One of the reasons I spend so much time talking about DLP around here is that it’s one of the first markets I covered as an analyst and I’ve been able to watch it grow from the start.

It also means that over 5-6 years of coverage the odds are pretty high I’ve made some mistakes.

The Usual Disclaimer: There are a lot of good DLP products on the market and I work with some of the companies. This post isn’t an explicit endorsement, and I’ll likely be highlighting competitors in future posts as they come out with their own product updates. Just keeping you informed, and you need to run through a full selection process to pick the best tool for your circumstances.

With the strong rumors about the acquisition of Vontu, and since it was my first big mistake in this space, it’s a good time to come clean. Way back when Vontu was first coming to market they stopped off to meet me for lunch at the Walnut Brewery in Boulder, Colorado. I think I had a turkey burger because it’s only available at lunch, and I really like it.

They described their key differentiator: using real database data to detect leaks, what they call Exact Data Matching (EDM). I wasn’t impressed, and informed them that Vericept could do it all with regular expressions. I walked away thinking I’d never see them again.

A combination of factors proved me wrong. For the next 2 years Vericept didn’t recognize the value of the DLP market, continued to focus on acceptable use enforcement, and got their clocks cleaned by Vontu. A combination of aggressive execution, some key client references, and tight focus on leak prevention put Vontu in the top spot in the market. For the record, Vericept later brought in some new management that turned the company around, putting them in second place in terms of revenue by last year. Nice thing about an early market, you can afford some mistakes.

Most customers still don’t use EDM, but that’s not the point. I thought, at the time, that a general platform would be more successful, but it was the focused solution that clients were more interested in. Even if the Symantec deal doesn’t happen, that laser focus on the business problem has already paid off.

The next example of poor judgement concerns Reconnex. Reconnex is unique in the DLP market in that they can collect all traffic, not just policy violations. I used to call this full forensics since it was essentially structured network forensics. Back when they released the first versions of the product this feature wasn’t an advantage for DLP. There was no reason to collect all that traffic; sure, it might be helpful in an investigation, but few DLP clients were interested. Management at the time (since changed) focused so much on that feature that they let the user interface and performance slack.

With their new release, I may be changing my mind.

They’ve now turned the capture capability from a forensics tool into a data mining and policy validation tool. Aside from still being useful in investigations, you can now generate a DLP policy and run it on old data. Instead of having to tune a policy in production as you go, you can tune it offline and play with changes without affecting production. They’ve also added data mining so you can use the tool to help identify sensitive data that’s not currently protected by a policy by looking at behavior/history. I haven’t talked to any references about this yet, but it looks promising. They’ve also revamped the user interface and it’s much more usable with better workflow.
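The offline tuning workflow described above, sketched as an added example (not Reconnex's or Vontu's code): a regex policy and an exact-match policy are replayed over the same stored traffic and their hits compared. The archive, the SSN values, the key and every function name are constructed assumptions.

```python
import hashlib
import hmac
import re

# All data below is constructed for illustration.
INDEX_KEY = b"constructed-demo-key"             # keyed hash keeps raw values out of the index
CUSTOMER_SSNS = ["078-05-1120", "219-09-9999"]  # stand-in for the real database column
ARCHIVE = [                                      # stand-in for previously captured traffic
    ("m1", "Invoice ref 123-45-6789 shipped today"),
    ("m2", "Customer record: Jane Roe, SSN 078-05-1120"),
    ("m3", "ssn 219 09 9999 attached per request"),
    ("m4", "Lunch at noon?"),
]

SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def fingerprint(value):
    """Normalise to digits, then HMAC so the index never stores the value itself."""
    digits = re.sub(r"\D", "", value)
    return hmac.new(INDEX_KEY, digits.encode(), hashlib.sha256).hexdigest()


def regex_policy(payload):
    """Pattern-only policy: flags anything shaped like an SSN."""
    return bool(SSN_RE.search(payload))


def make_exact_policy(db_values):
    """Exact-match policy: flags only candidates whose fingerprint is in the index."""
    index = {fingerprint(v) for v in db_values}
    return lambda payload: any(fingerprint(c) in index for c in SSN_RE.findall(payload))


def replay(policy, archive):
    """Run a policy over stored traffic and return the ids it would have flagged."""
    return [msg_id for msg_id, payload in archive if policy(payload)]


def compare(archive, db_values):
    """Replay both policies offline and list hits only the regex policy produced."""
    by_regex = replay(regex_policy, archive)
    by_exact = replay(make_exact_policy(db_values), archive)
    return {"regex": by_regex, "exact": by_exact,
            "regex_only": [m for m in by_regex if m not in by_exact]}


if __name__ == "__main__":
    print(compare(ARCHIVE, CUSTOMER_SSNS))
```

The `regex_only` list is the set of messages to review as likely false positives before a policy change reaches production.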

I know some of the other DLP vendors are working up their next releases and it will be interesting to see what pops. I’ve already heard some good things about the endpoint capabilities of one of them, although they haven’t briefed me.