How to keep corporate data secure on macOS devices?

To control user actions on workstations, Solar Dozor uses a separate module, Dozor Endpoint Agent (the agent), which monitors data transfers in real time and, where required, blocks them. The module is available for several operating systems: the developer, Rostelecom-Solar, ships versions for Windows, Linux and macOS. Our portal has already reviewed the Dozor Endpoint Agent module for Linux and for Windows. This article covers Dozor Endpoint Agent for macOS, under development since 2021. It spearheaded the Russian DLP market's move to full-featured monitoring of Apple-based workstations and continues to lead that segment today.

About the macOS operating system: some statistics

Macintosh Operating System (macOS; called OS X until 2016) is a family of operating systems developed by Apple for its Macintosh computers. The original Macintosh system software (1984) is widely credited with popularizing the graphical user interface (GUI), although the GUI itself originated earlier at Xerox PARC.

According to the statistics platform statista.com, the global share of Windows users fell by 17% over ten years, and most of that share went to Apple's operating system. At the beginning of 2023, macOS held 15% of the global market.

Fig. 1 – Statistics on the use of operating systems in the world

In Russia, according to StatCounter GlobalStats, as of May–June 2023 the share of computers running Windows has also declined, to 83.55% (a few years ago Microsoft's system held almost 100% of the market), while computers running macOS (OS X) already account for 6.27%.

Fig. 2 – Statistics on the use of operating systems in the Russian Federation

As of June 2023, the macOS family ranks third in prevalence in the Russian Federation, ahead of Linux-family operating systems. This is not surprising: macOS has a reputation for reliability, for the stable operation of software written for a fixed set of hardware configurations, and for stronger built-in malware protection than competing operating systems. It also scores highly on usability, with a very carefully thought-out interface.

According to Rostelecom-Solar, in Russian companies, macOS workstations are used on average by 5% to 50% of employees (depending on the specifics of the organization):

  • top management, whose MacBooks contain key financial and economic information and information on strategic business development;

  • IT specialists who hold confidential technical information, databases, and strategic development plans for the company's IT products and services;

  • designers, marketers and other professionals working with contracts, tender documents, customer databases, information about the market development of products and services, etc.

Leakage of such information can lead to quite tangible consequences for companies, including fines and reputational losses.

Using Dozor Endpoint Agent for macOS: Tasks to be solved

With the Solar Dozor DLP system and its Dozor Endpoint Agent for macOS module, company security specialists can, at a minimum, receive and review information about employee actions on workstations. Security policy rules can also be configured and applied so that the system automatically blocks suspicious operations. The following channels are controlled:

  • exchanging messages and files in webmail;

  • communication in social networks and blogs;

  • data transfer in the web versions of Telegram and WhatsApp, and in Skype;

  • publishing data to cloud storage:

    • Cloud Mail.Ru, Yandex.Disk, OneDrive, Google Drive, Dropbox and iCloud – in web browsers;

    • Yandex.Disk and Cloud Mail.Ru – in their desktop applications;

  • connection of external devices (flash drives, external drives, etc.) to workstations via USB;

  • copying information to the clipboard;

  • operations with files (including archives): copying/moving to removable media, network drives and web resources (including using AirDrop technology);

  • sending data for printing;

  • search queries entered by users.

Also Dozor Endpoint Agent for macOS can provide:

  • screenshots of workstation screens taken by the agent;

  • keystrokes entered by employees;

  • data on the time spent by employees in applications and the Internet.

All information collected by the agent is stored in the system and can be displayed on request in both text and graphical form. Reports covering long periods clearly show all of an employee's activity at the workstation. Ultimately this allows security staff not only to detect information leaks and prevent them by taking timely measures, but also to conduct internal investigations of security incidents, identify disloyal or poorly performing employees, and so on.

Fig. 3 – Functions of Dozor Endpoint Agent for macOS: noticeable progress compared to the first release of the macOS agent in September 2021 (that release covered Internet traffic control, local mail interception and data transfer control in WhatsApp and Skype), indicating a high pace of development of the module

Fig. 4 – High-level scheme of operation of Dozor Endpoint Agent for macOS

The latest version of Dozor Endpoint Agent for macOS:

  • runs on workstations with the latest macOS releases – 11.x (Big Sur), 12.x (Monterey), 13.x (Ventura);

  • supports both Intel (x86-64) and Apple silicon (M1/M2) Macs;

  • is compatible with the Kaspersky Endpoint Security for macOS antivirus.

The agent can be installed locally on an individual workstation using a graphical installer, or deployed to a group of Macs at once with MDM/EMM tools (for example, VMware AirWatch or Microsoft Intune). Workstations with the agent installed are managed from the Solar Dozor web interface.

Fig. 5 – Solar Dozor interface, list of macOS workstations with the agent installed: controls

Dozor Endpoint Agent for macOS Key Features

Which agent features will be most in demand can be predicted by tracking trends in data leakage channels. According to research by Rostelecom-Solar analysts, over the past year cloud storage, flash drives and the web versions of instant messengers have become the most common leakage channels, for example in financial institutions. This reflects the Russia-wide tightening of rules on the use of online communication tools at employee workplaces. Accordingly, controlling data transfers to cloud storage and messengers (especially their web versions) and controlling file copies to USB drives are the priority areas for leak prevention.

Another important area for the macOS agent is control over AirDrop file transfers. Apple developed AirDrop specifically for sharing documents, images and other data between nearby Apple devices; it uses Bluetooth for device discovery and a peer-to-peer Wi-Fi link for the transfer itself.

Print control is also worth mentioning: Dozor Endpoint Agent for macOS can not only intercept but also block the printing of documents.

Control of information transfer in messengers: receiving correspondence data in the web versions of Telegram and WhatsApp, as well as Skype

According to Kaspersky Lab (as reported by TASS), in 2023 attackers shifted their focus toward large businesses compared with the previous year. The figures for the same periods of 2022 and 2023 show this:

  • large businesses: 28 million lines of leaked data published online in 2022, against 163 million in 2023;

  • small and medium businesses: 70 million lines in 2022, against 20 million in 2023.

Half of all leaks were published within a month of the data being exfiltrated, and most often the data reached the public through the Telegram messenger.

Dozor Endpoint Agent for macOS now controls data transfer in the web versions of Telegram and WhatsApp on macOS workstations: sent and/or received messages and files are intercepted. In addition, the agent intercepts incoming and outgoing Skype correspondence, both in the application installed on the workstation and in the web version.

All intercepted data can be viewed in the Solar Dozor web interface in the card of the message generated by the agent about correspondence in a particular messenger.

Fig. 6 – Solar Dozor interface, message card: information about a file sent to Telegram Web

Fig. 7 – Solar Dozor interface, message card: details of data sent to WhatsApp Web

Fig. 8 – Solar Dozor interface, message card: details of data sent to Skype

Tracking the publication of data in cloud storage: Cloud Mail.Ru, Yandex.Disk, OneDrive, Google Drive, Dropbox and iCloud – under control

With the latest version of Dozor Endpoint Agent for macOS installed on macOS workstations, file transfers to the Yandex.Disk and Cloud Mail.Ru storage services made through their desktop applications are fully controlled. For example, security policy rules can be configured so that when an employee uploads a file containing business-critical data, the system blocks the upload, creates a high-severity event or incident, and notifies security specialists. You can also choose whether to notify the employee about the policy violation and set the text of that notification.

Both successful and unsuccessful attempts by workstation users to send data to Yandex.Disk or Cloud Mail.Ru are recorded in Solar Dozor and can be viewed in the system's web interface, including the outcome of each attempt: allowed or blocked.

Fig. 9 – Solar Dozor interface, message card: information about a blocked attempt to upload a file to Yandex.Disk

Fig. 10 – Workstation screen: result of blocking a file upload to Yandex.Disk – the file was not sent

Fig. 11 – Solar Dozor interface, message card: information about a blocked attempt to upload a file to Cloud Mail.Ru

Fig. 12 – Workstation screen: result of blocking a file upload to Cloud Mail.Ru – the file was not sent, and the user received a notification about a security policy violation

In addition, Dozor Endpoint Agent for macOS records file uploads made through a web browser to Cloud Mail.Ru, Yandex.Disk, OneDrive, Google Drive, Dropbox and iCloud. If the system is configured to notify security staff as soon as such an upload is registered, they can respond promptly, take appropriate measures and prevent further leakage.

Control of copying/moving files to removable media and network resources: intercepting and blocking operations

Using Dozor Endpoint Agent for macOS together with security policy rules configured in Solar Dozor, you can automatically monitor and, where necessary, block employees' attempts to copy or move files to removable media and/or network resources. The contents of both the files themselves and of archives are checked against the security policy: docx/pdf/txt files are inspected, as are the contents of zip/7z/arj/rar/tar archives.
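To make the content-inspection idea concrete, here is a small added illustration (written for this review, not Solar Dozor's code) of how a content-based check on a copy-to-removable-media event can descend into archives before deciding to allow or block. The rule names, the regular expressions, the nesting limit and the member-size limit are all hypothetical; only zip containers and UTF-8 text are handled, so pdf or other binary formats would need a dedicated text extractor. Because a docx file is itself a zip of XML parts, the same recursion also reaches text inside docx documents.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Hypothetical policy: patterns whose presence in outgoing content is a violation.
POLICY_RULES = {
    "confidential-marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
    "card-number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),  # 16 digits, optional separators
}

MAX_DEPTH = 3                        # do not unpack archives nested deeper than this
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # skip members larger than this (decompression-bomb guard)


@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)  # (rule name, path inside the object)


def _scan_text(text: str, path: str, verdict: Verdict) -> None:
    for name, rx in POLICY_RULES.items():
        if rx.search(text):
            verdict.reasons.append((name, path))


def inspect(data: bytes, path: str, verdict: Verdict, depth: int = 0) -> None:
    """Recursively inspect a blob: zip containers (including docx) are descended into,
    anything else is scanned as text if it decodes as UTF-8."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            # Content we cannot inspect is treated as a violation rather than waved through.
            verdict.reasons.append(("nesting-limit", path))
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}!/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    verdict.reasons.append(("oversized-member", member_path))
                    continue
                inspect(zf.read(info), member_path, verdict, depth + 1)
        return
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return  # binary formats (pdf, images) need a dedicated extractor; skipped here
    _scan_text(text, path, verdict)


def check_copy_to_removable(filename: str, data: bytes) -> Verdict:
    """Decision for a single copy-to-USB event: block if any rule matched anywhere inside."""
    verdict = Verdict(blocked=False)
    inspect(data, filename, verdict)
    verdict.blocked = bool(verdict.reasons)
    return verdict


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: str-or-bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_archive() -> bytes:
    """Constructed sample input: a harmless note, a nested zip with a marked document,
    and a minimal docx-like container (docx is a zip of XML parts)."""
    fake_docx = make_zip({"word/document.xml": "<w:t>Card 4111 1111 1111 1111</w:t>"})
    inner = make_zip({"plan.txt": "Q3 expansion plan. CONFIDENTIAL - do not distribute."})
    return make_zip({
        "readme.txt": "Nothing to see here.",
        "strategy/inner.zip": inner,
        "contract.docx": fake_docx,
    })


if __name__ == "__main__":
    v = check_copy_to_removable("out.zip", sample_archive())
    print("BLOCK" if v.blocked else "ALLOW")
    for rule, where in v.reasons:
        print(f"  {rule}: {where}")
```

The path recorded for each hit (`out.zip!/strategy/inner.zip!/plan.txt`) is what an analyst would want in the message card: which rule fired and exactly where inside the container. Treating archives beyond the nesting limit or above the size limit as violations, rather than silently skipping them, is a deliberate fail-closed choice; a real agent would make that configurable per policy.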

Fig. 13 – Employee workstation screen when an attempt to copy a file to USB is blocked

Fig. 14 – Solar Dozor interface, message card: details of a blocked attempt to copy a file to USB

Fig. 15 – Solar Dozor interface, message card: information about a blocked attempt to copy an archive to a network share

AirDrop channel control: intercepting files and blocking their transfer

Using Dozor Endpoint Agent for macOS together with security policy rules configured in Solar Dozor, you can automatically monitor and, where necessary, block AirDrop transfers initiated from the Finder, from the desktop, or directly from applications.

Fig. 16 – Solar Dozor interface, message card: details of a blocked AirDrop file transfer

Control of data sent for printing: interception and blocking by content

The print control function implemented in Dozor Endpoint Agent for macOS allows the system to:

  • intercept data sent by employees to local, network or virtual printers, regardless of the application from which printing is started;

  • record the fact that a document of any type was printed;

  • check the content of the document sent for printing against the security policy rules (for a multi-page document, only the text of the pages actually sent to the printer is checked, not the whole file);

  • block the print operation if the check finds critical information in the document.

Fig. 17 – Employee workstation screen when an attempt to print a file containing confidential data is blocked

Instead of conclusions: prospects and development plans for Dozor Endpoint Agent for macOS

Despite the import-substitution trend in software and hardware, macOS computers remain in active use in the Russian corporate segment. As noted above, the key users of macOS devices are company top management and representatives of creative professions: designers, developers and marketers.

Users of Dozor Endpoint Agent for macOS include the largest companies in the financial and construction sectors, the IT industry, retail and wholesale trade, and advertising (the media industry). They value unobtrusive monitoring where privileged users are concerned, and proactive response where attempts to move protected information outside the corporate network perimeter are concerned.

One of the most important directions for further development of Dozor Endpoint Agent for macOS is feature parity with Dozor Endpoint Agent for Windows, historically the most functionally mature agent module of the Solar Dozor DLP system.
