Data Loss Prevention

  • 1.  DLP 12.1 Automated Gathering Additional Data for IP Incident

    Posted Jun 11, 2014 05:17 PM

    I have been looking around the net and did find a few things that might help me out, but I'm surprised this issue isn't more pervasive on the forum.

     

    The situation is, I get an Incident like FTP/PHI and all I have in the incident is the IP.  I have databases where I can link the IP to a username [realtime] which will allow me to offload the incident to a data owner instead of the security team doing work.  I could automatically export the database daily or hourly into CSV and pull it from there.

    How do you guys deal with it?

    I do see this from a couple of years ago:

    https://www-secure.symantec.com/connect/forums/liveldaplookup-using-substrings

     

    Thanks,

    Rich



  • 2.  RE: DLP 12.1 Automated Gathering Additional Data for IP Incident

    Trusted Advisor
    Posted Jun 11, 2014 09:29 PM

    Rich,

    So you could do this with a CSV lookup. I would create your CSV file and make sure that it is automatically updated every night and saved to the SymantecDLP\plugins directory. I am not sure, but you may have issues with writing over an existing file when it is being used; try and see.

    You will then need to create a CSV lookup that has 2 columns (IP address and Username)

    You will then need to set the

    attr.sender-ip = ipcolumn

    attr.Username=usernamecolumn

    keys=ipcolumn

    This should work, though keep in mind that this will RUN ON ALL events (Endpoint, Web, Network, and Discover), so it might break some things.

    You might want to look at a script, where you can control the type of incidents.

    Ronak

    If this answers your question, please mark this solved.



  • 3.  RE: DLP 12.1 Automated Gathering Additional Data for IP Incident

    Posted Jun 12, 2014 04:02 PM

    Thanks Ronak for your reply.

    I'm pondering writing a scripted SQL query to retrieve these attributes, because DHCP changes constantly and having that data be old isn't ideal.  I'm glad you brought up the file-in-use issue too, because I'm pretty sure I'll run into that problem as well.

    I'll keep searching for answers.  In a different post someone was referencing a plugin guide for DLP 11.  I just looked through my DLP12 documentation and I don't see that PDF, so I'm looking for that as well.

     

    Rich



  • 4.  RE: DLP 12.1 Automated Gathering Additional Data for IP Incident

    Trusted Advisor
    Posted Jun 13, 2014 01:45 AM
    Rich,

    You may not run into the file issue, because the lookup is stored in memory, so there may not be a file lock on it. I don't remember, but try it out.

    Also, as far as a SQL script goes, keep in mind the overhead of running another program that is not native to the application. In addition, there might be permission issues with running a program from within a JVM. This is why I run VB or other scripting languages.

    Ronak
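The thread describes two things without showing either: the two-column CSV the lookup plugin consumes (posts 2) and the "file in use" problem of overwriting that CSV while Enforce may be reading it (posts 3 and 4). The following is an added example written for this page; it is not Symantec's code and not from any of the posters. It builds the IP-to-username CSV from DHCP-lease-style records, keeps only the newest lease per IP, rejects malformed rows, and swaps the file into place atomically. The column names `ipcolumn` and `usernamecolumn` come from the plugin mapping quoted in post 2; the lease records, the `SAMPLE_LEASES` list, the function names and the output path are all constructed for illustration.

```python
"""Build the IP -> username CSV that a DLP CSV Lookup plugin can key on.

Added example, not Symantec's code. Assumes the column names used in the
thread's plugin mapping (attr.sender-ip = ipcolumn, attr.Username =
usernamecolumn, keys=ipcolumn). Lease records below are constructed.
"""
import csv
import ipaddress
import os
import tempfile
from datetime import datetime

IP_COL = "ipcolumn"        # key column the plugin matches sender-ip against
USER_COL = "usernamecolumn"

# Constructed sample DHCP-lease rows (hypothetical): (ip, username, lease_start).
# The same IP appears twice because DHCP hands addresses back out; only the
# most recent assignment may win, and blank or invalid rows must be dropped.
SAMPLE_LEASES = [
    ("10.20.30.40", "jsmith",  "2014-06-11 08:00:00"),
    ("10.20.30.40", "rwhite",  "2014-06-11 14:30:00"),  # newer lease, same IP
    ("10.20.30.41", "agarcia", "2014-06-11 09:15:00"),
    ("10.20.30.41", "agarcia", "2014-06-10 09:15:00"),  # older duplicate
    ("not-an-ip",   "bogus",   "2014-06-11 10:00:00"),  # rejected
    ("10.20.30.42", "",        "2014-06-11 10:00:00"),  # empty user, dropped
    ("2001:db8::10", "kchen",  "2014-06-11 11:00:00"),  # IPv6 is fine
]


def latest_assignments(leases):
    """Reduce raw lease rows to one username per IP, keeping the newest lease.

    Returns {ip: username}. Invalid IPs and empty usernames are skipped so a
    bad DHCP row cannot poison the lookup table.
    """
    newest = {}
    for ip, username, started in leases:
        username = username.strip()
        if not username:
            continue
        try:
            ip = str(ipaddress.ip_address(ip.strip()))  # normalise, reject junk
        except ValueError:
            continue
        ts = datetime.strptime(started, "%Y-%m-%d %H:%M:%S")
        if ip not in newest or ts > newest[ip][1]:
            newest[ip] = (username, ts)
    return {ip: user for ip, (user, _) in newest.items()}


def write_lookup_csv(assignments, path):
    """Write the lookup file atomically.

    The CSV goes to a temp file in the same directory and is then renamed
    over the live file, so a reader never sees a half-written file. On POSIX
    the rename succeeds even if the old file is open; on Windows os.replace
    still fails if another process holds the destination open.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".lookup-", suffix=".csv", dir=directory)
    try:
        with os.fdopen(fd, "w", newline="") as fh:
            writer = csv.writer(fh)
            writer.writerow([IP_COL, USER_COL])
            for ip in sorted(assignments):
                writer.writerow([ip, assignments[ip]])
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)  # do not leave a partial temp file behind
        raise
    return path


def load_lookup_csv(path):
    """Read the CSV back the way a keyed lookup would: IP -> username."""
    with open(path, newline="") as fh:
        return {row[IP_COL]: row[USER_COL] for row in csv.DictReader(fh)}


def refresh_lookup(leases, path=None):
    """One refresh cycle: reduce leases, write atomically, read back."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="dlp-lookup-"), "ip_to_user.csv")
    write_lookup_csv(latest_assignments(leases), path)
    return load_lookup_csv(path)


if __name__ == "__main__":
    for ip, user in refresh_lookup(SAMPLE_LEASES).items():
        print(f"{ip} -> {user}")
```

Run this from the scheduled job that exports your DHCP or database data and point `path` at the file the CSV Lookup plugin reads. The temp-file-plus-rename pattern removes the half-written-file hazard; whether Enforce keeps a handle on the live file (the open question in posts 2 through 4) still has to be confirmed on your own server, and on Windows an open handle will make the final rename fail rather than corrupt the file.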