How cmdReporter +DLP is different
- cmdReporter +DLP does not have its own management server and leverages an organization's existing SIEM and MDM servers.
- We do not rely on scanning files as the primary data detection method.
- cmdReporter's data stream is used for telemetry and metadata creation about each and every file on the system.
- Our patented telemetry stream validates and considers any and all information available from macOS to build a complete picture of exactly how the computer is interacting with both itself and the world.
- Data is classified as sensitive based on our metadata and how each file individually interacts with the system. Any data that is considered sensitive has limits on how it can leave the endpoint.
- Data movement authorizations are made based on the created database of telemetry information about a file's past interactions so there is no delay when moving large numbers of files.
Benefits of our approach
- Up to 300x faster than scanning-based DLP systems
- Adapts to how each user uniquely uses their macOS device
- Empirically provable DLP operations with the cmdReporter audit stream
- Tracks data and files through obfuscation methods
- Near-zero performance impact
Minimum Requirements
- macOS 10.15 or newer
- cmdReporter allowed full disk access in privacy settings
How data rules are configured
- All rules are best enforced via configuration profiles deployed by any MDM server that manages macOS
- com.cmdsec.cmdreporter.dlp = preference domain for DLP-related configurations
- Example cmdReporter +DLP Profile
- cmdReporter +DLP has the following options available in Beta 1:
  - SensitiveApplications - Any and all data created or modified by these applications is considered sensitive. Applications can be defined in three ways:
    - DLPExecutableNames - Define SensitiveApps by executable name
    - DLPSigningIdentifiers - Define SensitiveApps by app signing ID
    - DLPTeamIdentifiers - Define SensitiveApps by team signing ID
  - SensitiveUTIs - Define sensitive data by file Uniform Type Identifier (UTI)
  - SensitiveFolders - Any data from these paths is considered sensitive. Any file movements into these folders are always allowed.
  - ApprovedNetworkDestinations (Beta 2) - Define DNS names where files may be uploaded. All other sensitive file uploads will be denied. This preference and behavior is not in Beta 1.
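The snippet below is an added illustration, not cmdReporter's own tooling or the example profile the page refers to: it checks a candidate set of DLP settings against the option names listed above and wraps them in a custom-settings configuration profile for the com.cmdsec.cmdreporter.dlp domain. It assumes every option is an array of strings and that the generic macOS custom-settings layout (PayloadType set to the preference domain) is accepted; the sample values are constructed.

```python
import plistlib
import uuid

# Preference domain from the page; option names from the Beta 1 list above.
DLP_DOMAIN = "com.cmdsec.cmdreporter.dlp"
# Assumption: each option is an array of strings. ApprovedNetworkDestinations
# is documented as Beta 2 only, so it is tracked separately.
BETA1_KEYS = {"DLPExecutableNames", "DLPSigningIdentifiers",
              "DLPTeamIdentifiers", "SensitiveUTIs", "SensitiveFolders"}
BETA2_KEYS = {"ApprovedNetworkDestinations"}


def validate_dlp_settings(settings):
    """Return (errors, warnings) for a candidate settings dict."""
    errors, warnings = [], []
    for key, value in settings.items():
        if key not in BETA1_KEYS | BETA2_KEYS:
            errors.append(f"unknown key {key!r}")
            continue
        if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
            errors.append(f"{key} must be an array of strings")
        if key in BETA2_KEYS:
            warnings.append(f"{key} is Beta 2 only; Beta 1 ignores it")
    return errors, warnings


def build_profile(settings, org="Example Org"):
    """Wrap validated settings in a configuration profile; returns plist XML bytes."""
    errors, _ = validate_dlp_settings(settings)
    if errors:
        raise ValueError("; ".join(errors))
    payload = {
        "PayloadType": DLP_DOMAIN,  # assumption: custom-settings payload keyed by domain
        "PayloadIdentifier": f"{DLP_DOMAIN}.settings",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "cmdReporter +DLP settings",
        **settings,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": f"{DLP_DOMAIN}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "cmdReporter +DLP",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)  # save the bytes as a .mobileconfig file


EXAMPLE_SETTINGS = {  # constructed sample values, not taken from the page
    "DLPTeamIdentifiers": ["EXAMPLETEAMID"],
    "DLPExecutableNames": ["Numbers"],
    "SensitiveUTIs": ["public.comma-separated-values-text"],
    "SensitiveFolders": ["/Users/Shared/Finance"],
}
```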
Known Gaps and Bugs
- cmdReporter +DLP is currently logging-only, no blocking or GUI prompts will appear in beta 1.
- Browser upload detections are not currently website-aware.
- Not all command line tools that can send data over network connections are currently monitored.
- cmdReporter's telemetry database is intentionally not persistent in the current beta, to allow faster test iterations.
Feedback and Support
Please send any feedback, bug reports, or questions to dlp_beta@cmdsec.com