
The Game Changer - Incident Reporting in DLP 16.0

A complete refresh of incident reporting - customized for improved efficiency and control

Incident response is one of the most important functions of a DLP solution. For remediators to be effective, they need access to the right information, and they need it fast. The information they need can also vary by organization, and even over time as priorities change.

With DLP 16.0, we went back to the drawing board to see how we could support even more effective incident response. Through working closely with customers, we recognize the high-pressure environments incident response teams work in. We understand the challenges. On one hand they have to handle large volumes of alerts with limited resources, while on the other hand they have to ensure that the privacy and security of user data is maintained.

In response, we have introduced an intuitive user interface based on direct customer input. This new interface is a game changer. Providing access to all incident data in one place speeds up workflows. We have also designed controls to ensure compliance with privacy requirements. In short, your incident responders get rapid access to the right data without compromising on compliance.

All Incidents in One Place

Symantec DLP now has a brand new “All Channels” report that provides a single unified view of incidents against all control points - Cloud Applications, Discover, Network and Endpoint. This unified report serves as a single pane of glass and provides a quick view of all the incidents in an organization, so remediators no longer need to navigate to separate reports for each channel to see incidents.

Figure 1: Example of the new “All Channels” report showing incidents for all control points in a single view

Fully Customized Reporting - Your Data, Your Way

Customers told us that default reports can be limiting. The data an incident remediator needs might not be available in a single report, adding workload and delay while multiple reports are viewed and correlated. The problem is further complicated because different remediators need different information. A front line responder may need to know whether data protection has been applied, while another incident responder may be more interested in understanding which policy rule triggered the event. Teams that manage different computing environments (Endpoint or Cloud) may need different attributes (e.g., Device ID vs. URL).

With DLP 16.0 we solve this. Users can now customize the incident report view by specifying the attributes or columns they want to see in their incident report and reordering them in the order that makes sense to them. In essence, they can make the report more useful by focusing on the things they care about the most. The ultimate goal is to make remediation quicker and more efficient. This customization and selection of incident attributes is also available for the CSV export of incidents.

Also available in DLP 16.0 is the Export as JSON capability, which exports incidents in a JSON format that can be consumed by external applications.


Figure 2: Example of the customized column view - you choose what to display - and the order - in your report

Less is More - Privacy Compliance Control

Incidents contain sensitive data, and for privacy and compliance reasons organizations want to prevent sensitive data or PII such as credit card numbers, SSNs, SINs, driver's license (DL) numbers, etc. from being exposed to incident remediators.

DLP 16.0 provides the ability to partially or fully mask sensitive or high-risk data within incidents. DLP Administrators can now control whether violation matches are masked, as well as the percentage of each match that is masked. The configured masking applies to incident matches displayed in email notifications, incident snapshots, incident reports, web archives, etc. This lets administrators strike the right balance between giving incident responders enough context to understand an incident and ensuring sensitive data is not over-exposed.

Data masking is where a portion of sensitive data is not displayed. A simple example is a credit card, where the first 9 digits are replaced by an 'x' so only the last 4 digits are shown (e.g. xxxx-xxxx-xxxx-1234). In DLP 16.0, masking can be enabled or disabled depending on user role, and configured to specify what percentage of the match should be masked and where the masking begins: the beginning, the middle, or the end. We also provide default masking patterns, such as PCI-DSS or credit card numbers, that can be used.
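To make the three controls concrete (a per-role on/off switch, a percentage of the match to hide, and a starting position), here is an added Python example of how such masking can be implemented. It is illustrative code written for this post and is not Symantec DLP's implementation; the `MaskingConfig` fields, the `ROLE_MASKING` policy table and the sample card and SSN values are all constructed assumptions. It goes slightly beyond the credit-card case in the text by masking any alphanumeric match while leaving separators visible, and by failing closed (full masking) for a role that has no explicit configuration.

```python
"""Illustrative data-masking routine for DLP incident matches.

Added example, not Symantec DLP code. It models the controls described
in the post: masking enabled per role, a percentage of the match to hide,
and a starting position (beginning, middle or end).
"""
from dataclasses import dataclass
import re

# Only letters and digits carry the sensitive value; separators such as
# '-' and ' ' stay visible so the masked string keeps its recognisable
# shape (e.g. xxxx-xxxx-xxxx-1234).
_MASKABLE = re.compile(r"[A-Za-z0-9]")
_POSITIONS = ("start", "middle", "end")


@dataclass(frozen=True)
class MaskingConfig:
    """Masking settings for one role (field names are assumptions)."""
    enabled: bool = True
    percent: int = 100        # share of maskable characters to hide, 0..100
    position: str = "start"   # where the masked run begins
    mask_char: str = "x"

    def __post_init__(self) -> None:
        if not 0 <= self.percent <= 100:
            raise ValueError(f"percent must be 0..100, got {self.percent}")
        if self.position not in _POSITIONS:
            raise ValueError(f"position must be one of {_POSITIONS}")
        if len(self.mask_char) != 1:
            raise ValueError("mask_char must be a single character")


def mask_match(match: str, cfg: MaskingConfig) -> str:
    """Return `match` with `cfg.percent` of its alphanumerics replaced."""
    if not cfg.enabled or cfg.percent == 0:
        return match
    positions = [i for i, ch in enumerate(match) if _MASKABLE.match(ch)]
    total = len(positions)
    if total == 0:
        return match
    # Round up so a configured percentage never hides fewer characters
    # than requested (e.g. 50% of 9 digits masks 5, not 4).
    count = -(-total * cfg.percent // 100)
    if cfg.position == "start":
        chosen = positions[:count]
    elif cfg.position == "end":
        chosen = positions[total - count:]
    else:  # "middle": centre the masked run, leaving both ends visible
        lead = (total - count) // 2
        chosen = positions[lead:lead + count]
    out = list(match)
    for i in chosen:
        out[i] = cfg.mask_char
    return "".join(out)


# Constructed sample role policy. Roles and their settings are assumptions;
# a real deployment would read these from the administrator's configuration.
ROLE_MASKING = {
    "incident_responder": MaskingConfig(percent=75),    # keeps the last four digits
    "privacy_officer": MaskingConfig(enabled=False),    # sees the full match
}


def render_for_role(match: str, role: str,
                    policy: dict = ROLE_MASKING) -> str:
    """Apply the role's masking; unknown roles fall back to full masking."""
    cfg = policy.get(role, MaskingConfig())   # fail closed: 100% from the start
    return mask_match(match, cfg)


if __name__ == "__main__":
    card = "4111-1111-1111-1234"   # constructed sample, not a real card number
    for pos in _POSITIONS:
        print(f"{pos:>6}: {mask_match(card, MaskingConfig(percent=75, position=pos))}")
    print(render_for_role(card, "privacy_officer"))
    print(render_for_role(card, "contractor"))   # role not in policy -> fully masked
```

Two design choices matter for a privacy control like this: the percentage is rounded up, so a configured 50% can never reveal more than half of the match, and a role missing from the policy table is treated as fully masked rather than unmasked, so a configuration gap errs on the side of less exposure.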

Here is what masking configurations apply to:

  • Matches in the Incident snapshot
  • Matches in Incidents exported via CSV, JSON
  • Matches in Incidents retrieved via REST APIs
  • Matches in Incidents in web archives, etc.

Figure 3: Example of ‘data masking’ applied to credit card numbers displayed in an Incident Report

More Context 

Symantec DLP includes integration with Symantec Web Gateway (SWG) products. Where incidents originate from DLP Network Prevent for Web, DLP 16.0 uses the integration with SWG to show additional attributes and provide more context for remediation. This means that Administrators can better understand an incident from the DLP Enforce console, removing the need to access another console in order to correlate information.

Game Changing Incident Reporting with DLP 16.0

We are excited about the improved incident reporting that has been delivered in DLP 16.0 - you asked and we delivered:

  • Single “All Channels” report
  • Report column customization
  • Privacy controls by masking data accessed by Incident Responders 
  • Enhanced SWG context in DLP Enforce 

Visit the Symantec DLP 16.0 Help Center for more information and let us know what you think!

About the Author

Juhi Kotkar

Product Manager, Information Security

Juhi has been working on the Symantec Data Loss Prevention product for over 10 years where she is responsible for driving the roadmap for the Symantec DLP Management Console, Core Infrastructure and DLP Network Monitor, DLP Network Prevent for Web and Email.
