Device Lock. Why Consider An Endpoint DLP Solution? ENDPOINT DATA LEAK PREVENTION SUITE FOR PROTECTING SENSITIVE INFORMATION

Transcription

1 Device Lock ENDPOINT DATA LEAK PREVENTION SUITE FOR PROTECTING SENSITIVE INFORMATION Why Consider An Endpoint DLP Soltion? The data yo are striving to protect behind firewalls and passwords is likely still slipping throgh yor fingers. Data leaks can be initiated by either nwitting employees or sers with malicios intent who copy proprietary or sensitive information from their PCs to flash memory sticks, smartphones, cameras, PDA s, DVD/CDROMs, or other convenient forms of portable storage. Or, leaks may spring from ser s, instant messages, web forms, social network exchanges or telnet sessions. Wireless endpoint interfaces like Wi-Fi, Bletooth, and Infrared as well as device synchronization channels provide additional avenes for data loss. Likewise, endpoint PCs can be infected with vicios malware that harvest ser keystrokes and send the stolen data over SMTP or FTP channels into criminal hands. While these threat vectors can evade conventional network secrity soltions and native Windows controls, the DeviceLock Endpoint Data Leak Prevention (DLP) Site addresses them. It enforces data protection policies with awareness of both the context and content of data flows across endpoint channels where leaks can otherwise occr.

2 DeviceLock Endpoint DLP With Context & Content Awareness The most efficient approach to data leakage prevention is to start with contextal control that is, blocking or allowing data flows by recognizing the ser, the data types, the interface, the device or network protocol, the flow direction, the state of encryption, the date and time, etc. Some scenarios call for a deeper level of awareness than context alone can provide; for example, when the data being handled contains personally identifiable information, when the inpt/otpt channel is conventionally open and ncontrolled, and when the sers involved have sitations or backgronds considered "high risk." Secrity administrators can gain greater peace of mind by passing data flows that fall into any of these categories throgh an additional content analysis and filtering step before allowing the data transfer to complete. DeviceLock Endpoint DLP Site provides both contextal and content-based control for maximm leakage prevention at minimm pfront and ownership cost. Its mlti-layered inspection and interception engine provides fine-grained control over a fll range of data leakage pathways at the context level. For frther confidence that no sensitive data is escaping, content analysis and filtering can be applied to select endpoint data exchanges with removable media and Plg-n-Play devices, as well as with network commnications. With DeviceLock, secrity administrators can precisely match ser rights to job fnction with regard to transferring, receiving and storing data on media attached to corporate compters. The reslting secre compting environment allows all legitimate ser actions to proceed nimpeded while blocking any accidental or deliberate attempts to perform operations otside of preset bonds. DeviceLock spports a straightforward approach to DLP management that allows secrity administrators to se Microsoft Windows Active Directory Grop Policy Objects (GPOs) and DeviceLock consoles for dynamically managing distribted endpoint agents that enforce centrally defined DLP policies locally on their host compters. With DeviceLock in place, yo can centrally control, log, shadow-copy, and analyze end-ser access to, and data transfers throgh, all types of peripheral devices and ports, as well as network commnications on corporate compters. In addition, its agents detect and block hardware keyloggers to prevent their se in the theft of passwords and other proprietary or personal information. Importantly, DeviceLock does all this while consming a minimm of disk space and memory, remaining as transparent as desired to the end sers, and while rnning in tamper-proof mode. With its fine-grained endpoint contextal controls complemented by content filtering for the most vlnerable data channels, DeviceLock Endpoint DLP Site significantly redces the risk of sensitive information leaking from employees compters, whether de to simple negligence or malicios intent. At the same time, it acts as a secrity platform that enforces stated data protection policies and promotes compliance with corporate information handling rles, as well as legal mandates like HIPAA, Sarbanes-Oxley, and PCI DSS. NetworkLock Network Channel Corporate Data DeviceLock ContentLock Removable Media Local Syncs Printing Channel Who What When How Where to What content Core DeviceLock fnctionality enforces device access policy by port (interface), device class, device type, device model, niqe device ID, hor-of-day, day-of-the-week, as well as by discrete access parameters sch as write, read-only, and format. Device types can be configred to only allow access to verified file types and to adhere to enforced se-of-encryption rles. NetworkLock extends the ability to control the context of data commnications to network protocols and applications. ContentLock provides advanced content filtering rles across the data channels that DeviceLock and NetworkLock manage.

