Data Loss Prevention

  • 1.  Endpoint Prevent Configuration causing very slow Outlook times

    Posted May 22, 2015 11:25 AM

    We have a need to monitor users that are copying files off their laptops when they are off the corporate network. So we’ve made an Endpoint Monitoring Policy.

     

    The problem is we get a big performance hit when users are opening or closing Outlook or adding PST files to Outlook when on the corporate network. When you check out the configuration below you can see I’m attempting to drop the network packets of anything that is not in the 192.168…. address range. (I’ve tried many different syntaxes so far, but it makes no difference; I’m happy to try anything people suggest.)

     

    I have clearly proven to myself that when I’m part of this policy, my Outlook takes 8-10 mins to open (with heavy network utilisation) and the same amount of time to add large PST files. When I remove my laptop from it, Outlook’s speed returns to normal.

     

    The solution\design is working as we want it to. I get an incident each time a user copies a file off the laptop when they are not on our corporate network, and not an incident when files are copied to network shares whilst on the corporate network.

     

    Has anyone got some tips, or can anyone work out if I’ve done anything wrong?

     

    The solution I have designed is this:

     

    Agent Configuration:

    Enable Monitoring: (I’ve ticked)
        Removable Storage
        CD/DVD
        Copy to Share

    Filter by File Properties: (default with added exclusions for .ost and .pst)

    1    Ignore     Local Drive
            $Cookies$\*,
            $InternetCache$\*,
            $LocalAppData$\*,
            $LocalAppData$\..\Temp\*,
            $LocalAppDataLow$\*,
            $RoamingAppData$\*,
            $Windows$\Prefetch\*,
            $Windows$\SoftwareDistribution\*,
            *\System Volume Information\*

    2    Monitor    CD/DVD, Removable Storage
            *.doc, *.docx, *.jar, *.mpp, *.pdf, *.ppt, *.pptx, *.rar, *.rtf, *.txt, *.wcm, *.xls, *.xlsx, *.zip

    3    Ignore     Local Drive, Removable Storage
            *.ost, *.pst, *.tmp, *.url, *.v2i, *.vmdk, *.vmem

    4    Ignore     Application File Access, Local Drive
            *

    Specify Default File Filter Action
    The following action will be applied to any file that does not match any of the file filters configured above:
        Monitor

    Filter by Network Properties

    IP Filters:
        +,192.168.0.0/16,*;-,*,*

    For the test:

    Agent Group
        Group Condition
            User Attributes
        Logged in User, and Always include these Agents.

    Policy

    Detection
        Protocol or Endpoint monitoring > Endpoint Destination > CD/DVD and Removable Storage and Copy to Network Share
        Endpoint Location > Off the Corporate Network

    Groups
        Test group of few users

    Response
        Send email on incident



  • 2.  RE: Endpoint Prevent Configuration causing very slow Outlook times

    Posted May 28, 2015 10:30 AM

    Hi,

    This may seem strange, but can you test this:

    - Remove "Endpoint Location > Off the Corporate Network" from Detection Rule

    - Add Detection Exception "Endpoint Location > Off the Corporate Network"

    Exceptions are on a higher level than Rules; therefore, instead of matching rules (in order), it will first look at exclusions. If the user/agent is on the Corporate Network, it will (or it should) ignore detection Rules.

     

    Regards



  • 3.  RE: Endpoint Prevent Configuration causing very slow Outlook times

    Posted Jun 10, 2015 06:26 AM

    Hi,

    Thanks for your reply, sorry I didn't see it sooner; I didn't get an email notification.

    I'll give this a go and let you know if it improves the Outlook performance.

    Thanks.



  • 4.  RE: Endpoint Prevent Configuration causing very slow Outlook times

    Posted Jun 30, 2015 10:49 AM

    Hi,

    Any news on this question?

     

    Regards.