Tracking a DeviceID for use in a Symantec DLP Policy

 

Overview

Symantec Endpoint Prevent for DLP has the ability to track and limit data being copied to removable storage (USB drives, etc.).  Within a DLP policy we can leverage the DeviceID of a removable storage device as either an inclusion or exclusion to our policy. This document will cover how to set it up.

Process

The first tool we need to leverage is “DeviceID.exe” which is a part of the Tools folder under the DLP agent source directory.  This executable will allow us to gather both the Device ID and the Regex that is needed for either the exclusion or inclusion.

This information is taken from the Help file for DLP and the DLP Admin Guide.

  1. Connect the USB Device to your computer
  2. From the command prompt navigate to the folder where the “Tools” directory is located
  3. Execute “DeviceID.exe” to get a list of the devices attached to your computerdevice id `1
  4. There are two values displayed per device connected to your laptop/desktop
    1. Dev ID: Contains the full string for the device connected to your laptop
    2. Regex: The value we want to put in our exclusion or inclusion
    3. NOTE: If you have a large amount of devices attached to your laptop or desktop the output can be directed to a text file via “DeviceID.exe > textfile.txt”
  5. Open up the DLP Console and navigate to System -> Agents -> Endpoint Devicesdevice id 2
  6. Select “Add Device” and fill out the form
    1. Note: Use the Regex value from DeviceID to fill out the device definition portion of things
    2. NOTE: The goal is to be both as generic and specific as possible to make sure there is not a giant list of device ids

device id 3

Leveraging the DeviceID in a DLP Policy

Once the DeviceID is created it can be used as either an exclusion or an inclusion within the policy

  1. Login to the DLP Console
  2. Navigate to Policy Portion (Policy -> Policy List)
  3. Edit (or create) the policy you would like to use this in
  4. Select “Add Exception”
    1. Towards the bottom of the Exception Type is “Endpoint Device Class or ID”
      1. Select this option and select “Next”
      2. device id 4
      3. Select the DeviceID you would like to use for an exclusion and select next
      4. device id 5
      5. Select “OK” to save your exception
  5. NOTE: This same process can be used to create an inclusion in your DLP Policy as well

 

Advertisements

If you are using Symantec DLP, you should be using IT Analytics

Overview of IT Analytics

IT Analytics provides cube based reporting (pivot tables), additional reports, and Key Peformance Indicators (KPIs) for various Symantec products:

  1. Symantec IT Management Suite (Altiris)
  2. Symantec Data Loss Prevention (DLP)
  3. Symantec Critical Systems Protection (CSP)
  4. Symantec Endpoint Protection (SEP)

IT Analytics is developed by Bay Dynamics but is available as part of your Symantec license.  For more information visit: http://baydymanics.com/Products/ITAnalytics/Symantec/

One of the concerns in the past for using IT Analytics has been the requirement for a Symantec Management Platform (SMP also known as Altiris) to be configured first before you install and manage the cubes.  This is no loner the case as there is a stand-alone version of IT Analytics available (this will be covered in a separate blog post).  This post will cover why you should be using IT Analytics for your DLP system.

Why IT Analytics for Symantec DLP

Within the Symantec DLP console there are a bunch of ways to slice and dice the data that is generated in the system (Incidents, etc.) either by filtering the data or by creating various summarizations of the data.  IT Analytics adds several items that are not exposed without having to write a SQL query or leverage the API.  IT Analytics allows for someone who does not have access to the DLP console to run reports against the information.  Also IT Analytics can easily create trending reports to demonstrate how risk is being reduced over time.

Whenever people ask me why I should bother with IT Analytics there are two reports that I point to that demonstrate the value of IT Analytics.

User Action Audting

User Login Report

User Action Auditing - User Action Audting

User Action Auditing Report

The first screenshot (User Login Report) shows which users have logged into the DLP system and the second report (User Action Auditing Report) shows who has changed what policies in the DLP system.  These two reports are requested over and over by customers.  How can I prove to my auditors or management that no one is changing a DLP policy randomly?  This information is coming out of the Oracle Database but without ITA you would have to write a SQL statement and then clean it up to provide auditors or management.