3 Modlar Strctre and Licensing DeviceLock Endpoint DLP Site is comprised of a modlar set of complementary fnction-specific components that can be licensed separately or in any combination that meets crrent secrity reqirements. Existing cstomers have a secre pgrade path for DeviceLock fnctionality and the option to expand endpoint secrity with their choice of new modles. Likewise, new cstomers can incrementally move p to fll-featred endpoint DLP by adding fnctionality as it is needed and bdgets allow. The DeviceLock component incldes an entire set of context controls together with event logging and data shadowing for all local data channels on protected compters. These inclde peripheral devices and ports, connected smartphones/pda s, and docment printing. DeviceLock provides the core platform, central management and all administrative components for the other fnctional modles of the prodct site. The pre-integrated NetworkLock component provides contextal control fnctions over network commnications with port-independent protocol/application detection and selective control, message and session reconstrction with file, data, and parameter extraction, as well as event logging and data shadowing. The pre-integrated ContentLock component implements content monitoring and filtering of files transferred to and from removable media and Plg-n-Play devices, as well as of varios data objects from network commnications that are reconstrcted and passed to it by NetworkLock. These inclde s, instant messages, web forms, attachments, social media exchanges, file transfers, and telnet sessions. DeviceLock Search Server (DLSS) is another separately licensed component that performs fll text searches on data in the central shadowing and event log database. DLSS is designed to make the labor-intensive processes of information secrity compliance aditing, incident investigations, and forensic analysis more precise, convenient and time-efficient. The core DeviceLock component is mandatory for every prodct installation. All other modles, inclding NetworkLock, ContentLock, and DeviceLock Search Server, are separately licensed, optional and pre-integrated add-ons. This modlar prodct strctre and flexible licensing scheme enable DeviceLock cstomers to cost-effectively deploy endpoint DLP featres in stages. They can start with the essential set of port and device control fnctions incorporated in the core component and then incrementally add new fnction-specific modle licenses to activate additional capabilities as secrity and compliance reqirements grow. Active Directory Domain Controller Network Grop Policies DeviceLock Service iphone/ipad Palm BlackBerry Windows Mobile CD/DVD/BD Memory Card USB FireWire Printer WiFi IrDA Bletooth Instant Messenger Clipboard Social Network Webmail (SMTP) HTTP/HTTPS FTP/FTPS Telnet Enterprises can secre any nmber of remote endpoints with DeviceLock Endpoint DLP Site by leveraging its integration with Active Directory and the Windows Grop Policy Management Console. NOTE: For a fll list of network data channels protected by NetworkLock, refer to the Prodct Specifications section.

