A policy is a set of conditions that you configure to monitor access events on files and folders stored on various repositories. Symantec Data Insight policies help you detect the sources of threat, access patterns on sensitive data, and anomalous user behavior. Data Insight receives information about sensitive files from Symantec Data Loss Protection (DLP). You can also import sensitive file information in to Data Insight using a CSV file.
Policies must include at least one condition that is configured to detect abnormal access patterns or user behavior. Data Insight generates an alert whenever it detects any violation of a condition in a configured policy.
Policies can be configured with three severities, namely, high, medium, and low. You can assign the severity level to a policy based on your organizational needs. For example, the Information Security team can define policies to monitor accesses on the share \Finance
. For this purpose, they can configure a policy with a medium severity to monitor accesses on folders containing Finance policies and guidelines files. Whereas, they can configure a policy with a high severity to monitor accesses on files containing payroll information. When an alert is generated for a policy violation, the severity of the policy is associated with the alert.
Data Insight comes packaged with the following out-of-the-box policies that you can configure according to your needs:
Data Activity Trigger policy
Use this policy to define the maximum cumulative count of the meta operations on the selected paths. For example, if you have defined the maximum accesses per day as 500 on the share \\netapp1\finshare
, and the total access count by the active set of users exceeds 500, then Data Insight generates an alert.
User Activity Deviation policy
Use this policy to define the threshold of deviation from the baseline activity. The baseline activity on a file or folder is the average number of accesses that are considered normal based on past access counts. If the activity, by the selected users, on the selected data exceeds the specified threshold of the baseline (for example, three standard deviations above the baseline activity), and the maximum accesses allowed per day, Data Insight generates an alert.
You can configure how many standard deviations a user is allowed to deviate from the defined baseline.
Data Activity User Whitelist-based policy
Use this policy to define a whitelist of users based on the Active Directory custom attributes, who can access selected shares or paths. Also, you can create such a policy with multiple conditions with multiple values for the same custom attributes .
If users, other than those defined in the whitelist, access selected data, Data Insight generates an alert.
Data Activity User Blacklist-based policy
Use this policy to define a blacklist of users based on the Active Directory custom attributes, who should not be accessing selected shares or paths. Also, you can create such a policy with multiple conditions with multiple values for the same custom attributes .
If users, who are included in the blacklist, access selected data, Data Insight generates an alert.