
correlation in Vontu DLP 11.6.2

Created: 27 Dec 2013 • Updated: 03 Jan 2014 | 9 comments
This issue has been solved. See solution.

There are basically two policies that I am concerned with. One is a policy that violates emails that are flagged as encrypted either by a subject line or confidential flag. The other is our HIPAA policy, which has the encryption policy as an exception. However, despite it being listed as an exception, we are still seeing the encrypted email in our HIPAA violations. I was led to understand that this is due to the correlation being turned and I just need to know how to turn them off so that this filters correctly as well as what the risks are. Any assistance is greatly appreciated.


9 Comments

yang_zhang's picture

I really don't understand your scenario very well...

The correlation is a function of the incidents, but, what you mentioned is your policy.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
stephane.fichet's picture

Hi,

I don't think there is any relationship between correlation and policy.

What you describe looks more like a wrong rule configuration for your exclusion. This has happened to me several times when I didn't check "Apply this exception to ENTIRE MESSAGE" but only applied the exception to "matched component" (which is the default for file type rules).

 Regards

Ariphaneus's picture

Did receive the following document; however, also did look to find that the exception was NOT set to ENTIRE MESSAGE. I have made both changes and will monitor and test.

 

Article ID: 42298

How Do I Turn Off Correlations?

Applies To

 

• Vontu DLP Enforce DLP Enforce

Problem Summary

 

UI performance is slow; want to turn off correlations to improve processing time.

Solution

 

If UI performance is slow, you can turn off correlations to improve processing time.

To turn off correlations:

  1. From the Enforce Server, go to the directory, Vontu\Protect\config\Manager.properties.
  2. Set the property underneath the entry, #whether to display correlations on the incident detail page:
    From:
    com.vontu.manager.incidentdetail.showcorrelations=true
    To:
    com.vontu.manager.incidentdetail.showcorrelations=false
  3. Restart the Vontu Manager service.

 

DLP Enthusiast's picture

Can anybody explain to me what correlation means in DLP? And what effect does it have on performance?

Lion Shaikh's picture

Dear Enthusiast,

 

Incident snapshot correlations tab

You can view lists of the incidents that share various attributes of the current incident.

For example, if the copying of a file triggered the current incident, you can bring up a list of all the incidents that are related to the copying of this file. The Correlations tab shows a list of correlations that are matched to single attributes. Click on attribute values to view lists of the incidents that are related to those values.

To search for other incidents with the same attributes, click Find Similar. In the Find Similar Incidents dialog box that appears, select the desired search attributes. Then click Find Incidents. Archived incidents are not displayed when you search for similar incidents.

Ariphaneus's picture

After turning off correlation and ensuring that the policy rule is applied to the whole message still it continues that we cannot filter out emails with the encryption flag set. 

Ariphaneus's picture

In looking at the items in question I am wondering if it is violating attachments separate from the email? Does this seem likely? We do filter on keywords in the subject line to exclude and that works successfully and doesn't violate on attachments though, so I'm a bit unclear.
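A simplified model of the two exception scopes mentioned in this thread ("ENTIRE MESSAGE" versus "matched component"), added here as an illustration; it is not Symantec's code and not part of any post. The component names, the `[encrypt]` subject tag, the SSN-style pattern and the sample message are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins: a HIPAA-style detection rule and an
# "encrypted mail" exception keyed on a subject-line tag (assumptions).
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ENCRYPT_FLAG = re.compile(r"\[encrypt\]", re.IGNORECASE)

SCOPES = ("entire_message", "matched_component")


@dataclass
class Message:
    # Component name -> extracted text, e.g. "subject", "body", "attachment".
    components: dict


def violating_components(msg, exception_scope):
    """Return the sorted names of components that still raise an incident."""
    if exception_scope not in SCOPES:
        raise ValueError(f"unknown exception scope: {exception_scope}")

    # Components in which the exception condition itself matched.
    excepted = {name for name, text in msg.components.items()
                if ENCRYPT_FLAG.search(text)}

    if excepted and exception_scope == "entire_message":
        # The whole message is taken out of detection.
        return []

    # matched_component: only the component that satisfied the exception
    # is skipped; every other component is still evaluated by the rule.
    return sorted(name for name, text in msg.components.items()
                  if name not in excepted and SENSITIVE.search(text))


# Constructed sample: flag in the subject, sensitive data in the attachment.
SAMPLE = Message({
    "subject": "[encrypt] lab results",
    "body": "Results attached.",
    "attachment": "Patient ID 123-45-6789",
})

if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, "->", violating_components(SAMPLE, scope))
```

In this model the attachment still produces a violation under the component-scoped exception because the flag was matched only in the subject.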

Ariphaneus's picture

Put in a feature request as I am told that you cannot filter based on the violations of another policy.

SOLUTION
DLP Enthusiast's picture

I have a scenario. I have a simple credit card policy and I need to see all the incidents related to a particular credit card number. Can I do that using the correlations?