
Data Discovery

Created: 25 Mar 2010 • Updated: 27 Sep 2010 | 8 comments

I have inherited a DLP that was in place before any data discovery.  What tools are good to scan all shares, networks, PC, etc to determine where all PII or PCI data is?  This tool would need to be smart enough to go and find all shares, all data on the entire network.

Naor Penso's picture

First of all,
What version of Symantec DLP do you have installed?
Have you installed the Network Discover server?
If you wish to scan Endpoints you can install the Endpoint Server.

Secondly,
You need to define what your final goal is; if you "just scan" all shares, you won't get anything, I can promise you that.
By creating a correct method of work you will find the information you are after.
Have you defined what information you are looking for yet?

Regards,
Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

Dan Tanna's picture
  1. I am not sure what version of Vontu I have, how can I tell?
  2. Yes, it is installed.
  3. I have SEP in the works for purchase and deployment within the next few weeks.

Goals:

  1. Initially I want to scan the entire network to determine where PCI data is stored.  I am currently monitoring the typical protocols for DLP however I want to ensure that I know where all PCI data is so that it can be addressed.
  2. Correct Method of work will be based on best practice unless I learn a better way here in these discussions.

Naor Penso's picture

1) Inside the DLP console look at the top left, you should have a button called "about" that will tell you which version is installed.
2) Great start.
3) If you would like to scan Endpoints on your network (and block confidential data transfer in the future) you will also need to install the DLP Agent. The agent will give you the searching ability you are looking for and proactive abilities as well.

About your goals,
1) Since you know that you are looking for PCI data, it would be very easy to run those scans since Symantec DLP has PCI compliance scans out of the box.

About the ability to find network locations,
Symantec DLP has no method of knowing where in the network there is data. You will need to find out on your own; I would suggest that you start with your file servers.

I recommend you read these articles:

Chapter 1 - The Concept of DLP - Define What is Confidential and Find Where it is Stored
Chapter 2 - The Concept of DLP - Monitoring and Blocking Confidential Data

It should help you as best practices. Also use the Admin Guide for more technical information.

Kind Regards,
Naor Penso

Neil Christie's picture

Naor is correct that you will need to determine what shares exist on your network.  We used a utility called sharenum.  I have also used SMS to produce a list of logical drives on every server and workstation.  I then just input all those into a bunch of scan targets and found where the sensitive data resides regardless of whether it was shared or not.  I did this for workstations as well.  The DLP agent is only required if you want to protect the data.

Good Luck.

Dan Tanna's picture

I may have confused this situation.  You see, I was talking about Vontu, which is our DLP product (Agent?) and we have used it for more than a year.  On my GUI there is no About and the Help does not offer one either; however, the comment about the Admin guide was useful because I have it by my desk and it says we have 9.0.

Thank you for the advice on Sharenum and DLP Agent.

jjesse's picture

A couple of things to help you figure this out more:

Naor was talking about the DLP Management Console, which you should access through your web browser. Once you log in to the management console you can then select Help and About to figure out which version of DLP you are using.  If you do indeed have the DLP 9 Admin guide, that is a good place to start learning DLP.

Do you have a network inventory tool such as Microsoft's System Center or even the Altiris Inventory Solution?  Some way to enumerate all the shares on your network? What you could do is dump that list from some inventory system into a CSV or text file and then use this list of shares to create a new discover list.

Do you have a Symantec Partner or a support contract to help you get the two goals accomplished?  Drop me a message if you would like to talk further in private.

Jonathan Jesse Practice Principal ITS Partners
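
The step described in the replies above (export the shares from an inventory tool, then turn that export into a list of scan targets), as an added example that is not part of the original thread and not Symantec tooling. The CSV column names, the sample rows and the one-UNC-path-per-line output are assumptions; check the Admin Guide for the format your DLP version accepts.

```python
import csv
import io

# Constructed sample of an inventory export; the column names are assumptions.
SAMPLE_INVENTORY_CSV = """Host,ShareName,ShareType
FS01,Finance,Disk
fs01,finance,Disk
FS01,IPC$,IPC
FS01,C$,Disk
FS02,HR Records,Disk
FS02,PRINT$,Disk
WS-114,Scans,Disk
WS-114,HPLaser,Printer
,Orphan,Disk
"""

# Shares that never hold user files and only add noise to a scan target list.
NON_FILE_SHARES = {"ipc$", "print$", "admin$"}


def build_discover_list(csv_text, include_admin_drives=True):
    """Return sorted, de-duplicated UNC paths for disk shares in the export.

    include_admin_drives keeps drive-letter admin shares (C$, D$ ...) so that
    data on logical drives is covered whether or not a folder was shared.
    """
    targets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = (row.get("Host") or "").strip()
        share = (row.get("ShareName") or "").strip()
        kind = (row.get("ShareType") or "").strip().lower()
        if not host or not share or kind != "disk":
            continue  # incomplete row, printer queue, or IPC endpoint
        if share.lower() in NON_FILE_SHARES:
            continue
        is_drive_share = len(share) == 2 and share[0].isalpha() and share[1] == "$"
        if is_drive_share and not include_admin_drives:
            continue
        unc = "\\\\{}\\{}".format(host.upper(), share)
        # Windows share names are case-insensitive, so key on the lowered path.
        targets.setdefault(unc.lower(), unc)
    return sorted(targets.values(), key=str.lower)


if __name__ == "__main__":
    for path in build_discover_list(SAMPLE_INVENTORY_CSV):
        print(path)
```

Diffing the output of successive runs shows shares that have appeared since the last discovery scan.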

Neil Christie's picture

The about information is not available under all profiles.  Ensure that you are logged in as an administrator.  The agent that was spoken about is an offering from Symantec to push the scan to the system itself.  If you are not licensed it is not 100% necessary.  It just gives you a faster scan time and allows for some other functionality (the big limitation at this point is no EDM capability on the desktop agent).

Dan Tanna's picture

Thank you everyone.  Please consider this request resolved.