Data Loss Protection - What are we doing wrong here?

Hi

In an attempt to deploy some Data Loss Protection rules we are having an issue.

 

Situation

We created 6 Content Rules for the Belgium region to block content.

Accordingly, 6 Word documents were created with content to test the rules.

Policies were enforced and assigned to a test user.

1. IBAN nrs
2. Bank Routing Nrs
3. Combination of PII
4. Contact details
5. Credit or Debit card nrs
6. PINs

Additionally, 1 File rule for the Europe region was created to block all file transfers.

 

Issue

We would expect the rules to be executed from top to bottom as indicated in Sophos Central.

However, during our tests it seems only the first rule (on top) is checked. All the rest is not processed anymore:

E.g.: The content rule for IBAN nrs is on top >> Only the word file containing IBAN nrs is blocked. All the rest is allowed without any message from Sophos.

However, when we put the content rule for Bank Routing nrs on top >> Only the word file containing BIC nrs is blocked and again all the rest is allowed.

 

Please see the screenshot giving some elucidation on the setup:

 

 

Question

How can we have each separate document tested against each of the rules and not only the top rule?

It looks like DLP stops processing rules after the top one.



  • Hi  

    You have created a number of different DLP policies instead of creating different rules in the same policy.

    As per your configuration, it is working as expected.

    When you assign all the policies to one single user, the top policy will be effective for that user, not the other policies.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Dear Jasmin

    I understand what you are saying, but this seems very counter-intuitive.

    This would mean we cannot set different block warning messages depending on the content.

    We would like to reach a situation where end users clearly see which rule they are trespassing (e.g. IBAN, BIC, or PINs).

     

    If rules are applied top to bottom as suggested in the GUI, our expectations would be:

    Rule 1: Was the rule of providing IBAN nrs trespassed?
    YES? >> Block
    NO? >> Next rule >> 2. Was the rule of providing a BIC nr trespassed?
    etc...

     

    Is there any way to achieve this goal?

    Kind regards

  • Hi  

    As Jasmin suggested, different policies are being created here, and hence the top policy will be applied for a single user. If you need to block them individually then you need to set up one rule each. Each rule applied in a policy acts as an OR statement, while conditions follow AND logic in Central's DLP policy. You will need to create a single policy in which you can create multiple rules as per your requirement with the conditions applied. Please check this link for more information on how to create rules in a Data loss prevention policy.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Dear Shweta

    It seems you are repeating the statement of Jasmin so this does not assist in my latest question.

    So my guess is that this eliminates the possibility to have separate block messages depending on which rule exactly is trespassed?

  • Hi  

    Shweta has correctly described how you can create the rules for DLP.

    Even if you have analyzed my answer to the question, I mentioned that you have created different policies for different rules instead of creating a single policy and listing the rules in that policy.

    Shweta has provided you with the document which describes how you can create the policy and define the rules in that policy.

    In the GUI, they mention policies, not rules. Please refer to this screenshot.

    Please refer to the screenshot below, which illustrates how you can configure the policy. It shows the settings of the base policy where I have added multiple rules.

    You can assign only one policy to the machine but that policy can have multiple rules.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Dear

    We have merged all content rules into 1 policy:

    1. Contact details
    2. Credit or Debit card nrs
    3. IBAN nrs
    4. PI nrs
    5. BIC nrs
    6. Combination of PII
    7. Confidential Document markers

    We created a file rule in a 2nd policy below the above content rule.

    This blocks all types of files being sent or transferred.

    Unfortunately functionality is still not as desired:

    - When testing with documents, only IBAN and BIC nrs are blocked. More than half of the rules are not responsive.

    - Only the top policy is applied. Every other policy that comes 2nd is just not applied anymore.

     

    So

    1. CONTENT policy
    2. FILE policy

    >> Only content policy is executed

     

    and

    1. FILE policy
    2. CONTENT policy

    >> Only file policy is executed

     

  • Hello TCI,

    to clarify:
    Only one policy of a certain type (AV, DLP, Web Control, and so on) applies to a certain computer/user combination, the topmost that matches the device or user.
    Consequently, as you have observed, only the "upper" of your policies matches.

    It has already been said that the rules within a policy are ORed. Thus you'd have to put the rules for BE and EU into one policy. If more than one rule matches the most stringent action (block→prompt→allow) is applied. If in addition you want to block certain files (by type or name) regardless of their content these rules have to go into this policy as well.

    Christian 

    That sure is a big turn down.

    I mean, that statement of rules being applied top to bottom is, from my understanding, just incorrect.

    As soon as a top policy is matched, no others are processed?

    Imagine having 2 policies assigned to a user:

    1. One with a Content rule (e.g.: blocking IBAN nrs)
    2. One with a File rule (e.g. plain text files blocked to mail)

    A user uploads a .txt file to Outlook.

    The result is data loss, as Sophos only applies the content rule, which states that the sending of the file is OK?

    I do understand your reply, but this is what we are seeing during our tests, and if you're saying this is as designed by Sophos we really need to investigate other options.

  • Hi  

    Policy and rules are two different things in Sophos Central Endpoint/DLP.

    Please don't compare the policies with the ACL rules of the firewall or router.

    You can achieve your goal by creating another rule in the same policy. Once all the content rules are covered, you can add another rule for file extension.

    I hope this will clear your thoughts.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hi Jasmin

     

    Yes, I think it has.

    So basically we can achieve our goals as follows?

    4 groups containing users:

    - BE (Belgium)
    - FR (France)
    - DE (Germany)
    - UK (United Kingdom)

    Policy 1:
    - All content rules for region BE
    - The EU File rule
    >> Assign this to the BE-group

    Policy 2:
    - All content rules for region FR
    - The EU File rule
    >> Assign this to the FR-group

    Policy 3:
    - All content rules for region Germany
    - The EU File rule
    >> Assign this to the DE-group

    Policy 4:
    - All content rules for region UK
    - The EU File rule
    >> Assign this to the UK-group

  • Hi  

    Yes, exactly, you got my point, and the above configuration is perfect for your goal of setting up DLP. :-)

    Please let us know if you have any further issue or query regarding this.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


    We adjusted the setup of the DLP policies for one region as indicated above.

    Unfortunately functionality is still way below what we expect here.

    We created 5 test files (e.g. one for IBAN, one for BIC, etc.)

    But we see some odd things during our tests:

    - Drag and dropping to Outlook 2016 does not trigger anything.

    - Right-click on a file on the file server > Send to mail recipient -> Does not trigger anything.

    - When transferring a file via Teams, a massive flood of warning messages is triggered, one for EACH file in the default folder.

    - Half of the required rules don't trigger anything. IBAN and BIC nrs are by far the only ones that are functional. Everything else doesn't trigger anything.

    Maybe I am still doing something wrong here, but data loss protection is only as strong as its weakest link, and currently I would not consider the current situation worthy of the name protection.

  • Hello TCI.

    Please see the Known limitations with data control.
    Teams might for whatever reason access all the files. Keep in mind that DLP is a byproduct of AV scanning; it reacts on opens and not on what an application actually does subsequently.

    "Everything else doesn't trigger anything"
    Dunno if you can see/edit a rule's details in Central; looking for example at the PII rule, it says (emphasis mine): Identify files containing ten or more items of personally identifiable information from the following list: national identification or insurance number, credit or debit card number, address, telephone number, email address. Or at the Credit and debit card numbers: Identify files containing ten or more credit or debit card numbers with qualifying phrase (don't ask me what this is exactly).
    This might explain why the rules don't trigger as you expect.

    Christian
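
Christian's two explanations above describe the evaluation model behind the behaviour reported in this thread: only the topmost DLP policy assigned to a user is ever consulted, the rules inside that one policy are all checked (ORed) with the most stringent action (block over prompt over allow) winning, and a content rule only fires once a minimum number of items ("ten or more") is found in the file. The Python simulation below is an added example written for this page, not code from the thread or from Sophos. The Rule and Policy classes, the action precedence table, the regexes and the sample document are constructed to illustrate the model; they are not Sophos' actual implementation or rule definitions.

```python
import re
from dataclasses import dataclass

# Action precedence as described in the thread: block wins over prompt,
# prompt wins over allow. Hypothetical table for this example.
ACTION_RANK = {"allow": 0, "prompt": 1, "block": 2}


@dataclass
class Rule:
    """One DLP rule (constructed model, not Sophos' data structure).

    A content rule fires when `pattern` is found at least `min_matches`
    times in the document text (the 'ten or more items' wording).
    A file rule ignores the text and fires on the file extension instead.
    """
    name: str
    action: str
    pattern: str = ""          # regex applied to the document body
    min_matches: int = 1       # threshold of hits before the rule fires
    extensions: tuple = ()     # e.g. (".txt",) turns this into a file rule

    def matches(self, filename, text):
        if self.extensions:
            return filename.lower().endswith(self.extensions)
        return len(re.findall(self.pattern, text)) >= self.min_matches


@dataclass
class Policy:
    name: str
    targets: frozenset         # users or groups the policy is assigned to
    rules: list                # every rule is evaluated (OR), none short-circuits


def select_policy(policies, user):
    """Only one DLP policy applies per user: the topmost one that targets them.
    `policies` is in the order shown in the console; later matches are ignored."""
    for policy in policies:
        if user in policy.targets:
            return policy
    return None


def evaluate(policies, user, filename, text):
    """Return (policy name, names of matching rules, resulting action)."""
    policy = select_policy(policies, user)
    if policy is None:
        return None, [], "allow"
    matched = [r for r in policy.rules if r.matches(filename, text)]
    # Most stringent action among the matching rules decides the outcome.
    action = max((r.action for r in matched),
                 key=ACTION_RANK.__getitem__, default="allow")
    return policy.name, [r.name for r in matched], action


# Constructed patterns for the demo; the sample values below are dummy data.
IBAN_BE = r"\bBE\d{2}(?: ?\d{4}){3}\b"          # Belgian-style IBAN layout
CARD = r"\b(?:\d{4}[ -]){3}\d{4}\b"             # 16 digits in groups of four


def demo():
    iban_rule = Rule("IBAN nrs", "block", pattern=IBAN_BE, min_matches=1)
    card_rule_strict = Rule("Card nrs (10+)", "block", pattern=CARD, min_matches=10)
    card_rule_loose = Rule("Card nrs (1+)", "prompt", pattern=CARD, min_matches=1)
    txt_rule = Rule("Plain text files", "block", extensions=(".txt",))

    # Constructed test document: one IBAN-shaped and one card-shaped number.
    doc = "Pay to BE00 0000 0000 0000, card 0000 0000 0000 0000 expires soon."

    # 1. CONTENT and FILE as two separate policies assigned to the same user:
    #    only the top policy is consulted, so the .txt file rule never runs and
    #    the strict card rule stays silent because 1 hit < 10.
    separate = [Policy("CONTENT", frozenset({"alice"}), [iban_rule, card_rule_strict]),
                Policy("FILE", frozenset({"alice"}), [txt_rule])]
    r1 = evaluate(separate, "alice", "notes.txt", doc)

    # 2. Same rules merged into one policy: the file rule now fires as well.
    merged = [Policy("BE", frozenset({"alice"}), [iban_rule, card_rule_strict, txt_rule])]
    r2 = evaluate(merged, "alice", "notes.txt", doc)

    # 3. Threshold lowered to one: the card rule matches (prompt), but the
    #    file rule's block is more stringent and wins.
    lowered = [Policy("BE", frozenset({"alice"}), [card_rule_loose, txt_rule])]
    r3 = evaluate(lowered, "alice", "notes.txt", doc)
    return r1, r2, r3


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it reproduces the two behaviours reported above: with CONTENT and FILE as separate policies the .txt file passes because the FILE policy is never reached, and a card-number rule with a threshold of ten stays silent on a single number until the threshold is lowered, at which point the strictest matching action still decides the outcome.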

  • Hi Christian,

    When purchasing this endpoint software we were not aware of known limitations with data control.

    And IMHO, as a paying customer, we shouldn't have to be aware of that either.

    I know we are drifting off, but the last time I had such high expectations and such disappointing results from software was when I could not find the start button in my first Windows 8 installation.

    Your remark on the phrasing of rule details like "x or more" or "with qualifying phrase" is valid.

    It's unclear to me how this has to be interpreted exactly, so we just lowered all settings to one, without being really certain how this impacts the execution exactly.

  • Hello TCI,

    "my first Windows 8 installation"
    Skipped that one - apparently a good idea.

    Client-side DLP (by whatever vendor) is either limited or requires integration with or hooking all applications that could transfer the data. A full-fledged solution normally requires additional configuration at the OS level and in addition scanning on the gateways. I had the opportunity to take part in the DLP "preview" (would now be called EAP) and we discussed these aspects. The conclusion was that DLP is aimed at preventing inadvertent leakage of certain documents. Blocking a, say, single credit card number is impossible without context and a strict workflow - think about it. Just 16 digits, well, not completely arbitrary due to the vendor/country prefix but nevertheless prone to false positives.
    Sophos' DLP protects from massive outright blunders, it can't prevent singular "glitches" and definitely it can't stop someone with criminal intent. It can help to raise awareness.

    I agree that marketing exaggerates the "power" of DLP. Mind you, I don't insinuate it is defective or useless. But it is not the magic wand it might be depicted as.

    Question is, what your requirements and goals are and what you can and want to restrict. As long as users are able to run arbitrary "portable clients" or access online storage sites you can't really prevent leakage.

    Just my two late evening cents,
    Christian