Since data security encompasses a wide range of tools, technologies, and processes we will highlight top-level management issues on this page, and encourage you to explore the subtopics for more details on database security, DLP, encryption, and other specific areas.

We keep all of our Research Library pages updated with our latest research. Content is added where it fits best, not in chronological order, so we mark new material with the month/year it's added to help you find changes more easily.

Papers and Posts

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and all public comments).

1. The most important piece of work we've published on data security is the following: The Business Justification for Data Security. We recommend you download the white paper as it provides a condensed (and professionally edited) review, and here are the links to the individual blog posts to add additional color and commentary: Part 1, part 2, part 3, part 4, part 5, and part 6. (03/09).
2. Next, you should read our series of posts on the Data Security Lifecycle which shows how all the various bits and pieces plug in together. Keep in mind that some of these technologies aren't completely available yet, but the series should give you a good overview of how to take a big picture approach to data security. Start with the Lifecycle, then read the details on the technologies, organized by phase: Part 1, Part 2, Part 3.
3. The general principles of Information-centric/Data Security.
4. Data Verification Issues.
5. Data And Application Security Will Drive Most Security Growth For The Next 3-5 Years.
6. Defensive Security Stack; showing where data security fits in with network, host, and application security (I mention CMF, which is the same as DLP): Data Protection - it's More than A + B + C.
7. We believe that two existing technologies are evolving into the "core" of data security- Data Loss Prevention and Database Activity Monitoring. The are evolving into what we call Content Monitoring and Protection (DLP, for protecting productivity applications and communications), and Application and Database Monitoring and Protection (DAM, for protecting applications and the data center). We define both technologies in Definitions: Content Monitoring and Protection And Application and Database Monitoring and Protection.
8. Continuation of Content Monitoring and Protection: How Data Loss Prevention and Database Activity Monitoring Will Connect.
9. Data classification comes up all the time when discussing data security. Here's an overview that starts to introduce the idea of practical data classification: The Five Problems With Data Classification, an Introduction To Practical Data Classification. We followed it with a post: Practical Data Classification: Type 1, The Hasty Classification. But the truth is, classification is usually quite problematic, and we don't recommend manual classification to most enterprise users, as we wrote in: Data Classification is Dead. (We haven't finished our data classification series yet).
10. Related to data classification, here is a post on Information Governance.
11. Before you start digging in too deep on data security, we recommend you prepare by understanding your users and infrastructure, as we wrote in: Information-Centric Security Tip: Know Your Users and Infrastructure.

General Coverage

1. Sorry, Data Labeling is Not the Same as DRM/ERM
2. Data Labels Suck.
3. Security Requirements for Electronic Medical Records.
4. The Data Breach Triangle.
5. Data Harvesting and Privacy.

Presentations

These PDF versions of presentations may also be useful, although they don't include any audio (for any audio/video, please see the next section).

• This is the Business Justification for Data Security Presentation that Rich and Adrian provided in February 2009.
• This presentation is on Mobile Data Security for the Enterprise.
• Our presentation on Information Centric Data Security and the Data Centric Security Lifecycle.
• Here's the current version of Pragmatic Data Security which provides a good, practical process overview with specific implementation details.
• Presentation on Data Protection in the Enterprise. Kind of a corporate overview.
• Presentation on XML Security.

Podcasts, Webcasts and Multimedia

Vendors/Tools

• About Our Research
• About the Research Library

About Our Research

• Securosis is a new breed of IT research firm focusing on the broad information security and compliance markets. As opposed to relying on big sales forces and high pay walls, we publish our primary research for free on our blog. Yeah, we know, it's different and scary. But it works.

In terms of our primary research model, our focus is to help mid-market IT and security professionals successfully execute on their projects, by providing actionable information to accelerate their progress. It doesn't mean our research isn't relevant to large enterprises and government agencies. It just means our primary constituency is someone who wears a security hat as well as a number of other hats on a daily basis.

