We changed our name from IT Central Station: Here's why
Get our free report covering Forcepoint, Broadcom, Microsoft, and other competitors of Digital Guardian. Updated: January 2022.
563,208 professionals have used our research since 2012.

Read reviews of Digital Guardian alternatives and competitors

Security Architect at a tech services company with 11-50 employees
Real User
Top 10
Enables us to search for keywords, a process which is a critical part of our security operations
Pros and Cons
  • "There are effectively two areas of DLP to look at from a technical perspective. One is how it performs the pickup of information traversing the system and the other is how the policy engine, which analyzes the data, works. On the first aspect, CoSoSys is probably best of breed for macOS because they're reasonably well-integrated into the operating system. They're looking at the file system operations level, not at the execution level."
  • "The policy engine could use a bit of work. They're definitely going in the right direction. We've been working with them over the last few weeks to try and optimize that. But it's reasonably clear that they're just not putting as much effort into the policy engine as into other things, like content discovery."

What is our primary use case?

We use it for detecting the traversal of data through endpoints. We keep a multi-tier isolated environment, so we have inner and outer cordons of access control. And over VPN, users could potentially be one of the exfil points, at least the privileged ones with access. Being able to identify when information enters the system and leaves, based on a number of complex criteria, because we work with medical information from all over the world, is the purpose of it in our organization.

The solution is all on-premises. We're a healthcare organization, and that's actually one of the reasons we use it. We can't have a lot of our security functionality in the cloud.

How has it helped my organization?

We operate a Waterfall scene mechanism. We trickle up data from a bunch of different endpoint and network solutions to a central event and processing correlation mechanism. We're able to detect when somebody accesses data internally and correlate that to a DLP event when a file lands on their system. It actually provides a data point within our global view. It's an ongoing operation.

We also use it to monitor all clipboard activity. When a detection occurs, we can generally identify it pretty quickly, but someone would have to be copying some pretty specific data to match the policies we've created. When it occurs, we know. Generally, it's also in the line of business. We have healthcare analysts here, and that's what they do all day.

What is most valuable?

There are effectively two areas of DLP to look at from a technical perspective. One is how it performs the pickup of information traversing the system and the other is how the policy engine, which analyzes the data, works. On the first aspect, CoSoSys is probably best of breed for macOS because they're reasonably well-integrated into the operating system. They're looking at the file system operations level, not at the execution level. Whereas things like Forcepoint are looking at the applications being run and they try to apply policy to that. The pickup paradigm is a lot better than their competitors.

The search for keywords, in our security operations, is critical and we use Endpoint Protector for that. We're a HITRUST-certified organization, and one of the things we need to do is be aware of the movement of personally identifiable health information. Since we work multi-nationally, we have to be able to identify PHI from across different countries and their different medical coding standards.

Another valuable feature is the  Content Aware Protection. We use the device thing to some degree, but it's the Content Aware Protection that's critical for us. That's the aspect of it which is DLP. The content protection engine is what detects the data when it's traversing, and the rest of it is other ways to lock down the system from being able to move data in and out. But the detection aspect of it, that's the really key part for us, because we have to be able to record that, even if it's completely legitimate.

It's quite easy to manage DLP in a hybrid environment because you have the centralized server that receives telemetry from all of the agents. And because that's what's forwarding the telemetry on to subsequent log ingests, you get a single data stream across all of the agents. We also have host intrusion detection, which is backing a lot of this stuff for us. We have full command execution logging in every machine. Every command that is run is recorded. We can cross-correlate very tightly between the DLP and what's being done on the machine itself. That way, we know execution and data movement.

We use the role-based access features, for the teams that administer it, to some degree, because we have an auditing agency that reviews our policy compliance. It's satisfactory. We don't have complex requirements for it. We've got a couple of internal admins with equal privileges and then we have an auditor role. It seems to work fine.

What needs improvement?

The policy engine could use a bit of work. They're definitely going in the right direction. We've been working with them over the last few weeks to try and optimize that. But it's reasonably clear that they're just not putting as much effort into the policy engine as into other things, like content discovery.

