
What Protection Does Symantec DLP Provide? A Note for Beginners

Created: 18 Jan 2012 • Updated: 18 Jan 2012 | 17 comments
By AR Sharma

What Protection Does Symantec DLP Provide?

In this article, I will try to cover some basics of DLP. It is written for beginners who want to understand the following about DLP:

Where does DLP fit?

What does DLP do, and what protection does it provide?

To start with, let's look at endpoint protection. Endpoint protection includes antivirus, anti-spyware, network threat protection (host-based firewall and host-based intrusion prevention) and proactive threat protection, which protects based on the behaviour of a program. But it does not warn or stop a user from copying something sensitive to a CD/DVD or USB drive, for example thousands of records of sensitive customer information being written to a USB drive.

Similarly, perimeter security does not stop a user from sending sensitive information over email, HTTP/HTTPS or FTP. Endpoint, perimeter and network security have no way of identifying which data is sensitive.

This is where DLP technology comes into the picture: security is built around the data itself. Once DLP is in place, data loss through endpoints (CD/DVD, USB drive or floppy drive) and through the network (email, HTTP/HTTPS, FTP or any TCP/IP protocol, for that matter) can be prevented. So we can say that DLP fits around the data itself.

Sensitive information is defined by writing a 'rule' in DLP.

DLP primarily focuses on the following channels for preventing data loss:

1. Endpoints (desktop/laptop)

2. Network (email, HTTP/HTTPS or FTP), also called data in motion

3. Data residing on a file server, NAS or the hard drive of a server, also called data at rest

For endpoints, an agent is installed on each endpoint. That agent monitors all data leaving the endpoint against the 'rule', which is defined centrally. The rule is a very critical and important aspect of DLP. The endpoint agent communicates with the centrally located DLP server whenever the user connects to the network, and it generates an incident whenever a DLP rule is violated. Depending on how DLP is configured, the endpoint agent can monitor, or even prevent, the copying of data to an external drive. The question that arises here is: can a desktop admin simply uninstall the DLP endpoint agent once he comes to know about it? The answer is no; uninstalling the DLP endpoint agent requires an uninstallation password. We are also assuming that the user does not have admin rights on his laptop/desktop. The latest version of DLP (ver 11.x.x) has many advanced controls to hide the DLP agent on endpoints and protect it from tampering.

Network DLP requires the DLP network component to be deployed inline (or as a sniffer) with email traffic (corporate email) and/or web traffic (proxy servers).

The data-at-rest component scans the specified targets for sensitive information. Once it is found, the component can generate an incident and/or move the data to a safer location, leaving a marker in its place stating that the data has been moved. The marker can also provide the contact information of a person, in case the user wants to retrieve the data.

At the heart of all three channels lies the 'rule'. Defining the rule is very critical and should be done very carefully; it is a huge subject in itself. Symantec, however, helps with many templates across different industries, viz. pharma, banking and finance, etc. Organizations mature over the years in defining the rules that block traffic, and rules need to be fine-tuned over a period of time to reduce false positives.
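As an added illustration (not code from this article or from Symantec DLP), here is a minimal rule engine in Python showing how a content rule turns matches into an incident, how monitor and prevent modes differ, and why validation and a match threshold are the usual levers for cutting false positives. The names Rule, Incident and evaluate_rule and the sample message are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Rule, Incident and evaluate_rule are this example's own names, not Symantec DLP identifiers.
# Candidate: 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Rule:
    name: str
    min_matches: int        # threshold; raised over time to cut false positives
    action: str             # "monitor" (incident only) or "prevent" (incident and block)
    validate: bool = True   # run the Luhn check on each candidate number

@dataclass
class Incident:
    rule: str
    channel: str
    matches: int
    blocked: bool

def find_cards(text: str, validate: bool) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits

def evaluate_rule(rule: Rule, text: str, channel: str):
    """An incident is generated only when the rule's match threshold is reached."""
    hits = find_cards(text, rule.validate)
    if len(hits) < rule.min_matches:
        return None
    return Incident(rule.name, channel, len(hits), rule.action == "prevent")

# Constructed outbound message: two Luhn-valid test numbers and an order id that only looks like one.
SAMPLE = "Cards: 4111 1111 1111 1111 and 4242-4242-4242-4242. Order 1234567890123456 shipped."
NOISY = Rule("any card-like number", min_matches=1, action="monitor", validate=False)
TUNED = Rule("two or more valid cards", min_matches=2, action="prevent")
```

The NOISY rule fires on all three numbers, including the order id; the TUNED rule fires only on the two valid cards, and a threshold of three would not fire at all.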

DLP has the following components:

1. DLP Enforce, where policies are defined and administration is done. Incidents can also be viewed here.

2. Database Server: DLP uses Oracle as the database to store incidents and other information.

3. Endpoint Servers: used to manage the endpoint agents.

4. Network Prevent / Web Prevent Servers: protection for email/web.

5. Discover Server: used for identifying sensitive data on various storage such as NAS, HDD, file servers, etc.

I hope this article has at least given a very basic understanding of how DLP works. DLP is a very vast solution in itself and can be configured to achieve many objectives. It is a must for organizations that want to protect their information from leakage or theft. Data loss/theft is mostly done by an insider, knowingly or unknowingly.

Comments (17)

Avkash K wrote:

Hi A R,

Really nice write up!!

It will be helpful if you can provide us with more info on the DLP components and the techniques by which these components can be configured.

Regards,

Avkash K

Shahnawaz wrote:

Good overview of the product, and nicely described its importance in the eyes of a LAYMAN.... Thx !!!

AR Sharma wrote:

Thanks Avkash and Shahnawaz for your good words!

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

kishorilal1986 wrote:

Thanks AR

I like your article, which is very easy for anyone to understand about DLP.

Could you please share the implementation aspects? Thanks once again for your effort to make this easy.

AlbertL wrote:

Really useful information.

Albert L

AP@sil wrote:

Thanks a lot AR; this article explains the basic concepts of DLP very nicely.

To start with, every information security enthusiast should read this article before going in depth to learn about DLP.

AR, and others, I have a question!

I have never understood why DLP is Data Loss Prevention when it actually does not stop data from being lost (accidental deletion/corruption), nor does it address the integrity of data; what it actually does is stop information from LEAKING out.

So it looks like Data Loss Prevention is a misnomer - it should be Data Leak Prevention.

Do you agree?

UFO wrote:

Actually you're right, but both acronyms make sense.

Symantec and Gartner (where SDLP leads 4th year in a row) use Data Loss Prevention for DLP.
 

STS: DLP

Syed Hussain -Compliance Devil wrote:

This is an excellent article :)

Thanks,

-Syed Hussain

 

If a post solves your problem, please flag it as solved. If you like an item, please give it a thumbs up vote.
UFO wrote:

Good and useful article! A lot of Symantec customers are interested in this globally leading solution.

I'd like to mention one more SDLP component - Data Insight.

Data Insight is fully developed by Symantec, and its purpose is to help investigate incidents. Data Insight can tell a lot about the document under investigation: who the owner is, who edits the document frequently, etc. A very useful SDLP component. Data Insight is located in the corporate LAN and works with storage (data at rest).

STS: DLP

Infogal wrote:

We're looking to protect source code; how accurate is the detection based on content? We've heard it's difficult to move from monitoring to blocking due to false positives. Any suggestions?

UFO wrote:

Starting with version 11.1, a new technology, Vector Machine Learning, is available in Symantec DLP. This self-educating approach uses a set of sample documents and then generates incidents based on the confidential and non-confidential data samples. As experience shows, Vector Machine Learning works very effectively with source code. No other DLP provider has such technology in its products.

STS: DLP

Infogal wrote:

Thank you for your comment. We're doing a POC on GTB Technologies Content Aware Reverse Firewall and are very impressed with the results. Detection is accurate, and it can block all ports/protocols in real time.

I understand from LinkedIn forum users that the machine vector learning, while built for source code, has many false positives.

Which ports/protocols can be blocked with sym. version 11.1?

UFO wrote:

1. Let's clarify: Vector Machine Learning is not a component that blocks something. VML is a technology that helps detect confidential information. Along with the other detection methods, it helps make the incident generation process accurate and precise. VML supplements DCM, EDM and IDM. VML's value is in its real-time mode of content analysis. While the other methods use descriptions or digital snapshots, which have to be corrected/remade every time a new document is added to the system, VML can detect documents in real time. You 'feed' VML with not less than 50 confidential and the same quantity of non-confidential docs with a similar structure. VML analyzes them and then makes a detection rule. Like every detection method, VML should initially be fine-tuned for some period of time. Then it works fine.

By the way, IDM (Indexed Document Matching) does detect source code with almost 100% accuracy, too.

2. As for ports/protocols. Monitor: SMTP, HTTP, FTP, IM, any TCP-based. Prevent: SMTP, HTTP, HTTPS, FTP.

STS: DLP

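Added example, not code from this thread or from Symantec DLP: a toy version of the 'digital snapshot' approach the comment above attributes to IDM. Confidential documents are indexed as hashed word shingles, an outbound message is scored by the fraction of a document's shingles it contains, and the index has to be rebuilt whenever a document is added or edited, which is the maintenance cost the comment contrasts with VML. The class and function names and the sample texts are constructed for this example.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

# DocumentIndex and build_index are this example's own names, not Symantec DLP identifiers.
SHINGLE = 5   # words per shingle; smaller catches shorter excerpts but adds noise

def _shingles(text: str) -> List[str]:
    """Normalise case and whitespace, then hash every run of SHINGLE words."""
    words = re.findall(r"\w+", text.lower())
    return [hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()[:16]
            for i in range(len(words) - SHINGLE + 1)]

class DocumentIndex:
    def __init__(self) -> None:
        self.by_hash: Dict[str, str] = {}   # shingle hash -> document name
        self.sizes: Dict[str, int] = {}     # document name -> distinct shingle count

    def index_document(self, name: str, text: str) -> None:
        """Take the 'snapshot'; must be rerun whenever a document is added or edited."""
        shingles = set(_shingles(text))
        self.sizes[name] = len(shingles)
        for h in shingles:
            self.by_hash.setdefault(h, name)

    def match(self, outbound: str, min_fraction: float = 0.2) -> List[Tuple[str, float]]:
        """(document, fraction of its shingles present in outbound) for docs over threshold."""
        seen: Dict[str, Set[str]] = {}
        for h in set(_shingles(outbound)):
            doc = self.by_hash.get(h)
            if doc is not None:
                seen.setdefault(doc, set()).add(h)
        hits = [(doc, len(hs) / self.sizes[doc]) for doc, hs in seen.items()]
        return sorted((r for r in hits if r[1] >= min_fraction), key=lambda r: -r[1])

# Constructed samples: a confidential source excerpt, a public note, and a chat message pasting part of the source.
SECRET_SRC = ('def rotate_key(master, epoch):\n'
              '    salt = derive_salt(master, epoch)\n'
              '    return hmac_sha256(salt, b"rotate" + epoch.to_bytes(4, "big"))\n')
PUBLIC_DOC = "This product rotates keys on a schedule. Contact the security team for details."
OUTBOUND = ("hey, here is the bit you asked for:\n"
            "    salt = derive_salt(master, epoch)\n"
            '    return hmac_sha256(salt, b"rotate" + epoch.to_bytes(4, "big"))\nthanks')

def build_index() -> DocumentIndex:
    idx = DocumentIndex()
    idx.index_document("keys.py", SECRET_SRC)
    idx.index_document("readme.txt", PUBLIC_DOC)
    return idx
```

Against the constructed OUTBOUND, the index reports keys.py with 9 of its 13 shingles present and nothing for the public note; raising min_fraction is the tuning step that trades short excerpts for fewer false positives.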
m@ntec wrote:

hi,

Please correct me if I'm wrong: Data Loss Prevention will protect data which passes through the network and endpoints?

If a user sends something through the network, like email, will the data be quarantined or monitored by the DLP monitoring?

Sorry, I'm just very confused; I'm only a beginner here, and I want to know how it works with the network infrastructure.

Thank you for your help, I appreciate it,

marj

pete_4u2002 wrote:

You can configure the policy accordingly to quarantine, if SMG is used, or to block.

m@ntec wrote:

If it is quarantined, can I view the data? For example, if a user sends data, can I view the data before it is sent?

Is that something like filtering the incoming data? Sorry, that makes me wonder how.

But I would be thankful if you could advise me on this.

Mohan Kumar wrote:

Good information for beginners

Regards,

Mohan
