1. DeviceLock Company & Product Introduction
Netherlands

2. Agenda Company Brief Problem & Solution DeviceLock DLP Overview
Data-in-Use DLP: Contextual Local Controls
Data-in-Motion DLP: Contextual Network Controls
Data-in-Use/Motion DLP: Content-Aware Controls
Data-at-Rest DLP: Content Discovery
DeviceLock Virtual DLP
What’s New
Typical Endpoint DLP Scenarios
Advantages & Value
Hi, my name is ___. I represent DeviceLock – a software company whose products are designed to prevent data leakage from endpoint computers. In this presentation, I will introduce the company, the DeviceLock DLP solution, describe its value, main functions, features, and advantages.

3. Company Brief

4. DeviceLock Key Facts Established in 1996
Develops and markets DeviceLock® software
Endpoint device control and data leak prevention solution
DeviceLock products used worldwide
Protecting 7+ million computers in over 80,000 organizations
Privately owned, self-funded international business
Sales HQs in US, offices/representatives in Canada, Germany, UK, Italy, UAE
Channel partner network in all global regions
Team of 60 full-time employees, half of them in R&D
Since its establishment in 1996, DeviceLock provides its customers with a high-quality endpoint security software.
Initially, DeviceLock has built its international brand as the developer of the best-in-industry endpoint device/port control software, which since then has been largely extended up to a full-function endpoint Data Leak Prevention solution.
During its 20-year history, DeviceLock products have been deployed on more than 7 million computers in over 80 thousand organizations worldwide, and today DeviceLock is the most widely used device control software on the global IT security market.
Organizationally, DeviceLock is a small, privately owned, self-funded international business with Sales HQs in the US, as well as regional sales offices and representatives in Germany, Canada, the UK, Italy, and UAE. In addition, we have a large network of channel partners, which sell our products worldwide.
Currently, DeviceLock employs about 60 people including half of them working in our R&D.

5. Select US, EMEA and APAC customers
Organizations in 100+ countries
Historically – Financial, Government, Defense, Defense Contractor, Health Care, Energy, Bio-Tech, Manufacturing, Education, Resorts & Casinos
Major production installation 80,000+ seats (in US)
Recently – any type organizations regardless of industry, size, geography…
Select US, EMEA and APAC customers
With its 20-year history on the international market, DeviceLock has thousands of customers in more than 100 countries.
Historically, they came from data security sensitive industries – including Financial, Government, Defense, Defense Contractor, Health Care, Energy, Bio-Tech, Manufacturing, Education and Resorts & Casinos.
More recently, the need for DLP solutions is coming from any type organizations regardless of their industry, size and geography.
Some of DeviceLock customers from the US, EMEA and Asia Pacific are shown on this slide.

6. Recognition from Professionals
5-star rating in 2012, 2013, 2015, 2016
“The Swiss Army knife of endpoint security”, 2015
“Very effective endpoint DLP application with all of the bells and whistles you might think of, plus some that you may not”, 2016
“It is very focused on DLP and does that extremely well”, 2016
These screenshots and quotes from recent product reviews in popular IT and infosecurity magazines in the U.S. is an independent confirmation that the DeviceLock DLP solution is highly recognized on the international market and top-rated by IT security professionals.

7. Problem & Solution

8. The Data Leakage Problem
What is data leak/breach?
Security incident in which confidential, protected or sensitive business-related data are accidentally or deliberately released to an untrusted environment or unauthorized users outside or inside the organization
What is leaked?
Payment card data, client/employee PII, patient PHI, IP, confidential information, trade secrets, state classified data…
How data get leaked?
External attacks: malware infiltration through software vulnerabilities, hacking, social engineering (e.g. phishing)
Internal roots: insider mistakes, negligence, misconduct and theft; system glitches & misconfigurations
What are consequences?
Financial and reputational damages, loss of business
Large fines and expensive litigations
Damage to national security
In the information security context, “data leak” (or “data breach”) means a security incident in which confidential, protected or sensitive data used in the corporate IT system is accidentally or deliberately released to an untrusted environment or become uncontrollably accessible to unauthorized users outside or inside the organization.
What is leaked? Any valuable business-related or personal information. It is not only payment card data stored in a bank or Protected Health Information (PHI) of patients kept by a hospital – for other businesses it may be corporate confidential information, intellectual property (IP), trade secrets, private customer data, Personally Identifiable Information (PII) of employees, or even state classified data.
How data get leaked? It happens when the organization does not really control who has access to its valuable business data and what is allowed to do with this data. Data breaches may be caused by external activities or internal reasons. External attacks usually involve malware infiltration through vulnerabilities in software used in the organization, as well as phishing and other social engineering techniques. Data leaks may have internal roots – including for instance, system glitches and misconfigurations. However, the major internal reason of data leaks in organizations is human nature. Employees, clients, contractors, partners – all legitimate users of the corporate IT system – are humans whose accidental mistakes, negligence, curiosity or misconduct may lead to data leaks. Some users may also fall victims of phishing attacks. Others may purposely steal corporate information.
Once those people who are not supposed to see restricted access data get it in their possession, they may sell it, publish it or use it in other ways to negatively impact the organization. In any instance, data leaks may cause heavy financial and reputational damages, lead to large penalties, expensive litigations and loss of business, or even cause damage to national security.

9. Real Threat to Any Organization
No one is immune
Banks, insurance companies, healthcare providers, telcos, chain & online retailers…
Internet giants – Yahoo!
Social networks – VKontakte
Tax authorities – U.S. Internal Revenue Service
Military – U.S. Office of Personal Management
Porno-site & hookup sex services – Adult Friend Finder
Mobile phone hacking vendor – Celebrite
Risk Based Security
2016: 4,149 incidents worldwide with 4.2 billion exposed records (570% increase vs 2015)
Identity Theft Resource Center
2016: 1,093 data breaches in U.S. (40% increase vs 2015)
The data leakage problem is not a marketing hype – it is happening every day in various organizations across the world.
Statistics from all credible sources shows the same threatening picture – data breaches affect businesses across all industries, as well as non-profit and government sectors.
These are not only banks, chain and online retailers, insurance companies and hospitals. No one is immune to data breaches: just look at the list of indicative incidents happened in 2016: tax authorities, military, a porno-site and even a company that develops mobile phone hacking solutions.
Worse yet, this threat to corporate IT is growing: in the database of international breaches maintained by Risk Based Security, more than 4 thousand incidents were registered last year worldwide with the total number of compromised records 4.2 billion, which is a 570% growth in comparison with 2015.
At the same time, a 40% increase in the number of data breaches has been reported for the U.S. in 2016 by the Identity Theft Resource Center.
Sources: Informationisbeautiful.net , David McCandless © 2017; Risk Based Security, 2017; Identity Theft Resource Center, 2017

10. Biggest Data Security Risk for Corporate IT
New data leak threat vectors: cloud “drives” & file sharing, social media, IMs, torrents, mobile BYODs ...
Massive hunt for valuable business & personal data by cybercrime industry
Tightened data protection laws:
GDPR (EU), Data Protection Bill (UK), NDB Act 2017 (AU), China’s Cybersecurity Law, Singapore’s Draft Cybersecurity Bill...
Today, data breaches are considered as the biggest data security risk for many companies worldwide and, specifically, for those offering their products and services across national borders. This has been confirmed once again in a recent Ponemon Institute survey exemining data protection risks in the global economy.
How did it happen that data breaches have become so big problem and why?
== CLICK ==
In the past few years, the interplay of key technological, economical and social trends in corporate IT has created a whole new range of data leak threat vectors uncontrolled by conventional network- and IT infrastructure-centric security solutions.
Provisioned with these new exfiltration channels and accelerated by the massive hunt for valuable business and personal data [started] by the cybercrime industry, data breaches have become a real pandemic infecting corporate IT on a global scale.
The deep concerns over this threatening situation have reached the level of state, national and international governments and is pushing them to tighten privacy and data protection laws. This significantly increases compliance risks not only for international businesses but also for the majority of local companies in many countries. The most significant example of recently updated data protection laws is the European General Data Protection Regulation (GDPR), which makes provision of very stringent breach notification requirements and extremely high financial penalties for incompliance. [Other countries are following the EU: new data protection regulations have been proposed and are actively discussed in the UK, Australia and Singapore while China already enacted its new Cybersecurity Law in June ]
The last and the most materially important reason of ranking data breaches as the biggest security risk is purely economical – they cost a lot of money.
DATA BREACH COSTS
Sources: “Data Protection Risks & Regulations in the Global Economy”, Ponemon Institute LLC, June 2017

11. Data Leaks Cost a Lot of Money
Average total cost of a data breach in FY2017
US: $7.35 million
EU: $ $4.58 million
Average cost per record in FY2017
US: $225
EU: $123- $160
Extreme reality
$ million – total cost of the Home Depot data breach in 2014
$115 million settlement cost for Anthem to end litigation over a massive data breach in 2015
Incompliance penalties to increase in 2018
European GDPR: up to €20 million or 4% of the total worldwide annual turnover
The costs of a data breach are the direct and indirect expenses incurred by the organization to compensate damages from the data breach to customers, partners, and themselves, as well as pay related fines and penalties awarded by courts and imposed by authorities. In addition, these expenses include loss of revenue [due to loss of business], reputational damages, litigation expenses, etc.
According to the latest study by the Ponemon Institute, in FY2017 financial losses of European companies for every compromised user record were on average in the range of $123 - $160 and in the U.S. they reached $225. The average total cost of a data breach for a business in EU was between $2.8 and $4.6 million depending on the country, while in the U.S. this figure grew to $7.35 million.
However, in some specific cases – depending on the size and the business type – the financial damage to the company hit by data breach can be 1-2 orders of magnitude higher than the average. A couple of such extreme examples are presented here:
+ The total cost of the Home Depot data breach in 2014 is estimated in the range of $ million.
+ In case of health insurer Anthem, they have already paid $115 million only to end litigation over a massive data breach they had in And today it is impossible to even guess how much this data breach will ultimately cost to Anthem in total.
However, what is possible to predict with confidence is that after the European General Data Protection Regulation (GDPR) comes into full force in May 2018 the costs of incompliance with data protection laws will significantly increase for all companies having customers in Europe – regardless of where these business are located.
Source: “2017 Cost of Data Breach Study: Global Analysis” Ponemon Institute LLC, June 2017

