DLP (Data Loss Prevention) solution
-
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
Besides storage devices, printers and input what other purpose? Printers should be networked, storage devices are unacceptable from this insurance provider and input devices can be replaced with Bluetooth devices.
It would seem to be way easier to use the KISS method.
-
@Pete-S said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
On windows you can disable USB storage devices but keep other things working.
On mac it looks surprisenly simple as well.
From Terminal
cd /System/Library/Extensions/
sudo kextunload IOUSBMassStorageClass.kext -
@Pete-S said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
On windows you can disable USB storage devices but keep other things working.
We need USB for storage devices - or rather - the client is saying - we want to retain the ability to do so.
so simply disabling it wholesale is not an option. -
@Dashrender said in DLP (Data Loss Prevention) solution:
@Pete-S said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
On windows you can disable USB storage devices but keep other things working.
We need USB for storage devices - or rather - the client is saying - we want to retain the ability to do so.
so simply disabling it wholesale is not an option.Is sharing the USB storage device over the network an option. This way you would have a command and control workstation?
-
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
Besides storage devices, printers and input what other purpose? Printers should be networked, storage devices are unacceptable from this insurance provider and input devices can be replaced with Bluetooth devices.
It would seem to be way easier to use the KISS method.
Windows supports disabling USB for storage devices (I'm pretty sure) while leaving them enabled for everything else.
But the client still wants USB access for storage devices from at least 2 machines.
Now - I could say - you know... the damned insurance company is so narrow sited... that we could just disable all USB, and you could just dropbox/Onedrive for Business/Google Drive/etc your files around as needed...
Frankly this would be a much cheaper solution.... but the client has to sign off on it.
-
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@Pete-S said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
On windows you can disable USB storage devices but keep other things working.
We need USB for storage devices - or rather - the client is saying - we want to retain the ability to do so.
so simply disabling it wholesale is not an option.Is sharing the USB storage device over the network an option. This way you would have a command and control workstation?
no, not without DLP on THAT workstation.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
Besides storage devices, printers and input what other purpose? Printers should be networked, storage devices are unacceptable from this insurance provider and input devices can be replaced with Bluetooth devices.
It would seem to be way easier to use the KISS method.
Windows supports disabling USB for storage devices (I'm pretty sure) while leaving them enabled for everything else.
But the client still wants USB access for storage devices from at least 2 machines.
Now - I could say - you know... the damned insurance company is so narrow sited... that we could just disable all USB, and you could just dropbox/Onedrive for Business/Google Drive/etc your files around as needed...
Frankly this would be a much cheaper solution.... but the client has to sign off on it.
See it's shit like this - this end around to semantics that just drives me personally crazy... the insurance company doesn't really care about their data - they only care about USB access... likely because someone just wrote a line on a piece of paper saying so.. and now everyone else is repeating it.
Really the insurance company should be mandating DLP of their data EVERYWHERE, regardless of how it's accessed.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
Is anyone using a DLP with Windows and/or Mac?
I've been tasked with finding a solution - Other than google searches, not sure where to start.
Client has mostly Windows 10 Pro and 1 bloody Mac - Everyone is on O365 E3.
I know MS has a DLP solution, and I just barely started to read about it last night.
anything else I should look at?
Goal:
Log any data written to USB attached devices.This is literally the only goal at this point. An insurance company we are getting data from is obsessed with blocking/controlling data being copied onto USB devices - they don't about NAS devices, or Cloud services, or CD-Roms, etc... they are just simply obsessed with USB.
Have used McAfee (won't recommend that!). You could check from the below list:
https://www.devicelock.com/
https://www.secudrives.com/
https://www.forcepoint.com/product/dlp-data-loss-prevention
https://zecurion.com/products/data-loss-prevention/ -
I am starting to work on Office 365 DLP for EMail and OneDrive and working with Sophos DLP in computers and mobiles so not fully there yet.
-
@dbeato said in DLP (Data Loss Prevention) solution:
I am starting to work on Office 365 DLP for EMail and OneDrive and working with Sophos DLP in computers and mobiles so not fully there yet.
Why the split? I thought MS had their own computers DLP solution, not sure about mobile.
