Data Loss Prevention

  • 1.  Symantec - DLP 14.6 release function for prevent incidents

    Posted May 17, 2018 10:44 AM

    Hello,

     

    We currently have a range of incidents that are being blocked where we would like the ability to release a blocked incident in certain situations.

     

    Does the Symantec DLP 14.6 solution provide the ability to release incidents which have been blocked by policy in the tool? If so, is this easy to implement?

     

    Many thanks,

     

    AJ



  • 2.  RE: Symantec - DLP 14.6 release function for prevent incidents

    Trusted Advisor
    Posted May 19, 2018 09:49 PM

    hi,

    You cannot release a "blocked" incident. If you want to manage a release, there are two ways to do it:

    - good one: don't block but quarantine the message. DLP itself is not able to do this, so DLP will just add a header to mail that has to be quarantined, and you need to set up a gateway to manage quarantine after the DLP servers. If you use SMG (Symantec gateway), there are some existing plugins which allow you to release a message based on incident assessment (the incident could be reviewed in the DLP console and then released by the person who reviews it).

    - "bad" one (at least it is a workaround if you do not have a gateway to manage quarantine): use a specific code to bypass the policy and add it as an exception in your policy. So if someone wants to release a message, he will have to request the code and resend the same email adding the code in it.

     

     Regards



  • 3.  RE: Symantec - DLP 14.6 release function for prevent incidents
    Best Answer

    Trusted Advisor
    Posted May 21, 2018 02:24 PM

    AJ,

    As Stephan mentioned, the best way is to quarantine the email and then use your MTA to hold the email for X number of days (configurable in most MTAs). Once quarantined, the email will need to be released and sent, based on someone's approval.

    SYMC Mail gateway has the integration done seamlessly, so the release aspect works through the DLP console. In order to do this with a different MTA, it would require someone to log into the MTA's console and manually release it OR build a custom Flex Response API that you can call from the DLP console. (I know that ProofPoint is building (about to release) an API process so someone can build this)

     

    Hope this helps..

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE.
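
The quarantine flow described in replies 2 and 3 (DLP tags the message with a header, a gateway after the DLP servers holds it until a reviewer approves), sketched as an added example that is not from the thread or from Symantec. The header name and value, the class and the use of Message-ID as the quarantine key are all assumptions; the sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: placeholder header; use whatever your DLP response rule is configured to add.
QUARANTINE_HEADER = "X-Example-DLP-Action"
QUARANTINE_VALUE = "quarantine"


class QuarantineGateway:
    """Toy hop after the DLP servers: hold flagged mail, release on approval."""

    def __init__(self):
        self.held = {}       # Message-ID -> held message
        self.delivered = []  # messages handed to the next hop
        self.audit = []      # (message_id, reviewer) for every release

    def receive(self, raw):
        msg = email.message_from_bytes(raw, policy=policy.default)
        flags = [str(v).strip().lower() for v in msg.get_all(QUARANTINE_HEADER, [])]
        if QUARANTINE_VALUE in flags:
            self.held[str(msg["Message-ID"])] = msg
            return "held"
        self.delivered.append(msg)
        return "delivered"

    def release(self, message_id, reviewer):
        msg = self.held[message_id]  # KeyError if nothing is held under that id
        sender = parseaddr(str(msg["From"]))[1].lower()
        if reviewer.lower() == sender:
            raise PermissionError("sender cannot approve their own release")
        del self.held[message_id]
        del msg[QUARANTINE_HEADER]   # strip the flag so later hops do not hold it again
        self.audit.append((message_id, reviewer))
        self.delivered.append(msg)
        return msg


# Constructed sample messages (not real traffic).
FLAGGED = (b"From: Alice <alice@example.com>\r\nTo: bob@example.net\r\n"
           b"Message-ID: <1@example.com>\r\nX-Example-DLP-Action: quarantine\r\n"
           b"Subject: report\r\n\r\nbody\r\n")
CLEAN = (b"From: alice@example.com\r\nTo: bob@example.net\r\n"
         b"Message-ID: <2@example.com>\r\nSubject: lunch\r\n\r\nbody\r\n")

if __name__ == "__main__":
    gw = QuarantineGateway()
    print(gw.receive(CLEAN), gw.receive(FLAGGED))
    gw.release("<1@example.com>", "reviewer@example.com")
    print(len(gw.delivered), gw.audit)
```

The release path refuses approval by the original sender and records who approved, so each released message can be tied back to the reviewer.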



  • 4.  RE: Symantec - DLP 14.6 release function for prevent incidents

    Posted Jul 02, 2018 10:31 AM

    Hi both,

     

    Thank you for the guidance, we are currently exploring the Quarantine option through MTA.

     

    Can mark this as resolved