Four Tools For Better DLP Hygiene

Is poor data hygiene derailing the way you manage information security?  Let the data related to how you manage your cybersecurity systems, specifically your alerts and reports, go unmanaged and you end up with duplicate or missing records, and bloated management databases.  The result?  Inefficient processes due to confusion over what actions have been taken, and delays in deciding on the next priority.

Symantec DLP provides complete data security spanning endpoints, networks, storage, web, and cloud.  To help administrators manage the volume of alerts, we provide various tools to help you keep on top of your management data records, i.e. helping you keep the records you need and removing those that you don’t. 

Read on to see how to improve your DLP system data hygiene!

Incident Hygiene - storing and deleting records

Whenever Symantec DLP detects content that violates a policy, it creates an incident.  Organizations have systems and people in place to assess, handle and resolve these incidents.  It can also be important to maintain records related to these incidents, both to store, and where appropriate, delete records.  Managing the hygiene of these records involves the four stages detailed below.  Each of these tools is a complete feature in DLP and is easily available via the Enforce management console. 

1. INCIDENT STORAGE

The DLP Administrator chooses whether to store the entire incident in the database, or if some parts will reside on disk.  This is normally configured during the initial system set up, although it can be modified later.  This is achieved via the BLOB (Binary Large Objects) Externalization feature that enables you to move or store all incident BLOBs to the disk instead of the database. 

This feature can also be enabled on your currently active DLP installation by simply changing one property.  Note, you should allow some time for the physical movement of these BLOBs.  

Refer to “Enabling BLOB externalization” to know more.

2. DATABASE USAGE

As new incidents are generated and the size of the database grows, this feature lets you get a sneak peak at your database usage.  This is called “Database Diagnostics View” and is designed especially for customers using the standard Oracle version.  It shows a wealth of information in the Enforce UI, thus allowing you to know the queries underneath used to fetch all this usage information. 

This feature shows the tablespace and their data files usage, allocation details for all DLP owned tables, indexes, LOB (Large binary Objects) usage so you can determine where the storage stands and take necessary actions.

Refer to “Database Diagnostics” to know more.

3. MARK INCIDENTS FOR DELETION

As the incident ages, or if there are incident records that do not need to be stored (e.g. false positive detections, or alerts that have already been acted on) they can be removed in an automated fashion.  This is possible via the Incident Aging feature in Enforce, allowing you to automatically mark incidents meeting a certain criterion for deletion. 

These incidents can be viewed by saving a report using the necessary filters and then setting this report to flag incidents for deletion.  You can set one report for each channel to fully utilize this feature.

Refer to “Incident Aging” to know more.

4. PURGE INCIDENTS 

Now that we explored how to view space usage and to automatically flag incidents for deletion, we need to physically purge them.  DLP offers a feature called “Incident Deletor'' that will come to your rescue.  This feature will scan DLP tables and delete all the incidents and data associated with the incidents from your database. 

The feature can be accessed via the Enforce UI.  One can start this job on demand or scheduled to run on based on your needs.  The job status is updated in real time to monitor the progress during a big purge.  Historical information of the jobs is displayed in a table which shows the count of incidents deleted in each job and detailed failure information if a job could not finish successfully.

Refer to “Incident Deletion” to know more.

As I’ve just shown, Symantec DLP includes simple steps to help manage your incident data and to free up database capacity by deleting and purging records that are no longer needed.  If you need more information about these capabilities please contact your Symantec DLP representative and request an Information Protection Program Review.