DLP Capability Analysis - McAfee DLP Endpoint
January 2021
1. Executive Summary (p. 2)
2. McAfee DLP Endpoint Analysis (p. 3)
2.1. Analysis Highlights (p. 3)
2.2. Recommendations (p. 4)
3. VA DLP Holistic Requirements Mapping (p. 5)
4. References (p. 6)
1. Executive Summary
The Department of Veterans Affairs (VA) is currently analyzing the DLP endpoint capabilities that
will best fulfill VA's requirements for preventing data loss on the endpoint.
Based on the authoritative information provided by the McAfee team (Mike Namvar, John Amorosi,
and Cuong Vuong), we have developed a pros and cons table and mapped capabilities to the VA DLP
Holistic Requirements in the following sections. Based on the DLP Program's analysis, we have
determined that McAfee DLP Endpoint can align with the VA DLP Holistic Requirements as they
pertain to DLP endpoint capabilities. McAfee DLP Endpoint has been identified as the
"Best of Breed" solution for VA based on the following:
• McAfee's DLP experience in the Federal space is long-standing and proven. McAfee has
been in the Federal DLP space for more than 14 years, with numerous customers
supporting 1M+ nodes each.
• The McAfee ePO architecture is able to scale to support Enterprise-level workloads
while also providing centralized, consolidated reporting across the McAfee ePO
infrastructure.
• McAfee DLP Endpoint can apply Microsoft Information Protection (MIP) classification
while data is in motion (DIM).
• McAfee DLP Endpoint can perform DLP blocking functions with various DLP policies
without needing MIP classification to perform the blocking.
• The McAfee DLP Endpoint agent can also be used for data at rest (DAR) discovery scanning
on VA workstations and laptops, which is currently a gap in the Data Discovery Architecture.
In conclusion, the DLP Program recommends using McAfee DLP Endpoint as the active DLP
endpoint tool while running an enterprise-grade, VA-approved Endpoint Detection and Response
(EDR) solution as the cyber-focused endpoint tool. This configuration will provide the best
protection at the endpoint among the DLP tools that VA is currently evaluating. To
accomplish this, VA needs to execute a contract for McAfee DLP Endpoint, as it is not currently
owned by VA.
2. McAfee DLP Endpoint Analysis
As part of the capability analysis, the DLP Program interviewed VA technical stakeholders
to review the current state of the McAfee infrastructure and to identify pre-existing licensing. The DLP
Program also installed the McAfee Data Loss Prevention (DLP) suite inside the DLP Program's
development sandbox environment, the Architecture, Configuration, and Test (ACT) environment. Below are
a few key highlights and recommendations that came out of the analysis process.
2.1. Analysis Highlights
• McAfee ePO is already integrated with VA-owned Splunk Enterprise Security (ES)
through a DB Connect data input. As of now, only the McAfee agents' anti-virus events
are being forwarded and analyzed, but future DLP events can be filtered and forwarded with
minimal effort.
• McAfee's framework package is already deployed within VA, which will allow VA to
deploy an endpoint DLP policy to the existing framework packages registered in the
ePO System Tree. Today, there are over 595K VA system nodes covered by McAfee
ePO. Many of these system nodes (112K nodes) are already covered by McAfee Device
Control, which means that McAfee DLP software has already been tested, verified,
and deployed to VA systems.
• McAfee DLP Endpoint has the capability to build detection/prevention policies based on
predefined data patterns, custom data patterns, limited file indexing, and OCR.
• Unlike many of its competitors, McAfee can distinguish between corporate and non-corporate
connections, permitting VA administrators to apply "block, justify, and audit
controls" based on the endpoint's connectivity state. This level of granularity when building
protection and prevention policies allows VA to deploy a dynamic DLP endpoint security
posture by analyzing the end users' location and how they are coming into the VA
network infrastructure (public Internet, on/off Rescue VPN).
• McAfee DLP ePO can integrate with many leading third-party IRM vendors. Specifically,
it is capable of integrating with Microsoft Information Protection (MIP), and the endpoint
agent can insert Azure Information Protection (AIP) sensitivity labels (classification tags)
and the underlying IRM protection policies via the McAfee ePO API integration.
• The McAfee DLP suite is capable of performing document and email classification and
labeling within the McAfee ePO/MVISION ePO architecture.
• McAfee DLP policies can notify the user of triggered events in order to provide
user coaching and training.
• The McAfee DLP Endpoint agent is able to scan VA GFE workstations' and laptops' local
data repositories for sensitive data classification and tagging, which addresses a major gap in the
data discovery architecture.
• McAfee DLP Endpoint event detection violations are captured more quickly, leading to faster
remediation actions and decreased exposure time for sensitive information. This quick
processing time allows the administrator to catch a violation before a user is able to put
the event into a non-violation state.
• McAfee Data Exchange Layer (DXL) can integrate with many third-party security
sensors. VA will own the code that is developed, as it is open-sourced. Specifically
within VA, Threat Information Exchange (TIE), which holds VA security information
about software and its executables, can be integrated to provide real-time DLP
analysis of applications accessing sensitive information within VA and to apply
DLP protection policies based on TIE executable reputations.
• Unlike many of their competitors, McAfee DLP products and reporting features are
consolidated into a single product line and user interface (UI). McAfee can reduce
complexity and IT burden by consolidating the technology stack into a converged,
cloud-delivered network security framework.
2.2. Recommendations
• Analyze McAfee ePO vs. MVISION ePO for complete feature parity and, if suitable,
migrate the existing on-premises McAfee ePO infrastructure to MVISION ePO. This provides a simpler
device-to-cloud security platform that will allow VA to capture more actionable insights
on remote devices not connected to the VA internal network, and it lessens the VA
administrator burden, as MVISION ePO is a complete SaaS platform kept up to date by
McAfee.
3. VA DLP Holistic Requirements Mapping
The Excel file below is the DLP Endpoint tool comparison against the VA DLP Holistic Requirements.
DLP Endpoint Capability Matrix - McAfee DLP.xlsx
4. References