Combining Classification

and DLP To Prevent

Information Leaks
White Paper

Information in this document is subject to change without notice. Complying with all applicable
copyright laws is the responsibility of the user. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written consent of Titus.
Titus may have patent applications, trademarks, copyrights or other intellectual property rights covering
subject matter in this document.
Copyright 2011 Titus Inc.
Microsoft Windows, Windows 2000, Windows XP, Windows Server 2003, Microsoft Windows Rights
Management Services, and Microsoft SharePoint are either registered trademarks or trademarks of
Microsoft Corporation in the U.S.A. and/or other countries.
At Titus we work to help businesses better manage and secure valuable corporate information. Our
focus is on building policy management solutions that make it easier for IT administrators to protect and
manage corporate correspondence including email and documents.
For further information, contact us at (613) 820-5111 or email us at info@titus.com
http://www.titus.com

Combining Classification and DLP To Prevent Information Leaks | 2

www.titus.com www.mcafee.com

Table of Contents

1.0 | Introduction ......................................................................................................................................... 4

2.0 | Background .......................................................................................................................................... 5
3.0 | Classification Enables Controls ........................................................................................................... 6
4.0 | Integrated McAfee/Titus Solutions .................................................................................................... 7
4.1 | Titus Message Classification and Document Classification .............................................................. 7
4.2 | McAfee Host Data Loss Prevention and ePolicy Orchestrator ......................................................... 7
4.3 | Solution Overview ............................................................................................................................ 8
5.0 Conclusion ............................................................................................................................................ 12
6.0 About McAfee ...................................................................................................................................... 12
7.0 About Titus ........................................................................................................................................... 12

Combining Classification and DLP To Prevent Information Leaks | 3

www.titus.com www.mcafee.com

1.0 | Introduction
Rapid sharing of electronic information is crucial to effective collaboration and decision making. When
that information is sensitive in nature great care must be taken to safeguard it without overly impacting
the work of those who rely on it.
The task would be greatly simplified if mistakes and malicious behavior did not need to be considered.
Unfortunately they are part of the reality of information protection, and will continue to be as long as
humans are involved.
Recent events involving WikiLeaks have clearly illustrated that and have shown that additional data
leakage controls are required to account for the identified exposures.
This paper will discuss a number of information security advances made possible through the
combination of commercially available products from McAfee and Titus. The paper will specifically
address leakage of sensitive information originating from user desktops. An important aspect of these
technologies is the ability to prevent data loss without resorting to mechanisms which would impede
rapid and efficient collaboration. The approach described combines information classification
techniques with data leakage prevention tools.

Combining Classification and DLP To Prevent Information Leaks | 4

www.titus.com www.mcafee.com

2.0 | Background
Protection of sensitive information has recently come to the forefront as a result of the exposure of
sensitive information on the WikiLeaks site. Based on the alleged flow of events, two security issues
were central to the leakage of information related to Afghanistan, Iraq, and diplomatic cables:
1. Analysts had access to everything at their security clearance level, with minimal consideration
given to need to know or relevance.
2. Removable media was enabled with no controls on what information could acceptably be
removed through this channel. This risk can also be extended to other methods of removing
information such as webmail, email, printing and other techniques.
The first issue will require a long term effort to redesign information sharing systems. Post 9/11 there is
a greater understanding of the need to provide broad, seamless information sharing to allow analysts to
do their job. Enforcing overly strict need to know policies may be counterproductive. There are
certainly ways to reduce the risks inherent with this approach without impacting analysts work, but
many are longer term and require significant changes to infrastructure and workflow.
This paper addresses the second issue what can be done to prevent the removal (exfiltration) of
sensitive information. Disabling removable media and other exfiltration channels is an option, but may
also have impacts on day to day productivity of users. A more palatable approach is to enforce controls
on the types of information that can acceptably be removed from workstations. This requires that
information is consistently and reliably classified, and that the classification metadata be readily
available to security systems.

