1 of 1 people found this helpful
Cloud storage is a little tricky. Depending on which method the end user is accessing storage you will need various different rules. If they are accessing via the web GUI then it would be a web post protection rule as you have outlined. If this is a desktop app we are discussing then it would be either a cloud protection rule (currently only Box, Dropbox, Google Drive, Syncplicity, OneDrive) or an application file access protection rule (AFAPR). Using the AFAPR is probably your best case scenario for this app though it is limited to monitor only - you would be able to generate incidents for these files being uploaded and collect evidence but not block the transfer.
Hhoang Thank you for taking your time and assisting.
To answer your question, the users are accessing via a Desktop app, I tested the application file access protection rule since cloud protection rule had no option for any Adobe products( this also includes v9.4 & v10).
And and I couldn't tweek it to only log uploads, it captured everything (Upload, download,copy,delete,move).
I tried the Network Protection Rule and I can see the uploads (e.g. Destination IP) only drawback is that it does not show you the host name of the destination,
And it also does not show you any information about the file that is being uploaded.
This was the mail trail when I spoke to the McAfee Specialist:
Adobe Acrobat Reader DC is a local application install and when clicking on the upload button we don't know what the application is doing with the file e.g. where and how it is saving it to.
Uploaded files are accessed via a web browser - https://cloud.acrobat.com
there are no local folder(s) the files are being saved to so, do not think they are being saved locally and then sync'd
I had another customer with the same application and issue - they were advised to
try NCPR and submit a new idea to support Adobe Acrobat Reader DC.
For the web uploads a web application rule should cover it, if we use the URL.
However for the actual Adobe Reader application we have not been able to successfully build a rule to monitor uploads.
- Is there no other protection rule we can build around this on DLP Ver. 9.3?
- Is this currently covered in any of the newer versions of DLP 9.4 or 10?
I cannot understand why such a widely used application by many businesses is not currently covered by DLP, surely this should be on a roadmap for future development.
Once that didn't produce the results I wanted I tried a Network Protection rule which does log uploads but does not give any file information.
The only rule I can think of is a Network Communication Protection Rule? Prof Services may be able to help?
No this is not covered in 9.4 and therefore I doubt 10 either.
I can't comment on how widely it is used, but you are only the 2 customer in regard to DLPe, that I am personally aware of.
The McAfee technician's information is accurate. The core functionality of the rules has not changed between 9.3/9.4/10 - i.e. NCPR / AFAPR rule limitations. You are going to get excessive hits on the AFAPR because it is only looking at when the file is being accessed by the process and not specifically what is being done with the file. NCPR's main limitation, aside from not collecting evidence, is that you have to specify a static host/IP range which can be problematic when talking about web servers (especially 3rd party ones).
Though you may get excess information with the AFAPR it is still technically only triggering on whatever classification you have specified - you could cut down on the hits by being more granular with the configuration but this is dependent on what your security needs are of course. Best case scenario, this sounds like a workaround where it will require more leg work on whoever will be managing DLP incidents in your environment. If your business needs require the use of Adobe cloud I would recommend getting in touch with your McAfee sales rep to arrange a discussion and/or get a statement from the product manager on support for this (I am assuming you have an active entitlement since you were working with a McAfee tech).
Alternatively, the ideas submitted in the following link also go to the PM: Intel Security Ideas Forum: Latest
Thank you hhoang for the input I think I will go for I will look at the AFAPR