Data Loss Prevention

  • 1.  Web Prevent Incidents are not getting triggered or monitored

    Posted Mar 29, 2018 05:07 AM

    Hi All

    We have to create a policy for all detection servers (Email Prevent, Web Prevent, Endpoint). Therefore we created a policy group for all the detection servers.

    Policy:

    Detection - Keywords OR IDM documents

    Groups - User group as per AD integration

    Response Rule - Email (Quarantine); Web (Monitor); Endpoint (Monitor)

    Issue: we are receiving incidents for both Email and Endpoint, especially for endpoint (HTTP/S) traffic as well.

    But we are not getting incidents at the network Web Prevent level (HTTP/HTTPS).

    Can anyone help? This is a big issue and we couldn't find the solution.

    Regards,

    Juilee



  • 2.  RE: Web Prevent Incidents are not getting triggered or monitored

    Trusted Advisor
    Posted Mar 29, 2018 07:55 PM

    Juilee,

    Make sure to configure the Web Prevent server and change the minimum file size for inspection to 100K or less. This way you know it will capture small files. 

    Next, make sure that Web Prevent is talking to the Proxy and the ICAP setting is working properly. You should be able to log on to the Proxy and test whether it can talk to the DLP Web Prevent server.

    When testing this from a browser, make sure that the browser is configured to go through the proxy.

    I would also remove the AD group settings so you are testing just for a Keyword.

    Also use dlptest.com to test some basic functionality.

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE



  • 3.  RE: Web Prevent Incidents are not getting triggered or monitored

    Posted Apr 04, 2018 07:47 AM

    Hello,

    We already have one blanket policy in the environment, and we were getting HTTPS incidents with huge files as well.

    Now, when we create a user group policy, adding the group as a detection parameter, we aren't getting any incidents for HTTP/S traffic.

    We did the testing on DLPTEST.COM; there as well, we are seeing incidents only for the blanket policy and not for the user group policy specific to the business.

    Request for help...

    Regards,

    Juilee



  • 4.  RE: Web Prevent Incidents are not getting triggered or monitored

    Trusted Advisor
    Posted Apr 04, 2018 11:24 AM

    Juilee,

    Ahh...

    The issue is going to be with the Proxy. When it comes to Web Prevent, you will need to make sure that the proxy also requires Authentication so that it can get the username that is generating the Web Prevent traffic.

    What Proxy are you using, and have you turned on Authentication on the proxy end? This means that a user will need to provide a username and password to the proxy to even get by it.

    You should see a username in the Web Prevent Incidents.

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE



  • 5.  RE: Web Prevent Incidents are not getting triggered or monitored

    Posted Apr 20, 2018 06:18 AM

    Hello Ronak,

    Thank you for the response.

    The Proxy used here is Websense Proxy.

    Can you tell me what exactly to check at the proxy level to verify this at the Websense end?

     

    Regards,

    Juilee



  • 6.  RE: Web Prevent Incidents are not getting triggered or monitored

    Trusted Advisor
    Posted Apr 20, 2018 04:48 PM

    Juilee,

    I am not a Websense guru, so you will need to ask them.

    When creating ANY Web Prevent event, does DLP have the username in the incident?

    If you do not see a username like (WINNT:\\something\username) or something like that, it means that the proxy does NOT require user authentication, which means the Proxy is not providing any information on WHO created the Web Event.

    All you see is an IP address.

    If there is NO username in the Web Prevent events, that means there is no way to match based on an AD user; hence the policy will not work.

    Overall, you will need to configure the Proxy to require the user to authenticate in order to get access to the outside world.

    I did a quick search for User Authentication:

    https://www.websense.com/content/support/library/web/hosted/getting_started/enduser_auth.aspx

    https://www.websense.com/content/support/library/web/v80/triton_web_help/user_id_explain.aspx

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE



  • 7.  RE: Web Prevent Incidents are not getting triggered or monitored

    Posted May 02, 2018 06:32 AM

    Hello,

    I checked with Symantec support; they are saying that DGM doesn't work with Web Prevent.

    That means if you apply a policy based on content for a certain user group (integrated with AD), then you will not get incidents based on that group.

    Is that how DGM works?

    Regards,

    Juilee



  • 8.  RE: Web Prevent Incidents are not getting triggered or monitored

    Posted May 02, 2018 11:43 AM

    Hi Juilee,

    I do know that the issue one might see is that the authenticated user information presented to DLP in ICAP (akin to what Ronak provided: WINNT:\\something\username) must match exactly the information within the AD import for the directory group, which likely only contains the username. Thus, you might have one option: ask Websense if the presented authenticated username can be stripped down to just the username within the authenticated user field in ICAP. Then, when DLP compares that info with the info in the Directory Group, you're more likely to get a match.

    Did Symantec support provide you with any documentation in the Admin Guide, Release Notes, or elsewhere that notes DGM not working with Web Prevent? If not, do they have an "issue ID" for the Known Issue?

    Hope this helps :)
    Nick



  • 9.  RE: Web Prevent Incidents are not getting triggered or monitored

    Trusted Advisor
    Posted May 02, 2018 04:04 PM

    Juilee,

     

    If DGM does not work, I would at least try to use Sender-based matching on just a username. You can try to list the usernames and see if it does a partial match to the username that Websense provides.

    It might work, not sure.

    Another option would be to see if you can use an EDM match as well. You can then have a process to update the EDM on a regular basis and have another LDP.exe (LDAP query, etc.) process to output the information on an AD group into a file that is used to update the EDM.

    You may need to append the EDM file to include the Winnt:\\... as part of the username.

     

    Again, the requirement is to make sure that Websense has authentication turned on and that it shows the username in the event window.

     

    Good Luck,

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE
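
As an added illustration of the two points above, Nick's exact-match mismatch between the ICAP authenticated-user string and a bare-username directory group (post 8) and Ronak's prefixed EDM rows (post 9), here is example code written for this page; it is not from the thread or from Symantec DLP. Only the WINNT:\\domain\username shape comes from the thread; the other user-string shapes, the account names and the CORP domain are assumed.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample: authenticated-user strings a proxy might hand to DLP in the
# ICAP request. The WINNT:\\domain\user shape is the one quoted in the thread;
# the domain, account names and the other shapes are made up for illustration.
ICAP_USERS = [
    r"WINNT:\\CORP\jdoe",     # Windows-domain form quoted in the thread
    r"CORP\asmith",           # down-level logon name, no WINNT: prefix
    "bwong@corp.example",     # UPN form
    "dlee",                   # bare account name
]

# Constructed sample: a synchronized directory-group import that carries only
# the bare account name, which is the mismatch post 8 describes.
DIRECTORY_GROUP: Set[str] = {"jdoe", "asmith", "bwong", "dlee"}

# Optional "WINNT:" prefix, any run of backslashes, optional "domain\", then the
# account name, then an optional "@realm" suffix.
_USER_RE = re.compile(
    r"^(?:WINNT:)?\\*(?:[^\\@]+\\)?(?P<user>[^\\@]+)(?:@[^\\]*)?$", re.IGNORECASE
)

def extract_username(icap_user: str) -> Optional[str]:
    """Reduce a proxy-presented user string to the bare, lower-cased account name."""
    m = _USER_RE.match(icap_user.strip())
    return m.group("user").lower() if m else None

def exact_match(icap_user: str, group: Set[str]) -> bool:
    """The literal comparison that fails whenever the proxy adds a domain prefix."""
    return icap_user in group

def normalized_match(icap_user: str, group: Set[str]) -> bool:
    """Comparison after stripping prefix/suffix, as post 8 suggests asking the proxy to do."""
    user = extract_username(icap_user)
    return user is not None and user in {g.lower() for g in group}

def match_report(users=ICAP_USERS, group=DIRECTORY_GROUP) -> Dict[str, Tuple[bool, bool]]:
    """For each presented string: (exact match result, normalized match result)."""
    return {u: (exact_match(u, group), normalized_match(u, group)) for u in users}

def edm_row(username: str, domain: str) -> str:
    """Build the prefixed form post 9 proposes for an EDM file so that it matches
    the proxy's string literally (the domain value is a placeholder)."""
    return f"WINNT:\\\\{domain}\\{username}"

if __name__ == "__main__":
    for user, (exact, normalized) in match_report().items():
        print(f"{user:<25} exact={exact!s:<5} normalized={normalized}")
```

Running it shows that only the bare "dlee" string matches literally, while every shape matches once normalized; the EDM row round-trips through the same normalizer.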



  • 10.  RE: Web Prevent Incidents are not getting triggered or monitored

    Posted Jun 22, 2018 06:40 AM

    Hello Juilee,

    Synchronized DGM (that is, AD group) does not work with Web Prevent, since we are expecting the username in a different format, as mentioned in the Admin Guide; however, you can use profiled DGM with Web Prevent. Please refer to the Admin Guide.