How to detect incidents with SkyDrive

Article ID: 160574

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

The customer environment has SkyDrive (or a similar program such as Google Drive or Dropbox), which can share data outside the network via cloud networking. The customer wants to detect and possibly block that data, or notify users of their transgressions.

Resolution

Etrack 3241133. Note: These steps are similar to those for Dropbox and Google Drive. The only difference is the executable names.

 

Step 1: Set up SkyDrive properly in the AFAC (Application File Access Control).

  In the Enforce Console:  System --> Agent --> Application Monitoring

  Add Application or Edit a previous entry:

 

  Name (Required)
  Binary Name *
  Internal Name *
  Original Filename *

 

Application Monitoring Configuration
Check one or more activities to enable application monitoring.
  Network Access
  Print/Fax
  Send to Clipboard
  Filesystem Activity
  Enable monitoring of local drive, removable media and other filesystem activities.
 
  Monitor Application File Access
  Monitor writing to CD/DVD
  Monitor all files that application attempts to:

    File Open
    File Read

  Save.
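
One way to collect the values for the Binary Name, Internal Name and Original Filename fields in Step 1 on a test endpoint where the sync client is running. This is an added example, not part of the original article. It assumes the Internal Name and Original Filename fields correspond to the executable's Windows version resource, and the process names listed are assumptions to adjust for the clients actually installed.

```powershell
# Added example: gather candidate values for the Application Monitoring entry.
# The process names below are assumptions; edit the list to match the endpoint.
$candidates = 'SkyDrive', 'Dropbox', 'googledrivesync'

Get-Process -Name $candidates -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |          # skip processes whose image path is not readable
    Sort-Object Path -Unique |          # one row per executable, not per process instance
    ForEach-Object {
        # Version resource embedded in the executable (assumed source of the console fields)
        $vi = (Get-Item -LiteralPath $_.Path).VersionInfo
        [pscustomobject]@{
            BinaryName       = Split-Path -Leaf $_.Path
            InternalName     = $vi.InternalName
            OriginalFilename = $vi.OriginalFilename
            ProductName      = $vi.ProductName
            Path             = $_.Path
        }
    } |
    Format-List
```

An empty InternalName or OriginalFilename in the output means the executable carries no such version resource value, so there is nothing to enter for that field from this source.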

Step 2: Ensure that AFAC is enabled on the Endpoint Server.

  In the Enforce Console:  System --> Agent --> Agent Configuration

    *If you need a config to work with, clone their current config*
    Inside the configuration under the Agent Monitoring area is the Applications section with a single option.  Ensure that Application File Access is checked.

  You can either Save and Apply or just Save.  If you only save or if you cancel, make sure the configuration has been applied to the Endpoint Server.

    In the Enforce Console:  System --> Agent --> Agent Configuration.  Click the Apply Configuration button.
      Select the appropriate server and choose the correct configuration from the dropdown menu on the right.
      Click the Apply and Update button.
 

Step 3: Set up a response rule.  (If the customer has a response set up already, skip this step)

  In the Enforce Console:  Manage --> Policies --> Response Rules

    If the customer is looking to Notify or Block the action, make sure the Action is Endpoint Block / Notify / User Cancel.

    If the customer is looking to only apply this response to SkyDrive (and any other applications being monitored), you can select Protocol or Endpoint Monitoring and choose Endpoint Application File Access under conditions.

Step 4: Set up the proper policy.

  In the Enforce Console:  Manage --> Policies --> Policy List

    Any previously created policies should trigger the SkyDrive response.  If you are unsure, your best option would be to create a simple keyword policy, apply the appropriate SkyDrive response, and test.
   

Note: Detection steps for Dropbox (TECH220313) and Google Drive (TECH222150) are very similar.