DLP incidents response rule configuration

Created: 22 Jun 2011 | 3 comments
Muhammad Ishaq Khan

Hi there:

I have a query regarding Symantec Data Loss Prevention response rule:

  • When some specific user tries to violate a DLP policy, an approval request is generated to his manager; if he/she approves, then DLP delivers normally, otherwise it blocks.

Is this possible through DLP? Kindly guide me.

Best regards

Ishaq

xlloyd

This is the DLP scenario you're looking for:

  1. User does something to violate policy
  2. DLP user CANCEL dialog appears and gives options on whether or not to send
  3. User selects "My manager approved this transaction"
  4. Transaction completes and alert is sent to manager to show that the file is sent even though it violates policy and includes the reason user selects
  5. If the transaction wasn't approved by manager (the user was trying to get around the system) then disciplinary measures are taken

OR

  1. User does something to violate policy
  2. DLP user BLOCK dialog appears and gives options on what message to attach to incident
  3. User selects "My manager approved this transaction"
  4. Transaction is blocked and alert is sent to manager
  5. Manager sees that a transaction was blocked even though it is an approved action
  6. Modification is made to policy
  7. User attempts transaction a second time
  8. Success

This is only possible with DLP Endpoint.

The second option is more secure as it denies by default but is less user-friendly. The first option is more user-friendly but if the user is trying to trick the system, then it can't be stopped.

Hope that helps

~Xavier

Muhammad Ishaq Khan

Dear Xavier,

I need a little more help regarding this query. I want an automatic process: when the approval request is approved, automatically release, else block.

Best regards

ishaq

xlloyd

Hi Ishaq,

DLP doesn't have that kind of automated process. If you imagine trying to send an email with a restricted attachment, copy a file to USB or something... it's very likely that the connection would time out or the host computer's resources would be eaten away before a manager or an administrator actually gets notification of the issue.

That wouldn't be very useful to either party unless the manager gives express permission to "break the rule" beforehand. In which case it would be a simple task to inform the DLP administrator to exclude a certain user from a certain policy for a certain date/time.

Hope that explains it a bit better.

Cheers
~Xavier
