
Understanding & Selecting a DLP Solution…Fantastic Advice But Wholesale Misery in 10,000 Words or More…

If you haven’t been following Rich Mogull’s amazing writeup on how to "Understand and Select a DLP Data Leakage Prevention Solution" you’re missing one of the best combinatorial market studies, product dissection and consumer advice available on the topic from The Man who covered the space at Gartner.

Here’s a link to the latest episode (part 7!) that you can use to work backwards from.

This is not a knock on the enormous amount of work Rich has done to educate us all; in fact it's probably one of the reasons he chose to write this magnum opus: this stuff is complicated, which explains why we're still having trouble solving this problem…

If it takes 7 large blog posts and over 10,000 words to enable someone to make a reasonably educated decision on how to consider approaching the purchase of one of these solutions, there are two possible reasons for this:

  1. Rich is just a detail-oriented, anal-retentive ex-analyst who does a fantastic job of laying out everything you could ever want to know about this topic given his innate knowledge of the space, or
  2. It’s a pie that ain’t quite baked.

I think the answer is "C – All of the above," and it's absolutely no wonder why this market feature has a cast of vendors who are shopping themselves to the highest bidder faster than you can say "TablusPortAuthorityOakelyOnigmaProvillaVontu."

Yesterday we saw the leader in this space (Vontu) finally submit to the giant Yellow Sausage Machine.

The sales cycle and adoption attach rate for this sort of product must be excruciating if one must be subjected to the equivalent of the Old Testament just to understand the definition and scope of the solution…as a consumer, I know I have a pain that needs amelioration in this category, but which one of these ointments is going to stop the itching?

I dig one of the first paragraphs in Part I which is probably the first clue we’re going to hit a slippery slope: 

The first problem in understanding DLP is figuring out what we're actually talking about. The following names are all being used to describe the same market:

  • Data Loss Prevention/Protection
  • Data Leak Prevention/Protection
  • Information Loss Prevention/Protection
  • Information Leak Prevention/Protection
  • Extrusion Prevention
  • Content Monitoring and Filtering
  • Content Monitoring and Protection

And I'm sure I'm missing a few. DLP seems the most common term, and while I consider its life limited, I'll generally use it for these posts for simplicity. You can read more about how I think of this progression of solutions here.

So you’ve got that goin’ for ya… 😉

In the overall evolution of the solution landscape, I think that this iteration of the DLP/ILP/EP/CMF/CMP (!) solution sets raises the visibility of the need to make decisions on content in context and to focus on information centricity (data-centric "security" for the technologists) instead of the continued deployment of packet-filtering 5-tuple network colanders and host-based agent bloatscapes being foisted upon us.

More on the topic of Information Centricity and its relevance to Information Survivability soon. I spent a fair amount of time talking about this as a source of disruptive innovation/technology during my keynote at the Information Security Decisions conference yesterday.

Great conversations were had afterwards with some *way* smart people on the topic, and I’m really excited to share them once I can digest the data and write it down.

/Hoff

(Image Credit: Stephen Montgomery)

  1. Kyle C Quest
    November 6th, 2007 at 17:41 | #1

    Rich does do a good job giving a thorough management level overview that even non-technical audience can follow, which is definitely a good thing. Hopefully somebody else can supplement it with a good overview of the backend technology.
    Either way, it's interesting that you call Vontu the leader in DLP space 🙂 I'd like to know what you base it on…

  2. P
    November 6th, 2007 at 18:59 | #2

    The whole problem with this space is that most customers are not thinking about securing their environments with a focus on what you call information centricity or a data centric approach. This drives vendors to come up with all sorts of "catchy" terms to describe a space their customers can relate to, problem is they can't – relate that is.
    I completely agree that organizations are far too focused on the next multi-giga-network-packetcrunching-filter-everything appliance. In fact, most of the DLP vendors out there are still focusing on rehashed network content tools now calling these "data leak loss" solutions, so I can't see how any of these network centric vendors can be categorized as a leader – Vontu included.
    At the end of the day it is about securing the information, and in most environments this information is no longer locked up in IT's "look-but-don't-touch" glass room. The information is sitting on the laptop in the back of an employee's car, on the iPhone in a field-tech's pocket, on the home personal computer of some employee just trying to be more productive, or at an ultra-secure SaaS provider (ultra-something…but secure is probably not the right term). We all have that itch and need some ointment (no need to elaborate on the source of your itch Hoff – we don't want to know :-), unfortunately we are all stuck on trying to understand the packaging and not the active ingredients.
    -P

  3. November 6th, 2007 at 19:42 | #3

    @Kyle & @P
    How/why do I describe Vontu as the leader in the space? Easy. Revenue, strategy, relative robustness and maturity of solution compared with competitive landscape, customer interviews and M&A research. That, and the guy who covered the space for Gartner (what's his name again?) positions them as such, also…within the context of what ends up being a $150-200M "market," they would qualify this way in a no-tie ranking.
    This shouldn't be construed as an endorsement, however.
    @P
    Good points, all of them. With virtualization, SaaS, Outsourcing, Mobility, etc. data isn't centralized, so pretending we can "protect" it with centralized solutions is silly.
    At the risk of dragging the conversation back a couple of posts (which I plan on doing anyway) access to data needs to be regulated by attaching/embedding a standardized metadata format that describes the attributes required to "secure" it.
    In fact, we can already use technology we have today to do this.
    I covered some of it before, I will do it again as an example in a follow-on post.
    You're right (and I talked about it in my presentation at ISD) that we keep focusing on the new shiny wrappers — the latest incarnation of permutated threatscapes that prey on the same set of fundamentally flawed architectural issues.
    I made reference to this iteration of the product space, meaning we'll see another generation evolving soon — probably integrated into the mega application suites which will serve the few that can afford (in every sense of the word) to deploy them.
    The rest of the folks will be forced into the waiting game and using (per Mr. Rothman's description) hope as a strategy…
    Thank you for your comments.
    /Hoff
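To make concrete the contrast the post draws between "content in context" decisions and 5-tuple packet filtering, and the point in the comment above about regulating access through metadata that travels with the data, here is an added illustration. It is editorial example code, not Hoff's, Rich's, or any DLP vendor's, and it assumes a hypothetical metadata shape (`classification`, `allowed_destinations`) and a hypothetical policy: a port-based rule sees only where traffic is going, while the content-aware policy looks at what is in the object (Luhn-validated card numbers), what label is embedded in it, and the channel and destination it is bound for. The sample messages are constructed.

```python
"""Content-in-context policy versus a 5-tuple rule (illustrative, not vendor code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces/hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (filters out most false hits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised card numbers found in text (regex hit AND Luhn-valid)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class DataObject:
    content: str
    # Assumed metadata format: attributes embedded with the data, e.g.
    # {"classification": "restricted", "allowed_destinations": ["partner.example.com"]}
    metadata: dict = field(default_factory=dict)


@dataclass
class Context:
    src_ip: str
    dst_host: str
    dst_port: int
    channel: str   # "smtp", "https", "sftp", "usb", ...
    user: str


def five_tuple_rule(ctx: Context) -> str:
    """What a packet filter can decide: ports only, no idea what the payload is."""
    return "allow" if ctx.dst_port in (25, 443) else "block"


def content_in_context(obj: DataObject, ctx: Context) -> str:
    """Decide from content, embedded label and context; labels can be raised by content."""
    classification = obj.metadata.get("classification", "unclassified")
    if find_pans(obj.content):
        classification = "restricted"      # detected card data overrides a weak label
    if classification == "restricted":
        allowed = set(obj.metadata.get("allowed_destinations", []))
        if ctx.dst_host in allowed and ctx.channel in ("https", "sftp"):
            return "allow-encrypted"       # approved recipient over a protected channel
        return "block"
    if classification == "confidential" and ctx.channel == "usb":
        return "block"                     # removable media leaves the enterprise
    return "allow"


if __name__ == "__main__":
    # Constructed sample: refunds spreadsheet text with a test card number, two destinations.
    refunds = DataObject("Q3 refunds: 4111-1111-1111-1111 (acct 17)")
    webmail = Context("10.1.2.3", "mail.example.net", 443, "https", "alice")
    partner = Context("10.1.2.3", "partner.example.com", 443, "https", "alice")
    labelled = DataObject(refunds.content,
                          {"classification": "restricted",
                           "allowed_destinations": ["partner.example.com"]})
    print("5-tuple  -> webmail:", five_tuple_rule(webmail))           # allow
    print("content  -> webmail:", content_in_context(refunds, webmail))  # block
    print("content  -> partner:", content_in_context(labelled, partner))  # allow-encrypted
```

The same HTTPS flow to port 443 gets an "allow" from the port rule in both cases; only the content-aware policy distinguishes card data bound for webmail from the same data bound for the partner it is labelled for, and the label embedded in the object is what carries that intent when the data is no longer sitting behind a central choke point.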

  4. Kyle C Quest
    November 6th, 2007 at 21:40 | #4

    Well, Gartner is only one of the analyst companies. And obviously it's not surprising that Rich positioned them that way because he was, after all, working for them. Others have slightly different standings… Either way, I was just curious about your sources. I don't want to start a discussion about which solution is better, etc.

  5. November 6th, 2007 at 22:55 | #5

    I haven't been able to take DLP seriously as a concept, for many of the reasons you cite. And it didn't help when a colleague of mine confused "Onigma" with "Olestra."
    Data leakage, anyone?

  6. November 7th, 2007 at 04:01 | #6

    @Kyle: I'm not beholden to Gartner; the other elements I listed were used to form the basis of the statement, not just a glance at the MQ 😉
    @Shrdlu:
    Ew.

  7. November 7th, 2007 at 05:29 | #7

    So Hoff, are you gonna be one of those revisionist security guys who claim that security has been a struggle between attackers and data since the beginning of knowledge transfers in speech?

  8. November 7th, 2007 at 05:44 | #8

    No. Revisionists are folks who try to undo the past or construct it in a light that suggests it happened differently. I'm looking forward which means I don't disregard the past, but rather try to learn from it.
    I'm not apologizing for the present, it's our own doing.
    Lots of opportunities to improve and we have the capacity, capability and some of the technology to do it.
    /Hoff

  9. October 22nd, 2010 at 14:54 | #9

    After working with 3 leading DLP solutions, not in great depth but enough to give me a good insight, I found Symantec's Vontu DLP to be the best. It is powerful, granular and a complete solution than any of the others. But that's just my opinion going by experience.

    However a data loss prevention strategy should be more than just a technical solution as I have talked about on my site – http://www.internet-computer-security.com/Securit
