Data Loss Prevention


Auditing/Monitoring DLP Administrators and Users

  • 1.  Auditing/Monitoring DLP Administrators and Users

    Posted Feb 10, 2012 10:55 AM

    At a recent Symantec DLP User Group meeting in Minneapolis, several of us got into a discussion on what is the best way to audit DLP Administrators and users...  here are my thoughts on the topic:

    Perfect solution -  Symantec makes the events in the AUDITLOG table available in the Enforce console under System-Events.  We could then develop alerts to send these events to a SIEM tool.

    Option 1 - Write a Stored Procedure in Oracle that triggers when there is an insert into the AUDITLOG table.  That stored procedure would then send the data to some SIEM tool for correlation and alerting.

    Option 2 – Develop a process to query the AUDITLOG table on a scheduled basis to extract the newest records.  This could be scheduled to run every 5/10/15 minutes – however often you desire.  The results of the query would be sent to your SIEM tool for correlation and alerting.

    Option 3 - Some SIEM tools can actually query databases to grab log records.  Per our conversation, it didn’t sound like yours could do this.

    Remember, create an Oracle user with READ ONLY access to JUST the AUDITLOG table.  Don’t use the same Oracle account you used when installing the Enforce server.

    Here is a description and a sample SQL query for the AUDITLOG table.

    SQL> desc auditlog
     Name                                      Null?    Type
     ----------------------------------------- -------- -------------------------
     AUDITLOGID                                NOT NULL NUMBER(38)
     TIME                                      NOT NULL TIMESTAMP(6)
     IPADDRESS                                          VARCHAR2(2048 CHAR)
     USERNAME                                  NOT NULL VARCHAR2(2048 CHAR)
     ROLE                                               VARCHAR2(2048 CHAR)
     ENTITY                                    NOT NULL VARCHAR2(2048 CHAR)
     ACTION                                    NOT NULL VARCHAR2(2048 CHAR)
     DETAIL                                             CLOB

    -- This SQL code uses "|" as a delimiter between the fields.  Watch out for the last field, detail, it's a big one:
    -- it is a CLOB, so it is cut to 3500 characters and CR/LF are stripped; it may also contain "|", so keep it last.
    -- (SQL*Plus has no "#" comment syntax, and a blank line inside the SELECT would end the statement, so none are used.)
    SET HEAD OFF
    SET TRIM ON
    SET WRAP OFF
    SET LINESIZE 5000
    SET PAGESIZE 9999
    SELECT
    auditlogid                                  || '|' ||
    to_char(time,'DD-MON-YYYY HH24:MI:SS')      || '|' ||
    ipaddress                                   || '|' ||
    username                                    || '|' ||
    role                                        || '|' ||
    entity                                      || '|' ||
    action                                      || '|' ||
    REPLACE(REPLACE(dbms_lob.substr( detail, 3500, 1 ),CHR(13), ' '), CHR(10), '')
    FROM auditlog
    ORDER BY auditlogid;
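A scheduled poll in the style of option 2, as an added example (not the poster's script and not Symantec's code): the SELECT is the post's query with a bind-variable checkpoint on AUDITLOGID added, the database cursor is injected so the block runs offline on constructed rows, and the ENTITY/ACTION values in the sample are illustrative, not Symantec's real ones.

```python
"""Scheduled AUDITLOG export (option 2 in the post): the post's SELECT with a
bind-variable high-water mark on AUDITLOGID, plus the SIEM-side parse.
The cursor is injected so the block runs offline on constructed rows."""

DETAIL_MAX = 3500  # same cut as the post's dbms_lob.substr(detail, 3500, 1)
COLUMNS = "auditlogid time ipaddress username role entity action detail".split()

# :last_id is bound, never concatenated, so the polling account only ever
# runs this one statement against its read-only grant on AUDITLOG.
POLL_SQL = (
    "SELECT auditlogid, to_char(time,'DD-MON-YYYY HH24:MI:SS'), ipaddress, "
    "username, role, entity, action, dbms_lob.substr(detail, 3500, 1) "
    "FROM auditlog WHERE auditlogid > :last_id ORDER BY auditlogid"
)

def format_row(row):
    """Mirror the post's SQL: '|' between fields, CR -> space, LF removed,
    DETAIL truncated and kept last because it may itself contain '|'."""
    head = ["" if v is None else str(v) for v in row[:7]]
    detail = "" if row[7] is None else str(row[7])[:DETAIL_MAX]
    detail = detail.replace("\r", " ").replace("\n", "")
    return "|".join(head + [detail])

def parse_line(line):
    """SIEM-side parse: split at most 7 times so a '|' inside DETAIL
    does not shift the columns."""
    return dict(zip(COLUMNS, line.split("|", 7)))

def poll(fetch, state):
    """One scheduled run: fetch rows newer than the checkpoint, format
    them, and advance the checkpoint only after every row is formatted."""
    rows = fetch(POLL_SQL, {"last_id": state.get("last_id", 0)})
    lines = [format_row(r) for r in rows]
    if rows:
        state["last_id"] = max(r[0] for r in rows)
    return lines

# Constructed sample rows standing in for cursor.execute(...).fetchall();
# the ENTITY/ACTION strings are illustrative, not Symantec's real values.
SAMPLE = [
    (101, "10-FEB-2012 10:55:00", "10.0.0.5", "bob", "Administrator",
     "Policy", "Disable", "policy: Credit Cards\r\nstatus: off"),
    (102, "10-FEB-2012 10:56:10", "10.0.0.9", "eve", None,
     "User", "Logon Failed", "reason: bad | password"),
]

def fake_fetch(sql, binds):
    """Offline stand-in for an Oracle cursor; applies the bind filter."""
    return [r for r in SAMPLE if r[0] > binds["last_id"]]
```

poll(fake_fetch, {}) returns both lines and a second call on the same state returns nothing; in production, fetch would wrap a cursor opened as the read-only AUDITLOG user.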



  • 2.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Feb 10, 2012 11:36 AM

    thanks for sharing, looks interesting.



  • 3.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Feb 10, 2012 09:41 PM

    Thanks for sharing!



  • 4.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Feb 12, 2012 06:29 AM

    Hi Bob,

    This is really awesome information.

    Thank you for sharing with us.



  • 5.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Feb 16, 2012 02:26 PM

    Hi Bob,

    Great suggestion, and this subject is really interesting to me personally. Can you provide a bit more 'color' around what you are looking to do with the information? You mentioned auditing Administrators and users, and based on the queries and context it sounds like you want to alert on some things in real time (or as close as possible).

    What are you wanting to alert on? User logins? Or something like edits to Users/Roles?



  • 6.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Feb 16, 2012 02:39 PM

    Well - for starters... check out PCI DSS requirements 10.2 and 10.3.

    Put on your black hat, log into your DLP console as an Admin.

    Go through every tab of the web console and make changes that would "stop/break/circumvent" DLP.  e.g. Disable a policy, Delete a policy, turn off a protocol, change a role, add a user to a role, perform a failed logon, perform a successful logon.

    Then, run your DB query against your auditlog table, get the output into Excel.

    Prioritize the events based on Entity, Action, Username and Role.  You should be able to see which events you/your organization truly care about.

    That should keep you and your auditors busy for a while... and if you are an auditor, you could come up with a list of what to look for.

    Bob. 



  • 7.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Feb 23, 2012 04:34 PM

    I've long looked for, and requested, a method to "post" custom events to DLP so that the email alerting (or syslog alerts if you've configured Enforce to do this) could be leveraged.  As it stands, you can easily insert an event into the database via SQL so it can be seen in the console, but doing it that way still does not allow for the ability to create an automatic Alert (via email or syslog) on your custom event.

    Best I've come up with to date...create a custom event in the events table in the database, and send a daily report of events via email to any interested parties.  Not exactly real-time, but it can get you halfway there, and may satisfy some audit requirements. You'd have to be sure you're using event codes that are not already used, as well as be willing to adjust that if Symantec decides to subsequently use the event code that you have assigned.

    How about at a minimum, Symantec defines a range of event codes that are reserved for custom configurations?  Or best case...write an API for system events, so that event alerts could be triggered.

    ~Keith



  • 8.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Feb 23, 2012 05:33 PM

    Interesting, but what kind of custom events would you want to insert/post into the DLP DB?

    Also, could it be that those custom events cannot be alerted on via Automatic alert in the DLP console, due to the fact that they are either not being formatted properly, or somehow the Auto alert process is looking for events being inserted/posted from a certain process/account?  Obviously, an engineer could probably easily answer that question...might be worth opening a case?



  • 9.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Mar 07, 2012 10:13 AM

    This is interesting information. We have been concerned over the fact that no easily usable auditing exists in the application. While we were concerned about this, we had not considered handing it off to a SIEM. That is a fabulous idea!

    I hope Symantec runs with this. We had submitted "Audit Logs in the Console" as a feature request.



  • 10.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Mar 12, 2012 12:07 PM

    Hi Bob,

    Thanks for sharing. Can we have any script which can provide an audit report as per requirement?

    Regards

    Kishorilal



  • 11.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Mar 12, 2012 12:20 PM

    Sorry Kishorilal, I don't have any scripts to share with the above suggestions/ideas.  My SIEM tool can read records from databases so that is the route (#3 from original post) I took.

    Bob.



  • 12.  RE: Auditing/Monitoring DLP Administrators and Users

    Posted Mar 13, 2012 06:36 AM

    To view the table AUDITLOG I am using Oracle SQL Developer.

    http://www.oracle.com/technetwork/developer-tools/sql-developer/overview/index.html

    It's a free graphical tool and supports saving to a CSV format.