To all reading, not all data loss prevention solutions are equal. This company had implemented the Vericept product before my time, and the intent was to monitor for malicious and fraud activities by our Corporate Security arm. Information Security was using it to try to catch information leaving via the internet. So when I started to look at the product I was not at all happy with what I found. Creating appropriate policies was quite cumbersome and easily botched. The filtering and querying of information was rather useless. And the database management was a mess. So I started to evaluate new products. One solution was great at capturing information, but their interface to structured data was iffy. The reporting was horrible. Another solution was also good, but their operations and support were mostly a one-man shop. Then I came to the Symantec DLP/Vontu solution. Of course, discussing and evaluating the product was quite simple since we have a great relationship with Symantec and the support structure is amazing.
I noticed right away that this solution was built from the ground up and its true goal was to prevent data loss. No adding pieces over time and then trying to mold something else into a best-effort DLP attempt. The interface is extremely user friendly, the filtering options are endless, the incident workflow is actually useful, and the reporting is quite useful. The main selling point was that our non-technical Corporate Security team loved it and understood exactly how to use it. In all reality the previous system was just collecting dust. Another point that made the transition a no-brainer is how easy Symantec made it to convert solutions. The price point was lower than before, training and services were included, and the hardware requirements were compatible.
So all we had to do was wipe the servers clean, install the new software, configure, and get running. The installation process went extremely smoothly and happened in less than a day. Both teams met for a day and we were easily able to create all the policies as before, along with using the out-of-the-box policy templates. For us the templates captured exactly what we were looking for. We were running in less than 3 days total, viewing and reporting on incidents.
Now the challenges and tips:
1. Remember to involve IT teams in the decisions and implementation. We did have to procure another server in order to have high availability and redundancy and this was an issue with IT.
2. In order to turn on prevent for email you have to go inline with the prevent portion, and all the mail has to route through these systems. The network team had many concerns with email performance. All worked great through our load balancers though.
3. Spend more time on training. I had online web training and this never works out well. Too many interruptions and loss of focus.
4. EDM indexing requires a custom script to run, so make sure to obtain services to assist with this.
5. Spend a good amount of time learning how to filter incidents and create custom reports and views; this is important to really understand the incidents.
6. The system has a good workflow process for managing incidents. However, you have to define how the flow is going to occur. Make sure to train on this well or it won't be used.
7. Prep management in the beginning on the difference between monitoring incidents and preventing/blocking incidents. If you go at it alone and don't, then you will be stuck on monitoring forever and you won't get buy-in for flipping to prevent mode. The prevent mode is where users will be inconvenienced and you will take heat. You need management buy-in and approval!
Other than that this system is incredible at catching data loss, the best out of any competitor. You will be able to sleep at night. Hope this helps everyone!