Skip to main content

Proxy for Network Inspection

The Windows and macOS endpoint sensors include a built-in inline network proxy designed to inspect network traffic in real time. This proxy capability enhances visibility and allows you to monitor and block unauthorized file uploads and data shares before sensitive information leaves the organization.

To enable this feature, contact Cyberhaven Support.

Key Benefits

Cyberhaven’s inline proxy offers the following benefits.

  • Provides a reliable mechanism for inspecting network traffic without relying on deep kernel-level introspection of application behavior.
  • Deployed seamlessly with the endpoint sensor without requiring additional configuration.
  • Utilizes minimal memory and disk usage to ensure low performance impact on the host operating system.
  • Enables detailed inspection of user activity in applications that are typically difficult to monitor using only the endpoint sensors.
  • Combines the metadata from the inspected traffic with Cyberhaven’s data classification and lineage to give you a complete view of the data movement and user activity.

How it works

When the endpoint sensor is deployed, the proxy intercepts the network traffic in real time before it reaches the application. The intercepted traffic is passed on to the Cyberhaven platform for analysis, where it is correlated with:

  • File content and sensitivity classification
  • User activity
  • Data lineage across files, devices, and apps

The metadata collected by the proxy are shown in the Event details within the Cyberhaven Console. This metadata can then be used in a policy to control data movements. For example, when a user attempts to upload a sensitive file through the Microsoft Teams desktop app, the proxy captures and inspects the request. If the action violates a policy, it can be blocked before the data is transmitted.

The two processes that are responsible for inspecting the traffic are CyberhavenNetworkInspector and CyberhavenNetworkRedirector.

The proxy supports SSL/TLS decryption, which allows the inspection of encrypted data streams.

Deployment

The endpoint proxy is deployed automatically with Cyberhaven Windows sensor version 25.03 onwards. The proxy is activated for supported applications and is currently configured to be used for the Microsoft Teams desktop application.

On macOS, the MDM profile versions 2.0.8 and above include the inline proxy. Although, some MDM solutions may prompt you for a VPN hostname when uploading the Cyberhaven MDM profile. If prompted, enter 127.0.0.1 as the VPN hostname to proceed with the upload. See the individual MDM sections under, Installing the macOS Sensor.

:::info NOTE

On macOS, this feature requires the installation of a self-signed certificate to allow secure traffic inspection. Customer Support can assist with certificate configuration and deployment. :::