Enhance or replicate your Symantec Data Loss Prevention (DLP) workflow using Information Centric Analytics' (ICA) Data in Motion (DIM) Remediation Actions.
Version: 6.x
Component: Symantec DLP Integration Pack
Remediation Actions are found on the Data In Motion toolbar in the ICA console. ICA has three pre-defined default actions: Escalate, Resolve, and Dismiss.
Figure 1: Remediation Action buttons on the DIM toolbar
Figure 2: Example of a Remediation Action prompt
Actions can be configured to set an incident status, assign a selected reason or resolution, or assign an incident to a queue. An action can also be configured to simply add a comment to an incident. Additional actions can be created corresponding to your organization's DIM incident remediation workflow in DLP.
To create a remediation action, navigate in the ICA console to Admin > Settings > Data In Motion > Remediation Action Types. Once there, click on the Remediation Action button to open the Remediation Action Type configuration window, which is divided into four main sections:
Window Configuration
This section controls how the remediation action prompt is displayed to the user.
Figure 3: Window Configuration options
Figure 4: Glossary
Toolbar Configuration
This section controls how the remediation action button is displayed in the toolbar.
Figure 5: Toolbar Configuration options
Actions
This section controls the remediation action fields available to the user, such as setting the status of an incident or entering a comment. If writeback to Symantec DLP is enabled, this section also identifies the source system field that will be updated in DLP.
Figure 7: Actions configuration options
Notifications
This section allows the ICA administrator to assign a notification template to the e-mail notifications sent to users. E-mail notifications are used to notify users or groups of users when an item requires action (e.g., remediation or review), or when an action has been taken.
Figure 10: Notifications configuration options
The following swim lane diagram shows an example workflow and lifecycle for an incident from when it was first identified by Symantec DLP to the point when no further action is required and the incident can be considered closed or resolved.
Figure 11: Example of a DLP incident lifecycle and workflow
Each swim lane represents a different group that is or could be involved at some point in the investigation and remediation process. Each group represents a different queue (the Assigned To selection from a remediation action). Each queue has its own process to review and eventually close or resolve an incident. As part of this process, each queue can have its own remediation actions that are customized to represent their internal processes.
Analyst Queue
This queue is the initial queue to which an incident is assigned once it comes into ICA. The members of this queue review the incident and decide whether it needs to be escalated to the Investigation queue or whether it can be resolved. If the incident needs to be escalated, the user escalates it to the Investigation queue with the Escalate to Review remediation action. If the incident can be resolved without further investigation, the user uses one of two remediation actions (Dismiss or Resolve) and the incident lifecycle is complete.
Based on this example workflow, remediation actions could be configured as follows:
Investigation Queue
This queue is the first level of escalation for an incident. Only the Analyst queue can assign incidents to this queue. The users assigned to this queue review the incident and decide whether it needs to be escalated to the Escalation queue (this could be HR, SOC, Legal, etc.), or whether some other action has already been taken to resolve it. If the incident needs to be escalated, the user uses a remediation action to escalate it to the Escalation queue. If some other action has been taken to resolve the incident, the user has only the Resolve remediation action available to complete the incident lifecycle.
Based on this example workflow, remediation actions could be configured as follows:
Escalation Queue
This queue is the last level of escalation for an incident. Only the Investigation queue can assign incidents to this queue. The users assigned to this queue review the incident and decide whether further action is required or whether some other action has been taken and the incident can be resolved. Notice that this queue has only one remediation action. The Resolve remediation action allows the user to close the incident and specify any additional actions required, such as escalating to another area outside of the ICA/DIM workflow. This remediation action completes the incident lifecycle.
Based on this example workflow, remediation actions could be configured as follows:
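The queue-by-queue rules above (the Analyst queue alone feeds the Investigation queue, the Investigation queue alone feeds the Escalation queue, and each queue exposes only its own actions) amount to a small state machine. The following Python model is an added illustration, not ICA or DLP code, that encodes the example workflow so an administrator can check a planned action configuration before building it in the console: the action definitions mirror the fields an action can set (status, queue assignment, comment), and `apply_action` rejects any action not offered in the incident's current queue. The queue and action names come from the article; the class names, field names, status values and the "requires a comment" flag are assumptions made for this example.

```python
"""Model of the DIM incident-remediation workflow described in the article.

Added illustration, not ICA or DLP code. Queue names, action names and the
transition rules follow the article's example workflow; class and field
names, status strings and comment requirements are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

QUEUES = ("Analyst", "Investigation", "Escalation")


@dataclass(frozen=True)
class RemediationActionType:
    """One configured action: what it sets on the incident when applied."""
    name: str
    status: Optional[str] = None        # new incident status, if the action sets one
    assign_to: Optional[str] = None     # target queue, if the action reassigns
    closes: bool = False                # completes the incident lifecycle
    requires_comment: bool = False      # prompt forces the user to enter a comment


# Per-queue action sets from the example workflow (assumed configuration).
ACTIONS_BY_QUEUE = {
    "Analyst": {
        "Escalate to Review": RemediationActionType(
            "Escalate to Review", status="Escalated", assign_to="Investigation"),
        "Dismiss": RemediationActionType("Dismiss", status="Dismissed", closes=True),
        "Resolve": RemediationActionType("Resolve", status="Resolved", closes=True,
                                         requires_comment=True),
    },
    "Investigation": {
        "Escalate": RemediationActionType("Escalate", status="Escalated",
                                          assign_to="Escalation", requires_comment=True),
        "Resolve": RemediationActionType("Resolve", status="Resolved", closes=True,
                                         requires_comment=True),
    },
    "Escalation": {
        # Last level of escalation: Resolve is the only action offered.
        "Resolve": RemediationActionType("Resolve", status="Resolved", closes=True,
                                         requires_comment=True),
    },
}


@dataclass
class Incident:
    incident_id: int
    queue: str = "Analyst"          # new incidents land in the Analyst queue
    status: str = "New"
    closed: bool = False
    history: List[Tuple[str, str, str, str]] = field(default_factory=list)


class WorkflowError(Exception):
    """Raised when an action is not permitted for the incident's current state."""


def available_actions(incident: Incident) -> List[str]:
    """Actions the toolbar should offer for this incident's current queue."""
    if incident.closed:
        return []
    return sorted(ACTIONS_BY_QUEUE[incident.queue])


def apply_action(incident: Incident, action_name: str, user: str,
                 comment: str = "") -> Incident:
    """Apply a remediation action, enforcing the queue-ownership rules."""
    if incident.closed:
        raise WorkflowError(f"incident {incident.incident_id} is already closed")
    action = ACTIONS_BY_QUEUE[incident.queue].get(action_name)
    if action is None:
        raise WorkflowError(
            f"{action_name!r} is not available in the {incident.queue} queue")
    if action.requires_comment and not comment.strip():
        raise WorkflowError(f"{action_name!r} requires a comment")
    if action.assign_to is not None and action.assign_to not in QUEUES:
        raise WorkflowError(f"unknown queue {action.assign_to!r}")
    # Record who did what, from which queue, before mutating the incident.
    incident.history.append((incident.queue, action_name, user, comment))
    if action.status:
        incident.status = action.status
    if action.assign_to:
        incident.queue = action.assign_to
    if action.closes:
        incident.closed = True
    return incident


def run_example() -> Incident:
    """Walk one constructed incident through all three queues to Resolved."""
    inc = Incident(incident_id=1001)   # constructed sample incident
    apply_action(inc, "Escalate to Review", user="analyst1")
    apply_action(inc, "Escalate", user="investigator1",
                 comment="Sensitive data in outbound mail; needs Legal review")
    apply_action(inc, "Resolve", user="legal1",
                 comment="Handled outside the ICA/DIM workflow")
    return inc


if __name__ == "__main__":
    done = run_example()
    print(done.status, done.queue, done.closed)
    for step in done.history:
        print(step)
```

The history list plays the role of the incident's comment trail: every action records the originating queue, so a reviewer can confirm afterwards that an incident reached the Escalation queue only by way of the Investigation queue.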