It's somewhat lacking in terms of the granularity of the policies that you can create. Because this is a Mac environment, you have slim pickings. You have really good detection mechanisms, like Code42, but a lot of those players don't operate at the medium business size. So, in terms of the market segment, CoSoSys is really the only player that will be able to still effectively pick up on it, so they're the only game in town on policy. They don't really have much competition in this segment.

For how long have I used the solution?

I've been using CoSoSys Endpoint Protector for two years.

What do I think about the stability of the solution?

The stability has been quite good. They did have one shaky patch cycle in the last two years, but compared to the ginormous mess in this industry right now, they're definitely doing better than most.

What do I think about the scalability of the solution?

The scalability works for our use case. It's actually quite resource-light for what it's doing. Being an OSSEC author, I'm writing a C application that does a lot of the same stuff for processing of live-streaming, textual telemetry. They did a lot of optimization work to make this efficient. It's an expensive operation, inherently. What they're doing is really CPU-costly. Most of the time they don't match on anything, and the worst thing that an expression engine can do is not find anything.

We are constantly growing. We're probably going to be growing by 30 or 40 percent again this year. We're going to have to bump up our license counts.

How are customer service and technical support?

Our experience with their technical support has been better over the last year. Initially it was a little bit shaky, but they've definitely gotten better. There's always room to improve, but on a scale of one to 10, they're probably at a six or seven. They're doing better than the rest of the industry, like Cisco for example, which is a one out of 10.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

We just used a Zen appliance, so it was incredibly straightforward; it was effectively drop-in.

Configurations are ongoing. As we get new data in, we do continue to configure. And, obviously, with updates and new features and features being removed, changes are made all the time, but the initial deployment took about half a day.

Our implementation strategy was to understand our data first. We do a lot of in-house software development, so we understand regular expressions, pattern matching, and mechanisms like that; what's expensive and what's cheap. We defined what was identifiable in our data, figured out an identification strategy and policy mechanism first, and then went to implement it across the board. We knew that the number of endpoints we had was relatively small.

In terms of the staff employed in the deployment, we're probably not typical. We hire top-tier talent. Everybody here starts out well into the six-figure range. So it takes one of us to deploy this. We're not your average shop.

In terms of maintenance, there's the occasional update. There is almost no downtime. The hypervisor is more unstable than the VM itself.

We have about 100 people using Endpoint Protector across our organization. It's literally everybody in the organization, including me and the CTO and the CEO. We're all beholden to this. There are no exceptions.

What was our ROI?

You get ROI in the first year. Endpoint Protector is a facet of our visibility into the environment, but it's a daily-use facet. It's like the passenger-side mirror on your car; you use it all the time. You could probably live without it, but you use it all the time. It's a necessity and it's a useful one. It's one that I endorse within our company to relicense every year.

What's my experience with pricing, setup cost, and licensing?

Pricing is quite reasonable. For smaller organizations, it lets them get into the product domain, whereas a lot of vendors won't even talk to them. Endpoint Protector is just about at that sweet spot of being serious enough that you have to budget for it, but at the same time, affordable enough that the value is well worth it.

Which other solutions did I evaluate?

I work across the industry. I've used just about every solution. In the Mac space, CoSoSys is probably the market leader, because of the level of detail that they've put into the platform is very significant. They really did bother to optimize it and to make it run efficiently. A lot of these tools are afterthoughts on Mac and, if they do run at all, they destroy the machine. When you have a bunch of engineers trying to code, they notice.

This solution is right up there with Forcepoint Data Loss Prevention and Digital Guardian, but Code42 Next-Gen DLP is probably the closest comparable thing. But that is not a data loss prevention tool, it's just an identification and tagging tool. But it has a very similar semantic of pickup and analysis. 

Endpoint Protector is in the same market space as Forcepoint, in terms of pricing, but it's an apples-to-oranges comparison. Forcepoint is pretty well-known for having a good policy engine, but their detection and pickup mechanism, especially on the Mac platform, is just not practical. I can walk around it in my sleep. Again, we hire highly-talented engineers who can do the same thing, so if one of them decided to go rogue on us, Forcepoint just wouldn't help.

