Studio      10/18/2023

What is DLP? DLP systems: what they are, how to select one, and an incident response algorithm

About the problem

Today, information technology is an essential component of any modern organization. Figuratively speaking, it is the heart of the enterprise: it keeps the business running and raises its efficiency and competitiveness under today's fierce competition. Business process automation systems such as document flow, CRM, ERP, multidimensional analysis and planning systems collect, systematize and group information quickly, speeding up management decisions and making the business and its processes transparent to management and shareholders. It follows that the large volume of strategic, confidential and personal data is a key information asset of the enterprise, and a leak of this information will hurt the organization's effectiveness. Traditional security measures such as antivirus software and firewalls protect information assets from external threats, but they do nothing to protect those assets from leakage, distortion or destruction by an internal attacker. Internal threats to information security may be ignored or, in some cases, go unnoticed by management because the criticality of these threats to the business is not understood. This is why protecting confidential data is so important today.

About the solution

Protecting confidential information from leakage is an important component of an organization's information security program. DLP systems (Data Leak Prevention) are designed to address accidental and intentional leaks of confidential data.

A comprehensive data leak protection system (DLP system) is a software or hardware-software complex that prevents the leakage of confidential data.

The DLP system does this through two main functions:

  • Traffic filtering across all data transmission channels;
  • Deep traffic analysis at the content and context level.
A DLP system protects confidential information at three levels: Data-in-Motion, Data-at-Rest and Data-in-Use.

Data-in-Motion: data transmitted over network channels:

  • Web (HTTP/HTTPS protocols);
  • Internet - instant messengers (ICQ, QIP, Skype, MSN, etc.);
  • Corporate and personal mail (POP, SMTP, IMAP, etc.);
  • Wireless systems (WiFi, Bluetooth, 3G, etc.);
  • FTP connections.
Data-at-Rest: data stored statically on:
  • Servers;
  • Workstations;
  • Laptops;
  • Dedicated data storage systems.
Data-in-Use: data being processed on workstations.

Measures aimed at preventing information leaks consist of two main parts: organizational and technical.

Protecting confidential information begins with organizational measures: finding and classifying the data the company holds. During classification, data is divided into four categories:

  • Secret information;
  • Confidential information;
  • Information for official use;
  • Public information.
How confidential information is identified in DLP systems

In DLP systems, confidential information can be identified by a number of characteristics and by several methods, for example:

  • Linguistic information analysis;
  • Statistical analysis of information;
  • Regular expressions (patterns);
  • Digital fingerprint method, etc.
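As an added example (not code from the page or from any DLP product), the following script applies three of the methods listed above to constructed messages: a regular expression (pattern) for payment card numbers, a validity check that removes the false positives a bare pattern produces, and a weighted keyword lexicon (linguistic method) that maps the findings onto the four categories above. The lexicon, its weights and the thresholds are assumptions of the example.

```python
"""Content identification as a DLP engine applies it: pattern, validity check, lexicon.
Added example; the lexicon, weights and thresholds below are assumed."""
import re
from typing import Dict, List

# Pattern method: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Linguistic method: marker phrases with weights (assumed; tune per organization).
LEXICON: Dict[str, int] = {
    "top secret": 10,
    "secret": 6,
    "confidential": 6,
    "for official use": 3,
    "passport number": 3,
    "salary": 2,
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum that real card numbers satisfy; random digit runs rarely do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_candidates(text: str) -> List[str]:
    """What the bare pattern finds, before any validity check."""
    return [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]


def find_card_numbers(text: str) -> List[str]:
    """Pattern plus Luhn check: the pairing that keeps false positives low."""
    return [c for c in card_candidates(text) if 13 <= len(c) <= 19 and luhn_ok(c)]


def lexicon_score(text: str) -> int:
    """Sum of the weights of every marker phrase occurrence in the text."""
    low = text.lower()
    score = 0
    for phrase, weight in LEXICON.items():
        score += weight * len(re.findall(r"\b" + re.escape(phrase) + r"\b", low))
    return score


def classify(text: str) -> str:
    """Map the findings onto the four categories used in the text above."""
    score = lexicon_score(text)
    if score >= 10:
        return "secret"
    if score >= 6 or find_card_numbers(text):
        return "confidential"
    if score >= 3:
        return "for official use"
    return "public"


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        "Reminder: card 4111 1111 1111 1111 expires 12/26, please update billing.",
        "Invoice reference 1234 5678 1234 5678 attached, no action needed.",
        "For official use: room booking schedule for next week.",
        "TOP SECRET: roadmap draft, do not forward.",
    ]
    for s in samples:
        print(f"{classify(s):17} raw={card_candidates(s)} valid={find_card_numbers(s)} | {s}")
```

The second sample shows why the validity check matters: the bare pattern flags the invoice reference, the Luhn check rejects it, and the message stays public.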
After the information has been found, grouped and systematized, the second part follows: the technical one.

Technical measures:
Protecting confidential information with technical measures relies on the functionality and technologies of the leak protection system. A DLP system consists of two kinds of modules: host modules and a network module.

Host modules are installed on user workstations and control the actions users perform on classified data (confidential information). In addition, a host module can track user activity by various parameters, such as time spent on the Internet, launched applications and processes, data paths, etc.

The network module analyzes information transmitted over the network and controls traffic that leaves the protected information system. If confidential information is detected in the transmitted traffic, the network module stops the transmission.

What will the implementation of a DLP system give?

After implementing a data leak protection system, the company gains:

  • Protection of information assets and important strategic information of the company;
  • Structured and systematized data in the organization;
  • Transparency of the business and its processes for management and the security service;
  • Control of processes of transfer of confidential data in the company;
  • Reducing the risks associated with loss, theft and destruction of important information;
  • Protection against malware entering the organization from within;
  • Saving and archiving of all actions related to the movement of data within the information system;
Secondary advantages of the DLP system:
  • Monitoring the presence of personnel at the workplace;
  • Saving Internet traffic;
  • Optimization of the corporate network;
  • Control of applications used by the user;
  • Increasing staff efficiency.

DLP ( Digital Light Processing) is a technology used in projectors. It was created by Larry Hornbeck of Texas Instruments in 1987.

In DLP projectors, the image is created by microscopically small mirrors that are arranged in a matrix on a semiconductor chip called a Digital Micromirror Device (DMD). Each of these mirrors represents one pixel in the projected image.

The total number of mirrors indicates the resolution of the resulting image. The most common DMD sizes are 800x600, 1024x768, 1280x720, and 1920x1080 (for HDTV, High Definition TeleVision). In digital cinema projectors, the standard DMD resolutions are considered to be 2K and 4K, which correspond to 2000 and 4000 pixels along the long side of the frame, respectively.

These mirrors can be quickly tilted to reflect light either into the lens or onto a heat sink (also called a light dump). Rapidly toggling a mirror (essentially switching it between on and off) lets the DMD vary the intensity of light that reaches the lens, producing shades of gray in addition to white (mirror in the on position) and black (mirror in the off position).

Color in DLP projectors

There are two main methods of creating a color image: single-chip projectors and three-chip projectors.

Single chip projectors


View of the interior of a single-chip DLP projector: the yellow arrow shows the light path from the lamp through the color wheel and mirror to the DMD and lens; the beam is then reflected either into the lens (yellow arrow) or onto the heat sink (blue arrow).

In projectors with a single DMD chip, colors are produced by placing a rotating color wheel between the lamp and the DMD, much like the Columbia Broadcasting System's field-sequential color television system of the 1950s. The wheel is usually divided into four sectors: three for the primary colors (red, green and blue) and a fourth, transparent sector that increases brightness.

Because the transparent sector reduces color saturation, some models omit it altogether; in others the empty sector is replaced by additional colors.

The DMD chip is synchronized with the spinning disk so that the green component of the image is displayed on the DMD when the green sector of the disk is in the path of the lamp. Same for red and blue colors.

The red, green and blue components of the image are displayed alternately, but at a very high frequency. Thus, it seems to the viewer that a multi-colored picture is being projected onto the screen. In early models, the disk rotated once every frame. Later, projectors were created in which the disk makes two or three revolutions per frame, and in some projectors the disk is divided into a larger number of sectors and the palette on it is repeated twice. This means that the components of the image are displayed on the screen, replacing each other up to six times in one frame.

Some recent high-end models have replaced the rotating color wheel with a block of very bright LEDs in the three primary colors. Because LEDs can be switched on and off very quickly, this further raises the color refresh rate and removes noise and mechanically moving parts entirely. Dropping the lamp also eases the thermal load on the DMD.

"Rainbow Effect"


The rainbow effect is unique to single-chip DLP projectors.

As already mentioned, only one color is displayed per image at a given time. As the eye moves across the projected image, these different colors become visible, resulting in the perception of a "rainbow" by the eye.

Manufacturers of single-chip DLP projectors reduce this artifact by spinning the segmented color wheel faster or by increasing the number of color segments.

Light from LEDs made it possible to further reduce this effect due to the high frequency of switching between colors.

In addition, LEDs can emit any color at any intensity, which has widened the color gamut and raised the contrast of the image.

Three-chip projectors

This type of DLP projector uses a prism to split the beam emitted by the lamp, and each of the primary colors is then directed to its own DMD chip. These rays are then combined and the image is projected onto a screen.

Three-chip projectors can produce more shades and color gradations than single-chip ones, because each color is available for a longer period and can be modulated within every video frame. In addition, the image is free of flicker and of the "rainbow effect".

Dolby Digital Cinema 3D

Infitec developed spectral filters for the color wheel and the glasses, so that the frames for the two eyes are projected in different subsets of the spectrum. Each eye thus sees its own, almost full-color image on an ordinary white screen, unlike polarization-based systems (such as IMAX), which require a special "silver" screen to preserve polarization on reflection.


Wikimedia Foundation. 2010.

See what "DLP" means in other dictionaries:

    DLP - Digital Light Processing is a technology used in projectors and projection televisions. DLP was originally developed by Texas Instruments and remains the... (Spanish Wikipedia)

    DLP - is a three-letter abbreviation with multiple meanings, as described below: Technology: Data Loss Prevention is a field of computer security; Digital Light Processing, a technology used in projectors and video projectors; Discrete logarithm problem, ... (Wikipedia)

These days you often hear about DLP systems. What are they and where are they used? DLP is software designed to prevent data loss by detecting possible violations in data transmission and filtering them out. Such services also monitor, detect and block the use, movement (network traffic) and storage of sensitive data.

As a rule, confidential data leaks because equipment is operated by inexperienced users or as a result of malicious actions. Such information, whether personal or corporate data, intellectual property (IP), financial or medical records, credit card data and the like, requires the enhanced protection that modern information technology can offer.

The terms “data loss” and “data leakage” are related and are often used interchangeably, although they are somewhat different. Cases of information loss turn into information leakage when a source containing confidential information disappears and subsequently ends up in the hands of an unauthorized party. However, data leakage is possible without data loss.

DLP categories

The technological tools used to combat data leakage fall into the following categories: standard security measures, advanced measures, access control and encryption, and specialized DLP systems (described in detail below).

Standard measures

Standard security measures such as firewalls, intrusion detection systems (IDS) and antivirus software are common mechanisms that protect computers from outsider as well as insider attacks. A firewall, for example, keeps unauthorized persons out of the internal network, and an intrusion detection system detects intrusion attempts. Internal attacks can be averted by antivirus scans that detect Trojans installed on PCs that send out confidential information, and by thin clients that operate in a client-server architecture with no personal or confidential data stored on the client computer.

Additional Security Measures

Advanced security measures use specialized services and machine learning or temporal reasoning algorithms to detect abnormal data access (for example, to databases or information retrieval systems) or abnormal email exchange. They can also identify programs and requests with malicious intent, apply activity-based verification (for example, recognition of keystroke dynamics) and monitor user activity to detect unusual data access.

Purpose-built DLP systems: what are they?

DLP solutions are designed to detect and prevent unauthorized attempts to copy or transfer sensitive data, whether intentional or unintentional, mainly by users who are authorized to access that data.

To classify information and regulate access to it, these systems use mechanisms such as exact data matching, structured data fingerprinting, rule and regular expression matching, published lexicons (code phrases), conceptual definitions and keywords. The types of DLP systems compare as follows.

Network DLP (also known as data in motion or DiM)

As a rule, this is a hardware or software solution installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data being sent in violation of

Endpoint DLP (data in use)

Such systems operate on end-user workstations or servers in various organizations.

Like network-based systems, endpoint technology can address both internal and external communications and can therefore be used to control the flow of information between types or groups of users (for example, "Chinese walls"). Endpoint systems can also control email and instant messaging: messages are checked before they leave the device, and a message containing prohibited content is blocked. A blocked message is never sent and is therefore not subject to the retention rules that apply to stored data.

A DLP system (technology) has the advantage that it can control and manage access to physical devices (for example, mobile devices with storage capabilities), and sometimes access information before it is encrypted.

Some endpoint-based systems can also provide application control to block attempts to transmit sensitive information, and give immediate feedback to the user. Their disadvantage is that they must be installed on every workstation on the network and cannot be used on mobile devices (for example, cell phones and PDAs) or where installation is impractical (for example, a workstation in an Internet cafe). This must be taken into account when choosing a DLP system for any purpose.

Data Identification

DLP systems include several methods for identifying secret or confidential information. This process is sometimes confused with discovery. Data identification is the process by which organizations use DLP technology to determine what to look for (in motion, at rest or in use).

The data is classified as structured or unstructured. The first type is stored in fixed fields within a file (such as a spreadsheet), while unstructured refers to free-form text (in the form of text documents or PDF files).

According to experts, 80% of all data is unstructured and 20% is structured. Identification is based on content analysis, which works best on structured information, and on contextual analysis, which looks at where the data originated (the application or system that created it). The answer to the question "DLP systems: what are they?" thus comes down to the information analysis algorithm they use.

Methods used

Methods for describing sensitive content are numerous today. They fall into two categories: precise and imprecise.

Precise methods involve content registration (fingerprinting known documents) and bring false positives down to virtually zero.

All other methods are imprecise and include: dictionaries, keywords, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, statistical analysis, etc.

The effectiveness of the analysis depends directly on its accuracy. A highly rated DLP system performs well on this parameter. Accurate identification is essential to avoid false positives and their consequences. Accuracy depends on many factors, some situational and some technological. Accuracy testing is what establishes the reliability of a DLP system, i.e. near-zero false positives.

Detection and prevention of information leaks

Sometimes a data distributor hands sensitive information to one or more third parties. Some time later, part of it turns up in an unauthorized place (for example, on the Internet or on another user's laptop). DLP systems (vendors quote prices on request, from several tens to several thousand rubles) must then investigate how the data leaked: from one third party or several, whether they acted independently, whether the leak happened by some other means, etc.

Data at rest

"Data at rest" refers to archived information stored on a client PC's hard drive, on a remote file server or on a disk array. The definition also covers data held in backup systems (on flash drives or CDs). This information is of great interest to businesses and government agencies because a large amount of data sits unused on storage devices and is more likely to be accessed by unauthorized persons outside the network.

DLP (Data Loss Prevention)

Systems for monitoring user actions; a system for protecting confidential data from internal threats.

DLP systems detect and prevent the transfer of confidential data at its various stages (in motion, in use and at rest). A DLP system allows you to:

    Control the work of users, preventing uncontrolled waste of working time on personal matters.

    Automatically, unnoticed by the user, record all actions, including emails sent and received, chats and instant messaging, social networks, websites visited, data typed on the keyboard, files transferred, printed and saved, etc.

    Monitor the use of computer games in the workplace and take into account the amount of working time spent on computer games.

    Monitor network activity of users, take into account the volume of network traffic

    Control the copying of documents to various media (removable media, hard drives, network folders, etc.)

    Control user's network printing

    Record user requests to search engines, etc.

The data states covered are:

    Data-in-motion: email messages, web traffic, file transfers, etc.

    Data-at-rest: stored data: information on workstations, file servers, USB devices, etc.

    Data-in-use: information being processed at the moment.

The architecture of DLP solutions varies between vendors, but in general there are 3 main components:

    Interceptors and controllers for different information transmission channels. Interceptors analyze passing information flows emanating from the company’s perimeter, detect confidential data, classify information and transmit it to the management server for processing a possible incident. Data-at-rest discovery controllers run discovery processes on network resources for sensitive information. Controllers for operations on workstations distribute security policies to end devices (computers), analyze the results of employee activities with confidential information, and transmit possible incident data to the management server.

    Agent programs installed on end devices: they detect confidential data being processed and enforce rules on operations such as saving to removable media, sending, printing and copying via the clipboard.

    Central management server - compares information received from interceptors and controllers and provides an interface for processing incidents and generating reports.

DLP solutions offer a wide range of combined information discovery methods:

    Digital fingerprints of documents and their parts

    Digital fingerprints of databases and other structured information that is important to protect from distribution

    Statistical methods (the system's sensitivity increases when violations are repeated).

When operating DLP systems, several procedures are typically performed cyclically:

    Training the system in the principles of information classification.

    Entering response rules for each category of detected information and for the groups of employees whose actions are to be monitored. Trusted users are singled out.

    The DLP system performs a control operation: it analyzes and normalizes the information, compares it with the detection and classification rules and, when confidential information is found, matches it against the policies assigned to that category of information and, if necessary, creates an incident.

    Processing incidents (for example: inform, pause or block the transfer).
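The cycle above, from registering documents through policy matching to the incident, as an added example that is not the page's or any vendor's code. Detection uses the document fingerprint method from the list of discovery methods: each registered document is reduced to hashes of overlapping word shingles, and a message is scored by the share of its shingles that match. The shingle size, the 0.3 threshold, the sample contract text, the user names and the rule that trusted users are only informed rather than blocked are assumptions of this example.

```python
"""DLP operating cycle with fingerprint-based discovery. Added example;
shingle size, thresholds, sample text and the trusted-user rule are assumed."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SHINGLE_WORDS = 5   # assumed: 5-word shingles survive reformatting but not paraphrase

# Constructed sample document that will be registered as confidential.
CONTRACT = ("This agreement between Acme Corp and Globex sets the contract price at "
            "two million dollars payable in four quarterly installments beginning on "
            "the first of March and ending no later than December of the following year.")


def normalize(text: str) -> List[str]:
    """Lower-case word tokens; punctuation and line breaks do not affect the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> Set[str]:
    """Digital fingerprint of a document: hashes of its overlapping word shingles."""
    words = normalize(text)
    prints = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS])
        prints.add(hashlib.sha256(chunk.encode()).hexdigest()[:16])
    return prints


@dataclass
class RegisteredDoc:
    name: str
    category: str
    prints: Set[str]


@dataclass
class Policy:
    category: str
    channel: str
    action: str               # "allow", "inform", "pause" or "block"
    min_containment: float    # share of the message's shingles that must match


@dataclass
class Incident:
    user: str
    channel: str
    document: str
    category: str
    containment: float
    action: str


class DlpEngine:
    def __init__(self, trusted_users: Set[str]):
        self.docs: List[RegisteredDoc] = []
        self.policies: List[Policy] = []
        self.trusted = trusted_users
        self.incidents: List[Incident] = []

    def register(self, name: str, category: str, text: str) -> None:
        """Step 1: teach the system what a document of this category looks like."""
        self.docs.append(RegisteredDoc(name, category, fingerprint(text)))

    def add_policy(self, policy: Policy) -> None:
        """Step 2: response rule for a category of information on a channel."""
        self.policies.append(policy)

    def best_match(self, text: str) -> Optional[Tuple[RegisteredDoc, float]]:
        """Containment: fraction of the message's shingles found in a registered document."""
        probe = fingerprint(text)
        if not probe or not self.docs:
            return None
        scored = [(doc, len(probe & doc.prints) / len(probe)) for doc in self.docs]
        return max(scored, key=lambda pair: pair[1])

    def check(self, user: str, channel: str, text: str) -> str:
        """Steps 3 and 4: analyze, compare with the policies, create an incident if needed."""
        match = self.best_match(text)
        if match is None:
            return "allow"
        doc, containment = match
        for policy in self.policies:
            if (policy.category == doc.category and policy.channel == channel
                    and containment >= policy.min_containment):
                action = policy.action
                if user in self.trusted and action in ("pause", "block"):
                    action = "inform"   # assumed rule: trusted users are logged, not stopped
                self.incidents.append(Incident(user, channel, doc.name, doc.category,
                                               round(containment, 2), action))
                return action
        return "allow"


def demo() -> List[str]:
    """Constructed scenario: one policy on email, two senders, one trusted user."""
    engine = DlpEngine(trusted_users={"cfo"})
    engine.register("contract-acme", "confidential", CONTRACT)
    engine.add_policy(Policy("confidential", "email", "block", 0.3))
    excerpt = "FYI: the contract price at two million dollars payable in four quarterly installments"
    return [engine.check("alice", "email", excerpt),
            engine.check("cfo", "email", excerpt),
            engine.check("bob", "email", "Lunch at noon tomorrow in the cafeteria if anyone wants to join")]


if __name__ == "__main__":
    print(demo())   # the excerpt is blocked for alice, logged for the cfo, lunch is allowed
```

Containment rather than Jaccard similarity is used on purpose: a short quotation from a long registered contract still scores high, which is the case a leak usually takes.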

Features of creating and operating a VPN from a security perspective

Options for building a VPN:

    Based on network operating systems

    Router-based

    Based on firewalls

    Based on specialized software and hardware

    Based on specialized software

For a VPN to work correctly and securely, you need to understand how VPNs interact with firewalls:

    VPNs create end-to-end tunnels that pass through the network perimeter, which makes access control at the firewall problematic, since the firewall cannot analyze encrypted traffic.

    Thanks to their encryption, VPNs can be used to bypass IDS systems, which cannot detect intrusions carried inside encrypted channels.

    Depending on the network architecture, the all-important network address translation (NAT) function may be incompatible with some VPN implementations (for example, IPsec without NAT traversal), etc.

Essentially, when making decisions about implementing VPN components into a network architecture, an administrator can either choose the VPN as a stand-alone external device or choose to integrate the VPN into the firewall to provide both functions in a single system.

    Firewall + separate VPN. VPN placement options:

    1. Inside the DMZ, between the firewall and the border router

    2. Inside the protected network, on the firewall's network interfaces

    3. Inside the screened network, behind the firewall

    4. In parallel with the firewall, at the entry point into the protected network.

    Firewall + VPN hosted as a single unit. Such an integrated solution is easier to support than the previous option, avoids the problems associated with NAT (network address translation) and gives more reliable access control, for which the firewall is responsible. The drawback of an integrated solution is the high initial cost of such a product and the limited options for tuning the VPN and firewall components separately (the firewall implementation that fits best may not be suitable as a base for the VPN components).

VPN can noticeably affect network performance; latency arises in the following phases:

    1. Establishing the secure connection between VPN devices (authentication, key exchange, etc.)

    2. Encrypting and decrypting protected data, plus the transformations needed to check its integrity

    3. Adding a new header to transmitted packets

Email Security

Main mail protocols: (E)SMTP, POP, IMAP.

SMTP (Simple Mail Transfer Protocol): TCP port 25, no authentication. Extended SMTP (ESMTP) added client authentication (the SMTP AUTH extension).

POP3 (Post Office Protocol, version 3): retrieves mail from the server. Authentication is in cleartext. APOP adds challenge-response (digest) authentication so that the password is not sent in the clear.

IMAP (Internet Message Access Protocol): also a cleartext mail protocol; unlike POP3 it lets the client work with the mailbox directly on the server without downloading messages to the computer.

Because none of these protocols had a proper means of encryption, SSL/TLS is used to encrypt their sessions. This produced the following variants:

POP3 over SSL (POP3S): port 995; SMTP over SSL (SMTPS): port 465; IMAP over SSL (IMAPS): port 993; all TCP.

An attacker working with an email system may pursue the following goals:

    Attacking a user's computer by sending email viruses, sending fake emails (forging the sender's address in SMTP is a trivial task), reading other people's emails.

    An attack on a mail server using email with the aim of penetrating its operating system or denial of service

    Using a mail server as a relay when sending unsolicited messages (spam)

    Password interception:

    1. Interception of passwords in POP and IMAP sessions, after which an attacker can receive and delete mail without the user's knowledge

    2. Interception of passwords in SMTP sessions, after which an attacker can illegitimately authenticate and send mail through this server

To address the security problems of POP, IMAP and SMTP, SSL/TLS is most often used: it encrypts the whole communication session, either on the dedicated ports listed above or by upgrading a plaintext session on the standard port with the STARTTLS command. Disadvantage: SSL/TLS is a resource-intensive protocol that can noticeably slow communication.

Spam and the fight against it

Types of fraudulent spam:

    Lottery: an enthusiastic notification of winnings in a lottery the recipient never entered. All they need to do is visit the indicated website and enter their account number and card PIN, supposedly required to pay for delivery.

    Auctions: the goods the swindlers are selling do not exist. After paying, the client receives nothing.

    Phishing: a letter containing a link to a resource where the recipient is asked to enter data, i.e. luring gullible or inattentive users into giving up personal and confidential data. Fraudsters send out large numbers of letters, usually disguised as official mail from various institutions, with links to decoy sites that visually copy the sites of banks, shops and other organizations.

    Job offers (money mule recruitment): recruiting staff for a company that supposedly needs a representative in some country to forward goods or transfer money to a foreign company. As a rule, a money laundering scheme is hidden behind this.

    Nigerian letters (advance-fee fraud): the victim is asked to pay a small amount before receiving a large sum of money.

    Chain letters.

Spam can be mass or targeted.

Bulk spam lacks specific targets and uses fraudulent social engineering techniques against large numbers of people.

Targeted spam is a technique aimed at a specific person or organization, in which the attacker acts on behalf of the director, administrator or other employee of the organization in which the victim works or the attacker represents a company with which the target organization has established a trusted relationship.

The collection of addresses is carried out by selecting proper names, beautiful words from dictionaries, frequent word-number combinations, the method of analogy, scanning all available sources of information (chat rooms, forums, etc.), stealing databases, etc.

The received addresses are verified (checked that they are valid) by sending a test message, placing in the text of the message a unique link to a picture with a download counter or an “unsubscribe from spam messages” link.

Subsequently, spam is sent either directly from rented servers, or from incorrectly configured legitimate email services, or through the hidden installation of malicious software on the user’s computer.

The attacker complicates the work of anti-spam filters by inserting random text, noise or invisible text, using images of letters or distorting them, fragmenting images (including animation) and paraphrasing the text.

Anti-spam methods

There are 2 main approaches to spam filtering:

    Filtering by the formal characteristics of an email message

    Filtering by content

    Formal methods

    1. Lists: black, white and grey. Greylisting temporarily rejects messages from an unknown combination of sender address and sending-server IP address; the first delivery attempt ends in a temporary failure (as a rule, spam-sending software does not retry, while legitimate mail servers do). The disadvantage of this method is the possibly long delay between sending and receiving a legitimate message.

    2. Checking whether the message was sent from a genuine mail server of the domain named in the message or from a fake one.

    3. "Callback": on receiving an incoming connection, the receiving server pauses the session and opens a test session back to the sending domain's mail server. If that attempt fails, the suspended connection is dropped without further processing.

    4. Filtering by the formal attributes of the letter: sender and recipient addresses, size, presence and number of attachments, sender's IP address, etc.

    Linguistic methods: working with the content of the letter

    1. Recognition by content: the letter is checked for signs of spam content, i.e. a particular set and distribution of characteristic phrases across the letter.

    2. Recognition by samples (signature-based filtering, including graphic signatures).

    3. Bayesian filtering works at the level of individual words. For an incoming letter, the probability that it is spam is computed from its text using the "weights" of the words it contains. The letter is classified as spam or not spam depending on whether its score exceeds a threshold set by the user. After a decision has been made, the "weights" of the words in the letter are updated in the database.
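Two of the methods above, as an added example that is not the page's own code: Greylist implements the formal method of temporarily rejecting an unknown (client IP, sender, recipient) triplet and accepting it once the sender retries; BayesFilter is the word-based Bayesian filter, with the word weights updated after each decision as the text describes. The training messages, the 5-minute retry delay, the 4-hour expiry and the 0.9 threshold are assumptions of the example.

```python
"""Greylisting (formal method) and a Bayesian word filter (content method).
Added example; training corpus, delays and threshold are assumed."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple


class Greylist:
    def __init__(self, min_delay: int = 300, window: int = 4 * 3600):
        self.min_delay = min_delay   # a retry earlier than this is still refused
        self.window = window         # a triplet never retried within this is forgotten
        self.seen: Dict[Tuple[str, str, str], dict] = {}

    def decide(self, client_ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP reply for a RCPT TO from this triplet at time `now`."""
        key = (client_ip, sender, rcpt)
        entry = self.seen.get(key)
        expired = (entry is not None and not entry["passed"]
                   and now - entry["first"] > self.window)
        if entry is None or expired:
            self.seen[key] = {"first": now, "passed": False}
            return "451 4.7.1 Greylisted, please retry later"
        if entry["passed"] or now - entry["first"] >= self.min_delay:
            entry["passed"] = True   # legitimate MTAs retry; most spam tools do not
            return "250 2.1.5 OK"
        return "451 4.7.1 Greylisted, please retry later"


class BayesFilter:
    def __init__(self, threshold: float = 0.9):
        self.threshold = threshold
        self.counts = {True: Counter(), False: Counter()}   # word -> messages containing it
        self.messages = {True: 0, False: 0}

    @staticmethod
    def tokens(text: str) -> set:
        return set(re.findall(r"[a-z]{2,}", text.lower()))

    def train(self, text: str, is_spam: bool) -> None:
        self.messages[is_spam] += 1
        for w in self.tokens(text):
            self.counts[is_spam][w] += 1

    def word_weight(self, word: str) -> float:
        """P(spam | word) with add-one smoothing, so unseen words stay near 0.5."""
        p_spam = (self.counts[True][word] + 1) / (self.messages[True] + 2)
        p_ham = (self.counts[False][word] + 1) / (self.messages[False] + 2)
        return p_spam / (p_spam + p_ham)

    def spam_probability(self, text: str) -> float:
        """Naive Bayes combination of the word weights, done in log space."""
        log_spam = log_ham = 0.0
        for w in self.tokens(text):
            p = self.word_weight(w)
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify_and_learn(self, text: str) -> Tuple[bool, float]:
        """Decide by threshold, then update the weights with that decision."""
        p = self.spam_probability(text)
        is_spam = p >= self.threshold
        self.train(text, is_spam)
        return is_spam, p


# Constructed training corpus.
SPAM: List[str] = ["win a free lottery prize claim your winnings now",
                   "free pills cheap order now limited offer",
                   "you have won the lottery click here to claim prize",
                   "cheap loans free money act now"]
HAM: List[str] = ["meeting tomorrow at noon about the quarterly report",
                  "please review the attached contract draft before friday",
                  "lunch on thursday with the team",
                  "the report numbers look good thanks"]


def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f


if __name__ == "__main__":
    g = Greylist()
    for t in (0, 60, 400):
        print(t, g.decide("198.51.100.7", "a@example.org", "b@example.net", t))
    f = trained_filter()
    print(f.classify_and_learn("claim your free lottery prize now"))
    print(f.classify_and_learn("please send the quarterly report before friday"))
```

The self-training step in classify_and_learn is also the weakness of the method the text hints at: a wrong decision reinforces itself, so production filters feed user corrections back in rather than trusting their own verdicts blindly.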

Authentication in computer systems

Authentication methods can be divided into the following categories:

    Based on knowledge of something (PIN, password)

    Based on possession of something (smart card, USB key)

    Based on inherent characteristics (biometric characteristics)

Authentication types:

    Simple authentication using passwords

    Strong authentication using multi-factor checks and cryptographic methods

    Biometric authentication

The main attacks on authentication protocols are:

    "Masquerade" - when a user tries to impersonate another user

    Replay (retransmission) - when an intercepted password is resent on behalf of another user

    Forced delay

To prevent such attacks, the following techniques are used:

    Mechanisms such as challenge-response, timestamps, random numbers, digital signatures, etc.

    Linking the authentication result to subsequent user actions within the system.

    Periodically performing authentication procedures within an already established communication session.

    Simple authentication

    Authentication based on reusable passwords

    Authentication based on one-time passwords - OTP (one-time password) - a one-time password is valid for a single login and can be generated by an OTP token. For this, the user's secret key is used, stored both inside the OTP token and on the authentication server.

    Strong authentication involves the proving party demonstrating its authenticity to the relying party by proving knowledge of a certain secret. It can be:

    One-way

    Two-way (mutual)

    Three-way

It can be implemented using smart cards, USB keys or cryptographic protocols.

Strong authentication can be implemented using a two- or three-factor verification process.

In the case of two-factor authentication, the user must prove that he knows the password or PIN code and has a certain personal identifier (smart card or USB key).

Three-factor authentication requires the user to provide another type of identification, such as biometrics.

Strong authentication using cryptographic protocols can rely on symmetric and asymmetric encryption as well as hash functions. The proving party proves knowledge of the secret without revealing the secret itself. One-time parameters (random numbers, timestamps and sequence numbers) are used to prevent replay and to guarantee the uniqueness, unambiguity and timeliness of the transmitted messages.
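The challenge-response scheme described above and its defences against masquerade, replay and forced delay, as an added example that is not from the original article: the prover answers a fresh challenge with an HMAC over the nonce, a timestamp and a sequence number, so the shared key is never transmitted, and the verifier rejects reused challenges, stale timestamps and non-increasing sequence numbers. The shared key, user name and freshness window are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed shared secret; in practice each user or token has its own key
# held on both sides, like the OTP token key mentioned in the text.
SHARED_KEY = b"example-shared-secret-not-for-production"
MAX_SKEW = 30  # seconds within which a response counts as fresh (assumption)

def compute_mac(key, user, nonce, ts, seq):
    # Bind every field into one MAC so none can be altered or reused alone.
    msg = f"{user}|{nonce}|{ts}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Relying party: issues one-time challenges and checks responses."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now                 # injectable clock
        self.outstanding = set()       # challenges issued but not yet used
        self.last_seq = {}             # highest accepted sequence number per user

    def challenge(self):
        nonce = os.urandom(16).hex()   # random one-time parameter
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, ts, seq, mac):
        # 1. The challenge must be ours and unused: blocks replay of a response.
        if nonce not in self.outstanding:
            return False
        # 2. The timestamp must be fresh: blocks forced-delay attacks.
        if abs(self.now() - ts) > MAX_SKEW:
            return False
        # 3. Sequence numbers must increase: blocks reordering of old messages.
        if seq <= self.last_seq.get(user, 0):
            return False
        # 4. The MAC proves knowledge of the key; a masquerader without it fails.
        expected = compute_mac(self.key, user, nonce, ts, seq)
        if not hmac.compare_digest(expected, mac):
            return False
        self.outstanding.discard(nonce)  # single use
        self.last_seq[user] = seq
        return True

def prover_respond(key, user, nonce, seq, now=time.time):
    """Proving party: answer the challenge without revealing the key."""
    ts = int(now())
    return ts, seq, compute_mac(key, user, nonce, ts, seq)
```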

Biometric user authentication

The most commonly used biometric features are:

    Fingerprints

    Vein pattern

    Hand geometry

    Iris

    Facial geometry

    Combinations of the above

Access control using a Single Sign-On (SSO) scheme

SSO allows a user of a corporate network to undergo only one authentication when they log into the network, presenting only one password or other required authenticator once, and then, without additional authentication, gain access to all authorized network resources that are needed to perform the job. Digital authentication tools such as tokens, PKI digital certificates, smart cards and biometric devices are actively used. Examples: Kerberos, PKI, SSL.

Response to information security incidents

Among the tasks facing any information security management system, two of the most significant can be identified:

    Incident prevention

    Timely and correct response when incidents do occur

The first task in most cases is based on the purchase of various information security tools.

The second task depends on the degree of preparedness of the company for such events:

        The presence of a trained IS incident response team with already pre-assigned roles and responsibilities.

        Availability of well-thought-out and interconnected documentation on the procedure for managing information security incidents, in particular, the response and investigation of identified incidents.

        Availability of prepared resources for the needs of the response team (communication tools, ..., safe)

        Availability of an up-to-date knowledge base on information security incidents that have occurred

        High level of user awareness in the field of information security

        Qualification and coordination of the response team

The information security incident management process consists of the following stages:

    Preparation – preventing incidents, preparing response teams, developing policies and procedures, etc.

    Detection – security notification, user notification, security log analysis.

    Analysis – confirming that an incident has occurred, collecting the available information about it, identifying the affected assets and classifying the incident by severity and priority.

    Response – containing the incident and preserving evidence: taking measures to stop the incident, collecting and preserving evidentiary information, interacting with internal departments, partners and affected parties, and engaging external expert organizations.

    Investigation – investigation of the circumstances of information security incidents, involvement of external expert organizations and interaction with all affected parties, as well as with law enforcement agencies and judicial authorities.

    Recovery – closing the vulnerabilities that led to the incident, eliminating its consequences and restoring the functionality of the affected services and systems. Filing an insurance notice.

    Efficiency analysis and modernization – analysis of the incident, assessment of the effectiveness of the investigation process and modernization of that process, its related documents and specific instructions. Producing a report for management on the investigation and on the need to modernize the security system, adding the collected information about the incident to the knowledge base and storing the incident data.

An effective information security incident management system has the following goals:

    Ensuring the legal significance of the collected evidentiary information on information security incidents

    Ensuring the timeliness and correctness of actions to respond to and investigate information security incidents

    Ensuring the ability to identify the circumstances and causes of information security incidents in order to further modernize the information security system

    Providing investigation and legal support for internal and external information security incidents

    Ensuring the possibility of prosecuting attackers and bringing them to justice as provided for by law

    Ensuring the possibility of compensation for damage from an information security incident in accordance with the law

The information security incident management system generally interacts and integrates with the following systems and processes:

    Information Security Management

    Management of risks

    Ensuring Business Continuity

Integration is expressed in the consistency of documentation and formalization of the order of interaction between processes (input, output information and transition conditions).

The process of managing information security incidents is quite complex and voluminous. It requires the accumulation, processing and storage of a huge amount of information, as well as the execution of many parallel tasks, so there are many tools on the market that allow you to automate certain tasks, for example, the so-called SIEM systems (security information and event management).

Chief Information Officer (CIO) – director of information technology

Chief Information Security Officer (CISO) – head of the information security department, director of information security

The main task of SIEM systems is not just to collect events from different sources but to automate the detection of incidents, document them in the SIEM's own log or an external system, and give timely notice of the event. A SIEM system performs the following tasks:

    Consolidation and storage of event logs from various sources - network devices, applications, OS logs, security tools

    Presentation of tools for event analysis and incident analysis

    Correlation and rule-based processing of the events that occurred

    Automatic notification and incident management

SIEM systems are capable of identifying:

    Network attacks in internal and external perimeters

    Virus epidemics or individual virus infections, unremoved viruses, backdoors and Trojans

    Attempts of unauthorized access to confidential information

    Errors and malfunctions in the operation of the IS

    Vulnerabilities

    Errors in configuration, security measures and information systems.
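The correlation step from the task list above, as an added example that is not from the original article: a rule run over constructed authentication log lines raises an incident when a threshold of failed logins for one source and user inside a time window is followed by a success, which is how a SIEM turns raw events into a documented "unauthorized access attempt" incident. The log format, the threshold and the window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like key=value form (not from the article).
EVENTS = """\
2023-10-18T09:00:01 auth host=ws07 user=bob src=10.0.0.5 result=fail
2023-10-18T09:00:03 auth host=ws07 user=bob src=10.0.0.5 result=fail
2023-10-18T09:00:04 auth host=ws07 user=bob src=10.0.0.5 result=fail
2023-10-18T09:00:05 auth host=ws07 user=bob src=10.0.0.5 result=fail
2023-10-18T09:00:06 auth host=ws07 user=bob src=10.0.0.5 result=fail
2023-10-18T09:00:08 auth host=ws07 user=bob src=10.0.0.5 result=success
2023-10-18T09:15:00 auth host=ws12 user=alice src=10.0.0.9 result=fail
2023-10-18T09:15:30 auth host=ws12 user=alice src=10.0.0.9 result=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse(raw):
    """Normalize raw log lines into event dicts; unparseable lines are skipped."""
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event

def correlate(events, threshold=5, window=timedelta(minutes=1)):
    """Rule: `threshold` failures for one (src, user) inside `window`, then a
    success, produces one incident record for the incident log."""
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    incidents = []
    for e in events:
        key = (e["src"], e["user"])
        recent = failures[key]
        while recent and e["ts"] - recent[0] > window:   # expire old failures
            recent.popleft()
        if e["result"] == "fail":
            recent.append(e["ts"])
        elif e["result"] == "success" and len(recent) >= threshold:
            incidents.append({
                "rule": "brute_force_success",
                "user": e["user"], "src": e["src"], "host": e["host"],
                "failures": len(recent), "time": e["ts"].isoformat(),
            })
            recent.clear()
    return incidents
```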

Main sources of SIEM

    Access control and authentication data

    Server and workstation event logs

    Network active equipment

    Antivirus protection

    Vulnerability scanners

    Systems for accounting for risks, threat criticality and incident prioritization

    Other systems for protecting and controlling information security policies:

      DLP systems

      Access control devices, etc.

    Inventory systems

    Traffic accounting systems

The most famous SIEM systems:

QRadar SIEM (IBM)

KOMRAD (CJSC NPO ESHELON)

Before studying and discussing the DLP systems market in detail, we need to define what the term means. DLP systems are usually understood as software products created to protect organizations and enterprises from leaks of classified information. This is how the abbreviation DLP itself (in full, Data Leak Prevention) is translated into Russian: "avoidance of data leaks".

Such systems are capable of creating a digital secure “perimeter” for analyzing all outgoing or incoming information. The information controlled by this system is Internet traffic and numerous information flows: documents taken outside the protected “perimeter” on external media, printed on a printer, sent to mobile devices via Bluetooth. Since sending and exchanging various types of information is an inevitable necessity these days, the importance of such protection is obvious. The more digital and internet technologies are used, the more security guarantees are needed on a daily basis, especially in corporate environments.

How it works?

Since a DLP system must counteract leaks of corporate confidential information, it naturally has built-in mechanisms for determining the degree of confidentiality of any document found in intercepted traffic. There are two common ways of recognizing how confidential a file is: by checking special markers and by analyzing the content.

Today the second option is the relevant one. It is more resistant to modifications that may be made to a file before it is sent, and it also makes it easy to expand the number of confidential documents the system can work with.
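The two recognition methods just described, side by side, as an added example that is not from the original article or any vendor's product: a marker check looks for a confidentiality label in the document, while a content check fingerprints registered confidential documents with hashed word shingles and flags an intercepted text that contains enough of them. The sample documents, the marker string and the containment threshold are constructed for the example.

```python
import hashlib
import re

MARKER = "[CONFIDENTIAL]"   # constructed label used by the marker-based check

def normalize(text):
    # Case-fold and keep word tokens so cosmetic edits do not change the result.
    return re.findall(r"\w+", text.lower())

def shingles(text, k=4):
    """Content fingerprint: the set of hashes of every run of k consecutive
    words. Partial edits change only the shingles they touch."""
    words = normalize(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

class MarkerCheck:
    """Recognition by a special marker embedded in the document."""
    def is_confidential(self, text):
        return MARKER in text

class ContentCheck:
    """Recognition by content analysis against a registry of fingerprints."""
    def __init__(self, threshold=0.3):
        self.threshold = threshold   # fraction of the probe's shingles that must match
        self.registry = {}

    def register(self, name, text):
        # Adding a document to the registry is all that is needed to protect it.
        self.registry[name] = shingles(text)

    def is_confidential(self, text):
        probe = shingles(text)
        if not probe:
            return False
        # Containment (matched shingles / probe shingles) so that an excerpt of a
        # long document is still recognized.
        return any(len(probe & fp) / len(probe) >= self.threshold
                   for fp in self.registry.values())

# Constructed documents: the registered original, a leaked copy with the marker
# stripped and wording changed, and an unrelated message.
ORIGINAL = ("[CONFIDENTIAL] Q3 merger plan: the board approves the acquisition "
            "of Example Corp for 120 million; closing expected in November; "
            "do not distribute outside the finance committee.")
LEAKED = ("Q3 merger plan: board approves acquisition of Example Corp for "
          "120 million, closing expected in November.")
BENIGN = "Lunch on Thursday at noon? See you there."
```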

Secondary DLP Tasks

In addition to its main function, which is related to preventing information leakage, DLP systems are also suitable for solving many other tasks aimed at monitoring the actions of personnel. Most often, DLP systems solve a number of the following problems:

  • full control over the use of working time, as well as working resources by the organization’s personnel;
  • monitoring employee communications to detect their potential to cause harm to the organization;
  • control over the actions of employees in terms of legality (prevention of the production of counterfeit documents);
  • identifying employees who send out resumes to quickly find personnel for a vacant position.

Classification and comparison of DLP systems

All existing DLP systems can be divided by certain characteristics into several main subtypes, each with its own advantages over the others.

By whether they can block information recognized as confidential, systems fall into those with active and those with passive continuous monitoring of user actions. Active systems can block transmitted information, passive systems cannot. Active systems are also much better at dealing with accidental transfer of information to outsiders, but at the same time they can halt the company's current business processes, which is their weakness compared with passive ones.

Another classification of DLP systems is by network architecture. Gateway DLPs operate on intermediate servers, whereas host-based DLPs use agents that run directly on employee workstations. At the moment the more relevant option is to use host and gateway components together, although the host components have certain advantages of their own.

Global modern DLP market

At the moment, the main places in the global DLP market are occupied by companies widely known in this field: Symantec, Trend Micro, McAfee and Websense.

Symantec

Symantec maintains its leading position in the DLP market, although this is surprising, since many other companies could replace it. The solution still consists of modular components that provide the latest capabilities designed to integrate DLP with the best technologies. This year's technology roadmap was compiled using information from its clients and is today the most progressive on the market. However, this is far from the best choice of a DLP system.

Strengths:

  • significant improvements to Content-Aware DLP technology for portable devices;
  • improved content retrieval capabilities to support a more comprehensive approach;
  • improved integration of DLP capabilities with other Symantec products (the most striking example is Data Insight).

What you need to pay attention to (important disadvantages in the work that are worth thinking about):

  • although Symantec's technology roadmap is considered progressive, its implementation often runs into hitches;
  • even though the management console is fully functional, it is not as competitive as Symantec claims;
  • clients of this system often complain about the response time of the support service;
  • the price of this solution is still significantly higher than that of competitors' products, which over time may take the lead thanks to small changes in this system.

Websense

Over the past few years, developers have been regularly improving Websense's DLP offering. It can safely be considered a fully functional solution. Websense has provided the modern user with advanced capabilities.

Winning sides:

  • Websense offers a full-featured DLP solution that supports endpoints and data discovery.
  • The drip DLP function makes it possible to detect gradual information leaks that take place over a long period.

What deserves special attention:

  • Data can only be edited when it is at rest.
  • The technology roadmap is weak.

McAfee DLP

The McAfee DLP security system has also undergone many positive changes. It does not stand out for special functions, but its basic capabilities are implemented at a high level. The key difference, aside from integration with other products in the McAfee ePolicy Orchestrator (EPO) console, is the use of a centralized database of captured data. This store can be used to tune new rules, test them for false positives and reduce deployment time.

What attracts you most about this solution?

Incident management can easily be called a strength of the McAfee solution. It allows documents and comments to be attached to incidents, which is useful when working at any level. The solution is able to detect non-text content, for example a picture. A new endpoint protection solution from this developer can be deployed, for example, stand-alone.

Functions aimed at emerging platforms, such as mobile communication devices and social networks, have performed quite well, which lets them beat competing solutions. New rules are tested against the database of captured information, which helps reduce the number of false positives and speeds up rule deployment. McAfee DLP provides core functionality in a virtual environment; plans for its further development have not yet been clearly formulated.

Prospects and modern DLP systems

The overview of the various solutions presented above shows that they all work in the same way. According to experts, the main development trend is that "patchwork" systems containing components from several manufacturers, each solving specific problems, will be replaced by an integrated software package. This transition is driven by the need to relieve specialists of solving those problems themselves. In addition, existing DLP systems, whose analogues cannot provide the same level of protection, will be improved continuously.

For example, in complex integrated systems the compatibility of the various "patchwork" components with each other will be determined in advance. This makes it easy to change settings for very large arrays of client stations in organizations and, at the same time, removes the difficulty of transferring data between the components of a single integrated system. Developers of integrated systems are making the information security tasks they address more specific. Not a single channel should be left uncontrolled, because it is often the source of a probable information leak.

What will happen in the near future?

Western manufacturers trying to take over the DLP market in the CIS countries have had to face problems with support for national languages. They are quite actively interested in our market, so they strive to support the Russian language.

The DLP industry is seeing a move towards a modular structure. The customer will be given the opportunity to independently select the system components he or she requires. Also, the development and implementation of DLP systems depends on industry specifics. Most likely, special versions of well-known systems will appear, the adaptation of which will be subordinated to work in the banking sector or government agencies. The relevant requests of specific organizations will be taken into account here.

Corporate Security

The use of laptops in corporate environments has a direct impact on the direction in which DLP systems develop. Such computers have many more vulnerabilities, which calls for increased protection. Because of the specific nature of laptops (the possibility of theft of both the information and the device itself), DLP manufacturers are developing new approaches to securing laptop computers.