Data: protect critical information anywhere it goes. Implementing data protection products and processes can be daunting. Make the right decisions by exploring what is available and what makes sense for your organization. Use this simple guide to evaluate different vendor offerings.
Data Protection Prospective Vendor Checklist
A SANS Whitepaper - July 2009
Written by Barbara Filkins
Sponsored by McAfee

Summary
Data-centric protections need to address data discovery and classification, incident workflow, policy creation and management, and data movement detection. The range of technology required to accomplish all of this is broad, covering:
• Fully-integrated encryption for end points for data in use, in motion and at rest within applications (e-mail, file servers, etc.), including sensitive data transferred onto portable storage devices
• Host-based DLP for localized detection and prevention of data leakage for data in use, data in motion, and data at rest
• Network DLP with data discovery and analysis, network monitoring (with extensive protocol and application parsing support), and prevention capabilities for both inbound and outbound content
How should a management team go about evaluating today's encryption and emerging data leakage prevention (DLP) tools? What questions should they ask of the vendor provider(s)? How does a management team determine which proposed solution will meet the most requirements, both today and in the future? How do they even set requirements without due diligence and discovery technologies to help locate and classify what it is they need to protect? How do they weigh specific business requirements against product features? How do they gauge the stability of the vendor? How do they compare pricing models (per user, per server) and additional factors such as growth potential and integration with other vendor products, so as to optimize their investment?
Organizations need a way to map business needs against all these challenges in procuring a technical solution. To help, SANS has developed the following Prospective Vendor Checklist. In it, requirements have been organized into broad categories to include:
• Host/network data leakage protection and encryption (how the product functions)
• Management and support (how the product can be managed)
• Company profile and pricing (how viable the vendor is, what services it offers, and product pricing)
This checklist can be sent to prospective vendors, and can be used in combination with our interactive Data Protection Requirements Worksheets to calculate ratings and compare vendors.
SANS Analyst Program: Data Protection Prospective Vendor Checklist

Prospective Vendor Checklist
Columns: Section | Data Protection Requirements | Meets? (Yes / No) | Comments

1 Data Leakage Protection

1.1 Discovery, Retention, and Searching for Data at Rest (on end points, servers, file shares), In Use, and In Motion (on the network over email and in Web traffic, being copied onto external devices, etc.)

1.1.1 Discovery: ability to discover unmarked or unknown data. Marks, indexes, and securely retains:
    • Unfiltered data analyzed by network sensors
    • Unfiltered files analyzed from end points and servers
    • Unfiltered files analyzed from Wiki, FTP and Web servers
    • Documents sent over unfiltered traffic

1.1.2 Retention
    • Registration (fingerprinting a repository's files)
    • Provide inventory (i.e., a full listing of files, fingerprinted or not)

1.1.3 Search
    • Search based on specified time periods
    • Search for indexed content based on:
        - Keywords, expressions, content patterns, document type (Word, Excel, CAD, etc.)
        - Hash functions (e.g., MD5 hash)
        - Location, system/device type
        - File owner, port, path, age of file
        - Actions and tools related to the operating system (e.g., clipboard, screen capture)
        - Email and email attachments, based on specified sender/recipient
        - Applications, including Web applications
        - Other (i.e., not covered by existing rules, client defined)
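As an added worked illustration of what items 1.1.1 to 1.1.3 ask a product to do (this is example code written for this page, not code from the SANS paper or from any vendor product), the Python script below walks a repository, fingerprints every file (MD5 and SHA-256) so the inventory lists matched and unmatched files alike, counts hits for two illustrative content patterns (a US SSN regex and a Luhn-validated payment-card regex), and answers searches by content pattern, document type, hash, or file age. The sample files it writes are constructed test data; the pattern set, the Record fields, the 400-day backdating and the 30-day age window are assumptions made for the example, not anything the checklist specifies.

```python
import hashlib
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Illustrative content patterns (assumed for this example). The card regex is
# deliberately loose; luhn_ok() removes the false positives a bare regex raises.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check: confirms a 13-16 digit run is a plausible card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Record:
    """One inventory entry; every file gets one, matched or not (item 1.1.2)."""
    path: str
    size: int
    mtime: float
    md5: str          # legacy hash many DLP indexes still expose (item 1.1.3)
    sha256: str       # collision-resistant hash for registration/integrity
    doc_type: str
    matches: dict = field(default_factory=dict)   # pattern name -> hit count


def fingerprint(path: str) -> Record:
    """Register one file: hash its bytes and count content-pattern hits.
    Plain text only here; a real product parses Office/PDF/CAD containers first."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-8", errors="ignore")
    matches = {}
    for name, rx in PATTERNS.items():
        hits = rx.findall(text)
        if name == "credit_card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            matches[name] = len(hits)
    st = os.stat(path)
    return Record(path=path, size=st.st_size, mtime=st.st_mtime,
                  md5=hashlib.md5(data).hexdigest(),
                  sha256=hashlib.sha256(data).hexdigest(),
                  doc_type=os.path.splitext(path)[1].lower().lstrip(".") or "none",
                  matches=matches)


def register(root: str) -> list:
    """Discovery and registration (items 1.1.1/1.1.2): fingerprint every file
    under root, producing a full inventory rather than only the policy hits."""
    inventory = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):          # deterministic order for the inventory
            inventory.append(fingerprint(os.path.join(dirpath, name)))
    return inventory


def search(inventory, pattern=None, doc_type=None, md5=None, max_age_days=None):
    """Search the index (item 1.1.3) by content pattern, document type, hash, or age."""
    now = time.time()
    out = []
    for r in inventory:
        if pattern and pattern not in r.matches:
            continue
        if doc_type and r.doc_type != doc_type:
            continue
        if md5 and r.md5 != md5:
            continue
        if max_age_days is not None and now - r.mtime > max_age_days * 86400:
            continue
        out.append(r)
    return out


def build_sample_repo() -> str:
    """Constructed sample repository (test data, not real records) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="dlp-demo-")
    samples = {
        "cards.txt": "Refund to card 4111 1111 1111 1111, ref 1234 5678 9012 3456\n",
        "hr.csv": "name,ssn\nA. Person,123-45-6789\n",
        "readme.txt": "Nothing sensitive in this file.\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    old = time.time() - 400 * 86400         # backdate one file so the age filter excludes it
    os.utime(os.path.join(root, "readme.txt"), (old, old))
    return root


if __name__ == "__main__":
    inv = register(build_sample_repo())
    print([(os.path.basename(r.path), r.matches) for r in search(inv, pattern="credit_card")])
```

Two points worth checking when you run a vendor's equivalent: first, whether pattern matching is validated (here the second 16-digit run in cards.txt fails the Luhn check and is not reported, which is the difference between a usable policy and an alert flood); second, which hash the registration index relies on. MD5 appears in the checklist because products expose it, but it is not collision-resistant, so a registered fingerprint should be anchored on SHA-256 or stronger if it is used for anything an adversary could influence.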
1.2 Monitoring, Alerting, and Enforcement

1.2.1 Monitoring: discover, identify, correlate, analyze and log every instance of sensitive data movement or use (e.g., removal, modification, or transmission attempt), to include:
    Host:
    • Data processed within an application on the host
    • Application being accessed (clipboard, print screen, and others that commonly capture data)
    • Content traversing the endpoint by application access (including from clipboard and print screen)
    • Over I/O channels (bus, Bluetooth, LPT, etc.)
    • Archive tools (WinZip, tar...)