At the core of Symantec DLP lies its policy, which determines whether a Symantec DLP deployment at an organization succeeds or falls short. DLP is neither perimeter security nor endpoint security; it is security built around the data itself, so a badly defined policy can have a huge impact. This is the reason why Symantec DLP is always implemented in monitor mode initially: if a policy is violated, an incident is raised, but nothing is blocked.
In this article, we will look briefly at Symantec DLP policy. This should give a beginner a kick-start understanding of Symantec DLP policy in a few minutes. Before that, if you wish, you can see the links below for Symantec DLP basics for beginners.
Whether it is data loss prevention on endpoints (PCs, laptops), data in motion (network, email) or data at rest (SAN, NAS, etc.), Symantec DLP matches the data against the defined policy. If the data matches a policy, the defined action is taken (monitor, block, move to a safer location, etc.).
Policy is defined on, and resides on, the Enforce platform and the detection servers. To define or modify policy, you must have access to a DLP administrator account. A policy can be built from scratch, or created from one of the 60+ templates already defined by Symantec. These templates are grouped by industry, such as pharma, banking and finance, etc.
Policy has two different parts:
1. Detection Rules
2. Response Rules
There are two main ways of detection.
1. Described data: data that we can describe clearly with the help of keywords, data identifiers, regular expressions, etc. This is the simplest way to define rules. For example, with a regular expression we can define a number (say, an account number). We can define that the account number is 10 digits, where the first 5 digits are only 0 or 1 and the next 5 digits are 0 to 8. In this case, if a file going out through email contains the number 1230945689, no policy is triggered. But if it contains the number 0001180012, the policy is triggered and an incident is generated, provided the other conditions of the policy also match. Per the regular expression definition, the 1st number is not an account number, but the 2nd number is.
2. Fingerprinted data: this covers structured data, also called Exact Data Match (EDM), and unstructured data, also called Index Data Match (IDM). In EDM, we define a database, one of its tables, or a combination of them; if anything from that source is sent out, the policy is triggered. In IDM, we have to provide the whole document to the policy. Symantec DLP builds an index from that document, and the policy can then be defined so that if, say, 60% of the document is being sent out, the policy should be triggered.
A threshold count can also be defined, e.g. that an incident should be generated only if an email contains 10 account numbers. And, Or and If logic can also be defined, as can exceptions.
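To make the IDM idea concrete, here is an added example (not Symantec's code; the real IDM indexing algorithm is proprietary) that approximates "60% of this document is being sent out" with word-level shingles: the protected document is indexed as hashes of every run of three consecutive words, and an outgoing message is scored by the share of those hashes it reproduces. The shingle width, the function names and the sample document and emails are all constructed for this example.

```python
"""IDM-style partial-document match, as an added illustration (not Symantec code).

The protected document is indexed as SHA-256 hashes of every run of three
consecutive words; an outgoing message is scored by the percentage of those
hashes it contains. Shingle width and sample texts are assumptions made here.
"""
from __future__ import annotations

import hashlib
import re

SHINGLE_WORDS = 3  # assumed width: fingerprint every 3-word sequence


def _shingles(text: str, width: int = SHINGLE_WORDS) -> set[str]:
    """Hash each run of `width` consecutive words; the set is the text's fingerprint."""
    words = re.findall(r"\w+", text.lower())  # drop punctuation so "forecast:" == "forecast"
    return {
        hashlib.sha256(" ".join(words[i:i + width]).encode("utf-8")).hexdigest()
        for i in range(len(words) - width + 1)
    }


def index_document(document: str) -> set[str]:
    """Build the index the policy stores instead of the document itself."""
    return _shingles(document)


def match_percentage(index: set[str], outgoing: str) -> float:
    """Percentage of the indexed document's shingles that appear in the outgoing text."""
    if not index:
        return 0.0
    return 100.0 * len(index & _shingles(outgoing)) / len(index)


def idm_rule_triggers(index: set[str], outgoing: str, threshold_percent: float = 60.0) -> bool:
    """The policy condition from the article: trigger when at least 60% of the document leaves."""
    return match_percentage(index, outgoing) >= threshold_percent


# Constructed protected document: 21 distinct words, so 19 shingles.
PROTECTED_DOCUMENT = (
    "Project Falcon quarterly forecast: revenue grows twelve percent while margins "
    "stabilize across European retail segments despite currency headwinds and supplier consolidation."
)
PROTECTED_INDEX = index_document(PROTECTED_DOCUMENT)

# Constructed outgoing emails: one pastes the first 14 words (12 of 19 shingles),
# one pastes only the first 8 words (6 shingles), one is unrelated text.
LARGE_LEAK = (
    "Hi Bob, here is the summary: Project Falcon quarterly forecast: revenue grows twelve "
    "percent while margins stabilize across European retail -- see you Friday"
)
SMALL_LEAK = "FYI: Project Falcon quarterly forecast: revenue grows twelve percent. Thoughts?"
UNRELATED = "Lunch menu for Thursday: soup, salad and sandwiches in the cafeteria."

if __name__ == "__main__":
    for label, msg in (("large", LARGE_LEAK), ("small", SMALL_LEAK), ("unrelated", UNRELATED)):
        print(f"{label}: {match_percentage(PROTECTED_INDEX, msg):.1f}% -> "
              f"{'INCIDENT' if idm_rule_triggers(PROTECTED_INDEX, msg) else 'ok'}")
```

The large paste reproduces 12 of the 19 indexed shingles (about 63%) and trips the 60% rule, while the 8-word paste scores about 32% and does not; storing only hashes is also why the detection server never needs a copy of the confidential document itself.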
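The following added example (not Symantec's code) puts the described-data pieces above together: the article's 10-digit account-number pattern as a regular expression, a keyword condition joined to it with AND logic, the threshold count of 10 numbers per email, an exception for an exempt sender, and the difference between monitor mode and block mode. The class and field names, the message format and the sample account numbers are assumptions constructed for this example.

```python
"""Described-data detection rule, as an added illustration (not Symantec code).

Models the article's example: a regular expression for a 10-digit account
number, a keyword condition combined with AND, a threshold count, an exception
for exempt senders, and monitor vs. block mode. Names and message format are
assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Account number from the article: 10 digits, first five only 0 or 1, next five
# in the range 0-8. The lookarounds require the 10 digits to stand alone, so the
# pattern does not fire inside a longer digit run such as a 16-digit card number.
ACCOUNT_NUMBER = re.compile(r"(?<!\d)[01]{5}[0-8]{5}(?!\d)")


def find_account_numbers(text: str) -> list[str]:
    """Return every stand-alone account number found in the text."""
    return ACCOUNT_NUMBER.findall(text)


@dataclass(frozen=True)
class DescribedDataPolicy:
    name: str
    keywords: tuple[str, ...]                # keyword condition: any one present is enough
    min_matches: int = 1                     # threshold count: fewer hits than this raises nothing
    exempt_senders: frozenset = frozenset()  # exception: these senders never trigger the rule
    mode: str = "monitor"                    # "monitor" raises an incident only; "block" also stops the message

    def evaluate(self, sender: str, subject: str, body: str) -> dict:
        """Apply the detection rule to one outbound email and describe the outcome."""
        if sender.lower() in self.exempt_senders:
            return {"incident": False, "blocked": False, "matches": 0, "keyword_hit": False}
        text = f"{subject}\n{body}"
        hits = find_account_numbers(text)
        lowered = text.lower()
        keyword_hit = any(k.lower() in lowered for k in self.keywords)
        # AND logic: the keyword condition and the threshold count must both hold.
        triggered = keyword_hit and len(hits) >= self.min_matches
        return {
            "incident": triggered,                          # raised in both modes
            "blocked": triggered and self.mode == "block",  # message stopped only in block mode
            "matches": len(hits),
            "keyword_hit": keyword_hit,
        }


# Constructed sample data: ten numbers that satisfy the pattern.
SAMPLE_ACCOUNTS = [
    "0000000001", "0000100002", "0001000003", "0001100004", "0010000005",
    "0010100006", "0011000007", "0011100008", "0100000000", "0100100011",
]
SAMPLE_BODY = "Account statement export, see the attached list:\n" + "\n".join(SAMPLE_ACCOUNTS)

MONITOR_POLICY = DescribedDataPolicy(
    name="Account numbers (monitor)", keywords=("account",), min_matches=10,
    exempt_senders=frozenset({"payments-batch@example.com"}), mode="monitor",
)
BLOCK_POLICY = DescribedDataPolicy(
    name="Account numbers (block)", keywords=("account",), min_matches=10, mode="block",
)

if __name__ == "__main__":
    # The article's two numbers: only the second one is an account number.
    print(find_account_numbers("1230945689"), find_account_numbers("0001180012"))
    print(MONITOR_POLICY.evaluate("alice@example.com", "Statement batch", SAMPLE_BODY))
    print(BLOCK_POLICY.evaluate("alice@example.com", "Statement batch", SAMPLE_BODY))
```

Running the two policies over the same email shows the point made at the start of the article: both raise an incident, but only the block-mode policy stops the message, which is why a new rule is first run in monitor mode until its hit rate is understood.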
Many response rules can be set. One is notification, where an email is sent to the sender, the sender's manager or IT security; an on-screen pop-up can also be enabled. Another response rule is blocking, which prevents the data leakage. Other response rules include conditional encryption of the data, moving the data to another location, etc. Custom response rules can also be created.
All detection capabilities (EDM/IDM/DCM) are compatible and accurate with many Western European and Asian languages. For unsupported languages, many detection processes may still work but are not fully tested. The user interface is localized into many languages too. For details, you may need to contact Symantec.
Defining policy rules in Symantec DLP is so flexible and dynamic that almost any condition can be met and a policy written for it. Obviously, with the flexibility also comes complexity.
With this, I have tried to provide a glimpse of what policy and rules are in Symantec DLP. This is a very large subject in itself, and learning to define policy takes a substantial amount of time. For more details, refer to the Symantec Admin Guide for DLP or the help files on the policy page of Symantec DLP.