Palo Alto Enterprise DLP is a cloud-based service, but it can protect data held on sites and other cloud platforms. Palo Alto is a large and innovative company that is a significant player in the cybersecurity field.
Data loss prevention (DLP) is a field of security that is particularly important for businesses that deal with public members. Hackers have many ways to generate income from personally identifiable information (PII). For example, they can sell lists of email addresses to spam systems; they can sell the data to con artists that want to set up bank accounts in other people’s names, and they can buy tickets and open credit accounts with other people’s identities. These examples are just the tip of the iceberg.
The mess that identity theft can cause individuals drove governments to create laws that punished the businesses that disclosed PII. Industry organizations also have produced their standards for data protection. All this amounts to is that companies will be severely penalized if PII leaks out of their system. It has got to the point that neglecting data security can lose all of the profit they made by concentrating on their core business activity.
Leaks might be unintentional and the result of a failure in procedures in dealing with the public. Con artists can trick system credentials out of an employee and get unrestricted access to data. Hackers can get in and hide their presence while working out how to break into databases. Another problem is intentional data theft by a disgruntled employee, which is called an insider threat.
To be effective, a DLP system needs to track down every store of sensitive data within the business, narrow down the search to discern between types of sensitive data, and then control access to it and block movements by patrolling exit points from the system.
About Palo Alto Networks
Palo Alto Network began operations in 2005. Nir Zuk created the company. Mr. Zuk had built his career in cyber security first as an engineer for Check Point, where he started the first stateful firewall, and then as the principal developer for NetScreen Technologies.
Nir Zuk is a geek who made it to the top. He started as a 16-year-old in Israel writing viruses. He then turned legit and applied his genius to detecting and blocking the viruses of others. He moved to the USA in 1997 and became a major corporate asset. Branching out into his own company seemed the only logical next step.
After 16 years, Zuk is still involved in Palo Alto Networks. However, he doesn’t take the Chairmanship. Instead, he is the Chief Technology Officer (CTO) of the company. His first product at Palo Alto Networks wasn’t released until 2007. This was claimed to be the first “next-generation” firewall.
The firewall is a hallmark product of Palo Alto Networks, and it implements many of its products on the edge of networks. Since the trend to move services into the cloud, Palo Alto has shifted its focus to what is known as “edge services”. Effectively, off-site firewalls filter traffic in both directions and link through to the protected network via a VPN.
Enterprise DLP features
As can be seen from the description of Palo Alto Networks, the company is all about firewalls. Therefore, the challenges of creating an effective DLP are a bit of a problem for the company’s usual stance. Traditional DLPs start by getting into the network and searching through every endpoint for data stores. Just watching the periphery of the network from a firewall misses out on that essential system search task.
However, the Enterprise DLP does reach into the network and search through endpoints. The service’s three units are:
- Discover
- Monitor
- Protect
The Protect phase can easily be performed at the firewall. However, one big problem with understanding the Enterprise DLP strategy is its determination to depict itself as operating on the edge. Thus, they don’t like to admit that their software works within a network.
Discover
Palo Alto Networks explains that it searches through a system to find sensitive data in the forms of PII, credit card data, and intellectual property (IP). The system doesn’t wait until data arrives at the reverse firewall to determine whether its exit should be blocked.
The system uses a library of regular expressions, which can be modified according to a selection made in the service’s dashboard. For example, you can set the system to find all data instances that are subject to GDPR. The service scours both structured and unstructured data stores.
Individual data fields don’t usually provide much meat for hackers – there isn’t much value in stealing a list of first names. It is only when adjacent or nearby data fields are linked together that meaningful data can be gleaned. Therefore, the Enterprise DLP service uses machine learning to spot the relationships between data categories that human eyes can see straight away but traditional programmatic scans miss. This association between fields is called “fingerprinting”.
The Discover process can also scan images and electronic document formats using optical character recognition (OCR). So, the process will scour just about every format of data store, log their locations, list their sensitive content, and assign a degree of confidence. It is also possible to screen data stores with specialist third-party sensitive data discovery tools, and the Enterprise DLP system will recognize the tags created by those systems.
Monitor
Here is another task that requires action inside the network. However, Palo Alto’s edge standpoint makes that problematic. Therefore, monitoring takes place at the firewall and focuses on data movements outside of the network. This specifically applies to data transfers that travel out through the network’s gateway to the internet.
The firewall, or in this case, reverse firewall, can trace the origin of a data transfer by referring to the list of sensitive data locations.
Palo Alto Networks runs an authoritative threat intelligence feed, a vital part of the “delivered from the cloud” promise of the DLP system’s website.
