What is Symantec DLP?
Symantec DLP (Data Loss Prevention) is software that finds sensitive information stored on or moving through machines. It lets departments determine which sensitive information needs to stay within the office and which needs to be removed.
How Do I Access DLP?
To log into the DLP console, request access at email@example.com.
Once you have access, you will be able to log in to DLP.
You must be connected to the 02 Restricted VPN, which requires ArchPass Duo authentication, in order to visit the DLP login site.
Once on the 02 Restricted VPN, you can use your MyID and password here: https://dlp.infosec.uga.edu/.
Internet Explorer or Firefox are recommended for logging in to DLP.
There are two main types of scans:
- Discover Scan - Searches for data at rest. Best used on servers, endpoints, or file shares to find sensitive information before data loss prevention controls are enforced through endpoint agents.
- Endpoint Scan - Endpoint agents continuously monitor data in motion (files accessed, saved to the desktop, backed up to an external file share, etc.). These scans are best used to find sensitive information being saved to endpoints and being sent from them (through USB, CD/DVD, print jobs, etc.).
We recommend starting off with doing full scans of endpoints and servers in order to find preexisting sensitive information.
How Do I Run a Discover Scan?
- After logging in with your account, navigate to Manage > Discover Scanning > Discover Targets
From this menu, hover the cursor over 'New Target' to bring up a drop-down displaying a list of choices
If you're planning to scan a server or file share, select Server > File System; to fully scan an endpoint, select Endpoint > File System
- Next, fill out the information about the share/endpoint that you would like to scan
- On the next tab, 'Scanned Content', define the share that you want to scan
- Click 'Specify Content Roots' and then use the 'Add Content Roots' drop-down to fill in the information needed
- For endpoint scans, instead of defining content roots, you specify, using filters, the devices you wish to scan
- Navigate to the 'Filters' tab, and in the 'Include' field enter the IP of the device you wish to scan, preceded by the > symbol
- For example: >172.17.x.x/24
- CIDR notation can be used here for large ranges of IPs; however, to be sure you get your machine(s), enter the individual IPs separated by commas (e.g. >128.192.x.x, >128.192.x.x)
- Click Save after each step so that nothing is lost. Now you are ready to begin scanning with DLP!
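Before committing an endpoint Include filter, it is worth checking offline that every machine you care about actually falls inside it, since a CIDR block typed one octet off will silently scan the wrong hosts. The following Python is an added example written for this page, not code from Symantec or from the DLP console; it assumes only the filter syntax described above (entries separated by commas, each an IP or CIDR block prefixed with >) and does not talk to DLP. The addresses in it are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_include_filter(filter_text: str) -> List[Network]:
    """Parse an Include filter string of the form '>a.b.c.d/24, >e.f.g.h'.

    Assumption (from the page, not verified against DLP internals): every
    entry is prefixed with '>' and entries are comma-separated. Entries
    missing the prefix or not valid IP/CIDR raise ValueError so a typo is
    caught here rather than discovered after an empty scan.
    """
    networks: List[Network] = []
    for raw in filter_text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not entry.startswith(">"):
            raise ValueError(f"entry {entry!r} is missing the '>' prefix")
        # strict=False accepts a host address written with a mask
        # (172.17.10.5/24 becomes 172.17.10.0/24); a bare IP becomes a /32.
        networks.append(ipaddress.ip_network(entry[1:].strip(), strict=False))
    return networks


def build_include_filter(hosts: List[str]) -> str:
    """Build the comma-separated '>' filter for a list of individual hosts,
    validating each address on the way (the page's recommended form when you
    must be sure a specific machine is included)."""
    return ", ".join(f">{ipaddress.ip_address(h)}" for h in hosts)


def coverage(filter_text: str, hosts: List[str]) -> Dict[str, bool]:
    """Map each host to whether at least one filter entry contains it."""
    networks = parse_include_filter(filter_text)
    return {
        h: any(ipaddress.ip_address(h) in net for net in networks)
        for h in hosts
    }


def uncovered_hosts(filter_text: str, hosts: List[str]) -> List[str]:
    """Hosts that the filter would NOT scan; empty means the filter is complete."""
    return [h for h, ok in coverage(filter_text, hosts).items() if not ok]


# Constructed sample: a /24 plus two individual hosts, checked against three
# machines; 128.192.6.20 sits outside every entry and is reported.
SAMPLE_FILTER = ">172.17.10.0/24, >128.192.5.20, >128.192.5.21"
SAMPLE_HOSTS = ["172.17.10.44", "128.192.5.20", "128.192.6.20"]

if __name__ == "__main__":
    for host, ok in coverage(SAMPLE_FILTER, SAMPLE_HOSTS).items():
        print(f"{host:>15}  {'covered' if ok else 'NOT covered'}")
    missing = uncovered_hosts(SAMPLE_FILTER, SAMPLE_HOSTS)
    if missing:
        print("add these entries:", build_include_filter(missing))
```

Run the block as-is to see the constructed sample, or swap in your own filter string and the list of machines the scan is supposed to reach; any host printed as NOT covered needs its own >IP entry added before you save the target.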
A very brief installation guide can be retrieved here.
- Note: As an alternative to simply uninstalling an agent during troubleshooting, you can contact InfoSec to have the agent disabled remotely
How Do I View Scan Results?
For Discover scans, navigate to Incidents > Discover. Just above the list of results is a bar of filters.
After marking results as true or false positives, you can filter by status, the specific scan, target ID, detection date, machine name, and much more.
For even more information on DLP, refer to the manual here.