DLP Sizing Guidelines
Updated: 03 May 2012 | 8 comments
This issue has been solved. See solution.
Hello,
We have DLP with Network Discover and Endpoint Prevent modules for 500 nodes. I need the sizing and long-term retention (archiving) guidelines, as well as database maintenance guidelines to use in our environment - especially as we've recently purchased an additional 3500 licenses and are very concerned about storage and data retention needs. For our 500 users, the DB size is approaching 150 GB for a period of only about 6 months!!
Any KB article or user manual will be absolutely appreciated.
Thanks.
- Moh
Comments
The system requirements guide
The system requirements guide would be a great place for you to start.
Symantec will release updates to its product (like it did in 11.5) that would require DB maintenance to be performed. Any DB maintenance like applying CPUs is up to your organization.
Data retention is something your organization should sit down and discuss internally, as well as looking at some of the regulatory compliance standards for data retention (for example, PCI).
If you are concerned about storage, I would be more concerned about the policies you have in place and what is taking up that much storage for 500 total users. I would also like to know how many scans you are performing against what size of file systems in order to accumulate that much data. Before you add 3500 users it might be a good time to discuss policies and tune them so that you don't have so much data to work with.
Maybe...
We also have 500 clients and our database hasn't grown a lot since the start. Maybe you mean that the DB is ~150GB? That's the initial size, or at least it was for us.
It started off at 133GB and I believe it's at 142GB now after 6 months.
Longshot but had to share my thoughts.
There's no specific
There are no specific guidelines with regard to DLP database maintenance, but here are a couple of tips that could help:
1- Archive old incidents, then purge them from the database.
2- Set a response rule "Limit Incident Data Retention". This will instruct the system not to keep original messages, as these will increase your database space significantly.
You have two choices.
Hi Mohamad,
You can keep manual or automated backups and purge the old data as per your requirements and internal stds. There is an Oracle DB tool with which you can purge old data. Also, if you have Admin rights you can delete the incident data from the Enforce console. So you have two choices:
1) From the Enforce console (front end)
2) Oracle DB tool (back end - SQL query)
Regards
Kishorilal
No need to run the Oracle cleanup tool.
Hi Kishor,
As per my knowledge, if you delete the incidents from the Symantec Enforce server, the incident data will be purged automatically from the Oracle database, but the Oracle table space couldn't be purged. It will be reused for newer incidents, so there is no need to run the Oracle DB tool or any extra query to purge the database table space. This is Oracle functionality that reuses the table space.
Regards,
Amol Sahare
Few things need to be considered
Hi MD,
I totally agree with Amol. You won't be able to free the space, but you would be able to use it in future, and that will be automatically taken care of by Oracle.
All you have to do is discuss with Sr. Mgt which incidents need to be retained in DLP and which can be disposed of. The strategy we recommend to customers, from an audit point of view, is to keep all the incidents which are either Closed or Escalated (policy-wise), and the rest, like dismissed ones, can be deleted (after the analysis is done). Example: what kind of incidents are getting generated. This will help you tune the policy. You can also consider Web Archiver to keep the incidents as and when required and then delete them from the Oracle/DLP console. The retention period I would suggest is a year. Example: March 31, 2011 to April 1, 2012, and the rest can be deleted.
Deletion can be done through the console (easiest way) or can also be done through Oracle, but there you won't be able to customize (standard: delete all the incidents policy-wise or date-wise).
I hope this information will streamline your process :)
Thanks,
-Syed Hussain
Nice suggestion
Hi Syed,
Nice suggestion you have given. I also agree: as per your internal IT security mgmt and audit req. and data retention strategy, you can purge data from the database.
No matter how you purge, as I provided both ways to do it.
Regards
Kishorilal
Thanks Guys!
Many thanks. All are awesome answers and each has given me a deeper insight into the issue. Really appreciated.
I should re-visit my rules, and Web Archive seems to be an attractive solution to my pains.
-Moh-