3 Replies Latest reply on Jul 6, 2012 11:21 AM by Regis

    Unified policy network/host DLP   - anyone doing it?  Heard this surprise?

    Regis

      So... I had an interesting support touch today.


      First, how many people were sold on DLP 9.2 as being a wondrous thing with the ability to use registered documents indexed by Discover and use that registered document concept across both network DLP with email and web, as well as using that concept inside of Host DLP, to, say, prevent sensitive registered documents from going out via USB? Sounds great, right? Superb evolution of the two products, one place to manage, etc. Anyone else told by SEs to go in that direction because it's going to be such a win, and the way management will be done going forward?


      If this story is compelling to you, would you be surprised to hear that support told me today that unified DLP policy is going away, and that according to an L2, "why would a customer want to deploy unified--it doesn't work very well"? And that support for it is going away when 9.2 goes away? Granted, arguably they never really did support this functionality despite selling it, but can you imagine our surprise hearing this news from a support touch rather than any other way?


      I've reached out to my sales team, and am really interested to talk to a product manager, but I'm curious to hear what others have experienced in this realm. 


      I'd also be curious on what if anything you're doing that subtends network and host DLP with respect to registered documents.

        • 1. Re: Unified policy network/host DLP   - anyone doing it?  Heard this surprise?
          hovavb

          Thank you for your feedback.


          You are correct that the current Unified DLP does not support protection on the endpoint for documents that are registered by a network registration scan, the reason being that the registered document signatures database is actually pushed to the endpoints.

          We took this approach in order to allow enforcement on the endpoint while offline (e.g. laptops), as well as to be able to block based on the registered documents (as opposed to monitor-only, as some of the competitors do.)
          The drawback of this approach is the size limit: you cannot push 2-3 GB of registered document signatures to the endpoint, as it will cause severe performance impact as well as network saturation.

          That is why we designed the system to use registered documents created from a registration scan on the network appliances and not push them to the endpoints.

          On the endpoint, you should use the McAfee-unique technology of tagging rules to tag, on the fly, files that are copied from network shares or downloaded from SharePoint (that you would configure as registered documents locations), so that any file that is copied from the network share or downloaded from SharePoint will be “registered on demand”, will be protected on the endpoint, and will not have the performance or size limitations that common registered document solutions have. (I.e. every document that is sent out or copied to USB will only be compared to the tagging signatures created for the files that this end-user touched/copied, and not matched against all of the 2-3 GB of registered document signatures.)


          Going forward, we are considering adding the capability to perform registered document signature matching of endpoint files using a network device.

          This, in turn, will enable monitoring only (not blocking) and reporting incidents based on the registered document signatures.


          As for the unified solution, it is working today with 9.2. It does have several limitations (e.g. the registered documents), but we are not moving away from unification!

          Actually, we are investing in improving the unification and working on improved usability, resolving current limitations, running natively in ePO infrastructure (removing the DLP Manager appliance), and adding more workflows around DLP management.
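The reply above describes two endpoint designs: pushing the whole registered-document signature database to the host (offline blocking, but the database is too large), versus tagging files on the fly when they are copied from a share or SharePoint so that a USB write is compared only against the handful of signatures for files that user touched. The following is an added toy model of both designs, written for this thread and not McAfee's code; it assumes a hashed 5-word-shingle fingerprint with a 50% overlap threshold as a stand-in for the real signature algorithm (which the post does not describe), and the documents, paths and 1,000 filler registrations are constructed for the demo.

```python
"""Toy model of the two endpoint enforcement designs discussed in the reply above.

Added example, not McAfee code.  Assumptions (not from the post): registered
documents are fingerprinted as hashed 5-word shingles, a file "matches" when at
least half of its shingles hit one registered signature, and the sample
documents, paths and filler registrations are constructed for the demo.
"""
from __future__ import annotations

import hashlib

SHINGLE = 5       # words per shingle (assumed signature scheme)
THRESHOLD = 0.5   # fraction of a file's shingles that must hit to count as a match


def fingerprint(text: str) -> set[str]:
    """Registered-document style signature: the set of hashed 5-word windows."""
    words = text.lower().split()
    windows = [" ".join(words[i:i + SHINGLE])
               for i in range(max(1, len(words) - SHINGLE + 1))]
    return {hashlib.sha256(w.encode()).hexdigest()[:16] for w in windows}


def overlap(candidate: set[str], registered: set[str]) -> float:
    """Fraction of the candidate's shingles that also occur in a registered signature."""
    return len(candidate & registered) / len(candidate) if candidate else 0.0


class RegisteredDocumentDB:
    """Output of a network registration scan: document name -> signature."""

    def __init__(self) -> None:
        self.docs: dict[str, set[str]] = {}

    def register(self, name: str, text: str) -> None:
        self.docs[name] = fingerprint(text)

    def matches(self, fp: set[str], stats: dict) -> list[str]:
        """Design 1: compare against every signature in the (pushed) database."""
        hits = []
        for name, sig in self.docs.items():
            stats["comparisons"] += 1
            if overlap(fp, sig) >= THRESHOLD:
                hits.append(name)
        return hits


class Endpoint:
    def __init__(self, pushed_db: RegisteredDocumentDB | None = None) -> None:
        self.pushed_db = pushed_db           # design 1: whole signature DB on the host
        self.tags: dict[str, set[str]] = {}  # design 2: path -> signature made on copy
        self.stats = {"comparisons": 0}

    def copy_from_share(self, path: str, text: str) -> None:
        """Tagging rule: a file copied from a registered-documents location
        (network share / SharePoint) is fingerprinted on the fly."""
        self.tags[path] = fingerprint(text)

    def write_to_usb(self, text: str) -> tuple[str, str]:
        """Policy check on a removable-media write."""
        fp = fingerprint(text)
        # Design 2: only the signatures of files this user touched are consulted.
        for tagged_path, sig in self.tags.items():
            self.stats["comparisons"] += 1
            if overlap(fp, sig) >= THRESHOLD:
                return "BLOCK", f"matches tagged file {tagged_path}"
        # Design 1: every registered signature is consulted (cost grows with the DB).
        if self.pushed_db is not None:
            hits = self.pushed_db.matches(fp, self.stats)
            if hits:
                return "BLOCK", f"matches registered document {hits[0]}"
        return "ALLOW", "no match"


# Constructed sample documents (not from the thread).
SECRET = ("Project Falcon acquisition memo: the board will vote on the tender offer "
          "at forty two dollars per share in the fourth quarter, do not distribute "
          "outside the deal team before the public announcement")
EXCERPT = " ".join(SECRET.split()[:15]) + " pasted into a personal note"
PUBLIC = "Cafeteria menu for next week: soup, salad, pasta and the usual sandwiches"


def demo() -> dict:
    db = RegisteredDocumentDB()
    db.register("falcon_memo.docx", SECRET)
    for i in range(1000):  # pad the DB so the comparison cost is visible
        db.register(f"filler_{i}.docx", f"filler document number {i} with unique text {i * 7}")
    results = {}

    # Design 1: whole DB pushed; the memo arrived by e-mail, so it carries no tag.
    pushed = Endpoint(pushed_db=db)
    results["pushed"] = pushed.write_to_usb(SECRET)
    results["pushed_comparisons"] = pushed.stats["comparisons"]

    # Design 2: tagging only; the user copied the memo from the share, so it was tagged.
    tagging = Endpoint()
    tagging.copy_from_share(r"C:\Users\alice\Documents\falcon_memo.docx", SECRET)
    results["tagged_full"] = tagging.write_to_usb(SECRET)
    results["tagged_excerpt"] = tagging.write_to_usb(EXCERPT)  # partial paste still hits
    results["tagged_public"] = tagging.write_to_usb(PUBLIC)
    results["tagging_comparisons"] = tagging.stats["comparisons"]

    # Design 2 gap: the memo lives somewhere only a network scan saw (no share,
    # no SharePoint), so no tagging rule fired and the host knows nothing about it.
    untagged = Endpoint()
    results["untagged"] = untagged.write_to_usb(SECRET)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the trade-off in numbers: the pushed-database endpoint blocks the untagged memo but performs 1,001 signature comparisons for a single USB write, while the tagging endpoint blocks both the full memo and a 15-word excerpt of it after one comparison each. The last case is the gap raised later in the thread: a document that was only ever seen by a network registration scan, and never copied through a tagged location, reaches removable media unchallenged on the tagging-only design.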

          • 2. Re: Unified policy network/host DLP   - anyone doing it?  Heard this surprise?
            Regis

            Thank you for the detailed and thoughtful reply.  


            So... I guess I'm left with the very, very puzzled state of support telling me essentially "what idiot would want to deploy a very broken, undocumented, marginally-supported-today-but-slated-to-be-unsupported-entirely-after-9.2 unified DLP solution", versus the happy thoughts you've expressed here that indicate ongoing investment in unified host/network DLP, and our early-2012 SE saying that this unified stuff was the greatest thing since sliced bread and the way of the future going forward?


            Removing the DLP Manager appliance... heh. I guess that's another decent-used-car's worth of money we just spent that won't be part of the future.


            Tagging is swell and all, but when the stuff you really care about isn't sitting in a happy Windows UNC share, but is visible to an NDLP Discover appliance (which aren't cheap, by the way), tagging doesn't really do ya much for your data interactions with removable media. Which is among the reasons I'm currently very irritated at this turn of events. Not to worry though--that irritation is being expressed through the sales channel that sold me this solution, and maybe one day the product manager might reach out to me and find out what an utter nightmare this has been and why.


            Message was edited by: Regis; typo on 7/5/12 3:53:21 PM CDT
            • 3. Re: Unified policy network/host DLP   - anyone doing it?  Heard this surprise?
              Regis

              hovavb wrote:

              As for the unified solution, it is working today with 9.2. It does have several limitations (e.g. the registered documents), but we are not moving away from unification!

              Actually, we are investing in improving the unification and working on improved usability, resolving current limitations, running natively in ePO infrastructure (removing the DLP Manager appliance), and adding more workflows around DLP management.


              This, for what it's worth, is in tremendous tension with what I'm hearing from support who, to paraphrase (as is my idiom), seems to almost be emphatically encouraging me to run away screaming from Unified, and has carefully said that not everything you've said here is necessarily accurate. I'll leave y'all in McAfee to duke it out internally.


              It also sounds like (if I'm reading the carefully constructed tea leaves correctly) unified is going to go away for a time until something that actually works gets developed. No timelines (even rough ones) offered.


              To poor customers like me: don't believe what sales tells you about unified host and network DLP. What's there today (if I'm being charitable) barely works, and is definitely poorly supported by support, QuickStart (Accuvant) consulting, and even the on-site pro service that you pay through the nose for doesn't have a decent handle on it. And, by the way, it's going away, apparently, before it comes back.


              Message was edited by: Regis typo on 7/6/12 11:21:31 AM CDT