12. Most Data Leaks Involve Insiders
Insider-related data leaks
Mistakes, negligence, misconduct, theft
Hacking – when insiders fall victims of social engineering phase (e.g. phishing)
Ponemon: “2017 Cost of Data Breach Study”
Human errors caused 28% of data breaches
Most of the 47% breaches attributed to malicious or criminal attacks relate to criminal insiders, phishing/social engineering
Ponemon: “Data Protection Risks & Regulations in the Global Economy” survey
Negligent or malicious insiders – root cause of data breaches in 69% of affected organizations
Black Hat USA 2016/2017 Attendee Surveys
Weakest link in enterprise IT defenses – “end users who violate security policy and are too easily fooled by social engineering attacks”
Human
error
Criminal
insiders,
Phishing, Social engineering
SQL
injection, Malware
System
glitch
Insider-related leaks
What is specific and especially dangerous about data breaches is that more than half of them are related to insiders – normal users of corporate IT systems including employees, contractors, partners and clients. The reason is human nature – they make accidental mistakes, may be negligent, misconduct or become victims of social engineering attacks, such as phishing.
The latest market and industry statistics shows that the majority of data leak incidents involve insiders. Not only because they initiate incidents themselves but also because they make possible many of externally initiated data breaches – for instance, those hacking attacks that use social engineering methods, such as phishing, to infect corporate computers with malware.
=== optionally ===
In its latest 2017 “Cost of Data Breach Study”, Ponemon Institute estimates that 28% of all data breaches were caused directly by human errors. In addition, a significant part of another 47%, which were attributed to the category called “malicious and criminal attacks”, in fact includes incidents related to criminal insiders, as well as ??? victims of phishing and other social engineering. Therefore, it is safe to estimate that the total percentage of insider-related data breaches accounted for in the Ponemon’s study exceeds 50%.
Even higher level of data breach dependence on insider actions has been revealed in another recent survey by Ponemon called “Data Protection Risks & Regulations in the Global Economy”: for 69% of organizations affected by data breaches, negligent or malicious insiders were the root cause of these incidents.
Important is that not only statistical data but also top-level IT security professionals point at insiders as the dominant data breach threat factor. When asked to identify the weakest link in the corporate IT security chain, the participants of Black Hat USA conferences in 2016 and 2017 had given the highest score to end users – because of their habit to violate security policies and their vulnerability to social engineering attacks.
Sources: “2017 Black Hat USA Attendee Survey” Black Hat, July 2017; “Data Protection Risks & Regulations in the Global Economy”, “2017 Cost of Data Breach Study: Global Analysis” Ponemon Institute LLC, June 2017

13. DeviceLock Stops Leaks at the Source
DeviceLock snap-in
for Microsoft GPMC
Active Directory
Domain Controller
Software for preventing data leaks from corporate endpoint computers
Insider mistakes, negligence, theft, social engineering
Protection of data in use, data in motion and data at rest
Lightweight enforcement agent for Windows and Mac
Transparent to normal business activities
Tamper-proof against users and local sysadmins
Scalable yet easy to deploy & manage from Active Directory
Natively via Group Policies
No involvement of end users and local administrators
Helps organizations reduce infosecurity risks & comply with IT security standards and regulations
Group Policies
DeviceLock Agent
The scale of insider data leaks shouldn’t come as a surprise, because it is actually insiders, normal business users, who generate and use information in any organization. In order to do their job, they use endpoint computers – desktops, laptops, servers and, recently, tablets and other BYOD devices. Therefore, most business data, including confidential, are created, processed and stored on corporate endpoint computers.
== CLICK ==
If user access to these data and their transfer from the computers are not controlled by the organization, then plenty of easy ways remain completely open for accidentally or deliberately exfiltrating valuable corporate information to the wild.
To solve this problem, DeviceLock has developed a software solution that prevents data leakage from corporate endpoint computers by implementing all three main DLP functions – protection of DIU, DIM and DAR.
Basically, DeviceLock DLP includes a lightweight enforcement agent installed on every protected computer and a central management console adjustable to the size and type of corporate network. Running transparently for users and applications in the scope of normal business processes, DeviceLock Agents detect and prevent unauthorized data access and transfer [operations] through local ports and peripheral devices, as well as [popular] network applications and services. In addition, DeviceLock DLP can discover documents with exposed sensitive content stored at prohibited locations and remediate these data storage policy violations.
The solution is simple yet scalable and easy to operate, because its deployment, management and administration can be performed right from the corporate Active Directory by using its native configuration feature – Group Policies.
By preventing endpoint data leaks DeviceLock DLP helps organizations minimize related information security risks and achieve compliance with corporate data use policies, IT security standards and state regulations.

14. Prevented Data Breach Types
Theft
Misconduct
Negligence
Mistakes
Insider-Initiated
Data Leaks
& Destruction
DeviceLock
Agent
BLOCK
LOG
SHADOW
ALERT
Exfiltration
External
Insider-Related
Data Leaks
Phishing
External Data Leaks
Not Involving Insiders
Vulnerabilities
What types of data breaches can be prevented by DeviceLock DLP?
=== CLICK ===
In the first place, these are data leaks initiated by insiders – such as employees and other users of corporate IT systems – when they copy, upload or send confidential data from their computers in violation with the corporate data security policy. Or when a malicious room cleaner installs a hardware keylogger on a workstation with standalone keyboard. The root cause of these data leaks relates to human factors including accidental mistakes, negligence, deliberate misconduct or data theft committed by insiders.
Another type of data breaches prevented by DeviceLock DLP is data leaks caused by external attacks hunting for valuable data on corporate computers. Typically, in the final phase of these attacks the malware residing on the infected computer uses network communications for transmitting collected data to a destination in the Internet. If these exfiltrating transmissions utilize network applications or protocols monitored by DeviceLock Agent, it can intercept, inspect and block them before data leave the computer because, at the very least, the destinations of malware-initiated data transfers do not belong to partners, clients or other legitimate recipients of outgoing communications allowed by the corporate data security policy in order to enable normal business processes.
These externally initiated data leaks could be of two categories. The first one necessarily requires at least unintentional involvement of an insider, which essentially allows the malware to infect the computer when he or she becomes a victim of a social engineering attack, for instance, phishing. And the second category of external attacks does not need any help from insiders because it uses vulnerabilities in operating systems or applications for infecting the computer.
But that’s not all. By controlling user access to some risky operations on the protected computer DeviceLock Agents can prevent one more type of data breaches – data destruction when the “format” and “eject” operations are misused by end users.
=== DOUBLE CLICK ===
Destruction

15. DeviceLock DLP Overview
Now lets get a bit deeper into product details.
DEVICELOCK DLP 8.2

16. Security Functions (1)
Contextual controls – prevent data-related operations unnecessary for the business process
Data-in-Use: Ports, peripheral and redirected devices, clipboard, local channels
Data-in-Motion: most dangerous network communications
Content-aware controls – prevent unnecessary transmission & use of confidential data
Removable storage, optical drives, printers, clipboard, locally connected mobile devices, mapped/redirected peripherals, network communications
Textual data – in files, s, webmails, attachments, chats, posts, webforms, images/graphical files, binaries
Data types – file formats, file/document properties, clipboard data types, local synchronization protocol objects, security contexts of IRM-sealed documents
Content discovery – prevent storage of unprotected confidential data at wrong locations
Data-at-Rest: endpoints, file shares, NAS
Scheduled scans & automatic remediation actions
Which security functions and technologies DeviceLock DLP implements for its mission?
Its principal security function is a comprehensive set of [preventive] contextual controls over data access and transfer operations in local channels and network communications of the protected computer.
Contextual controls do not inspect the content of transferred or accessed data. In order to decide whether a controlled operation is allowed or must be blocked or logged or alerted, the contextual methods detect and use various parameters of the operation context – including who (a user) or what (a process) initiates the operation, when, where from, where to or to whom, and how – through which channel or device – the data are used or transferred. For instance, with its contextual controls DeviceLock DLP can block or allow operations by recognizing the authenticated user, his security group memberships, the device, network application or protocol used for the operation, the data transfer direction, whether the storage media is encrypted or the network communication is SSL-protected, the date and time of the operation, and where the data are sent to or who is the recipient.
However, there are many scenarios that require a deeper level of control intelligence than the operation context alone can provide: for instance, when s with company confidential information are allowed to be sent only to employees but not to recipients outside of the organization.
DeviceLock DLP achieves this level of information-centric intelligence by using several content-aware inspection and filtering technologies – so that it can stop only those operations that carry on data with content prohibited by specified DLP policies while not interrupting the very same operations with data required for [normal] business processes. In DeviceLock DLP, content-aware controls are enforced for data operations with removable storage, floppy and optical drives; for clipboard copy/paste operations, screenshot captures, document printing, synchronizations with locally connected mobile devices, data exchanges with mapped and redirected peripherals of remote BYOD devices, and for the most dangerous network communications.
To prevent leakage of “data-at-rest” stored on corporate endpoints and in the network, DeviceLock DLP supports content discovery. By scanning data residing on file shares and network attached storage in the corporate network, as well as on Windows endpoint computers regardless of where they are used, DeviceLock Discovery locates documents with exposed sensitive content and protects them with automatic remediation actions.

