Symantec Data Loss Prevention
TECHNICAL PROPOSAL
Iftikhar Ali Iqbal
https://www.linkedin.com/in/iftikhariqbal/
Table of Contents
Executive Summary
Solution Overview
Common Use Cases
Components
Symantec Data Loss Prevention Enforce Platform
Symantec Data Loss Prevention for Network
Symantec Data Loss Prevention for Endpoint
Symantec Data Loss Prevention for Storage
Symantec Data Loss Prevention for Cloud
Symantec Data Loss Prevention for Mobile
Symantec Data Loss Prevention IT Analytics
High-Level Architecture
Content Detection Technologies
Detection Technology Overview
Exact Data Matching
Indexed Document Matching
Described Content Matching
Vector Machine Learning
Form Recognition
Remediation and Reporting
Operations and Maturity
System Requirements and Recommendations
Deployment Planning Considerations
Minimum Hardware Requirements (Sample)
Single-Tier Deployment for Small/Medium Size Organization
Multi-Tier Deployment for Small/Medium Size Organization
Software Requirements
Enforce and Detection Servers
Symantec DLP Agent
Oracle Database Requirements
Virtual Server Support
Available Suites and Bundles
Executive Summary
Symantec are committed to delivering the technology and expertise required by ‘XXX’ to protect sensitive data
stored throughout the network, thereby reducing the risk of data loss to ensure confidence, demonstrate
compliance and maintain competitive advantage. We are grateful for the opportunity to build a partnership with
‘XXX’ based on this current requirement.
‘XXX’, like many significant companies, are challenged to determine where their most sensitive information is
stored, how it is being used, who has access to it and how to prevent it from being lost or compromised. To
address the risk of data loss, ‘XXX’ are planning to adopt a comprehensive solution that enables them to locate,
monitor and prevent confidential data from being copied or sent outside the company, with automatically
enforced data protection policies.
Considering the nature of the ‘XXX’ workforce, network and partners, it’s not surprising to find data protection
a challenge. With the increase of data mobility and access, it is important that we support ‘XXX’ in understanding
the associated risks. Together we can ensure that security policies required to obtain and retain data protection
are not only implemented but are followed and managed.
Provided within this response are the following:
• Management summary of how Symantec DLP covers key requirements.
• Management summary of our Implementation Methodology.
• Management summary of our key detection technologies.
• Solution options, detailing the schedule of licenses and annual maintenance/support costs.
It is our proposal that Symantec DLP will help ‘XXX’ to understand:
• The location of sensitive information that is exposed in open file shares and desktops
• Quantity and type of confidential and sensitive information that is exiting the network
• Who is transmitting confidential and sensitive information outside the organization
• How much confidential and sensitive data is copied to USB drives and other removable media, and who
is responsible
• The network protocols that carry the most violations
• The business processes that need to have risk reduced
• The regulations and internal policies that are being violated
Developed since 2001, Symantec DLP is the market-leading technology providing data loss prevention solutions.
By building upon Symantec’s long history of innovation and strength in enterprise security solutions, we are
uniquely positioned to help ‘XXX’ answer today’s important questions: where confidential information is stored,
how it is being used, and how best to prevent its loss.
Symantec Data Loss Prevention delivers a proven solution to discover, monitor and protect confidential data
wherever it is stored or used. It enables enterprises to measurably reduce their risk of a data breach,
demonstrate regulatory compliance, and safeguard customer privacy, brand equity and intellectual property.
Additionally, with the integration of Veritas Data Insight, Symantec is the only data loss prevention
solution to deliver an integrated data owner and remediation capability. Unstructured data on shared file
systems is a large source of critical business information, and over-exposed content presents a significant risk
for data breaches. The technology monitors who has accessed or modified individual files, and can notify
information security teams and data owners that data has been exposed.
The 2016 Gartner Magic Quadrant for Content-Aware Data
Loss Prevention report makes Symantec the only 9-time
leader in this quadrant. Data Loss Prevention is the market
leader with a track record of successful customer
deployments at the largest global companies and public
organizations, including over half of the FORTUNE 100.
The Forrester Wave: Data Loss Prevention Suites, Q4 2016
report marks Symantec as a Leader with the highest scores in
Current Offering, Strategy and Market Presence.
Furthermore, the report states that Symantec provides a
comprehensive DLP suite with robust capabilities for
intellectual property protection, information management,
incident management, and encryption support. It also offers
a rich set of capabilities to help firms meet privacy
requirements. Symantec has the most staffing and resources
dedicated to DLP compared with other vendors evaluated in
this Forrester Wave. Symantec continues to innovate in this
space and has strong brand recognition in the DLP market.
Symantec was also marked a Leader in the Forrester
Wave™: Cloud Security Gateways, Q4 2016. This report
covers not only threat detection and fraudulent activities in
the cloud but also the ability to detect, monitor and protect against
leaks of confidential information in cloud platforms. Blue
Coat/Symantec was given the highest score on Current
Offerings and Strategy.
Solution Overview
Symantec Data Loss Prevention delivers a unified solution to discover, monitor, and protect confidential
data wherever it is stored or used. It is built on a structured, risk-based approach to develop, tune, and
expand policies and protection, effectively remediate violations, monitor metrics to demonstrate
decreased data loss risk, and consistently make employees aware of the company’s information security
policies and their role in safeguarding confidential data. It requires a firm foundation of security
governance to guide the program and ensure these elements are working effectively together.
The following summarizes all Symantec Data Loss Prevention components:
Common Use Cases
The below table shows which product or module is appropriate for protecting the storage or movement of
sensitive data in various scenarios.
Use Case: Information stored in on-premises and cloud collaboration platforms, shared servers, and data repositories
Symantec Data Loss Prevention Module: Network Discover, Cloud Storage Discover, Network Protect (Data Loss Prevention for Storage), Veritas Data Insight

Use Case: Information exiting the network by cloud email
Symantec Data Loss Prevention Module: Cloud Prevent for Email and Cloud Service for Email

Use Case: Information exiting the network by email, web mail, or other Internet protocols
Symantec Data Loss Prevention Module: Network Monitor, Network Prevent for Email, and Network Prevent for Web (Data Loss Prevention for Network)

Use Case: Information exiting mobile devices by corporate email, web mail, web posts, or mobile applications
Symantec Data Loss Prevention Module: Symantec Data Loss Prevention for Mobile

Use Case: Information exiting endpoints to cloud storage applications; by USB, CD/DVD, network protocols, and popular email applications; from the Clipboard; to and from network shares; stored on Windows and Mac endpoints; and all while on or off the corporate network
Symantec Data Loss Prevention Module: Endpoint Discover and Symantec Data Loss Prevention Endpoint Prevent (Data Loss Prevention for Endpoint)

Use Case: Advanced reporting capabilities
Symantec Data Loss Prevention Module: Symantec Data Loss Prevention IT Analytics
Components
Symantec Data Loss Prevention Enforce Platform
The Enforce Platform is the central web-based management console and incident repository that is included
with Symantec Data Loss Prevention. It is where you define, deploy and enforce data loss policies, respond to
incidents, analyze and report policy violations, and perform system administration.
Symantec Data Loss Prevention for Network
• Network Monitor inspects all ‘XXX’ network communications for sensitive data.
• Network Prevent for Email redirects, quarantines, or stops outbound messages containing sensitive data.
• Network Prevent for Web stops or removes sensitive data from outbound Web communications.
Symantec Data Loss Prevention for Endpoint
• Endpoint Discover scans for sensitive data stored on laptops and desktops to inventory, secure, or relocate
the data. It monitors and blocks confidential data from being transferred, sent, copied, or printed by ‘XXX’
desktop or laptop users.
• Endpoint Prevent monitors and blocks confidential data from being transferred, sent, copied, or printed by
desktop or laptop users.
Symantec Data Loss Prevention for Storage
• Network Discover identifies sensitive data exposed on ‘XXX’ file servers, collaboration platforms, websites,
desktops, laptops, and other data repositories.
• Network Protect remediates exposure of sensitive data.
• Typically residing in the data center, Data Insight collects information on top file users as well as complete
file access history to help determine who owns the data. It also provides visualization of access permissions.
Data Insight integrates with Network Discover to display data owner and access details in Symantec DLP
storage incident snapshots. Symantec resells Data Insight from Veritas for use with Symantec Data Loss
Prevention only.
Symantec Data Loss Prevention for Cloud
• DLP Cloud Service for Email combines our industry-leading DLP and email security into a single, convenient
cloud-based service hosted by Symantec. It catches more sensitive data before it leaves your cloud email
services such as Microsoft Office 365 and Gmail for Business with real-time monitoring that leverages
advanced and accurate content-aware detection; it also stops malware, spam, and malicious links from
getting into users’ inboxes with Symantec Skeptic heuristic technology and Real-Time Link Following.
• DLP Cloud Prevent for Office 365 provides accurate, real-time monitoring and prevention of data in motion,
and seamless integration with Symantec Email Security.cloud to ensure mail delivery. It also gives you the
flexibility to deploy in a public cloud environment such as Rackspace or Microsoft Azure.
• DLP for Cloud Storage provides powerful content discovery capabilities so you can easily scan Box Business
and Enterprise accounts and understand what sensitive data is being stored, how it’s being used, and with
whom it’s being shared. Cloud Storage even engages users to self-remediate policy violations by placing
visual tags on Box files and enabling incident remediation from an intuitive online portal, the Symantec DLP
Self-Service Portal.
Symantec Data Loss Prevention for Mobile
• Mobile Email Monitor detects confidential email downloaded by ‘XXX’ users to iPads, iPhones, and now
Android devices over the Microsoft Exchange ActiveSync protocol.
• Mobile Prevent monitors and protects outbound network communications sent from the native mail client,
browser and other apps (e.g., Dropbox, Facebook) on iPads and iPhones.
Symantec Data Loss Prevention IT Analytics
Symantec Data Loss Prevention IT Analytics is an advanced reporting and analytics module. On a scheduled basis,
it extracts the data contained within the Symantec Data Loss Prevention database(s) into summarized tables
that span most of the Symantec Data Loss Prevention functions such as audit information, incident remediation,
agent health, Discover scans, policy changes, and so on. It also provides an easy-to-use, pivot-table-like interface
to create ad-hoc, multi-dimensional, graphical or tabular reports, scorecards, and dashboards. In addition, it
provides features to analyze the data, such as data drill-downs, filtering, and custom formulas.
High-Level Architecture
The following illustrates the physical architecture of Symantec Data Loss Prevention, including where in the
network the various products reside. The Network products reside in the DMZ, the Endpoint product can reside
in the DMZ or within the corporate LAN, while the other products reside within the corporate LAN or data center.
All products are server-based except for the Endpoint products; these use both a server component (Data Loss
Prevention Endpoint Server) and a DLP Agent (Data Loss Prevention Endpoint Agents).
Along with the environment components required, a condensed version of the architecture is below.
The Enforce Server is the central management platform which will be used to define, deploy, and
enforce data loss prevention and security policies. The Enforce Server administration console provides
a centralized, Web-based interface for deploying detection servers, authoring policies, remediating
incidents, and managing the system.
The Network Monitor captures and analyzes traffic on your network through the SPAN/TAP port,
detecting confidential data and significant traffic metadata over protocols you specify, for example
SMTP, FTP, HTTP, and various IM protocols. You can configure a Network Monitor Server to monitor
custom protocols and to use a variety of filters (per protocol) to filter out low-risk traffic.
The Network Prevent for Web Server integrates with an HTTP, HTTPS, or FTP proxy server using ICAP
for in-line active Web request management. If it detects confidential data in Web content, it causes
the proxy to reject requests or remove HTML content as specified in your policies.
The Network Prevent for Email monitors and analyzes outbound email traffic in-line and (optionally)
blocks, redirects, or modifies email messages as specified in your policies. Network Prevent for Email
integrates with industry-standard mail transfer agents (MTAs) and hosted email services to let you
monitor and stop data loss incidents over SMTP. Policies that are deployed on the Network Prevent
for Email Server direct the Prevent-integrated MTA or hosted email server. The Prevent-integrated
mail server blocks, reroutes, and alters email messages based on specific content or other message
attributes.
Endpoint Prevent and Endpoint Discover both apply Data Loss Prevention policies to protect your
sensitive or at-risk data. Sensitive or at-risk data can include credit card numbers or names, addresses,
and identification numbers. You can configure both products to recognize and protect the files that
contain sensitive data. Endpoint Prevent stops sensitive data from moving off endpoints, and Endpoint
Discover examines the local fixed drives of an endpoint and locates every file that contains
information that matches a policy.
The Network Discover/Cloud Storage Discover locates exposed confidential data by scanning a broad
range of enterprise data repositories. These data repositories include Box cloud storage, file servers,
databases, Microsoft SharePoint, IBM (Lotus) Notes, Documentum, Livelink, Microsoft Exchange, Web
servers, and other data repositories. Symantec Data Loss Prevention Network Protect reduces your
risk by removing exposed confidential data, intellectual property, and classified information from
open file shares on network servers or desktop computers.
Additionally, with Veritas Data Insight (separate solution offered by Veritas), users can monitor file
access to automatically identify the data user of a file based on the access history. The usage
information then automatically enters into the incident detail of files that violate Symantec Data Loss
Prevention policies. This method enables users to identify sensitive data along with the responsible
users to enable more efficient remediation and data management.
The Mobile Email Monitor monitors corporate emails that are sent through Microsoft Exchange
ActiveSync and downloaded to the native email client on supported mobile devices.
The Mobile Prevent monitors email, Web, and application communications from mobile devices to
prevent sensitive information from leaving your organization. After the connection to the corporate
network is established, all network traffic is sent to the Mobile Prevent for Web Server for analysis. In
this way, you can protect your organization's sensitive information while allowing mobile device users
to access sites and apps such as Facebook, Dropbox, and Twitter.
To provide data loss prevention for Microsoft Office 365, with Symantec there are two methodologies
available:
Symantec Cloud Prevent for Office 365 monitors and analyzes outbound email traffic in-line and can
block, redirect, or modify email messages as specified in your policies. Cloud Prevent for Email
integrates with your Data Loss Prevention Enforce Server administration console and with Symantec
Email Security.cloud and Microsoft Office 365 Exchange. You manage the Cloud Prevent for Email
Servers that are installed in a public cloud, such as Rackspace, Microsoft Azure, or Amazon Web
Services. Symantec Email Security.Cloud is only used as an MTA for final delivery of the emails.
Symantec Cloud Service for Email monitors and analyzes outbound Microsoft Office 365 Exchange or
Gmail email traffic and can block, redirect, or modify email messages with antispam and antimalware
functionality from Symantec Email Security.Cloud. Cloud Provisioning is directly provided by
Symantec.
Content Detection Technologies
To prevent data loss, it is necessary to accurately detect all types of confidential data wherever the data is stored,
copied, or transmitted. Without accurate detection, data security systems generate numerous false positives
(messages or files identified as violations that are not actually violations), as well as false negatives (messages
or files not identified as policy violations that are violations). False positives create high costs in time and
resources required to further investigate and resolve apparent incidents. False negatives obscure gaps in
security by allowing data loss and the potential for financial losses, legal exposure, and damage to the
organization’s reputation.
Detection Technology Overview
To ensure the highest accuracy, Symantec Data Loss Prevention employs five main types of detection
technologies:
• Exact Data Matching (EDM)
• Indexed Document Matching (IDM)
• Described Content Matching (DCM)
• Vector Machine Learning (VML)
• Form Recognition – This requires an additional purchase
Exact Data Matching
Exact Data Matching (EDM) protects customer and employee data, as well as other structured data that is
generally stored in a database. For example, a customer could write a policy using EDM detection that looks for
any three of First Name, Last Name, SSN, Account Number, or Phone Number occurring together in a message
and corresponding to a record from the customer database. EDM technology is designed to scale to very large
data sets and is currently protecting over 300 million customer records on a single server at each of several
customer deployments. Additionally, on a single server, Symantec has tested EDM on a database of 500 million
rows of data, each with four columns, for a total of two billion individual data elements. This capacity scales
linearly with additional servers.
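The "any three of five fields from one record" rule described above can be illustrated as follows. This is an added example, not Symantec's implementation or code from the proposal; the record values, the HMAC-keyed cell index and the tokenizer are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample data; a real index would be built from a database export.
COLUMNS = ("first_name", "last_name", "ssn", "account", "phone")
RECORDS = [
    ("Alice", "Nguyen", "000-12-3456", "0042917", "555-010-2233"),
    ("Robert", "Okafor", "000-98-7654", "0078124", "555-010-7788"),
]
INDEX_KEY = b"constructed-demo-key"  # assumption: cells are stored as keyed hashes


def normalize(value):
    """Digits only for numeric fields, lowercase letters for names."""
    if any(ch.isdigit() for ch in value):
        return re.sub(r"\D", "", value)
    return re.sub(r"[^a-z]", "", value.lower())


def cell_hash(value):
    """Keyed hash of a normalized cell, so the index holds no cleartext."""
    digest = hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256)
    return digest.hexdigest()


def build_index(records):
    """Map hash(cell) -> {(row_id, column)} for every cell of every record."""
    index = defaultdict(set)
    for row_id, row in enumerate(records):
        for column, value in zip(COLUMNS, row):
            index[cell_hash(value)].add((row_id, column))
    return index


# Words, or digit groups joined by '-' or '.' (SSN and phone formatting).
TOKEN_RE = re.compile(r"[A-Za-z]+|\d+(?:[-.]\d+)*")


def detect(message, index, min_fields=3):
    """Return {row_id: matched columns} for rows with >= min_fields distinct hits.

    Hits are counted per record: three fields taken from three different
    customers do not add up to a match, which is what keeps false positives low.
    """
    hits = defaultdict(set)
    for token in TOKEN_RE.findall(message):
        for row_id, column in index.get(cell_hash(token), ()):
            hits[row_id].add(column)
    return {row: sorted(cols) for row, cols in hits.items() if len(cols) >= min_fields}


if __name__ == "__main__":
    idx = build_index(RECORDS)
    for text in (
        "Please update Alice Nguyen, SSN 000-12-3456, before Friday.",
        "Alice called about account 0078124 from 555-010-7788.",
        "Robert Okafor will attend.",
    ):
        print(detect(text, idx), "<-", text)
```
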
Indexed Document Matching
Indexed Document Matching (IDM) ensures accurate detection of unstructured data stored in the form of
documents such as Microsoft Word and PowerPoint files, PDF documents, design plans, source code files,
CAD/CAM images, financial reports, mergers and acquisition documents, and other sensitive or proprietary
information. IDM creates document fingerprints to detect extracted portions of the original document, drafts,
or different versions of protected documents, as well as exact matches against the binary content. Symantec
Data Loss Prevention IDM also provides the ability to "white list" content such as standard boilerplate text to
reduce false positives. On a single server, Symantec has successfully created and detected with IDM fingerprints
of over two million documents. As with EDM, the capacity to scale increases linearly with additional servers.
Described Content Matching
Described Content Matching (DCM) delivers a high degree of accuracy and is most useful when it is impossible
or impractical to get a copy of the information for indexing, or when the precise content is unknown but readily
described. DCM works with both structured and unstructured data, using Data Identifiers, keywords, lexicons,
pattern matching, file types, file sizes, sender, recipient, user name, endpoint user groups (for Endpoint Prevent),
and network protocol information entered into the Enforce Platform by the user to detect data loss incidents.
Vector Machine Learning
Recently, a new category of DLP detection technology has emerged that enables organizations to use software
that learns to detect the types of confidential data that require protection. Through training, this approach
continuously improves the accuracy and reliability of finding sensitive information. By applying the concept of
machine learning to DLP, Vector Machine Learning (VML) helps to quickly and efficiently protect IP and
confidential information among increasing amounts of unstructured data.
Vector Machine Learning has specific advantages that complement existing describing and fingerprinting
technologies, improving the ability of organizations to protect sensitive information, especially for unstructured
data that resides in highly dispersed and diverse locations, such as:
• Automated processes help streamline set up and management – By automating the policy definition and
tuning process, VML significantly reduces staff time required to set up and maintain DLP technologies. Since
training requires only examples of data to be protected, setup can be achieved quickly and efficiently. Many
manual tasks such as maintaining keyword lists or trying to collect all data for fingerprinting are eliminated,
and the incidence of false positives and tuning is minimized as the technology learns to recognize targeted
information and improves in accuracy over time.
• Dynamic learning improves Accuracy and Timely Protection – Much like zero-day protection with antivirus
software, Vector Machine Learning is capable of delivering “zero-day protection” for confidential data with
the accuracy of fingerprinting. The dynamic learning characteristics of VML make it possible to recognize
newer or never seen before information more easily and accurately and therefore provide coverage for
sensitive data that has yet to be created. Given the accelerating growth of unstructured data, therefore,
VML complements the content analysis of both fingerprinting and described content technologies to
enhance enforcement of DLP policies.
Form Recognition
With Symantec DLP Form Recognition, you can protect data stored in images of handwritten and typed forms
such as tax returns, insurance claims, patient forms or any form that might contain PII. DLP Form Recognition is
a new content detection technology that leverages intelligent image processing to catch and stop confidential
data that would otherwise go undetected in scanned or photographed forms.
Symantec Data Loss Prevention analyzes the features of your blank forms and stores the results as key points in
the Form Recognition profile. This process is called indexing. Then the detection server compares images in
network traffic or stored in data repositories to the forms you have indexed. The extent to which the detected form
matches key points in the indexed blank form is called the alignment.
The comparison between the detected image and the indexed blank form also allows Symantec Data Loss
Prevention to determine how much of the form has been filled in.
Form Recognition works with Network Monitor, Network Prevent for Email, Network Prevent for Web, Network
Discover and Network Protect.
Remediation and Reporting
The Enforce Platform includes robust reporting and incident workflow features to support effective incident
remediation. It has a fully customizable workflow that allows you to build any kind of remediation and detection
process needed. The user interface allows you to define various case management statuses that indicate an
incident’s position within the workflow. Typically, customers choose status flag names that are customized to
their own internal processes like: “Escalated to Security & Risk”, “To be reviewed by HR”, or “Dismissed due to
Broken Business Process”.
The user interface is web-based and extremely easy to use for non-IT users, containing all information relevant
to a business user for diagnosing and responding to an incident. The Incident Snapshot provides highlighted
violation information from any attachment or message content. This makes it easy to see where the violation
exists within the message transmission, as well as the specific data that was put at risk (such as specific Credit
Card numbers). Additionally, the Incident Snapshot contains a clear indication of calculated severity as well as
the total match count (for example, the number of customer records exposed).
Workflow can be established through the use of incident work queues for each role. Each queue contains
incidents for which a given user is responsible for processing. A very simple workflow would work as follows: A
first responder work queue may include all incidents of status "New". A manager may have a work queue with
incidents of status "Escalated". An investigator may see incidents of status "Investigation Required". To pass an
incident between roles, the status is changed and the incident passes between queues.
More complex workflows also include segmentation by business unit, such that work queues include only
incidents of the specified status from senders in the specified business unit.
Symantec DLP Solution Packs deliver out-of-the-box industry best practices for incident response and
remediation. Functionality includes:
• Industry-focused detection policies like PCI, Data Protection Regulations, etc.
• All commonly used automatic response rules such as notifications, escalate to forensics, set incident
reason codes, send syslog event, and so on
• Pre-configured workflow and roles, including role-based risk reports
• Defined custom attributes and statuses
Symantec DLP reporting functionality includes the ability to view, save, and create custom dashboards for
executive-level reporting. Dashboards can combine up to six portlets (each summarizing an out-of-the-box
system report or custom saved report), presenting data on network, storage, and endpoint incidents in a single
dashboard. Each report within the dashboard is hyperlinked so users can drill down to the summarized reports
directly from the dashboard.
Dashboards, like all other reports in the system, can be defined as either personal reports or role-based reports.
There are over 40 pre-configured reports to help customers manage their information risk. These allow them to
meet compliance requirements, assess business risk, provide oversight and manage remediation operations,
whilst viewing trends across business units within the organization.
Operations and Maturity
Symantec’s recommendation for long-term, sustainable data protection is that the client commit to an
enterprise-wide initiative, involving people, processes and technology, to address data security risk head-on.
With the decision made to address this risk, the client needs a clearly defined plan for success, with specific
steps, tasks, resources, and objectives to reach their short and long term goals.
The maturity of Symantec’s DLP technology and the expertise of our Specialist partners ensure the DLP program
is effective and successful. We have developed an impressive set of best practices gained through 1100
Symantec DLP deployments across a wide variety of customer environments and industry verticals.
Together with specialist partners we ensure the project team contains the right mix of people, processes and
technology, with the right application of that mix across six project phases. Companies that have followed this
methodology and leveraged the Symantec expertise and best practices have consistently achieved measurable
risk reduction within 90 days.
Comprehensive, clearly-defined, business-focused DLP programs achieve greater risk reduction, faster and with
fewer resources, by integrating Symantec DLP into their existing security program and leveraging the software
to promote enterprise-wide initiatives that drive change across the organization. These successful programs
share five common attributes:
• Executive level involvement. Support to protect data and change business processes and employee
behavior must come from the top.
• A prioritized approach. Confidential data can take many forms and be anywhere in an organization;
targeting the most critical data first proves value immediately.
• Business owner involvement. The information needed to identify new threats, keep policies current,
and fix broken business processes must come from those closest to the data.
• A trained Incident Response Team (IRT). Clearly defined roles, responsibilities, and procedures drive
consistency and organizational buy-in.
• Employee education. Visibility into employee behavior allows focused training on primary risk areas,
and real-time enforcement of company data protection policies promotes a culture of security.
In the first two phases – Planning and Deployment – the goal is to lay the groundwork and infrastructure for
long term success. This is the most critical period in your DLP rollout, because your success in the future will
depend on the work completed here. In the first two phases you will ensure that:
 Your most critical data is identified and protected
 Your system is deployed, operational, and providing maximum coverage based on your goals
 Policies are correctly configured to capture incidents of interest and minimize false positives
 Incident responders are trained, and fully prepared to address policy violations
 Employees are aware of their data protection responsibilities
The further four Risk Reduction phases – Baseline, Remediation, Notification, and Prevent/Protect – are where
the client achieves and measures results. In these phases you will:
 Fine-tune policies
 Identify and change business processes contributing to risk
 Expand, modify, and automate remediation efforts to achieve the greatest impact with the fewest
resources
 Begin real-time notification to employees when their actions cause risk
 Prevent and protect critical data from leaving the organization without impacting business as usual
 Collect specific metrics to demonstrate and document risk reduction over time.
By way of an example, a typical project comprises addressing a high-risk area of the network, namely the web
gateway. The modules deployed in this phase will enable a client to inspect all network communications.
Protocols covered include email (SMTP), web (HTTP), instant messaging (IM), file transfers (FTP), and all other
TCP sessions over any port.
Once deployed and operational with these modules, our client should address the major business process issues
and change employee behavior through notifications, so that the risk of disrupting business by blocking
communications or moving files is minimal. The next phase of further modules increases the prevention and
protection capabilities.
After progressing through the six phases of a best practice DLP deployment, our client can be confident that:
 Their initial policies are successfully protecting the organization’s confidential information from leaving
via the Web
 They have built good working relationships between the Security Team and the line of business owners
and are working to address the faulty business processes uncovered by the Symantec DLP solution
 They have leveraged auto-notification to change employee behavior, and
 They have solid metrics to demonstrate their results.
With the success of this first deployment, our client should be well positioned to continue expanding policy and
exit/exposure point coverage and driving their organization’s DLP risk down.
System Requirements and Recommendations
Symantec provides a separate Requirements and Compatibility Guide. Before implementation, please check for
the latest available guide at https://support.symantec.com/en_US/article.DOC9256.html.
Deployment Planning Considerations
Installation planning and system requirements for Symantec Data Loss Prevention depend on:
 The type and amount of information you want to protect
 The amount of network traffic you want to monitor
 The size of your organization
 The type of Symantec Data Loss Prevention detection servers you choose to install
These factors affect both:
 The type of installation tier you choose to deploy (three-tier, two-tier, or single-tier)
 The system requirements for your Symantec Data Loss Prevention installation
The effect of scale on system requirements
Some system requirements vary depending on the size of the Symantec Data Loss Prevention software
deployment. Determine the size of your organization and the corresponding Symantec Data Loss Prevention
deployment using the information in this section.
The key considerations in determining the deployment size are as follows:
 Number of employees to be monitored
 Amount of network traffic to monitor
 Size of Exact Data Match profile (EDM) or Indexed Data Match profile (IDM)
 Size of your Form Recognition profile
The table in the next section outlines two sample deployments based on enterprise size. Review these
sample deployments to understand which best matches your organization’s environment.
Minimum Hardware Requirements (Sample)
All Symantec Data Loss Prevention servers must meet or exceed the minimum hardware specifications and run
on one of the supported operating systems. If the Oracle database for Symantec Data Loss Prevention is installed
on a dedicated computer (a three-tier deployment), that system must meet its own set of system requirements.
The following provides examples of hardware sizing for small/medium size infrastructure on a single-tier and
multi-tier deployment.
Single-Tier Deployment for Small/Medium Size Organization
Item: Description
Processor: 8-core 2.5 GHz CPU
Memory: 64 GB RAM
Disk: 3 TB, RAID 5 configurations (with a minimum of five spindles)
NICs: 1 copper or fiber 1 Gb Ethernet NIC (if you are using Network Monitor you will need a minimum of two NICs)
Multi-Tier Deployment for Small/Medium Size Organization
Processor
  Enforce Server: 4-core 3.0 GHz CPU
  Network Monitor: 4-core 3.0 GHz CPU
  Network Discover/Cloud Storage Discover, Network Prevent, Cloud Prevent for Email, Mobile Email Monitor, Mobile Prevent or Endpoint Prevent: 4-core 3.0 GHz CPU
Memory
  Enforce Server: 8–10 GB RAM (EDM/IDM and Form Recognition profile size can increase memory requirements. Two-tier deployments may require additional memory for running Oracle.)
  Network Monitor: 6–8 GB RAM (EDM/IDM and Form Recognition profile size can increase memory requirements.)
  Network Discover/Cloud Storage Discover, Network Prevent, Cloud Prevent for Email, Mobile Email Monitor, Mobile Prevent or Endpoint Prevent: 6–8 GB RAM (EDM/IDM and Form Recognition profile size can increase memory requirements.)
Disk
  Enforce Server: 500 GB, RAID 1+0 or RAID 5 configuration is recommended. RAID 5 is not recommended for computers that host the Oracle database. For Network Discover/Cloud Storage Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
  Network Monitor: 140 GB
  Network Discover/Cloud Storage Discover, Network Prevent, Cloud Prevent for Email, Mobile Email Monitor, Mobile Prevent or Endpoint Prevent: 140 GB. For Network Discover/Cloud Storage Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
NICs
  Enforce Server: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.
  Network Monitor: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.
  Network Discover/Cloud Storage Discover, Network Prevent, Cloud Prevent for Email, Mobile Email Monitor, Mobile Prevent or Endpoint Prevent: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.
Software Requirements
Enforce and Detection Servers
Symantec Data Loss Prevention servers can be installed on a supported Linux or Windows operating system.
Different operating systems can be used for different servers in a heterogeneous environment.
Symantec Data Loss Prevention supports the following 64-bit operating systems for Enforce Server and detection
server computers:
 Microsoft Windows Server 2008 R2 SP1, Enterprise/Standard Edition
 Microsoft Windows Server 2012, Datacenter/Standard Edition
 Microsoft Windows Server 2016, Database/Standard Edition (Oracle Database not supported)
 Red Hat Linux 6.6 through 6.8
 Red Hat Linux 7.1 and 7.2
Symantec DLP Agent
Symantec DLP Agents can be installed on computers running any of the following operating systems:
 Microsoft Windows Server 2008 Enterprise or Standard Editions R2 (64-bit)
 Microsoft Windows Server 2012 R2 Datacenter, Standard, Essential, or Foundation Editions (64-bit,
Desktop mode only)
 Microsoft Windows 7 Enterprise, Professional, or Ultimate, including Service Pack 1 (32-bit or 64-bit)
 Microsoft Windows 8 Enterprise 64-bit
 Microsoft Windows 8.1 Enterprise, Pro 64-bit
 Microsoft Windows 8.1 Update 1x Enterprise, Pro 64-bit
 Microsoft Windows 8.1 Update 2 Enterprise, Pro 64-bit
 Microsoft Windows 8.1 Update 3 Enterprise, Pro 64-bit
 Microsoft Windows 10 Update 1511 Enterprise, Pro 64-bit
 Microsoft Windows 10 Anniversary Update Enterprise, Pro 64-bit
 Apple macOS 10.9, 10.10, 10.11, 10.12
Oracle Database Requirements
Symantec Data Loss Prevention requires Oracle 11g Standard Edition (or Standard Edition One) version 11.2.0.4
(64-bit) with the most recent Critical Patch Update. Symantec provides Oracle 11g with Data Loss Prevention.
Symantec only supports the Standard Edition and the Standard Edition One of the Oracle database, but the
Symantec Data Loss Prevention database schema is supported on all editions of Oracle.
You can install Oracle on a dedicated server (a three-tier deployment) or on the same computer as the Enforce
Server (a two-tier or single-tier deployment):
 Three-tier deployment – System requirements for a dedicated Oracle server are listed below. Note that
dedicated Oracle server deployments also require that you install the Oracle 11g Client on the Enforce
Server computer to communicate with the remote Oracle 11g instance.
 Single- and two-tier deployments – When installed on the Enforce Server computer, the Oracle system
requirements are the same as those of the Enforce Server.
If you install Oracle 11g on a dedicated server, that computer must meet the following minimum system
requirements for Symantec Data Loss Prevention:
 One of the following operating systems:
o Microsoft Windows Server 2008 R2 Standard or Enterprise (64-bit)
o Microsoft Windows Server 2008 R2 SP1 Standard or Enterprise (64-bit)
o Microsoft Windows Server 2012 R2 Standard, Enterprise, or Datacenter (64-bit)
o Red Hat Enterprise Linux 6.6 through 6.8 (64-bit)
o Red Hat Enterprise Linux 7.1 and 7.2 (64-bit)
 6 GB of RAM
 6 GB of swap space (equal to RAM up to 16 GB)
 500 GB – 1 TB of disk space for the Enforce database
Virtual Server Support
Symantec supports running Symantec Data Loss Prevention servers on VMware ESXi 5.x, VMware ESXi 6.x, and
Windows Hyper-V virtualization products, provided that the virtualization environment is running a supported
operating system.
At a minimum, ensure that each virtual server environment matches the system requirements for servers
described in this document.
Consider the following support information when configuring a virtual server environment:
 Endpoint Prevent servers are supported only for configurations that do not exceed the recommended
number of connected agents.
 Symantec does not support running the Oracle database server on VMware ESXi 5.x, VMware ESXi 5.x, and
VMware ESX 6.x virtual hardware. If you deploy the Enforce Server to a virtual machine, you must install
the Oracle database using physical server hardware.
 Symantec supports running the Enforce Server and Oracle database server in a Windows Hyper-V
environment.
 Symantec does not support running the Network Monitor or Mobile Prevent for Web detection servers on
virtual machines.
 Symantec does not support Single Server installations on virtual machines.
A variety of factors influence virtual machine performance, including the number of CPUs, the amount of
dedicated RAM, and the resource reservations for CPU cycles and RAM. The virtualization overhead and guest
operating system overhead can lead to a performance degradation in throughput for large datasets compared
to a system running on physical hardware. Use your own test results as a basis for sizing deployments to virtual
machines.
You can deploy the DLP Agent on Citrix and VMware virtual machines.
Available Suites and Bundles
As of Symantec Data Loss Prevention 14.6, the following suites and bundles are offered:
 DLP ENTERPRISE SUITE
o Network Monitor
o Network Prevent for Email
o Network Prevent for Web
o Network Discover
o Network Protect
o Endpoint Discover
o Endpoint Prevent
o Mobile Email Monitor
o Mobile Prevent
 DLP DISCOVER SUITE
o Network Discover
o Network Protect
 NETWORK PRODUCTS
o Network Monitor
o Network Prevent for Email
o Network Prevent for Web
 STORAGE PRODUCTS
o Network Discover
o Network Protect
 ENDPOINT PRODUCTS
o Endpoint Discover
o Endpoint Prevent
 CLOUD PRODUCTS
o Cloud Prevent for Microsoft Office 365 Exchange
o Cloud Storage (for Box)
 MOBILE PRODUCTS
o Mobile Prevent
o Mobile Email Monitor
 DETECTION
o Form Recognition
 VERITAS PRODUCTS
o Veritas Data Insight
o Veritas Data Insight SelfService Portal
Symantec resells Oracle Standard Edition One and Standard Edition licenses on a per CPU (Processor) basis:
 Oracle Standard Edition One is available for a single server with up to 2 Processors.
 Oracle Standard Edition, which adds Oracle Real Application Clusters, is available for single or clustered
servers with up to 4 Processors.
Symantec Endpoint Protection vs Sophos Endpoint Protection (Competitive Analy...
Iftikhar Ali Iqbal
 
Symantec Portfolio - Sales Play
Symantec Portfolio - Sales PlaySymantec Portfolio - Sales Play
Symantec Portfolio - Sales Play
Iftikhar Ali Iqbal
 

More from Iftikhar Ali Iqbal (16)

McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportMcAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Docu...
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Docu...McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Docu...
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Docu...
 
McAfee - McAfee Application Control (MAC) - Whitelisting - Techbook
McAfee - McAfee Application Control (MAC) - Whitelisting - TechbookMcAfee - McAfee Application Control (MAC) - Whitelisting - Techbook
McAfee - McAfee Application Control (MAC) - Whitelisting - Techbook
 
McAfee - McAfee Application Control (MAC) - Whitelisting - Proposal
McAfee - McAfee Application Control (MAC) - Whitelisting - ProposalMcAfee - McAfee Application Control (MAC) - Whitelisting - Proposal
McAfee - McAfee Application Control (MAC) - Whitelisting - Proposal
 
McAfee - McAfee Application Control (MAC) - Whitelisting
McAfee - McAfee Application Control (MAC) - WhitelistingMcAfee - McAfee Application Control (MAC) - Whitelisting
McAfee - McAfee Application Control (MAC) - Whitelisting
 
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEM
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB)
 
McAfee - Portfolio Overview
McAfee - Portfolio OverviewMcAfee - Portfolio Overview
McAfee - Portfolio Overview
 
Technology Overview - Validation & ID Protection (VIP)
Technology Overview - Validation & ID Protection (VIP)Technology Overview - Validation & ID Protection (VIP)
Technology Overview - Validation & ID Protection (VIP)
 
Technology Overview - Symantec IT Management Suite (ITMS)
Technology Overview - Symantec IT Management Suite (ITMS)Technology Overview - Symantec IT Management Suite (ITMS)
Technology Overview - Symantec IT Management Suite (ITMS)
 
Technology Overview - Symantec Endpoint Protection (SEP)
Technology Overview - Symantec Endpoint Protection (SEP)Technology Overview - Symantec Endpoint Protection (SEP)
Technology Overview - Symantec Endpoint Protection (SEP)
 
Symantec Endpoint Encryption - Proof Of Concept Document
Symantec Endpoint Encryption - Proof Of Concept DocumentSymantec Endpoint Encryption - Proof Of Concept Document
Symantec Endpoint Encryption - Proof Of Concept Document
 
Symantec Messaging Gateway - Technical Proposal (General)
Symantec Messaging Gateway - Technical Proposal (General)Symantec Messaging Gateway - Technical Proposal (General)
Symantec Messaging Gateway - Technical Proposal (General)
 
Symantec Endpoint Protection vs Sophos Endpoint Protection (Competitive Analy...
Symantec Endpoint Protection vs Sophos Endpoint Protection (Competitive Analy...Symantec Endpoint Protection vs Sophos Endpoint Protection (Competitive Analy...
Symantec Endpoint Protection vs Sophos Endpoint Protection (Competitive Analy...
 
Symantec Portfolio - Sales Play
Symantec Portfolio - Sales PlaySymantec Portfolio - Sales Play
Symantec Portfolio - Sales Play
 

Recently uploaded

Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 

Recently uploaded (20)

Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 

Symantec Data Loss Prevention - Technical Proposal (General)

  • 1. Symantec Data Loss Prevention TECHNICAL PROPOSAL Iftikhar Ali Iqbal https://www.linkedin.com/in/iftikhariqbal/
  • 2. Table of Contents
      • Executive Summary (p. 3)
      • Solution Overview (p. 5)
      • Common Use Cases (p. 5)
      • Components (p. 6)
      • Symantec Data Loss Prevention Enforce Platform (p. 6)
      • Symantec Data Loss Prevention for Network (p. 6)
      • Symantec Data Loss Prevention for Endpoint (p. 6)
      • Symantec Data Loss Prevention for Storage (p. 6)
      • Symantec Data Loss Prevention for Cloud (p. 6)
      • Symantec Data Loss Prevention for Mobile (p. 7)
      • Symantec Data Loss Prevention IT Analytics (p. 7)
      • High-Level Architecture (p. 8)
      • Content Detection Technologies (p. 12)
      • Detection Technology Overview (p. 12)
      • Exact Data Matching (p. 12)
      • Indexed Document Matching (p. 12)
      • Described Content Matching (p. 12)
      • Vector Machine Learning (p. 13)
      • Form Recognition (p. 14)
      • Remediation and Reporting (p. 15)
      • Operations and Maturity (p. 17)
      • System Requirements and Recommendations (p. 19)
      • Deployment Planning Considerations (p. 19)
      • Minimum Hardware Requirements (Sample) (p. 20)
      • Single-Tier Deployment for Small/Medium Size Organization (p. 20)
      • Multi-Tier Deployment for Small/Medium Size Organization (p. 20)
      • Software Requirements (p. 21)
      • Enforce and Detection Servers (p. 21)
      • Symantec DLP Agent (p. 21)
      • Oracle Database Requirements (p. 22)
      • Virtual Server Support (p. 23)
      • Available Suites and Bundles (p. 24)
  • 3. Executive Summary

    Symantec are committed to delivering the technology and expertise required by ‘XXX’ to protect sensitive data stored throughout the network, thereby reducing the risk of data loss to ensure confidence, demonstrate compliance and maintain competitive advantage. We are grateful for the opportunity to build a partnership with ‘XXX’ based on this current requirement.

    ‘XXX’, like many significant companies, are challenged to determine where their most sensitive information is stored, how it is being used, who has access to it and how to prevent it from being lost or compromised. To address the risk of data loss, ‘XXX’ are planning to adopt a comprehensive solution that enables them to locate, monitor and prevent confidential data from being copied or sent outside the company, with automatically enforced data protection policies.

    Considering the nature of the ‘XXX’ workforce, network and partners, it’s not surprising to find data protection a challenge. With the increase of data mobility and access, it is important that we support ‘XXX’ in understanding the associated risks. Together we can ensure that the security policies required to obtain and retain data protection are not only implemented but are followed and managed.

    Provided within this response are the following:
      • Management summary of how Symantec DLP covers key requirements.
      • Management summary of our Implementation Methodology.
      • Management summary of our key detection technologies.
      • Solution options, detailing the schedule of licenses and annual maintenance/support costs.

    It is our proposal that Symantec DLP will help ‘XXX’ to understand:
      • The location of sensitive information that is exposed in open file shares and desktops
      • Quantity and type of confidential and sensitive information that is exiting the network
      • Who is transmitting confidential and sensitive information outside the organization
      • How much confidential and sensitive data is copied to USB drives and other removable media, and who is responsible
      • The network protocols that carry the most violations
      • The business processes that need to have risk reduced
      • The regulations and internal policies that are being violated

    Developed since 2001, Symantec DLP is the market leading technology providing data loss prevention solutions. By building upon Symantec’s long history of innovation and strength in enterprise security solutions, we are uniquely positioned to help ‘XXX’ answer today’s important questions: where confidential information is stored, how it is being used, and how best to prevent its loss.

    Symantec Data Loss Prevention delivers a proven solution to discover, monitor and protect confidential data wherever it is stored or used. It enables enterprises to measurably reduce their risk of a data breach, demonstrate regulatory compliance, and safeguard customer privacy, brand equity and intellectual property.

    Additionally, with the integration of Veritas Data Insight, Symantec is the only data loss prevention solution to deliver an integrated data owner and remediation capability. Unstructured data on shared file systems is a large source of critical business information, and over-exposed content presents a significant risk for data breaches. The technology monitors who has accessed or modified individual files, and can notify information security teams and data owners that data has been exposed.
  • 4. The 2016 Gartner Magic Quadrant for Content-Aware Data Loss Prevention report makes Symantec the only 9-time leader in this quadrant. Data Loss Prevention is the market leader with a track record of successful customer deployments at the largest global companies and public organizations, including over half of the FORTUNE 100.

    The Forrester Wave: Data Loss Prevention Suites, Q4 2016 report marks Symantec as a Leader with the highest scores in Current Offering, Strategy and Market Presence. Furthermore, the report states that Symantec provides a comprehensive DLP suite with robust capabilities for intellectual property protection, information management, incident management, and encryption support. It also offers a rich set of capabilities to help firms meet privacy requirements. Symantec has the most staffing and resources dedicated to DLP compared with other vendors evaluated in this Forrester Wave. Symantec continues to innovate in this space and has strong brand recognition in the DLP market.

    Symantec was also marked a Leader in the Forrester Wave™: Cloud Security Gateways, Q4 2016. This report covers not only threat detection and fraudulent activities in the cloud but also the ability to detect, monitor and protect against leaks of confidential information in cloud platforms. Blue Coat/Symantec was given the highest score on Current Offerings and Strategy.
  • 5. Solution Overview

    Symantec Data Loss Prevention delivers a unified solution to discover, monitor, and protect confidential data wherever it is stored or used. It is built on a structured, risk-based approach to develop, tune, and expand policies and protection, effectively remediate violations, monitor metrics to demonstrate decreased data loss risk, and consistently make employees aware of the company’s information security policies and their role in safeguarding confidential data. It requires a firm foundation of security governance to guide the program and ensure these elements are working effectively together.

    The following summarizes all Symantec Data Loss Prevention components:

    Common Use Cases

    The table below shows which product or module is appropriate for protecting the storage or movement of sensitive data in various scenarios.

      • Use case: Information stored in on-premises and cloud collaboration platforms, shared servers, and data repositories
        Module: Network Discover, Cloud Storage Discover, Network Protect (Data Loss Prevention for Storage), Veritas Data Insight
      • Use case: Information exiting the network by cloud email
        Module: Cloud Prevent for Email and Cloud Service for Email
      • Use case: Information exiting the network by email, web mail, or other Internet protocols
        Module: Network Monitor, Network Prevent for Email, and Network Prevent for Web (Data Loss Prevention for Network)
      • Use case: Information exiting mobile devices by corporate email, web mail, web posts, or mobile applications
        Module: Symantec Data Loss Prevention for Mobile
      • Use case: Information exiting endpoints to cloud storage applications; by USB, CD/DVD, network protocols, and popular email applications; from the Clipboard; to and from network shares; stored on Windows and Mac endpoints; and all while on or off the corporate network
        Module: Endpoint Discover and Symantec Data Loss Prevention Endpoint Prevent (Data Loss Prevention for Endpoint)
      • Use case: Advanced reporting capabilities
        Module: Symantec Data Loss Prevention IT Analytics
  • 6. Components

    Symantec Data Loss Prevention Enforce Platform

    The Enforce Platform is the central web-based management console and incident repository that is included with Symantec Data Loss Prevention. It is where you define, deploy and enforce data loss policies, respond to incidents, analyze and report policy violations, and perform system administration.

    Symantec Data Loss Prevention for Network
      • Network Monitor inspects all ‘XXX’ network communications for sensitive data.
      • Network Prevent for Email redirects, quarantines, or stops outbound messages containing sensitive data.
      • Network Prevent for Web stops or removes sensitive data from outbound Web communications.

    Symantec Data Loss Prevention for Endpoint
      • Endpoint Discover scans for sensitive data stored on laptops and desktops to inventory, secure, or relocate the data. It monitors and blocks confidential data from being transferred, sent, copied, or printed by ‘XXX’ desktop or laptop users.
      • Endpoint Prevent monitors and blocks confidential data from being transferred, sent, copied, or printed by desktop or laptop users.

    Symantec Data Loss Prevention for Storage
      • Network Discover identifies sensitive data exposed on ‘XXX’ file servers, collaboration platforms, websites, desktops, laptops, and other data repositories.
      • Network Protect remediates exposure of sensitive data.
      • Typically residing in the data center, Data Insight collects information on top file users as well as complete file access history to help determine who owns the data. It also provides visualization of access permissions. Data Insight integrates with Network Discover to display data owner and access details in Symantec DLP storage incident snapshots. Symantec resells Data Insight from Veritas for use with Symantec Data Loss Prevention only.

    Symantec Data Loss Prevention for Cloud
      • DLP Cloud Service for Email combines our industry-leading DLP and email security into a single, convenient cloud-based service hosted by Symantec. It catches more sensitive data before it leaves your cloud email services such as Microsoft Office 365 and Gmail for Business with real-time monitoring that leverages advanced and accurate content-aware detection; it also stops malware, spam, and malicious links from getting into users’ inboxes with Symantec Skeptic heuristic technology and Real-Time Link Following.
      • DLP Cloud Prevent for Office 365 provides accurate, real-time monitoring and prevention of data in motion, and seamless integration with Symantec Email Security.cloud to ensure mail delivery. It also gives you the flexibility to deploy in a public cloud environment such as Rackspace or Microsoft Azure.
      • DLP for Cloud Storage provides powerful content discovery capabilities so you can easily scan Box Business and Enterprise accounts and understand what sensitive data is being stored, how it’s being used, and with whom it’s being shared. Cloud Storage even engages users to self-remediate policy violations by placing visual tags on Box files and enabling incident remediation from an intuitive online portal, the Symantec DLP Self-Service Portal.
  • 7. Symantec Data Loss Prevention for Mobile
      • Mobile Email Monitor detects confidential email downloaded by ‘XXX’ users to iPads, iPhones, and now Android devices over the Microsoft Exchange ActiveSync protocol.
      • Mobile Prevent monitors and protects outbound network communications sent from the native mail client, browser and other apps (e.g., Dropbox, Facebook) on iPads and iPhones.

    Symantec Data Loss Prevention IT Analytics

    Symantec Data Loss Prevention IT Analytics is an advanced reporting and analytics module. On a scheduled basis, it extracts the data contained within the Symantec Data Loss Prevention database(s) into summarized tables that span most of the Symantec Data Loss Prevention functions such as audit information, incident remediation, agent health, Discover scans, policy changes, and so on. It also provides an easy to use, pivot-table-like interface to create ad-hoc, multi-dimensional, graphical or tabular reports, scorecards, and dashboards. In addition, it provides features to analyze the data, such as data drill-downs, filtering, and custom formulas.
  • 8. High-Level Architecture
The following illustrates the physical architecture of Symantec Data Loss Prevention, including where in the network the various products reside. The Network products reside in the DMZ, the Endpoint product can reside in the DMZ or within the corporate LAN, while the other products reside within the corporate LAN or data center. All products are server-based except for the Endpoint products; these use both a server component (Data Loss Prevention Endpoint Server) and a DLP Agent (Data Loss Prevention Endpoint Agents).
Along with the environment components required, a condensed version of the architecture is below.
  • 9. The Enforce Server is the central management platform which will be used to define, deploy, and enforce data loss prevention and security policies. The Enforce Server administration console provides a centralized, Web-based interface for deploying detection servers, authoring policies, remediating incidents, and managing the system.

The Network Monitor will capture and analyze traffic on your network through the SPAN/TAP port, detecting confidential data and significant traffic metadata over protocols you specify, for example SMTP, FTP, HTTP, and various IM protocols. You can configure a Network Monitor Server to monitor custom protocols and to use a variety of filters (per protocol) to filter out low-risk traffic.

The Network Prevent for Web Server integrates with an HTTP, HTTPS, or FTP proxy server using ICAP for in-line active Web request management. If it detects confidential data in Web content, it causes the proxy to reject requests or remove HTML content as specified in your policies.

The Network Prevent for Email monitors and analyzes outbound email traffic in-line and (optionally) blocks, redirects, or modifies email messages as specified in your policies. Network Prevent for Email integrates with industry-standard mail transfer agents (MTAs) and hosted email services to let you monitor and stop data loss incidents over SMTP. Policies that are deployed on the Network Prevent for Email Server direct the Prevent-integrated MTA or hosted email server. The Prevent-integrated mail server blocks, reroutes, and alters email messages based on specific content or other message attributes.

Endpoint Prevent and Endpoint Discover both apply Data Loss Prevention policies to protect your sensitive or at-risk data. Sensitive or at-risk data can include credit card numbers or names, addresses, and identification numbers. You can configure both products to recognize and protect the files that contain sensitive data. Endpoint Prevent stops sensitive data from moving off endpoints, and Endpoint Discover examines the local fixed drives of an endpoint and locates every file that contains the information that matches a policy.
  • 10. The Network Discover/Cloud Storage Discover locates exposed confidential data by scanning a broad range of enterprise data repositories. These data repositories include Box cloud storage, file servers, databases, Microsoft SharePoint, IBM (Lotus) Notes, Documentum, Livelink, Microsoft Exchange, Web servers, and other data repositories.

Symantec Data Loss Prevention Network Protect reduces your risk by removing exposed confidential data, intellectual property, and classified information from open file shares on network servers or desktop computers.

Additionally, with Veritas Data Insight (separate solution offered by Veritas), users can monitor file access to automatically identify the data user of a file based on the access history. The usage information then automatically enters into the incident detail of files that violate Symantec Data Loss Prevention policies. This method enables users to identify sensitive data along with the responsible users to enable more efficient remediation and data management.

The Mobile Email Monitor monitors corporate email that is sent through Microsoft Exchange ActiveSync and downloaded to the native email client on supported mobile devices.

The Mobile Prevent monitors email, Web, and application communications from mobile devices to prevent sensitive information from leaving your organization. After the connection to the corporate network is established, all network traffic is sent to the Mobile Prevent for Web Server for analysis. In this way, you can protect your organization's sensitive information while allowing mobile device users to access sites and apps such as Facebook, Dropbox, and Twitter.

To provide data loss prevention for Microsoft Office 365, there are two methodologies available with Symantec:

Symantec Cloud Prevent for Office 365 monitors and analyzes outbound email traffic in-line and can block, redirect, or modify email messages as specified in your policies. Cloud Prevent for Email integrates with your Data Loss Prevention Enforce Server administration console and with Symantec Email Security.cloud and Microsoft Office 365 Exchange. You manage the Cloud Prevent for Email Servers that are installed in a public cloud, such as Rackspace, Microsoft Azure, or Amazon Web Services. Symantec Email Security.cloud is only used as an MTA for final delivery of the emails.
  • 11. Symantec Cloud Service for Email monitors and analyzes outbound Microsoft Office 365 Exchange or Gmail email traffic and can block, redirect, or modify email messages, with antispam and antimalware functionality from Symantec Email Security.cloud. Cloud Provisioning is directly provided by Symantec.
  • 12. Content Detection Technologies
To prevent data loss, it is necessary to accurately detect all types of confidential data wherever the data is stored, copied, or transmitted. Without accurate detection, data security systems generate numerous false positives (messages or files identified as violations that are not actually violations), as well as false negatives (messages or files not identified as policy violations that are violations). False positives create high costs in time and resources required to further investigate and resolve apparent incidents. False negatives obscure gaps in security by allowing data loss and the potential for financial losses, legal exposure, and damage to the organization’s reputation.

Detection Technology Overview
To ensure the highest accuracy, Symantec Data Loss Prevention employs five main types of detection technologies:
- Exact Data Matching (EDM)
- Indexed Document Matching (IDM)
- Described Content Matching (DCM)
- Vector Machine Learning (VML)
- Form Recognition – This requires an additional purchase

Exact Data Matching
Exact Data Matching (EDM) protects customer and employee data, as well as other structured data that is generally stored in a database. For example, a customer could write a policy using EDM detection that looks for any three of First Name, Last Name, SSN, Account Number, or Phone Number occurring together in a message and corresponding to a record from the customer database. EDM technology is designed to scale to very large data sets and is currently protecting over 300 million customer records on a single server at each of several customer deployments. Additionally, on a single server, Symantec has tested EDM on a database of 500 million rows of data, each with four columns, for a total of two billion individual data elements. This capacity scales linearly with additional servers.
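The "any three fields from the same record" policy described above can be sketched as follows. This is an added illustration, not Symantec's implementation or code from the proposal; the records, the key, the column names and the keyed-hash index design are constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample rows standing in for a customer database export.
COLUMNS = ("first_name", "last_name", "ssn", "account", "phone")
RECORDS = [
    ("Alice", "Nguyen", "900-11-0001", "40012345", "555-010-1234"),
    ("Robert", "Okafor", "900-22-0002", "40067890", "555-010-5678"),
    ("Maria", "Nguyen", "900-33-0003", "40011111", "555-010-9012"),
]

# Hypothetical key: the index holds keyed hashes instead of plaintext values,
# so the detection side never stores the customer data itself.
INDEX_KEY = b"constructed-demo-key"

# Candidate tokens: alphabetic words, or digit runs with '-' or '.' separators.
TOKEN_RE = re.compile(r"[A-Za-z]+|\d[\d.\-]*\d")


def normalize(value):
    """Lower-case text; reduce numeric values to digits only."""
    value = value.strip().lower()
    if value[:1].isdigit():
        return re.sub(r"\D", "", value)
    return value


def digest(value):
    """Keyed hash of the normalized value (HMAC-SHA256)."""
    return hmac.new(INDEX_KEY, normalize(value).encode("utf-8"),
                    hashlib.sha256).digest()


def build_index(records):
    """Map each hashed cell to the (row, column) positions where it occurs."""
    index = defaultdict(set)
    for row_id, row in enumerate(records):
        for column, value in zip(COLUMNS, row):
            index[digest(value)].add((row_id, column))
    return index


def match_message(index, text, min_fields=3):
    """Return rows for which at least min_fields distinct columns appear.

    Hits are accumulated per row, so values taken from different records
    (a first name from one row, an SSN from another) do not add up.
    """
    hits = defaultdict(set)
    for token in TOKEN_RE.findall(text):
        for row_id, column in index.get(digest(token), ()):
            hits[row_id].add(column)
    return {row_id: sorted(cols)
            for row_id, cols in hits.items() if len(cols) >= min_fields}


if __name__ == "__main__":
    idx = build_index(RECORDS)
    samples = [
        "Please update Alice Nguyen's file, SSN 900-11-0001.",  # one record, 3 fields
        "Alice called about Okafor; ref 900-33-0003",           # 3 fields, 3 records
        "Robert Okafor, tel 555.010.5678",                      # reformatted phone
    ]
    for message in samples:
        print(message, "->", match_message(idx, message))
```

The sketch matches single-token values only; multi-word cell values would need a phrase-level tokenizer.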
Indexed Document Matching
Indexed Document Matching (IDM) ensures accurate detection of unstructured data stored in the form of documents such as Microsoft Word and PowerPoint files, PDF documents, design plans, source code files, CAD/CAM images, financial reports, mergers and acquisition documents, and other sensitive or proprietary information. IDM creates document fingerprints to detect extracted portions of the original document, drafts, or different versions of protected documents, as well as exact matches against the binary content. Symantec Data Loss Prevention IDM also provides the ability to "white list" content such as standard boilerplate text to reduce false positives. On a single server, Symantec has successfully created and detected with IDM fingerprints of over two million documents. As with EDM, the capacity to scale increases linearly with additional servers.

Described Content Matching
Described Content Matching (DCM) delivers a high degree of accuracy and is most useful when it is impossible or impractical to get a copy of the information for indexing, or when the precise content is unknown but readily described. DCM works with both structured and unstructured data, using Data Identifiers, keywords, lexicons, pattern matching, file types, file sizes, sender, recipient, user name, endpoint user groups (for Endpoint Prevent), and network protocol information entered into the Enforce Platform by the user to detect data loss incidents.
  • 13. Vector Machine Learning
Recently, a new category of DLP detection technology has emerged that enables organizations to use software that learns to detect the types of confidential data that require protection. Through training, this approach continuously improves the accuracy and reliability of finding sensitive information. By applying the concept of machine learning to DLP, Vector Machine Learning (VML) helps to quickly and efficiently protect IP and confidential information among increasing amounts of unstructured data.

Vector Machine Learning has specific advantages that complement existing describing and fingerprinting technologies, improving the ability of organizations to protect sensitive information, especially for unstructured data that resides in highly dispersed and diverse locations, such as:
- Automated processes help streamline set up and management – By automating the policy definition and tuning process, VML significantly reduces staff time required to set up and maintain DLP technologies. Since training requires only examples of data to be protected, setup can be achieved quickly and efficiently. Many manual tasks such as maintaining keyword lists or trying to collect all data for fingerprinting are eliminated, and the incidence of false positives and tuning is minimized as the technology learns to recognize targeted information and improves in accuracy over time.
- Dynamic learning improves Accuracy and Timely Protection – Much like zero-day protection with antivirus software, Vector Machine Learning is capable of delivering “zero-day protection” for confidential data with the accuracy of fingerprinting. The dynamic learning characteristics of VML make it possible to recognize newer or never-seen-before information more easily and accurately and therefore provide coverage for sensitive data that has yet to be created.

Given the accelerating growth of unstructured data, therefore, VML complements the content analysis of both fingerprinting and described content technologies to enhance enforcement of DLP policies.
  • 14. Form Recognition
With Symantec DLP Form Recognition, you can protect data stored in images of handwritten and typed forms such as tax returns, insurance claims, patient forms or any form that might contain PII. DLP Form Recognition is a new content detection technology that leverages intelligent image processing to catch and stop confidential data that would otherwise go undetected in scanned or photographed forms.

Symantec Data Loss Prevention analyzes the features of your blank forms and stores the results as key points in the Form Recognition profile. This process is called indexing. Then the detection server compares images in network traffic or stored in data repositories to the forms you have indexed. The extent to which the detected form matches key points in the indexed blank form is called the alignment. The comparison between the detected image and the indexed blank form also allows Symantec Data Loss Prevention to determine how much of the form has been filled in.

Form Recognition works with Network Monitor, Network Prevent for Email, Network Prevent for Web, Network Discover and Network Protect.
  • 15. Remediation and Reporting
The Enforce Platform includes robust reporting and incident workflow features to support effective incident remediation. It has a fully customizable workflow that allows you to build any kind of remediation and detection process needed. The user interface allows you to define various case management statuses that indicate an incident’s position within the workflow. Typically, customers choose status flag names that are customized to their own internal processes, like “Escalated to Security & Risk”, “To be reviewed by HR”, or “Dismissed due to Broken Business Process”.

The user interface is web-based and extremely easy to use for non-IT users, containing all information relevant to a business user for diagnosing and responding to an incident. The Incident Snapshot provides highlighted violation information from any attachment or message content. This makes it easy to see where the violation exists within the message transmission, as well as the specific data that was put at risk (such as specific Credit Card numbers). Additionally, the Incident Snapshot contains a clear indication of calculated severity as well as the total match count (for example, the number of customer records exposed).

Workflow can be established through the use of incident work queues for each role. Each queue contains incidents for which a given user is responsible for processing. A very simple workflow would work as follows: A first responder work queue may include all incidents of status "New". A manager may have a work queue with incidents of status "Escalated". An investigator may see incidents of status "Investigation Required". To pass an incident between roles, the status is changed and the incident passes between queues.
  • 16. More complex workflows also include segmentation by business unit, such that work queues include only incidents of the specified status from senders in the specified business unit.

Symantec DLP Solution Packs deliver out-of-the-box industry best practices for incident response and remediation. Functionality includes:
- Industry-focused detection policies like PCI, Data Protection Regulations, etc.
- All commonly used automatic response rules such as notifications, escalate to forensics, set incident reason codes, send syslog event, and so on
- Pre-configured workflow and roles, including role-based risk reports
- Defined custom attributes and statuses

Symantec DLP reporting functionality includes the ability to view, save, and create custom dashboards for executive-level reporting. Dashboards can combine up to six portlets (each summarizing an out-of-the-box system report or custom saved report), presenting data on network, storage, and endpoint incidents in a single dashboard. Each report within the dashboard is hyperlinked so users can drill down to the summarized reports directly from the dashboard. Dashboards, like all other reports in the system, can be defined as either personal reports or role-based reports.

There are over 40 pre-configured reports to help customers manage their information risk. These allow them to meet compliance requirements, assess business risk, provide oversight and manage remediation operations, whilst viewing trends across business units within the organization.
  • 17. Operations and Maturity
Symantec’s recommendation for long-term, sustainable data protection is that the client commit to an enterprise-wide initiative, involving people, processes and technology, to address data security risk head-on. With the decision made to address this risk, the client needs a clearly defined plan for success, with specific steps, tasks, resources, and objectives to reach their short and long term goals.

The maturity of Symantec’s DLP technology and the expertise of our Specialist partners ensure the DLP program is effective and successful. We have developed an impressive set of best practices gained through 1100 Symantec DLP deployments across a wide variety of customer environments and industry verticals. Together with specialist partners we ensure the project team contains the right mix of people, processes and technology, with the right application of that mix across six project phases. Companies that have followed this methodology and leveraged the Symantec expertise and best practices have consistently achieved measurable risk reduction within 90 days.

Comprehensive, clearly-defined, business-focused DLP programs achieve greater risk reduction, faster and with fewer resources, by integrating Symantec DLP into their existing security program and leveraging the software to promote enterprise-wide initiatives that drive change across the organization. These successful programs share five common attributes:
- Executive level involvement. Support to protect data and change business processes and employee behavior must come from the top.
- A prioritized approach. Confidential data can take many forms and be anywhere in an organization; targeting the most critical data first proves value immediately.
- Business owner involvement. The information needed to identify new threats, keep policies current, and fix broken business processes must come from those closest to the data.
- A trained Incident Response Team (IRT). Clearly defined roles, responsibilities, and procedures drive consistency and organizational buy-in.
- Employee education. Visibility into employee behavior allows focused training on primary risk areas, and real-time enforcement of company data protection policies promotes a culture of security.

In the first two phases – Planning and Deployment – the goal is to lay the groundwork and infrastructure for long term success. This is the most critical period in your DLP rollout, because your success in the future will depend on the work completed here. In the first two phases you will ensure that:
- Your most critical data is identified and protected
- Your system is deployed, operational, and providing maximum coverage based on your goals
- Policies are correctly configured to capture incidents of interest and minimize false positives
- Incident responders are trained, and fully prepared to address policy violations
- Employees are aware of their data protection responsibilities

The further four Risk Reduction phases – Baseline, Remediation, Notification, and Prevent/Protect – are where the client achieves and measures results. In these phases you will:
- Fine-tune policies
- Identify and change business processes contributing to risk
- Expand, modify, and automate remediation efforts to achieve the greatest impact with the fewest resources
- Begin real-time notification to employees when their actions cause risk
- Prevent and protect critical data from leaving the organization without impacting business as usual
- Collect specific metrics to demonstrate and document risk reduction over time.
  • 18. By way of an example, a typical project consists of addressing a high risk area of the network, namely the web gateway. The modules deployed in this phase will enable a client to inspect all network communications. Protocols covered include email (SMTP), web (HTTP), instant messaging (IM), file transfers (FTP), and all other TCP sessions over any port.

Once deployed and operational with these modules, our client should address the major business process issues and change employee behavior through notifications, so that the risk of disrupting business by blocking communications or moving files is minimal. The next phase of further modules increases the prevention and protection capabilities.

After progressing through the six phases of a best practice DLP deployment, our client can be confident that:
- Their initial policies are successfully protecting the organization’s confidential information from leaving via the Web
- They have built good working relationships between the Security Team and the line of business owners and are working to address the faulty business processes uncovered by the Symantec DLP solution
- They have leveraged auto-notification to change employee behavior, and
- They have solid metrics to demonstrate their results.

With the success of this first deployment, our client should be well positioned to continue expanding policy and exit/exposure point coverage and continuing to drive their organization’s DLP risk down.
  • 19. System Requirements and Recommendations
Symantec provides a separate Requirements and Compatibility Guide; before implementation, please check for the latest available guide at https://support.symantec.com/en_US/article.DOC9256.html.

Deployment Planning Considerations
Installation planning and system requirements for Symantec Data Loss Prevention depend on:
- The type and amount of information you want to protect
- The amount of network traffic you want to monitor
- The size of your organization
- The type of Symantec Data Loss Prevention detection servers you choose to install

These factors affect both:
- The type of installation tier you choose to deploy (three-tier, two-tier, or single-tier)
- The system requirements for your Symantec Data Loss Prevention installation

The effect of scale on system requirements
Some system requirements vary depending on the size of the Symantec Data Loss Prevention software deployment. Determine the size of your organization and the corresponding Symantec Data Loss Prevention deployment using the information in this section.

The key considerations in determining the deployment size are as follows:
- Number of employees to be monitored
- Amount of network traffic to monitor
- Size of Exact Data Match profile (EDM) or Indexed Data Match profile (IDM)
- Size of your Form Recognition profile

The table in the next section outlines two sample deployments based on enterprise size. Review these sample deployments to understand which best matches your organization’s environment.
  • 20. Minimum Hardware Requirements (Sample)
All Symantec Data Loss Prevention servers must meet or exceed the minimum hardware specifications and run on one of the supported operating systems. If the Oracle database for Symantec Data Loss Prevention is installed on a dedicated computer (a three-tier deployment), that system must meet its own set of system requirements.

The following provides examples of hardware sizing for small/medium size infrastructure on a single-tier and multi-tier deployment.

Single-Tier Deployment for Small/Medium Size Organization
- Processor: 8-core 2.5 GHz CPU
- Memory: 64 GB RAM
- Disk: 3 TB, RAID 5 configurations (with a minimum of five spindles)
- NICs: 1 copper or fiber 1 Gb Ethernet NIC (if you are using Network Monitor you will need a minimum of two NICs)

Multi-Tier Deployment for Small/Medium Size Organization

Enforce Server
- Processor: 4-core 3.0 GHz CPU
- Memory: 8–10 GB RAM (EDM/IDM and Form Recognition profile size can increase memory requirements. Two-tier deployments may require additional memory for running Oracle.)
- Disk: 500 GB, RAID 1+0 or RAID 5 configuration is recommended. RAID 5 is not recommended for computers that host the Oracle database. For Network Discover/Cloud Storage Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
- NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.

Network Monitor
- Processor: 4-core 3.0 GHz CPU
- Memory: 6–8 GB RAM (EDM/IDM and Form Recognition profile size can increase memory requirements.)
- Disk: 140 GB
- NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.

Network Discover/Cloud Storage Discover, Network Prevent, Cloud Prevent for Email, Mobile Email Monitor, Mobile Prevent or Endpoint Prevent
- Processor: 4-core 3.0 GHz CPU
- Memory: 6–8 GB RAM (EDM/IDM and Form Recognition profile size can increase memory requirements.)
- Disk: 140 GB. For Network Discover/Cloud Storage Discover deployments, approximately 150 MB of disk space is required to maintain incremental scan indexes. This is based on an overhead of 5 MB per incremental scan target and 50 bytes per item in the target.
- NICs: 1 copper or fiber 1 Gb/100 Mb Ethernet NIC to communicate with detection servers.
  • 21. Software Requirements

Enforce and Detection Servers
Symantec Data Loss Prevention servers can be installed on a supported Linux or Windows operating system. Different operating systems can be used for different servers in a heterogeneous environment. Symantec Data Loss Prevention supports the following 64-bit operating systems for Enforce Server and detection server computers:
- Microsoft Windows Server 2008 R2 SP1, Enterprise/Standard Edition
- Microsoft Windows Server 2012, Datacenter/Standard Edition
- Microsoft Windows Server 2016, Database/Standard Edition (Oracle Database not supported)
- Red Hat Linux 6.6 through 6.8
- Red Hat Linux 7.1 and 7.2

Symantec DLP Agent
Symantec DLP Agents can be installed on computers running any of the following operating systems:
- Microsoft Windows Server 2008 Enterprise or Standard Editions R2 (64-bit)
- Microsoft Windows Server 2012 R2 Datacenter, Standard, Essential, or Foundation Editions (64-bit, Desktop mode only)
- Microsoft Windows 7 Enterprise, Professional, or Ultimate, including Service Pack 1 (32-bit or 64-bit)
- Microsoft Windows 8 Enterprise 64-bit
- Microsoft Windows 8.1 Enterprise, Pro 64-bit
- Microsoft Windows 8.1 Update 1x Enterprise, Pro 64-bit
- Microsoft Windows 8.1 Update 2 Enterprise, Pro 64-bit
- Microsoft Windows 8.1 Update 3 Enterprise, Pro 64-bit
- Microsoft Windows 10 Update 1511 Enterprise, Pro 64-bit
- Microsoft Windows 10 Anniversary Update Enterprise, Pro 64-bit
- Apple macOS 10.9, 10.10, 10.11, 10.12
  • 22. Oracle Database Requirements
Symantec Data Loss Prevention requires Oracle 11g Standard Edition (or Standard Edition One) version 11.2.0.4 (64-bit) with the most recent Critical Patch Update. Symantec provides Oracle 11g with Data Loss Prevention. Symantec only supports the Standard Edition and the Standard Edition One of the Oracle database, but the Symantec Data Loss Prevention database schema is supported on all editions of Oracle.

You can install Oracle on a dedicated server (a three-tier deployment) or on the same computer as the Enforce Server (a two-tier or single-tier deployment):
- Three-tier deployment – System requirements for a dedicated Oracle server are listed below. Note that dedicated Oracle server deployments also require that you install the Oracle 11g Client on the Enforce Server computer to communicate with the remote Oracle 11g instance.
- Single- and two-tier deployments – When installed on the Enforce Server computer, the Oracle system requirements are the same as those of the Enforce Server.

If you install Oracle 11g on a dedicated server, that computer must meet the following minimum system requirements for Symantec Data Loss Prevention:
- One of the following operating systems:
  - Microsoft Windows Server 2008 R2 Standard or Enterprise (64-bit)
  - Microsoft Windows Server 2008 R2 SP1 Standard or Enterprise (64-bit)
  - Microsoft Windows Server 2012 R2 Standard, Enterprise, or Datacenter (64-bit)
  - Red Hat Enterprise Linux 6.6 through 6.8 (64-bit)
  - Red Hat Enterprise Linux 7.1 and 7.2 (64-bit)
- 6 GB of RAM
- 6 GB of swap space (equal to RAM up to 16 GB)
- 500 GB – 1 TB of disk space for the Enforce database
  • 23. Virtual Server Support
Symantec supports running Symantec Data Loss Prevention servers on VMware ESXi 5.x, VMware ESXi 6.x, and Windows Hyper-V virtualization products, provided that the virtualization environment is running a supported operating system.

At a minimum, ensure that each virtual server environment matches the system requirements for servers described in this document. Consider the following support information when configuring a virtual server environment:
- Endpoint Prevent servers are supported only for configurations that do not exceed the recommended number of connected agents.
- Symantec does not support running the Oracle database server on VMware ESXi 5.x, VMware ESXi 5.x, and VMware ESX 6.x virtual hardware. If you deploy the Enforce Server to a virtual machine, you must install the Oracle database using physical server hardware.
- Symantec supports running the Enforce Server and Oracle database server in a Windows Hyper-V environment.
- Symantec does not support running the Network Monitor or Mobile Prevent for Web detection servers on virtual machines.
- Symantec does not support Single Server installations on virtual machines.

A variety of factors influence virtual machine performance, including the number of CPUs, the amount of dedicated RAM, and the resource reservations for CPU cycles and RAM. The virtualization overhead and guest operating system overhead can lead to a performance degradation in throughput for large datasets compared to a system running on physical hardware. Use your own test results as a basis for sizing deployments to virtual machines.

You can deploy the DLP Agent on Citrix and VMware virtual machines.
  • 24. Available Suites and Bundles
As of Symantec Data Loss Prevention 14.6, the following suites and bundles are offered:
- DLP ENTERPRISE SUITE
  - Network Monitor
  - Network Prevent for Email
  - Network Prevent for Web
  - Network Discover
  - Network Protect
  - Endpoint Discover
  - Endpoint Prevent
  - Mobile Email Monitor
  - Mobile Prevent
- DLP DISCOVER SUITE
  - Network Discover
  - Network Protect
- NETWORK PRODUCTS
  - Network Monitor
  - Network Prevent for Email
  - Network Prevent for Web
- STORAGE PRODUCTS
  - Network Discover
  - Network Protect
- ENDPOINT PRODUCTS
  - Endpoint Discover
  - Endpoint Prevent
- CLOUD PRODUCTS
  - Cloud Prevent for Microsoft Office 365 Exchange
  - Cloud Storage (for Box)
- MOBILE PRODUCTS
  - Mobile Prevent
  - Mobile Email Monitor
- DETECTION
  - Form Recognition
- VERITAS PRODUCTS
  - Veritas Data Insight
  - Veritas Data Insight Self-Service Portal

Symantec resells Oracle Standard Edition One and Standard Edition licenses on a per CPU (Processor) basis:
- Oracle Standard Edition One is available for single server with up to 2 Processors.
- Oracle Standard Edition, which adds Oracle Real Application Clusters, is available for single or clustered servers with up to 4 Processors.