What other advice do I have?

In my private practice, I work with a lot of other firms, including some design firms that are Mac-based and, as they start to ramp up their security—because they're now becoming vectors of attack into their own customer bases—this product is definitely something that's on the radar.

The ability to lock down a wide variety of USB devices is a secondary thing for us, because we do central policy management through another solution, so we have devices locked down through other policy engine mechanisms. But it is very convenient how CoSoSys has implemented it. That ability is definitely on the list for us but not at the top because for us, for policy regulatory compliance, we have to be able to tell when the data is moving in and out. That's the big thing we look at.

In terms of Endpoint Protector's support for Windows, macOS, and Linux, in our case, Linux is a non-starter. We operate big-data clusters. DLP just doesn't work in that context. The information is broken out into multiple pieces and spread all over the environment and traverses between the nodes as part of computation. DLP can't work in that kind of technique. As far as the Windows mechanisms go, we currently don't have Windows workstations or any Windows assets. I'm a red-teamer by trade, one of the people who gets paid to break into places, and Windows has a shared authentication model, meaning that if I compromise one of your servers or workstations, I can basically move unfettered throughout your network. Our environment is a mix, a heterogeneous environment, so that attackers would have to adapt to every different point they want to compromise.

Overall, Endpoint Protector really provides what you expect from it. There are no huge surprises one way or another. If you do your research, it's exactly what they say in their advertisements. They are not promising things they can't deliver. It does its job well.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Presales Network & Security Engineer at a tech services company with 51-200 employees
Reseller
Top 5Leaderboard
Prevents the theft of data in motion through email and web channels
Pros and Cons
  • "I like the SaaS solution they're offering now a little bit more. It's a new product but it's easy to install and configure."
  • "You have to monitor the solution all the time."

What is our primary use case?

Our main target is banking, insurance, and pharmacy — my main clientele.

What is most valuable?

I like the SaaS solution they're offering now a little bit more. It's a new product but it's easy to install and configure.

What needs improvement?

There is an admin and you have to monitor the solution all the time. The same is true even if you use Symantec or Digital Guardian's DLP — it's all the same. They all require one administrator to monitor the system every day. In short, DLP solutions are good to have, but they do require maintenance.

In terms of human resources, if you have a DLP solution, you have to monitor it every day. Regardless of budget.

I would like to see some file access rights management. This allows users to access whichever files, folders, and resources they choose. This is something Forcepoint and Symantec both don't offer. 

For how long have I used the solution?

I have been using this solution for roughly four years.

What do I think about the scalability of the solution?

Forcepoint Data Loss Prevention is really scalable. Some of my customers have 20,000 licenses, others have five licenses.

How are customer service and technical support?

The technical support is very good. From a Forcepoint perspective, they're quite responsive. If I were to open a ticket now, they would respond within an hour. They're quite quick.

Which solution did I use previously and why did I switch?

I used to use Symantec DLP. Licensing-wise, Forcepoint is easier to deploy with less infrastructure. But at the end of the day, if you want the full suite, Forcepoint seems a little bit easier.

How was the initial setup?

Deployment can take anywhere from four to five hours. It can take up to two days depending on the infrastructure.

What about the implementation team?

The size of the deployment team can vary. One company could require one admin to check the logs every day and another could need to check only once a week. It depends on the department — DLP is complex.

What's my experience with pricing, setup cost, and licensing?

All of the vendors that I know have the same licensing fee — all of them. The ones that I've used, like Forcepoint, Symantec, and Digital Guardian, all have similar licensing, either perpetual or subscription — it depends on what you want. Do you want only endpoint DLP or do you want a DLP suite? Either way, they do have similar licensing. 

What other advice do I have?

I would certainly recommend this solution to others. It's one of the best DLP solutions on the market.

Overall, on a scale from one to ten, I would give this solution a rating of nine.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Get our free report covering Forcepoint, Broadcom, Microsoft, and other competitors of Digital Guardian. Updated: January 2022.
563,208 professionals have used our research since 2012.