17. Security Functions (2) Centralized event logging & data shadowing
Policy-based, context/content-aware
Automatic log delivery to central database via proprietary secure protocol or SYSLOG
Built-in full-text searching & log viewers
Graphical and interactive reports with configurable parameters
Real-time security alerting
SNMP, SMTP, SYSLOG
Integration with 3rd party removable media encryption solutions
Windows BitLocker To Go, Apple OS X FileVault, Sophos SafeGuard, Symantec Drive Encryption, TrueCrypt, Cardwave SafeToGo™…
Fast integration with other encryption products on customer request
Blocking USB and PS/2 hardware keyloggers
Tamper-proof agent
Protection against users and local sysadmins
Two other important DeviceLock security functions are event logging and data shadowing:
+ Detailed event logs of all relevant user and administrative activities are recorded and automatically delivered to the central log database via a proprietary secure protocol or standard SYSLOG.
+ In a similar way, data uploaded through controlled channels, ports and devices can be copied to a hidden local “shadow storage” on the endpoint and then automatically delivered to the central database for further storage, review and analysis.
With built-in log viewers and a full-text search component, both event and shadow logs can be effectively used for security information auditing, incident investigations, as well as evidence in the court. In addition, several types of graphical and interactive reports with user-configurable parameters can be generated from the logs.
To facilitate real-time security monitoring, DeviceLock Agents can generate alerts on various critical events and immediately send them via SMTP s to security administrators, as well as via standard SNMP traps or SYSLOG to external Security Event & Information Management (SIEM) systems.
When used together with several 3rd party removable media encryption products, DeviceLock can enforce a policy that allows data to be copied to a removable media only if it is encrypted by the 3rd party product. With this integrated solution, no plain data can leave the computer on a removable media thus eliminating the risk of data breach in case this media is lost. [DeviceLock currently integrates with Windows BitLocker To Go, macOS FileVault, Sophos SafeGuard, TrueCrypt, Symantec Drive Encryption (former PGP Whole Disk Encryption), and SecurStar DriveCrypt software products, as well as with Cardwave SafeToGo USB flash drive with built-in hardware encryption.]
On top of all above, DeviceLock can block operations of USB and PS/2 hardware keyloggers.
Finally, it is critically important that the DeviceLock Agent can operate in a tamper-proof mode – so that neither end users nor local system administrators can remove the agent or disable its centrally managed DLP controls.

18. Product Components DeviceLock Endpoint DLP Suite
Modular functional architecture
Complementary components
Optional incremental licensing
Non-interruptive upgrades
DeviceLock Search Server
Full-text searching in shadow & audit logs
on endpoints & in network
DeviceLock
Discovery
Content scanning
Corporate Data
NetworkLock™ Network
communications control
ContentLock™ Content inspection & filtering
Data In Motion
Data In Motion
Data At
Rest
Data At
Rest
DeviceLock® Core Device/port control Management & administration
Data In Use
Data In Use
How these security functions are packed into DeviceLock products?
DeviceLock DLP is designed as a modular architecture of standalone products and add-on components whose functional capabilities are complementary to each other while their management is unified and licensing is optional. As a result, these products and components can be used in various combinations thus allowing DeviceLock customers to choose cost-optimized solutions with only those functions necessary to satisfy their current security needs. Yet this modular architecture enables customers to incrementally upgrade the functionality of deployed DeviceLock products as their data protection requirements grow from the basic device/port control option up to the all-inclusive content-aware DLP solution.
=== CLICK ===
The most functional DeviceLock product called DeviceLock Endpoint DLP Suite prevents leakage of data when they are used and moved locally on protected endpoint computers, as well as when the data are transmitted from corporate endpoints over network communications. In other words [by using the DLP industry lexicon], the Suite implements the functions of “Data-in-Use” and “Data-in-Motion” endpoint leak prevention.
The Suite’s fundamental component [and its basic yet very popular standalone product option] is DeviceLock Core. It enforces fine-grained contextual controls over data access and transfer operations locally on the protected computer including [user] access to peripheral devices and ports, document printing, clipboard copy/paste operations, screenshot capturing, media format & eject operations, as well as synchronizations with locally connected mobile devices. It is important that DeviceLock Core includes all central management and administration components of the entire Suite and therefore must be used in any Suite installation.
Another Suite’s component called NetworkLock™ is an optional add-on [module] which can be used together with DeviceLock Core to extend the Suite’s security functions with contextual controls over network communications of protected computers through most risky applications and protocols – including s, webmails, IMs, cloud-based file storage, social media, web access, and more [local network shares, torrent P2P file sharing, as well as FTP and Telnet protocols].
[NetworkLock uses deep packet inspection (DPI) technology to detect the protocol and application type regardless of the network ports they use. The DPI engine intercepts and disassembles the traffic of detected application, reconstructs its sessions, and extracts their parameters necessary for enforcing contextual controls – such as who is transferring data and to whom or where to, what is being transferred (for instance, , instant message, file, webform, or blog post), how the data are transferred (for instance, which type of or IM is used), and when (e.g. during business hours or on weekends).]
The third functional component – ContentLock™, which is also an optional add-on to DeviceLock Core – performs content inspection and filtering of files and other data objects used on or transferred from the protected computer. For local access and transfer operations, data objects are supplied for analysis to ContentLock by DeviceLock Core, while NetworkLock provides to ContentLock files, messages and other data extracted from network communications.
In addition to these preventive components, an optional post-analysis component – DeviceLock Search Server (DLSS) – can be used to perform full-text searches in the central audit and shadow log database. DLSS is aimed at making much faster and more accurate the labor-intensive processes of log analysis during information security audits and [data breach] incident investigations.
Bundled in different combinations with the basic DeviceLock Core, NetworkLock, ContentLock and DLSS implement various functional subsets of the DeviceLock Endpoint DLP Suite.
To prevent leakage of “data-at-rest” stored on corporate endpoints and on network shares, a dedicated content discovery product called DeviceLock Discovery scans files residing on file shares and network attached storage systems in the corporate network, as well as on Windows computers regardless of where they are used, locates documents with exposed sensitive content and protects them with configurable automatic remediation actions.
This modular architecture and incremental licensing make DeviceLock DLP a practical solution for organizations of any size and budget – from SMBs to large enterprises.
Where to
Who
What
When
How
What data
CONTEXT
CONTENT

19. Structural Components
DeviceLock Group Policy Manager (DLGPM)
DeviceLock
Agent
DeviceLock Discovery Agent
Network Shares, NAS
DLP Policies (GPO)
DLP Policies (RPC)
Scan
Policies
Scan
Logs
Scan
Policies
SMB Scans
Logs
DLP Policies (RPC)
Server Settings
For DLES, DLSS
Search
Structural components of the DeviceLock solution are presented on this diagram. All or some of these software components should be installed in order to implement the relevant set of licensed functional components described on the previous slide.
Arrows on the diagram present most important types of management communications between the structural components.
DeviceLock Agent – an endpoint DLP agent that performs all types of data leak prevention functions on its host computer including content inspection, filtering and discovery, device control, event logging and alerting, as well as data shadowing.
DeviceLock Discovery Agent – a dedicated content discovery client software for scanning local file systems and accessible network shares on Windows computers (desktops, laptops or servers) that are not otherwise protected by full-function DeviceLock Agents.
DeviceLock Discovery Server – a content discovery server software that remotely scans files on network shares and storage systems via the SMB/CIFS protocol, deploys and manages DeviceLock Discovery Agents and collects discovery logs.
DeviceLock management consoles – there are several types of them including DeviceLock Group Policy Manager, DeviceLock Enterprise Manager, DeviceLock Management Console and DeviceLock WebConsole. The management consoles are used for DLP policy management and administration of DeviceLock Suite components. Customers can choose different consoles depending on the size and type of their corporate network.
DeviceLock Enterprise Server (DLES) – an optional server component for centralized storage of audit and shadow logs collected from managed DeviceLock Agents. DLES uses Microsoft SQL Server to store its data. In deployments without Active Directory, DLES can also be used for delivering DLP policies to managed DeviceLock Agents.
DeviceLock Search Server (DLSS) – an optional server component that performs full-text searches in the central audit and shadow log database managed by DLES.
For architectural optimization, DeviceLock Discovery Server and DeviceLock Search Server are implemented as components of an extensible server framework called DeviceLock Content Security Server (DLCSS).
DeviceLock Enterprise Manager (DLEM) or DeviceLock Management Console (DLMC) or DeviceLock WebConsole
DeviceLock
Search Server
DeviceLock Discovery Server
DeviceLock
Enterprise Server
DeviceLock Content Security Server

