First of data loss prevention vendors touts downloadable DLP software

Many information security pros fear the amount of work they think goes into a DLP deployment, but Websense Inc. claims that doesn't have to be the case with its new downloadable DLP. UK Bureau Chief Ron Condon reports.

Security vendor Websense Inc. is confronting the accepted view among enterprises that data loss prevention (DLP) technology is complex and needs a labour-intensive data classification exercise before it can be effective.

As an alternative to such complex DLP products, the vendor is offering DLP software as a free download for 30 days, and is challenging companies to try it out and see what sensitive information is already leaking out of their organisations. Websense is the first among data loss prevention vendors to offer such a product.

"I don't want to oversimplify it because there is quite a lot of work involved in a long-term DLP deployment. But many organisations manage to get DLP up and running quickly."
Rich Mogull, analyst and CEO, Securosis LLC

Lior Arbel, a managing consultant with San Diego, Calif.-based Websense, said that many companies are put off by DLP because they believe they need to do a lot of preparation and carry out a company-wide data classification project before implementing a DLP product. "It's not true," he said. "There is a lot of generic data that can be easily identified."

The Websense DLP product comes with 1,100 pre-defined policy templates covering the most common types of data and regulations, Arbel said. Using a configuration wizard, users are able to select the policies which are likely to apply to their geography and industry, and begin monitoring their networks immediately for any sensitive information leaving the organisation.

Under the free offer, companies can download the full product to use in monitoring mode, which can help them see the extent of any leakage problem they might have. If organisations decide to buy, they receive a licence code to unlock the policy enforcement functions of the package.

Arbel conceded that special policies would need to be developed to protect a company's proprietary information, but said most deployments start with the common data types, such as credit card data and customer records.

"All the big news reports of leakages concern this type of data -- patient records, customer records, pensioner records -- and they can be easily identified," Arbel said. He added that he has been involved in hundreds of DLP deployments, and that companies always discover sensitive data being released or shared in contravention of policy. "It may not always be malicious. Users may have a good reason for sending the data, but it is against the company policy and without DLP, no one would know," he said.

It may sound like an easy (and free) way to detect leakages, but companies still need to make some preparations, according to Rich Mogull, an analyst with Phoenix-based research company Securosis LLC, and one of the world's leading DLP experts.

"Even if you are going to do this free download, I highly recommend that you check with management first and have a process and procedures in place to deal with any major [policy] violations that you might find," he said. "You may find information that may lead to employees needing to be disciplined. You need to have an incident-management process in place before you go ahead and do anything with [this software]."

Mogull agreed that many companies are intimidated by the perceived complexities of a DLP deployment. "They should realise that there are things you can do to get value out of [DLP] right away. I don't want to oversimplify it because there is quite a lot of work involved in a long-term DLP deployment. But many organisations manage to get DLP up and running quickly, especially if they just focus on passive network monitoring," he said.

He said there are two ways to approach DLP: the quick win and the more in-depth approach. "Installing a DLP product can provide a sense of what is happening on the network and deliver some quick results, while a more thorough tuning of policies is a more in-depth process. The two are not mutually exclusive," Mogull said.

Garry Sidaway, director of security strategy for Reading-based systems integrator Integralis Ltd., warned that implementing DLP with no attempt at classifying data could generate a lot of false alerts. "It's like the old IDS syndrome, where you get inundated with alerts and you become desensitised to them," he said. "Any DLP programme has to be done in a business context. Companies need to think about what information really matters to them."
