What Protection Does Symantec DLP Provide? A Note for Beginners
In this article I will try to cover some basics of DLP. It is written for beginners who want to understand the following about DLP:
Where does DLP fit?
What does DLP do, and what protection does it provide?
To start with, let's look at endpoint protection. Endpoint protection has antivirus, anti-spyware, network threat protection (host-based firewall and host-based intrusion prevention) and proactive threat protection, which protects based on the behavior of a program. But it does not warn or stop a user from copying something sensitive to a CD/DVD or USB drive; for example, thousands of customers' sensitive records being written to a USB drive.
Similarly, perimeter security does not stop a user from sending sensitive information over email, HTTP/HTTPS or FTP. Neither endpoint, perimeter nor network security has any way to identify which data is sensitive.
Therefore DLP technology came into the picture, where security is built around the data itself. Once DLP is in place, data loss through endpoints (CD/DVD, USB drive or floppy drive) and data loss through the network (email, HTTP/HTTPS, FTP or any TCP/IP protocol, for that matter) can be prevented. So we can say that DLP fits around the data itself.
Sensitive information is defined by writing a 'rule' in DLP.
DLP primarily focuses on the following channels for preventing data loss:
1. Endpoints (desktop/laptop)
2. Network (email, HTTP/HTTPS or FTP), also called data in motion
3. Data residing on file servers, NAS or server hard drives, also called data at rest.
For endpoints, an agent is installed on each endpoint. That agent monitors all data leaving the endpoint against the 'rule', which is defined centrally. The rule is a very critical and important aspect of DLP. The endpoint agent communicates with the centrally located DLP server whenever the user connects to the network, and it generates an incident whenever a DLP rule is violated. Depending on how DLP is configured, the endpoint agent can monitor or even prevent copying of data to an external drive. Now the question arises: can a desktop admin always uninstall the DLP endpoint agent once he comes to know about it? The answer is no; uninstalling the DLP endpoint agent requires an uninstallation password. Also, we are assuming that the user does not have admin rights on his laptop/desktop. There are many advanced controls in the latest version of DLP (ver 11.x.x) to hide the DLP agent on endpoints and protect it from damage.
Network DLP requires the DLP network component to be present inline (or as a sniffer) with email traffic (corporate email) and/or web traffic (proxy servers).
The data-at-rest component scans the specified targets for sensitive information. Once found, it can generate an incident and/or move the data to a safer location, leaving a marker behind stating that the data has been moved to a safer location. It can also provide the contact information of a person in case the user wants to retrieve the data.
At the heart of all three channels is the 'rule'. Defining the rule is critical and should be done very carefully; it is a huge subject in itself. Symantec, however, helps with many templates across different kinds of industries, viz. pharma, banking and finance, etc. Organizations mature over years in defining rules to block traffic. Rules need to be fine-tuned over a period of time to reduce false positives.
DLP has the following components:
1. DLP Enforce, where policies are defined and administration is done. Incidents can also be viewed here.
2. Database Server: DLP uses Oracle as the database to store incidents and other information.
3. Endpoint Servers: these are used to manage endpoint agents.
4. Network Prevent / Web Prevent Servers, for protection with respect to email/web.
5. Discover Server, used for identifying sensitive data on various storage such as NAS, HDD, file servers, etc.
I hope this article has at least given a very basic understanding of how DLP works. DLP is a very vast solution in itself and can be configured to achieve many objectives. It is a must for organizations that want to protect their information from leaking or theft. Data loss/theft is mostly done by an insider, knowingly or unknowingly.
Comments
Hi A R,
Really nice write-up!!
It will be helpful if you can provide us with more info on the DLP components & the techniques by which these components can be configured.
Regards,
Avkash K
Good overview of the product and nicely described its importance in the eyes of a LAYMAN.... Thx !!!
Thanks!
Thanks Avkash and Shahnawaz for your good words!
Thanks & Regards,
AR Sharma,
IBM Certified System Admin- Lotus Domino V7
ITIL V2 Certified
Yeah, really easy to understand DLP and its components
Thanks AR
I like your article, which is very easy for anyone to understand about DLP.
Could you please share the implementation aspects? Thanks once again for your effort to make this easy.
Really useful information............
Albert L
Thanks a lot AR; actually, this article explains the basic concepts of DLP very nicely.
To start with, every information security enthusiast should read this article before going in depth to learn about DLP.
AR, and others, I have a question!
I have never understood why DLP is Data Loss Prevention when actually it does not stop data from being lost (accidental deletion/corruption), nor does it address integrity of data; well, what it actually does is stop information from LEAKING out.
So it looks like Data Loss Prevention is a misnomer - it should be Data Leak Prevention.
Do you agree?
Both acronyms work
Actually you're right, but both acronyms make sense.
Symantec and Gartner (where SDLP leads 4th year in a row) use Data Loss Prevention for DLP.
STS: DLP and Storage Foundation for Windows
If this post was helpful please vote +1
If this post was useless or just for points please vote -1
This is an excellent article :)
Thanks,
-Syed Hussain
Data Insight
Good and useful article! A lot of Symantec customers are interested in this globally leading solution.
I'd like to mention one more SDLP component - Data Insight.
Data Insight is fully developed by Symantec and its purpose is to help investigate incidents. Data Insight can tell a lot about the document under investigation: it tells who the owner is, who edits the document frequently, etc. A very useful SDLP component. Data Insight is located in the corporate LAN and works with storage (data at rest).
STS: DLP and Storage Foundation for Windows
Detection Accuracy?
We're looking to protect source code, how accurate is the detection based on content? We've heard it's difficult to move from monitoring to blocking due to false positives. Any suggestions?
source code
Starting with version 11.1, a new technology, Vector Machine Learning, is available in Symantec DLP. This self-educated approach uses a set of sample documents to generate incidents, based on confidential and non-confidential data samples. As experience shows, Vector Machine Learning works very effectively with source code. No other DLP provider has such technology in their products.
STS: DLP and Storage Foundation for Windows
source code protection
Thank you for your comment; we're doing a PoC on GTB Technologies Content Aware Reverse Firewall and are very impressed with the results. Detection is accurate and it can block all ports/protocols in real time.
I understand from LinkedIn forum users that the machine vector learning, while built for source code, has many false positives.
Which ports/protocols can be blocked with sym. version 11.1?
VML false positives
1. Let's clarify: Vector Machine Learning is not a component that blocks something. VML is a technology that helps detect confidential information. Along with other detection methods it helps make the incident generation process accurate and precise. VML supplements DCM, EDM and IDM. VML's value is in its real-time mode of content analysis. While other methods use descriptions or digital snapshots, which have to be corrected/made every time a new document is added to the system, VML can detect documents in real time. You 'feed' VML with not less than 50 confidential and the same quantity of non-confidential docs with a similar structure. VML analyzes them and then makes a detection rule. Like every detection method, VML should initially be fine-tuned for some period of time. Then it works fine.
By the way, IDM (Indexed Document Matching) detects source code with almost 100% accuracy, too.
2. As for ports/protocols. Monitor: SMTP, HTTP, FTP, IM, any TCP-based. Prevent: SMTP, HTTP, HTTPS, FTP.
STS: DLP and Storage Foundation for Windows
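The article's rule-based detection across channels and the DCM and IDM methods named in the comment above, as an added Python example that is neither Symantec's nor the author's code: a constructed card-number rule with a Luhn check (the kind of validation that keeps random digit runs from raising false positives) and a shingle-hash document index, both applied to a constructed outgoing email. Rule names, the document and the email body are all hypothetical.

```python
import hashlib
import re

# Constructed illustration: rule names, documents and the email body are hypothetical.
# DCM-style rule: a 16-digit card number, validated with Luhn so random digit runs do not fire.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right, subtracting 9 if the result exceeds 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def dcm_matches(text):
    """Card-number candidates in text that also pass the Luhn check."""
    found = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in found if luhn_ok(d)]

# IDM-style fingerprint: hash overlapping 5-word shingles, so the index holds no document text.
def shingles(text, k=5):
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

def idm_score(index, text):
    """Best match: (document name, fraction of that document's shingles seen in text)."""
    probe = shingles(text)
    best = max(index, key=lambda n: len(index[n] & probe))
    return best, len(index[best] & probe) / len(index[best])

def evaluate(channel, text, index, idm_threshold=0.3):
    """Apply both rules to one outgoing event and return the incidents it raises."""
    incidents = []
    cards = dcm_matches(text)
    if cards:
        incidents.append({"channel": channel, "rule": "DCM card number", "count": len(cards)})
    doc, score = idm_score(index, text)
    if score >= idm_threshold:
        incidents.append({"channel": channel, "rule": "IDM " + doc, "score": round(score, 2)})
    return incidents

# Constructed protected document (indexed once) and constructed outgoing email (data in motion).
INDEX = {"customer_list.txt": shingles("Customer list: Alice Smith account 1001 balance 5200, "
                                       "Bob Jones account 1002 balance 300, Carol White account 1003 balance 8800")}
EMAIL = ("Hi, here are the numbers you asked for. Alice Smith account 1001 balance 5200, Bob Jones "
         "account 1002 balance 300. Test card 4111 1111 1111 1111, ref 1234 5678 9012 3456.")
```

Calling `evaluate("SMTP", EMAIL, INDEX)` raises one DCM incident (the second digit run fails Luhn) and one IDM incident because half of the protected document's shingles appear in the email; raising `idm_threshold` is the fine-tuning step the article mentions for reducing false positives.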