DLP & Outlook - seems to have a massive flaw?

I'm trying to get DLP working through Central and have found something that I can't quite believe, hence this post.

If I have a policy that detects content and I do a new email in Outlook and use the paperclip "Attach" icon to attach a file with sensitive content the Sophos DLP catches it.

If I do a new email and simply drag the file with sensitive content onto the blank email, like most of the planet does, it attaches it.

Erm... that doesn't seem right?



Hello Paul Hutchings,

there's an article on the limitations of Data Control. It just states, though, what's scanned and what's not; furthermore it makes no mention of the fact that certain locations are excluded from scanning. "Outlook 2013 - Data Control does not detect the copying of files to an email" does so and also refers to the temp folder.

I'm not Sophos, I'm not selling it, I don't have a solution. I don't know what you need and expect from DLP (on the endpoint); anyway I'll try to give some background and maybe it is of some value.

DLP is a by-product of AV scanning. This means that it can only assess content that is read from disk and processed by the scanner; files excluded from on-access scanning are not passed to DLP (see "How to configure data control exclusions" and "Sophos data control is not scanning files as you would expect when you upload or attach them").

As to supported applications: again, DLP sees only what the scanner sees; it does not hook into or otherwise augment applications. Thus it can only determine that an application opens a certain file, but not what it will do with it. For example, if you block email address lists, the rule would likely trigger when a mail application opens an address book. DLP can't tell whether the application intends to attach this file to a message or just provides it to the user. Therefore certain locations (in a user's profile) are also excluded, and if you attach a file from one of these locations DLP won't kick in.

Of course it is possible to have a near-perfect DLP solution on an endpoint, but these are neither simple nor inexpensive, nor do they work out of the box on arbitrary platforms and in arbitrary environments. It's more efficient to complement endpoint DLP with a gateway solution.

Christian
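A small constructed model of the mechanism the reply above describes, added here as an illustration; it is not code from Sophos, from Central, or from anyone in this thread. It models an on-access scanner that evaluates path exclusions before it reads any content and hands content to a DLP rule only for files it actually scans, so the same sensitive file is caught when read from a normal folder and silently passed when it sits under an excluded location. The exclusion globs, the profile paths, the card-number rule and the sample texts are all assumptions made for the example, not Sophos's real exclusion list or rule set.

```python
import re
from fnmatch import fnmatchcase

# Constructed content rule (an assumption, not a Sophos rule): a 13-16 digit
# card-like number, optionally separated by spaces or hyphens, that passes Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def content_matches(text: str) -> bool:
    """The DLP rule proper: does the file content contain a Luhn-valid card number?"""
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", candidate)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


# Assumed on-access exclusions: illustrative globs, not Sophos's actual list.
EXCLUSIONS = [
    r"C:\Users\*\AppData\Local\Temp\*",
    r"C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\*",
]


def is_excluded(path: str) -> bool:
    """Case-insensitive glob match of a Windows path against the exclusion list."""
    norm = path.replace("/", "\\").lower()
    return any(fnmatchcase(norm, pat.lower()) for pat in EXCLUSIONS)


def on_access_scan(path: str, content: str) -> dict:
    """Model of the scanner: the exclusion decision is taken on the path before
    any content is read, so an excluded file never reaches the DLP rule at all."""
    if is_excluded(path):
        return {"scanned": False, "dlp_hit": False, "reason": "path excluded"}
    return {"scanned": True, "dlp_hit": content_matches(content), "reason": "scanned"}


# Constructed sample contents.
SENSITIVE = "Customer card on file: 4111 1111 1111 1111 (exp 12/27)"  # Luhn-valid
HARMLESS = "Order ref 1234 5678 9012 3456"                           # fails Luhn


def simulate() -> dict:
    """Same sensitive content, two assumed staging paths: a file read from
    Documents via the attach dialog, and a copy staged under the user's temp
    folder (assumed here as the drag-and-drop case)."""
    cases = {
        "attach-dialog (file read from Documents)":
            r"C:\Users\paul\Documents\customers.txt",
        "drag-and-drop (file staged in user temp)":
            r"C:\Users\paul\AppData\Local\Temp\Outlook\customers.txt",
    }
    return {label: on_access_scan(p, SENSITIVE) for label, p in cases.items()}


if __name__ == "__main__":
    for label, verdict in simulate().items():
        print(f"{label}: {verdict}")
```

The point the model makes is that no amount of tuning the content rule helps once the path is excluded: the second case never calls `content_matches` at all. When checking a real deployment, the equivalent test is to drop the same known-sensitive file in a normal folder and in each profile location the product documents as excluded, and compare which copies the agent actually scans, rather than reasoning from the rule definition alone.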