250-438: Symantec Data Loss Prevention Administration – 15.5
Exam Study Guide v2.0
Copyright © 2020 Broadcom Incorporated. All rights reserved. Specifications and product offerings are subject to change without notice.
Exam Description
Candidates can validate technical knowledge and competency by becoming a Symantec Certified Specialist (SCS) based on your specific area of Symantec technology expertise. To achieve this level of certification, candidates must pass this proctored SCS exam that is based on a combination of Symantec training material, commonly referenced product documentation, and real-world job scenarios. This exam targets IT Professionals using the Data Loss Prevention product suite in an administrative role (including thorough knowledge of policy authoring and incident reporting). This certification exam tests the candidate’s knowledge on how to plan, implement, and administer Symantec Data Loss Prevention. For more information about the SCS program, see https://www.broadcom.com/support/symantec/services/education/certification.
Recommended Experience
It is very strongly recommended that the candidate has 6-9 months regular experience working with the entire Symantec Data Loss Prevention product suite in a production or lab environment.
Study References
Courses: https://www.broadcom.com/support/symantec/services/education
Data Loss Prevention 15.5 Administration (5-Day Instructor-Led with hands-on labs)
• Data Loss Prevention Landscape
• Overview of Symantec Data Loss Prevention
• Identifying and Describing Confidential Data
• Locating Confidential Data Stored on Premises and in the Cloud
• Understanding How Confidential Data is Being Used
• Educating Users to Adopt Data Protection Practices
• Preventing Unauthorized Exposure of Confidential Data
• Remediating Data Loss Incidents and Tracking Risk Reduction
• Enhancing Data Loss Prevention with Integrations
Data Loss Prevention 15.5 Planning and Implementation (1-Day Instructor-Led with hands-on labs)
• Overview of Symantec Data Loss Prevention Products and Architecture
• Design Considerations for Implementing Symantec Data Loss Prevention
• Installing Symantec Data Loss Prevention
Data Loss Prevention 15.0 Differences (eLearning)
• DLP 15.0: Differences Training – Endpoint Enhancements
• DLP 15.0: Differences Training – CloudSOC Integration
• DLP 15.0: Differences Training – Discover
• DLP 15.0: Differences Training – Enforce
• DLP 15.0: Differences Training – Appliance
• DLP 15.0: Differences Training – Appliance Demo
Documentation: https://support.broadcom.com/security
• Symantec Data Loss Prevention 15.5 Product Documentation: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/information-security/data-loss-prevention/15-5.html
Product documentation referenced in this exam:
• Symantec Data Loss Prevention Administration Guide
• Symantec Data Loss Prevention System Requirements and Compatibility Guide
• Symantec Data Loss Prevention System Maintenance Guide
• Symantec Data Loss Prevention Installation Guide (Windows or Linux)
• Symantec Data Loss Prevention Upgrade Guide (Windows or Linux)
• Symantec Data Loss Prevention Cloud Prevent for Microsoft Office 365 Implementation Guide
• Symantec Data Loss Prevention Incident Reporting and Update API Developers Guide
• Symantec Data Loss Prevention Cloud Detection Service Getting Started Guide
• Symantec Data Loss Prevention Oracle 12c Enterprise Implementation Guide
Symantec Websites
• Symantec Data Loss Prevention landing page: https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention
Exam Objectives
The following tables list the Symantec SCS Certification exam objectives for the exam and how these objectives align to the corresponding Symantec course topics and their associated lab exercises as well as the referenced product documentation. Candidates are strongly recommended to complete all applicable lab exercises in preparation for the exam.
Data Loss Prevention Architecture and Overview
Exam Objectives    Applicable Course Content and Product Documentation
Describe Data Loss Prevention as it pertains to the industry.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Data Loss Prevention Landscape
Documentation: Symantec Data Loss Prevention 15.5 Administration Guide
• Introducing Symantec Data Loss Prevention
Describe the features and functionality of Symantec Data Loss Prevention.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Overview of Symantec Data Loss Prevention
• Course Labs:
o Identifying and Describing Confidential Data (Policy Configurations)
o Understanding How Confidential Data is Being
o Preventing Unauthorized Exposure of Confidential Data
Documentation: Symantec Data Loss Prevention 15.5 Administration Guide
• Introducing Symantec Data Loss Prevention
• Detection Server Technologies
• Deploying the Cloud Detection Service
• Implementing and working with Appliances
• Working with Information Centric Encryption
• Endpoint Agent Capabilities (Protect and Discover)
• Other chapters with overviews of products in the Symantec Data Loss Prevention product suite
Describe the Symantec Data Loss Prevention architecture including each product’s architecture.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Overview of Symantec Data Loss Prevention
Documentation: Symantec Data Loss Prevention 15.5 Administration Guide
• Introducing Symantec Data Loss Prevention
• Installing and Implementing Detection Servers
• Optical Character Recognition
• Network/Endpoint Discover
• Other chapters with overviews of products in the Symantec Data Loss Prevention product suite
Symantec Data Loss Prevention 15.5 System Requirements and Compatibility Guide
• Hardware Requirements
Data Loss Prevention Installation and Configuration
Exam Objectives    Applicable Course Content
Describe how to install Data Loss Prevention.
