Data Loss Prevention

  • 1.  Integration between Symantec DLP and HP Openview

    Posted Jun 13, 2011 10:22 AM

    Hi everyone,

    I've been asked if we can integrate Symantec DLP and HP OpenView such that incidents created on the Enforce platform can be viewed in OpenView, so that they can monitor all the systems through a single view and, once they see an incident in HP OpenView, only then open the Enforce platform to manage the incident cycle.

    If this can be done, how?

    Thanks in advance



  • 2.  RE: Integration between Symantec DLP and HP Openview

    Posted Jun 13, 2011 11:01 AM

    HP OpenView, I believe, does have a syslog receiver. So you could syslog your incidents to it via a response rule, including a link to the incident snapshot via the $INCIDENT_SNAPSHOT$ variable in the syslog message. By role and configuration of an attribute to control access, you could limit access as well to only incidents that have been syslogged (set a "flag" in an attribute on the same syslog response rule).

    ~Keith



  • 3.  RE: Integration between Symantec DLP and HP Openview

    Posted Jun 14, 2011 08:51 AM

    Or any other Security Information and Event Management (SIEM) system?  Where can I find a list of what information (variables) can be passed onto a third party system via syslog response rule?  You gave the example of $INCIDENT_SNAPSHOT$.  Where can I find a complete list of what can be added to the syslog message?  Also is there a character limitation?



  • 4.  RE: Integration between Symantec DLP and HP Openview

    Posted Jun 14, 2011 09:26 AM

    Yes. ArcSight actually already has a DLP connector, so if you follow their guides with regards to the message format, you don't need to do anything around configuring the connector. Syslog of incident data is a response rule that can be configured on any policy. So you can send syslog events to any other SIEM system that will receive them.

    Best place to get a "list" of variables that can be included is to go to look at the Email response rule (build a dummy one, for instance).  On that screen, they list all the variables that can be included in the email message.  These same variables can be used in the syslog message.

    There is a message length constraint on syslog messages, but I don't recall what it is.  This is dictated by the protocol, not the DLP application.

    ~Keith
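To make the two answers above concrete, here is an added, self-contained Python example that is not part of the thread and not Symantec's or HP's code. It renders a syslog response rule template by substituting $NAME$ variables into a constructed incident record, frames the result as an RFC 3164 syslog packet (which caps the packet at 1024 bytes, the protocol-level constraint Keith refers to) and flags truncation, and then parses the packet the way a receiver such as OpenView or a SIEM would to recover the incident snapshot link. Only $INCIDENT_SNAPSHOT$ is named in the thread; $INCIDENT_ID$, $POLICY$ and $SEVERITY$ are assumed placeholders standing in for whatever the Email response rule screen lists on a real installation, and the hostname, URL and incident values are constructed sample data.

```python
import re
from datetime import datetime, timezone

# --- Constructed sample data (not from any real Enforce server) ---
# $INCIDENT_SNAPSHOT$ is the variable named in the thread. The other names
# ($INCIDENT_ID$, $POLICY$, $SEVERITY$) are assumed placeholders for whatever
# the Email response rule screen lists on a real installation.
SAMPLE_INCIDENT = {
    "INCIDENT_ID": "12345",
    "POLICY": "PCI Credit Card Numbers",
    "SEVERITY": "High",
    "INCIDENT_SNAPSHOT": "https://enforce.example.internal/ProtectManager/IncidentDetail.do?value=12345",
}

# Message body in the style of a syslog response rule template (assumed layout).
TEMPLATE = ('DLP incident=$INCIDENT_ID$ policy="$POLICY$" '
            'severity=$SEVERITY$ snapshot=$INCIDENT_SNAPSHOT$')

RFC3164_MAX_BYTES = 1024  # BSD syslog packet limit (RFC 3164, section 4.1)

VAR_RE = re.compile(r"\$([A-Z_]+)\$")


def render_message(template, incident):
    """Substitute $NAME$ variables from the incident; unknown names stay literal."""
    return VAR_RE.sub(lambda m: str(incident.get(m.group(1), m.group(0))), template)


def unresolved_variables(message):
    """Variable names left unsubstituted, e.g. a misspelled name in the rule."""
    return VAR_RE.findall(message)


def build_syslog_packet(message, facility=4, severity=5, hostname="enforce01",
                        tag="SymantecDLP", when=None):
    """Frame as RFC 3164 '<PRI>TIMESTAMP HOSTNAME TAG: MSG' and enforce the
    1024-byte limit. Returns (packet_bytes, truncated)."""
    when = when or datetime(2011, 6, 13, 10, 22, tzinfo=timezone.utc)
    # RFC 3164 timestamp: 'Mmm dd hh:mm:ss' with a space-padded day of month.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    header = f"<{facility * 8 + severity}>{ts} {hostname} {tag}: "
    packet = (header + message).encode("utf-8")
    if len(packet) > RFC3164_MAX_BYTES:
        # A receiver would cut here anyway; flag it so the rule author can
        # shorten the template (e.g. drop long free-text fields) instead.
        return packet[:RFC3164_MAX_BYTES], True
    return packet, False


HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$", re.S)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_syslog_packet(packet):
    """Receiver side: split the header, then pull key=value fields out of the
    body. Returns None if the packet is not RFC 3164 shaped."""
    m = HEADER_RE.match(packet.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("msg")):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "fields": fields,
    }


def forward_incident(incident, template=TEMPLATE):
    """End to end: render the rule template, check it, frame it, parse it back."""
    msg = render_message(template, incident)
    packet, truncated = build_syslog_packet(msg)
    return {"unresolved": unresolved_variables(msg),
            "truncated": truncated,
            "parsed": parse_syslog_packet(packet)}


if __name__ == "__main__":
    result = forward_incident(SAMPLE_INCIDENT)
    print("snapshot link:", result["parsed"]["fields"]["snapshot"])
    print("truncated:", result["truncated"], "unresolved:", result["unresolved"])
```

On the receiving side the `snapshot` field is the value to surface in the console so an operator can jump from the OpenView or SIEM event straight to the Enforce incident. The `unresolved_variables` check catches a variable name typed wrongly in the rule (it would otherwise be forwarded literally), and the truncation flag shows why a long policy name or subject line can push the snapshot link off the end of a 1024-byte message: put the link early in the template rather than last.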