Data Loss Prevention

  • 1.  Network Monitor HTTP Requests

    Posted Sep 06, 2013 03:30 PM

    I have a question about how Network Monitor works with HTTP.

    I know that it works great and creates incidents when a message goes from a client on the local network to a server on an outside network. So basically, when a client does a POST to an outside server.

    What about scenarios where an outside user requests data from one of our web servers and we respond back with some sensitive data that matches a DLP rule (in the clear, non-HTTPS)? Would that get captured by the Network Monitor?

    Thanks for the help, I really hope this made sense.

    -Tom



  • 2.  RE: Network Monitor HTTP Requests

    Broadcom Employee
    Posted Sep 07, 2013 06:42 AM

    So, what you said is to monitor the HTTP GET request.

    By default, the PacketCapture of the DLP Monitor will discard HTTP GET requests. But you can enable it by modifying an advanced server setting.

    Just open the Advanced Server Settings of your monitor and find the option:

    PacketCapture.DISCARD_HTTP_GET

    Change the value from true to false.

    Then the HTTP GET requests will be captured and monitored.



  • 3.  RE: Network Monitor HTTP Requests

    Trusted Advisor
    Posted Sep 09, 2013 02:57 AM

     Hi Tom,

     I don't think it will raise any incident, because it is an HTTP POST response, and when you capture a message you are only able to start with an HTTP POST request.

     So if it is a "normal" request (or at least one whose signature/parameters/... you know), you can try to track them (on the incoming request) and check where it comes from. If it is not (for example, malware or an APT), it will be quite difficult to track them with DLP because, as DLP is a content-aware solution, you usually need to know what you are looking for (this also avoids having too many DLP incidents which you cannot process).

     Regards.