-
About windows information protection
Helping prevent accidental data disclosure to removable media. WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnβt.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
@dbeato said in DLP (Data Loss Prevention) solution:
I am starting to work on Office 365 DLP for EMail and OneDrive and working with Sophos DLP in computers and mobiles so not fully there yet.
Why the split? I thought MS had their own computers DLP solution, not sure about mobile.
Because I have customers in different environments, but those are the only DLP types I have worked oh and I just remembered Mimecast too.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
@Pete-S said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
On windows you can disable USB storage devices but keep other things working.
We need USB for storage devices - or rather - the client is saying - we want to retain the ability to do so.
so simply disabling it wholesale is not an option.So you need to block storage, while allowing storage. This gets hard. Can you define how to determine which storage is required and which is verboten?
-
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@Pete-S said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
@DustinB3403 said in DLP (Data Loss Prevention) solution:
Any reason you can't just put super glue into the USB ports if this insurance company is so obsessed with them?
Use Bluetooth keyboard and mouse for everything and never think about these again.
yes, because we wish to use USB for other purposes.
On windows you can disable USB storage devices but keep other things working.
We need USB for storage devices - or rather - the client is saying - we want to retain the ability to do so.
so simply disabling it wholesale is not an option.So you need to block storage, while allowing storage. This gets hard. Can you define how to determine which storage is required and which is verboten?
Exactly - you can't.
Which is why the insurance company came back with using DLP. They are OK with use using USB devices as long as we use DLP to monitor what is being saved to USB sticks.
-
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they need.
Of course - that to is against the 'spirit' of what the insurance company wants to avoid, but hey, they only asked about stopping access to USB, so the auditors are happy.
We are deploying the Reg change that disables USB storage use.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they neeSo in this case, it seems like the insurance requirement turned out to be a good thing. Pushed them to do things in a controlled, logical way rather than a crufty, silly, legacy way.
-
@Dashrender so you are or aren't going to be superglueing the USB ports?
-
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they neeSo in this case, it seems like the insurance requirement turned out to be a good thing. Pushed them to do things in a controlled, logical way rather than a crufty, silly, legacy way.
yes - sure, that's true, but come on, we both know that's not what the real intention of this request is/was - or at least I personally don't believe that someone at the insurance company has a personal vendetta against USB storage - but really, they are trying to prevent insurance data from being leaked... and when they were considering how things get leaked - they crazily started and stopped with USB storage.
-
@DustinB3403 said in DLP (Data Loss Prevention) solution:
@Dashrender so you are or aren't going to be superglueing the USB ports?
I really hope this isn't a real question.
But to answer it anyway - hell no I'm not. We still have USB keyboards and mice and scanners, etc.
-
@Dashrender said in DLP (Data Loss Prevention) solution:
@scottalanmiller said in DLP (Data Loss Prevention) solution:
@Dashrender said in DLP (Data Loss Prevention) solution:
Ultimately the client decided it wasn't worth the hassle of buying/deploying DLP just so they could use USB sticks.
Instead - they will email or OD4B or Slack the files around that they neeSo in this case, it seems like the insurance requirement turned out to be a good thing. Pushed them to do things in a controlled, logical way rather than a crufty, silly, legacy way.
yes - sure, that's true, but come on, we both know that's not what the real intention of this request is/was - or at least I personally don't believe that someone at the insurance company has a personal vendetta against USB storage - but really, they are trying to prevent insurance data from being leaked... and when they were considering how things get leaked - they crazily started and stopped with USB storage.
Well, I don't know. Let's think about it... USB sticks being allowed is an extremely weird thing to want to keep. It's a super dangerous activity with little reason to be allowed in the modern world. So anyone doing it is likely to be doing loads of risky, stupid things because the reason to want to do it is almost certainly a bad one.
The goal is easily to heavily punish bad behaviour and/or encourage rethinking bad decisions. It's isolated, but it worked. Something risky and dumb turned into something modern and practical in a pretty predictable way. The insurance company pushed them to fix a process that you as IT alone could not do.
Do assume insurance companies are dumb when they do something that turns out really smart. They do their homework.
