Data Loss Prevention

  • 1.  Can I planning sends incidents DLP ?

    Posted Oct 04, 2013 06:42 AM

    Hello all,

    Please, I want to know if it is possible to schedule the sending of DLP incidents every day between 12h and 14h; it's urgent.

    Thanks for your help.



  • 2.  RE: Can I planning sends incidents DLP ?

    Broadcom Employee
    Posted Oct 04, 2013 06:51 AM

    Where do you want to send? From where, server or agent?



  • 3.  RE: Can I planning sends incidents DLP ?

    Trusted Advisor
    Posted Oct 04, 2013 07:26 AM

    If you want to send a report, yes, it is possible. In the report definition you can schedule it to be sent (with or without CSV export).

    Just go to the All (Network/Discover/Endpoint) report menu and click on the schedule icon on the right of the report to be sent.



  • 4.  RE: Can I planning sends incidents DLP ?

    Posted Oct 04, 2013 09:56 AM

    Hello all,

    Is it possible to schedule the receipt of incidents (Endpoint & Network) from DLP Agents on the Enforce Server every day between 12h and 14h?

    Thanks for your reply,



  • 5.  RE: Can I planning sends incidents DLP ?

    Trusted Advisor
    Posted Oct 04, 2013 10:02 AM

    Oops, sorry, I didn't get your first question.

    Not sure there is a nice way to do it (except maybe starting your endpoint server only during this period and performing all admin operations on the agent at this time, but that does not sound so clean).

    Did you try to reduce "Bandwidth Throttle" in the agent configuration in order to reduce the bandwidth used in communication to the server?



  • 6.  RE: Can I planning sends incidents DLP ?

    Posted Oct 04, 2013 10:26 AM

    No, we can't stop the Endpoint Server; it's not recommended.

    Yes, we have reduced the "Bandwidth Throttle" in the agent configuration, but our customer needs to schedule the receipt of incidents on the Enforce Server. I want to know if there's a procedure for that?

    Thanks



  • 7.  RE: Can I planning sends incidents DLP ?

    Posted Oct 04, 2013 10:50 AM

    Let me clarify your doubt, please.

    You want to ask that incidents should come to the Enforce Server between 12 hrs and 14 hrs only.

    It is not possible. Please note that if any policy/detection rule is violated, DLP will trigger an incident and at the same time report/send it to the Enforce Server.

    However, if you want to display/show that incident to the user only between 12 hrs and 14 hrs, then you need to use role-based access control.

    Roles determine what a user can see and do in the Enforce Server administration
    console. For example, the Report role is a specific role that is included in most
    Symantec Data Loss Prevention solution packs. Users in the Report role can view
    incidents and create policies, and configure Discover targets (if you are running
    a Discover Server). However, users in the Report role cannot create Exact Data or
    Document Profiles. Also, users in the Report role cannot perform system
    administration tasks. When a user logs on to the system in the Report role, the
    Manage > Data Profiles and the System > User Management modules in the
    Enforce Server administration console are not visible to this user. 



  • 8.  RE: Can I planning sends incidents DLP ?

    Broadcom Employee
    Posted Oct 05, 2013 08:04 AM

    Not very clear on your question.

    You said:

    Is it possible to schedule the receipt of incidents (Endpoint & Network) from DLP Agents on the Enforce Server every day between 12h and 14h?

    Do you mean send the report to the recipient every day between 12h and 14h?

    If so, I think you can configure a scheduled report, but the scheduled report only supports sending the report every day; it cannot be configured to send between 12h and 14h.



  • 9.  RE: Can I planning sends incidents DLP ?

    Posted Oct 07, 2013 01:03 AM

    By design, DLP endpoint agents, Detection servers and Enforce communicate on demand, whenever network connectivity is available. It is not recommended to play around with this. While not recommended, you may still achieve what you are looking for via the below:

    a) Add a secondary NIC card to the concerned detection server. Example:

    • Primary NIC: 192.168.1.2
    • Secondary NIC: 192.168.1.40

    b) Ensure that all other DLP servers are communicating with the hostname and not IP

    c) Configure all DLP servers to use 'hosts' lookup and provide the Primary NIC IP in the hosts file.

    This way all DLP components/servers will communicate with the concerned detection server over the Primary NIC interface. Moreover, any management activity or communication with other Active Directory components will happen via the secondary NIC.

    d) Create two batch files as below:

    • Enable.bat - netsh interface set interface "Primary interface" ENABLE
    • Disable.bat - netsh interface set interface "Primary Interface" DISABLE

    e) Schedule the Enable/Disable scripts according to your schedule requirements.

    This way the concerned DLP detection server will send incidents only when the NIC card is in an Enabled state.

    Note: This is not a recommended configuration as it may cause the below issues:

    • Flood of incidents when the NIC is enabled. This may cause extremely high bandwidth utilization.
    • Too much disk space usage on the DLP detection server due to queuing of incidents in cache.
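
Steps d) and e) of the last reply, together with a check for the failure cases its note lists, as an added PowerShell example (not part of the original post and not Symantec tooling). The adapter alias "Primary interface" is taken from the post's batch files; the `C:\Scripts` folder, the `D:` queue drive, the 20 GB threshold and the task names are assumptions, and the cmdlets used require Windows Server 2012 or later.

```powershell
# Added example; adapter alias comes from the post's batch files, the rest are assumptions.
param(
    [string]$Adapter    = 'Primary interface',
    [string]$ScriptDir  = 'C:\Scripts',  # assumed folder holding Enable.bat / Disable.bat
    [string]$QueueDrive = 'D',           # assumed drive where the detection server queues incidents
    [int]$MinFreeGB     = 20,            # assumed alert threshold
    [switch]$Register                    # run once with -Register to create the tasks
)

if ($Register) {
    # Step e): run Enable.bat at 12:00 and Disable.bat at 14:00, every day, as SYSTEM.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $jobs = @(
        @{ Name = 'DLP-NIC-Enable';  At = '12:00'; Bat = 'Enable.bat'  },
        @{ Name = 'DLP-NIC-Disable'; At = '14:00'; Bat = 'Disable.bat' }
    )
    foreach ($job in $jobs) {
        $bat     = Join-Path $ScriptDir $job.Bat
        $action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$bat`""
        $trigger = New-ScheduledTaskTrigger -Daily -At $job.At
        Register-ScheduledTask -TaskName $job.Name -Action $action -Trigger $trigger `
            -Principal $principal -Force | Out-Null
    }
    return
}

# Watchdog mode (schedule separately, e.g. hourly): catch the failure cases from the note.
$problems = @()
$now      = (Get-Date).TimeOfDay
$inWindow = ($now -ge [TimeSpan]'12:00') -and ($now -lt [TimeSpan]'14:00')
$enabled  = (Get-NetAdapter -Name $Adapter -ErrorAction Stop).Status -ne 'Disabled'

if ($inWindow -and -not $enabled) {
    $problems += "'$Adapter' is still disabled inside the 12h-14h window; incidents keep queuing."
}
if (-not $inWindow -and $enabled) {
    $problems += "'$Adapter' is enabled outside the 12h-14h window; the Disable task did not run."
}
$freeGB = [math]::Round((Get-PSDrive -Name $QueueDrive).Free / 1GB, 1)
if ($freeGB -lt $MinFreeGB) {
    $problems += "Drive ${QueueDrive}: has $freeGB GB free (< $MinFreeGB GB); queued incidents may fill the disk."
}

$problems | ForEach-Object { Write-Warning $_ }
if ($problems.Count -gt 0) { exit 1 }
```

A non-zero exit code from the watchdog run can be picked up by whatever monitoring already watches the detection server.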