Rolling Review: Symantec's DLP-9

Symantec's DLP software provides robust leak prevention for endpoints and on the network.

Randy George, Director, IT Operations, Boston Red Sox

July 30, 2009



In the InformationWeek Labs, we take pride in exposing bugs, flaws and security holes in the products we test. Today, we bury our pride and tip our hats to Symantec for bringing to market almost everything we look for in a comprehensive data loss prevention suite via its DLP-9, formerly from Vontu.

We challenged vendors to submit products to satisfy a wide range of DLP needs for midsize and large organizations, including robust endpoint protection, agentless data discovery, quality reporting and alerting, threat detection, and mitigation, along with centralized management and policy distribution. Symantec DLP-9 delivers an impressive array of features in each category.

Starting At The End
Symantec DLP-9 has three core modules: Endpoint DLP, Network DLP, and Storage DLP. Policies can be defined, distributed, and reported on centrally via the Enforce Server, Symantec's Web-enabled management platform.

The DLP-9 Endpoint agent is a relatively small client, around 25 MB. When a user is off the corporate network but still online via a home or public Internet connection, or if you haven't deployed the network components of the DLP suite, the endpoint agent enforces policy so that users can't expose sensitive data through actions such as attaching a document with sensitive information to Web mail or copying and pasting protected content to a Web site.

The agent takes a different approach to enforcement compared with other products we've tested, and it's not necessarily better. Rather than wrapping policy around physical ports on an endpoint, policy is applied to the data you want to protect. For example, you can't shut down a USB port on a given endpoint completely, but you can prevent confidential data from being copied to removable media. This allows for greater flexibility for end users, because they can use their USB ports for legitimate business needs, while the policy engine stops unauthorized copying of sensitive information. However, this setup puts the onus on IT to identify and fingerprint sensitive files and documents and then ensure the appropriate policies are in place on all endpoints.

This is not a one-time operation and will require ongoing effort, particularly for large or distributed enterprises and those companies with a significant population of mobile workers. To help alleviate this issue, Symantec provides for broad policies to identify data types, such as Social Security numbers, that shouldn't be allowed to be copied to removable media.


The endpoint agent is extremely configurable in terms of the amount of resources you can allocate to various tasks. For example, during an endpoint data discovery task, in which the agent scans the computer for sensitive information, you can set a bandwidth threshold in megabits per second. You can also throttle back the agent during periods of high CPU use or disk I/O, or low battery life.

The only weak link we see on the endpoint is that Symantec's ability to detect various peer-to-peer protocols is port based, so you'll need to rely on upstream security devices to detect and block P2P apps using a signature-based detection engine. We'd also like to see more physical-layer control, such as the ability to completely disable USB/Firewire ports and other removable media devices. Built-in encryption and robust application control capabilities would also be welcome. Those features can be had by licensing Symantec Endpoint Encryption separately, but we'd like to see them merged into the agent.

Our Take

DLP-9 met every challenge in our Rolling Review of comprehensive data loss prevention suites

Symantec's componentized architecture lets IT shops license and deploy various DLP features on an à la carte basis.

Enterprises pick their own hardware, and the software maintains impressive scalability.

With a list price starting at $25,000, DLP-9 is aimed at midsize and large enterprises.

On The Network
Symantec Network DLP was equally impressive. This module is broken into two components, Network Monitor and Network Prevent. They identify sensitive information traveling across the corporate network. Before you can monitor data in motion, you'll need to mirror all traffic to a Network Monitor or Network Prevent server for deep content inspection.

Network Monitor passively scans for data leaks via SMTP, IM, HTTP, FTP, or any other TCP-based protocol, and will alert an administrator if it detects sensitive data leaving the enterprise.

To block outgoing communications, you'll need to use Network Prevent in tandem with a third-party ICAP proxy, such as Bluecoat's ProxySG or Secure Computing's Webwasher. At this time, Network Prevent can only block traffic via SMTP, HTTP/HTTPS, and FTP.

The policy engine is well designed and relatively easy to use. Administrators can configure a range of response actions, including blocking, logging, alerting, quarantining, and escalating for approval. Any number of policies, responses, and actions can be tied together with Boolean logic to create complex rule sets. While this isn't a unique feature, it's the easiest to use among the other suites we've tested thus far.
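As an added illustration of the content-based model described above and in the endpoint section (example code, not Symantec's own engine or policies): a fingerprinted document and broad data-type identifiers are detected first, then combined with the egress channel through Boolean rules to select a response. The patterns, the sample memo and the rule set are constructed for the example.

```python
import hashlib
import re
# Broad data-type identifiers (constructed patterns, not Symantec's own):
# dashed SSNs, excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers; the Luhn check below discards most random digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(candidate):
    # Luhn checksum over the digits in candidate, doubling every second from the right
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Exact-match fingerprint of a known confidential document (constructed sample)
SECRET_MEMO = b"CONFIDENTIAL: 2010 player contract negotiation strategy"
FINGERPRINTS = {hashlib.sha256(SECRET_MEMO).hexdigest()}

def classify(content):
    # Tag content with every fingerprint or data-type identifier that matches
    tags = set()
    if hashlib.sha256(content).hexdigest() in FINGERPRINTS:
        tags.add("fingerprint")
    text = content.decode("utf-8", errors="ignore")
    if SSN_RE.search(text):
        tags.add("ssn")
    if any(luhn_ok(m) for m in CARD_RE.findall(text)):
        tags.add("credit_card")
    return tags

# Rules combine tags and channel with Boolean logic; first match wins.
PII = {"ssn", "credit_card"}
RULES = [
    (lambda tags, ch: "fingerprint" in tags, "block"),
    (lambda tags, ch: bool(tags & PII) and ch in {"removable_media", "webmail"}, "block"),
    (lambda tags, ch: bool(tags & PII), "log"),
]

def decide(content, channel):
    # Content drives the response; a USB copy of non-sensitive data is allowed
    tags = classify(content)
    for condition, response in RULES:
        if condition(tags, channel):
            return response
    return "allow"
```

The same file copied to a USB stick is allowed or blocked depending on what it contains, not on the port, which is the trade-off the endpoint section describes.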

Rolling Review

Business value
An ounce of loss prevention can be worth thousands of dollars of remediation and damaged reputation. We'll test DLP options' ability to detect, report, and remediate trouble on handheld devices and PCs.

Reviewed so far
Safend Protector Endpoint:
Delivers impressive endpoint security but lacks application awareness and can't stop data leaks via printing of sensitive data or screen captures.

Code Green CI 1500:
Offers solid data discovery, and its complex pattern matching is tops, which means fewer false positives, but its endpoint protection capabilities could be better.

Vendors invited
McAfee, RSA, Trend Micro, Safend, Sophos, Symantec, Vericept, Websense

Still to come
RSA, Sophos, Trend Micro, Vericept


Symantec Storage DLP contains two components, Network Discover and Network Protect (yes, the branding of these components is confusing). Storage DLP is responsible for enterprise-wide data discovery, and it can query the widest range of structured and unstructured data sources we've seen thus far, including CIFS, NFS, DFS, and HFS file systems; databases; Exchange; SharePoint; Documentum; public Web sites; and wikis.

Using the same policy definition interface, administrators can perform a quick and dirty risk analysis via agentless data discovery. Agents can also be placed on high-value PCs and servers. Agent-based scans consume more system resources on the endpoint but will also complete the job more quickly than an agentless scan conducted over the network.

One feature of Storage DLP we particularly like is the ability to set a policy that automatically relocates sensitive data discovered in an unauthorized location. For instance, if a discovery sweep finds credit card numbers on an open file share, that information can be removed and sent to a secure repository.

The DLP-9 suite is completely software-based. A single executable contains all of the components, and each set of features can be deployed alone or in tandem. Extracting list pricing for DLP-9 from Symantec was extremely difficult. While you can purchase Endpoint, Network, and Storage DLP separately, the only guidance we were given was that DLP-9 starts at $25,000 and license costs are based on the number of users and the products purchased.

DLP-9 sets a high bar, but we fully expect RSA, the next vendor in our Rolling Review, to give Symantec a run for its money.

On a housekeeping note, Websense and McAfee have dropped out of this review due to resource constraints. Trend Micro and Sophos will replace them.

About the Author(s)

Randy George

Director, IT Operations, Boston Red Sox

Randy George has covered a wide range of network infrastructure and information security topics in his 4 years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT, and has spent the last 8 years working as a senior-level systems analyst and network engineer in the professional sports industry. Randy holds various professional certifications from Microsoft, Cisco and Check Point, a BS in computer engineering from Wentworth Institute of Technology and an MBA from the University of Massachusetts Isenberg School of Management.
