Data Loss Prevention


 Symantec DLP + CyberArk PSM – Detecting data exfiltration from RDP sessions

Anh Pham posted Jan 21, 2026 11:16 AM

Hi everyone,

I’m currently trying to detect data leakage scenarios involving RDP sessions brokered by CyberArk PSM, and I’d appreciate any advice or best-practice guidance.

Use case

After users connect to a target server via RDP through CyberArk, I want to detect situations where data is exfiltrated from the server back to the user’s machine, including:

  • Accessing client drive mappings (RDP-mounted local drives) and copying sensitive files into them

  • Copying files from the RDP session to the local machine (Ctrl-C / Ctrl-V, drag & drop)

  • Opening sensitive files on the server and copying their contents back to the local machine (clipboard)

What I’ve tried

Current understanding

After further research, I realized that:

  • The user is not directly connecting to the target server

  • The RDP session is brokered through an intermediate CyberArk PSM server

  • As a result, standard RDP processes (mstsc.exe, rdpclip.exe) on the user endpoint may not actually handle the file/clipboard operations

Current architecture

  • Symantec DLP Endpoint Agent is installed only on the user machine

  • The target server does NOT have the DLP Endpoint Agent installed

Questions

  1. How are others handling this DLP + CyberArk PSM RDP exfiltration use case?

  2. Is installing the DLP Endpoint Agent on the target server considered best practice in this scenario?

  3. If installing the agent on the server:

    • What should I be careful about? (performance, compatibility, supported use cases)

    • Any known limitations with CyberArk PSM?

  4. Are there alternative or recommended approaches?

Any insights, real-world experiences, or architecture recommendations would be greatly appreciated!
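Added example (not part of the original post, and not Symantec or CyberArk code): before deciding where the DLP agent has to live, it helps to know what the target server actually exposes. The script below runs on the target server inside the brokered session and reports whether client drive and clipboard redirection are blocked by Group Policy or by the RDP-Tcp listener, and which client drives are currently reachable as \\tsclient\<letter>. The registry paths and value names (fDisableCdm, fDisableClip) are the standard Terminal Services ones; the function names and output layout are my own.

```powershell
# Exposure check for RDP redirection channels, run on the target server from
# inside the RDP session. Read-only; it changes nothing.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpRedirectionSettings {
    # fDisableCdm = 1 blocks client drive mapping; fDisableClip = 1 blocks the
    # clipboard channel. The policy key (GPO) overrides the listener setting;
    # an absent value means "not configured", i.e. redirection is allowed.
    $policy   = Get-ItemProperty -Path $PolicyKey   -ErrorAction SilentlyContinue
    $listener = Get-ItemProperty -Path $ListenerKey -ErrorAction SilentlyContinue

    $driveBlocked = ($policy.fDisableCdm -eq 1) -or
                    ($null -eq $policy.fDisableCdm -and $listener.fDisableCdm -eq 1)
    $clipBlocked  = ($policy.fDisableClip -eq 1) -or
                    ($null -eq $policy.fDisableClip -and $listener.fDisableClip -eq 1)

    [pscustomobject]@{
        SessionName                 = $env:SESSIONNAME   # e.g. RDP-Tcp#3
        DriveRedirectionBlocked     = $driveBlocked
        ClipboardRedirectionBlocked = $clipBlocked
    }
}

function Get-RedirectedClientDrives {
    # Drive redirection exposes the client's drives as \\tsclient\<letter>.
    # Probe every letter; a share that resolves is reachable from this session
    # and is therefore a copy target for the "copy into mapped drive" scenario.
    $reachable = foreach ($code in 65..90) {
        $letter = [char]$code
        $unc = "\\tsclient\$letter"
        if (Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue) { $unc }
    }

    # Also list letters the user mapped explicitly (net use X: \\tsclient\C),
    # since those look like ordinary local drives to casual inspection.
    $mapped = Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\tsclient\*' } |
        ForEach-Object { "$($_.Name): -> $($_.DisplayRoot)" }

    [pscustomobject]@{
        ReachableTsclientShares = @($reachable)
        MappedDriveLetters      = @($mapped)
    }
}

Get-RdpRedirectionSettings
Get-RedirectedClientDrives
```

One caveat that follows from the brokered architecture described in the post: in a PSM-brokered session, the RDP client that actually connects to the target runs on the PSM server, so what the target sees under \\tsclient is whatever that hop redirects, not necessarily the end user's drives. Compare the script's output with the redirection settings of the PSM connection component before drawing conclusions about which machine needs the agent.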