
Don’t Be Spooked By Ghost DLP Incidents

Symantec DLP’s automation tools remove distracting ghost incidents to improve focus, reduce workloads and ensure compliance

Anyone who operates a management system knows the importance of good data. If you are not working from up-to-date information, you can’t react in the right way; in short, out-of-date information costs you time, effort and quality.

In DLP systems, one barrier to good data is the problem of ghost incidents: incidents that were created from an earlier scan and persist in the system even though the underlying situation has now been resolved. Why are they still there? Because managing data risk is complex. Many organizations rely on manual intervention to close out these ghost incidents. However, this process can be time-consuming and prone to errors, so the data does not get removed. This results in ghost records and a management information system that is out of date.

As a consequence, we see customers are forced to deal with: 

  • Too many ghost incidents cluttering up their management console. 
  • Incident Response teams being overwhelmed by a high volume of DLP incidents that require manual intervention. 
  • Having to satisfy compliance requirements without adding to the workloads of DLP teams.

To address these challenges, we recommend leveraging the automation capabilities of Symantec DLP. And to achieve a high degree of compliance using automation, we suggest configuring the Remediation Detection Preference, which verifies the sanity of the data before automatically closing the Symantec DLP incidents using REST APIs. Remediation Detection Preference is the linkage between DLP incidents for files found in earlier scans and the current state observed in the subsequent scans for those same files. This linkage between scans can be used for the safe closure of DLP Incidents.

Steps to follow to keep the DLP Program clean and eliminate ghost DLP incidents.

Steps to follow to set up automation using Symantec DLP:

  1. Create a Symantec DLP Network Discover target with the following configuration: Scheduling, Incremental Index, Remediation Detection Preference.
  2. Set up End User Remediation to recruit a wider army of remediators.
  3. Create a cron job or Scheduled Task that uses the Symantec DLP REST API to close incidents when the appropriate Remediation Detection Status is set on the DLP incident.
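
The closure decision behind step 3, as an added example (not Symantec's code or REST API): it closes only incidents that are still open and that a later scan marked as remediated, and it refuses an unusually large batch. The field names, status labels, batch cap and the `close_fn` wrapper around the REST call are all assumptions.

```python
from datetime import date

# Placeholder field names and status labels (assumptions, not product API names):
# map them to what your Enforce Server reports for Remediation Detection Status.
SAFE_STATUSES = {"REMEDIATED"}
OPEN_STATES = {"New", "Escalated"}
MAX_PER_RUN = 3  # assumed cap: larger batches are held for human review

def skip_reason(inc):
    """Return None if the incident is safe to auto-close, else why it is not."""
    if inc["state"] not in OPEN_STATES:
        return "already closed"
    if inc.get("remediation_status") not in SAFE_STATUSES:
        return "remediation not confirmed"
    if inc.get("rescanned_at") is None or inc["rescanned_at"] <= inc["created_at"]:
        return "no later scan verified the file"
    return None

def plan(incidents, max_per_run=MAX_PER_RUN):
    """Split incidents into IDs to close and a {id: reason} map of the rest."""
    to_close, skipped = [], {}
    for inc in incidents:
        reason = skip_reason(inc)
        if reason is None:
            to_close.append(inc["id"])
        else:
            skipped[inc["id"]] = reason
    if len(to_close) > max_per_run:
        raise RuntimeError(f"{len(to_close)} closures exceed cap {max_per_run}")
    return to_close, skipped

def run(incidents, close_fn, dry_run=True):
    """close_fn(ids, note) wraps the REST call; it is never invoked in a dry run."""
    to_close, skipped = plan(incidents)
    if to_close and not dry_run:
        close_fn(to_close, "Auto-closed: later scan confirmed remediation")
    return to_close, skipped

# Constructed sample records, not real incident data.
SAMPLE = [
    {"id": 101, "state": "New", "remediation_status": "REMEDIATED",
     "created_at": date(2024, 1, 1), "rescanned_at": date(2024, 1, 8)},
    {"id": 102, "state": "New", "remediation_status": "NOT_REMEDIATED",
     "created_at": date(2024, 1, 1), "rescanned_at": date(2024, 1, 8)},
    {"id": 103, "state": "Resolved", "remediation_status": "REMEDIATED",
     "created_at": date(2024, 1, 1), "rescanned_at": date(2024, 1, 8)},
    {"id": 104, "state": "New", "remediation_status": "REMEDIATED",
     "created_at": date(2024, 1, 9), "rescanned_at": date(2024, 1, 8)},
]
```

Run the job with `dry_run=True` first and review the skipped map before letting it close anything.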

With Symantec DLP, you can automatically identify DLP Incidents using scheduled Network Discover scans, inform data owners about incidents via End User Remediation, receive confirmation of data sanitization, verify data with DLP policies in combination with Remediation Detection Preference and automatically close verified incidents—all without manual intervention. 

By automating the DLP process, your team can save time and reduce the risk of manual errors. We at Symantec are committed to helping you modernize, optimize, and protect your security programs. If you need help implementing these automation features, please don't hesitate to contact Symantec.

About the Author

Bharat Pallod

Senior Manager, R&D Software

Bharat has worked in the security software industry since 2001 and has specialized in DLP since 2009. He currently leads Symantec's DLP Network Discover and End User Remediation in the DLP product suite.
