Data Loss Prevention

 View Only
Back to Library

What Protection Does Symantec DLP Provide? A Note for Beginners 

Jan 18, 2012 10:04 AM

What Protection Does Symantec DLP Provide?

In this article, I would try to provide some basics about DLP. This article is for beginner who wants to understand the following about DLP:

Where does DLP fit?

What does DLP do and what protection it provides?

To start with let’s see endpoint protection. Endpoint protection has antivirus, anti spyware, network threat protection (host based firewall and host based intrusion prevention) and proactive threat protection which protects based on behavior of a program. But, it doesn’t warn or stops user from copying something which is sensitive on CD/DVD or USB drive, say for example, thousands of customer sensitive information being written on USB drive.

Similarly, perimeter security also does not stop a user from sending sensitive information over email or over HTTP/HTTPS or FTP. There is no way endpoint or perimeter or network security identifies that which data is sensitive.

Therefore, DLP technology came into picture where security is built around data itself. So, once DLP is in place, data loss through endpoints (CD/DVD or USB drive or floppy drive), and data loss through network (email, HTTP/HTTPS or FTP or any TCP/IP protocol for that matter) can be prevented. So, we can say DLP fits around data itself.

Sensitive information can be defined by writing ‘rule’ in DLP.

DLP primarily focuses on the following channels for preventing data loss:

1. Endpoints (desktop/laptop)

2. Network (email, HTTP/HTTPS or FTP)—also called as data in motion

3. Data residing at file server, NAS, hard drive of server – also called as Data at rest.

For endpoints there is an agent which is installed on the endpoints. That agent monitors all data going outside that endpoint against the ‘rule’ which is defined centrally. Rule is very critical and important aspect of DLP. Endpoint agent communicates with DLP server located centrally whenever user connects on network. It generates an incident whenever DLP rule is violated. Depending on how DLP is configured, endpoint agent can monitor or even prevent the data copy to external drive. Now question arises here is- desktop admin can always uninstall the DLP endpoint agent once he comes to know about it? Answer is no, uninstalling the DLP endpoint agent requires uninstallation password. Also, we are assuming that user may not have admin rights on his laptop/desktop. There are many advanced control in latest version of DLP (ver 11.x.x) to hide and protect DLP agent on endpoints from damage.

Network DLP requires DLP network component to be present inline (or like a sniffer) with email traffic (corporate email) and/or web traffic (proxy servers)

Data at rest component scans for target mentioned, for any sensitive information. Once found, it can generate incident and/or move the data to safer location and leave a mark there, stating that this data is moved to safer location. It can also provide the contact information of the person, in case user wants to retrieve the data.

In the heart of all three channels resides the ‘rule’. Defining the rule is very critical and should be done very carefully. Defining the rule is a huge subject in itself. Symantec, however, helps with many templates across different kind of industries- viz- Pharma, Banking and finance etc. Organizations mature in years in terms of defining the rule to block the traffic. Rules are required to be fine-tuned over a period of time to reduce false positives.

DLP has the following components:

1. DLP Enforce where policy can be defined and administration can be done. Incidents can also be viewed.

2. Database Server- DLP uses Oracle as database to store incidents and other information.

3. Endpoint Servers- These are used to manage endpoint agents.

4. Network Prevent / Web Prevent Servers for protection with respect to email/web.

5. Discover Server used for identifying sensitive data on various storage like NAS, HDD, file server etc.

I hope this article has at least given the very basic understanding of how DLP works. DLP is very vast solution in itself and can be configured to achieve many objectives. It is a must for organizations who wants to protect their information from leaking/theft. Data loss/theft is mostly done from an insider, knowingly or unknowingly.

Statistics
0 Favorited
13 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Migration User
Jun 25, 2015 07:05 AM

Appreciated for making this useful document.

Migration User
Jun 09, 2014 03:18 AM

Good information for Biginers

 

Regards,

Mohan

m@ntec
Jun 10, 2013 01:56 AM

if this quarantine, can view data? example, user will send data? can i view the data before sending??

is that somehting like filtering the incoming data??, sorry that makes me wonder how?

but i am thankful if you advise me thru this.

pete
Jun 09, 2013 11:56 PM

you can configure the policy accordingly to quarnatine if SMG is used or block.

m@ntec
Jun 09, 2013 11:37 PM

hi,

please correct me if i'm wrong Data lost prevention will protect the data, which pass through network and endpoint?  

if user will send thru network like email?? is the data will quarantine or monitor to the DLP monitoring??

