Channel: Symantec Connect

DLP and business activities with third party


DLP does not, as some may imagine, block the release of all confidential data: in many companies even the most sensitive information must be transferred to third parties for legitimate reasons (regulators, business partners, customers, ...). Among other things, this translates into the need to:

  • send an email to external auditors,
  • post documents on data room outside the company,
  • copy a document to a USB key,
  • print a document to be signed by a partner.

In a perfect world, all these processes would be well known, so we could know in advance the potential destinations and who is allowed to perform these actions. Unfortunately, I have rarely encountered this perfect world.

To overcome this problem, employees must be able to request security exceptions (which will of course be duly validated according to the company's existing processes). These exceptions can be anticipated by the business, or requested after an information output has been detected; in the latter case I recommend setting up a specific status in the DLP that identifies the events that gave rise to an exception request.

These security exceptions can then be transferred into the DLP in different ways:

  • adding exception rules (detection, person or destination) to the DLP policies
  • changing detection rules to add or update a specific criterion
  • adapting the rules' severity levels so that different response rule actions are triggered depending on the severity of the incident
  • ...

These methods work well and reduce the number of events to be qualified by the people in charge of the DLP incident handling process. From a security point of view they still have a major drawback: you lose all trace of the release of this confidential information. This is why one can consider a third method, which is to implement a custom lookup plugin that analyzes the incident to see whether it matches a security exception. It has several advantages:

  • It maintains the traceability of confidential information outputs (number of outputs, content, ...)
  • Exceptions can rely on more criteria, because the plugin has access to all the custom attributes (for example the user's department or contract type)

It also has some disadvantages that must not be neglected:

  • This plugin is not provided out of the box, so you will have to develop it.
  • These exceptions cannot be taken into account when deciding whether to start remediation actions (blocking, encryption, quarantine, ...), because lookup plugins are executed by the Enforce server, i.e. after the user's action has already been processed.

Whichever way you implement the management of these exceptions, not taking them into account will result in extra workload for the people in charge of incident assessment, and in the business teams feeling that the security team does not take their needs into account.
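To make the third method concrete, here is an added example (not Symantec's code and not the author's plugin) of the decision a lookup plugin can take: it receives the incident's attributes, including custom attributes such as department and contract type, compares them against a register of validated, time-limited exceptions, and returns the attributes to write back on the incident so that the trace of the output is kept while the incident is marked as covered. The attribute names, the register format and all identifiers, addresses and domains are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ExceptionRule:
    exception_id: str                                  # ticket id from the validation process
    policy: str                                        # DLP policy name, or "*" for any policy
    valid_until: date                                  # exceptions are time-limited and re-validated
    senders: set = field(default_factory=set)          # allowed sender addresses
    destinations: set = field(default_factory=set)     # allowed recipient domains
    departments: set = field(default_factory=set)      # custom attribute values (assumed name)
    contract_types: set = field(default_factory=set)   # custom attribute values (assumed name)


def _allowed(criterion, value):
    """An empty criterion means 'no constraint'; otherwise the value must be listed."""
    return not criterion or value in criterion


def lookup_exception(incident, register, today):
    """Return the attributes to write back on the incident.

    `incident` is a flat dict of attribute name -> value, as a lookup plugin
    would receive it (attribute names are assumed). The first non-expired rule
    whose criteria all match wins; an unmatched incident keeps a neutral
    status so it goes through normal incident handling.
    """
    for rule in register:
        if today > rule.valid_until:
            continue                                   # expired exception: never applied
        if rule.policy != "*" and rule.policy != incident.get("policy"):
            continue
        if not (_allowed(rule.senders, incident.get("sender"))
                and _allowed(rule.destinations, incident.get("recipient_domain"))
                and _allowed(rule.departments, incident.get("department"))
                and _allowed(rule.contract_types, incident.get("contract_type"))):
            continue
        return {"Exception Status": "covered", "Exception ID": rule.exception_id}
    return {"Exception Status": "none", "Exception ID": ""}


# Constructed exception register (ids, policy names and domains are made up).
REGISTER = [
    ExceptionRule("EXC-0042", "Financial statements", date(2016, 12, 31),
                  destinations={"auditor.example"}, departments={"Finance"},
                  contract_types={"employee"}),
    ExceptionRule("EXC-0007", "*", date(2016, 6, 30),      # already expired in October 2016
                  senders={"ceo@corp.example"}),
]

# Constructed incidents, as a lookup plugin would see them.
COVERED = {"policy": "Financial statements", "sender": "alice@corp.example",
           "recipient_domain": "auditor.example", "department": "Finance",
           "contract_type": "employee"}
CONTRACTOR = dict(COVERED, contract_type="contractor")    # same flow, different contract type
EXPIRED = {"policy": "Source code", "sender": "ceo@corp.example",
           "recipient_domain": "webmail.example", "department": "Management",
           "contract_type": "employee"}

if __name__ == "__main__":
    for name, inc in [("covered", COVERED), ("contractor", CONTRACTOR), ("expired", EXPIRED)]:
        print(name, lookup_exception(inc, REGISTER, date(2016, 10, 10)))
```

The contractor case shows the point made above: the same flow to the same auditor is covered for an employee but not for a contractor, a distinction a policy exception rule keyed only on sender and destination cannot make.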


DLP Policy tuning


Tuning DLP policies is a mandatory task: it better protects your information assets and simplifies the work of those who assess DLP incidents.

Unfortunately there are no magic rules or tools for policy tuning. Each DLP expert has his own, based on CSV or XML exports, to help tune DLP policies, and some courage, cleverness and imagination must be added on top.

However, there are a number of guidelines that can help you clean up your mass of DLP incidents:

  • Analyze false positives the same way you analyzed the documents and information to protect, in order to find meaningful patterns. Pattern recognition for these false-positive incidents can be done by asking yourself the following questions:
    • Are these incidents raised by the same user?
    • Are these incidents sent to the same destination?
    • Are these incidents triggered by the same keyword?
    • Are these incidents triggered just above the rule threshold?
    • Are these incidents triggered by the same combination of EDM fields?
    • Does the document triggering my policies contain something specific that I will never find in the documents I want to protect?
    • ... (this is where imagination comes into play)
  • In Symantec DLP, a message can raise more than one incident. Depending on the incident assessment process, this can double the workload for DLP stakeholders. It is therefore necessary to analyze messages that have raised more than one incident. If it always happens for the same set of policies, there may be an overlap between them, so check the following:
    • Were these double incidents triggered by the same source document in my IDM?
    • Were these incidents triggered by the same keywords?
    • Were these incidents triggered by different components?
    • ... (this is where imagination comes into play)

These analyses should allow you to greatly reduce the number of unexpected incidents; the last ones will be the most recalcitrant (and the most interesting), and you must accept that some cannot be removed automatically. To perform these analyses, it is important to give the people in charge of your DLP policy management access to these incidents, especially in the few weeks after a policy creation or update.
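The questions above are easy to ask of a CSV export once the incidents are loaded into a script. The following is an added example, not code from the author or from Symantec, that runs three of those checks over a small constructed export: recurring sender/destination/keyword combinations, incidents that fired at or just above their rule threshold, and policy pairs that repeatedly fire on the same message (the overlap case). Column names are assumptions; a real Enforce export uses its own.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed incident export with assumed column names (not a real Enforce export).
EXPORT = """\
incident_id,message_id,policy,sender,recipient,matched_keyword,match_count,threshold
1,m1,PCI Data,bob@corp.example,bank.example,card number,5,5
2,m2,PCI Data,bob@corp.example,bank.example,card number,6,5
3,m3,PCI Data,bob@corp.example,bank.example,card number,5,5
4,m4,HR Data,hr@corp.example,payroll.example,salary,12,10
5,m5,PCI Data,carol@corp.example,partner.example,account,40,5
6,m6,Confidential,dave@corp.example,drive.example,internal,3,3
7,m6,Customer Data,dave@corp.example,drive.example,customer,20,3
8,m7,Confidential,erin@corp.example,drive.example,internal,3,3
9,m7,Customer Data,erin@corp.example,drive.example,customer,22,3
"""


def load_incidents(text):
    """Parse the export; numeric columns become ints so thresholds can be compared."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["match_count"] = int(row["match_count"])
        row["threshold"] = int(row["threshold"])
    return rows


def repeated_patterns(incidents, fields, min_count=3):
    """Count incidents per combination of `fields` (same user, same destination,
    same keyword, ...) and return the combinations recurring at least min_count times.
    A recurring combination is a candidate for an exclusion or a rule change."""
    counts = Counter(tuple(inc[f] for f in fields) for inc in incidents)
    return {combo: n for combo, n in counts.items() if n >= min_count}


def near_threshold(incidents, margin=1):
    """Incident ids that fired at or at most `margin` matches above the rule threshold:
    these are the ones a slightly higher threshold would silence."""
    return [inc["incident_id"] for inc in incidents
            if 0 <= inc["match_count"] - inc["threshold"] <= margin]


def overlapping_policies(incidents, min_messages=2):
    """Sets of policies that fire together on the same message, counted over messages.
    A set that recurs points at an overlap between those policies."""
    policies_by_message = defaultdict(set)
    for inc in incidents:
        policies_by_message[inc["message_id"]].add(inc["policy"])
    counts = Counter(frozenset(p) for p in policies_by_message.values() if len(p) > 1)
    return {tuple(sorted(combo)): n for combo, n in counts.items() if n >= min_messages}


INCIDENTS = load_incidents(EXPORT)

if __name__ == "__main__":
    print(repeated_patterns(INCIDENTS, ["policy", "sender", "recipient", "matched_keyword"]))
    print(near_threshold(INCIDENTS))
    print(overlapping_policies(INCIDENTS))
```

On the constructed data the first check singles out bob's recurring card-number mails to the bank, the second lists the incidents that barely crossed their threshold, and the third reports that "Confidential" and "Customer Data" fired together on two messages, which is exactly the double-incident situation described above.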

Then you have to translate the analysis results into your DLP policies:

  • by adding exclusions (some rule types may not be available for exception definition)
  • by deleting some criteria from your detection rules (e.g. in your list of 200 keywords, is the one disruptive keyword generating all these false positives really fundamental?)
  • by using another rule type than the one first chosen (keyword or regular expression? regular expression or data identifier? pre-defined file type or custom file type? ...)
  • by transforming a simple rule into a compound rule
  • by changing the content of your IDM
  • by adding a field from your EDM source to your search criteria
  • ... (this is where imagination comes into play)

Many of these tasks can be performed before going live if you have a dedicated environment for testing and some tools to simulate network flows (mail, web, ...) or workstation activities (copy to USB, printing, applications, ...). This environment may also help you validate that your detection rules really detect what you want to protect.

Autoexec.bat string needed

I need a solution

I am currently using the following string in my autoexec.bat file: ghost\ghost -clone,mode=restore,src=c:\ghost\adtd3.gho,dst=2 -sure -fx

I would like to use -ntexact but am not sure what the string would look like. When I use the above string in a spanned image the Ghost image hangs at about 25%.

Any help would be appreciated. The entire .bat file is shown below:

rem C:\DOS\SMARTDRV.EXE /X
rem @ECHO OFF
rem PROMPT $p$g
rem PATH C:\DOS
rem SET TEMP=C:\DOS

echo off
echo About to write with Image image.gho
rem "echo." prints an empty line; a bare "echo" only prints the ECHO state
echo.
rem echo ******** CTRL-C  to ABORT**************
rem pause
echo.
rem restore disk 2 from the image; -sure skips the confirmation prompt, -fx exits Ghost when done
ghost\ghost -clone,mode=restore,src=c:\ghost\adtd3.gho,dst=2 -sure -fx

echo Image restore complete
echo Please remove USB memory stick and reboot (cycle power)
pause


Gmail & Skype Tracking system

I need a solution

Hi,

In Symantec Endpoint, is it possible to track the Gmail and Skype use of company employees? For example, if anyone attaches an unrelated file (Gmail), the IT admin should be notified.


IDSviA64.sys caused BSOD

I need a solution

Text from the minidump file:

100516-28984-01.dmp    10/5/2016 9:48:18 PM    DRIVER_IRQL_NOT_LESS_OR_EQUAL    0x000000d1    00000000`0000fffe    00000000`00000002    00000000`00000000    fffff880`077d67e0    IDSvia64.sys    IDSvia64.sys+967e0                    x64    ntoskrnl.exe+6f400                    C:\Windows\Minidump\100516-28984-01.dmp    8    15    7601    289,992    10/5/2016 9:51:40 PM

Running SEP 12.1 RU6 MP5 on a Windows 2008 R2 SP1 server

I've searched around and haven't found anything. Any ideas?


Ransomware.exe

I need a solution

We are facing serious issues due to ransomware viruses (Zepto, ODIN). They have hit 6 systems and the files are becoming unrecoverable.

Could you please provide us with the necessary steps against this virus, and also the steps we need to perform in this situation?


Password Protect disabling specific SEP components

DLP Policy/Ruleset Configuration

I need a solution

We have a DLP Configuration Challenge I'd like to see if someone can assist with:

Background: Currently we encrypt outbound SMTP traffic by two automatic response rules and allow the email to bypass (DLP exception) if the email contains the keyword. All incidents are based on severity (Low=1-249, Medium=250-499, High=500+). We recently lowered the block threshold 'without Send Secure in the subject line' to a medium severity. The encryption is accomplished by a Cisco IronPort rule that detects the presence of [Send Secure] in the subject line of the outbound email and encrypts the email accordingly. The DLP blocking auto response rule action is the same in that DLP inserts a value into the email's header and Cisco IronPort rejects the email. We currently do not use groups, so all policies apply to all users.

Project in a nutshell: We would like to drop the global exception (if email contains [send secure]) while allowing and enforcing Low severity email to still be sent encrypted, keep the block the same, and have a means of allowing approved emails that exceed the block threshold to be sent encrypted (special keyword, white list, . . .).

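As an added illustration of the setup described in the post above (example code, not the poster's configuration and not Symantec's): severity derived from the match count with the thresholds the post gives, low-severity mail always marked for encryption, mail at or above the block threshold blocked unless the sender is on an approved list, in which case it is marked for encryption instead. The global [Send Secure] exception is deliberately absent. The header name DLP would insert for the gateway, the approved-sender list and the sample messages are assumptions constructed for the example.

```python
from typing import Optional, Tuple

LEVELS = ["Low", "Medium", "High"]                       # severity order used for comparisons
ENCRYPT = ("X-DLP-Action", "encrypt")                    # assumed header the gateway keys on
BLOCK = ("X-DLP-Action", "block")                        # assumed header that makes the gateway reject


def severity(match_count: int) -> Optional[str]:
    """Severity from the match count, using the thresholds given in the post."""
    if match_count <= 0:
        return None                                      # no match: no incident at all
    if match_count >= 500:
        return "High"
    if match_count >= 250:
        return "Medium"
    return "Low"


def respond(message: dict, approved_senders: set, block_from: str = "Medium") -> Tuple[str, Optional[tuple]]:
    """Decide the response rule action for one outbound message.

    Returns (action, header): the action name and the header DLP would insert.
    There is no keyword bypass; encryption is enforced for every incident and
    only approved senders may send mail at or above the block threshold.
    """
    sev = severity(message["match_count"])
    if sev is None:
        return ("allow", None)
    if LEVELS.index(sev) >= LEVELS.index(block_from):
        if message["sender"].lower() in approved_senders:
            return ("encrypt", ENCRYPT)                  # approved above threshold: encrypt, do not block
        return ("block", BLOCK)
    return ("encrypt", ENCRYPT)                          # low severity: still sent, but encrypted


# Constructed approved list and messages (addresses are made up).
APPROVED = {"treasury@corp.example"}
MESSAGES = {
    "clean":        {"sender": "bob@corp.example",      "match_count": 0},
    "low":          {"sender": "bob@corp.example",      "match_count": 120},
    "medium":       {"sender": "bob@corp.example",      "match_count": 300},
    "approved":     {"sender": "treasury@corp.example", "match_count": 300},
    "approved_high": {"sender": "treasury@corp.example", "match_count": 900},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(name, respond(msg, APPROVED))
```

The allow list is the simplest of the means the post lists; a special keyword would slot into the same branch, but anything keyword-based reintroduces a bypass any sender can type, which is the weakness the post is trying to remove.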

Email Symantec.Cloud Subscription Dates


There is no way to check account information in the Portal (for Symantec.Cloud).

Which email is this registered with? (People do come and go, and it would be nice to know who gets the renewal notices.)

What date does the subscription expire? Also, since we don't receive confirmation of the renewal, it would be nice to have a place to check.

Company name & address. We are consultants and have had these small companies change name/address/domain several times. It would be nice to be able to see what name is listed and, even if we are not able to change it, to be able to put in a request online for it.

DLP solutions

I need a solution

Hi,

Does DLP have the features below? These are the customer's requirements.

  • Find out how many ways there are for data leakage?
  • User IDs should be synchronized with the DLP software.
  • Data can't be moved or transferred through any removable media, CD R/W or network drive.
  • Data can't be moved or transferred through any internet protocol like data card, hotspot, Bluetooth, WiFi network, mobile connectivity.
  • We can freeze workstations and servers for moving or transferring any type of data.
  • If in any case data is transferred, then the system will demand the admin password.
  • Data should be converted into encrypted format.

Appreciate any help....thanks in advance.


ISTR Insights Special Report: Ransomware and Business 2016

A closer look at ransomware trends

A nightmare scenario occurs: your computer system locks up, files are suddenly encrypted and inaccessible, and a menacing message demands a ransom payment to restore it. Ransomware has struck—and you’re the target.

According to Symantec's ISTR Special Report: Ransomware and Business 2016, the past 12 months have seen ransomware reach a new level of maturity as cybercriminals target consumers and businesses. The report found that the number of new ransomware families discovered annually reached an all-time high of 100 in 2015, and that the average ransom demanded by attackers jumped to $679.

And it's not just consumers who are targeted by ransomware attackers; organizations need to be fully aware of the threat posed by ransomware.

“Organizations should certainly be concerned about ransomware. The most widely distributed forms of ransomware are spread through major spam campaigns which are completely indiscriminate, hitting both consumers and organizations,” said Dick O’Brien, co-author of the ISTR Special Report: Ransomware and Business 2016 and Senior Information Developer, Symantec. “Furthermore, a growing number of ransomware attack groups are specifically focusing on organizations with targeted attacks designed to infect multiple computers and cripple the organization.”

The rise of crypto-ransomware

The ISTR special report attributes the shift towards crypto-ransomware to its effectiveness. The victim may remove the malware, but the files will still be inaccessible due to unbreakable encryption. If no files are backed up, paying the ransom is the only way for the victim to recover the files. The report found that this crypto-ransomware model has been perfected over the past two years and is now one of the rising types of ransomware.

“Virtually all of the new ransomware families emerging at present are crypto-ransomware. This trend isn’t surprising, since crypto-ransomware is the most dangerous form of ransomware. It’s capable of locking the victim’s files with unbreakable encryption. Unless they have backup copies, the only way to retrieve them would be through paying the ransom. It took a while for ransomware groups to perfect crypto-ransomware, but now that most have mastered effective encryption, it’s become ubiquitous,” explained O’Brien.

Which organizations are likely to be infected?

While almost all sectors have been hit by ransomware, some types of organizations appear to be harder hit than others. The report found that the Services sector, with 38 percent of infected computers, was the sector most affected by ransomware between January 2015 and April 2016. Manufacturing, Finance, Insurance, Real Estate, and Public Administration followed as top targeted sectors.

While it’s unclear why some sectors are more affected than others, one potential explanation is that organizations with high levels of integration and different internet services tend to have higher exposure to infection risks.

Ways ransomware can infect a computer

Malicious spam email is one of the most common methods of spreading ransomware, and malware in general. Botnets, or networks of compromised computers, distribute large numbers of spam emails that use social-engineering tactics to trick victims. Opening a malicious attachment or clicking on a link that points to an exploit kit are the ways a computer gets compromised and infected.

Exploit-kit attackers compromise third-party web servers and inject iframes into web pages hosted on them. Malicious links in spam email or social media posts and malvertisements are other tactics criminals use.

Mobile ransomware leads the way as a top malware type in 2015, according to the Symantec/Blue Coat 2015 State of Mobile Malware report. With the increased performance capabilities of modern smartphones, it was only a matter of time before more advanced cryptographic ransomware, such as SimpleLocker, started showing up on mobile devices. These threats render music files, photographs, videos, and other document types unreadable—while typically demanding an untraceable form of payment such as Bitcoin—and employing a strict time limit for payment before the files become permanently inaccessible to the owner.

Businesses: the next big target

The Symantec ISTR Special Report: Ransomware and Business 2016 found that cyber criminals are increasingly targeting the business space for higher profits. The report found the following trends in attack campaigns:

  • Business email compromise scams try to trick C-level executives into making large wire transfer payments.
  • Bug-poaching attacks involve attackers compromising corporate servers, stealing data, and requesting a fee for information on how the attack was carried out.
  • The Carbanak gang targets banks directly rather than bank customers.

While some organizations are hit in indiscriminate campaigns, where employees open a malicious email or visit a malicious website, some enterprises are becoming victims of more targeted ransomware attacks.

For more detailed information, “Case Study: Anatomy of an Advanced Ransomware Attack” and “Case Study: Ransomware as a Decoy” are included within the ISTR Special Report: Ransomware and Business 2016. The two case studies not only provide narratives of the attack campaign, but share insights on lessons learned.

Protection against ransomware

Whatever you do, don't pay the ransom. There's no guarantee your files will be released, and if you succumb to the scam, you may make yourself vulnerable to more scams.

“The most common method of ransomware distribution is spam email and everyone needs to exercise extreme caution. We would advise people to immediately delete any suspicious emails they receive, especially those containing links and/or attachments. They should also be very wary of Microsoft Office attachments that prompt users to enable macros. Attackers often use malicious macros to deliver malware through Office documents,” said O’Brien.

But there are strategic and tactical ways to protect yourself and your organization from falling victim to ransomware. Symantec recommends the following five steps to prevent ransomware:

  1. Back up your computers and servers regularly.
  2. Lock down mapped network drives.
  3. Deploy and enable all Symantec Endpoint Protection technologies.
  4. Download the latest patches and plug-ins.
  5. Use an email security product to handle email safely.

RansomwareGraphic.png

View the full Symantec ISTR Ransomware infographic.

“Adopting a multi-layered approach to security minimizes the chance of infection," said O’Brien. "Using an email security solution should remove the chance of you accidentally opening malicious email and malicious attachments in the first place. Symantec intrusion prevention system (IPS) technology can detect and block malicious traffic from exploit kit activity, preventing the installation of ransomware. Meanwhile Symantec Endpoint Protection technologies can detect and block known ransomware families, in addition to detecting suspicious behavior by new and previously unknown malicious files.”

Be sure to check out the following for more insights:

ISTR Special Report: Ransomware and Business 2016

"The Evolution of Ransomware" Symantec white paper

Also, don't miss the upcoming October 18th Symantec webcast, "Anatomy of a Ransomware Attack".

Symantec Receives Prestigious Award for IoT

The 2016 North America Frost & Sullivan Awards Honor Symantec for its IoT Portfolio

Shankar_Frost_Award_0.jpg

Recently, I was lucky enough to be one of the honored recipients of the 2016 North America Frost & Sullivan Award for Embedded Security for Industrial Internet of Things (IIoT) Customer Value Leadership. Held at a banquet in Santa Clara, California, the event brought together top executives to celebrate their achievements, and I was surrounded by elegance and excitement.

Each year, Frost & Sullivan presents this award to the company that has demonstrated excellence in implementing strategies that proactively create value for its customers, with a focus on enhancing the return on the investment that customers make in its services or products. The award recognises the company's inordinate focus on enhancing the value that its customers receive, beyond simply good customer service, leading to improved customer retention and ultimately customer base expansion. We were praised for our IoT portfolio, our traction in the market and, of course, our strength as a security company and the scale at which we already operate in enterprise security.

This award is particularly significant because it comes from Frost & Sullivan, a firm that possesses deep relationships and insights into the Enterprise IoT world. The companies that were recognized at the event were not just security or software companies. I had the pleasure of meeting a wide range of individuals who are working on some exciting tools, from creating new connected medical devices or industrial sensors to companies that provide services that determine the location of these connected devices.

This was a great event and I am honored to be part of Symantec and recognized by Frost & Sullivan. I believe that IoT is still in its infancy and we have a lot to do, but events like this not only give us a chance to get together but also provide us with an opportunity to learn, collaborate and make a difference.

DLP Agents Not Reporting

I need a solution

Hi,

I have set up a new Enforce Server on version 14.0 of Symantec DLP. I have broken the connection on my old system of the 2 Endpoint Detection Servers. I have connected them to my Enforce Server (they were running 12.5); after I connected them I ran the upgrade wizard to upgrade the Endpoint Detection servers to 14.0. That completed successfully. Now, after a reboot of those 2 Detection Servers, I am only getting 40 endpoint agents that will connect. These agents are still running 12.5; however, I need them to connect so I can start upgrading them to 14.0. So I am having issues getting them to report in. I have telnetted over the ports from my computer, which is running 12.5, and that was successful. I have done the same from other computers that are still not reporting in. So there is a solution to getting this fixed. I have also rebooted the Database Server, thinking this might be the issue as well. However, when the server came back up, I still had the same issue. Does anyone have a solution for this? I have looked at all the logs from the Enforce and Detection Servers: no errors, no warnings. Nothing out of the normal information. Everything connected successfully.


Add the ability to see the size of distributed definitions


A feature that would be good to include in future versions of Symantec Endpoint Protection Manager would be the ability to see the size of the definitions distributed to clients from the GUP. This way the network load during distributions could be monitored, and each organization's update policy could be better defined.

Regards.

Linking Software Packages to Tasks/Policies

I need a solution

We have been using Altiris for a number of years and when deploying software, we usually create a software package and then deploy it via a task. When a package is no longer needed, the tasks have quite often been deleted, but the software packages themselves remain, taking space on the NS/package servers.

What I would like to do is get a list of packages which are not linked to a task so that we can then go through and delete the ones which are no longer needed. I am assuming this is possible as if we try to delete a software package that still has a task, it blocks us and brings up the dependency report showing where it is used. Is it possible to do this across all of our packages?


Customer-specific Spam submissions service after 48 hours status "INACTIVE"

I need a solution

Hello,

I've set up the "Spam submissions service". In "Spam Submission", messages have the "inactive" status.

2016-10-07_12-56-36.png

Is this as it should be?

Status bar:

2016-10-07_13-00-05.png


How to create a Windows UEFI disk only with the Deployment Solution Partition Disk Task?

I need a solution

Is it possible to create a UEFI disk for Windows 7/8/10 with only a Create Partition Disk Task?

When I choose GPT, the size option is grayed out?!

Are a number of consecutive Create Partition Disk tasks necessary?

Does somebody have a configuration sample?

Like:

https://technet.microsoft.com/en-us/library/hh825686.aspx


Need to remove Symantec Management Agent 7.5.3300

I need a solution

My company is no longer using SMP for desktop management. Due to licensing concerns, I need to remove the agent from ALL OS X machines. I have found an issue that I cannot get past. On OS X 10.11+ machines, the removal script does NOT work. It fails in the early steps. On systems earlier than 10.11 it works fine. The powers that be are telling me to remove it ASAP. Does anyone have a method for uninstalling the agent from OS X 10.11+ machines? These machines were upgraded to 10.11 from 10.10 or earlier. Any new 10.11 from the factory never had the agent, just the upgraded ones. Please help, as Google has yielded zero good leads on this one. Thanks in advance.


Latest Intelligence for September 2016

The RIG exploit kit was the most active web attack toolkit in September and the number of new malware variants reached its highest point of the last year.


Configure Replication and Hierarchy for Two Notification Servers


In order for Notification Server to participate in Hierarchy, there must be at least one package server available within the Notification Server site.

When you attempt to add a Notification Server to a hierarchy, the Add Hierarchy Node Wizard checks for the presence of a suitable package server. If no suitable package server is available, the Add Hierarchy Node Wizard does not let you add the Notification Server to the hierarchy.

A new Notification Server does not install the Package Service by default, so before configuring replication and hierarchy between two Notification Servers you need to install the Package Service first.

1. Log into the Management Console, click 'Settings', then select 'Notification Server' --> 'Site Server Settings':

NS_Replication_01.png

2. Expand 'Site Management' --> 'Site Servers'; you will see that the Package Service is not installed by default:

NS_Replication_02_00.png

3. Click 'Install/remove services' under 'Task Service':

NS_Replication_02_01.png

4. Select 'Package Service' in the services list, then click 'Next':

NS_Replication_02_02.png

5. Confirm the changes and click the 'OK' button:

NS_Replication_02_03.png

6. It will start the download and installation of the package service:

NS_Replication_02_04.png

7. Confirm the Package Service is installed on the Notification Server, and the status shows as OK:

NS_Replication_02_05.png

After the Package Service is installed, you need to create a new site for the Notification Server.

8. Click the 'New' button on the left panel and select 'Site':

NS_Replication_03.png

9. Enter the name of the new site, then click the + button:

NS_Replication_04.png

10. Select the subnet in the left panel, add it to the right panel, then click the OK button:

NS_Replication_05.png

11. Click the OK button to save the new site of the Notification Server:

NS_Replication_06.png

Repeat the above steps on the second Notification Server. Then you can add and configure replication between these two Notification Servers.

12. Under all settings, expand 'Notification Server' --> 'Hierarchy and Replication' --> 'Hierarchy' --> 'Hierarchy Management', right-click the Notification Server name in the right panel, and select 'Add' --> 'Child':

NS_Replication_07.png

13. Enter the name of the other Notification Server (the URL is filled in automatically), then enter the access credentials of the other Notification Server and click 'Next':

NS_Replication_08.png

14. Leave the Replication Schedules at their defaults, then click 'Next':

NS_Replication_09.png

15. Confirm the replication settings, then click the 'Finish' button:

NS_Replication_10.png

16. The wizard retrieves data from the other Notification Server:

NS_Replication_11.png

17. After the setup has finished, the two Notification Servers are displayed in the following topology:

NS_Replication_12.png

In the above replication and hierarchy relationship, WIN-NMMRT784E7V is the parent and WIN-IGV35N616FU is the child.