How Does Endpoint DLP Work?
Learn more about how Endpoint DLP works to prevent exfiltration of sensitive data over peripheral devices.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Endpoint DLP license
  • Enterprise Data Loss Prevention (E-DLP) license
  • Autonomous DEM 5.3.4 or later
  • Prisma Access Agent
  • One of the following Prisma Access versions
    • 10.2: Prisma Access 5.2
    • 11.2: Prisma Access 5.1 or 5.2
Endpoint DLP enables your security administrators to allow or block the use of peripheral devices. To prevent exfiltration of sensitive data to peripheral devices, Endpoint DLP uses the Enterprise Data Loss Prevention (E-DLP) advanced detection methods: either custom data profiles that define your own traffic match criteria, or the predefined ML-based and regex data profiles.
The Prisma Access Agent evaluates and enforces your Endpoint DLP policy rules when files are moved between the endpoint and a peripheral device. When the Prisma Access Agent detects file movement between the endpoint and the peripheral device, it evaluates the Endpoint DLP policy rulebase and, when necessary, forwards the traffic to Enterprise DLP for inspection and verdict rendering. Enterprise DLP then communicates the verdict to the Prisma Access Agent, which takes the action configured in the Endpoint DLP policy rule. The Prisma Access Agent is also responsible for displaying a notification to the end user when they generate a DLP incident.
Endpoint DLP is supported for endpoints running the following operating systems.
  • Operating System: Microsoft Windows; Version: Windows 10 version 2004 or later release
  • Operating System: macOS; Version: 12 (Monterey) or later release
Enterprise DLP inspection of a file moved to a peripheral device proceeds as follows. This assumes the Prisma Access Agent is successfully installed and you have configured your Endpoint DLP policy rules.
  1. A user in your organization connects a peripheral device to their laptop.
  2. The user moves a file from their endpoint to the connected peripheral device.
  3. The Prisma Access Agent registers that the user attempted to move a file from the endpoint to the peripheral device and evaluates your Endpoint DLP policy rulebase.
    • No Policy Rule Match—If there is no Endpoint DLP policy rule match identified then the peripheral device connection is allowed and the endpoint has full read and write access privileges to the peripheral device.
    • Peripheral Control Policy Rule—If you created a peripheral control policy rule to control access, then the Prisma Access Agent takes the allow or block action configured in the policy rule.
      For example, if the Endpoint DLP policy rule blocks the connection to the peripheral device then the Prisma Access Agent revokes write privileges to the peripheral device. In this case, the endpoint can't upload files to the peripheral device.
      Conversely, if the Endpoint DLP policy rule allows the connection to the peripheral device then the Prisma Access Agent grants the endpoint write access privileges to the peripheral device. In this case, the endpoint can upload files to the peripheral device.
    • Data in Motion Policy Rule—The connection to the peripheral device is allowed. When the Prisma Access Agent detects file movement from the endpoint to a peripheral device, the file is forwarded to Enterprise DLP for inspection and verdict rendering. The Prisma Access Agent also forwards important file metadata, such as the fileSHA, which Enterprise DLP uses to identify each forwarded file.
      Enterprise DLP then sends the verdict to the Prisma Access Agent, and the Prisma Access Agent takes the Endpoint DLP policy rule action if sensitive data is detected. If Enterprise DLP determines from the fileSHA that the file has already been inspected, it returns the existing verdict to the Prisma Access Agent. Enterprise DLP doesn't inspect the same file twice.
  4. The Prisma Access Agent enforces the Endpoint DLP policy rule action configured in either the Peripheral Control or Data in Motion policy rules.
  5. A DLP incident is generated when appropriate. If you have configured End User Coaching, a notification is displayed on the endpoint to alert the user.
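As an added example (not Palo Alto Networks code), a Python model of the evaluation flow above: first-match evaluation over the Endpoint DLP rulebase, inspection only for Data in Motion rules, and a verdict cache keyed by the file's hash so the same file is never inspected twice. The rule shapes, the use of SHA-256 as the fileSHA, the regex data profile and the sample file contents are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for a predefined regex data profile (assumption):
# a pattern shaped like a US Social Security Number.
DATA_PROFILES = {"ssn-regex": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}


@dataclass
class Rule:
    kind: str          # "peripheral_control" or "data_in_motion"
    action: str        # "allow" or "block"
    profile: str = ""  # data profile name; Data in Motion rules only


@dataclass
class EndpointDlp:
    rulebase: list                                     # evaluated top-down, first match wins
    verdict_cache: dict = field(default_factory=dict)  # fileSHA -> matched profiles
    inspections: int = 0                               # counts real (non-cached) inspections

    def inspect(self, file_sha, text):
        """Enterprise DLP side: return the cached verdict for a known fileSHA,
        otherwise inspect once and cache the result."""
        if file_sha in self.verdict_cache:
            return self.verdict_cache[file_sha]
        self.inspections += 1
        matched = [name for name, rx in DATA_PROFILES.items() if rx.search(text)]
        self.verdict_cache[file_sha] = matched
        return matched

    def evaluate(self, content: bytes):
        """Agent side: a user moves `content` to a peripheral device.
        Returns (action, incident_generated)."""
        for rule in self.rulebase:
            if rule.kind == "peripheral_control":
                # Block revokes write access, allow grants it; no file inspection.
                return rule.action, False
            if rule.kind == "data_in_motion":
                # Connection is allowed; the file and its fileSHA go to Enterprise DLP.
                file_sha = hashlib.sha256(content).hexdigest()
                matched = self.inspect(file_sha, content.decode(errors="ignore"))
                if rule.profile in matched:
                    return rule.action, True  # sensitive data: enforce and raise incident
                return "allow", False
        return "allow", False  # no rule match: full read and write access
```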