
Data Control Policy - security hole?

I have created a new data control policy where the destination is optical or removable storage, the action is allow transfer and log event, and it applies to any of the default files. The policy works to a degree; however, there are some interesting results.

I have two Excel docs. Now, if I open doc A and File > Save As to the removable media, nothing gets logged, nor do I receive a triggered email. On the client this doesn't even register that an event has taken place, and in the SEC console there is nothing.

If I drag & drop doc B to the removable storage, bingo: events are logged both on the client and in the SEC console, and I receive my triggered email.

I have sent Sophos all the information, diag logs and even the XML policy; however, still no joy.

  • Hello nerohero,

    from your description this is the expected behaviour. To make sure I've understood you correctly:

    destination is optical/removable

    action is Allow transfer and log event - neither ... on acceptance ... nor Block

    Before you read on please try the following:

    Change the action to one of the other two values and press OK. You should get a pop up. If you don't, close the policy editor, select Tools from the SEC menu bar and there Confirmation dialogs. Tick the bottom item (Request user authorization ...) and try again.

    A short explanation is given here, the complete text can be read in section 8.3 of the SEC 5.0 policy setup guide.

    Christian

  • Hey QC, thanks for your response.

    The rule is allow file transfer and log event for any file, which is why I'm confused.

  • Admittedly it is - but if you read carefully you'll see that it is working as designed and specified:

    Storing with an application is not intercepted. "File transfers" using Explorer are. Therefore only the latter get logged (and IIRC not necessarily each one - it's in one of the older threads). Actually DLP does not scan on write as this would be very complicated (and resource consuming).

    Christian

  • Hey Christian,

    So DLP ultimately is useless, as 50% (at a guess) save their documents from said menu to the removable media; this not getting logged leaves an enormous hole in one's security.

    I understand the complexities of it; however, it's very misleading. DLP, well, sort of :)

  • Just having something logged is not considered security in this context. DLP is designed to prevent data loss, not to state the fact in retrospect. Or do you intend that upon receiving the alert someone jumps up, speeds to the client and seizes the USB stick or whatever ;).

    It works if you turn on blocking (whether unconditionally or by acceptance). Admittedly monitor mode (log only) is not useful to assess the impact of turning on blocking in your case.

    Christian

  • Hi nerohero,

    As QC describes, the behaviour you are experiencing is as designed, as we only hook the Explorer process for monitoring writes to storage devices. This decision was made to minimize the impact on system stability, but I agree it would be preferable for the solution to log all writes to removable storage or optical media, no matter what the source, when in audit-only mode.

    When a request user authorization or block action is specified within a rule, then all writes to removable storage or optical media that don't originate from Explorer are blocked.

    I've raised a feature request to request a change to the solution for audit only mode.

    Best regards,

    John

    Product Manager
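Editor's note: the thread establishes that in audit-only mode the product hooks only the Explorer process, so application saves to removable media are neither logged nor blocked. The PowerShell below is an added example, written for this page and not code from the thread, from Sophos or from SEC. It uses a native Windows control to close the visibility gap: object-access auditing on NTFS removable volumes, which records every write as Security event 4663 together with the writing process, so a Save As from EXCEL.EXE and a copy from explorer.exe both become visible. The function names `Enable-RemovableWriteAudit` and `Get-RemovableWriteEvents` are the example's own; it assumes an elevated PowerShell session and that the "File System" audit subcategory has been turned on (for example with `auditpol /set /subcategory:"File System" /success:enable`). FAT and exFAT media carry no ACLs and cannot be audited this way, and optical media are not covered at all.

```powershell
# Added example (not from the thread or from Sophos): compensate for the audit-only
# gap with Windows object-access auditing on NTFS removable volumes.
# Assumes an elevated session and that the "File System" audit subcategory is enabled:
#   auditpol /set /subcategory:"File System" /success:enable

function Enable-RemovableWriteAudit {
    # DriveType 2 = removable disk in Win32_LogicalDisk; only NTFS volumes carry SACLs
    $volumes = Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 2 -and $_.FileSystem -eq 'NTFS' }

    foreach ($vol in $volumes) {
        $root = "$($vol.DeviceID)\"
        # Audit successful writes/appends/attribute changes by anyone,
        # inherited by every file and folder on the volume
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]::Success)
        $acl = Get-Acl -Path $root -Audit   # -Audit needs SeSecurityPrivilege (elevated)
        $acl.AddAuditRule($rule)
        Set-Acl -Path $root -AclObject $acl
        Write-Output "Write auditing enabled on $root"
    }
}

function Get-RemovableWriteEvents {
    param(
        [Parameter(Mandatory)] [string]$DriveLetter,   # e.g. 'E:'
        [int]$MaxEvents = 500
    )
    # 4663 = "An attempt was made to access an object". ObjectName is the file path,
    # ProcessName identifies the writer (EXCEL.EXE vs explorer.exe), which is exactly
    # the distinction the Explorer-only hook cannot show.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $obj  = ($data | Where-Object Name -eq 'ObjectName').'#text'
            if ($obj -like "$DriveLetter*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                    Process = ($data | Where-Object Name -eq 'ProcessName').'#text'
                    File    = $obj
                    Access  = ($data | Where-Object Name -eq 'AccessMask').'#text'
                }
            }
        }
}

# Usage (elevated): enable auditing on currently mounted NTFS removable volumes, then
# review who wrote what to E: and from which process.
Enable-RemovableWriteAudit
Get-RemovableWriteEvents -DriveLetter 'E:' | Format-Table -AutoSize
```

The SACL is stored on the volume itself, so it must be applied to each newly inserted stick (a removable-media arrival event is a natural trigger); the resulting 4663 events are the audit trail the thread's original poster expected from monitor mode, and grouping them by `Process` shows directly how much of the traffic bypasses an Explorer-only hook.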