• United States



by John Breeden II

Top tools for preventing data leaks

Aug 29, 201623 mins
Data and Information SecuritySecurity

Comodo, Digital Guardian, Forcepoint provide strong protection for sensitive data

tools preventing data leaks 1
Credit: Thinkstock

Most security tools are focused on keeping external attackers at bay. But what about the sensitive data that lives inside your network? How do you make sure it doesn’t get out, either intentionally or by accident?

That’s where Data Loss Prevention (DLP) comes into play. DLP tools are designed to block protected data from being shared in various ways, everything from e-mail attachments to printing to even screen captures. DLP can protect core network stores as well as connected endpoints which might have confidential information.

We looked at DLP solutions from Comodo, Digital Guardian and Forcepoint. Symantec was invited to participate, but declined.

Of the three products tested, Forcepoint Triton was the most mature, easiest to setup and had the most features. It would probably be the best choice for most organizations, especially those under regulatory pressure from federal and state governments.

Digital Guardian DLP was able to eliminate almost all false positives, even for very large installations, and would be a good choice for organizations with huge amounts of intellectual property, where too many false positives would be debilitating.

Comodo DLP started as a blank slate, but offered a lot of flexibility as well as extras like a VPN, firewall, patch and mobile device manager, making it a good choice for organizations just getting up to speed with their overall cybersecurity defenses, and which need to include DLP as part of that package. (See screenshots of each product.)

Here are the individual reviews:

Net results

PRODUCTComodo DLPDigital Guardian Network DLPForcepoint DLP
PRICE$8.29 per seat based on a three-year commitment and 5,000 or more seats.Starts at $25,000$44.50 per seat for 5,000 users; 10% discount for multi-year contract.
PROSAll attempted breaches are logged, and the files can be archived for study; works as part of an overall security package or standalone; can stop printing, screenshots and copying of entire documents or tiny snippets from protected files; can be used to prevent protected data from entering or exiting a network.Precise rules can be crafted to ensure almost no false positives; can be up and running in just a few hours; can be used as part of a user awareness training program or can be completely secret, can automatically encrypt sensitive communications in addition to blocking or quarantining.Comes with over 1,700 preset DLP rules and regulatory compliance settings; can scan Dropbox, Office 365 and OneDrive to look for protected data already in the cloud; has OCR engine that can find protected data in screenshots and graphics; can encrypt files.
CONSLack of plug and play rules means a lot of work needs to be done by hand, putting a larger burden on DLP administrators.Emphasis on reducing false positives with large datasets can mean that smaller or one-off data policy breaches can slip through; highly detailed rules may require tweaking over time; data tagging may be necessary to completely eliminate false positives.Can only be installed as a module under AP-Email or AP-Web in the Forcepoint Data Security Suite.

Comodo DLP

Comodo DLP is installed as a network or virtual appliance and works either independently or as part of the Comodo 360 Complete Security Bundle. The full suite includes things like sandboxing files to look for threats, VPN, a firewall, patch management, a Web security agent and even a mobile device manager. It would be a good choice for an organization that is beefing up its endpoint, boundary and network protection at the same time. For this evaluation, we only looked at the DLP component.

The Comodo appliance is reasonably priced at $8.29 per seat based on a three-year commitment and 5,000 or more seats. The appliance’s software is configured to be able to handle that load and we tried to overload it without success. With a virtual appliance, expanding power to match increased capacity is also a simple process.

+ ALSO ON NETWORK WORLD Next up for DLP: The cloud? +

Comodo DLP can protect data stored on internal network drives right from the start, but gets much more powerful if agents can be installed on connected endpoints. Pushing the agents out to Windows clients (there is no Mac support yet) is a simple process, though you do need to have the rights to be able to do so. With agents installed, Windows clients can be locked down in the same way that the main data servers are, including USB and even printing protection.

Out of the box, the Comodo DLP that we tested was pretty much a blank slate. It has a lot of powerful potential, but needs to be programmed. For many organizations this probably won’t be a problem since they know the kind of data that they hold and need to protect. Common things like credit card information or ABA routing information can easily be added to the list of protected objects, as well as information combinations such as Social Security numbers in conjunction with the names of diseases or national drug codes.

