1 Reply Latest reply on Jan 1, 2012 12:12 PM by SafeBoot

    Unified DLP Solution



      Can anyone help me to answer the below query for the McAfee DLP host and network supports,


      Vendor Response Clause ReferenceOffered / SupportedRemarks
      1Data Loss Prevention Hardware & Software Requirements & Solution ScalabilityOffered
      bOne time licensing with no recurring cost and lifetime patches /definitons updates for same version of the productOfferedright to use product indefinite but pataches and upgrades will comes with the support renewals only
      1.1References and general requirements
      aProvide complete details and references of two local Data Loss Prevention reference customers with more than 999 DLP users  (Name, email, Contact number)
      bProvide complete details and references of three International Data Loss Prevention reference customers with more than 999 DLP users  (Name, email, Contact number)
      cPrinciples or Platinum/Gold partners can participateOfferedElite
      As part of overall risk mitigation, Would evaluate vendors partially based upon previous success, including market share. What is your DLP market share as designated by a major industry analyst (i.e. Gartner, Forrester, IDC)
      1.2Technical Requirements
      aIntegrated Management: OEPO
      seeks a unified DLP system to minimize IT and operational system management and operational costs. The following questions apply to a full Network, Endpoint, and Large Data Store Discover DLP configurationOHDLP and Networkd DLP Solution
      bActive Directory: O
      The comapny seeks to minimize IT integrations. Solution should provide simple Active Directory integration (AD2003, 2008)for full integration across, Network, Endpoint, and Large Data Store Discovery DLP.
      cWeb Proxies:
      The company  uses Microsoft ISA web proxies. Solution should support ISA, forefront / Huawei iCache,
      dPrivacy Control:
      As per company. privacy policy and experience, contractors and other individuals are not to be given access to other employees’ privacy data. Explain how your DLP solutions provides privacy control with redaction of certain DLP incident data (such as sender email address, username, and sensitive incident content) from specific users such as contractors who may be first-level incident responders/analysts?
      eSeverity and Escalations:
      As per company. experience, some DLP incidents may be of higher severity than others due to content (such as classified data, VIP PII data) or amount of data in an incident (hundreds or thousands of records as opposed to a handful of records.)
      fSeverity Levels:
      Does your DLP system provide different incident severity levels?
      gAutomatic Escalation:
      Does your DLP system support automatic initiation of different notifications and remediation tasks based upon varying DLP incident severity level?
      The company. is required to automatically notify IT Security Department for certain Network, Endpoint, or Large Data Store Discovery DLP incidents. The questions below apply to Network, Endpoint, and Large Data Store Discovery DLP incidents, i.e. an employee writes policy violating data to a CD/DVD or emails policy violating data to one’s personal email account.
      Does your DLP system support simultaneous notification to IT Security and HR for a particular type of DLP incident?
      iSimultaneous Notifications:
      Does your DLP system support simultaneous notification the company. IT Security Department, the employee’s manager, and system owner for a particular type of DLP incident?
      2DLP Product / Service
      Solution should incorporate automatic remediation of DLP incidents based on certain policy/policies
      2.2Employee / User Notification:
      A DLP component to automatically notify employees of policy violating actions and escalation to higher level based on severity and as per policy
      2.2.1Target Coverage
      aScan Windows file systems via CIFS
      bScan Unix file systems via NFS
      cScan local Windows file systems
      dScan local UNIX file systems (Linux, AIX, and Solaris)
      eScan Novell file systems
      fScan NAS filers such as NetApp filers
      gScan relational databases (Oracle, SQLServer, DB2, Sybase )
      hScan SharePoint servers via Windows SharePoint Services (WSS) API
      iScan SharePoint servers via WebDAV or any other alternative
      jScan Lotus Notes databases
      kScan Documentum
      lScan LiveLink
      mScan Microsoft Exchange
      nScan web sites, including corporate web sites, intranets, extranets, wikis, etc.
