Data Loss Prevention

  • 1.  Email DLP - Incident reconciliation.

    Posted Sep 12, 2016 10:31 PM

    Hello all,

    I had a query regarding Email DLP. I have Endpoint Prevent and Network Prevent for Email configured in my environment. The endpoint agent monitors emails via Outlook and OWA, which is working fine. Once Network Prevent for Email is configured completely, will the mails be monitored twice, once by the endpoint and then by the Network Prevent server? And will it trigger duplicate incidents?

    I saw something regarding incident reconciliation in the Cloud Prevent for Email guide; however, the steps are specific to a Linux server. Are there any steps for a Windows server?



  • 2.  RE: Email DLP - Incident reconciliation.
    Best Answer

    Trusted Advisor
    Posted Sep 13, 2016 02:14 AM

    hello,

    Reconciliation works for both Linux and Windows, but usually it is used for the same detection channel, to take into account that one copy of the email is sent to all recipients: if your system is plugged in after this operation (done by a mail gateway), you will screen the same email content several times and may raise many incidents for the same original message.

    I don't think it will work in your case.

    If it does not work, you have different possibilities:

    - Remove email monitoring in the DLP agent configuration

    - Define different policies for Endpoint and Mail Prevent

    - Add some exceptions in policies (mainly Prevent ones, as they are executed on the server side) to avoid some overhead

    Each solution has some pros and cons depending on your DLP solution setup and the risk you cover with it.

    Regards.
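
The duplicate-incident mechanism described in the reply, as an added worked example (not Symantec's code, and not the product's actual reconciliation logic): a mail gateway fans one message out into one copy per recipient, a detection server placed after the gateway raises one incident per copy, and keying incidents on Message-ID plus policy collapses them back to one. The message, the card-number rule and the function names are all constructed for the example.

```python
import re

# Toy content rule standing in for a DLP policy: a 16-digit card-like number.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")

# Constructed sample message: one outbound mail, three recipients.
# Every value here is made up for the example.
ORIGINAL = {
    "message_id": "<20160913.example@corp.example>",
    "sender": "alice@corp.example",
    "recipients": ["bob@partner.example", "carol@partner.example", "dave@other.example"],
    "body": "Falcon budget attached. Corporate card 4111 1111 1111 1111 for the deposit.",
}


def gateway_fanout(msg):
    """Model a mail gateway that delivers one copy per recipient.
    A detection server plugged in after this step sees len(recipients) copies
    of the same content, each carrying the same Message-ID."""
    return [dict(msg, recipients=[r]) for r in msg["recipients"]]


def detect(copy, policy="card-number"):
    """Toy detection: one incident per scanned copy that matches the rule, else None."""
    if CARD_RE.search(copy["body"]):
        return {
            "policy": policy,
            "message_id": copy["message_id"],
            "sender": copy["sender"],
            "recipients": list(copy["recipients"]),
        }
    return None


def scan(copies):
    """Incidents as a server without reconciliation would record them."""
    return [inc for inc in map(detect, copies) if inc]


def reconcile(incidents):
    """Merge incidents that share Message-ID and policy into one incident
    listing every recipient. This models the effect the reply describes; the
    key choice is an assumption, not the product's implementation."""
    merged = {}
    for inc in incidents:
        key = (inc["message_id"], inc["policy"])
        if key in merged:
            merged[key]["recipients"].extend(inc["recipients"])
        else:
            merged[key] = dict(inc, recipients=list(inc["recipients"]))
    return list(merged.values())


if __name__ == "__main__":
    raw = scan(gateway_fanout(ORIGINAL))
    print(len(raw), "incidents before reconciliation")   # one per recipient copy
    print(len(reconcile(raw)), "after reconciliation")    # one per original message
```

Scanning the single original message before the gateway gives one incident either way; scanning the three gateway copies gives three without reconciliation and one with it. The cross-channel case in the question (endpoint agent plus network server) is different: the endpoint incident is raised from the client before any gateway copy exists, which is why the reply does not expect this merge to help there.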



  • 3.  RE: Email DLP - Incident reconciliation.

    Posted Sep 13, 2016 10:26 PM

    I had this option in mind as well:

    - Remove email monitoring in the DLP agent configuration

    I think that's the one I will go with. Currently I'm stuck with establishing a mail flow from Office 365 -> Network Prevent for Email -> Symantec security.cloud.

    I see the messages reaching Network Prevent from Office 365; however, they are getting refused at MessageLabs.

    Below are the logs:


    13/Sep/16:04:32:43:024-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=cluster4out.us.messagelabs.com reason=Connection refused: no further information)
    13/Sep/16:04:32:45:728-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=cluster4.us.messagelabs.com reason=Connection refused: no further information)
    13/Sep/16:04:32:48:368-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=cluster4a.us.messagelabs.com reason=Connection refused: no further information)
    13/Sep/16:04:32:50:103-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=216.82.242.179 reason=Connection refused: no further information)
    13/Sep/16:04:32:51:696-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=216.82.251.230 reason=Connection refused: no further information)
    13/Sep/16:04:32:51:696-0700 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 local=32.60.55.198:10025 remote=198.199.98.246:40385 messages=0 time=11.41s)
    13/Sep/16:04:37:18:229-0700 [INFO] (SMTP_CORE.1101) SMTP Prevent is shutting down
    13/Sep/16:19:37:26:104+0800 [INFO] (SMTP_CONNECTION.1200) Listening for incoming connections (local=0.0.0.0:10025)
    13/Sep/16:19:37:26:417+0800 [INFO] (SMTP_CORE.1100) Starting SMTP Prevent
    14/Sep/16:09:36:06:575+0800 [INFO] (SMTP_CORE.1101) SMTP Prevent is shutting down
    14/Sep/16:09:36:14:106+0800 [INFO] (SMTP_CONNECTION.1200) Listening for incoming connections (local=0.0.0.0:10025)
    14/Sep/16:09:36:14:200+0800 [INFO] (SMTP_CORE.1100) Starting SMTP Prevent
    14/Sep/16:09:37:37:638+0800 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=26 cid=f08c18c3-3a67-4112-824a-bca956559a2e local=32.60.55.198:10025 remote=88.198.46.51:60634)
    14/Sep/16:09:37:37:856+0800 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=26 cid=3579fcc4-e72e-4c19-91e4-df10bf4d96e0 local=32.60.55.198:6190 remote=216.82.242.179:25)
    14/Sep/16:09:37:38:200+0800 [INFO] (SMTP_CONNECTION.1204) Forward connection closed (tid=26 cid=3579fcc4-e72e-4c19-91e4-df10bf4d96e0 local=32.60.55.198:6190 remote=216.82.242.179:25)
    14/Sep/16:09:37:38:200+0800 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=26 cid=f08c18c3-3a67-4112-824a-bca956559a2e local=32.60.55.198:10025 remote=88.198.46.51:60634 messages=0 time=0.56s)
    14/Sep/16:09:37:38:200+0800 [SEVERE] (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=26 cid=f08c18c3-3a67-4112-824a-bca956559a2e local=<> remote=<> reason=End of stream)
    14/Sep/16:10:15:59:965+0800 [INFO] (SMTP_CORE.1101) SMTP Prevent is shutting down
    14/Sep/16:10:16:06:794+0800 [INFO] (SMTP_CONNECTION.1200) Listening for incoming connections (local=0.0.0.0:10025)
    14/Sep/16:10:16:07:012+0800 [INFO] (SMTP_CORE.1100) Starting SMTP Prevent
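
An added parsing example for the log excerpt above (my code, not Symantec's): a small Python reader for the SMTP Prevent connection log that groups forward-connection errors by connection id, lists the next-hop MTAs that refused the connection, and flags inbound sessions that closed with messages=0 or were dropped by the peer. The sample lines are copied from the post; the key=value field names are the log's own, while the function names and the summary categories in diagnose() are mine.

```python
import re
from collections import defaultdict

# Sample lines copied from the SMTP Prevent log excerpt in the post above.
SAMPLE_LOG = """\
13/Sep/16:04:32:43:024-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=cluster4out.us.messagelabs.com reason=Connection refused: no further information)
13/Sep/16:04:32:45:728-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=cluster4.us.messagelabs.com reason=Connection refused: no further information)
13/Sep/16:04:32:48:368-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=cluster4a.us.messagelabs.com reason=Connection refused: no further information)
13/Sep/16:04:32:50:103-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=216.82.242.179 reason=Connection refused: no further information)
13/Sep/16:04:32:51:696-0700 [SEVERE] (SMTP_CONNECTION.5203) Forward connection error (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 mta=216.82.251.230 reason=Connection refused: no further information)
13/Sep/16:04:32:51:696-0700 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=2d cid=c343a2d2-f696-4955-a9b6-9a8436bd5503 local=32.60.55.198:10025 remote=198.199.98.246:40385 messages=0 time=11.41s)
14/Sep/16:09:37:37:638+0800 [INFO] (SMTP_CONNECTION.1201) Connection accepted (tid=26 cid=f08c18c3-3a67-4112-824a-bca956559a2e local=32.60.55.198:10025 remote=88.198.46.51:60634)
14/Sep/16:09:37:37:856+0800 [INFO] (SMTP_CONNECTION.1203) Forward connection established (tid=26 cid=3579fcc4-e72e-4c19-91e4-df10bf4d96e0 local=32.60.55.198:6190 remote=216.82.242.179:25)
14/Sep/16:09:37:38:200+0800 [INFO] (SMTP_CONNECTION.1204) Forward connection closed (tid=26 cid=3579fcc4-e72e-4c19-91e4-df10bf4d96e0 local=32.60.55.198:6190 remote=216.82.242.179:25)
14/Sep/16:09:37:38:200+0800 [INFO] (SMTP_CONNECTION.1205) Service connection closed (tid=26 cid=f08c18c3-3a67-4112-824a-bca956559a2e local=32.60.55.198:10025 remote=88.198.46.51:60634 messages=0 time=0.56s)
14/Sep/16:09:37:38:200+0800 [SEVERE] (SMTP_CONNECTION.5204) Peer disconnected unexpectedly (tid=26 cid=f08c18c3-3a67-4112-824a-bca956559a2e local=<> remote=<> reason=End of stream)
"""

# timestamp [LEVEL] (COMPONENT.code) message (key=value ...)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] \((?P<code>[A-Z_]+\.\d+)\) "
    r"(?P<msg>.*?)(?: \((?P<kv>.*)\))?$"
)
# A value runs until the next " key=" so reasons containing spaces survive intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_line(line):
    """One log line -> dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "level", "code", "msg")}
    rec["fields"] = dict(KV_RE.findall(m.group("kv") or ""))
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def forward_failures(records):
    """cid -> [(mta, reason), ...] for every failed forward attempt (event 5203)."""
    out = defaultdict(list)
    for r in records:
        if r["code"] == "SMTP_CONNECTION.5203":
            out[r["fields"]["cid"]].append((r["fields"]["mta"], r["fields"]["reason"]))
    return dict(out)


def zero_message_sessions(records):
    """cids of inbound sessions that closed (event 1205) without relaying a message."""
    return [r["fields"]["cid"] for r in records
            if r["code"] == "SMTP_CONNECTION.1205" and r["fields"].get("messages") == "0"]


def abrupt_disconnects(records):
    """cids where the upstream peer dropped the session (event 5204)."""
    return [r["fields"]["cid"] for r in records if r["code"] == "SMTP_CONNECTION.5204"]


def diagnose(text):
    """Summary a mail admin can act on: which next hops refused, which sessions delivered nothing."""
    recs = parse_log(text)
    failures = forward_failures(recs)
    return {
        "refused_next_hops": sorted({mta for attempts in failures.values() for mta, _ in attempts}),
        "sessions_with_all_forwards_refused": sorted(
            cid for cid, attempts in failures.items()
            if all(reason.startswith("Connection refused") for _, reason in attempts)),
        "sessions_without_delivery": zero_message_sessions(recs),
        "abrupt_disconnects": abrupt_disconnects(recs),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the summary reads the way the post describes it: on 13 Sep all five configured next hops (three MessageLabs hostnames and two IPs) answered "Connection refused" on port 25 and the inbound session closed with messages=0; on 14 Sep a forward session to 216.82.242.179:25 was established and closed within half a second, and the sender dropped the inbound session with "End of stream". A refusal from every next hop at the TCP level, before any SMTP dialogue, is a network-path or acceptance problem between the Prevent server and the cloud MTAs rather than a policy problem, so that is the layer to check first.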