A Conservative Techie

Thoughts from a Conservative point of view in regards to technology

Burton Group names Symantec, RSA, and Websense as best DLP vendors

Recently I came across an article in my Google News feed about a recent study of DLP products.

A great point from the article is that DLP is no longer concerned only with monitoring the network and what happens there; there is an even bigger need to monitor data on the endpoint and on file shares. Data at Rest (DAR) is only a click away from becoming Data in Motion (DIM) and needs to be protected just as well.

Another interesting point is the convergence via acquisition that is occurring as the big companies snap up the smaller DLP players and integrate them into their existing product suites.

October 25, 2009 Posted by Jonathan | DLP, Symantec | No Comments Yet

9 out of 10 firms??? – Really???

I saw this linked by Kevin Rowney of Symantec, head of the DLP product, and wanted to respond.

The article, “Nine out of 10 firms use data leakage prevention tools”, made me want to respond “Oh really?” What exactly is their definition of data leakage tools? A lot of the companies I work with and talk to have no data loss prevention tools, and in fact most of them don’t have anything budgeted for these types of tools.

A DLP purchase is often not a budgeted purchase but something driven by a business need rather than an IT need.

If you are interested in DLP, drop me a note.

October 16, 2009 Posted by Jonathan | DLP, Symantec | No Comments Yet

Could DLP have saved Goldman Sachs from a big headache?

In an article on Channel Insider, the author raises the question: could a solid Data Loss Prevention product have stopped the transfer of data from Goldman Sachs to a third-party web host?

For those who don’t remember the whole story, a quick Google News search will be a quick refresher, or see this New York Times article:

“Mr. Aleynikov, who is free on $750,000 bond, is suspected of having taken pieces of Goldman software that enables the buying and selling of shares in milliseconds. Banks and hedge funds use such programs to profit from tiny price discrepancies among markets and in some instances leap in front of bigger orders.”


One key point of the article states:

“DLP is often seen as the panacea for stopping the accidental or unauthorized release of data… Even the market-leading products by companies such as Websense, Symantec, McAfee, RSA, CA and Trend Micro are limited to detecting mostly static data strings and content, such as Social Security numbers and credit card numbers.”

However, this is not true of the Symantec DLP product. Symantec acquired the market leader Vontu and rebranded it as Symantec DLP (for more information, drop me a note or visit their website).

Symantec DLP can detect both structured and unstructured data; the indexing technology it uses can track data such as source code, drawings or other intellectual property, not just fixed patterns.

Let me give you an example of Symantec DLP protecting this type of data. A client I was working with receives a PDF from subcontractors with payroll information on it. This document needs to be either faxed in or brought in person, not emailed in. Using the indexing technology of Symantec DLP, we indexed the PDF and created a policy saying that if we saw X% of the PDF, flag it as an incident. We were able to see several examples of this happening.

So there is the possibility of tracking unstructured data with Symantec DLP.
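To make the distinction between the two detection styles concrete, here is an added example (my own illustration, not Symantec's code or the Vontu algorithm) that runs both kinds of rule over outbound text: a pattern-plus-validation rule for structured data such as SSNs and card numbers, and a fingerprint rule for an indexed document that fires once a chosen percentage of the document's content appears in a message. The payroll text, the two messages and the 30% threshold are constructed sample values; real indexed-document matching uses more robust fingerprinting, but the shape of the policy is the same.

```python
from __future__ import annotations

import hashlib
import re

# Constructed sample data (not from the original post): plain text standing in
# for the extracted text of the indexed payroll PDF, plus two outbound messages.
INDEXED_DOC = """Subcontractor payroll summary for period ending 2009-08-15
Employee ID 4471 hours 80 gross 3200.00 net 2480.50
Employee ID 4472 hours 76 gross 3040.00 net 2356.20
Employee ID 4473 hours 80 gross 3520.00 net 2728.00
Totals hours 236 gross 9760.00 net 7564.70
Approved by payroll supervisor, retain for seven years"""

LEAK_MESSAGE = """FYI here are the numbers:
Employee ID 4472 hours 76 gross 3040.00 net 2356.20
Employee ID 4473 hours 80 gross 3520.00 net 2728.00
Totals hours 236 gross 9760.00 net 7564.70"""

BENIGN_MESSAGE = "Hi team, the payroll meeting moved to Thursday; bring your hours summary."

# --- Structured data: a pattern plus a validator, so random digit runs do not fire ---
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13 to 16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the cheap validator that removes most false card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_structured(text: str) -> list[tuple[str, str]]:
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("cc", m.group()))
    return hits


# --- Unstructured data: fingerprint an indexed document with hashed word shingles ---
def shingles(text: str, k: int = 5) -> set[str]:
    words = re.sub(r"\s+", " ", text.lower()).strip().split(" ")
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(1, len(words) - k + 1))}


class DocumentIndex:
    """Stores only hashed shingles, so the index itself does not carry the secret text."""

    def __init__(self, k: int = 5) -> None:
        self.k = k
        self.docs: dict[str, set[str]] = {}

    def add(self, name: str, text: str) -> None:
        self.docs[name] = shingles(text, self.k)

    def match(self, text: str) -> dict[str, float]:
        """Fraction of each indexed document's shingles that appear in the probe text."""
        probe = shingles(text, self.k)
        return {name: len(probe & fp) / len(fp) for name, fp in self.docs.items()}


def build_index() -> DocumentIndex:
    idx = DocumentIndex(k=5)
    idx.add("payroll", INDEXED_DOC)
    return idx


def evaluate(text: str, index: DocumentIndex, threshold: float = 0.30) -> list[dict]:
    """Apply both rule types; 'threshold' plays the role of the X% in the post's policy."""
    incidents = [{"rule": kind, "evidence": val} for kind, val in find_structured(text)]
    for name, score in index.match(text).items():
        if score >= threshold:
            incidents.append({"rule": f"indexed:{name}",
                              "evidence": f"{score:.0%} of indexed shingles"})
    return incidents


if __name__ == "__main__":
    idx = build_index()
    for label, msg in [("leak", LEAK_MESSAGE), ("benign", BENIGN_MESSAGE)]:
        print(label, evaluate(msg, idx))
```

The leak message copies three consecutive lines of the indexed document, which covers roughly 47% of its five-word shingles and so crosses the 30% threshold even though no SSN or card number is present; the benign message mentions payroll but shares no five-word run and produces nothing. Lowering the threshold catches smaller excerpts at the cost of more incidents to review, which is the same trade-off the X% in a real policy represents.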

August 27, 2009 Posted by Jonathan | DLP, Symantec | 1 Comment

Managing the DLP Endpoint Agent with the Integrated Component

Summary:

In an earlier article I talked about installing the DLP Integrated Component within the Symantec Management Console. This article covers how to manage the endpoint agent with this component.

What can the DLP Agent Do?

The DLP Endpoint Agent enforces Data Loss Prevention policies on the endpoint and manages the data on those machines. It is made up of two agents, the endpoint agent and the watchdog agent. These two agents watch each other to make sure they are still running, and if one of the services is stopped the other will restart it.

With the endpoint agent, the policies applied to Data at Rest targets and to the network via Data in Motion can also be applied to laptops and desktops. All scans on endpoints are controlled through the agent, and the results are reported to the Enforce server.

Another important feature of the Endpoint Agent is that it can control removable media and can monitor the copy-and-paste buffer, along with fax and print activity. This controls information flowing on the endpoint itself.

For more information, see

Installing the DLP Agent

In order to install the DLP Agent from the Symantec Management Console, we first need to discover the computers, then push the Altiris Agent, followed by the DLP Endpoint Agent.

All work in deploying and configuring the Endpoint Agent is done through the Symantec Management Console and the Data Loss Prevention Portal. The portal looks like the following:

Discovering Computers

Before we deploy the Altiris Agent and the DLP Endpoint Agent we need to discover the computers to add them to the database. There are two types of discovery that can be done through the DLP Portal: a Domain Browse or an AD Import.

The Active Directory Import is the best way to discover and import your machines into the Symantec Management Console. An important note: this is only a read of Active Directory; we do not modify AD and do not need an AD schema modification.

To begin an Active Directory discovery, click on the link “AD Import” which will bring up the following page:

A couple of notes about this screenshot: I have already selected the correct domain, subnet and sites to import. I have also filled out a schedule, under “specified schedules,” to automatically import and update the Management Console.

The second type of discovery is a Domain Browse import. It can be run by clicking on the link in the Data Loss Prevention Portal and looks like the following:

Provide the domain information to browse and discover computers.

Installing the Altiris Agent

Once we have discovered the computers, we can install the Altiris Agent. After the Altiris Agent is installed we will push out the DLP Endpoint Agent. From the DLP Portal page under “2. Deploy Endpoint Data Loss Prevention,” select “Install Altiris Agent.” This will open up the following screen:

As you can see from the screenshot, the computers we have discovered show up in the list of computers. To install the Altiris Agent, highlight a computer and select “Install Altiris Agent.” Multiple machines can be selected by using either the shift key or control key.

Installing the DLP Endpoint Agent

Once the Altiris Agent is installed on the managed device we will install the DLP Endpoint Agent. From the Data Loss Prevention Portal in the Symantec Management Console, select “Install Symantec DLP Agent,” which will open up the following screen.

What is unique to this install is that it is a part of an ongoing policy on the Symantec Notification Server. By default any computer in the filter “Computers managed without DLP Agent” will receive the DLP Endpoint Agent the next time the computer checks in.

A brief note of explanation for those not familiar with the Notification Server. Policies are applied to groups of computers called “Filters.” A computer is added to this filter when it has the Altiris Agent installed (managed) and does not have the DLP agent. Once the DLP agent is installed, the computer automatically moves out of the Filter.

This policy is not enabled by default. To do so, click on the Red button next to “Off” and select “On.” This will turn it to green. A client with the Altiris Agent will check in, receive this policy and install the DLP Agent.

Upgrading the DLP Agent

The first policy we talked about was the DLP Agent Install policy. The second policy on the DLP Portal page is the upgrade policy. To enable it, click on the “Upgrade Symantec DLP” link within the Symantec Management Platform. This will open up a window that looks like the following:

This policy is not enabled by default. To do so, click on the Red button next to “Off” and select “On.” The policy will then become active and will automatically upgrade any endpoint whose agent is older than the version in the current policy.
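Because both policies are filter-driven and off by default, it helps to reason through which computers will receive what on their next check-in before flipping a switch. The following added example (my own model of the behaviour described above, not Altiris or Symantec code) keeps a small inventory, computes the “Computers managed without DLP Agent” filter, and applies the install and upgrade policies the way the Notification Server would: only managed computers receive anything, an installed computer drops out of the filter, and the upgrade policy compares versions numerically rather than as strings. The computer names and version numbers are constructed sample values.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Computer:
    name: str
    altiris_agent: bool        # True once the Altiris Agent is installed (a "managed" computer)
    dlp_agent: Optional[str]   # installed DLP Endpoint Agent version, or None


def parse_version(v: str) -> tuple[int, ...]:
    """Compare versions numerically: as strings "10.0.1" < "9.0.2", which is wrong."""
    return tuple(int(p) for p in v.split("."))


def managed_without_dlp(inventory: list[Computer]) -> list[Computer]:
    """Model of the portal's "Computers managed without DLP Agent" filter."""
    return [c for c in inventory if c.altiris_agent and c.dlp_agent is None]


def checkin(c: Computer, policy_version: str, install_on: bool, upgrade_on: bool) -> str:
    """What one computer receives when it next checks in. Both policies default to off."""
    if not c.altiris_agent:
        return "unmanaged: no Altiris Agent, receives no policies"
    if c.dlp_agent is None:
        if not install_on:
            return "in install filter, install policy off"
        c.dlp_agent = policy_version      # installed, so it now leaves the filter
        return "install"
    if parse_version(c.dlp_agent) < parse_version(policy_version):
        if not upgrade_on:
            return "older agent, upgrade policy off"
        c.dlp_agent = policy_version
        return "upgrade"
    return "current"


def simulate(inventory: list[Computer], policy_version: str = "10.0.1",
             install_on: bool = False, upgrade_on: bool = False) -> dict[str, str]:
    """Run one check-in for every computer and report the action each one received."""
    return {c.name: checkin(c, policy_version, install_on, upgrade_on) for c in inventory}


def sample_inventory() -> list[Computer]:
    # Constructed inventory; version numbers are sample values, not real release numbers.
    return [
        Computer("ws-001", altiris_agent=True, dlp_agent=None),
        Computer("ws-002", altiris_agent=True, dlp_agent="9.0.2"),
        Computer("ws-003", altiris_agent=True, dlp_agent="10.0.1"),
        Computer("ws-004", altiris_agent=False, dlp_agent=None),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    print("filter before:", [c.name for c in managed_without_dlp(inv)])
    print("policies off: ", simulate(inv))
    print("policies on:  ", simulate(inv, install_on=True, upgrade_on=True))
    print("filter after: ", [c.name for c in managed_without_dlp(inv)])
```

Note that ws-004 never appears in the filter and never receives a policy: without the Altiris Agent there is nothing on the machine to check in, which is why the Altiris Agent push has to come first. The string-versus-tuple comparison in parse_version is the detail most worth keeping in mind when an upgrade policy unexpectedly skips machines.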

Endpoint Agent Tasks

Within the DLP Portal Home page there are 8 default tasks created. The Symantec Management Console allows us to create and manage tasks to control the Altiris Agent and a managed computer (a computer with the Altiris Agent on it).

Start Agents/Stop Agents/Kill Agents/Restart

These first tasks are all about agent control and look and act the same way. They allow us to control the status of the Endpoint Agent through the Altiris Agent. In case someone stops the Watchdog Agent or the Endpoint Agent, these tasks can reset the agent. The screenshot shows the Start Agent task.

There are two ways we can execute this task, either as a quick run task or via a schedule. A quick run task executes immediately, and through the drop-down you can select the computer to run the task on. If you want to schedule one of these tasks for a later time, you can do so through the scheduler.

Pull Agents Logs

The Pull Agent Logs task copies the DLP Agent logs from the managed computer to the Symantec Management Console server, allowing you to review what is happening on the endpoints.

This task functions like the other tasks: you can schedule it or run it immediately.

Set Log Level to Info/Set Log Level to Finest

These tasks allow you to change the logging level of the Endpoint Agent without having to interact with the agent locally or change settings manually.

Get Agents Configuration

The final pre-built task allows you to get the configuration of the Endpoint Agent without visiting the machine.

July 14, 2009 Posted by Jonathan | DLP, Symantec | No Comments Yet

Installing the DLP Integrated Component in Altiris

Summary

This article is part I of II on the DLP Integrated Component and how it works within the Symantec Management Console (Altiris). Part II will cover using the Integrated Component (IC) to manage your Endpoint Agents. We will discuss installation of the Symantec Management Console and then installation of the DLP Component.

Contents

Summary

Introducing the DLP Endpoint Agent

Installing the DLP Integrated Component

Installing the Symantec Installation Manager

Installing the Symantec Management Console

Installing the DLP IC

Introducing the DLP Endpoint Agent

Installing the DLP Integrated Component

Installing the Symantec Installation Manager

The Symantec Management Console utilizes the Symantec Installation Manager (SIM) to install all parts of the Management Console. SIM can be downloaded from the Symantec website (http://www.symantec.com/business/products/trialware.jsp?pcid=pcat_infrastruct_op&pvid=cm_suite_1). Once it is downloaded, launch the executable and you will be greeted with this screen:

Select Next and you will be presented with the directory to install the SMC into. A quick word of warning: the directory you select here is the directory the whole Console will be installed to.

Once the installation is finished, the Symantec Installation Manager will start, allowing you to install other portions of the console.

Installing the Symantec Management Console

When the Symantec Installation Manager is launched it will by default open to Install New Solutions. While you can install both the DLP component and the Management Console at the same time, I recommend installing just the Console first and then the component.

From the Installation Manager, scroll down until you find the Symantec Management Console.

After selecting “Review selected products” and then Next, accept the license agreement and continue. Fill out the required information; it is used to verify export controls.

After the information is filled out, select Next for the system requirements check.

The Symantec Management Console requires ASP.NET, IIS, IE 7.0, at least 2 GB of RAM, and Windows Server 2003 along with MS SQL Server 2005. As you can see in the screenshot, I do not meet the requirements. If you do not, close the Installation Manager and resolve any problems before continuing.

If you meet the requirements, select Next to begin installation of the Symantec Management Console. While it is not necessary to restart after the installation is complete, I have had the best luck rebooting before moving on to other installations.

Installing the DLP IC

Once the Symantec Management Console has been installed, install the DLP Integrated Component. To do so, launch the SIM from Start -> Altiris -> Symantec Installation Manager. Once launched, the following screen will be displayed showing the installed products.

Click on “Install new products” to install the integrated component.

From the filter drop-down, select “Filter by all” and scroll down until you find the DLP Integrated Component, as in the following screenshot.

Follow the same steps you did during the installation of the Management Console, without making any changes.

When the Integrated Component is finished, launch the Symantec Management Console to begin using it.

June 13, 2009 Posted by Jonathan | Altiris, DLP, Operationalizing Security, Symantec | No Comments Yet