Data Loss Prevention


  • 1.  Data Loss Prevention inspecting encrypted content

    Posted Jul 07, 2020 07:46 PM
    Hello,

    I would like to understand what features Data Loss Prevention has for inspecting encrypted content. Can it inspect encrypted emails? Or can it only detect encrypted file formats, but not actually inspect the content of those files?

    Can you provide some clarity on what DLP can and cannot do with encrypted content.


  • 2.  RE: Data Loss Prevention inspecting encrypted content

    Broadcom Employee
    Posted Jul 09, 2020 12:41 PM
    Hi, I've seen some good community discussions on the subject of Network Prevent for Web and Email and the ability to detect encrypted attachments. To briefly summarize some of those discussions, DLP can detect encrypted attachments but they cannot be decrypted through DLP. This would be true for any DLP solution on the market since these solutions don't hold the necessary keys for decryption. Network Prevent for Web integrates into web proxies to be able to inspect http/https traffic.

    If you are looking at DLP Endpoint Prevent, the DLP Endpoint Agent has a plugin for Outlook where it will inspect SMTP messages before they are encrypted.  See this KB article.

    Here are a couple more links to aid you in your research:




  • 3.  RE: Data Loss Prevention inspecting encrypted content

    Posted Jul 09, 2020 06:56 PM
    Thank you. As you mention, Network Prevent for Web would integrate with something like ProxySG that can perform SSL decryption/interception and hand off the connection to Prevent for Web through ICAP? It would then see the unencrypted payload. Have you seen Network Prevent for Email have a similar type of setup, where there is an in-line device performing SSL decryption for Prevent for Email?


  • 4.  RE: Data Loss Prevention inspecting encrypted content

    Broadcom Employee
    Posted Jul 13, 2020 05:37 PM
    No, if emails have already been encrypted on the client I'm not aware of any in-line integrations that would decrypt them for Network Prevent for Email to analyze.  DLP can create incidents for outbound emails that are encrypted, but without any ability to decrypt them.  If it were possible to read the email prior to the encryption process, for example if the DLP detection server was placed between the MTA and email encryption gateway, then DLP could detect on the email contents before they were encrypted. Another thought is if you know what applications are used on the endpoint to encrypt the messages, you could leverage DLP Endpoint Prevent to enforce your policies and potentially block that application.
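As an added example, not code from the thread or from the DLP product it discusses, this toy mail inspector shows the point made in posts 2 and 4: an encrypted MIME container can be flagged and raised as an incident, but its content cannot be matched against a rule, so the same record is only caught when the sensor sees the message before encryption. The sample messages and the SSN-style rule are constructed.

```python
# Added example, not code from the thread or from the DLP product it discusses:
# a toy mail inspector showing what a network DLP sensor can and cannot do with
# encrypted mail. Encrypted MIME parts are only flagged (no key, no decryption);
# plaintext parts are matched against a constructed sample rule.
import re
from email import message_from_string

SSN_RULE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # constructed sample policy rule


def _scan(part, result):
    ctype = part.get_content_type()
    # OpenPGP (RFC 3156) and S/MIME enveloped (RFC 8551) containers are opaque to us
    if ctype == "multipart/encrypted" or (
        ctype == "application/pkcs7-mime"
        and part.get_param("smime-type") != "signed-data"):
        result["encrypted_parts"].append(ctype)
        return
    if part.is_multipart():
        for sub in part.get_payload():
            _scan(sub, result)
    elif ctype.startswith("text/"):
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        result["matches"].extend(SSN_RULE.findall(text))


def inspect(raw_message):
    """Walk one RFC 5322 message; report rule hits and uninspectable parts."""
    result = {"matches": [], "encrypted_parts": []}
    _scan(message_from_string(raw_message), result)
    return result


def verdict(raw_message):
    r = inspect(raw_message)
    if r["matches"]:
        return "incident: policy match"
    if r["encrypted_parts"]:
        return "incident: encrypted content, not inspectable"
    return "clean"


# Constructed sample messages: the same record, sent in clear and PGP-encrypted.
PLAINTEXT_MAIL = (
    'Content-Type: text/plain; charset="utf-8"\n\n'
    "Customer SSN 123-45-6789 attached.\n")
PGP_MAIL = (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b1"\n\n--b1\nContent-Type: application/pgp-encrypted\n\n'
    "Version: 1\n--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(opaque ciphertext placeholder)\n"
    "-----END PGP MESSAGE-----\n--b1--\n")
```

Running `verdict` on both samples gives a policy-match incident for the clear message and an "encrypted content, not inspectable" incident for the PGP one, which is the most a sensor placed after the encryption step can report.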


  • 5.  RE: Data Loss Prevention inspecting encrypted content

    Posted Jul 13, 2020 06:48 PM
    It looks like there is an integration piece between AIP and DLP which leverages Azure RMS. This does provide the detection server some ability to view encrypted files. Have you implemented this previously, or do you know about it?

    https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/AIP_Insight_for_DLP_Guide.pdf


  • 6.  RE: Data Loss Prevention inspecting encrypted content

    Broadcom Employee
    Posted Jul 15, 2020 06:51 PM
    Good find on AIP Insight for DLP. I see that similar details are also posted in the DLP Help Center. I have not personally implemented this integration yet, but from the online documentation I see that if you are already a user of Azure RMS, you can deploy AIP Insight so that your DLP detection server has the access credentials needed to detect sensitive information in RMS-encrypted files and email messages. In your organization, do you already have an encryption infrastructure set up that you are trying to integrate DLP into, or are you exploring potential ideas with capabilities such as this Azure and AIP Insight solution?