Full Report
Could High Speed Discovery get any better? (Spoiler: It just did.)
Analysis Summary
This article describes features introduced in Symantec DLP 16.1, focusing on enhanced data classification and protection, specifically through integration with Microsoft Purview Information Protection (MPIP) and leveraging High Speed Discovery technology.
# Tool/Technique: Symantec DLP 16.1 with MPIP Integration
## Overview
Symantec DLP 16.1 introduces significant enhancements to data classification and auditing by deeply integrating with Microsoft Purview Information Protection (MPIP) labels. This allows organizations to automatically classify and tag sensitive data residing on endpoints, in the cloud, and on-premises (file shares) using existing DLP policies, coupled with High Speed Discovery for rapid scanning.
## Technical Details
- Type: Tool (Data Loss Prevention Software/Feature Enhancement)
- Platform: Enterprise Environments (Endpoints, Cloud applications, On-premises File/Network Shares)
- Capabilities: Automated data classification using MPIP labels, High-Speed Discovery for file systems, reuse of existing DLP policies, detailed auditing/reporting capabilities, and simultaneous remediation actions (classify, copy, quarantine).
- First Seen: October (for the full feature release in 16.1)
## MITRE ATT&CK Mapping
Symantec DLP is a defensive security product, so it does not map directly to an offensive technique; a DLP feature would only map to ATT&CK if the discussion concerned a bypass of the control. Instead, its capabilities correspond to the adversary tactics it is designed to counter:
- **TA0009 - Collection** (the sensitive data the DLP searches for and classifies)
- **TA0010 - Exfiltration** (the unauthorized data movement the DLP is meant to prevent)
*Note: As this is a product description for a legitimate security tool, mapping to specific offensive techniques is illustrative of the data the tool is designed to protect.*
## Functionality
### Core Capabilities
- **MPIP Integration:** Ability to read, suggest, and enforce MPIP labels on documents and emails based on content analysis performed by DLP policies.
- **Data at Rest Classification:** Classification and tagging of data residing on file/network shares using MPIP, enabled by High Speed Discovery.
- **Policy Reuse:** Admins can leverage existing, fine-tuned Symantec DLP policies to determine the correct MPIP tag to apply.
- **Automatic Encryption:** Documents labeled via DLP integration that also have RMS encryption enabled in Azure are automatically encrypted upon labeling.
### Advanced Features
- **High Speed Discovery for File Systems:** A rearchitected scanning engine capable of scan speeds of 1 TB/hour or more, designed to accelerate discovery across large on-premises shared storage.
- **Auditing Flexibility:** Option to generate DLP incidents specifically for audit tracking at the response rule level when applying MPIP tags, allowing targeted reporting on highly sensitive documents.
- **Granular Reporting:** New attribute capture in DLP incidents to record the applied MPIP label, and detailed classification reports showing distribution, attributes, and policies violated per scan.
- **Attribute-Based Control:** Ability to restrict data classification scans based on document size and type.
- **Streamlined Remediation:** Ability to classify, copy, and quarantine files simultaneously within the same scan target run.
## Indicators of Compromise
This section is not applicable in the usual sense, since Symantec DLP is a security solution rather than malware. Relevant indicators would instead concern the health and configuration of the DLP deployment itself, or the data exfiltration activity the system is designed to *prevent*.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on internal policy enforcement and discovery; no external C2 mentioned)
- Behavioral Indicators: N/A
## Associated Threat Actors
Symantec DLP is a widely deployed commercial security product. It is utilized by defenders across virtually all industries.
## Detection Methods
Detection focuses on verifying the integrity and proper functioning of the DLP suite and ensuring data is being classified as expected.
- Signature-based detection: N/A (Focus is on software functionality)
- Behavioral detection: Monitoring for unauthorized modifications to DLP policy configurations or scanning exclusions.
- YARA rules if available: N/A
## Mitigation Strategies
The tool itself serves as a mitigation strategy against unauthorized data exposure (Data Loss).
- Prevention measures: Implementing and enforcing updated DLP policies integrated with MPIP labels across all environments.
- Hardening recommendations: Ensuring the Discover (server) setup is scaled appropriately to handle High Speed Discovery loads and regularly reviewing incident generation settings to prevent database overload.
## Related Tools/Techniques
- Microsoft Purview Information Protection (MPIP)
- Symantec DLP 15.8 (Previous version supporting read/suggest MPIP labels)
- Data Security Posture Management (DSPM) solutions (as a related industry trend)