Data Loss Prevention

  • 1.  Monitoring of Exception in DLP

    Posted Dec 18, 2011 05:42 AM

    I have a policy with a blocking response that acts on some detection rule and group rules. But as per business requirement our client wants to block sending mail on some particular detection rule for a group of AD users (say g1, g2, g3), but wants for another group (say g4) not to block but just to monitor. That means they want reporting of incidents for g4.

    Now the problem is that if I add the other group g4 in exceptions then it will also not create an incident. Please suggest some solution or alternate way to do this.



  • 2.  RE: Monitoring of Exception in DLP

    Trusted Advisor
    Posted Dec 19, 2011 02:47 AM

    hello

     I think the only way is to create two different policies:

    1 with response rules which block the action for g1, g2 and g3

    1 with response rules which do not block the action for g4 (so you will have monitoring for this group)

    And if one day Symantec allows the use of logical OR in policy definition (and in profile definition, which will be helpful too) you will be able to merge these two policies into one. I had the same issue and didn't find any other way to do it.



  • 3.  RE: Monitoring of Exception in DLP
    Best Answer

    Posted Dec 19, 2011 05:05 AM

    The same will be possible with the below as well:

    Rule 1 -  g1, g2 & g3 and severity = High

    Rule 2 - g4 and severity = Low

    Response Rule - Block Incidents with condition where severity = High



  • 4.  RE: Monitoring of Exception in DLP

    Posted Dec 19, 2011 05:47 AM

    Thanks to both of you.

    Stephane - I was also thinking of the way suggested by you. Although it requires replication of policies, creating them in two different groups will work clearly.

    Denis - It seems quite well with your solution. But I don't know what would happen if detection rule (d1) is set to high severity and some group rules have different severity, like group rule g1, g2 as medium, g3 as high and g4 as low. Please clarify.




  • 5.  RE: Monitoring of Exception in DLP

    Posted Dec 19, 2011 06:17 AM

    The block response rule will only apply to the severity condition specified in the response rule. For example, in this case:

    Response rule (r1) = Block incidents where severity = High

    will only apply to

    Detection rule (g3) = Set Incident severity High

    g1, g2 (Medium) and g4 (Low) will perform Monitoring only, unless an appropriate Response rule has been configured.
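    As an added illustration of the severity-based approach from the best answer and the reply above (this is example code written for this thread, not code from the original posts or from Symantec DLP), the following Python model shows why every group still gets an incident while only the High-severity group is blocked, and why the "exception" approach from the first post loses the g4 incidents entirely. The names Policy, Incident, evaluate and evaluate_with_exception are hypothetical; a sender is assumed to belong to a single group.

    ```python
    """Added example (not from the DLP forum thread or the product): a small
    model of severity-driven response rules in a single policy.  All class and
    function names here are hypothetical, not the product's API."""
    from dataclasses import dataclass
    from typing import Dict, Optional, Set


    @dataclass
    class Policy:
        # Severity the detection rule assigns by default (post 6 uses Medium).
        detection_severity: str
        # Group rules: AD group -> severity that overrides the default.
        group_severity: Dict[str, str]
        # Response rule: block only when the incident severity equals this.
        block_on_severity: str = "High"


    @dataclass
    class Incident:
        sender_group: str
        severity: str
        action: str  # "block" or "monitor"


    def evaluate(policy: Policy, sender_group: str,
                 content_matches: bool) -> Optional[Incident]:
        """Severity approach: every detection match creates an incident, so g4
        is still reported; only the response rule decides block vs monitor."""
        if not content_matches:
            return None
        severity = policy.group_severity.get(sender_group,
                                             policy.detection_severity)
        action = "block" if severity == policy.block_on_severity else "monitor"
        return Incident(sender_group, severity, action)


    def evaluate_with_exception(policy: Policy, sender_group: str,
                                content_matches: bool,
                                exceptions: Set[str]) -> Optional[Incident]:
        """Exception approach from the first post: an excepted group is removed
        from the match itself, so no incident (and no report) is produced."""
        if sender_group in exceptions:
            return None
        if not content_matches:
            return None
        return Incident(sender_group, policy.detection_severity, "block")


    def run_report(policy: Policy) -> Dict[str, str]:
        """Constructed sample: one matching message from each group; returns
        the action taken per group so the difference is visible at a glance."""
        sample_messages = {"g1": True, "g2": True, "g3": True, "g4": True}
        report = {}
        for group, matched in sample_messages.items():
            incident = evaluate(policy, group, matched)
            report[group] = "none" if incident is None else incident.action
        return report


    if __name__ == "__main__":
        # Configuration from post 6: detection rule Medium, g3 High, g4 Low,
        # response rule blocks High only.
        p = Policy("Medium", {"g1": "Medium", "g2": "Medium",
                              "g3": "High", "g4": "Low"})
        print(run_report(p))
        print(evaluate_with_exception(p, "g4", True, exceptions={"g4"}))
    ```

    Running the block prints a report where g3 is blocked and g1, g2 and g4 are monitored (incidents exist for all four), whereas the exception variant returns no incident at all for g4, which is exactly the reporting gap the original question was trying to avoid.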



  • 6.  RE: Monitoring of Exception in DLP

    Posted Dec 19, 2011 06:56 AM

    Denis,

    As I tested, I need to put the detection rule as medium and I can put the group rules' severity accordingly for monitoring and blocking. Then I can set a response rule for high severity incidents for blocking.

    It's working great now.


    Thanks a lot guys.

    Warm regards,

    Yusuf Khan

    -------------------------------------

    Tech Specialist – Wipro Arabia

    --------------------------------------