20. Central Management & Administration
DLP policy server
AD networks: domain controller
Non-AD: DeviceLock Enterprise Server
Windows style management consoles with the same look-n-feel for any scale deployments
DeviceLock Group Policy Manager
MMC snap-in for Microsoft Group Policy Management Console (GPMC) in Active Directory or Windows Server
Native use of Group Policies
DeviceLock Enterprise Manager
Standalone console for non-AD customers
DeviceLock Management Console
MMC snap-in for remote DeviceLock Agent management in small networks
DeviceLock Discovery management
DeviceLock WebConsole for standard browsers
Agent installation, upgrade, removal
No system reboot
Unattended centralized, interactive local
One of the main DeviceLock DLP differentiators is that in networks with Active Directory, native Group Policy tools and mechanisms are used for managing DLP policies and DeviceLock Agents. As a result, there is no need for a separate DLP policy server, because the existing domain controller is used to perform this function.
In non-Active Directory deployments, the DeviceLock Enterprise Server software running on a standalone server can be used for distributing DLP policies to all managed DeviceLock Agents.
DeviceLock DLP offers a flexible set of central management consoles, which have the same look-n-feel GUI and can be tailored to the needs of any size organization – from small businesses to large enterprises.
The most popular DeviceLock management console is a custom MMC snap-in to the Microsoft Group Policy Management Console. This native integration enables for DeviceLock Agents to be deployed and fully managed via Group Policies from an existing Active Directory installation – without any separate DLP management platform.
At the same time, customers that do not use Active Directory are fully supported by another management console – DeviceLock Enterprise Manager, which is a native Windows application that runs on a separate computer.
For small installations without any directory (for example, in a W4WG network), the same custom DeviceLock snap-in to MMC can be used to remotely manage DeviceLock Agents on per-computer basis. This console option is also used for managing DeviceLock Discovery.
In addition, DeviceLock offers a web-based management console.
It is also important that neither system reboot nor end user involvement is necessary to install, upgrade and remove DeviceLock Agents.

21. Logging, Shadowing, Alerting, Searching
DeviceLock Enterprise Server (DLES)
Centralized automatic event & shadow log collection
Multi-server architecture for load sharing
Agent-based server connection quality detection & switching
Traffic shaping & data compression for log delivery
Central data storage in MS SQL database
Built-in Audit and Shadow Log Viewers
Real-time agent status and policy consistency monitoring & repair
Set of statistical reports – graphical, interactive, configurable parameters
DeviceLock Search Server (DLSS)
Full-text searching in central audit and shadow log database
On-demand and scheduled searches
Parsing 120+ file & 40+ archive formats, OCR from images in 30+ graphical formats
Stemming, noise-word filtering, synonyms, fuzzy & phonic search, variable term weighting, Regular Expressions, Boolean search logic…
Facilitates compliance auditing, incident investigations, forensic analysis
Real-time policy-based alerts to administrators & external SIEM systems
DeviceLock Agents & Discovery Agents
SMTP, SNMP, SYSLOG
DeviceLock Enterprise Server (DLES)
DeviceLock Search Server
(DLSS)
For customers that want to centrally log and audit user and administrative actions or use data shadowing to analyze the content of transferred data, an additional management software component is included in the product – DeviceLock Enterprise Server (DLES), which runs on a separate computer.
The DeviceLock solution for logging and data shadowing supports automatic log collection and delivery to the central MS SQL database, multi-server architecture for load-sharing and scalability, automatic log server connection quality detection and switching, as well as traffic shaping and data compression for log transmissions to the central server.
For convenience, built-in audit and shadow log viewers are included in the solution.
Besides its main functions, DLES can centrally monitor the status of deployed DeviceLock agents and check their policy consistency, which can be repaired remotely if damaged or outdated. DLES can also install, update and uninstall DeviceLock Agents on remote computers using this monitoring feature.
In addition, several types of predefined graphical statistical reports with user-configurable parameters can be generated from the logs.
The DeviceLock Search Server (DLSS) is an optional component for on-demand and scheduled full-text searching in the central event and shadow log database. DLSS can index and search texts in more than 120 file formats and 40+ archive types. What is unique, a built-in OCR engine enables DLSS to extract and index textual content from images in graphical files of 30+ formats and pictures embedded in documents and other objects stored in the log database. The OCR function supports 31 language.
An extremely powerful search query uses “all words” (AND) logic for single words and phrases with wildcards. Synonyms, fuzzy and phonic search methods are also supported, as well as stemming and noise-word filtering for Catalan, English, French, German, Italian, Polish, Portuguese, Russian and Spanish.
Search results are sorted by “hit count” by default with term or field weighting possible as options.
DeviceLock Agents and DeviceLock Discovery Agents can send configurable real-time alerts on critical events to security administrators and external SIEM systems by using SMTP messages, SNMP traps or via the SYSLOG protocol.

22. Operating Platforms DeviceLock Agents Management Consoles
Windows NT/2000/XP/Vista/7/8/8.1/10/Server (32/64-bit)
Apple Mac OS X/OS X/macOS – (32/64-bit)
Microsoft RDS, Citrix XenDesktop/XenApp, Citrix XenServer, VMware Horizon View
VMware Workstation, VMware Player, Oracle VM VirtualBox, Windows Virtual PC
Management Consoles
Windows 2000/XP/Vista/7/8/8.1/10/Server (32/64-bit)
DeviceLock Enterprise Server, Discovery Server, Search Server
Windows Server (32/64-bit)
Microsoft RDS, Citrix XenServer, VMware vSphere Desktop
DeviceLock WebConsole
Any standard web-browser
Directory integration
Microsoft AD (full native), Novell eDirectory, any LDAP
Databases
Microsoft SQL Server/Server Express 2005 or later
DeviceLock Agents can protect any Windows versions starting from Windows NT4 and higher.
DeviceLock Agent for Mac runs on all Apple operating systems starting from Snow Leopard and including the latest macOS Sierra.
DeviceLock Agents and Management Consoles have been verified to run on a wide rage of virtualized platforms including dominating remote virtualization solutions, such as Microsoft RDS, Citrix XenDesktop/XenApp, Citrix XenServer, VMware Horizon View, as well as local hypervisor-based products, such as VMware Workstation, VMware Player, Oracle VM VirtualBox, Windows Virtual PC.
Citrix and VMware have certified DeviceLock DLP as Citrix® Ready and VMware® Ready respectively.
In addition to Windows native management consoles, DeviceLock agents can be centrally managed from any standard web browser by using DeviceLock WebConsole.
DeviceLock’s native management integration with Microsoft Active Directory is complemented with its ability to import objects import from any LDAP-compliant directories.
Both Microsoft SQL Server 2005 or later and its Express editions could be used by DeviceLock to store the central database of collected event and shadow logs. Optionally, for small installations the logs might be centrally stored in a flat file.

23. Licensing Perpetual with 1st year upgrades and support included
Annually paid upgrades & support for 2nd year and further
DeviceLock Core – device/port control & central management
Basic Endpoint DLP component – purchased independently
Mandatory for solutions with ContentLock or NetworkLock
NetworkLock – network communications control
Optional add-on with DeviceLock (2-license pack: DL+NL)
Upgrade from DeviceLock (NL license)
ContentLock – content filtering
Optional add-on with DeviceLock (2-license pack: DL+CL)
Upgrade from DeviceLock (CL license)
DeviceLock Endpoint DLP Suite
DeviceLock + ContentLock + NetworkLock (3-license pack)
Upgrade from DeviceLock Core, DL+NL or DL+CL
DeviceLock Search Server (DLSS)
Optional add-on for Endpoint DLP Suite
DeviceLock Discovery
Shipped independently
Bundled/upgraded with any Endpoint DLP Suite variation
DeviceLock products are shipped with a perpetual license that also includes one-year technical support and version upgrades. Upgrades and support for the 2nd and consecutive years may be purchased on an annual subscription basis.
To ensure maximal purchasing flexibility for its customers, DeviceLock offers a functional incremental licensing scheme. The entire set of product functions of DeviceLock Endpoint DLP Suite is split for several non-intersecting functional modules including mandatory “DeviceLock Core” and optional “ContentLock” and “NetworkLock” functional modules. All three modules are included in a single DeviceLock distribution package, but each functional module has a separate license that can be purchased individually. As a result, the aggregate set of features available in a particular DeviceLock 7 installation will depend on the set of functional licenses purchased and activated.
Providing complete contextual controls over all local devices, ports, and data channels on the endpoint, DeviceLock Core (DL Core) is the basic module of DeviceLock Endpoint DLP Suite. DeviceLock Core could be used either separately as an independent product. At the same time, it is the mandatory basic module of various functional packages that could additionally include either ContentLock or NetworkLock or both.
ContentLock and NetworkLock are available as optional functional add-ons to the DeviceLock Core functionality. Neither of them can be used as an independent product. To turn each of them on, a separate add-on license should be acquired and activated within the Endpoint DLP Suite installation.
DeviceLock Search Server (DLSS) is licensed as another optional add-on for any DeviceLock Endpoint DLP Suite installation. Important is to mention that DLSS is supplied free of charge for any packages that include both ContentLock and NetworkLock components.
DeviceLock Discovery, which can be licensed and used independently of other DeviceLock DLP components, includes Discovery Server and Discovery Agents. Yet it seamlessly integrates with any installation of DeviceLock Endpoint DLP Suite version 8.x by leveraging the built-in content discovery module of DeviceLock Agents.