4 DeviceLock DeviceLock Featres and Benefits DeviceLock Endpoint DLP Site delivers essential content filtering capabilities and reliable control over network commnications on top of DeviceLock s best-in-indstry context-based controls, whereby access to local ports and peripheral devices on corporate endpoint compters is nder a DeviceLock administrator s centralized control. Active Directory Grop Policy Integration. DeviceLock s most poplar console integrates directly with the Microsoft Management Console (MMC) Active Directory (AD) Grop Policy interface. As Grop Policy and MMC-style interfaces are common knowledge for AD administrators, there is no proprietary interface to learn or appliance to by to effectively manage endpoints centrally. The simple presence of the DeviceLock MMC snap-in console on a Grop Policy administrator s compter allows for direct integration into the Grop Policy Management Console (GPMC) or the Active Directory Users & Compters (ADUC) console with absoltely zero scripts, ADO templates, or schema changes. Secrity administrators can dynamically manage endpoint data leakage prevention and adit settings right along with other Grop Policy atomated tasks. In addition to the MMC snap-in console for Grop Policy, DeviceLock also has classic Windows-style administrative consoles that can centrally manage agents on any AD, Novell, LDAP, or workgrop network of Windows compters. XML-based policy templates can be shared across all DeviceLock consoles. RSoP Spport. The Windows standard Resltant Set of Policy snap-in can be sed to identify which DeviceLock grop policy is crrently being applied and to predict which policy wold be applied in a given Organizational Unit (OU) membership scenario. Device Whitelisting. Among the five layers of Windows device control spported by DeviceLock, the USB device model and device ID levels are handled sing a whitelist approach, whereby the DeviceLock administrator can explicitly assign sers/grops to a USB device. Administrators can whitelist a specific corporate-issed model of USB drive, for example, and DeviceLock will allow only designated sers to have access with these, while blocking all other nlisted devices and nlisted sers by defalt. Administrators can even whitelist a single, niqe device, while locking ot all other devices of the same brand and model, as long as the device manfactrer has implemented a standard niqe identifier. There is also a powerfl Temporary Whitelist applet that sers can rn to secrely reqest short-term se of a USB monted device from a DeviceLock administrator, even while off the network. Meanwhile, the rest of the original secrity policy remains intact and enforced dring this athorized 'exception device' sage period. Network Commnications Control. An optional component of the DeviceLock Endpoint DLP Site, the NetworkLock modle adds comprehensive contextal control over endpoint network commnications. NetworkLock spports port-independent network protocol and application detection with selective blocking, message and session reconstrction with file, data, and parameter extraction, as well as event logging and data shadowing. NetworkLock controls heavily trafficked network protocols and applications. These inclde plain and SSL-tnneled SMTP commnications with messages and attachments handled separately. NetworkLock also controls web access and other HTTP-based applications with the ability to extract the content from encrypted HTTPS sessions. See the Prodct Specifications section for a list of all webmail and social media applications controlled by NetworkLock. With NetworkLock yo can set ser permissions for the network commnications sed for web mail, SMTP mail, social networking applications, instant messaging, file transfers, telnet sessions and more.

5 Content Filtering. Extending DeviceLock and NetworkLock capabilities beyond context-based secrity mechanisms, the ContentLock modle can filter the content of files copied to removable drives and other Plgn-Play storage devices, as well as varios data objects from within network commnications. These inclde , web access and other HTTP-based applications like webmail and social networking, many poplar instant messaging applications, FTP file transfers, and telnet sessions. The text analysis engine can extract textal data from more than 80 file formats and other data types and then apply effective and reliable content filtering methods based on Reglar Expression (RegExp) patterns with nmerical conditions and Boolean combinations of matching criteria. To ease the task of specifying content-aware rles, pre-bilt indstry-specific keyword lists can be sed as filter criteria, as well as common RegExp data pattern templates for sensitive information types like social secrity nmbers, credit cards, addresses, etc. The configration screens here show high-level samples of content-aware rles per specific device (above) and per specific network protocol (below). ContentLock's template-driven interface eases definition of content-aware filtering policies. Tre File Type Control. Administrators