Each week, Securosis publishes a ton of research on what's happening in the security business, all focused on keeping our readers connected and focused on what's important, not on the noise. Our weekly research includes:

• Securosis FireStarter: Each week Securosis holds an internal, no-holds-barred research meeting. Each analyst prepares a topic and the other analysts typically rip it to shreds. The end result is a thought generator that challenges our perspectives and demands further discussion. Each Monday, we publish the findings of that research meeting to "stir the pot" a bit and get the echo chamber vibrating.

• Securosis Incite: Something we've adopted from Security Incite is a hard-hitting summary of the news happening in our industry. Each Wednesday we send out 8-10 links with analysis of what's happening out there and why it's important.

• Securosis Weekly Summary: Just in case you don't have anything better to do over the weekend, on Friday we send out a list of things we've posted on the blog and also each analyst's favorite outside post. This keeps you up to date on what we've been up to.

• Ad Hoc Posts: Yes, the art of blogging is far from dead. During the week, once or twice a day we post something of interest. It could be a more detailed treatment of an announcement, something that's been bothering us, or part of our primary research (which is always posted to the blog first).

In case you are some kind of dinosaur and don't use an RSS reader, you can sign up for email distribution of our blog posts. Sign up for the Daily Digest or the Weekly Summary.

For each of our coverage areas, we have a defined hierarchy of primary research documents we prepare to ensure deep coverage and actionable advice:

• Understanding and Selecting: This series of posts provides the backdrop for each security domain. The research takes a product category perspective and helps readers understand why and how they'd use certain technology, and what is important when evaluating products and offerings. As an example, check out our work on Understanding and Selecting a Database Activity Monitoring Solution.

• Building a [Topic] Program: The next level in our research is how to structure a security program to solve a specific problem. This is about more than just figuring out what product to buy, but the underlying processes and techniques required to address a specific problem. You can see our Building a Web Application Security Program for an example of this research.

• Project Quant: For a select few coverage areas, we go very deep and actually define very granular process maps and establish metrics to quantify those processes for an aspect of security. We do a public survey to make sure we nail the process map and publish the survey results when we get a statistically significant sample. Check out Project Quant for Patch Management to understand this research.

About the Research Library

Are you tired of having to hunt through screen after screen of crappy search results just to find the few bits of information you need? Or trawl through endless forums and unrelated blog entries just to educate yourself on a new topic? We are too... that's why we created the Securosis Research Library.

The Library is designed to be your first stop when researching a new topic. We've collected our best blog posts, white papers, and multimedia materials together in a structure designed to help you find what you need as quickly as possible. Unlike search results or a wiki, we've organized the material for each topic in the order we think it will be most useful, rather than by date or some other arbitrary sorting method. We don't cover every security topic you could think of, but we're constantly expanding into new areas and filling in coverage that's lighter than we'd like.

Where possible, for technology-related topics we include a list of Free/Open Source and commercial products. We try to keep these lists updated, but if you see something we are missing please email us so we can add it. This is just a list of what's available in alphabetical order -- we aren't endorsing any particular products.

We update the material in the Library on an ongoing basis, and each entry is dated with the last update.

If you'd like to keep your own copy, just subscribe to the RSS feed. Since we update the date on each entry when we make changes, your RSS reader should keep a current, local copy of the entire library. Pretty cool, eh?

We hope you find it useful, and please email us with any suggestions, errors, or omissions.

• Understanding and Selecting a Database Encryption or Tokenization Solution
• Understanding and Selecting a Database Assessment Solution
• Project Quant for Database Security
• Project Quant for Network Security Monitoring and Management
• Quick Wins with DLP
• Pragmatic Data Security
• Network Security Fundamentals
• Endpoint Security Fundamentals
• Understanding and Selecting a SIEM/Log Management Product
• Understanding and Implementing Network Segregation
• Data Security for the Cloud

Some of these papers will be sponsored, some won't, but all will be released for free under a Creative Commons license on our blog and within the Research Library.