24. Contextual Local Controls
Data-in-Use DLP
Contextual Local Controls
DEVICELOCK DLP 8.2

25. Data-in-Use: Controlled Channels/Scenarios
Ports/interfaces
USB, FireWire, COM, LPT, IrDA
Peripheral devices
Removable, hard drives, printers, Bluetooth, Wi-Fi, floppy, tape
Locally connected mobile devices
iPhone/iPad/iPod, MTP, Windows Mobile, BlackBerry, Palm
Sync protocols (iTunes, ActiveSync, WMDC, HotSync)
Removable encrypted
Windows BitLocker To Go™, Apple® OS X FileVault, Sophos® SafeGuard Easy®, SecurStar® DriveCrypt®, TrueCrypt®, PGP® Whole Disk Encryption, Infotecs SafeDisk®, Cardwave SafeToGo™
Virtual printers and optical drives
Windows Clipboard
Inter/intra-application transfers
Screenshot captures by PrintScreen and 3rd party applications
Redirections to VDI and shared app/desktop sessions from remote terminals/BYODs
USB and LPT ports, USB devices, mapped drives (removable, hard, optical), clipboard
Microsoft RDS, Citrix XenDesktop/XenApp, VMware Horizon View
At the contextual level, DeviceLock Agent controls user access and data transfers to practically all computer ports, to peripheral devices including not only physical but also some virtual (like printers and optical drives), as well as to locally connected mobile devices of various types.
For mobile devices, in addition to general device type-based controls DeviceLock Core can analyze data exchanges over synchronization protocols between the device and the computer.
Data transfers to and from removable devices encrypted by selected 3rd party [removable media] encryption products are controlled independently from the rest of connected removable storage.
Another controlled local channel is copy/paste operations in the Windows Clipboard and screenshot capturing with the Print Screen function or by any 3rd party applications.
And the last, but not less important, controlled channel includes ports, devices and clipboards redirected from remote terminals (BYOD devices) to VDI and shared desktop or application sessions running on host servers in virtualization solutions like Microsoft RDS, Citrix XenDesktop/XenApp and VMware Horizon.

26. Data-in-Use: Contextual Control Capabilities
Connection interface-independent device type detection & control
Removable, hard/optical/floppy/tape drives, printers, mobile devices, Wi-Fi/Bluetooth
Selective operation controls
Read-only, write, format, eject
Device class-based controls
USB and FireWire storage, printers, HIDs, BT adapters, modems,…
USB device whitelisting
Vendor/product ID, serial number
Temporary USB whitelisting
On-demand offline policy adjustments for USB devices
Media whitelisting
Access to company-authorized content
Controls over data transfer to/from 3rd party encrypted removable storage
Windows BitLocker To Go, Apple OS X FileVault, …
Audit logging, data shadowing, alerting
This is a summary of the most important contextual control capabilities that DeviceLock Core enforces over local DIU channels on protected computers.
The fundamental DeviceLock Core feature is its ability to detect the type of connected device and control its operations regardless of the interface used to connect the device. [For instance, any physical printer will be recognized as a printer regardless of whether it is connected through USB, Wi-Fi or Bluetooth. As a result, there will be no way for a user to avoid a prohibitive printing policy by disconnecting the printer from the controlled USB port and reconnecting it through an uncontrolled Wi-Fi connection.]
Not less important is that not only Read-only and Write access rights can be selectively controlled but also permissions for Format and Eject operations – indeed for those devices that support them.
The product provides easily configurable options to turn on access control to the entire class of devices including, for instance, FireWire storage, HIDs and so on.
The highest level of granularity – down to serial numbers – is supported for USB device whitelisting.
Temporary USB whitelisting is a must-have capability of temporarily allowing user access to a specific USB device in situations when the computer works offline and is not reachable from the management server for online policy modification. In this case, the required policy adjustment can be controllably delivered and activated by using offline communications with the user of the computer (e.g. telephone call, , instant messaging, etc.)
The media whitelisting feature allows user access to an optical storage media (CD/DVD/BR disc) with authorized content even in case users do not have permissions to access optical drives. This is useful, for instance, when optical media is used to deploy a company-authorized software.
DeviceLock Core can control data transfers to/from removable storage devices encrypted by several 3rd party products running on the protected computer. For example, an organization may prohibit to copy data from its computers to removable USB drives unless they are encrypted by BitLocker To Go. Such a control eliminates a possibility of data breach if the USB stick with corporate data is lost or stolen.
In addition to preventive controls, DeviceLock Core enables administrators to log monitored DIU operations, shadow-copy the data transferred, and send real-time alerts on critical events and policy violations.

27. Contextual Network Controls
Data-in-Motion DLP
Contextual Network Controls
DEVICELOCK DLP 8.2

28. Data-in-Motion: Controlled Communications
SMTP/SMTPS, Microsoft Outlook (MAPI), IBM Notes (NRPC)
Gmail, Yahoo!Mail, Hotmail/Outlook.com, AOL Mail, Outlook Web App/Access (OWA), Mail.ru, Yandex Mail, Rambler Mail, GMX.de, Web.de, T-Online.de, freenet.de
Webmail
Google+, Facebook (+API), Twitter, LiveJournal, LinkedIn, Tumblr, LiveInternet, MySpace, Disqus, Vkontakte (+API), Odnoklassniki, XING.com, Studivz.de, Meinvz.de
Social Networks
Skype, Skype for Web, Skype Meetings App/Skype for Business Web App, Skype for Business in Outlook Web Client (OWA 365), Viber, ICQ/AOL, MSN Messenger, Jabber, IRC, Yahoo! Messenger, Mail.ru Agent, WhatsApp Web/Windows App, Telegram Web/Desktop
Instant Messengers
Dropbox, Google Drive, OneDrive, Amazon S3, iCloud, Box, Cloud Mail.ru, Rusfolder.com, Yandex.Disk, GMX.de, Web.de, MagentaCLOUD, freenet.de
Cloud Storage Web Services
TCP/UDP/HTTP communications of any torrent clients
P2P File Sharing
TOR traffic
Tor Browser
SMB network file shares
File Shares
HTTP/HTTPS, FTP/FTPS, Telnet
Network Protocols
Network connections uncontrolled by NetworkLock’s DPI (beyond listed above)
Stateful IP Firewall
On this slide you can see the profile of network applications, protocols and services controlled by NetworkLock.
It is wide enough to reliably cover most insider-related network data leakage scenarios – indeed, on the condition that the controls are of a high quality.

29. Data-in-Motion: Contextual Network Controls
Agent-resident DPI engine
Port-independent detection of protocols, applications, services
Message/session reconstruction with file/data/parameter extraction
Controls are not limited to specific applications – web browsers, SMTP clients, ftp clients, torrent agents
Extracted data objects passed on to ContentLock for content inspection
Data exchange permissions
Basic/receive/download/view-only access to web sites, services & applications
Receive and send IM messages
Send messages, web forms, posts, comments
Send attachments, upload files
Inspect plain and SSL-protected traffic
Whitelisting
Network protocols/applications
SSL-protected communications
Hosts/IP addresses, ports
Web resources (URLs)
Sender/recipient IDs or s
Content inspection
Blocking HTTP/HTTPS/SOCKS proxy-redirected, Tor Browser and Torrent communications
Built-in stateful IP Firewall
Selective filtering of network connections uncontrolled by NetworkLock’s DPI
Audit logging, data shadowing, alerting
The quality and main advantages of NetworkLock controls come out from its built-in its built-in DPI engine, which allows detecting network applications and protocols regardless of the network ports they use. The DPI engine intercepts and disassembles the traffic of detected application, reconstructs its sessions and extracts their parameters necessary for applying contextual controls. In addition, the payload data, such as messages and files transferred in the communication, can be extracted and – if required – handed over to ContentLock for content inspection.
It is important that DPI-based controls are not limited to particular applications running on the protected computer – as a result, NetworkLock controls traffic from any web browser, any SMTP client, any FTP client and any Torrent agent. This is one of the key differentiators, DeviceLock Agents have versus competitive products. [To the best of our knowledge, there is no other endpoint DLP solution on the market with agent-resident DPI.]
The DPI technology also enables NetworkLock to flexibly control the level of user permissions to receive and send data in network communications. It starts from the basic (receive/download/view-only) access to web services and [network] applications. For Instant Messengers, the basic level allows only chatting but not sending files. The next more extended level adds permissions to send and webmail messages, fill in web forms, and publish posts and comments. And, finally, users with full permissions can additionally send s and webmails with attachments, send files via IMs, and upload files to social networks, FTP servers, cloud-based file storage and so on.
Another critical capability: NL can inspect not only plain but also any SSL-protected communications. The inspection is done without any external SSL proxies and is completely transparent to end users.
If necessary, some communications can be whitelisted from controls by using a granular mix of various network, user and application-related parameters. It is even possible to control whether the content of whitelisted communications is inspected or not.
At the same time, NetworkLock controls cannot be bypassed by communications tunneled through web or SOCKS proxies, anonymized by the Tor Browser, as well as multiplexed by torrent agents. These communications can be detected and blocked.
On top of all above, a built-in stateful packet firewall can be used to additionally filter those connections uncontrolled by the DPI engine.
And, indeed, NetworkLock enables administrators to log monitored communications, send real-time alerts on DLP policy violations, and shadow-copy the data transferred to the network from protected computers.

