Secret Agent - A Decade of Stealth

We don’t normally draw attention to work that leaves little to show, but when we’re talking about agent footprints and memory consumption less is definitely more!  The lightweight, high performance DLP Endpoint agent that we deliver has taken many years to develop.  In this interview, Stefano Emiliozzi, Technical Director of DLP Detection met with Sunil Choudrie, PMM to talk about the engineering journey to deliver these improvements.

Sunil: Stefano, in case people haven’t already had the pleasure of meeting you, can you explain your role and focus?

Stefano: Sure, as Technical Director I oversee our engineering efforts around DLP Detection, including some of our most important DLP detection engines such as Exact Data Matching, Index Data Matching and EMDI.  

Sunil: That makes you the perfect person to talk about DLP Endpoint.  Here is my question; When it comes to DLP at the endpoint, why does performance matter?

Stefano: To answer that, it’s helpful to start with a fundamental goal. My mission is to ensure that we help customers correctly reduce their data loss risk - and we deliver this by ensuring we can accurately scan content.  As the volume of data that organizations generate has increased, the pressure to scan every file with acceptable performance gets higher.  So, you can see that if you have an inefficient, or heavy endpoint footprint, you impact performance - degrading the user experience and stretching your system resources.

How can we solve this?  An easy solution in the face of increased data volumes is to scan less, using a sampling approach to scan a percentage of files.  I’m sure you can instantly see the problem with this - if I don’t scan 100% of files, how can I possibly know what my data risk is?  The standard Symantec works to is that we look at every file.  This is a better, but harder path as it means that the performance of our agent needs to be optimized to support that.

Sunil: A classic dilemma - scan everything but don’t affect performance. So, how did we go about solving that?

Stefano: We’ve been looking at the way we deliver DLP technology to customers for many years.  We know that the endpoint agent can upset the balance between efficacy and efficiency - memory footprint, scan times, content extraction methods etc.  Let me illustrate this with an example.  If the method used to extract content from a file takes 30 seconds, and the scan of that content takes just milliseconds, the customer sees a slow scanning time.  Improving scanning speed is meaningfully delivered by improving content extraction methods.  This, and other problems such as Policy Evaluation are what my team looks at.

Sunil: You mentioned Policy Evaluation, can you talk a little more about this?

Stefano: We started by fundamentally rethinking our approach.  We found that under certain circumstances the way policies were evaluated was a big resource drain.  As we were developing agents for Windows, Mac, and other platforms we were able to step back and look at the bigger picture.  In doing so, we implemented an alternative way to evaluate policies that delivered two prime advantages.  First, this new implementation used significantly fewer resources in areas that deliver high impact improvements to customers.  Secondly, we are now using a single implementation that can be applied across many operating systems which allows us to offer a broad range of operating system support that is easier for us to develop and maintain.

Sunil: I’m sure your team faces hard decisions when considering new technology - particularly to strike the right balance between effectiveness and performance.  How do you go about navigating these decisions? 

Stefano: This is a complex area and one that creates lots of healthy debate.  On the face of it, it’s very easy to implement new technology for the sake of it, but that probably won’t lead to a better product for our customers.  We start with an advanced development team that is continually assessing new technology and working out ways to apply this to improving data protection.  But before we take these concepts and develop them further, we consider four attributes that matter to customers.  These are:

• Reliability
• Scalability
• Performance
• Memory

We keep this framework in mind throughout the development process to ensure we release features that don’t just improve existing data protection technologies, but also help customers deliver better data protection outcomes.

Sunil: Thanks Stefano, as we wrap up, what feature are you most proud of developing and why?

Stefano: The feature I am the proudest of is the new Policy Evaluation Engine. It's a complete rewrite of the core Detection engine and brings dramatic improvements in memory footprint, faster execution, and extensibility to the on-prem Server, Cloud Service and Endpoints. It's particularly significant for the Endpoints where memory footprint is always a paramount factor.

Find out more about the improvements delivered in Symantec DLP 16 by visiting our website.