McAfee also has an entire case workflow system, which can automatically assign violation events to a particular user or group for analysis. A violation can thus be passed on to another party, such as HR, security, or the employee's supervisor, for further analysis. This lets the receiving party discuss the violation with the employee and explain why the action was not allowed.
To assist us with analyzing breaches, both vendors include methods of quarantining or redirecting violating items: quarantining data on the endpoint in the same manner that viruses are quarantined, or re-routing (to another server), redirecting (to another user), duplicating (to another server), or tagging the subject line of violating e-mails.
Monitoring, notification, and workflow
Having all of those nifty features isn't worth much without an interface with which the administrator, compliance officers, security officers, human resource personnel, or some other entity can monitor this data and take action to improve the organization's security standing.
Both Sophos and McAfee's solutions provided dashboards that gave us a bird's-eye view of the current status of the DLP solution. Both allow historical analysis and report generation to help drill down and find more information.
McAfee also provides the ability to customize these dashboards, reports, and workflow per user or per group. For example, we were able to create a dashboard for HR that showed only acceptable use violations, and another for security that highlighted compliance issues. The reporting functionality allowed us to view various cross-sections of the data to help find patterns and trends.
A unique feature of McAfee is the case workflow interface. In this system, new violations are shown as events. As mentioned above, a rule action can be to assign an event to a particular group for further analysis. As with the dashboards, this partitions the potentially vast stream of incoming data into manageable chunks for different audiences.
An analyst viewing these events can group them together into cases, including adding past events discovered from the network traffic capture. The entire case is treated as a single entity and can be passed on to someone else for further action. While this functionality seems particularly suited to large organizations with sizable compliance, security, and human resources staff, it does an excellent job of bridging the gap between the technical world of DLP and the non-technical world of business management. McAfee is the only one of the nine vendors we've evaluated during our three reviews to implement this.
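To make the workflow concrete, here is a small Python model of the pieces described above: a rule that both remediates a violating e-mail (quarantine, re-route, redirect, duplicate, or tag the subject) and assigns the resulting event to a group, a per-audience dashboard filter, and a case object that groups events and is handed off as one unit. This is an added illustration, not code from McAfee, Sophos, or this review; the category names, group names, hosts, and message fields are all constructed assumptions.

```python
"""Illustrative DLP violation workflow: rule-driven e-mail remediation, event
assignment to an analysis group, and case grouping with hand-off.
Hypothetical model only; real products use their own schemas and APIs."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class MailAction(Enum):
    QUARANTINE = "quarantine"    # hold the message, deliver nothing
    REROUTE = "reroute"          # hand it to another server (e.g. an encryption gateway)
    REDIRECT = "redirect"        # deliver to a different user instead
    DUPLICATE = "duplicate"      # deliver normally, copy to another mailbox/server
    TAG_SUBJECT = "tag_subject"  # deliver normally with a marked subject line


@dataclass
class Rule:
    category: str            # content category matched by policy (constructed name)
    assign_to: str           # group that receives the event in the workflow
    action: MailAction
    target: Optional[str] = None   # server or mailbox for reroute/redirect/duplicate


@dataclass
class Event:
    event_id: int
    category: str
    user: str
    summary: str
    assigned_to: Optional[str] = None
    action: Optional[MailAction] = None


@dataclass
class Case:
    case_id: int
    owner: str
    events: List[Event] = field(default_factory=list)

    def add(self, event: Event) -> None:
        event.assigned_to = self.owner
        self.events.append(event)

    def hand_off(self, new_owner: str) -> None:
        # The case moves as a single entity; every event follows the new owner.
        self.owner = new_owner
        for e in self.events:
            e.assigned_to = new_owner


# Constructed policy; categories, groups and the gateway host are assumptions.
RULES = [
    Rule("pci", "security", MailAction.QUARANTINE),
    Rule("acceptable_use", "hr", MailAction.TAG_SUBJECT),
    Rule("confidential", "security", MailAction.REROUTE, "encrypt-gw.example.internal"),
]


def remediate_mail(message: Dict, action: MailAction, target: Optional[str]) -> Dict:
    """Return a modified copy of the message reflecting the chosen remediation."""
    out = dict(message)
    if action is MailAction.QUARANTINE:
        out["held"] = True
        out["to"] = []
    elif action is MailAction.REROUTE:
        out["next_hop"] = target
    elif action is MailAction.REDIRECT:
        out["to"] = [target]
    elif action is MailAction.DUPLICATE:
        out["bcc"] = out.get("bcc", []) + [target]
    elif action is MailAction.TAG_SUBJECT:
        out["subject"] = "[DLP VIOLATION] " + out["subject"]
    return out


def process_violation(event: Event, message: Dict,
                      rules: List[Rule] = RULES) -> Tuple[Event, Dict]:
    """Apply the first matching rule: remediate the mail and assign the event."""
    for rule in rules:
        if rule.category == event.category:
            event.assigned_to = rule.assign_to
            event.action = rule.action
            return event, remediate_mail(message, rule.action, rule.target)
    event.assigned_to = "unassigned"   # no policy matched; surface it for triage
    return event, message


def dashboard(events: List[Event], group: str) -> List[Event]:
    """Per-audience view: HR sees only its events, security only its own."""
    return [e for e in events if e.assigned_to == group]


if __name__ == "__main__":
    # Constructed sample message and events.
    msg = {"subject": "quarterly numbers", "to": ["partner@example.com"]}
    ev, out = process_violation(Event(1, "acceptable_use", "jdoe", "personal use"), msg)
    print(ev.assigned_to, out["subject"])
    ev2, out2 = process_violation(Event(2, "pci", "jdoe", "card numbers"), msg)
    case = Case(100, "security"); case.add(ev2); case.hand_off("hr")
    print([e.event_id for e in dashboard([ev, ev2], "hr")])
```

The point of the model is the separation the review praises: the rule decides the technical remediation, the assignment decides which non-technical audience sees the event, and the case carries the whole bundle to whoever acts next.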