Channel: Symantec Connect - Products - Articles

DLP custom plugin


You may find that Symantec DLP lacks some functionality you need, especially in DLP incident processing.
To work around this, you can implement plugins that allow you:
- to add information to a DLP incident using incident custom attributes, which your plugin populates
- to interface DLP with a third-party system.
By design, DLP lets you use different types of plugin:
- Legacy: if you want to use some "old" DLP plugins.
- LDAP: if you want to populate custom attributes using information stored in an LDAP directory (native LDAP, Active Directory, ...). You can declare as many LDAP plugins as you need.
- CSV: if you want to populate custom attributes using information stored in a CSV file. You can declare only one plugin of this type.
- Custom: if you want to populate custom attributes or interface with another system using home-made software or a script.

DLP plugins are executed on the Enforce server each time a new incident is generated and each time a user requests a manual execution.

This article focuses on custom plugin configuration and best practices. I like Python for developing plugins: first, because it runs on all DLP-compatible operating systems (Windows, Linux); second, because it is efficient in script execution; third, because I know Python.

Your script is invoked using your plugin configuration parameters, with all requested parameters appended:

<main software> <parameters and script> <DLP key parameters> <custom attribute>

All key parameters and custom attributes are passed as "key=value" pairs separated by a space.
To send values back to DLP, you must write "<custom attribute name>=value" to standard output.

My advice for building an efficient and manageable plugin:
- Even if you are only developing a script, handle errors properly, with all the checks needed to avoid a crash.
- Implement audit capabilities in your script so that you can debug it if any issue occurs.
- Use an external file to manage the plugin configuration. This lets you update only that file without editing or modifying the main script.
- To avoid unnecessary resource consumption on your Enforce server, be sure to use "Protocol filtering" or include the equivalent check in your script (especially if it is not necessary to compute a value for some specific incident types).
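
A minimal skeleton that follows the invocation format and the advice above, added here as an illustration (it is not the author's sample script and not Symantec code). The parameter names `protocol` and `sender`, the custom attribute `Manager`, the protocol value `Discover`, the file name `plugin_config.json` and the lookup data are all assumptions made for the example.

```python
import json
import logging
import sys

log = logging.getLogger("dlp_plugin")
# Constructed defaults: protocol value, parameter names and lookup data are assumptions.
DEFAULT_CONFIG = {"skip_protocols": ["Discover"], "managers": {"alice": "Bob Smith"}}

def load_config(path="plugin_config.json"):
    """Read the external JSON config; fall back to defaults if missing or invalid."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {**DEFAULT_CONFIG, **json.load(fh)}
    except (OSError, ValueError, TypeError) as exc:
        log.error("config %s unusable: %s", path, exc)
        return dict(DEFAULT_CONFIG)

def parse_args(argv):
    """Turn ['key=value', ...] into a dict; malformed tokens are logged and skipped."""
    params = {}
    for token in argv:
        key, sep, value = token.partition("=")
        if not sep or not key:
            log.warning("ignoring malformed argument %r", token)
            continue
        params[key] = value
    return params

def clean(value):  # one line per result, so a value cannot add a second name=value
    return " ".join(str(value).split())

def run(argv, config):
    """Return the 'attribute=value' lines to write to stdout for this incident."""
    params = parse_args(argv)
    if params.get("protocol") in config["skip_protocols"]:
        log.info("protocol %s filtered, nothing to compute", params.get("protocol"))
        return []
    manager = config["managers"].get(params.get("sender", "").lower())
    return [f"Manager={clean(manager)}"] if manager else []

def main(argv):
    logging.basicConfig(stream=sys.stderr, level=logging.INFO)  # keep stdout for results
    try:
        for line in run(argv, load_config()):
            print(line)
    except Exception:
        log.exception("plugin failed; no attributes returned")

if __name__ == "__main__":
    main(sys.argv[1:])
```

Incident parameters are treated as untrusted input: they are only parsed and used as dictionary keys, never passed to a shell, and every returned value is collapsed to a single line before it is written.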

To illustrate this article, you will also find a video and a sample script on Symantec Connect.

