























DLP is the detect-or-die friend of every SOC worth their salt. It’s that hypervigilant, head-on-a-swivel partner, monitoring sensitive data and exposing potential compliance violations that threaten its security. Without solid DLP, sensitive data would flow freely into unauthorized hands.
In many cases, organizations devote a whole team of humans to ensure even the best DLP keeps running smoothly. Tasked with monitoring how many violations (DLP incidents) have been detected and resolved, this team works tirelessly to ensure compliance business processes are in place and enforcement stays consistent.
But this model isn’t always sustainable, especially for smaller or resource-strapped SOCs. ART changes that.
We all love DLP (I’m wearing my “I Heart DLP” shirt right now), so what’s the problem?
Well, DLP can have a hard time letting go of the past. Organizations of all sizes face DLP’s historic inability to identify if and when an incident has been resolved. Unchecked DLP risks dragging SOCs back to old issues when it’s time to move on.
How does this communication issue happen? In many cases, organizations align their resources to resolve the DLP violation, however, before they can even get to it, the file may have been deleted, or the owner removed the sensitive content, leaving the DLP incident hanging there unresolved. In some cases, the policy was re-tuned such that the same file no longer violates the organization's current policies. But when the incident that was generated still exists it can keep sounding the alarm by indicating that the compliance issue is ongoing, even if the original exposure story is over.
This is where the Symantec® feature, Automatic Remediation Tracking (ART), comes in as the perfect pairing for hard-working DLP. The latest release of Network Discover High Speed Discovery masters the ART of resolution. This new feature of Symantec DLP’s High Speed Discovery helps organizations distinguish active violations from past incidents that the scan has already resolved. ART enables High Speed Discovery File System scans to make sure past incident reports stay up to date, without losing valuable intel on the reason behind the original red flag.
ART steps in with a time-and-truth reckoning that reconciles past incidents, preserves valuable insights, and lets SOC live in the present and strategize for the future.
ART is recursive, constantly re-evaluating items that have already generated DLP incidents when the target is scanned again. As long as ART is enabled, when teams re-run DLP scans, ART steps in with a relevance comparison that reflects the relevance of the file that generated the incident. When the re-scan concludes that the same file no longer violates the relevant policy, ART updates the incident with a clear remediation classification. This classification leaves a helpful explanation of why the incident can be put to rest, and closes the loop between “what we saw then” and “what the scan sees now.”
Let’s break it down with some commonly asked questions about the ART feature:
ART is Powered by High Speed Discovery (HSD), a system built for fast, large-scale inspection of data at rest. ART adds an incident lifecycle dimension to HSD, asking key questions about what sensitive info was found and whether that info still needs attention after file and policies have changed.
ART does not replace human judgment on every alert just yet. However, it is crucial to triage. ART enables closure of past incidents or policy violations, helping organizations stay focused on real and existing concerns.
It’s hard to overstate the value of ART as an enabled feature of Symantec DLP. ART reevaluates past incidents on an ongoing basis so that SOC teams don’t have to. ART equips teams with—
Automatic Remediation Tracking helps teams answer a question that every security program eventually faces, and too often: does this finding still deserve our attention?
ART completes the picture for File system High Speed Discovery incidents—not only detection, but whether the situation still holds after items and policies change. As they change, this helps teams determine whether an earlier incident still reflects today’s risk.
High Speed Discovery is built for fast, large-scale inspection of data at rest; ART adds an incident lifecycle dimension to it, such as what sensitive info was found, and whether it still matters after items and policies change. As long as ART is enabled, when you re-run the scans, the relevance comparison becomes possible.
And it does it all on your terms. ART doesn’t add extra work to the SOC because it uses the same reporting and API surfaces teams already use for remediation-style incident attributes, so filtering, export, and automation don’t require a parallel model. SOCs rejoice!
ART is not enabled by default, but administrators can enable it with ease. Simply use the Advanced tab on the File System High Speed Discovery scan target. This extra “opt-in” step ensures the behavior is aligned with deliberate program design.
For step-by-step configuration, version-specific behavior, and REST API details, check out the technical documentation.
For teams yet to start their data security journey, reach out to your in-region expert for a demo.

Namrata Shiggaon
Product Manager, Information Security

Abhishek Sardana
R&D Software Engineer, Information Security

Bishnu Chaturvedi
Sr. Principal Software Engineer, Information Security
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。