An overview of DLP 10

Symantec has recently released an update to its DLP (Data Loss Prevention) product, version 10. This article will provide a brief overview of some of the changes and differences. More posts to follow will highlight other parts of DLP 10.

Console Changes

• The first thing one will notice when connecting to a DLP 10 system is how the console has changed from previous versions.  The DLP 10 console has been simplified and streamlined to help with navigatation and make the system easier to be managed.  The new console looks like the following:
  

  As highlighted in the next screenshot the menu system has been completely changed as well:
  

   

The menu is broken up into 4 areas, Home, Incidents, Policies, and System. 

Home -  will open up what is set as your home page, in my system I have it setup for the Executive Summary for Endpoint. 
Incidents - we have the Incident Reports, broken out by Network, Endpoint Protect and Discover, providing a simple way to find the incidents you are looking for. 
Policies - we find information related to the following:  Policy List, Response Rules, Endpoint User Groups, Discover Scanning, and Protected Content. 

The Discover Scanning section is broken out further into Discover Targets and Discover Servers.  Under Protected Content you will also find Exact data and Indexed Documents.

Hopefully you will find it easier to navigate like I do.

Incident Changes

A lot of work  has been done in the Incident section of DLP 10.  The goal is to be able to understand the incident in under 5 seconds.  Is this a false positive?  Is this something I need to deal with right away?  What information can you tell me about this incident?  All questions that need to be dealt with as soon as possible and the changes made help you answer them quickly.

The example below shows a screenshot of a discover scan using sample data:

The incident is broken down into 3 sections or panes.

1)  The first pane provides the key info, history and correlations about the incident (see the following screenshot).

By seeing the Key Info right away I know what is going on with this incident at a quick glance and make a decision on whether or not i need to spend more time on it.  In DLP 9 this information was scattered a bit about but can bee seen quickly at a glance.

2)  The second pane of an incident shows the match count behind this incident.  Based on the information I’ve read in the first pane, I will then spend time in the second taking a look at match count and also checking for false positives.

3)  The third pane of an incident shows any custom attributes I am looking for or using.

Policy Changes

There have been some changes and additions to the default policies that ship with DLP: however, the way to write a policy has not been changed.  One of the policies has been modified to take a part some of the changes in the HITECH act.

As mentioned previously, under the menu Policies, you have the ability to configure the discover servers and scans and also edit the exact data and indexed documents.

System Changes

There have been many changes to this part of the console as well.  The system section is broken up into the following areas:  Servers, Agents, System Reports, Settings, Incident Data, and User Management.One really nice change is the addition of a credential manager, which is found under Credentials.  This allows me to save a credential and re-use it in different scans, etc.  This is found under System –> Settings –> Credentials and looks like the following:

Thanks for spending the time to read this overview of DLP.  In February I will be doing a webinar on DLP and if you are interested you can visit my company’s website (ITS Partners) here for more information and to sign up.