3 Replies. Latest reply on Nov 30, 2016 11:11 AM by hhoang

    Manual encryption of findings, and other questions regarding DLP.


      We're running DLP Endpoint and Discover 10 on EPO 5.3.1. We don't want to rely on DLP automatic rules to encrypt files, as there are too many false positives (we're specifically scanning for SSNs with the built-in regex). Is there a way for us to designate what files should be encrypted when reviewing the results of scans from the Incident Manager? If so, from where do we manage encrypted files?


      Managing scan results: If we work through changing the properties of the information already gathered, do we have to worry about the same files being picked up and reported in the future (assuming the files remain unchanged)? Actually, the best option would be if there is a field for "Last seen" -- to determine whether a user has rectified the issue from our end.


      Email and report generation: I did a few tests with "email selected events". Is there any way to configure EPO so that it combines the events into a single CSV report, rather than an individual email for each event?



        • 1. Re: Manual encryption of findings, and other questions regarding DLP.

          Regarding your encryption question:


          1)  It sounds like the root of your problem is that you are getting false positives.  Ideally, the best solution would be to implement a new regular expression that better suits your needs.  The built-in expression is included for convenience but as you can tell it is lenient with its configuration to allow for testing scenarios. 


          2)  File encryption (in relation to DLP Discover) is a reaction to the discovery of the file (i.e. the scan), so there is not necessarily a way to "manually encrypt files".  DLP leverages EEFF/FRP for the file encryption, so you could manually encrypt the files using that product.  DLP is reactionary - i.e. it will only encrypt files after we have scanned them and they have already been moved to that location.  You could take the proactive approach and just set a location-based folder encryption policy with EEFF/FRP to encrypt documents if you have a reserved file share that your users are saving sensitive content to.



          Regarding managing scan results:


          The scans will only look for the delta (i.e. what has changed).  Unless the modified time on the file has changed since the last scan it will skip files and should not generate duplicate incidents.



          Regarding automatic emails:


          It sounds like your configuration is too general.  The limitation is that the events cannot be aggregated (i.e. it cannot "collect X amount of events before sending an email"), as the general idea is that as an administrator you should not need to be immediately notified unless it is a serious breach or something that requires immediate attention.  If you are essentially looking for a "rollup report" of incidents that have occurred over X amount of days to be emailed, then you may want to look into the default queries for DLP.


          Menu > Queries and reports > new query > select 'Others' from the left pane > and there are various DLP Data at Rest/Data in motion queries that report what incidents you have received.  You can then set a filter for the timeframe you wish to have reported and set an EPO server task to run this query with a sub-action to email the generated report and schedule this task to run at whatever interval you want to receive this email.



          Hope this helps.
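The false-positive point in reply 1 (a lenient built-in SSN expression versus one tuned to your data) can be seen concretely with the following added example. It is not code from the thread or from the DLP product: the "lenient" pattern is a constructed stand-in for a generic three-two-four-digit matcher, the sample text is constructed, and the stricter pattern applies the publicly documented SSA structure rules (area not 000, 666 or 900-999; group not 00; serial not 0000) plus a deny list of numbers the SSA has stated were never issued or are reserved for advertising.

```python
import re

# Constructed stand-in for a lenient "3-2-4 digits, separators optional" matcher.
# This style of pattern fires on order numbers, badge ids and bare digit runs.
LENIENT_SSN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

# Stricter matcher: dashes required and the SSA structural rules enforced in-pattern.
STRICT_SSN = re.compile(
    r"""
    (?<![\w-])                 # not glued to a longer token (e.g. 9123-45-6789)
    (?!000|666|9\d\d)(\d{3})   # area number: never 000, 666 or 900-999
    -(?!00)(\d{2})             # group number: never 00
    -(?!0000)(\d{4})           # serial number: never 0000
    (?![\w-])
    """,
    re.VERBOSE,
)

# Numbers the SSA documents as never issued (the 078-05-1120 wallet-insert number)
# or reserved for advertising (987-65-4320 through 987-65-4329). A hit on one of
# these is sample or training data, not a real person's identifier.
NEVER_ISSUED = {"078-05-1120"} | {f"987-65-43{n:02d}" for n in range(20, 30)}


def lenient_matches(text):
    """Every substring the lenient pattern would report as an SSN."""
    return LENIENT_SSN.findall(text)


def strict_matches(text):
    """Structural regex plus the never-issued deny list."""
    hits = []
    for m in STRICT_SSN.finditer(text):
        candidate = "-".join(m.groups())
        if candidate not in NEVER_ISSUED:
            hits.append(candidate)
    return hits


# Constructed sample file content: one genuine-looking SSN surrounded by the kinds
# of tokens that typically trigger false positives.
SAMPLE = """\
SSN on file: 123-45-6789
Doc number: 987-65-4321
Badge: 000-12-3456
Account: 123456789
Training sample: 078-05-1120
Phone: 123-456-7890
"""

if __name__ == "__main__":
    print("lenient:", lenient_matches(SAMPLE))  # five hits, four of them noise
    print("strict: ", strict_matches(SAMPLE))   # only 123-45-6789
```

Running both matchers over the same text shows the lenient pattern reporting five candidates while the strict one reports one; in a Discover scan each spurious candidate becomes an incident, so tightening the expression (rather than the reaction rule) is what removes the noise at the source.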

          • 2. Re: Manual encryption of findings, and other questions regarding DLP.



            Is there a way for us to verify the deletion of a file from the interface, once we have asked the end-user to take appropriate action?

            • 3. Re: Manual encryption of findings, and other questions regarding DLP.

              No, that would require the product to have a real-time monitor of the file / repository.  Assuming an incident was created and it was assigned to someone within your security team, then it would be up to them to track and mark the case resolved/remediated once the file was deleted.
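Replies 1 and 3 together describe how a delta-based discovery scan behaves: unchanged files (same modification time) are skipped and do not raise duplicate incidents, and a file that has since been deleted is not verified by the product, so its fate has to be tracked as part of the incident. The following added example, which is not the product's logic or anyone's code from the thread, models that bookkeeping in a small scheduled-scan loop: it records a hypothetical `mtime`/`last_seen` entry per file (the "last seen" field the original question asks for), re-reads only files whose mtime changed, and reports files that have disappeared since the previous pass. The SSN pattern and the sample files are constructed.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed detector: dashed SSN with the SSA structure rules (area not 000/666/9xx,
# group not 00, serial not 0000).
SSN = re.compile(r"(?<![\w-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\w-])")


def scan(root, state):
    """One discovery pass over `root`.

    `state` is hypothetical scanner bookkeeping: path -> {"mtime", "last_seen",
    "matches", "status"}. Returns {"incidents": [...], "deleted": [...]} where
    `incidents` are paths that were (re)scanned this pass and contained matches,
    and `deleted` are tracked paths that were present last pass but are gone now.
    """
    now = datetime.now(timezone.utc).isoformat()
    seen = set()
    incidents = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            seen.add(path)
            mtime = os.stat(path).st_mtime
            entry = state.get(path)
            if entry and entry["mtime"] == mtime:
                # Delta behaviour: unchanged file, refresh last_seen, no re-scan,
                # and therefore no duplicate incident.
                entry["last_seen"] = now
                entry["status"] = "present"
                continue
            with open(path, encoding="utf-8", errors="replace") as f:
                matches = len(SSN.findall(f.read()))
            state[path] = {"mtime": mtime, "last_seen": now,
                           "matches": matches, "status": "present"}
            if matches:
                incidents.append(path)
    # Anything tracked but not encountered on this pass has been removed since
    # its last_seen timestamp; flag it once so the incident owner can close the case.
    deleted = []
    for path, entry in state.items():
        if path not in seen and entry["status"] != "deleted":
            entry["status"] = "deleted"
            deleted.append(path)
    return {"incidents": incidents, "deleted": deleted}


def demo():
    """Three passes: initial find, unchanged re-scan, then the user deletes the file."""
    with tempfile.TemporaryDirectory() as root:
        hit = os.path.join(root, "payroll.txt")
        clean = os.path.join(root, "notes.txt")
        with open(hit, "w", encoding="utf-8") as f:
            f.write("employee 123-45-6789\n")        # constructed sample SSN
        with open(clean, "w", encoding="utf-8") as f:
            f.write("nothing sensitive here\n")
        state = {}
        first = scan(root, state)    # incident raised for payroll.txt
        second = scan(root, state)   # same mtime: skipped, no duplicate incident
        os.remove(hit)               # end user remediates by deleting the file
        third = scan(root, state)    # payroll.txt reported as deleted
        base = os.path.basename
        return {
            "first_incidents": [base(p) for p in first["incidents"]],
            "second_incidents": [base(p) for p in second["incidents"]],
            "deleted_after_third": [base(p) for p in third["deleted"]],
            "payroll_status": state[hit]["status"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `last_seen` value survives after the file is gone, which is exactly the evidence an incident owner needs when marking a case remediated: the file was last observed at that time and was absent on the following scheduled pass.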