Data Loss Prevention


Network Prevent Incident Details (IP address-Username)

  • 1.  Network Prevent Incident Details (IP address-Username)

    Posted Aug 05, 2013 04:54 AM

    Hi,

    We installed a DLP pilot which contains a Network Prevent for Web server. The NP server successfully integrated to a Websense web gateway via ICAP, and we can see HTTP/HTTPS messages. The problem is that in the incident details tab, at the sender we only have the IP address instead of the Username. Some incidents contain the username; not sure, but maybe the IDM/EDM detection doesn't get this information? The customer uses DHCP, so the IP address does not give any information for further investigation of the incidents.

    I think we must use some lookup plugin, but we don't know exactly how to start it and where we can find the required information for the lookups (IP - User pairs).

    Is there any solution to get this information from the IP address?

    Thanks,

    Laszlo




  • 2.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted Aug 07, 2013 02:29 AM

    hi laszlo,

     Not easy to answer your question, as it will depend on your infrastructure. DLP will be able to provide you the IP address, but after that it is your custom plugin script which has to find a way to get the username from this address. You could do an LDAP request to your AD (in this case use the std LDAP plugin), you could do a reverse DNS, you could call a webservice which manages workstations..... It really depends what is available on your infra.

     But yes, after that you will have to use a lookup plugin and populate a custom attribute with this value. Or another solution is to ask your first response team to find the information manually in a system available on your infrastructure for non false positive incidents (of course it is not the best one, but a possible workaround until you have a good solution).

     Regards



  • 3.  RE: Network Prevent Incident Details (IP address-Username)
    Best Answer

    Trusted Advisor
    Posted Aug 07, 2013 04:08 PM

    Laslo,

    There are many ways to skin a cat in order to get the information you require.

    In either case when it comes to Network Prevent for Web you will need to do some scripting, even if you can use the LDAP lookup feature. There are a couple of things you will need to decide upon:

    1. Does the Websense Proxy require authentication in order to get to the Web? If this feature is turned on, then DLP incidents will have a username, but probably have the Domain in the field (Domain\username). So the only way to make sure this happens is to configure Websense to require Authentication. This way EVERY incident will have a username that can be used to do a further lookup. You would need to script a process to remove the Domain information and then do an LDAP lookup with the username information. Otherwise you will have some that have a username and some that don't, which I believe is what you have now.

    https://www-secure.symantec.com/connect/forums/icap-and-winntdomainname

    2. If you want to lookup based on IP address, you will need to have some things as a requirement for a username lookup to happen. First is that there is some sort of system or way that you can decipher a username from an IP address or from the machine name. This could be through DNS or another system that you can query and get a username. For example, I had a customer where EVERY laptop name also had the username in it (jdoe_laptop_win7). What I needed to do was then do a reverse lookup via DNS and then parse the output of the laptop name (remove everything after the first _) and then pass that to the LDAP lookup. This then populated the attributes in the UI. *** This would be done via a daisy chained lookup (script then LDAP). You can then have the script run ONLY if it was a Web based incident. ****

    As far as a way to get more information via the IP, there are a few different ways outlined here.

    https://www-secure.symantec.com/connect/downloads/dlp-vontu-custom-script-lookup-network-incident-hostnames


    Overall you need to be able to script a process that you can pass some good information and then call some other process and get the information you need.


    Hope this makes sense.

    If this solves your questions please mark as solved.

    Ronak
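
The daisy-chained lookup described in the answer above (strip the domain from a Domain\username sender, or reverse-resolve an IP sender, cut the hostname at the first underscore, then feed the bare name to a directory lookup), written out as an added example; this is not code from the thread or from Symantec DLP. The attribute keys `protocol` and `sender`, the hostname convention, and the in-memory `DIRECTORY` standing in for the LDAP stage are all assumptions.

```python
import re
import socket

# Constructed stand-in for the directory that the second (LDAP) stage of the
# chain would query; the attribute names are made up for this example.
DIRECTORY = {
    "jdoe": {"mail": "jdoe@corp.example", "department": "Finance"},
    "asmith": {"mail": "asmith@corp.example", "department": "IT"},
}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def username_from_sender(sender):
    """'CORP\\jdoe' or 'jdoe@corp.example' -> 'jdoe'; a bare name is kept."""
    if "\\" in sender:
        return sender.rsplit("\\", 1)[1]
    return sender.split("@", 1)[0]


def username_from_hostname(hostname):
    """Naming convention from the answer: 'jdoe_laptop_win7.corp.example'
    -> 'jdoe' (drop everything after the first '_'). Names that do not
    follow the convention yield None so nothing is guessed."""
    short = hostname.split(".", 1)[0]
    m = re.fullmatch(r"([A-Za-z][A-Za-z0-9]*)_.+", short)
    return m.group(1).lower() if m else None


def lookup(attrs, reverse_dns=socket.gethostbyaddr, directory=DIRECTORY):
    """Daisy-chained lookup: sender -> (reverse DNS -> hostname parse)
    -> directory. 'attrs' imitates the key/value pairs a script lookup
    receives; the key names 'protocol' and 'sender' are assumptions."""
    if attrs.get("protocol") != "HTTP":      # only run for Web incidents
        return {}
    sender = attrs.get("sender", "")
    if IPV4.fullmatch(sender):
        try:
            user = username_from_hostname(reverse_dns(sender)[0])
        except OSError:                      # no PTR record for this IP
            return {}
    else:
        user = username_from_sender(sender) if sender else None
    if not user:
        return {}
    result = {"username": user}
    result.update(directory.get(user, {}))   # LDAP stage, stood in by DIRECTORY
    return result
```

Passing a fake `reverse_dns` callable (as the test does) lets the chain be exercised without DNS; in production the default `socket.gethostbyaddr` does the reverse lookup.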



  • 4.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Aug 08, 2013 03:16 AM

    Thanks Stephane and DLP Solution :) I will walk through the articles and try to solve it with a script.

    Regards

    Laszlo



  • 5.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Aug 14, 2013 08:42 AM

    Hi,

    I walked through the articles but did not find the solution yet.

    1. The lookup script doesn't work because we don't have the source information to look up. In the environment all users are using a terminal server, so user lookup based on the IP address is not possible.

    2. We've checked the Websense settings and configured it to require authentication to access the web. In the WebPrevent_Access log we've found the Base64 encoded usernames, but on the DLP web interface the incident snapshot still does not contain this information.

    Does anybody have some experience with Websense - Symantec DLP integration? Why doesn't the DLP show the username although it is in the ICAP log?

    Sample from the log (without IP, encoded username and the URL):

    XXX.XXX.XXX.XXX "wefiwebflibjlikjblijde" 14/aug./2013:13:23:52:414+0200 "POST http://google.com HTTP/1.1" 204 1350 "http://google.com" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" 218 26 172.16.1.212 52903 5 1 2 77527BAB-B0D8-483B-A4B6-FC1C3828172B

    Regards

    Laszlo



  • 6.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Sep 02, 2013 03:04 AM

    Any idea? I'll open a technical case and update the thread asap.

    Regards,

    Laszlo



  • 7.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted Sep 02, 2013 03:22 AM

    did you have a look at HTTP headers available in message processed by DLP ?



  • 8.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Sep 02, 2013 03:29 AM

    No I didn't but in the ICAP log file there is a username in every record. I check the header.



  • 9.  RE: Network Prevent Incident Details (IP address-Username)
    Best Answer

    Trusted Advisor
    Posted Sep 03, 2013 02:46 PM

    Laszlo...

    I do not think you have it configured properly. It does NOT matter what is in the ICAP log on the Websense server. It only depends on what is on the Web Prevent server, nothing else.

    What version of DLP are you running?

    Also, what version of Websense are you integrated with?

    Here is how to see if you are getting any information.

    1. Go to System > Logs and on the configuration tab you will need to configure the Enforce Server to start collecting the "Custom Attribute Lookup Logging". Enable that.
    2. Also enable the "ICAP Prevent Message Processing"
    3. You will then need to go to System > Lookup Plugins > Plugin Parameters. Enable "Sender" and "Incident".
    4. Then create an incident on the Web Prevent server and then start looking at the logs.
    5. See what comes in the logs as far as the ICAP data.. you will need to see if Websense is sending you any type of information in the ICAP packet.
    6. You may need to configure Websense to send you the User information. Make sure that you have enabled NTLM proxy authentication and pass that via ICAP.

    Overall if the Sender field in the Incident Data is not populated with some user information and ONLY an IP address, then DLP is not getting it from Websense.


    Hope this makes sense.

    If this solves your questions please mark as solved.

    Ronak



  • 10.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Sep 04, 2013 07:23 AM

    Hi,

    It looks like point 3 solved the problem. I don't really understand how, because there isn't any lookup script now. Does the DLP use these parameters for the native lookups too?

    I check the other incident types and after that I mark this as a solution.

    Thanks,

    Laszlo



  • 11.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted Sep 05, 2013 01:44 AM

    If you have no plugin at all (neither a standard one like csv, ldap,... nor custom ones) it looks strange that point 3 solves your problem. But whatever, if you solved it, it is nice.

    did you get username in a custom attribute or in incident details section ?  



  • 12.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Sep 05, 2013 08:36 AM

    There aren't any lookup so it's really strange, but now the username appears in the incident details section.



  • 13.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted Sep 05, 2013 12:29 PM

    Laszlo...

    Glad I can help with fixing the situation.

    If this solves your questions please mark as solved.

    Ronak



  • 14.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Sep 09, 2013 12:19 PM

    It "worked" because you told DLP to return the "sender" attribute, which is the authenticated user that you are receiving from within the ICAP request.  Based on what you're saying, you are not actually doing any subsequent lookup on that data.  All you did was enable DLP to return that data to the standard incident meta-data. 

    Now that you're returning that data within the incident by enabling that attribute, you COULD, if desired, perform subsequent lookups (i.e. via LDAP), to get additional information about the user, like their email address, department, etc, and add that to Custom Attributes.



  • 15.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Sep 11, 2013 04:11 AM

    In Network incidents, you can see only user details but not IP details. IP details can be seen in incidents in the Endpoint incidents tab.



  • 16.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Sep 11, 2013 04:49 AM

    Keith,

    I understood what you said, but I didn't know that I have to enable any attribute for native/standard incident meta-data.

    I'm waiting for the detailed test results but the customer already signed that some incidents (Network - HTTP) still don't contain the username...

    Laszlo




  • 17.  RE: Network Prevent Incident Details (IP address-Username)

    Trusted Advisor
    Posted Sep 24, 2013 02:15 AM

    Laszlo.

    If this solves your questions please mark as solved.

    Ronak



  • 18.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Sep 24, 2013 02:54 AM

    Hi,

    It seems that the reason was that Firefox did not send auth information in all packages. When I checked the logs I saw the username in the first event, but after that it disappeared.

    With IE it works like a charm, and every packet contains the username (In Base64).

    With IE, and with DLP Solution's comment everything works now.

    Regards,

    Laszlo
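
An added example (not code from the thread, Websense or Symantec DLP) that turns the WebPrevent_Access record format quoted in post 5 and the browser behaviour reported in post 18 into a check: it parses constructed log lines in that layout, decodes the quoted Base64 user field, and reports per browser family how many records actually carried an authenticated user. The decoded form `WinNT://DOMAIN/user`, the use of `"-"` for a record without a user, and all sample values are assumptions.

```python
import base64
import binascii
import shlex

# Constructed sample records in the layout quoted from WebPrevent_Access above:
# client IP, quoted Base64 user, timestamp, request, status, bytes, referer,
# user agent, then trailing counters. Every value here is made up; "-" stands
# in for a record that carried no authenticated user (an assumption).
SAMPLE_LOG = """\
10.0.0.5 "V2luTlQ6Ly9DT1JQL2pkb2U=" 14/aug./2013:13:23:52:414+0200 "POST http://example.test/upload HTTP/1.1" 204 1350 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" 218 26 172.16.1.212 52903 5 1 2 00000000-0000-0000-0000-000000000001
10.0.0.5 "-" 14/aug./2013:13:23:53:102+0200 "POST http://example.test/upload HTTP/1.1" 204 1350 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" 218 26 172.16.1.212 52904 5 1 2 00000000-0000-0000-0000-000000000002
10.0.0.5 "-" 14/aug./2013:13:23:54:771+0200 "POST http://example.test/upload HTTP/1.1" 204 1350 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" 218 26 172.16.1.212 52905 5 1 2 00000000-0000-0000-0000-000000000003
10.0.0.6 "V2luTlQ6Ly9DT1JQL2FzbWl0aA==" 14/aug./2013:13:24:01:005+0200 "POST http://example.test/upload HTTP/1.1" 204 1350 "http://example.test/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 218 26 172.16.1.212 52910 5 1 2 00000000-0000-0000-0000-000000000004
10.0.0.6 "V2luTlQ6Ly9DT1JQL2FzbWl0aA==" 14/aug./2013:13:24:02:318+0200 "POST http://example.test/upload HTTP/1.1" 204 1350 "http://example.test/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" 218 26 172.16.1.212 52911 5 1 2 00000000-0000-0000-0000-000000000005
"""


def decode_icap_user(field):
    """Quoted Base64 user field -> bare account name, or None when the record
    has no user ("-") or the value is not valid Base64. The decoded text is
    assumed to look like 'WinNT://DOMAIN/user'; 'DOMAIN\\user' and a bare
    name are accepted as well."""
    if field in ("", "-"):
        return None
    try:
        text = base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    text = text[len("WinNT://"):] if text.startswith("WinNT://") else text
    return text.replace("\\", "/").rsplit("/", 1)[-1] or None


def parse_record(line):
    """Split one record on whitespace while honouring the quoted fields."""
    f = shlex.split(line)
    return {"client": f[0], "user": decode_icap_user(f[1]), "agent": f[7]}


def auth_gaps(log_text):
    """Per browser family: (records with a decoded user, total records).
    A family with fewer authenticated records than total shows the symptom
    from post 18: the browser is not sending credentials on every request."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        agent = rec["agent"]
        family = "Firefox" if "Firefox/" in agent else ("MSIE" if "MSIE" in agent else "other")
        have, total = stats.get(family, (0, 0))
        stats[family] = (have + (rec["user"] is not None), total + 1)
    return stats
```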



  • 19.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Jun 10, 2021 10:36 AM
    This article is what I was looking for. However, my aim is not to associate the incident with a username, but rather be able to apply DLP policies based on this username and her/his AD group. For example for the IT group, don't apply any DLP policy.

    Something similar to user groups in Enforce DLP policies, which I don't think work with the Network Prevent for Web.

    Kindly
    Wasfi


  • 20.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Jun 10, 2021 10:44 AM

    Hi Wasfi 

    You can apply a policy to a specific username or AD group, or apply a specific group or username exception for a specific policy.

    if you want to apply for all the policies you have to do that in each policy. 

    So by default a DLP policy will be applied to everyone that has the agent or any traffic passed to the other detection servers.

    you have to mention which user or group to apply that policy or which you want to exclude from the policy 

    Thanks



    ------------------------------
    Fady Azab
    Senior Consultant
    CCIT GMBH
    ------------------------------



  • 21.  RE: Network Prevent Incident Details (IP address-Username)

    Posted Jun 10, 2021 07:51 PM
    Thank you Fady. In my case, I don't have the DLP agents installed on end-user devices. I only have Network Prevent for Web detection servers that are integrated with Proxy SG devices over ICAP.

    I guess based on what you said, the Network Prevent for Web will read the username from the Proxy SG "after the Proxy SG has authenticated the user", then it will apply the policy or not apply it based on the user groups defined for that policy on the Enforce server, correct?

    In this case, the script mentioned originally in this article is only needed to associate incidents with usernames, but not needed if you want to only apply policies based on user groups?