This section covers compliance topics and several general security issues related to compliance with industry and governmental regulations. This is a new section for us, and while we have a ton of information on this topic, we will be evolving how we present the material over time. These articles are strategic in nature, but we will be adding videos and podcasts for hands-on guidance in the coming weeks.

General Coverage

1. It Isn’t Risk Management If You Can’t Lose
2. Visa’s Data Field Encryption
3. Tokenization Will Become the Dominant Payment Transaction Architecture
4. Some Follow-Up Questions for Bob Russo, General Manager of the PCI Council
5. We Know How Breaches Happen
6. New Details, and Lessons, on Heartland Breach
7. Heartland Hackers Caught; Answers and Questions
8. An Open Letter to Robert Carr, CEO of Heartland Payment Systems

Presentations

• Presentation on Data Breaches and Encryption.
• Presentation on Data Protection in the Enterprise. This is a corporate overview.
• Presentation on Encrypting Mobile Data for the Enterprise.

Podcasts, Webcasts and Multimedia

We do not currently have any multimedia for this topic.

Please email info@securosis.com if you have any additions or corrections.

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and all public comments).

1. The most important piece of work we've published on encryption is Your Simple Guide to Endpoint Encryption.
2. Post on the Three Laws of Data Encryption.
3. Tokenization Will Become the Dominant Payment Transaction Architecture
4. Format and Datatype Preserving Encryption
5. Post on When to Layer Encryption.
6. Application vs. Database Encryption.
7. The post for Database Media Protection focuses on threats to the media that need consideration.
8. The Data Security Lifecycle covers encryption during the movement and storage of data.

General Coverage

1. Visa’s Data Field Encryption
2. Boaz Nails It- The Encryption Dilemma
3. “PIN Crackers” and Data Security, looking at attacks on encryption.
4. Part of the core value of Data Centric Security is the ability to protect data regardless of where it moves or resides, which is facilitated by encryption. This is discussed in Part 1 and Part 2 of the Best Practices for Endpoint Security, as well as:
5. An editorial on how parts of the U.S. intelligence community discourage the adoption of encryption, as it is counterproductive for their mission.
6. This post discusses Digital Rights Management (DRM) as it pertains to Cloud Computing and content protection.

Presentations

• Presentation on Data Breaches and Encryption.
• Presentation on Data Protection in the Enterprise. This is a corporate overview.
• This presentation is on Encrypting Mobile Data for the Enterprise.

Podcasts, Webcasts and Multimedia

We do not currently have any multimedia for this topic.

Vendors/Tools

The following is just an alphabetized and categorized list of vendors and products in this area (including any free tools we are aware of). Being here does not imply any endorsement; this list is simply meant to assist you if should you should start looking for tools. Please email info@securosis.com if you have any additions or corrections.

Enterprise/General Encryption Providers

• Certicom
• CheckPoint
• Entrust
• GuardianEdge
• IBM
• PGP
• RSA
• SafeNet
• Sophos (Utimaco)
• Thales (nCipher)
• TruCrypt
• Venafi
• Voltage
• WinMagic

Endpoint Encryption Vendors

• beCrypt
• Credant
• DESLock
• McAfee (SafeBoot)
• Microsoft (BitLocker)
• Namo
• Secude
• Secuware

Database Encryption Vendors

• Application Security Inc.
• NetLib
• Oracle
• Relational Wizards
• RSA (Valyd)
• SafeNet (Ingrian)
• Sybase
• Thales (nCipher)
• Voltage

Key Management, Certificate and other tools

• Entrust
• Verisign

Database Vulnerability Assessment (VA), access control & user management, and patch management are all areas where preventative security measures can be applied to a database system. For securing the data itself, we include such topics as Database Activity Monitoring (DAM), auditing, data obfuscation/masking, and database encryption. Technologies like database auditing can be used for either, but we include them in the later category because they provide a transactional view of database usage. We also include some of the database programming guidelines that can help protect databases from SQL injection and other attacks against application logic.