Combining Classification and DLP To Prevent Information Leaks | 5

www.titus.com www.mcafee.com

3.0 | Classification Enables Controls

Important considerations in securing information are an understanding of what information is truly
sensitive, who that information can be shared with, and how to safely handle it.
Individuals creating content such as emails or documents in government and military contexts generally
have a good understanding of how that information should be classified. Tools that assist those users to
quickly and consistently apply visual labels based on classification are critical to avoiding clerical errors.
These tools can also provide in-context guidance to aid users unsure of policy, as well as applying
machine readable metadata containing classification information.
Many existing classification tools add only a visual label within the document, but do not add any
classification metadata to the information. A classification tool that also adds metadata is a much more
powerful tool for security. Once applied this classification metadata is an extremely powerful asset
since it remains with the information and can be used by automated systems to enforce security
controls. Many people have a good understanding of how such controls work at network boundaries
and in cross domain guards. In most cases sensitive content is blocked from crossing while non-sensitive
content is allowed to pass.
In the alleged scenario of a security analyst in a remote facility inappropriately removing sensitive
information, no network boundary was crossed and no cross domain guard was involved. The
exfiltration channel used was removable media. To address this scenario a technology called host-based
data leakage prevention is required (hDLP), and the hDLP must be aware of the classification policy.
Consistent data classification metadata allows hDLP to be even more effective as it provides a source
uniformity and context to data that might not otherwise be so structured. Once the hDLP system is
aware of classification metadata, exfiltration policies can be defined and enforced to block specific
classifications, to block non-classified information, and to allow non-sensitive communications and
information to pass. Such technologies prevent the leakage of sensitive information without preventing
information sharing within the organization.

Combining Classification and DLP To Prevent Information Leaks | 6

www.titus.com www.mcafee.com

4.0 | Integrated McAfee/Titus Solutions

Together McAfee and Titus products provide a powerful combination to extend defense in depth
strategies addressing the problem of information leaks. The integrated solution can block information
from being copied to removable media or transmitted over inappropriate network channels based on
the classification metadata.
Relevant Titus products include:

Titus Message Classification for the classification of emails in Microsoft Outlook, Outlook
Web Access , and mobile devices

Titus Document Classification for the classification of Microsoft Office Word, PowerPoint,
and Excel documents

Relevant McAfee products include:

McAfee Host Data Loss Prevention provides protection against theft and accidental disclosure
of confidential data across networks, through applications, and via removable storage devices

McAfee ePolicy Orchestrator provides unified management of endpoint, network, and data
security with end-to-end visibility and powerful automations that slash incident response times

4.1 | Titus Message Classification and Document Classification

Titus Message Classification and Document Classification are information classification tools that embed
classification metadata in emails and documents based on user input, in addition to applying visual
labels and markings. These tools can also trigger additional levels of protection based on the
classification, such as the automatic application of Microsoft Active Directory Rights Management
Services (AD/RMS) or S/MIME protection for email. With features like caveat support, signed trusted
labels, guided classification for more complex classification processes, and customizable markings and
metadata, Titus Message Classification and Document Classification products provide a full featured
solution to government, military and commercial organizations which help them enforce their
classification policies and prevent inadvertent disclosure of information.

4.2 | McAfee Host Data Loss Prevention and ePolicy Orchestrator

McAfee Host Data Loss Prevention (hDLP) delivers unrivaled protection against theft and accidental
disclosure of confidential data. Installed at the endpoint, hDLP protection works across networks,
through applications, and through removable storage devices. This protection works both in and out of
the office, while employees are using corporate networks, as well as when they are out of the office
connected to non-corporate network resources, or disconnected entirely. McAfee ePolicy Orchestrator
(ePO) is widely acknowledged as the most advanced and scalable security management software in the
industry. With ePO software, organizations of all sizes can efficiently manage security across endpoints,
networks, and data; integrate third-party solutions; and automate workflows to create efficiencies,
streamline compliance, and provide visibility into security and compliance postures.
Combining Classification and DLP To Prevent Information Leaks | 7
www.titus.com www.mcafee.com

4.3 | Solution Overview

This sample configuration combines Titus and McAfee products to block content classified at sensitive
levels from being copied to removable media.
Titus Document Classification is used to prompt and guide users to make appropriate classification
decisions. Once the user had made classification decisions the classification markings and labels are
automatically applied in a consistent manner and classification information is also saved within the
document in the form of metadata. This metadata is then used by McAfee hDLP to accurately determine
whether the document can be removed from the computer.

