Data Loss Prevention

  • 1.  What is the best way to bypass the DLP Endpoint Agent block, when it's needed

    Posted Jun 21, 2012 05:15 AM

    Hello all,

    I'm looking for a way to bypass the block of the DLP agent (Endpoint Agent).

    I'd be glad to hear some ideas.

    Case:

    Normally, the DLP Agent blocks writing a confidential file to DVD or sending a confidential file via e-mail.

    But in some cases the security manager wants to let the end user bypass the block, because the writing or the sending is needed for business reasons.

    In the above case, what is the best way?

    Temporarily add the user who writes or sends it to the policy exception?

    Register the particular external DVD drive's device ID as the policy exception device, and use it only when needed? (This only applies to the DVD writing case, though...)

     

    Sincerely,

    Kengo



  • 2.  RE: What is the best way to bypass the DLP Endpoint Agent block, when it's needed

    Posted Jun 21, 2012 10:34 AM

    You shouldn't have to do that. If sending data in a particular way is against the company's security policy, you should do it in a way that is in keeping with the policy. For example, you should encrypt private information if you need to send it.



  • 3.  RE: What is the best way to bypass the DLP Endpoint Agent block, when it's needed

    Posted Jun 21, 2012 10:38 AM

    Hi Kengo,

    The best way is to add the users into a policy exception. The reason is that you can achieve accountability, and moreover you need to design a process wherein the data owner has to formally send out an email specifying until what time/date this user needs to be added/removed.

    In case you opt for the other option, it will be quite difficult to maintain accountability for the device when multiple logins are viable.



  • 4.  RE: What is the best way to bypass the DLP Endpoint Agent block, when it's needed

    Posted Jun 22, 2012 07:11 AM

    Thank you Xlloyd and Syed!

    I'm glad to hear your thoughts!

    This time, I talked with the customer, and we decided to try both of the following options.

    - Add the particular machine into the policy exception, and when the security manager approves, the user writes the data to DVD using that machine.

    - Basically they don't use the block response rule, but use the user cancel response rule.

    We'll try them and, if needed, change the process.

    Regards,

    Kengo



  • 5.  RE: What is the best way to bypass the DLP Endpoint Agent block, when it's needed

    Posted Jul 24, 2012 06:55 AM

    I would create a directory group containing the users that have an exception. This way you can reuse your entitlement system to add a user (grant exception) and remove a user (revoke exception after the time is over), and everything is properly logged etc.

    Obviously this (like the other solutions above) does not work while the user is offline (no update of policies and no update of the directory group).



  • 6.  RE: What is the best way to bypass the DLP Endpoint Agent block, when it's needed

    Posted Jul 24, 2012 10:26 AM

    Kengo,

    All of the above comments are great and likely what I would have provided or suggested as well. Sometimes we do hear this from customers and they need that one-off situation to allow the action. I just wanted to add in one other option as well, so you have a lot of ideas of what is/isn't available.

    Using the Agent Configuration screen, you can also disable the agent on a specific endpoint if you'd like. The difference between this approach and the others is that the user would then technically have free roam to do anything on the machine without being blocked (per your normal policies), as no policies would be enforced during that time period. Again, not the best option I don't think, but it is another option nonetheless.

    Further, I just wanted to point out something regarding the logging that folks spoke of above. If there is an exception added to a policy, there will be no record within the Enforce system of that user then putting the information on the external device (CD/DVD in this case). One use case was mentioned with the User/Cancel option, which WOULD in fact create an incident. This would essentially give you the auditing of that "exception" vs. the flat-out exception that wouldn't create an incident.



  • 7.  RE: What is the best way to bypass the DLP Endpoint Agent block, when it's needed

    Posted Jul 25, 2012 12:04 PM

    What we have thought about doing is to except the user from the user block policy, but add them to a user cancel policy. That way you can gather their justification and have the action logged in DLP.

    Jeremy
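
    The audit difference discussed in the replies above (a flat policy exception leaves no incident, a User Cancel response still records one, and an exception should expire on a set date) can be seen in a small simulation. The following is an added illustration written for this thread; it is not Symantec DLP code and does not reproduce the Enforce server's policy engine. The `Policy`, `Action` and `Decision` classes, the `grant_exception`/`revoke_expired` helpers and the sample events in `demo()` are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Response rules named in the thread (hypothetical constants for this simulation).
BLOCK = "block"
USER_CANCEL = "user_cancel"


@dataclass
class Action:
    """An endpoint event the agent would inspect (constructed sample data)."""
    user: str
    destination: str                      # "dvd" or "email"
    confidential: bool
    justification: Optional[str] = None   # text entered at a User Cancel prompt, if any


@dataclass
class Decision:
    outcome: str              # "allowed" or "blocked"
    incident: Optional[dict]  # None when the incident log receives no record


@dataclass
class Policy:
    name: str
    response: str                          # BLOCK or USER_CANCEL
    exceptions: dict = field(default_factory=dict)   # user -> {"expires", "granted_by"}
    incidents: list = field(default_factory=list)    # stands in for the Enforce incident list

    def grant_exception(self, user: str, granted_by: str, days: int, now: datetime) -> None:
        """Time-bounded exception, as the 'till what time/date' process in the thread asks for."""
        self.exceptions[user] = {"expires": now + timedelta(days=days), "granted_by": granted_by}

    def revoke_expired(self, now: datetime) -> list:
        """Revoke exceptions whose end date has passed; returns the revoked users."""
        expired = [u for u, e in self.exceptions.items() if e["expires"] <= now]
        for u in expired:
            del self.exceptions[u]
        return expired

    def is_excepted(self, user: str, now: datetime) -> bool:
        e = self.exceptions.get(user)
        return e is not None and e["expires"] > now

    def evaluate(self, action: Action, now: datetime) -> Decision:
        if not action.confidential:
            return Decision("allowed", None)
        if self.is_excepted(action.user, now):
            # Flat exception: the action proceeds and nothing is recorded (the audit gap).
            return Decision("allowed", None)
        if self.response == BLOCK:
            return Decision("blocked", self._record(action, now, "blocked"))
        # USER_CANCEL: the user is prompted; continuing needs a justification,
        # and an incident is written either way, which is the audit trail wanted here.
        if action.justification:
            return Decision("allowed", self._record(action, now, "user_continued"))
        return Decision("blocked", self._record(action, now, "user_cancelled"))

    def _record(self, action: Action, now: datetime, result: str) -> dict:
        incident = {"policy": self.name, "user": action.user, "destination": action.destination,
                    "result": result, "justification": action.justification, "time": now.isoformat()}
        self.incidents.append(incident)
        return incident


def demo() -> dict:
    """Walk the thread's options with constructed sample events; returns each decision."""
    now = datetime(2012, 7, 25, 12, 0)
    burn = Action("kengo", "dvd", confidential=True,
                  justification="Customer deliverable approved by data owner")

    block = Policy("Confidential to removable media", BLOCK)
    flat = block.evaluate(burn, now)                       # blocked, incident recorded

    block.grant_exception("kengo", granted_by="data_owner", days=1, now=now)
    excepted = block.evaluate(burn, now)                   # allowed, but no incident at all

    later = now + timedelta(days=2)
    revoked = block.revoke_expired(later)                  # ["kengo"]
    after_expiry = block.evaluate(burn, later)             # blocked again once the exception lapses

    cancel = Policy("Confidential to removable media (User Cancel)", USER_CANCEL)
    justified = cancel.evaluate(burn, now)                 # allowed, incident carries justification
    no_reason = cancel.evaluate(Action("kengo", "dvd", True), now)  # user cancelled, still logged

    return {"block": flat, "excepted": excepted, "revoked": revoked, "after_expiry": after_expiry,
            "justified": justified, "no_reason": no_reason,
            "incidents_block_policy": len(block.incidents),
            "incidents_cancel_policy": len(cancel.incidents)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    Running `demo()` shows the point made in replies 6 and 7: the excepted write is the only confidential action that leaves no incident behind, while the User Cancel policy records the user's justification and records the cancelled attempt as well. The expiry handling is the part reply 3 and reply 5 describe as a process; whether it is a directory group or a policy exception, something still has to revoke it, and the simulation treats an expired entry as no exception at all.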



  • 8.  RE: What is the best way to bypass the DLP Endpoint Agent block, when it's needed

    Posted Jul 25, 2012 03:09 PM

    That would be a good approach to ensure you have the capability, but it would require some operational intervention. It's the usual trade-off between cost and risk.