Papers and Posts

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and comments).

1. Database Activity Monitoring research paper remains a reader favorite and can be downloaded here: "Understanding and Selecting a Database Activity Monitoring Solution" white paper, and here are links to the individual blog posts: Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6.
2. Database Assessment paper will soon be released, with the blog series here: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6.
3. The post on Database Activity Monitoring and Event Collection Methods is designed to supplement some of the considerations any IT practitioner should consider when selecting a DAM solution.
4. The Database Encryption paper will be released soon. Here are the posts for our Database Encryption series.
   Part 1 - The Reboot!, Part 2: Selection Process Overview, Part 3: Transparent Encryption, Part 4: Credentialed User Protection, Part 5, Part 6, Part 7.
5. Database Audit Events is a comprehensive list of database events available through native database auditing techniques.
6. Many supporting posts on Database Encryption: Application vs. Database Encryption and Database Encryption: Fact vs. Fiction, Format and Datatype Preserving Encryption, An Introduction to Database Encryption, Database Encryption Misconceptions, Media encryption options for databases,and threat vectors to consider when encrypting data.
7. The 5 laws of Data Masking.

Database Security Patch Coverage

1. Oracle Critical Patch Update, July 2009.

General Coverage

1. SQL Injection Prevention
2. Database Audit Performance in this Friday Summary introduction
3. Database Encryption Benchmarking
4. Three Database Roles: Programmer, DBA, Architect
5. Database Security: The Other First Steps
6. Sentrigo and MS SQL Server Vulnerability.
7. Amazon’s SimpleDB.
8. Information on Weak Database Password Checkers.
9. Database Connections and Trust, and databases are not typically set up to validate incoming connections against SQL injection and misused credentials, and this post on recommending Stored Procedures to address SQL Injection attacks
10. Separation of Duties and Functions through roles and programmatic elements, and putting some of the web application code back into the database.
11. Native database primary key generation to avoid data leakage and inference problems, and additional comments on Inference Attacks.
12. Your Top 5 Database Security Resolutions.
13. Posts on separation of duties: Who "Owns" Database Security, and the follow-up: DBAs should NOT own DAM & Database Security.
14. A look at general threats around using External Database Procedures and variants in relational databases.
15. Database Audit Events.
16. Database Security Mass-Market Update and Friday Summary - May 29, 2009
17. Database Patches, Ad Nauseum
18. Acquisitions and Strategy
19. Comments on Oracle’s Acquisition of Sun
20. Oracle CPU for April 2009
21. Netezza buys Tizor
22. More Configuration and Assessment Options. Discusses recent Oracle and Tenable advancements.
23. Policies and Security Products applies to database security as well as other product lines.
24. Oracle Security Update for January 2009.
25. Responding to the SQL Server Zero Day: Security Advisory 961040 includes some recommendations and workarounds.
26. Will Database Security Vendors Disappear? and Rich's follow-on Database Security Market Challenges considerations for this market segment.
27. Behavioral Monitoring for database security.
28. NitroSecurity acquired RippleTech.
29. Database Monitoring is as big or bigger than DLP.

Presentations

• Rich's presentation on Understanding and Selecting a Database Activity Monitoring Solution. (PDF)
• Oracle database Security in a Down Economy. (PDF)

Podcasts, Webcasts and Multimedia

None at this time

Vendors/Tools

The following is just an alphabetized and categorized list of vendors and products in this area (including any free tools we are aware of). It does not imply endorsement, and is meant to assist you should you start looking for tools. Please email info@securosis.com if you have any additions or corrections.

Database Activity Monitoring

• Application Security Inc. (DBProtect)
• Fortinet.
• Guardium.
• Imperva. (SecureSphere)
• IPLocks Japan. (UBM)
• Netezza. (Tizor)
• nitrosecurity.
• Sentrigo.
• Secerno.

