
Report on the use of DLP systems. Data Loss Prevention technologies prevent leaks of confidential information from the information system

The rapid development of information technology drives the global informatization of modern companies and enterprises. Every day the volume of information transmitted through the corporate networks of large corporations and small companies alike grows rapidly. There is no doubt that as information flows increase, so do the threats that can lead to the loss, distortion or theft of important information. It turns out that information is lost far more easily than any material thing: nobody has to take deliberate steps to obtain the data; careless handling of information systems or an inexperienced user is sometimes enough.

The natural question is how to protect yourself and eliminate the factors that cause the loss and leakage of important information. This task is quite realistic to solve, and to solve at a professional level; special DLP systems exist for this purpose.

Definition of DLP Systems

DLP is a system for preventing data leaks in an information environment. It is a specialized tool with which the administrators of a corporate network can track and block attempts at unauthorized information transfer. Besides preventing illegal disclosure of information, such a system also lets you track the actions of all network users related to social networks, chat rooms, e-mail and so on. The main goal of DLP-based prevention of confidential information leaks is to support and enforce all the requirements of the confidentiality and information policies that exist in a particular organization, company or enterprise.

Application area

DLP systems are most relevant in practice for organizations where a leak of confidential data may entail large financial losses, a serious blow to reputation, and the loss of the customer base and personal data. Such systems are a must for companies and organizations that place high demands on the "information hygiene" of their employees.

A DLP system is the best tool for protecting data such as customers' bank card numbers and bank accounts, tender conditions, and orders for work and services; the economic benefit of such a security solution is quite obvious.

Types of DLP systems

The means used to prevent information leaks can be divided into several key categories:

  1. standard security tools;
  2. intelligent data protection measures;
  3. data encryption and access control;
  4. specialized DLP security systems.

The standard security set that every company should use includes antivirus software, built-in firewalls and intrusion detection systems.

Intelligent information security tools use special services and modern algorithms that detect unauthorized access to data, improper use of electronic correspondence, and so on. Such tools also analyze requests to the information system that come from outside, from various programs and services that may act as a kind of spyware. Intelligent protection makes it possible to check the information system more deeply and in more detail for possible leak paths.

Encrypting important information and restricting access to specific data is another effective step toward minimizing the likelihood of losing confidential information.

A specialized DLP system is a complex, multifunctional tool that can identify and prevent unauthorized copying and transmission of important information outside the corporate environment. These solutions detect access to information by persons who lack permission, as well as misuse of access by those who have it.

Specialized systems use tools such as:

  • exact data matching;
  • various statistical analysis methods;
  • keyword and code-phrase methods;
  • structured fingerprinting, etc.

Comparison of these systems by functionality

Consider a comparison of two kinds of DLP system: Network DLP and Endpoint DLP.

Network DLP is a hardware- or software-based solution deployed at the points of the network structure that lie near the "perimeter" of the information environment. It thoroughly analyzes the confidential information that someone tries to send beyond the corporate environment in violation of the established information security rules.

Endpoint DLP consists of systems that run on end-user workstations and, in small organizations, on servers. Because it sits at the endpoint, it can be used to control both the inside and the outside of the "perimeter". It analyzes the traffic through which data is exchanged between individual users and user groups. This type of DLP focuses on a comprehensive check of the data exchange process, including e-mail messages, communication in social networks and other information activity.

Do enterprises need to implement these systems?

The implementation of a DLP system is mandatory for any company that values its information and tries to do everything possible to prevent its leakage and loss. Such security tools allow a company to prevent the dissemination of important data outside the corporate information environment through all available data exchange channels. Having installed a DLP system, a company can control:

  • sending messages using corporate web mail;
  • the use of FTP connections;
  • local connections over wireless technologies such as Wi-Fi, Bluetooth and GPRS;
  • exchange of instant messages using clients such as MSN, ICQ, AOL, etc.;
  • the use of external drives: USB, SSD, CD/DVD, etc.;
  • documents sent to print on corporate printing devices.

Unlike a company relying on standard security solutions, a company that has deployed the SecureTower DLP system or a similar product is able to:

  • control all channels through which important information is exchanged;
  • identify the transfer of confidential information regardless of how it is transmitted and in what format it leaves the corporate network;
  • block an information leak at any moment;
  • automate data processing in accordance with the security policy adopted at the enterprise.

Using a DLP system helps an enterprise develop efficiently and keep its production secrets away from competitors and ill-wishers.

How does implementation proceed?

To deploy a DLP system at an enterprise in 2017, several stages must be passed, after which the enterprise obtains effective protection of its information environment from external and internal threats.

At the first stage of implementation the enterprise's information environment is surveyed, which includes the following actions:

  • study of the organizational and administrative documentation that regulates information policy at the enterprise;
  • study of the information resources used by the enterprise and its employees;
  • agreement on the list of information that falls into the category of restricted-access data;
  • survey of the existing methods and channels of data transmission and reception.

Based on the results of the survey, a technical specification is drawn up describing the security policies that will need to be implemented with the DLP system.

At the next stage the legal side of using a DLP system at the enterprise must be settled. It is important to resolve all the fine points so that later there are no lawsuits from staff over the company monitoring them.

Having completed all legal formalities, you can proceed to choosing the information security product: this may be, for example, the InfoWatch DLP system or any other product of this kind.

After a suitable system has been chosen, you can proceed with its installation and configuration for production use. The system should be configured so that all the security tasks defined in the technical specification are met.

Conclusion

The introduction of a DLP system is a rather complicated and painstaking activity that requires a lot of time and resources. But it is not worth stopping halfway: it is important to complete all the steps to obtain a highly efficient, multifunctional system for protecting confidential information. After all, data loss can turn into enormous damage to an enterprise or company, both financially and in terms of its image and reputation among consumers.

Even the most fashionable IT terms need to be used appropriately and correctly, if only so as not to mislead customers. Manufacturers of DLP solutions certainly have not managed this. For example, at the recent CeBIT 2008 exhibition the sign "DLP solution" could often be seen on the stands not only of well-known antivirus products and proxy servers, but even of firewalls. At times it felt as though in the next corner one would find a CD ejector (a program that opens the CD drive) under the proud slogan "corporate DLP solution". And, strangely enough, each of these manufacturers as a rule had a more or less logical explanation for positioning its product this way (apart, naturally, from the desire to profit from a fashionable term).

Before considering the market of DLP manufacturers and its main players, we should state what we mean by a DLP system. There have been many attempts to define this class of information systems: ILD&P, Information Leakage Detection & Prevention (the term was proposed by IDC in 2007); ILP, Information Leakage Protection (Forrester, 2006); ALS, Anti-Leakage Software (E&Y); Content Monitoring and Filtering (CMF, Gartner); Extrusion Prevention System (by analogy with Intrusion Prevention System).

But the commonly used term became DLP, Data Loss Prevention (or Data Leak Prevention), proposed in 2005; as the Russian equivalent (not so much a translation as an analogous term) the phrase "system for protecting confidential data from internal threats" was adopted. Internal threats here mean abuse, intentional or accidental, of their powers by employees of the organization who have legitimate rights of access to the relevant data.

The most coherent and consistent criteria for membership in the class of DLP systems were put forward by the analyst firm Forrester Research in its annual study of this market. It proposed four criteria by which a system can be assigned to the DLP class.

  1. Multichannel. The system must be able to monitor several possible data leakage channels. In a network environment this is at least e-mail, web and IM (instant messengers), and not just scanning of mail traffic or database activity. On the workstation it is monitoring of file operations and of the clipboard, as well as control of e-mail, web and IM.
  2. Unified management. The system must have unified management of information security policies, analysis and event reporting across all monitored channels.
  3. Active protection. The system must not only detect violations of the security policy but, when necessary, enforce compliance, for example by blocking suspicious messages.
  4. Consideration of both content and context (the criterion shown in the last column of Table 2 below).

Based on these criteria, Forrester selected 12 software vendors for review and evaluation in 2008 (listed below in alphabetical order; in brackets is the name of the company acquired by the vendor in order to enter the DLP market):

  1. Code Green;
  2. InfoWatch;
  3. McAfee (Onigma);
  4. Orchestria;
  5. Reconnex;
  6. RSA / EMC (Tablus);
  7. Symantec (VONTU);
  8. Trend Micro (Provilla);
  9. Verdasys;
  10. Vericept;
  11. WebSense (PortAuthority);
  12. Workshare.

Of the 12 vendors listed above, to date only InfoWatch and WebSense are represented on the Russian market. The rest either do not operate in Russia at all or have only announced their intention to begin selling DLP solutions there (Trend Micro).

When considering the functionality of DLP systems, analysts (Forrester, Gartner, IDC) introduce a categorization of protected objects, that is, the types of information objects to be monitored. Such a categorization gives a first approximation of a system's scope of application. Three categories of monitored objects are distinguished:

  1. Data-in-Motion: e-mail messages, instant messengers, peer-to-peer networks, file transfer, web traffic and other types of messages that can be transmitted over communication channels.
  2. Data-at-Rest: information on workstations, laptops, file servers, specialized storage systems, USB devices and other types of storage media.
  3. Data-in-Use: information being processed at the moment.

Currently about two dozen domestic and foreign products with some properties of DLP systems are represented on our market. Brief information about them in the spirit of the above classification is given in Tables 1 and 2. Table 1 also includes the parameter "Centralized data storage and audit", which means the ability to save data from all monitored channels in a single repository for further analysis and audit. This functionality has recently acquired special significance, not only because of the requirements of various legislation but also because of customer demand (in the experience of implemented projects). All information in these tables is taken from open sources and the marketing materials of the respective companies.

Based on the data in Tables 1 and 2, it can be concluded that today only three DLP systems are represented in Russia (from InfoWatch, Perimetrix and WebSense). To them can be added the newly announced integrated product from Jet Infosystems (SKVT + SMAP), since it will cover multiple channels and have unified security policy management.

It is quite difficult to talk about the market shares of these products in Russia, since most of the manufacturers mentioned do not disclose sales, the number of customers or the number of protected workstations, limiting themselves to marketing information. It can only be said that the main suppliers at the moment are:

  • the Dozor-Jet systems, on the market since 2001;
  • InfoWatch products, sold since 2004;
  • WebSense CPS (on sale in Russia and worldwide since 2007);
  • Perimetrix (a young company; the first version of its products is announced on its website at the end of 2008).

In conclusion, I would add that belonging or not belonging to the class of DLP systems does not make products worse or better; it is merely a question of classification and nothing more.

Table 1. Products present on the Russian market that possess certain properties of DLP systems

Company                        | Product                    | Data-in-Motion protection | Data-in-Use protection | Data-at-Rest protection | Centralized storage and audit
InfoWatch                      | IW Traffic Monitor         | Yes | Yes | No  | Yes
InfoWatch                      | IW CryptoStorage           | No  | No  | Yes | No
Perimetrix                     | SafeSpace                  | Yes | Yes | Yes | Yes
Jet Infosystems                | Dozor-Jet (SKVT)           | Yes | No  | No  | Yes
Jet Infosystems                | Dozor-Jet (SMAP)           | Yes | No  | No  | Yes
Smart Line Inc                 | DeviceLock                 | No  | Yes | No  | Yes
SecurIT                        | Zlock                      | No  | Yes | No  | No
Smart Protection Labs Software | SecrecyKeeper              | No  | Yes | No  | No
SpectorSoft                    | Spector 360                | Yes | No  | No  | No
Lumension Security             | Sanctuary Device Control   | No  | Yes | No  | No
WebSense                       | WebSense Content Protection | Yes | Yes | Yes | No
Informzashchita                | Security Studio            | No  | Yes | Yes | No
Primetek                       | Insider                    | No  | Yes | No  | No
AtomPark Software              | StaffCop                   | No  | Yes | No  | No
SoftInform                     | SearchInform Server        | Yes | Yes | No  | No

Table 2. Compliance of the products present on the Russian market with the criteria for membership in the class of DLP systems

Company                        | Product                    | Multichannel | Unified management | Active protection | Content and context
InfoWatch                      | IW Traffic Monitor         | Yes | Yes | Yes | Yes
Perimetrix                     | SafeSpace                  | Yes | Yes | Yes | Yes
Jet Infosystems                | Dozor-Jet (SKVT)           | No  | No  | Yes | Yes
Jet Infosystems                | Dozor-Jet (SMAP)           | No  | No  | Yes | Yes
Smart Line Inc                 | DeviceLock                 | No  | No  | No  | No
SecurIT                        | Zlock                      | No  | No  | No  | No
Smart Protection Labs Software | SecrecyKeeper              | Yes | Yes | Yes | No
SpectorSoft                    | Spector 360                | Yes | Yes | Yes | No
Lumension Security             | Sanctuary Device Control   | No  | No  | No  | No
WebSense                       | WebSense Content Protection | Yes | Yes | Yes | Yes
Informzashchita                | Security Studio            | Yes | Yes | Yes | No
Primetek                       | Insider                    | Yes | Yes | Yes | No
AtomPark Software              | StaffCop                   | Yes | Yes | Yes | No
SoftInform                     | SearchInform Server        | Yes | Yes | No  | No
InfoKanal                      | Infoperimeter              | Yes | Yes | No  | No

A DLP system is used when confidential data must be protected from internal threats. While information security specialists have largely mastered and apply tools for protection against external intruders, things are not so smooth with internal ones.

Using a DLP system within the information security structure assumes that the security specialist understands:

  • how company employees can arrange a leak of confidential data;
  • what information must be protected from breaches of confidentiality.

Such comprehensive knowledge helps the specialist better understand the principles of DLP technology and configure leak protection correctly.

A DLP system must be able to distinguish confidential information from non-confidential. If every piece of data in the organization's information system were analyzed, the load on IT resources and personnel would be excessive. DLP mostly works "in tandem" with a responsible specialist, who not only "teaches" the system to work correctly, adds new rules and removes obsolete ones, but also monitors current, blocked or suspicious events in the information system.

KIB SearchInform is configured with rules for responding to information security incidents. The system ships with 250 preinstalled policies that can be adjusted to the company's tasks.

The functionality of a DLP system is built around its "kernel", the software algorithm responsible for finding and categorizing the information that needs protection from leaks. The kernel of most DLP solutions relies on two technologies: linguistic analysis and statistical methods. Less common techniques can also be used in the kernel, such as labels (tags) or formal analysis methods.

The developers of leak-prevention systems complement their proprietary algorithm with system agents, incident-handling mechanisms, parsers, protocol analyzers, interceptors and other tools.

Early DLP systems were based on a single method in the kernel, either linguistic or statistical analysis. In practice the shortcomings of each technology were compensated by the strengths of the other, and the evolution of DLP led to systems that are universal in terms of the "kernel".

The linguistic analysis method works directly with the content of a file or document. This allows it to ignore parameters such as the file name, the presence or absence of a classification stamp in the document, and who created the document and when. Linguistic analysis technology includes:

  • morphological analysis: a search for all possible word forms of the information that needs protection from leaks;
  • semantic analysis: a search for occurrences of important (key) information in the file content, the effect of those occurrences on the qualitative characteristics of the file, and an assessment of the context of use.

Linguistic analysis performs well on large volumes of information. For a voluminous text, a DLP system with a linguistic analysis algorithm will more accurately select the correct class, assign the desired category and trigger the configured rule. For small documents it is better to use the stop-word method, which has proved effective in the fight against spam.

Trainability in systems with a linguistic analysis algorithm is implemented at a high level. Early DLP suites had difficulties with defining categories and other stages of "training", but modern systems have proper self-learning algorithms built in: identifying category features and the ability to generate and change response rules. Linguists no longer need to be involved in configuring such software data protection systems.

The shortcomings of linguistic analysis are its binding to a specific language (a DLP system with an "English" kernel cannot be used to analyze Russian-language information flows, and vice versa) and the difficulty of clear categorization with a probabilistic approach, which keeps the accuracy of response at around 95%, while a leak of any volume of confidential information may be critical.

Statistical methods of analysis, by contrast, demonstrate accuracy close to 100 percent. The shortcoming of a statistical kernel lies in the analysis algorithm itself.

At the first stage the document (text) is divided into fragments of an acceptable size (not too large, but large enough to ensure accurate triggering). A hash is taken of each fragment (in DLP systems the term "digital fingerprint" is used). The hash is then compared with the hashes of the reference fragments taken from the protected document. On a match, the system marks the document as confidential and acts according to the security policies.

The shortcoming of the statistical method is that the algorithm cannot learn independently, form categories or classify by type. As a result it depends on the competence of the specialist, and there is a risk of choosing a fragment size for hashing at which analysis yields an excessive number of false positives. This shortcoming is easy to eliminate by following the developer's recommendations for system setup.

Another drawback is also connected with the formation of hashes. In large IT systems that generate big volumes of data, the fingerprint base can grow so large that checking traffic for matches against the reference seriously slows down the operation of the entire information system.

The advantage of these solutions is that the effectiveness of statistical analysis does not depend on the language or on the presence of non-textual information in the document. A hash is taken equally well from an English phrase, from an image and from a video file.
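The fingerprinting procedure described above (split into fragments, hash each, compare against the reference hashes), written out as an added example; this is illustrative code, not code from SearchInform or any other vendor. It assumes word-level shingles of k consecutive words as the "fragment", SHA-256 truncated to 64 bits as the fingerprint, and a matched-share threshold of 0.3; the reference document and the two outgoing messages are constructed for the example. Running it with k=4 and then k=2 shows the fragment-size trade-off: the short fragment already flags two ordinary phrases in a benign message.

```python
import hashlib
import re

# Constructed sample texts for this example (not taken from any real document).
REFERENCE_DOC = ("Tender conditions for contract 2024. The maximum bid is 1250000 EUR. "
                 "Bids must be submitted before 15 March. Late submissions are rejected.")
OUTGOING_LEAK = "FYI the maximum bid is 1250000 EUR and bids must be submitted before 15 March."
OUTGOING_BENIGN = "The maximum speed of the new line is 120 units per hour. See you on 15 March."


def tokens(text):
    """Normalise to lower-case alphanumeric words so that case, punctuation and line
    breaks in a retyped fragment do not defeat the comparison."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprints(text, k):
    """Digital fingerprints of a text: SHA-256 of every run of k consecutive words.
    Truncating to 64 bits keeps the fingerprint base small; keep the full digest if the
    base is large enough for collisions to matter."""
    words = tokens(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def match_ratio(base, text, k):
    """Share of the outgoing text's fragments whose fingerprint is in the reference base."""
    probe = fingerprints(text, k)
    return len(probe & base) / len(probe) if probe else 0.0


def classify(base, text, k, threshold):
    """Verdict for an outgoing message: 'confidential' once the matched share reaches the
    threshold, otherwise 'allowed'. Returns the verdict and the ratio it was based on."""
    ratio = match_ratio(base, text, k)
    return ("confidential" if ratio >= threshold else "allowed", ratio)


if __name__ == "__main__":
    for k in (4, 2):
        base = fingerprints(REFERENCE_DOC, k)
        print(f"k={k}: fingerprint base holds {len(base)} entries")
        for label, msg in (("leak", OUTGOING_LEAK), ("benign", OUTGOING_BENIGN)):
            print(f"  {label:6s} -> {classify(base, msg, k, 0.3)}")
```

With k=4 the leaked message matches 7 of its 12 fragments and the benign one matches none; with k=2 the benign message already matches 2 of 16 ("the maximum", "15 march"), which is exactly the false-positive risk of too small a fragment that the text warns about. The base size (19 entries at k=4 for a 22-word document) grows linearly with the protected corpus, which is the performance concern raised above.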

Neither linguistic nor statistical methods are suitable for detecting data of a specific format in arbitrary documents, such as account numbers or passport numbers. To identify such information among an array of similar typical structures, formal structural analysis technologies are built into the DLP system kernel.
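An added example of the formal structural analysis just described; it is not code from any DLP vendor. It assumes two structures worth detecting, payment card numbers and IBANs, and shows the point a practitioner relies on: a regular expression alone produces false positives (a 16-digit ticket number looks like a card), so each candidate is confirmed by its checksum (Luhn mod 10 for cards, ISO 7064 mod 97 for IBANs). The sample messages are constructed; the card and IBAN values are test-style numbers, not real accounts.

```python
import re

# Constructed sample messages (not real data; the card and IBAN values are test-style numbers).
SAMPLES = [
    "Please charge card 4539 1488 0343 6467 for the invoice.",   # valid Luhn -> a card
    "Order ref 4539 1488 0343 6468 shipped yesterday.",           # last digit off -> not a card
    "Ticket 1234567890123456 was escalated.",                     # 16 digits, fails Luhn
    "Account IBAN DE89 3704 0044 0532 0130 00 for the refund.",   # valid mod-97 IBAN
]

# Stage 1, structure: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Country code, two check digits, then groups of four (ISO 13616 print layout).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


def luhn_ok(digits):
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban):
    """ISO 7064 mod-97 check: move the first four characters to the end, map letters to
    numbers (A=10 ... Z=35); the resulting integer must leave remainder 1."""
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def find_structured_data(text):
    """Stage 2, validation: keep only regex candidates that also pass their checksum."""
    found = {"card": [], "iban": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found["card"].append(digits)
    for m in IBAN_RE.finditer(text):
        compact = m.group().replace(" ", "")
        if iban_ok(compact):
            found["iban"].append(compact)
    return found


def raw_card_candidates(text):
    """How many spans the card pattern alone would flag, before the Luhn check."""
    return len(CARD_RE.findall(text))


if __name__ == "__main__":
    for s in SAMPLES:
        print(raw_card_candidates(s), find_structured_data(s), "<-", s)
```

On the four samples the card pattern alone flags four spans (including the digit run inside the IBAN), while the checksum stage keeps exactly one card and one IBAN. In a real kernel this validator would sit beside the linguistic and fingerprint engines described above, since a checksum says nothing about whether the number is confidential in context.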

In a high-quality DLP solution all of these analysis methods are used together, consistently complementing each other.

It is possible to determine which technologies are present in the kernel of a particular product.

No less important than the kernel's functionality are the control levels at which a DLP system operates. There are two: the network level and the host level.

Developers of modern DLP products have abandoned implementing the levels separately, since both end devices and the network need protection from leaks.

Network-level control should provide the widest possible coverage of network protocols and services. This concerns not only "traditional" channels (such as FTP) but also newer means of network exchange (instant messengers and others). Unfortunately, encrypted traffic cannot be controlled at the network level; DLP systems solve this problem at the host level.

Host-level control allows more monitoring and analysis tasks to be solved. In effect, the security service receives a complete tool for controlling user actions on the workstation. A DLP with host architecture makes it possible to track which documents are handled and what is typed on the keyboard, to record audio, and more. At the endpoint level encrypted traffic is intercepted, and both the data currently being processed and the data stored long-term on the user's PC are open for inspection.

In addition to the usual tasks, DLP systems with host-level control provide further information security measures: control of software installation and changes, blocking of I/O ports, etc.

The downside of host implementation is that systems with an extensive feature set are harder to administer and more demanding on the workstation's own resources. The management server regularly polls the "agent" module on the end device to check its availability and that its settings are current. Moreover, part of the workstation's resources will inevitably be "eaten" by the DLP module. Therefore, when choosing a leak prevention solution it is important to pay attention to hardware requirements.

The principle of separating technologies in DLP systems is a thing of the past. Modern leak-prevention software combines methods that compensate for each other's shortcomings. Thanks to the integrated approach, confidential data within the security perimeter becomes more resistant to threats.

The term DLP is usually expanded as Data Loss Prevention or Data Leakage Prevention. Accordingly, DLP systems are software or hardware-software products that solve the problem of preventing data leaks.

Counteracting leaks of information through technical channels can be divided into two tasks: combating the external threat and combating the internal intruder.

Valuable corporate data that your organization is trying to protect with firewalls and passwords literally slips through the fingers of insiders. This happens both accidentally and as a result of deliberate actions: illegal copying of information from work computers to flash drives, smartphones, tablets and other storage media. In addition, data may leave uncontrolled via insiders through e-mail, instant messaging services, web forms, forums and social networks. Wireless interfaces, Wi-Fi and Bluetooth, together with the channels for local data synchronization with mobile devices, open additional paths for information leaks from the organization's user computers.

Besides insider threats, another dangerous leak scenario is realized when computers are infected with malware that can record text typed on the keyboard or certain kinds of data held in the computer's RAM, and subsequently transfer them to the Internet.

How does the DLP system prevent information leaks?

While none of the above vulnerabilities are closed by traditional network security mechanisms or by the built-in OS controls, the DeviceLock DLP software suite effectively prevents information leaks from corporate computers using a complete set of contextual control mechanisms for data operations, together with content filtering technology.

Support for virtual and terminal environments in DeviceLock DLP significantly expands the capabilities of information security services in preventing information leaks when using various workspace virtualization solutions, whether local virtual machines or terminal sessions of desktops or applications published on hypervisors.

Contextual control and content filtering in the DLP system

An effective approach to protection against information leaks from computers begins with contextual control mechanisms: controlling data operations for specific users depending on data formats, interface and device types, network protocols, transfer direction, time of day, etc.

However, in many cases a deeper level of control is required: for example, checking the content of transmitted data for confidential information when the transmission channels must not be blocked so as not to disrupt business processes, but individual users fall into a "risk group" because they are suspected of involvement in corporate policy violations. In such situations, in addition to contextual control, content analysis technologies must be used to detect and prevent the transfer of unauthorized data without hindering the information exchange required by employees' duties.

The DeviceLock DLP software suite uses both contextual and content analysis methods, providing reliable protection from information leaks from user computers and corporate information system servers. DeviceLock DLP's contextual mechanisms implement granular control of user access to a wide range of peripheral devices and I/O channels, including network communications.

A further improvement in the level of protection is achieved by applying content analysis and data filtering methods, which make it possible to prevent unauthorized copying of data to external drives and plug-and-play devices, as well as its transmission over network protocols beyond the corporate network.
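The context-first, content-second evaluation described in the last three paragraphs, as an added example; it is not DeviceLock code and does not reproduce its policy format. It assumes a small ordered rule set (first match wins) keyed on group, channel, direction, file type and time of day, with an "inspect" action that hands only the selected risk-group users to a content check; the content check is a hypothetical keyword stand-in for a real analysis core, and all events are constructed.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Event:
    """One data-transfer attempt as an endpoint agent would see it (constructed for the example)."""
    user: str
    groups: frozenset
    channel: str        # "usb", "smtp", "https", "print", ...
    direction: str      # "out" = leaving the workstation, "in" = arriving
    file_type: str      # "xlsx", "pdf", "exe", ...
    at: time
    content: str = ""


@dataclass(frozen=True)
class Rule:
    """Contextual rule. Empty selectors match everything; rules are tried in order."""
    name: str
    action: str                         # "allow", "block" or "inspect" (run content analysis)
    groups: frozenset = frozenset()
    channels: frozenset = frozenset()
    directions: frozenset = frozenset()
    file_types: frozenset = frozenset()
    window: tuple = None                # (start, end); end before start means it spans midnight

    def in_window(self, t):
        if self.window is None:
            return True
        start, end = self.window
        return start <= t < end if start <= end else (t >= start or t < end)

    def matches(self, ev):
        return (bool(not self.groups or self.groups & ev.groups)
                and (not self.channels or ev.channel in self.channels)
                and (not self.directions or ev.direction in self.directions)
                and (not self.file_types or ev.file_type in self.file_types)
                and self.in_window(ev.at))


RULES = [
    Rule("admins-usb", "allow", groups=frozenset({"it-admins"}), channels=frozenset({"usb"})),
    Rule("no-usb", "block", channels=frozenset({"usb"}), directions=frozenset({"out"})),
    Rule("no-exe-by-mail", "block", channels=frozenset({"smtp"}), file_types=frozenset({"exe"})),
    Rule("after-hours-web", "block", channels=frozenset({"https"}), directions=frozenset({"out"}),
         window=(time(20, 0), time(7, 0))),
    Rule("inspect-risk-group", "inspect", groups=frozenset({"risk-group"}),
         channels=frozenset({"smtp", "https"}), directions=frozenset({"out"})),
]

# Hypothetical stand-in for the content-analysis core; a keyword list is enough to show the hand-off.
CONFIDENTIAL_TERMS = ("tender conditions", "bank account", "customer card")


def content_is_confidential(text):
    lowered = text.lower()
    return any(term in lowered for term in CONFIDENTIAL_TERMS)


def decide(ev, rules=RULES):
    """Return (verdict, rule name). Context is evaluated first; only an 'inspect' rule runs
    the more expensive content check, and only for the users that rule selects."""
    for rule in rules:
        if rule.matches(ev):
            if rule.action == "inspect":
                return ("block" if content_is_confidential(ev.content) else "allow", rule.name)
            return (rule.action, rule.name)
    return ("allow", "default")


def make_event(user, groups, channel, direction, file_type, hour, minute=0, content=""):
    """Convenience constructor so callers do not need datetime.time directly."""
    return Event(user, frozenset(groups), channel, direction, file_type, time(hour, minute), content)


if __name__ == "__main__":
    print(decide(make_event("anna", {"finance"}, "usb", "out", "xlsx", 10)))
    print(decide(make_event("carl", {"sales", "risk-group"}, "smtp", "out", "pdf", 11,
                            content="see attached tender conditions")))
```

Note the deliberate gap the scenario in the text implies: a user outside the risk group who mails the same confidential text is allowed by the default rule, because content analysis is only wired to the "inspect" rule. To cover everyone, add an "inspect" rule without the group selector and accept the extra processing on every outbound message.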

How to administer and manage a DLP system?

Along with active control methods, the effectiveness of DeviceLock DLP is ensured by detailed logging of user and administrator actions, as well as selective shadow copying of transmitted data for subsequent analysis, including with full-text search.

For information security administrators, DeviceLock DLP offers the most rational and convenient approach to managing the DLP system: via Microsoft Active Directory domain Group Policy objects, integrated into the Windows Group Policy Editor. DeviceLock DLP policies are then applied automatically as an integral part of the directory's group policies to all domain computers, including virtual environments. This allows the information security service to manage DLP policies across the organization centrally and promptly, and their enforcement by distributed DeviceLock agents ensures precise correspondence between users' business functions and their rights to transfer and store information on work computers.

Introduction

The review is intended for all the solutions interested in the DLP solutions and, first of all, for those who want to choose a DLP solution suitable for their company. The review examines the market for DLP systems in a wide understanding of this term, gives short description world market and more detailed - Russian segment.

The valuable data protection systems existed from the moment they appear. For centuries, these systems developed and evolved along with humanity. With the beginning of a computer era and the transition of civilization in the post-industrial era, the information gradually became the main value of states, organizations and even individuals. And computer systems have become the main tool for its storage and processing.

States have always defended their secrets, but states have their own means and methods that, as a rule, did not affect the formation of the market. In the post-industrial era, banks and other credit and financial organizations became frequent victims of computer leakage of valuable information. World banking system The first began to need to legislative protection of my information. The need to protect privacy was aware of medicine. As a result, for example, in the United States, Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX) were adopted, and the Basel Banking Committee issued a number of recommendations called "Basel Accords". Such steps gave a powerful impetus to the development of a computer information protection system. Following the growing demand, companies proposed the first DLP systems began to appear.

What is a DLP system?

The term DLP has several generally accepted expansions: Data Loss Prevention, Data Leak Prevention or Data Leakage Protection, which can be translated into Russian as "prevention of data loss", "prevention of data leakage" and "protection against data leakage". The term became widespread and established itself on the market around 2006. The first DLP systems arose somewhat earlier, precisely as a means of preventing leaks of valuable information. They were intended to detect and block the network transmission of information identified by keywords or expressions and by digital "fingerprints" of confidential documents created in advance.

Further development of DLP systems was driven by incidents, on the one hand, and by legislation, on the other. Gradually, the need for protection against various types of threats led companies to create integrated protection systems. Currently, mature DLP products, in addition to direct protection against data leakage, provide protection against internal and even external threats, accounting of employees' working time, and control of all their actions at workstations, including remote work.

At the same time, blocking the transmission of confidential data, the canonical function of DLP systems, is absent in some modern solutions that their developers attribute to this market. Such solutions are suitable exclusively for monitoring the corporate information environment, but as a result of this manipulation of terminology they have come to be called DLP and are included in this market in its broad sense.

Currently, the main interest of DLP developers has shifted towards breadth of coverage of potential leakage channels and the development of analytical tools for investigating and analyzing incidents. The latest DLP products intercept document viewing, printing and copying to external media, the launching of applications on workstations and the connection of external devices to them, and modern analysis of intercepted network traffic allows leaks to be detected even over some tunneling and encrypted protocols.

In addition to developing their own functionality, modern DLP systems provide ample opportunities for integration with various adjacent and even competing products. Examples include the widespread support for the ICAP protocol offered by proxy servers, and the integration of the DeviceSniffer module, part of the SearchInform Information Security Contour, with Lumension Device Control. Further development of DLP systems leads to their integration with IDS/IPS products, SIEM solutions, document management systems and workstation protection.

DLP systems are distinguished by the method of detecting data leakage:

  • in use (Data-in-Use), at the user's workstation;
  • in transit (Data-in-Motion), in the company's network;
  • at rest (Data-at-Rest), on the company's servers and workstations.

DLP systems can recognize critical documents:

  • by formal features, which is reliable but requires prior registration of the documents in the system;
  • by content analysis, which can give false positives but allows critical information to be detected within any document.

Over time, the nature of the threats and the composition of DLP customers have changed. The modern market places the following requirements on these systems:

  • support for several data leakage detection methods (Data-in-Use, Data-in-Motion, Data-at-Rest);
  • support for all popular network data transfer protocols: HTTP, SMTP, FTP, OSCAR, XMPP, MMP, MSN, YMSG, Skype, various P2P protocols;
  • a built-in directory of websites and correct processing of traffic sent to them (webmail, social networks, forums, blogs, job search sites, etc.);
  • support for tunneling protocols: VLAN, MPLS, PPPoE, and the like;
  • transparent control of SSL/TLS-protected protocols: HTTPS, FTPS, SMTPS and others;
  • support for VoIP telephony protocols: SIP, SDP, H.323, T.38, MGCP, SKINNY and others;
  • hybrid analysis, that is, support for several methods of recognizing valuable information: by formal features, by keywords, by matching content against regular expressions, and by morphological analysis;
  • desirably, selective real-time blocking of the transfer of critical information over any controlled channel (for individual users, groups or devices);
  • desirably, control of user actions over critical documents: viewing, printing, copying to external media;
  • desirably, control of the network protocols of Microsoft Exchange (MAPI), IBM Lotus Notes, Kerio, Microsoft Lync and other mail and messaging servers, for real-time analysis and blocking of messages over protocols such as MAPI, S/MIME, NNTP and SIP;
  • desirably, capture, recording and recognition of voice traffic: Skype, IP telephony, Microsoft Lync;
  • a graphics recognition (OCR) module and content analysis of images;
  • support for analyzing documents in several languages;
  • detailed archives and logs for convenient incident investigation;
  • desirably, developed tools for analyzing events and the links between them;
  • the ability to build various reports, including graphical ones.

New trends in information technology are making new features of DLP products popular. With the spread of virtualization in corporate information systems, it became necessary to support it in DLP solutions as well. The widespread use of mobile devices as a business tool gave rise to Mobile DLP. The creation of both corporate and public "clouds" required their protection, including by DLP systems, and, as a logical continuation, led to the emergence of "cloud" information security services (Security as a Service, SecaaS).

The principle of operation of the DLP system

A modern system for protection against information leakage is, as a rule, a distributed software and hardware complex consisting of a large number of modules of various purposes. Some modules run on dedicated servers, some on employees' workstations, and some at the workplaces of security officers.

Dedicated servers may be required for modules such as the database and, sometimes, the information analysis modules. These modules are, in fact, the kernel of the system, and no DLP system can do without them.

The database is needed to store information ranging from control rules and detailed information about incidents to all documents that fell within the system's field of view during a certain period. In some cases the system can even store a copy of the company's entire intercepted network traffic for a specified period of time.

The information analysis modules are responsible for analyzing text extracted by other modules from various sources: network traffic and documents on any information storage devices within the company. Some systems can extract text from images and recognize intercepted voice messages. All analyzed text is compared against predefined rules and flagged accordingly when a match is found.
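The rule matching performed by the analysis modules, the two recognition methods described earlier (by formal features or by content analysis) and the "hybrid analysis" requirement, as an added toy example that is not any vendor's code: a small Python analyser that fingerprints a pre-registered document with hashed word shingles, checks keywords and a Luhn-validated card-number pattern, and issues an allow/alert/block verdict. The policy, the contract text and the messages are constructed; the channel names and the rule that two content methods must agree before blocking are assumptions of this example.

```python
"""Toy hybrid DLP content analyser (added example, not any vendor's code)."""
import hashlib
import re
from dataclasses import dataclass, field

SHINGLE = 4  # words per shingle in a document fingerprint

def _words(text):
    return re.findall(r"\w+", text.lower())

def fingerprint(text):
    """Formal-feature method: set of hashed word shingles of a registered document."""
    w = _words(text)
    return {hashlib.sha256(" ".join(w[i:i + SHINGLE]).encode()).hexdigest()[:16]
            for i in range(max(1, len(w) - SHINGLE + 1))}

def luhn_ok(digits):
    """Card checksum: drops random 16-digit numbers that merely look like cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RX = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators

@dataclass
class Policy:
    keywords: set                      # content analysis: keyword list
    registered: dict                   # document name -> fingerprint set
    fp_threshold: float = 0.3          # share of a document's shingles that must match
    block_channels: set = field(default_factory=set)  # channels where content hits block

def analyse(text, policy):
    """Return the findings of every recognition method that fired."""
    findings = {}
    kw = policy.keywords & set(_words(text))
    if kw:
        findings["keywords"] = sorted(kw)
    cards = [m for m in CARD_RX.findall(text) if luhn_ok(re.sub(r"\D", "", m))]
    if cards:
        findings["cards"] = len(cards)
    fp = fingerprint(text)
    for doc, ref in policy.registered.items():
        share = len(fp & ref) / len(ref)
        if share >= policy.fp_threshold:
            findings.setdefault("fingerprint", {})[doc] = round(share, 2)
    return findings

def decide(text, channel, policy):
    """Verdict: 'allow', 'alert' (log for the analyst only) or 'block'."""
    f = analyse(text, policy)
    if not f:
        return "allow", f
    if "fingerprint" in f:          # formal feature: reliable, block on any channel
        return "block", f
    if channel in policy.block_channels and len(f) >= 2:
        return "block", f           # two content methods agree on a blockable channel
    return "alert", f               # content analysis alone may be a false positive

# Constructed sample policy and registered document (not real data).
CONTRACT = ("Supply agreement between Acme Ltd and Beta LLC. The parties agree "
            "that the unit price of 12.50 euro is confidential and shall not be "
            "disclosed to third parties for the duration of this agreement.")
POLICY = Policy(keywords={"confidential", "secret"},
                registered={"contract.docx": fingerprint(CONTRACT)},
                block_channels={"smtp", "http"})

if __name__ == "__main__":
    print(decide("Our secret offer: card 4111 1111 1111 1111", "smtp", POLICY))
```

A message quoting a third of the registered contract is blocked on any channel, while a keyword hit alone only raises an alert, which is the trade-off between the two methods the text describes.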

Special agents may be installed to control employees' actions on their workstations. Such an agent should be protected from user interference with its operation (in practice this is not always the case) and can both passively observe the user's actions and actively prevent what the company's security policy prohibits. The list of controlled actions may be limited to user logon and logoff and the connection of USB devices, or may include interception and blocking of network protocols, shadow copying of documents written to any external media, printing of documents on local and network printers, transmission of information over Wi-Fi and Bluetooth, and much more. Some DLP systems are able to record all keystrokes (key-logging) and save screen copies (screenshots), but this goes beyond generally accepted practice.

Usually a DLP system contains a control module designed for monitoring the operation of the system and administering it. This module allows the performance of all other system modules to be monitored and their settings to be changed.

For the convenience of the security analyst, a DLP system may have a separate module that allows the company's security policy to be configured, its violations to be tracked, detailed investigations to be conducted and the necessary reports to be produced. Oddly enough, other things being equal, it is precisely the capabilities for analyzing incidents, conducting a full investigation and reporting that come to the fore in a modern DLP system.

World DLP market

The DLP market began to form only in this century. As was said at the beginning of the article, the very concept of "DLP" spread around 2006. The largest number of companies creating DLP systems arose in the United States, where there was the greatest demand for such solutions and a favorable environment for creating and developing such a business.

Almost all the companies that began creating DLP systems and achieved notable success were bought or absorbed, and their products and technologies were integrated into larger information systems. For example, Symantec acquired Vontu (2007), Websense acquired PortAuthority Technologies Inc. (2007), EMC Corp. acquired RSA Security (2006), and McAfee absorbed a number of companies: Onigma (2006), SafeBoot Holding B.V. (2007), Reconnex (2008), TrustDigital (2010), tenCube (2010).

Currently, the world's leading manufacturers of DLP systems are: Symantec Corp., RSA (a division of EMC Corp.), Verdasys Inc., Websense Inc. (bought in 2013 by the private company Vista Equity Partners), and McAfee (bought by Intel in 2011). A notable role is also played by Fidelis Cybersecurity Solutions (bought by General Dynamics in 2012), CA Technologies and GTB Technologies. A visual illustration of their position on the market, in one of its cross-sections, is the Magic Quadrant of the analyst company Gartner at the end of 2013 (Figure 1).

Figure 1. Positions of DLP systems in the global market according to Gartner.

Russian DLP market

In Russia, the DLP market began to form almost simultaneously with the world market, but with its own characteristics. It happened gradually, as incidents occurred and attempts were made to deal with them. The first in Russia to develop a DLP solution, in 2000, was Jet Infosystems (at first it was a mail archive). A little later, in 2003, InfoWatch was founded as a subsidiary of Kaspersky Lab. It was the solutions of these two companies that set the landmarks for the other players. A little later they were joined by Perimetrix, SearchInform, DeviceLock and SecurIT (renamed Zecurion in 2011). As the state adopted legislation on the protection of information (Article 857 of the Civil Code of the Russian Federation "Bank Secrecy", Federal Law 395-1-FZ "On Banks and Banking Activities", 98-FZ "On Commercial Secrets", 143-FZ "On Civil Status Acts", 152-FZ "On Personal Data", and others, about 50 types of secrets in all), the need for protection tools increased and demand for DLP systems grew. A few years later, the "second wave" of developers came to the market: Falcongaze, MFI Soft, Trafica. It is worth noting that all these companies had been working in the DLP area much earlier, but became market participants relatively recently. For example, MFI Soft began developing its DLP solution back in 2005, but announced itself on the market only in 2011.

Even later, the Russian market became interesting to foreign companies. In 2007-2008, Symantec, Websense and McAfee products became available. Most recently, in 2012, GTB Technologies brought its solutions to our market. Other world market leaders are also making attempts to enter the Russian market, but so far without noticeable results. In recent years the Russian DLP market has demonstrated stable growth (over 40% annually), which attracts new investors and developers. As an example, one can name Iteranet, which since 2008 has been developing elements of a DLP system, first for internal purposes and then for corporate customers. Currently, the company offers its Business Guardian solution to Russian and foreign buyers.

InfoWatch separated from Kaspersky Lab in 2003. According to the results of 2012, InfoWatch holds more than a third of the Russian DLP market. InfoWatch offers a full range of DLP solutions for customers, from medium-sized businesses to large corporations and government agencies. The most in demand on the market is the InfoWatch Traffic Monitor solution. The main advantages of its solutions: developed functionality, unique patented traffic analysis technologies, hybrid analysis, support for many languages, a built-in directory of web resources, scalability, a large number of preset configurations and policies for different industries. Distinctive features of InfoWatch solutions are a single management console, control of the actions of employees under suspicion, an intuitive interface, formation of security policies without the use of Boolean algebra, and the creation of user roles (security officer, company head, HR director, etc.). Disadvantages: lack of control over user actions at workstations, InfoWatch Traffic Monitor is too heavyweight for medium-sized businesses, high cost.

Jet Infosystems was founded back in 1991 and is today one of the pillars of the Russian DLP market. Initially the company developed systems to protect organizations from external threats, and its entry into the DLP market was a natural step. Jet Infosystems is an important player in the Russian information security market, providing system integration services and developing its own software, in particular its own DLP solution, Dozor-Jet. Its main advantages: scalability, high performance, the ability to work with Big Data, a large set of interceptors, a built-in directory of web resources, hybrid analysis, an optimized storage system, active monitoring, in-line ("in the gap") operation, quick search and analysis of incidents, developed technical support, including in the regions. The complex can also integrate with systems of the SIEM, BI, MDM, Security Intelligence, and System and Network Management classes. Its own know-how is the "Dossier" module designed for investigating incidents. Disadvantages: insufficient functionality of workstation agents, weak control of user actions, orientation of the solution only towards large companies, high cost.

Websense is an American company that started its business in 1994 as a software manufacturer. In 1996 it presented its first independent development, Internet Screening System, for controlling the actions of personnel on the Internet. Subsequently the company continued to work in the field of information security, mastering new segments and expanding its range of products and services. In 2007 the company strengthened its position on the DLP market by acquiring PortAuthority. In 2008 Websense came to the Russian market. At the moment the company offers the comprehensive Websense Triton product for protection against leaks of confidential data as well as against external threats. Main advantages: unified architecture, performance, scalability, several delivery options, preset policies, developed reporting and event analysis. Disadvantages: no support for a number of IM protocols, no support for Russian morphology.

Symantec Corporation is a recognized world leader on the DLP market. It became one after the purchase in 2007 of Vontu, a large manufacturer of DLP systems. Since 2008, Symantec DLP has been officially represented on the Russian market. At the end of 2010, Symantec was the first of the foreign companies to localize its DLP product for our market. The main advantages of this solution are: powerful functionality, a large number of analysis methods, the ability to block leaks on any controlled channel, a built-in directory of websites, scalability, a developed agent for analyzing events at the workstation level, rich international implementation experience and integration with other Symantec products. The disadvantages of the system include high cost and lack of control of some popular IM protocols.

Falcongaze is a Russian company founded in 2007 as a developer of information security tools. The main advantages of the Falcongaze SecureTower solution: easy installation and configuration, a convenient interface, control of a large number of data channels, developed information analysis tools, the ability to monitor employees' actions at workstations (including viewing desktop screenshots), a graph of personnel interconnections, scalability, fast search through intercepted data, a visual reporting system by various criteria.

Disadvantages: inability to work at the gateway level, limited features for blocking confidential data (SMTP, HTTP and HTTPS only), the absence of a module for searching for confidential data in the enterprise network.

GTB Technologies is an American company founded in 2005. Thanks to its own information security technologies, it has great development potential. It came to the Russian market in 2012 and has successfully implemented several corporate projects. The advantages of its solutions: high functionality, control of multiple protocols and channels of potential data leakage, original proprietary technologies, modularity, integration with IRM. Disadvantages: partial Russian localization, no Russian documentation, lack of morphological analysis.

Iteranet is a Russian company, founded in 1999 as a system integrator and reorganized into a holding in 2013. One of its activities is the provision of a wide range of information protection services and products. One of the company's products is the Business Guardian DLP system of its own development.

Advantages: high data processing speed, modularity, territorial scalability, morphological analysis in 9 languages, support for a wide range of tunneling protocols.

Disadvantages: limited information blocking capabilities (supported only via plugins for MS Exchange, MS ISA/TMG and Squid), limited support for encrypted network protocols.

MFI Soft is a Russian developer of information security systems. Historically the company specializes in integrated solutions for telecom operators, and therefore pays great attention to data processing speed, fault tolerance and efficient storage. MFI Soft has been developing information security products since 2005. The company offers on the market the Garda Enterprise hardware and software DLP system, oriented towards large and medium-sized enterprises. Advantages of the system: simplicity of deployment and configuration, high performance, flexible detection rule settings (including the ability to record all traffic), wide communication channel control capabilities (in addition to the standard set these include VoIP telephony, P2P and tunneling protocols). Disadvantages: lack of certain types of reports, no capability to block information or to search for the location of confidential information in the enterprise network.

SearchInform is a Russian company, founded in 1995, that initially specialized in the development of information storage and search technologies. Later the company applied its experience and developments to the field of information security and created a DLP solution called Information Security Contour. Advantages of this solution: wide capabilities for intercepting traffic and analyzing events at workstations, employee working time control, modularity, scalability, developed search tools, fast processing of search queries, a graph of employee communications, its own patented "search for similar" algorithm, and its own training center for analysts and customer technicians. Disadvantages: limited information blocking capabilities, no unified management console.

DeviceLock is a Russian company, founded in 1996, specializing in the development of DLP and EDPC solutions. The company moved into the category of DLP manufacturers in 2011 by adding to its world-known EDPC-category product DeviceLock (control of devices and ports on Windows workstations) components providing control of network channels and content analysis and filtering technologies. Today DeviceLock DLP implements all methods of detecting data leakage (DIM, DIU, DAR). Advantages: flexible architecture and fine-grained licensing, simplicity of installation and management of DLP policies, including through AD group policies, original patented mobile device control technologies, support for virtualized environments, agents for Windows and Mac OS, full control of mobile employees outside the corporate network, a resident OCR module (used, among other things, when scanning storage locations). Disadvantages: no DLP agent for Linux, and the agent for Mac computers implements only contextual control methods.

Trafica is a young Russian company specializing in deep packet inspection (DPI) technologies. On the basis of these technologies the company is developing its own DLP system, Monitorium. Advantages of the system: easy installation and configuration, a convenient user interface, a flexible and visual policy creation mechanism, suitable even for small companies. Disadvantages: limited analysis capabilities (no hybrid analysis), limited control at the workstation level, no capability to search for unauthorized copies of confidential information in the corporate network.

Conclusions

Further development of DLP products is moving in the direction of consolidation and integration with related areas: personnel control, protection against external threats, and other information security segments. At the same time, almost all companies are working on lightweight versions of their products for small and medium-sized businesses, where the simplicity of deploying a DLP system and the convenience of using it matter more than complex and powerful functionality. DLP development also continues for mobile devices, with support for virtualization and SecaaS technology in the "cloud".

Taking all of the above into account, it can be assumed that the rapid development of the world and especially the Russian DLP markets will attract new investment and new companies. This, in turn, should lead to a further increase in the number and quality of the DLP products and services on offer.