Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 0 subscribers
  • Views 19864 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Data Control Policy - security hole?

nerohero

I have created a new data control policy where destination is optical or removal storage, allow transfer and log event and for any of the default files. The policy works to a degree however there are some interesting results.

I have two excel doc's, now if I open doc A and file save as to the removable media nothing gets logged nor do I receive a triggered email? on the client this doesn't even register that an event had taken place? and in the sec console nothing?

If I drag & drop doc B to the removable storage bingo, events are logged both on the client and sec console and I receive my triggered email.

I have sent Sophos all the information, diag logs and even the XML policy however  still no joy?

:23167


This thread was automatically locked due to age.
Parents
  • 0

    Just having something logged is not considered security in this context. DLP is designed to prevent data loss, no to state the fact in retrospect. Or do you intend that upon receiving the alert someone jumps up, speeds to the client and seizes the USB stick or whatever :smileywink:. 

    It works if you turn on blocking (whether unconditionally or by acceptance). Admittedly monitor mode (log only) is not useful to assess the impact of turning on blocking in your case.

    Christian

    :23195
Reply
  • 0

    Just having something logged is not considered security in this context. DLP is designed to prevent data loss, no to state the fact in retrospect. Or do you intend that upon receiving the alert someone jumps up, speeds to the client and seizes the USB stick or whatever :smileywink:. 

    It works if you turn on blocking (whether unconditionally or by acceptance). Admittedly monitor mode (log only) is not useful to assess the impact of turning on blocking in your case.

    Christian

    :23195
Children
No Data
Unfiltered HTML