Data Loss Prevention

  • 1.  USB monitoring by DLP

    Posted Jun 15, 2017 11:18 AM

    Is it possible for DLP to monitor all files that are copied, especially to USB, irrespective of the policies? I am assuming that DLP detects as per policy.



  • 2.  RE: USB monitoring by DLP

    Posted Jun 15, 2017 01:05 PM

    Though by design and best practice this should ideally be accomplished via an Application & Device Control solution, technically DLP can do that.

    You could follow the below steps to accomplish it:

    (1) Create a Policy & Leave the Groups & Response Tab Blank (No Rules)
    (2) In the Detection Tab - Add Rule - Add rule for "Protocol or Endpoint Monitoring" and Check only "Removable Storage"

    Do not add any more conditions to this Policy and Save

    This should set this policy to log events for all data transferred to USB Drive.

    Test it on a subset of users first, as this would generate a lot of events in the Database. Additionally the overall chain of Agent -to- Endpoint Servers -to- Enforce -to- Oracle could get pretty busy & heavy. Though this is a pretty common use case for DLP these days, it's still better to proceed with caution (from the sizing/performance perspective).



  • 3.  RE: USB monitoring by DLP

    Trusted Advisor
    Posted Jun 15, 2017 02:55 PM

    Ravi,

    The question is what are you looking for? Overall there needs to be a real reason for this.

    You can do what is mentioned above, but it will not show you the contents of the file as being matched, just that it was a transfer to the USB device. This is a catch-all, but you will probably spend more time 'looking' through the events and NOT find anything or give up because of the 'noise'.

    If you do a catch-all, then make sure to also TRY and use the exclusion list of file types when possible (MP4, MP3, WAV, exe, dll, etc.).

    Also keep in mind that by default the system will not retain the file for an Endpoint Event. So if you do only look for the USB protocol you will also need to have a response rule to 'Limit the Data Retention' to keep the files for endpoint.

    Good luck

    Ronak



  • 4.  RE: USB monitoring by DLP

    Posted Jun 16, 2017 06:10 PM

    Hello,

    You can perform the operation as explained above, but additionally I consider that you must be more specific in the detection: what do you want to search for or detect? Because if you apply it by the protocol Removable Storage, you will generate enough unnecessary incidents.
    Good luck.



  • 5.  RE: USB monitoring by DLP

    Posted Jun 19, 2017 04:44 PM

    Great. Then we need to have a separate policy for USB monitoring only, correct?



  • 6.  RE: USB monitoring by DLP

    Posted Jun 21, 2017 11:28 AM

    Can we block the USB usage from DLP with the policy mentioned above?



  • 7.  RE: USB monitoring by DLP
    Best Answer

    Posted Jun 21, 2017 05:12 PM

    Hello RaviChand:


    If you can make a policy as you mentioned before, and if you have already analyzed it, it is very basic:
    Name of policy: USB
    Policy Group: (XXX)
    Detection:
    Protocol is Removable Storage
    Groups: N / A
    Response:
    Endpoint Prevent: Block
    Conditions of response rule:
    Protocol: Endpoint Removable Storage Device
    Incident type: Endpoint
    Endpoint Notification Content:

    It should be under your consideration whether to notify the user why it has been blocked, or simply not enable the "Display Alert Box with this message" and "Allow user to choose explanation" options.

    Only, if it is a big organization, it is going to generate a lot of incidents and take up resources in your DB. I recommend being more specific in your detection for better results.

    Regards,