Preventing data loss or reacting to data loss.

I love New York but I live in Israel.

DLP (Data Loss Prevention or extrusion prevention) is an important category of IT security that helps protect data from leaving the network. Keeping the good stuff in, as opposed to keeping the bad guys out.

Israel has a booming IT security industry with Checkpoint, Radware, Algosec, Cyberark, Aladdin, Allot, Yoggie, Adi Shamir and numerous small security startups.  It’s hard to show a customer something new.   There is a lot of innovation in security here and  just about everybody has a Checkpoint firewall.  In Israel, Checkpoint is a de-facto gold standard for security product features.  Gil Schwed would like to see DLP in the gateway but Checkpoint is still at the strategy stage with DLP apparently – as a result a lot of Israeli companies have passed on this technology.

Websense acquired an Israeli company a couple years ago called Port Authority, which is a really strange name for a content inspection system and even more weird if you had ever been in the seedy old Port Authority terminal in New York on 42d street back in the 60s and 70s – with the dirt, gasoline fumes and the most variegated types of humanity to be found on a New York street – prostitutes, con men and transvestites….

Anyhow, I digress.

A colleague asked me this week to compare Fidelis XPS Extrusion Prevention system with Websense DLP. This is more or less what I told him:

For larger firms – Fidelis XPS is the best fit you can get, being extremely scalable, easy to install and economical to maintain.  If you run a business unit with a Microsoft network of up to 1000 users and well defined requirements to prevent leakage of MS Office documents; Websense is a viable option.  See points 1-3 below:

1) With Websense you have to classify and index your documents.  The server that does that creates a  man in the middle vulnerability and adds load to your Windows file server – since the scanner is constantly hitting documents on the file server.  Introducing MITM vulnerabilities and more load on your Windows file and print servers are two headaches I would try to avoid.

2) Conceptually, the Websense DLP product is designed for outbound traffic and doesn’t play in the internal security space.

Fidelis XPS is based on NCP – a Layer 2 sniffer with full session reassembly running at full 1GB/s. Websense uses inline forward proxies and appears to melt down at less than 100MB/s.  A forward proxy can be exploited and is blind to a wide variety of data leakage attacks – for example -  sending data with an HTTP GET command to an external server. That’s a trivial exploit and easy way to steal data, The new Fidelis XPS Internal product supports DB2 and Oracle and is an effective way for preventing data loss inside the network, elevation of privilege and abuse of privilege.   Abuse of privilege by an outsourced Oracle DBA is a vulnerability that is mitigated extremely well by Fidelis XPS Internal.

3) Conceptually, Websense DLP assumes that you know how to classify your data   Fidelis XPS enables data classification, of course, but  all  my active Fidelis XPS  users have found that Fidelis XPS is extremely good at discovering new vulnerabilities. The Fidelis XPS Command Post is a lot like one of those real-time early warning systems where you can see terrorists spinning up mobile missile launchers.

It’s like this, I told my friend. it depends if you think about security from a defensive or a strategic perspective.

If you think about security from a defensive perspective, you think you know everything and you don’t have too big a business unit to manage (i.e. you’re an Israeli) – go ahead and buy Websense.

If you think about security from strategic perspective, you think you have a lot to learn and you’d rather block high-profile attacks (first shooter advantage) and get an early warning of new inbound threats – you are thinking about security from a strategic perspective. Get Fidelis XPS.