30. Data-in-Use/Motion DLP
Content-Aware Controls
DEVICELOCK DLP 8.2

31. Channels with Preventive Content Controls
Local channels
Removable storage
Floppy
Optical drives
Document printing
Local and network
Windows Clipboard
Screenshot capturing
PrintScreen and 3rd party applications
Mapped drives and redirected clipboards of remote BYOD/terminals
VDI and shared application/desktop sessions on virtualization host servers
Network communications s
Webmails
Social Networks
Instant Messengers
Web access to cloud storage services
FTP file transfers
Web applications (HTTP/HTTPS)
Extending DeviceLock DLP capabilities beyond contextual controls, ContentLock can inspect and filter the content of data received from DeviceLock Core and NetworkLock.
For local channels, preventive content controls are available for removable storage devices, floppy and optical drives, printing to local and network printers, the Windows Clipboard, screenshot capturing, as well as for mapped drives and clipboards redirected to VDI sessions or shared desktop and application sessions from remote BYOD devices or terminals.
Regarding network communications, ContentLock inspects and can block in real time most of those controlled by NetworkLock except SMB, Telnet, Tor Browser, WhatsApp Web, SMB and torrent-based file sharing.
[Telnet was not designed to transfer any considerable amount of data and consequently is therefore ineffective for data theft – so it is basically useless to filter its content and simply blocking Telnet for anybody but admins is sufficient. For torrents and Tor Browser, content inspection of their traffic is practically unfeasible. At the same time, torrents and Tor Browser are generally not used in corporate IT and rather considered as threat vectors. So it is enough to give IT security administrators an option to reliably block these communications. As to WhatsApp Web, it uses a sophisticated end-to-end encryption scheme, which at this moment eliminates any possibility to inspect message content at the endpoint.]

32. Detectable Content Content types: textual data, data types
Textual data extraction
120+ file formats & 40+ archives (including nested)
s, webmails, instant messages, web-forms, posts, comments, textual data, file and folder names, unidentified binary data
Images in 30+ graphical formats, screenshots, pictures in documents, s, webmails, instant messages
Built-in agent OCR technology
Verified file types
Binary signature based, extension-independent
5,300+ formats with 37 prebuilt, customizable & user-defined file type groups
File and document properties
File type, name, size, modification date, password-protected, embedded image properties, process name …
Title, subject, tags, categories, comments, author …
Clipboard data types
Files, textual data, images, audio, unidentified
Sync protocol objects (iTunes, ActiveSync, WMDC, HotSync)
Calendar, contact, , attachment, file, media, note, task,..
Security contexts of Oracle IRM-sealed documents
ContentLock can detect and use for its controls two types of content: textual data and various data types.
Textual data can be extracted for inspection from more than 120 character-based file formats and 40+ archive types, as well as in other data objects such as s, webmails, instant messages, web forms, comments, textual data, file and folder names, and even unidentified binary data.
By using its built-in OCR technology ContentLock can also extract and inspect textual data presented as images from graphical files of 30+ formats, screenshots and pictures embedded in documents and other data objects, such as s and webmails, instant messages and so on.
Verified File Type detection is another method used by ContentLock to enforce content-aware controls. A binary content signature-based method is used to reliably detect the actual file type regardless of its extension or header.
Another file-related group of detectable data types includes many file and document properties.
Several types of data can also be recognized and selectively controlled in clipboard operations, including files, text, images, audio and data of unidentified type.
When data are transferred between protected computers and locally connected mobile devices through synchronization protocols, it is possible to detect protocol objects like Calendar, Contact, File, s and so on and use them for content-aware controls.
In addition, security contexts of Oracle IRM-sealed documents can be used to select a document or class of documents in content-aware DLP policies.

33. Content Specification Methods
Textual content
Structured data – keywords and RegExp patterns
Pre-built industry/country specific
Keyword dictionaries (160+) and RegExp validators (90+)
Customizable, user-defined
Keyword morphological analysis
English, French, German, Italian, Portuguese, Russian, Spanish, Catalan Spanish
Numerical thresholds, case sensitivity, word forms and weight
Verified file types
Pre-built (37), customizable, user-defined groups
File and document properties
Clipboard data types
Sync protocol objects
Compound content definitions
Various matching criteria applied to content types and combined by Boolean operators
({regexp("\b(?<patient>\w+)\s+(\k<patient>)\b")>10} OR ({regexp(…)>5}) AND …
Sync
Objects
Textual Content
Verified
File Types
File/Doc Properties
Clipboard Data Types
Compound Content Definitions
In order to detect content it should be specified in the DLP policy.
For defining textual content, DeviceLock uses structured data types including keywords and Regular Expressions, which can be combined with numerical thresholds to specify triggering conditions.
To ease the task of specifying content patterns, ContentLock is shipped with hundreds of pre-built industry- and country-specific keyword dictionaries, as well as RegExp validators for common sensitive information types, such as Social Security Numbers, credit cards, bank accounts, addresses, driving licenses, etc. In addition, security administrators can define their own keyword dictionaries and Regular Expression validators, as well as modify those pre-built in ContentLock.
The accuracy of content detection is increased by morphological analysis of keywords in eight popular languages.
Verified file types, file and document properties, clipboard data type and synchronization protocol objects are other content detection methods that can be used independently or in combination with textual patterns.
To increase the flexibility of its content filtering policies ContentLock uses so-called compound content definitions, which specify multiple matching criteria for various content types and combine them in a logical aggregate. This method enables DeviceLock administrators to specify DLP rules with content definitions of any required complexity.

34. Agent-Resident OCR
Graphical files, archives, screenshots, embedded images in documents, s, instant messages, posts
30+ graphical formats
Multilingual
30+ languages
Among others – Chinese (2), Japanese, Korean and Arabic
Improved recognition
Rotated/mirrored/inverted images
Advantages of distributed agent-resident OCR architecture
OCR-based DLP extended to computers outside of the corporate network
Leaks prevented via both network & local data channels
Local printing, saving documents to pen-drives, clipboard operations, screenshot captures, data transfer to redirected peripherals of remote BYOD devices
Dramatically reduced
Server processing payload
Network bandwidth consumption
Complementing textual content detection in data objects with character-based encoding, a built-in optical character recognition (OCR) module allows ContentLock to extract and inspect pieces of text from images in graphical files of more than 30 formats, as well as from pictures embedded in documents, files, s, instant messages, posts to social networks and so on.
With 31 languages recognized (including most popular Asian and the Arabic among others), text extraction from rotated, mirrored and inverted images, this agent-resident OCR engine delivers to DeviceLock customers the ability to detect and protect confidential data presented in graphical form.
Unique to DeviceLock DLP is that the OCR module runs in each of its enforcement components: the Devicelock Agent, the DeviceLock Discovery Agent and the DeviceLock Discovery Server. This distributed OCR architecture tremendously improves the overall performance, functional scope and reliability of the solution.
Because graphical objects on endpoints are scanned and inspected locally by agent-resident OCR modules, the load on the Discovery Server and the scan traffic in the corporate network are dramatically reduced.
Other major advantages of endpoint-resident DeviceLock OCR in comparison with server-based OCR solutions directly relate to DLP functions:
- DeviceLock extends the reach of OCR-based DLP security to employee’s computers used outside of the corporate network – for instance, in a business trip or at home.
- DeviceLock OCR prevents textual data leakage in images not only via network communications but also via local data channels on the endpoint including local printing, copying files to a pen-drive or via the clipboard, making screenshots or transferring data to redirected peripherals of remote BYOD devices.

35. Data-at-Rest DLP
Content Discovery
DEVICELOCK DLP 8.2

36. Content Discovery (1) Functions Structure Targets
Scan and inspect content of files in the corporate IT environment
Detect content stored at wrong places
Remediate, alert, log and report data-at-rest policy violations
Structure
DeviceLock Discovery Server
DeviceLock Discovery Agent
Optionally – discovery module built in DeviceLock Agent
DeviceLock Management Console
Targets
SMB file shares and NAS
Windows endpoints
Local file system & connected storage devices
Local synchronization folders of cloud-based file sharing applications
repositories (.OST, .PST)
DeviceLock Discovery is a separate functional component of DeviceLock DLP that enables organizations to gain visibility and control over confidential “data-at-rest” stored across their IT environment in order to proactively prevent data breaches and achieve compliance with regulatory and corporate data security requirements.
By automatically scanning files residing on network shares, storage systems and Windows endpoint computers inside and outside (with DL agent) of the corporate network, DeviceLock Discovery locates documents with exposed sensitive content and provides options to protect them with remediation actions, as well as initiate incident management procedures by sending real-time alerts to Security Information and Event Management (SIEM) systems and/or data security personnel in the organization.
Structurally, DeviceLock Discovery includes the DeviceLock Discovery Server, Discovery Agents and DeviceLock Management Console. Optionally, when used together with DeviceLock Endpoint DLP Suite, discovery modules built in DeviceLock Agents can be used for scanning protected computers.

37. Content Discovery (2) Operation modes Content detection methods
Agentless ► Discovery Server via SMB
Agent-based ► Discovery Agent or DeviceLock Agent scan local files, connected removable storage and accessible network shares on protected computers
Hybrid ► configurable combination of scans performed by Server and Agents
Automatic non-interruptive Discovery Agent installation & removal centrally from Discovery Server
Content detection methods
Textual content – files, archives, images in graphical files and documents
Types of data – file types, file/document properties, embedded image properties
Remediation actions
Delete, Safe Delete, Delete Container, Set Permissions, Log, Alert, Notify User, Encrypt (EFS)
Depending on the network topology and specifications, DeviceLock Discovery can perform scans in agentless, agent-based and hybrid scanning modes.
In the agentless mode, DeviceLock Server scans files on network shares and storage systems accessible via the SMB protocol.
Both DeviceLock Discovery Agents and DeviceLock Agents could be used in the agent-based mode for scanning data stored on their host computers and accessible network shares.
It is very convenient for Security Administrators that DeviceLock Discovery Agents can be installed on and removed from target computers remotely by DeviceLock Discovery Server in a fully automatic and transparent manner.
By using the full set of ContentLock features, DeviceLock can discover textual data in more than 120 file formats and 40 types of nested archives, as well as within pictures in documents and graphical files. In addition, data types can be used as parameters for content discovery including file types, file and document properties, as well as properties of images embedded in documents.
When a file with exposed sensitive content is discovered, a set of automatic remediation actions can be enforced including Delete, Safe Delete, Delete Container, Set Permissions (for NTFS files), Log, Alert, Notify User, as well as Encrypt the file (with EFS for NTFS files).

