Digital Guardian and disabling SIP

Stevie
Contributor

We are about to trial Digital Guardian as a POC but they want us to disable SIP on all devices, which seems like a bad idea at best. Currently we have Symantec DLP for our Windows users but it has never worked properly on Macs. We decided not to inflict that software onto them. We also have CoSoSys Endpoint Protector for USB Control but our InfoSec team didn't like the DLP function, with the net result that it was never used.

My question is: is anyone using Digital Guardian in this mode, or is there a better product than Digital Guardian for DLP?


dfarnworth_barc
New Contributor III

I've got to say that I would not adopt any security product that requires you to disable another security feature in the OS, especially one as important as SIP.

Along with that, my questions to the vendor would be:
a) Why does SIP need to be disabled?
b) What efforts are being made to adopt the new system extensions coming in Catalina?
c) If SIP disablement is required, what are their plans for their product when the OS partition is read-only?

My statement to the vendor on being asked to disable SIP would include two words, three Fs and a large number of exclamation marks.

chris_kemp
Contributor III

We have a pool of computers that are running DG and they do not have SIP disabled. I agree with the previous poster, no security product worth its salt should require you to disable native OS security.

Stevie
Contributor

Hello,

Thanks for the feedback. According to Digital Guardian you need to disable SIP for the following features:

  • Email visibility and control
  • MS Office/PDF visibility and control
  • IP protection (e.g. source code) & advanced controls (i.e. file save as)
  • Generic copy/paste of data between applications
  • Print controls
  • Screen Capture controls

I think that this product just doesn't meet our requirements and we will look for another solution.

Thanks

Steve

mlizbeth
Contributor II

I believe most, if not all, of these permissions can be granted in "Security & Privacy" preferences, at least in Mojave.
This has been the case with our antivirus which requires the "Full Disk Access" permission to even function on Mojave devices.

My organization wanted me to find a better way to implement dual boot on the Macs (just hold option on bootup guys!) and I tried rEFInd for a while, but it turned out to be not worth the effort because any time there was a Windows update or Mac update you would need to disable SIP again and reinstall rEFInd. I could have left SIP disabled but it's not worth the risk. I removed rEFInd from the machines, and they were ok with it once I explained why it was bad.

Sonic84
Contributor III

We are a current DG customer. They do not require us to disable SIP on our Macs.

lpierce
New Contributor III

Yeah, disabling SIP should be a no go for any security tool...

ithangdang
New Contributor II

Unfortunately what they told you is true for us as a customer. We have been relegated to disable SIP in order to provide visibility to those items you listed Stevie.

Please let us know if you find a DLP tool that checks all the boxes and doesn't require SIP to be disabled.

In practice, disabling SIP seems like bad news in any security context and I would steer clear of Digital Guardian until if or when they can refactor their product to use System Extensions as prescribed by Apple at their most recent WWDC.

Stevie
Contributor

We currently have CoSoSys Endpoint Protector for USB Device control but that is being replaced with Bitdefender. However, it now looks like we will go full cycle and give CoSoSys DLP another look. It was only dropped because our InfoSec team didn't like the reports and alerts which were generated. From a user's point of view it doesn't slow their computer down and from an IT point of view their support is good and the software always works with new macOS releases.

ithangdang
New Contributor II

@tlarkin

A mix but that is decided by a different team concerning Security and Risk. Mainly the ask was for something that didn't require SIP to be turned off.

In what I've looked at so far, it may have to be a combination of tools working in unison to provide a combination of DLP and EDR.

sdagley
Honored Contributor II

Has anyone looked at cmdReporter? I asked on the #endpoint_security MacAdmin Slack channel if anyone was using a DLP tool they were happy with, and the vendor replied they currently had some limited DLP functionality, were working to add more, and open to suggestions if there was something lacking. That sounds like a very attentive developer, and it's not kext based which bodes well for stability with macOS updates.

digitalguardian
New Contributor II

Digital Guardian wanted to provide some clarification for everyone on this thread. The Digital Guardian (DG) Agent has always supported macOS for DLP; however, with the introduction of SIP in Mojave, there was a modest reduction in the amount of visibility the DG Agent had into data movement. This was the case for all DLP agents that operated in the kernel, regardless of the vendor. While Digital Guardian was addressing this issue, one option for customers was to disable SIP if they wanted the full visibility of the DG Agent, but Digital Guardian never recommended this to customers – it was an independent customer choice. With the company’s 7.6 release, the functionality is restored. Early access to version 7.6 of the DG Agent for macOS is available now for customers, with general availability scheduled for November 21, 2019.

Stevie
Contributor

Thank you for clearing this up.

bpavlov
Honored Contributor

@digitalguardian SIP was not introduced in Mojave. 😕

rtrouton
Valued Contributor III

Indeed. System Integrity Protection was first introduced in 2015, as part of OS X El Capitan: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-app...

It’s now been out for over four years and its protections are fairly well documented by this point in 2019.

digitalguardian
New Contributor II

Our apologies, we agree and know SIP was first introduced in 2015 as part of El Capitan. We should have been clearer in our last post. Instead of saying "with the introduction of SIP in Mojave", we should have said "with the extension of SIP in Mojave to cover third-party apps, like MS Office, and not just those supplied by Apple…". Will be more careful in future posts : )

ShadowGT
New Contributor III

@digitalguardian Does this mean that 7.6 release will be supporting Catalina System Extension instead of Kernel drivers?

digitalguardian
New Contributor II

@ShadowGT for a more complete answer from a technology/code perspective you should reach out to your DG Support contact. They can also provide you with the early access version of the agent if you’re interested in testing. In the meantime, we can confirm that 7.6 will support Catalina and the DLP use cases/policies our customers have been accustomed to supporting (i.e. monitoring and controlling print, copy, save as commands, etc.). New code has been developed to achieve that on Catalina, but a DG Agent for macOS that uses the new system extensions exclusively is still being developed for a future release.

guero2099
New Contributor

We are using Forcepoint DLP and you don’t have to disable anything. It is working seamlessly as they are using extensions in Chrome, Safari, Outlook and Mail. But the agent needs FDA.