Get our free report covering Broadcom, Microsoft, Digital Guardian, and other competitors of Forcepoint Data Loss Prevention. Updated: January 2022.
565,304 professionals have used our research since 2012.

Read reviews of Forcepoint Data Loss Prevention alternatives and competitors

Security Architect at a tech services company with 11-50 employees
Real User
Top 10
Enables us to search for keywords, a process which is a critical part of our security operations
Pros and Cons
  • "There are effectively two areas of DLP to look at from a technical perspective. One is how it performs the pickup of information traversing the system and the other is how the policy engine, which analyzes the data, works. On the first aspect, CoSoSys is probably best of breed for macOS because they're reasonably well-integrated into the operating system. They're looking at the file system operations level, not at the execution level."
  • "The policy engine could use a bit of work. They're definitely going in the right direction. We've been working with them over the last few weeks to try and optimize that. But it's reasonably clear that they're just not putting as much effort into the policy engine as into other things, like content discovery."

What is our primary use case?

We use it for detecting the traversal of data through endpoints. We keep a multi-tier isolated environment, so we have inner and outer cordons of access control. And over VPN, users could potentially be one of the exfil points, at least the privileged ones with access. Being able to identify when information enters the system and leaves, based on a number of complex criteria, because we work with medical information from all over the world, is the purpose of it in our organization.

The solution is all on-premises. We're a healthcare organization, and that's actually one of the reasons we use it. We can't have a lot of our security functionality in the cloud.

How has it helped my organization?

We operate a Waterfall scene mechanism. We trickle up data from a bunch of different endpoint and network solutions to a central event and processing correlation mechanism. We're able to detect when somebody accesses data internally and correlate that to a DLP event when a file lands on their system. It actually provides a data point within our global view. It's an ongoing operation.

We also use it to monitor all clipboard activity. When a detection occurs, we can generally identify it pretty quickly, but someone would have to be copying some pretty specific data to match the policies we've created. When it occurs, we know. Generally, it's also in the line of business. We have healthcare analysts here, and that's what they do all day.

What is most valuable?

There are effectively two areas of DLP to look at from a technical perspective. One is how it performs the pickup of information traversing the system and the other is how the policy engine, which analyzes the data, works. On the first aspect, CoSoSys is probably best of breed for macOS because they're reasonably well-integrated into the operating system. They're looking at the file system operations level, not at the execution level. Whereas things like Forcepoint are looking at the applications being run and they try to apply policy to that. The pickup paradigm is a lot better than their competitors.

The search for keywords, in our security operations, is critical and we use Endpoint Protector for that. We're a HITRUST-certified organization, and one of the things we need to do is be aware of the movement of personally identifiable health information. Since we work multi-nationally, we have to be able to identify PHI from across different countries and their different medical coding standards.

Another valuable feature is the Content Aware Protection. We use the device thing to some degree, but it's the Content Aware Protection that's critical for us. That's the aspect of it which is DLP. The content protection engine is what detects the data when it's traversing, and the rest of it is other ways to lock down the system from being able to move data in and out. But the detection aspect of it, that's the really key part for us, because we have to be able to record that, even if it's completely legitimate.

It's quite easy to manage DLP in a hybrid environment because you have the centralized server that receives telemetry from all of the agents. And because that's what's forwarding the telemetry on to subsequent log ingests, you get a single data stream across all of the agents. We also have host intrusion detection, which is backing a lot of this stuff for us. We have full command execution logging in every machine. Every command that is run is recorded. We can cross-correlate very tightly between the DLP and what's being done on the machine itself. That way, we know execution and data movement.

We use the role-based access features, for the teams that administer it, to some degree, because we have an auditing agency that reviews our policy compliance. It's satisfactory. We don't have complex requirements for it. We've got a couple of internal admins with equal privileges and then we have an auditor role. It seems to work fine.

What needs improvement?

The policy engine could use a bit of work. They're definitely going in the right direction. We've been working with them over the last few weeks to try and optimize that. But it's reasonably clear that they're just not putting as much effort into the policy engine as into other things, like content discovery.

It's somewhat lacking in terms of the granularity of the policies that you can create. Because this is a Mac environment, you have slim pickings. You have really good detection mechanisms, like Code42, but a lot of those players don't operate at the medium business size. So, in terms of the market segment, CoSoSys is really the only player that will be able to still effectively pick up on it, so they're the only game in town on policy. They don't really have much competition in this segment.

For how long have I used the solution?

I've been using CoSoSys Endpoint Protector for two years.

What do I think about the stability of the solution?

The stability has been quite good. They did have one shaky patch cycle in the last two years, but compared to the ginormous mess in this industry right now, they're definitely doing better than most.

What do I think about the scalability of the solution?

The scalability works for our use case. It's actually quite resource-light for what it's doing. Being an OSSEC author, I'm writing a C application that does a lot of the same stuff for processing of live-streaming, textual telemetry. They did a lot of optimization work to make this efficient. It's an expensive operation, inherently. What they're doing is really CPU-costly. Most of the time they don't match on anything, and the worst thing that an expression engine can do is not find anything.

