Published by Sandra di Castro Dinis. Modified over 6 years ago.
1
DeviceLock Company & Product Introduction
Netherlands
2
Agenda
- Company Brief
- Problem & Solution
- DeviceLock DLP Overview
- Data-in-Use DLP: Contextual Local Controls
- Data-in-Motion DLP: Contextual Network Controls
- Data-in-Use/Motion DLP: Content-Aware Controls
- Data-at-Rest DLP: Content Discovery
- DeviceLock Virtual DLP
- What’s New
- Typical Endpoint DLP Scenarios
- Advantages & Value

Hi, my name is ___. I represent DeviceLock, a software company whose products are designed to prevent data leakage from endpoint computers. In this presentation I will introduce the company and the DeviceLock DLP solution, and describe its value, main functions, features and advantages.
3
Company Brief
4
DeviceLock Key Facts
- Established in 1996
- Develops and markets DeviceLock® software: an endpoint device control and data leak prevention solution
- DeviceLock products used worldwide, protecting 7+ million computers in over 80,000 organizations
- Privately owned, self-funded international business
- Sales HQs in the US; offices/representatives in Canada, Germany, UK, Italy, UAE
- Channel partner network in all global regions
- Team of 60 full-time employees, half of them in R&D

Since its establishment in 1996, DeviceLock has provided its customers with high-quality endpoint security software. DeviceLock initially built its international brand as the developer of best-in-industry endpoint device/port control software, which has since been extended into a full-function endpoint Data Leak Prevention solution. During its 20-year history, DeviceLock products have been deployed on more than 7 million computers in over 80 thousand organizations worldwide, and today DeviceLock is the most widely used device control software on the global IT security market. Organizationally, DeviceLock is a small, privately owned, self-funded international business with Sales HQs in the US, as well as regional sales offices and representatives in Germany, Canada, the UK, Italy and the UAE. In addition, we have a large network of channel partners which sell our products worldwide. Currently, DeviceLock employs about 60 people, half of them working in R&D.
5
Select US, EMEA and APAC customers
- Organizations in 100+ countries
- Historically: Financial, Government, Defense, Defense Contractor, Health Care, Energy, Bio-Tech, Manufacturing, Education, Resorts & Casinos
- Major production installation: 80,000+ seats (in US)
- Recently: organizations of any type regardless of industry, size, geography…

With its 20-year history on the international market, DeviceLock has thousands of customers in more than 100 countries. Historically, they came from data-security-sensitive industries, including Financial, Government, Defense, Defense Contractor, Health Care, Energy, Bio-Tech, Manufacturing, Education and Resorts & Casinos. More recently, the need for DLP solutions is coming from organizations of any type regardless of their industry, size and geography. Some of DeviceLock's customers from the US, EMEA and Asia Pacific are shown on this slide.
6
Recognition from Professionals
- 5-star rating in 2012, 2013, 2015, 2016
- “The Swiss Army knife of endpoint security”, 2015
- “Very effective endpoint DLP application with all of the bells and whistles you might think of, plus some that you may not”, 2016
- “It is very focused on DLP and does that extremely well”, 2016

These screenshots and quotes from recent product reviews in popular IT and infosecurity magazines in the U.S. are independent confirmation that the DeviceLock DLP solution is highly recognized on the international market and top-rated by IT security professionals.
7
Problem & Solution
8
The Data Leakage Problem
- What is a data leak/breach? A security incident in which confidential, protected or sensitive business-related data are accidentally or deliberately released to an untrusted environment or to unauthorized users outside or inside the organization
- What is leaked? Payment card data, client/employee PII, patient PHI, IP, confidential information, trade secrets, state classified data…
- How does data get leaked? External attacks: malware infiltration through software vulnerabilities, hacking, social engineering (e.g. phishing). Internal roots: insider mistakes, negligence, misconduct and theft; system glitches & misconfigurations
- What are the consequences? Financial and reputational damages, loss of business; large fines and expensive litigation; damage to national security

In the information security context, “data leak” (or “data breach”) means a security incident in which confidential, protected or sensitive data used in the corporate IT system are accidentally or deliberately released to an untrusted environment or become uncontrollably accessible to unauthorized users outside or inside the organization. What is leaked? Any valuable business-related or personal information. It is not only payment card data stored in a bank or Protected Health Information (PHI) of patients kept by a hospital; for other businesses it may be corporate confidential information, intellectual property (IP), trade secrets, private customer data, Personally Identifiable Information (PII) of employees, or even state classified data. How does data get leaked? It happens when the organization does not really control who has access to its valuable business data and what they are allowed to do with this data. Data breaches may be caused by external activities or internal reasons. External attacks usually involve malware infiltration through vulnerabilities in software used in the organization, as well as phishing and other social engineering techniques.
Data leaks may also have internal roots, including, for instance, system glitches and misconfigurations. However, the major internal reason for data leaks in organizations is human nature. Employees, clients, contractors, partners – all legitimate users of the corporate IT system – are humans whose accidental mistakes, negligence, curiosity or misconduct may lead to data leaks. Some users may also fall victim to phishing attacks. Others may purposely steal corporate information. Once those people who are not supposed to see restricted-access data get it in their possession, they may sell it, publish it or use it in other ways to negatively impact the organization. In any instance, data leaks may cause heavy financial and reputational damages, lead to large penalties, expensive litigation and loss of business, or even cause damage to national security.
9
Real Threat to Any Organization
- No one is immune: banks, insurance companies, healthcare providers, telcos, chain & online retailers…
- Internet giants: Yahoo!
- Social networks: VKontakte
- Tax authorities: U.S. Internal Revenue Service
- Military: U.S. Office of Personnel Management
- Porno-site & hookup sex services: Adult Friend Finder
- Mobile phone hacking vendor: Cellebrite
- Risk Based Security 2016: 4,149 incidents worldwide with 4.2 billion exposed records (570% increase vs 2015)
- Identity Theft Resource Center 2016: 1,093 data breaches in U.S. (40% increase vs 2015)

The data leakage problem is not marketing hype; it is happening every day in various organizations across the world. Statistics from all credible sources show the same threatening picture: data breaches affect businesses across all industries, as well as the non-profit and government sectors. These are not only banks, chain and online retailers, insurance companies and hospitals. No one is immune to data breaches: just look at the list of indicative incidents that happened in 2016: tax authorities, military, a porno-site and even a company that develops mobile phone hacking solutions. Worse yet, this threat to corporate IT is growing: in the database of international breaches maintained by Risk Based Security, more than 4 thousand incidents were registered last year worldwide with a total of 4.2 billion compromised records, which is a 570% growth in comparison with 2015. At the same time, a 40% increase in the number of data breaches has been reported for the U.S. in 2016 by the Identity Theft Resource Center.

Sources: Informationisbeautiful.net, David McCandless © 2017; Risk Based Security, 2017; Identity Theft Resource Center, 2017
10
Biggest Data Security Risk for Corporate IT
- New data leak threat vectors: cloud “drives” & file sharing, social media, IMs, torrents, mobile BYODs…
- Massive hunt for valuable business & personal data by the cybercrime industry
- Tightened data protection laws: GDPR (EU), Data Protection Bill (UK), NDB Act 2017 (AU), China’s Cybersecurity Law, Singapore’s Draft Cybersecurity Bill…

Today, data breaches are considered the biggest data security risk for many companies worldwide and, specifically, for those offering their products and services across national borders. This has been confirmed once again in a recent Ponemon Institute survey examining data protection risks in the global economy. How did data breaches become such a big problem, and why? == CLICK == In the past few years, the interplay of key technological, economic and social trends in corporate IT has created a whole new range of data leak threat vectors uncontrolled by conventional network- and IT-infrastructure-centric security solutions. Provisioned with these new exfiltration channels and accelerated by the massive hunt for valuable business and personal data [started] by the cybercrime industry, data breaches have become a real pandemic infecting corporate IT on a global scale. Deep concerns over this threatening situation have reached the level of state, national and international governments and are pushing them to tighten privacy and data protection laws. This significantly increases compliance risks not only for international businesses but also for the majority of local companies in many countries. The most significant example of recently updated data protection laws is the European General Data Protection Regulation (GDPR), which provides for very stringent breach notification requirements and extremely high financial penalties for non-compliance.
[Other countries are following the EU: new data protection regulations have been proposed and are actively discussed in the UK, Australia and Singapore, while China already enacted its new Cybersecurity Law in June ] The last and most materially important reason for ranking data breaches as the biggest security risk is purely economic: they cost a lot of money.

DATA BREACH COSTS

Sources: “Data Protection Risks & Regulations in the Global Economy”, Ponemon Institute LLC, June 2017
11
Data Leaks Cost a Lot of Money
- Average total cost of a data breach in FY2017: US: $7.35 million; EU: $4.58 million
- Average cost per record in FY2017: US: $225; EU: $123-$160
- Extreme reality: $ million total cost of the Home Depot data breach in 2014; $115 million settlement cost for Anthem to end litigation over a massive data breach in 2015
- Non-compliance penalties to increase in 2018: European GDPR: up to €20 million or 4% of total worldwide annual turnover

The costs of a data breach are the direct and indirect expenses incurred by the organization to compensate for damages from the data breach to customers, partners and itself, as well as to pay related fines and penalties awarded by courts and imposed by authorities. In addition, these expenses include loss of revenue [due to loss of business], reputational damages, litigation expenses, etc. According to the latest study by the Ponemon Institute, in FY2017 the financial losses of European companies for every compromised user record were on average in the range of $123-$160, and in the U.S. they reached $225. The average total cost of a data breach for a business in the EU was between $2.8 and $4.6 million depending on the country, while in the U.S. this figure grew to $7.35 million. However, in some specific cases, depending on the size and the business type, the financial damage to a company hit by a data breach can be 1-2 orders of magnitude higher than the average. A couple of such extreme examples are presented here: + The total cost of the Home Depot data breach in 2014 is estimated in the range of $ million. + In the case of health insurer Anthem, they have already paid $115 million only to end litigation over a massive data breach they had in And today it is impossible to even guess how much this data breach will ultimately cost Anthem in total.
However, what is possible to predict with confidence is that after the European General Data Protection Regulation (GDPR) comes into full force in May 2018, the costs of non-compliance with data protection laws will significantly increase for all companies having customers in Europe, regardless of where these businesses are located.

Source: “2017 Cost of Data Breach Study: Global Analysis”, Ponemon Institute LLC, June 2017
12
Most Data Leaks Involve Insiders
- Insider-related data leaks: mistakes, negligence, misconduct, theft; hacking, when insiders fall victim in the social engineering phase (e.g. phishing)
- Ponemon, “2017 Cost of Data Breach Study”: human errors caused 28% of data breaches; most of the 47% of breaches attributed to malicious or criminal attacks relate to criminal insiders and phishing/social engineering
- Ponemon, “Data Protection Risks & Regulations in the Global Economy” survey: negligent or malicious insiders were the root cause of data breaches in 69% of affected organizations
- Black Hat USA 2016/2017 Attendee Surveys: the weakest link in enterprise IT defenses is “end users who violate security policy and are too easily fooled by social engineering attacks”

[Chart: data breach root causes: human error; criminal insiders, phishing, social engineering; SQL injection, malware; system glitch; insider-related leaks]

What is specific and especially dangerous about data breaches is that more than half of them are related to insiders: normal users of corporate IT systems including employees, contractors, partners and clients. The reason is human nature: they make accidental mistakes, may be negligent or engage in misconduct, or become victims of social engineering attacks such as phishing. The latest market and industry statistics show that the majority of data leak incidents involve insiders. Not only because they initiate incidents themselves but also because they make possible many externally initiated data breaches, for instance those hacking attacks that use social engineering methods, such as phishing, to infect corporate computers with malware. === optionally === In its latest 2017 “Cost of Data Breach Study”, Ponemon Institute estimates that 28% of all data breaches were caused directly by human errors. In addition, a significant part of another 47%, which were attributed to the category called “malicious and criminal attacks”, in fact includes incidents related to criminal insiders, as well as ??? victims of phishing and other social engineering.
Therefore, it is safe to estimate that the total percentage of insider-related data breaches accounted for in Ponemon’s study exceeds 50%. An even higher level of data breach dependence on insider actions has been revealed in another recent survey by Ponemon called “Data Protection Risks & Regulations in the Global Economy”: for 69% of organizations affected by data breaches, negligent or malicious insiders were the root cause of these incidents. Importantly, not only statistical data but also top-level IT security professionals point at insiders as the dominant data breach threat factor. When asked to identify the weakest link in the corporate IT security chain, the participants of the Black Hat USA conferences in 2016 and 2017 gave the highest score to end users, because of their habit of violating security policies and their vulnerability to social engineering attacks.

Sources: “2017 Black Hat USA Attendee Survey”, Black Hat, July 2017; “Data Protection Risks & Regulations in the Global Economy” and “2017 Cost of Data Breach Study: Global Analysis”, Ponemon Institute LLC, June 2017
13
DeviceLock Stops Leaks at the Source

[Diagram: DeviceLock snap-in for Microsoft GPMC on the Active Directory Domain Controller; Group Policies delivered to the DeviceLock Agent]

- Software for preventing data leaks from corporate endpoint computers: insider mistakes, negligence, theft, social engineering
- Protection of data in use, data in motion and data at rest
- Lightweight enforcement agent for Windows and Mac: transparent to normal business activities; tamper-proof against users and local sysadmins
- Scalable yet easy to deploy & manage from Active Directory: natively via Group Policies; no involvement of end users and local administrators
- Helps organizations reduce infosecurity risks & comply with IT security standards and regulations

The scale of insider data leaks shouldn’t come as a surprise, because it is actually insiders, normal business users, who generate and use information in any organization. In order to do their job, they use endpoint computers: desktops, laptops, servers and, recently, tablets and other BYOD devices. Therefore, most business data, including confidential data, are created, processed and stored on corporate endpoint computers. == CLICK == If user access to these data and their transfer from the computers are not controlled by the organization, then plenty of easy ways remain completely open for accidentally or deliberately exfiltrating valuable corporate information into the wild. To solve this problem, DeviceLock has developed a software solution that prevents data leakage from corporate endpoint computers by implementing all three main DLP functions: protection of data in use (DIU), data in motion (DIM) and data at rest (DAR). Basically, DeviceLock DLP includes a lightweight enforcement agent installed on every protected computer and a central management console adjustable to the size and type of the corporate network.
Running transparently for users and applications within the scope of normal business processes, DeviceLock Agents detect and prevent unauthorized data access and transfer [operations] through local ports and peripheral devices, as well as [popular] network applications and services. In addition, DeviceLock DLP can discover documents with exposed sensitive content stored at prohibited locations and remediate these data storage policy violations. The solution is simple yet scalable and easy to operate, because its deployment, management and administration can be performed right from the corporate Active Directory by using its native configuration feature, Group Policies. By preventing endpoint data leaks, DeviceLock DLP helps organizations minimize related information security risks and achieve compliance with corporate data use policies, IT security standards and state regulations.
14
Prevented Data Breach Types

[Diagram: DeviceLock Agent (BLOCK / LOG / SHADOW / ALERT) facing three breach types: insider-initiated data leaks & destruction (theft, misconduct, negligence, mistakes); external insider-related data leaks (phishing, exfiltration); external data leaks not involving insiders (vulnerabilities, exfiltration)]

What types of data breaches can be prevented by DeviceLock DLP? === CLICK === In the first place, these are data leaks initiated by insiders, such as employees and other users of corporate IT systems, when they copy, upload or send confidential data from their computers in violation of the corporate data security policy. Or when a malicious room cleaner installs a hardware keylogger on a workstation with a standalone keyboard. The root cause of these data leaks relates to human factors, including accidental mistakes, negligence, deliberate misconduct or data theft committed by insiders. Another type of data breach prevented by DeviceLock DLP is data leaks caused by external attacks hunting for valuable data on corporate computers. Typically, in the final phase of these attacks the malware residing on the infected computer uses network communications to transmit collected data to a destination on the Internet. If these exfiltrating transmissions use network applications or protocols monitored by the DeviceLock Agent, it can intercept, inspect and block them before data leave the computer, because, at the very least, the destinations of malware-initiated data transfers do not belong to partners, clients or other legitimate recipients of outgoing communications allowed by the corporate data security policy to enable normal business processes. These externally initiated data leaks fall into two categories. The first necessarily requires at least the unintentional involvement of an insider, who essentially allows the malware to infect the computer when he or she becomes a victim of a social engineering attack, for instance phishing.
The second category of external attacks does not need any help from insiders because it uses vulnerabilities in operating systems or applications to infect the computer. But that’s not all. By controlling user access to some risky operations on the protected computer, DeviceLock Agents can prevent one more type of data breach: data destruction, when the “format” and “eject” operations are misused by end users. === DOUBLE CLICK ===
15
DeviceLock DLP Overview
DEVICELOCK DLP 8.2

Now let's get a bit deeper into product details.
16
Security Functions (1)
- Contextual controls: prevent data-related operations unnecessary for the business process. Data-in-Use: ports, peripheral and redirected devices, clipboard, local channels. Data-in-Motion: most dangerous network communications
- Content-aware controls: prevent unnecessary transmission & use of confidential data. Channels: removable storage, optical drives, printers, clipboard, locally connected mobile devices, mapped/redirected peripherals, network communications. Textual data: in files, e-mails, webmails, attachments, chats, posts, webforms, images/graphical files, binaries. Data types: file formats, file/document properties, clipboard data types, local synchronization protocol objects, security contexts of IRM-sealed documents
- Content discovery: prevent storage of unprotected confidential data at wrong locations. Data-at-Rest: endpoints, file shares, NAS. Scheduled scans & automatic remediation actions

Which security functions and technologies does DeviceLock DLP implement for its mission? Its principal security function is a comprehensive set of [preventive] contextual controls over data access and transfer operations in local channels and network communications of the protected computer. Contextual controls do not inspect the content of transferred or accessed data. In order to decide whether a controlled operation is allowed or must be blocked, logged or alerted on, the contextual methods detect and use various parameters of the operation context, including who (a user) or what (a process) initiates the operation, when, where from, where to or to whom, and how (through which channel or device) the data are used or transferred.
For instance, with its contextual controls DeviceLock DLP can block or allow operations by recognizing the authenticated user, their security group memberships, the device, network application or protocol used for the operation, the data transfer direction, whether the storage media is encrypted or the network communication is SSL-protected, the date and time of the operation, and where the data are sent to or who the recipient is. However, there are many scenarios that require a deeper level of control intelligence than the operation context alone can provide: for instance, when e-mails with company confidential information are allowed to be sent only to employees but not to recipients outside of the organization. DeviceLock DLP achieves this level of information-centric intelligence by using several content-aware inspection and filtering technologies, so that it can stop only those operations that carry data with content prohibited by specified DLP policies while not interrupting the very same operations with data required for [normal] business processes. In DeviceLock DLP, content-aware controls are enforced for data operations with removable storage, floppy and optical drives; for clipboard copy/paste operations, screenshot captures, document printing, synchronizations with locally connected mobile devices, data exchanges with mapped and redirected peripherals of remote BYOD devices, and for the most dangerous network communications. To prevent leakage of “data-at-rest” stored on corporate endpoints and in the network, DeviceLock DLP supports content discovery. By scanning data residing on file shares and network attached storage in the corporate network, as well as on Windows endpoint computers regardless of where they are used, DeviceLock Discovery locates documents with exposed sensitive content and protects them with automatic remediation actions.
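As an added illustration (not DeviceLock's code), the following Python models how a contextual layer (who, how, when, where to, encrypted or not) and a content-aware layer (what data) combine to decide ALLOW/BLOCK plus LOG, SHADOW and ALERT for one endpoint operation; the corporate domain, group name, business hours and the two content detectors are assumptions constructed for the example.

```python
"""Contextual + content-aware DLP policy evaluation (added illustration,
not DeviceLock's code). All names, rules and sample data are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime

INTERNAL_DOMAIN = "example.com"     # assumed corporate e-mail domain
BUSINESS_HOURS = range(8, 19)       # assumed 08:00-18:59, local time
USB_WRITERS = "USB-Writers"         # assumed security group allowed to write USB


@dataclass
class Operation:
    """Context of one data access/transfer operation: who (user, groups),
    how (channel), when, where to (recipients), whether the target medium is
    encrypted, and the data itself for the content-aware layer."""
    user: str
    groups: frozenset
    channel: str                # "usb", "email", "webmail", "print", ...
    when: datetime
    encrypted: bool = False     # removable media encrypted by an integrated product
    recipients: tuple = ()
    content: str = ""


@dataclass
class Decision:
    action: str = "ALLOW"       # "ALLOW" or "BLOCK"
    log: bool = True            # every controlled operation is logged
    shadow: bool = False        # keep a copy of the data for later review
    alert: bool = False         # real-time notification to security admins
    reasons: list = field(default_factory=list)

    def block(self, reason, alert=False):
        self.action, self.alert = "BLOCK", self.alert or alert
        self.reasons.append(reason)


# ---- content classifiers (content-aware layer) -----------------------------
_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digit runs


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs are not flagged as cards."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def classify(text: str) -> set:
    """Return content labels; a real engine would carry many more detectors."""
    labels = set()
    if any(luhn_ok(m.group()) for m in _CARD_RE.finditer(text)):
        labels.add("PCI")
    if re.search(r"\bconfidential\b", text, re.IGNORECASE):
        labels.add("CONFIDENTIAL")
    return labels


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


# ---- policy evaluation: context first, then content -------------------------
def evaluate(op: Operation) -> Decision:
    d = Decision()
    # Contextual rules: decided from the operation context alone.
    if op.channel == "usb":
        if USB_WRITERS not in op.groups:
            d.block("user not allowed to write to removable storage", alert=True)
        elif not op.encrypted:
            d.block("removable media is not encrypted")
        else:
            d.shadow = True      # permitted writes are shadow-copied for audit
    if op.channel == "webmail" and op.when.hour not in BUSINESS_HOURS:
        d.block("webmail outside business hours")
    if d.action == "BLOCK":
        return d
    # Content-aware rules: same operation, decided by what is being moved.
    labels = classify(op.content)
    external = any(is_external(r) for r in op.recipients)
    if "PCI" in labels and (op.channel == "usb" or external):
        d.block("payment card data leaving the organization", alert=True)
    if "CONFIDENTIAL" in labels and external:
        d.block("confidential document sent to external recipient", alert=True)
    if labels:
        d.shadow = True          # sensitive content is always shadow-copied
    return d


def business_day(hour: int) -> datetime:
    """Constructed timestamp on a weekday, for the samples below."""
    return datetime(2024, 3, 4, hour, 0)


if __name__ == "__main__":
    mail = Operation("bob", frozenset(), "email", business_day(10),
                     recipients=("partner@other.example",),
                     content="Confidential roadmap attached")
    print(evaluate(mail))        # BLOCK with alert: confidential to external
```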
17
Security Functions (2)
- Centralized event logging & data shadowing: policy-based, context/content-aware; automatic log delivery to central database via proprietary secure protocol or SYSLOG; built-in full-text searching & log viewers; graphical and interactive reports with configurable parameters
- Real-time security alerting: SNMP, SMTP, SYSLOG
- Integration with 3rd party removable media encryption solutions: Windows BitLocker To Go, Apple OS X FileVault, Sophos SafeGuard, Symantec Drive Encryption, TrueCrypt, Cardwave SafeToGo™… Fast integration with other encryption products on customer request
- Blocking USB and PS/2 hardware keyloggers
- Tamper-proof agent: protection against users and local sysadmins

Two other important DeviceLock security functions are event logging and data shadowing: + Detailed event logs of all relevant user and administrative activities are recorded and automatically delivered to the central log database via a proprietary secure protocol or standard SYSLOG. + In a similar way, data uploaded through controlled channels, ports and devices can be copied to a hidden local “shadow storage” on the endpoint and then automatically delivered to the central database for further storage, review and analysis. With built-in log viewers and a full-text search component, both event and shadow logs can be effectively used for security information auditing, incident investigations, as well as evidence in court. In addition, several types of graphical and interactive reports with user-configurable parameters can be generated from the logs. To facilitate real-time security monitoring, DeviceLock Agents can generate alerts on various critical events and immediately send them via SMTP e-mails to security administrators, as well as via standard SNMP traps or SYSLOG to external Security Information and Event Management (SIEM) systems. When used together with several 3rd party removable media encryption products, DeviceLock can enforce a policy that allows data to be copied to removable media only if it is encrypted by the 3rd party product.
With this integrated solution, no plain data can leave the computer on removable media, thus eliminating the risk of a data breach in case this media is lost. [DeviceLock currently integrates with Windows BitLocker To Go, macOS FileVault, Sophos SafeGuard, TrueCrypt, Symantec Drive Encryption (formerly PGP Whole Disk Encryption), and SecurStar DriveCrypt software products, as well as with the Cardwave SafeToGo USB flash drive with built-in hardware encryption.] On top of all of the above, DeviceLock can block operations of USB and PS/2 hardware keyloggers. Finally, it is critically important that the DeviceLock Agent can operate in a tamper-proof mode, so that neither end users nor local system administrators can remove the agent or disable its centrally managed DLP controls.
18
Product Components: DeviceLock Endpoint DLP Suite
- Modular functional architecture
- Complementary components
- Optional incremental licensing
- Non-interruptive upgrades

[Diagram: DeviceLock® Core (device/port control, management & administration; Data In Use); NetworkLock™ (network communications control; Data In Motion); ContentLock™ (content inspection & filtering; Data In Use, Data In Motion); DeviceLock Discovery (content scanning of corporate data; Data At Rest); DeviceLock Search Server (full-text searching in shadow & audit logs on endpoints & in network)]

How are these security functions packaged into DeviceLock products? DeviceLock DLP is designed as a modular architecture of standalone products and add-on components whose functional capabilities are complementary to each other, while their management is unified and licensing is optional. As a result, these products and components can be used in various combinations, allowing DeviceLock customers to choose cost-optimized solutions with only those functions necessary to satisfy their current security needs. Yet this modular architecture enables customers to incrementally upgrade the functionality of deployed DeviceLock products as their data protection requirements grow, from the basic device/port control option up to the all-inclusive content-aware DLP solution. === CLICK === The most functional DeviceLock product, called DeviceLock Endpoint DLP Suite, prevents leakage of data when they are used and moved locally on protected endpoint computers, as well as when the data are transmitted from corporate endpoints over network communications. In other words [using the DLP industry lexicon], the Suite implements the functions of “Data-in-Use” and “Data-in-Motion” endpoint leak prevention. The Suite’s fundamental component [and its basic yet very popular standalone product option] is DeviceLock Core.
It enforces fine-grained contextual controls over data access and transfer operations locally on the protected computer, including [user] access to peripheral devices and ports, document printing, clipboard copy/paste operations, screenshot capturing, media format & eject operations, as well as synchronizations with locally connected mobile devices. It is important that DeviceLock Core includes all central management and administration components of the entire Suite and therefore must be used in any Suite installation. Another Suite component, called NetworkLock™, is an optional add-on [module] which can be used together with DeviceLock Core to extend the Suite’s security functions with contextual controls over network communications of protected computers through the most risky applications and protocols, including e-mails, webmails, IMs, cloud-based file storage, social media, web access, and more [local network shares, torrent P2P file sharing, as well as FTP and Telnet protocols]. [NetworkLock uses deep packet inspection (DPI) technology to detect the protocol and application type regardless of the network ports they use. The DPI engine intercepts and disassembles the traffic of the detected application, reconstructs its sessions, and extracts the parameters necessary for enforcing contextual controls, such as who is transferring data and to whom or where to, what is being transferred (for instance, e-mail, instant message, file, webform, or blog post), how the data are transferred (for instance, which type of e-mail or IM is used), and when (e.g. during business hours or on weekends).] The third functional component, ContentLock™, which is also an optional add-on to DeviceLock Core, performs content inspection and filtering of files and other data objects used on or transferred from the protected computer.
For local access and transfer operations, data objects are supplied for analysis to ContentLock by DeviceLock Core, while NetworkLock provides ContentLock with files, messages and other data extracted from network communications. In addition to these preventive components, an optional post-analysis component, DeviceLock Search Server (DLSS), can be used to perform full-text searches in the central audit and shadow log database. DLSS is aimed at making the labor-intensive processes of log analysis during information security audits and [data breach] incident investigations much faster and more accurate. Bundled in different combinations with the basic DeviceLock Core, NetworkLock, ContentLock and DLSS implement various functional subsets of the DeviceLock Endpoint DLP Suite. To prevent leakage of “data-at-rest” stored on corporate endpoints and on network shares, a dedicated content discovery product called DeviceLock Discovery scans files residing on file shares and network attached storage systems in the corporate network, as well as on Windows computers regardless of where they are used, locates documents with exposed sensitive content and protects them with configurable automatic remediation actions. This modular architecture and incremental licensing make DeviceLock DLP a practical solution for organizations of any size and budget, from SMBs to large enterprises.

[Diagram: CONTEXT (Who, What, When, How, Where to) versus CONTENT (What data)]
19
Structural Components
Diagram: DeviceLock Group Policy Manager (DLGPM); DeviceLock Enterprise Manager (DLEM), DeviceLock Management Console (DLMC) or DeviceLock WebConsole; DeviceLock Agent; DeviceLock Discovery Agent; network shares, NAS; DeviceLock Enterprise Server; DeviceLock Content Security Server with DeviceLock Search Server and DeviceLock Discovery Server. Arrows: DLP policies (GPO), DLP policies (RPC), scan policies, scan logs, SMB scans, server settings for DLES and DLSS, search.
Structural components of the DeviceLock solution are presented on this diagram. All or some of these software components should be installed in order to implement the relevant set of licensed functional components described on the previous slide. Arrows on the diagram show the most important types of management communications between the structural components.
- DeviceLock Agent – an endpoint DLP agent that performs all types of data leak prevention functions on its host computer including content inspection, filtering and discovery, device control, event logging and alerting, as well as data shadowing.
- DeviceLock Discovery Agent – dedicated content discovery client software for scanning local file systems and accessible network shares on Windows computers (desktops, laptops or servers) that are not otherwise protected by full-function DeviceLock Agents.
- DeviceLock Discovery Server – content discovery server software that remotely scans files on network shares and storage systems via the SMB/CIFS protocol, deploys and manages DeviceLock Discovery Agents and collects discovery logs.
- DeviceLock management consoles – there are several types of them, including DeviceLock Group Policy Manager, DeviceLock Enterprise Manager, DeviceLock Management Console and DeviceLock WebConsole. The management consoles are used for DLP policy management and administration of DeviceLock Suite components. Customers can choose different consoles depending on the size and type of their corporate network.
- DeviceLock Enterprise Server (DLES) – an optional server component for centralized storage of audit and shadow logs collected from managed DeviceLock Agents. DLES uses Microsoft SQL Server to store its data. In deployments without Active Directory, DLES can also be used for delivering DLP policies to managed DeviceLock Agents.
- DeviceLock Search Server (DLSS) – an optional server component that performs full-text searches in the central audit and shadow log database managed by DLES.
For architectural optimization, DeviceLock Discovery Server and DeviceLock Search Server are implemented as components of an extensible server framework called DeviceLock Content Security Server (DLCSS).
20
Central Management & Administration
- DLP policy server: domain controller in AD networks; DeviceLock Enterprise Server in non-AD networks
- Windows-style management consoles with the same look-and-feel for deployments of any scale:
  - DeviceLock Group Policy Manager: MMC snap-in for Microsoft Group Policy Management Console (GPMC) in Active Directory or Windows Server; native use of Group Policies
  - DeviceLock Enterprise Manager: standalone console for non-AD customers
  - DeviceLock Management Console: MMC snap-in for remote DeviceLock Agent management in small networks; DeviceLock Discovery management
  - DeviceLock WebConsole for standard browsers
- Agent installation, upgrade, removal: no system reboot; unattended centralized or interactive local
One of the main DeviceLock DLP differentiators is that in networks with Active Directory, native Group Policy tools and mechanisms are used for managing DLP policies and DeviceLock Agents. As a result, there is no need for a separate DLP policy server, because the existing domain controller performs this function. In non-Active Directory deployments, the DeviceLock Enterprise Server software running on a standalone server can be used for distributing DLP policies to all managed DeviceLock Agents. DeviceLock DLP offers a flexible set of central management consoles, which have the same look-and-feel GUI and can be tailored to the needs of any size organization – from small businesses to large enterprises. The most popular DeviceLock management console is a custom MMC snap-in to the Microsoft Group Policy Management Console. This native integration enables DeviceLock Agents to be deployed and fully managed via Group Policies from an existing Active Directory installation – without any separate DLP management platform. At the same time, customers that do not use Active Directory are fully supported by another management console – DeviceLock Enterprise Manager, which is a native Windows application that runs on a separate computer. For small installations without any directory (for example, in a W4WG network), the same custom DeviceLock snap-in to MMC can be used to remotely manage DeviceLock Agents on a per-computer basis. This console option is also used for managing DeviceLock Discovery. In addition, DeviceLock offers a web-based management console. It is also important that neither a system reboot nor end user involvement is necessary to install, upgrade and remove DeviceLock Agents.
21
Logging, Shadowing, Alerting, Searching
- DeviceLock Enterprise Server (DLES)
  - Centralized automatic event & shadow log collection
  - Multi-server architecture for load sharing
  - Agent-based server connection quality detection & switching
  - Traffic shaping & data compression for log delivery
  - Central data storage in MS SQL database
  - Built-in Audit and Shadow Log Viewers
  - Real-time agent status and policy consistency monitoring & repair
  - Set of statistical reports: graphical, interactive, configurable parameters
- DeviceLock Search Server (DLSS)
  - Full-text searching in central audit and shadow log database
  - On-demand and scheduled searches
  - Parsing 120+ file & 40+ archive formats, OCR from images in 30+ graphical formats
  - Stemming, noise-word filtering, synonyms, fuzzy & phonic search, variable term weighting, Regular Expressions, Boolean search logic…
  - Facilitates compliance auditing, incident investigations, forensic analysis
- Real-time policy-based alerts to administrators & external SIEM systems: DeviceLock Agents & Discovery Agents via SMTP, SNMP, SYSLOG
For customers that want to centrally log and audit user and administrative actions or use data shadowing to analyze the content of transferred data, an additional management software component is included in the product – DeviceLock Enterprise Server (DLES), which runs on a separate computer. The DeviceLock solution for logging and data shadowing supports automatic log collection and delivery to the central MS SQL database, a multi-server architecture for load sharing and scalability, automatic log server connection quality detection and switching, as well as traffic shaping and data compression for log transmissions to the central server. For convenience, built-in audit and shadow log viewers are included in the solution. Besides its main functions, DLES can centrally monitor the status of deployed DeviceLock Agents and check their policy consistency, which can be repaired remotely if damaged or outdated. DLES can also install, update and uninstall DeviceLock Agents on remote computers using this monitoring feature. In addition, several types of predefined graphical statistical reports with user-configurable parameters can be generated from the logs. The DeviceLock Search Server (DLSS) is an optional component for on-demand and scheduled full-text searching in the central event and shadow log database. DLSS can index and search text in more than 120 file formats and 40+ archive types. Uniquely, a built-in OCR engine enables DLSS to extract and index textual content from images in graphical files of 30+ formats and from pictures embedded in documents and other objects stored in the log database. The OCR function supports 31 languages. The powerful search query language uses “all words” (AND) logic for single words and phrases with wildcards. Synonyms, fuzzy and phonic search methods are also supported, as well as stemming and noise-word filtering for Catalan, English, French, German, Italian, Polish, Portuguese, Russian and Spanish. Search results are sorted by “hit count” by default, with term or field weighting available as options. DeviceLock Agents and DeviceLock Discovery Agents can send configurable real-time alerts on critical events to security administrators and external SIEM systems by using SMTP messages, SNMP traps or the SYSLOG protocol.
22
Operating Platforms
- DeviceLock Agents: Windows NT/2000/XP/Vista/7/8/8.1/10/Server (32/64-bit); Apple Mac OS X/OS X/macOS (32/64-bit); Microsoft RDS, Citrix XenDesktop/XenApp, Citrix XenServer, VMware Horizon View; VMware Workstation, VMware Player, Oracle VM VirtualBox, Windows Virtual PC
- Management Consoles: Windows 2000/XP/Vista/7/8/8.1/10/Server (32/64-bit)
- DeviceLock Enterprise Server, Discovery Server, Search Server: Windows Server (32/64-bit); Microsoft RDS, Citrix XenServer, VMware vSphere Desktop
- DeviceLock WebConsole: any standard web browser
- Directory integration: Microsoft AD (full native), Novell eDirectory, any LDAP
- Databases: Microsoft SQL Server/Server Express 2005 or later
DeviceLock Agents can protect any Windows version starting from Windows NT4. DeviceLock Agent for Mac runs on all Apple operating systems starting from Snow Leopard up to and including the latest macOS Sierra. DeviceLock Agents and Management Consoles have been verified to run on a wide range of virtualized platforms including the dominant remote virtualization solutions, such as Microsoft RDS, Citrix XenDesktop/XenApp, Citrix XenServer and VMware Horizon View, as well as local hypervisor-based products, such as VMware Workstation, VMware Player, Oracle VM VirtualBox and Windows Virtual PC. Citrix and VMware have certified DeviceLock DLP as Citrix® Ready and VMware® Ready respectively. In addition to Windows native management consoles, DeviceLock Agents can be centrally managed from any standard web browser by using DeviceLock WebConsole. DeviceLock’s native management integration with Microsoft Active Directory is complemented by its ability to import objects from any LDAP-compliant directory. Both Microsoft SQL Server 2005 or later and its Express editions can be used by DeviceLock to store the central database of collected event and shadow logs. Optionally, for small installations the logs can be stored centrally in a flat file.
23
Licensing
- Perpetual, with 1st year upgrades and support included
- Annually paid upgrades & support for 2nd year and further
- DeviceLock Core: device/port control & central management
  - Basic Endpoint DLP component, purchased independently
  - Mandatory for solutions with ContentLock or NetworkLock
- NetworkLock: network communications control
  - Optional add-on with DeviceLock (2-license pack: DL+NL)
  - Upgrade from DeviceLock (NL license)
- ContentLock: content filtering
  - Optional add-on with DeviceLock (2-license pack: DL+CL)
  - Upgrade from DeviceLock (CL license)
- DeviceLock Endpoint DLP Suite
  - DeviceLock + ContentLock + NetworkLock (3-license pack)
  - Upgrade from DeviceLock Core, DL+NL or DL+CL
- DeviceLock Search Server (DLSS): optional add-on for Endpoint DLP Suite
- DeviceLock Discovery
  - Shipped independently
  - Bundled/upgraded with any Endpoint DLP Suite variation
DeviceLock products are shipped with a perpetual license that also includes one year of technical support and version upgrades. Upgrades and support for the 2nd and subsequent years may be purchased on an annual subscription basis. To ensure maximum purchasing flexibility for its customers, DeviceLock offers an incremental functional licensing scheme. The entire set of product functions of DeviceLock Endpoint DLP Suite is split into several non-overlapping functional modules: the mandatory “DeviceLock Core” module and the optional “ContentLock” and “NetworkLock” modules. All three modules are included in a single DeviceLock distribution package, but each functional module has a separate license that can be purchased individually. As a result, the aggregate set of features available in a particular DeviceLock 7 installation will depend on the set of functional licenses purchased and activated. Providing complete contextual controls over all local devices, ports, and data channels on the endpoint, DeviceLock Core (DL Core) is the basic module of DeviceLock Endpoint DLP Suite. DeviceLock Core can be used separately as an independent product. At the same time, it is the mandatory basic module of the various functional packages that can additionally include either ContentLock or NetworkLock or both. ContentLock and NetworkLock are available as optional functional add-ons to the DeviceLock Core functionality. Neither of them can be used as an independent product. To turn each of them on, a separate add-on license must be acquired and activated within the Endpoint DLP Suite installation. DeviceLock Search Server (DLSS) is licensed as another optional add-on for any DeviceLock Endpoint DLP Suite installation. It is important to mention that DLSS is supplied free of charge with any package that includes both ContentLock and NetworkLock components. DeviceLock Discovery, which can be licensed and used independently of other DeviceLock DLP components, includes Discovery Server and Discovery Agents. Yet it seamlessly integrates with any installation of DeviceLock Endpoint DLP Suite version 8.x by leveraging the built-in content discovery module of DeviceLock Agents.
24
Contextual Local Controls
Data-in-Use DLP Contextual Local Controls DEVICELOCK DLP 8.2
25
Data-in-Use: Controlled Channels/Scenarios
- Ports/interfaces: USB, FireWire, COM, LPT, IrDA
- Peripheral devices: removable, hard drives, printers, Bluetooth, Wi-Fi, floppy, tape
- Locally connected mobile devices: iPhone/iPad/iPod, MTP, Windows Mobile, BlackBerry, Palm; sync protocols (iTunes, ActiveSync, WMDC, HotSync)
- Removable encrypted: Windows BitLocker To Go™, Apple® OS X FileVault, Sophos® SafeGuard Easy®, SecurStar® DriveCrypt®, TrueCrypt®, PGP® Whole Disk Encryption, Infotecs SafeDisk®, Cardwave SafeToGo™
- Virtual printers and optical drives
- Windows Clipboard: inter/intra-application transfers
- Screenshot captures by PrintScreen and 3rd party applications
- Redirections to VDI and shared app/desktop sessions from remote terminals/BYODs: USB and LPT ports, USB devices, mapped drives (removable, hard, optical), clipboard; Microsoft RDS, Citrix XenDesktop/XenApp, VMware Horizon View
At the contextual level, DeviceLock Agent controls user access and data transfers to practically all computer ports, to peripheral devices including not only physical but also some virtual ones (like printers and optical drives), as well as to locally connected mobile devices of various types. For mobile devices, in addition to general device type-based controls, DeviceLock Core can analyze data exchanges over synchronization protocols between the device and the computer. Data transfers to and from removable devices encrypted by selected 3rd party [removable media] encryption products are controlled independently from the rest of connected removable storage. Other controlled local channels are copy/paste operations in the Windows Clipboard and screenshot capturing with the Print Screen function or by any 3rd party application. And the last, but no less important, controlled channel includes ports, devices and clipboards redirected from remote terminals (BYOD devices) to VDI and shared desktop or application sessions running on host servers in virtualization solutions like Microsoft RDS, Citrix XenDesktop/XenApp and VMware Horizon.
26
Data-in-Use: Contextual Control Capabilities
- Connection interface-independent device type detection & control: removable, hard/optical/floppy/tape drives, printers, mobile devices, Wi-Fi/Bluetooth
- Selective operation controls: read-only, write, format, eject
- Device class-based controls: USB and FireWire storage, printers, HIDs, BT adapters, modems,…
- USB device whitelisting: vendor/product ID, serial number
- Temporary USB whitelisting: on-demand offline policy adjustments for USB devices
- Media whitelisting: access to company-authorized content
- Controls over data transfer to/from 3rd party encrypted removable storage: Windows BitLocker To Go, Apple OS X FileVault, …
- Audit logging, data shadowing, alerting
This is a summary of the most important contextual control capabilities that DeviceLock Core enforces over local DIU channels on protected computers. The fundamental DeviceLock Core feature is its ability to detect the type of a connected device and control its operations regardless of the interface used to connect the device. [For instance, any physical printer will be recognized as a printer regardless of whether it is connected through USB, Wi-Fi or Bluetooth. As a result, there is no way for a user to circumvent a prohibitive printing policy by disconnecting the printer from the controlled USB port and reconnecting it through an uncontrolled Wi-Fi connection.] No less important is that not only Read-only and Write access rights can be selectively controlled but also permissions for Format and Eject operations – for those devices that support them. The product provides easily configurable options to turn on access control for an entire class of devices including, for instance, FireWire storage, HIDs and so on. The highest level of granularity – down to serial numbers – is supported for USB device whitelisting. Temporary USB whitelisting is a must-have capability for temporarily allowing user access to a specific USB device in situations when the computer works offline and is not reachable from the management server for online policy modification. In this case, the required policy adjustment can be delivered and activated in a controlled way by using offline communications with the user of the computer (e.g. telephone call, e-mail, instant messaging, etc.). The media whitelisting feature allows user access to optical storage media (CD/DVD/BR discs) with authorized content even when users do not have permissions to access optical drives. This is useful, for instance, when optical media are used to deploy company-authorized software. DeviceLock Core can control data transfers to/from removable storage devices encrypted by several 3rd party products running on the protected computer. For example, an organization may prohibit copying data from its computers to removable USB drives unless they are encrypted by BitLocker To Go. Such a control eliminates the possibility of a data breach if a USB stick with corporate data is lost or stolen. In addition to preventive controls, DeviceLock Core enables administrators to log monitored DIU operations, shadow-copy the data transferred, and send real-time alerts on critical events and policy violations.
27
Contextual Network Controls
Data-in-Motion DLP Contextual Network Controls DEVICELOCK DLP 8.2
28
Data-in-Motion: Controlled Communications
- E-mail: SMTP/SMTPS, Microsoft Outlook (MAPI), IBM Notes (NRPC)
- Webmail: Gmail, Yahoo!Mail, Hotmail/Outlook.com, AOL Mail, Outlook Web App/Access (OWA), Mail.ru, Yandex Mail, Rambler Mail, GMX.de, Web.de, T-Online.de, freenet.de
- Social Networks: Google+, Facebook (+API), Twitter, LiveJournal, LinkedIn, Tumblr, LiveInternet, MySpace, Disqus, Vkontakte (+API), Odnoklassniki, XING.com, Studivz.de, Meinvz.de
- Instant Messengers: Skype, Skype for Web, Skype Meetings App/Skype for Business Web App, Skype for Business in Outlook Web Client (OWA 365), Viber, ICQ/AOL, MSN Messenger, Jabber, IRC, Yahoo! Messenger, Mail.ru Agent, WhatsApp Web/Windows App, Telegram Web/Desktop
- Cloud Storage Web Services: Dropbox, Google Drive, OneDrive, Amazon S3, iCloud, Box, Cloud Mail.ru, Rusfolder.com, Yandex.Disk, GMX.de, Web.de, MagentaCLOUD, freenet.de
- P2P File Sharing: TCP/UDP/HTTP communications of any torrent clients
- Tor Browser: TOR traffic
- File Shares: SMB network file shares
- Network Protocols: HTTP/HTTPS, FTP/FTPS, Telnet
- Stateful IP Firewall: network connections not controlled by NetworkLock’s DPI (beyond those listed above)
On this slide you can see the profile of network applications, protocols and services controlled by NetworkLock. It is wide enough to reliably cover most insider-related network data leakage scenarios – provided, of course, that the controls are of high quality.
29
Data-in-Motion: Contextual Network Controls
- Agent-resident DPI engine
  - Port-independent detection of protocols, applications, services
  - Message/session reconstruction with file/data/parameter extraction
  - Controls are not limited to specific applications: any web browser, SMTP client, FTP client, torrent agent
  - Extracted data objects passed on to ContentLock for content inspection
- Data exchange permissions
  - Basic/receive/download/view-only access to web sites, services & applications
  - Receive and send IM messages
  - Send messages, web forms, posts, comments
  - Send attachments, upload files
- Inspect plain and SSL-protected traffic
- Whitelisting: network protocols/applications; SSL-protected communications; hosts/IP addresses, ports; web resources (URLs); sender/recipient IDs or e-mail addresses; content inspection
- Blocking HTTP/HTTPS/SOCKS proxy-redirected, Tor Browser and torrent communications
- Built-in stateful IP Firewall: selective filtering of network connections not controlled by NetworkLock’s DPI
- Audit logging, data shadowing, alerting
The quality and main advantages of NetworkLock controls come from its built-in DPI engine, which detects network applications and protocols regardless of the network ports they use. The DPI engine intercepts and disassembles the traffic of the detected application, reconstructs its sessions and extracts the parameters necessary for applying contextual controls. In addition, the payload data, such as messages and files transferred in the communication, can be extracted and – if required – handed over to ContentLock for content inspection. It is important that DPI-based controls are not limited to particular applications running on the protected computer – as a result, NetworkLock controls traffic from any web browser, any SMTP client, any FTP client and any torrent agent. This is one of the key differentiators of DeviceLock Agents versus competing products. [To the best of our knowledge, there is no other endpoint DLP solution on the market with agent-resident DPI.] The DPI technology also enables NetworkLock to flexibly control the level of user permissions to receive and send data in network communications. It starts from basic (receive/download/view-only) access to web services and [network] applications. For Instant Messengers, the basic level allows only chatting but not sending files. The next, more extended level adds permissions to send e-mail and webmail messages, fill in web forms, and publish posts and comments. And, finally, users with full permissions can additionally send e-mails and webmails with attachments, send files via IMs, and upload files to social networks, FTP servers, cloud-based file storage and so on. Another critical capability: NetworkLock can inspect not only plain but also any SSL-protected communications. The inspection is done without any external SSL proxies and is completely transparent to end users. If necessary, some communications can be whitelisted from controls by using a granular mix of various network, user and application-related parameters. It is even possible to control whether the content of whitelisted communications is inspected or not. At the same time, NetworkLock controls cannot be bypassed by communications tunneled through web or SOCKS proxies, anonymized by the Tor Browser, or multiplexed by torrent agents: these communications can be detected and blocked. On top of all the above, a built-in stateful packet firewall can be used to additionally filter those connections not controlled by the DPI engine. And, of course, NetworkLock enables administrators to log monitored communications, send real-time alerts on DLP policy violations, and shadow-copy the data transferred to the network from protected computers.
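The port-independent detection and the tiered receive/send/upload permissions described on this slide, as an added example in Python (not DeviceLock or NetworkLock code): a toy DPI-style classifier labels a TCP flow from its leading payload bytes alone, extracts the who/where-to/what context a rule needs, and then compares the permission level a policy grants for that protocol against what the flow actually does. The sample flows, the protocol fingerprints and the per-protocol policy are all constructed for illustration; the destination ports are deliberately non-standard to show that they play no part in the decision.

```python
"""Port-independent protocol detection and contextual policy decisions.

Added example (not DeviceLock code): a toy DPI-style classifier that labels a
TCP flow by its payload bytes, extracts the context a DLP rule needs, and maps
the user's permission level to an allow/block decision.
"""
import re

# Constructed sample flows: (destination port, first client payload bytes).
# Ports are deliberately non-standard to show that detection ignores them.
SAMPLE_FLOWS = {
    "http_upload_on_8443": (8443,
        b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n"
        b"Content-Type: multipart/form-data; boundary=x\r\n\r\n--x\r\n"),
    "http_get_on_9000": (9000,
        b"GET /news HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "tls_on_80": (80, bytes.fromhex("160301003d0100003903") + b"\x00" * 20),
    "smtp_on_2525": (2525,
        b"EHLO laptop.example.test\r\nMAIL FROM:<alice@example.test>\r\n"
        b"RCPT TO:<bob@partner.test>\r\nDATA\r\n"),
    "torrent_on_443": (443, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
}

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def detect_protocol(payload: bytes) -> str:
    """Label a flow from its leading payload bytes only (never from the port)."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: type 0x16 (handshake), major version 0x03, then a
    # handshake message of type 0x01 (ClientHello) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return "unknown"


def extract_context(proto: str, payload: bytes) -> dict:
    """Pull out who/where-to/what parameters the way a session reconstructor would."""
    text = payload.decode("latin-1")
    ctx = {"protocol": proto, "action": "receive", "file_transfer": False}
    if proto == "http":
        request_line, _, headers = text.partition("\r\n")
        method, path, _ = request_line.split(" ", 2)
        host = re.search(r"^Host:\s*(\S+)", headers, re.M | re.I)
        ctx.update(host=host.group(1) if host else None, path=path)
        if method in ("POST", "PUT", "PATCH"):
            ctx["action"] = "send"
            ctx["file_transfer"] = "multipart/form-data" in headers
    elif proto == "smtp":
        sender = re.search(r"MAIL FROM:<([^>]*)>", text)
        ctx.update(action="send",
                   sender=sender.group(1) if sender else None,
                   recipients=re.findall(r"RCPT TO:<([^>]*)>", text))
    elif proto == "bittorrent":
        ctx.update(action="send", file_transfer=True)
    return ctx


# Permission levels as listed on the slide, from most to least restrictive.
LEVEL_RANK = {"none": 0, "receive": 1, "send": 2, "send_files": 3}

# Constructed policy for one user: view-only web, full e-mail, no torrents.
POLICY = {"http": "receive", "tls": "receive", "smtp": "send", "bittorrent": "none"}


def required_level(ctx: dict) -> str:
    if ctx["file_transfer"]:
        return "send_files"
    return "send" if ctx["action"] == "send" else "receive"


def decide(policy: dict, ctx: dict) -> str:
    """Allow when the granted level for this protocol covers what the flow does."""
    granted = policy.get(ctx["protocol"], "none")  # unknown protocols are left to the firewall
    return "allow" if LEVEL_RANK[granted] >= LEVEL_RANK[required_level(ctx)] else "block"


def evaluate_flows(policy: dict, flows: dict) -> dict:
    decisions = {}
    for name, (_port, payload) in flows.items():
        proto = detect_protocol(payload)
        decisions[name] = decide(policy, extract_context(proto, payload))
    return decisions


if __name__ == "__main__":
    for name, verdict in evaluate_flows(POLICY, SAMPLE_FLOWS).items():
        print(f"{name:24} {verdict}")
```

Running the block blocks the multipart upload on port 8443 (the policy grants view-only web access) and the torrent handshake on port 443, while the plain GET, the TLS ClientHello on port 80 and the SMTP session on port 2525 are allowed; a real engine would additionally need TLS interception to see inside the ClientHello's session.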
30
Data-in-Use/Motion DLP
Content-Aware Controls DEVICELOCK DLP 8.2
31
Channels with Preventive Content Controls
- Local channels
  - Removable storage
  - Floppy
  - Optical drives
  - Document printing: local and network
  - Windows Clipboard
  - Screenshot capturing: PrintScreen and 3rd party applications
  - Mapped drives and redirected clipboards of remote BYOD/terminals: VDI and shared application/desktop sessions on virtualization host servers
- Network communications
  - E-mails
  - Webmails
  - Social Networks
  - Instant Messengers
  - Web access to cloud storage services
  - FTP file transfers
  - Web applications (HTTP/HTTPS)
Extending DeviceLock DLP capabilities beyond contextual controls, ContentLock can inspect and filter the content of data received from DeviceLock Core and NetworkLock. For local channels, preventive content controls are available for removable storage devices, floppy and optical drives, printing to local and network printers, the Windows Clipboard, screenshot capturing, as well as for mapped drives and clipboards redirected to VDI sessions or shared desktop and application sessions from remote BYOD devices or terminals. Regarding network communications, ContentLock inspects and can block in real time most of those controlled by NetworkLock, except SMB, Telnet, Tor Browser, WhatsApp Web and torrent-based file sharing. [Telnet was not designed to transfer any considerable amount of data and is therefore ineffective for data theft – so it is basically useless to filter its content, and simply blocking Telnet for anybody but admins is sufficient. For torrents and Tor Browser, content inspection of their traffic is practically unfeasible. At the same time, torrents and Tor Browser are generally not used in corporate IT and are rather considered threat vectors. So it is enough to give IT security administrators an option to reliably block these communications. As to WhatsApp Web, it uses a sophisticated end-to-end encryption scheme, which at this moment eliminates any possibility to inspect message content at the endpoint.]
32
Detectable Content
- Content types: textual data, data types
- Textual data extraction
  - 120+ file formats & 40+ archives (including nested)
  - E-mails, webmails, instant messages, web forms, posts, comments, textual data, file and folder names, unidentified binary data
  - Images in 30+ graphical formats, screenshots, pictures in documents, e-mails, webmails, instant messages: built-in agent OCR technology
- Verified file types
  - Binary signature based, extension-independent
  - 5,300+ formats with 37 prebuilt, customizable & user-defined file type groups
- File and document properties
  - File type, name, size, modification date, password-protected, embedded image properties, process name …
  - Title, subject, tags, categories, comments, author …
- Clipboard data types: files, textual data, images, audio, unidentified
- Sync protocol objects (iTunes, ActiveSync, WMDC, HotSync): calendar, contact, e-mail, attachment, file, media, note, task, …
- Security contexts of Oracle IRM-sealed documents
ContentLock can detect and use for its controls two types of content: textual data and various data types. Textual data can be extracted for inspection from more than 120 character-based file formats and 40+ archive types, as well as from other data objects such as e-mails, webmails, instant messages, web forms, comments, textual data, file and folder names, and even unidentified binary data. By using its built-in OCR technology, ContentLock can also extract and inspect textual data presented as images in graphical files of 30+ formats, screenshots and pictures embedded in documents and other data objects, such as e-mails and webmails, instant messages and so on. Verified File Type detection is another method used by ContentLock to enforce content-aware controls. A binary content signature-based method is used to reliably detect the actual file type regardless of its extension or header. Another file-related group of detectable data types includes many file and document properties. Several types of data can also be recognized and selectively controlled in clipboard operations, including files, text, images, audio and data of unidentified type. When data are transferred between protected computers and locally connected mobile devices through synchronization protocols, it is possible to detect protocol objects like Calendar, Contact, File, e-mail and so on and use them for content-aware controls. In addition, security contexts of Oracle IRM-sealed documents can be used to select a document or class of documents in content-aware DLP policies.
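Verified file type detection, as an added example in Python (not ContentLock code): the real format is read from the file's leading bytes, compared with what the extension claims, and a file-type-group policy is applied to the detected type rather than to the name. The signature table, the extension-to-type mapping, the file-type groups and the sample file contents are all constructed for illustration, and the table covers only a handful of common formats rather than the thousands the product lists.

```python
"""Verified file type detection by binary signature, independent of extension.

Added example (not DeviceLock code): detect the real format of a file from its
leading bytes, compare it with what the file name claims, and apply a
file-type-group policy to the detected type rather than the extension.
"""

# (label, signature, offset); more specific checks come first.
MAGIC_SIGNATURES = [
    ("pdf",  b"%PDF-", 0),
    ("png",  b"\x89PNG\r\n\x1a\n", 0),
    ("jpeg", b"\xff\xd8\xff", 0),
    ("gif",  b"GIF8", 0),
    ("zip",  b"PK\x03\x04", 0),                          # also OOXML, JAR, APK
    ("ole",  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0),    # legacy .doc/.xls/.ppt
    ("exe",  b"MZ", 0),                                  # PE/DOS executables, DLLs
    ("rar",  b"Rar!\x1a\x07", 0),
    ("gzip", b"\x1f\x8b", 0),
]

# Which detected types an extension may legitimately carry (constructed mapping).
EXTENSION_TYPES = {
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
    "zip": {"zip"}, "docx": {"ooxml"}, "xlsx": {"ooxml"}, "pptx": {"ooxml"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"}, "exe": {"exe"}, "dll": {"exe"},
    "rar": {"rar"}, "gz": {"gzip"}, "txt": {"text"},
}

# Constructed file-type groups, in the spirit of the prebuilt groups on the slide.
FILE_TYPE_GROUPS = {
    "Executables": {"exe"},
    "Archives": {"zip", "rar", "gzip"},
    "Office documents": {"ooxml", "ole", "pdf"},
    "Images": {"png", "jpeg", "gif"},
}


def verify_file_type(data: bytes) -> str:
    """Return the detected type label, using only the content of the file."""
    for label, sig, off in MAGIC_SIGNATURES:
        if data[off:off + len(sig)] == sig:
            if label == "zip" and b"[Content_Types].xml" in data[:512]:
                return "ooxml"  # Office Open XML package (docx/xlsx/pptx)
            return label
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    # Plain text: printable characters plus the usual whitespace only.
    return "text" if all(ch.isprintable() or ch in "\t\r\n" for ch in text) else "unknown"


def analyze(name: str, data: bytes) -> dict:
    """Detected type, the extension's claim, and whether the two disagree."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = verify_file_type(data)
    expected = EXTENSION_TYPES.get(ext, set())
    groups = sorted(g for g, members in FILE_TYPE_GROUPS.items() if detected in members)
    return {"name": name, "extension": ext, "detected": detected,
            "mismatch": bool(expected) and detected not in expected,
            "groups": groups}


def decide(name: str, data: bytes, denied_groups: set) -> str:
    """Block when the verified type belongs to a denied group; the extension is ignored."""
    info = analyze(name, data)
    return "block" if denied_groups.intersection(info["groups"]) else "allow"


# Constructed sample contents (headers only; enough for the signature checks).
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "budget.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 22 + b"[Content_Types].xml" + b"\x00" * 8,
    "holiday.jpg": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 22 + b"[Content_Types].xml",  # docx renamed
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",  # executable renamed
    "readme.txt": "Quarterly notes\nNothing sensitive here.\n".encode(),
}

if __name__ == "__main__":
    for fname, blob in SAMPLE_FILES.items():
        info = analyze(fname, blob)
        print(f"{fname:14} detected={info['detected']:7} mismatch={info['mismatch']} "
              f"-> {decide(fname, blob, {'Executables'})}")
```

With "Executables" denied, the renamed executable notes.txt is blocked even though nothing in its name suggests a program, and holiday.jpg is reported as a mismatch because its content is an Office Open XML package; a policy that denies "Office documents" blocks it on that basis.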
33
Content Specification Methods
- Textual content
  - Structured data: keywords and RegExp patterns
  - Pre-built industry/country specific Keyword dictionaries (160+) and RegExp validators (90+)
  - Customizable, user-defined
  - Keyword morphological analysis: English, French, German, Italian, Portuguese, Russian, Spanish, Catalan Spanish
  - Numerical thresholds, case sensitivity, word forms and weight
- Verified file types: pre-built (37), customizable, user-defined groups
- File and document properties
- Clipboard data types
- Sync protocol objects
- Compound content definitions: various matching criteria applied to content types and combined by Boolean operators, e.g. ({regexp("\b(?<patient>\w+)\s+(\k<patient>)\b")>10} OR ({regexp(…)>5}) AND …
Diagram: compound content definitions built from textual content, verified file types, file/document properties, clipboard data types and sync objects.
In order to detect content, it should be specified in the DLP policy. For defining textual content, DeviceLock uses structured data types including keywords and Regular Expressions, which can be combined with numerical thresholds to specify triggering conditions. To ease the task of specifying content patterns, ContentLock is shipped with hundreds of pre-built industry- and country-specific keyword dictionaries, as well as RegExp validators for common sensitive information types, such as Social Security Numbers, credit cards, bank accounts, addresses, driving licenses, etc. In addition, security administrators can define their own keyword dictionaries and Regular Expression validators, as well as modify those pre-built in ContentLock. The accuracy of content detection is increased by morphological analysis of keywords in eight popular languages. Verified file types, file and document properties, clipboard data types and synchronization protocol objects are other content detection methods that can be used independently or in combination with textual patterns. To increase the flexibility of its content filtering policies, ContentLock uses so-called compound content definitions, which specify multiple matching criteria for various content types and combine them in a logical aggregate. This method enables DeviceLock administrators to specify DLP rules with content definitions of any required complexity.
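The content specification methods on this slide, as an added example in Python (not ContentLock code and not its policy syntax): a keyword dictionary with a crude stand-in for morphological word forms, two RegExp validators (a US-style SSN pattern and a card-number pattern checked with the Luhn algorithm so arbitrary digit runs do not count), numerical thresholds, and a compound content definition that combines the detectors with AND/OR in the same shape as the slide's `{regexp(...)>N} OR (...) AND ...` expression. The rule, the keyword list, the thresholds and the two sample documents are all constructed for illustration.

```python
"""Content detection rules: keyword dictionaries, RegExp validators with
numerical thresholds, and compound definitions combined with Boolean logic.

Added example (not DeviceLock code and not its policy syntax): the rule
structures and sample texts below are constructed for illustration.
"""
import re


# --- detectors: each returns a hit count for a piece of text ----------------

def count_keywords(text: str, dictionary: list) -> int:
    """Whole-word, case-insensitive matches; a crude stand-in for morphological
    analysis accepts common English suffixes (patient, patients, ...)."""
    pattern = r"\b(?:" + "|".join(re.escape(w) for w in dictionary) + r")(?:s|es|ed|ing)?\b"
    return len(re.findall(pattern, text, re.IGNORECASE))


# US-style SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


def count_ssn(text: str) -> int:
    return len(SSN_RE.findall(text))


# 13-16 digits with optional single spaces/dashes, validated with Luhn so that
# arbitrary digit runs (order numbers, references) are not counted as cards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_cards(text: str) -> int:
    hits = 0
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits += 1
    return hits


MEDICAL_TERMS = ["confidential", "patient", "diagnosis", "prescription"]  # constructed dictionary

DETECTORS = {
    "medical_keywords": lambda t: count_keywords(t, MEDICAL_TERMS),
    "ssn": count_ssn,
    "credit_card": count_cards,
}

# --- compound content definition -------------------------------------------
# Nested tuples mirror the slide's "{regexp(...)>N} OR (...) AND ..." shape:
#   ("gt", detector, n)  -> detector count > n
#   ("and", rule, ...) / ("or", rule, ...) / ("not", rule)
PHI_RULE = ("and",
            ("gt", "ssn", 0),
            ("or", ("gt", "medical_keywords", 2), ("gt", "credit_card", 0)))


def evaluate(rule: tuple, counts: dict) -> bool:
    op = rule[0]
    if op == "gt":
        return counts[rule[1]] > rule[2]
    if op == "and":
        return all(evaluate(r, counts) for r in rule[1:])
    if op == "or":
        return any(evaluate(r, counts) for r in rule[1:])
    if op == "not":
        return not evaluate(rule[1], counts)
    raise ValueError(f"unknown operator {op!r}")


def inspect(text: str, rule: tuple = PHI_RULE) -> dict:
    """Run every detector once, then decide the compound rule on the counts."""
    counts = {name: fn(text) for name, fn in DETECTORS.items()}
    return {"counts": counts, "blocked": evaluate(rule, counts)}


# Constructed sample documents (fictitious data; 4111... is a well-known test number).
MEDICAL_NOTE = (
    "CONFIDENTIAL: patient record\n"
    "Patients: John Doe, SSN 123-45-6789\n"
    "Diagnosis: seasonal allergies, follow-up in 6 weeks\n"
    "Billing card on file: 4111 1111 1111 1111\n"
    "Reference (invalid number, should be ignored): 1234 5678 9012 3456\n"
)
TEAM_MEMO = ("Team lunch on Friday. Order reference 1234 5678 9012 3456, "
             "bring the diagnosis of last week's outage for discussion.\n")

if __name__ == "__main__":
    for label, doc in (("medical note", MEDICAL_NOTE), ("team memo", TEAM_MEMO)):
        print(label, inspect(doc))
```

The medical note trips the rule (one SSN plus four keyword forms, with the Luhn-valid card counted and the reference number ignored), while the team memo, which contains the word "diagnosis" and a 16-digit reference that fails Luhn, does not; in a real policy the thresholds are what keep such incidental hits from blocking ordinary traffic.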
34
Agent-Resident OCR
- Graphical files, archives, screenshots, embedded images in documents, e-mails, instant messages, posts
- 30+ graphical formats
- Multilingual: 30+ languages, among others Chinese (2), Japanese, Korean and Arabic
- Improved recognition: rotated/mirrored/inverted images
- Advantages of distributed agent-resident OCR architecture
  - OCR-based DLP extended to computers outside of the corporate network
  - Leaks prevented via both network & local data channels: local printing, saving documents to pen-drives, clipboard operations, screenshot captures, data transfer to redirected peripherals of remote BYOD devices
  - Dramatically reduced server processing payload and network bandwidth consumption
Complementing textual content detection in data objects with character-based encoding, a built-in optical character recognition (OCR) module allows ContentLock to extract and inspect pieces of text from images in graphical files of more than 30 formats, as well as from pictures embedded in documents, files, e-mails, instant messages, posts to social networks and so on. With 31 languages recognized (including the most popular Asian languages and Arabic, among others) and text extraction from rotated, mirrored and inverted images, this agent-resident OCR engine gives DeviceLock customers the ability to detect and protect confidential data presented in graphical form. Unique to DeviceLock DLP is that the OCR module runs in each of its enforcement components: the DeviceLock Agent, the DeviceLock Discovery Agent and the DeviceLock Discovery Server. This distributed OCR architecture tremendously improves the overall performance, functional scope and reliability of the solution. Because graphical objects on endpoints are scanned and inspected locally by agent-resident OCR modules, the load on the Discovery Server and the scan traffic in the corporate network are dramatically reduced. Other major advantages of endpoint-resident DeviceLock OCR in comparison with server-based OCR solutions directly relate to DLP functions:
- DeviceLock extends the reach of OCR-based DLP security to employees’ computers used outside of the corporate network, for instance on a business trip or at home.
- DeviceLock OCR prevents textual data leakage in images not only via network communications but also via local data channels on the endpoint, including local printing, copying files to a pen-drive or via the clipboard, making screenshots or transferring data to redirected peripherals of remote BYOD devices.
35
Data-at-Rest DLP Content Discovery DEVICELOCK DLP 8.2
36
Content Discovery (1)
Functions
- Scan and inspect content of files in the corporate IT environment
- Detect content stored in wrong places
- Remediate, alert, log and report data-at-rest policy violations
Structure
- DeviceLock Discovery Server
- DeviceLock Discovery Agent
- Optionally, discovery module built into DeviceLock Agent
- DeviceLock Management Console
Targets
- SMB file shares and NAS
- Windows endpoints: local file system & connected storage devices; local synchronization folders of cloud-based file sharing applications; email repositories (.OST, .PST)

DeviceLock Discovery is a separate functional component of DeviceLock DLP that enables organizations to gain visibility and control over confidential “data-at-rest” stored across their IT environment in order to proactively prevent data breaches and achieve compliance with regulatory and corporate data security requirements. By automatically scanning files residing on network shares, storage systems and Windows endpoint computers inside and outside (with the DeviceLock Agent) of the corporate network, DeviceLock Discovery locates documents with exposed sensitive content and provides options to protect them with remediation actions, as well as to initiate incident management procedures by sending real-time alerts to Security Information and Event Management (SIEM) systems and/or data security personnel in the organization. Structurally, DeviceLock Discovery includes the DeviceLock Discovery Server, Discovery Agents and the DeviceLock Management Console. Optionally, when used together with the DeviceLock Endpoint DLP Suite, discovery modules built into DeviceLock Agents can be used for scanning protected computers.
37
Content Discovery (2)
Operation modes
- Agentless ► Discovery Server via SMB
- Agent-based ► Discovery Agent or DeviceLock Agent scans local files, connected removable storage and accessible network shares on protected computers
- Hybrid ► configurable combination of scans performed by Server and Agents
- Automatic, non-interruptive Discovery Agent installation & removal centrally from Discovery Server
Content detection methods
- Textual content: files, archives, images in graphical files and documents
- Types of data: file types, file/document properties, embedded image properties
Remediation actions
- Delete, Safe Delete, Delete Container, Set Permissions, Log, Alert, Notify User, Encrypt (EFS)

Depending on the network topology and specifications, DeviceLock Discovery can perform scans in agentless, agent-based and hybrid scanning modes. In the agentless mode, the DeviceLock Discovery Server scans files on network shares and storage systems accessible via the SMB protocol. Both DeviceLock Discovery Agents and DeviceLock Agents can be used in the agent-based mode for scanning data stored on their host computers and accessible network shares. It is very convenient for security administrators that DeviceLock Discovery Agents can be installed on and removed from target computers remotely by the DeviceLock Discovery Server in a fully automatic and transparent manner. By using the full set of ContentLock features, DeviceLock can discover textual data in more than 120 file formats and 40 types of nested archives, as well as within pictures in documents and graphical files. In addition, data types can be used as parameters for content discovery, including file types, file and document properties, as well as properties of images embedded in documents. When a file with exposed sensitive content is discovered, a set of automatic remediation actions can be enforced, including Delete, Safe Delete, Delete Container, Set Permissions (for NTFS files), Log, Alert, Notify User, as well as Encrypt the file (with EFS for NTFS files).
38
DeviceLock Virtual DLP
DEVICELOCK DLP 8.2
39
DeviceLock Virtual DLP
- Context/content-aware endpoint DLP for BYOD solutions based on remote virtualization: Microsoft RDS, VMware Horizon View, Citrix XenDesktop/XenApp
- Prevents data leaks from VDI and shared desktop/app sessions on virtualization hosts:
  - Mapped drives (removable, hard, optical), redirected USB devices, clipboard and serial ports of remote BYOD/terminals
  - Local channels at the host server
  - Network communications
- DeviceLock DLP Agent is virtually “remoted” to every connected BYOD device; separate DLP policies for every session/user
- Mobile OS-independent endpoint DLP for remote virtualization-based BYOD programs
- Low OPEX: corporate IT does not have to maintain/support employee-owned devices
- Employees happy to keep full control over their devices and private data

The DeviceLock Virtual DLP feature extends the reach of DeviceLock data leak prevention capabilities to a variety of virtual computing solutions. These include session-based and streamed desktops and applications, as well as local virtual machines on hypervisors. Supported desktop and application virtualization solutions from major vendors include Microsoft RDS, Citrix XenApp, Citrix XenDesktop and VMware View. Virtual DLP complements the inherent capabilities of these solutions to isolate virtual and host environments by providing a comprehensive set of contextual and content filtering policies. These policies are enforced over data flows between centrally hosted virtual desktops or applications and redirected peripheral devices of remote terminal endpoints, including mapped drives, the clipboard, USB and serial ports. In addition, user network communications from within the terminal session are controlled by DeviceLock DLP mechanisms. Centralized event logging and data shadowing are also fully supported for all Virtual DLP scenarios.

As a result, by using the DeviceLock Endpoint DLP Suite in BYOD implementations based on virtualization platforms from Microsoft, Citrix, VMware and others, organizations can fully control virtual corporate environments on employees’ personal devices. In addition, they can monitor, inspect and filter the content of all data exchanges between the protected virtual workspace and the personal part of the BYOD device, its local peripherals and the network – i.e., all those destinations outside of the corporate border that should be treated as insecure. DeviceLock Virtual DLP controls enforced at the edge of virtual platforms ensure that data from the corporate IT environment and the host BYOD environment are not intermingled. All necessary business-related data exchanges between the two environments are allowed based on least-privilege DLP policies, and employees maintain full control over the device platform, personal applications and their private data. In addition, the employee remains fully responsible for device maintenance and support, which provides a distinct advantage over the conventional BYOD approach, whereby the enterprise can be responsible for causing problems with the personal device and its owner’s private data. Best of all, the DLP protection delivered by Virtual DLP to BYOD solutions based on desktop and application virtualization is universal and works for all types of BYOD devices. These can include mobile platforms such as iOS, Android and Windows RT, thin terminal clients with Windows CE, Windows XP Embedded or Linux, as well as any computers that run OS X, Linux or Windows. Organizations standardized on any virtualization platform for their BYOD strategies will benefit greatly from deploying the DeviceLock Endpoint DLP Suite, since it is the most effective, straightforward and affordable way of implementing comprehensive endpoint DLP services for any type of BYOD device.
40
What’s New DEVICELOCK DLP 8.2
41
Main New Features in Version 8.2
- Contextual & content-aware controls for Skype for Web, Skype Meetings App/Skype for Business Web App, Skype for Business in Outlook Web Client (OWA 365): separate for outgoing messages and files; browser independent (for web-based versions)
- Contextual & content-aware controls for Viber
- Content inspection of files transferred from VDI/desktop/app sessions to mapped drives on remote BYOD/terminals: Virtual DLP for Microsoft RDS, VMware Horizon View, Citrix XenDesktop/XenApp
- Separate content-aware policies for every local sender & remote recipient combination in user communications:
  - Email addresses: IBM Notes, MS Outlook (MAPI), SMTP, webmails
  - IM identifiers: ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, Viber, Yahoo Messenger, Skype & all Skype for Web variants
- Contextual controls for Telegram Desktop and Telegram Web
- Tor Browser traffic blocking regardless of its obfuscation methods
- SYSLOG support for centralized log collection and alerting
- Assigning different log servers for collecting logs from particular user accounts or groups
- Scheduled indexing and searching by DLSS in the central shadow/audit log database
- DeviceLock Agent for Mac supports macOS “Sierra”
- Relations Chart: interactive log-based HTML report for easy analysis of user relationships based on their communications inside and outside of the organization

This slide summarizes the main new features added in DeviceLock DLP version 8.2. To see the full list of new capabilities and improvements, please visit the DeviceLock website.
42
Relations Chart – Interactive Reporting & Analysis Tool
With the interactive Relations Chart report generated from log data on user communications, DeviceLock administrators can conveniently review and easily analyze relationships between users within the organization and with their external contacts. This HTML-based report, which can be viewed in a web browser or in the DeviceLock Management Console, shows user connections for the following applications and protocols: ICQ/AOL Messenger, Jabber, Mail.ru Agent, Skype, Skype for Web, Windows Messenger, Yahoo Messenger, MAPI, IBM Notes, SMTP, Webmails, and Social Networks. Information on user relationships is presented in the form of a node-link graph, with nodes representing domains and users, and links representing communications between them. The graph can be zoomed in and out, and each of its nodes can be repositioned for the most convenient and informative viewing. Information displayed for each node can be incrementally expanded in order to show various types and amounts of logged data – including all or some of the users belonging to domain nodes, as well as internal and external communications for user nodes. To ease the task of information mining, the graph supports “visual filtering”: the administrator can highlight an individual node with all its connections, or a single connection between two nodes, while the rest of the connections in the graph are grayed out. In the “highlight” mode, hovering the cursor over a user node generates a callout bubble with the list of identities used for communications, linked to the computers hosting these identities. If the cursor is placed over a highlighted link, the callout bubble shows a table with statistical data on logged communications between the nodes, including channels used (e.g. SMTP, MAPI, Skype), directions, total size of data transferred, and the number of messages sent or sessions opened in each direction.

The graphical format of the report and its interactive visual filtering mechanisms make log viewing and analysis far more convenient and less laborious.
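As an added illustration (not DeviceLock's own code), the following Python builds the node-link model the Relations Chart is described with from a few constructed log events: user and domain nodes, the per-user identity-to-host list behind the callout bubble, per-link statistics (channels, direction, size, message count) and the highlight-mode filtering. The event field names and sample values are assumptions, not DeviceLock's log schema.

```python
from collections import defaultdict

# Constructed sample log events (assumed field names, not DeviceLock's schema).
# "direction" is relative to the local user: "out" = local -> remote.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "WS-01", "channel": "SMTP", "direction": "out",
     "local": "alice@corp.example", "remote": "bob@corp.example", "bytes": 2048},
    {"user": "alice", "host": "WS-01", "channel": "Skype", "direction": "out",
     "local": "live:alice", "remote": "live:partner", "bytes": 512},
    {"user": "bob", "host": "WS-02", "channel": "MAPI", "direction": "in",
     "local": "bob@corp.example", "remote": "alice@corp.example", "bytes": 4096},
    {"user": "bob", "host": "WS-02", "channel": "SMTP", "direction": "out",
     "local": "bob@corp.example", "remote": "vendor@partner.example", "bytes": 1024},
]


def domain_of(identity):
    """Domain part of an e-mail style identity; IM identifiers have none."""
    return identity.split("@", 1)[1].lower() if "@" in identity else None


def build_relations_graph(events):
    """Return (users, domains, links).

    users:   node id -> {identity: set(hosts)}      (callout-bubble data)
    domains: domain  -> set(user node ids)           (domain nodes)
    links:   (a, b), a < b -> {"channels", "messages": {"a->b", "b->a"}, "bytes"}
    """
    # Pass 1: which local user owns which identity, so that a remote identity
    # that belongs to an internal user resolves to that user's node.
    identity_owner = {e["local"]: e["user"] for e in events}
    users = defaultdict(lambda: defaultdict(set))
    links = {}
    for e in events:
        src = e["user"]
        users[src][e["local"]].add(e["host"])
        dst = identity_owner.get(e["remote"], e["remote"])
        # External contacts become their own node, keyed by identity, with no host.
        users[dst].setdefault(e["remote"], set())
        sender = src if e["direction"] == "out" else dst
        a, b = sorted((src, dst))
        stats = links.setdefault((a, b), {"channels": set(),
                                          "messages": {"a->b": 0, "b->a": 0},
                                          "bytes": 0})
        stats["channels"].add(e["channel"])
        stats["messages"]["a->b" if sender == a else "b->a"] += 1
        stats["bytes"] += e["bytes"]
    # Domain nodes group users by the domains of their e-mail identities.
    domains = defaultdict(set)
    for node, identities in users.items():
        email_domains = {domain_of(i) for i in identities if domain_of(i)}
        for d in email_domains or {"(no domain)"}:
            domains[d].add(node)
    return {n: dict(ids) for n, ids in users.items()}, dict(domains), links


def highlight(links, node):
    """'Visual filtering': keep only the links touching `node`, grey out the rest."""
    return {pair: s for pair, s in links.items() if node in pair}


def link_stats(links, a, b):
    """Link callout data, reported from a's point of view (sent/received)."""
    x, y = sorted((a, b))
    s = links.get((x, y))
    if s is None:
        return None
    fwd, back = ("a->b", "b->a") if (a, b) == (x, y) else ("b->a", "a->b")
    return {"channels": sorted(s["channels"]), "sent": s["messages"][fwd],
            "received": s["messages"][back], "bytes": s["bytes"]}


if __name__ == "__main__":
    users, domains, links = build_relations_graph(SAMPLE_EVENTS)
    print(domains)
    print(link_stats(links, "alice", "bob"))
    print(sorted(highlight(links, "alice")))
```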
43
Typical Endpoint DLP Scenarios
DEVICELOCK DLP 8.2
44
Saving Documents to Removable Storage
- Permissions per user, user group, computer, computer group, OU
- Control at the device type level AND/OR port level (USB)
- Whitelist as USB device, temporary whitelist
- Transfer direction: read-only, write
- Format and eject permissions
- Plain or encrypted storage: e.g. by BitLocker To Go
- Time-based policy: hour-based weekly schedule
- Allowed file types, also types of embedded images and other objects (e.g. Excel in Word)
- Specified file and document properties: name, size, password-protected, author, accessing process …
- Textual content inspection: char-based data; OCR in embedded images and graphical files
- Log, shadow-copy, alert on policy events
[Diagram labels: Save File, Overwrite, DeviceLock Agent]
45
Clipboard Ops & Screenshot Capturing
- Permissions per user, user group, computer, computer group, OU
- Inter-app controls only, or intra-app transfers also controlled
- Time-based policy: hour-based weekly schedule
- Clipboard:
  - What types of data are allowed to copy (files, text, image, audio, unidentified)
  - For detected files and images: all file type/properties controls
  - For files, images, text and unidentified: textual content inspection in char-based data; OCR in embedded images and graphical files
- Screenshots:
  - Separate controls for PrintScreen and 3rd party utilities
  - All file type/properties controls for captured images
  - OCR-based textual content inspection
- Log, shadow-copy, alert on policy events
[Diagram label: DeviceLock Agent]
46
Sending SMTP Emails
Any SMTP client controlled
- Permissions per user, user group, computer, computer group, OU
- Time-based policy: hour-based weekly schedule
- Both plain and SSL-protected emails inspected and controlled
- Receive-only mode
- Sending emails without/with attachments
- Whitelisting based on SSL, IP, FQDN, sender and recipient addresses/domains
- All file type/property-based controls applied to outgoing attachments
- Textual content inspection: outgoing emails, attachments; OCR for inline images, attached graphical files and embedded images
- Log, shadow-copy, alert on policy events
[Diagram label: DeviceLock Agent]
47
Sending Webmails
Web browser-independent controls
- Selectively for Gmail, Yahoo!Mail, Hotmail/Outlook.com, AOL Mail, Outlook Web App/Access (OWA), Mail.ru, Yandex Mail, Rambler Mail, GMX.de, Web.de, T-Online.de, freenet.de
- Permissions per user, user group, computer, computer group, OU
- Time-based policy: hour-based weekly schedule
- Both plain and SSL-protected webmails inspected and controlled
- Receive-only mode
- Sending webmails without/with attachments
- Whitelisting based on webmail services, SSL, sender and recipient addresses/domains
- All file type/property-based controls applied to outgoing attachments
- Textual content inspection: outgoing webmails, attachments; OCR for inline images, attached graphical files and embedded images
- Log, shadow-copy, alert on policy events
[Diagram label: DeviceLock Agent]
48
Using Skype, Skype for Web, Skype for Business
- Permissions per user, user group, computer, computer group, OU
- Time-based policy: hour-based weekly schedule
- Receive-only mode for messages
- Incoming/outgoing media calls
- Send outgoing messages
- Send outgoing files
- Whitelisting based on sender and recipient Skype names, for chats, files and calls
- All file type/property-based controls applied to outgoing files
- Textual content inspection: outgoing messages, files; OCR for graphical files and embedded images
- Web browser-independent controls of Skype for Web
- Log, shadow-copy (chats & files), alert on policy events
[Diagram label: DeviceLock Agent]
49
Web Access to Cloud File Storage
Web browser-independent controls
- Selectively for Dropbox, Google Drive, OneDrive, Amazon S3, iCloud, Box, Cloud Mail.ru, Rusfolder.com, Yandex.Disk, GMX.de, Web.de, MagentaCLOUD, freenet.de
- Permissions per user, user group, computer, computer group, OU
- Time-based policy: hour-based weekly schedule
- Both plain and SSL-protected access inspected and controlled
- Browse content/download-only mode
- Sending comments (POST requests)
- Uploading files
- All file type/property-based controls for uploaded files
- Textual content inspection: outgoing webform data, files; OCR for graphical files and embedded images
- Log, shadow-copy, alert on policy events
[Diagram label: DeviceLock Agent]
50
Using Social Media
Web browser-independent controls
- Selectively for Google+, Facebook (+API), Twitter, LiveJournal, LinkedIn, Tumblr, LiveInternet, MySpace, Disqus, Vkontakte (+API), Odnoklassniki, XING.com, Studivz.de, Meinvz.de
- Permissions per user, user group, computer, computer group, OU
- Time-based policy: hour-based weekly schedule
- Both plain and SSL-protected webmails inspected and controlled
- View-only mode
- Sending messages, comments, posts
- Uploading files
- All file type/property-based controls for uploaded files
- Textual content inspection: outgoing messages, comments, posts, files; OCR for graphical files and embedded images
- Log, shadow-copy, alert on policy events
[Diagram label: DeviceLock Agent]
51
Generic Web Access
Controls for any web browser, any web application
- Permissions per user, user group, computer, computer group, OU
- Time-based policy: hour-based weekly schedule
- Both plain and SSL-protected access inspected and controlled
- Basic browse/download-only web access
- Submitting webforms (POST requests)
- Uploading files
- Whitelisting based on SSL, IP, host names, URLs
- All file type/property-based controls for uploaded files
- Textual content inspection: char-based data; OCR in embedded images and graphical files
- Log, shadow-copy, alert on policy events
[Diagram label: DeviceLock Agent]
52
Advantages & Value DEVICELOCK DLP 8.2
53
Technical Differentiators (1)
- The widest set of endpoint contextual controls in the industry: ports, physical/virtual/redirected devices, clipboard, network applications/protocols
- Agent-resident Deep Packet Inspection (DPI):
  - Application/web browser-independent control of network communications via SMTP, HTTP(S), WebDAV, FTP(S), SMB, Telnet, Torrent P2P
  - Web browser-independent access control for popular social networks & cloud file sharing services
- Native policy management and agent administration from Active Directory Group Policies from Microsoft GPMC
- Agent for Mac computers: managed from Active Directory; integration with FileVault
- Instant Messaging: selective content filtering of outgoing messages and files; additionally for Skype and web-based Skype clients: ID-based access control for media calls
- Universal control of Torrent-based P2P file sharing: ability to block TCP/UDP/HTTP communications of any torrent agents
- Tor Browser traffic blocking regardless of its obfuscation methods

DeviceLock product benefits are based on its technical differentiators – those DeviceLock capabilities not supported by other DLP products at all, or implemented with substantial deficiencies [in comparison with DeviceLock].
- First of all, DeviceLock Agent enforces the widest set of endpoint contextual controls in the industry over local ports, peripheral, virtual and redirected devices, the Windows clipboard, as well as [data] leak-prone network applications and protocols. Technically, “the widest” means more local channels and network communications controlled, as well as more control parameters and their configurable options (for example, data operation types and network whitelisting parameters).
- In addition, DeviceLock Agent is the only endpoint DLP agent on the market with a built-in Deep Packet Inspection (DPI) engine, which provides universal, application- and web browser-independent control of user communications via the most risky network protocols and applications [including SMTP, HTTP/HTTPS, WebDAV, FTP(S), Telnet, as well as Torrent-based P2P file sharing].
- DeviceLock DLP can be deployed and fully managed via Group Policies from an Active Directory installation – without any separate DLP management server. In fact, DeviceLock uses Active Directory as its DLP management platform.
- Going beyond DLP for Windows computers, DeviceLock has developed its endpoint agent for Mac computers, which supports essential port and device control capabilities while being conveniently managed via Group Policies from Microsoft Active Directory – in the same uniform way as DeviceLock Agents for Windows. In addition, DeviceLock Agent for Mac integrates with Apple’s FileVault encryption feature in order to allow users to copy data to removable storage only if it is encrypted by FileVault.
- For most of the Instant Messaging applications controlled by DeviceLock, it can inspect and filter the content not only of outgoing files but also of chat messages. An indicative example of such a messenger is Skype desktop and all web-based Skype clients [including those used in Skype for Business]. In addition, DeviceLock can control user permissions to make and receive Skype media calls depending on their identities.
- Another unique DeviceLock feature is its universal control of Torrent-based file sharing communications for any torrent agents.
- DeviceLock can also completely block Tor Browser communications – regardless of which obfuscation methods are used to hide the Tor traffic.
54
Technical Differentiators (2)
- Agent-resident Optical Character Recognition (OCR): prevents leakage of textual data in images to removable storage, via local printing and from roaming/offline computers; facilitates full-text search in images in the shadow log database
- Universal content filtering for document printing: printer/application-independent, shadowing in searchable PDF; printing control of “non-saved-in-file” documents
- Comprehensive logging & shadowing: centralized, automatic, scalable, content-aware, with built-in full-text searching
- Tamper-proof endpoint agent, including protection from local system administrators
- DeviceLock Virtual DLP: content-aware endpoint DLP for BYOD solutions based on remote virtualization (Microsoft RDS, Citrix XenDesktop/XenApp, VMware View)

- Major advantages of agent-resident DeviceLock Optical Character Recognition (OCR) in comparison with server-based OCR solutions (for instance, the one offered in Websense DLP) include its ability to prevent leakage of sensitive data in images via local data channels on the endpoint, as well as from computers used outside of the corporate network.
- With DeviceLock, data leaks via the printing channel are prevented by a printer- and application-independent content filtering technology that also enables all shadow copies of printed documents to be stored as searchable PDF files – regardless of their original formats. Another capability not supported in competitive DLP products is that DeviceLock can control the content of printed documents even before they have been saved as files in the file system.
- In comparison with competitors, the DeviceLock solution has a more comprehensive and scalable logging subsystem, with automatic log collection to the central database, content-aware data shadowing and built-in full-text searching.
- The tamper-proof DeviceLock Agent protects itself not only from malicious actions of end users but also from local system administrators – a unique feature not available in competitive endpoint DLP agents.
- In addition to all of the above, the DeviceLock Virtual DLP feature delivers content-aware endpoint DLP for BYOD solutions based on remote virtualization platforms, such as Microsoft RDS, Citrix XenDesktop and VMware View. Citrix and VMware have certified DeviceLock DLP as Citrix® Ready and VMware® Ready respectively.
55
Business Advantages & Value
- Better protection from insider data leakage: more endpoint data channels and communications controlled → leakage scenarios blocked; higher quality preventive DLP controls
- Simple and scalable from SMB to large enterprises: Active Directory as DLP management platform
- Cost-saving: easy to learn/deploy/maintain; managed natively via Group Policies from GPMC
- Superior customer investment protection: modular functional licensing & incremental upgrades; basic device control → content-aware endpoint DLP; no re-installation, no infrastructure changes
- Time-proven and trusted: 20 years on the international market; customers from sensitive industries, defense and governments in 100+ countries
- By preventing endpoint data leaks, DeviceLock DLP helps organizations minimize insider-related information security risks and achieve compliance with corporate data use policies, IT security standards and state regulations

DeviceLock technical differentiators, complemented by functional incremental licensing, easy learning, deployment and maintenance, unique scalability, as well as the worldwide trust in the product, altogether define its business advantages over the competition:
- With more endpoint data channels and communications protected at contextual and content levels, more leakage scenarios blocked and a higher control quality, DeviceLock Agent has better preventive DLP controls than its rivals.
- With DeviceLock DLP, there is no need to use a separate management platform, because DeviceLock Agents can be centrally deployed and fully managed natively via Group Policies from the corporate Active Directory. As a result, the solution scales from SMB to large enterprises. To put it simply, DeviceLock DLP is as scalable as Active Directory.
- At the same time, due to its full administrative interface integration with Microsoft GPMC, which is familiar to every system and security administrator, DeviceLock is much easier to learn, deploy and maintain than any other DLP solution.
- Yet any customer investments in DeviceLock products are fully protected, because DeviceLock DLP supports incremental functional upgrades from the basic device control option up to its full content-aware DLP Suite. Importantly, the upgrade does not require DeviceLock re-installation, and neither system nor network modifications have to be made in the customer’s IT infrastructure.
- And, finally, with its 20-year history on the international market and customers from sensitive industries, defense and government in 100+ countries, DeviceLock is a time-proven and trusted infosecurity product.

What is the value of DeviceLock DLP to its users? By preventing endpoint data leaks, it helps organizations minimize insider-related information security risks and achieve compliance with corporate data use policies, IT security standards and state regulations.
56
THANK YOU!