38. DeviceLock Virtual DLP
DEVICELOCK DLP 8.2

39. DeviceLock Virtual DLP
Context/content-aware endpoint DLP for BYOD solutions based on remote virtualization
Microsoft RDS, VMware Horizon View, Citrix XenDesktop/XenApp
Prevents data leaks from VDI and shared desktop/app sessions on virtualization hosts
Mapped drives (removable, hard, optical), redirected USB devices, clipboard and serial ports of remote BYOD/terminals
Local channels at the host server
Network communications
DeviceLock DLP Agent is virtually “remoted” to every connected BYOD device
Separate DLP policies for every session/user
Mobile OS-independent endpoint DLP for remote virtualization-based BYOD programs
Low OPEX – corporate IT do not have to maintain/support employee-owned devices
Employees happy to keep full control over their devices and private data
The DeviceLock Virtual DLP feature extends the reach of DeviceLock data leak prevention capabilities to a variety of virtual computing solutions. These include session-based and streamed desktops and applications, as well as local virtual machines on hypervisors. Supported desktop and application virtualization solutions from major vendors include: Microsoft RDS, Citrix XenApp, Citrix XenDesktop and VMware View.
Virtual DLP complements the inherent capabilities of these solutions to isolate virtual and host environments by providing a comprehensive set of contextual and content filtering policies. These policies are enforced over data flows between centrally hosted virtual desktops or applications and redirected peripheral devices of remote terminal endpoints including mapped drives, the clipboard, USB and serial ports. In addition, user network communications from within the terminal session are controlled by DeviceLock DLP mechanisms. Centralized event logging and data shadowing are also fully supported for all Virtual DLP scenarios.
As a result, by using the DeviceLock Endpoint DLP Suite in BYOD implementations based on virtualization platforms from Microsoft, Citrix, VMware and others, organizations can fully control virtual corporate environments on employees’ personal devices. In addition they can monitor, inspect and filter the content of all data exchanges between the protected virtual workspace and the personal part of the BYOD device, its local peripherals and the network – i.e., all those destinations outside of the corporate border that should be treated as insecure.
DeviceLock Virtual DLP controls enforced on the edge of virtual platforms ensure that data from the corporate IT environment and the host BYOD environment are not intermingled. All necessary business-related data exchanges between the two environments are allowed based on least-privilege DLP policies, and employees maintain full control over the device platform, personal applications and their private data. In addition, the employee remains fully responsible for the device maintenance and support, which provides a distinct advantage over the conventional BYOD approach whereby the enterprise can be responsible for causing problems with the personal device and its owner’s private data.
Best of all, the DLP protection delivered by Virtual DLP to BYOD solutions based on desktop and application virtualization is universal and works for all types of BYOD devices. These can include mobile platforms, such as iOS, Android and Windows RT, thin terminal clients with Windows CE, Windows XP Embedded or Linux, as well as any computers that run OS X, Linux or Windows. Organizations standardized on any virtualization platform for their BYOD strategies will benefit greatly from deploying the DeviceLock Endpoint DLP Suite, since it is the most effective, straight-forward and affordable way of implementing comprehensive endpoint DLP services for any type of BYOD devices.

40. What’s New
DEVICELOCK DLP 8.2

41. Main New Features in Version 8.2
Contextual & content-aware controls for Skype for Web, Skype Meetings App/Skype for Business Web App, Skype for Business in Outlook Web Client (OWA 365)
Separate for outgoing messages and files
Browser independent (for web-based versions)
Contextual & content-aware controls for Viber
Content inspection of files transferred from VDI/desktop/app sessions to mapped drives on remote BYOD/terminals
Virtual DLP for Microsoft RDS, VMware Horizon View, Citrix XenDesktop/XenApp
Separate content-aware policies for every local sender & remote recipient combination in user communications
addresses – IBM Notes, MS Outlook (MAPI), SMTP, Webmails
IM identifiers – ICQ/AOL Messenger, IRC, Jabber, Mail.ru Agent, Viber, Yahoo Messenger, Skype & all Skype for Web variants
Contextual controls for Telegram Desktop and Telegram Web
Tor Browser traffic blocking regardless of its obfuscation methods
SYSLOG support for centralized log collection and alerting
Assigning different log servers for collecting logs from particular user accounts or groups
Scheduled indexing and searching by DLSS in the central shadow/audit log database
DeviceLock Agent for Mac supports macOS “Sierra”
Relations Chart – interactive log-based HTML report for easy analysis of user relationships based on their communications inside and outside of the organization
This slide summarizes main new features added in DeviceLock DLP version 8.2. In order to see the full list of new capabilities and improvements please visit the DeviceLock website.

42. Relations Chart – Interactive Reporting & Analysis Tool
With the interactive Relations Chart report generated from log data over user communications, DeviceLock administrators can conveniently review and easily analyze relationships between users within the organization and with their external contacts.
This HTML-based report, which can be viewed in a web browser or in the DeviceLock Management Console, shows user connections for the following applications and protocols: ICQ/AOL Messenger, Jabber, Mail.ru Agent, Skype, Skype for Web, Windows Messenger, Yahoo Messenger, MAPI, IBM Notes, SMTP, Webmails, and Social Networks.
Information on user relationships is presented in the form of a node-link graph with nodes representing domains and users, and links representing communications between them. The graph is zoomable in and out, as well as each of its nodes can be repositioned for the most convenient and informative viewing.
Information displayed for each node can be incrementally expanded in order to show various types and amounts of logged data – including all or part of users belonging to domain nodes, as well as internal and external communications for user nodes.
To ease the task of information mining, the graph supports “visual filtering” by allowing to highlight an individual node with all its connections or a single connection between two nodes while graying out the rest of connections in the graph.
In the “highlight” mode, hovering the cursor over a user node generates a callout bubble with the list of identities used for communications linked to the computers hosting these identities.
If the cursor is placed over a highlighted link, the callout bubble shows a table with statistical data on logged communications between the nodes including channels used (e.g. SMTP, MAPI, Skype), directions, total size of data transferred, and the number of messages sent or sessions opened in each direction.
The graphical format of the report and its interactive visual filtering mechanisms make the tasks of log viewing and analysis by far more convenient and less laborious.

43. Typical Endpoint DLP Scenarios
DEVICELOCK DLP 8.2

44. Saving Documents to Removable Storage
Permissions per user, user group, computer, computer group, OU
Control at the device type level AND/OR port level (USB)
Whitelist as USB device, temporary whitelist
Transfer direction: read-only, write
Format and eject permissions
Plain or encrypted storage: e.g. by BitLocker To Go
Time-based policy: hour-based weekly schedule
Allowed file types
Also types of embedded images and other objects (e.g. excel in word)
Specified file and document properties
Name, size, password-protected, author, accessing process …
Textual content inspection
Char-based data
OCR in embedded images and graphical files
Log, shadow-copy, alert on policy events
Save File Overwrite
DeviceLock
Agent

45. Clipboard Ops & Screenshot Capturing
Permissions per user, user group, computer, computer group, OU
Inter-app controls only or intra-app transfers also controlled
Time-based policy: hour-based weekly schedule
Clipboard
What types of data allowed to copy (files, text, image, audio, unidentified)
For detected files and images: all file type/properties controls
For files, images, text and unidentified: textual content inspection
In char-based data
OCR in embedded images and graphical files
Screenshots
Separate controls for PrintScreen and 3rd party utilities
All file type/properties controls for captured images
OCR-based textual content inspection
Log, shadow-copy, alert on policy events
DeviceLock
Agent

46. Sending SMTP Emails Any SMTP client controlled
Permissions per user, user group, computer, computer group, OU
Time-based policy: hour-based weekly schedule
Both plain and SSL-protected s inspected and controlled
Receive-only mode
Sending s without/with attachments
Whitelisting based on SSL, IP, FQDN, sender and recipient addresses/domains
All file type/property-based controls applied to outgoing attachments
Textual content inspection
Outgoing s, attachments
OCR for inline images, attached graphical files and embedded images
Log, shadow-copy, alert on policy events
DeviceLock
Agent

47. Sending Webmails Web browser-independent controls
Selectively for Gmail, Yahoo!Mail, Hotmail/Outlook.com, AOL Mail, Outlook Web App/Access (OWA), Mail.ru, Yandex Mail, Rambler Mail, GMX.de, Web.de, T-Online.de, freenet.de
Permissions per user, user group, computer, computer group, OU
Time-based policy: hour-based weekly schedule
Both plain and SSL-protected webmails inspected and controlled
Receive-only mode
Sending webmails without/with attachments
Whitelisting based on webmail services, SSL, sender and recipient addresses/domains
All file type/property-based controls applied to outgoing attachments
Textual content inspection
Outgoing webmails, attachments
OCR for inline images, attached graphical files and embedded images
Log, shadow-copy, alert on policy events
DeviceLock
Agent

