Endpoint DLP
Focus
Focus
What's New in the NetSec Platform

Endpoint DLP

Table of Contents

Endpoint DLP

Use Endpoint DLP to stop accidental or malicious data lose over peripheral devices.
Endpoint DLP enables your Security administrators to control the use of peripheral devices by enabling you to allow or block their use, or to alert your Security administrators when a peripheral device is connected to an endpoint in your network. To prevent exfiltration of sensitive data to peripheral devices, use the Enterprise Data Loss Prevention (E-DLP) advanced detection methods, as well as custom data profiles to define custom traffic match criteria or use predefined ML-based and regex data profiles.
Install the Prisma Access Agent on the endpoints that you need to protect. The agent will detect file movement between the endpoint and the peripheral device and then evaluates and enforces your Endpoint DLP policy rules. When necessary, the Prisma Access Agent forwards the traffic to Enterprise DLP for inspection and to render a verdict. Enterprise DLP then communicates the verdict to the Prisma Access Agent which executes the action you configured in the Endpoint DLP policy rule. Additionally, the Prisma Access Agent is responsible for displaying a notification to the end user when they generate a DLP incident.
The following is an example of the process Enterprise DLP uses to inspect endpoints. This process succeeds only if you installed the Prisma Access Agent and that you already configured your Endpoint DLP policy rules.
  1. A user in your organization connects a peripheral device to their laptop.
  2. The user moves a file from their endpoint to the connected peripheral device.
  3. The Prisma Access Agent registers that the user attempted to move a file from the endpoint to the peripheral device and evaluates your Endpoint DLP policy rules.
    • No Policy Rule Match—If there is no Endpoint DLP policy rule match identified, then the agent allows the peripheral device to connect and the endpoint has full read and write access privileges to the peripheral device.
    • Peripheral Control Policy Rule—If you created a peripheral control policy rule to control access, then the agent executes the allow or block action that you configured in the policy rule.
      For example, if the Endpoint DLP policy rule blocks the connection to the peripheral device, then the agent revokes write privileges to the peripheral device. In this case, the endpoint can't upload files to the peripheral device.
      Alternatively, if the Endpoint DLP policy rule allows the connection to the peripheral device, then the agent grants the endpoint write access privileges to the peripheral device. In this case, the endpoint can upload files to the peripheral device.
    • Data in Motion Policy Rule—The agent allows the connection to the peripheral device. When the Prisma Access Agent detects file movement from the endpoint to a peripheral device, the file is forwarded to Enterprise DLP for inspection and to render a verdict. The agent also forwards important file metadata, such as the fileSHA, which Enterprise DLP uses to identify each forwarded file.
      Enterprise DLP then sends the verdict to the Prisma Access Agent and, if sensitive data is detected, the agent takes the Endpoint DLP policy rule action. If Enterprise DLP detects that it's a file that has already been inspected based on the fileSHA, then Enterprise DLP returns the existing verdict to the agent. Enterprise DLP does not inspect the same file twice.
  4. The Prisma Access Agent executes the Endpoint DLP policy rule action that you configured in either the Peripheral Control or Data in Motion policy rules.
  5. Enterprise DLP generates a DLP incident when appropriate. Additionally, if you configured End User Coaching, the Prisma Access Agent displays a notification on the endpoint to alert the user.