Netskope Global Technical Success (GTS)

EPDLP -  Content Control USB Storage Devices

Netskope Cloud Version - 128

Objective

Control specific file types from being copied in a storage device

Prerequisite

Netskope Endpoint DLP license is required

Context

In this knowledge base article, we'll explore Netskope's capabilities regarding Endpoint DLP Content control. We'll go through a use case to provide insights into its capabilities.

Do You Know?

Endpoint DLP allows you to manage and govern endpoints to prevent sensitive content from being transferred to USB storage devices or printers. You can:

• Govern endpoint devices by creating device control, content control, and file origin policies.
• Monitor endpoint activities and block or trigger alerts when users insert or remove USB storage devices, transfer sensitive files to USB storage devices, set up and configure printers, and print documents.
• Respond to incidents and alert the user of their actions.
• Coach the user through custom notification messages by allowing them to justify their actions or cancel them.

Use Case 1 Block a specific file type from being copied to an external storage device.

Step 1: Go to Settings >> Security Cloud Platform >> Client Configuration >> Select The client configuration where you want to enable Endpoint DLP >> go to Endpoint DLP>> Check the Endpoint DLP Checkbox and Save.

Note: make sure to restart the device after the EPDLP activation.

Step 2: We need to create a file profile adding the specific content we want to restrict within the Endpont DLP policy, in this case we will add a file type 7zip.
Go to policies >>Profiles >> File >>> New File Profile 

Select file type, search and mark 7zip format.

Click Next type a file profile name and save it.

Step 3: Go to policies >> Endpoint Protection >> Content Control

On content control, click on create a new content control policy.

Select on Destination “ USB Storage Device”, then on File add a “File Profile” and select the profiel you created in step 2, Set profile action Block, add a policy name and save the policy.

Verification

Copy any .7z file to the USB storage device and a blocking message will appear.

Go to SkopeIT >> Endpoint Events and confirm the block is logged.

How can I confirm the block action in NSlogs?

A: After downloading the NS logs, you will notice a file named “epdlp-diagnostics.zip.log.” Please remove the “.log” part, and the file will now appear as a zip file. Once you unzip the file, you will find a log folder inside, and the logs are located in the “epdlp_sys_log.txt” file.

Sample

2024/08/22 15:17:04.781 PolicyWorker.cpp:1456 7816 24792 1info] PolicyWorker 7: evaluated event 60ceb07f-3a1b-4b9d-880b-a4ec433b8a3f with result "match" with action "block" for rule "USB storage Block" 

Constraints

In the Netskope UI, go to Policies > Profiles > Constraint and select the USB Device tab >> In the USB Storage Device tab, click New Device Constraint Profile

In the New USB Device Constraint Profile window, enter a profile name.

Provide the list of USB storage device manufacturers, IDs, models, and serial numbers. Select each tab and enter the values or upload a list as a CSV file. You can upload a maximum file size of 6 MB in each tab. Ensure the following:

Manufacturer and Model are partial matches. For example, enter “Sandisk” as the manufacturer to match USB device names such as “Sandisk”, “ Sandisk USB”, “Sandisk Electronics, INC”, etc.

The ID must be in the format idVendor+idProductiSerialNumber.

Serial_Number and ID are exact match fields.

Note: Device Control, policies are prioritized first, followed by Content Control. For example, when it comes to USB devices, if Device Control determines that a device is not allowed on an endpoint, it will block the device. This means the filesystem is never mounted, and the user has no opportunity to copy files to the device, effectively preventing any data transfer.

Terms and Conditions

• All documented information undergoes testing and verification to ensure accuracy.
• In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

• This article is authored by Netskope Global Technical Success (GTS).
• For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.