can selectively grant or deny access to over 4,000 specific file types for removable media. When a file type policy is configred, DeviceLock will look into a file s binary content to determine its tre type (regardless of file name and extension) and enforce control and shadowing actions per the applied policy. For flexibility, Content-Aware Rles for file types can be defined on a per-ser or per-grop basis at the device type layer. Tre file type rles can also apply to pre-filtering of shadow copies to redce the volme of captred data. Clipboard Control. DeviceLock enables secrity administrators to effectively block data leaks at their very embryonic stage when sers deliberately or accidentally transfer nathorized data between different applications and docments on their compter throgh clipboard mechanisms available in Windows operating systems. Copy and Paste operations can be selectively filtered for data exchanges between different applications (e.g. from Word to Excel or OpenOffice). At the context level, DeviceLock spports the ability to selectively control ser access to data objects of varios types copied into the clipboard inclding files, textal data, images, adio fragments (like recordings captred by Windows Sond Recorder), and data of nidentified types. Screenshot operations, inclding the Windows PrintScreen fnction and similar featres of thirdparty applications, can be blocked or mitigated for specific sers/grops and at specific compters. Mobile Device Local Sync Control. Administrators can se DeviceLock's patented local sync technology to set granlar access control, aditing, and shadowing rles for mobile devices that se the Microsoft Windows Mobile, Apple iphone /ipad /ipod toch or Palm operating systems' local data synchronization. Permissions are presented with fine granlarity and define which types of data (files, pictres, s, contacts, calendars, etc.) specified sers and/or grops are allowed to synchronize between managed PCs and their personal mobile devices regardless of the connection interface. BlackBerry smartphones are also spported with device presence detection, access control and event logging. Printing Secrity. DeviceLock pts local and network printing nder the strict control of corporate secrity administration. By intercepting Print Spooler operations, DeviceLock enables administrators to centrally control ser access to local, network, and even virtal printers from DeviceLock-managed PCs. In addition, for USB-connected printers, specified printer vendor models and/or niqe printer device IDs can be allowed for designated sers and grops. Printing events can be logged and the actal print job data can be shadow-copied, collected, and stored centrally for adit and post-analysis.

6 DeviceLock Removable Media Encryption Integration. DeviceLock takes an open integration approach to enforced se of encryption for removable media. It recognizes vendorspecific encryption on media when encontered, and it blocks, allows or mitigates access to the device according to predefined encryption policies. Cstomers have the option of sing the encryption soltion that best fits their secrity scenarios among best-of-breed technologies that inclde: Windows 7 BitLocker To Go, PGP Whole Disk Encryption; TreCrypt ; SafeDisk, SecrStar DriveCrypt Pls Pack Enterprise (DCPPE); and Lexar Media s S1100/S3000 series USB flash drives. DeviceLock allows for discrete access rles for both encrypted and nencrypted partitions of removable media that se any of the integrated encryption soltions mentioned above. With its partnering approach, DeviceLock is positioned to qickly add spport for more encryption vendors as the market demands. In addition, any pre-encrypted USB media can be selectively whitelisted with sage strictly enforced. DeviceLock MMC snap-in to Grop Policy Management: DeviceLock administrators have fll central control over access, adit, shadow, and content rles covering potential local data leakage channels across the entire Active Directory domain forest. Network-Awareness. Administrators can define different online vs. offline secrity policies for the same ser accont and compter. A sefl setting on a mobile ser's laptop, for example, is to disable Wi-Fi when docked to the corporate network to avoid network bridging data leaks and then to enable Wi-Fi when ndocked. Anti-Keylogger. DeviceLock detects USB keyloggers to generate alerts or even block keyboards connected to them. This featre allows administrators to secrely allow all singlefnction USB mice and keyboards by their generic device class. DeviceLock also obfscates PS/2 keyboard inpt and forces PS/2 keyloggers to record nintelligible text instead of real keystrokes. Tamper Protection. Configrable 'DeviceLock Administrators' featre prevents anyone from tampering with settings locally, even sers that have local PC system administration privileges. With this featre activated, only designated secrity administrators working from a DeviceLock console or Grop Policy Object (GPO) Editor can install/ninstall the program or edit DeviceLock policies.

