Data Loss Prevention

  • 1.  Action Response Rule-Prevent and allow

    Posted Jan 30, 2019 04:11 AM

    Hello. I'm new to DLP, but so far I have done the deployment of the whole application by myself.

    I want to know if there is any response rule to activate when a user tries to send a doc to USB and he/she triggers the PCI-DSS policy, for example.

    We as admins are notified, and if we think that the Word doc is OK to be copied, we allow that?

    For example, with Trend Micro we block mail trying to go out of the company based on some rules. If we think it is a false positive, we can allow it.

    Thank You



  • 2.  RE: Action Response Rule-Prevent and allow

    Posted Jan 30, 2019 04:24 AM
    Hi Nando, there should be a relevant discussion for you to read on this below: https://www.symantec.com/connect/forums/usb-monitoring-dlp Thanks!


  • 3.  RE: Action Response Rule-Prevent and allow

    Posted Jan 30, 2019 05:46 AM

    Thank you @CraigEV, but it's not what I was looking for. I was kind of able to find what I was looking for with the User Cancel action, but it is still the user who decides whether to copy the file or not. I want this option to be handled by the admin.



  • 4.  RE: Action Response Rule-Prevent and allow

    Posted Jan 30, 2019 08:38 AM
    It sounds like you’d essentially like a quarantine function, but for DLP Endpoint Agent Response Rules. If that’s the case, the capability only exists over Network Email (using a header that the Email Gateway can read and take the quarantine action on) or Endpoint Desktop Scanning.


  • 5.  RE: Action Response Rule-Prevent and allow

    Posted Jan 31, 2019 03:27 AM

    Yes @Kollkash. In fact, in the Trend Micro solution we have a quarantine function. The mail stays in quarantine until the administrator releases or declines the mail to go out of the company. I was looking at the manual and I found: Configuring the Network Protect: Quarantine File action. I do not know if this is the same for Endpoint.



  • 6.  RE: Action Response Rule-Prevent and allow

    Trusted Advisor
    Posted Jan 31, 2019 09:21 PM

    Nando,

    So for the endpoint copy to "destination X" there is no Quarantine function. It is either allow or block the transfer of that file to the destination.

    When it comes to email, MTAs have a process that allows the email to actually be quarantined to a specific location that is NOT on the host but on the MTA (mail gateway). So doing this on an endpoint is NOT possible.

    The only way this can be done is with a Bypass Key or Term. This is where you can provide a bypass phrase that is given to the user by the Admin after an event has happened. So DLP systems do that, but they are hardcoded keys, so once you give it to the user, they have the bypass key to bypass all policies. This is a problem, as you will need to change the bypass key once you give it out.

    The right approach is to have an event created and, IF the user thinks it's a mistake, to have them call the help desk and then the Admin update the policy to allow their file to go through. This way the policy is updated to not trigger on that file type again, or to make sure the policy is accurate.

    If the user is allowed to transfer that type of data, then make either the user or the machine an exception to the rule, with managerial approval.

    Again, the right process needs to be in place to manage the accuracy of the policy.

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE



  • 7.  RE: Action Response Rule-Prevent and allow
    Best Answer

    Posted Feb 15, 2019 09:45 AM

    Hello. I have configured Symantec Endpoint LOGS (security logs of the agent) to be directed into my SIEM, so I'm able to see what is going on.

    Thank You :)



  • 8.  RE: Action Response Rule-Prevent and allow

    Posted Feb 15, 2019 03:01 PM

    ...how did you do that?