      oScan Microsoft .pst files with the ability to identify confidential data on a per message basis
      pAPI to enable the scanning of essentially any data repository, including custom or legacy repositories
      2.2.2Data Protection Actions
      aAutomatically copy or relocate (quarantine) files which violate policy
      bAutomatically collect files that match policy criteria for use in investigation or e-discovery request
      cLeave customizable marker files in place of files that are relocated
      dCreate customized responses for storage incidents
      eUn-quarantine or roll-back a relocated file to its original location
      fApply file encryption and DRM protection via products from Microsoft RMS, Oracle IRM, GigaTrust, and PGP
      2.2.3Actionable Incident Details
      aDisplay file location and owner information for files which violate policy
      bDisplay incident match details for files which violate policy
      cOffers a method to identify file owners when the owner does not exist in the file system being scanned
      dDisplay file Access Control Lists (ACLs) for files which violate policy
      2.2.4Scan Management
      aConfigure and control all scanning from a single, centralized console
      bApply filters to only scan (or conversely ignore) files of a certain type or in a certain directory
      cConfigure incremental scans in which only new or changed files are scanned
      dApply filters to only scan files added, accessed, or modified in a certain date range
      ePreserve original file attributes including 'last accessed' attribute while scanning
      fSchedule automatically recurring scans
      gAbility to manually pause a scan
      hThrottle scans to limit network bandwidth usage
      iCapable of performing quick inventory scans that complete when pre-defined incident count threshold is met
      jCapable of running multiple scans against multiple physical targets concurrently
      kManage all scan target credentials on a single UI page, including applying a single credential to multiple targets
      2.2.5Scale and Security
      aScan systems at remote locations with limited network bandwidth
      bScan machines with agent-based or agent less deployment options
      cSupports storage scanning products running in a VMware image
      dCommunications limited to fixed ports between target system and scanning server
      2.3Endpoint DLP:
      aAgent less and agent-based scanning options
      bAgent-based discovery of confidential data on endpoints (desktops/laptops), including reporting on Access Control Lists (ACLs) for files which violate policy
      cAgent offers full coverage when machine is on or off the corporate network (policies reside on the agent)
      dAgent stores incident-causing files in a cache until user reconnects to the corporate network
      2.3.2User Action Coverage
      aMonitor data downloaded to local drive
      bMonitor/block data copied to removable storage devices (USB, Firewire, SD and compact flash cards)
      cMonitor/block data copied to CD/DVD
      dMonitor/block corporate email via Microsoft Outlook or Lotus Notes and other email clients and protocols
      eMonitor/block HTTP transmissions
      fMonitor/block HTTPS transmissions via Internet Explorer, Mozilla Firefox and other known web browsers
      gMonitor/block IM transmissions via Yahoo, MSN, and AIM (AOL)
      hMonitor/block FTP transmissions
      iMonitor/block data sent to any type of local or networked printer
      jMonitor/block data sent to a local or networked fax
      kMonitor/block copy or paste actions done via the Windows clipboard
      lBlock print screen actions
      mDetection based upon real-time file content data analysis, previous tags or human tagging definitions
      nTo reduce calls to helpdesk and other operations, company. requires the Endpoint DLP component to provide pop-up information notifications for policy violating actions when in logging/audit mode and pop-up notifications for blocking actions
      2.3.3Agent Deployment and Management
      aSingle agent performs all the functions including endpoint scanning and monitoring/blocking data leaving the endpoint
      bCan be deployed using any standard systems management tool as an MSI package
      cDeploy and manage using mature, dedicated agent management console
      dCan target agent deployment by AD groups or Windows groups
      eSupports agent troubleshooting and diagnostic tools designed for not-IT users
      fSet caps on % of CPU and disk, and amount of bandwidth used by agent for minimal impact on endpoint and network
      gManage software updates, policies, logging, alerts and configuration through a centralized console
      hIntegrates with Windows OS drivers and various applications to ensure stability, interoperability, and security. Not a potentially destabilizing rootkit approach.
