Data Loss Prevention

  • 1.  Detecting Compressed Files

    Posted Aug 18, 2017 09:14 AM

    This has been bugging me for the past few days. Our policy is to block cloud-based storage providers at the firewall. So I can't access box.com, dropbox.com, Google Drive, Amazon Drive, OneDrive; the common ones, via web browser. Even with their app installed I can't upload or download files, with one exception, OneDrive. We are running O365 and utilize OneDrive on a corporate level. No issue with sensitive files being placed there. The problem is with the personal version of OneDrive. This is the one app I can install and use to upload and download sensitive data to my personal account. I've created a policy with rules for Compressed Files, Recipient: box.com, dropbox.com, ondrive.live.com, etc., and Protocol: FTP, HTTP and HTTPS/SSL. I upload a zip file containing sensitive data, no detection.

    Now our DLP implementation is still in its infancy; 2 months old. Our active components are Monitor and Network Discover with Prevent for Email on the way. Monitor is active on SMTP, FTP and HTTP. Is what I'm trying to accomplish possible with Monitor? If so, what am I missing?


    Djacobs



  • 2.  RE: Detecting Compressed Files

    Posted Aug 21, 2017 04:34 PM

    I'm not seeing Web Prevent in your list of deployed detection servers, so I'm assuming your outbound network traffic is captured using Network Monitor. Network Monitor does not have out-of-the-box visibility into HTTPS traffic.



  • 3.  RE: Detecting Compressed Files

    Posted Aug 22, 2017 07:48 AM

    Correct. Outbound is being detected by Monitor. Web Prevent is not in our lineup. What we have done is configure the Decryption Port Mirror on our Palo Alto firewall, which makes the encrypted traffic visible through one of the interfaces on our Monitor server. We can see it but not prevent it, and for now, that's accepted.



  • 4.  RE: Detecting Compressed Files
    Best Answer

    Posted Aug 22, 2017 10:01 AM

    Try adjusting the rule to just detect the file types in question. Forget about other criteria for now. Once you know it's detecting file types, try adding the destination criteria, specifically for OneDrive, since you know you can get there.
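The staged troubleshooting the answer describes, as an added example that is not part of this thread or of any DLP product: a toy rule evaluator that checks the compressed-file criterion by archive magic bytes, then adds the recipient and protocol criteria one at a time and reports which criterion stops the rule from firing. The hosts, the sample archive and the `.test` domain are constructed for the demo.

```python
import io
import zipfile
from dataclasses import dataclass

# Magic bytes of common archive formats (ZIP, gzip, 7-Zip); a file-type
# criterion keys on content, not on the file extension.
ARCHIVE_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"7z\xbc\xaf\x27\x1c")

@dataclass
class Upload:
    host: str        # destination host as seen by the monitor
    protocol: str    # "HTTP", "HTTPS" or "FTP"
    payload: bytes   # captured file body

def is_compressed(payload: bytes) -> bool:
    return payload.startswith(ARCHIVE_MAGIC)

def evaluate(upload, recipients=None, protocols=None) -> dict:
    """Evaluate one rule. The file-type criterion is always on; recipient and
    protocol are optional. Every enabled criterion must match (AND)."""
    results = {"file_type": is_compressed(upload.payload)}
    if recipients is not None:
        results["recipient"] = any(upload.host == r or upload.host.endswith("." + r)
                                   for r in recipients)
    if protocols is not None:
        results["protocol"] = upload.protocol.upper() in protocols
    results["match"] = all(results.values())
    return results

def staged_check(upload, recipients, protocols) -> str:
    """Add criteria one at a time and name the first one that fails ("ok" if none)."""
    if not evaluate(upload)["file_type"]:
        return "file_type"
    if not evaluate(upload, recipients=recipients)["recipient"]:
        return "recipient"
    if not evaluate(upload, recipients=recipients, protocols=protocols)["protocol"]:
        return "protocol"
    return "ok"

def make_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("customers.csv", "name,account\nA. Example,0000\n")  # constructed
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed case: the sync client talks to a host missing from the recipient list.
    up = Upload("sync.cloud-example.test", "HTTPS", make_sample_zip())
    print(staged_check(up, ["box.com", "dropbox.com", "onedrive.live.com"],
                       ["FTP", "HTTP", "HTTPS"]))  # recipient
```

A "recipient" result means file-type detection works and the destination list, not the detector, needs attention; "file_type" on a real capture points at visibility (for example undecrypted HTTPS) rather than the rule.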