Tracking a DeviceID for use in a Symantec DLP Policy



Symantec Endpoint Prevent for DLP has the ability to track and limit data being copied to removable storage (USB drives, etc.).  Within a DLP policy we can leverage the DeviceID of a removable storage device as either an inclusion or exclusion to our policy. This document will cover how to set it up.


The first tool we need to leverage is “DeviceID.exe” which is a part of the Tools folder under the DLP agent source directory.  This executable will allow us to gather both the Device ID and the Regex that is needed for either the exclusion or inclusion.

This information is taken from the Help file for DLP and the DLP Admin Guide.

  1. Connect the USB Device to your computer
  2. From the command prompt navigate to the folder where the “Tools” directory is located
  3. Execute “DeviceID.exe” to get a list of the devices attached to your computerdevice id `1
  4. There are two values displayed per device connected to your laptop/desktop
    1. Dev ID: Contains the full string for the device connected to your laptop
    2. Regex: The value we want to put in our exclusion or inclusion
    3. NOTE: If you have a large amount of devices attached to your laptop or desktop the output can be directed to a text file via “DeviceID.exe > textfile.txt”
  5. Open up the DLP Console and navigate to System -> Agents -> Endpoint Devicesdevice id 2
  6. Select “Add Device” and fill out the form
    1. Note: Use the Regex value from DeviceID to fill out the device definition portion of things
    2. NOTE: The goal is to be both as generic and specific as possible to make sure there is not a giant list of device ids

device id 3

Leveraging the DeviceID in a DLP Policy

Once the DeviceID is created it can be used as either an exclusion or an inclusion within the policy

  1. Login to the DLP Console
  2. Navigate to Policy Portion (Policy -> Policy List)
  3. Edit (or create) the policy you would like to use this in
  4. Select “Add Exception”
    1. Towards the bottom of the Exception Type is “Endpoint Device Class or ID”
      1. Select this option and select “Next”
      2. device id 4
      3. Select the DeviceID you would like to use for an exclusion and select next
      4. device id 5
      5. Select “OK” to save your exception
  5. NOTE: This same process can be used to create an inclusion in your DLP Policy as well



Configuring scanning in Data Insight 5.0


In version 14 of their DLP product Symantec introduced the ability to scan corporate accounts via Network Discover to see what confidential data is stored within an organization’s environment. In Data Insight 5.0 we now have the ability to process to understand the context of the files in our account.

In previous posts I covered:

This guide will cover configuring scanning and then also provide some screenshots around what it looks like.

How it works

After logging into the Data Insight Console we will need to access the Settings tab of the Management Console to setup our “Cloud Sources” which can be found on the left side of the Console.

data insight box 21

In the above screenshot (Figure 1) it shows there is one Cloud Service enabled and we would like to add an additional source by clicking on “Add a new cloud service.” (While I have not seen an official roadmap, I would assume additional services are forthcoming.)

data insight box. 1PNG

In order to perform the scanning, we will need to authorize the account against the API

data insight box

In order to process everything correctly, make sure the owner account is used to connect and use the system. The above screenshot (Figure 3) shows the demo system being authenticated to the system.
One the indexer and collecter are assigned, we can then start the scanning of the account.


Now that the Cloud Source is configured we can start the Data Insight scan (or wait for the normal schedule). In the below figure (Figure 4) we have clicked on the “Actions” drop down and have selected “Scan Now.”

data insight box 4

Once the scan has been completed and the information has been processed, information will be in the Data Insight system.

data insight box 5

Figure 5 shows the result of the scan against the demo system.

Configuring a Network Discover Scan in DLP 14


New to Symantec DLP 14 we have the ability to do Network Discover Scans (Data at Rest) of content that is stored in Cloud Storage locations.  The first service this is available for is

This post will cover how to configure a Network Discover Scan for Cloud Storage once you have applied the Cloud Storage License.

Steps to create a Discover Scan

Once the license for Cloud Storage DLP is loaded into the system a new entry to create a Discover Target will be listed.

Once the license for Cloud Storage DLP is loaded in the system a new entry to create a Discover Target will be listed./

  1. Navigate to Manage -> Discover Scanning -> Discover Targets
  2. Under the drop down for “New Target” select Box
  3. new target

  4. Just like any Discover Target configure the target with Name, Scan Type and Schedule under the “General Settings.”
  5. We need to Authorize the scanning account which is new
    1. Click on the authorize button
    2. box pre ath

    3. Provide the username and password for the Administrator of your environment and click Authorize
    4. The DLP system will be authorized for 60 days and after that time the system can be reauthorized
    5. box authorization

  6. Within the scan we can filter out which files within the Box environment can be scanned within the environment and the filters tab allows us to control this
  7. box filtering

  8. Along with being able to scan a folder on we have the ability to “tag” a file with a response rule and this needs to be enabled in the protect tab of things.
    1. A separate blog post will cover this

Once this is all done, a Cloud Storage Target for will be configured and setup.  THis target can then be run just like any network discover target.