 

sorry just very confused, i'm just only a beginner here, i wanna know how it works with the network infrastructure. 

 

 

thank you for help, i apppreciate it,

marj

Migration User
Apr 28, 2012 05:26 AM

1. Lets clarify: Vector Machine Learning is not component that blocks something. VML is technology that helps detect confidential information. Along with other detection methods it helps to make incedent generation process accurate and precise. VML supplements DCM, EDM, and IDM. VML value is in real time mode of content analysis. While other methods use descriptions or digital snapshots which should be corrected/made every time new document added to the system, VML can detect documents in real time. You 'feed' VML with not less than 50 confidential and the same qty of non-confidential docs with the similar structure. VML analyzes them and then makes detection rule. As every detection method VML should be initially fine tuned for some period of time. Then it works fine.

By the way, IDM (Indexed Document Matching) does detect source code with almost 100% accuracy, too.

2. As for ports/protocols. Monitor: SMTP, HTTP, FTP, IM, any TCP-based. Prevent: SMTP, HTTP, HTTPS, FTP.

Migration User
Apr 23, 2012 11:27 AM

Thank you for your comment, we're doing a poc on GTB Technologies Content Aware Reverse Firewall and are very impressed with the results.  Detection is accurate and can block all ports /protocols in realtime.

I understand from linkedin forum users that the machine vector learning, while built for souce code has many false positives

Which ports/protocols can be blocked with sym. version 11.1?

 

Migration User
Apr 23, 2012 09:18 AM

Available starting version 11.1 a new technology Vector Machine Learning is available in Symantec DLP. This self educated approach uses set of sample documents to generate incedents then based on confidential and non-confidential data samples. As experience shows Vector Machine Learning works very effective with source code. None of other DLP providers has such technology in their products.

Migration User
Mar 02, 2012 06:24 PM

  We're looking to protect source code, how accurate is the detection based on content?  We've heard it's difficult to move from monitoring to blocking due to false positives.  Any suggestions?

Migration User
Jan 26, 2012 04:15 AM

Actually you're right, but both acronims make sense.

Symantec and Gartner (where SDLP leads 4th year in a row) use Data Loss Prevention for DLP.
 

Migration User
Jan 26, 2012 04:12 AM

Good and useful article! A lot of Symantec customers are interested in this globally leading solution.

I'd like to mention one more SDLP component - Data Insight.

Data Insight is fully developed by Symantec and it's purpose to help investigate incidents. Data Insight could tell a lot about document under investigation. It tells who is the owner, who is editing document frequently, etc. Very useful SDLP component. Data Insight is located in corporate LAN and works with storage (data at rest).

Migration User
Jan 19, 2012 10:56 PM

This is the excellent article  :)

Migration User
Jan 19, 2012 09:18 AM

Thanks a lot AR, actually, this article, expalins basic concepts of DLP very nicely.

To start with, every information security enthusiast should read this article before going in depth to know about DLP

AR, and others, I have a question!

I have never understood why DLP is Data Loss Prevention when actually it does not stop data from losing (Accidental deletion/corruption) nor does it address integrity of data, well, what it actually does is - stops information from LEAKING out.

So it looks like Data Loss Prevention is a misnomer - it should be Data Leak Prevention.

Do you agree?

Migration User
Jan 19, 2012 03:12 AM

Really use full information............

DLP kishorilal
Jan 19, 2012 03:03 AM

Thanks AR

I like ur article which is very easy to understand for anyone about DLP.

could u plz share the implementation aspects.Thanks once again for ur effort to make this easy.

Migration User
Jan 19, 2012 02:37 AM

Thanks Avakash and Shahnawaz for your good words!

Migration User
Jan 19, 2012 02:18 AM

Gud overview of the product and nicely described its importance in the eyes of a LAYMAN....Thx !!!

Avkash K
Jan 19, 2012 01:47 AM

Hi A R,

Really nice write up!!

It will be helpfull if you can provide us with the more info. of DLP components & techniques in which this components can be configured.

Related Entries and Links

No Related Resource entered.