Using CloudSOC CASB with Symantec DLP Cloud Symantec CloudSOC Tech Note


Tech Note — Using CloudSOC CASB with Symantec DLP Cloud Enforce Console 

Copyright statement Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

   

Copyright © 2020 Symantec Corp.


Table of Contents 

 

Copyright statement 

Introduction 

Provisioning 

Provisioning Symantec DLP Cloud Detection Service in CloudSOC 

Enabling DLP content inspection 

Configuring Policies on Symantec DLP Enforce 

Configuring custom end-user messages 

Reviewing incidents 

Viewing operational statistics for DLP Cloud 

Related documentation 

Revision history

Introduction 

This Tech Note describes how to configure CloudSOC to refer files to the Symantec Data Loss Prevention (DLP) Cloud Detection Service for content inspection and remediation. When so configured, Symantec DLP blocks or remediates content-related policy breaches, often in real time. 

Combining Symantec DLP and CloudSOC in this manner lets you leverage the Symantec DLP Enforce policies that currently protect your email, web, endpoint and storage resources to cover the cloud as well. It also lets your incident response teams use your existing Symantec DLP Enforce Management Console to address cloud-related incidents, with rich contextual data from CloudSOC CASB. 

This solution does not require that data be transferred from cloud services to an on-premises DLP appliance. Instead, the files and documents are scanned while in the cloud, reducing latency and network traffic. 

Once you enable Symantec DLP Cloud Detection Service as your content inspection solution, you use Symantec DLP for all content-related policies. For policies without content inspection features, you continue to create and manage CloudSOC Protect policies as before. 

Provisioning 

The following sections describe how to provision CloudSOC and Symantec DLP to work together. 

Provisioning Symantec DLP Cloud Detection Service in CloudSOC 

Follow this procedure to configure CloudSOC to connect with DLP Cloud Enforce: 

1. On the CloudSOC Settings page, click the Content Inspection tab to bring it to the front. 

2. In the Configured External DLP Systems area, click Add External DLP System to add a new one. 

 


The External DLP System panel opens, as shown in the following. 

 

3. On the External DLP System panel, configure the following settings: 

| Field | Setting |
|---|---|
| Name | Enter any descriptive name. |
| Vendor | Select Symantec DLP Cloud from the menu. |
| Token | Enter the token you were provided when you subscribed to Symantec DLP Cloud. |
| File size limit | (Optional) Select the maximum file size that CloudSOC submits to Symantec DLP Cloud for processing. |
| Timeout | (Optional) Select the maximum number of seconds CloudSOC waits for a file to be processed by Symantec DLP Cloud. |

   


Note: When the configured file size limit is exceeded, CloudSOC does not submit the file for processing on Symantec DLP Cloud. When this happens, or when CloudSOC submits a file but does not receive a response within the specified timeout interval, Protect does not enforce policies that depend on DLP processing. 

Whenever the file size or timeout limits are exceeded, CloudSOC posts an error that you can view in the Investigate application, as shown in the following. 

 

4. Click Save Changes, then click Cancel to close the panel. 

5. On the Settings page, select the Content Inspection tab, then select Activate Appliance in the Actions menu for Symantec DLP Cloud to activate it, as shown in the following.

 

6. Make sure that Symantec DLP Cloud is the active DLP system, indicated by the green circle in the Status column as shown in the following. 

 


7. Click Connect Appliance in the Actions menu for Symantec DLP Cloud as shown in the following to test the connection between CloudSOC and Symantec DLP Cloud. 

 

● If CloudSOC connects successfully with Symantec DLP Cloud, a green banner appears across the top of the CloudSOC page. 

● If a red banner appears across the top of the page, it means CloudSOC could not communicate with Symantec DLP Cloud. Check to make sure that the Symantec DLP Cloud information is correct. 
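The note under step 3 describes fail-open behavior: a file over the size limit is never submitted, and a file whose response misses the timeout gets no DLP-dependent enforcement. The following is an added example, not part of the Tech Note or of any Symantec tooling, that classifies constructed submission records against those two limits and tallies the uninspected files by reason and by user. The `Submission` fields, the function names, and the 50 MB and 30 second values are assumptions for illustration, not CloudSOC's schema or defaults.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class Submission:
    # Hypothetical record shape for this example, not CloudSOC's schema.
    user: str
    file: str
    size_mb: float
    response_secs: Optional[float]  # None: no response was received

def dlp_outcome(s, size_limit_mb, timeout_secs):
    """Classify one file as 'inspected', 'skipped_size' or 'skipped_timeout'.

    Follows the note: a file over the size limit is never submitted, and a
    submitted file with no response inside the timeout gets no enforcement
    of policies that depend on DLP processing.
    """
    if s.size_mb > size_limit_mb:
        return "skipped_size"
    if s.response_secs is None or s.response_secs > timeout_secs:
        return "skipped_timeout"
    return "inspected"

def coverage_gaps(subs, size_limit_mb, timeout_secs):
    """Return (uninspected files, count per reason, count per user)."""
    gaps, by_reason, by_user = [], Counter(), Counter()
    for s in subs:
        outcome = dlp_outcome(s, size_limit_mb, timeout_secs)
        if outcome != "inspected":
            gaps.append((s.user, s.file, outcome))
            by_reason[outcome] += 1
            by_user[s.user] += 1
    return gaps, by_reason, by_user

# Constructed sample data (not real CloudSOC output).
SAMPLE = [
    Submission("alice", "q3-forecast.xlsx", 2.1, 1.4),
    Submission("bob", "customer-export.zip", 310.0, None),
    Submission("bob", "archive.tar", 120.0, None),
    Submission("carol", "scanned-contract.pdf", 18.0, 45.0),
    Submission("dave", "notes.txt", 50.0, 3.0),
]

if __name__ == "__main__":
    gaps, by_reason, by_user = coverage_gaps(SAMPLE, size_limit_mb=50, timeout_secs=30)
    for user, file, reason in gaps:
        print(f"{reason:16} {user:6} {file}")
    print(dict(by_reason), by_user.most_common(1))
```

Files listed as gaps are the ones to review manually or re-submit after adjusting the limits, since no content policy was evaluated for them.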

Enabling DLP content inspection 

To refer files to the Symantec DLP Enforce console, you must enable External DLP on the CloudSOC Settings page:

1. On the CloudSOC menu bar, click your username and select Settings. Then click the Content Inspection tab. 

2. On the Content Inspection tab, make sure the Content Inspection slider is set to Enabled as shown in the following. 

 

3. On the Content Inspection tab, make sure the External DLP risk type is enabled, as indicated by the green check mark shown in the following. 

   


4. If External DLP is not enabled, click Edit near the upper right corner of the Risk Types and mark the checkbox for External DLP as shown in the following. Then click Save. 

  

Configuring Policies on Symantec DLP Enforce 

In order for Symantec DLP Cloud Detection Service to flag files for CloudSOC to block or remediate, you must configure it with at least one policy. The following procedure shows how to create an example policy that checks messages and files for the word "secret." See your Symantec DLP Enforce documentation for complete instructions on creating and managing policies. 

Important: Every time you add or update policies in the DLP Enforce console, you must re-scan content for each of the CloudSOC Securlets for file-sharing apps such as G-Suite and Office 365 for the new or updated policy to apply to data already at rest in those apps.

Note: If you have a lot of data at rest in these apps, the re-scan uses API calls that could impact response time for scans of new data added to these apps. You may want to schedule re-scans for times when usage is low, or limit re-scans to after high-significance policy changes have been made.

1. If you have not already done so, log in to Symantec Data Loss Prevention.

2. In the Symantec DLP Enforce console, select Manage, then select Policies, and then select Policy List.

3. Near the upper left corner of the page, click New to create a policy. 


4. On the next page, mark the checkbox for Add a blank policy and click Next.   


5. On the General page, enter a name for the policy, and optionally a description and policy label as shown in the following. 

 

6. On the Detection tab, click Add Rule to add a new rule to the policy. 

7. On the Add Detection Rule page, mark the Content Matches Keyword button as shown in the following, then click Next. 

   


8. Configure the new rule with a name and the desired keywords, then click OK as shown in the following. 

 

9. Click Save to save the new policy. 

 

10. Make sure that the new policy shows up in the policy table as shown in the following. 

 


11. For each Securlet for a file-sharing app to which you are subscribed, open the CloudSOC Securlet Dashboard and select Re-scan Content as shown in the following. You must re-scan content every time you add or modify policies in DLP Enforce for the new or updated policy to apply to data already at rest in that app. 

 

Configuring custom end-user messages 

CloudSOC can show end users custom messages that you configure in the DLP Enforce console when they violate a DLP policy. This feature works with both the Reach agent and with traffic steering with the CloudSOC PAC file.  

In the Symantec DLP console, navigate to Manage, then select Policies, and then select Response Rules and configure a custom message as shown in the following: 

 

CloudSOC shows the message to users whenever they violate the policy in question, as shown in the following: 


 

Reviewing incidents 

To view incident details for “Symantec Cloud Detection Service” in the DLP Enforce Console: 

1. In the DLP Enforce console, select Incidents, and then select Applications.

2. Find the incident of interest on the list. 

You can use the filter tools at the top of the list to filter the list by status, date, or severity as shown in the following. You can also use the advanced filters and summarization tools for more complex filtering. Click Apply after setting the filters. 

 

3. Click the incident to view detailed information about it, as shown in the following. 

 


If the Incident Details list on the left edge of the page shows an attachment, you can click its link to view the file containing the policy violation. 

Viewing operational statistics for DLP Cloud 

CloudSOC shows you operational statistics for external DLP Cloud systems. Use this information to monitor the status of the DLP Cloud Detection Service.  

1. In CloudSOC, select your username, then select Settings and click the Content Inspection tab.

2. In the Configured External DLP Systems area, click a Symantec DLP Cloud system to view its details. The details panel shows you the current operational statistics, as shown in the following. 

   


Related documentation 

https://support.symantec.com/en_US/article.DOC9414.html 

https://support.symantec.com/en_US/article.ALERT2395.html 

Revision history 

| Date | Version | Description |
|---|---|---|
| 7 October 2016 | 1.0 | Initial release |
| 15 November 2016 | 1.1 | Revise UI elements |
| 18 November 2016 | 1.2 | Add step to activate DLP system |
| 4 January 2017 | 1.3 | Refine procedure to activate DLP system |
| 1 August 2017 | 1.4 | Address new configuration token, update screenshots |
| 10 August 2017 | 2.0 | Address operational statistics feature |
| 29 September 2017 | 3.0 | Address new model in which DLP Cloud also handles context and remediation for content-related policies |
| 15 December 2017 | 3.1 | Update branding |
| 9 March 2018 | 4.0 | Add response messages |
| 8 November 2018 | 4.1 | Add step and note about re-scanning content, update screenshots for activating and connecting DLP Cloud |
| 9 September 2019 | 4.2 | Corrected to add DLP Cloud Enforce console nomenclature for consistency with product naming. |
| 28 September 2020 | 4.3 | Update for content inspection. |

 

 
