DeviceLock Discovery Stops Data Breaches
A functional component of DeviceLock DLP, DeviceLock Discovery enables organizations to gain visibility and control over confidential “data at rest” stored across their IT environment in order to proactively prevent data breaches and achieve compliance with regulatory and corporate data security requirements.
By automatically scanning data residing on network shares, storage systems, and endpoint computers accessible to the DeviceLock Discovery Server, it locates documents with exposed sensitive content, provides options to protect them with remediation actions, and can initiate incident management procedures by sending real-time alerts to Security Information and Event Management (SIEM) systems used in the organization.
Depending on the network topology and other specifics of the protected IT environment, DeviceLock Discovery can perform scans in several modes: agentless, agent-based, and mixed scanning.
DeviceLock Discovery scans can be initiated by administrators manually or can be configured to run on a schedule. DeviceLock Discovery Agents can be remotely installed on and removed from target computers by the DeviceLock Discovery Server in a fully automatic and transparent process to end users.
DeviceLock Discovery can identify and inspect three general categories of content: textual data, binaries, and various other data/metadata types.
For detecting structured and categorized textual content, DeviceLock Discovery uses “keywords” (single words or whole-word phrases) and Regular Expression (RegExp) patterns, which can be combined with numerical thresholds and other parameters to specify triggering conditions in DLP rules. To ease the task of specifying data patterns, the product ships with hundreds of pre-built industry-specific, topic-specific, and country-specific keyword dictionaries, as well as RegExp templates for common sensitive information types, such as Social Security Numbers, credit cards, bank accounts, addresses, driving licenses, etc. In addition, customers can develop their own keyword dictionaries and templates, as well as modify pre-built ones for customized filtering needs. The accuracy of content detection is increased by morphological analysis of keywords in English, French, German, Italian, Portuguese, Russian, Spanish, and Catalan Spanish.
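The following added example (not DeviceLock code; the `Rule` model, rule names and patterns are hypothetical) shows how a keyword list, a RegExp pattern and a numerical threshold can combine into one triggering condition, with a Luhn checksum as an extra parameter that discards digit runs that only look like card numbers.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

def luhn_ok(candidate: str) -> bool:
    """Checksum that filters random digit runs out of card-number matches."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0

@dataclass
class Rule:                                 # hypothetical rule model
    name: str
    pattern: re.Pattern
    threshold: int                          # minimum distinct matches to trigger
    keywords: tuple = ()                    # at least one must appear as a whole word
    validator: Optional[Callable[[str], bool]] = None

def evaluate(rule: Rule, text: str):
    """Return (triggered, matches) for one rule applied to extracted text."""
    hits = {m.group() for m in rule.pattern.finditer(text)}
    if rule.validator:
        hits = {h for h in hits if rule.validator(h)}
    has_keyword = not rule.keywords or any(
        re.search(rf"\b{re.escape(k)}\b", text, re.IGNORECASE) for k in rule.keywords)
    return has_keyword and len(hits) >= rule.threshold, sorted(hits)

CARD_RULE = Rule("payment-cards", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
                 threshold=2, keywords=("card", "payment"), validator=luhn_ok)
SSN_RULE = Rule("us-ssn",
                re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
                threshold=1, keywords=("ssn", "social security"))

# Constructed sample text; the card numbers are standard test values.
SAMPLE = """Customer payment export
card: 4111 1111 1111 1111  name: A. Example
card: 5500-0000-0000-0004  name: B. Example
order ref: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for rule in (CARD_RULE, SSN_RULE):
        print(rule.name, evaluate(rule, SAMPLE))
```

The order reference matches the card pattern but fails the checksum, so it does not count toward the threshold.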
For detecting unstructured textual and binary content, DeviceLock Discovery uses data fingerprinting. The set of data fingerprints of an object, for instance a document, uniquely identifies both the entire document and its contents. By using data fingerprinting for content inspection, full copies or parts of textual and binary content can be reliably detected in scanned documents and files. The percentage thresholds of detected sensitive content that trigger DLP rules can be configured by security administrators to optimally fit the data security policy of the organization. In addition to textual and binary content detection, DeviceLock Discovery uses data fingerprinting to detect exact copies of any non-text files – such as images, design drawings, multimedia, and more. To simplify the data fingerprinting process for content inspection, DeviceLock Discovery supports automatic classification of corporate data into pre-built or user-defined classification levels. The database of classified data fingerprints is automatically populated by processing examples of sensitive documents when DeviceLock administrators place them into the folders of their relevant classification levels. There are five basic classification levels pre-built in the product, but customers can add or define their own categories as well. The built-in categories include “Unclassified”, “Restricted”, “Confidential”, “Secret”, and “Top Secret”, but customers can use a combination of pre-built classifications and any of their custom-built ones in DLP policies.
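As an added illustration (not DeviceLock code), the sketch below uses word shingling, a generic fingerprinting technique chosen here because the page does not disclose the product's algorithm, to show how a fingerprint database keyed by classification level and a percentage threshold detect a partial copy of a protected document. The shingle size, function names and sample documents are assumptions.

```python
import hashlib
import re

K = 4  # words per shingle; an assumed parameter

def fingerprints(text, k=K):
    """Hash every run of k consecutive normalised words (w-shingling)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }

def percent_contained(protected_fp, scanned_text):
    """Share of the protected document's fingerprints found in scanned_text."""
    if not protected_fp:
        return 0.0
    found = protected_fp & fingerprints(scanned_text)
    return 100.0 * len(found) / len(protected_fp)

def build_database(samples):
    """samples: {level: {doc_name: text}}, mirroring one folder per level."""
    return {(level, name): fingerprints(text)
            for level, docs in samples.items() for name, text in docs.items()}

def scan(scanned_text, database, threshold_pct):
    """Return (level, doc_name, percent) for every match at or above threshold."""
    results = []
    for (level, name), fp in sorted(database.items()):
        pct = percent_contained(fp, scanned_text)
        if pct >= threshold_pct:
            results.append((level, name, pct))
    return results

# Constructed sample data.
MEMO = ("Project Falcon acquisition price is forty two million dollars "
        "payable in three tranches")
DATABASE = build_database({"Confidential": {"deal-memo.txt": MEMO}})
PARTIAL_LEAK = ("fyi, the project falcon acquisition price is forty two million, "
                "more later")
UNRELATED = "Lunch menu for Friday is posted in the kitchen on the second floor"

if __name__ == "__main__":
    for label, text in [("full", MEMO), ("partial", PARTIAL_LEAK),
                        ("unrelated", UNRELATED)]:
        print(label, scan(text, DATABASE, threshold_pct=40))
```

Lowering the threshold catches shorter excerpts at the cost of more matches on common phrasing; raising it restricts hits to near-complete copies.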
Validated File Type Detection (more than 5300 file types are recognized) is another content-aware method that can be used in DeviceLock Discovery independently or in combination with textual content inspection. A binary content signature-based method is used to detect the verified file type regardless of its extension or header.
In addition to content discovery in textual-based data objects, a built-in optical character recognition (OCR) engine allows DeviceLock Discovery to extract and inspect textual data from pictures in documents and graphical files of many image formats. With more than 30 languages recognized, DeviceLock keyword dictionaries and regular expressions used to improve recognition, and dozens of other advanced features supported, this highly efficient OCR engine gives DeviceLock customers the ability to discover and protect exposed confidential data in information assets presented in graphical form. The distributed OCR architecture tremendously improves the overall performance of the solution, primarily because the graphical objects stored on endpoints can be scanned and inspected locally by Agent-resident OCR modules, thus significantly decreasing any load on the Discovery Server and reducing the scan traffic in the corporate network.
Once confidential content has been detected in a file stored in the wrong place, the following preventive actions can be enforced to remediate the exposure:
- Safe Delete
- Delete Container (if a violation is found in a file inside the container/archive)
- Set Permissions (for NTFS files)
- Notify User
- Encrypt (with EFS, for NTFS files only)