Figure 1 - Classification Using Titus Document Classification

Figure 1 shows a document that has been classified by a user as SECRET/NOFORN. It includes visual
markings in the top header as well as a watermark.

Combining Classification and DLP To Prevent Information Leaks | 8

www.titus.com www.mcafee.com

Figure 2 - Sample Classification Metadata from Titus Document Classification

Figure 2 illustrates how documents include classification metadata once a document has been classified
and marked. Now that the information has been classified, the McAfee family of DLP solutions can be
used to prevent leakage of certain classifications of information.

Combining Classification and DLP To Prevent Information Leaks | 9

www.titus.com www.mcafee.com

Figure 3 - Defining a McAfee policy to block the copying of sensitive files based on Titus classification metadata.

Figure 3 shows the McAfee ePolicy Orchestrator being used to define a policy that assigns specifically
classified content to a category named Sensitive based on the Titus metadata.

Figure 4 hDLP Protection Rule To Block Sensitive Information in ePO

Combining Classification and DLP To Prevent Information Leaks | 10

www.titus.com www.mcafee.com

Figure 4 shows ePO protection rules defined to block copying of sensitive content to removable media.
Additional protection rules can be defined to block exfiltration via web upload & webmail, instant
messaging, network copy, etc.

Figure 5 - Sensitive Document Blocked from Copy to USB By McAfee hDLP

Once the policy is pushed to computers (end-points) running the McAfee hDLP agent, enforcement
begins and all attempted file copy actions to removable media are screened for any content that
matches the defined category of SECRET.
In this example copying sensitive information to removable storage is blocked, and the user is notified
via an optional popup message as shown in Figure 5. McAfee hDLP can also allow users to request
exceptions via a helpdesk or simply by providing business justifications where appropriate.

Combining Classification and DLP To Prevent Information Leaks | 11

www.titus.com www.mcafee.com

5.0 Conclusion
Sharing information and intelligence effectively requires that many users are given access to large
amounts of sensitive information.
To mitigate the risks of accidental or malicious leakage of this information without overly restricting
users a security approach combining information classification and data leakage prevention technologies
from Titus and McAfee is recommended. This approach has classification information stored within the
content in both human readable visual labels and machine readable metadata by Titus products. This
metadata can then be consistently and reliably used to convey classification and sensitivity to McAfee
data leakage prevention systems for enforcement.

6.0 About McAfee

McAfee, Inc., headquartered in Santa Clara, California, is the world's largest dedicated security
technology company. McAfee delivers proactive and proven solutions and services that help secure
systems, networks, and mobile devices around the world, allowing users to safely connect to the
Internet, browse and shop the Web more securely. Backed by unrivaled Global Threat Intelligence,
McAfee creates innovative products that empower home users, businesses, the public sector and
service providers by enabling them to prove compliance with regulations, protect data, prevent
disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee
secures your digital world. http://www.mcafee.com/

7.0 About Titus

Titus is the leading provider of email, document and SharePoint classification software solutions to help
organizations share information securely while meeting policy and compliance requirements. Our
solutions enable military, government, and large enterprises to raise awareness and meet regulatory
compliance by visually alerting end users to the sensitivity of information. With over 200 military,
government and enterprise customers worldwide including Dow Corning, NATO, Australian Department
of Defence, and the U.S. Department of Veterans Affairs, Titus solutions are deployed to over one
million users around the globe.
To learn more about how Titus can help your organization please visit www.titus.com, email us at
info@titus.com, or call us at 1-866-530-5111.

Combining Classification and DLP To Prevent Information Leaks | 12

www.titus.com www.mcafee.com