2. The Elevator Pitch – Digital Guardian in a nutshell
We Have the Deepest Visibility, Most Flexible Controls and Best Analytics
Internal Use Only 2
We offer a next generation security platform that combines Data Loss Prevention (DLP), Endpoint Detection & Response (EDR) and User Entity Behavior Analytics (UEBA) to deliver what we call Threat Aware Data Protection (TADP). Digital Guardian is the only data-centric security provider who fully understands that data is the ultimate asset to protect.
The DG Platform provides a single cloud-based user interface where security professionals can visualize their data like never before. Leveraging our cloud-based big data architecture and machine learning, InfoSec and SOC analysts can build advanced workspaces to interact with their rich data and detect issues before they become real security problems.
TADP takes full advantage of the unsurpassed, 360-degree visibility provided across endpoints and the network to protect your data against all threat vectors with flexible controls and granular, yet practical, enforcement.
There is simply no other solution that combines Threat Detection with Data Awareness.
3. Digital Guardian
Confidential 3
• Founded 2003 to protect all data against theft
• Began with protecting IP on the endpoint – the most challenging use case
• Simplified compliance and cloud data protection with DG appliance
• Launched industry’s first Managed Security Program for DLP
• Only security company 100% focused on protecting sensitive data from loss or theft
• Growing 50% per year – fastest growing vendor in MQ
• Magic Quadrant Leader
• Wave Leader
6. 2 Main Data Types
Personal Information
• Customer data (PII, PCI, PHI)
• Structured data
• Can be recognized on network via content inspection & fingerprinting
• Compliance driven use cases (e.g. GDPR)
• Healthcare, Consumer Banking, Insurance, Retail, Government (citizen services) – consumer industries
Intellectual Property
• Company Data, IP, Product Plans (CAD), Source Code, Formulas, Trade Secrets, R&D data, Business Processes
• Structured & Unstructured data
• Requires context from endpoint to recognize; fingerprinting unreliable and complex
• Protection oriented use cases
• Manufacturing, Pharma, Chemical, Oil & Gas, Top-secret Government, Financial Services
7. Understand: What Data to Protect
Content-based
• File inspection to identify, tag and fingerprint sensitive data for lowest false positives
Context-based
• Identify & tag sensitive data (structured and unstructured) even before you develop policies
User-based
• Enable users to classify sensitive data based on business requirements
[Diagram: sample classified items (Classified, Mac, DWG; Joe Smith, 462-81-5406, 42 Wallaby Cook) and context parameters – Source/Destination, Application, Network State, Operation, Drive Type, Time of Day, Upload/Download, User, Computer, Classification, Email, Session – out of 200+ parameters]
Most comprehensive data discovery & classification on the market today
8. Digital Guardian Architecture
[Diagram]
DGMC
DG Network: Tap/SPAN Port, MS Exchange, Web Proxy, ICAP, MTA
DG Discovery: Share, CIFS, NAS; Database; Cloud Storage
DG Cloud DLP
DG Endpoint: Endpoint Classification, Control, Forensics; MS, OSX, Linux; Citrix, VMware, Hyper-V
Threat Analysis: IOC Creation, Attack Forensics
Reporting: Analytics, Customization, Case Management, Forensics
DeviceControl
EDR / ATP as Managed Service
9. Digital Guardian Server (DGMC)
Digital Guardian Management Console (DGMC)
• A Web-based management console to administer and monitor the DG system.
DGComm
• An IIS Web Application used by the DG Agent to capture user activities (bundles) in the Collection database. (Can also be installed remotely.)
Bundle Processor
• A service that processes the encrypted data on user activities. The processed information is available in the DG Management Console through a variety of reports.
Job Scheduler
• A process for scheduling DG activities, such as Active Directory synchronization and email alert notifications. You can schedule and monitor jobs using DGMC.
Agents connect via HTTP(S), port 80 or 443
10. Database
• Digital Guardian uses two databases
  • Collection Database, an operational database that stores all DG Agent activity for the current day.
  • Reporting Database, a centralized database that stores aggregated data from the Collection database.
• Digital Guardian uses the aggregated data to prepare enterprise-wide reports.
• Digital Guardian requires the SQL Server database application to maintain a database environment.
• The Collection and Reporting databases must be located on the same database application.
13. Digital Guardian Agent
Communication:
• Communication between the agents and the DG server is asynchronous and is initiated by the agents towards the server, usually at a set frequency (default is 30 minutes, but this is configurable). Network utilization of an agent is estimated at approximately 300KB per user per day.
Secure communication:
• DG Server can use either HTTP or HTTPS to communicate with DG Agents. All agent/server communication is encrypted, regardless of whether HTTP or HTTPS is selected as the communication protocol.
Stealth Mode:
• Stealth mode prevents the DG Agent installation directory and drivers from appearing on the user’s hard drive in either Windows Explorer or the command prompt. Stealth mode also hides all DG Agent registry settings, and prevents DG Agent processes from appearing in the user’s Windows Task Manager.
Tamper Resistant Mode:
• Tamper resistant mode prevents users from opening or altering DG Agent files. It also immediately restarts any DG Agent processes that have been terminated. This ensures that users cannot shut down the DG Agent.
Offline policy enforcement and logging:
• DG policies are applied directly to the agent and do not require any server communication to be enforced. Bundles (user operations) are also stored on the agent and communicated to the server at pre-configured intervals.
14. Agent functions – Agent consolidation
Data Classification
• Automatic classification with content, context or user based options
DLP – Data Leakage Prevention
• Protect the data wherever it goes
Device Control
• Control external devices connected to the system
• Control data movements to these devices
Application Control (light)
Endpoint Detection & Response
• Detect unusual behavior of Users / System / Applications
• Run remote commands to collect important files, configurations, log entries, settings from endpoints
Forensics
• Get deepest visibility into User / System / Application activities
17. nDLP Modules
Management
• Single Management Console
• All events of interest and artifacts detected
• Deploys policy, schedules discovery scans, fingerprinting, reporting
Email (MTA)
• Receives outbound email and analyses it for content
Web (ICAP)
• Integrates with Web Proxy to analyse web traffic
Discovery (On Premise & Cloud)
• Scans storage repositories for content and performs remediation actions
Network Monitoring
• Passively monitors network activity for content
nDLP devices can run one or more detection modules
18. nDLP Email
[Diagram: Office 365 or On Premise Exchange sends outbound email to the nDLP Appliance for analysis; analyzed and authorised mail goes on to the Email Delivery Server, otherwise it is blocked; Office 365 Web Client shown as a second source]
• Connected via MTA with the Mail Gateway
• Scans outbound mail for confidential content
19. nDLP Web
[Diagram: Web Posts (Email, Social Media) pass through the Proxy to nDLP; Content Good – allowed; Policy Trigger – Block]
• Connected via ICAP on a Proxy Server like Squid or any other ICAP capable device
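As an added illustration of the ICAP flow above (not Digital Guardian's code): a minimal REQMOD handler in Python that inspects an outbound web POST and answers 204 (content good, proxy forwards the request) or returns a replacement HTTP 403 (policy trigger, block). The icap://dlp.example endpoint, the constructed messages and the single SSN-style content rule are assumptions for the example.

```python
import re

# Constructed sample rule: a US SSN-style number, matching the "462-81-5406"
# sample on the classification slide. A real DLP policy carries many such rules.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def dechunk(data: bytes) -> bytes:
    """Decode an HTTP chunked body (ICAP carries encapsulated bodies this way)."""
    out = b""
    while data:
        line, data = data.split(b"\r\n", 1)
        size = int(line, 16)
        if size == 0:
            break
        out += data[:size]
        data = data[size + 2:]  # skip the chunk's trailing CRLF
    return out

def parse_reqmod(raw: bytes):
    """Split an ICAP REQMOD message into (ICAP headers, HTTP request head, body)."""
    icap_head, rest = raw.split(b"\r\n\r\n", 1)
    headers = dict(line.split(b": ", 1) for line in icap_head.split(b"\r\n")[1:])
    # Encapsulated: req-hdr=0, req-body=N  -> N is the byte offset of the body in rest
    enc = dict(p.strip().split(b"=") for p in headers[b"Encapsulated"].split(b","))
    body_off = int(enc.get(b"req-body", len(rest)))
    return headers, rest[:body_off], dechunk(rest[body_off:])

def decide(raw: bytes) -> str:
    """'block' when the outbound request body triggers the policy, else 'allow'."""
    _, _, body = parse_reqmod(raw)
    return "block" if SSN_RE.search(body.decode("utf-8", "replace")) else "allow"

def handle(raw: bytes) -> bytes:
    """ICAP reply: 204 lets the proxy forward the request unchanged (client sent
    Allow: 204); on a policy trigger, return a replacement HTTP 403 for the user."""
    if decide(raw) == "allow":
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    page = b"Blocked by DLP policy\r\n"
    http = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    icap = b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http)
    return icap + http + b"%x\r\n%s\r\n0\r\n\r\n" % (len(page), page)

def make_reqmod(body: bytes) -> bytes:
    """Build a constructed REQMOD message for a web POST, as an ICAP-capable proxy would send."""
    http = b"POST /post HTTP/1.1\r\nHost: social.example\r\nContent-Length: %d\r\n\r\n" % len(body)
    icap = (b"REQMOD icap://dlp.example/reqmod ICAP/1.0\r\nHost: dlp.example\r\nAllow: 204\r\n"
            b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(http))
    return icap + http + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
```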
20. nDLP Discovery
[Diagram: nDLP scans File Server, Database Server and Sharepoint Server; findings are remediated, e.g. moved to a Secure Vault]
• Ability to connect to databases and use the fingerprint of the content to discover the real data
  • In other databases
  • On file servers (e.g. Excel files, PowerPoint slides, etc.)
  • On Sharepoint servers
  • In the cloud
23. Expand Your Vocabulary
Risk
• A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
Security Intelligence
• The information relevant to protecting an organization from external and insider threats. It embodies the processes, policies and tools designed to gather and analyze that information. Helps identify and manage the threats that pose the greatest risk to the business and require immediate attention.
Adaptive Security
• An approach to safeguarding systems and data by recognizing threat-related behaviors rather than the files and code used by virus definitions. The essence of the approach is the ability to adapt and respond to a complex and constantly changing environment.
24. Expand Your Vocabulary
EDR
• Tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints. Intended to address the need for continuous monitoring and response to threats.
UEBA
• UEBA utilizes machine learning and other advanced analytics for profiling and anomaly detection of user and entity behavior (hosts, devices, etc.). The output is a set of risk scores designed to measure threats and simplify the work of the security professional.
25. Threat Aware Data Protection
Threat Aware Data Protection (TADP)
• Convergence of data protection and threat aware capabilities
• Unique in the industry as DG is the only vendor to combine DLP, EDR and UEBA use cases into a single solution
Core to this concept are:
• Deep Visibility into the host: Microsoft, Linux, and MacOS
• Visualization – advanced visualization, workspaces, views, and workflows
• Advanced Data Protection Concepts – incident response and management
• Threat Awareness and Intelligence
26. Technology Overview – Intelligent Assessment Enabling Focused Response
[Diagram]
Visibility: System Events, Data Events, User Events
Analysis: Real-time, Flexible, Persona Based
Improved Detection: Forensic Artifacts, Threat Mapping, State/Context Based
Common Information and Asset Repository: Big Data
Analytics: Risk Based, Rule Based, Statistical, Historical
Workflow: Workspaces, Alarms, HUD