Symantec has recently released version 10 of its DLP (Data Loss Prevention) product, and this article provides a brief overview of some of the changes and differences. Posts to follow will highlight other parts of DLP 10.
The first thing one notices when connecting to a DLP 10 system is how the console has changed from previous versions. The DLP 10 console has been simplified and streamlined so that it is easier to navigate and the system is easier to manage. The new console looks like the following:
The menu is broken up into four areas: Home, Incidents, Policies, and System. Home opens whatever is set as your home page; in my system I have it set up for the Executive Summary for Endpoint. Under Incidents we have the Incident Reports, which are then broken out by Network, Endpoint Protect and Discover, providing a simple way to find the incidents you are looking for. Under Policies we find the following: Policy List, Response Rules, Endpoint User Groups, Discover Scanning, and Protected Content. The Discover Scanning section is broken out further into Discover Targets and Discover Servers. Under Protected Content you will also find Exact Data and Indexed Documents.
Hopefully you will find it easier to navigate, as I do.
A lot of work has been done in the Incident section of DLP 10. The goal is to be able to understand an incident in under 5 seconds. Is this a false positive? Is this something I need to deal with right away? What information can you tell me about this incident? These are all questions that need to be answered as soon as possible, and the changes made help you answer them quickly.
The example below is a screenshot of an incident from a Discover scan using sample data:
The incident is broken down into three sections, or panes. The first pane provides the key info, history and correlations for the incident (see the following screenshot).
By seeing the Key Info right away, I know what is going on with this incident at a quick glance and can decide whether or not I need to spend more time on it. In DLP 9 this information was scattered about a bit; now it can be seen quickly at a glance.
The second pane of an incident shows the match count behind the incident. Based on the information I've read in the first pane, I then spend time in the second pane looking at the match count and checking for false positives.
The third pane of an incident shows any custom attributes I am looking for or using.
There have been some changes and additions to the default policies that ship with DLP; however, the way a policy is written has not changed. One of the policies has been modified to take into account some of the changes in the HITECH Act.
As mentioned previously, under the Policies menu you have the ability to configure the Discover servers and scans and also to edit the Exact Data and Indexed Documents.
The System section of the console has also seen many changes. It is broken up into the following areas: Servers, Agents, System Reports, Settings, Incident Data, and User Management.
One really nice change is the addition of a credential manager, which allows me to save a credential and re-use it in different scans and elsewhere. It is found under System –> Settings –> Credentials and looks like the following:
Thanks for spending the time to read this overview of DLP 10. In February I will be doing a webinar on DLP; if you are interested, you can visit my company's website (ITS Partners) here for more information and to sign up.