Data Loss Prevention

  • 1.  Can we monitor DLP IDM and EDM by DLP Endpoint

    Posted Sep 08, 2012 02:30 AM

    Hi,

    I am using Symantec DLP 11.1. I made some IDM and EDM policies and want to monitor them with the DLP endpoint agent, but I am not able to generate incidents.

    I know that in DLP 11.6 we can monitor IDM and EDM with the DLP Endpoint. But can we do the same in DLP 11.1?



  • 2.  RE: Can we monitor DLP IDM and EDM by DLP Endpoint

    Broadcom Employee
    Posted Sep 08, 2012 11:10 PM

    The IDM and EDM policies can work on the DLP endpoint agent. But there are some limitations.

    For example, if you create an IDM policy and the end user copies a document that violates it to a USB disk, the DLP agent cannot block the action. But an incident will be generated on DLP Enforce. The admin can audit this kind of incident.

    This function is OK on DLP 11.1. Could you double check your endpoint incident?



  • 3.  RE: Can we monitor DLP IDM and EDM by DLP Endpoint

    Posted Sep 10, 2012 05:19 PM

    Manish,

    yang_zhang is correct. It does function, but there are restrictions to it. The main thing is that you need to configure the functionality to happen. My understanding is we can leverage the IDM/EDM only if there is what's called a Two-Tier policy.**(See correction below) This would involve putting 2 rules in a policy:

    1. Look for copy to USB

    AND

    2. Compare data to IDM/EDM

    Because we will hit the first (USB Copy rule), we will then send the data back to analyze against rule 2. This will result in successfully generating an incident.

    To my understanding, we don't yet fully support an explicit IDM/EDM rule by itself in a policy on the endpoint.**(See correction below) The other option is to look into using the VML option. VML is supported on the endpoint, and in some cases can provide just as good coverage, depending on how good the data sets are that are provided to the engine to analyze.

    **CORRECTION**

    I apologize, as my above comment wasn't 100% accurate. We do support single-tiered IDM/EDM, as yang_zhang had illustrated. I should clarify that my suggestion is that, for the sake of scalability and network bandwidth, you might want to consider the Two-Tier detection method instead. With many types of data needing to be compared to IDM/EDM rules, there is more data which will need to be sent back to the detection server.



  • 4.  RE: Can we monitor DLP IDM and EDM by DLP Endpoint

    Posted Sep 21, 2012 01:37 AM

    EDM and IDM can work when endpoints are connected to the endpoint server, but if they are not connected or are offline, they will work on DCM.



  • 5.  RE: Can we monitor DLP IDM and EDM by DLP Endpoint

    Posted Dec 07, 2012 01:05 AM

    Yes, you can do it, but only when the endpoint agent is connected to the endpoint server. Off the corporate network it will just check for DCM.