Data Loss Prevention

  • 1.  Endpoint - detect copying to non-company file share

    Posted Mar 10, 2011 09:29 AM

    We are trying to configure the endpoint agent (or an endpoint policy) to behave this way:

    - If the endpoint is copying a file to a company network share, ignore the event, do not log an incident. (For example, do not count this as a violation of copying confidential documents.) We "want" people to use company network file servers.

    - If the endpoint is copying a file to a non-company network share, log the event. In other words, if the client takes a laptop and connects it to a home network, we want to know if the confidential documents have been copied to a file share on the client's home computer network.

    We have tried this combination of exceptions:

    "exclude copy to network share (protocol)" AND "exclude copy to network share: (Endpoint location is on the corporate network)"

    Your suggestions?



  • 2.  RE: Endpoint - detect copying to non-company file share

    Posted Mar 10, 2011 10:30 AM

    I would think that if you did an exception as follows:

    Endpoint Location is On the Corporate Network

    - AND -

    Protocol/Endpoint Destination is Network File Share

    ...that you'd be ignoring all copies to network file shares when the user is on the corporate network, and inspecting all copies to network file shares when the endpoint was in a disconnected state. It's a little unclear how you set up your exception based on how you stated it in your post... maybe a screen shot would help clarify.

    ~Keith



  • 3.  RE: Endpoint - detect copying to non-company file share

    Posted Mar 10, 2011 11:17 AM

    Well, you could do it one of two ways...

    The first is that you create the policy and have the exception like you have (which I figured would work but apparently doesn't).

    The second, which would cut out unnecessary processing, would be:

    Endpoint is off the network

    AND

    Protocol is Network File Share

    Could you test that and tell us how it behaves?



  • 4.  RE: Endpoint - detect copying to non-company file share

    Posted Mar 29, 2011 08:53 PM

    But if the endpoint is using a split tunnel VPN, then they would have access to two networks effectively, so the "Endpoint is off network" rule wouldn't be helpful.



  • 5.  RE: Endpoint - detect copying to non-company file share

    Posted Mar 30, 2011 08:24 AM

    Thanks for your suggestions. I will try to remember to post an update, once this particular issue gets back to our priority list. :-(



  • 6.  RE: Endpoint - detect copying to non-company file share

    Posted Mar 30, 2011 09:27 AM

    Remember you can define "off the network" as one of two things in Enforce.

    1. You can base it off communication to the Enforce server

    2. You can base it off a particular subnet

    If the user is on a split tunnel VPN then I'd assume that there is a specific pool of IP addresses for them to use. Once that is identified then you can just plug it in and you'll be good to go =]
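
The rule logic discussed in this thread, as an added example that is not part of any post and is not the product's own implementation: it models the "on the corporate network AND network file share" exception with subnet-based location, and shows how the split-tunnel case changes depending on whether the VPN pool is listed as a corporate range. The subnets, host addresses, function names and the "any interface address in a corporate range" location test are all assumptions made for illustration.

```python
import ipaddress

def on_corporate_network(interface_ips, corporate_ranges):
    """Assumed model: the endpoint is 'on the corporate network' if any
    of its interface addresses falls inside a configured corporate range."""
    nets = [ipaddress.ip_network(r) for r in corporate_ranges]
    return any(ipaddress.ip_address(ip) in net
               for ip in interface_ips for net in nets)

def logs_incident(protocol, interface_ips, corporate_ranges):
    """Detection: confidential file copied to a network file share.
    Exception: location is on the corporate network AND the protocol is
    network file share (both conditions must hold to suppress)."""
    if protocol != "network_file_share":
        return False  # this rule only covers copies to file shares
    return not on_corporate_network(interface_ips, corporate_ranges)

# Constructed sample data (private ranges chosen for the example).
OFFICE_LAN = "10.20.0.0/16"
VPN_POOL = "10.99.0.0/24"
ENDPOINTS = {
    "office_pc": ["10.20.4.17"],
    "home_laptop": ["192.168.1.23"],
    # Split tunnel: home NIC and VPN adapter are both active.
    "split_tunnel_laptop": ["192.168.1.23", "10.99.0.41"],
}

def evaluate(corporate_ranges):
    """Return, per sample endpoint, whether a share copy logs an incident."""
    return {name: logs_incident("network_file_share", ips, corporate_ranges)
            for name, ips in ENDPOINTS.items()}

if __name__ == "__main__":
    # VPN pool treated as corporate: split-tunnel copies are suppressed.
    print(evaluate([OFFICE_LAN, VPN_POOL]))
    # VPN pool left out: split-tunnel copies are inspected.
    print(evaluate([OFFICE_LAN]))
```

In this model the rule never looks at the destination share, so leaving the VPN pool out of the corporate ranges also logs copies that a VPN user makes to company file servers.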