Data Loss Prevention Master Specialization Community


Optimizing Two-tier Detection for Endpoints

May 09, 2012 01:08 AM

Symantec DLP lets you index and fingerprint documents (Indexed Document Matching, IDM) so that it can detect an approximate, percentage-based match against them. However, certain limitations can cause performance concerns when IDM is used on Endpoints, so customers who appreciate the elegance of IDM invariably ask, “How do I leverage IDM on Endpoints?”

First, let’s understand the underlying concern. An IDM index can be very large, which is why Symantec DLP (by design) does not push an IDM profile to Endpoints. Instead, the IDM profile is loaded into the memory of the detection server, and every monitored action on the Endpoint is sent across the network to that server for true match detection. The net result of using IDM on Endpoints is significant network bandwidth consumption. Consider a policy that simply monitors ‘Copy to Removable Storage’, ‘HTTP’ and ‘Print’ with an IDM profile on endpoints. Every time a user copies a file to removable storage, browses an HTTP page or prints something, the underlying data travels over the network to the detection server for scanning. Put simply, if a user copies 1 GB of data to a removable drive, the same 1 GB is transferred over the network to the detection server!

The solution to this issue is optimized two-tier detection, i.e. combining an IDM detection rule with a DCM (Described Content Matching) rule. For example, suppose we have just indexed a financial report containing the following data:

 

 

 

                        Full Year   Full Year      2012 Q1
Revenues                     2010        2011  (unaudited)
Revenues                  $29,321     $37,905      $10,645
  Y/Y Growth Rate             24%         29%          24%
  Q/Q Growth Rate              NA          NA           1%
Business A                $19,444     $26,145       $7,312
  Y/Y Growth Rate             24%         34%          24%
  Q/Q Growth Rate              NA          NA           0%
Business B                 $8,792     $10,386       $2,913
  Y/Y Growth Rate             23%         18%          20%
  Q/Q Growth Rate              NA          NA           1%
Total Revenues            $28,236     $36,531      $10,225
  Y/Y Growth Rate             23%         29%          23%
  Q/Q Growth Rate              NA          NA           1%
Other Revenues             $1,085      $1,374         $420
  Y/Y Growth Rate             42%         27%          56%
  Q/Q Growth Rate              NA          NA           2%
As % of Revenues
  Business A                  66%         69%          69%
  Business B                  30%         27%          27%
  Other Revenues               4%          4%           4%

On evaluating this report, we see that the following keywords are used multiple times:

  • Revenues – 6 times
  • Growth Rate – 10 times
  • Business – 4 times

Thus we may create a policy similar to the one below. DLP will first parse the data on the Endpoint and look for a match on the three keywords; only data that satisfies this keyword match is sent to the detection server for further scanning. In this way a lot of irrelevant data is filtered out at the Endpoint, which optimizes bandwidth utilization. We may tune the DCM detection rule further by configuring the number of times each keyword must be matched, e.g. ‘Revenues’ = 6, ‘Growth Rate’ = 10 and ‘Business’ = 4.

Match “IDM Detection profile”

                 AND

Match “Revenues” + “Growth Rate” + “Business”
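The following is an added example, not code from the post or from Symantec, that simulates the two-tier pipeline in Python: a tier-1 keyword-count filter on the endpoint using the counts above, and a tier-2 approximate match on the server using word-shingle hashes as a simplified stand-in for IDM fingerprints. The indexed document is a constructed text with the same row labels as the report, and all function names are assumptions of this example.

```python
import hashlib
import re

# Constructed stand-in for the indexed report in the post: same row labels, so the keyword
# counts the post gives (Revenues 6, Growth Rate 10, Business 4) hold for this text too.
INDEXED_DOC = "\n".join([
    "Revenues 2010 2011 2012 Q1 (unaudited)", "Revenues $29,321 $37,905 $10,645",
    "Y/Y Growth Rate 24% 29% 24%", "Q/Q Growth Rate NA NA 1%",
    "Business A $19,444 $26,145 $7,312", "Y/Y Growth Rate 24% 34% 24%",
    "Q/Q Growth Rate NA NA 0%", "Business B $8,792 $10,386 $2,913",
    "Y/Y Growth Rate 23% 18% 20%", "Q/Q Growth Rate NA NA 1%",
    "Total Revenues $28,236 $36,531 $10,225", "Y/Y Growth Rate 23% 29% 23%",
    "Q/Q Growth Rate NA NA 1%", "Other Revenues $1,085 $1,374 $420",
    "Y/Y Growth Rate 42% 27% 56%", "Q/Q Growth Rate NA NA 2%", "As % of Revenues",
    "Business A 66% 69% 69%", "Business B 30% 27% 27%", "Other Revenues 4% 4% 4%",
])
# The DCM rule from the post: each keyword must occur at least this many times.
DCM_RULE = {"Revenues": 6, "Growth Rate": 10, "Business": 4}

def dcm_matches(text, rule=DCM_RULE):
    """Tier 1, runs on the endpoint: cheap case-insensitive whole-word keyword counts."""
    return all(len(re.findall(r"\b" + re.escape(kw) + r"\b", text, re.I)) >= n
               for kw, n in rule.items())

def shingles(text, k=3):
    """Hash every k-word window: a simplified stand-in for an IDM fingerprint index."""
    words = text.lower().split()
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 1))}

IDM_INDEX = shingles(INDEXED_DOC)  # built once, on the detection server

def idm_match_percent(text, index=IDM_INDEX):
    """Tier 2, runs on the detection server: % of indexed fingerprints found in text."""
    return 100 * len(shingles(text) & index) // len(index)

def two_tier_scan(events, min_match=80):
    """Forward a monitored event only if tier 1 matches; report verdicts and bytes sent."""
    verdicts, sent, total = {}, 0, 0
    for name, content in events.items():
        total += len(content)
        if not dcm_matches(content):          # filtered on the endpoint, nothing leaves
            verdicts[name] = "dropped at endpoint"
            continue
        sent += len(content)                  # this is the bandwidth the post talks about
        pct = idm_match_percent(content)
        verdicts[name] = "incident" if pct >= min_match else "sent, no IDM match"
    return verdicts, sent, total
```

Raising the keyword counts cuts traffic further, but an edited copy in which a keyword falls below its count is dropped on the endpoint before IDM ever sees it, so check the thresholds against the variants of the document that actually circulate.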

 

Conclusion: Enabling two-tier detection with DCM is the preferred way to leverage the benefits of IDM while still optimizing bandwidth usage for Endpoints.