Database Vulnerability Assessment

• Application Security Inc. (AppDetective, DBProtect)
• Fortinet. (IPLocks)
• Imperva. (DAS, Scuba)
• Tenable Network Security. (Nessus)
• Next Generation Security Software NGS. (Squirrel)

Database Encryption

• NetLib.
• Oracle.
• Protegrity.
• Relational Wizards.
• RSA. (Valyd)
• SafeNet. (Ingrian)
• Sybase.
• Thales. (aka nCipher)
• Voltage.

Database Auditing

• Oracle.
• SoftTree Technologies. (DB Audit Expert)
• Quest. (InTrust for DB)

Database Masking

Coming soon.

Database Vendors

• IBM.
• Oracle.
• Sybase.
• Sun Microsystems. (MySQL)
• Teradata.
• Apache. (Derby)
• PostgreSQL. (Postgres)
• Ingres. (Open Ingres)

There are dozens of vendors, both big and small, who offer databases -- many with specific competitive advantages. We aren't even attempting to comprehensive, and specifically ignored any without widespread mainstream adoption. There are also dozens more open source databases with small numbers of deployments, perhaps primarily embedded in applications or backending non-commercial web applications.

By our definition, Web Application Security is a super-set of traditional application security. Why? Because more often than not, web applications are backed by enterprise applications. They have all of the same problems, along with a handful of new security issues that are specific to offering distributed programs and functions across the Internet. For example web applications offer features and functions to users outside the corporate network, so they cannot make any assumptions about the security of the network transmission nor the intentions of the user. They run on top of a complex conglomeration of services, consist primarily of custom code, produce dynamic content, and provide their UI entirely through a browser.

Papers and Posts

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and all public comments).

1. The most important piece of work we've published on Web Application Security is Building a Web Application Security Program. For those of you who followed along with the blog series, this is a compilation of that content, but it's been updated to reflect all the comments we received, with additional research, and the entire report was professionally edited. The original blog series can be found here (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7, and Part 8. As well as a couple points we forgot to mention.
2. Rich's post on How the Cloud Destroys Everything that I Love (About Web App Security).
3. The Risks of Trusting Content.
4. Web Application Security: We Need Web Application Firewalls to Work. Better.

General Coverage

1. XML Security Overview
2. It’s Thursday the 13th—Update Adobe Flash Day
3. Heartland Hackers Caught; Answers and Questions
4. Using a Mac? Turn Off Java in Your BrowserWere All Gonna Get Hacked is about the browser, not the app, but we'll cross reference here.
5. There Are No Trusted Sites: Security Edition
6. Click-jacking Details, Analysis, and Advice.
7. Comments on "Containing Conficker", a brief analysis of the Honeynet Project's Know Your Enemy paper, an examination of how the Conficker worm attacks and behaves in general.
8. WAF vs. Secure Code vs. Dead Fish.
9. Adrian's comments on structured software development security programs and the problems moving from Waterfall to Agile Software Development.

Presentations

• Our presentation on Building A Web Application Security Program. This was presented as supplementary material to the white paper of the same name.
• Presentation on Integrating Penetration Testing Into a Web Application Vulnerability Assessment Program. (PDF)

Podcasts, Webcasts and Multimedia

We do not currently have any multimedia for this topic.

Vendors/Tools

The following is just an alphabetized and categorized list of vendors and products in this area (including any free tools we are aware of). It does not imply endorsement, and is meant to assist you should you start looking for tools. Please email info@securosis.com if you have any additions or corrections.

Remember that web application security is over and above the standard application security practices and technology, and these should be considered alongside other tools. We strongly encourage you to learn about the specifics of subcategories in the navigation menu.

