McAfee Total Protection Jun09

8/3/2019 McAfee Total Protection Jun09

1/17

SANS Review: McAfees Total

Protection for Data

A SANS Whitepaper June 2009

Written by Dave Shackleford

Executive Summary

Data Protection in Review

Requirements

Methodology

SANS Review of McAfee

Endpoint Encryption for PC

(v5.1.8) and for Files and

Folders (v3.1.3)

SANS Review of McAfee Host

and Network Data Protection

SANS Review: NDLP, HDLP,

and Endpoint Encryption

Integration


2/17

SANS Analyst Program 1 SANS Review: McAees Total Protection or Data

Executive Summary Data Protection in Review

1www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pd

Data in Motion: Data moving

across the network. Network-based

tools that can sni trac are used

or detection and prevention.

Data at Rest: Data that is stored

in various fle types and databases.

Host-based protections ranging rom

encryption to localized detection and

prevention agents address security

or this data.

Data in Use: Data that is currently

being accessed by applications and

users. This data may require both

host-based and network-based tools

and techniques to adequately moni-

tor and protect.

Ninety major breaches last year resulted in 285 million records being used in criminal activity,

according to Verizons 2009 Data Breach Report.

1

With breach reports like these, data protec-tion has now become a central ocus in IT environments. Resulting regulatory requirements,

along with concerns over negative publicity (and its associated costs), have spawned a market

or data-centric protections. So now, in addition to their traditional network security ocus,

organizations are looking more closely at where their critical data resides, how its used, how it

leaves the protected network, and how to protect sensitive and regulated data throughout its

liecycle.

However, when it comes to managing data at its source, organizations ace a key challenge:

How can they apply policy to their data in motion, data at rest, and data in use in any unied

manner? As organizations lay out their data protection roadmaps to accomplish these goals,they need policies and procedures that evolve as new tech-

nologies and regulations dictate.

Over the past several years, the market or data protection tools

evolved in ragmentsstarting with encryption thanks to

Payment Card Industry and state privacy requirements. Host-

based data ngerprinting and detection/prevention sotware

ollowed, along with data-centric network-based monitoring

and analysis. Now, the challenge is bringing these capabili-

ties together to work and be managed in tandema chal-

lenge McAees Data Protection suite, Total Protection or Data,

addresses robustly in Phase I integration o several acquired

data protection components including SaeBoot (encryption),

Reconnex (network policies) and others. Full integration into

its overall centralized management ramework, ePO (ePolicy

Orchestrator), is scheduled or the next release, according to

product managers.


3/17


In this document, we describe the results o our review o a broad range o eatures and unc-

tions within McAees Total Protection or Data suite. This includes McAees Phase I integration

o host (Host DLP v3.0) and network (Network DLPDiscover, Manager, Monitor, and Prevent

v8.5) data protection tools and management dashboards, along with McAees host-based ull

disk, le/older and device control encryption (Endpoint Encryption (EE) or PC v5.1.8 and EE

or Files and Folder v3.1.3).

Each o these products met or exceeded review objectives in all categories. Furthermore,

McAee has made strong headway in integrating management among the products, starting

with its Host DLP integration into the ePO ramework. Some o the grades the products received

refect elements that are prioritized and planned or integration in McAees next release, but

which arent integrated in the versions in this review.

Overall Report Card: Total Protection for Data by McAfee

In the ollowing pages, we include more detailed report cards or DLP, encryption, and dash-

board integration, with descriptions o review results or both the EE and DLP toolsets. Preced-

ing the report cards is a description o review requirements and methodology.