48. Using Skype, Skype for Web, Skype for Business
Permissions per user, user group, computer, computer group, OU
Time-based policy: hour-based weekly schedule
Receive-only mode for messages
Incoming/outgoing media calls
Send outgoing messages
Send outgoing files
Whitelisting based on sender and recipient Skype names
For chats, files and calls
All file type/property-based controls applied to outgoing files
Textual content inspection
Outgoing messages, files
OCR for graphical files and embedded images
Web browser-independent controls of Skype for Web
Log, shadow-copy (chats & files), alert on policy events
DeviceLock
Agent

49. Web Access to Cloud File Storage
Web browser-independent controls
Selectively for Dropbox, Google Drive, OneDrive, Amazon S3, iCloud, Box, Cloud Mail.ru, Rusfolder.com, Yandex.Disk, GMX.de, Web.de, MagentaCLOUD, freenet.de
Permissions per user, user group, computer, computer group, OU
Time-based policy: hour-based weekly schedule
Both plain and SSL-protected access inspected and controlled
Browse content/download-only mode
Sending comments (POST requests)
Uploading files
All file type/property-based controls for uploaded files
Textual content inspection
Outgoing webform data, files
OCR for graphical files and embedded images
Log, shadow-copy, alert on policy events
DeviceLock
Agent

50. Using Social Media Web browser-independent controls
Selectively for Google+, Facebook (+API), Twitter, LiveJournal, LinkedIn, Tumblr, LiveInternet, MySpace, Disqus, Vkontakte (+API), Odnoklassniki, XING.com, Studivz.de, Meinvz.de
Permissions per user, user group, computer, computer group, OU
Time-based policy: hour-based weekly schedule
Both plain and SSL-protected webmails inspected and controlled
View-only mode
Sending messages, comments, posts
Uploading files
All file type/property-based controls for uploaded files
Textual content inspection
Outgoing messages, comments, posts, files
OCR for graphical files and embedded images
Log, shadow-copy, alert on policy events
DeviceLock
Agent

51. Generic Web Access Controls for any web browser, any web application
Permissions per user, user group, computer, computer group, OU
Time-based policy: hour-based weekly schedule
Both plain and SSL-protected access inspected and controlled
Basic browse/download-only web access
Submitting webforms (POST requests)
Uploading files
Whitelisting based on SSL, IP, host names, URLs
All file type/property-based controls for uploaded files
Textual content inspection
Char-based data
OCR in embedded images and graphical files
Log, shadow-copy, alert on policy events
DeviceLock
Agent

52. Advantages & Value
DEVICELOCK DLP 8.2

53. Technical Differentiators (1)
The widest in industry set of endpoint contextual controls
Ports, physical/virtual/redirected devices, clipboard, network applications/protocols
Agent-resident Deep Packet Inspection (DPI)
Application/web browser-independent control of network communications via SMTP, HTTP(S), WebDAV, FTP(S), SMB, Telnet, Torrent P2P
Web-browser independent access to popular social networks & cloud file sharing services
Native policy management and agent administration from Active Directory
Group Policies from Microsoft GPMC
Agent for Mac computers
Managed from Active Directory
Integration with FileVault
Instant Messaging
Selective content filtering of outgoing messages and files
Additionally for Skype and web-based Skype clients: ID-based access control for media calls
Universal control of Torrent-based P2P file sharing
Ability to block TCP/UDP/HTTP communications of any torrent agents
Tor Browser traffic blocking regardless of its obfuscation methods
DeviceLock product benefits are based on its technical differentiators – those DeviceLock capabilities not supported by other DLP products at all or implemented with substantial deficiencies [in comparison with DeviceLock].
- First of all, DeviceLock Agent enforces the widest in the industry set of endpoint contextual controls over local ports, peripheral, virtual and redirected devices, the Windows clipboard, as well as [data] leak-prone network applications and protocols. Technically, “the widest” means more local channels and network communications controlled, as well as more control parameters and their configurable options (for example, data operation types and network whitelisting parameters).
- In addition, DeviceLock Agent is the only endpoint DLP agent on the market with built-in Deep Packet Inspection (DPI) engine, which provides for universal, application and web browser-independent control of user communications via most risky network protocols and applications [including SMTP, HTTP/HTTPS, WebDAV, FTP(S), Telnet, as well as Torrent-based P2P file sharing].
- DeviceLock DLP can be deployed and fully managed via Group Policies from an Active Directory installation – without any separate DLP management server. In fact, DeviceLock uses Active Directory as its DLP management platform.
- Going beyond DLP for Windows computers, DeviceLock has developed its endpoint agent for Mac computers, which supports essential port and device control capabilities while being conveniently managed via Group Policies from Microsoft Active Directory – in the same uniform way with DeviceLock Agents for Windows. In addition, DeviceLock Agent for Mac integrates with the Apple’s FileVault encryption feature in order to allow users copying data to a removable storage only if it is encrypted by FileVault.
- For most of the Instant Messaging applications controlled by DeviceLock, it can inspect and filter the content of not only outgoing files but also chat messages. An indicative example of such a messenger is Skype desktop and all web-based Skype clients [including those used in Skype for Business]. In addition, DeviceLock can control user permissions to make and receive Skype media calls depending on their identities.
- Another unique DeviceLock feature is its universal control of Torrent-based file sharing communications for any torrent agents.
- DeviceLock can also completely block Tor Browser communications – regardless of which obfuscation methods are used to hide the TOR traffic.

54. Technical Differentiators (2)
Agent-resident Optical Character Recognition (OCR)
Prevents leakage of textual data in images to removable storage, via local printing and from roaming/offline computers
Facilitates full-text search in images in shadow log database
Universal content filtering for document printing
Printer/application-independent, shadowing in searchable PDF
Printing control of “non-saved-in-file” documents
Comprehensive logging & shadowing
Centralized, automatic, scalable, content-aware, with built-in full-text searching
Tamper-proof endpoint agent
Including protection from local system administrators
DeviceLock Virtual DLP
Content-aware endpoint DLP for BYOD solutions based on remote virtualization
Microsoft RDS, Citrix XenDesktop/XenApp, VMware View
- Major advantages of agent-resident DeviceLock Optical Character Recognition (OCR) in comparison with server-based OCR solutions (for instance, offered in Websense DLP) include its ability to prevent leakage of sensitive data in images via local data channels on the endpoint, as well as from computers used outside of the corporate network.
- With DeviceLock, data leaks via the printing channel are prevented by a printer- and application-independent content filtering technology that also enables for all shadow copies of printed documents to be stored as searchable PDF files – regardless of their original formats. Another capability not supported in competitive DLP products is that DeviceLock can control the content of printed documents even before they have been saved as files in the file system.
- In comparison with competitors, the DeviceLock solution has more comprehensive and scalable logging subsystem with automatic log collection to the central database, content-aware data shadowing and built-in full-text searching.
- The tamper-proof DeviceLock Agent protects itself not only from malicious actions of end users but also from local system administrators – a unique feature not available in competitive endpoint DLP agents.
- In addition to all above, the DeviceLock Virtual DLP feature delivers content-aware endpoint DLP for BYOD solutions based on remote virtualization platforms, such as Microsoft RDS, Citrix XenDesktop and VMware View. Citrix and VMware have certified DeviceLock DLP as Citrix® Ready and VMware® Ready respectively.

55. Business Advantages & Value
Better protection from insider data leakage
More endpoint data channels and communications controlled → leakage scenarios blocked
Higher quality preventive DLP controls
Simple and scalable from SMB to large enterprises
Active Directory as DLP management platform
Cost-saving: easy to learn/deploy/maintain
Managed natively via Group Policies from GPMC
Superior customer investment protection
Modular functional licensing & incremental upgrades
Basic device control → content-aware endpoint DLP
No re-installation, no infrastructure changes
Time-proven and trusted
20 years on the international market
Customers from sensitive industries, defense and governments in 100+ countries
By preventing endpoint data leaks DeviceLock DLP helps organizations
minimize insider-related information security risks and achieve compliance with corporate data use policies, IT security standards and state regulations
DeviceLock technical differentiators complemented by functional incremental licensing, easy learning, deployment and maintenance, unique scalability as well as the worldwide trust in the product altogether define its business advantages over the competition:
- With more endpoint data channels and communications protected at contextual and content levels, more leakage scenarios blocked and a higher control quality, DeviceLock Agent has better preventive DLP controls than its rivals.
- With DeviceLock DLP, there is no need to use a separate management platform – because DeviceLock Agents can be centrally deployed and fully managed natively via Group Policies from the corporate Active Directory. As a result, the solution scales from SMB to large enterprises. To put it simple, DeviceLock DLP is as scalable as Active Directory.
- At the same time, due to its full administrative interface integration with Microsoft GPMC, which is familiar to every system and security administrator, DeviceLock is much easier to learn, deploy and maintain than any other DLP solution.
- Yet any customer investments in DeviceLock products are fully protected, because DeviceLock DLP supports incremental functional upgrades from the basic device control option up to its full content-aware DLP Suite. Important is that the upgrade does not require DeviceLock re-installation and neither system nor network modifications have to be made in the customer’s IT infrastructure.
- And, finally, with its 20-year history on the international market and customers form sensitive industries, defense and government in 100+ countries, DeviceLock is a time-proven and trusted infosecurity product.
What is the value of DeviceLock DLP to its users? By preventing endpoint data leaks it helps organizations minimize insider-related information security risks and achieve compliance with corporate data use policies, IT security standards and state regulations.

56. THANK YOU!