Sticker Shock Over DLP Products Could Be Short-Lived

Data-loss prevention products can potentially save organizations a bundle by preventing the escape of sensitive information. But the six-figure starting price for a typical enterprise deployment of host and gateway-based DLP is tough for many to swallow.

The good news is that prices are expected to fall heading into next year as more vendors enter the fray and more choices for how to roll out DLP emerge.

"If you're dealing with a couple thousand seats for DLP, expect $250,000 to half a million," says Forrester Research analyst Andrew Jacquith. "But we will see price erosion because of competition."

(Of course, vendors are fond of pointing out that even today's prices aren't too high when you consider the cost of responding to a data breach. A Ponemon Institute study has tagged this at more than $6 million on average, or $202 per customer record, plus the loss of good reputation and possible lawsuits.)

The market to prevent data leaks got going in the early 2000s and has gained momentum of late, though even successful vendors still tend to boast of customer numbers in the hundreds rather than thousands. The market is dominated by traditional antimalware vendors that bought out DLP start-ups, though independents such as Verdasys remain in the mix as well. Newcomers will include the likes of antimalware vendor Sophos, which is expected this fall to introduce a DLP offering of its own making.

Jacquith says when enterprises determine an immediate need for DLP, the usual course has been to first turn to a security vendor they already rely on for other things.

"If it's a big McAfee shop or a Symantec shop, they'll look there first," he says. In Forrester's analysis, the market leaders are Websense, McAfee, Symantec, CA, EMC security division RSA and Verdasys.

In addition to DLP becoming available from more vendors, it will wind up getting embedded in existing software and hardware, including switches, servers and even laptops. It may all lead to the "content-aware enterprise," a phrase coined by Gartner analyst Eric Ouellet, who says, "It's about sprinkling DLP everywhere."

Buying into DLP

For those investing in DLP today, the need is straightforward.

"We need to protect patient information or other business information," says Larry Whiteside, CISO at New York City-based Visiting Nurses, which has 13,000 employees, with 3,500 nurses providing home assistance and facilitating hospital transition care for some 30,000 patients in the greater New York area.

Visiting Nurses, which had already been making use of the Websense Security Gateway, recently added the vendor's DLP gateway functionality. Using the DLP discovery tool (technology deriving from Websense's acquisition of PortAuthority in 2007), Visiting Nurses has determined where sensitive data is located in its 30 file servers for the purpose of detecting and blocking breaches, including inadvertent ones.

Plans are to add DLP data-blocking capability into mobile computers used by nurses. Any alerts would be collected into the firm's Symantec security-event management system, Whiteside says.

"If a user attempts to send a file, we would want it stopped at the gateway, with an alert generated and sent to the [management system]," he says.

Support from business managers for DLP has been solid, especially as the IT department is also under constant pressure to grant more open access, Whiteside says. "From the data stewardship standpoint, it's on my staff to make sure people are doing what they're supposed to do," he notes, adding he does expect it to take up to half a year to deploy DLP widely as business processes are closely scrutinized.

And DLP does nothing if not give an organization a clear picture of how content gets distributed internally and to the outside. "The visibility you get is incredibly useful," Jacquith notes. "Some people even talk about using it for chargeback."

DLP shortcomings

While the accuracy of DLP products is regarded as good, the tools aren't impervious to being tricked. James Wingate, director of the Steganography Analysis & Research Center in Fairmont, West Virginia, says it's possible to hide a file inside another using steganography tools and "DLP tools will not detect it."

Dave Meizlik, director of product marketing at Websense, acknowledges data hidden through steganographic tricks may slip through a DLP system. Encryption also is problematic in that a scrambled document would have to be decrypted to have its content inspected. In some cases, that can be set up under an authorized encryption method. Documents that have been encrypted with unauthorized methods could be flagged as suspicious.

Gijo Mathew, vice president of security management at CA, which acquired DLP start-up Orchestria last January, says encryption can be regarded as a weak point in DLP today. "If it can't read it, it can't analyze it to block it."

In fact, the role of encryption looms large in DLP, with the more sophisticated systems designed to block and hand off e-mail that should be encrypted to other security products the organization might use. CA DLP, for instance, works with products from Voltage, PGP and BitArmor so data tagged as sensitive can be automatically handed off for encryption before transmission.
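The gateway decision described in the preceding paragraphs, as an added Python example (not from the article or any vendor's product): readable content is scanned, content under an authorized method is routed for decryption, and unreadable content is flagged. The marker list, the entropy threshold, the verdict names and the sample payloads are assumptions made for illustration.

```python
import hashlib, math, re
from collections import Counter

# Assumptions: OpenPGP ASCII armor is the authorized method; 7.2 bits/byte is the cut-off.
AUTHORIZED_MARKERS = (b"-----BEGIN PGP MESSAGE-----",)
ENTROPY_THRESHOLD = 7.2
CARD_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; cuts false positives on digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext approaches 8, plain text is far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(payload: bytes) -> str:
    if payload.lstrip().startswith(AUTHORIZED_MARKERS):
        return "decrypt-then-inspect"          # readable with the organization's key
    if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "flag-unauthorized-encryption"  # cannot be read, so cannot be analyzed
    for m in CARD_RE.finditer(payload):
        if luhn_ok(re.sub(rb"\D", b"", m.group()).decode()):
            return "handoff-for-encryption"    # sensitive and leaving in the clear
    return "allow"

# Constructed sample payloads (not real data). The "opaque" entry is a SHA-256
# keystream standing in for a file scrambled with an unapproved tool.
SAMPLES = {
    "memo": b"Reminder: staff meeting moved to 3 pm on Thursday.",
    "card": b"Patient billing, card on file: 4111 1111 1111 1111.",
    "pgp": b"-----BEGIN PGP MESSAGE-----\n\n(placeholder body)\n-----END PGP MESSAGE-----\n",
    "opaque": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:7s} {shannon_entropy(payload):4.2f} bits/byte -> {classify(payload)}")
```

Compressed formats such as ZIP or JPEG also score near 8 bits per byte, so an entropy test needs file-type identification in front of it to avoid false alarms. Payloads of only a few dozen bytes cannot reach the threshold at all, so short ciphertexts pass this check unflagged.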

Visiting Nurses is considering such interaction between its Websense Security Gateway and Cisco IronPort appliance. (Cisco, by the way, says its IronPort C-Series appliance will gain DLP functionality based on RSA technology by this fall.)

Where to put your DLP

Whether to install DLP at the gateway or host level -- or buy a multipurpose security gateway with DLP or a stand-alone device -- is a topic for debate among IT and security managers.

Installing a DLP gateway is "a no-brainer," Forrester's Jacquith says, noting it's the least expensive and easiest way to get started.

But some vendors say there's been too much emphasis on the gateway when you take into account the mobility of employees. Trend Micro's global product marketing manager, Mark Bloom, voiced some dismay that his company (which acquired Provilla's LeakProof) is considered a niche player in DLP by Gartner because "we're focused on the endpoint."

Trend Micro expects to offer DLP for the gateway in the near future. While LeakProof is a stand-alone DLP agent, the DLP functionality will be moving into Trend Micro's OfficeScan products in the early 2010 timeframe. "We're seeing a big push to have a content-aware endpoint," Bloom says. "We should have a single agent."

In fact, there's a broad march underway by IT vendors to integrate DLP functionality into existing security host and gateway products. These include:

* McAfee's host DLP software can be used alone or as an add-on to its flagship antimalware security software that's part of its Total Protection for Data Endpoint suite. McAfee is looking at integrating the DLP engine into its Web gateway, e-mail gateway, firewall and intrusion-protection gear in the coming year.

* Microsoft and VMware anticipate integrating RSA DLP technology into future products, though this is still in the early stages. RSA is the security division of EMC, which is the majority owner of VMware.

* Symantec, which integrated DLP into its Brightmail e-mail security gateway, has also begun integration with its Altiris management software. Altiris 7 can be used to deploy and troubleshoot endpoint DLP Prevent and Discover agents so that there's communication between the DLP endpoint and the Symantec Endpoint Protection agent, its flagship security software. Integrating DLP into Symantec storage systems can be expected in the future. Symantec DLP Discover, for instance, has already been integrated into Backup Exec System Recovery, and Symantec intends to introduce some open APIs for DLP.

HP, which acquired outsourcing giant EDS last year, has a strategic partnership with Symantec on DLP.

EDS supports Symantec DLP in outsourcing arrangements with enterprise customers and even manages the DLP system for Symantec itself, which selected EDS as its outsourcing partner, says Chris Whitener, chief strategist at HP's Secure Advantage division.

A focus now is integrating some of the Symantec DLP capability into HP ProCurve switches and deploying DLP in HP data centers, he notes. Whitener points out that sometimes organizations don't want the company's CSO or IT support in the middle of handling data-loss issues since this is seen as a possible conflict of interest.

The changing world of DLP is something that Phil Moltzen, senior security architect at the U.S. Department of Energy, is keeping an eye on. He says there's a growing awareness that attention must be paid to monitoring content that's leaving the network as well as all the work that's done to stop attacks related to phishing, hackers and malware from coming in.

The cost of DLP does present a barrier to large-scale adoptions today, but he adds, "DLP is really just starting to take off."

Copyright © 2009 IDG Communications, Inc.