
DGM for USB Endpoint detection

Created: 06 Oct 2011 | 2 comments
madstan's picture

Does anyone know if I can use DGM static profiles for USB endpoint detection? I see some conflicting information on whether it is possible. My goal is to notify users for USB events for a certain group of IP addresses. Consequently, I will need to use EDM to create the DGM profile. However, from some of the documentation, it appears EDM cannot be used on the endpoint agent, but is in fact implemented on the Endpoint server, thereby not allowing user notification. Has anyone tried this method?



Bill.Hayes's picture

When we implemented endpoint DLP, our consultant dissuaded us from using EDM. Instead we are using, in part, regex and data types to help identify endpoint incidents.

Keith Reynolds - ExchangeTek's picture

Your understanding is correct.  EDM, IDM, and DGM are implemented on the Endpoint server, not on the Endpoint itself, so you can not perform a block on the Endpoint based on indexed data.

In reference to Bill's response, the reason why your consultant dissuaded you from using EDM on the Endpoint is due to agent performance and network bandwidth utilization. If you have an EDM-based rule deployed to Endpoint Agents, the agent needs to "ship" each file it inspects over to the Endpoint Server for deeper inspection. Multiply that by the number of files an agent inspects per day on average, then by the number of agents you have deployed, and you're typically looking at a TON of traffic. I've heard of customers having significant production network issues due to poorly designed policies using EDM on the Endpoint. It can be done, but you have to be VERY careful in how you design it.