McAfee also gave us a few additional types of blocking on the endpoint: the ability to control printing, screen captures, and clipboard usage. These are features we had tested in our endpoint tests, but McAfee has improved upon our experience there. In our previous testing, you could only allow or disallow these actions for an entire application or altogether (with the exception of copying data -- which was based upon the actual data). McAfee allowed us to base this upon the data that was actually in use. So if there wasn't any sensitive data on the screen, screenshots could be allowed.
An exciting feature in the next version of McAfee's DLP solution will be the ability to connect to and browse database servers and tag particular databases, tables, or columns for monitoring by DLP. This extends the file discovery ability into the database, and does so without requiring any knowledge of query languages or database commands. It also allows the data to be analyzed in-place, and not copied off the database server for analysis.
Both vendors also supported controlling external devices on the endpoints. This allowed us to disable optical drives or USB drives, only allow certain types, brands, or models of devices, only allow specific devices (for example by serial number), limit the amount of data copied to a drive, or apply encryption before allowing data to be moved to these devices.
To the end of assisting and educating users, instead of just policing them, comes the ability to take remediation actions when a policy violation is detected. Sure it's easy to just block the transfer, disallow the program, disconnect the device, or take other actions to stop the action. But more often than not, this is only going to frustrate an employee who wasn't trying to do anything wrong, they just didn't know enough to properly secure their data or keep it from leaving the organization. Thankfully, both vendors excelled in this area.
They both gave us options for notifying the user with an explanation when a violation occurred. McAfee by e-mail and Sophos with a pop-up on the client, and both with a system tray balloon message. This at least lets the user know why "it isn't working".
Both products also had the ability to apply encryption to the file to protect it before completing the action. In the next version of McAfee's offering, this will also include the ability to apply Adobe Digital Rights Management (DRM) restrictions to documents before releasing them.