
Data Loss Protection - What are we doing wrong here?

Hi

In an attempt to deploy some Data Loss Protection rules, we are having an issue.

 

Situation

We created 6 content rules for the Belgium region to block content.

Accordingly, 6 Word documents were created with content to test the rules.

Policies were enforced and assigned to a test user:

1. IBAN nrs

2. Bank Routing Nrs

3. Combination of PII

4. Contact details

5. Credit or Debit card nrs

6. PINs

Additionally, 1 file rule for the Europe region was created to block all file transfers.

 

Issue

We would expect the rules to be executed from top to bottom as indicated in Sophos Central.

However, during our tests it seems only the first rule (on top) is checked. All the rest are not processed anymore:

E.g.: The content rule for IBAN nrs is on top >> Only the Word file containing IBAN nrs is blocked. All the rest is allowed without any message from Sophos.

However, when we put the content rule for Bank Routing nrs on top >> Only the Word file containing BIC nrs is blocked, and again all the rest is allowed.

 

Please see the screenshot, which gives some elucidation on the setup:

 

 

Question

How can we have each separate document tested against each of the rules and not only the top rule?

It looks like DLP stops processing rules after the top one.



This thread was automatically locked due to age.
  • Hi  

    You have created a number of different DLP policies instead of creating different rules in the same policy.

    As per your configuration, it is working as expected.

    When you assign all the policies to one single user, the top policy will be effective for that user, not the other policies.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Dear Jasmin

    I understand what you are saying, but this seems very counter-intuitive.

    This would mean we cannot set different block warning messages depending on the content.

    We would like to reach a situation where end users clearly see which rule they are trespassing against (e.g. IBAN, BIC, or PINs).

     

    If rules are applied top to bottom as suggested in the GUI, our expectations would be:

    Rule 1: Was the rule on providing IBAN nrs trespassed?

    YES? >> Block

    NO? >> Next rule >> 2. Was the rule on providing a BIC nr trespassed?

    etc...

     

    Is there any way to achieve this goal?

    Kind regards

  • Hi  

    As Jasmin suggested, different policies are being created here, and hence the top policy will be applied for a single user. If you need to block them individually, then you need to set up one rule each. Each rule applied in a policy acts as an OR statement, while conditions follow AND logic in Central's DLP policy. You will need to create a single policy in which you can create multiple rules as per your requirement, with the conditions applied. Please check this link for more information on how to create rules in a Data Loss Prevention policy.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Dear Shweta

    It seems you are repeating Jasmin's statement, so this does not address my latest question.

    So my guess is that this eliminates the possibility of having separate block messages depending on which rule exactly is trespassed?

  • Hi  

    has correctly mentioned how you can create the rule for DLP.

    Even if you have analysed my answer to the question, I mentioned that you had created different policies for different rules instead of creating a single policy and mentioning the rules in that policy.

    Shweta has provided you with the document which describes how you can create the policy and define the rules in that policy.

    In the GUI, they mention policies, not rules. Please refer to this screenshot.

    Please refer to the screenshot below, which illustrates how you can configure the policy. The screenshot shows the settings of the base policy, where I have added multiple rules.

    You can assign only one policy to the machine but that policy can have multiple rules.

    Regards,

    Jasmin

  • Hello TCI,

    I'm using the on-premise product and not Central, but the behaviour is, AFAIK, similar.
    There is one message per policy, i.e. the same message regardless of the rule(s) that matched. The only specific information that can be given to the user is the rule (rule name) that matched.

    Christian
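As an added illustration (not Sophos code, and not the poster's actual configuration), the following Python simulation models the evaluation logic the replies above describe: only the top assigned policy is effective for a user, rules inside a policy are OR'ed, conditions inside a rule are AND'ed, and the block message belongs to the policy, with only the matched rule name varying. The regexes, the Luhn check and the sample documents are assumptions made for this simulation, not Sophos's content control lists. It runs the same five constructed documents through the poster's layout (one single-rule policy per content type) and the recommended layout (one policy carrying all the rules) so the difference is visible.

```python
# Simulation of the DLP policy/rule model described in the thread (assumed, not Sophos code):
#   - a user gets exactly one effective policy: the first (top) one assigned;
#   - inside a policy, rules are OR'ed: any matching rule blocks the transfer;
#   - inside a rule, conditions are AND'ed: all must hold for the rule to match;
#   - a policy carries one user-facing message; only the matched rule name varies.
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

Condition = Callable[[str], bool]

# Illustrative patterns only (assumptions); Sophos ships its own content control lists.
IBAN_RX = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}\b")
BIC_RX = re.compile(r"\b[A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b")
CARD_RX = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used as the second AND condition of the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_pattern(rx: re.Pattern[str]) -> Condition:
    return lambda text: rx.search(text) is not None


def has_luhn_valid_card(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RX.findall(text))


@dataclass
class Rule:
    name: str
    conditions: list[Condition]  # AND: every condition must hold

    def matches(self, text: str) -> bool:
        return all(cond(text) for cond in self.conditions)


@dataclass
class Policy:
    name: str
    rules: list[Rule]  # OR: any matching rule blocks
    message: str       # one message per policy, whatever rule matched

    def evaluate(self, text: str) -> tuple[str, list[str], str | None]:
        hits = [r.name for r in self.rules if r.matches(text)]
        return ("block", hits, self.message) if hits else ("allow", [], None)


def run(assigned: list[Policy], docs: dict[str, str]) -> dict[str, tuple[str, list[str], str | None]]:
    """Only the top assigned policy is effective for the user; the rest are ignored."""
    effective = assigned[0]
    return {name: effective.evaluate(text) for name, text in docs.items()}


def build_rules() -> list[Rule]:
    return [
        Rule("IBAN nrs", [has_pattern(IBAN_RX)]),
        Rule("Bank Routing Nrs", [has_pattern(BIC_RX)]),
        Rule("Credit or Debit card nrs", [has_pattern(CARD_RX), has_luhn_valid_card]),
    ]


def original_setup() -> list[Policy]:
    """The post's layout: one single-rule policy per content type, all assigned to the user."""
    return [Policy(f"Block {r.name}", [r], f"Blocked: {r.name}") for r in build_rules()]


def recommended_setup() -> list[Policy]:
    """The replies' layout: a single policy carrying all the rules."""
    return [Policy("DLP Belgium", build_rules(), "Transfer blocked by DLP policy. Contact the helpdesk.")]


# Constructed stand-ins for the six test Word documents (not the poster's files).
DOCS = {
    "iban.docx": "Please wire the invoice to BE71 0961 2345 6769.",
    "bic.docx": "Our bank's BIC/routing code is GEBABEBB.",
    "card.docx": "Card number 4111 1111 1111 1111, expiry 12/27.",
    "ref.docx": "Reference 1234 5678 9012 3456 (16 digits but fails Luhn, so not a card).",
    "memo.docx": "Lunch is at noon, bring your badge.",
}

if __name__ == "__main__":
    for label, setup in (("original", original_setup()), ("recommended", recommended_setup())):
        print(f"== {label} setup ==")
        for doc, (verdict, hits, msg) in run(setup, DOCS).items():
            print(f"{doc:10} {verdict:5} rules={hits} message={msg!r}")
```

With the original layout only iban.docx is blocked, exactly the symptom in the post; with the single policy every document carrying matching content is blocked, ref.docx passes because the card rule's Luhn condition is AND'ed with the pattern, and every block carries the same policy message with the rule name as the only distinguishing detail, which is the limitation Christian points out.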

  • Thank you Christian for confirming!

    It's not a big deal, but it would have been nice to have :)

    Users are the first line of defence, and the original idea was to increase awareness by using specific on-screen messages.

    If we don't, we will probably cause confusion among users and therefore see an increase in requests on our ticketing system.

    Security and User Friendliness never go hand in hand.

  • Hello TCI,

    Nice to have indeed. DLP is a byproduct of AV scanning; there you could (and can) define a short custom message (e.g. a contact or support number). There's only one message for all events of the same type (AV detection, blocked applications, blocked documents/files).

    Christian