Configuring and running SQL database scans in DLP
Article ID: 174871

Products

Data Loss Prevention Network Discover, Data Loss Prevention Endpoint Discover

Issue/Introduction

You can configure and run scans on SQL databases to identify which databases contain confidential data, or to locate the inappropriate presence of confidential data.

Scanning of SQL databases occurs for a specific set of column data types. The SQL Database scan extracts data of the following Java Database Connectivity (JDBC) types: CLOB, BLOB, BIGINT, CHAR, LONGVARCHAR, VARCHAR, TINYINT, SMALLINT, INTEGER, REAL, DOUBLE, FLOAT, DECIMAL, NUMERIC, DATE, TIME, and TIMESTAMP. The mapping between these column types and those of a specific database depends on the implementation of the JDBC driver for the scan.

Resolution

To set up a scan for a SQL Database

  1. In the Enforce Server administration console, go to Manage > Discover Scanning > Discover Targets.

  2. Click New Target, and use the pull-down menu to select the SQL Database target type.

  3. On the General tab, type the Name of this Discover target.

    Type a unique name for the target, up to 255 characters.

  4. Select the Policy Group.

    If no other policy group has been selected, the Default Policy group is used. To apply a policy group, select the policy group to use for this target. You can assign multiple policy groups to a target.

  5. Specify scheduling options.

    Choose Submit Scan Job on Schedule to set up a schedule for scanning the specified target. Select an option from the Schedule drop-down list to display additional fields. Choose Pause Scan between these times to automatically pause scans during the specified time interval. You can override a target's pause window by going to the Discover Targets screen and clicking the start icon for the target entry. The pause window remains intact, and any future scans that run up against the window can pause as specified. You can also restart a paused scan by clicking the continue icon in the target entry.

  6. On the Targeting tab, under Scan Server and Target Endpoints, select the Discover Server (or multiple Discover Servers) where you want to run the scan.

    Only the detection servers that were configured as Discover Servers appear on the list. If there is only one Discover Server on your network, the name of that server is automatically specified. You should configure your Discover Servers before you configure targets. You must specify at least one server before you can run a scan for this target.

  7. On the Scanned Content tab, select or enter the credentials.

  8. Select one of the following methods for entering the databases:

    • Use database servers from an uploaded file

      Create and save a plain text file (.txt) listing the servers you want to scan. Click Browse to locate the list and Upload to import it. The user name and password that are specified on the Scanned Content tab of the Add SQL Database Target page are used for every server in the file.

      Enter the databases using the following syntax. The vendor name can be oracle, db2, or sqlserver. The data source is the subname of the JDBC connection string for that driver and database. The documentation for the JDBC driver describes this subname. You can optionally enter the maximum rows to scan per table in the database.

      vendor-name:datasource[, maximum-rows-to-scan]

      For example:

      oracle:@//oracleserver.example.com:1521/mydatabase
      db2://db2server.example.com:50000/mydatabase,300

      For some SQL Servers, you must also specify the SQL instance name, as in the following example:

      sqlserver://sqlserver.example.com:1433/mydatabase;instance=myinstance

    • Specify Database Servers

      Click Add Content Roots > By Manual Entry to use a line editor to specify the databases you want to scan. SQL Database information that is entered here takes precedence over the default values and applies only to the database specified. You can optionally enter the maximum rows to scan per table in the database.

      Use the following syntax:

      vendor-name:datasource[, [username, password] [, maximum-rows-to-scan]]

  9. On the Filters tab, enter the optional Include and Exclude filters.

    Use the Include Filters and Exclude Filters to specify SQL databases and the tables that Symantec Data Loss Prevention should process or skip.

    When both Include Filters and Exclude Filters are used, the Exclude Filters take precedence. Any table that matches the Include Filters is scanned, unless it also matches the Exclude Filters, in which case it is not scanned.

    If the Include Filters field is empty, Symantec Data Loss Prevention performs matching on all tables. These tables are returned from the table query of the target SQL databases. If you enter any values in the field, Symantec Data Loss Prevention scans only those databases and tables that match your filter.

    The syntax is a pattern for the database, a vertical bar, and a pattern for the table name. Multiple patterns can be separated with commas. Standard pattern matching applies: "?" matches a single character and "*" (as in the examples below) matches any sequence of characters.

    Because table name matching is not case-sensitive for many databases, both the table name in the pattern and the table name it is matched against are converted to upper case before the match.

    The following example would match the employee table in all databases.

    *|employee

    The following example would match all tables in all Oracle databases.

    oracle:*|*

    For SQL Server 2005 and DB2, the default table query returns table names in the format schema_name.table_name. Include Filters and Exclude Filters for SQL Server and DB2 should match this format.

    See the following examples:

    sqlserver:*|HRschema.employee
    sqlserver:*|*.employee

  10. Select the Advanced tab for options to optimize scanning. On the Advanced tab, you can configure throttling options or Inventory Mode for scanning.

    • Throttling Options

      Enter the maximum number of rows to be processed per minute per detection server, the maximum number of bytes to be processed per minute per detection server, or both. If you select both options, both limits apply: the scan runs no faster than the specified number of rows per minute and no faster than the specified number of bytes per minute. For bytes, specify the unit of measurement from the drop-down list. The options are bytes, KB (kilobytes), or MB (megabytes).

    • Inventory Scanning

      Enter the number of incidents to produce before moving on to the next item to scan. The next item is the next database from the list in the Scanned Content tab. To audit whether confidential data exists on a target, without scanning all of it, set up Inventory Mode for scanning. Setting incident thresholds can improve the performance of scanning by skipping to the next item to scan, rather than scanning everything.
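The content-root syntax in step 8 is easy to get wrong in a hand-edited list, and a malformed line is only discovered once the scan fails. The following Python lint is an added example, not code from the article or from the DLP product; the sample lines, the scan_ro user name and its placeholder password are constructed, and the parsing rules (comma-separated fields, a trailing integer as the row limit, credentials accepted only in the manual-entry form) follow the syntax shown in step 8.

```python
VENDORS = ("oracle", "db2", "sqlserver")

# Constructed sample lines (not from the article) in the manual-entry syntax
# vendor-name:datasource[, [username, password][, maximum-rows-to-scan]];
# the uploaded-file syntax is the same minus the username/password pair.
SAMPLE_LINES = """
oracle:@//oracleserver.example.com:1521/mydatabase
db2://db2server.example.com:50000/mydatabase,300
sqlserver://sqlserver.example.com:1433/mydatabase;instance=myinstance
oracle:@//oracleserver.example.com:1521/hr, scan_ro, example-password, 500
mysql://notsupported.example.com:3306/db
"""

def parse_content_root(line, manual_entry=False):
    """Parse one line into a dict, or raise ValueError with the reason.
    Fields are comma-separated, so the JDBC subname must not contain commas
    (the ';instance=' form is fine). Credentials are only accepted in the
    manual-entry syntax; an uploaded file relies on the target's credentials.
    Error messages never echo field values, so they are safe to log."""
    parts = [p.strip() for p in line.split(",")]
    vendor, sep, datasource = parts[0].partition(":")
    if not sep or vendor.lower() not in VENDORS or not datasource:
        raise ValueError("expected vendor-name:datasource with a supported vendor")
    root = {"vendor": vendor.lower(), "datasource": datasource,
            "username": None, "password": None, "max_rows": None}
    extra = parts[1:]
    if extra and extra[-1].isdigit():          # trailing row limit
        root["max_rows"] = int(extra.pop())
    if extra:                                  # what remains must be user, password
        if not manual_entry or len(extra) != 2:
            raise ValueError(f"{len(extra)} unexpected field(s)")
        root["username"], root["password"] = extra
    return root

def lint_content_roots(text, manual_entry=False):
    """Validate a whole list before uploading it.
    Returns (roots, errors) where errors are (line_number, message)."""
    roots, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            roots.append(parse_content_root(line, manual_entry))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return roots, errors
```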
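To check the Include and Exclude filters from step 9 before a scan runs, here is an added Python example (not the product's own matching code) that applies the rules the article gives: comma-separated "database|table" patterns, upper-casing of table names on both sides, an empty Include meaning all tables, and Exclude taking precedence over Include. It assumes glob-style matching ("*" and "?") via fnmatch and that the database half is compared as written; the sample content roots and table names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample (not from the article): content roots of a target and the
# table names their table query would return. SQL Server and DB2 return
# schema_name.table_name; the Oracle root returns bare table names here.
SAMPLE_TABLES = {
    "oracle:@//oracleserver.example.com:1521/mydatabase": ["EMPLOYEE", "SALARY"],
    "sqlserver://sqlserver.example.com:1433/mydatabase": ["HRschema.employee", "dbo.logs"],
    "db2://db2server.example.com:50000/mydatabase": ["FINANCE.employee", "FINANCE.ledger"],
}

def parse_filter(text):
    """Split a filter field into (database_pattern, table_pattern) pairs.
    Patterns are comma-separated; each is '<db pattern>|<table pattern>'."""
    pairs = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma or blank entry
        db_pat, sep, tbl_pat = item.partition("|")
        if not sep:
            raise ValueError(f"filter {item!r} lacks the '|' separator")
        pairs.append((db_pat.strip(), tbl_pat.strip()))
    return pairs

def matches(pairs, database, table):
    """True if any pair matches. Both table halves are upper-cased, as the
    article describes; the database half is matched as written (assumption).
    Glob semantics ('*', '?') come from fnmatch, also an assumption."""
    return any(fnmatchcase(database, db_pat)
               and fnmatchcase(table.upper(), tbl_pat.upper())
               for db_pat, tbl_pat in pairs)

def is_scanned(database, table, include="", exclude=""):
    """Precedence rules: an empty Include matches every table, and a table
    that also matches Exclude is never scanned."""
    inc, exc = parse_filter(include), parse_filter(exclude)
    included = not inc or matches(inc, database, table)
    return included and not matches(exc, database, table)

def plan_scan(tables, include="", exclude=""):
    """List the (database, table) pairs the filters would let through."""
    return [(db, t) for db, names in tables.items() for t in names
            if is_scanned(db, t, include, exclude)]
```

Running plan_scan over a copy of your real table inventory shows exactly which tables a filter pair admits, which is the quickest way to catch an Include that silently matches nothing for a schema-qualified SQL Server or DB2 table name.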