Websense Data Security Suite versus Verdasys Digital Guardian

A client recently asked me to help her compare the two DLP solutions. Here is what I said:

Consider business, functional and technical perspectives when comparing Websense Data Security Suite with Verdasys Digital Guardian.

From a business perspective

  1. Look at your threat scenarios and decide whether you need an agent (endpoint) DLP solution or a network DLP solution. It depends mostly on network topology: if you have a lot of field sales/service agents, you will probably want agent DLP; in a central transaction processing data center it will be easier to implement network DLP.
  2. If you like agent DLP, there is the $64,000 question of scalability and reliability of agents that run on Windows. Verdasys Digital Guardian has 2M agents installed in the field at the world’s largest institutions (like JP Morgan and Deutsche Bank) on highly heterogeneous IT infrastructure. Websense has been successful in schools and small to mid-sized credit unions.
  3. The Websense Data Security agent was released October 2008 and doesn’t have an install base yet with proven stability and scalability. Ask if Websense can produce a third-party software security assessment on the robustness of their agent.

From a functional perspective

  1. Digital Guardian (DG) is a pure endpoint/point-of-usage kernel agent solution with an extremely wide range of security countermeasures (such as on-demand encryption) and excellent central control.
  2. DG uses Autonomy for content inspection; Websense uses PreciseID (a sliding hash algorithm – you can read the patent). I would give Websense high grades for non-structured content and fairly low grades for structured content.
  3. Websense is a network + endpoint DLP solution, which increases cost of ownership vis-a-vis a best-of-breed agent DLP solution (DG) or network DLP solution (Fidelis). You have to maintain the gateway systems and worry about agents. This is a non-trivial task that involves different skill sets in the IT and network security teams.
  4. Websense Data Security gateway doesn’t scale (it melts down at 100mb/s in our experience).
  5. Websense Data Security gateway assumes that you know what files to protect and can afford the cost of file fingerprinting (due to the complexity of banking documents and transactions, this is a bad assumption for a bank).
  6. Websense Data Security gateway uses inline forward proxies to scan outbound traffic, which leaves gaps in coverage; for example, the Websense gateway cannot prevent data theft using an HTTP GET query string.
  7. The forward proxy architecture assumes that data loss is primarily from insiders, which is a bad assumption. Most data loss is by malicious outside attackers who exploit network and software vulnerabilities, not internal users using Windows applications to steal data.

From a technical perspective:

  1. The Websense agent appears to rely on the gateway to ship PreciseID signatures out to the agent, which may generate large spikes of data traffic between the agents and the gateway, for example when profiling large data sets of files or large databases of PII (personally identifiable information). The data traffic can be minimized by using regex instead of the original Port Authority sliding hash algorithm, but then they lose the advantages of PreciseID.
  2. Websense Data Security gateway appliance can be exploited using fragmented/segmented HTTP exploits.
  3. Websense Data Security requires Windows authentication, i.e. rogue network users who get an IP address with DHCP can bypass the system with a variety of exploits.
  4. Requires scanning of file and database servers to create the PreciseID™ signatures.
  5. Creates a man-in-the-middle vulnerability with the file scanning server. If an attacker gains control of the scanning server, they will have access to everything.
  6. Additional load on Windows file servers.
  7. The Websense file scanning server is like a “red flag” to malicious attackers.
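To make the functional point about sliding-hash fingerprinting (strong on unstructured text, weak on structured records) and the technical point about the signature set that has to be shipped to whatever performs the inspection concrete, here is an added illustration. It is not PreciseID, the Port Authority algorithm, or any vendor's code: it is a generic word-window fingerprint (one truncated SHA-256 per window of six consecutive words) next to a regex-plus-Luhn detector for card-number-like fields. All documents, messages and the record are constructed samples; the card number is the standard Luhn-valid test value.

```python
import hashlib
import re

# Words per window; a leaked fragment must contain at least this many
# consecutive words of the protected text to produce a single hit.
WINDOW = 6

# Constructed sample inputs (not real documents; 4111111111111111 is the
# standard Luhn-valid test number, not a real account).
PROTECTED_DOC = (
    "This agreement is entered into between Acme Bank and the Customer. "
    "The Customer agrees to repay the principal amount together with interest "
    "at the rate specified in Schedule A of this agreement."
)
PROTECTED_RECORD = "customer_id=1042 name=Jane Example card=4111111111111111 limit=5000"

OUTBOUND_LEAK = ("FYI - the Customer agrees to repay the principal amount together "
                 "with interest at the rate specified, see attached.")
OUTBOUND_CLEAN = "Lunch at noon? The cafeteria has a new menu."
OUTBOUND_RECORD = "card number is 4111-1111-1111-1111 please charge it"


def tokens(text):
    """Lower-case alphanumeric tokens: case and punctuation are ignored so that
    reformatting a leaked passage does not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, window=WINDOW):
    """Yield every run of `window` consecutive tokens (a sliding window)."""
    words = tokens(text)
    for i in range(len(words) - window + 1):
        yield " ".join(words[i:i + window])


def digest(shingle):
    return hashlib.sha256(shingle.encode()).hexdigest()[:16]


def fingerprint(text, window=WINDOW):
    """Signature set for a protected document: one truncated hash per window.
    The set grows linearly with the document, which is what must be shipped
    from the profiling component to the component doing the inspection."""
    return {digest(s) for s in shingles(text, window)}


def match_score(outbound, signatures, window=WINDOW):
    """Return (matching windows, total windows) for an outbound message."""
    hits = total = 0
    for s in shingles(outbound, window):
        total += 1
        hits += digest(s) in signatures
    return hits, total


# 16 digits with optional single space/dash separators between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits):
    """Luhn checksum, the usual validity filter for card-number-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Regex + Luhn detector: catches a single re-formatted field that the
    window fingerprint of the whole record cannot match."""
    found = []
    for m in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", m)
        if luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    sigs = fingerprint(PROTECTED_DOC)
    print("document signatures to ship:", len(sigs))
    print("leaked fragment (hits, windows):", match_score(OUTBOUND_LEAK, sigs))
    print("clean message (hits, windows):", match_score(OUTBOUND_CLEAN, sigs))
    rec_sigs = fingerprint(PROTECTED_RECORD)
    print("record via fingerprint:", match_score(OUTBOUND_RECORD, rec_sigs))
    print("record via regex+luhn:", find_card_numbers(OUTBOUND_RECORD))
```

Running it shows the two trade-offs in the list above: the contract fragment scores 10 of 13 windows although it was re-punctuated, the unrelated message scores zero, and the card number pulled out of the record and re-formatted scores zero against the record's fingerprint but is caught by the regex. The signature count equals roughly the word count of the protected corpus, which is the volume that has to move between the profiling side and every inspecting agent.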

6 thoughts on “Websense Data Security Suite versus Verdasys Digital Guardian”

  1. Ha…. Well at least the author is right about one thing: Verdasys is deployed in many organizations. Thing is, they won’t be for long.

    Aside from the fact that the author is spouting BS (e.g., Websense endpoint doesn’t route traffic back to network components for analysis), just about every one of Verdasys’s customers is looking for a new DLP solution. Bottom line, Verdasys doesn’t have the breadth of capabilities and is too focused on the endpoint to prevent data loss.

    1. Regarding the “BS” remark – if I am mistaken on some of the things I wrote – I will be happy to receive exact information and post it in the blog but calling my work bullshit is not going to win you many points for impartiality. That particular statement was based on a Websense product release, which I perhaps misconstrued. PR people don’t always understand the technology very well. I am always happy to learn more about data loss prevention different technologies.

      Regarding your comment that “just about every one of Verdasys’s customers are looking for a new solution” I would be interested in hearing more; you are welcome to contact me offline at my private email.

      Regarding product capabilities – breadth of technical capabilities is not a good indicator of what makes a security countermeasure the right, cost-effective choice. There will be customers where the best solution is agent DLP (like Verdasys or McAfee DLP), other customers who need network DLP (like Fidelis Security XPS) and other customers that choose to use network DLP to provide wide coverage and agent DLP for specific business areas and applications. A hybrid network/agent DLP approach is still fairly new and every single one of our customers has chosen to do either network DLP or agent DLP but not both. It’s possible that Websense has cracked the total cost of ownership challenge – in which case I definitely would be glad to learn more and see the solution first hand. Best regards – Danny Lieberman

  2. Danny,

    Please meditate on the following:

    “Websense is a network + endpoint DLP solution – which increases cost of ownership vis-a-vis a best of breed agent DLP solution (DG) or network DLP solution (Fidelis). You have to maintain the gateway systems and worry about agents. This is a non-trivial task that involves different skill sets in the IT and network security teams.”

    I find it interesting that you are taking an advantage (endpoint AND network coverage) and turning it into a disadvantage through the spinning of words – “This is a non-trivial task”.

    — Arik

  3. Arik

    I’m glad someone from Websense finally came out of the closet on the post! Welcome!

    Actually I meditate on DLP every day – especially on my bike coming up the last big hill to Modiin.

    The assumption that two security countermeasures that overlap are more effective than a single countermeasure is not always correct. As the CEO of one of our payment card processing clients told me this afternoon – “there is no free lunch” (and they’re a Websense user by the way).

    Effectiveness is measured by cost – and in my experience – agent DLP deployments are much more costly to implement and maintain than a best of breed network DLP product like the old Port Authority product or Fidelis Security XPS. Consider the challenge of deploying an anti-virus agent and then having to customize and maintain the signatures for every client. Great work if you can get it.

    The second issue is that two different and often opposing groups of people are involved – the IT operations/IT service people maintain PCs in the organization whereas the security group maintains the network DLP component without having to get involved with Windows issues. Two different skill sets and generally conflicting political agendas. Organizational politics is not always bad but it isn’t free.

    The third issue relates to introducing additional security vulnerabilities with additional software at the endpoint. Arik – you and I both know that with a little effort it’s possible to hack the agent and none of the vendors like Websense, Verdasys, Symantec or McAfee have openly published a third-party software security assessment. Send me an independent software security assessment of the Websense agent software from someone like Halvar Flake or Mark Dowd and then we’ll talk. It’s a lot easier to pay the Ponemon Group or Forrester for some market research than to show end-users the right stuff.

    Shabat Shalom – Danny Lieberman

  4. Hi Danny,

    Although I don’t completely share your disdain for endpoint software – it’s always a tradeoff between the risk and the benefits – I suggest that if your risk analysis determines that an endpoint product is not advisable at some point in time, you can deploy only the network parts.

    Then later if you change your mind, you already have a DLP policy in place, and it becomes active immediately once you add more channels such as the endpoint.

    I’m not referring to the Websense solution alone – all hybrid network / endpoint solutions can be deployed on just the network or just the endpoint. Most solutions (Websense included) also share policies between endpoint and network.

    — Arik

    1. Arik

      I think we both realize the advantages vs the constraints and costs of an endpoint agent – especially one that functions in kernel mode. The number of Windows developers in the world that can do that properly can be counted on your fingers.

      I think I made it clear in my original article that the choice of a DLP countermeasure depends on the business situation of the client. I will give you examples from 2 of our clients: the first client has centralized transaction processing in a corporate data center – since the key threat scenarios are server-oriented and since the security officer wanted to reduce cost of operation, he opted for passive monitoring coupled with aggressive enforcement of the security policy; for them, the right solution was network DLP. The second client has a large number of customer sales points in shopping malls etc. – and required an agent DLP solution in order to protect sensitive commercial data that is used at the sales outlets (which are generally a single unmanaged PC).

      Choosing an optimal security countermeasure plan according to threat scenarios is security basics and doesn’t relate to Websense or Fidelis or Verdasys, Symantec or McAfee specifically. I am dismayed by the quantity and quality of marketing b/s that some of the vendors in our industry use in order to prove ROI.

      Danny Lieberman