Do I need a different license for this?

Yes, a license for “Cloud Storage DLP” according to the DLP Licensing Guide.  This is a subscription based license available in a 1-year subscription.


If you are using Symantec DLP, you should be using IT Analytics

Overview of IT Analytics

IT Analytics provides cube based reporting (pivot tables), additional reports, and Key Peformance Indicators (KPIs) for various Symantec products:

  1. Symantec IT Management Suite (Altiris)
  2. Symantec Data Loss Prevention (DLP)
  3. Symantec Critical Systems Protection (CSP)
  4. Symantec Endpoint Protection (SEP)

IT Analytics is developed by Bay Dynamics but is available as part of your Symantec license.  For more information visit:

One of the concerns in the past for using IT Analytics has been the requirement for a Symantec Management Platform (SMP also known as Altiris) to be configured first before you install and manage the cubes.  This is no loner the case as there is a stand-alone version of IT Analytics available (this will be covered in a separate blog post).  This post will cover why you should be using IT Analytics for your DLP system.

Why IT Analytics for Symantec DLP

Within the Symantec DLP console there are a bunch of ways to slice and dice the data that is generated in the system (Incidents, etc.) either by filtering the data or by creating various summarizations of the data.  IT Analytics adds several items that are not exposed without having to write a SQL query or leverage the API.  IT Analytics allows for someone who does not have access to the DLP console to run reports against the information.  Also IT Analytics can easily create trending reports to demonstrate how risk is being reduced over time.

Whenever people ask me why I should bother with IT Analytics there are two reports that I point to that demonstrate the value of IT Analytics.

User Action Audting

User Login Report

User Action Auditing - User Action Audting

User Action Auditing Report

The first screenshot (User Login Report) shows which users have logged into the DLP system and the second report (User Action Auditing Report) shows who has changed what policies in the DLP system.  These two reports are requested over and over by customers.  How can I prove to my auditors or management that no one is changing a DLP policy randomly?  This information is coming out of the Oracle Database but without ITA you would have to write a SQL statement and then clean it up to provide auditors or management.

Incident Trend by Product Area

Incident Trend By Product Area

A third common request is “how can I show trends” in my DLP system and the above screenshot shows this trend.

Finally IT Analytics provides Key Performance Indicators (both predefined or custom created) demonstrate how your Symantec DLP system is reducing risk over time and how the system is performing.Key Performance Indicators

How do  I get IT Analytics?

IT Analytics is provided free of charge however a license key and the MSI is needed before you can install ITA..  If you have Symantec Endpoint Protection in your environment the MSI for performing the installation is located on the Tools portion of the media.  However if you are not a SEP customer, please contact either your Symantec Account Manager or Bay Dynamics.  NOTE:  MY company (ITS Partners) can help you obtain the license

Symantec Connect Post Round Up #2

Last week I posted a round up of various articles or posts that I’ve found interesting or exciting or something I wanted to save. One of the items that I posted here has since been solved so that’s pretty exciting.

This week was pretty light, not quite if it was due to me being busy or not finding a lot of information that made me excited.  One of the posts will warrant a further blog entry here.  So off to the round up…

  • eWeek agrees with Symantec: Server Security is different than Laptop Security: I’m not sure why “Laptop Security” and “Server Security” is capitalized but whatever.  The important thing here is the article from eWeek that talks about reasons why securing a server is different than securing a laptop.  While it is pretty basic stuff, the article does bring up some good points.  Interested in securing your critical systems (not just servers)?  Look into Symantec Critical Systems Protection
  • Search for a SSN inside DLP incidents:  The poster is looking if there is a specific way to search for a particular social security number within a bunch of incidents. As one poster mentions this might be possible with exporting the XML of all of incidents and then dumping it into a query.  Another person says you might be able to do it with IT Analytics.  ANyone have any great ideas for this person?
  • Standard Operating Procedure — Where to Start?: So this is a fascinating question to me, something that I’ve helped many many customers with.  Where does one start with during an implementation of a DLP product?  This forum post has spawned another blog post and I will link it, once I got it up and going (maybe the football games tomorrow will be boring and I’ll have a chance to be productive?).
  • How does DLP work with Images?: This is an interesting question and address within another forum entry.  Long story short I can fingerprint (IDM) a document or image to help track it down.  However Symantec DLP does not track specific images (flesh tones, colors, etc) but some products attempt to do tis.  Tracking down data stored in images is a complex tasks.

