EMEA Data Loss Prevention User Group

 View Only
  • 1.  DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access

    Broadcom Employee
    Posted Jul 29, 2015 09:58 AM

    I'm looking to understand what settings are required to perform HTTP monitoring? 

    As I understand, in the Agent Configuration, Agent Monitoring tab the "Web" channel checkbox for "HTTP" must be checked.

    Assuming that is correct, what, if any, impact do the Application Monitoring settings have to do with what is and isn't detected with HTTP?  For example, within Application Monitoring there is the option for "Network Access" to be checked. Microsoft IE is listed and "Network Access" is checked, however Chrome is not listed.  Yet, in our environment we see HTTP incidents from both IE and Chrome.  So my question is does checking "Network Access" for Application Monitoring have impact on HTTP monitoring? 

    Neither the help or admin guide is clear, and it doesn't seem nessaccary because Chrome incidents are detected despite Chrome not being registered in Application Monitoring.

     

    Any help would be appreciated.



  • 2.  RE: DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access
    Best Answer

    Trusted Advisor
    Posted Jul 29, 2015 10:30 AM

    Ensweiler,

    Couple of things when it comes to the Agent configuration.

    THe HTTP checkbox, is NOT a browser hook. Since this protocol is in the clear, just like FTP and other protocols the agents is able to monitor this WITHOUT hooking to the browser so this is a Protocol signature recognition/detection capability.

    HTTP is done at the Network layer and independent to the applications period!

    It will work no mater what browser or application is using FTP or HTTP.

    Keep in mind that HTTPS is completely different for it needs to hook into the browser, since it is the application that is createing or managing the Secure SSL connection to the HTTPS Website.

    The network access or other options for Applicaiton File access is monitoring a SPECIFIC executable or program as how it will Access the network or FIle System or File Access I/O. So it is VERY specific as to what that Porgram does. So for example when Chrome.exe tries to open or attach a file, that application is being monitored when it tries to acces that file. Th sam would apply to all of the other applications listed there. In some cases when it comes to Custom or user specific applications there might be a sub routine application that does the actual File reading or network access, so the monitored exectuable may not be the original application.

    If this answers your question please mark as solved!

    Ronak



  • 3.  RE: DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access

    Broadcom Employee
    Posted Jul 29, 2015 10:47 AM

    Hi Ensweller, 

    See below. Please mark solved if this helped. There is also a good write up on Application Monitor here:
    https://www-secure.symantec.com/connect/articles/application-monitoring

    Assuming that is correct, what, if any, impact do the Application Monitoring settings have to do with what is and isn't detected with HTTP?  So my question is does checking "Network Access" for Application Monitoring have impact on HTTP monitoring? 

    This question has me a bit confused, but the HTTP(S) checkbox (Agent Config) is a browser hook. This will be able to inspect content "inside" the supported browser, SSL. Application Monitoring, say for Chrome, is not a hook into the broswer. It is watching what the EXE is doing, and inspecting where instructed to. If you were to only check "network access" for Chrome, and attempt to send off sensitive data over an HTTPS link, the encrypted data would be missed by Application Monitoring. You are probably seeing detections because Chrome is being monitored on "File Read" or "File Access". FYI, in version 14, Chrome has a supported browser hook.

     

    Hope this helps.

    Joseph  



  • 4.  RE: DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access

    Broadcom Employee
    Posted Jul 29, 2015 11:05 AM

    Hi Joseph, thanks for the quick reponse.  The differences in v12 & earlier between Application Monitoring Network vs AFAC for Chrome are clear.

    My question is specific to HTTP.



  • 5.  RE: DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access
    Best Answer

    Broadcom Employee
    Posted Jul 29, 2015 11:19 AM

    Ronak, thank you for the quick reply.  I think you've answered it regarding HTTP (not HTTPS).  Let me restate for clarity:

    To monitor HTTP only the Agent Monitoring HTTP box must be checked.  (Application Monitoring does NOT need to be checked for HTTP monitoring).

     

    Assuming that is correct, then what does the "Network Access" option in Application Monitoring do?  Not HTTPS (which requires the browswer hook), not AFAC, and presumably not network shares because that is indicated under "Filesystem Activity".  The help menu (see screenprint) indicates monitors data moved over the network including HTTP and FTP. 

     

    Thanks

     

     



  • 6.  RE: DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access

    Trusted Advisor
    Posted Jul 29, 2015 11:43 AM

    Ensweiler,

    The network Access portion of the Application Monitoring will apply to any other type of Network Access. Keep in mind that you can send information via MANY different protocols and ports so this will look at those "other" network type access.

    For example there is RDP transfer access, or another type of file transfer or communication that might be specific to an application that is NOT HTTP or FTP. So this is where it will try to look at the content of those transmissions. There are MANY ways to move data over the network that dose not have to use FTP or HTTP. So it will look at the data transmissions of those applications.

    For example, there is sruff that DLNA servers do over the network that is not done via HTTP or FTP, or even Bonjour for Itunes and other applications.

    It may not always be able to see the content but we can detect when an application does try to do something on the network.

    It's a broad range of things.

    If this answers your question please mark as solved!

    Ronak



  • 7.  RE: DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access

    Broadcom Employee
    Posted Jul 29, 2015 11:45 AM
      |   view attached

    What does Network Access do?

     

    Help menu reference to HTTP and FTP



  • 8.  RE: DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access

    Broadcom Employee
    Posted Jul 29, 2015 11:59 AM

    Hi Ronak - so this might be a dumb question, but where do you define if "network access" monitoring should be enabled in the agent configuration?

    For example, to monitor CD/DVD writing from Roxio both the agent config (Agent Monitoring -> CD/DVD) and Application Monitoring CD/DVD writing for Roxio must be checked.

    To use the RDP example, if I want to monitor, what is the equivalent channel to select in the Agent Config Agent Monitoring tab?



  • 9.  RE: DLP Endpoint Agent Configuration - Difference between Monitoring Web Channel and Application Monitoring Network Access

    Trusted Advisor
    Posted Jul 29, 2015 12:30 PM

    Once it is registered, it will then monitor that applications access to the network..

    Honeslty, I am not 100% sure, but believe that is the case. 

    You can play with it and see.. register an file transfer application and see.