Southern California Data Loss Prevention User Group

The Southern CA DLP User Group met on Thursday, March 22 at the Symantec office in Culver City.

Special thanks to our presenters:

• Gavril Lourie, City National Bank, gave a presentation on moving their DLP installation to their new data center
• Paul Johnson, Symantec Sr Product Manager, provided a Data at Rest roadmap presentation and a Data Insight deep dive

There were a few open items from the meeting and Paul has provided the information below as a follow up:

I’ve heard that deleting incidents from the database doesn’t really delete the incidents, is this true?

• When you delete an incident it is cleared out of the database, you can no longer access the data.  It is effectively deleted, however, the space is not reclaimed (even for large amounts of incidents) in order to maximize performance.  What led to the confusion is Oracle’s deletion/ re-claimation structure which has resulted in customers deleting large amounts of incidents without seeing a reduction to db size.  Oracle will re-use this space as needed…

Does Tablet/iphone require separate hardware or can you use existing SMPT server(s)?

• There are two options here to co-locate with web prevent, the requirement is licenses for Web prevent and DLP for Tablet

1) We offer a hybrid solution so that you can leverage one server for Web prevent and DLP for Tablet

2) You can run Web prevent and DLP for Tablet VMs on the same hardware

(expected to stay the same with the iphone release)

Do I need an MDM solution for DLP for Tablet? Which ones are supported?

• We integrate with all MDM solutions.  The benefit of choosing Symantec MDM is that it offers tamper-proofing, effectively forcing a VPN connection which prevents users from disabling the VPN connection and allowing DLP to inspect all traffic from the device.  Other MDMs also offer “forced” VPN but none offer the tamper proofing functionality
• I also wanted to clarify that an MDM solution is not required for DLP for Tablet/ Mobile, however it is recommended for VPN enforcement reasons…

I would like to request consolidating SMTP notification for Network Monitor(enable setting up a digest so that users do not receive a notification for each violation, allow for configuration of how often to send – time based or violation based). This is important because my users do not want to continue receiving a large number of notifications

• I have passed this request along to the DLP Network PM who will create an enhancement request and is tracking

Auto-forward policy – DLP cannot differentiate between auto forwarded emails and ‘auto forwards’ that are replied to or forwarded, is this possible?

• I have communicated your situation with our detection PM and will reach out once I hear back