7 DeviceLock Observation Mode DeviceLock is often sed at first to collect an adit record of the data objects that end sers are moving to removable media, DVD/CD-ROMs, PDAs, throgh Wi-Fi, and via web , web forms etc. DeviceLock adit/shadow records are sefl in determining the crrent level of non-compliance exposre and can be sed to provide a non-repdiable adit trail for compliance officials. When a leak is discovered or even sspected, DeviceLock provides tools to captre and forensically view objects and associated logs for se as evidence or for corrective policy action. Adit Logging. DeviceLock s aditing capability tracks ser and file activity for specified device types and ports on a local compter. It can prefilter aditable events by ser/ grop, by day/hor, by tre file type, by port/device type, by reads/ writes, and by sccess/failre events. DeviceLock employs the standard event logging sbsystem and writes adit records to a Windows Event Viewer log with GMT timestamps. Within DeviceLock s colmn-based viewers, logs can be sorted by colmn data and filtered on any stringbased criteria with wildcard operators to achieve a desired view of the captred adit data. Logs can also be exported to many standard file formats for import into other reporting and log management soltions. Data Shadowing. DeviceLock s data shadowing fnction can be set p to mirror all data copied to external storage devices, printed or transferred throgh serial, parallel, and network ports (with NetworkLock add-on). DeviceLock can also split ISO images prodced by CD/DVD brners into the original separated files pon ato-collection by the DeviceLock Enterprise Server (DLES). A fll copy of the files can be saved into the SQL database or to a secre share managed by the DLES. Shadow data can be prefiltered by ser/grop, day/hor, file type, and content to narrow down what is copied and then collected. DeviceLock s adit and shadowing featres are designed for efficient se of transmission and storage resorces with stream compression, traffic shaping for qality of service (QoS), local qota settings, and optimal DLES server ato-selection. Agent Monitoring. DeviceLock Enterprise Server can monitor remote compters in real-time by checking DeviceLock agent stats (rnning or not), version, policy consistency and integrity. The detailed information is written to the Monitoring log. Shold this process ncover that some DeviceLock agents are older versions or are inconsistent with the crrent secrity policy template, DeviceLock can then be sed to remotely pdate those agents to the crrent version and settings that will keep the local endpoint policy in compliance. Report Plg-n-Play Devices. The PnP Report allows administrators and aditors to generate a report displaying the USB, FireWire, and PCMCIA devices crrently and historically connected to selected compters in the network. This report also allows for efficient poplation of the USB whitelist as a first step to adding select device models or niqe devices to DeviceLock access policies. Graphical Reporting. DeviceLock can generate graphical canned reports in HTML, PDF or RTF format based on analysis of DLES-collected adit log and shadow file data. These reports can be ato- ed to a data secrity management list or compliance officers when generated. Data Search. The optional and separately licensed DeviceLock Search Server (DLSS) modle enhances the forensic abilities of DeviceLock by indexing and allowing comprehensive fll-text searches of centrally collected DeviceLock adit log and shadow file data. The DLSS aids in the labor-intensive processes of information secrity compliance aditing, incident investigations, and forensic analysis by making fact-finding faster, more precise, and more convenient. It spports indexing and searching in more than 80 file formats. Langage independent word, phrase, and nmber qeries take only seconds to execte once the data has been indexed. Stemming and noise-word filtering are trned on by defalt for words and phrases in English, French, German, Italian, Japanese, Rssian, and Spanish. DLSS ses all words logic (AND logic), with some special character wildcards available to refine or expand searches. Reslts are sorted by hit cont by defalt, thogh term weighting or field weighting for particlar words are available options. The DLSS also spports fll-text indexing and searching of printots in PCL and PostScript langages to adit virtally all docment printing. We fond DeviceLock to be the most cost-effective soltion for endpoint device management after months of prodct evalation. It has proven itself to be one of the biggest bangs for the bck in or arsenal of information secrity controls. David Gardner, Data Secrity Specialist, University of Alabama at Birmingham Health System

