Data Loss Prevention


To be able to store incidents locally

  • 1.  To be able to store incidents locally

    Posted Sep 29, 2015 11:42 AM

    I drafted an idea for this one; however, like before, I thought of putting this up as a discussion item to investigate whether there is a known workaround for this already

    sounds unlikely to me though :-)

    Below is the link to the idea - like it/click agree, if you feel this feature would really make any positive difference to all of us managing large DLP environments.

    https://www-secure.symantec.com/connect/ideas/ability-choose-store-incident-data-locally-instead-database

     



  • 2.  RE: To be able to store incidents locally
    Best Answer

    Broadcom Employee
    Posted Sep 30, 2015 08:57 AM

    For DLP this feature was delivered in v14 this year. The feature is called External blob Storage. The incident data is stored on the file system instead of in the Oracle database. This keeps the DB small while allowing for incidents not to bloat the DB size.

    As a roadmap consideration we are also looking to the cloud, and with that new product coming next year the Oracle database will no longer be an issue for end users.



  • 3.  RE: To be able to store incidents locally

    Posted Sep 30, 2015 03:06 PM

    Is this optional or from v14 onwards all data is stored on the file system?

    What happens during upgrade where TBs of information is stored already in the Oracle Database?



  • 4.  RE: To be able to store incidents locally

    Broadcom Employee
    Posted Sep 30, 2015 07:09 PM

    It is optional. We don't migrate items into or out of an existing database. To be clear, this does not eliminate the need for Oracle but just reduces the DB size for future events.



  • 5.  RE: To be able to store incidents locally

    Posted Oct 01, 2015 01:13 PM

    Excellent! So if someone has an incident retention requirement, let's say for 90 days, how do we phase out and phase into the new architecture gradually? Any thoughts on that would be appreciated.



  • 6.  RE: To be able to store incidents locally

    Posted Oct 05, 2015 12:55 PM

    Has someone been through this already? Is there a phased migration strategy (considering the existing retention plans)?



  • 7.  RE: To be able to store incidents locally

    Posted Oct 06, 2015 12:11 PM

    My understanding is this is a setting you select and from that time forward attachments are stored externally.
    You can also change back but as previously stated you can't import attachments that are stored externally.

    It is also my understanding that you can delete the externally stored attachments without impacting DLP or the database, as only a link to the attachment is stored, so if the attachment is not there it doesn't impact DLP operation.



  • 8.  RE: To be able to store incidents locally

    Posted Oct 06, 2015 04:39 PM

    Okay - but you can access all incidents simultaneously from Enforce, right? Irrespective of where they are stored (database or externally)?



  • 9.  RE: To be able to store incidents locally
    Best Answer

    Posted Oct 06, 2015 04:46 PM

    All incidents are still accessed from the UI. It's just the attachments that are stored externally. Clicking the link in the UI takes you to the attachment. If the attachment is gone (as in deleted), it's just a dead link; it doesn't impact the other incident data stored in the database, so you will still see the matches highlighted, incident history, can change status, etc.



  • 10.  RE: To be able to store incidents locally

    Posted Oct 07, 2015 08:25 AM

    To further understand this - I have incident a, b, c, & d on external storage & I have x, y, z incidents on database.

    UI can access all a, b, c, d, x, y, & z?

    In other words, would the Incidents tab in Enforce show ALL incidents irrespective of where they are stored??



  • 11.  RE: To be able to store incidents locally

    Posted Oct 07, 2015 01:57 PM

    This site is having issues.  I tried to post an answer, it went to "awaiting moderation" then I'm told the moderator deleted the answer.  Sorry but I tried!



  • 12.  RE: To be able to store incidents locally

    Posted Oct 07, 2015 05:55 PM

    Is it not a yes/no type of answer? Why would that get moderated?

    @Moderators: Appreciate if you could help in this case.

    @DLP_Security_Engineer: could you send me a PM then in that case.



  • 13.  RE: To be able to store incidents locally
    Best Answer

    Posted Oct 08, 2015 12:59 PM

    Yes, all incidents are still in the database and hence in the UI; only the attachments are stored externally, with a link to them in the UI.



  • 14.  RE: To be able to store incidents locally

    Posted Oct 08, 2015 02:38 PM

    Thank you!!! Much appreciated, DLP_Security_Engineer



  • 15.  RE: To be able to store incidents locally

    Posted Oct 09, 2015 11:17 AM

    Symantec has posted an alert with regards to the external storage of incident attachments feature.  Please see the posted alert for more details:

    https://support.symantec.com/en_US/article.ALERT1905.html 



  • 16.  RE: To be able to store incidents locally

    Posted Oct 19, 2015 04:53 PM

    Thank you, Andy Etzel. This Alert is an absolute shocker. We've dropped all plans to use this feature until this stabilizes.

    Issues with Data Loss Prevention 14 external storage for incident attachments
    http://www.symantec.com/docs/ALERT1905

     



  • 17.  RE: To be able to store incidents locally

    Broadcom Employee
    Posted Oct 26, 2015 01:48 PM

    A hotfix is now available from support for the alert mentioned earlier in the thread. If you have external blob storage turned on or are looking to do so, reach out to support and they will be able to provide the hotfix.