Documentation: Symantec Data Loss Prevention Administration Guide
Install additional Detection capabilities
• Managing Enforce Server services and settings
Symantec Data Loss Prevention Installation Guide (Windows or Linux)
• Planning a DLP Install
Describe the process for installing and/or registering DLP components in the cloud.
Course: Symantec Data Loss Prevention 15.5 Administration
• Modules:
o Locating Confidential Data Stored on Premises and in the Cloud
o Understanding How Confidential Data is Being Used
Documentation: Symantec Data Loss Prevention Administration Guide
• Installing and managing detection servers and cloud detectors
Symantec Data Loss Prevention Cloud Prevent for Microsoft Office 365 Implementation Guide
Symantec Data Loss Prevention Installation Guide
• Security Configurations
• Understanding Post-Install Tasks
Given a scenario, determine how to configure policies to effectively capture incidents, including all detection methods.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Identifying and Describing Confidential Data
• Course Labs:
o Identifying and Describing Confidential Data (Policy Configurations)
o Understanding How Confidential Data is Being
o Preventing Unauthorized Exposure of Confidential Data
Documentation: Symantec Data Loss Prevention Administration Guide
• Detection Technologies (DCM, EDM, IDM, VML, etc.)
• Testing and Tuning
• Authoring policies
Given a scenario, describe how to configure and manage automated and smart response rules to appropriately remediate specific types of incidents.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Preventing Unauthorized Exposure of Confidential Data
• Course Labs:
o Remediating Data Loss Incidents and Tracking Risk Reduction
Documentation: Symantec Data Loss Prevention Administration Guide
• Configuring policy response rules and actions
Describe how to configure Network Prevent with appropriate MTAs or web proxies to capture incidents and block network communications.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Understanding How Confidential Data is Being Used
• Course Labs:
o Understanding How Confidential Data is Being Used
Documentation: Symantec Data Loss Prevention Administration Guide
• Configuring policy response rules and actions
Describe how to configure Network Discover/Cloud Storage targets (repositories) to capture incidents and configure Network Protect actions.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Locating Confidential Data Stored on Premises and in the Cloud
• Course Labs:
o Understanding How Confidential Data is Being Used
Documentation: Symantec Data Loss Prevention Administration Guide
• Discovering where confidential data is stored
• Working with Information Centric Encryption
Describe how to configure Endpoint Prevent agents to perform endpoint actions and configure Endpoint Discover targets to capture endpoint incidents.
Course: Symantec Data Loss Prevention 15.5 Administration
• Modules:
o Understanding How Confidential Data is Being Used
o Locating Confidential Data Stored on Premises and in the Cloud
• Course Labs:
o Locating Confidential Data Stored on Premises and in the Cloud
Documentation: Symantec Data Loss Prevention Administration Guide
• Using Endpoint Prevent
• Discovering and preventing data loss on endpoints
• Working with Information Centric Encryption
• Configuring policy response rules and actions
• Working with Agent Configurations and Devices
Given a scenario, describe how to use APIs to integrate DLP with other Symantec solutions (such as CloudSOC and ICE) and third-party products.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Enhancing Data Loss Prevention with Integrations
Documentation: Symantec Data Loss Prevention Incident Reporting and Update API Developers Guide
• About the Update and Reporting API
Data Loss Prevention Managing and Reporting
Exam Objectives    Applicable Course Content
Given a scenario, describe and apply the various tasks and tools associated with server and system administration.
Course: Symantec Data Loss Prevention 15.5 Administration
• Course Labs:
o Understanding How Confidential Data is Being Used
Documentation: Symantec Data Loss Prevention Administration Guide
• Managing the Enforce Server platform
• Installing and managing detection servers and cloud detectors
• Advanced Server Settings
Describe how to manage DLP Agents.
Course: Symantec Data Loss Prevention 15.5 Administration
• Modules:
o Locating Confidential Data Stored on Premises and in the Cloud
o Understanding How Confidential Data Is Being Used
• Course Labs:
o Understanding How Confidential Data Is Being Used
Documentation: Symantec Data Loss Prevention Administration Guide
• Managing Agents
• Agent Configurations
• Application Monitoring
Describe how to create, use, and distribute reports in DLP using the available tools (Enforce GUI, IT Analytics, Reporting and Update API, and Incident Data Access Views).