Incident Trend by Product Area

Incident Trend By Product Area

A third common request is “how can I show trends” in my DLP system and the above screenshot shows this trend.

Finally IT Analytics provides Key Performance Indicators (both predefined or custom created) demonstrate how your Symantec DLP system is reducing risk over time and how the system is performing.Key Performance Indicators

How do  I get IT Analytics?

IT Analytics is provided free of charge however a license key and the MSI is needed before you can install ITA..  If you have Symantec Endpoint Protection in your environment the MSI for performing the installation is located on the Tools portion of the media.  However if you are not a SEP customer, please contact either your Symantec Account Manager or Bay Dynamics.  NOTE:  MY company (ITS Partners) can help you obtain the license

Can I install Symantec DLP on a Red Hat Linux system with a pre-defined user name?

Recently I was doing an install of Symantec DLP on a Red Hat Linux box that was a member of LDAP and had the /home folder automounted and didn’t allow for us to write to that folder.  When a new local user was created via the adduser command it would not work without passing a command line option to change the location of the home directory (adduser -b /opt/users/).

During the install of Symantec DLP, the installer creates a user (protect, protect_update) and would fail because the home directory (/home/protect) could not be created.

So the question was asked… Can we create a user, populate the home directory outside of /home and then perform the install of the system?

Answer:  No… The installer for Symantec DLP needs to create the correct users and must be able to write /home when creating the user.  There is currently an enhancement request within Symantec to allow a pre-created account.

Symantec Connect Posts Round Up #5

So its been a couple of weeks since my last round up and there are ton of links/posts from Symantec Connect that I thought were very interesting.  I hope you find these interesting, if you do, please drop me a note in the comments section so I know someone is reading them 🙂
So the first one is not a Connect Post but comes from the Symantec Knowledge Base…
  • Symantec Encryption Management Server and DLP Integration Guide:  I haven’t had a chance to walk through this in my test lab yet, but I’m waiting for some time off from engagements to implement this.  Once that’s done I’ll try to provide some feedback.  Symantec has laid out a pretty aggressive roadmap for integration between the 2 products and I’m hoping they can deliver on it.  Talk to your Symantec Rep for more information on what’s being talked about.
And back to the Connect Posts
  • What to consider for a DLP 11.6 and SEP 12.1 upgrade:  This person is looking for help on upgrading to the current versions of the SEP and DLP products.  The best recommendation is to read the user guides for both products before upgrading.  Also reach out to your Symantec Partner (you do have one don’t you?) as they would love to help out with the upgrade to the new products.
  • Extending DLP Agent for Google Drive monitoring:  The reason for linking to this post is there is frequent conversations around how to extend DLP monitoring for various cloud based storage systems (Dropbox, Box.net, etc) and preventing data from leaving from those vectors.
  • SEP and Vshield integration: I’m pretty excited about what SEP 12.1.2 brings to the virtualized infrastructure one might use.  This post has a bunch of links in it for setting up the VShield integration that VMware uses.  VShield integration reduces overhead in scanning in your Virtual Environment.
  • SEP support for Ubuntu: So this is a long and somewhat confusing thread to follow.  The original poster is asking what support there is for SEP on Ubuntu.  The confusion comes down to the naming of the product.  SAV (Symantec Antivirus) is the product supported for Linux devices.  As of this post SAV for Linux runs in an unmanaged state but can be installed on Ubuntu 12.04 LTS.
  • Sending CSP information to Splunk: Good article on sending info ration to Splunk from Symantec Critical Systems.  The answer is that if you have access to the database you can get the information that you would like out and be able to send that information to Splunk.
  • Is PGP supported for Windows 8?:  A lot of posts around whether or not Symantec supports Windows 8.  On the PGP side this is not the case and at least on a touch device, the pre-boot authentication is not supported.  See http://www.symantec.com/docs/TECH199095 for more information or subscription for when this supported is added.  On a side note are you seeing Windows 8 in the Enterprise?
  • Can DLP inspect an email header?:  Short answer Yes… Long answer read the linked articles in the answers.
  • Creating a rule for tracking registry key modification:  The poster is looking for help in writing a rule to help him track changing of registry keys.  If you know the answer to this question, it would be greatly appreciated.
Thanks for reading these (if you are?) and post me a message or a comment if you actually are.
Jonathan

Symantec Connect Posts Round Up #4

This is week #4 of clearing out the various Symantec Connect Posts that I’ve found interesting (Week #3Week #2, and Week #1).  If you have found these interesting or like reading them, please let me know.  Hope you are finding these interesting and learning something, maybe even answering some of these questions/posts yourself.

