Symantec DLP Gives You Power to Query and Filter Incident Data

Data Loss Protection (DLP) Programs are complex. Just think about the huge volume of sensitive data, being accessed by users in many locations, across different devices and data locations (endpoint, storage, email, and cloud).  DLP Systems also create many different data incidents and being able to search for specific data is an important requirement for customers. For example, SOC engineers need to verify if Symantec DLP has previously detected specific national data identifiers (like US Social Security Numbers), credit card numbers, addresses, or other personal identifiable information (PII) data instances.

Adding to this complexity is the need to respect the various privacy regulations in force. According to Gartner, "By 2023, 65% of the World's Population Will Have Its Personal Data Covered Under Modern Privacy Regulations". With the advent of such regulations, Symantec DLP can augment our customers' ability to address data owners' requests for deletion, correction, the right-to-be-forgotten, and other business processes.

We are proud that Symantec DLP has helped our customers detect and protect information for years, finding the needle in the haystack through our comprehensive set of detection technologies. However, as the regulatory requirements of privacy have increased, the problem has gotten harder, and customers need to be able to identify not just the needle in the haystack, but a particular needle among millions of needles.

Symantec’s DLP solution, as part of Broadcom Software, has long provided customers with ways to integrate incident data. With the release of DLP 15.7, we delivered a new set of RESTful APIs with multiple advantages over previous solutions. The APIs have been progressively improved as follows: 

• A native, flexible, powerful, and well-documented RestAPI
• The ability to query incidents across different types 
• Fully-fledged filtering capabilities

(For more information, click here)

A good way to understand the capabilities of the RESTful API is through an example.  indexSymantecDLPMatches.py does the following:

1. Sends data to ElasticSearch or Splunk
2. Queries across multiple incident types, with specific filters to control which incidents have been already processed.
3. Provides telemetry for control (i.e., processed incidents, amount of matches extracted)

NOTE: While the use cases are primarily driven by the need to identify PII, the example applies to other important types of information (like, for instance, source code). The example does not provide matches for VML or image-based incidents.

Prerequisites:

• ElasticSearch and Kibana
• Splunk with HEC
• Python 3.8
  • indexSymantecDLPMatches.py is written in Python 3.8
• Symantec DLP 15.8 MP1
  • A user with API privileges (Example)

Before implementing this or any other similar functionality that involves extracting Symantec DLP matches, customers are strongly encouraged to:

1. Ensure appropriate access, authentication, encryption, and data protection controls for the systems that will store the extracted DLP matches. Enterprise Search solutions provide such capabilities. 
2. Test and validate that the extraction process does not adversely impact the performance of the Enforce server

NOTE: The code is a) an example and b) provided as-is, we do not know your computing environment so you need to assess the script’s function and performance before implementing it.

Symantec is excited to introduce the release of DLP 15.7, delivering a new set of RESTful APIs with multiple advantages over previous solutions.  To learn more or contact us, please visit us here.