Data Loss Prevention

  • 1.  Removing agents from the DLP console

    Posted Oct 27, 2015 08:53 AM

    Hey, 

    I was wondering what is the best practice for deleting old agents that haven't checked in for a while. What is the recommended course of action?

    • Do you delete the agent from the DLP Console?
    • What impact does leaving the agents that have lost connection have on the DLP Server (if any)?

    Thanks

     



  • 2.  RE: Removing agents from the DLP console

    Posted Oct 27, 2015 09:47 AM

    Hello Moriatty,

    You need to find out if they are roaming workstations which "can" get reconnected one day, or just workstations that have disappeared (re-imaged, broken, etc.).

    So check with an asset management tool (SCCM, Altiris, ...) to see the status of these workstations.

    And if they are missing, you can delete them from console.

     

    You could also use a standard IT process like we have for Active Directory accounts.

    If the agent has been disabled for more than X months, you can delete it.

     



  • 3.  RE: Removing agents from the DLP console
    Best Answer

    Posted Oct 27, 2015 04:25 PM

    # Do you delete the agent from the DLP Console?

    Yes, however there are multiple approaches different organizations take on the topic. There are people who:
    1.) filter out a list of systems older than certain date
    2.) compare them with supplementary sources like (a) antivirus dump, (b) active directory dump, (c) DNS/DHCP dump to determine whether these are seriously not connected for that period & rule out the possibility of a DLP agent corruption/tampering
    3.) delete the agent from console

    Others with organized assets receive a decommissioning report which includes assets that were retired, and DLP admins can then delete such clients.

    # What impact does leaving the agents that have lost connection on the DLP Server (if any)

    Leaving the agents affects Audits, consumes DB space and at times the left over agent could also be a stale entry and the actual computer might be very well reporting with different name or an IP.

    Some organizations perform ‘DLP agent defect tracking’ - stale entries would keep appearing as corrupt clients, etc.

    Renewal of licenses is another part which I feel would be tough to figure out.

    On the other hand, deleting them does not mean that they lose DLP coverage or the ability to connect back to the Endpoint Server & appear in Enforce. Once they are back, they would register back to the Enforce server console (even when deleted).
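The triage the best answer describes (filter agents by last connection, cross-check against AD and antivirus exports, then delete or investigate), as an added example that is not from the original thread or from Symantec. The CSV layouts, column names, the 90-day threshold and all sample rows are constructed assumptions, not a real DLP, AD or antivirus export format.

```python
from datetime import date, timedelta

# Constructed sample exports; the column layout is an assumption, not a real DLP/AD/AV format.
DLP_AGENTS = """hostname,ip,last_connected
WS001,10.0.1.10,2015-10-20
WS002,10.0.1.11,2015-07-01
WS003,10.0.1.12,2015-06-15
WS004,10.0.1.13,2015-05-02
WS004-NEW,10.0.1.13,2015-10-26"""
AD_LOGONS = """hostname,last_logon
WS001,2015-10-26
WS002,2015-10-25
WS004-NEW,2015-10-26"""
AV_CHECKINS = """hostname,last_checkin
WS001,2015-10-26
WS003,2015-10-24"""

def parse_export(text, date_col):
    """Parse a small CSV export into {HOSTNAME: row}, converting the date column."""
    header, *body = [ln.split(",") for ln in text.strip().splitlines()]
    rows = (dict(zip(header, fields)) for fields in body)
    return {r["hostname"].upper(): {**r, date_col: date.fromisoformat(r[date_col])} for r in rows}

def triage(dlp, ad, av, today, stale_days=90):
    """Classify each DLP agent as active, investigate, delete-duplicate or delete."""
    cutoff = today - timedelta(days=stale_days)
    by_ip = {}  # ip -> hostnames, to spot a machine that re-registered under a new name
    for host, row in dlp.items():
        by_ip.setdefault(row["ip"], []).append(host)
    result = {}
    for host, row in dlp.items():
        if row["last_connected"] >= cutoff:
            result[host] = "active"
        elif (host in ad and ad[host]["last_logon"] >= cutoff) or \
             (host in av and av[host]["last_checkin"] >= cutoff):
            # Machine is alive elsewhere but the agent is silent: possible corruption/tampering.
            result[host] = "investigate"
        elif len(by_ip[row["ip"]]) > 1:
            result[host] = "delete-duplicate"  # same IP now reports under another hostname
        else:
            result[host] = "delete"            # not seen anywhere in the window: retired
    return result

def run(today=date(2015, 10, 27)):
    """Run the triage over the constructed exports and return {hostname: verdict}."""
    return triage(parse_export(DLP_AGENTS, "last_connected"),
                  parse_export(AD_LOGONS, "last_logon"),
                  parse_export(AV_CHECKINS, "last_checkin"), today)
```

`run()` returns one verdict per agent; only the "delete" and "delete-duplicate" entries are candidates for removal from the console, while "investigate" entries are live machines whose agent has gone quiet.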