Too many data-loss prevention tools become shelfware, says Gartner

But DLP price is falling

The good, the bad and the ugly of data-loss prevention tools and technologies got a solid once over from Gartner analyst Eric Ouellet, who spared no punches during his presentation on the topic during the first day of Gartner's Security and Risk Management Summit.

DLP content-filtering, where the vendor options typically include a network-based appliance, host-based software and a discovery tool, in many cases remains a high-priced technology that organizations often spend a lot for in components that don't even get fully deployed over a two- to three-year timeframe, Ouellet said.

And although the corporate move to DLP is typically sponsored by the risk or financial office, the IT department drives the technology rollout but without engaging the business divisions enough. However, strong participation from divisions such as human resources and finance is needed in order to effectively set up policies and interact with employees whose data-sharing behavior is being monitored by the DLP hardware or software in use.

"DLP is an IT technology but it's not managing IT data, it's managing compliance," Ouellet said. DLP may focus on sensitive customer information such as payment-card data or healthcare records from being transmitted in an unauthorized way, such as without encryption, or DLP may try to monitor for loss of important intellectual property.

"Organizations underestimate the need for the involvement of non-IT business units," Ouellet said. In many instances, it's not really appropriate for IT people to be in the middle of looking at what DLP systems can report about data compliance issues, but the practical use of DLP monitoring sometimes doesn't make it into the hands of the right business people, he noted.While vendor DLP products are improving in terms of the number of false positives they generate in comparison to two years ago, "pricing is still at a premium," Ouellet said.

This is especially true when it comes to the DLP network appliance and discovery tools in the more sophisticated systems he categorized as "Enterprise DLP," in which DLP software agents, network and discovery tools are used throughout the enterprise for a comprehensive review from a common dashboard.

Acquisitions are based on a lot of detailed and sometimes confusing component costs that quickly add up to a high bill, with consulting and professional services ranging from $10,000 to $250,000 and three-day training costing $2,500 to $3,500 per student, he said. Maintenance costs might typically be 18% to 25% of costs, so multi-million acquisitions costs are easily possible for DLP. Ouellet said he even reviewed an acquisition a client was considering that listed an eye-popping 28% maintenance fee.

The only good news is that pricing for DLP endpoints has gone down dramatically from two years ago when they were in the $110 to $140 range but today are now in the $30 to $40 range. But the network appliance and discovery tool costs haven't changed, he noted.

"What we've learned over five or six years is that organizations overall seem to be buying more DLP than they need for the real-world case," Ouellet noted. "Routinely, they do not deploy all of the components within the two- to three-year timeframe."

However, the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.

The ugly truth about DLP is that it's almost always being used for just monitoring employee mistakes or misbehavior concerning data transmissions, not blocking them.

"The cost of supporting blocking can be too much or network use is too much," Ouellet said.

But just using DLP for monitoring isn't necessarily a bad thing since the course many organizations are finding that is that automated warnings about DLP misdeeds can help employees to do better, and talking to them does help them improve. "It can be more effective than seeing a big red screen blocking it," he added.

DLP has several weak points, such as it can't filter for content when it's encrypted in a way the DLP system doesn't know how to de-crypt, and it can't make sense of content sent as CAD diagrams, graphics, pictures or non-text-based media. Vendors also said to seldom support Mac, Unix or Linux.

Gartner still puts out its coveted "Magic Quadrant" for DLP. But it has also refined how it categorizes the market somewhat so that it will now detail market leaders, niche players and "visionaries' according to how they appear to serve the separate markets of "small-to-mid-sized business (SMB)", "mid-sized enterprise," "large enterprise" and "international."

For instance, this June's analysis from Gartner showed RSA, Symantec, Websense, McAfee, CA and Trustwave (which acquired Vericept late last year) as options suitable for large enterprises, while Code Green, Palisade Systems, Websense, Trend Micro and Fidelis were regarded as a good fit for SMBs mainly concerned with a basic compliance need, such as meeting the Payment Card Industry (PCI) rules.

The "international" category is where a lot of work remains to be done, Ouellet said, because there's not a lot of multi-lingual support and "the management console is typically English-langauge only."

DLP customers should also be aware that their choices contain some elements of lock-in. "Right now DLP policies are individualized by vendors," Ouellet said. "You can't take a policy and apply it to another vendor's products." But that may change over the next few years if a push towards standardization in XML-based formats gains steam.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Gartnersecuritydata loss prevention

More about DLPetworkGartnerLinuxLPMcAfee AustraliaRSASymantecTrend Micro AustraliaVericeptWebsense

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place