Category

DLP

Endpoint Encryption

Integration

Products

Network DLP (NDLP)

Host DLP (HDLP)

Endpoint Encryption (EE) for PCs

Endpoint Encryption for Files and

Folders (EEFF)

HDLP Integration with ePO

NDLP Integration with ePO

EE Integration with ePO

Score

A

A

A

A

A

A

B


4/17


Requirements

Data protection tools need to include ast, deep and accurate content identication or a variety

o use scenarios that involve data at rest, data in use and data in motion. Policy creation andtuning must be fexible and intuitive or monitoring, discovering and taking appropriate action

on critical data traversing the networkon data at rest or in use on the host, and as it attempts

to leave the host on removable media, via e-mail or by other means. Any data protection toolkit

should also include broad environmental coverage (network and host platorms, integration

with directory services and e-mail platorms, and auxiliary unctions like encryption.) While there

are myriad requirements to consider, they essentially all into the ollowing ve categories:

Discovery and Capture: Both host and network discovery tools should be capable o

discovering sensitive content stored on key systems across the enterprise, a critical rst

step many organizations still need to takeand one that large enterprises cannot rea-sonably conduct without leveraging automated tools.

Monitoring: Data in use and in motion should be monitored at line-speed as it traverses

network links. Monitoring o data on critical applications and systems, including storage

devices, should be comprehensive, port agnostic and fexible enough to change policy

on the fy when needed.

Alerting and Prevention: Host and network tools should be able to match detected

events to policies, which then tie into an incident response (alerting and blocking specic

actions). Workfow/alerting should involve specied participants rom aected business

units (Compliance, Human Resources, Legal, Help Desk, etc.). The system should also be

sel-learning, that is able to discover and alert on unknown or unclassied data types.

Encryption: Deployed encryption models should be fexibly and easily created and

enorced or a variety o uses, such as le, older, e-mail and ull disk encryption as well as

copying data to USB devices and other removable media.

Compliance: Policies and reports should be available out o the box, with the ability to

easily modiy these or internal compliance standards and changing regulations.

See our accompanying Data Protection Requirements Worksheet, which can be

used to create individually tailored lists o requirements based on organiza-

tional needs and rank vendor ability to meet those requirements.


5/17


Methodology

The ollowing McAee products were included in the review:

Endpoint Encryption (EE) or PC version 5.1.8

EE or Files and Folders version 3.1.3 (V3.2 now available but was not yet released at time

o review)

Host DLP version 3.0

Network DLP (Discover, Manager, Monitor, and Prevent) version 8.5

Integration o these into the ePolicy Orchestrator version 4.0 (version 4.5 available soon)

For this product review, a number o separate products and components were installed and

congured. In the lab, the ollowing systems were congured as illustrated in Figure 1:

One Windows 2003 Server Domain Controller

One Windows 2003 Server running Exchange Server 2003

One Windows 2003 Server acting as a le server

One Cisco 2960 switch with a span port activated, connected to a hub

One Cisco 2800 connected to the Internet

One Red Hat Linux Enterprise server running NFS and TCPreplay

Four Windows workstations (two each o XP and Windows 2000)

One Windows Server 2003 system running ePolicy Orchestrator

(ePO)

Figure 1: Review Lab Architecture


6/17


The data ormats used or testing included Microsot Oce documents and spreadsheets, text

les, e-mail content, and PDF documents. Sensitive data types o interest included Social Secu-

rity numbers, payment card data, customer lists, board meeting minutes, pharmaceutical or-

mulas, tax inormation, and other intellectual property.

The product review methodology, at a high level, involved the ollowing:1. Installing and conguring the products, including integration with Active Directory

and an e-mail server, as well as pointing components and agents to the ePO and the

McAee network DLP management platorm.

2. Creating host and network DLP policies to implement within the test network and

on workstations and servers.

3. Conducting network and host content discovery, capture and ngerprinting.

4. Testing modication o data on endpoints and attempting to remove data to exter-

nal media, create screen captures, and so on.

5. Testing network data leakage detection by sending data across the network usingTCPreplay and precongured PCAP les, as well as custom e-mails, le transers and

other such transmissions.

6. Testing encryption capabilities by dening policies or handling certain documents

and data types and then moving the les to removable media or transmitting them

via e-mail to determine whether encryption was properly maintained.

In this review, we reer to our accompanying Data Protection Requirements Worksheets sever-

ity level ratings as we set up scores or eatures and unctions. Priorities are described as ollows:

Priority 1: Essential, critical eatures that must be considered or all organizations when

evaluating DLP solutions.

