Rolling Review: Symantec's DLP-9

Symantec's DLP software provides robust leak prevention for endpoints and on the network.
On The Network
Symantec Network DLP was equally impressive. This module is broken into two components, Network Monitor and Network Prevent. They identify sensitive information traveling across the corporate network. Before you can monitor data in motion, you'll need to mirror all traffic to a Network Monitor or Network Prevent server for deep content inspection.

Network Monitor passively scans for data leaks via SMTP, IM, HTTP, FTP, or any other TCP-based protocol, and will alert an administrator if it detects sensitive data leaving the enterprise.

To block outgoing communications, you'll need to use Network Prevent in tandem with a third-party ICAP proxy, such as Blue Coat's ProxySG or Secure Computing's Webwasher. At this time, Network Prevent can only block traffic via SMTP, HTTP/HTTPS, and FTP.

The policy engine is well designed and relatively easy to use. Administrators can configure a range of response actions, including blocking, logging, alerting, quarantining, and escalating for approval. Any number of policies, responses, and actions can be tied together with Boolean logic to create complex rule sets. While this isn't a unique feature, Symantec's is the easiest to use of the suites we've tested thus far.
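To make concrete what a policy engine of this shape does (content detectors, Boolean composition, and a set of response actions per rule), here is a small added illustration in Python. It is not Symantec's code and does not reflect DLP-9's internal rule format; the message fields, the corporate domain `example.com`, the SSN and "confidential" detectors, and the sample messages are all constructed for the example. It also encodes the review's point that Network Prevent can block only SMTP, HTTP/HTTPS, and FTP, so the same content on another protocol falls through to a monitor-only rule.

```python
import re
from typing import Callable, Dict, List, Set

# A message as the engine sees it after content extraction (constructed shape).
Message = Dict[str, str]            # keys: protocol, sender, recipient, body
Condition = Callable[[Message], bool]

# Response actions named in the review.
BLOCK, LOG, ALERT, QUARANTINE, ESCALATE = "block", "log", "alert", "quarantine", "escalate"

CORP_DOMAIN = "example.com"         # assumption: the enterprise's own mail domain
BLOCKABLE = ("SMTP", "HTTP", "HTTPS", "FTP")   # protocols Network Prevent can block

# --- Content detectors (constructed patterns for illustration) ---
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKER_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)

def has_ssn(msg: Message) -> bool:
    return SSN_RE.search(msg["body"]) is not None

def has_confidential_marker(msg: Message) -> bool:
    return MARKER_RE.search(msg["body"]) is not None

def is_external(msg: Message) -> bool:
    return not msg["recipient"].lower().endswith("@" + CORP_DOMAIN)

def uses_protocol(*names: str) -> Condition:
    allowed = {n.upper() for n in names}
    return lambda msg: msg["protocol"].upper() in allowed

# --- Boolean combinators: build complex conditions from simple ones ---
def all_of(*conds: Condition) -> Condition:
    return lambda msg: all(c(msg) for c in conds)

def any_of(*conds: Condition) -> Condition:
    return lambda msg: any(c(msg) for c in conds)

def not_(cond: Condition) -> Condition:
    return lambda msg: not cond(msg)

# --- Policies: (name, condition, response actions) ---
POLICIES = [
    # SSN leaving the enterprise on a protocol Prevent can block.
    ("ssn-exfil-block",
     all_of(has_ssn, is_external, uses_protocol(*BLOCKABLE)),
     {BLOCK, ALERT, LOG}),
    # Same content on a protocol that can only be monitored (e.g. IM).
    ("ssn-exfil-monitor",
     all_of(has_ssn, is_external, not_(uses_protocol(*BLOCKABLE))),
     {ALERT, LOG}),
    # Marked-confidential content going outside: hold it and ask a human.
    ("marker-external",
     all_of(has_confidential_marker, is_external),
     {QUARANTINE, ESCALATE, LOG}),
    # Marked content staying inside: just keep a record.
    ("marker-internal",
     all_of(has_confidential_marker, not_(is_external)),
     {LOG}),
]

def evaluate(msg: Message) -> Dict[str, Set[str]]:
    """Return {policy_name: actions} for every policy whose condition matches."""
    return {name: actions for name, cond, actions in POLICIES if cond(msg)}

def decide(msg: Message) -> List[str]:
    """Union of the actions triggered by all matching policies, sorted."""
    actions: Set[str] = set()
    for acts in evaluate(msg).values():
        actions |= acts
    return sorted(actions)

# Constructed sample traffic, one message per case the rules distinguish.
SAMPLE_MESSAGES = [
    {"protocol": "SMTP", "sender": "alice@example.com", "recipient": "bob@partner.test",
     "body": "Payroll record, SSN 123-45-6789"},
    {"protocol": "IM", "sender": "carol@example.com", "recipient": "dave@chat.test",
     "body": "my ssn is 987-65-4321"},
    {"protocol": "HTTPS", "sender": "erin@example.com", "recipient": "upload@filehost.test",
     "body": "CONFIDENTIAL roadmap draft"},
    {"protocol": "SMTP", "sender": "frank@example.com", "recipient": "grace@example.com",
     "body": "Confidential: Q3 numbers attached"},
    {"protocol": "SMTP", "sender": "heidi@example.com", "recipient": "ivan@partner.test",
     "body": "lunch tomorrow?"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["protocol"], "->", m["recipient"], ":", decide(m) or "no action")
```

The point of the combinators is that each detector stays trivial and testable on its own, while the policy list is where analysts express "SSN and external and blockable protocol"; that separation is what makes a rule set like this auditable when it grows to dozens of policies.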

Rolling Review
Business value
An ounce of loss prevention can be worth thousands of dollars of remediation and damaged reputation. We'll test DLP options' ability to detect, report, and remediate trouble on handheld devices and PCs.
Reviewed so far
Safend Protector Endpoint:
Delivers impressive endpoint security but lacks application awareness and can't stop data leaks via printing of sensitive data or screen captures.

Code Green CI 1500:
Offers solid data discovery, and its complex pattern matching is tops, which means fewer false positives; but its endpoint protection capabilities could be better.

Vendors invited
McAfee, RSA, Trend Micro, Safend, Sophos, Symantec, Vericept, Websense
Still to come
RSA, Sophos, Trend Micro, Vericept
Symantec Storage DLP contains two components, Network Discover and Network Protect (yes, the branding of these components is confusing). Storage DLP is responsible for enterprise-wide data discovery, and it can query the widest range of structured and unstructured data sources we've seen thus far, including CIFS, NFS, DFS, and HFS file systems; databases; Exchange; SharePoint; Documentum; public Web sites; and wikis.

Using the same policy definition interface, administrators can perform a quick and dirty risk analysis via agentless data discovery. Agents can also be placed on high-value PCs and servers. Agent-based scans consume more system resources on the endpoint but will also complete the job more quickly than an agentless scan conducted over the network.

One feature of Storage DLP we particularly like is the ability to set a policy that automatically relocates sensitive data discovered in an unauthorized location. For instance, if a discovery sweep finds credit card numbers on an open file share, that information can be removed and sent to a secure repository.
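The credit-card-on-an-open-share case above is a good one to walk through in code, because the detail that decides whether such a sweep is useful is false-positive control: a 16-digit order number must not get relocated. The following is an added Python illustration, not Symantec's Network Discover or Network Protect code. It builds a throwaway "open share" and "secure repository" in temporary directories with constructed file contents (the 4111 1111 1111 1111 value is the well-known Visa test number), finds candidate card numbers with a regex, keeps only those that pass the Luhn check, and moves the offending files into the repository, preserving their relative paths.

```python
import os
import re
import shutil
import tempfile
from typing import Dict, List

# Candidate: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> List[str]:
    """Return the Luhn-valid candidates in text, digits only."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def sweep_and_relocate(share_dir: str, secure_dir: str) -> Dict[str, int]:
    """Scan every file under share_dir; move hits into secure_dir.

    Returns {relative_path: number_of_card_numbers} for relocated files.
    Files are read as UTF-8 text; binary content is skipped rather than parsed
    (a real product would extract text from documents first).
    """
    relocated: Dict[str, int] = {}
    for root, _dirs, files in os.walk(share_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            hits = find_card_numbers(text)
            if not hits:
                continue
            rel = os.path.relpath(path, share_dir).replace(os.sep, "/")
            dest = os.path.join(secure_dir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.move(path, dest)          # remove from the open share
            relocated[rel] = len(hits)
    return relocated

def _list_tree(base: str) -> List[str]:
    out = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            out.append(os.path.relpath(os.path.join(root, name), base).replace(os.sep, "/"))
    return sorted(out)

def run_demo() -> Dict[str, object]:
    """Build a constructed share, run the sweep, report what moved and what stayed."""
    share = tempfile.mkdtemp(prefix="open-share-")
    vault = tempfile.mkdtemp(prefix="secure-repo-")
    sample_files = {                       # constructed contents
        "finance/refunds.csv": "customer,card\nacme,4111 1111 1111 1111\n",
        "notes.txt": "order 1234567890123456 shipped; typo 4111111111111112",
        "readme.txt": "nothing sensitive here",
    }
    for rel, content in sample_files.items():
        path = os.path.join(share, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    relocated = sweep_and_relocate(share, vault)
    return {"relocated": relocated, "remaining": _list_tree(share), "vault": _list_tree(vault)}

if __name__ == "__main__":
    print(run_demo())
```

The two non-hits in `notes.txt` are the interesting part: both are 16-digit strings that a naive regex would flag, and both fail Luhn, so the file stays where it is. A production sweep would add per-file logging of what was moved and why, since the relocation itself is the kind of action an administrator needs an audit trail for.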

The DLP-9 suite is completely software-based. A single executable contains all of the components, and each set of features can be deployed alone or in tandem. Extracting list pricing for DLP-9 from Symantec was extremely difficult. While you can purchase Endpoint, Network, and Storage DLP separately, the only guidance we were given was that DLP-9 starts at $25,000 and license costs are based on the number of users and the products purchased.

DLP-9 sets a high bar, but we fully expect RSA, the next vendor in our Rolling Review, to give Symantec a run for its money.

On a housekeeping note, Websense and McAfee have dropped out of this review due to resource constraints. Trend Micro and Sophos will replace them.