Web Application Assessment

• Cenzic
• HP
• Secure Works
• WhiteHat Security

Penetration Testing

• AppLabs
• Bonsai
• CGISecurity
• Core Security Technologies
• McAfee (Foundstone)
• Plynt
• Rvasi
• WindowSecurity.com

Static Source Code Review

• Aspect Security
• Cigital
• Fortify
• IBM
• Ounce
• Veracode

Dynamic Source Code Review

• Coverity
• Ounce
• Veracode

Web Application Firewalls

• ArtofDefense Hyperguard
• Barracuda Networks.
• Breach.
• Cisco.
• F5.
• Fortify.
• Fortinet
• Imperva.
• Protegrity.

Monitoring

(All WAF vendors can monitor as well.)

Education & Training

• SANS Institute
• SAIC Most regional ISSA and ISACA chapters can provide assistance as well.

The intended audience for this page is those interested in security products for their business, to keep their users' inboxes free of spam, and ensure Internet browsing stays within company policy. In the past we would just have said 'porn', as that is why many of these platforms are purchased. In reality there are many other security and compliance uses for these technologies, which are as least as important.

Papers and Posts

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and all public comments).

1. Barracuda Networks Acquires Purewire
2. McAfee Acquires MX Logic
3. The Symantec acquisition of MessageLabs demonstrates that the battle for this fully commoditized market is not over.
4. Marshal8e6 Buys Avinti, and how the smaller vendors need to innovate and re-position their technologies to compete.

General Coverage

1. The First Phishing Email I Almost Fell For
2. I Heart Creative Spam
3. Spam Levels and Anti-Spam SaaS.
4. Hackers 1, Marketing 0.

Presentations

PDF versions of presentations (when available) may also be useful, although they don't include any audio (for any audio/video, please see the next section).

Podcasts, Webcasts and Multimedia

We do not currently have any multimedia for this topic.

Vendors/Tools

The following is just an alphabetized and categorized list of vendors and products in this area (including any free tools we are aware of). It does not imply endorsement, and is meant to assist you should you start looking for tools. Please email if you have any additions or corrections.

Vendors

• Aladdin
• Astaro
• Axway (Tumbleweed)
• Barracuda Networks
• Cisco (Ironport)
• Clearswift (MIMESweeper)
• Cloudmark
• CommTouch
• Google (Postini)
• Marshal8e6 (Mail Marshal + 8e6 Technologies)
• McAfee (IronMail, WebWasher, Secure Computing, CipherTrust)
• Proofpoint
• SonicWall (MailFrontier)
• Symantec (BrightMail and MessageLabs)
• WebSense

We define CMP/DLP as:

Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis.

We use a pretty narrow definition to keep things clear -- CMP/DLP is a defined product category, not some general definition for anything that protects data. Encryption, DRM, portable device control, and all the other things that call themselves DLP can help with data loss, but aren't DLP. We think using a big bucket like that only confuses people. The best way to tell if something is DLP is to focus on the content awareness/analysis. If it only uses keywords or basic regular expressions, it isn't really DLP.

Now why should you care about DLP? Is it just another over-hyped technology? Nope -- we consider it to be one of the most significant security technologies to emerge over the past few years. By adding content and context awareness, we can now protect information based on what it is, as opposed to where it's stored or some silly label someone slapped on it as metadata. CMP tools are also expanding their understanding of business context, not just the data itself, so we can apply intelligent policies that reflect business processes, while only interfering with said processes when there is a policy violation. CMP helps us find our sensitive information, watch how it's being used, and then protect it.

It's far from perfect, but it's still good enough that we recommend it, and we'd use it ourselves if we didn't just give away all of our stuff for free.

We keep all of our Research Library pages updated with our latest research. Content is added where it fits best, not in chronological order, so we mark new material with the month/year it was added to help you find changes more easily.

Papers and Posts

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and all of the public comments as well).

