
Using Sophos to find protected (customer) information.

I was thinking that an AV scanning engine would be a great tool for locating instances of data of interest on all of the PCs in an enterprise.  For example, financial institutions need to be able to identify where in the enterprise its customer data is being stored.  It would be nice if we could have a text file containing "regular expressions", one per line, to describe things like credit card numbers, social security numbers, and the like, that the scanning engine would include when doing its regularly scheduled full volume scans and report on through the enterprise console and/or scanning logs.  Would that be possible?

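The regex-list scan the post asks for, as an added example (Python, not Sophos code or anything the poster wrote): patterns are read one per line from a constructed pattern-file text, a Luhn check drops digit runs that merely look like card numbers, and hits are reported masked so the report itself does not become another copy of the data. The "name: regex" layout, the sample document and every value in it are constructed assumptions of this example.

```python
import re

# Constructed "one regex per line" pattern file; the "name: regex" layout is this example's own.
PATTERN_FILE = r"""
# name: regex
credit_card: \b(?:\d[ -]?){12,18}\d\b
ssn: \b\d{3}-\d{2}-\d{4}\b
"""

def load_patterns(text):
    """Parse 'name: regex' lines, skipping blanks and # comments."""
    patterns = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, _, regex = line.partition(":")  # first colon separates name from regex
            patterns[name.strip()] = re.compile(regex.strip())
    return patterns

def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Per-pattern validators that cut false positives such as invoice or order numbers.
VALIDATORS = {"credit_card": lambda v: luhn_ok(re.sub(r"\D", "", v))}

def mask(value):
    """Keep only the last four characters so the scan report does not itself leak the data."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text, patterns):
    """Return (line_no, pattern_name, masked_match) for each validated hit in one file's text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in patterns.items():
            for m in rx.finditer(line):
                check = VALIDATORS.get(name)
                if check is None or check(m.group(0)):
                    hits.append((line_no, name, mask(m.group(0))))
    return hits

# Constructed sample document; none of these values are real.
SAMPLE = """\
Customer: Jane Doe, SSN 123-45-6789
Card on file: 4111 1111 1111 1111
Invoice no. 1234 5678 9012 3456 (fails Luhn, so not reported)
"""
```

A scheduled volume scan would feed each file's extracted text through scan_text; the validator and masking steps are what keep the resulting report small enough to act on and safe to store.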


  • Hi,

    Well, DataControl does pretty much all of that; however, it's not something that can be scheduled to run in the same way as an AV scan to find the documents.  It can be configured to find the documents that match your expressions should they be:


    1. Opened by Firefox, IE, Outlook, Lotus Notes, Windows Mail, Webex, Microsoft communicator, Adobe Flash file uploader.

    2. Copied to Removable storage, optical or floppy disk.

    The number of "applications" sometimes gets updated, Webex and Adobe Flash file uploader were not in the original release so it can be updated.

    I'm trying to think of the potential performance hit of a scheduled scan, scanning potentially (depending on the rules) the contents of thousands of documents with regex.  It would be pretty slow, I fear.  Doing it in real time before being opened by an application is potentially bad enough, but usually it's only one file at a time and the nature of the actions does not typically need to be that quick.

    I would suggest contacting Support with a feature request to maybe configure a data control scheduled scan, it can't hurt :)

    Thanks,

    Jak

  • Hi,

    We are looking at implementing what the DLP market calls "data at rest" scanning on the endpoint. One element will be a separate tool which enables you to offload file scanning to a separate workstation or server, but our intention is to also provide integrated scanning from within the endpoint agent. We'll probably use technology similar to that in ESC 9.7 to reduce the scanning impact on end users. I'd welcome any feedback / requirements on either approach.

    Best regards,

    John Stringer (product manager)

  • Hi John,

    It's great that you're looking at this - do you have a plan/schedule for testing/release?  It's a problem that every organization working with "protected information" has to deal with - how do you know where this information is stored and how do you prove it to auditors?

    And once you know where it is, you'll want to answer questions like:

    - is there a "need to know", i.e., does the role of the employee justify them having access to this information?  If the "data at rest" scan could be customized to the role of the user(s) of that workstation, it would make the scan results more relevant.

    If there were multiple users of the workstation, I suppose you'd want to set it to the role with the least "need to know".

    - should this data be moved to a more appropriate storage area (e.g., from someone's desktop to a server), or marked for destruction?  Again, if the scan can be customized to the type of resource being scanned, it would make the scan results more relevant.

    It's not obvious to me how the separate file scanning workstation/server approach would work.  I would think most SMB folks are still using 100 Mbit LANs (like us), and I'd immediately be worried about clogging the network trying to push the data from all the workstations through to get scanned.

    Intuitively, the endpoint scan makes sense.  We do a nightly full disk AV scan anyway, so combining that with a "data at rest" scan seems efficient.  Extending the paradigm, the ability to do "on-access scanning" for protected data would be desirable, as would having pre-defined categories of protected information customized to regulatory requirements, like HIPAA, GLBA, PCI, SOX, etc.

    Having the capability added to the ESC agent would be great - one less source of compatibility issues to worry about.  We already have two agents running on every endpoint, Sophos and KACE, and I don't want to add another.

    Finally, it would be good to have something look at things from a "file level" view, rather than a "text in a file" view.  I've seen a feature in other products where you define a network share or other folder resource as a reference, and store all your critical files there.  The product then looks for signatures in "data at rest" and "data in motion" that match any file in the reference and alerts/blocks when it gets a hit.

    Owen