We are constantly growing. We're probably going to be growing by 30 or 40 percent again this year. We're going to have to bump up our license counts.

How are customer service and technical support?

Our experience with their technical support has been better over the last year. Initially it was a little bit shaky, but they've definitely gotten better. There's always room to improve, but on a scale of one to 10, they're probably at a six or seven. They're doing better than the rest of the industry, like Cisco for example, which is a one out of 10.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

We just used a Zen appliance, so it was incredibly straightforward; it was effectively drop-in.

Configurations are ongoing. As we get new data in, we do continue to configure. And, obviously, with updates and new features and features being removed, changes are made all the time, but the initial deployment took about half a day.

Our implementation strategy was to understand our data first. We do a lot of in-house software development, so we understand regular expressions, pattern matching, and mechanisms like that; what's expensive and what's cheap. We defined what was identifiable in our data, figured out an identification strategy and policy mechanism first, and then went to implement it across the board. We knew that the number of endpoints we had was relatively small.

In terms of the staff employed in the deployment, we're probably not typical. We hire top-tier talent. Everybody here starts out well into the six-figure range. So it takes one of us to deploy this. We're not your average shop.

In terms of maintenance, there's the occasional update. There is almost no downtime. The hypervisor is more unstable than the VM itself.

We have about 100 people using Endpoint Protector across our organization. It's literally everybody in the organization, including me and the CTO and the CEO. We're all beholden to this. There are no exceptions.

What was our ROI?

You get ROI in the first year. Endpoint Protector is a facet of our visibility into the environment, but it's a daily-use facet. It's like the passenger-side mirror on your car; you use it all the time. You could probably live without it, but you use it all the time. It's a necessity and it's a useful one. It's one that I endorse within our company to relicense every year.

What's my experience with pricing, setup cost, and licensing?

Pricing is quite reasonable. For smaller organizations, it lets them get into the product domain, whereas a lot of vendors won't even talk to them. Endpoint Protector is just about at that sweet spot of being serious enough that you have to budget for it, but at the same time, affordable enough that the value is well worth it.

Which other solutions did I evaluate?

I work across the industry. I've used just about every solution. In the Mac space, CoSoSys is probably the market leader, because the level of detail that they've put into the platform is very significant. They really did bother to optimize it and to make it run efficiently. A lot of these tools are afterthoughts on Mac and, if they do run at all, they destroy the machine. When you have a bunch of engineers trying to code, they notice.

This solution is right up there with Forcepoint Data Loss Prevention and Digital Guardian, but Code42 Next-Gen DLP is probably the closest comparable thing. But that is not a data loss prevention tool, it's just an identification and tagging tool. But it has a very similar semantic of pickup and analysis. 

Endpoint Protector is in the same market space as Forcepoint, in terms of pricing, but it's an apples-to-oranges comparison. Forcepoint is pretty well-known for having a good policy engine, but their detection and pickup mechanism, especially on the Mac platform, is just not practical. I can walk around it in my sleep. Again, we hire highly-talented engineers who can do the same thing, so if one of them decided to go rogue on us, Forcepoint just wouldn't help.

What other advice do I have?

In my private practice, I work with a lot of other firms, including some design firms that are Mac-based and, as they start to ramp up their security—because they're now becoming vectors of attack into their own customer bases—this product is definitely something that's on the radar.

The ability to lock down a wide variety of USB devices is a secondary thing for us, because we do central policy management through another solution, so we have devices locked down through other policy engine mechanisms. But it is very convenient how CoSoSys has implemented it. That ability is definitely on the list for us but not at the top because for us, for policy regulatory compliance, we have to be able to tell when the data is moving in and out. That's the big thing we look at.

In terms of Endpoint Protector's support for Windows, macOS, and Linux, in our case, Linux is a non-starter. We operate big-data clusters. DLP just doesn't work in that context. The information is broken out into multiple pieces and spread all over the environment and traverses between the nodes as part of computation. DLP can't work in that kind of technique. As far as the Windows mechanisms go, we currently don't have Windows workstations or any Windows assets. I'm a red-teamer by trade, one of the people who gets paid to break into places, and Windows has a shared authentication model, meaning that if I compromise one of your servers or workstations, I can basically move unfettered throughout your network. Our environment is a mix, a heterogeneous environment, so that attackers would have to adapt to every different point they want to compromise.

Overall, Endpoint Protector really provides what you expect from it. There are no huge surprises one way or another. If you do your research, it's exactly what they say in their advertisements. They are not promising things they can't deliver. It does its job well.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Management Executive at a security firm with 11-50 employees
Real User
Top 5 Leaderboard
Good compliance management but the support is lacking and the effectiveness needs to be improved
Pros and Cons
  • "You can manage your compliance in line with legislation such as GDPR and POPIA."
  • "Our client is not very happy with the lack of support, the skills, and the effectiveness of the tool."

What is our primary use case?

We are a consulting house for various clients. We provide consultancy to our clients in terms of which product they should use based on their requirements and environment.

Our clients use this solution for DLP. They are using it for the basis of endpoint protection, prevention of malware infection, detection, and management of the endpoint.

The client has not fully utilized the DLP because they have not done the data classification well enough to actually get the full value of the DLP solution.