So without further ado here’s this weeks (actually last week but got a little behind):

  • Register for Vision 2013 and get a discount and Connect posts:  Are you going or interested in going to Symantec Vision, if you sign up using the Connect code get a discount off it and some points.  I’ve enjoyed the couple of times I’ve been to Vision and have learned a lot.  Hope to see you there
  • ITA ports for SEP 11 SQL Database:  IT Analytics seems to be a pretty popular discussion point around Symantec Connect and this person is looking for specific ports and configuration information.  Drop me a note if you are interested in learning more about IT Analytics and how it can help you with reporting around Symantec Security products
  • An Illustrated Guide to Installing Symantec Mobile Security 7.2: So I haven’t wrapped my brain around Symantec Mobile Security and need to.  This article covers installing/configuring the product.  Great article, give this dude lots of votes on this post
  • 2 Tier Install of DLP 11.6 needs more than 2 servers?: This is an interesting article about how to setup a 2 Tier install of Symantec DLP and what type of servers are needed.  I’ve been doing a lot of work (consulting and architecture) around Symantec DLP so drop me a note if you need any help.
  • DLP false positive incident: This is a common question when it comes to Symantec DLP.  How can I reduce the # of false positives that I’m getting within the system.  You will spend your entire DLP life working on incident count and how many you have.  A lot of time it comes to just changing the breadth of an incident or adding additional keyword requirements.  This might become a separate blog post in and of itself
  • PGP Desktop and DLP Scanning: Yet something else I haven’t quite figured out… The person would like to scan encrypted SMTP traffic when the keys are stored at the Universal Server.  I have heard there is further integration coming along between DLP and Universal Server that might help the person out.  Also there is a KB article that might help out as well.  Will have to spend sometime figuring this out
  • Do I have to use the Enterprise version of SQL for CSP?: No you don’t have to use SQL Enterprise for Critical Systems Protection.  There is an embedded Database that can be used but then you will not have access to IT Analytics for reporting.  SQL Standard edition is a supported database version as well.
  • Migrating SCSP and DB:  This link is more of a place holder for me in case I ever have to deal with this.  The associated KB’s and links within the answers are the best place to get started.
  • SEPM alerts if GUP is unreachable:  This Connect question is looking for a report for notification if the GUPs are unreachable and is a pretty interesting question.  The good part is the tool linked out of the comment created by the SEP product team (will be looking into it as well) found at this article.  Also one of the answers has a report that might be useful to do what the poster is asking for
  • Embedded to SQL: A lot of people when they install SEP and the SEP Manager use the default install of the embedded database and then want to move to full SQL.  We at ITS always recommend using a full SQL database when doing an install.  This allows for better performance and also use of IT Analytics for reporting.  There a lot of links within this forum question on the best way to transition from the embedded database to a full SQL db.  Also this is something that we can help out from a services opportunity.  Drop me a note if you need help or interested.

Symantec Connect Posts Round Up #3

I’ve really enjoyed writing these posts and hope you are finding something interesting from the various Symantec Connect posts that I’ve been linking to.  IF you are wondering why most of them (if not all) focusing on the Security Community within Symantec Connect it is because that is the focus of my job.