It would be nice if there were common settings for things like HIPAA or PCI compliance that would set up all the necessary rules based on those guidelines. You can configure a very tight set of rules to protect against any regulatory breaches, but it can take a long time setting it all up manually.

In addition to blanket rules that apply to any data, you can also configure Comodo DLP to protect files based on almost any other factor, such as the source of the info or the destination. Even time of day rules can be set using the main interface. And of course, individual files and folders can be protected regardless of any other factor.

Using Comodo DLP, we were able to configure some very specific rules. For example, we allowed anyone to access a certain folder containing several data files. However, users were not allowed to print any of the information or copy it to another drive. In addition, certain documents were locked down so that no part of them could be copied and removed by any means, even by highlighting certain parts and copying and sending snippets. Outside of that protected folder, the blanket rules applied, so that for example, no credit card information could leave the system.

The console gives administrators lots of options regarding how to deal with attempts to exfiltrate protected data. It can be simply blocked, the fact that it was blocked can be recorded, users can be warned or kept in the dark as to Comodo’s actions, or everything that a user tried to illegally copy can be archived for later examination.

So for example, one entire folder on our test network was protected against copying. When we tried to pull files from the network and save them on a key drive, not only was that transfer stopped, but a full archive of every file that we tried to copy was provided inside the Comodo DLP administrator interface.

The same thing happened when a user tried to print a document which was protected. The process was stopped, the user was warned as per the policy we configured, and the document was archived in the main interface. Building up an audit trail is thus incredibly easy. Insider threats can likely be weeded out from legitimate mistakes based on the volume of attempted data breaches alone, with a full audit trail to prove everything for authorities.

When the full text of a .pdf document was protected, Comodo DLP was able to keep that information safe in a variety of ways. First, we blocked copying by simply defining clipboard policy rules as well as screenshot rules. But even with those disabled, Comodo was able to recognize when we tried to cut a small snippet out of a protected document and send it out using instant messaging. Comodo uses both text and hash matching to lock everything down. When we tried to share our tiny snippet, the DLP kicked in and blocked that process, with the aforementioned archiving so that administrators could see what we were trying to do when the policy was broken.

The Comodo DLP program is designed for network installations. Our testbed was admittedly not nearly enough to tax its abilities, however, we did set up a batching process to send out a bunch of rule-breaking instant messages and e-mails at the same time. Although more than 500 of them tried to go out at the same time, each one was instantly blocked. And using a variety of e-mail and webmail clients was no help either as Comodo was always able stop us from breaking policy. And don’t forget that each attempted breach is logged, so someone trying to defeat the DLP protection by trial and error is likely to get caught long before they get anywhere close to finding a hole in that protection, assuming one even exists.

Another nice feature of Comodo DLP is that it is able to scan all the endpoints on a connected network to determine if any protected information has already left its safe havens. That way, it’s not like locking the barn door after the horse has gotten out. It’s like locking down the barn and then directing the owner to exactly where the missing horse is located. That’s not as good as locking things down right from the start, but this way administrators won’t be surprised if hundreds of credit card numbers are already sitting on an unsecured laptop outside of the main database.

Finally, as a nice extra feature, Comodo DLP can be reversed to prevent certain types of information from entering a network. To do that, you simply need to set up rules based on the destination of protected information types being inside a network. This could be helpful in certain industries where workers are not allowed to come into contact with specific data from people on the outside, like a broker who needs to be protected from insider trading accusations or a doctor who does not want to receive unsolicited health information from non-patients.

It takes a little bit of work as well as the knowledge of what kind of data needs protecting to get the most out of Comodo DLP. But once you get there, there is no way that we found for someone to circumvent that protection. And if they try, everything they do will be instantly flagged, logged and archived for later study and possible disciplinary or corrective action.

