Symantec DLP 11 Technology Refines Detection Rule Creation

The latest version of Symantec's data loss prevention (DLP) suite features new technology for defining search patterns to detect sensitive information, as well as improved risk assessment and remediation capabilities. The enhancements in Symantec DLP 11 are heavily weighted to the protection of intellectual property (IP) in unstructured data on file servers, NAS and groupware applications such as Microsoft SharePoint.

"In an unstructured data environment, organizations have issues with intellectual property, source code, marketing plans, product designs," says David Dorsin, Symantec's director of product marketing. "It's hard to define--what does a product design or an M and A document look like?"

The new technology, dubbed vector machine learning, addresses one of the most difficult aspects of DLP: defining accurate search rules while minimizing false positives. Enabling rules to detect and block patterns for straightforward patterns, such as credit card and Social Security numbers, is a simple matter, and some organizations will deploy some sort of "DLP light" for that sort of limited purpose, often to help PCI Data Security Standard (PCI DSS) compliance.

However, complex enterprise deployments of products such as Symantec DLP, formerly Vontu, are difficult. Organizations will often focus on using DLP to understand the flow of information through the business and track suspicious activities. This helps identify gaps in security and collect evidence of malicious activity, such as the theft of IP. But companies often will shy away from blocking all but obvious violations because of false positives.

Symantec's suite, like most enterprise DLP systems, identifies sensitive data through a combination of keyword/keyword matching and document fingerprinting. Fingerprinting is used to tag known sensitive documents, generally using a hash. But identifying sensitive data everywhere else is problematic, as organizations struggle to define and refine rules to improve accuracy.Vector machine learning works with examples of sensitive documents and applies statistical analysis to look for common keywords and word patterns, where they fit in the document, and so on. The technology streamlines and, to some extent, automates the process of defining search rules.

Organizations can continue to refine rules by examining known false positive documents to determine what triggered an alert. Symantec DLP also introduces "risk scoring" by identifying hot spots of sensitive data, based on quantity, sensitivity and whether access controls are appropriate.

The release also helps put remediation in the hands of the business owners of the data by issuing a report identifying the files at risk, applicable policies and suggested remediation, such as tighter access controls or file encryption. These features are based on Symantec Insight technology, announced last spring, which infers data ownership by monitoring file access activity.