Learn more about how Endpoint DLP works to prevent exfiltration of sensitive data
over peripheral devices.
Where Can I Use This?
What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)
Endpoint DLP license
Enterprise Data Loss Prevention (E-DLP) license
Autonomous DEM 5.3.4 or later
Prisma Access Agent
One of the following Prisma Access versions
10.2—Prisma Access 5.2
11.2—Prisma Access 5.1 or 5.2
Endpoint DLP enables your security administrators to control the use of peripheral
devices by allowing you to allow or block their use. To prevent exfiltration of
sensitive data to peripheral devices Endpoint DLP uses Enterprise Data Loss Prevention (E-DLP)advanced detection methods, as well as custom data profiles to define custom traffic match criteria or
predefined ML-based and regex data profiles.
The Prisma Access Agent evaluates and enforces your Endpoint DLP policy rules when
files are moved between the endpoint and peripheral device. The Prisma Access Agent detects when file movement between the endpoint and peripheral device occurs and
evaluates the Endpoint DLP policy rulebase. When necessary, Prisma Access Agent
forwards the traffic to Enterprise DLP for inspection and verdict rendering. Enterprise DLP then communicates the verdict to the Prisma Access Agent which
then takes the action configured in the Endpoint DLP policy rule. Additionally, the Prisma Access Agent is also responsible for displaying the end user a notification
when they generate a DLP incident.
The following is an example of the process Enterprise DLP uses to inspect endpoints.
This process succeeds only if you installed the Prisma Access Agent and that you
already configured your Endpoint DLP policy rules.
A user in your organization connects a peripheral device to their laptop.
The user moves a file from their endpoint to the connected peripheral device.
The Prisma Access Agent registers that the user attempted to move a file
from the endpoint to the peripheral device and evaluates your Endpoint DLP
policy rules.
No Policy Rule Match—If there is no Endpoint DLP policy rule
match identified, then the agent allows the peripheral device to
connect and the endpoint has full read and write access privileges
to the peripheral device.
Peripheral Control Policy Rule—If you created a peripheral
control policy rule to control access, then the agent executes the
allow or block action that you configured in the policy rule.
For example, if the Endpoint DLP policy rule blocks the connection to
the peripheral device, then the agent revokes write privileges to
the peripheral device. In this case, the endpoint can't upload files
to the peripheral device.
Alternatively, if the Endpoint DLP policy rule allows the connection
to the peripheral device, then the agent grants the endpoint write
access privileges to the peripheral device. In this case, the
endpoint can upload files to the peripheral device.
Data in Motion Policy Rule—The agent allows the connection to
the peripheral device. When the Prisma Access Agent detects
file movement from the endpoint to a peripheral device, the file is
forwarded to Enterprise DLP for inspection and to render a
verdict. The agent also forwards important file metadata, such as
the fileSHA, which Enterprise DLP
uses to identify each forwarded file.
Enterprise DLP then sends the verdict to the Prisma Access Agent and, if sensitive data is detected, the
agent takes the Endpoint DLP policy
rule action. If Enterprise DLP detects when
forwarded files were already inspected based on the
fileSHA, then Enterprise DLP
returns the existing verdict to the agent. Enterprise DLP does
not inspect the same file twice.
The Prisma Access Agent executes the Endpoint DLP policy rule action that
you configured in either the Peripheral Control or Data in Motion policy rules.
Enterprise DLP generates a DLP incident when appropriate. Additionally, if
you configured End User Coaching, the Prisma Access Agent displays a notification on
the endpoint to alert the user.
What Operating Systems Does Endpoint DLP Support?
Endpoints running the following operating systems support Endpoint DLP.
Operating System
Version
Microsoft
Windows 10 version 2004 or later release
macOS
12 (Monterey) or later release
What File Types Does Endpoint DLP Support?
Endpoint DLP supports the inspection and verdict rendering on the following file
types.