Monday, April 26, 2010

New tool makes end users responsible for data loss prevention

IT Best Practices Alert By Linda Musthaler

Check Point just entered the market with its first data-loss prevention product, and the approach that Check Point took with this solution is quite different from other DLP products. If you are an overworked IT professional or security specialist, you are going to like how Check Point DLP works. That's because this product takes the burden off IT and puts the onus on end users to get involved in protecting sensitive data.

Like every other DLP product, Check Point DLP uses a set of rules and policies to determine what information should not be allowed to go outside the company or even outside a specific workgroup. But unlike other products, Check Point sends the alert for a rule or policy violation to the worker who triggered it with his inappropriate actions. This user-based approach makes the individual more aware of what he is doing and teaches him to be a better steward of the organization's important information. And, it relieves the IT department from having to view the content in question and make a decision about whether it's OK to send it.

When a worker violates a data-handling rule, he gets a pop-up on his screen that prompts him with several options: continue to send the data, discard the inappropriate activity (i.e., don't send), or review the action to make sure he really wants to send this data. When the worker clicks on one of these choices, Check Point DLP immediately remediates the situation as directed.

Over time, both the worker and the system learn what is and isn't appropriate to send via e-mail or file transfer, copy to a removable medium, and so on. The worker comes to understand company policies and observes them by not performing an activity that is going to trigger an alert. Eventually the number of alerts decreases as the worker becomes more efficient in his job as well as more observant of company policies.

What happens if a worker deliberately violates a policy and remediates the alert by sending the data anyway? Or if, in a rushed moment, he mindlessly clicks "send" instead of "discard"? Yes, these are possibilities. However, every alert is logged so that company authorities can go back and review what actions took place. This audit trail will show if a particular worker is a repeat offender when it comes to data policies.

The system also has self-learning capabilities that can be turned on if you choose. You create rules to tell the system not to prompt with alerts on the same things over and over. For example, perhaps there is a document with sensitive information that needs to be shared with an outside party every month. Ordinarily Check Point DLP would question the action, but you can tell it to ignore this document. In a future release of the software, you'll be able to create granular "learning" rules based on specific users in your directory system.

The heart of this product is the DLP MultiSpect Correlation Engine. This engine allows you to correlate more types of information in a single rule so you get more granularity. The MultiSpect engine draws from more than 600 file formats out of the box; more than 250 pre-defined data types; internal and proprietary templates and forms; several hundred pre-defined policies; and of course, your own custom rules and policies. This engine helps to reduce false positives and deliver better accuracy in the alerts.

If you use a Check Point management dashboard now for other Check Point security products, the DLP product just becomes another tab on the dashboard. This lowers the learning curve for managing the DLP service.

There are several deployment options. Check Point DLP can be installed: as a software blade on any Check Point Power-1 or UTM-1 gateway; on any open server from HP, Dell or other vendors; or as a dedicated appliance. All configurations can be deployed in-line for prevention mode. Check Point has a product that it believes will get companies up and running quickly and into prevention mode in very little time.
