Data Loss Prevention

  • 1.  Symantec DLP incident retention

    Posted Jan 04, 2017 02:20 AM

    Hello,

    This is a query on Symantec DLP - we are using Endpoint Prevent for our environment.

    If we have an end-user machine which is not connecting to the network, how long would the incidents be retained on the endpoint?

    (Say there is an employee who does not connect to the corporate network (endpoint server) for a year - will the incidents be logged in Enforce after the machine connects to the network after 1 year?)

    In the above scenario, what will be the maximum data that will show up in incidents? If the user has copied or transferred data up to 100 Gb or 200 Gb during this period, will all of this transfer show in the Enforce console when the machine connects back to the network?

    Thanks.



  • 2.  RE: Symantec DLP incident retention

    Posted Jan 04, 2017 08:53 AM

    interested



  • 3.  RE: Symantec DLP incident retention
    Best Answer

    Broadcom Employee
    Posted Jan 04, 2017 08:54 AM

    The endpoint will store incidents as long as it has space on the hard drive to store them, up to the limit set in the agent config. Incidents for endpoint tend to be small, so you likely won't lose incident data even for long periods of disconnect like you describe.

    Having said that, starting in DLP 12.5, this scenario can be avoided altogether, as the endpoint server is DMZ friendly with the updated communications layer we shipped in 12.5. This allows you to put an endpoint server into the DMZ such that they can get the full benefits of being on the network (and thus communicating with the endpoint server) from the internet. The communication is secured with certificates and is load balancer friendly. Given that DLP is primarily a risk management tool, this would also allow for timely remediation of incidents regardless of where they occur.



  • 4.  RE: Symantec DLP incident retention
    Best Answer

    Posted Jan 05, 2017 11:43 PM

    By default the DLP Agent won't retain the real data that violates the policy (just the incident metadata), so like John said the incidents will take up a very small amount of space and will likely still be available upon rejoining depending on your Agent Configuration settings and how many incidents were generated in that period.