This article explains how to view forensic evidence from DLP policy violation events.
To investigate DLP policy violations, you can securely view the violation evidence directly in the Cato Management Application (CMA). This allows security teams to quickly understand the context of an incident, assess potential data exposure, validate false positives, and fine-tune DLP policies with confidence.
When a DLP policy event is generated, the evidence files are encrypted and sent to a configured secure storage destination. To minimize data exposure and ensure compliance with regulatory requirements, these files can only be viewed on request by admins with the relevant permissions.
Note: Image file types are not supported.
A sales representative needs to process a refund to a customer. They send a Slack message to their manager to approve the refund that includes the customer's address. A DLP rule configured to detect PII identifies the customer's address, blocks the message, and triggers an event. The Slack messages are encrypted and stored securely in an Amazon S3 bucket as evidence.
A security analyst, with permission to view forensic evidence, starts to investigate the event. As part of the investigation, they securely view the Slack conversation and confirm that PII data was exposed.
By confirming with certainty that a policy violation has taken place, the security analyst can contact the employees involved and educate them about the company's data protection policy.
To enable forensic evidence to be viewed, you need to:
- Enable your preferred option for the secure storage of the evidence
- Configure forensic evidence settings
- Provide permissions for the admins that can view the evidence
Forensic evidence is stored externally to Cato in a storage destination that you choose. To enable evidence storage, you must create an integration between Cato and the supported storage service. This integration allows Cato to securely write encrypted evidence files to your designated storage when a DLP policy is triggered. For step-by-step instructions on configuring the integration, see the link below. The supported storage services are:
To start storing forensic evidence, you need to enable the feature in the CMA. You can also choose to only display a snippet of the evidence or allow the original file to be stored and available for download during an investigation.
Note: All forensic evidence is always encrypted; it is not possible to uncheck the Encrypt evidence stored in the configured destination checkbox.
To configure forensic evidence:
- From the navigation menu, click Security > Data Types & Profiles.
- On the Settings tab, enable the Store DLP Evidence toggle.
- To allow the original evidence file to be downloaded from an event, select the Store original files upon match checkbox. If this option is not checked, only a snippet of the evidence is available during an investigation.
- Choose the location for the evidence to be stored.
- Click Save.
Only Admins with the DLP Forensics permission are able to view forensic evidence within an event. You can add this permission to existing custom roles or create a new custom role and apply it to the relevant admin. For more information on Roles & Permissions, see Managing Admin Roles Using RBAC.
Forensic evidence is accessed from the Data Incident panel of the event that was generated when a DLP rule was violated.
Note: After an event is generated, it may take a few minutes for the file to be available for download.
To view forensic evidence:
- From the navigation menu, click Security > Data Protection to view the Data Protection Dashboard.
- In the Top Violating Rule, click the rule you want to investigate. The Events page is displayed with a predefined filter of the events generated by this rule. For more information, see Analyzing Events in Your Network.
- Expand the event and in the Evidence field, click View forensics. The Data Incident panel opens.
- In the Forensics section, click View Evidence, and in the pop-up box, click Confirm. The forensic evidence is displayed in the snippet. To access the full file, click Download File. This option is grayed out if the Store original files upon match checkbox was unchecked in Step 2.