Priority 2:Important eatures that deserve attention, but may not be deemed as critical

depending on the organization.

Priority 3: Interesting eatures that may be worthy o ocus and attention.

Assigned grades in this review are subjective. They are based on the reviewers experience

with the products, interviews with McAee product managers, and discussions with inorma-

tion security proessionals working with data protection tools in enterprise situations. Grades

were assigned as ollows:

A = Product met or exceeded expectations.B = Product met all requirements with some exceptions.

C = Product met most requirements but was decient in many.

D = Product met some requirements but was decient in most.


7/17


SANS Review of McAfee Endpoint Encryptionfor PC (v5.1.8) and for Files and Folders (v3.1.3)

McAees Endpoint Encryption or PC (EEPC) and or Files and Folders (EEFF) allow or policy-based application and device control that can maintain persistent le and older encryption

across a variety o statesincluding sensitive les being transerred onto USB devices. EE or

removable media is integrated into McAees central management platorm, e Policy Orchestra-

tor (ePO). McAee plans to oer central management or third party, hardware-based Encrypted

USBs and hard disk drives through ePO in the uture.

Although not reviewed in this paper, the suite also includes encryption, as well as data and

device management tools or protecting mobile devices using the Windows Mobile and Sym-

bian platorms, with support or additional platorms planned or the uture.

Key eatures reviewed in the EEEF and EEPC products include disabling system ports, dening

what applications are trusted/untrusted (and what the applications are allowed to do on each

system), and maintaining persistent encryption as data moves rom the system via e-mail,

removable media or other transmission method. Other eatures o note include:

Complete encapsulation o the operating system on a users system, replacing all login and

system access unctions.

A central management console that keeps a running directory o users, systems, policies and

other objects.

Support or multiple two-actor authentication types like smart cards and hardware

tokens.

EEEF extends this level o protection to les and olders on systems, allowing extremely granular

policies to be established and maintained or dierent le types, system types and specic

users.


8/17


The EEPC products were reviewed by rst installing the Endpoint Encryption Manager, EE

Server, and Object Directory on a Windows 2003 Server and then creating install packages

with a variety o password, audit, and le/older policies enabled. For both products, the review

process consisted o the ollowing:

Selecting a Password Only token option ater installation o the management components.Then selecting the deault Program Files list and creating a variety o user and machine

groups.

Creating user-based policies that restrict several applications and logging attempts to use

those applications.

Creating machine groups and adding user groups to them. For EEFF, this included creation

o several classes o encryption keys and policies including automatic encryption or Word

documents and data copied to USB drives, user and group policies, etc.

Generating and copying install packages to a USB or deployment to PCs.

Ater installation, policies were tested or each individual machine and ound to work as speci-

ed without exception. All encrypted data remained encrypted while moving rom the sys-

tems to devices. The user experience was easy, and users could not decrypt data that they had

no rights to view.


9/17


Feature

Installation, Setupand Deployment

Platorm Support

User Transparencyand Friendliness

IdentityManagement

CentralizedAdministration andRole-Based Access

Algorithm Support

Key Management

RecoveryCapabilities

Security andAuditing

Priority

1

1

2

1

2

2

1

1

1

Grade

A

B

A

A

A

A

A

A

A

Comments

Deployment o the EE products was straightorward. There are several componentsthat need to be installedthe EE Manager, Object Directory, and communicationscomponents. These are simple to install and manage. Users, Machines, and MachineGroups are all then easily created and modied. Finally, an installation package orclients is created, which can then be installed rom removable media or via ePO, SMS orother sotware distribution tools.

EE products support Windows 2000, XP, Vista (32/64 bit), and Windows Server 2003.Mac OSX and Linux support are on the current McAee DLP product roadmap, but notavailable at the time o this review.

The level o user transparency or the EE line is magnicent. Encryption and decryptiono disk, les and olders had minimal impact on perormance. Enorcement o policiesand policy updates is per ormed seamlessly in the background without any userinteraction required. As an option, a system tray icon can be made visible, allowing theuser to perorm some simple actions at the administrators discretion.

