Video Screencast Help

How To Use Custom Attributes in Symantec Data Loss Prevention (Part 1 of 2)

Created: 17 Mar 2009 • Updated: 17 Mar 2009 | 1 comment
Language Translations
Swathi Turlapaty's picture
+2 2 Votes
Login to vote

In this two-part TechTip we’ll discuss how Symantec Data Loss Prevention (DLP) customers use custom attributes to drive more proactive security measures in their organizations. DLP customers who use custom attributes have better insight into data loss incidents and their origins, and can more easily automate incident responses and metrics reporting.

Enterprise customers use Symantec DLP to discover, monitor, and protect vital data on the network, on endpoints, and in storage. But DLP users won’t realize the full potential of this solution if they are not leveraging the lookup API and custom attributes to expand critical incident-related information. Custom attributes are data fields that provide a way to capture and store additional information related to an incident so that it can be used to drive workflow, execute incident response actions, and report metrics. The lookup API allows connection to a variety of other systems (such as LDAP) to populate the custom attributes. By using custom attributes, companies can more effectively enforce their data protection policies, isolate patterns of violation, assemble detailed reports on security violations, and disseminate these reports appropriately throughout an organization.

Custom attributes and incident response

One of the most basic but powerful ways of using custom attributes is to use the built-in API to look up the person causing the DLP incident in LDAP or Active Directory and extract key information related to that person such as business unit, department, phone number, and manager name. DLP incident responders can then use this information to:

  • Gather more information on the incident, by contacting the person involved
  • Find similar incidents in the same department and identify possible insecure business processes
  • Manage their own work queue by using the business unit to filter incidents
  • Respond to a severe incident by sending an email notification to the violator’s manager

Without enabling custom attributes, none of the actions listed above would be possible without a significant amount of manual research. The lookup API and custom attributes allow this information to be retrieved and made available automatically for the incident responder.

Custom attributes and security compliance

Custom attributes can lead to more proactive security compliance in an organization. Using the custom attributes described above, DLP incidents can be grouped by business unit, manager, or any other organizational structure captured in LDAP, Active Directory, or other systems. Then, for example, DLP reports summarizing the violations that occurred per business unit can be automatically sent to the CISO on a weekly or monthly basis. The DLP system can also automatically send reports summarizing each business unit’s incidents to the manager of that business unit, including the quantity, severity, and type of violations the group committed. Managers can then be held more accountable for security in their divisions. These reports can also be used to identify which groups or individuals require better security policy training.

Stay tuned for Part 2 of this TechTip, which explains how custom attributes can be used to automatically generate email responses targeted to specific violators. We’ll also discuss how to aggregate multiple incidents into threat cases.

Related Links

DLP Solution Specialists can assist in configuring the DLP lookup API and in extracting the right information for workflow, remediation and reporting.

Click here to visit our web site. To speak with a Product Specialist in the U.S. Call toll-free 1 (800) 745 6054 To speak with a Product Specialist outside the U.S.

For specific country offices and contact numbers, please visit our website.

Comments 1 CommentJump to latest comment

kishorilal1986's picture

Hi Swathy Nice one but if both part in single page then its easy to see and reduce search difficulties.

0
Login to vote