Well this was bit light on the round up, but some of the things I was looking at/reading on Symantec Connect.  Would like some feedback if you find this helpful or even interesting.


Upcoming DLP Webcast: DLP 10.5 & Data Insight

One of the things my company does is webcasts hosted twice a month.These are free and provide information about upcoming Symantec products or can provide training on how to use one of the Symantec products.

In June, I am presenting a webcast on DLP 10.5 and the new feature Data Insight.

ITS will answers questions like:
– “Whose Data Is It Anyway?”
-  "Who owns the data?"
– " How is the data used?"
– "How do I protect the data?"
Data Insight and Data Loss Prevention
Data Insight will first be available as part of Symantec Data Loss Prevention and will be the only data loss prevention solution to deliver an integrated data owner and remediation capability. Unstructured data on shared file systems is a large source of critical business information, and over-exposed content presents a significant risk for data breaches. Data Insight with Symantec Data Loss Prevention helps organizations identify their most critical information and enables simplified data clean-up and remediation through automated data owner identification. Data Insight also provides continuous monitoring and auditing of data usage to help ensure adherence with corporate policies and regulatory compliance. In addition, the technology monitors who has accessed or modified individual files, and can notify information security teams and data owners that data has been exposed. Armed with visibility into who is accessing and using the information, organizations can make rule-based ownership inferences and alter access to stored data in order to prevent data breaches.


Data Insight provides information on unstructured data, data that sits in a file share and provides information on how that data is used, who is using, etc.

Join us for the webcast and learn about this great product

OpenDLP: A review

I don’t tend to read many Slashdot articles these days, but follow the RSS feed in Google Reader.  A recent article covered a product that caught my eye: OpenDLP.

The code is pretty raw right now, it is at version .1 in the cycle so hopefully a lot of growth and change will come to the product.  From the project’s homepage:

OpenDLP is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL. Given appropriate Windows domain credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application. OpenDLP has two components: a web application and an agent.

The first thing I notice about this product is that it only deals with one area of potential data loss: the Endpoint.  It might be the maturity of the product that the author hasn’t looked into the other areas: Data in Motion (data traveling over the network) and Data at Rest (data in storage).

The other issue I have is that right now the database is not encrypted which would be a major data loss issue if the DB was compromised.

The good thing is the product does cover the endpoint and seems to cover it very well.   Looking forward to following the development and will try to contribute to it as much as I can.

Catching up on DLP Links

There’s been a lot of discussion on the web these days in regards to DLP and also some of the moves Symantec made in regards to its purchase of PGP Corporation and also GuardianEdge:  Press Release here

Here are some more links that I’ve come across recently:

  1. Cisco Security Services and also Cisco’s Risk Assessment Service:  Didn’t even know that Cisco offered a DLP Solution, but it is based around the IronPort product.  I don’t know anything in regards IronPort but will plan to learn more as we have one customer who is looking at it instead of Symantec DLP
  2. Whitepaper released: Quick Wins with Data Loss Prevention:  This links to a whitepaper sponsored by McAfee and you can download the white paper from that link as well.  It is an interesting white paper and have added it to my collection
  3. How to shape an effective DLP policy:  An Information Week article that talks about how an organziation should write DLP policies.  More on this later.
  4. Breakout session from Symantec Vision:

Getting caught up on links

Have a lot of links in my browser tonight but haven’t had a chance to digest and really understand all of them.

So this post is a dump of a bunch of them, to come back later with more thoughts on

1.  25 Scenes from Symantec Vision:  Missed Vision this year but didn’t hear much about it.  Find it interesting how they comment on things us old Altiris people take for granted, such as Steve Morton’s Keynote style, Usergroup challenge, etc.

2.  DLP: Million Problems – One Solution:  Haven’t read this one yet, but looking forward to it

3.  DLP – Protecting What Matters Most:  Seems to be an overview of DLP, will have to read this one through

4. States’ Rights Come to Security Forefront

5.  DLP Primer

6.  Data Loss Prevention comes of Age

5 Myths about DLP

Came across this slidedeck, through a Google Alert and wanted to pass it along.  While this is geared towards the Small to Medium sized business DLP is still important and should be implemented.

I would take some issue with “Myth 2 – Expensive Third Party Solution”.  In this myth they argue that “implementing a $100k software solution from Symantec or McAfee is impossible.”  While I would agree that the full solution of DLP from Symantec is expensive, you don’t have to buy the whole suite at one time, thus limiting the expense. What is the primary concern of your data?  Is it leaving the organization?  Then implement DLP at the Network level.  Concerned about data on endpoints? Then take a look at DLP on the endpoint.

One of the benefits of the Symantec solution is that it is very modular, only purchase what you are implementing now.