LDAP, Active Directory, and other user identity repositories are supported. The productwas specically tested with Active Directory and integrated with no issues. All usermanagement is per ormed at the repository level, and rules then propagate to the EEManagement Server.

Administration and creation o agents are handled through a single console called theEndpoint Encryption Manager. Within this console, packages were generated withspecic user and machine policies, token-based and other types o authenticationcongured, and deployment options set. Multiple administrator accounts were created,each with a variety o roles and permissions that were assigned according to businessunit, machine groups, and so on.

FIPS 140-1/140-2 algorithms are supported, including AES and RC5 with strong key

lengths (256-bit and up).

Keys are not stored in plaintext on the server side and can be generated on the client andserver. Authentication is required to access keys, and all key transer communication isencrypted. This was observed by watching the trac with a snier while managing andupdating keys with clients.

Password and token recovery and resets were simple to perorm, and recoveryadministrators can be created that dont have any additional privileges (great orHelp Desk and Support teams that dont need ull access). The sotware was robust,maintaining the encrypted state even ater sudden power loss. One interesting eatureis a challenge-response password reset option or users who orget passwords, whichalso allows users with lost tokens or smart cards to temporarily become password-onlyusers at the local machine.

The EE products do not provide any sort o master key. Only the keys used to encryptdata can decrypt the data. This provides an additional level o protection against anyone administrator having the ability to access all encrypted data with a single key.Separation o duties was achieved by assigning specic roles or dierent administrators:encryption administrators or user and machine administrators. In this way, certainadministrators can be responsible or key management and encryption control, whileothers control user, group and machine administration. All boot and logon events arelogged centrally, and audit trails can be exported in a number o ormats.

Report Card: McAfee End Point Encryption for PC 5.1.8 and Files/Folders 3.1.3


10/17


McAees Host DLP 3.0 and Network DLP 8.5 products cover a wide variety o dierent data

protection use cases.

McAee has integrated its agent-based Host DLP (HDLP) into the ePolicy Orchestrator (ePO)

console with a robust Policy Manager that centers on several key areas. First, a number o tags

and tagging rules are created. These are the oundation o HDLP and are used to classiy content

and dene rules that identiy content on systems on which agents are installed. Tagging rules can

be based on applications, specic content patterns or locations. The classication methods pro-

vided are fexible, including regular expressions, dictionaries and registered documents. Users

can also apply manual tags to les not covered by existing rules. Files being copied rom sensi-

tive shares can be tagged, and new les generated by applications can be tagged on the fy.

Protection rules are then created to dene the actions taken when violations are ound. A vari-ety o applications and system types (including printers) can be included in these rules. To help

locate applications that contain critical content, there are several major categories that dene

applications that edit content, archive content, and so on. Whitelists or applications and data

can be created, and other rules or controlling the clipboard, screen capture, and device con-

trols are also easily dened.

Host-based policies were then initiated through ePO and tested on workstations in various

ways, including attempts to take screenshots or to copy protected inormation to removable

media. All such attempts were successully blocked and reported per policy requirements.

McAees Network DLP (NDLP) suite includes Discover (identies sensitive data in the environ-

ment); Monitor (scans the network or sensitive data movement); Prevent (integrates with WebProxies and Mail Transer Agents to block sensitive content leakage); and Manager (manages all

network DLP unctions, policies and alerts). Once these products were installed in the test lab,

data discovery was initiated to determine whether the NDLP platorm could locate sensitive

data at rest on the NFS and SMB le shares. Numerous document types were included (e.g.,

XLS, DOC, and PDF), and the DLP tools ound and identied them accurately without advance

knowledge o what or where they were.

