
Data Loss Protection - What are we doing wrong here?

Hi

In an attempt to deploy some Data Loss Protection Rules we are having an issue

 

Situation

We created 6 Content Rules for Belgium region to block content

Accordingly 6 Word documents were created with content to test the rules

Policies were enforced and assigned to a test user

1. IBAN nrs

2. Bank Routing Nrs

3. Combination of PII

4. Contact details

5. Credit or Debit card nrs

6. PINs

Additionally 1 File rule for Europe region was created to block all file transfers

 

Issue

We would expect the rules to be executed from top to bottom as indicated in Sophos Central.

However, during our tests it seems only the first rule (on top) is checked. All the rest is not processed anymore:

E.g.: The content rule for IBAN nrs is on top >> Only the Word file containing IBAN nrs is blocked. All the rest is allowed without any message from Sophos.

However, when we put the content rule for Bank Routing nrs on top >> Only the Word file containing BIC nrs is blocked, and again all the rest is allowed.

 

Please see the screenshot giving some elucidation on the setup:

 

 

Question

How can we have each separate document tested against each of the rules and not only the top rule?

It looks like DLP stops processing rules after the top one.



  • That sure is a big turn-down.

    I mean, that statement of rules being applied top to bottom from my understanding is just incorrect.

    As soon as a top policy is matched no others are processed?

     

    Imagine having 2 policies assigned to a user:

    1. One with a Content rule (e.g.: blocking IBAN nrs)

    2. One with File rule (e.g. plain text files blocked to mail)

     

    A user uploads a .txt file to Outlook.

    The result is data loss as Sophos only applies the content rule which states that the sending of the file is ok?

    I do understand your reply, but this is what we are seeing during our tests, and if you're saying this is as designed by Sophos,

    we really need to investigate other options.

  • Hi  

    Policy and rules are two different things in Sophos Central Endpoint/DLP.

    Please don't compare the policies with the ACL rules of the firewall or router.

    You can achieve your goal by creating another rule in the same policy. Once all the content rules are covered, you can add another rule for file extension.

    I hope this will clear your thoughts.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hi Jasmin

     

    Yes I think it has.

    So basically we can achieve our goals as follows?

    4 groups containing users:

    - BE (Belgium)

    - FR (France)

    - DE (Germany)

    - UK (United Kingdom)

     

    Policy 1:

    - All content rules for region BE

    - The EU File rule

    >> Assign this to the BE-group

     

    Policy 2:

    - All content rules for region FR

    - The EU File rule

    >> Assign this to the FR-group

     

    Policy 3:

    - All content rules for region Germany

    - The EU File rule

    >> Assign this to the DE-group

     

    Policy 4:

    - All content rules for region UK

    - The EU File rule

    >> Assign this to the UK-group

  • Hi  

    Yes, exactly, you got my point, and the above configuration is perfect for your goal to set up DLP. :-) 

    Please let us know if you have any further issues or queries regarding this.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • We adjusted the setup of the DLP policies for one region as indicated above.

    Unfortunately functionality is still way below what we expect here.

    We created 5 test files (e.g. one for IBAN, BIC, etc.)

    But we see some odd things during our tests:

    - Dragging and dropping to Outlook 2016 does not trigger anything.

    - Right-click on a file on the file server > Send to mail recipient -> Does not trigger anything.

    - When opening the file transfer in Teams, a massive flood of warning messages is triggered, one for EACH file in the default map.

    - Half of the required rules don't trigger anything. IBAN and BIC nrs are by far the only ones that are functional. Everything else doesn't trigger anything.

     

    Maybe I am still doing something wrong here, but data loss protection is only as strong as its weakest link,

    and currently I would not consider the current situation worthy of the name "protection".

  • Hello TCI,

    Please see the Known limitations with data control.
    Teams might for whatever reason access all the files. Keep in mind that DLP is a byproduct of AV scanning, it reacts on opens and not what an application actually does subsequently.

    "Everything else doesn't trigger anything"
    Dunno if you can see/edit a rule's detail in Central, looking for example at the PII rule it says (emphasis mine): Identify files containing ten or more items of personally identifiable information from the following list: national identification or insurance number, credit or debit card number, address, telephone number, email address. Or at the Credit and debit card numbers: Identify files containing ten or more credit or debit card numbers with qualifying phrase (don't ask me what this is exactly).
    This might explain why the rules don't trigger as you expect.

    Christian

  • Hi Christian,

    When purchasing this endpoint software we were not aware of known limitations with data control.

    And IMHO as a paying customer we shouldn't be aware of that either.

    I know we are drifting off but the last time I had such high expectations and such disappointing results from software

    was when I could not find the start button in my first Windows 8 installation.

     

    Your remark on the phrasing of rule details like "x or more" or "with qualifying phrase" is valid.

    It's unclear to me how this has to be interpreted exactly, so we just lowered all settings to one,

    without being really certain how this impacts the execution exactly.

  • Hello TCI,

    "my first Windows 8 installation"
    Skipped that one - apparently a good idea.

    Client-side DLP (by whatever vendor) is either limited or requires integration with or hooking all applications that could transfer the data. A full-fledged solution normally requires additional configuration at the OS level and in addition scanning on the gateways. I had the opportunity to take part in the DLP "preview" (would now be called EAP) and we discussed these aspects. The conclusion was that DLP is aimed at preventing inadvertent leakage of certain documents. Blocking a, say, single credit card number is impossible without context and a strict workflow - think about it. Just 16 digits, well, not completely arbitrary due to the vendor/country prefix but nevertheless prone to false positives.
    Sophos' DLP protects from massive outright blunders, it can't prevent singular "glitches" and definitely it can't stop someone with criminal intent. It can help to raise awareness.

    I agree that marketing exaggerates the "power" of DLP. Mind you, I don't insinuate it is defect or useless. But it is not the magic wand as it might be depicted.

    The question is what your requirements and goals are and what you can and want to restrict. As long as users are able to run arbitrary "portable clients" or access online storage sites, you can't really prevent leakage.

    Just my two late evening cents,
    Christian
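
The two points Christian raises above, that the rules read "ten or more items" before they fire and that a bare 16-digit number is prone to false positives without some context check, can be made concrete with a small model of threshold-based content rules. The following is an added example written for this thread; it is not Sophos code and does not claim to reproduce how Sophos Central evaluates rules. It assumes a per-document evaluation in which every rule of a policy is checked (the arrangement Jasmin describes, rather than first-match), a Luhn checksum as the "qualifying" context for card numbers, the ISO 7064 mod-97 check for IBANs, and an IBAN threshold of one; the documents, the 12-card dump and the `lowered()` helper (mirroring TCI lowering every threshold to one) are constructed for the example. The card and IBAN values are well-known test numbers, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# --- validators: the context that turns "just 16 digits" into a likely card number ---

def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check shared by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(candidate: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting number must leave remainder 1."""
    s = candidate.replace(" ", "").upper()
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(numeric) % 97 == 1


def any_value(_: str) -> bool:
    """Accept every regex hit (for items without a checksum, e.g. e-mail addresses)."""
    return True


Detector = Tuple[re.Pattern, Callable[[str], bool]]

CARD: Detector = (re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_ok)        # 16 digits, optional separators
IBAN_BE: Detector = (re.compile(r"\bBE\d{2}(?: ?\d{4}){3}\b"), iban_ok)  # Belgian IBAN: BE + 14 digits
EMAIL: Detector = (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), any_value)


@dataclass
class ContentRule:
    """Models a rule of the form 'identify files containing <threshold> or more items'."""
    name: str
    detectors: List[Detector]   # a "combination of PII" rule simply has several detectors
    threshold: int = 1

    def count_items(self, text: str) -> int:
        # Hits that fail their checksum are discarded: they are noise, not items.
        return sum(
            1
            for regex, validate in self.detectors
            for match in regex.finditer(text)
            if validate(match.group(0))
        )

    def fires(self, text: str) -> bool:
        return self.count_items(text) >= self.threshold


def evaluate(rules: List[ContentRule], text: str) -> List[str]:
    """Check EVERY rule against the document (no first-match short-circuit)
    and return the names of all rules that fire."""
    return [rule.name for rule in rules if rule.fires(text)]


def lowered(rules: List[ContentRule]) -> List[ContentRule]:
    """The same rules with every threshold set to one (what TCI did while testing)."""
    return [ContentRule(r.name, r.detectors, threshold=1) for r in rules]


# Thresholds of ten mirror the rule text quoted in the thread ("ten or more");
# the IBAN threshold of one is an assumption made for this example.
RULES_DEFAULT = [
    ContentRule("IBAN numbers", [IBAN_BE], threshold=1),
    ContentRule("Credit or debit card numbers", [CARD], threshold=10),
    ContentRule("Combination of PII", [CARD, EMAIL], threshold=10),
]


def with_check_digit(first15: str) -> str:
    """Append the Luhn check digit to a 15-digit prefix (constructed test data only)."""
    for d in "0123456789":
        if luhn_ok(first15 + d):
            return first15 + d
    raise ValueError("unreachable: exactly one check digit satisfies Luhn")


# Constructed sample documents; card and IBAN values are standard test numbers, not real accounts.
DOC_INVOICE = ("Please charge card 4111 1111 1111 1111, pay the rest to BE68 5390 0754 7034 "
               "and send questions to billing@example.com.")
DOC_SERIALS = ("Device serials 1234 5678 9012 3456 and 1234567890123456, "
               "ticket reference BE00 1234 5678 9012.")
DOC_CARD_DUMP = "\n".join(with_check_digit(f"41111111111{i:04d}") for i in range(12))

if __name__ == "__main__":
    for label, doc in [("invoice", DOC_INVOICE), ("serials", DOC_SERIALS), ("card dump", DOC_CARD_DUMP)]:
        print(f"{label:10} default thresholds -> {evaluate(RULES_DEFAULT, doc)}")
        print(f"{label:10} thresholds = 1     -> {evaluate(lowered(RULES_DEFAULT), doc)}")
```

Running it shows the behaviour the thread circles around: the invoice with a single card number only trips the IBAN rule at the default thresholds, because one card is below "ten or more"; the card dump trips both the card rule and the PII combination; and the serials document trips nothing even with every threshold lowered to one, because its 16-digit values fail the Luhn check and its IBAN-shaped value fails mod-97. Lowering thresholds therefore makes single leaks detectable, but it is the checksum context, not the threshold, that keeps serial numbers and ticket references from becoming false positives.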