1. The most important piece of work we've published on CMP/DLP is our white paper, Understanding and Selecting a Data Loss Prevention Solution. This report covers all the basics- features, architectures, use cases, and a recommended selection process with testing criteria. It was originally released as a series of blog posts: part 1 (introduction), part 2 (content awareness), part 3 (data-in-motion), part 4 (data-at-rest), part 5 (data-in-use/endpoint), part 6 (central administration), and part 7 (selection process). This is really the place to start if you need to learn about DLP.
2. I also wrote a feature for Information Security Magazine that covers similar material, but is much more condensed.
3. We also released a paper on Best Practices for DLP Content Discovery. This covers all the important issues when using DLP for data at rest. It was also a 6 part series: part 1, part 2, part 3, part 4, part 5, part 6 (use cases).
4. The third paper in our CMP/DLP series is dedicated to Best Practices for Endpoint DLP. As always, available in a series of blog posts: part 1, part 2, part 3, part 4, part 5, part 6 (use cases).
5. An early article on DLP as a feature vs. a full solution: DLP Is A Feature, CMF (Or Whatever We'll Call It) Is A Solution.
6. A discussion on the evolution of CMP: DLP/ILP/Extrusion Prevention < CMF < CMP < SILM: A Short Evolution of Data Loss Prevention.
7. A short piece I did for Network World on DLP, and why it's worth looking at now.
8. I'm a big proponent of full DLP solutions- this explains why: Data Protection Isn't A Network Security Or Endpoint Problem.
9. The dirty little secret of DLP.
10. Data protection developments are running along parallel paths -- one for productivity applications and communications (CMP/DLP), and the other in the data center (ADMP). Our definitions of DLP and ADMP.
11. Then a post on how those two worlds will connect.
12. A Network World article I wrote on pitfalls of DLP.
13. A look at the differences between DLP, content classification, and e-discovery.
14. You can also use DLP to help prevent malicious outbound connections from sophisticated attackers.

Presentations

Presentation on Understanding and Selecting a Data Loss Prevention System. This is a companion to the DLP White Paper.

Podcasts, Webcasts and Multimedia

We do not currently have any multimedia for this topic.

Vendors/Tools

The following is just an alphabetized and categorized list of vendors and products in this area (including any free tools we are aware of). It does not imply endorsement, and is meant to assist you should you start looking for tools. Please email info@securosis.com if you have any additions or corrections.

Note that many other products include "DLP light" features, such as basic keyword or regex matching. We are only including dedicated DLP solutions here.

Full Suite DLP

• CA (Orchestria)
• Code Green Networks
• EMC/RSA (Tablus)
• McAfee (Reconnex)
• Symantec (Vontu)
• Vericept
• Websense (PortAuthority)
• Workshare

Partial-suite solutions

• GTB Technologies

Network-only tools

• Clearswift
• Fidelis Security Systems
• Palisade Systems
• Proofpoint

Endpoint-only tools

• NextSentry
• Trend Micro (Provilla)
• Verdasys

Papers and Posts

• Rich's series defining a Cloud Security Data Lifecycle: Introduction, Create, Store, Use, Share, Archive and Delete.
• Securing the Cloud with Virtual Private Storage.
• How The Cloud Destroys Everything I Love about Web Application Security.

Presentations

• Understanding Cloud Security in 30 Minutes or Less!

Podcasts, Webcasts and Multimedia

Chris Hoff co-hosts the Network Security Podcast, and talks about the Microsoft/EM partnership, Liquid Machines and Information Centric Security. Oh, he mentions a few things on 'The Cloud' too.

We will continue to fill out our application security offerings, and provide additional specific coverage areas over time. Feel free to make a request if you have something in this area you are interested in seeing.