Digital Guardian Network DLP

Digital Guardian used to be called Verdasys. Today, the newly branded company offers several types of DLP defense, including the network level protection which is the focus of this test. It is deployed as either a network or virtual appliance and all network traffic is routed through it. This gives Digital Guardian the ability to protect data from leaving the enterprise regardless of where it exists and on what platform it is stored. It does not work with off-network traffic or disconnected endpoints, though the company has other products to fill in those gaps.

The Digital Guardian Network DLP appliance is designed for very large installations, or at least places where there are potentially millions of records to protect. Its pricing model starts at approximately $25,000 based on licensing volume, and it can be installed as either an on-premises appliance or through a managed security service program.

Because of the emphasis on large installations, the interface when creating rules for the Digital Guardian Network DLP are very precise, and designed to eliminate false positives. This is necessary because if you try to apply the same blanket type of rules found with some DLP products to very large datasets, your security teams might end up getting overloaded with false alerts.

So when trying to protect something like 5 million account numbers, even if you use full text matching in the rule creation, quite a few numbers are going to get flagged as potentially protected data that have nothing to do with the actual accounts. For example, employees couldn’t order 12,673 new items if there was a matching account number protected by DLP, even if the employee didn’t know about it. Phone numbers could also prove problematic. To compensate, rules that are created within Digital Guardian’s DLP appliance can be configured with multiple trigger points where all of them need to be met before the DLP will alert to a problem. They can then be further tweaked with data tagging that creates exceptions to the rules.

For a program with such complex ruleset possibilities, getting it set up and running is surprisingly easy. Granted that our testing environment did not contain millions of records, but from a rule creation standpoint, there would be no difference. Getting the Digital Guardian appliance ready to protect data is a two-step process. It begins by registering the data that needs to be protected. This can be done by simply pointing to files and folders or identifying the location of something like an SQL or Oracle database server. If you have millions of records then you are probably going to want to specify where the data lives instead of individual records, but the process is the same.

+ MORE ON NETWORK WORLD 7 devices that make your data vulnerable +

Users are also going to want to, most likely, identify specific columns within the protected data spreadsheets that will be the focus of the rules created later. There is no need to protect something like the first name fields of customers or patients, for example. Specifying the column data within those servers can help to reduce the time it takes to scan everything, though even with thousands of records, the registration process should only take a few minutes and then a few minutes each day as the DLP appliance checks to see if any new data has been added to those fields. The data itself isn’t stored on the DLP, just a hashed version of it so that the appliance itself does not become a liability.

Registering the data to be protected doesn’t actually do anything on its own. Once the DLP knows all the possible data it’s protecting, it’s time to go in and configure what uses are allowed and which should be blocked, quarantined or encrypted before being sent out.

We used a store of patient names and Social Security numbers contained within several spreadsheets. Our first rule stated that anytime five or more Social Security numbers attempted to be sent out of the network along with the last name of the accompanying patient, that the DLP was to block the transmission and alert the proper personnel.

Users could be warned about the actions that were being taken or left in the dark that anything suspicious was happening. That way we could set it up so users could be trained as to good DLP practices in some cases, or examined secretly if we suspected that, for example, a true insider was working against the host organization.

To test our new rule, we went in and grabbed 10 Social Security numbers along with 10 last names from different patients. In this scenario, the names and the Social Security numbers did not match on any of the protected spreadsheets. When we tried to send Webmail with that information, nothing was blocked, which was the correct action based on our rules. When we similarly tried to send out information using instant messaging that contained several made up Social Security numbers which were not in the spreadsheets at all, but which were obviously within Social Security numbers format, they also got through.

Only when we matched last names from the same line with Social Security numbers did our transmissions get blocked. And they were blocked despite anything we tried to do to obfuscate the relationship like putting the numbers randomly throughout a multi-page document that was nowhere near the corresponding last name.

We also got blocked when we used the Social Security numbers but retyped the last names in caps instead of cutting and pasting them into place. When we changed the fonts to something nonsensical like Wingdings, the Digital Guardian appliance still knew what we were doing and locked everything down. In fact, we even changed the extension of the file we were trying to send so that it was simply displayed in Unicode and then zipped that. But nothing we did could get around the ruleset for the DLP.