Network trac was then generated with SMTP and other applications, and sensitive data within

the applications were all discovered and identied through the NDLP Monitor. Prevention

rules were then tested with Microsot Exchange. Sensitive e-mails were successully

blocked, and various types and methods o notications were sent in accor-dance with pre-set policy. The Case Management system and workfow

within the NDLP Manager was leveraged with multiple users and vari-

ous roles. From a orensics standpoint, this tool is valuable because

evidence was gathered and attached to cases. Case data, searches

and reports history and other critical data are stored and indexed

or examination and chain o custody i needed.

SANS Review of McAfee Hostand Network Data Protection


11/17


Feature

Installationand InitialConguration

Integration withDirectory Servicesand MTA (MailTranser Agent)

Data Discovery,Retention, andArchived Search

Policy and RuleCreation andManagement

Detection o Datain Motion, at Rest,and in Use

Priority

2

1

1

1

1

Grade

A

A

A

A

A

Comments

Installation o NDLP appliances was simple and intuitiveas close to plug andplay as possible. Installation o HDLP was also simple. Documentation is excellent.Conguration o out-o-the-box policies is easy.

Integration with Microsot Active Directory and Exchange servers was seamless and astdue to readily accessible conguration options within the NDLP and ePO consoles.

NDLP supports three scan modes: Registration (ngerprinting a repositorys les),Discover (nding previously-ngerprinted les), and Inventory (generating a ull listingo les, whether they are ngerprinted or not). Both CIFS and NFS network shares werereviewed using simple authentication via directory credentials. Scheduling scans andtying scans to existing rules and policies was simple. Perorming searches based onviolations and content types was also easy and fexible.

HDLP discovery crawls each endpoint looking or sensitive content (regular expressions,

dictionaries, content orm registered document) and/or previously tagged les.

Detected content les can be quarantined or encrypted using Endpoint Encryptionproducts. Rules and policies based on the tags were easily created and monitored orviolations. Events are then easily monitored within the ePO console, which archivesand indexes event data with ull search capabilities suitable or orensics, compliance orincident drill down.

Within NDLP, standard policies (known as Electronic Risk Modules) are installed bydeault and have a wide variety o fexible rules assigned to them. Compliance-specicpolicies are also available, and custom policies can be created easily by cloning anexisting policy. NDLP rules are fexible and use standard Boolean and Regex-like syntax.Rules can also be tuned rapidly as dictated by logged events to rene and eliminate alse

positive and alse negative behavior on the fy. Rule exceptions are also simple to add.

For HDLP, classication rules are used to dene sensitive categories according to regularexpression, dictionaries, and registered documents. Tagging rules are used to tag lescopied rom sensitive location, or les generated by sensitive applications. Protectionrules are then created to determine particular actions taken when data is transerredor transmitted. These rules are robust and use fexible syntax or tying data to specicapplications, le servers, network shares, printers and unique content patterns. Finally,device rules are used to speciy external devices like USB drives with a large variety ounique identier data. Loading HDLP rules and policies into ePO was simple.

The NDLP and HDLP products capably detected every attempt at sensitive data removal,modication, or transmission. Sensitive data in motion and use was successullydetected and logged in a variety o situations, including data sent in e-mail trac,sent as e-mail attachments, processed within applications on hosts, and transerred toUSB drives and CDs (CD-R). Attempts to capture screenshots and numerous other lemanipulations were all successully detected and logged.

Report Card: McAfee Host DLP 3.0 and Network DLP 8.5


12/17


Feature

Incident Workfowand Management

CentralizedManagement andRole-based Access

Reporting

Product Security

Compliance

Priority

1

2

2

2

2

Grade

A-

A-

A

A

B

Comments

The NDLP console is a robust, built-in case creation and management system thatallows multiple incidents to be assigned or data at rest, in use and in motion. Theonly downside is that ePO does not directly manage the cases. It is only a minorinconvenience to launch the NDLP management console rom within ePO and managecases rom all products there. Full case management integration is on McAees roadmapor next release.

All events and systems could be managed rom within ePO 4.0. Some o the NDLPunctions within ePO launch a separate NDLP management console, but this is aminimal issue. Numerous roles can be assigned, including administrator, reviewer,agent administrator, auditor, and so on. Roles can be assigned to any user within theorganization, and audit trails or user actions within the console are maintained.

