Learn more about how Endpoint DLP works to prevent exfiltration of sensitive data
over peripheral devices.
Where Can I Use This?
  Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  Endpoint DLP license
  Enterprise Data Loss Prevention (E-DLP) license
  Autonomous DEM 5.3.4 or later
  Prisma Access Agent
  One of the following Prisma Access versions:
    10.2—Prisma Access 5.2
    11.2—Prisma Access 5.1 or 5.2
Endpoint DLP enables your security administrators to control the use of peripheral
devices by allowing or blocking their use. To prevent exfiltration of
sensitive data to peripheral devices, Endpoint DLP uses the Enterprise Data Loss Prevention (E-DLP) advanced detection methods, together with either custom data profiles that define your own traffic match criteria or the
predefined ML-based and regex data profiles.
The Prisma Access Agent evaluates and enforces your Endpoint DLP policy
rules when files are moved between the endpoint and a peripheral device. When the Prisma Access Agent detects file movement between the endpoint and a peripheral
device, it evaluates the Endpoint DLP policy rulebase. When necessary, the Prisma Access Agent forwards the traffic to Enterprise DLP for inspection and
verdict rendering. Enterprise DLP then communicates the verdict to the Prisma Access Agent, which takes the action configured in the Endpoint DLP
policy rule. The Prisma Access Agent is also responsible for
displaying a notification to the end user when they generate a DLP
incident.
Endpoint DLP is supported for endpoints running the following operating systems.
Operating System    Version
Microsoft           Windows 10 version 2004 or later release
macOS               12 (Monterey) or later release
Endpoint inspection using Enterprise DLP proceeds as follows. This assumes the Prisma Access Agent is installed successfully and you have configured your Endpoint DLP policy rules.
A user in your organization connects a peripheral device to their laptop.
The user moves a file from their endpoint to the connected peripheral device.
The Prisma Access Agent registers that the user attempted to move a file
from the endpoint to the peripheral device and evaluates your Endpoint DLP
policy rulebase.
No Policy Rule Match—If there is no Endpoint DLP policy rule
match identified then the peripheral device connection is allowed
and the endpoint has full read and write access privileges to the
peripheral device.
Peripheral Control Policy Rule—If you created a peripheral
control policy rule to control access, then the Prisma Access Agent takes the allow or block action configured
in the policy rule.
For example, if the Endpoint DLP policy rule blocks the connection to
the peripheral device then the Prisma Access Agent revokes
write privileges to the peripheral device. In this case, the
endpoint can't upload files to the peripheral device.
Conversely, if the Endpoint DLP policy rule allows the connection to
the peripheral device then the Prisma Access Agent grants the
endpoint write access privileges to the peripheral device. In this
case, the endpoint can upload files to the peripheral device.
Data in Motion Policy Rule—The connection to the peripheral
device is allowed. When the Prisma Access Agent detects file
movement from the endpoint to a peripheral device, the file is
forwarded to Enterprise DLP for inspection and verdict
rendering. The Prisma Access Agent also forwards important
file metadata, such as the fileSHA,
which Enterprise DLP uses to identify each forwarded file.
Enterprise DLP then sends the verdict to the Prisma Access Agent, which takes
the Endpoint DLP policy rule
action if sensitive data is detected. If Enterprise DLP determines
from the fileSHA that the file has already been inspected, it
returns the existing verdict to the Prisma Access Agent rather than
inspecting the same file twice.
The Prisma Access Agent enforces the Endpoint DLP policy rule action
configured in either the Peripheral Control or Data in Motion policy rules.
A DLP incident is generated when appropriate. If you have configured End User Coaching, a
notification is displayed on the endpoint to alert the user.
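The flow described above, from rulebase evaluation on the agent through fileSHA-keyed verdict caching in Enterprise DLP, as an added example in Python. This is illustrative code written for this page, not the Prisma Access Agent's or Enterprise DLP's own implementation. It assumes first-match rule ordering, a single device-class attribute as a rule's match criterion, a regex standing in for the data profile, and SHA-256 as the fileSHA; the rule names, device class names and sample file contents are constructed.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical data profile: a regex stands in for the predefined ML-based
# or regex data profiles. Matches 16-digit, card-like numbers in four groups.
CARD_PROFILE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


@dataclass
class Rule:
    name: str
    kind: str                             # "peripheral_control" or "data_in_motion"
    action: str                           # "allow" or "block"
    device_class: Optional[str] = None    # None matches any device (assumed semantics)
    profile: Optional[re.Pattern] = None  # only data_in_motion rules carry a profile

    def matches(self, device_class):
        return self.device_class is None or self.device_class == device_class


class EnterpriseDLP:
    """Model of the cloud inspection service. A verdict is cached under the
    fileSHA so a byte-identical file is never inspected twice."""

    def __init__(self):
        self.verdicts = {}      # fileSHA -> "sensitive" | "clean"
        self.inspections = 0    # counts real inspections, to show the dedup

    def inspect(self, file_sha, data, profile):
        if file_sha in self.verdicts:
            return self.verdicts[file_sha]   # existing verdict, no re-inspection
        self.inspections += 1
        text = data.decode("utf-8", errors="ignore")
        verdict = "sensitive" if profile.search(text) else "clean"
        self.verdicts[file_sha] = verdict
        return verdict


class PrismaAccessAgent:
    """Model of the endpoint agent: evaluates the rulebase on device connect
    and on every file move, and forwards a file to Enterprise DLP only when
    a data-in-motion rule matches."""

    def __init__(self, rules, dlp):
        self.rules = rules
        self.dlp = dlp
        self.incidents = []

    def _first_match(self, device_class):
        for rule in self.rules:            # first match wins (assumption)
            if rule.matches(device_class):
                return rule
        return None

    def on_device_connect(self, device_class):
        """Access granted when the device is connected: a blocking peripheral
        control rule revokes write access; anything else leaves read/write."""
        rule = self._first_match(device_class)
        if rule is not None and rule.kind == "peripheral_control" and rule.action == "block":
            return "read_only"
        return "read_write"

    def on_file_move(self, device_class, filename, data):
        """Endpoint -> peripheral file move. Returns the enforced action."""
        rule = self._first_match(device_class)
        if rule is None:                              # no match: full access
            return {"action": "allow", "inspected": False, "verdict": None, "sha256": None}
        if rule.kind == "peripheral_control":         # no inspection needed
            return {"action": rule.action, "inspected": False, "verdict": None, "sha256": None}
        # Data in motion: hash the file (the fileSHA) and ask Enterprise DLP.
        file_sha = hashlib.sha256(data).hexdigest()
        verdict = self.dlp.inspect(file_sha, data, rule.profile)
        action = rule.action if verdict == "sensitive" else "allow"
        if verdict == "sensitive":                    # DLP incident
            self.incidents.append({"rule": rule.name, "file": filename,
                                   "sha256": file_sha, "action": action})
        return {"action": action, "inspected": True, "verdict": verdict, "sha256": file_sha}


def demo():
    """Run a small constructed scenario and return what the agent decided."""
    dlp = EnterpriseDLP()
    agent = PrismaAccessAgent([
        Rule("block-bluetooth", "peripheral_control", "block", device_class="bluetooth"),
        Rule("inspect-usb", "data_in_motion", "block",
             device_class="usb_storage", profile=CARD_PROFILE),
    ], dlp)
    clean = b"Quarterly notes: nothing sensitive here.\n"        # constructed
    secret = b"Customer card on file: 4111 1111 1111 1111\n"    # constructed
    results = [
        agent.on_file_move("bluetooth", "notes.txt", clean),       # peripheral control: blocked
        agent.on_file_move("usb_storage", "notes.txt", clean),     # inspected, clean, allowed
        agent.on_file_move("usb_storage", "cards.txt", secret),    # inspected, sensitive, blocked
        agent.on_file_move("usb_storage", "copy.txt", secret),     # same fileSHA: cached verdict
        agent.on_file_move("webcam", "notes.txt", clean),          # no rule: allowed
    ]
    return results, dlp.inspections, agent.incidents


if __name__ == "__main__":
    results, inspections, incidents = demo()
    for r in results:
        print(r["action"], r["verdict"], r["sha256"][:12] if r["sha256"] else "-")
    print("inspections:", inspections, "incidents:", len(incidents))
```

The two moves of the same `secret` bytes share one SHA-256, so the second costs no inspection and still produces an incident; changing a single byte changes the hash, and with it the cache key, so the altered file is inspected afresh.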