Level 7

Unified DLP Solution


Can anyone help me answer the queries below on what McAfee Host DLP and Network DLP support?

Vendor response columns: Clause Reference | Offered / Supported | Remarks

1 Data Loss Prevention Hardware & Software Requirements & Solution Scalability   [Offered]
  b. One-time licensing with no recurring cost and lifetime patches / definition updates for the same version of the product   [Offered]   Remarks: right to use the product is indefinite, but patches and upgrades come only with support renewals
1.1 References and general requirements
  a. Provide complete details and references of two local Data Loss Prevention reference customers with more than 999 DLP users (name, email, contact number)
  b. Provide complete details and references of three international Data Loss Prevention reference customers with more than 999 DLP users (name, email, contact number)
  c. Principals or Platinum/Gold partners can participate   [Offered]   Remarks: Elite
  As part of overall risk mitigation, vendors would be evaluated partially based upon previous success, including market share. What is your DLP market share as designated by a major industry analyst (e.g. Gartner, Forrester, IDC)?
1.2 Technical Requirements
  a. Integrated Management:   [O]   Remarks: ePO
     The company seeks a unified DLP system to minimize IT and operational system management and operational costs. The following questions apply to a full Network, Endpoint, and Large Data Store Discovery DLP configuration.   [O]   Remarks: HDLP and Network DLP solution
  b. Active Directory:   [O]
     The company seeks to minimize IT integrations. The solution should provide simple Active Directory integration (AD 2003, 2008) for full integration across Network, Endpoint, and Large Data Store Discovery DLP.
  c. Web Proxies:
     The company uses Microsoft ISA web proxies. The solution should support ISA, Forefront / Huawei iCache.
  d. Privacy Control:
     As per company privacy policy and experience, contractors and other individuals are not to be given access to other employees' private data. Explain how your DLP solution provides privacy control with redaction of certain DLP incident data (such as sender email address, username, and sensitive incident content) from specific users, such as contractors who may be first-level incident responders/analysts.
  e. Severity and Escalations:
     As per company experience, some DLP incidents may be of higher severity than others due to content (such as classified data or VIP PII data) or the amount of data in an incident (hundreds or thousands of records as opposed to a handful of records).
  f. Severity Levels:
     Does your DLP system provide different incident severity levels?
  g. Automatic Escalation:
     Does your DLP system support automatic initiation of different notifications and remediation tasks based upon varying DLP incident severity levels?
     The company is required to automatically notify the IT Security Department for certain Network, Endpoint, or Large Data Store Discovery DLP incidents. The questions below apply to Network, Endpoint, and Large Data Store Discovery DLP incidents, e.g. an employee writes policy-violating data to a CD/DVD or emails policy-violating data to a personal email account.
     Does your DLP system support simultaneous notification to IT Security and HR for a particular type of DLP incident?
  i. Simultaneous Notifications:
     Does your DLP system support simultaneous notification to the company's IT Security Department, the employee's manager, and the system owner for a particular type of DLP incident?
2 DLP Product / Service
  The solution should incorporate automatic remediation of DLP incidents based on certain policy/policies.
2.2 Employee / User Notification:
  A DLP component to automatically notify employees of policy-violating actions and escalate to a higher level based on severity and as per policy.
2.2.1 Target Coverage
  a. Scan Windows file systems via CIFS
  b. Scan Unix file systems via NFS
  c. Scan local Windows file systems
  d. Scan local UNIX file systems (Linux, AIX, and Solaris)
  e. Scan Novell file systems
  f. Scan NAS filers such as NetApp filers
  g. Scan relational databases (Oracle, SQL Server, DB2, Sybase)
  h. Scan SharePoint servers via the Windows SharePoint Services (WSS) API
  i. Scan SharePoint servers via WebDAV or any other alternative
  j. Scan Lotus Notes databases
  k. Scan Documentum
  l. Scan LiveLink
  m. Scan Microsoft Exchange
  n. Scan web sites, including corporate web sites, intranets, extranets, wikis, etc.
  o. Scan Microsoft .pst files with the ability to identify confidential data on a per-message basis
  p. API to enable the scanning of essentially any data repository, including custom or legacy repositories
2.2.2 Data Protection Actions
  a. Automatically copy or relocate (quarantine) files which violate policy
  b. Automatically collect files that match policy criteria for use in an investigation or e-discovery request
  c. Leave customizable marker files in place of files that are relocated
  d. Create customized responses for storage incidents
  e. Un-quarantine or roll back a relocated file to its original location
  f. Apply file encryption and DRM protection via products from Microsoft RMS, Oracle IRM, GigaTrust, and PGP
2.2.3 Actionable Incident Details
  a. Display file location and owner information for files which violate policy
  b. Display incident match details for files which violate policy
  c. Offers a method to identify file owners when the owner does not exist in the file system being scanned
  d. Display file Access Control Lists (ACLs) for files which violate policy
2.2.4 Scan Management
  a. Configure and control all scanning from a single, centralized console
  b. Apply filters to only scan (or conversely ignore) files of a certain type or in a certain directory
  c. Configure incremental scans in which only new or changed files are scanned
  d. Apply filters to only scan files added, accessed, or modified in a certain date range
  e. Preserve original file attributes, including the 'last accessed' attribute, while scanning
  f. Schedule automatically recurring scans
  g. Ability to manually pause a scan
  h. Throttle scans to limit network bandwidth usage
  i. Capable of performing quick inventory scans that complete when a pre-defined incident count threshold is met
  j. Capable of running multiple scans against multiple physical targets concurrently
  k. Manage all scan target credentials on a single UI page, including applying a single credential to multiple targets
2.2.5 Scale and Security
  a. Scan systems at remote locations with limited network bandwidth
  b. Scan machines with agent-based or agentless deployment options
  c. Supports storage scanning products running in a VMware image
  d. Communications limited to fixed ports between the target system and the scanning server
2.3 Endpoint DLP:
  a. Agentless and agent-based scanning options
  b. Agent-based discovery of confidential data on endpoints (desktops/laptops), including reporting on Access Control Lists (ACLs) for files which violate policy
  c. Agent offers full coverage when the machine is on or off the corporate network (policies reside on the agent)
  d. Agent stores incident-causing files in a cache until the user reconnects to the corporate network
2.3.2 User Action Coverage
  a. Monitor data downloaded to a local drive
  b. Monitor/block data copied to removable storage devices (USB, FireWire, SD and CompactFlash cards)
  c. Monitor/block data copied to CD/DVD
  d. Monitor/block corporate email via Microsoft Outlook or Lotus Notes and other email clients and protocols
  e. Monitor/block HTTP transmissions
  f. Monitor/block HTTPS transmissions via Internet Explorer, Mozilla Firefox and other known web browsers
  g. Monitor/block IM transmissions via Yahoo, MSN, and AIM (AOL)
  h. Monitor/block FTP transmissions
  i. Monitor/block data sent to any type of local or networked printer
  j. Monitor/block data sent to a local or networked fax
  k. Monitor/block copy or paste actions done via the Windows clipboard
  l. Block print screen actions
  m. Detection based upon real-time file content analysis, previous tags, or human tagging definitions
  n. To reduce calls to the helpdesk and other operations, the company requires the Endpoint DLP component to provide pop-up information notifications for policy-violating actions when in logging/audit mode and pop-up notifications for blocking actions
2.3.3 Agent Deployment and Management
  a. A single agent performs all the functions, including endpoint scanning and monitoring/blocking data leaving the endpoint
  b. Can be deployed using any standard systems management tool as an MSI package
  c. Deploy and manage using a mature, dedicated agent management console
  d. Can target agent deployment by AD groups or Windows groups
  e. Supports agent troubleshooting and diagnostic tools designed for non-IT users
  f. Set caps on % of CPU and disk, and the amount of bandwidth used by the agent, for minimal impact on endpoint and network
  g. Manage software updates, policies, logging, alerts and configuration through a centralized console
  h. Integrates with Windows OS drivers and various applications to ensure stability, interoperability, and security; not a potentially destabilizing rootkit approach
  i. Supported on Microsoft Windows 7, Vista, XP and Server 2003, 2008 (32 & 64 bit)
  j. When the primary Endpoint Server is not available, the agent can automatically fail over to secondary Endpoint Servers
  k. Single console to install agents and ability to deploy agents using SMS/SCCM
  a. Agent-based scanning enables parallel scanning of thousands of endpoints
  b. Ability to protect large volumes of data: an entire database of customer records, a large number of fingerprinted documents
  Ability to support global distributed deployments of endpoint machines
2.3.5 Agent Security
  a. Tamper-proof agent that cannot be inappropriately disabled; if somehow stopped, a separate service restarts it
  b. Agent does not appear in "Add/Remove Programs" or the System Tray, and is obfuscated in Services and Task Manager
  c. Communications between agent and server are encrypted and authenticated
2.3.6 Scan Management
  a. The same policies can be deployed to both agentless and agent-based scans
  b. Configure and control all scanning from a single, centralized console
  c. Configure incremental scans in which only new or changed files are scanned
  d. Agents report progress to a central location for an up-to-date progress report while scans are running
  e. Filter scans based on file size, type, and location
  f. Ability for a scan to run only when the machine is idle, thus eliminating any adverse machine impact
2.3.7 Real Time Enforcement
  a. An on-screen pop-up notification with fields for user justification can appear upon the generation of an incident
  b. The pop-up notification can automatically present itself in one of 25+ languages based on the underlying OS
  c. An automatic email notification can be sent to the user and/or manager upon the generation of an incident
2.4 Network DLP:
2.4.1 Multi-Protocol Monitoring Capabilities
  a. Monitors any TCP-based protocol, such as SMTP including attachments, HTTP including uploaded files, active and passive FTP including fully correlating transferred file data with control information, and NNTP including uploaded files
  b. Ability to monitor popular IM protocols (AIM, Yahoo, MSN, IRC) and properly classify tunneled IM traffic (HTTP)
  c. Able to correlate native IM traffic for long-lived sessions
  d. Can properly classify all protocols even when running on non-standard ports
  e. Monitor gigabit-speed lines without packet loss or requiring packet sampling to compensate for excessive load; does not require specialized NIC hardware
  f. Ability to handle traffic bursts, buffer traffic, and provide insight into packets that cannot be processed
  g. Ability to filter network traffic for inspection based on protocol, IP range, or email sender/recipient
  h. Provide detailed traffic statistics for overall data throughput, number of messages, and number of incidents on a per-protocol basis, summarized down to an hourly level
2.4.2 Multi-Protocol Prevention Capabilities
  a. Conditionally block, reroute or quarantine SMTP messages based on message content
  b. Conditionally block HTTP messages based on message content
  c. Conditionally remove the message body or specific attachments in a web mail or HTTP POST action, including "Web 2.0" sites (e.g. Facebook), for a better user experience
  d. Conditionally block encrypted web transmissions (HTTP over SSL) based on message content
  e. Conditionally block FTP messages based on message content
  f. Integrate with any SMTP-compliant MTA (e.g. Barracuda, McAfee WebShield, Symantec Brightmail, Sendmail, etc.)
  g. Integrate with web proxies from Microsoft ISA, Huawei iCache, Blue Coat, McAfee (Secure Computing), IronPort, and Squid
  h. Does not require use of an embedded MTA or web proxy; can use existing or best-of-breed products
  i. Email monitoring and blocking based on policy
  j. Handles conflicting policies by offering separate multi-policy handling rules
  k. An automatic email notification can be sent to the user and/or manager upon the generation of an incident
  l. Supports network prevention products running in a VMware image
3 DLP Policy Enforcement Detailed Requirements:
3.1 Detection - Fingerprinted Content
  a. Ability to fingerprint both structured data (CNICs, etc.) and unstructured data (MS Office docs, PDFs, CAD/CAM diagrams, source code, etc.)
  b. Ability to specify exactly which columns of fingerprinted structured data are needed to find a match (e.g. first name, last name, and CNIC, but not ZIP)
  c. Ability to specify certain combinations of columns of fingerprinted structured data that are NOT a match (e.g. first name and CNIC without last name)
  d. For fingerprinted unstructured documents, ability to detect extracts or derivatives of these documents on a defined threshold percentage (e.g., register a match only if at least 30% of the document is matched)
  e. Ability to normalize all common variants of data presentation (e.g., if the data extract contains "123456789", it should match against "123-45-6789", "123456789", "123.45.6789", etc.)
  f. Fingerprint large volumes of structured data (up to 2 billion cells of database information on a single detection server)
  g. Fingerprint a large number of unstructured documents (up to 2 million documents on a single detection server)
3.2 Detection - Described Content
  a. Detect based on fully customizable keywords and key phrases, with the ability to put multiple keywords in a single detection rule
  b. Detect against large keyword or key phrase lists (up to 100,000 keywords or key phrases) without performance degradation
  c. Detect based on fully customizable regular expressions
  d. Detect based on file type (including encrypted or password-protected files), file name/extension, sender/recipient attributes, or transmission protocol
  e. Ability to define custom file type signatures to detect file types that are not supported out of the box
  f. 60+ pre-built policy templates that include keywords and data patterns for U.S. and international regulations (e.g., HIPAA, PCI) and corporate best practices, and that can easily be modified
  g. Detection relies on real-time content-aware detection, as opposed to "tagging"
3.3 Policy Definition
  a. Ability to create a single policy in a single UI that can be deployed across all products (storage, network, endpoint)
  b. All detection done on the distributed detection servers (or endpoint agents), not at the central management server
  c. Configure policies to detect/set thresholds based on the number of matches on a per-policy basis
  d. Create policies that combine multiple detection technologies and rules with AND/OR logic and exception rules
  e. Define group-based detection rules based on internal directory information, such as department or business unit
  f. Ability to integrate directly with AD to create user- or group-based endpoint detection rules. Different policies can be applied based on the logged-in user, even on a shared machine.
  g. Ability to easily export/import existing detection rules, including importing detection rules from different systems (e.g. test to production)
3.4 Automated Enforcement
  a. Automatically send customized email notifications to the employee, the employee's manager, and/or administrators
  b. Automatically send a message to a Syslog-enabled case management or security event management system
  c. Configure multiple automated responses based on severity, match count, policy, etc.
  d. Ability to automatically assign incident status based on the rule triggered and match count
3.5 Role-Based Access and Privacy Control
  a. Limit incident access for a role by policy, by department or business unit, by country or geography, by severity or remediation status, or by any user-defined custom attribute
  b. Redaction of certain data such as sender identity information (email address, username, file owner, etc.) that may need to be kept confidential from certain users to protect employee privacy
  c. Create separate roles for technical administration of servers, user administration, policy creation and editing, incident remediation, and incident viewing for data wherever it is stored or used, both on the network and on the endpoint
4 Reporting Console: Reporting & Analysis Console Detail Requirement
4.1 Reporting and Analytics
  a. Single user interface for all incidents (storage, network, and endpoint) as well as for systems management
  b. Browser-based user interface accessible via IE or Mozilla Firefox
  c. Reporting of incidents and trends by organization, by department or by user, utilizing the enterprise directory
  d. Multi-level summarization reports (e.g., incidents grouped by business unit, then by policy, and then by severity in the same report)
  e. Ability to group, filter, and sort reports by different parameters, including department or business unit
  f. Configurable risk dashboards simultaneously showing different reports from storage, network, and endpoint
  g. Ability to configure and save custom reports and dashboards on a per-user basis
  h. Option to publish saved reports to all users in a role or keep them as private reports
  i. Ability to send any report via email, either on command or on a regularly defined schedule
  j. Capability to export reports to HTML, CSV, or XML format so they can be viewed outside the UI
  k. Able to run reports on large incident databases (over 500,000 incidents) with minimal performance impact
  l. Drill down on any report to get to additional incident detail without running a new report
  m. Workflow aging reports providing incidents in different statuses, grouped by time period
1 Reply
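Several items in the checklist above describe concrete detection and privacy mechanisms rather than procurement terms: normalizing presentation variants before fingerprinting (3.1 e), matching structured records by required and excluded column combinations (3.1 b, c), registering a document match only above a coverage threshold (3.1 d), deriving severity from the number of records in an incident (1.2 e-g, 3.4 c), and redacting sender and content fields from first-level contractor analysts (1.2 d, 3.5 b). The Python below is an added example that models those mechanisms end to end; it is not part of the original post and is not McAfee code. The customer table, the protected pricing text, the 30% threshold, the severity cut-offs and the role names are constructed assumptions for illustration.

```python
"""Added example: a miniature model of the detection and privacy items in the
checklist (3.1 b-e, 3.3 c, 3.4 c, 1.2 d-g, 3.5 b). Not code from the original
post or from any McAfee product; records, thresholds and role names are
constructed for illustration."""
import hashlib
import re
from typing import Dict, List, Set

TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9\-\.]*")

def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def normalize(value: str) -> str:
    """3.1 e: drop separators and case so 123-45-6789, 123.45.6789 and 123456789 collide."""
    return re.sub(r"[\s\-\./]", "", value).lower()

def fp(value: str) -> str:
    """Fingerprint of a normalised cell; a detection server stores hashes, never raw data."""
    return _h(normalize(value))

def tokens(text: str) -> List[str]:
    return TOKEN_RE.findall(text)

# ---- structured data: required / excluded column combinations (3.1 b, c) ----
RECORDS = [  # constructed customer table; CNIC is the Pakistani national ID
    {"first": "Ayesha", "last": "Khan", "cnic": "42101-1234567-1", "zip": "75500"},
    {"first": "Bilal", "last": "Ahmed", "cnic": "35202-7654321-3", "zip": "54000"},
]
STRUCTURED_POLICY = {
    "columns": ("first", "last", "cnic"),      # zip is fingerprinted but not part of the rule
    "min_columns": 2,                           # at least two of them must co-occur
    "exclude": {frozenset({"first", "cnic"})},  # 3.1 c: first name + CNIC without last name is NOT a match
}

def index_structured(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Replace every cell with its fingerprint; this is what ships to detection servers."""
    return [{col: fp(val) for col, val in row.items()} for row in records]

def match_structured(text: str, index: List[Dict[str, str]], policy=STRUCTURED_POLICY) -> int:
    """Number of fingerprinted rows present in `text` under the column rule."""
    seen = {fp(t) for t in tokens(text)}
    hits = 0
    for row in index:
        matched = frozenset(c for c in policy["columns"] if row[c] in seen)
        if len(matched) >= policy["min_columns"] and matched not in policy["exclude"]:
            hits += 1
    return hits

# ---- unstructured documents: partial-match threshold (3.1 d) ----
SHINGLE = 3           # words per shingle; smaller catches shorter extracts, larger is more precise
DOC_THRESHOLD = 0.30  # register a match only if >= 30 % of the document's shingles are present
PROTECTED_DOC = ("Project Falcon pricing is confidential. The unit cost is 412 rupees "
                 "and the margin target is eighteen percent for the first year.")

def shingles(text: str) -> Set[str]:
    """Hashed overlapping word n-grams of the normalised text."""
    words = [normalize(t) for t in tokens(text)]
    return {_h("|".join(words[i:i + SHINGLE])) for i in range(len(words) - SHINGLE + 1)}

def coverage(candidate: str, doc_index: Set[str]) -> float:
    """Fraction of the fingerprinted document that appears in `candidate`."""
    return len(shingles(candidate) & doc_index) / len(doc_index) if doc_index else 0.0

# ---- severity and role-based redaction (1.2 e-g, 3.4 c, 1.2 d, 3.5 b) ----
def severity(record_hits: int) -> str:
    """A handful of records versus hundreds (1.2 e); cut-offs are illustrative."""
    return "high" if record_hits >= 100 else "medium" if record_hits >= 10 else "low"

REDACT_FOR_ROLE = {"analyst": set(), "contractor": {"sender", "user", "evidence"}}

def inspect(text: str, sender: str, user: str, struct_index, doc_index) -> Dict:
    """Return an incident record if either rule fires, else an empty dict."""
    hits, cov = match_structured(text, struct_index), coverage(text, doc_index)
    if hits == 0 and cov < DOC_THRESHOLD:
        return {}
    return {"policy": "customer-pii" if hits else "falcon-pricing",
            "records": hits, "coverage": round(cov, 2),
            "severity": severity(hits) if hits else "high",
            "sender": sender, "user": user, "evidence": text}

def view(incident: Dict, role: str) -> Dict:
    """The incident as `role` may see it; unknown roles get the most restrictive view."""
    hidden = REDACT_FOR_ROLE.get(role, REDACT_FOR_ROLE["contractor"])
    return {k: ("[REDACTED]" if k in hidden else v) for k, v in incident.items()}

if __name__ == "__main__":
    struct_index, doc_index = index_structured(RECORDS), shingles(PROTECTED_DOC)
    msg = "Please pay Ayesha Khan, CNIC 42101.1234567.1, before Friday."
    incident = inspect(msg, "a.khan@corp.example", "akhan", struct_index, doc_index)
    print(view(incident, "analyst"))      # full detail for the security team
    print(view(incident, "contractor"))   # sender, user and content redacted
```

Two design points worth noting against the checklist: the exclusion set in `STRUCTURED_POLICY` is what lets "first name plus CNIC" be a non-match even though it satisfies the two-column minimum, and `view` replaces redacted fields rather than dropping them, so a contractor still sees that a sender exists and can escalate without learning who it is.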
Level 21

Re: Unified DLP Solution

This is really something your McAfee reseller would help you with. You can imagine it would take some time to complete though.