8 DeviceLock Prodct Specifications Infrastrctre (Installable) Components DeviceLock agent DeviceLock Enterprise Server (DLES) Consoles: DeviceLock Grop Policy Manager (DLGPM) DeviceLock Management Console (DLMC) DeviceLock Enterprise Manager (DLEM) Licensed Modles DeviceLock (core reqired) NetworkLock ContentLock DeviceLock Search Server (DLSS) Ports Secred USB, FireWire, Infrared, Serial, Parallel Device Types Controlled (Partial List) Floppies, CD-ROMs/DVDs, any removable storage (flash drives, memory cards, PC cards, etc.), Hard drives, Tape/ Optical devices, WiFi adapters, Bletooth adapters, Windows Mobile, Palm OS, Apple iphone/ipod toch/ ipad and BlackBerry Devices, Printers (local, network and virtal), Modems, Scanners, Cameras. Clipboard Control Inter-application clipboard copy/paste operations Data types independently controlled: file types, textal data, images, adio, nidentified data Screenshot operations (PrintScreen and 3rd-party applications) Data Types Controlled More than 4,000 file types Data synchronization protocol objects: Microsoft ActiveSync, Palm HotSync, itnes Pictres containing text as image Network Commnications Controlled Web Mail (inclding mobile versions): Gmail, Yahoo!Mail, Windows Live Mail, AOL Mail, Mail.R, Yandex.Mail, WEB.DE, GMX.de Social Networking (inclding mobile versions): Google+, Facebook, Twitter, LiveJornal, LinkedIn, MySpace, Odnoklassniki, Vkontakte, XING.com, Stdivz.de, Meinvz.de, Schelervz.net Instant Messengers: ICQ/AOL, MSN Messenger, Jabber, IRC, Yahoo! Messenger, Mail.r Agent Internet Protocols: HTTP/HTTP over SSL, SMTP/SMTP over SSL, FTP/FTP over SSL, Telnet Content Filtering Technologies Indstry-specific and cstom keyword filter templates Advanced Reglar Expression (RegExp) patterns with nmerical conditions and Boolean combination of matching criteria Pre-bilt RegExp templates (SSN, credit card, bank accont, address, passport, driver s license, etc.) Content Filtering Channels Removable media and other Plg-n-Play storage devices Network commnications File Formats Parsed 80+ file formats inclding Microsoft Office, OpenOffice, Lots 1-2-3, repositories and archives, CSV, DBF, XML, Unicode, GZIP, WinRAR, ZIP, etc. Content-Aware Data Shadowing Removable media and other Plg-n-Play storage devices, network commnications, local syncronizations, clipboard operations All parsed file formats and data types Fll-Text Searching All parsed file formats and data types PCL and Postscript printots Indexing and search based on: log record parameters, word, phrase, nmber Search logic: all words (AND), defalt hit cont weighting, configrable term and field weighting Stemming and noise-word filtering for English, French, German, Italian, Japanese, Rssian & Spanish Encryption Integration Windows 7 BitLocker To Go PGP Whole Disk Encryption TreCrypt SecrStar DriveCrypt (DCPPE) SafeDisk Lexar Media SAFE S1100 & S3000 Series Approved Encrypted Devices IronKey : D20XXX, S-200 & D200 Series Enterprise, Personal & Basic Models Systematic Development Grop: LOK-IT BlockMaster : SafeSticks Lexar Media: SAFE S1100 & S3000 Series SanDisk : Crzer Enterprise Series Component Dependencies ContentLock, NetworkLock and DLSS reqire core DeviceLock modle ContentLock reqires NetworkLock for content filtering of network commnications System Reqirements DeviceLock agent: Windows NT 4.0/2000/XP/Vista/7 or Server 2003/2008 (32-bit/64-bit versions); CPU Pentim 4, 64MB RAM, HDD 25MB DeviceLock consoles: Windows NT 4.0/2000/XP/Vista/7 or Server 2003/2008 (32-bit /64-bit versions); CPU Pentim 4, 2GB RAM, HDD 800GB DeviceLock Enterprise Server: Windows Server 2003 R2; 2xCPU Intel Xeon Qad-Core 2.33GHz, RAM 8GB, HDD 800GB; MSEE/MSDE or MS SQL Server [ For more information: UNITED STATES UNITED KINGDOM ITALY GERMANY 2440 Camino Ramon, Ste. 130 The 401 Centre, 302 Regent Street Via Falcone 7 Halskestr. 21 San Ramon, CA 94583, USA London, W1B 3HH, UK Milan, Italy Ratingen, Germany [email protected] Toll Free: +44 (0) Phone: Phone: Toll Free: Fax: +44 (0) Fax: Fax: Phone: Fax: Device Lock Proactive Endpoint Secrity Copyright DeviceLock, Inc. All Rights Reserved. DeviceLock is a registered trademark.