My test lab manager has requested that I configure the lab network HDLP to monitor the insertion and use of all forms of removable media, as well as when users use sftp, ftp copy, etc. to copy/move files either to the local workstation from a test lab server, or from a local workstation to a test lab server.
My problem is Block/Monitor/Notify. I wrote a rule that uses a Device Rule to Monitor use of All Removable media, but nothing is being logged to the HDP monitor.
Has anyone done this?
Screenshots? Of what? Are you asking for screenshots of my workstation wallpaper?
The rules that I have written to Block access to USB drives that are NOT on the allowed usage list seem to work perfectly.
I asked for information on where I would start looking to write a rule that logs ALL access to any monitored system's CDROM or USB drives, as well as when specific applications are used. I don't have a rule; I don't truly know where to look to find the instructions to write such a rule.
Thank you for your assistance.
In the initial post you said "I wrote a rule that uses a Device Rule to Monitor use of All Removable media, but nothing is being logged to the HDP monitor." so I imagined you had found where to create this rule and I was asking for screenshots of this rule.
Are you using the NDLP+HDLP unified solution or just HDLP? Because if you're using NDLP+HDLP with unified management you'll lose the device control functionality.
A screenshot of your wallpaper won't help, but neither will sarcasm.
Maybe saying "I wrote a rule" was incorrect. I have since deleted it from ePO 4.5 and HDLP 9.0.1, because I know the rule, as written, would not work. The reason that it will not work is that there is no policy violation. HDLP seems to fire an event to the DLP Monitor when it "Blocks" access or function. I don't want it to block access, I want it to keep track of access, and monitor and keep track of a few applications (sftp, ftp, scp, tftp, etc.). Let me explain my quandary:
What the lab manager has asked for is the ability to monitor workstations and servers attached to a network. We want to record access to removable media (CD-ROM, USB, etc.) as well as record what the media was used for. Did they copy files from the CD-ROM to the hard drive, or did they copy files from the hard drive to an encrypted USB drive? In that way, we can monitor compliance with the policy that all software will come into the network from approved CM media sources. For those that violate the policy, we will have forensic evidence from the HDLP tool to back up any claim of violation.
In addition, the lab manager needs to know IF the users are moving files from the workstation to network servers, or from the network servers to the workstation (thus sftp, ftp, scp, tftp, etc. use reporting). This policy evolved from the requirement to follow the program PTR process for software changes, and the requirement that every piece of software installed/deinstalled from a server/workstation be documented in our configuration management.
Does that make a little more sense?
Unfortunately this tool is not a forensic one. The point of this tool is to prevent accidental/intended data loss by normal users. This is not particularly strong against knowledgeable IT users, but before they manage to take the data out... you'll probably have a couple of events.
You won't be able to monitor if they copy data from external sources to your hard drive, but you will be able to monitor when it leaves. You can create a location based tagging rule and activate it for removable media and CD/DVD. Then create protection rules that monitor which way the data that came in the machine that way went.
Again, you won't be able to know if they copy data from network servers to their machines in real time, but you will be able to monitor if they send data to a network share. If you do want to know what they copy to their machines from network servers, you can create a location based tagging rule for network share, activate it for any network share, and then create a discovery task for the tag assigned to the rule. You will find the files copied from the network, but you won't know exactly from where on the network.
You can use network communication to monitor network connected applications, but this works only with tagged files, or an application protection rule to monitor what applications they use on certain files. For the second one you can create a whitelist of applications and then whenever they try a different one... you'll get events.
There's no way of protecting your data 100%, but you can try to slow them down.