DLP condition is flawed?

Hello all,

I want to ask if anyone has a solution or workaround. I have talked to Sophos support and their answer is "not capable" and "cannot cover all the leaks currently".

Currently, the DLP condition for destination is not really a destination. It is a transport mechanism, i.e., email client, browser, etc. I asked if I could restrict by hostname or domain name and they said no. However, Opera is not one of the browsers and FTP is not listed. Therefore, my user can easily download a portable version of Opera or FileZilla Portable and send anything out anywhere and totally bypass the DLP rules without being logged, let alone blocked.

I believe blocking by transport mechanism is flawed because there must be 100 ways you can "send" out a file to the internet, and trying to block all transport mechanisms is not practical; not even Sophos can list all of them.

So how would I be able to block sending of files to true destinations (host or domain) instead of by transport mechanism? I still can't believe Sophos's definition of a destination is transport mechanisms.



Added tags
[edited by: Gladys at 3:26 PM (GMT -7) on 23 Aug 2022]
  • There is a caveat with this workaround. If I use "Block", I have to go through the entire list of applications. If I use "Allow", I am basically restricting the list of apps that users can use. I am also constrained to the Sophos list of apps, not knowing on a daily basis whether a new mechanism pops up on the internet. In either situation, it does not completely solve the problem. The goal is to whitelist destination hosts or domains so that when users are transferring "things" with DLP-listed info, whitelisted hosts or domains will be automatically allowed and logged without prompting, while for any others, the user will be prompted to confirm and logged.

    On a different note, I must allow Chrome as a browser. If a user uses the Chrome browser to attach a file via Gmail to a domain, how do I configure the DLP policy so that if the domain is on a company allow list, it will automatically send and log, and otherwise prompt the user to confirm and log?

  • Hello,

    excuse me for chiming in. Maybe I can shed light on what DLP does and what it can't do (disregarding devices as destination). May I point out the following sentence from Overview of Data Control: "Sophos data loss protection (DLP) is designed to reduce the risk of accidental data transfer by employees." [emphasis mine]

    DLP originates from on-access scanning. When a file is opened for reading, first the application requesting the open is determined. If it's among the destinations in one or more rules, these rules are checked and the open is either allowed or denied. DLP has no insight regarding the application's (or user's) intention and further actions. You simply can't determine the (actual) destination from outside the application. If at all, only a plug-in could do it.
    Please see also the Known limitations with data control.

    Christian

  • Thanks for chiming in. I agree with the "reduce" but not necessarily the "accidental" part, unless this is the design purpose of Sophos's implementation of DLP. I believe that's why there is logging.

    Your second part mentioned "the application requesting the open is determined" and "among the destinations in one or more rules", which tells me the policy is capable of seeing what application is matched, because the rules allow the selection of specific applications. However, the log does not contain that information, which makes discovery very difficult when doing audits. As far as the actual destination (the place where the user is actually sending to, not the application destination as Sophos defines it in DLP), I agree it is more difficult but should not be impossible. Even an IP address can be helpful. For example, if the log shows a file was sent via Outlook, I can go search the email archive. If the log shows it was sent via FileZilla or FTP, I can search firewall logs, etc.

    I am simply trying to bring out the shortcomings of Sophos's DLP implementation, and there is a lot of room for improvement, especially in a regulated environment. Or maybe someone can point out that in a regulated environment, Sophos's Advanced Intercept X is just not the right product to use?

  • Hello Sophos User6628,

    when DLP was introduced over ten years ago there was no Intercept X, but DLP hasn't been redesigned or significantly amended since then. There are not many discussions; you'll find some interesting ones on this page.

    The "accidental" is owed to the fact that not only can DLP easily be bypassed, but also that it can't fulfil a rather simple requirement: documents sent by email must be encrypted, but highly sensitive documents must not be sent. You can't combine the Encrypt file before file rule and content rules.

    "the log does not contain [the destination]": correct, hm, can't remember that I've missed it or that someone has requested it.

    "actual destination [...] should not be impossible": not without an add-on or plug-in. From the outside the scanner just sees an open/read. In the case of email it might be able to scan the email headers when a copy is stored in the Sent folder, but this is after the fact anyway. And with a browser you can't be sure that a file is opened because it is uploaded; it might as well just display the file, e.g. a PDF. Furthermore, several connections to various IPs: how could DLP tell where to?

    "Intercept X is just not the right product": I daresay that all endpoint-only DLP falls short in a similar way. "Tighter" solutions also employ gateway devices. I'm not Sophos and I don't speak for them; methinks DLP as it's here is here because it was already there. Can't say if there will be an integrated successor. Right now DLP is in three places: Intercept X, Email Security, and Firewall. AFAIK they don't team up.

    "in a regulated environment": what constitutes an acceptable measure depends on the sector and who does the audits. DLP together with Application Control might suffice for compliance, but it won't give you control over destinations.

    Christian
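
A worked model of the mechanism discussed in this thread, added here as an illustration; it is not Sophos code and was not posted by any participant. It follows Christian's description (the on-access hook identifies the requesting application and evaluates a rule only when that application is listed as a "destination") and shows the consequences the original poster raises: an application that no rule names (portable Opera, FileZilla) is never checked or logged, an allow-list closes that hole only by restricting which applications may open the file at all, a browser merely displaying a file trips the same rule as an upload, and the log never records the remote host because the hook never sees it. The process names, the `ACME-SECRET-nnnn` content marker, the sample document and the log format are constructed for the example.

```python
"""Toy model of endpoint DLP where a rule's "destination" is the opening application.

Constructed illustration, not Sophos code. Process names, the content pattern,
the sample document and the log line format are all assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    pattern: re.Pattern          # what counts as sensitive content
    destinations: frozenset      # application names, as the product calls them
    action: str                  # "block" or "confirm"


@dataclass
class DlpEngine:
    rules: list
    allow_list: Optional[frozenset] = None   # if set, unlisted apps are denied outright
    log: list = field(default_factory=list)

    def on_open(self, process: str, path: str, content: str,
                remote_host: Optional[str] = None) -> str:
        """Simulate the on-access read hook and return allow / deny / confirm.

        `remote_host` is where the user is really sending the file. It is
        accepted only to show that the decision and the log never use it:
        from outside the application the scanner just sees an open/read.
        """
        app = process.lower()
        if self.allow_list is not None and app not in self.allow_list:
            self._log("deny", app, path, "application not on allow list")
            return "deny"
        for rule in self.rules:
            if app in rule.destinations and rule.pattern.search(content):
                verdict = "deny" if rule.action == "block" else "confirm"
                self._log(verdict, app, path, rule.name)
                return verdict
        # No rule names this application as a destination: not checked, not logged.
        return "allow"

    def _log(self, verdict: str, app: str, path: str, reason: str) -> None:
        # The record carries the application, never the remote destination.
        self.log.append(f"{verdict} {app} {path} ({reason})")


# Constructed content marker standing in for a real content rule (e.g. a
# document classification tag). Not a Sophos rule.
SECRET_RE = re.compile(r"\bACME-SECRET-\d{4}\b")
RULES = [Rule("block tagged docs via mail/web", SECRET_RE,
              frozenset({"outlook.exe", "chrome.exe", "firefox.exe"}), "block")]
DOC = "Q3 plan, tagged ACME-SECRET-0042, internal only."   # constructed sample file


def demo():
    """Run the scenarios from the thread; returns (verdicts, default log, allow-list log)."""
    eng = DlpEngine(RULES)
    verdicts = {
        # Listed application, sensitive content: blocked and logged.
        "outlook": eng.on_open("OUTLOOK.EXE", "plan.docx", DOC, "mail.example.com"),
        # Portable browser / FTP client that no rule lists: passes untouched.
        "opera": eng.on_open("opera.exe", "plan.docx", DOC, "paste.example.net"),
        "filezilla": eng.on_open("filezilla.exe", "plan.docx", DOC, "ftp.example.net"),
        # Listed browser merely displaying the file: the hook cannot tell, so it blocks too.
        "chrome_view": eng.on_open("chrome.exe", "plan.docx", DOC, None),
    }
    # "Allow" mode: only named applications may open the file at all. It stops the
    # portable Opera bypass, but by restricting applications, not destinations.
    strict = DlpEngine(RULES, allow_list=frozenset({"outlook.exe", "chrome.exe"}))
    verdicts["opera_allowlist"] = strict.on_open("opera.exe", "plan.docx", DOC,
                                                 "paste.example.net")
    return verdicts, eng.log, strict.log


if __name__ == "__main__":
    results, log, strict_log = demo()
    for scenario, verdict in results.items():
        print(f"{scenario:16s} -> {verdict}")
    print("default-mode log:", *log, sep="\n  ")
    print("allow-list log:", *strict_log, sep="\n  ")
```

Nothing in `on_open` can use `remote_host`, which is the whole point: adding host or domain matching would require something inside the application (Christian's plug-in), or a gateway that sees the connection, not a change to the on-access rule set.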
