Endpoint Security Cigital

A client recently asked me to help her compare the two DLP solutions.  Here is what I said:

Consider business, functional and technical perspectives when comparing Websense Data Security Suite with Verdasys Digital Guardian. From a business perspective

Look at your threat scenarios and decide if you need an agent DLP solution or a network DLP solution – it depends mostly on network topology – if you have a lot of field sales/service agents – you will probably want agent DLP, in a central transaction processing data center will be easier to implement network DLP. If you like agent DLP – there is the 64K question of scalability and reliability of agents that run on Windows. Verdasys Digital Guardian has 2M agents installed in the field at the world’s largest  institutions (like JP Morgan and Deutsche Bank) on highly heterogeneous IT infrastructure. Websense has been successful in schools and small to mid-sized credit unions. The Websense Data security agent was released October 2008 and doesn’t have an install base yet with proven stability and scalability.     Ask if Websense can produce a third-party software security assessment on the robustness of their agent.

From a functional perspective

DG is a pure endpoint/point of usage kernel agent solution with an extremely wide range of security countermeasures (such as on-demand encryption) with excellent central control DG uses Autonomy for content inspection, WS uses PreciseID (a sliding hash algorithm – you can read the patent) – I would give WS high grades for non-structured content and fairly low grades for structured content. Websense is a network endpoint DLP solution – which increases cost of ownership vis-a-vis a best of breed agent DLP solution (DG) or network DLP solution (Fidelis).   You have to maintain the gateway systems and worry about agents.  This is a non-trivial task that involves different skill sets in the IT and network security teams. Websense Data Security gateway doesn’t scale (it melts down at 100mb/s in our experience) Websense Data Security gateway assumes that you know what files to protect and can afford the cost of file fingerprinting (due to the complexity of banking documents andtransactions, this is a bad assumption for a bank) Websense Data security  gateway uses inline forward proxies to scan outbound traffic. For example, WS gateway cannot prevent data theft using an HTTP GET query string. The  forward proxy architecture assumes that data loss is primarily from insiders – which is a bad assumption. Most data loss is by malicious outside attackers who exploit network and software vulnerabilities – not internal uses using Windows applications to steal data.

From a technical perspective:

The Websense agent appears to rely on the gateway to ship out signatures to the agent – which may generate large spikes of data traffic between the agents and the gateway, for example when profiling large data sets of files or large databases of PII (personally identifiable information).  The data traffic can be minimized by using regex instead of the original Port Authority sliding hash algorithm but then they lose the advantages of PreciseID. Websense  Data security gateway appliance can be exploited using fragmented/segmented HTTP exploits. Websense Data security requires Windows authentication – i.e. rogue network users who get an IP address with DHCP can bypass the system with a variety of exploits. Requires scanning of file and database servers to create the PreciseID™ signatures Creates a Man in the middle vulnerability with file scanning server. If an attackers gains control of the scanning server – they will have access to everything. Additional load on Windows file serversThe Websense file scanning server is like a “Red Flag” to malicious attackers.