Managed Security Services (MSS): Value MSS Provides by Monitoring DLP
Updated On: 21-10-2016 01:48
Managed Security Services
MSS Monitoring of Symantec DLP provides unique additional value and business context into security incidents.
DLP is not a "primary indicator" for us, meaning we do not raise an incident from DLP alone (otherwise we would be a very expensive DLP alerting service; DLP does this already). Customers continue to manage their data loss incidents using the rich workflow capabilities built into the Symantec Data Loss Prevention product.
However, security monitoring of Symantec Data Loss Prevention is an add-on to the monitoring of endpoints and network security devices: correlated data loss events elevate the severity of existing incidents and trigger additional escalation.
You can easily make this a customer-specific use case.
For example, a bank may have a DLP alert for "Credit Card Details Moving in Plain Text". Normally, when we detect a host communicating with a C&C server (via firewall monitoring) we raise that incident as Critical. However, if the analyst is also presented with the above DLP event for the same host, the system indicates that a compromised host is also sending credit card details, a strong indication of data exfiltration. In this case, the incident is raised from Critical to Emergency.
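The escalation described above can be sketched as a small correlation routine. This is an added example, not MSS platform code: the record fields, host names, incident IDs and the 24-hour correlation window are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

ESCALATION = {"Critical": "Emergency"}   # the only step the article describes
WINDOW = timedelta(hours=24)             # assumption: correlation window

# Constructed sample data. DLP records carry metadata only, never matched content.
INCIDENTS = [
    {"id": "INC-1", "host": "WS-0142", "type": "c2_communication",
     "severity": "Critical", "time": datetime(2016, 10, 20, 9, 15)},
    {"id": "INC-2", "host": "WS-0977", "type": "c2_communication",
     "severity": "Critical", "time": datetime(2016, 10, 20, 11, 0)},
]
DLP_ALERTS = [
    {"host": "ws-0142", "policy": "Credit Card Details Moving in Plain Text",
     "time": datetime(2016, 10, 20, 9, 40)},
    {"host": "WS-0977", "policy": "Credit Card Details Moving in Plain Text",
     "time": datetime(2016, 10, 17, 8, 0)},   # same host, outside the window
    {"host": "WS-0555", "policy": "Credit Card Details Moving in Plain Text",
     "time": datetime(2016, 10, 20, 10, 0)},  # no existing incident for this host
]

def correlate(incidents, dlp_alerts, window=WINDOW):
    """Return copies of incidents, escalated where a DLP meta alert for the
    same host falls inside the window. DLP alerts never create incidents."""
    by_host = {}
    for alert in dlp_alerts:
        by_host.setdefault(alert["host"].lower(), []).append(alert)
    results = []
    for inc in incidents:
        matches = [a for a in by_host.get(inc["host"].lower(), [])
                   if abs(a["time"] - inc["time"]) <= window]
        out = dict(inc, dlp_context=sorted({a["policy"] for a in matches}))
        if matches:
            out["severity"] = ESCALATION.get(inc["severity"], inc["severity"])
        results.append(out)
    return results

if __name__ == "__main__":
    for inc in correlate(INCIDENTS, DLP_ALERTS):
        print(inc["id"], inc["host"], inc["severity"], inc["dlp_context"])
```

The DLP alert for WS-0555 produces no output at all, which mirrors DLP not being a primary indicator: it only adds context to an incident that another source has already raised.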
The Symantec DLP product, like any device we monitor, has to be configured correctly. Given that it is a Symantec product, clients may naturally think MSS can troubleshoot or be consulted on DLP if it is not working correctly, but MSS will not be able to help. Because it is a complex product, configuration needs consultants, BCS, and partners (engaged via account management).
A common concern is that clients think that we will see the actual data that DLP sends alerts on. We do not; we only see the meta alert from DLP.
MSS cannot match the integrated workflow of the Symantec DLP product. Our platform has no model to manage data-at-rest detections, and there is little opportunity to add analyst value as we are not permitted access to sensitive data.
In a nutshell, MSS doesn't add value to DLP; rather, DLP adds value to MSS.
There is a white paper attached here, but please check on SAVO and with PM to ensure that it is the latest.