Data Loss Prevention

  • 1.  DLP - Why some Endpoint incidents do not show a source path?

    Posted Mar 06, 2014 01:21 AM
    I have noticed that some of the incidents generated do not show a path for the source file, only the destination. In other words, if an incident is generated because a file was copied from an internet site or a SharePoint site onto a USB drive, the incident details do not show a path for the file source, just the file name and destination path, but no source path... Any guidance on this will be appreciated.
     
    DLP 11.6
     
    Thank you.
     
    Amit 


  • 2.  RE: DLP - Why some Endpoint incidents do not show a source path?

    Trusted Advisor
    Posted Mar 10, 2014 02:22 PM

    Aashok,

    You will need to also look at the Program that created the incident. There can be cases where the file was created in a Program from scratch and then saved to the USB device.

    For example, if I open Word, create a document, and save it for the first time to the USB drive. Also, if I download a file from the Web and save it directly to the USB device.

    Also keep in mind that many laptops NOW have Hard Drives that are considered USB devices by Windows and are represented as a device string in the Incidents.

    So it is up to the application how it might have been created or utilized.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak



  • 3.  RE: DLP - Why some Endpoint incidents do not show a source path?

    Broadcom Employee
    Posted Apr 23, 2014 03:31 AM

    I have stated the reasons for the blank fields in the worksheet "Reason".

    Please download the below file....

    https://www-secure.symantec.com/connect/downloads/why-some-endpoint-incidents-do-not-show-source-path

    Please make sure to mark this as a solution to your problem, when possible.



  • 4.  RE: DLP - Why some Endpoint incidents do not show a source path?

    Broadcom Employee
    Posted Apr 25, 2014 12:03 AM

    Dear Aashok,

    Please get the updated link...

    https://www-secure.symantec.com/connect/downloads/reasons-respective-fields-why-they-are-left-blank-while-exporting-endpoint-incidents

    Thanks

    Please make sure to mark this as a solution to your problem, when possible.



  • 5.  RE: DLP - Why some Endpoint incidents do not show a source path?

    Broadcom Employee
    Posted Apr 25, 2014 06:42 AM
    | Sr. No | Blank Field | Type | Reason |
    |---|---|---|---|
    | 1 | Destination | HTTPS/SSL, HTTP | In endpoint incidents the Destination field is used for file transfer incidents, i.e. where files are transferred from source to destination, and since https/ssl or http transactions do not have this information, destination is only populated for CD/DVD & Removable storage incidents. But still we get the destination URL for http/s incidents, which is given in the recipient field. |
    | 2 | Destination Path | CD/DVD | For CD/DVD incidents the destination path would be the CD/DVD drives, and since at the time of writing the files on CD/DVD drives they become unreadable for the internal applications, DLP is unable to monitor/keep track of the path where the files are getting copied. Hence DLP monitors only the destination for CD/DVD incidents and not its path. |
    |  |  | FTP, HTTP, HTTPS/SSL | Destination path is used for the file transfer incidents, i.e. where files are transferred from source to destination, and since https/ssl or http transactions do not have this information, destination path is only populated for Removable storage. But still we get the destination URL for http/s incidents, which is given in the recipient field. |
    | 3 | Source File | FTP, HTTP, HTTPS/SSL | Source File is populated only for the file transfer incidents, i.e. where files are transferred from source to destination, and since https/ssl or http transactions do not have this information, Source File is only populated for Removable storage. |
    |  |  | Removable Storage | There are multiple reasons: 1. If the user is transferring a file to removable storage directly from Lotus Notes, then DLP might not get the source file or its path. 2. If the user is downloading/copying the file directly from ftp/filesharing services to removable storage. 3. If the user is working on an Excel sheet and, instead of saving it locally, saves it directly to the removable storage device, then DLP would not understand the source file path, as the application has copied the file directly. |
    | 4 | Source File Path | FTP, HTTP, HTTPS/SSL | Source File Path is populated only for the file transfer incidents, i.e. where files are transferred from source to destination, and since https/ssl or http transactions do not have this information, Source File Path is only populated for Removable storage. |
    |  |  | Removable Storage | There are multiple reasons: 1. If the user is transferring a file to removable storage directly from Lotus Notes, then DLP might not get the source file or its path. 2. If the user is downloading/copying the file directly from ftp/filesharing services to removable storage. 3. If the user is working on an Excel sheet and tries to save the file directly to the removable storage device instead of his local drive, then DLP would not understand the source file path, as the application has copied the file directly. |
    | 5 | Device Instance ID | FTP, HTTP, HTTPS/SSL | Device Instance ID is basically a unique ID assigned to all types of plug-n-play devices, and since ftp/http/s does not have a Device Instance ID, it is kept blank. |
    |  |  | Removable Storage | Will have to investigate these specific incidents with the user as to how he had copied the files, since not all removable storage incidents are showing as blank for this field. |
    | 6 | Subject | All Types | Since this field is monitored only for Email/SMTP incidents, it will be left blank for all other types of incidents. |
    | 7 | Recipient(s) | CD/DVD, Removable Storage | In endpoint incidents the Recipient field is used to populate the end URL/s or email recipients where the data has been uploaded/mailed respectively. Hence for CD/DVD & Removable storage incidents this field is left blank. |
    | 8 | Data Owner Name | All Types | Only available if Data Insight is implemented. |
    | 9 | Data Owner Email | All Types | Only available if Data Insight is implemented. |
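
    As an added illustration (not part of the thread and not vendor code), the table above can be applied to an exported incident list to separate blank fields that are expected by design from those that need follow-up. The CSV layout, the `ID` and `Type` column names, the verdict labels and the sample rows are assumptions constructed for this example.

```python
import csv
import io

NET = {"FTP", "HTTP", "HTTPS/SSL"}
# Field -> incident types for which the table says the field is blank by design.
EXPECTED = {
    "Destination": {"HTTP", "HTTPS/SSL"},
    "Destination Path": NET | {"CD/DVD"},
    "Source File": NET,
    "Source File Path": NET,
    "Device Instance ID": NET,
    "Recipient(s)": {"CD/DVD", "Removable Storage"},
}
# Blank for all types per the table (Subject: Email/SMTP only; Data Owner: needs Data Insight).
ALWAYS = {"Subject", "Data Owner Name", "Data Owner Email"}
# Removable Storage blanks the table explains case by case (verdict labels are hypothetical).
FOLLOW_UP = {
    "Source File": "check-application",
    "Source File Path": "check-application",
    "Device Instance ID": "investigate-with-user",
}

def classify(field, inc_type):
    """Verdict for one blank field on one incident type."""
    if field in ALWAYS or inc_type in EXPECTED.get(field, ()):
        return "expected"
    if inc_type == "Removable Storage" and field in FOLLOW_UP:
        return FOLLOW_UP[field]
    return "unexplained"  # not covered by the table

def triage(csv_text):
    """Return (incident id, field, verdict) for every blank field in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        inc_type = row["Type"].strip()
        for field, value in row.items():
            if field not in ("ID", "Type") and not (value or "").strip():
                findings.append((row["ID"], field, classify(field, inc_type)))
    return findings

# Constructed sample export; none of these values come from a real console.
SAMPLE = r"""ID,Type,Source File,Source File Path,Destination,Destination Path,Device Instance ID,Recipient(s)
101,HTTPS/SSL,,,,,,https://upload.example.test/
102,Removable Storage,report.xlsx,,E:,E:\out,USBSTOR\DISK&VEN_X\0001,
103,Removable Storage,plan.docx,C:\Users\a\plan.docx,E:,E:\,,
104,CD/DVD,notes.txt,C:\tmp\notes.txt,,,IDE\CDROM\0001,
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

    Only the `check-application`, `investigate-with-user` and `unexplained` verdicts need an analyst's attention; for `check-application`, the program recorded on the incident is the place to start, as the first reply suggests.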
           


  • 6.  RE: DLP - Why some Endpoint incidents do not show a source path?

    Broadcom Employee
    Posted Apr 28, 2014 05:46 AM

    If you have received your answer, please Mark a Solution. If multiple posts help you, please select the "Request split solution" option.



  • 7.  RE: DLP - Why some Endpoint incidents do not show a source path?

    Broadcom Employee
    Posted May 04, 2014 01:39 PM
    If you have received your answer please Mark As a Solution.