Data Loss Prevention

  • 1.  Contents on screen using DLP

    Posted Feb 22, 2012 06:12 AM

    Hi,

    My client wants to know if it is possible to monitor the content on the user's screen inside a browser. For example: if we have a web application that is running on IE, say a user opens a page that contains customer information, i.e. a credit card number and account number.

    Would it be possible to have an incident regarding this?

    Regards,

    Yusuf



  • 2.  RE: Contents on screen using DLP

    Posted Feb 22, 2012 12:22 PM

    Using Network Prevent for Web you can monitor HTTP GET requests for things like that but it is generally not recommended for 2 main reasons:

    DLP is for preventing data loss. It is impossible to lose data by viewing a web page (only by posting to it).

    You'd have to spec your servers double what they would normally have because of the sheer volume of requests. It's better to use a completely different server if you need this functionality.

    Hope this helps
    ~Xavier


    If this post helps you or solves your problem, please don't forget to vote up or mark as a solution so other people can find it.



  • 3.  RE: Contents on screen using DLP

    Posted Feb 23, 2012 03:20 PM

    Agree with Xavier on the above, except I'd probably triple it, and you'll have to turn the min size of content to inspect down significantly for Request processing.  For Response processing, the default is 4096 bytes.  I usually turn that down to 2048 to inspect lower volume posts.  For request processing, you're going to need that at less than 1k, so you're going to get a whole lot of traffic.

    The ONLY time I've seen this scale well in a production environment was when there was significant filtering done on the ICAP service on the proxy for the Request Mod action.  Without that, we estimated that where we needed only 1 Web Prevent server for Response Mod processing, we needed 3 for doing both Response and Request Mod processing.

    Also, to Xavier's point, the Req Mod poses very little risk with regards to data loss, at least at a significant level.  Yes, a site not coded to standard HTTP conventions can use a request to capture data, but I believe a request is limited to 1024 bytes.

    ~Keith
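
    An added illustration of the size-threshold trade-off discussed in the post above (not part of Keith's post and not Symantec DLP's own detection code): a minimum inspect size decides which messages are scanned at all, shown with the 4096 and 2048 byte values from the post and a constructed value well under 1k. The card-number regex with Luhn check, the sample traffic and the host name are assumptions made for this example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum; discards digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(body):
    found = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def inspect(messages, min_size):
    """Scan only messages of at least min_size bytes.
    Returns (messages inspected, [(direction, card numbers found)])."""
    inspected, incidents = 0, []
    for direction, body in messages:
        if len(body.encode()) < min_size:
            continue            # below the minimum inspect size: never scanned
        inspected += 1
        cards = find_cards(body)
        if cards:
            incidents.append((direction, cards))
    return inspected, incidents

# Constructed sample traffic: two small GET requests, two larger responses.
SAMPLE = [
    ("request", "GET /customer?id=1001 HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    ("request", "GET /search?q=4111111111111111 HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    ("response", "<html>" + "x" * 2500 + "Card: 4111 1111 1111 1111</html>"),
    ("response", "<html>" + "x" * 5000 + "Order 1234567890123456</html>"),
]

if __name__ == "__main__":
    for threshold in (4096, 2048, 32):   # 32 stands in for "well under 1k"
        print(threshold, inspect(SAMPLE, threshold))
```

    With the 4096 byte threshold only the largest response is scanned and nothing is flagged; only the low threshold reaches the GET requests, at the cost of scanning every message.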



  • 4.  RE: Contents on screen using DLP

    Posted Feb 23, 2012 03:30 PM

    Thanks for fleshing that out Keith!



  • 5.  RE: Contents on screen using DLP

    Posted Feb 25, 2012 12:41 AM

    Thanks Xavier and xlloyd.

    We are in the process of deploying Network DLP. Just wanted to confirm whether "Network Prevent - Web" or "Network Monitor" will do to solve my problem.

    Thanks.



  • 6.  RE: Contents on screen using DLP

    Broadcom Employee
    Posted Feb 26, 2012 01:02 AM

    Both 'Network Prevent - Web' and 'Network Monitor' can achieve your requirement. Both of these kinds of Detection Server can be configured to monitor HTTP GET.



  • 7.  RE: Contents on screen using DLP

    Posted Feb 26, 2012 01:56 AM

    Thanks for confirming yang.

    Got to know that our client also has some mainframe and Java apps, so I would also like to know if Network Monitor/Prevent can also do this for mainframe applications and Java-based desktop applications.

    Will Endpoint Prevent do this for mainframe and Java-based desktop applications?



  • 8.  RE: Contents on screen using DLP

    Posted Mar 07, 2012 04:15 PM

    The root of the problem should be addressed by the source application itself via audit logs or real-time alerts, not after the fact with DLP.



  • 9.  RE: Contents on screen using DLP

    Posted Mar 12, 2012 12:12 PM

    Hi Yusuf,

    The above solutions are correct. You can prevent this using Network Prevent for Web, Endpoint Prevent. This will not only monitor the application that you implemented but also all web traffic.

    Add-ons:

    You can also monitor/scan the confidential data if print screen is used, called as cliparts etc.

    Hope you got answer.

     

    Regards

    Kishorilal



  • 10.  RE: Contents on screen using DLP

    Posted Mar 28, 2012 10:06 AM

    Hi Yusuf,

    This can also work with Endpoint Prevent on the FTP, HTTP and HTTPS protocols. So when a user uses IE and these communication protocols, then as per policy it can block. The Endpoint DLP agent can do this.