Course: Symantec Data Loss Prevention 15.5 Administration
• Modules:
o Remediating Data Loss Incidents and Tracking Risk Reduction
o Enhancing Data Loss Prevention with Integrations
• Course Labs:
o Remediating Data Loss Incidents and Tracking Risk Reduction
Documentation: Symantec Data Loss Prevention Administration Guide
• Remediating and managing incidents
Describe how to remediate incidents effectively including use of role-based access control.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Remediating Data Loss Incidents and Tracking Risk Reduction
• Course Labs:
o Remediating Data Loss Incidents and Tracking Risk Reduction
Documentation: Symantec Data Loss Prevention Administration Guide
• Remediating and managing incidents
• Managing roles and users
Describe how to manage and maintain policies.
Course: Symantec Data Loss Prevention 15.5 Administration
• Modules:
o Identifying and Describing Confidential Data
o Preventing Unauthorized Exposure of Confidential Data
• Course Labs:
o Remediating Data Loss Incidents and Tracking Risk Reduction
Documentation: Symantec Data Loss Prevention Administration Guide
• Authoring policies
• Configuring policy response rules
• Data Retention
Given a scenario, determine how to reduce risk over time.
Course: Symantec Data Loss Prevention 15.5 Administration
• Module: Data Loss Prevention Landscape
Documentation: Symantec Data Loss Prevention Administration Guide
Data Loss Prevention Basic Troubleshooting
Exam Objectives    Applicable Course Content
NOTE: For each exam objective in this table, please familiarize yourself with the relevant articles in the Tech Support Knowledge Base (in addition to the particular documentation specified for each objective). To access KB articles, go to https://support.broadcom.com/security, click on Product Information, and search for products in the Data Loss Prevention suite. (KB articles are grouped by individual products in the suite.)
Given a scenario, identify database issues in Symantec Data Loss Prevention.
Documentation: Symantec Data Loss Prevention Oracle 12c Enterprise Installation Guide
• Installing Oracle 12c
• Verifying Database readiness
Symantec Data Loss Prevention System Maintenance Guide
Given a scenario, troubleshoot Enforce issues in Symantec Data Loss Prevention.
Documentation: Symantec Data Loss Prevention Administration Guide
• Various Detection Server Knowledge
• Working with User Risk
• Accessing the Enforce Console
Given a scenario, troubleshoot endpoint agent issues in Symantec Data Loss Prevention.
Documentation: Symantec Data Loss Prevention Administration Guide
• Manage DLP Agents (Installation/Removal)
Symantec Data Loss Prevention System Maintenance Guide
Given a scenario, troubleshoot detection issues in Symantec Data Loss Prevention.
Documentation: Symantec Data Loss Prevention Administration Guide
• Installing and Manage Detection/Cloud detection servers
• Detection Servers Basic Configuration
Symantec Data Loss Prevention System Maintenance Guide
Given a scenario, troubleshoot detection server issues in Symantec Data Loss Prevention.
Documentation: Symantec Data Loss Prevention Administration Guide
• Enforce and Detection Server Services
Symantec Data Loss Prevention System Maintenance Guide
Troubleshoot the installation/upgrade process using Symantec tools.
Documentation: Symantec Data Loss Prevention Upgrade Guide
• Upgrade Phases
• Database preparation
Symantec Data Loss Prevention Installation Guide
Describe how to configure Cloud Detection Service and integrate it with Symantec CloudSOC to monitor and protect data in motion and data at rest in cloud applications.
Documentation: Symantec Data Loss Prevention Administration Guide
• Working with Cloud Connectors
• Application Detection
Symantec Data Loss Prevention Installation Guide
• Installing an Enforce Server
Sample Exam Questions
Review the following sample questions prior to taking an exam to gain a better understanding of the types of questions asked.
1. What Symantec Data Loss Prevention product can monitor and block FTP transmissions?
A. Network Monitor
B. Network Prevent for Web
C. Network Prevent for Email
D. Network Discover
2. An organization wants to implement Endpoint Prevent and Endpoint Discover for 120,000 endpoint computers using transient connections. What is the minimum number of Endpoint Servers that an organization would need to install?
A. 4
B. 6
C. 8
D. 10
3. In which two (2) ways can the default listener port for a detection server be modified? (Select two.)
A. Through the Enforce user interface under System > Overview
B. By editing the Communication.properties file on a detection server
C. Through the Enforce user interface under Manage > Policies
D. By editing the MonitorController.properties file on a detection server
E. By editing the model.notification.port file on a detection server
4. A state governmental agency has digitized paper applications received from residents over the past several years, and recently the agency deployed a Form Matching policy to prevent these completed applications from leaving their network. However, when employees try to send official publications, blank application forms, or other non-confidential PDF documents externally, the Form Matching process seems to run much slower than expected. What can the agency do to improve Form Matching performance?