A variety o reports that oer many options and chart types are available within the ePOconsole and NDLP manager.

The NDLP appliances are purpose-built, locked-down devices that have only specic

ports and services running. The McAee host-based agents are also protected rom usertampering and disabling.

Although a wide variety o reports or compliance are available in the product, theyare primarily ocused on U.S.-based compliance. International regulatory complianceeatures are on the roadmap or next release, including content analysis and patternmatching in multiple languages, international compliance templates and reports, andadditional languages or the user interace.

Report Card: McAfee Host DLP 3.0 and Network DLP 8.5 (CONTINUED)


13/17


SANS Review: NDLP, HDLP, and EndpointEncryption Integration Data Protection

With their latest developments and acquisitions in encryption, host and network DLP, McAeehas begun the integration to allow users to monitor and manage their critical data at use, data

at rest, and data in motion within one ramework. In this review, several critical rst stages o

this integration were in place, while others are on the product roadmap or next release.

One o the primary areas o ocus or McAee is consolidating management consoles into its

ePO product, which would allow a simple, well-known interace to be leveraged or all policy

and rule creation, package creation, event and incident management and reporting. Today,

McAees integrated deployment, auditing and reporting or data discovery, monitoring, pre-

vention, endpoint protection, device control and encryption can all be handled rom within

ePO. McAee aims to provide automated correlation, central policy conguration and manage-ment rom ePO in its next release.

Current integration o the Endpoint Encryption products with Host DLP is strong, allowing

encryption capabilities to be integrated with HDLP policies or use in the ollowing ways:

Data protection on USB and removable media: Ater dening named encryption

keys in the EEFF product and adding them in the HDLP console, these keys can be used

to encrypt data via HDLP Removable Storage Protection rules.

Network Share rules enforcement: Using HDLP File Access Protection rules, EEFF-

encrypted les can maintain an encrypted state even when copied to network shareswhere the EEFF product is not running.

Automatic encryption on discovered data: Endpoint discovery rules can be created

within HDLP and assigned Encrypt and Monitor actions on sensitive data discovered.

When sensitive data is discovered on a host, the les and/or data can be quarantined

and automatically encrypted.


14/17


In this report card on integration, the Priority column has been removed, as the priority level o

integration actions was too subjective.

Integration Report Card: McAfee Total Protection for Data

Feature

Alerting andReporting

HDLP Integrationinto ePO

Endpoint EncryptionIntegration into ePO

NDLP Integrationinto ePO

Rule and PolicySupport

Workfow

Comments

All HDLP, NDLP and Encryption violation alerts can now be centrally monitored rom within ePO.Numerous other reports in the ePO allow or collection and aggregation o alerts into singlereports, providing a single pane o glass or all data incident inormation. Top-level tabs in theePO Dashboards area provide immediate visibility into violations involving data at rest, in useand in motion. Violations can be broken down into several categories (e.g., severity and types oevent).

The Host DLP product is ully integrated with ePO at this time. The HDLP Policy Manager isavailable rom within the System tab in ePO and can be used to create, modiy, manage andmonitor policies or host DLP agents. Full HDLP reporting is in place within ePO, as well.

Today, both McAees EEPC and EEFF are deployed and audited leveraging the ePO ramework.However, client conguration or EEPC and EEFF is not yet integrated into ePO or centralizedcontrol, so it must be done outside ePO. The next sotware release migrates the EE key escrowinto ePO and will provide or ull client conguration within ePO.

NDLP integrates into ePO to lesser extent than HDLP. ePO can now consolidate NDLP reports intothe Dashboards tab, and the NDLP management console can be launched directly rom withinePO. Multiple levels o NDLP reporting detail are available in ePO without having to launch theconsole. Additional integration o NDLP into ePO is planned or the next release cycle.