What is most valuable?

If a DLP is implemented correctly, the value is that you can address the human error issues. You can manage your compliance in line with legislation such as GDPR and POPIA. 

The value proposition is great if it is implemented correctly.

What needs improvement?

If you do not have a team that is supporting your DLP implementation, there may be a challenge, which is a concern.

The support in South Africa should have more knowledgeable and professional McAfee resources.

Our client is not very happy with the lack of support, the skills, and the effectiveness of the tool.

For how long have I used the solution?

Our client has been using McAfee Total Protection for Data Loss Prevention for three years.

What do I think about the stability of the solution?

It works and is stable if it is implemented correctly.

What do I think about the scalability of the solution?

It is a scalable solution. We have two customers who are using it and one who will be moving onto another solution. They are considering Cynet or CrowdStrike.

How are customer service and technical support?

The support in South Africa could be much better.

Which solution did I use previously and why did I switch?

I was the chief information security officer at one of the largest banks in Africa. I have used all of the products including McAfee DLP, McAfee Endpoint, and Forcepoint DLP as well.

How was the initial setup?

I wasn't involved in the implementation for this client in particular. 

My experience with McAfee from a vendor perspective is if you have the right skills, it can be deployed quite easily. The only challenge is it uses a lot of hardware.

The time it takes for deployment depends on the variety of clients. Some clients have 1,000 users, so it's quite easy. 

The actual deployment before rollout to all of your users is not long. It takes approximately two weeks.

The number of people required to maintain this solution depends on the scale of the project, the customer itself, and the number of users. There is a lot of awareness that needs to go into DLP and Endpoint DLP to train the user.

What about the implementation team?

We utilized specialists to implement it for us because we are not a vendor. 

We are vendor agnostic. We advise our clients, and then we get professional people like McAfee Professional Service to install it. We wouldn't get involved in it.

We use integrators.

What's my experience with pricing, setup cost, and licensing?

If the client purchases the entire suite of McAfee Endpoint, the license is included.

Which other solutions did I evaluate?

We evaluated Cynet and CrowdStrike in comparison to McAfee. Our client wants to find an alternative to McAfee Endpoint Security.

What other advice do I have?

We are purely consultants. We do not get involved primarily with the implementation. 

What we do is advise clients. For example, we are doing a lot of work for Coca-Cola and we advise them on how to configure.

It doesn't matter whether you're using Defender, or whether you are using MCAS as a cloud solution, we help you configure according to the standard that is applicable, whether it's a legislative standard or an internal policy. 

We ensure that the necessary implementation and configuration settings are aligned. Then we give it back to the technical integrators to implement according to the standard that we have set. That is the level of involvement we have. We don't do the implementation, but we advise on how the implementation should be done in line with the internal policy or the legislation.

I would not recommend this solution to others. I think there are better products available at the moment.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Sanjit Achary
Senior Manager at a tech services company with 1,001-5,000 employees
Real User
Top 5
Stable with good central management and good technical support
Pros and Cons
  • "The central management console is the solution's most valuable aspect."
  • "There needs to be support for Mac computers. Currently, McAfee does not work on iOS."

What is our primary use case?

The solution handles risk and compliance aspects for our company. It handles everything including uploading documents, etc.

What is most valuable?

I don't use the solution in a technical way, so the technical aspects of the solution I'm not clear on.

The central management console is the solution's most valuable aspect.

What needs improvement?

The solution needs to be more clear about the licensing. They should have a way for users to educate themselves on the costs so that companies can figure out how to reduce costs.

There needs to be support for Mac computers. Currently, McAfee does not work on iOS.

For how long have I used the solution?

I've been working with the solution for the last five years.

What do I think about the stability of the solution?

The solution has been quite stable for us. We haven't had any issues at all.

What do I think about the scalability of the solution?

We have about 2500 people using the solution in our organization. They're a mix of people, including engineers and architects. We use it quite extensively - on a regular basis.

The solution is scalable, but the issue for us is that the pricing can be quite high.

How are customer service and technical support?

We've been in touch with technical support in the past. They've been quite good. We've been satisfied with their level of service.

Which solution did I use previously and why did I switch?

In the past, we've worked with Symantec, ForcePoint, and Barracuda. McAfee has some features that aren't part of other competitors' feature sets. Overall, however, from a technical point of view, they are all mostly the same.

How was the initial setup?

The initial setup is quite simple. We didn't find it complex at all.

I was not there during the original implementation. I'm very new to this organization. I had just joined the team a few months ago. This solution has been running for the last five years, so I don't have more historical data in relation to the original setup.

We have two software engineers overseeing the project.

What's my experience with pricing, setup cost, and licensing?

Comparatively, the pricing is quite low.

What other advice do I have?

We're a McAfee customer. We don't have a specific relationship with the organization. We are using the latest version of the solution.

The solution is quite good and stable right now, but there are a lot of other products coming to the market. I'm currently investigating what other features customers need or are using to see if we can develop these out on this solution or not. 

Many organizations will find the solution has many features that would suit their needs and reduce the number of issues they face. However, it does depend on the individual company and what their unique requirements are.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.