Detection Accuracy
To prevent data loss, it is necessary to accurately detect all types of confidential data wherever the data is stored, copied, or transmitted. Without accurate detection, data loss prevention systems generate numerous false positives (messages or files identified as violations that are not violations), as well as false negatives (messages or files not identified as policy violations that are violations). False positives are costly in the time and resources required to investigate and resolve apparent incidents. False negatives obscure gaps in security: data loss goes undetected, with the potential for financial losses, legal exposure and damage to the reputation of the organization.
"Every enterprise needs to monitor and manage confidential information across all types of electronic communication. Vontu Data Loss Prevention solutions protect both our information assets and our customers' privacy."
- Trevor Odell, Manager of Security Administration
Pitney Bowes
Vontu Data Loss Prevention TrueMatch™ detection suite
Vontu TrueMatch detection suite from Symantec delivers the highest accuracy Data Loss Prevention solution available by analyzing both content and context at enterprise scale.
Content
Confidential data comes in many forms, including:
- Personally Identifiable Information (PII) exposing identities of patients or customers
- Intellectual property like design documents or source code
- Corporate data such as sensitive marketing plans and financial statements
- Previously classified data and documents.
TrueMatch detection
Vontu DLP TrueMatch detection technology delivers high accuracy
To accurately detect the range of data types, a Data Loss Prevention solution requires advanced detection technologies far beyond simple keywords and pattern matching. Our TrueMatch Detection Suite offers three key detection technologies:
Exact Data Matching (EDM)
Exact Data Matching (EDM) accurately detects your structured data; that is, data stored in databases and other tabular formats. Structured data generally includes customer, employee, patient or pricing information. EDM allows policy authors to manage fingerprints of protected data to be matched against information that is copied, stored, or sent. The detection algorithm can find entire records (rows), partial rows, or individual cells of data that are inappropriately exposed.
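The matching idea described above can be sketched as follows. This is an added example, not Vontu's or Symantec's algorithm or code: it assumes a keyed hash (HMAC-SHA-256) per normalized cell, a hypothetical `INDEX_KEY`, and a constructed sample table, and it classifies hits as full row, partial row, or single cell.

```python
import hashlib
import hmac
import re
from collections import defaultdict

INDEX_KEY = b"constructed-demo-key"  # assumption: secret held by the index owner

def normalize(value):
    """Lower-case and drop separators so '123-45-6789' and '123.45.6789' collide."""
    return re.sub(r"[^0-9a-z]", "", value.lower())

def fingerprint(value):
    """Keyed hash of a normalized cell; the index stores no plaintext."""
    return hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()

def build_index(rows):
    """Map each cell fingerprint to the (row_id, column) positions it came from."""
    index = defaultdict(set)
    for row_id, row in enumerate(rows):
        for column, cell in row.items():
            if normalize(cell):  # skip empty cells
                index[fingerprint(cell)].add((row_id, column))
    return index

def scan(text, index, columns_per_row):
    """Return {row_id: (classification, sorted matched columns)} for a message."""
    tokens = re.findall(r"[\w@.\-]+", text)
    # Single tokens plus adjacent pairs, so two-word cells such as names can match.
    candidates = tokens + [" ".join(pair) for pair in zip(tokens, tokens[1:])]
    hits = defaultdict(set)
    for candidate in candidates:
        if not normalize(candidate):
            continue
        for row_id, column in index.get(fingerprint(candidate), ()):
            hits[row_id].add(column)
    result = {}
    for row_id, columns in hits.items():
        if len(columns) == columns_per_row:
            kind = "full row"
        elif len(columns) > 1:
            kind = "partial row"
        else:
            kind = "single cell"
        result[row_id] = (kind, sorted(columns))
    return result

# Constructed sample table and index (not real data).
ROWS = [
    {"name": "Ana Ruiz", "ssn": "123-45-6789", "email": "ana.ruiz@example.com"},
    {"name": "Bo Chen", "ssn": "987-65-4321", "email": "bo.chen@example.com"},
]
INDEX = build_index(ROWS)
```

Single-cell hits on low-entropy columns such as names are a common source of false positives, so a policy built on this kind of index would normally require a minimum number of matched columns per row before raising an incident.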
Indexed Document Matching (IDM)
Indexed Document Matching (IDM) accurately detects your unstructured data stored in documents from file systems or other document repositories. This includes design plans, source code, CAD drawings, financial reports, and any other sensitive or proprietary information stored in documents. IDM allows policy authors to manage fingerprints of protected documents to be matched against information that is copied, stored, or sent. The detection algorithm can find full binary matches of documents or partial matches including extracts, versions or derivatives.
Described Content Matching (DCM)
Described Content Matching (DCM) accurately detects all types of data in cases where it is impossible or impractical to fingerprint the information to be protected. The technology uses a combination of lexicons, pattern matching, contextual validation, and file and message attribute information to find confidential data.
Context
The second dimension of detection accuracy is the context in which the particular sensitive content appears. Context refers to any information about the message or file under analysis other than the content itself.
Elements of context include the sender, recipients, logged-in user, protocol of communication, language, and file type. Some elements of context change depending on the data loss threat; for example, "senders" and "recipients" only make sense for network data loss prevention and have no meaning for endpoint data loss prevention. Other pieces of context hold true across the board; "file type" and "language" have meaning for any type of data loss detection.
Context is a critical piece of the detection puzzle because it reveals how data is being stored or moved and can completely change the outward appearance of the data. Context may completely change the seriousness of a data loss incident or determine whether there was an incident at all. A confidential design document sent to an outsourcing partner may be part of a normal business process, but that same document sent to a competitor is a critical data loss event. The same data can also look vastly different across languages, encryption methods, and file formats, so a solution must understand all of them to recognize it.
Scale
The third and final dimension of detection accuracy is the ability to operate at enterprise scale. Detection technologies that only work in a lab or test environment may not hold up in real life. Without full-scale load testing and proven enterprise deployments in the largest environments, any solution is incomplete. Backed-up queues will stop the flow of business and result in angry calls to the Help Desk; reverting to a "sampling" mode or falling over completely will result in massive potential for missed events and dramatically reduce total system accuracy.
Detecting a single violation in a lab setting is relatively simple; only Vontu DLP TrueMatch detection suite delivers full accuracy at scale across high levels of data throughput, hundreds of millions of elements of protected information, and across network architectures of Fortune 100 companies. Customers use Vontu DLP TrueMatch detection suite to:
- Scan terabytes of stored data
- Monitor gigabytes per second of data
- Scale to dozens of network access points and thousands of data repositories and end user machines
- Fingerprint millions of individual documents for partial and exact matches
- Fingerprint over two billion structured data elements on a single server.




