Channel: Symantec Connect - Products - Articles

DLP and third party communication systems


Once you have implemented a DLP solution with its entire ecosystem, it is annoying to find that some of your colleagues still have a way to exchange information without any control (I am not speaking here of communication systems in the cloud, which are increasingly managed natively by Symantec DLP). This is particularly the case when these employees, as part of their work, need to use external systems shared between several companies (for example, in the financial world, trading teams make daily use of systems such as Bloomberg or Reuters, which offer mail and instant messaging).

It is very difficult to control these systems at the network level because the streams are encrypted and often run over dedicated network lines. It is also difficult with DLP endpoint, because these systems may be accessed from a dedicated terminal or from terminals outside your company. These organizations often offer internal control systems, but if those are not based on the same DLP solution as yours, it will be very hard to get the same level of coverage and to apply the same incident qualification process.

It is possible to use the capabilities of "Network monitor" to add these external systems to your DLP control. You analyze their messages by dropping them into the "drop" directory (this mode is usually used for testing purposes).

These external systems must be able to provide audit trails of the actions performed by your employees. The minimum information required is: Who? Where (which destination)? What (information and/or documents transmitted)?

From this input you can rebuild a message, for example an email, even if the original source is not an email. For a storage system, for instance, you attach the document, set the sender to the person who filed the document, the recipient to the storage system, and the sending date to the date of filing. These messages are then copied into the "drop" directory of your network monitor.
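The rebuild step described above, as an added Python example that is not part of the original article and is not Symantec code. The audit record field names, the subject line, the `.eml` extension and the staging/drop directory layout are assumptions; check what your own Network Monitor drop directory expects.

```python
import os
import tempfile
from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import format_datetime, make_msgid

# Constructed sample audit record; field names are assumptions, not a vendor format.
SAMPLE_RECORD = {
    "system": "ext-chat",                        # hypothetical external system name
    "user": "trader1@example.com",               # Who (mapped to a corporate address)
    "destination": "counterparty@example.net",   # Where
    "timestamp": datetime(2020, 3, 2, 9, 15, tzinfo=timezone.utc),
    "text": "Please find the client list attached.",          # What (text)
    "files": [("clients.csv", b"name,account\nDoe,0000\n")],  # What (documents)
}

def audit_record_to_message(record):
    """Rebuild an RFC 5322 message from one who/where/what audit record."""
    msg = EmailMessage()
    # The default policy raises ValueError on CR/LF inside a header value, so
    # untrusted audit fields cannot smuggle extra headers into the message.
    msg["From"] = record["user"]
    msg["To"] = record["destination"]
    msg["Date"] = format_datetime(record["timestamp"])  # time of the original action
    msg["Subject"] = "[%s] audit import" % record["system"]
    msg["Message-ID"] = make_msgid(domain="audit-import.invalid")
    msg.set_content(record.get("text", ""))
    for name, data in record.get("files", []):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

def drop_message(msg, staging_dir, drop_dir):
    """Write in staging_dir, then rename into drop_dir (same filesystem) so the
    monitor never reads a partially written file."""
    fd, tmp_path = tempfile.mkstemp(dir=staging_dir, suffix=".eml")
    with os.fdopen(fd, "wb") as fh:
        fh.write(msg.as_bytes())
    final_path = os.path.join(drop_dir, os.path.basename(tmp_path))
    os.replace(tmp_path, final_path)
    return final_path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # stand-in for the real directories
        staging, drop = os.path.join(root, "staging"), os.path.join(root, "drop")
        os.mkdir(staging); os.mkdir(drop)
        print(drop_message(audit_record_to_message(SAMPLE_RECORD), staging, drop))
```

Keeping the original action time in the `Date` header and the original user in `From` is what lets the resulting incident line up with the audit trail during qualification.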

You end up with incidents containing the same information as if they came from the flow analysis of an internal system, with the same stakeholders involved in qualifying the incidents.

In terms of performance, "Network monitor" is able to analyze a lot of messages per second (several hundred, depending on your infrastructure) when they are available as files in the "drop" directory.

Obviously, this type of solution must be tailored to your DLP, and this article does not say how to transform the inputs into messages. However, it shows that it is possible when using the Symantec DLP solution with all its capabilities.