Papers and Posts

• Adrian's comments on structured software development security programs and the problems moving from Waterfall to Agile Software Development.
• How Common Applications Are (Now) the Weakest Link.
• Comments on "Containing Conficker" considers some of the challenges most application developers are up against.
• Immutable Log technologies help with auditing and event trail verification.
• For application security, the implementation and management of a policy set is a key factor in the cost and effectiveness of just about any security product (and, frankly, your happiness as well).
• Separation of Duties, Concept of Least Privilege, and other role-based user security measures.
• The Perils of the Insider Threat.
• PDF Security Pain, and stuff to think about on all script-enabled applications.
• A very cool way of reverse engineering applications and content with Visual Forensic Analysis tools.

Presentations

• This presentation covers Major Enterprise Application Security.

Podcasts, Webcasts and Multimedia

We do not currently have any multimedia for this topic.

Papers and Posts

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and all public comments). This research page covers System Information Management (SIM), System Event Management (SEM), and Log Management technologies. Basically anything that collects events from application and host system log files, or provides analysis and reporting on those events. There will be a few other variants in the type of data collected, where it is collected from, and the speed and depth of analysis performed. As these three areas are morphing into one, we felt it would be best at this time to stop pretending they are "differentiated" things and talk about the common business problems they help customers address.

Papers and Posts

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and all public comments).

1. SIEM, Today and Tomorrow is a look back at some of the evolutionary struggles of SIM/SEM, and what is happening with the market space today.
2. LogLogic Acquires Exaprotect.
3. It seems like every other post we mention SIM/SEM and Log Management. We get a briefing from a vendor nearly every week, and we both know and cover this space. Creating this research page, we realized just how few posts we have written that are dedicated to it. We will provide more in the coming weeks.

General Coverage

1. Policies and Security Products, covering the expense of policy creation and maintenance.

Presentations

1. Adrian's presentation on Meeting Compliance with SIM, SEM and Log Management provides an in-depth discussion of using SIM/SEM and Log Management products for meeting compliance, and offers practical tips in dealing with technical and process challenges.

Podcasts, Webcasts and Multimedia

We do not currently have any multimedia for this topic.

Vendors/Tools

The following is just an alphabetized and categorized list of vendors and products we are aware of in this area (including free tools). It does not imply endorsement, and is meant to assist you, should you start looking for tools. Please email info@securosis.com if you have any additions or corrections.

Vendors

ArcSight CA CISCO MARS eIQ ExaProtect IBM Intellitactics LogLogic LogRhythm NetForensics NetIQ NitroSecurity Quest InTrust RSA EnVision Sensage Symantec SSIM Tenable TriGeo Q1 Labs

All of the draft materials and public feedback are available on the project Blog and Forums:

• The Project Quant Blog and Landing Page
• The Project Quant Forums

Published project documents include:

• Version 1.0 of the Project Quant Report
• The Project Quant Survey Results Analysis

Here are the raw survey results from the project's Open Patch Management Survey:

• Project Quant Raw Survey Results, September 2009. (Zip file includes summary results in Excel format, and full raw results in Excel and CVS formats.)
• The survey is still active, and you can participate here.

ADMP is essentially the data center branch of information-centric security, and it combines elements of data and application security into a consistent and specific architecture. The goal is to watch application transactions from the browser through the database, and apply security controls that actually 'understand' what's going on.

Our definition is:

Products that monitor all activity in a business application and database, identify and audit users and content, and, based on central policies, protect data based on content, context, and/or activity.

Papers and Posts

1. The lead-in to this series of thought is Rich's posts on The Future Of Application and Database Security, Part 1 and Part 2.
2. Definitions: Content Monitoring and Protection And Application and Database Monitoring and Protection.
3. What is my motivation, or Why Are We Talking About ADMP.
4. ADMP and Assessment: Linking preventative and detective technologies.
5. ADMP: A Policy Driven Example.
6. Web Application Security: We Need Web Application Firewalls to Work. Better.
7. It's Time To Move Past Vulnerability Scanning To Anti-Exploitation.

Presentations

• Our presentation on Information Centric Data Security and the Data Centric Security Lifecycle.

Podcasts, Webcasts and Multimedia

We do not currently have any multimedia for this topic.