Protect
An intrusion prevention system is an intrusion detection system with automated actions that shut down detected malicious activity. Nir Zuk is famous for his innovative evolution of the firewall and firewalls to create IPSs. Palo Alto Networks Enterprise DLP looks a lot like an IPS. The primary prevention routine of the system involves cutting off transmissions where the contents have been identified as containing sensitive data.
Deployment options
Palo Alto Networks headlines its DLP service as Cloud-delivered data protection. However, to fully implement DLP, the system needs to get inside the network. The protection of on-site data is offered as a service added to a Palo alto Network firewall. Two product lines can integrate this service:
- PA Series – a range of network appliances
- VM Series – edge services delivered from the Palo Alto cloud servers
Palo Alto Networks doesn’t publish a price list. Instead, the first point of contact for any potential customer is the 90-day free trial that the company offers on its VM series of edge services.
Strengths and weaknesses
Palo Alto Network provides exceptional next-generation firewalls, and they have extended that expertise into creating reverse firewalls and edge services. However, that doesn’t automatically build a useful DLP system.
Here is our assessment of the Palo Alto Networks Enterprise DLP.
Pros:
- A robust reverse firewall to block sensitive data transfers
- An active research team that keeps threat intelligence feeds updated
- A strong brand with authority and reliability
- A 90-day free trial
Cons:
- Not very strong within a network
- Doesn’t control transfers within a network, such as to printers or onto USB drives
- It doesn’t include user access control tightening or logging
A sound DLP system needs to segment data stores and rejig access rights management systems so that only specific roles in specific departments can access a particular datastore – the Palo Alto system doesn’t provide that. In addition, the Palo Alto philosophy of checking for transfers out of the network misses the option of insiders transferring data onto a memory stick or taking a hard copy and walking out of the building with it.
Alternative to Palo Alto DLP
You might need a Palo Alto firewall or an edge service from the company. In which case, you will be very well served. Adding on the DLP service is a good option, but it won’t give you total protection. There are other options. You can choose a different DLP service or select a better sensitive data tracker that will feed into the edge service. An endpoint protection system that can control peripheral devices and track printer activity would also be an excellent addition to the Palo Alto service.
Our methodology for selecting a Palo Alto DLP alternative
We reviewed the market for data loss prevention systems and analyzed the options based on the following criteria:
- A sensitive data discovery and classification service that can be tailored to specific standards requirements
- File access tracking and logging
- A fine-tuning of access proper management strategies
- Controls overall data exfiltration points
- Behavioral tracking to identify account takeover and insider threats
- A free trial or a demo system for a no-obligation assessment opportunity
- Value for money represented by a complete monitoring and control system at a reasonable price
With this set of criteria in mind, we have identified a group of data loss prevention options that will protect your business from the catastrophic financial consequences of data disclosure.
Here is our list of the five best alternatives to Palo Alto DLP:
- ManageEngine Endpoint DLP Plus (FREE TRIAL) This data loss prevention system includes sensitive data discovery and classification and a file protection system that is based on containerization. Sensitive data can only be accessed through trusted applications. Data movement is controlled according to user privileges and covers peripheral devices, email systems, cloud upload facilities, and file transfer systems. All data-related activities are logged for compliance auditing. The software installs on Windows Server. There is a Free edition to control data on 25 endpoints and the paid version, called Professional, is available for a 30-day free trial.
- Endpoint Protector A DLP system with a discovery and classification system for PII, credit card data, PHI, and IP. This system includes file activity tracking and data movement control. This service is available as a SaaS platform, as a service on AWS, GCP, or Azure, or as a virtual appliance on site. The service installs endpoint agents on Windows, macOS, and Linux, giving immediate responses and controlled removable devices. Assess Endpoint Protector through a demo system.
- Digital Guardian DLP A SaaS platform in the cloud installs endpoint agents on Windows, macOS, and Linux. This system has a data discovery and classification service for PII and intellectual property. It also controls peripheral devices, printers, faxes, file transfer systems, messaging services, and emails. There is a demo account available for you to assess Digital Guardian DLP.
- Teramind DLP A SaaS platform that discovers data stores across sites and on cloud platforms that give centralized control to data protection. This system includes OCR scanning on digital documents and images. Other features include user behavior tracking to detect insider threats and account takeover, plus controls on data exfiltration points. Teramind DLP is available for a 14-day free trial.
- Rapid7 InsightIDR Packaged as a SIEM, this is a cloud with endpoint agents. It includes user and entity behavior analytics (UEBA) to spot insider threats, account takeover, and intruder activity. In addition, the system consists of sensitive data discovery, file integrity monitoring, and a vulnerability scanner. This system qualifies as a data leak prevention service because it includes processes for the immediate shutdown of data movements when malicious activity is detected. Access a 30-day free trial.