Automatic Remediation Tracking (ART) aligns your organization’s incident backlog with what’s actually happening today
# Best Practices: Automatic Remediation Tracking (ART)
## Overview
Automatic Remediation Tracking (ART) is a feature within Symantec DLP High Speed Discovery (HSD) designed to solve "incident bloat." It synchronizes the DLP incident backlog with the current state of the file system by automatically verifying if past violations still exist during subsequent scans. This addresses the common issue where SOC teams waste time investigating incidents for files that have already been deleted, modified to remove sensitive data, or are no longer violations due to updated policies.
## Key Recommendations
### Immediate Actions
1. **Identify High-Discovery Targets:** Locate your File System High Speed Discovery (HSD) scan targets that have large incident backlogs.
2. **Enable ART Manually:** ART is not enabled by default. Open the **Advanced tab** of each File System HSD scan target's configuration and opt in there.
3. **Perform a Baseline Scan:** Run a new scan with ART enabled to allow the system to reconcile existing incidents against the current environment.
### Short-term Improvements (1-3 months)
1. **Update Triage Workflows:** Educate the SOC team on the new remediation classifications (e.g., "Item No Longer Exists") so they can filter out closed incidents.
2. **Dashboard Integration:** Update DLP dashboards and reports to exclude, or separately categorize, incidents that ART has marked as remediated, so they show a more accurate view of "live" risk.
3. **Policy Tuning:** Utilize ART data to identify "Item Modified" trends, which can indicate whether users are successfully self-remediating based on DLP notifications.
### Long-term Strategy (3+ months)
1. **Automated Governance:** Use the REST API to export ART-cleared incident data into GRC (Governance, Risk, and Compliance) tools to demonstrate proactive risk reduction.
2. **Scan Schedule Optimization:** Align HSD scan frequencies with business needs to ensure the incident backlog never stays "stale" for more than a set period (e.g., weekly reconciliation).
## Implementation Guidance
### For Small Organizations
- Use ART to act as a "force multiplier." If you lack a dedicated team to manually close incidents, let ART handle the cleanup so the part-time admin only sees active, valid threats.
### For Medium Organizations
- Focus on the **"Policy Change"** aspect of ART. When security policies are updated, use ART-enabled scans to automatically clear old incidents that no longer violate the new, refined rules.
### For Large Enterprises
- Integrate ART with existing SOAR (Security Orchestration, Automation, and Response) platforms via REST API. Use the automatic closure classifications to trigger downstream cleanup in ticketing systems like Jira or ServiceNow.
## Configuration Examples
**Enabling ART in Symantec DLP:**
1. Open the **Enforce HTML console**.
2. Navigate to **Manage > Discover > Scan Targets**.
3. Select a **File System High Speed Discovery** target.
4. Click the **Advanced** tab.
5. Enable the **Automatic Remediation Tracking** option.
6. Save and **Run** the scan.
**Classification States Generated:**
- `Item No Longer Exists`: File deleted or moved from the scanned repository.
- `Item Modified`: File still exists, but the policy matches that triggered the incident are no longer present.
- `Policy Changed`: Item remains, but the underlying policy no longer flags it as a violation.
## Compliance Alignment
- **NIST SP 800-53:** Supports SI-4 (Information System Monitoring) and CP-2 (Contingency Planning) by ensuring data integrity in monitoring reports.
- **ISO/IEC 27001:** Aligns with A.12.4.1 (Event logging) and A.18.1.1 (Identification of applicable legislation/requirements) by maintaining an accurate audit trail of remediation.
- **CIS Controls:** Supports Control 3 (Data Protection) by maintaining accurate inventories of sensitive data locations.
## Common Pitfalls to Avoid
- **Assuming Default Enablement:** Admins often expect systems to clean up after themselves automatically; ART requires a deliberate "opt-in" in settings.
- **Ignoring API Updates:** Failing to update custom reporting scripts to account for the new ART status attributes can lead to "ghost" incidents appearing in custom-built executive reports.
- **Over-reliance for Forensics:** Remember that ART tells you the incident is *now* resolved; it does not replace the need to investigate *why* or *how* sensitive data was there in the first place if a breach is suspected.
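The dashboard update under "Short-term Improvements", the REST API export under "Long-term Strategy" and the "Ignoring API Updates" pitfall above all come down to the same reporting change: a script that counts the backlog must read the ART classification state, not just the workflow status, and must cope with states it does not recognise. The Python below is an added example written for this report; it is not Symantec's code and does not call the Enforce REST API. It works on an already-exported incident list and assumes the field names `incident_id`, `status`, `art_classification` and `last_verified` (all assumptions, not documented API attributes), with constructed sample records. It contrasts a legacy "open count" that produces ghost incidents with a reconciliation that separates live risk, ART-remediated items, unrecognised states and incidents whose last verification is older than the reconciliation period from "Scan Schedule Optimization".

```python
"""Reconcile an exported DLP incident list against ART classification states.

Added example for this report; not Symantec's code and not a call to the
Enforce REST API. It assumes incidents were already exported (e.g. to JSON)
and that each record carries these ASSUMED field names: ``incident_id``,
``status`` (workflow status), ``art_classification`` (one of the ART states,
or None if the last scan still found the violation) and ``last_verified``
(UTC timestamp of the scan that last checked the file).
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

# The three classification states listed under "Classification States Generated".
ART_REMEDIATED = frozenset({"Item No Longer Exists", "Item Modified", "Policy Changed"})

# Constructed sample export: six fictitious incidents, not real data.
SAMPLE_INCIDENTS = [
    {"incident_id": 1001, "status": "New", "art_classification": None,
     "last_verified": "2024-05-01T02:00:00Z"},
    {"incident_id": 1002, "status": "New", "art_classification": "Item No Longer Exists",
     "last_verified": "2024-05-01T02:00:00Z"},
    {"incident_id": 1003, "status": "In Process", "art_classification": "Item Modified",
     "last_verified": "2024-05-01T02:00:00Z"},
    {"incident_id": 1004, "status": "New", "art_classification": "Policy Changed",
     "last_verified": "2024-05-01T02:00:00Z"},
    # Still a violation, but not re-verified for weeks: the backlog is stale here.
    {"incident_id": 1005, "status": "New", "art_classification": None,
     "last_verified": "2024-03-15T02:00:00Z"},
    # A value the script does not recognise (different casing): it must be
    # surfaced as unknown, not silently counted as live or as remediated.
    {"incident_id": 1006, "status": "New", "art_classification": "item modified",
     "last_verified": "2024-05-01T02:00:00Z"},
]

# Constructed "report time" used by the sample run below.
REPORT_TIME = datetime(2024, 5, 2, tzinfo=timezone.utc)


def _parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def legacy_open_count(incidents: list[dict]) -> int:
    """Pre-ART style report: every incident not marked Closed counts as open.

    It never looks at ``art_classification``, so incidents ART has already
    cleared keep inflating the number. These are the "ghost" incidents.
    """
    return sum(1 for inc in incidents if inc["status"] != "Closed")


def reconcile(incidents: list[dict], now: datetime,
              stale_after: timedelta = timedelta(days=7)) -> dict:
    """Split the backlog into live, ART-remediated, unknown and stale buckets.

    Returns sorted incident ids per bucket plus a per-classification Counter
    that can feed the "Item Modified" trend used for policy tuning.
    """
    live, remediated, unknown, stale = [], [], [], []
    trend: Counter[str] = Counter()
    for inc in incidents:
        cls = inc.get("art_classification")
        if cls is None:
            # The last scan still found the violation: this is live risk.
            live.append(inc["incident_id"])
            if now - _parse_utc(inc["last_verified"]) > stale_after:
                stale.append(inc["incident_id"])
        elif cls in ART_REMEDIATED:
            remediated.append(inc["incident_id"])
            trend[cls] += 1
        else:
            # Exact match only: a new or differently spelled state is reported, not guessed.
            unknown.append(inc["incident_id"])
    return {
        "live": sorted(live),
        "remediated": sorted(remediated),
        "unknown": sorted(unknown),
        "stale": sorted(stale),
        "trend": trend,
    }


def sample_report() -> dict:
    """Run the reconciliation over the constructed sample at the constructed report time."""
    return reconcile(SAMPLE_INCIDENTS, REPORT_TIME)


if __name__ == "__main__":
    print("legacy open count (includes ghosts):", legacy_open_count(SAMPLE_INCIDENTS))
    for bucket, value in sample_report().items():
        print(f"{bucket}: {value}")
```

The legacy count reports six open incidents, while the reconciliation shows only two that still represent live risk (one of them not re-verified within the seven-day window), three that ART has cleared, and one record whose state string the script does not recognise. Treating unrecognised states as a separate bucket rather than folding them into "live" is the safeguard against the "Ignoring API Updates" pitfall: when an attribute changes, the report breaks visibly instead of silently re-inflating.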
## Resources
- **Technical Documentation:** [https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/26-1/managing-discover-scan-targets/high-speed-discovery/high-speed-discovery-features/automatic-remediation-tracking-for-hsd.html]
- **Symantec DLP REST API Guide:** [Contact vendor for specific defanged links]
- **Symantec Network Discover Overview:** [https://www.broadcom.com/products/cybersecurity/information-protection/data-loss-prevention]