
DLP Data Insight

Created: 03 Sep 2012 • Updated: 10 Sep 2012 | 6 comments
This issue has been solved. See solution.

 Good afternoon,

I have a few questions regarding DLP’s Data Insight component:

1) How is the tracking of classification done on the files?

a) Imagine the following scenario –

File A on folder A is classified as “Confidential IT” with DLP platform via Indexed Documents

User A sends file A to user B (via e-mail, file copy, etc…)

User B attempts to send this information to outside of the company

Does file A retain the classification it originally had as “Confidential IT” or is the classification lost since it was passed from User A to User B?

b) Imagine the following scenario –

We are using manual tagging of files to classify the type of information, and User B is malicious and is trying to send information outside of the company.

User A creates File A and adds the tag “Confidential IT File” to the file, which is then saved in a shared area of the department classified by DLP as “Confidential IT”.

User B who also has access to the same shared area of the department but not to send confidential information outside of the company, edits File A and removes only the tag “Confidential IT File”.

After doing this, the file is no longer classified as Confidential since it has no tag, so User B should have no problem in sending this information outside.

Is there a way to prevent this problem from occurring? What is the best way to do it?

Thanks to anyone that can provide some knowledge on this.



stumunro:

Depending on what it is, you can do a VML or a DCM rule to match the document with DLP. Data Insight by itself will not stop the file from leaving. Data Insight will tell you who is accessing the file and who has accessed the file. Also, depending on the response rule, you can choose to block the email or encrypt it if you have a solution in place.

ARRKNINE:

Hope the following example answers your question.

User A creates an Excel file with company confidential information.

A policy has been created in the DLP system which can identify the confidential information contained in the Excel file.

A malicious user B who has legitimate access to this information renames this file with extension .pdf and attempts to email it to his personal account.

Symantec DLP Detection server will identify the file type based on the file signature and will treat it as an .xls file. Further, it will run a check on the content, and if a positive match is found with a policy, an incident will be generated and an appropriate content action will be taken.

If you need further clarification please contact me directly.
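The file-signature check described in the reply above, as an added example (not Symantec's code and not the detection server's actual logic): the file's leading bytes decide its type, and a workbook renamed to .pdf or .zip is flagged as a mismatch. The signature table uses the well-known magic numbers for OLE2, PDF, zip and PNG; the sample files, the `EXPECTED_TYPE` mapping and the `check_file`/`scan` helpers are constructed for this example.

```python
"""Identify a file's real type from its leading bytes instead of its extension.

Added example, not Symantec's code: a minimal "file signature" check of the kind
the post describes, flagging a workbook that was renamed to .pdf. The signature
table uses the well-known magic numbers; sample files are constructed in memory.
"""
import io
import os
import zipfile

# Leading bytes -> container type (assumption: the standard magic numbers).
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # legacy .xls/.doc/.ppt (OLE2 compound file)
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # plain zip or OOXML (.xlsx/.docx)
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Which detected type each extension is allowed to carry (constructed mapping).
EXPECTED_TYPE = {
    ".xls": "ole2", ".doc": "ole2", ".ppt": "ole2",
    ".pdf": "pdf",
    ".xlsx": "xlsx", ".docx": "docx", ".zip": "zip",
    ".png": "png",
}


def _refine_zip(data: bytes) -> str:
    """OOXML files are zips; peek inside to tell a workbook from a document."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"
    if "xl/workbook.xml" in names:
        return "xlsx"
    if "word/document.xml" in names:
        return "docx"
    return "zip"


def detect_type(data: bytes) -> str:
    """Return the container type implied by the file's leading bytes."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return _refine_zip(data) if name == "zip" else name
    return "unknown"


def check_file(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the detected type."""
    ext = os.path.splitext(filename)[1].lower()
    actual = detect_type(data)
    expected = EXPECTED_TYPE.get(ext)
    # Only call it a mismatch when both sides are known and disagree.
    mismatch = expected is not None and actual != "unknown" and actual != expected
    return {"filename": filename, "declared": ext, "actual": actual, "mismatch": mismatch}


def make_sample_xlsx() -> bytes:
    """Constructed stand-in for a real workbook: a zip with the OOXML part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed sample files: a legacy workbook, the same bytes renamed to .pdf,
# a genuine PDF header, and an OOXML workbook renamed to .zip.
OLE2_HEADER = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
SAMPLE_FILES = {
    "quarterly_figures.xls": OLE2_HEADER,
    "holiday_photos.pdf": OLE2_HEADER,          # renamed workbook
    "brochure.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "archive.zip": make_sample_xlsx(),          # renamed OOXML workbook
}


def scan(files: dict) -> list:
    """Return the results for every file whose bytes contradict its extension."""
    results = [check_file(name, data) for name, data in files.items()]
    return sorted((r for r in results if r["mismatch"]), key=lambda r: r["filename"])


if __name__ == "__main__":
    for result in scan(SAMPLE_FILES):
        print(f'{result["filename"]}: declared {result["declared"]}, actually {result["actual"]}')
```

The extension is consulted only to decide whether the declared and detected types disagree; the type itself always comes from the bytes, which is why the renamed workbook is still treated as a workbook and still subject to the content check.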

ShawnM:

I guess the additional info I would put out here is about Data Insight itself. Data Insight is not meant to be a DLP component in the sense that it will tag sensitive data. Data Insight adds context to incident information. Specifically, Data Insight is used to monitor user access, permissions, and file changes for the data at rest in your environment. This includes Windows Servers, SharePoint, and NAS devices. Its main purpose is to help ensure the right people have access to the right information, and to help identify access to files in your environment.

The added benefit of the Data Insight component in a DLP deployment is the added context that can be provided. Imagine your scenarios but without the context of the data going out. Imagine you simply haven't identified your sensitive data at rest. You decide to put a scan out there and look for a new classification of sensitive information. If you hit File A and find that it is sensitive, Data Insight can quickly and easily identify the true permissions and file owner of that file. Employee A may have a need to access it, but Employee B does not. Within the incident you can easily see who the last 5 users to access the file were, to identify the exposure your organization may have. If Employee B is on that list and doesn't have a need to access the file, you can quickly take action.

Further usage could include moving the data that has been scanned at rest to a secure location. With that, you could then use the example given above to create an IDM index, or use the content contained therein for a VML profile. This would allow you to have more coverage of potential sensitive information within your organization.

The example you pointed out about a user stripping a tag off is part of the reason we don't rely on using the tagging type system that some other vendors use. Data Insight is more about adding context and giving you the ability to help remediate incidents that you do find, but more so on the Data at Rest front as opposed to the Data in Motion vector.

Hope that helps!

Symantec Corporation | Sr Systems Engineer | CISSP, CCSK, VCP

If a post solves your problem, please flag it as solved.

If you like an item, please give it a thumbs up vote.
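The point made above, that content-based indexing is not defeated by a user removing a tag, as an added example (not Symantec's IDM implementation and not code from this thread): a simplified document fingerprint built from hashed five-word windows recognises the protected document by its text, so the copy with the "Confidential IT File" line stripped, and even a lightly edited copy, still classify as confidential while an unrelated document does not. The window size, the threshold, the sample documents and the `classify`/`match_score` helpers are assumptions made for this example.

```python
"""Content-based matching that survives removal of a classification tag.

Added example, not Symantec's IDM implementation: a simplified document
fingerprint (hashed five-word shingles) that recognises a protected document by
its content, so stripping a "Confidential IT File" tag does not unclassify it.
Sample documents are constructed for the example.
"""
import hashlib
import re

SHINGLE_WORDS = 5   # assumption: window size for the fingerprint


def _tokens(text: str) -> list:
    """Lower-case word tokens; punctuation and layout are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> set:
    """Set of hashed overlapping word windows for a document."""
    words = _tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


def build_index(docs: dict) -> dict:
    """Index protected documents by name (the equivalent of indexing data at rest)."""
    return {name: fingerprint(text) for name, text in docs.items()}


def match_score(index: dict, text: str) -> tuple:
    """Best (document name, fraction of the candidate's windows found) over the index."""
    cand = fingerprint(text)
    if not cand:            # too short to fingerprint
        return None, 0.0
    best_name, best = None, 0.0
    for name, fp in index.items():
        score = len(cand & fp) / len(cand)
        if score > best:
            best_name, best = name, score
    return best_name, best


def classify(index: dict, text: str, threshold: float = 0.5) -> tuple:
    """Classification that depends on content, not on any tag inside the file."""
    name, score = match_score(index, text)
    if score >= threshold:
        return "Confidential IT", name, score
    return "Unclassified", None, score


# Constructed protected document carrying a tag line, as in the question.
PROTECTED = {
    "falcon_plan.txt": (
        "Confidential IT File\n"
        "Project Falcon migration plan. The payroll database moves from the Lisbon "
        "data centre to the Madrid site on the first weekend of October. Cutover "
        "begins at 22:00 local time and the rollback window closes at 06:00."
    ),
}

# Constructed candidates: the tag line removed, a light edit, and an unrelated file.
TAG_STRIPPED = PROTECTED["falcon_plan.txt"].split("\n", 1)[1]
EDITED = TAG_STRIPPED.replace("first weekend of October", "second weekend of November")
UNRELATED = "Lunch menu for Friday: tomato soup, grilled cheese and apple pie. Sign up by Thursday."

INDEX = build_index(PROTECTED)

if __name__ == "__main__":
    for label, text in (("tag stripped", TAG_STRIPPED), ("edited", EDITED), ("unrelated", UNRELATED)):
        print(label, classify(INDEX, text))
```

Because every window of the tag-stripped copy also occurs in the indexed document, its score is exactly 1.0; the edit that changes two words only removes the windows that span those words, so the score drops but stays well above the threshold. Nothing in the classification reads the tag, which is the property the reply relies on.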

JustAnotherBloke:

Data Insight is used to monitor user access, permissions, and file changes.

Could I, for example, use Data Insight to verify that a specific portion of the file is not changed? (for example, the tag that classifies the file as confidential)

ShawnM:

I should probably clarify: when I say "file changes" I mean more the last actual touch/modification of a file. We don't monitor the content of the file, or any data changes to the content, but we monitor the metadata of the file. So we can see things like when the last access changes, last modified, etc. So it's likely we wouldn't see these tags inside your file, especially if it's from some type of RMS system applying tags.
