Enterprise DLP
Endpoint DLP Policy Rule Example
Table of Contents
Expand All
|
Collapse All
Enterprise DLP Docs
Endpoint DLP Policy Rule Example
Example of creating Endpoint DLP policy rules to control access to peripheral devices
for some users while allowing access to other users.
- Log in to Strata Cloud Manager.Add a Peripheral to Endpoint DLP and Create a Peripheral Group.Adding peripheral devices and creating peripheral groups is required only if you want to allow or block access to specific peripheral devices. You can skip this step if you want to allow or block access to all peripheral devices of any type.Repeat this step to add all peripheral devices you want to control access to using Endpoint DLP. In this example, we are allowing access to a specific peripheral group.Configure the Enterprise DLP match criteria to define custom sensitive data that you want to inspect for and block in your Data in Motion policy rule.
- Create custom data patterns to define your match criteria.Alternatively, you can use the predefined data patterns instead of creating custom data patterns.Create a data profile and add your data patterns.Alternatively, you can use the predefined data profiles instead of creating custom data profiles.Select ManageConfigurationData Loss PreventionEndpoint DLP Policy and Add Policy.Create a Peripheral Control policy rule.In this example, we want to configure a policy rule that restricts endpoint access to all USB peripheral devices for all users, while excluding two users approved to have USB connectivity for their endpoints.
- Configure the Basic Information for the Peripheral Control policy rule.Make sure that you Enable Policy. Click Next to continue.For the Scope, select Any Users & Groups.This option blocks access to all users regardless of the user group they are associated with. You can exclude one or more users, thereby allowing their endpoint connectivity to USB peripheral devices you specify.In the example below, the Peripheral Control policy rule Scope is configured to block access to all users while allowing endpoint connectivity to USB peripheral devices for Alex Smith and Ashok Kachana.For the Peripherals, select Any to block connectivity to all USB peripheral devices. Alternatively, you can Select specific USB peripheral devices to Include or Exclude.
- If you Include specific USB peripheral devices then endpoint connectivity to only the specified USB peripheral devices is blocked. All other USB peripheral device connectivity is allowed.
- If you Exclude specific USB peripheral devices then endpoint connectivity is blocked for all but excluded USB peripheral devices.
In this example, Any is selected because we want to block endpoint connectivity for all USB peripheral devices. This particular policy rule is specific to USB devices so None is selected for Printers and Network Shares.Click Next to continue.For the Response Action, select Block.Click Next to continue.For the Evaluation Priority, configure the Priority Selection as 1st.Palo Alto Networks recommends adding Peripheral Control policy rules designed to block access to peripheral devices at the top of your policy rulebase hierarchy. This ensures that the correct users are blocked and not unintentionally given access.Click Next to continue.Review the Endpoint DLP policy rule Summary and Save.Create a Data in Motion policy rule.In this example, we want to configure a policy rule that restricts uses Enterprise DLP to prevent exfiltration of sensitive data for the users we excluded in the Peripheral Control policy rule.- Configure the Basic Information for the Data in Motion policy rule.Make sure that you Enable Policy. Click Next to continue.For the Classifiers, select the Data Profile you created in the previous step or select a predefined data profile.Click Next to continue.For the Scope, select Select Users.This option allows you to select the specific users for to which the policy rule applies while excluding all other users.In the example below, the Data in Motion policy rule Scope is configured to inspect file movement from the endpoint devices of Alex Smith and Ashok Kachana to the USB peripheral devices you specify in the next step.Click Next to continue.For the Peripherals, Select a USB peripheral groups to Include or Exclude.
- If you Include specific USB peripheral group then Enterprise DLP inspects and renders verdicts on file movement between the endpoint device and all the specified USB peripheral devices associated with the selected peripheral groups. Enterprise DLP inspection and verdict rendering doesn't occur for file movement for any other USB device.
- If you Exclude one or more USB peripheral groups then Enterprise DLP inspects and renders verdicts on file movement between the endpoint device and all but the excluded USB peripheral groups.
In this example, we included the SANDISK group to allow write access to a specific set of USB devices and we want Enterprise DLP inspection and verdict rendering for these USB peripheral devices when connected to Alex and Ashok's endpoints. This particular policy rule is specific to USB devices so None is selected for Printers and Network Shares.Click Next to continue.For the Response Action, select Block.This instructs Enterprise DLP to block file movement from the endpoint to the USB peripheral device if sensitive data is detected.Click Next to continue.For the Evaluation Priority, configure the Priority Selection as 2nd.Palo Alto Networks recommends adding the Data in Motion policy rules after your Peripheral Control policy rules to ensure the correct users are blocked and not unintentionally given access while forwarding traffic for allowed users to Enterprise DLP.Click Next to continue.Review the Endpoint DLP policy rule Summary and Save.Review your Endpoint DLP policy rulebase to verify your policy rules are enabled and ordered correctly.Review the Priority to ensure your policy rules are ordered correctly, the Users to confirm your policy rules target the correct set of users, and the Peripherals to ensure the policy rules apply to the intended peripheral device types.Review your Endpoint DLP Audit and Push Logs.Review your Enterprise DLP Incidents.A DLP incident is generated when a user moves a file from the endpoint to the peripheral device but sensitive data is detected and the file move is blocked because sensitive data was detected.