Data Loss Prevention

  • 1.  Issue on IDM detection with two-tier off

    Posted Apr 13, 2015 10:54 AM

    Hello all,

    I've been facing an issue lately that you guys might be able to help.

    I created a policy based on an IDM Indexed profile with 50 documents (mainly PDF with text/images).

    With two-tier ON in the agent config, the DLP is able to detect all data transferred by email/USB/print protocols. If I switch two-tier to OFF, all emails are still being captured on Network & Endpoint, but only 3 out of 50 documents are captured/identified on USB/print. These 3 files are always identified as "matched exactly", while most of the others are of the "100% match" type.

    Obviously, the test was done using the same files that were indexed.

    My questions/doubts are:

    1) What's the difference between "matched exactly" and "matched 100%", taking into consideration that all files were indexed correctly?

    2) Why are only 3 out of 50 documents identified on USB/print protocols with two-tier OFF if they are all indexed?

    3) Why, with two-tier ON, am I not able to get any block (just a normal log on the console), even on those incidents which are blocked with two-tier OFF? Does two-tier ON always send the documents to the Endpoint Server even if the agent can match them exactly?

    4) Why are there incidents which "matched exactly" on Network and are not captured on Endpoint (even as duplicates)? So we lose the possibility to use block/user cancel/notify automated response rules.


    I am trying to avoid the two-tier ON feature due to its high traffic/bandwidth demand (especially in a corporation with over 40K agents).


    Technical details:

    IDM policy created with 10% Minimum Document Exposure and index archiving on the Enforce Server local path

    Enforce Server and Endpoint Server using version 12.5.1 with Network Monitor and Endpoint Prevent

    Agent version: 12.5.0.20035

    We do not own a Network Prevent license
</gml_replace>
<gr_replace lines="44" cat="clarify" orig="Different scenarios">
    Different scenarios tested, but with the same issues:


    Different scenarios tested but with same issues:

    - no use of response rules at all

    - activate just endpoint channel

    - split policy in two, one with Endpoint channel, other with Network

    - different % of minimum document exposure

    - added different profiles using document upload (zip) and local path on Enforce (zip and PDF file types); indexing ran smoothly


    Thanks in advance,

    Morgado



  • 2.  RE: Issue on IDM detection with two-tier off

    Posted Apr 16, 2015 11:56 AM

    Any input would be more than welcome.

    Thank you.



  • 3.  RE: Issue on IDM detection with two-tier off

    Posted Apr 21, 2015 06:29 AM

    Endpoint only matches 100% documents AFAIK.

    Assumptions: 100% and exactly might be the difference between Endpoint and Network. Should be easy to check.



  • 4.  RE: Issue on IDM detection with two-tier off

    Posted Apr 21, 2015 09:40 AM

    Thanks for your message Thomas.

    I am already only considering 100% match or matched exactly on the endpoint. However, the response rules still don't work.

    I would be happy to find someone who actually has an IDM policy working at its fullest, as it should...


    Regarding the difference between exact match and 100%, the indexing method used is also a variable joining this huge party...




  • 5.  RE: Issue on IDM detection with two-tier off

    Trusted Advisor
    Posted Apr 21, 2015 01:48 PM

    Morgado,

    I am assuming you are using 12.5.x?

    2 Tier detection will NOT allow for a block. This is because 2 Tier detection sends the incident data to the Endpoint Server for the FULL analysis. This is where it might be getting the difference between 100% and Exactly Matches.

    Keep in mind that 2 tier detection is where it will send the file up to the Endpoint Server for further analysis; it works the same way for EDMs. If you can, you might want to find a specific word or phrase that is in all of those files (IDM) that is unique enough to have an AND along with the IDM statement to look for the keyword, and if it finds that word it will send it up for 2 tier detection to check against the IDM. This will limit the amount of information sent to the Endpoint Server for 2 tier detection. You should do the same for EDM too. (Look for the SSN pattern and the EDM.)

    So there might be certain cases and specific files (Size or type) that allows it to work ONLY at the endpoint, but for others it needs the 2 Tier Detection.

    Just remember that if the incident happens when 2 tier detection is on and does not work when it is off, it means that the block response will not work, but you will have an incident generated.

    Hope this helps.

    Ronak

    If this answers your question, please mark it as solved.



  • 6.  RE: Issue on IDM detection with two-tier off

    Posted Apr 22, 2015 04:13 AM

    Hello,


    I am using the latest version. Just speaking about two-tier OFF...

    Are you saying that even with exact match or 100% match, if I try to create incidents with the same documents that were indexed, the Endpoint is not able to identify them?? Right now only 6% of these incidents are getting caught... sounds to me like quite a low figure for the same type of documents (PDFs with few pages and written material).

    Below is a quote from the Admin Guide:

    "Enabling agent IDM
    You enable exact match IDM on the endpoint by setting the advanced agent
    configuration parameter Detection.TWO_TIER_IDM_ENABLED.str to OFF. Once
    two-tier detection is OFF, the DLP Agent performs exact file and exact file contents"

    Page 495


    Thank you,




  • 7.  RE: Issue on IDM detection with two-tier off

    Posted Apr 22, 2015 07:12 AM

    Hello Morgado,

    There are 2 'IDM Types' for the Endpoint.

    1. Exact File Contents - The endpoint does exact text-based matching. However, derivative and passage matching is not possible. This means that on the endpoint the matched text must be found exactly as it was when indexed (after we normalise the content to be scanned). So this is a 100% match.

    2. Exact File - The endpoint matches a file based on its binary signature/checksum. This would be for non-text-based files, such as image files or drawings.

    Can you provide information on the file types you are indexing / trying to match on?


    Steve Randall
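As an added illustration (not Symantec's code; the normalisation rule and text extraction are stand-ins I assume for the purpose of the demo), the two endpoint IDM types Steve describes are modelled as a binary checksum lookup ("Exact File") and a normalised-text lookup ("Exact File Contents"), which shows why a re-exported document with identical text still matches, why a partial passage does not, and why an altered image fails the checksum:

```python
import hashlib
import re


def normalise(text: str) -> str:
    """Assumed normalisation: collapse whitespace and case so layout-only
    differences (line breaks, spacing) do not change the fingerprint."""
    return re.sub(r"\s+", " ", text).strip().lower()


def extract_text(data: bytes):
    """Stand-in for real PDF/Office text extraction: UTF-8 decodes as text,
    anything else (images, drawings) is treated as binary with no text."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def build_index(docs):
    """docs: {name: bytes}. Returns (exact_file, exact_contents) lookup tables
    keyed by SHA-256 of the raw bytes and of the normalised text."""
    exact_file, exact_contents = {}, {}
    for name, data in docs.items():
        exact_file[hashlib.sha256(data).hexdigest()] = name
        text = extract_text(data)
        if text is not None:
            key = hashlib.sha256(normalise(text).encode()).hexdigest()
            exact_contents[key] = name
    return exact_file, exact_contents


def match(data: bytes, index):
    """Endpoint-style check: binary signature first, then whole normalised
    text. No passage/derivative matching: a fragment never matches."""
    exact_file, exact_contents = index
    raw_key = hashlib.sha256(data).hexdigest()
    if raw_key in exact_file:
        return ("Exact File", exact_file[raw_key])
    text = extract_text(data)
    if text is not None:
        key = hashlib.sha256(normalise(text).encode()).hexdigest()
        if key in exact_contents:
            return ("Exact File Contents", exact_contents[key])
    return None


# Constructed sample corpus standing in for the indexed profile.
INDEXED = {
    "report.txt": b"Quarterly results\nRevenue up 12%\nHeadcount flat",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x01\x02",
}
INDEX = build_index(INDEXED)
```

Running `match()` against a whitespace-reflowed copy of report.txt returns "Exact File Contents", while a single line of it or a one-byte change to logo.png returns None.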



  • 8.  RE: Issue on IDM detection with two-tier off

    Posted Apr 22, 2015 09:41 AM

    Hello Steve,


    The file types are mainly PDFs (some created in Office 2010 using the export/save-as feature and others with Acrobat Pro). Though it seems not to be relevant, since I can't get any console logs/response rules working from a wide range of the documents indexed...

    As I mentioned above, the documents I am using for the test are the same ones that were indexed.

    From the last batch of documents tested, only 2 out of 50 documents managed to create a log/block. A lower number of documents does not react at all.


    Thanks,