      iSupported on Microsoft Windows 7, Vista, XP and Server 2003, 2008 (32 & 64 Bit)
      jWhen primary Endpoint Server is not available, Agent can automatically failover to secondary Endpoint Servers
      kSingle console to install agents and ability to deploy agents using SMS/SCCM.
      aAgent-based scanning enables parallel scanning of thousands of endpoints
      bAbility to protect large volumes of data - entire database of customer records, large number of fingerprinted documents
      Ability to support global distributed deployments of endpoint machines
      2.3.5Agent Security
      aTamper proof agent that cannot be inappropriately disabled; if somehow stopped, a separate service restarts it
      bAgent does not appear in “Add/Remove Programs” and System Tray, and obfuscated in Services and Task Manager
      cCommunications between agent and server are encrypted and authenticated
      2.3.6Scan Management
      aSame policies can be deployed to both agent less and agent-based scans
      bConfigure and control all scanning from a single, centralized console
      cConfigure incremental scans in which only new or changed files are scanned
      dAgents report progress to a central location for up-to-date progress report while scans are running
      eFilter scans based on file size, type, and location
      fAbility for scan to run only when machine is idle, thus eliminating any adverse machine impact
      2.3.7Real Time Enforcement
      aOn-screen, pop-up notification with fields for user justification can appear upon the generation of an incident
      bPop-up notification has automatic ability to present itself in one of 25+ languages based on underlying OS
      cAutomatic email notification can be sent to user and/or manager upon the generation of an incident
      2.4Network DLP:
      2.4.1Multi-Protocol Monitoring Capabilities
      aMonitors any TCP-based protocol such as SMTP including attachments, HTTP including uploaded files, active and passive FTP including fully correlating transferred file data with control information, and NNTP including uploaded files
      bAbility to monitor popular IM protocols (AIM, Yahoo, MSN, IRC) and properly classify tunneled IM traffic (HTTP)
      cAble to correlate IM traffic (native) for long lived sessions
      dCan properly classify all protocols even when running on non-standard ports
      eMonitor gigabit speed lines without packet loss or requiring packet sampling to compensate for excessive load; does not require specialized NIC hardware
      fAbility to handle traffic bursts, buffer traffic, and provide insight into packets that can not be processed
      gAbility to filter out network traffic for inspection based on protocol, IP range, or email sender/recipient email
      hProvide detailed traffic statistics for overall data throughput, # of messages, and # of incidents on a per protocol basis and summarized down to an hourly level
      2.4.2Multi-Protocol Prevention Capabilities
      aConditionally block, reroute or quarantine SMTP messages based on message content
      bConditionally block HTTP messages based on message content
      cConditionally remove message body or specific attachments in a web mail or HTTP POST action including "Web 2.0" sites (e.g. Facebook) for better user experience.
      dConditionally block encrypted web transmissions (HTTP over SSL) based on message content
      eConditionally block FTP messages based on message content
      fIntegrate with any SMTP-compliant MTA (e.g. Barracuda, McAfee websheild, Symantec Brightmail, , Sendmail, etc.)
      gIntegrate with web proxies from Microsoft ISA, Huawei iCache, BlueCoat, McAfee (Secure Computing), IronPort, and Squid
      hDoes not require use of embedded MTA or web proxy; can use existing or best-of-breed products.
      iEmail monitoring and blocking based on policy
      jHandles conflicting policies by offering separate multi-policy handling rules
      kAutomatic email notification can be sent to user and/or manager upon the generation of an incident
      lSupports network prevention products running in a VMware image
      3DLP Policy Enforcement Detailed Requirements:
      3.1Detection - Fingerprinted Content
      aAbility to fingerprint both structured (CNICs, etc) and unstructured data (MS Office docs, PDFs, CAD/CAM diagrams, source code, etc)
      bAbility to specify exactly which columns of fingerprinted structured data are needed to find a match (e.g. first name, last name, and CNIC, but not ZIP)
      cAbility to specify certain combinations of columns of fingerprinted structured data that are NOT a match (e.g. first name and CNIC without last name)
      dFor fingerprinted unstructured documents, ability to detect extracts or derivatives of these documents on a defined threshold percentage (e.g., register a match only if at least 30% of the document is matched)
      eAbility to normalize all common variants of data presentation (e.g., if data extract contains "123456789", it should match against "123-45-6789", "123456789", "123.45.6789", etc.)
