
DLP systems: what does DLP mean? Systems for preventing leaks of corporate information

To be consistent about definitions, we can say that information security began precisely with the advent of DLP systems. Before that, every product engaged in "information security" actually protected not information but infrastructure: the places where data is stored, transmitted and processed. A computer, application or channel that hosts, processes or transmits confidential information was protected by these products in exactly the same way as infrastructure carrying completely harmless information. It was only with the arrival of DLP products that information systems learned to distinguish confidential information from non-confidential. Perhaps, once DLP technologies are embedded in the information infrastructure, companies will be able to save a lot on information protection, for example by using encryption only when confidential information is stored or transmitted and not encrypting everything else.

However, that is a matter for the future; at present these technologies are used mainly to protect information from leaks. Information categorization technologies form the core of DLP systems. Each manufacturer considers its methods of detecting confidential information unique, protects them with patents and gives them special trademarks. The remaining architectural elements (protocol interceptors, format parsers, incident management and data storage) are practically identical across manufacturers, and at large vendors they are even shared with other infrastructure security products. Broadly, two groups of technologies are used to categorize data in products that protect corporate information from leaks: linguistic (morphological, semantic) analysis and statistical methods (Digital Fingerprints, Document DNA, anti-plagiarism). Each has its own strengths and weaknesses, and these determine where it is applicable.

Linguistic analysis

The progenitor of modern DLP systems is the use of stop words ("secret", "confidential" and the like) to block outgoing email messages on mail servers. Of course, this does not protect against intruders: it is easy to remove a stop word, which is most often placed in a separate stamp on the document, without changing the meaning of the text at all.

The impetus for the development of linguistic technologies came at the beginning of this century from the creators of email filters, first of all to protect email from spam. Reputation-based methods now prevail in anti-spam technologies, but at the beginning of the century there was a real linguistic arms race between spammers and anti-spammers. Remember the simplest methods for tricking filters based on stop words? Replacing letters with similar-looking letters from other encodings or with digits, transliteration, random spaces, underscores or line breaks inside the text. Anti-spammers quickly learned to deal with such tricks, but then image spam and other cunning varieties of unwanted correspondence appeared.
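The countermeasure the anti-spammers arrived at was to normalise the text before matching: fold case, strip accents, map look-alike characters back to Latin letters and discard the separators that split a word into pieces. The following is an added illustration written for this article, not code from any DLP product; the stop-word list and the look-alike table are constructed for the example and would be far longer in practice.

```python
import re
import unicodedata

# Constructed stop-word list of the kind early mail filters matched against.
STOP_WORDS = ("confidential", "secret")

# Constructed look-alike table: Cyrillic letters, digits and symbols that are
# visually similar to Latin letters, mapped back to the Latin letter.
LOOKALIKES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalize(text: str) -> str:
    """Fold case, strip accents and map look-alike characters to plain Latin."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.lower().translate(LOOKALIKES)


def collapse(text: str) -> str:
    """Drop everything that is not a letter or digit, so spaces, underscores
    and line breaks inserted inside a word no longer split it."""
    return re.sub(r"[^a-z0-9]+", "", normalize(text))


def find_stop_words(text: str) -> list:
    """Return the stop words present in the text after normalisation.

    Matching on the collapsed string also catches 'S_E_C_R_E_T'; the price is
    that a stop word can occasionally be assembled from adjacent words by
    accident, which is the false-positive side of the trade-off."""
    collapsed = collapse(text)
    return [w for w in STOP_WORDS if w in collapsed]


if __name__ == "__main__":
    for sample in ("Attached is the S_E_C_R_E_T plan",
                   "c0nfidential - do not forward",
                   "сonfidential",  # first letter is Cyrillic
                   "Public newsletter, March issue"):
        print(repr(sample), "->", find_stop_words(sample))
```

Note what the normalisation cannot do: if the stamp carrying the stop word is simply deleted, as the paragraph above describes, there is nothing left to match, which is why content analysis moved beyond stop words.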

However, anti-spam technologies cannot be used in DLP products without serious rework. To combat spam, it is enough to divide the information flow into two categories: spam and non-spam. The Bayesian method used in spam detection gives only a binary result, "yes" or "no". That is not enough to protect corporate data from leaks; information cannot simply be divided into confidential and non-confidential. It has to be classified by functional area (financial, industrial, technological, commercial, marketing) and, within each class, categorized by access level (for free distribution, restricted, for official use, secret, top secret, and so on).

Most modern linguistic analysis systems use not only contextual analysis (in what context and in combination with which other words a given term is used) but also semantic analysis of the text. These technologies work better the larger the analyzed fragment: on a large fragment the analysis is more accurate, and the category and class of the document are determined more reliably. For short messages (SMS, instant messengers) nothing better than stop words has yet been invented. The author faced such a task in the fall of 2008, when thousands of messages like "we are being cut", "the license will be taken away" and "the outflow of depositors" went out to the Net via instant messengers from the workplaces of many banks and had to be blocked immediately from reaching their clients.

Advantages of the technology

The advantage of linguistic technologies is that they work directly with the content of documents: it does not matter where and how the document was created, what stamp is on it or what the file is called; documents are protected immediately. This matters, for example, when handling drafts of confidential documents or protecting incoming documents. Documents created and used within the company can still be named, stamped or labeled in a prescribed way, but incoming documents may carry stamps and marks that are not in use in the organization. Drafts (unless, of course, they are created in a secure workflow system) may already contain confidential information but not yet carry the required stamps and marks.

Another advantage of linguistic technologies is that they can be trained. If you have ever clicked the "Not spam" button in your email client, you already have an idea of the client side of a language engine's learning system. I note that you do not need to be a certified linguist or know what exactly will change in the category database: it is enough to point out a false positive to the system, and it does the rest by itself.

The third advantage of linguistic technologies is scalability. Processing speed is proportional to the amount of information and does not depend at all on the number of categories. Until recently, building a hierarchical category database (historically called a BKF, a content filtering base, although the name no longer reflects its real meaning) looked like a kind of shamanism performed by professional linguists, so configuring the BKF could safely be counted as a shortcoming. But with the release in 2010 of several "autolinguist" products at once, building the initial category database became extremely simple: the system is pointed at the places where documents of a certain category are stored, it determines the linguistic features of that category itself, and in the case of false positives it learns on its own. So ease of configuration has now been added to the advantages of linguistic technologies.

One more advantage of linguistic technologies worth noting is the ability to detect categories in information flows that are not related to documents held inside the company. A tool that monitors the content of information flows can define categories such as illegal activity (piracy, distribution of prohibited goods), use of the company's infrastructure for personal purposes, damage to the company's image (for example, spreading defamatory rumors), and so on.

Disadvantages of the technology

The main disadvantage of linguistic technologies is their dependence on the language. A language engine designed for one language cannot be used to parse another. This was especially noticeable when American manufacturers entered the Russian market: they were not ready for Russian word formation and the presence of six encodings. Translating categories and keywords into Russian was not enough. Word formation in English is quite simple, and grammatical case is expressed by prepositions, that is, when the case changes the preposition changes and not the word itself; most English nouns become verbs without any change of form, and so on. In Russian everything is different: one root can give rise to dozens of words in different parts of speech.

In Germany, American manufacturers of linguistic technologies met another problem, the so-called compounds, or compound words. In German it is customary to attach qualifiers to the main word, producing words that sometimes consist of a dozen roots. There is nothing like this in English, where a word is a sequence of letters between two spaces, so the English linguistic engine was unable to process unfamiliar long words.

In fairness, it should be said that American manufacturers have now largely resolved these problems. The language engine had to be heavily reworked (and sometimes rewritten), but the large markets of Russia and Germany are certainly worth it. Multilingual texts are also difficult to process with linguistic technologies; however, most engines cope with two languages, usually the national language plus English, which is quite enough for most business tasks. Although the author has come across confidential texts containing, for example, Kazakh, Russian and English at the same time, this is more an exception than a rule.

Another disadvantage of linguistic technologies, when it comes to controlling the whole range of corporate confidential information, is that not all confidential information takes the form of coherent text. Information in databases is stored as text, and extracting text from a DBMS is no problem, but the extracted data most often consists of proper names (full names, addresses, company names) and numeric data (account numbers, card numbers, balances, and so on). Processing such data with linguistics brings little benefit. The same applies to CAD/CAM formats, that is, drawings that often contain intellectual property, to program code and to media (video/audio) formats: some text can be extracted from them, but processing it is also ineffective. Three years ago this also applied to scanned text, but the leading DLP manufacturers quickly added optical character recognition and dealt with that problem.

But the biggest and most often criticized shortcoming of linguistic technologies is still the probabilistic approach to categorization. If you have ever received an email marked "Probably SPAM", you will understand what I mean. If this happens with spam, where there are only two categories (spam/not spam), imagine what happens when several dozen categories and confidentiality classes are loaded into the system. Although 92-95% accuracy can be achieved by training the system, for most users this means that every tenth or twentieth movement of information will be assigned to the wrong class, with all the ensuing business consequences (a leak or the interruption of a legitimate process).

It is not customary to count the complexity of developing a technology among its disadvantages, but it is impossible not to mention it. Developing a serious linguistic engine that categorizes texts into more than two categories is a science-intensive and rather complex technological process. Applied linguistics is a rapidly developing field that received a strong impetus from the spread of Internet search, but today only a handful of workable categorization engines exist on the market: there are only two for the Russian language, and for some languages they simply have not been developed yet. Therefore only a couple of companies in the DLP market are able to fully categorize information on the fly. It can be assumed that when the DLP market grows to multi-billion-dollar size, Google will easily enter it: with its own linguistic engine, tested on trillions of search queries across thousands of categories, it will have no difficulty immediately grabbing a serious share of this market.

Statistical Methods

The task of computer search for significant quotations (why exactly "significant" is explained a little later) interested linguists back in the 1970s, if not earlier. The text was broken into pieces of a certain size and each piece was hashed. If a certain sequence of hashes occurred in two texts at the same time, then with high probability the texts coincided in those places.

A by-product of research in this area is, for example, the "alternative chronology" of Anatoly Fomenko, a respected scholar who worked on "text correlations" and once compared Russian chronicles from different historical periods. Surprised at how much the annals of different centuries coincide (by more than 60%), in the late 1970s he put forward the theory that our chronology is several centuries shorter. So when a DLP company enters the market with a "revolutionary citation search technology", it is safe to say that the company has created nothing more than a new brand name.

Statistical technologies treat text not as a coherent sequence of words but as an arbitrary sequence of characters, so they work equally well with text in any language. Since any digital object, even a picture or a program, is also a sequence of characters, the same methods can be used to analyze not only text but any digital object. If the hashes of two audio files match, one of them probably contains a quote from the other, so statistical methods are an effective means of protecting against audio and video leaks and are actively used in music studios and film companies.

It is time to return to the concept of a "significant quote". The key characteristic of the composite hash taken from a protected object (called a Digital Fingerprint or Document DNA in different products) is the step with which the hash is taken. As the description suggests, such a "fingerprint" is a unique characteristic of the object and at the same time has a size of its own. This matters because if you fingerprint millions of documents (the storage volume of an average bank), you need enough disk space to store all the fingerprints. The size of a fingerprint depends on the hash step: the smaller the step, the larger the fingerprint. If the hash is taken with a step of one character, the fingerprint will be larger than the sample itself. If, to reduce the "weight" of the fingerprint, the step is increased (for example, to 10,000 characters), then the probability rises that a document containing a 9,900-character quote from the sample is confidential but slips through unnoticed.

On the other hand, if a very small step of a few characters is taken to increase detection accuracy, the number of false positives can rise to an unacceptable level. For text this means that the hash should not be taken from every letter: all words consist of letters, and the system would treat the mere presence of letters in a text as a quote from the sample. Usually manufacturers themselves recommend an optimal hash step at which the quote size is sufficient and the weight of the fingerprint stays small, from 3% (text) to 15% (compressed video) of the original. Some products let you change the significant quote size, that is, increase or decrease the hash step.
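The three paragraphs above (chunk hashing, the fingerprint size versus the hash step, and the quote that is shorter than the step) can be made concrete in a few dozen lines. The following is an added example written for this article, not a vendor's Digital Fingerprint implementation: the sample is hashed in non-overlapping chunks of `step` characters (one hash per chunk, so the fingerprint is `len(sample)/step` digests of eight bytes), while the checked message is hashed with a sliding window at every offset, because a quote may start anywhere. The memo, the outgoing message and the digest size are constructed for the illustration.

```python
import hashlib

DIGEST_SIZE = 8  # bytes stored per chunk hash (constructed choice)

# Constructed confidential memo used as the protected sample.
SENTENCES = [
    "the board approved the acquisition of northwind logistics for 42 million",
    "closing is expected in the third quarter pending regulatory review",
    "the combined entity will relocate its warehouse operations to the riga hub",
    "headcount in the legacy distribution centre will be reduced by roughly a third",
    "this memorandum is restricted to members of the steering committee",
]
SAMPLE = ". ".join(SENTENCES) + "."

# Constructed outgoing message that quotes two sentences of the memo verbatim.
QUOTE = SENTENCES[2] + ". " + SENTENCES[3]
CANDIDATE = "Hi team, " + QUOTE + " -- forwarding for review."


def canonical(text: str) -> str:
    """Case-fold and collapse whitespace so trivial reformatting keeps the hashes."""
    return " ".join(text.split()).lower()


def chunk_hash(chunk: str) -> bytes:
    return hashlib.blake2b(chunk.encode("utf-8"), digest_size=DIGEST_SIZE).digest()


def fingerprint(sample: str, step: int) -> list:
    """Hash consecutive, non-overlapping chunks of `step` characters.
    A trailing partial chunk is dropped."""
    text = canonical(sample)
    return [chunk_hash(text[i:i + step]) for i in range(0, len(text) - step + 1, step)]


def fingerprint_size(fp: list) -> int:
    """Bytes needed to store the fingerprint."""
    return len(fp) * DIGEST_SIZE


def find_quotes(candidate: str, fp: list, step: int) -> list:
    """Slide a `step`-character window over the candidate at every offset and
    return the offsets whose hash occurs in the fingerprint. After a hit the
    window jumps one step, because the next chunk of the same quote starts there."""
    known = set(fp)
    text = canonical(candidate)
    hits, i = [], 0
    while i <= len(text) - step:
        if chunk_hash(text[i:i + step]) in known:
            hits.append(i)
            i += step
        else:
            i += 1
    return hits


def has_significant_quote(candidate: str, fp: list, step: int, min_chunks: int = 2) -> bool:
    """A quote is 'significant' when at least `min_chunks` sample chunks match."""
    return len(find_quotes(candidate, fp, step)) >= min_chunks


if __name__ == "__main__":
    for step in (1, 20, 200):
        fp = fingerprint(SAMPLE, step)
        print(f"step={step:3d} fingerprint={fingerprint_size(fp):5d} bytes "
              f"(sample {len(SAMPLE)} bytes) hits={find_quotes(CANDIDATE, fp, step)}")
```

With a step of 1 the fingerprint is eight times larger than the 365-byte memo; with a step of 20 it is about 40% of the memo and the two quoted sentences produce six matching chunks; with a step of 200 the 154-character quote is shorter than one chunk and goes unnoticed, which is exactly the 9,900-character quote against a 10,000-character step from the text above. A quote is only caught if it covers at least one complete chunk of the sample, so in practice it must be at least twice the step to be detected regardless of where it starts.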

Advantages of the technology

As the description shows, a sample object is needed to detect a quote. Statistical methods can then tell with good accuracy (up to 100%) whether the checked file contains a significant quote from the sample. The system itself takes no responsibility for categorizing documents; that work lies entirely on the conscience of whoever categorized the files before they were fingerprinted. This greatly simplifies protection when already categorized, rarely changing files are stored in one or more known places in the enterprise. Then it is enough to take a fingerprint of each of these files, and the system will, according to its settings, block the transfer or copying of files containing significant quotations from the samples.

The independence of statistical methods from the language of the text, and from whether the information is text at all, is also an indisputable advantage. They are good at protecting static digital objects of any type: pictures, audio/video, databases. I will discuss the protection of dynamic objects in the "disadvantages" section.

Disadvantages of the technology

As with linguistics, the disadvantages of the technology are the flip side of its advantages. The ease of training the system (point it at a file, and the file is protected) shifts the responsibility for training onto the user. If a confidential file happened to be in the wrong place or was not indexed, through negligence or malicious intent, the system will not protect it. Accordingly, companies that care about protecting confidential information from leakage should have a procedure for checking how confidential files are indexed by the DLP system.

Another drawback is the physical size of the fingerprint. The author has repeatedly seen impressive pilot projects with fingerprints, where the DLP system blocks with 100% probability the transfer of documents containing significant quotations from three hundred sample documents. However, after a year of operating the system in combat mode, the fingerprint of each outgoing letter is no longer compared with three hundred but with millions of sample fingerprints, which significantly slows down the mail system, causing delays of tens of minutes.

As I promised above, I will describe my experience of protecting dynamic objects using statistical methods. The time it takes to compute a fingerprint depends on the file size and format. For a text document like this article it takes a fraction of a second; for an hour-and-a-half MP4 movie, tens of seconds. For files that rarely change this is not critical, but if the object changes every minute or even every second, a problem arises: after each change a new fingerprint must be taken from the object. Code that a programmer is working on is not the hardest case; databases used in billing, ABS (automated banking systems) or call centers are much worse. If the fingerprinting time exceeds the time for which the object stays unchanged, the problem has no solution. This is not such an exotic case: for example, fingerprinting a database that stores the phone numbers of customers of a federal mobile operator takes several days, but the database changes every second. So when a DLP vendor claims that their product can protect your database, mentally add the word "quasi-static".

Unity and struggle of opposites

As the previous sections show, the strength of one technology appears where the other is weak. Linguistics does not need samples, categorizes data on the fly, and can protect information that was not fingerprinted, whether by accident or by design. Fingerprints give the best accuracy and are therefore preferred for automatic mode. Linguistics works best with text, fingerprints with other formats of storing information.

Therefore most leading companies use both technologies in their products, one as the main technology and the other as an addition. This is because a company's products initially used only one technology, in which the company advanced further, and later, at the request of the market, a second one was added. For example, InfoWatch previously used only the licensed Morph-OLogic linguistic technology, and Websense used PreciseID, which belongs to the Digital Fingerprint category, but now both companies use both methods. Ideally the two technologies should be used not in parallel but in series: fingerprints do a better job of identifying the type of document (is it a contract or a balance sheet, for example), after which a linguistic database created specifically for that category can be applied. This greatly saves computing resources.

A few more types of technologies used in DLP products are outside the scope of this article. These include, for example, a structure analyzer, which finds formal structures in objects (credit card numbers, passport numbers, TINs, and so on) that can be detected neither with linguistics nor with fingerprints. The topic of various kinds of labels is also not covered, from entries in a file's attribute fields or simply a special file name to special cryptocontainers. The latter technology is becoming obsolete, as most vendors prefer not to reinvent the wheel and instead integrate with DRM vendors such as Oracle IRM or Microsoft RMS.
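The structure analyzer mentioned above is the one component that is easy to show in full for one data type. The example below is added here and is not any product's analyzer: it finds payment card numbers by combining a pattern for 13 to 19 digits (with optional space or hyphen separators) with the Luhn checksum that real card numbers satisfy, so that order numbers, phone numbers and other long digit runs are not reported. The message is constructed; the two numbers it contains are the widely published payment-gateway test numbers, not real cards.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 from
    any result above 9, and the total must be divisible by 10."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the card numbers in `text` that pass the Luhn check, digits only.
    A random 16-digit number fails the check nine times out of ten, which is
    what keeps the false-positive rate of the pattern tolerable."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as an incident record would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed message. 4111111111111111 and 5500000000000004 are public test
# numbers; 1234567890123456 and 4111111111111112 fail the Luhn check.
MESSAGE = (
    "Order 1234567890123456 was paid with card 4111 1111 1111 1111 (expires 12/27). "
    "Backup card: 5500-0000-0000-0004. Ticket 4111111111111112 is unrelated."
)


if __name__ == "__main__":
    for pan in find_card_numbers(MESSAGE):
        print("card number detected:", mask_pan(pan))
```

The same shape (a syntactic pattern followed by a checksum or range check) applies to the other identifiers the paragraph lists; what changes is the check, and an identifier with no checksum at all has to rely on surrounding context, which is where false positives come from.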

DLP products are a rapidly growing information security industry, and some vendors release new versions very frequently, more than once a year. We look forward to the emergence of new technologies for analyzing the corporate information field that will increase the effectiveness of protecting confidential information.

The choice of a specific DLP system depends on the required level of data security and is always made individually. For help choosing a DLP system and calculating the cost of implementing it in your company's IT infrastructure, leave a request and we will contact you as soon as possible.

What is a DLP system

A DLP system (Data Leak Prevention) is a set of technologies and technical devices that prevent the leakage of confidential information from information systems.

DLP systems analyze data flows and control their movement within a certain protected perimeter of the information system. These can be FTP connections, corporate and web mail, local connections, instant messages and data sent to the printer. When confidential information is detected in the stream, the system component that blocks transmission of the data stream is activated.

In other words, DLP systems guard confidential and strategically important documents whose leakage from information systems to the outside can cause irreparable damage to the company and also violate Federal Laws No. 98-FZ "On Trade Secrets" and No. 152-FZ "On Personal Data". Protection of information from leakage is also mentioned in GOST R ISO/IEC 17799-2005, "Information technology. Practical rules for information security management".

As a rule, confidential information can leak both as a result of hacking and intrusion and as a result of inattention or negligence by employees, as well as through the efforts of insiders, that is, the deliberate transfer of confidential information by the enterprise's own employees. DLP systems are therefore the most reliable technologies for protecting against leaks of confidential information: they detect protected information by its content, regardless of the document's language, script, transmission channel or format.

A DLP system also controls absolutely all channels that are used daily to transmit information in electronic form. Information flows are processed automatically according to the established security policy. If the movement of confidential information conflicts with the security policy set by the company, the data transfer is blocked, and the company's authorized information security officer immediately receives a warning message about the attempt to transfer confidential information.

Implementing a DLP system first of all ensures compliance with a number of PCI DSS requirements concerning the enterprise's level of information security. DLP systems also automatically audit protected information by its location, provide automated control according to the rules for moving confidential information within the company, and handle and prevent incidents of unlawful disclosure of secret information. Based on incident reports, the data leak prevention system monitors the overall level of risk and controls information leakage in both retrospective analysis and immediate response modes.

DLP systems are installed in both small and large enterprises, preventing information leakage and thereby protecting the company from the financial and legal risks that arise when important corporate or confidential information is lost or transferred.

The rapid development of information technology contributes to the global informatization of modern companies and enterprises. Every day the volume of information transmitted through the corporate networks of large corporations and small companies grows rapidly. Undoubtedly, with the growth of information flows come threats that can lead to the loss, distortion or theft of important information. It turns out that losing information is much easier than losing any material thing: nobody has to take special action to get hold of the data; sometimes careless behavior when working with information systems, or inexperienced users, is enough.

A natural question arises: how to protect yourself and eliminate the factors that lead to the loss and leakage of important information. It turns out that this problem can be solved, and at a high professional level, with special DLP systems.

Definition of DLP systems

DLP is a system for preventing data leaks in the information environment. It is a special tool that corporate network administrators can use to monitor and block unauthorized attempts to transfer information. Besides preventing the illegal acquisition of information, such a system also makes it possible to track the actions of all network users related to the use of social networks, chats, e-mail, and so on. The main goal of DLP confidential information leak prevention systems is to support and enforce all the requirements of the confidentiality and information security policy that exist in a particular organization, company or enterprise.

Application area

The practical application of DLP systems is most relevant for organizations where the leakage of confidential data can lead to huge financial losses, significant damage to reputation, and loss of the customer base and personal information. The presence of such systems is mandatory for companies and organizations that set high requirements for the "information hygiene" of their employees.

DLP systems will be the best tool for protecting data such as clients' bank card numbers and bank accounts, information about tender conditions, and orders for work and services; the cost-effectiveness of such a security solution is quite obvious.

Types of DLP systems

The tools used to prevent information leaks can be divided into several key categories:

  1. standard security tools;
  2. intelligent data protection measures;
  3. data encryption and access control;
  4. specialized DLP security systems.

The standard set of security tools that every company should use includes anti-virus programs, built-in firewalls and intrusion detection systems.

Intelligent information security tools use special services and modern algorithms that can identify illegal access to data, misuse of electronic correspondence, and so on. In addition, such tools can analyze requests coming into the information system from outside, from various programs and services that may act as a kind of spyware. Intelligent protection tools allow a deeper and more detailed check of the information system for possible information leakage by various routes.

Encrypting sensitive information and restricting access to certain data is another effective step in minimizing the chance of losing sensitive information.

A specialized DLP information leak prevention system is a complex multifunctional tool that can detect and prevent the unauthorized copying and transfer of important information outside the corporate environment. Such solutions reveal access to information without permission, or through misuse of the privileges of those who do have permission.

Specialized systems use tools such as:

  • mechanisms for determining the exact match of data;
  • various statistical methods of analysis;
  • use of techniques of code phrases and words;
  • structured fingerprinting, etc.

Comparison of these systems by functionality

Let us compare two kinds of DLP systems: Network DLP and Endpoint DLP.

Network DLP is a hardware or software solution deployed at points of the network close to the "perimeter of the information environment". This set of tools performs a thorough analysis of confidential information that someone tries to send outside the corporate information environment in violation of the established information security rules.

Endpoint DLP systems are used on end-user workstations and on the servers of small organizations. The endpoint these systems control can be used to monitor both the internal and the external side of the "information environment perimeter". The system analyzes the information traffic through which data is exchanged both between individual users and between groups of users. Protection by DLP systems of this type focuses on a comprehensive check of the data exchange process, including electronic messages, communication in social networks and other information activity.

Is it necessary to implement these systems in enterprises?

Implementing a DLP system is mandatory for all companies that value their information and try to do everything possible to prevent its leakage and loss. Such security tools allow companies to prevent the distribution of sensitive data outside the corporate information environment through all available data exchange channels. By installing a DLP system, the company will be able to control:

  • sending messages using corporate web mail;
  • the use of FTP connections;
  • local connections using wireless technologies such as Wi-Fi, Bluetooth and GPRS;
  • instant messaging using clients such as MSN, ICQ, AOL, etc.;
  • the use of external drives: USB, SSD, CD/DVD, etc.;
  • documents sent for printing on corporate printing devices.

Unlike standard security solutions, a company with DLP SecureTower or a similar system installed will be able to:

  • control all types of channels for the exchange of important information;
  • detect the transfer of confidential information, regardless of how and in what format it is transferred outside the corporate network;
  • block information leakage at any time;
  • automate the data processing process in accordance with the security policy adopted by the enterprise.

The use of DLP systems will guarantee the effective development of enterprises and the preservation of their production secrets from competitors and ill-wishers.

How is the implementation going?

To install a DLP system at your enterprise in 2017, you must go through several stages, after which the enterprise will have effective protection of its information environment from external and internal threats.

At the first stage of implementation, a survey of the enterprise's information environment is carried out, which includes the following actions:

  • study of organizational and administrative documentation that regulates the information policy at the enterprise;
  • study of information resources that are used by the enterprise and its employees;
  • agreeing on a list of information that may be classified as data with restricted access;
  • examination of existing methods and channels for transmitting and receiving data.

Based on the results of the survey, a terms of reference document is drawn up describing the security policies that will have to be implemented with the DLP system.

At the next stage, the legal side of using a DLP system in the enterprise must be settled. It is important to resolve all the fine points in advance so that employees cannot later sue the company on the grounds that it is monitoring them.

Having settled all the legal formalities, you can start choosing an information security product; it can be, for example, the InfoWatch DLP system or any other with similar functionality.

After choosing the right system, you can start installing and configuring it for productive work. The system should be configured in such a way as to ensure the fulfillment of all security tasks stipulated in the terms of reference.

Conclusion

The implementation of DLP systems is a rather complicated and painstaking task that requires a lot of time and resources. But do not stop halfway - it is important to go through all the stages to the fullest and get a highly efficient and multifunctional system for protecting your confidential information. After all, the loss of data can result in huge damage to an enterprise or company, both financially and in terms of its image and reputation in the consumer environment.

28.01.2014 Sergei Korablev

The choice of any enterprise-level product is not a trivial task for technical specialists and decision makers. Choosing a data leak protection (DLP) system is even more difficult. The lack of a unified conceptual framework, of regular independent comparative studies, and the complexity of the products themselves force customers to order pilot projects from vendors and run numerous tests on their own, determining the range of their needs and correlating them with the capabilities of the systems under test.

Such an approach is certainly correct. A balanced, and in some cases even hard-won decision simplifies further implementation and avoids disappointment in the operation of a particular product. However, the decision-making process in this case can be delayed, if not for years, then for many months. In addition, the constant expansion of the market, the emergence of new solutions and manufacturers further complicate the task of not only choosing a product for implementation, but also creating a preliminary shortlist of suitable DLP systems. Under such conditions, up-to-date reviews of DLP systems are of undoubted practical value for technical specialists. Should a particular solution be included in the test list, or would it be too complex to implement in a small organization? Can the solution be scaled to a company of 10,000 employees? Can a DLP system control business-critical CAD files? An open comparison will not replace thorough testing, but will help answer basic questions that arise at the initial stage of the DLP selection process.

Participants

The most popular DLP systems on the Russian information security market (according to the Anti-Malware.ru analytical center as of mid-2013) were selected as participants: those of InfoWatch, McAfee, Symantec, Websense, Zecurion and Jet Infosystems.

For the analysis, the commercially available versions of the DLP systems at the time the review was prepared were used, as well as product documentation and published reviews.

Criteria for comparing DLP systems were selected based on the needs of companies of various sizes and industries. The main task of DLP systems is to prevent leaks of confidential information through various channels.

Examples of products from these companies are shown in Figures 1-6 (images not reproduced here).

Figure 3. Symantec product

Figure 4. InfoWatch product

Figure 5. Websense product

Figure 6. McAfee product

Operating modes

Two main operating modes of DLP systems are active and passive. Active - usually the main mode of operation, which blocks actions that violate security policies, such as sending sensitive information to an external mailbox. Passive mode is most often used at the stage of system configuration to check and adjust settings when the proportion of false positives is high. In this case, policy violations are recorded, but restrictions on the movement of information are not imposed (Table 1).


In this aspect, all the considered systems turned out to be equivalent. Each of the DLPs can work both in active and passive modes, which gives the customer a certain freedom. Not all companies are ready to start operating DLP immediately in blocking mode - this is fraught with disruption of business processes, dissatisfaction on the part of employees of controlled departments and claims (including justified ones) from management.

Technology

Detection technologies make it possible to classify information that is transmitted via electronic channels and identify confidential information. Today, there are several basic technologies and their varieties, similar in essence, but different in implementation. Each technology has both advantages and disadvantages. In addition, different types of technologies are suitable for analyzing information of different classes. Therefore, manufacturers of DLP solutions try to integrate the maximum number of technologies into their products (see Table 2).

In general, the products provide a large number of technologies that, if properly configured, provide a high percentage of recognition of confidential information. DLP McAfee, Symantec and Websense are rather poorly adapted for the Russian market and cannot offer users support for "language" technologies - morphology, transliteration analysis and masked text.
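The following Python sketch is an added illustration, not code from any of the reviewed products. It ties together the "language" technologies named above (transliteration, masked text and a crude stand-in for morphology via stem matching) with the active/passive modes from the "Operating modes" section and the event archive used to tune rules; the transliteration table, masking patterns, rule names and sample messages are all constructed for the example.

```python
"""Toy DLP content classifier with active/passive modes (added example)."""
from dataclasses import dataclass, field
from enum import Enum
import re

# Simplified Cyrillic -> Latin transliteration table (constructed for this example).
CYR2LAT = {
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "e", "ж": "zh",
    "з": "z", "и": "i", "й": "j", "к": "k", "л": "l", "м": "m", "н": "n", "о": "o",
    "п": "p", "р": "r", "с": "s", "т": "t", "у": "u", "ф": "f", "х": "h", "ц": "c",
    "ч": "ch", "ш": "sh", "щ": "sch", "ъ": "", "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya",
}
# Digits and symbols commonly substituted for letters to "mask" a word.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# A word written with a separator after every letter: "s.e.k.r.e.t", "s e k r e t", "s_e_k_r_e_t".
MASKED_RUN = re.compile(r"\b(?:\w[ ._*\-]){3,}\w\b")
SEP = re.compile(r"[ ._*\-]")

def unmask(text: str) -> str:
    """Collapse letter-by-letter masked runs back into plain words."""
    return MASKED_RUN.sub(lambda m: SEP.sub("", m.group(0)), text)

def normalize(text: str) -> str:
    """Lowercase, undo masking, map homoglyphs, transliterate Cyrillic to Latin."""
    words = []
    for tok in unmask(text.lower()).split():
        if any(c.isalpha() for c in tok):      # leave pure numbers (dates, sums) untouched
            tok = tok.translate(HOMOGLYPHS)
        words.append("".join(CYR2LAT.get(c, c) for c in tok))
    return " ".join(words)

class Mode(Enum):
    ACTIVE = "active"    # violations are blocked
    PASSIVE = "passive"  # violations are only recorded (used while tuning rules)

@dataclass
class Rule:
    name: str
    stems: tuple         # normalized Latin stems; a token matches when it starts with a stem

@dataclass
class Event:
    channel: str
    rules: list
    matched: list
    verdict: str

@dataclass
class Engine:
    rules: list
    mode: Mode
    archive: list = field(default_factory=list)

    def inspect(self, channel: str, text: str) -> str:
        tokens = re.findall(r"[a-z]+", normalize(text))
        hits = [(r.name, t) for r in self.rules for t in tokens if t.startswith(r.stems)]
        if not hits:
            verdict = "allow"
        elif self.mode is Mode.ACTIVE:
            verdict = "block"
        else:
            verdict = "log"
        # Archive every inspected object, not only violations: that is what later lets
        # an operator see why something was blocked and correct the rule.
        self.archive.append(Event(channel, sorted({r for r, _ in hits}), [t for _, t in hits], verdict))
        return verdict

# Stem "sekretn" covers the inflected forms секретно / секретный / секретная.
RULES = [Rule("state_secret", ("sekretn",)), Rule("confidential", ("konfidencialn",))]

# Constructed sample objects: (channel, content).
SAMPLES = [
    ("smtp", "Квартальный отчет во вложении"),                      # harmless
    ("smtp", "Отправляю секретный отчет на личную почту"),          # plain Cyrillic, inflected
    ("http", "sekretnyj otchet, smotri vlozhenie"),                 # transliterated into Latin
    ("im",   "это к.о.н.ф.и.д.е.н.ц.и.а.л.ь.н.о, никому не пересылай"),  # dot-masked
    ("usb",  "с3кр3тно копирую на флешку"),                         # homoglyph digits
]

def run_samples(mode: Mode) -> list:
    """Inspect all samples in the given mode and return the verdicts in order."""
    engine = Engine(rules=RULES, mode=mode)
    return [engine.inspect(ch, txt) for ch, txt in SAMPLES]

def hits_by_rule(engine: Engine) -> dict:
    """Tuning aid: how often each rule fired, read back from the archive."""
    counts = {}
    for ev in engine.archive:
        for r in ev.rules:
            counts[r] = counts.get(r, 0) + 1
    return counts

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, run_samples(mode))
```

Running the samples in passive mode first and reading `hits_by_rule` over the archive is exactly the tuning loop the review describes; only once the false-positive rate is acceptable would the same engine be switched to active mode.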

Controlled channels

Each data transmission channel is a potential channel for leaks. Even one open channel can negate all the efforts of the information security service that controls information flows. That is why it is so important to block the channels that are not used by employees for work, and control the rest with the help of leak prevention systems.

Despite the fact that the best modern DLP systems are capable of monitoring a large number of network channels (see Table 3), it is advisable to block unnecessary channels. For example, if an employee works on a computer only with an internal database, it makes sense to disable his access to the Internet altogether.

Similar conclusions are also valid for local leakage channels. True, in this case it can be more difficult to block individual channels, since ports are often used to connect peripherals, I / O devices, etc.

Encryption plays a special role in preventing leaks through local ports, mobile drives and devices. Encryption tools are quite easy to use, their use can be transparent to the user. But at the same time, encryption allows you to exclude a whole class of leaks associated with unauthorized access to information and the loss of mobile drives.

The situation with agent-based control of local channels is generally worse than with network channels (see Table 4). Only USB devices and local printers are successfully controlled by all products. And despite the importance of encryption noted above, this capability is present only in certain products, and forced encryption based on content analysis is present only in Zecurion DLP.

To prevent leaks, it is important not only to recognize sensitive data during transmission, but also to limit the distribution of information in a corporate environment. To do this, manufacturers include tools in DLP systems that can identify and classify information stored on servers and workstations in the network (see Table 5). Data that violates information security policies must be deleted or moved to secure storage.

To detect confidential information on the corporate network nodes, the same technologies are used as to control leaks through electronic channels. The main difference is architectural. If network traffic or file operations are analyzed to prevent leakage, then stored information - the contents of workstations and network servers - is examined to detect unauthorized copies of confidential data.

Of the considered DLP systems, only InfoWatch and Dozor-Jet lack tools for discovering where information is stored. This is not a critical feature for preventing leaks over electronic channels, but it greatly limits the ability of a DLP system to prevent leaks proactively. A confidential document located inside the corporate network is not in itself a leak. However, if the document's location is not regulated, if the information owners and security officers do not know where it is, this can lead to a leak: unauthorized access to the information becomes possible, or the appropriate security rules are simply not applied to the document.

Ease of management

Characteristics such as ease of use and control can be as important as the technical capabilities of solutions. After all, a really complex product will be difficult to implement, the project will take more time, effort and, accordingly, finances. An already implemented DLP system requires attention from technical specialists. Without proper maintenance, regular auditing and adjustment of settings, the quality of recognition of confidential information will drop dramatically over time.

The control interface in the native language of the security officer is the first step to simplify the work with the DLP system. It will not only make it easier to understand what this or that setting is responsible for, but will also significantly speed up the process of configuring a large number of parameters that need to be configured for the system to work correctly. English can be useful even for Russian-speaking administrators for an unambiguous interpretation of specific technical concepts (see Table 6).

Most solutions provide quite convenient management from a single console (for all components) with a web interface (see Table 7). The exceptions are the Russian InfoWatch (no single console) and Zecurion (no web interface). At the same time, both manufacturers have already announced a web console in their future products. The lack of a single console in InfoWatch is due to the different technological basis of its products. Development of its own agent-based solution was halted for several years, and the current EndPoint Security is the successor of a third-party product, EgoSecure (formerly known as cynapspro), acquired by the company in 2012.

Another point that can be counted against the InfoWatch solution is that configuring and managing the flagship DLP product, InfoWatch Traffic Monitor, requires knowledge of the Lua scripting language, which complicates operation of the system. Nevertheless, for most technical specialists the prospect of raising their professional level by learning an additional, if not very common, language should be perceived positively.

Separation of administrator roles is necessary to minimize risk: it prevents the appearance of a superuser with unlimited rights and other abuse of the DLP system itself.

Logging and reporting

The DLP archive is a database that accumulates and stores events and objects (files, letters, http requests, etc.) recorded by the system's sensors during its operation. The information collected in the database can be used for various purposes, including for analyzing user actions, for saving copies of critical documents, as a basis for investigating information security incidents. In addition, the base of all events is extremely useful at the stage of implementing a DLP system, since it helps to analyze the behavior of the DLP system components (for example, to find out why certain operations are blocked) and to adjust security settings (see Table 8).


Here we see a fundamental architectural difference between Russian and Western DLPs. The latter do not keep an archive at all. This makes the DLP itself easier to maintain (there is no need to keep, store, back up and study a huge amount of data), but not easier to operate. After all, the event archive helps to configure the system: it shows why a transmission was blocked, lets the operator check whether the rule worked correctly, and makes it possible to correct the system settings accordingly. It should also be noted that DLP systems need not only initial configuration during implementation but also regular "tuning" during operation. A system that is not properly maintained and not looked after by technical specialists will lose a great deal in recognition quality. As a result, both the number of incidents and the number of false positives will increase.

Reporting is an important part of any activity. Information security is no exception. Reports in DLP systems perform several functions at once. First, concise and understandable reports allow heads of information security services to quickly monitor the state of information security without going into details. Second, detailed reports help security officers adjust security policies and system settings. Thirdly, visual reports can always be shown to top managers of the company to demonstrate the results of the DLP system and the information security specialists themselves (see Table 9).

Almost all the competing solutions discussed in the review offer both graphical reports, convenient for top managers and heads of information security services, and tabular reports, more suitable for technical specialists. Graphical reports are missing only in InfoWatch DLP, for which its score was lowered.

Certification

The question of the need for certification for information security tools and DLP in particular is open, and experts often argue on this topic within professional communities. Summarizing the opinions of the parties, it should be recognized that certification itself does not provide serious competitive advantages. At the same time, there are a number of customers, primarily government organizations, for which the presence of a particular certificate is mandatory.

In addition, the existing certification procedure does not correlate well with the software development cycle. As a result, customers face a choice: buy an already outdated but certified version of the product, or an up-to-date but uncertified one. The standard way out of this situation is to purchase the certified product "for the shelf" and use the current version in the real environment (see Table 10).

Comparison results

Let's summarize the impressions of the considered DLP solutions. In general, all participants made a favorable impression and can be used to prevent information leaks. Differences in products allow you to specify the scope of their application.

The InfoWatch DLP system can be recommended to organizations for which it is fundamentally important to have a FSTEC certificate. However, the latest certified version of InfoWatch Traffic Monitor was tested at the end of 2010, and the certificate expires at the end of 2013. Agent-based solutions based on InfoWatch EndPoint Security (also known as EgoSecure) are more suitable for small businesses and can be used separately from Traffic Monitor. The combined use of Traffic Monitor and EndPoint Security can cause scaling issues in large companies.

Products of Western manufacturers (McAfee, Symantec, Websense), according to independent analytical agencies, are much less popular than Russian ones. The reason is the low level of localization. And it's not even the complexity of the interface or the lack of documentation in Russian. Features of confidential information recognition technologies, pre-configured templates and rules are "sharpened" for the use of DLP in Western countries and are aimed at fulfilling Western regulatory requirements. As a result, the quality of information recognition in Russia turns out to be noticeably worse, and compliance with the requirements of foreign standards is often irrelevant. At the same time, the products themselves are not bad at all, but the specifics of using DLP systems on the Russian market are unlikely to allow them to become more popular than domestic developments in the foreseeable future.

Zecurion DLP is notable for good scalability (the only Russian DLP system with confirmed implementation for more than 10,000 workplaces) and high technological maturity. What is surprising, however, is the lack of a web console that would help simplify the management of an enterprise solution aimed at various market segments. Zecurion DLP's strengths include high-quality confidential information recognition and a full line of leak prevention products, including protection at the gateway, workstations and servers, location detection and data encryption tools.

The Dozor-Jet DLP system, one of the pioneers of the domestic DLP market, is widely used among Russian companies and continues to grow its client base thanks to the extensive connections of the system integrator Jet Infosystems, which is also the DLP's developer. Although technologically this DLP is somewhat behind its more powerful counterparts, its use can be justified in many companies. In addition, unlike the foreign solutions, Dozor-Jet allows you to archive all events and files.


DLP Technology

Digital Light Processing (DLP) is an advanced technology invented by Texas Instruments. Thanks to it, it has become possible to build very small, very light (3 kg, hardly any weight at all) and nevertheless quite powerful (more than 1000 ANSI lm) multimedia projectors.

Brief history of creation

A long time ago, in a galaxy far far away...

In 1987 Dr. Larry J. Hornbeck invented the Digital Micromirror Device (DMD). This invention completed decades of Texas Instruments research into micromechanical Deformable Mirror Devices (also abbreviated DMD). The essence of the discovery was the rejection of flexible mirrors in favor of a matrix of rigid mirrors with only two stable positions.

In 1989, Texas Instruments became one of four companies selected to implement the "projector" portion of the U.S. High-Definition Display program funded by ARPA (the Advanced Research Projects Agency).

In May 1992, TI demonstrated the first DMD-based system supporting the modern resolution standard for ARPA.

A High-Definition TV (HDTV) version of DMD based on three high-definition DMDs was shown in February 1994.

Mass sales of DMD chips began in 1995.

DLP Technology

The key element of DLP multimedia projectors is a matrix of microscopic mirrors (DMD elements) made of an aluminum alloy with very high reflectivity. Each mirror is attached to a rigid substrate, which is connected to the base of the matrix through movable plates. Electrodes connected to CMOS SRAM memory cells are placed at opposite corners of the mirrors. Under the action of an electric field, the substrate with its mirror assumes one of two positions, differing by exactly 20°, defined by the stops located on the base of the matrix.

These two positions correspond to the reflection of the incoming light flux, respectively, into the lens and an effective light absorber that provides reliable heat removal and minimal light reflection.

The data bus and the matrix itself are designed to provide up to 60 or more image frames per second with a resolution of 16 million colors.

The mirror array, together with CMOS SRAM, make up the DMD chip, the basis of DLP technology.

The small size of the chip is impressive. The area of each matrix mirror is 16 microns or less, and the distance between mirrors is about 1 micron. A chip, and not just one, easily fits in the palm of your hand.

In total, if Texas Instruments is not deceiving us, three types of chips with different resolutions are produced:

  • SVGA: 848×600; 508,800 mirrors
  • XGA: 1024×768 with black aperture (inter-mirror space); 786,432 mirrors
  • SXGA: 1280×1024; 1,310,720 mirrors

So, we have a matrix; what can we do with it? Well, of course, illuminate it with a powerful light flux and place an optical system that focuses the image on the screen in the path of one of the mirrors' reflection directions. In the path of the other direction it is wise to place a light absorber so that the unwanted light causes no trouble. Now we can already project monochrome pictures. But where is the color? Where is the brightness?

This, it seems, is exactly what comrade Larry invented, as mentioned in the first paragraph of the history section. If you still do not see the point, brace yourself :), because this elegant and quite obvious solution is today the most advanced in the field of image projection.

Remember the children's trick with a spinning flashlight, whose light at a certain speed merges into a glowing circle. This quirk of our vision allows us to abandon analog imaging systems entirely in favor of fully digital ones. After all, even digital monitors are analog at the final stage.

But what happens if we make the mirror switch from one position to another with a high frequency? If we neglect the switching time of the mirror (and due to its microscopic dimensions, this time can be completely neglected), then the apparent brightness will drop only by a factor of two. By changing the ratio of time during which the mirror is in one position and another, we can easily change the apparent brightness of the image. And since the cycle rate is very, very high, there will be no visible flicker at all. Eureka. Although nothing special, it's all been known for a long time :)

Well, now for the final touch. If the switching speed is fast enough, then we can sequentially place filters in the path of the light flux and thereby create a color image.

Here, in fact, is the whole technology. We will follow its further evolutionary development on the example of multimedia projectors.

DLP projector device

Texas Instruments does not manufacture DLP projectors; many other companies do, such as 3M, ACER, PROXIMA, PLUS, ASK PROXIMA, OPTOMA CORP., DAVIS, LIESEGANG, INFOCUS, VIEWSONIC, SHARP, COMPAQ, NEC, KODAK, TOSHIBA, etc. Most of the projectors produced are portable, with a mass of 1.3 to 8 kg and a light output of up to 2000 ANSI lumens. Projectors are divided into three types.

Single matrix projector

The simplest type, which we have already described, is the single-matrix projector, where a rotating disk with color filters (blue, green and red) is placed between the light source and the matrix. The disk rotation frequency determines the frame rate we are used to.

The image is formed in turn by each of the primary colors, resulting in a normal full-color image.

All, or almost all, portable projectors are built on a single-matrix type.

A further development of this type of projectors was the introduction of a fourth, transparent light filter, which allows you to significantly increase the brightness of the image.

Three matrix projector

The most complex type is the three-matrix projector, in which the light is split into three color streams and reflected from three matrices at once. Such a projector has the purest color, and its frame rate is not limited by the disk speed as in single-matrix projectors.

The exact match of the reflected flux from each matrix (convergence) is provided by a prism, as you can see in the figure.

Dual matrix projector

An intermediate type is the dual-matrix projector. Here the light is split into two streams: red is reflected from one DMD matrix, and blue and green from the other. The color filter, in turn, removes either the blue or the green component from the spectrum.

A dual-matrix projector provides intermediate image quality compared to single-matrix and three-matrix types.

Comparison of LCD and DLP projectors

Compared to LCD projectors, DLP projectors have a number of important advantages:

Are there any disadvantages of DLP technology?

But theory is theory; in practice there is still work to be done. The main drawback is the imperfection of the technology and, as a result, the problem of sticking mirrors.

The fact is that with such microscopic dimensions, small parts strive to “stick together”, and a mirror with a base is no exception.

Despite the efforts made by Texas Instruments to invent new materials that reduce the adhesion of micromirrors, the problem exists, as we saw when testing the Infocus LP340 multimedia projector. But, it must be said, it does not really get in the way.

Another problem is not so obvious and lies in the optimal selection of mirror switching modes. Every DLP projector company has its own opinion on this matter.

And finally: despite the minimal time needed to switch a mirror from one position to the other, this process leaves a barely noticeable trail on the screen. A kind of free anti-aliasing.

Technology development

  • In addition to the introduction of a transparent light filter, work is constantly underway to reduce the inter-mirror space and the area of ​​the column that fastens the mirror to the substrate (black dot in the middle of the image element).
  • By splitting the matrix into separate blocks and expanding the data bus, the mirror switching frequency is increased.
  • Work is underway to increase the number of mirrors and reduce the size of the matrix.
  • The power and contrast of the light flux is constantly increasing. Three-matrix projectors with a power of over 10,000 ANSI Lm and a contrast ratio of over 1000:1 already exist today and have found their way into state-of-the-art cinemas using digital media.
  • DLP technology is fully poised to replace CRT display technology in home theaters.

Conclusion

This is not all that could be said about DLP technology; for example, we did not touch on the use of DMD matrices in printing. But we will wait until Texas Instruments confirms the information available from other sources, so as not to pass on a canard. I hope this short story is enough to give you, if not the most complete, then a sufficient idea of the technology, and to spare sellers your questions about the advantages of DLP projectors over others.


Thanks to Alexey Slepynin for help in preparing the material