cmdReporter Wiki

Data Loss Prevention (DLP)

How cmdReporter +DLP is different

  • cmdReporter +DLP does not have its own management server and leverages an organization's existing SIEM and MDM servers.
  • We do not rely on scanning files as the primary data detection method.
  • cmdReporter's data stream is used for telemetry and metadata creation about each and every file on the system.
  • Our patented telemetry stream validates and considers any and all information available from macOS to build a complete picture of exactly how the computer is interacting with both itself and the world.
  • Data is classified as sensitive based on our metadata and how each file individually interacts with the system. Any data that is considered sensitive has limits on how it can leave the endpoint.
  • Data movement authorizations are made based on the created database of telemetry information about a file's past interactions so there is no delay when moving large numbers of files.

Benefits of our approach

  • Up to 300x faster than scanning-based DLP systems
  • Adapts to how each user uniquely uses their macOS device
  • Empirically provable DLP operations with the cmdReporter audit stream
  • Tracks data and files through obfuscation methods
  • Near-zero performance impact

Minimum Requirements

  • macOS 10.15 or newer
  • cmdReporter allowed full disk access in privacy settings

How data rules are configured

  • All rules are best enforced via configuration profiles deployed by any MDM server that manages macOS.
  • cmdReporter +DLP has the following options available in Beta 1
    • SensitiveApplications - Any and all data created or modified by these applications is considered sensitive.
      • DLPExecutableNames - Define SensitiveApps by name
      • DLPSigningIdentifiers - Define SensitiveApps by app signing ID
      • DLPTeamIdentifiers - Define SensitiveApps by team signing ID
    • SensitiveUTIs - Define sensitive data by file Uniform Type Identifier (UTI)
    • SensitiveFolders - Any data from these paths is considered sensitive. Any file movements into these folders are always allowed.
    • ApprovedNetworkDestinations (Beta 2) - Define DNS names where files may be uploaded. All other sensitive file uploads will be denied. This preference and behavior are not in Beta 1.
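
A pre-deployment lint for a draft rules dictionary, added here as an example and not part of the cmdReporter documentation: it flags misspelled keys, the Beta 2-only key, and broad SensitiveFolders entries, since moves into those folders are always allowed. Assumptions: the three DLP* keys nest under SensitiveApplications as the list indentation suggests, every value is a list of strings, and the three-component path threshold is this example's own heuristic; the profile's preference domain is not given on this page and is left out.

```python
import plistlib

# Key names come from the page; nesting and list-of-strings types are assumptions.
APP_KEYS = {"DLPExecutableNames", "DLPSigningIdentifiers", "DLPTeamIdentifiers"}
LIST_KEYS = {"SensitiveUTIs", "SensitiveFolders", "ApprovedNetworkDestinations"}


def _is_str_list(value):
    return isinstance(value, list) and all(isinstance(v, str) and v for v in value)


def lint_rules(plist_bytes):
    """Return findings for a draft rules dictionary; an empty list means clean."""
    findings = []
    for key, value in plistlib.loads(plist_bytes).items():
        if key == "SensitiveApplications":
            if not isinstance(value, dict):
                findings.append(f"{key}: expected a dictionary")
                continue
            for sub, subval in value.items():
                if sub not in APP_KEYS:
                    findings.append(f"{key}.{sub}: unknown key (not in the documented list)")
                elif not _is_str_list(subval):
                    findings.append(f"{key}.{sub}: expected a list of strings")
        elif key not in LIST_KEYS:
            findings.append(f"{key}: unknown key (not in the documented list)")
        elif not _is_str_list(value):
            findings.append(f"{key}: expected a list of strings")
        elif key == "ApprovedNetworkDestinations":
            findings.append(f"{key}: Beta 2 only, not available in Beta 1")
        elif key == "SensitiveFolders":
            for path in value:
                # Heuristic: fewer than 3 path components is a broad destination.
                if len([c for c in path.split("/") if c]) < 3:
                    findings.append(f"{key}: '{path}' is broad; moves into it are always allowed")
    return findings


# Constructed sample draft: one misspelled key, one broad folder, one Beta 2 key.
SAMPLE = plistlib.dumps({
    "SensitiveApplications": {
        "DLPExecutableNames": ["Keynote"],
        "DLPTeamIdentifier": ["ABCDE12345"],  # typo: missing trailing "s"
    },
    "SensitiveUTIs": ["com.adobe.pdf"],
    "SensitiveFolders": ["/Users/Shared/Finance", "/Users"],
    "ApprovedNetworkDestinations": ["files.example.com"],
})

if __name__ == "__main__":
    print("\n".join(lint_rules(SAMPLE)))
```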


Known Gaps and Bugs

  • cmdReporter +DLP is currently logging-only; no blocking or GUI prompts will appear in Beta 1.
  • Browser upload detections are not currently website-aware.
  • Not all command line tools that can send data over network connections are currently monitored.
  • cmdReporter's telemetry database is currently not persistent, which enables faster test iterations.

Feedback and Support

Please send any feedback, bug reports, or questions to dlp_beta@cmdsec.com 