A Closer Watch

By Andrew Garcia  |  Posted 2007-04-16

Sanctuary also provides the ability to log—or even keep a copy of—data permitted to be copied from the desktop.

Closer watch
In the months to come, we expect to see increased interest in content-aware technologies. Network DLP (data loss prevention) vendors, including Vontu, Vericept and Reconnex, have recently released new endpoint agents that promise not only to lock down the use of unauthorized storage devices but also to provide policy-based detection of proprietary data content copied to an approved device.
For example, if an authorized user copies a Social Security number or intellectual property to an unapproved location, this new breed of endpoint security would block and log the attempt. However, content detection historically has been a network-based technology, so vendors will need to prove that their products will work on the desktop, intercepting disk I/O behavior rather than a network stream, without causing harm to the local system.
Many of these networking-based vendors have looked outside their own development teams to get going—with one notable exception: While Vericept bought Black White Box back in 2005 and Reconnex partnered with an unnamed third-party endpoint security vendor, Vontu went it alone, developing its own endpoint solution in-house.
There are drawbacks to cooperative products, as customers need to make sure that the same detection algorithms that are used at the network level are used at the endpoint. Also, the network and endpoint management functions should be fully integrated, with policy management, logging and reporting tied together for better trending and forensic analysis.
But Vontu's ground-up development comes at a cost as well, as its endpoint product appears less mature than the competition's. We learned in conversations with Vontu representatives that the company's Data At The Endpoint product is a log-only solution. It cannot, at this time, block the copying of data to removable storage, but only notifies an administrator of policy violations via e-mail. While such a notification is marginally useful for accountability reports, the horse has already left the barn at that point.
Steve Roop, Vontu's vice president of products and marketing, in San Francisco, asserts that the risk for false positives currently outweighs any reward for automatic blocking: "Our clients value accuracy as a higher priority than automated blocking," Roop said. "If you block things that are false positive, you will aggravate a large number of your employees."
Roop added that the same detection algorithms Vontu uses at the network level are available for the endpoint. Automated blocking will come in the next revision, he said, after customers have gotten a handle on exactly what data flows are present and what they mean.
eWEEK Labs recommends that corporations evaluate their systems and assess risk tolerance to determine the mix of network and endpoint-based products that will provide necessary auditing features, forensic analysis capabilities and—most importantly—peace of mind.
Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
