• DLP incidents can outlive the data, policies, or conditions that first triggered them.
• Automatic Remediation Tracking helps File System High Speed Discovery incidents reflect what is still relevant today.
• Enable ART and get the incident closure your SOC deserves.

DLP is the detect-or-die friend of every SOC worth their salt. It’s that hypervigilant, head-on-a-swivel partner, monitoring sensitive data and exposing potential compliance violations that threaten its security. Without solid DLP, sensitive data would flow freely into unauthorized hands. 

In many cases, organizations devote a whole team of humans to ensure even the best DLP keeps running smoothly. Tasked with monitoring how many violations (DLP incidents) have been detected and resolved, this team works tirelessly to ensure compliance business processes are in place and enforcement stays consistent. 

But this model isn’t always sustainable, especially for smaller or resource-strapped SOCs. ART changes that.

It ain’t over till it’s over

We all love DLP (I’m wearing my “I Heart DLP” shirt right now), so what’s the problem? 

Well, DLP can have a hard time letting go of the past. Organizations of all sizes face DLP’s historic inability to identify if and when an incident has been resolved. Unchecked DLP risks dragging SOCs back to old issues when it’s time to move on. 

How does this communication issue happen? In many cases, organizations align their resources to resolve the DLP violation, however, before they can even get to it, the file may have been deleted, or the owner removed the sensitive content, leaving the DLP incident hanging there unresolved. In some cases, the policy was re-tuned such that the same file no longer violates the organization's current policies. But when the incident that was generated still exists it can keep sounding the alarm by indicating that the compliance issue is ongoing, even if the original exposure story is over.

Reconciling past and present policy is ART

This is where the Symantec® feature, Automatic Remediation Tracking (ART), comes in as the perfect pairing for hard-working DLP. The latest release of Network Discover High Speed Discovery masters the ART of resolution. This new feature of Symantec DLP’s High Speed Discovery helps organizations distinguish active violations from past incidents that the scan has already resolved. ART enables High Speed Discovery File System scans to make sure past incident reports stay up to date, without losing valuable intel on the reason behind the original red flag. 

ART steps in with a time-and-truth reckoning that reconciles past incidents, preserves valuable insights, and lets SOC live in the present and strategize for the future. 

• When ART is enabled, it evaluates whether the offending incident is still an issue in the subsequent scan.
• These scans can determine that a file is no longer in violation of the policy that created the earlier incident.
• Best of all, ART records why the incident is now cleared, enabling informed triage, dashboards, and governance aligned with present-day policy reality.

ART is recursive, constantly re-evaluating items that have already generated DLP incidents when the target is scanned again. As long as ART is enabled, when teams re-run DLP scans, ART steps in with a relevance comparison that reflects the relevance of the file that generated the incident. When the re-scan concludes that the same file no longer violates the relevant policy, ART updates the incident with a clear remediation classification. This classification leaves a helpful explanation of why the incident can be put to rest, and closes the loop between “what we saw then” and “what the scan sees now.” 

How does Automatic Remediation Tracking work?

Let’s break it down with some commonly asked questions about the ART feature:

How does ART for DLP work?

ART is Powered by High Speed Discovery (HSD), a system built for fast, large-scale inspection of data at rest. ART adds an incident lifecycle dimension to HSD, asking key questions about what sensitive info was found and whether that info still needs attention after file and policies have changed. 

Can ART for DLP replace human decision-making? 

ART does not replace human judgment on every alert just yet. However, it is crucial to triage. ART enables closure of past incidents or policy violations, helping organizations stay focused on real and existing concerns.

What kind of DLP incidents can ART mark as closed?

• Item No Longer Exists. The file that generated the incident cannot be observed in the repository anymore at the boundaries your scan understands. For example, the sensitive file was removed, deleted, or is no longer present for DLP to report. In these cases, ART can mark the violation’s subject as gone, so effort isn’t spent on a now-irrelevant incident.
• Item Modified. The file is still present but its content or attributes have changed such that it no longer violates the DLP policy the way it did when the incident was created. ART ties that story to the incident so analysts see self-healing or owner action, not a frozen snapshot of an old match.
• Policy Modified. The file is effectively unchanged from the scan’s point of view, but the DLP policy configuration changed (or was disabled) so the same content no longer violates policy. ART records the resolution as policy-side, which matters for audit narratives as it clearly distinguishes “data changed” and “rules changed” resolutions.

Why does Automatic Remediation Tracking matter for operations and compliance? 

It’s hard to overstate the value of ART as an enabled feature of Symantec DLP. ART reevaluates past incidents on an ongoing basis so that SOC teams don’t have to. ART equips teams with—

• Triage that matches reality. ART makes a clear distinction between incidents that still represent a live match and those whose underlying story belongs in the past.
• Metrics that reflect SOC success. ART makes the SOC look good by eliminating backlog inflation caused by an excess of stale incidents.
• Complete and expedient incident analysis. ART tells the whole story—in terms humans can grasp. And it tells it quickly, so that humans don’t waste valuable time.
• Evidence-backed governance. ART shows not only that something was once sensitive, but also indicates whether the item and policy story still supports urgent action, clarifying human priorities quickly.

Bring your team into its ART era

Automatic Remediation Tracking helps teams answer a question that every security program eventually faces, and too often: does this finding still deserve our attention? 

ART completes the picture for File system High Speed Discovery incidents—not only detection, but whether the situation still holds after items and policies change. As they change, this  helps teams determine whether an earlier incident still reflects today’s risk. 

High Speed Discovery is built for fast, large-scale inspection of data at rest; ART adds an incident lifecycle dimension to it, such as what sensitive info was found, and whether it still matters after items and policies change. As long as ART is enabled, when you re-run the scans, the relevance comparison becomes possible.

And it does it all on your terms. ART doesn’t add extra work to the SOC because it uses the same reporting and API surfaces teams already use for remediation-style incident attributes, so filtering, export, and automation don’t require a parallel model. SOCs rejoice!

ART is not enabled by default, but administrators can enable it with ease. Simply use the Advanced tab on the File System High Speed Discovery scan target. This extra “opt-in” step ensures the behavior is aligned with deliberate program design.

For step-by-step configuration, version-specific behavior, and REST API details, check out the technical documentation.

For teams yet to start their data security journey, reach out to your in-region expert for a demo.