5

My client is a small startup who wants to protect their Source code, have basic network security, USB disable etc. are in place.

Wondering what are DLP options suitable for a small startup, mainly to protect against intentional or accidental source code exposure.

Thanks

5 Answers

2

You need to identify your requirements, and especially you need to understand what level of security they need. Simply put, if your client is an antivirus company, the source code needs to be highly secured. Therefore you have to provide a somewhat high-level security solution. It should not be single-layer protection. Company size does not matter. The value of the data is what is important.

Accordingly, you can use DLP and DRM solutions. DLP provides very high-level security, including:

  • Discovery and protection wherever it is used or stored
  • Monitoring data usage
  • Visibility and control over encrypted data, etc.

It definitely provides a high level of security against intentional or accidental data exposure.

In addition to that, you can use a DRM solution. It is a data rights management tool, and it will provide somewhat similar protection to DLP (DRM != DLP).

Regarding your other question, USB disabling is generally provided by an antivirus solution. Network security can be provided by antivirus. But they have expertise in separate jobs. But you can purchase one single product which includes both antivirus and DLP. Currently all major antivirus systems provide these capabilities. But for a DLP solution you will have to pay additionally.

For network security you can use a firewall and an IDS/IPS system. If they consider cost, reputable open-source firewalls are available.

Infra
2

I don't think this is as easy as simply plugging in some DLP product into some arbitrary environment.

I would say it is practically impossible to actually prevent intentional stealing of information by insiders who need on the one hand to have access to the code for working and on the other to have some way to communicate with externals (like surfing the web to get information). While one could probably prevent direct channels between the communication part and the code writing part by having these in physically separate networks and systems, this will noticeably impact productivity and is thus impractical for most environments. It is probably especially unacceptable for startups, where a high trust in each other is often necessary to achieve the necessary flexibility and high productivity.

Accidental spilling of source code by insiders is a bit different. DLP might prevent employees from posting snippets of the code to external sites like Stack Overflow. But this comes at the cost of not allowing them to post anything (which again impacts productivity) or of somehow inspecting all traffic (including SSL interception) and comparing posts to parts of the source code, which requires the DLP to get information about the code it should protect. But the question is whether leaking small snippets of the code is even a significant problem at all.

More of a problem is likely leaking major parts of the code. Accidentally leaking major parts by insiders suggests that there is some problem with how the source code is handled internally, i.e. it is more a process problem where a DLP does not really help. Thus make sure, from how processes are designed and lived, that there is not even a need to have source code outside the company, i.e. that there is no need to have source code available on some cloud systems in order to run your product, and that source code does not have to be shipped to customers so that they can run your product. Unfortunately there is not enough specific information about your use case, so these can only be very broad recommendations.

Leaking major parts of the code by attackers is a problem where DLP is probably the less relevant part. Instead the usual recommendations apply, i.e. proper security in the first place in order to make intrusion into your network and lateral movement inside the network sufficiently hard, and proper monitoring of what happens. And then make sure that it is clear who has access to the data and when and how (from which systems) etc. And make sure that it is not only clear but that it actually gets enforced and monitored against unusual usage patterns. And the more restrictive this access is the better, but more restrictions come again with a loss in flexibility and productivity. Zero-Trust concepts like BeyondCorp might help here. But whether they can be implemented depends a lot on the specifics of the infrastructure and environment, the applications used, etc. So again, these can only be broad recommendations.

Steffen Ullrich
0

In all of my experience with Data Loss Prevention systems, simply giving away a bag of money doesn't guarantee you that no data would be leaked. DLP usually does what it is told to do, but it is hard for anybody as a DLP administrator to predict all the ways in which data could leak from their organization. After all, you're trying to stop a human with a machine and people still tend to outsmart computers (and the people who configure them) occasionally.

Then again, even if you had the perfect system which prevents leakage of all required data over all existing channels, somebody could just flip out their phone and take a photo of the monitor with the sensitive data on it. Therefore, strict internal practices should be developed and applied in order to secure the data as much as possible.

Now, to directly answer your question:

Wondering what are DLP options suitable for a small startup

I've had pleasant experience with Forcepoint DLP and I believe it would be best suited for your case because:

  • It is easy to configure;
  • It contains scripts and methods to detect source code out of the box;
  • The solution includes risk scoring which makes it easy to apply the correct action depending on the user's past actions so the business process wouldn't be harmed;
  • The vendor's other solutions include User and Entity Behavior Analytics which might also be useful for your case.

The latter two options might appear to be too much for a startup, but, as serverAdmin123 mentioned, it's not the company size that matters but the value of the data.

Most likely there are other solutions on the market which could be more beneficial for your customer or they might require a custom-built solution, but this is subject to discussion between you and them.

Elhitch
0

What is your threat?

Is your client afraid of outsiders breaking into their system and stealing the source code? If so, the various DLP solutions would work well, and you should combine their mechanics. You firstly want to tag all the files appropriately and implement rules for automatic tagging (e.g. directory based). You should also fingerprint the source files, but this is unreliable if they are being worked on. Better is adding identifying information to the files, such as a standard header, that you can write a rule for. Sure, an attacker can edit the file and remove that header, but only if he understands what you're doing and has sufficient access to do that. And since that's not the only thing you are relying on, you're good.

If your client is afraid of insiders leaking the source code, it becomes quite a bit tougher. In addition to tags and fingerprints (headers are useless, your insiders know about them and have access) you need to implement rules on who can change them and how and a DLP system that supports these management aspects. You need to define workflows and permissions. All doable, but might be too much to handle for a startup.


As far as products are concerned:

  • Forcepoint DLP works well; I've used it before and it can do what you need.
  • McAfee DLP should also cover you.
  • Boldon James is a tagging system that could be useful in addition if you have the budget.

All of them will require someone familiar with the product to implement. There are others, but I don't have first-hand experience with them.

Tom
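The header rule and the fingerprinting caveat from the answer above, as an added example that is not part of any answer and not taken from any DLP product. The marker text `ACME-CONFIDENTIAL-SOURCE`, the 3-line window and the 0.5 threshold are assumptions, and both sample files are constructed. Fingerprinting runs of lines instead of the whole file keeps a match when the header is stripped and a line is edited.

```python
import hashlib
import re

# Assumed marker text; the answer only says "a standard header".
HEADER_RULE = re.compile(r"ACME-CONFIDENTIAL-SOURCE")
WINDOW = 3  # consecutive lines per fingerprint (assumption)

# Constructed sample: a protected file carrying the header.
PROTECTED = """# ACME-CONFIDENTIAL-SOURCE
def rate(user, plan):
    base = PRICES[plan]
    if user.is_partner:
        base *= 0.8
    tax = base * TAX_RATE
    total = base + tax
    return round(total, 2)
"""

# Constructed sample: header removed, re-indented, last line edited.
LEAK = """def rate(user, plan):
  base = PRICES[plan]
  if user.is_partner:
    base *= 0.8
  tax = base * TAX_RATE
  total = base + tax
  return round(total, 1)
"""


def fingerprints(text, window=WINDOW):
    """Hash each run of `window` lines, ignoring whitespace and blank lines."""
    lines = [re.sub(r"\s+", "", ln) for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    return {
        hashlib.sha256("\n".join(lines[i:i + window]).encode()).hexdigest()
        for i in range(len(lines) - window + 1)
    }


def classify(outbound, index, threshold=0.5):
    """Return (verdict, overlap): header rule first, then fingerprint overlap."""
    if HEADER_RULE.search(outbound):
        return "block:header", 1.0
    fps = fingerprints(outbound)
    overlap = len(fps & index) / len(fps) if fps else 0.0
    return ("block:fingerprint" if overlap >= threshold else "allow"), overlap


INDEX = fingerprints(PROTECTED)  # built once from the protected repository
```

`classify(LEAK, INDEX)` still matches on 4 of its 5 windows although the header is gone, while text shorter than the window produces no fingerprints and is allowed.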
-1

Here are a few ideas for your consideration:

  1. Security cameras - Preventing anyone from taking a picture with a cell phone is very hard. Have a company policy against it and continuously monitor the developer room.

  2. Remove external network access - Do not allow developer machines to access the internet.

  3. Uninstall the browser, and only allow an email client that is monitored and authorized. If it's a really small company and everyone is in the same room, you might even eliminate the email client.

  4. Using your AV product, blacklist known browsers and email clients, and set up alerts so that if anything new is installed, you are notified.

  5. Do not allow printers.

  6. Using your proxy server, monitor browsing activities if you do allow internet access. But block / monitor cloud services and email websites.

  7. There are some software tools for protecting source code; you can explore those. If someone needs just "viewing" rights, do not provide extra privileges. In addition, do not show the entire code if there is no need. Show only what's essential for the task.

  8. McAfee Endpoint DLP could be a reasonable choice. Among its notable features: you can monitor clipboard content, set up and monitor a specific network share, set up your own secret keywords, monitor the usual email and file modification and related activities, keep audit logs, prevent printing, set up a workflow so that if someone needs to email a file it goes to a superior for authorization with the whole process logged, and collect evidence. It is a pretty sweet endpoint DLP product I must say.

Lastly, these are some ideas. You have to decide what is appropriate. Some are very restrictive. Hope you find this useful. Good luck.