Although not ully integrated, an important eature has been added into NDLP 8.5 that relates toHDLP and EE capabilities. Known as Discover Remediation, this eature allows an administratorto leverage NDLP Discover to search or sensitive data at rest within the network environment(a critical automation point because no IT person knows how or where to nd critical dataoutside the database). When critical data types are discovered, administrators can take actionsbased on context and situation. For example, upon discovery o sensitive data on a le share,an administrator using the NDLP Discover management interace could elect to move, copy,encrypt, and/or delete the data based on system recommendations. This capability is not ullyautomatic and still involves the administrator, which is actually by design, as most enterprises donot currently want ully automated remediation actions involving sensitive data.

Policy and rule conguration is currently done rom dierent management consoles or HDLP,NDLP and EE, although integration is planned or the next release. However, this may or maynot be a big issue or organizations, because many still maintain a separation o duties and havedistinct groups assigned to manage policy creation, rule/control development, and enorcement.

Although not yet integrated into ePO, incidents involving data at rest, in use or in motion can

now be investigated rom within the NDLP Management console. All three event types can beadded to cases, which can then be assigned to individual users/owners and have notes added tothema strong eature or orensics, audit and ollow-up. Extensive details rom each incidentare maintained with the cases in a chain o custody ashion, and the McAee Capture capabilitiesprovide updates on data movement and disposition over time. In addition, the easy-to-useworkfow system allows multiple administrators and role-specic users to monitor and managedierent aspects o each incident and case until its resolved. McAee plans additional case andincident workfow integration within ePO in next release.

Grade

A

A

B

B

B

B


15/17


Conclusion: Looking Forward

McAee has taken great strides in integrating its multiple product acquisitions in the data pro-

tection area into a cohesive and capable solution. In the product versions reviewed, SANS ana-

lysts assessed each individual product line (Network DLP, Host DLP and Endpoint Encryption)

to see i each would perorm as advertised. For the DLP product lines, sensitive data at rest, in

motion, and in use were capably detected and then handled according to previously specied

rules and policies. The Endpoint Encryption products were fexible and easy to use and oered

numerous key denition and management options.

McAee has integrated a number o eatures and unctions so that the products work together,

a value or most enterprises that havent been able to integrate separate data protection com-

ponents on their own. This is also a value rom a orensics standpoint when you consider that

all data incidents, including those that are unknown, can be logged, indexed and archived or

ollow-up searching and reporting. McAees NDLP component can now leverage HDLP data.

All o the HDLP and Endpoint Encryption rules and policies can be monitored and reported on

within ePO. And much o the management can be done in a single console.

McAees eorts to integrate all o the DLP and EE products into their best-o-breed ePO con-

sole are well underway and will be largely complete in the next product releases. This will allow

existing ePO customers to leverage and manage data protection capabilities and processes

without having to learn and build new consoles and management middleware.

Additional international rules and compliance support, and integration with other product

lines and partners, will urther integrate risk management, network security, and data protec-tions where needed. For example, McAee intends to integrate IDS/IPS and GRC (Governance,

Risk and Compliance) products into ePO and DLP, deepen its relationships with orensics solu-

tions providers, and introduce other expansions to its data protection outreach.

These partnerships and integration plans will go a long way in taking risk management,

forensics and compliance to the next level in which the comprehensive protection of sensi-

tive data becomes embedded in security, risk management and operations infrastructures,

as it should be.


16/17


About the Author

Dave Shackleford, SANS GIAC Technical Director and Chie Security Ocer orConguresot. Dave has authored numerous SANS Analysts Program whitepa-

pers, is a SANS course author and instructor, and co-authored Hands-On Inorma-

tion Security, and the Managing Incident Response chapter in Readings and

Cases in the Management o Inormation Security, both published by Course

Technology. Previously, he worked as Chie Technology Ocer or the Center or

Internet Security and or a security consulting rm in Atlanta. He has worked as

a security architect, analyst, and manager or several Fortune 500 companies and

consulted with hundreds o organizations in the areas o regulatory compliance,

security and data protections, and network architecture and engineering.


17/17


SANS would like to thank this papers sponsor

Documents

McAfee Total Protection Jun09