The final tweak is data tagging for true precision. Data tagging is conducted after the main rules are in place to create or modify exceptions. This is probably the most complicated thing to do within the otherwise easy to use interface, but might be necessary if something like phone numbers are triggering false positives. The data tagging is like an “if-then” statement.

Even if a rule trips, the DLP will check the data tags and if the protected IP matches a seven-digit phone number format, it will allow the communication through because it’s likely just a phone number and not a protected account within the database.

One thing to consider is that with such tightly controlled rules, it might be possible for someone to smuggle data out of an organization by keeping under the radar. In our test they could, for example, send out the information in groups of four, or send the SSNs by themselves and then send the last names at a later time. It’s one possible danger about having those types of rules in place to eliminate almost all of the false positives. Then again, the alternative for organizations with very large datasets would be to live with seemingly unending false positives every time a number or a name happened to match some type of communication across the entire enterprise. Many people’s names are also real words, like Iris, Love and Strong, while others, like Kraft or Kellogg, are companies, which could trigger problems without those safeguards.

Someone attempting to thwart the rules by keeping under the false positive threshold would need to know exactly what rules were in place. That’s highly unlikely to happen, but something to keep in mind when setting up the rules based on the balance between total security and comfort with false positives.

The Digital Guardian appliance can take several different actions once a rule has been tripped. These actions can be modified by almost any factor a user wants, like the type of data, the size of the alleged breach, the source or destination or almost anything else. Specifically, it can log, allow, prompt, quarantine, encrypt or block communications that trigger rule breaks.

For most of our testing, we used either the block or quarantine actions. Blocking is just what it sounds like; the communication is stopped. Users can then either be told what rule they broke so they can learn what they did wrong, or be kept in the dark and investigated. Quarantine is interesting because it blocks the communication temporarily, but moves it into an area where an administrator is able to see what the user was trying to accomplish. It can then later be permanently blocked or allowed to pass, which is good if an organization needs a second set of eyes on sensitive communications.

The encryption feature is somewhat unique to Digital Guardian. It can be used when, for example, employees need to send sensitive data outside of a network for partners or contractors to work with, but which should not be seen by unauthorized eyes or intercepted in transit. For data flagged that way, the Digital Guardian appliance will automatically encrypt that data and let the user know about it by default. While Digital Guardian has no native encryption, it works with many third-party programs and can even be set up to send jobs to an encryption appliance should one exist within the enterprise.

The Digital Guardian appliance is geared toward installations where very large or even Big Data sets need to be protected without instantly overloading security teams with too many false positives. It handled everything within its ruleset perfectly in all of our testing, but may require a bit of tweaking at first in order to find that perfect balance, and then further programming with data tagging to eliminate any operational problems that pop up with false positives.

Forcepoint DLP

The Forcepoint DLP protection product was the most mature solution that we reviewed. That isn’t too surprising given that it got its start in 2003 as a regulatory compliance tool. Today Forcepoint is an independent company launched as a joint venture between technology firms, with Raytheon as its majority stakeholder. The Forcepoint DLP product tested is integrated with the Triton APX product line of cybersecurity defense tools which includes Triton AP-Web, AP-Email, AP-Data and AP-Endpoint.

All Triton products share a common architecture and work with the ThreatSeeker Intelligence Cloud to identify and classify network traffic. Technically, any of the products can be installed separately or together within a single appliance, but they are so tightly integrated that it’s difficult to tell where one ends and the next begins. The DLP solution tested here is a module that can be added to either AP-Email or AP-Web, and which comes included with AP-Data. The integrated AP-Data version was the flavor tested.

Installed as an appliance, the DLP component along with the required module in the Data Security Suite is priced at $44.50 per seat for a deployment of 5,000 users. A 10% discount would apply for signing a multi-year contract.

