace, bringing to light many of the innovations in the space that are in common use today by many vendors. Today the Symantec DLP offering continues to be the undisputed leader.
Symantec boasts the largest DLP install base and ongoing revenue of any DLP vendor. The product is considered to be the most feature-rich of any DLP offering and is often the bar against which all other DLP products are measured. The Symantec DLP approach is very modular, with separate software – and a separate license – required for each of Symantec's many DLP components: Enforce Platform, Network Monitor, Network Prevent for Email, Network Prevent for Web, Network Discover, Network Protect, Endpoint Prevent, Endpoint Discover, Data Insight, Data Insight Self-Service Portal, Oracle Standard Edition One.
One unique advantage of the Symantec DLP solution is the option to include Veritas' Data Insight product. Data Insight provides visibility into unstructured data usage, ownership and access permissions. This product competes directly with solutions outside the DLP space and can represent a good value for organizations looking for this additional capability. No other DLP vendor provides this type of solution.
In addition to leading on the feature front, Symantec DLP can also be customized in ways most other DLP solutions cannot. There are configuration options for almost every feature, allowing a level of customizability and policy tuning that is unsurpassed. That configurability, however, comes at a cost. Symantec DLP is widely considered to be the most complex of all DLP solutions and the most likely to require significant deployment hours and ongoing consulting support. For organizations with sufficient resources – budgetary and personnel – the solution may be a good choice. But for the SME space, Symantec often proves to be too much to handle.
McAfee entered the DLP space in 2006 with its acquisition of endpoint DLP vendor Onigma, but didn't gain full momentum until its 2008 acquisition of Reconnex, then a leader in the area of Network DLP. In 2010, Intel acquired McAfee for $7.6 billion, and McAfee became Intel Security. From this time, Intel made little investment in its DLP offering and the product languished. Product updates over a five-year period were limited mainly to point releases with very few new features. During this time, Intel Security lost ground to other leading DLP solutions.
In September 2016, Intel announced a spin-out of Intel Security in the form of a sale to TPG, a "global alternative asset firm", for $4.2 billion. The new firm will return to the McAfee name. TPG has majority ownership at 51 percent, with Intel retaining 49 percent. Through these changes, McAfee has experienced significant employee attrition and has sold off some of its security product portfolio, including the Stonesoft firewall business, to rival DLP player Forcepoint.
In the last year, McAfee has produced some long-needed updates to its DLP product line. These updates do not appear to be enough to bring McAfee DLP to its former glory days and back into contention.
Like other TDLP vendors, McAfee has three main components, covering Network, Discovery and Endpoint. The McAfee DLP Monitor component is unique among DLP offerings, allowing the capture not only of data from incidents triggered by policy violations, but potentially of all network traffic. This allows review of data that does not match existing rule sets, uncovering incidents or violations that otherwise may have gone unnoticed. Policies can also be edited or fine-tuned and then run against this captured data, providing a historical view of how policy changes would have affected incident results.
Most of the management of the DLP solution is done via McAfee's ePolicy Orchestrator, so for companies with significant investment in ePO the solution may make sense. Some of the management, however, is still done outside of ePO, namely for DLP Monitor and appliance-based DLP Discovery. The fact that McAfee has yet to fully integrate its DLP offering after nine years may be taken as an indicator of the company's commitment to the DLP space. Whether that attitude will change in the future is unknown.
In 2015, Websense was acquired by Raytheon in a deal valued at $1.9 billion with the resulting company branded as Forcepoint. Forcepoint is building a security platform that includes the old Websense URL filtering, email and web security products, its long-time leading DLP solution, Raytheon's SureView Insider Threat technology and two more recent acquisitions: McAfee's Stonesoft NGFW business and Imperva's Skyfence CASB solution.
Forcepoint has been a leader in the DLP space since 2007. The solution has seen steady improvement over that time to find itself standing in the far upper-right of the Gartner Magic Quadrant for DLP. As a traditional DLP vendor, the Forcepoint DLP approach combines separate modules for Network Gateway, Discovery and Endpoint DLP. While not overpowering the competition, the Forcepoint DLP solution is considered to be a strong contender in each area.
The Forcepoint architecture is relatively simple by DLP standards and includes a management server, a data server and a third server to monitor network traffic and provide blocking for email and web traffic. The solution is considered to be user-friendly, with hundreds of pre-packaged policies categorized by country, state, industry, etc. A policy wizard walks the administrator through the process of identifying all relevant policies.
An interesting twist on DLP is the Forcepoint Insider Threat product (formerly Raytheon SureView). The solution is an endpoint agent that's not quite DLP, since it has no blocking capability. What it does have, however, is a unique feature set that provides detailed insight into user activity. Like the DG agent, the product monitors user activity, building out user behavior risk scores that enable administrators to prioritize threats. The solution actually has video replay that can prove user intent very conclusively.
Unique features of the Forcepoint DLP solution include OCR capability – the ability to detect sensitive data in image files. This is a feature that's been on DLP vendor roadmaps for years, but only Forcepoint has managed to make it a reality. Forcepoint DLP also includes an incident risk ranking, letting admins know which incidents and/or users to review first, as well as "drip DLP" to identify small leaks that accumulate over time.