2 Replies Latest reply on Jan 17, 2017 2:09 PM by nicholas.klebs

    DLP 10 Evidence share on multiple sites

    miguel.galvez@ssperu.com

      Hello,

       

      We are deploying DLP Endpoint 10, we have 2 sites connected through a VPN connection. We have ePO on the main site and an agent handler on remote.

       

What's the best approach for the evidence share?

       

      Can I have one share per site to avoid VPN traffic?

       

      Thank you in advance

       

      MG

        • 1. Re: DLP 10 Evidence share on multiple sites
          hhoang

          You can only specify one evidence storage path based on policy configuration.  You can specify a different reaction based on corporate connectivity - i.e. if the system is on VPN it will not store evidence.  Not storing evidence may or may not be a viable option for your environment.  A better solution may be to set up a firewall rule to block file transfers from systems connecting via a VPN IP (assuming that systems connecting to your VPN will be assigned an easily identifiable IP).

          • 2. Re: DLP 10 Evidence share on multiple sites
            nicholas.klebs

            How big is the pipe between the sites?

            I have yet to get a complaint about remote sites or VPN endpoints having issues because of collecting and storing DLP Evidence to a single central server location - I have 2k+ sites with 256kbps and 512kbps connections.  If bandwidth is a concern - My suggestion is to be very purposeful on what DLP Rules you configure to collect evidence. 

             

Even if you decide to manage and maintain an environment where Site 1 stores evidence on Server 1, and Site 2 stores evidence on Server 2; when evidence is accessed through ePO at Site 1 that is stored on Server 2 in Site 2 - accessing the evidence to review will cause the file to be transferred over that link anyway.

             

            I believe there is a file size cutoff to what gets transferred (50MB) - I believe the setting is configurable.

             

            While you are at it - quick tip on maintaining the evidence share.

            When you delete a DLP Event from the DLP Incident Manager, the evidence is not deleted on the evidence share.

What we are planning on doing is to update the Evidence Share setting in the DLP Policy quarterly or yearly to modify the location, so after X months we can go back and delete a folder wholesale after its retention schedule has passed.

             

            Yearly - it would look like this:

            \\EvidenceShare\DLP\2016     (Example retention is 6 mos. - delete this folder Q3 2017)

            \\EvidenceShare\DLP\2017     (Example retention is 6 mos. - delete this folder Q3 2018)

            \\EvidenceShare\DLP\2018     (Example retention is 6 mos. - delete this folder Q3 2019)

             

Quarterly - it would look like this:

            \\EvidenceShare\DLP\2017\Q1     (Example retention is 6 mos. - delete this folder Q4 2017)

            \\EvidenceShare\DLP\2017\Q2     (Example retention is 6 mos. - delete this folder Q1 2018)

            \\EvidenceShare\DLP\2017\Q3     (Example retention is 6 mos. - delete this folder Q2 2018)

            \\EvidenceShare\DLP\2017\Q4     (Example retention is 6 mos. - delete this folder Q3 2018)

            \\EvidenceShare\DLP\2018\Q1     (Example retention is 6 mos. - delete this folder Q4 2018)

            \\EvidenceShare\DLP\2018\Q2     (Example retention is 6 mos. - delete this folder Q1 2019)

            \\EvidenceShare\DLP\2018\Q3     (Example retention is 6 mos. - delete this folder Q2 2019)

            \\EvidenceShare\DLP\2018\Q4     (Example retention is 6 mos. - delete this folder Q3 2019)
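A PowerShell helper for the rotation scheme laid out above, added here as an example (it is not code from the thread, from ePO or from McAfee DLP). It assumes the folder layout shown (`<root>\YYYY` for yearly rotation, `<root>\YYYY\Qn` for quarterly) and computes each folder's deletion date from the last day of its period plus the retention period, which reproduces the "delete this folder" quarters in the lists above.

```powershell
# Added example: report which DLP evidence folders are past retention.
# Folder names follow the thread's scheme: \\EvidenceShare\DLP\2016 (yearly)
# or \\EvidenceShare\DLP\2017\Q2 (quarterly). A folder stops receiving evidence
# on the last day of its period; retention is counted from that day.
function Get-EvidenceFolderRetention {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ShareRoot,   # e.g. \\EvidenceShare\DLP
        [int] $RetentionMonths = 6,                   # the "6 mos." example retention
        [datetime] $AsOf = (Get-Date)                 # evaluate expiry as of this date
    )
    foreach ($yearDir in Get-ChildItem -Path $ShareRoot -Directory | Where-Object Name -match '^\d{4}$') {
        $year = [int]$yearDir.Name
        $quarterDirs = Get-ChildItem -Path $yearDir.FullName -Directory | Where-Object Name -match '^Q[1-4]$'
        if ($quarterDirs) {
            # Quarterly layout: period ends on the last day of the quarter
            $periods = foreach ($qDir in $quarterDirs) {
                $q = [int]$qDir.Name.Substring(1)
                [pscustomobject]@{
                    Path      = $qDir.FullName
                    PeriodEnd = [datetime]::new($year, ($q - 1) * 3 + 1, 1).AddMonths(3).AddDays(-1)
                }
            }
        } else {
            # Yearly layout: period ends on 31 December
            $periods = [pscustomobject]@{ Path = $yearDir.FullName; PeriodEnd = [datetime]::new($year, 12, 31) }
        }
        foreach ($p in $periods) {
            $deleteAfter = $p.PeriodEnd.AddMonths($RetentionMonths)   # last day still inside retention
            $firstOk     = $deleteAfter.AddDays(1)                    # first day the folder may go
            [pscustomobject]@{
                Path            = $p.Path
                PeriodEnd       = $p.PeriodEnd.ToString('yyyy-MM-dd')
                DeleteAfter     = $deleteAfter.ToString('yyyy-MM-dd')
                DeleteInQuarter = 'Q{0} {1}' -f [math]::Ceiling($firstOk.Month / 3), $firstOk.Year
                Expired         = $AsOf -gt $deleteAfter
            }
        }
    }
}

# Review the schedule first; 2016 -> Q3 2017, 2017\Q1 -> Q4 2017, 2017\Q4 -> Q3 2018
Get-EvidenceFolderRetention -ShareRoot '\\EvidenceShare\DLP' -RetentionMonths 6 | Format-Table

# Remove only folders past retention; drop -WhatIf once the report matches the schedule
Get-EvidenceFolderRetention -ShareRoot '\\EvidenceShare\DLP' |
    Where-Object Expired |
    ForEach-Object { Remove-Item -Path $_.Path -Recurse -WhatIf }
```

Because ePO fetches evidence from the share when an incident is reviewed, any incident still in the Incident Manager that points into a deleted folder loses its evidence, so keep `-WhatIf` until the report agrees with the retention schedule.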