Assessment of CAP Policy Rollout and Performance Impact for File Monitoring

Folks,

We’re planning to implement several CAP policies across the firm, covering approximately 1,200 endpoints. These policies will monitor specific file types - such as Office documents and PDFs - as they move through various exit points including browsers, applications, and Outlook.

As part of our assessment, we’re evaluating whether this implementation might impact endpoint performance or place additional load on our on-premises EPP infrastructure.

What is your experience with such a setup?

Thank you.

1 Like

Hi Karan,

File type policies can be quite noisy as they will report on the type of the file, without taking into consideration the content of the file. File type policies are used for example by architecture firms working with AutoCAD files where the content can’t be properly inspected, so they just report on all AutoCAD files leaving the endpoints.
Best practice is to create DLP policies based on sensitive content like predefined identification (ID numbers, credit card numbers, emails etc.), custom content (keywords) or ideally classified data if you have a data classification tool like MIP or Netwrix Data Classification. These kinds of policies would generate fewer events and more relevant logs.
However, if you are implementing a DLP solution for the first time in your organization, it’s not uncommon to set it up in monitoring mode and report on all Office/PDF files to get a baseline.

This was kind of a long introduction for a relatively short answer. So to answer your question, there shouldn’t be a performance impact on the endpoints if you set up a File Type policy. However, you should keep an eye on the EPP server to make sure you don’t run out of HDD space and the server can ingest all the logs generated by your 1200 endpoints.
Best practice would be to set up an Audit Log Backup under System Maintenance to clear the logs older than X number of days. This functionality will automatically back up the logs into CSV files, so you don’t lose them, but they will take up less space on the server.
If you have a SIEM solution, you can also set up log forwarding to your SIEM server without keeping the logs in the EPP database; this way you take the load off the EPP server and never run out of space.

Hope this helps,
Zoran

4 Likes
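To make the noise difference between a file-type policy and a content-aware policy concrete, and to show the kind of back-of-the-envelope capacity check the reply recommends for the EPP server, here is an added Python example. It is not code from the original thread or from any EPP vendor: the file events, their extracted text, the 600-byte per-event size and the 50 events per endpoint per day are constructed assumptions, and the credit-card, email and keyword matchers are simplified stand-ins for a real product's predefined content detectors.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample of files leaving endpoints, with the text the agent
# would have extracted from each (assumption: plain text is available).
@dataclass
class FileEvent:
    endpoint: str
    filename: str
    exit_point: str
    content: str

SAMPLE_EVENTS = [
    FileEvent("WS-001", "q3-report.docx", "browser", "Quarterly numbers, internal only"),
    FileEvent("WS-002", "invoice.pdf", "outlook", "Card 4111 1111 1111 1111 on file"),
    FileEvent("WS-003", "kickoff.pptx", "teams", "Roadmap slides for the sales kickoff"),
    FileEvent("WS-004", "contacts.txt", "usb", "Reach me at alice@example.com"),
    FileEvent("WS-005", "menu.docx", "browser", "Lunch menu for the week"),
    FileEvent("WS-006", "photo.png", "browser", ""),
    FileEvent("WS-007", "order.pdf", "outlook", "Order ref 1234 5678 9012 3456"),
]

# File-type policy: fires on the extension alone, content is never inspected.
MONITORED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf"}

# Content-aware policy: simplified predefined detectors plus custom keywords.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
KEYWORDS = ("confidential", "internal only")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def file_type_policy(ev: FileEvent) -> bool:
    """Report every monitored file type regardless of what it contains."""
    return os.path.splitext(ev.filename)[1].lower() in MONITORED_EXTENSIONS


def content_policy(ev: FileEvent) -> list[str]:
    """Return the reasons a content-aware policy would report this file."""
    reasons = []
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(ev.content)):
        reasons.append("credit_card")
    if EMAIL_RE.search(ev.content):
        reasons.append("email")
    if any(k in ev.content.lower() for k in KEYWORDS):
        reasons.append("keyword")
    return reasons


def compare_policies(events: list[FileEvent]) -> dict[str, int]:
    """Count how many events each policy style would write to the EPP log."""
    return {
        "file_type": sum(1 for e in events if file_type_policy(e)),
        "content_aware": sum(1 for e in events if content_policy(e)),
    }


def daily_log_mb(endpoints: int, events_per_endpoint: int, bytes_per_event: int = 600) -> float:
    """Rough daily ingest in MB; bytes_per_event is an assumed average, not a product figure."""
    return endpoints * events_per_endpoint * bytes_per_event / 1_000_000


def retention_days_within(budget_gb: float, daily_mb: float) -> int:
    """Whole days of logs a disk budget holds, i.e. a starting point for the Audit Log Backup age."""
    return int(budget_gb * 1000 // daily_mb)


if __name__ == "__main__":
    print(compare_policies(SAMPLE_EVENTS))          # {'file_type': 5, 'content_aware': 3}
    mb = daily_log_mb(endpoints=1200, events_per_endpoint=50)
    print(f"{mb:.1f} MB/day, {retention_days_within(20, mb)} days fit in 20 GB")
```

Note that the file-type policy reports the pptx, the menu and the order PDF that carry nothing sensitive, while the content policy skips them (the order reference fails the Luhn check) and instead catches the plain-text file with an email address that the file-type policy ignores. The capacity numbers are only as good as the assumed event size and rate, so replace them with values measured during the monitoring-mode baseline before sizing the backup schedule.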

Hi Karan,

We are currently monitoring 900 clients with several CAP policies.
In our experience you can neglect the performance impact for example for standard browser uploads or MSTeams uploads. If you have massive amounts of data being uploaded you will probably experience a bigger impact.
However, there are 3 areas you have to keep an eye on in our experience: OCR scanning, New Outlook and USB file transfer.

  • In the past there was a noticeable performance impact when you had OCR enabled. But I can’t tell you how it performs with the new OCR engine - this might be solved.
  • Where we had the most impact in the past was with long Outlook mails and OCR enabled - we again do not have experience with the new OCR engine.
  • We are currently trying to implement the add-in for the new Outlook and at the moment it looks like it is not as performant as with the old Outlook.
  • If you are transferring a lot of files via USB then you will also notice an impact, but as we are not transferring that much, it is not a problem.

Hope this helps somehow!

Best regards!

3 Likes