
Symantec DLP console should show incidents based on "Reported On" instead of "Occurred On"

Created: 12 Jul 2012 | 3 comments
Mohammed Safder

Well, I am bringing this highly critical issue to the notice of the Product Management Team.

While DLP does a fantastic job in identifying the incidents and reporting to Enforce server, the console has a limitation because of sorting with "Reported On".

In my environment, consultants frequently go on business visits for 4-12 weeks carrying their laptops. When they are back, all incidents raised from that particular laptop during their onsite visit are reported to the Enforce server, but because the console sorts incidents based on the "Reported On" time stamp, the new incidents creep into the 250th or 300th page of the console, for example. This poses a serious security threat, wherein incidents creep into the back-dated pages. This way DLP Admins never come to know about new incidents which do not show up on the 1st page of the console. I strongly believe any new incident has to come up at the top of the 1st page.

Solution: Console UI should be sorted based on "Reported On" or "Incident ID". The advantage will be that any new incident reported to the server, irrespective of the date it occurred, will come up on the 1st page as soon as we log in to the DLP console.

If you are willing to see a demonstration of this issue, how it is a nightmare in production, or to understand the gravity of it, feel free to reach me.

Overall Product works wonderfully and I AM A HAPPY CUSTOMER.

Comments

stephane.fichet

Mohammed,

I agree with your point. Possible workarounds for that (while waiting for DLP to provide this functionality) are:

- ordering by incident ID (clicking on it will perform this)

- using the XML export of incidents, as it contains three different dates

      - Detection date, this is the "occurred on"

      - Creation date, this is the "reported on"

There are also some other dates included in this export. So the information is available, even if Enforce doesn't use it (yet). I hope Symantec will be able to provide this feature soon (and also using all "note" dates, as when you perform some audit of confirmed data leakage and the processing done by an analyst, it is quite difficult to do it in Enforce).

- performing some status update once the incident has been assessed by an analyst, so that you can always check "New" incidents even if they were detected a few months ago.

 I hope my comment will help you.

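The XML-export workaround described in the comment above can be scripted. The following is an added example, not part of the original thread and not Symantec code: it re-sorts exported incidents by creation ("reported on") date and flags those reported long after detection ("occurred on"). The element names, the `id` attribute and the ISO date format are assumptions, and the sample export is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample export. Element names are assumptions for illustration,
# not the actual Enforce XML export schema; adjust them to match a real export.
SAMPLE_EXPORT = """\
<incidents>
  <incident id="1001">
    <detectionDate>2012-07-10T09:15:00</detectionDate>
    <creationDate>2012-07-10T09:16:00</creationDate>
  </incident>
  <incident id="1002">
    <detectionDate>2012-04-02T14:30:00</detectionDate>
    <creationDate>2012-07-11T08:05:00</creationDate>
  </incident>
  <incident id="1004">
    <detectionDate>2012-07-09T16:45:00</detectionDate>
  </incident>
</incidents>
"""

def triage(xml_text, max_lag=timedelta(days=1)):
    """Return (ordered, late, skipped): rows sorted newest "reported on" first,
    ids whose reporting lag exceeds max_lag, and ids with unusable dates."""
    ordered, skipped = [], []
    for inc in ET.fromstring(xml_text).iter("incident"):
        inc_id = inc.get("id")
        try:
            occurred = datetime.fromisoformat(inc.findtext("detectionDate").strip())
            reported = datetime.fromisoformat(inc.findtext("creationDate").strip())
        except (AttributeError, ValueError):
            # Missing or malformed date: surface it instead of dropping it silently.
            skipped.append(inc_id)
            continue
        ordered.append((inc_id, occurred, reported, reported - occurred))
    ordered.sort(key=lambda row: row[2], reverse=True)
    late = [row[0] for row in ordered if row[3] > max_lag]
    return ordered, late, skipped

if __name__ == "__main__":
    rows, late, skipped = triage(SAMPLE_EXPORT)
    for inc_id, occurred, reported, lag in rows:
        flag = "LATE" if inc_id in late else ""
        print(inc_id, reported.isoformat(), occurred.isoformat(), lag, flag)
    print("skipped:", skipped)
```
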
Mohammed Safder

Stephane,

I am aware of these workarounds and am using the same for my day-to-day operations. In the interest of the large community of DLP Admins, this feature has to be included in the product, hence this post.

Thank you.
