Has anyone here used DLP alongside ICA? If so, could you please share some of the upsides on how machine learning within ICA made things easier for prioritization of security alerts, reporting, policy tuning, etc.? Also, in what instances did policy tuning still require more manual effort?
James, I'll throw out some comments here, from an ICA Sales Engineer standpoint. Happy to provide some additional whitepapers or case studies if desired. Generally, ICA running alongside DLP provides some significant benefits. From a perspective of security alerts, ICA utilizes UEBA capabilities to determine the "risky" incidents that are occurring and highlights those in various stack-ranked lists and scenario groupings for simple analysis. The idea is to essentially show the "needles" in the haystack without having to pore through the haystack itself. ICA also contains many OOTB reports/dashboards centered around DLP content, with the added ability to easily create ad hoc reports, metrics, and dashboard views without having to understand query languages. ICA can assist with policy tuning by monitoring areas where employees are consistently violating policies during the course of getting their job done. Generally, remediation efforts can move from Enforce into ICA, although policy tuning efforts still occur in Enforce. It's easy to classify false positives, and ICA will utilize that information to auto-classify future events.
Thanks, Daryl, for providing some insight from an ICA Sales Engineer standpoint. Please provide me with some whitepapers and case studies when you have the time. I would still like to know, though, some user experience with the product from the consulting side of things. I'm more interested in the positives if someone else here can provide them.