      fFingerprint large volumes of structured data (up to 2 billion cells of database information on a single detection server)
      gFingerprint large number of unstructured documents (up to 2 million documents on a single detection server)
      3.2Detection - Described Content
      aDetect based on fully customizable keywords and key phrases with ability to put multiple keywords in a single detection rule
      bDetect against large keyword or key phrase lists (up to 100,000 keywords or key phrases) without performance degradation
      cDetect based on fully customizable regular expressions
      dDetect based on file type (including encrypted or password-protected files), file name/extension, sender/recipient attributes, or transmission protocol
      eAbility to define custom file type signatures to detect file types that are not supported out-of-the-box
      f60+ pre-built policy templates that include keywords and data patterns for U.S. and international regulations (e.g., HIPAA, PCI) and corporate best practices that can easily be modified
      gDetection relies on real-time content-aware detection, as opposed to "tagging"
      3.3Policy Definition
      aAbility to create a single policy in a single UI that can be deployed across all products (storage, network, endpoint)
      bAll detection done on the distributed detection servers (or endpoint agents), not at the central management server
      cConfigure policies to detect/set thresholds based on number of matches on a per policy basis
      dCreate policies that combine multiple detection technologies and rules with AND/OR logic and exception rules
      eDefine group-based detection rules based on internal directory information, such as department or business unit
      fAbility to integrate directly with AD to create user or group-based endpoint detection rules. Different policies can be applied based on logged-in user, even on a shared machine.
      gAbility to easily export/import existing detection rules, including importing detection rules from different systems (e.g. test to production)
      3.4Automated Enforcement
      aAutomatically send customized email notifications to employee, employee's manager, and/or administrators
      bAutomatically send message to a Syslog-enabled case management or security event management system
      cConfigure multiple automated responses based on severity, match count, policy, etc.
      dAbility to automatically assign incident status based on rule triggered and match count
      3.5Role-Based Access and Privacy Control
      aLimit incident access for a role by policy, by department or business unit, by country or geography, by severity or remediation status, or by any user-defined custom attribute
      bRedaction of certain data such as sender identity information (email address, username, file owner, etc.) that may need to be kept confidential from certain users to protect employee privacy
      cCreate separate roles for technical administration of servers, user administration, policy creation and editing, incident remediation, and incident viewing for data wherever it is stored or used, both on the network and on the endpoint
      4Reporting Console: Reporting & Analysis Console Detail Requirement
      4.1Reporting and Analytics
      aSingle user interface for all incidents (storage, network, and endpoint) as well as for systems management
      bBrowser-based user interface accessible via IE or Mozilla Firefox
      cReporting of incidents and trends by organization, by department or by user utilizing enterprise directory
      dMulti-level summarization reports (e.g., incidents grouped by business unit, then by policy, and then by severity in the same report)
      eAbility to group, filter, and sort reports by different parameters, including department or business unit
      fConfigurable risk dashboards simultaneously showing different reports from storage, network, and endpoint
      gAbility to configure and save custom reports and dashboards on a per-user basis
      hOption to publish saved reports to all users in a role or keep as private report
      iAbility to send any report via email, either on command or via regularly defined schedule
      jCapability to export reports to HTML, CSV, or XML format so they can be viewed outside the UI
      kAble to run reports on large incident databases (over 500,000 incidents) with minimal performance impact
      lDrill down on any report to get to addition incident detail without running a new report
      mWorkflow aging reports providing incidents in different statuses, grouped by time period