Suedell,
Two comments:
The real question about a content inspection product, like any other security product, is "Does it reduce your risk?" and "By how much?"
A DLP product can reduce a risk by blocking behavior that creates risk for the organization. It can reduce risk a LOT more by helping a CISO educate the end user on what risky behavior is, and through that help reduce that behavior. Only in a few severe cases is blocking the user in mid-action recommended - and this recommendation is from a company whose blocking capabilities were the basis of its content inspection, not the other way around.
As to detection rates - I agree that inaccurate results reduce the effectiveness of the product, as was the case for HIDS.
However, I know of no agreed way of measuring false positive and false negative rates for DLP, or any independent 3rd party doing those tests. Contrary to SPAM or Anti Malware testing where you have a sample you can test across vendors, and a mostly clear outcome - for DLP this is not the case.
Given that FP rates depend not only on the sample, but also on the subjective decisions of a tester and the fine tuning of the rules (and resulting FN rate) to fit with a specific organization, I do not see what the meaning of "67%" or "99.999%" as a single number is for an end user.
I could understand a sentence like "Out of the box 99.95% detection of credit card numbers with less than 0.3% false positives on a sample of 10,000 emails and 20,000 files from N customers", but none of the vendors seems to be as specific.
I did not even see "X% detection with Y% false positives after only 6 weeks of fine tuning".
The advantage for a product that has rich file based port control is that on day 1 you can have 100% accuracy for some flows that reduce risk considerably. Then, it is a lot easier to continue improving the more difficult flows. Part of the improvement will definitely come from end user training, not just rule fine tuning.