For such a powerful tool, setting up the Forcepoint DLP was incredibly easy. The module comes pre-configured with 1,700 presets for creating data protection and regulatory compliance rules. Federal regulations as well as the individual rules for every state and most countries are included. So if your company does business in Virginia, you can check that state’s box and data protection rules specific to Virginia will be automatically applied as a policy without incorporating the rules of another state which your organization does not touch. And heavily regulated industries like finance and healthcare have many possible rules that can be selected and implemented within their trees. Each can be individually selected, or installed as a group.

The pre-written rules can be examined and modified, though some, like HIPAA in healthcare, are so well defined that doing so would be ill-advised. Still, a user is free to modify the protection offered by the DLP based on specific needs within an organization. Creating entirely new rules can be done manually or using wizards that help users define exactly how they want their protection to act. Creating a complex new rule using the wizard took us less than five minutes.

Rules can be configured with either a narrow or wide scope, and there are generally multiple versions of each type within the presets. If no DLP violations are being triggered, then administrators can choose to change from narrow to wide first before diving into the rule configuration. Likewise, if too many false positives are being discovered, a switch to the narrower definition might be a quick fix that saves time without sacrificing protection.

The Forcepoint DLP works best when agents are installed on all corporate endpoints. Forcepoint was the only product in our test that had a working OS X agent in addition to a 32- and 64-bit Windows version. Creating an agent is easy using a wizard-like interface. It took 30 seconds to make a new one for Windows 64-bit systems in our test network. Then it can be pushed out to network clients using whatever method an organization chooses.

When creating an agent, users specify a name and password which needs to be re-entered to uninstall the program from a host machine. This makes agent removal easy if such a thing is desired for individual machines, and also prevents someone from getting rid of their DLP protection without permission.

In addition to the easy creation of rules using the presets, the Forcepoint DLP can also use fingerprinting for important documents that may not be legally protected, but which are important or even critical to an operation.

Once we had the rules in place and had fingerprinted other documents, we tried to find ways of exfiltration. In every case, even using snippets or retyping data, we got blocked. Forcepoint was even able to stop a protected document from leaving the network after we hid snippets of it inside a .gif picture. Forcepoint was the only program we tested with this feature. We took protected data and placed it inside a photo, figuring that there was no way a machine would be able to recognize that method of data theft. But Forcepoint runs graphical files through an optical character recognition engine and compares the results against the fingerprinted protected data and the general compliance rules. It was able to stop screenshots of protected documents, but also a series of Social Security numbers that we cut and pasted into a photograph.

With endpoint protection in place, administrators on the main console could even control and enforce USB and printing policies at endpoints. One interesting feature is that we could restrict USB drives from copying data, but could also allow that copying to happen under certain circumstances, such as if we were using company-approved USB devices or ones that had native encryption. Our printing rules were also very flexible, allowing us to enable printing at certain machines – such as those located in a secure or monitored location – while preventing protected documents from being sent anywhere else. This level of granular security control was very impressive, and also easy to configure and monitor.

Part of the Forcepoint endpoint protection includes a native encryption engine. So administrators can allow, for example, someone to take certain files home using a USB drive, but only after forcing the files to be encrypted. This encryption can take the form of a password that needs to be entered to look at the document, or session encryption which means that the files can be opened automatically like normal, but only when running on an endpoint that also has a Forcepoint agent installed – basically keeping the data in-house and under control.

Cloud services are not left out either. The Forcepoint DLP works with the professional or corporate versions of Dropbox, Office 365 and OneDrive, allowing an administrator to scan for fingerprinted data or information protected by regulations sitting in those off-site corporate shares.

The Forcepoint DLP module is an incredibly powerful tool. When working in conjunction with the other tools in the Data Security Suite, it can do even more, like coordinating DLP alerts with other security modules to look for patterns that could potentially uncover insider threats.

The only negative aspect is that the Forcepoint DLP module tested here needs to run with another program. So it might not be the right choice for an organization that has mature and robust cybersecurity defenses in place and just needs a standalone DLP solution. However, the Forcepoint DLP is so good that it might be worth it to bring in AP-Email, AP-Web or AP-Data just to get the DLP capabilities.

Breeden is an award-winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached at