Data Loss Prevention

  • 1.  Sensitive Information Retrieved or Stored in DLP

    Posted Feb 06, 2014 10:11 PM

    I am evaluating DLP tools for a client.  It has been suggested that the Symantec tool creates a record of the information being targeted (SSN/TIN, PAN, etc) when it is found that includes the sensitive information.  This approach would in fact create a problem by proliferating the target information the tool is being used to search for. 

    1. Is this accurate?

    2. Can the tool be configured to only record and report on the meta-data and type of information found as opposed to storing a copy of the sensitive information?


    Thank you in advance.



  • 2.  RE: Sensitive Information Retrieved or Stored in DLP

    Broadcom Employee
    Posted Feb 06, 2014 11:08 PM

    DLP will check for the data, and any sensitive information that's going out of an endpoint or the network will be detected based on the policy that has been set; this will trigger an incident, which can be reported, and actions can be taken based on the policy set.



  • 3.  RE: Sensitive Information Retrieved or Stored in DLP

    Trusted Advisor
    Posted Feb 07, 2014 03:21 AM

    hi,

    that is quite true, but:

    - all information is stored encrypted in the DLP database. It is accessible only through the Enforce UI, in which you can set a (not too bad) segregation which will prevent non-authorized people from viewing sensitive information (they can have access to general information (username, email, date ...) but not content, if you want).

    - technically speaking, you have to put your DB and Enforce server in a DMZ, to prevent any non-authorized access to the server.

    You will detect incidents in DLP which have to be assessed by some people, and in order to do that they will need to identify data sensitivity and the context in which the action was performed. Of course these people have to be trusted.

    regards.



  • 4.  RE: Sensitive Information Retrieved or Stored in DLP

    Posted Feb 07, 2014 07:32 AM

    The requirement here is for data at rest as well as data in flight.  In fact the need to discover data at rest is somewhat more critical.  The issue is that your tool creates a repository of the sensitive data that in fact exacerbates the issue.



  • 5.  RE: Sensitive Information Retrieved or Stored in DLP

    Posted Feb 07, 2014 07:35 AM

    Stephane;


    Thank you for the reply.  The challenge here is that for something like CC PAN data the requirements for where and how it may be stored are quite rigid.  There are also other data elements that may be discovered that may never be retained, so called Sensitive Authentication Data (SAD).  So while there may be controls over the information retrieved the problem remains that a second copy of the information discovered is in fact created.




  • 6.  RE: Sensitive Information Retrieved or Stored in DLP

    Posted Feb 07, 2014 11:28 AM

    Are you working w/ a Symantec Sales Engineer or person?  I'm sure they have had to answer these questions several times whether dealing with PCI or things like classified data.  The Symantec rep can put you in touch with more technical people if need be who would be able to address your specific concerns.


    As mentioned above, the data that is stored is encrypted and the only way to get to the data is through the encryption key created upon installation.  This is why it is recommended to back up the crypto.properties file, or whatever the exact term is.

    Good luck



  • 7.  RE: Sensitive Information Retrieved or Stored in DLP

    Posted Feb 08, 2014 09:35 PM

    Enforce console users can be put into Roles. A common role is an Incident Responder. Users in this role will usually have access to the incident summary, but not the PCI or PII data that triggered the policy violation.
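The two points the thread circles around, recording only metadata about a discovered match (question 2 in the opening post) and letting an incident responder see the summary without the matched PCI data (the roles described in the reply above), are illustrated by the following added example. It is not code from the thread or from Symantec DLP: the file contents, the per-installation key, the record fields and the role names are all constructed for the illustration. The discovery scan validates candidate card numbers with a Luhn check, and the persisted record holds the location, data type, a last-four mask and a keyed hash token for correlation, never the matched value itself.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, asdict

# Constructed sample "share" (not real data): the HR note carries a
# 16-digit order reference that is not a valid card number.
SAMPLE_FILES = {
    "/share/finance/refunds.csv": "cust,card\nalice,4111111111111111\nbob,5500000000000004\n",
    "/share/hr/notes.txt": "Meeting at 10. Order ref 1234567890123456.\n",
}

# Hypothetical per-installation secret, standing in for the install-time
# key the thread mentions; in practice it would live outside the code.
TOKEN_KEY = b"hypothetical-install-time-key"

# Candidate digit runs; the Luhn check below removes most non-PAN numbers.
CANDIDATE_RE = re.compile(r"\b\d{13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a 13-16 digit run that fails it cannot be a card PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class IncidentRecord:
    """What gets persisted: where, what kind, a mask and a token; never the value."""
    location: str
    line: int
    data_type: str
    masked: str  # last four only, enough for the data owner to confirm the hit
    token: str   # keyed hash, so repeat hits correlate without storing the PAN


def make_record(path: str, line_no: int, pan: str) -> IncidentRecord:
    token = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return IncidentRecord(path, line_no, "PAN", masked, token)


def scan(files: dict) -> list:
    """Data-at-rest discovery over an in-memory file map; returns metadata records."""
    records = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in CANDIDATE_RE.finditer(line):
                if luhn_ok(m.group()):
                    records.append(make_record(path, line_no, m.group()))
    return records


# Role-gated views, modelled on the Enforce role separation described in the
# thread (role names are illustrative, not product role names).
ROLE_FIELDS = {
    "incident_responder": ("location", "line", "data_type"),
    "pci_reviewer": ("location", "line", "data_type", "masked", "token"),
}


def view_for_role(record: IncidentRecord, role: str) -> dict:
    """Project a record down to the fields a role is allowed to see."""
    fields = ROLE_FIELDS[role]
    return {k: v for k, v in asdict(record).items() if k in fields}


if __name__ == "__main__":
    for rec in scan(SAMPLE_FILES):
        print("responder view:", view_for_role(rec, "incident_responder"))
        print("reviewer view: ", view_for_role(rec, "pci_reviewer"))
```

Running the block yields two records from refunds.csv and none from the HR note, whose 16-digit order reference fails the Luhn check. The responder view carries only location, line and data type; the reviewer view adds the mask and token. Because the raw PAN is never written into the record, the discovery repository does not become the second copy of cardholder data the opening post is worried about, and the keyed token still lets a reviewer tell whether two incidents concern the same card.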