Configuring a Tagging Response Rule for in DLP 14


New in DLP 14 is the ability to scan for confidential data that may be stored in an enterprise’s BOX.COM environment.  See this post for more information on how to configure this.

This post will cover how to configure the the response rule.

Configuring the Response Rule

The first step to configure the response rule is to enable the response rules for scanning within the Discover Target.  If the check box is not enabled the response rule will not trigger.

box remediation

The response rule needs to be created and then assigned to the policy in order for it to work. Within the system add a new response rule and select the type “Automatic.”

box response rule

What this looks like

The incident report will show a new icon (the tag) next to the incident.incident report

The incident snapshot shows further information in regards to the tagging response rule showing up

incident detail

Finally we can see the “Visual Tag” applied within the interface.

visual tag


If you are using Symantec DLP, you should be using IT Analytics

Overview of IT Analytics

IT Analytics provides cube based reporting (pivot tables), additional reports, and Key Peformance Indicators (KPIs) for various Symantec products:

  1. Symantec IT Management Suite (Altiris)
  2. Symantec Data Loss Prevention (DLP)
  3. Symantec Critical Systems Protection (CSP)
  4. Symantec Endpoint Protection (SEP)

IT Analytics is developed by Bay Dynamics but is available as part of your Symantec license.  For more information visit:

One of the concerns in the past for using IT Analytics has been the requirement for a Symantec Management Platform (SMP also known as Altiris) to be configured first before you install and manage the cubes.  This is no loner the case as there is a stand-alone version of IT Analytics available (this will be covered in a separate blog post).  This post will cover why you should be using IT Analytics for your DLP system.

Why IT Analytics for Symantec DLP

Within the Symantec DLP console there are a bunch of ways to slice and dice the data that is generated in the system (Incidents, etc.) either by filtering the data or by creating various summarizations of the data.  IT Analytics adds several items that are not exposed without having to write a SQL query or leverage the API.  IT Analytics allows for someone who does not have access to the DLP console to run reports against the information.  Also IT Analytics can easily create trending reports to demonstrate how risk is being reduced over time.

Whenever people ask me why I should bother with IT Analytics there are two reports that I point to that demonstrate the value of IT Analytics.

User Action Audting

User Login Report

User Action Auditing - User Action Audting

User Action Auditing Report

The first screenshot (User Login Report) shows which users have logged into the DLP system and the second report (User Action Auditing Report) shows who has changed what policies in the DLP system.  These two reports are requested over and over by customers.  How can I prove to my auditors or management that no one is changing a DLP policy randomly?  This information is coming out of the Oracle Database but without ITA you would have to write a SQL statement and then clean it up to provide auditors or management.

Incident Trend by Product Area

Incident Trend By Product Area

A third common request is “how can I show trends” in my DLP system and the above screenshot shows this trend.

Finally IT Analytics provides Key Performance Indicators (both predefined or custom created) demonstrate how your Symantec DLP system is reducing risk over time and how the system is performing.Key Performance Indicators

How do  I get IT Analytics?

IT Analytics is provided free of charge however a license key and the MSI is needed before you can install ITA..  If you have Symantec Endpoint Protection in your environment the MSI for performing the installation is located on the Tools portion of the media.  However if you are not a SEP customer, please contact either your Symantec Account Manager or Bay Dynamics.  NOTE:  MY company (ITS Partners) can help you obtain the license

4.5 Cool Things about Data Insight 4.5

Symantec Data Insight (DI) can help customers who struggle ith identifying data users and owners for their unstructured data.  DI helps a customer answer the following questions:

  1. Who owns the data?
  2. Who is responsible for remediation of that data?
  3. Who has seen the data?
  4. Who has access to the data?
  5. What data is most at risk?

So what’s new in Data Insight 4.5?  Here are 4.5 (get it???) things that I find awesome in this release:

  1. Self service portal to help make remediation easier:  A portal that allows data owners and/or custodians of data to be able to remediate items directly potentially without the need for IT Security.  Actions can come from either the Data Loss Prevention (Enforce) Console or the Data Insight Management Server depending on the workflow.  A custom can create workflows that are specific to their own environment or use one of the pre-defined workflows such as:
  • Entitlement Review: Review the user permissions on the folders and suggest changes to the permissions
  • DLP Incident Management: Review policy actions and take actions on the files that violate DLP policies without having accounts on the Enforce Console.  Actions are Smart Response Rules that are used to remediate the items that violate a DLP policy.  An example would be triggering a Smart Response rule to encrypt a specific file.
  • Ownership Confirmation: Confirm the ownership of files or folders.  DI will infer the ownershiop of a file, this lets you confirm the file is actually yours.

This portal will be installed on a separate server from the Data Insight Management Console, is a separate                   license and requires DLP 12.5 or higher to be installed.

