Data Loss Prevention

  • 1.  Combining Web Prevent and Network Monitor (email) in one instance

    Posted Jun 20, 2014 04:02 PM

    Hi everyone!

    I would like to ask for advice regarding combining Web Prevent and Network Monitor (email)/Discover in one instance.

    Currently, we are running two separate instances for historical and legacy reasons (different versions, etc.). We are upgrading the entire environment, and we would like to combine the two environments together. We are running an aggressive 60-day incident purging job, so capacity is not a problem. Incidents are loaded into an external system for triage and escalation. The incidents are processed by the same reviewer team, and both instances use the same custom attribute lookup process, EDMs and a similar set of policies.

    Are there any potential downsides of the combined instance beside the capacity?

    Thanks!

    Alex



  • 2.  RE: Combining Web Prevent and Network Monitor (email) in one instance

    Broadcom Employee
    Posted Jun 20, 2014 06:40 PM

    Hello,

    With 12.5 we now support a single tier deployment for small/medium enterprise. However, we do not support multiple detection channels per server. The reason for this is that when you deploy a detection server, we use the first channel to set the advanced server settings, specifically timeout and memory settings. So if you have more than one detection channel on one server, you will likely run into some issues. For example, on an Endpoint Server we use Filereader settings, but they may not be tuned the same as a Network Monitor or Email Prevent. We are not saying this won't work, but it would be considered an alternative configuration and as such support may not be able to help you with an issue unless it is replicated on a supported configuration. We will always give our best effort to resolve any issue, but I would recommend deploying in a supported configuration.

    Best,

    Ryan



  • 3.  RE: Combining Web Prevent and Network Monitor (email) in one instance

    Posted Jun 23, 2014 12:08 PM

    Hi Ryan,

    Thanks for the reply.

    In our case, we do not plan to share multiple roles on one detection server. There will be dedicated servers for Web Prevent (Blue Coat proxies), Network Monitors (off a SPAN feed) and Network Discover. There are no immediate plans to add any Endpoint monitors for now.

    The plan is to have a single Enforce server (in a failover pair) and a dedicated Oracle database supporting dedicated Detection servers.

    Thanks!

    Alex



  • 4.  RE: Combining Web Prevent and Network Monitor (email) in one instance

    Posted Jun 25, 2014 08:07 AM

    I would not recommend that for a production environment. The settings/values for each detection server have been carefully calibrated by Symantec.

    The volume of data being processed, even in the smallest production environments, is significant. You will certainly expect issues with such a configuration. Moreover, even Symantec may not be in a position to fix this later!



  • 5.  RE: Combining Web Prevent and Network Monitor (email) in one instance

    Posted Jun 25, 2014 10:38 AM

    Hi Denis,

    Thanks a lot for your reply. 

    Let me give a bit more detail. We are not planning to combine multiple Detection server roles on a single server, but to run them on individual nodes. Thus a single Enforce platform would combine Mail, Web and Discover Detection servers, each running a single detection server role.

    Currently, our Mail monitoring and Web Prevent instances generate about ~3000 incidents per day. Neither Enforce appears to be overloaded. I am about to do a detailed performance analysis to see how "hot" they are running in terms of disk, memory and CPU utilization. Also, we are on version 10.5 on one instance and 11.1 on the other, both on Windows. The plan is to upgrade to 12.5 on Linux. We groom incidents older than 60 days on both instances; incident information is transferred internally for triage and follow-up. We have the same reviewer team for Web, Mail and Discover.

    Having a single Enforce platform would save a lot of the management overhead of maintaining two separate instances: a single custom attributes plug-in, EDMs, grooming, Reporting integration, etc.

    Are there any specific performance considerations that we should be concerned with? Any specific performance counters to collect to assess the feasibility of joining two instances in one without performance degradation?

    Thanks!

    Alex