Data Loss Prevention

There could be some requirements of audit where we need to monitor the users/administrators for their activity in DLP. Since Symnatec DLP is very sensitive and highly confidential apllication and data in Symnatec DLP is precious data of the organisation. So, Symantec DLP is must for monitoring different activities around it by admin, users, security team, etc.

One way of achieving this could be - Symantec makes the events in the AUDITLOG table available in the Enforce console under System-Events.  We could then develop alerts to send these events to a SSIM tool (Symantec Security Information Manager)

We can write an Stored Procedure in Oracle that triggers when there is an insert into the AUDITLOG table. That stored procedure would send the data to some SSIM tool for correlation and alerting.

Alternatively, develop a process to query the AUDITLOG table on a scheduled basis to extract the newest records.  This could be scheduled to run at a scheduled time (minutes/hours). The results of the query would be sent to your SSIM tool for correlation and alerting

A point of caution: Create an Oracle user with READ ONLY access to JUST the AUDITLOG table.  Don’t use the same oracle account you used when installing the Enforce server.

Here is a description and a sample SQL query for the AUDITLOG table.

SQL> desc auditlog

 Name                                      Null?    Type

 ----------------------------------------- -------- -------------------------

 AUDITLOGID                      NOT NULL NUMBER(38)

 TIME                                 NOT NULL TIMESTAMP(6)

 IPADDRESS                      VARCHAR2(2048 CHAR)

 USERNAME                      NOT NULL VARCHAR2(2048 CHAR)

 ROLE                                VARCHAR2(2048 CHAR)

 ENTITY                              NOT NULL VARCHAR2(2048 CHAR)

 ACTION                             NOT NULL VARCHAR2(2048 CHAR)

 DETAIL                              CLOB

# This SQL CODE  USES  “|” as a delimeter between the fields.  Watch out for the last field, detail,  it’s a big one.

SET HEAD OFF

SET TRIM ON

SET WRAP OFF

SET LINESIZE 5000

SET PAGESIZE 9999

SELECT

auditlogid                                      || '|' ||

to_char(time,'DD-MON-YYYY HH24:MI:SS')       || '|' ||

ipaddress                                     || '|' ||

username                                     || '|' ||

role                                                 || '|' ||

entity                                             || '|' ||

action                                             || '|' ||

REPLACE(REPLACE(dbms_lob.substr( detail, 3500, 1 ),CHR(13), ' '), CHR(10), '')

FROM auditlog

ORDER BY auditlogid;

This can give real time auditing/monitoring of activities being done on DLP. These logs can be stored for audit purpose also.