So here’s week #2 and week #1 and without further ado, here is week #3

  • Update the DLP system from version 10.5 to version 11.5 — This one goes on the record for longest connect post that I’ve seen in a long time (I actually shortened it for this blog post).  But it covers the process for updating your DLP system as you move from version 10.5 to 11.6 along w/ updating the server that everything runs on.  Remember if you are using 10.5 Windows Server 2008 R2 was not supported for hosting the Enforce platform on it.  Now with the latest version (11.6.1) Server 2008 R2 is supported and recommended for running the DLP Product on.  Read along with how to set this up.
  • Choice of Symantec product for business security — what programs — While this is not as long as the other post listed above it i interesting.  What we have hear is someone who uses Backup Exec and is looking to understand what security products Symantec has to help him/her out
    • This is something I help out my customers with each day.  Let’s sit down and have a conversation about how Symantec can help you out and advance your security posture.  What is the real question or goal of your organization as it becomes more mature in your security practice.  Drop me an email, would love to help you out.
  • SCCM (Systems Center Configuration Manager) — In this post the customer is looking to understand the best way to deploy Symatnec Endpoint Protection (SEP) by leveraging System Center for the deployment solution. Take a look at this article for a more complete answer to the question.  I know that my company will have a video up shortly about deploying SEP w/ both Altiris and Systems Center.
  • Implementing change management and configuration management for vontu — So this is going to be a full article/blog post and once I post it I’ll link it here as well.  Stay tuned but this is VERY IMPORTANT to handle and take care of
  • How to install DLP Client — This person is looking for help on deploying the Endpoint Agent on various machines in his/her organization.  There are numerous links in the comment section that can help out.  Also my company will putting up a video on this shortly as well.
  • Comparing Symantec cMobile Security 7.2 and Norton Mobile Security   — This one fascinates me and I haven’t spent any time reading or digging into the differences between the products.  This article is more of an FYI to myself so I can further figure out what the two products are
  • DLP – Let the User Decide — This post is still looking for answer, so if you can help awesome…  The end user is looking to see if there is a way to allow the end user to decide if an email that is blocked should be released or not.  I’m not quite sure if this is the best way to setup DLP but if you can help out this questioner let me know and I’ll try to give you extra Connect points.
  • GnuPg PGP Desktop Email — This is a question that I have long wondered about as well and the answer is MAYBE.  That is it depends on the version of GnuPGP and PGP Desktop.  Try it out it should work.

So that’s that… I hope you are finding these links interesting and maybe can help some people out still looking for support.

Drop me a note and let me know if you find them worthwhile or not.

Symantec Connect Post Round Up #2

Last week I posted a round up of various articles or posts that I’ve found interesting or exciting or something I wanted to save. One of the items that I posted here has since been solved so that’s pretty exciting.

This week was pretty light, not quite if it was due to me being busy or not finding a lot of information that made me excited.  One of the posts will warrant a further blog entry here.  So off to the round up…

  • eWeek agrees with Symantec: Server Security is different than Laptop Security: I’m not sure why “Laptop Security” and “Server Security” is capitalized but whatever.  The important thing here is the article from eWeek that talks about reasons why securing a server is different than securing a laptop.  While it is pretty basic stuff, the article does bring up some good points.  Interested in securing your critical systems (not just servers)?  Look into Symantec Critical Systems Protection
  • Search for a SSN inside DLP incidents:  The poster is looking if there is a specific way to search for a particular social security number within a bunch of incidents. As one poster mentions this might be possible with exporting the XML of all of incidents and then dumping it into a query.  Another person says you might be able to do it with IT Analytics.  ANyone have any great ideas for this person?
  • Standard Operating Procedure — Where to Start?: So this is a fascinating question to me, something that I’ve helped many many customers with.  Where does one start with during an implementation of a DLP product?  This forum post has spawned another blog post and I will link it, once I got it up and going (maybe the football games tomorrow will be boring and I’ll have a chance to be productive?).
  • How does DLP work with Images?: This is an interesting question and address within another forum entry.  Long story short I can fingerprint (IDM) a document or image to help track it down.  However Symantec DLP does not track specific images (flesh tones, colors, etc) but some products attempt to do tis.  Tracking down data stored in images is a complex tasks.

Well this was bit light on the round up, but some of the things I was looking at/reading on Symantec Connect.  Would like some feedback if you find this helpful or even interesting.

Jonathan