Data Loss Prevention

  • 1.  Endpoint Discover (EDM) and Quarantine response

    Posted Jun 18, 2014 09:39 AM

    Hi all,

    I'm struggling to identify the best way of conducting some local drive scanning that I want to put in place.

    I have a large (circa 20,000 records) spreadsheet of sensitive data I want to match on, with an associated EDM policy. The policy has response actions of "Endpoint Discover: Quarantine File" and a "Network Protect: Quarantine File" assigned, however the Endpoint Discover response action gives the following warning:

    Marked EDM, IDM, and/or DGM rules will not trigger Endpoint Prevent: Block and Endpoint Prevent: Notify response rules. For the policy to exhibit correct behavior, you may either modify the marked detection rule(s) or the marked response rule(s).

    I wish to implement Endpoint scanning based on this policy. I have set up the scan profile to scan the required file types and folders to limit the number of file types sent back to the Endpoint Discover server.

    The scan triggers correctly on the documents, but they are not quarantined. I understand that I cannot use Endpoint Prevent responses against EDM/IDM policies, however why can't I use Endpoint Discover responses? I plan on running the scans outside of regular hours and thus latency isn't really an issue.

    Thanks in advance,

    Nic



  • 2.  RE: Endpoint Discover (EDM) and Quarantine response

    Posted Jun 18, 2014 12:27 PM

    You cannot run any active responses using EDM/IDM on the endpoints. You could probably design a FlexResponse plugin (or a custom lookup script) that would perform the quarantine action for you.
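
    One shape such a custom quarantine script could take, as an added example that is not part of the original thread and does not use Symantec's FlexResponse API; it assumes the matched file paths have been exported from the incident report into a plain-text list, one path per line, and it records a hash and leaves a marker so the move is auditable and reversible:

```python
# Constructed example (not Symantec's FlexResponse API): quarantine the files
# listed in a plain-text report exported from an out-of-hours Discover scan.
import hashlib, shutil, tempfile
from pathlib import Path

MARKER = "Quarantined by a DLP scan. Contact the security team to restore.\n"

def quarantine_file(src: Path, root: Path) -> dict:
    """Move src under root, mirroring its absolute path so it can be restored
    unambiguously; leave a marker in its place; return an audit record."""
    src, root = src.resolve(), root.resolve()
    if root in src.parents:          # never re-quarantine the store itself
        raise ValueError(f"{src} is already in quarantine")
    digest = hashlib.sha256(src.read_bytes()).hexdigest()  # hash before moving
    dest = root / src.relative_to(src.anchor)
    if dest.exists():                # refuse to overwrite an earlier copy
        raise FileExistsError(f"{dest} already exists")
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    src.with_name(src.name + ".quarantined.txt").write_text(MARKER)
    return {"original": str(src), "quarantined_to": str(dest), "sha256": digest}

def quarantine_from_list(list_file: Path, root: Path) -> list:
    """Quarantine each listed path; a path that vanished since the scan is
    recorded as missing rather than aborting the whole run."""
    records = []
    for line in filter(None, map(str.strip, list_file.read_text().splitlines())):
        p = Path(line)
        if p.is_file():
            records.append(quarantine_file(p, root))
        else:
            records.append({"original": str(p), "error": "missing"})
    return records

def verify(rec: dict) -> bool:
    """Post-move check: original gone, marker present, copy held in quarantine."""
    o = Path(rec["original"])
    return (not o.exists() and o.with_name(o.name + ".quarantined.txt").is_file()
            and Path(rec["quarantined_to"]).is_file())

def demo() -> list:
    # Constructed workspace: two matched files plus one path deleted after the scan.
    work = Path(tempfile.mkdtemp())
    (work / "docs").mkdir()
    (work / "docs" / "customers.xlsx").write_bytes(b"constructed sensitive data")
    (work / "notes.txt").write_text("account 12345\n")
    listing = work / "matched.txt"
    listing.write_text("\n".join(str(work / n) for n in
                                 ("docs/customers.xlsx", "notes.txt", "deleted.doc")))
    return quarantine_from_list(listing, work / "quarantine")
```

    The quarantine root should sit on a volume the scanned users cannot read, and the returned records should go to the same log the incident report lands in.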



  • 3.  RE: Endpoint Discover (EDM) and Quarantine response

    Posted Jun 19, 2014 07:42 AM

    Do not create a policy that combines a server-side detection rule with an Endpoint Prevent response rule. For example, do not combine an EDM, IDM, or DGM rule with an Endpoint Block or Endpoint Notify response rule. If a server-side detection rule triggers an Endpoint Prevent response rule, Symantec Data Loss Prevention cannot execute the Endpoint Prevent response rule.

    When creating an endpoint policy that includes a server-side detection rule, combine that detection rule with an agent-side detection rule in one compound rule. This practice helps Symantec Data Loss Prevention perform detection on the endpoint without sending the content to the Endpoint Server. Symantec Data Loss Prevention saves network bandwidth and improves performance by performing detection on the endpoint.

    For example, you can couple an EDM detection rule with a Sender detection rule in one compound rule. In a compound rule, all conditions must be met before Symantec Data Loss Prevention registers a match. Conversely, if one condition is not met, Symantec Data Loss Prevention determines there is no match without having to check the second condition. For example, to register a match the content must meet the first condition AND all other conditions. When you set up the compound rule in this way, the Symantec DLP Agent checks the input content against the agent-side rule first. If there is no match, Symantec Data Loss Prevention does not need to send the content to the Endpoint Server. However, if you create a compound rule that involves a DCM or an EDM policy, the content is still sent to the Endpoint Server.

    Before you combine a server-side detection rule (for example, an EDM, IDM, or DGM rule) with an All: Limit Incident Data Retention response rule that retains original files for endpoint incidents, consider the bandwidth implications of retaining original files. When it sends content to an Endpoint Server for analysis, the Symantec DLP Agent sends either text data or binary data according to detection requirements. Whenever possible, Symantec DLP Agents send text to cut down on bandwidth use. By default, Symantec Data Loss Prevention discards original files for endpoint incidents. If a response rule retains original files for endpoint incidents, Symantec DLP Agents must send binary data to the Endpoint Server. In this case, make sure that your network can handle the increased traffic between Symantec DLP Agents and Endpoint Servers without degrading performance.

    Combine agent-side detection rules (for example, DCM) with an Endpoint Prevent response rule in the same policy. Symantec Data Loss Prevention can execute an Endpoint Prevent response rule only when a Symantec DLP Agent detection rule triggers the response.

    Incompatible detection rules and response rules:

    Do not combine these server-based detection rules with these Endpoint Prevent response rules.

    Server-based detection rule                   Endpoint Prevent response rule
    Content Matches Exact Data (EDM)              Endpoint: Block
    Content Matches Document Signature (IDM)      Endpoint: Notify
    Sender/User Matches Directory (DGM)           Endpoint: User Cancel
    Recipient Matches Directory (DGM)

  • 4.  RE: Endpoint Discover (EDM) and Quarantine response

    Posted Jun 19, 2014 10:31 AM

    Hey,

    So I read all this, but Endpoint Prevent and Endpoint Discover I assumed were different. I'm not looking to conduct live blocking of file access. I want an out-of-hours scan that identifies and quarantines files.

    I get that the detection happens server-side, but I was hoping that this detection could send a list of files back to the endpoint that required quarantining. Given this isn't a Prevent action, it doesn't matter if this whole process takes 5 minutes or 30 minutes per machine.

    But I'm guessing Endpoint Discover still counts as an Endpoint Prevent action?

    Thanks,

    Nic