  1. Additional supported platforms for filers: Data Insight 4.5 now supports the monitoring of NetApp Cluster Mode, EMC Isilon, and Windows Server 2012.  Table 2-4 in the Data Insight Release Notes covers the supported platforms for DI 4.5.
  2. Enhanced Reporting with Data Insight:  There have been improvements and changes to reporting with the addition of some enhanced reports including:
    1. Reports based on User Reporting including the ability to track unresolved or migrated SIDs
    • Additional charts and statistics to help understand what is happening on the Data Insight server(s) in your environment
    • A Health Audit report that runs automatically at 5am that helps you and Symantec Support (if needed) understand any issues in the Data Insight environment.
  1. Enhanced data owner computation: Data Insight can calculate the the owner of a file and then populate that within the DLP console.  In DI 4.5 we can exclude deleted or disabled users (or their SID) when calculating the actual Data Owner.  However if you would like to still display this you can show it on the Inferred Owner report.
  2. Data Insight now provides an API specification for the Data Insight Query Language (DQL): The DQL provides a way to extract and interface with Data Insight data.  This is now available vian an API so you can integrate with 3rd party applications.


2010 in review

The stats helper monkeys at mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:

Healthy blog!

The Blog-Health-o-Meter™ reads Wow.

Crunchy numbers

Featured image

About 3 million people visit the Taj Mahal every year. This blog was viewed about 43,000 times in 2010. If it were the Taj Mahal, it would take about 5 days for that many people to see it.

In 2010, there were 47 new posts, growing the total archive of this blog to 397 posts. There were 67 pictures uploaded, taking up a total of 6mb. That’s about 1 pictures per week.

The busiest day of the year was May 12th with 992 views. The most popular post that day was What is missing from Ubuntu?: Manageability.

Where did they come from?

The top referring sites in 2010 were,, Google Reader,, and

Some visitors came searching, mostly for ubuntu one windows client, evolution exchange 2007, kubuntu server, live mesh linux, and ubuntu one windows.

Attractions in 2010

These are the posts and pages that got the most views in 2010.


What is missing from Ubuntu?: Manageability May 2010


Ubuntu One, Live Mesh, and Dropbox: A Comparison May 2009


Configure Evolution to to access MS Exchange 2007 May 2010


Introduction to Altiris Deployment Solution 7.1 February 2010


Frustrations w/ OpenSuSE and enabling SSH access October 2007

Rumor: Symantec to be bought by Microsoft

Was on vacation so I wasn’t around to blog anything but saw several interesting stories floating around from a Google Alert.

In several blogs, basically reposting each other in regards to a rumor that Symantec was available for Merger and Acquisition following the purchase of McAfee by Intel.  The following links have information:

DLP links from the weekend

Didn’t have time to blog much this weekend but wanted to pass along a couple of links:

How to choose a DLP Provider” by David Storm, where he states 10 questions to ask before choosing a DLP product.  Good news, Symantec DLP is successful at answering all of these questions.

Symantec announced Data Loss Prevention Standard:  More on this to follow as I wrap my brains around how this affects people and what it means

8 Steps to a Data Security and Backup Strategy” an article from Symantec on DLP and Backup.  Interesting read

What I’ve been working on lately

This blog has been pretty quiet lately, so I thought I would drop a few notes to discuss what’s been going on in my life:

Work:  Been doing a lot related to developing a new practice within ITS.  I have started working with Symantec’s DLP product and have done several Risk Assements/Proof of Concepts which has opened up my eyes to the amount of data loss that is occuring within companies, and most of the time the company doesn’t even know it.  DLP is a great product but is only a leg of what CEO Enrique Salem calls “operationalizing” your security.  The other parts of this include DLP, Control Compliance Suite, Symantec Endpoint Encryption, and Symantec Endpoint Protection.  We at ITS are working on a team to handle these products and I am currently doing some of the heavy lifting to get this up and runnin.

Kubuntu/Ubuntu life:  Been doing a lot of thinking in regards to Ubuntu and how it relates to the enterprise.  Also started back to think about Kubuntu and KDE docs again.  Starting to contribute again to the whole process.

Personal life:  Travel with work is keeping me busy.  Also my family is keeping me busy.  Interested in what is going on family wise?  Follow our blog

Have you prayed for the President Obama lately?

I am caught up in the bashing of the President way to often, even here on this site.  I have at times forgotten to pray for our President.  To pray that he makes wise decisions and that he seeks Godly council when he needs to make those decisions.  It was easy to pray for President Bush, a guy who wore his faith openly and publicly.  He was one of “our” guys, Christians could claim him, not only was he Republican but he admitted more openly then some presidents did to being a man of faith.  I remember there were bumper stickers and pray for the president clubs.  I don’t see this for the current president and have been convicted of late to pray for him.

Just because I don’t agree with the President, just because I don’t think he isn’t making the right decisions doesnt’ mean I shouldn’t pray for him and it shouldn’t mean that other Christians shouldn’t be praying for him either.  Don’t pray for bad things to happen for him, don’t pray for his defeat, or for him to fail.  We as a country can’t afford his presidency to be a failure.

So next time you as a Christian start to bash the President, say a prayer for him.  No that doesn’t mean you can’t be critical of him, but as the leader of the our Country, he needs our prayer just as much as the last guy did.