Method and system for detecting and protecting against potential data loss from unknown applications
Abstract
A system and method for detecting and protecting against potential data loss from unknown applications is described. In one embodiment, a method includes detecting, by an endpoint data loss prevention (DLP) system running on a client computing device, that a local application has accessed a document on the client computing device. The method further includes determining that the document contains sensitive data according to one or more DLP policies of the endpoint DLP system and determining that a combination of the local application and a type of the document is not included in a whitelist of the DLP policies. Then, the method includes capturing at least one of one or more screenshots, and video of one or more operations that the application performs on the document and sending the captured at least one of the one or more screenshots, and the video to an enforcement server associated with the endpoint DLP system.
15 Claims
1. A computer-implemented method, comprising:
- detecting, by an endpoint data loss prevention (DLP) system running on a client computing device, that a local application has accessed a document on the client computing device;
- determining that the document contains sensitive data according to one or more DLP policies of the endpoint DLP system;
- determining that a combination of the local application and a type of the document is not included in a whitelist of the DLP policies;
- capturing at least one of one or more screenshots, and video of one or more operations that the application performs on the document;
- sending the captured at least one of the one or more screenshots, and the video to an enforcement server associated with the endpoint DLP system; and
- receiving one or more updated DLP policies from the enforcement server, the one or more updated DLP policies comprising changes based on the captured at least one of the one or more screenshots or the video;
- wherein the one or more updated DLP policies cause the endpoint DLP system to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
Dependent claims: 2, 3, 4, 5, 6
7. An endpoint device, comprising:
- a memory to store instructions for a data loss prevention (DLP) policy; and
- a processing device coupled with the memory, wherein the processing device is configured to:
- detect that a local application of the endpoint device has accessed a document on the client computing device;
- determine that the document contains sensitive data according to the DLP policy;
- determine that a combination of the local application and a type of the document is not included in a whitelist of the DLP policies;
- capture at least one of one or more screenshots, and video of one or more operations that the application performs on the document;
- send the captured at least one of the one or more screenshots, and the video to an enforcement server associated with the endpoint DLP system; and
- receive one or more updated DLP policies from the enforcement server, the one or more updated DLP policies comprising changes based on the captured at least one of the one or more screenshots or the video;
- wherein the one or more updated DLP policies cause the endpoint DLP system to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
Dependent claims: 8, 9, 10, 11
12. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform a method comprising:
- receiving, by an enforcement server device of a data loss prevention (DLP) system, data representing captured at least one of one or more screenshots or video of an application manipulating a sensitive document at an endpoint DLP system of the DLP system;
- analyzing, by the enforcement server device, the received captured data to determine whether at least one of suspicious or malicious activity occurred with respect to the sensitive document;
- updating, by the enforcement server device, one or more DLP policies based on the results of the analysis; and
- deploying, by the enforcement server device, the one or more updated DLP policies to one or more endpoint DLP systems;
- wherein the one or more updated DLP policies cause the one or more endpoint DLP systems to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
Dependent claims: 13, 14, 15
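The endpoint-side decision flow recited in claims 1 and 7 can be sketched as follows. This is an added illustration, not code from the patent or any product: the class and function names, the SSN-style pattern, the sample application names and the choice to check the blacklist before the whitelist are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample policy: pattern, application names and actions are illustrative.
@dataclass
class DlpPolicy:
    sensitive_patterns: list = field(
        default_factory=lambda: [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")])
    whitelist: set = field(default_factory=lambda: {("winword.exe", "docx")})
    blacklist: dict = field(default_factory=dict)  # (app, doc_type) -> action

    def is_sensitive(self, text):
        return any(p.search(text) for p in self.sensitive_patterns)

# The four enforcement outcomes named in the claims.
ACTIONS = {"blacklist", "restrict", "encrypt", "move"}

def on_document_access(policy, app, doc_type, text, capture, send):
    """Endpoint side: return the decision taken for one document-access event."""
    key = (app.lower(), doc_type.lower())
    if not policy.is_sensitive(text):
        return "allow"
    if key in policy.blacklist:          # assumption: blacklist wins over whitelist
        return policy.blacklist[key]
    if key in policy.whitelist:
        return "allow"
    # Unknown (application, document type) pair touching sensitive data:
    # capture evidence and report it to the enforcement server.
    send({"app": key[0], "doc_type": key[1], "evidence": capture()})
    return "monitor"

def apply_policy_update(policy, update):
    """Merge an update from the enforcement server; reject unknown actions."""
    for entry in update:
        if entry["action"] not in ACTIONS:
            raise ValueError("unsupported action: %r" % entry["action"])
        key = (entry["app"].lower(), entry["doc_type"].lower())
        policy.whitelist.discard(key)
        policy.blacklist[key] = entry["action"]

def demo():
    policy, sent = DlpPolicy(), []
    capture = lambda: b"<constructed screenshot bytes>"
    doc = "Employee SSN: 123-45-6789"    # constructed sample content
    first = on_document_access(policy, "Uploader.exe", "docx", doc, capture, sent.append)
    apply_policy_update(policy, [{"app": "uploader.exe", "doc_type": "docx",
                                  "action": "restrict"}])
    second = on_document_access(policy, "Uploader.exe", "docx", doc, capture, sent.append)
    return first, second, len(sent)
```

In `demo()`, the first access by the unlisted pair is captured and reported once; after the server's update is merged, the same access is restricted without a second capture.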
Specification