A. Replace all the files in the Form Matching profile's image gallery with higher resolution PDFs.
B. Reduce the Filling Threshold setting in the Form Matching policy's rules to a value of 4 or less.
C. Create fewer Form Matching profiles with a larger number of blank forms in each image gallery.
D. Protect the files with an EDM policy instead because EDM is inherently more efficient.
5. An organization is monitoring email based on DLP policies but is now ready to implement automated blocking. As part of the designed incident response process, the Incident Response team wants to foster awareness among end users by keeping them informed of any email that is blocked. Which response rule configuration will allow a DLP Administrator to block the email while providing context and incident information to the email sender?
A. Combine a Block SMTP Message with an Add Note action that includes incident variables
B. Combine a Modify SMTP Message with an Add Note action that includes incident variables
C. Create Block SMTP Message and include incident variables in the Bounce Message to Sender field
D. Combine a Block SMTP with a Send Email notification action that includes incident variables
6. Which two (2) incident conditions are available to configure Automated Response Rules? (Select two.)
A. Incident Status
B. Sender Groups
C. Protocol or Endpoint Destination
D. Incident Match Count
E. File Size
7. Which response rule action will be ignored when using an Exact Data Matching (EDM) policy?
A. Network Prevent: Remove HTTP/HTTPS Content
B. All: Send Email Notification
C. Network Protect: Copy File
D. Endpoint Prevent: Notify
8. Which two (2) steps should a DLP Administrator take to analyze traffic over port 578 TCP? (Select two.)
A. Create the port 578 under System > Settings > Protocols > Add Protocol.
B. Add port 578 to the existing signature-based HTTP protocol under System > Settings > Protocols > HTTP.
C. Create port 578 under System > Servers and Detectors > Traffic > Add Protocol.
D. Enable Network Monitor detection for port 578 under System > Servers and Detectors > Overview Server > Detector Detail > Configure.
E. Enable Network Monitor detection for port 578 with a detection rule assigned to an active policy under Manage > Policy > Policy List.
9. A Chief Information Security Officer (CISO) wants to consolidate DLP Incident Remediation triage and follow up using a third-party Help Desk through Web Services. Which document advertises all of the available operations in the Incident Reporting and Update API?
A. Simple Object Access Protocol (SOAP)
B. Web Services Description Language (WSDL)
C. Simple Oriented Access Protocol (SOAP)
D. Web Services Definition Language (WSDL)
10. An incident responder is viewing a discover incident snapshot and needs to determine which information to provide to the next level responder. Which information would be most useful in assisting the next level responder with data cleanup?
A. Incident Details: Message Body content
B. Data Owner: From Data Insight
C. Incident Details: File Owner metadata
D. Access Information: File Permissions
11. A DLP Administrator is creating a role that contains an incident access condition that restricts users from viewing specific incidents. Which two (2) conditions can the administrator specify when creating the incident access condition in a role? (Select two.)
A. File type
E. Custom attribute
F. Recipient
G. File size
H. Policy group
12. An incident responder sees basic incident data but is unable to view specific details of the incident. What could be wrong with the configuration in the incident responder's role?
A. View option is selected, and all display attributes are deselected.
B. Incident Access tab conditions are specified.
C. Available Smart Response rules are deselected.
D. Server administration rights are deselected.
13. Which detection method should a DLP Administrator utilize to block files containing credit card numbers from being transferred from an endpoint computer to an external USB drive?
A. Keywords
B. Exact Data Matching
C. Vector Machine Learning
D. Data Identifier
14. A Network Monitor server has been installed. The server is receiving traffic but Enforce is NOT showing incidents. Running Wireshark indicates that the desired traffic is reaching the detection server. What is the most likely cause for this behavior?
A. The mirrored port is sending corrupted packets.
B. The wrong interface is selected in the configuration.
C. The configuration is set to process GET requests.
D. The communication with Enforce is interrupted.
15. Which two (2) pieces of system information are collected by Symantec Data Loss Prevention Supportability Telemetry? (Select two.)
A. Currently installed version of the Enforce Server
B. Number of policies currently deployed
C. Cumulative statistics regarding network traffic
D. File types for which there are incidents
E. Number of system alerts generated daily
16. Under which circumstances does CloudSOC refer a file for DLP Scanning?
A. When it matches parameters configured in Application Detection Configuration
B. When it matches parameters configured in the Enforce policy
C. When it matches parameters configured in Cloud Detection Service
D. When it matches parameters configured in CloudSOC
Sample Exam Answers:
1. B
2. A
3. A, B
4. C
5. D
6. C, D
7. D
8. A, D
9. B
10. B
11. B, E
12. A
13. D
14. D
15. A, D
16. A