Product Guide
Release 9.0.1
COPYRIGHT
Copyright 2010 McAfee, Inc. All Rights reserved. This documentation is protected by copyright and distributed under licenses restricting its use, copying, distribution, and compilation. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without permission of McAfee, Inc. or the suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
All McAfee related products contained herein (including Reconnex) are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee reserves the right to change any products described herein at any time, and without notice. McAfee assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by McAfee. The use and purchase of this product does not convey a license to any patent, copyright, or trademark rights, or any other intellectual property rights of McAfee.

FCC SPECIFICATIONS
Reconnex iGuard, inSight Console, Prevent and Discover, now known as McAfee Network DLP Manager, Monitor, Discover and Prevent, are Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. In a residential area, operation of this equipment is likely to cause harmful interference, in which case the user may be required to take adequate measures. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

PRODUCT INFORMATION
McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein are only by reference and are the sole property of their respective owners. The documentation is provided "as is" without warranty of any kind, either expressed or implied, including any kind of implied or expressed warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.
Contents

Introducing McAfee DLP 9.0
McAfee DLP Products
Product Naming Conventions
Features of McAfee DLP 9.0
How DLP Monitor works
Unified policy features
Incident management features
Discovery features
Directory server integration features
System management features
How Host DLP works
How Network DLP works
Use Cases
Examples
Protecting Confidential Data
Finding leaked documents
Identifying and tracking specific documents
Finding copied or relocated files
Blocking data containing source code
Filtering Results
Finding documents by file type
Finding high-risk incidents
Eliminating false positives from results
Detecting Insider Activity
Monitoring a user's online activity
Identifying disgruntled employees
Finding unencrypted user data
Finding policies violated by a user
Getting statistics on website visits
Finding message board postings
Finding social networking traffic
Finding Rogue Communications
Finding encrypted traffic
Identifying frequent communications
Finding email using non-standard ports
Excluding an IP or email address from detection
Detecting Privacy Violations
Preventing release of privacy information
Blocking transmission of financial data
Protecting Endpoints
Blocking intellectual property residing on endpoints
Keeping IP from being copied to a USB drive
Keeping intellectual property from being printed
Preventing loss of project data from endpoints
Protecting intellectual property at a specific network location
Protecting Global Business
Finding evidence of foreign interference
Finding leaks after global close of business
Filtering captured data
Filtering out configuration-controlled files
Storing a portion of filtered traffic
Searching captured data
How data is captured and processed
Using search features
Basic search processes
How capture works
Adding or subtracting search parameters
Searching with managed systems
Getting notification of results
Getting details and search history
Stopping searches
Cloning searches
Finding documents
How to find documents
Finding Microsoft or Apple documents
Finding documents by type
Finding office documents
Finding proprietary documents
Finding source code
Finding email and chat
How to find email
Finding email by address
Finding email by host name
Finding email by domain name
Finding email by port
Finding email by protocol
Finding email subjects
Finding email attachments
Finding email senders
Finding email recipients
Finding copies of emails
Finding blind copies of emails
Finding webmail by port
Finding webmail by protocol
Finding chat sessions
Finding files
How to find files
Finding file name patterns
Finding files by file type
Finding files by owner
Finding files by size
Finding files by document type
Finding files using MD5 signatures
Finding images
How to find images
Finding images of people
Finding images using a template
Finding IP addresses
How to find IP addresses
Finding a range of IP addresses
Finding IP addresses on a subnet
Excluding incidents using specific IP addresses
Finding keywords
Excluding keywords from a query
Finding exact matches
Finding keyword expressions
Finding keywords using logical operators
Finding non-English matches
How to find keywords
Supported languages
Logical operators supported in keyword queries
Finding locations of violations
Finding sources of violations
Finding violations by website
How to find locations
List of country codes
Finding violations by port
How to find violations by port
Excluding ports from a query
Finding violations by port range
List of common port assignments
Finding violations by protocol
How to find violations by protocol
Excluding protocols from a query
Finding violations in time
How to find time-stamped files
Searching in a relative time frame
Searching in an exact time frame
Searching by file creation time
Searching by file last accessed time
Searching by last modification time
Searching by local or Greenwich Mean Time
Searching with concepts and templates
Using concepts and templates in queries
Using concepts in queries
Using templates in queries
Using concept expressions in a query
Excluding a concept from a query
Understanding search rules
Rules used by the indexer
How archives are handled
Case insensitivity rule
How Microsoft Office 2007 files are handled
Avoiding negative searches
Number of results supported
Parts of speech excluded from capture
How proper names are treated
Handling of short words
Special character exceptions
How word stemming is handled
Monitoring Active Directory users
How remote user accounts are monitored
Using Active Directory User elements
Using DLP on remote LDAP servers
Viewing Active Directory incidents
Adding Active Directory columns to the dashboard
Adding rules to find Active Directory information
Advantages of keying on SIDs
Types of Active Directory data supported
How McAfee Logon Collector is used with DLP
How McAfee Logon Collector enables user identification
Finding remote user information
How remote user data is retrieved
Finding remote users by name
Finding remote users by group
Finding remote users by city
Finding remote users by country
Finding remote users by organization
Getting and processing results
Using the Incidents dashboard
Using the DLP Homepage
Checking Homepage permissions
Configuring the DLP Homepage
Customizing the DLP Homepage
How to use the Homepage
Getting details of results
How to get incident details
Finding matches that triggered incidents
Finding out if an incident is in a case
Getting history of an incident
Identifying concepts that triggered incidents
Generating reports
How reports are generated
Adding a company name to a report
Creating CSV reports
Creating HTML reports
Creating PDF reports
Scheduling reports
Setting up views
How to set up views
Copying views to users
Deleting views
Saving views
Selecting different views
Selecting a view vector
Selecting pre-configured views
Customizing the results dashboards
How dashboards are customized
Adding rows to the dashboard
Changing dashboard display space
Configuring dashboard columns
Displaying match strings
Grouping and filtering incidents
How incidents are grouped and filtered
Clearing filters
Filtering incidents
Grouping incidents
Setting a date and time for results
Sorting results
How to sort results
Deleting incidents
Deleting similar incidents
Finding incidents that violated a policy
Sorting incidents by attribute
Changing settings
How settings are changed
Configuring throttling to limit incidents
Encrypting incidents
Preventing data loss
Protecting data with DLP Prevent, Discover, and Endpoint
Protecting data with DLP Prevent
How DLP Prevent protects data
Adding a DLP Prevent action rule
Applying a DLP Prevent action rule
Types of DLP Prevent actions
The role of DLP Prevent in a managed system
How DLP Prevent processes email
Configuring DLP Prevent for email
How DLP Prevent processes webmail
Configuring DLP Prevent for webmail
MTA requirements to inter-operate with Prevent
Reviewing prevented violations
Protecting data with DLP Discover
How DLP Discover protects data
Adding a remedial action rule
Types of remedial action
Applying a remedial action to a rule
Setting up a location for exported files
Copying discovered files
Deleting discovered files
Encrypting discovered files
Moving discovered files
Reverting remediated files
Reviewing remedial actions
Adding columns to display remedial actions
Protecting data with Host DLP (Endpoint)
Adding an Endpoint action rule
Applying an action to a rule with Endpoint parameters
How Host DLP protects data
Types of DLP Endpoint actions
Protecting endpoint data
Host DLP: Integrated into Network DLP
How Host DLP extends network results
How Network DLP protects endpoints
Creating Agent Override Passwords
Agent events that cannot be reported
Viewing endpoint events
Types of endpoint events
Managing endpoints
How Host and Network policies differ
How Host DLP rules are mapped to Network DLP
Adding endpoints to existing network rules
Limitations of rules with Endpoint parameters
Excluding printers from protection rules
Assigning Host DLP incidents to cases
Searching endpoint data
Limitations of this release
Discovering data at risk
Introducing McAfee DLP Discover
Setting up Discover
Configuring DLP Discover
Adding Discover to Manager
Preparing Discover for managed mode
Republishing Discover policies
Setting Discover registration permissions
Setting Discover scan permissions
Task status messages
System status messages
Registering sensitive content
Registering documents or structured data
How signatures register data
Managing registered documents
Registering documents by uploading
Uploading complete paths with Firefox
Excluding text from registration
Searching with the DocReg concept
Adding the DocReg concept to a rule
Setting signature types
How signatures are shared with managed systems
Managing signature generation memory
Deregistering content
Reregistering content
Crawling databases
Protecting sensitive database content
What is Dynamic Data Registration?
Database types supported
Database object hierarchy differences
Database terminology differences
Registering structured data by uploading
Setting up basic database scans
Advanced Options definitions for database scan operations
Defining catalogs to be scanned
Defining columns to be scanned
Defining logins for a database scan
Defining nodes for database scan operations
Defining ports for a database scan
Defining records/rows to be scanned
Defining schemas to be scanned
Defining SSL certificates for a database scan
Defining tables to be scanned
Managing scans
Managing scan operations
Types of scan states
Viewing scan operations
Modifying the state of a scan
Deploying scans
Starting scans
Stopping scans
Setting bandwidth for a scan
Scanning in full duplex mode
Managing scan load
Editing scans
Deleting scans
Setting up scans
Preparing to scan
Setting up basic scans
Repository types supported
Configuring inventory scans
Configuring discovery scans
Configuring registration scans
Firewall configuration to allow scanning
Managing credentials
Using credentials to access repositories
Viewing existing credentials
Adding credentials
Editing credentials
Deleting credentials
Scheduling scans
Using scan schedules
Viewing scan schedules
Editing scan schedules
Deleting scan schedules
Filtering scans
Defining scans
Filtering scans by browsing
Filtering scans manually
Filtering IP addresses to be scanned
Filtering URLs to be scanned
Filtering file properties for a scan
Filtering folders to be scanned
Filtering shares to be scanned
Setting policies for a scan
Getting scan results
How scan statistic reporting works
Understanding scan results
Viewing incidents found by a scan
Getting reports of scan statistics
Getting database scan statistics
Adding columns to scan statistics
Viewing registered data matches
Viewing scan status
Getting historical statistics
Searching discovered data
Finding discovered data
Finding scan operations
Finding registered files in discovered data
Finding repository types in discovered data
Finding IP addresses in discovered data
Finding host names in discovered data
Finding file name patterns in discovered data
Finding file owners in discovered data
Finding file paths in discovered data
Finding percentages of registered data at rest
Finding share names in discovered data
Finding domain names in discovered data
Finding catalogs in discovered data
Finding schemas in discovered data
Finding column names in discovered data
Finding table names in discovered data
Finding records and rows in discovered data
Storage scanning requirements
Accessing network storage
Accessing Network Attached Storage (NAS)
Accessing Storage Area Networks (SANs)
Host vs. network discovery
How host and network scans differ
How host and network remediation differs
How host and network registration works
Deploying a host package to the agents
Registering documents on host computers
Setting up a host discovery scan
Configuring a policy for host discovery
How host scans are scheduled
Scheduling a host discovery scan
Scheduling a host registration scan
Using policies and rules
How policies and rules are used
Using policies
How policies work
Policy field definitions
Using international policies
Adding policies
Activating policies
Deactivating policies
How activation works
How inheritance works
Changing ownership of policies
Publishing policies
Cloning policies
Renaming policies
Executing policies
Editing policies
Deleting policies
Using rules
How rules work
Adding rules
Viewing rule parameters
Reconfiguring rules for web traffic
Copying a rule to a policy
Detaching rules from policies
Editing rules
Deleting rules
Defining exceptions to rules
What are false positives?
How exceptions to rules are defined
Defining false positive incidents
Adding exceptions to existing rules
Adding new rules that contain exceptions
Correcting inaccurate rules
Tuning rules
Using action rules
How action rules are used
How action rules are deployed
Reacting to violations
Comparing Action to Protection rules
Assigning status to an incident
Applying an action rule
Assigning responsibility for an action
Using action rules to log incidents
Using action rules to notify users
Reconfiguring action rules for proxy servers
Setting up an action
Editing action rules
Cloning action rules
Removing an action from a rule
Deleting action rules
Using concepts and templates
How concepts and templates are used
Using concepts
How concepts are used
Types of concepts
Adding content concepts
Adding network concepts
Adding session concepts
Setting concept conditions
Applying concepts to rules
Using regular expressions in concepts
Restoring factory concepts
Editing concepts
Deleting concepts
Using templates
How templates are used
Adding templates
Viewing standard templates
Removing a template from a rule
Deleting templates
Using the case management system
How case management works
Collecting credit card violations in a case
Adding a new case
Using incidents to create a case
Adding incidents to an existing case
Adding comments to a case
Notifying users about a case
Changing ownership of cases
Changing resolution of cases
Changing status of cases
Customizing Case List columns
Customizing case notifications
Exporting cases
Managing case permissions
Reprioritizing cases
Deleting an incident from a case
Deleting cases
Managing DLP systems
Managing the system
Configuring DLP devices
Configuring DLP devices
Adding devices to DLP Manager
Adding Host DLP servers to DLP Manager
ePO installation issues
Changing link speed
Managing disk space
Backing up DLP systems
Restarting DLP systems
Deregistering devices from DLP
Adding servers to DLP systems
Configuring servers with DLP systems
Setting up DHCP services
Using DHCP servers with DLP
Adding DHCP servers
Setting up directory services
Using LDAP servers with DLP
Adding Active Directory servers
Adding LDAP Users
Configuring Active Directory servers for DLP
Exporting certificates from Active Directory
How ADAM servers extend DLP Manager
Mapping LDAP directory attributes
Setting up McAfee Logon Collector
Using McAfee Logon Collector with DLP
Authenticating DLP Manager and MLC
Setting up syslog and time servers
Using syslog and time servers with DLP
Connecting to syslog servers
Correcting system time in the interface
Resetting system time manually
Synchronizing DLP devices
Managing users and groups
Setting up users and groups
Managing user groups
Working with user groups
Using pre-configured user groups
Adding user groups
Restricting user groups
Deleting user groups
Managing users
Working with users
Adding users
Using pre-configured user types
Changing passwords and profiles
Creating an ePO database user
Using a primary administrator account
Viewing active user sessions
Setting permissions
Assigning permissions
Checking permissions
Setting policy permissions
Setting task permissions
Managing user accounts
Working with user accounts
Customizing login settings
Customizing password settings
Configuring failover accounts
Auditing users
Using audit services
Filtering audit logs
Getting audit log reports
Filtering audit log reports
Auditing live users
Sorting audit log reports
Using capture filters
Working with capture filters
Types of capture filters
Types of capture filter actions
How content capture filters work
Content capture filter actions
Adding content capture filters
How network capture filters work
Network capture filter actions
Ignoring or storing IP addresses
Adding network capture filters
Reprioritizing network capture filters
Deploying capture filters
Editing capture filters
Using undeployed capture filters
Viewing deployed capture filters
Deleting capture filters
Setting up system alerts
Configuring system alerts
Configuring device down alerts
Types of device down alerts
Technical specifications
Understanding specifications
Power Redundancy
Rack Mounting Requirements
Safety Compliance Guidelines
Contacting Technical Support
Contacting DLP Technical Support
Creating a Technical Support Package
Glossary
Index
McAfee DLP Products
- Host DLP
- DLP Monitor
- DLP Discover
- DLP Prevent

NOTE: If you prefer the familiar Host DLP product, it is still available as a standalone product.

DLP 9.0 is organized by incidents and events contained in three different databases, which hold the incidents found on the network, in network repositories, and on endpoints.
Data-in-Motion
Data-in-Motion on the network is captured and parsed into hundreds of different categories by DLP Monitor. All real-time and historical data on the network is searchable, allowing for the creation of rules that adapt to changing content.

Data-at-Rest
Data-at-Rest in network repositories can be inventoried, and sensitive data can be registered automatically by matching it to existing rules and policies. Not only can the contents of documents be recognized and protected, but individual documents can be explicitly protected, singly or in groups. Host DLP defines Data-at-Rest on endpoints by location, document properties, user-defined metadata, file types, text patterns and attributes, encryption types, and user groups.

Data-in-Use
Data-in-Use on endpoints can be matched to the same rules and policies as all other network data, but adding one or more Host parameters makes it possible to keep data from being compromised in a variety of ways. Rule parameters can also be extended to specific shares, network paths, and file or encryption types.
NOTE: In Host DLP 9.0, Data-in-Motion refers to the sources and destinations of endpoints (for example, email, webmail, and printers), and Data-in-Use is categorized by the application that created it.
Features of McAfee DLP 9.0
- Unified policy features
- Incident management features
- Discovery features
- Directory server integration features
- System management features
After capture and classification, incidents can be extracted from the database automatically or manually.

Automatic Extraction
Standard policies are pre-configured to apply rules to classified network data. When a rule hits on a match, an incident is created in the database and reported on the Data-in-Motion dashboards. For example, if the HIPAA policy is deployed, the system identifies and reports any medical privacy violation it finds.

Manual Extraction
Through DLP Manager, you can query all DLP Monitor databases directly using the search options available from the DLP Reporting | Search page. When a query hits on significant data, the search can be repeated regularly by saving it as a rule under a new or existing policy.
NOTE: When a query or rule matches any stored attribute, the entire object to which that attribute belongs is reported to the dashboard as an incident.
Internationalized content
Pre-packaged international rules and concepts supporting local laws and business cases have been added. Ad hoc searches, scans, and document registration can be done in local languages, and dashboards display incidents in local languages.
Databases encrypted
Databases are encrypted, and authorized users can decrypt case, incident and capture data at will.
Reporting is expanded
HTML reports are available for all three incident modes, and PDF reports are now available for Incident Details. Special characters are supported in reports.
Discovery features
In this release, DLP Discover functionality is expanded to support databases, large volumes of data, increased remediation options and additional scan features.
Database types supported:
- DB2, versions 5x iSeries, 6.1 iSeries, 7.x-9.x
- MS SQL Server, versions 7.0, 2000, 2005, 2008, and MSDE 2000
- MySQL (Enterprise), versions 5.0.x, 5.1
- Oracle, versions 8i, 9i, 10g, 11g
Use Cases
Examples

By using one of the following examples as a template, you can solve some common problems quickly.

Protecting Confidential Data
- Finding leaked documents
- Identifying and tracking confidential documents
- Blocking data containing source code
- Finding copied or relocated files

Filtering Results
- Eliminating false positives from results
- Finding high-risk incidents
- Finding documents by file type

Detecting Insider Activity
- Finding message board postings
- Finding policies violated by a user
- Finding social networking traffic
- Finding unencrypted user data
- Getting statistics on website visits
- Identifying disgruntled employees
- Monitoring a user's online activity

Finding Rogue Communications
- Excluding an IP or email address from detection
- Finding email using non-standard ports
- Identifying frequent communications
- Finding encrypted traffic

Protecting Endpoints
- Keeping IP from being copied to a USB drive
- Keeping IP from being printed
- Blocking IP residing on endpoints
- Preventing loss of project data from endpoints
- Protecting IP at a specific network location

Protecting Global Business
- Finding evidence of foreign interference
- Finding leaks after global close of business
Example: Select the Financial and Security Compliance policy and the Financial Statement Documents rule to protect a document that contains sensitive financial information.
5. Select a device that will receive the uploaded file by checking the box of any DLP appliance.
6. If more documents need protection, select Save & Upload Another and repeat the process.
7. Click Save.
TIP: Schedule a Discover scan that will crawl file shares regularly looking for the document.
5. Select a policy that corresponds to your objective. For example, you might use the Competitive Edge policy if your goal is to protect a sensitive sales document.
6. Select a rule that corresponds to your objective. For example, you might use the Pricing Information rule if your goal is to protect a price list.
7. Select one or more DLP devices that will store the uploaded price list.
8. Click Save.
9. On the Web Upload page, click the Details icon of the price list to view its MD5 signature. This unique value is reported whenever a scan finds the document, and it can be searched for in discovery data after a scan has run.
10. Configure a Discover scan and start it.
11. After allowing some time for the document to be found, go to Incidents and click the Columns button.
12. Add the Signature and Path columns to your dashboard.
13. Click Apply.
14. Go to the Incidents page and select Data-at-Rest from the display thumbwheel.
15. Look for the signature of the document in the results under the added columns.
16. If you want to search the Discover database for that signature, right-click it and select Copy.
17. Go to the Advanced Search page.
18. Open File Information.
19. Select MD5 is any of and paste the signature into the Value box.
NOTE: If you find that you are inadvertently pasting in unrelated text, close the program that contains that text and repeat the copy.
20. Click Search.
21. View the Path column for the exact location of the file.
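To make the signature step concrete, the following Python example (added here; it is not McAfee's code, and the product's own signature format is not described on this page) registers a document by its MD5 digest and then walks a constructed repository the way a Discover scan walks a share, reporting the registered name, the signature, and the path of every copy. The file names, the share layout, and the file contents are all constructed for the example. It also shows the limit of an exact-match signature: a renamed copy is found because its bytes are unchanged, while a copy with a single edited byte produces a different digest and is missed, which is why a rule is usually paired with a content concept or keywords rather than a signature alone.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def md5_signature(path: str) -> str:
    """Return the MD5 hex digest of a file, read in chunks so large files
    do not have to be loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def register_documents(paths: List[str]) -> Dict[str, str]:
    """Map signature -> document name, standing in for uploading documents
    for protection (hypothetical helper, not the product's registration API)."""
    return {md5_signature(p): os.path.basename(p) for p in paths}


def discover_scan(root: str, registered: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk a repository and report (registered name, signature, path) for
    every file whose digest matches a registered document."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            sig = md5_signature(full)
            if sig in registered:
                hits.append((registered[sig], sig, full))
    return hits


def demo() -> dict:
    """Constructed repository: an exact copy, a renamed copy, and an edited copy
    of a registered price list. Returns the signature and the paths found."""
    price_list = b"SKU,Price\nA100,42.00\nB200,99.50\n"
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "pricelist_2010.xlsx")
        with open(src, "wb") as f:
            f.write(price_list)
        registered = register_documents([src])

        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "sales", "old"))
        with open(os.path.join(share, "sales", "pricelist_2010.xlsx"), "wb") as f:
            f.write(price_list)                      # exact copy: found
        with open(os.path.join(share, "sales", "old", "notes.txt"), "wb") as f:
            f.write(price_list)                      # renamed copy: still found
        with open(os.path.join(share, "sales", "pricelist_v2.xlsx"), "wb") as f:
            f.write(price_list.replace(b"99.50", b"89.50"))   # one edited value: missed

        hits = discover_scan(share, registered)
        return {
            "signature": next(iter(registered)),
            "paths": sorted(os.path.relpath(p, share) for _, _, p in hits),
        }


if __name__ == "__main__":
    print(demo())
```

The scan keys on the digest, not on the file name, so the Path column is the only thing that tells the two hits apart; that is the reason step 12 adds both the Signature and the Path columns before reading the results.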
6. Click Apply.
7. Click Save as Rule.
NOTE: When you save a search, it becomes a rule.
8. Go to the Policies tab.
9. Open the policy containing the new rule, then click the rule.
10. Click the Action tab.
11. Click Add Action, then select the Block and Notify Sender action.
12. Click Save.
When the rule runs and source code is found, the action rule automatically blocks it, and the sender receives email notification of the action.
TIP: To notify more users, go to Policies | Action Rules, edit the action rule, and click Save.
Filtering Results
Finding documents by file type
You might know that a confidential document you are looking for in your results was created by a Microsoft Office application. You can find that document by filtering incidents to display only documents created by that program.
TIP: If you have a limited number of results to sort through, you can simply click any icon on the dashboard relating to the program. The results will be automatically sorted by that attribute.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Under Filter by Timestamp, select a time frame.
3. Click plus to add a filter.
4. Select Content from the first menu.
5. Select equals from the second menu.
6. Type in the document type, or click "?" and select MSWord from the popup menu. If you know the name of the document, add another element using a Filename equals filter, and type in its name.
7. Click Apply.
The dashboard will reconfigure the results to display the document.
TIP: To add a note to the incident, use the Comments equals filter and type in a text string.
3. Click plus to add a filter.
4. Select Severity from the first menu.
5. Select equals from the second menu.
6. Type in a number from 1 to 5, or click "?" from the third menu and select a Severity checkbox from the popup menu.
7. Click Apply.
8. Click Apply.
TIP: To monitor the user on a regular basis, save the search as a rule. In case of flagrant violations, incidents and events can be collected in a case and delegated to your legal team for use as evidence in court.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select User ID, Host Name, Host IP, or Email Address from the Input Type menu.
3. Type identifying text into the value field.
NOTE: The User ID corresponds to a field found on an LDAP server, so this option cannot be used unless a directory server has been added. A User ID does not necessarily correspond to a single email address, since a user could have more than one email address.
4. If the information is on a remote directory server, click Find and select a category of users, then click Apply. If you select Everyone, the rule will apply to all users on all of your directory servers.
5. If the user is local, click plus to add one or more identifying elements, such as an IP or email address under Source/Destination.
6. Click Search or Save as Rule.
3. Type the words account password into the value field.
4. Click Search.
NOTE: If there are any significant results, alert your IT department.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a time frame from the menu under Filter by Timestamp.
3. Click plus to add a filter.
4. Select Protocol from the first drop-down list, and is any of from the second.
5. Type in HTTP_Post, or click "?" and select it from the popup menu.
6. Click Apply.
7. Click Apply.
TIP: This filter identifies all posting traffic. If you know what web site is being posted to, add a Content equals filter and type in its name (for example, webrats.com).
7. Click Apply.
8. Click Save as Rule.
NOTE: When you save a search, it becomes a rule.
9. Go back to the Policies page.
10. Open the policy containing the new rule, then click the rule.
11. Click the Action tab.
12. Click Add Action, then select the Block and Notify Sender action.
13. Click Save.
When the rule runs and source code is found, the action rule automatically blocks it, and the sender receives email notification of the action.
TIP: To notify more users, go to Policies | Action Rules, edit the action rule, and click Save.
Protecting Endpoints
Blocking intellectual property residing on endpoints
If your intellectual property is referenced in email or webmail communications residing on an endpoint, it can be blocked from being sent to a competitor.
NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Competitor Policy.
3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.
4. Click Save.
5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.
NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You could also do a historical search, then save it as a rule when it returns the type of information you need.
6. Type a name for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Define the intellectual property by selecting keywords, content type, or concepts from the Content menu. You may add values to one or more of the following categories.
- Type in Keywords that may be found in sensitive documents.
- Select Content Type from the menu, click "?" to launch the Content Type palette, and make one or more selections from it.
- Select Concept from the menu and click "?" to launch the definitions palette.
TIP: Inspect the Intellectual Property sub-menu to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the Concepts palette.
NOTE: The following selections are optional, depending on how much you know about what you are looking for.
4. Open Source/Destination and select UserName from the menu.
5. Select is any of or is none of. The latter selection will indicate an exception to the value provided.
6. Click "?" and select from the remote Directory Server List.
7. Click Find and select a category of users, then click Apply. If you select Everyone, the rule will apply to all users on your directory servers.
8. Click plus to add another item under Source/Destination.
9. Select Email Address from the menu.
10. Select is all of or another condition to focus the email address.
11. Type in the domain you want to block.
12. Open Protocol and select Protocol from the menu.
13. Select is any of.
14. Click "?" and select from the Internet Protocols menu. For example, if you suspect intellectual property is being posted, select HTTP_Post.
15. Click Apply.
16. Click the Actions tab, then click Add Action.
NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one of each type to a single rule.
17. Scroll down to the Data-in-Use actions and select the WebPost Reaction or Email Reaction action rule.
NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions column will be applied.
18. After you have finished adding as much information as you have to the rule, click Save and let the policy and rule run. After you get results, tune as needed.
3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.
4. Click Save.
5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.
NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You could also do a historical search, then save it as a rule when it returns the type of information you need.
6. Type a name for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Open Endpoint and select Protect Removable Media from the menu.
9. Click "?", check Enable, and click Apply.
NOTE: This definition, plus an action rule, constitutes a minimal removable media policy. To refine the rule for specific content, add the following definitions.
10. Define content by selecting keywords, content type, or concepts from the Content menu. You may add values to one or more of the following categories.
- Type in Keywords that may be found in sensitive documents.
- Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
- Select Concept from the menu and click "?" to launch the definitions palette.
TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. Open Source/Destination and select UserName from the menu.
13. Select is any of or is none of. (The latter selection will indicate an exception to the value provided.)
14. Click the "?" and select from the remote Directory Server List.
15. Click Find and select a category of users, then Apply. If you select Everyone, the rule will apply to all users on your local and directory servers.
16. Click the Actions tab, then Add Action.
NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one of each type to a single rule.
17. Scroll down to the Data-in-Use actions and select the Removable Media Reaction action rule.
NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions column will be applied.
18. Click Save.
- Type in Keywords that may be found in sensitive documents.
- Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
- Select Concept from the menu and click "?" to launch the definitions palette.
TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. Open Source/Destination and select UserName from the menu.
13. Select is any of or is none of. (The latter selection will indicate an exception to the value provided.)
14. Click "?" and select from the remote Directory Server List.
15. Click Find and select a category of users, then Apply. If you select Everyone, the rule will apply to all users on your directory servers.
NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one of each type to a single rule.
16. Scroll down to the Data-in-Use actions and select the Printer Reaction action rule.
NOTE: Actions are defined and edited on the Actions page. All of the reactions listed in the Actions column will be applied.
17. Click Save.
- Type in Keywords that may be found in sensitive documents.
- Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
- Select Concept from the menu and click "?" to launch the definitions palette.
TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. If the user is known, open Source/Destination and type the username in the Values field.
13. If you want to specify exclusions, go to the Exceptions tab and add project data that may be found, but is irrelevant. When you have finished, click Save.
14. On the Actions tab, click Add Action and specify the action to be taken when the project data is found.
15. Select Removable Media Reaction from the Actions menu to protect the data. The actions that will be taken are listed in the Actions column.
16. Click Save.
Example:
Content: Keywords | contains all of | Project X
Source/Destination: Email Address | contains all of | tjohnson
Endpoint: Protect Removable Media | equals | Enable
Actions: Removable Media Reaction
NOTE: Because dynamically-assigned IP addresses change regularly, hosts that are not local can be identified only if a DHCP server is installed on the network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Open Source/Destination.
3. Select GeoIP Location.
4. Click "?".
5. Select one or more country names from the popup menu.
6. Click Apply.
7. Open Date/Time.
8. Select File Creation Time between and enter before and after values.
9. Click Search.
TIP: If you do not see locations in your results, click Columns and add Source, Destination, Sender or Recipient columns.
3. Type the name AOL_Chat and a description (optional).
4. Select Store from the Action menu to retain that traffic.
5. Open the Protocol category and select Protocol equals from the first drop-down menu.
6. Click "?" and select AOL_Chat from the Protocol popup menu.
7. Click Apply and Save.
8. Click Create Network Filter to create another filter.
9. Give the policy a recognizable name, such as "SSH traffic". Typing a description is optional.
10. Select Ignore from the Action menu.
11. Open Protocol and select Port from the first drop-down list, and source is any of from the second.
12. Type 443 into the value field.
13. Click plus to add a parameter.
14. Repeat the process, but select Port from the first drop-down list, and destination is any of from the second.
NOTE: Traffic through ports and port ranges is bidirectional, so you must define source and destination transmissions separately.
19. Type 443 into the Value field.
20. Check the box of the device on which you want the filter deployed. To decide later, check None.
21. Click Save. A new Ignore filter is added to the existing list.
22. Use the Priority icons to change the order of the filters. The Store filter must run first, because the Ignore filter will eliminate all of the rest of the port 443 traffic.
NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data stream, it must always run last.
23. Let the system run. After some time, you can search for AIM traffic in the captured data on the Incidents page.
NOTE: You need not search or save rules to get results. Standard policies that contain collections of rules automatically search captured data to produce incidents, but you can enter your own queries under the Capture tab.
Click the green plus icon to add an element. Click the red minus icon to subtract an element.
NOTE: If a search is aborted, no notification is sent. Use this task to get notification of search results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.
2. Define a search.
3. Click the Search List tab to view its status.
4. If it is incomplete, continue with other tasks and check back periodically.
TIP: Set up your email client to prompt you when new email comes in.
Stopping searches
Use this task to stop a search that is still running.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Search List.
2. Click Abort.
NOTE: The search must still be in RUNNING mode.
Cloning searches
Use this task to edit a search and save it as a new one.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Type in a search term.
3. On the search list, click Clone Search.
4. Modify the parameters and results.
5. Click on Search to create a new search.
Finding documents
How to find documents
The classification engine sorts all network data into content types. This allows you to search for engineering drawings, different types of source code, office documents, images, and countless other file types. Use this task to find out what documents are available.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open each document category to review its contents.
7. Click Apply.
8. Click Search or Save as Rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email Address from the first menu.
4. Select sender is any of from the second menu.
5. Type one or more recipient names into the value field.
6. Click Search or Save as Rule.
2. Open the Content category.
3. Select Content Types from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Chat category.
7. Select one or more chat protocols.
8. Click Apply.
9. Click Search or Save as Rule.
NOTE: Encrypted chat sessions (for example, Skype and AOL Instant Messenger 6) cannot be captured.
Finding files
How to find files
When the DLP search engine captures files, each attribute is stored as a separate token in the capture database. You can find files by using any of the attributes of a file, such as type, owner, size or signature.
- From the Basic Search menu, you can find files in data at rest by selecting Host Name, Host IP, File Name Pattern, or File Owner.
- From the Advanced Search menu, you can find files in data in motion and data at rest by selecting parameters under File Information, Content | Content Types, or Discover.
Example
Find JPG OR GIFs in a repository: DLP Reporting | Basic Search | File Name Pattern contains *.jpg,*.doc
NOTE: Only OR is supported for file name pattern searches. You can no longer use a space or ampersand to combine terms in a search. Use the green plus icon to add an element instead.
Example
File Size > range > 1024-5000 (must be expressed in bytes)
# md5sum filename
4. Select and copy the resulting hexadecimal number.
5. Open a browser and launch the DLP Monitor or Discover user interface.
6. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP Policies.
7. Click on a rule and open File Information.
8. Select Signature.
9. Select is any of from the Condition menu.
10. Paste the hexadecimal number into the value field.
11. Click Save as Rule.
Finding images
How to find images
Use this task to find images using specific file formats.
TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type.
4. Click "?".
5. Open Images.
6. Select one or more image types.
7. Click Apply.
8. Click Apply.
9. Click Search or Save as Rule.
TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.
3. Select Template.
4. Click "?".
5. Select the Common Image Files template.
6. Click Apply.
7. Click Search or Save as Rule.
TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.
Finding IP addresses
How to find IP addresses
Use this task to search for incidents containing individual IP addresses, a range of addresses, or IP addresses on a subnet.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Enter one or more IP addresses in the value field.
6. Click Search or Save as Rule.
Example
192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25
Example
192.168.4.1-192.168.3.255
6. Click Search or Save as Rule.
Subnet searching is supported whether or not the network and host portions of an IP address are standard classful IP (address fields separated into four 8-bit groups). CIDR notation is also supported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Type the subnet into the value field.
6. Click Search or Save as Rule.
Example
For subnet mask 255.255.255.128, you can use CIDR shorthand to translate the value, for example 192.168.2.1/25.
Example
172.25.3.100-172.25.3.199
6. Click plus to add an element.
7. Select IP Address from the first menu.
8. Select does not equal from the second menu.
9. Type one or more addresses within the range into the value field to exclude addresses from the defined range.
Example
172.25.3.101,172.25.3.197
10. Click Search or Save as Rule.
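The value-field syntax used in the IP address examples above (comma-separated single addresses, dashed ranges, CIDR subnets, and a second list for the does not equal exclusion step) can be checked offline before a rule is saved. The following Python is an added example, not McAfee's code or the product's own parser: how the product evaluates these values, the rejection of a range whose start is after its end, and the use of the standard ipaddress module to turn a dotted mask such as 255.255.255.128 into its /25 prefix are all assumptions made here.

```python
"""Added example (not McAfee's code): evaluates the IP address value-field
syntax shown in this guide -- comma-separated single addresses, dashed ranges
and CIDR subnets -- with an optional exclusion list for the 'does not equal'
step. How the product itself parses these values is assumed, not documented."""
import ipaddress
from typing import List, Tuple


def parse_value_field(value: str) -> List[Tuple[int, int]]:
    """'192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25' ->
    inclusive (first, last) integer ranges, one per element."""
    ranges: List[Tuple[int, int]] = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if "-" in item:                                   # dashed range
            lo_s, hi_s = (s.strip() for s in item.split("-", 1))
            lo, hi = int(ipaddress.IPv4Address(lo_s)), int(ipaddress.IPv4Address(hi_s))
            if lo > hi:
                raise ValueError(f"range start is after range end: {item}")
            ranges.append((lo, hi))
        elif "/" in item:                                 # CIDR subnet
            # strict=False accepts a host address inside the subnet, as in 192.168.2.1/25
            net = ipaddress.IPv4Network(item, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        else:                                             # single address
            addr = int(ipaddress.IPv4Address(item))
            ranges.append((addr, addr))
    return ranges


def matches(address: str, include: str, exclude: str = "") -> bool:
    """True if address is in the 'is any of' list and not in the 'does not equal' list."""
    a = int(ipaddress.IPv4Address(address))
    if any(lo <= a <= hi for lo, hi in parse_value_field(exclude)):
        return False
    return any(lo <= a <= hi for lo, hi in parse_value_field(include))


def mask_to_prefix(mask: str) -> int:
    """Dotted subnet mask to CIDR prefix length: 255.255.255.128 -> 25."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
```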
Finding keywords
Excluding keywords from a query
Use this task to exclude keywords from a query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select contains none of from the second menu.
5. Type one or more keywords into the values field.
6. Click Search or Save as Rule.
NOTE: Custom searches are not supported in this release. If you created a rule in DLP 8.6 using only logical operators, it will no longer run. You must rebuild the query using parameters available in the menus on the rules pages.

Logical Operator | Notation | Different Ways of Expressing the Same Query
AND | AND, and, +, && | Confidential Restricted Secret; Confidential AND Restricted AND Secret; Confidential and Restricted and Secret; Confidential + Restricted + Secret; Confidential && Restricted && Secret
OR | OR, or, || | Confidential OR Restricted OR Secret; Confidential or Restricted or Secret
Grouping | ( ) | (Confidential || Restricted) && Secret; Confidential AND (Restricted OR Secret)
Exclusion | -, ! | Confidential -Restricted -Secret; Confidential !Restricted !Secret
Word stemming | ~ | Confident~ Restrict~ Secret~
Exact match | " " | "Confidential and Secret"
NOTE: All operators, including Exact Match, are case-insensitive. In other words, if you search for a term in ALL CAPS, the system will return that term not only in capital letters, but in initial caps or lowercase as well. Use logical operators (|| or OR) instead of a comma to construct an OR query. You cannot use AND operators between URLs and email fields.
NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type containing the files is specified. Eight other compressed file types are also supported.
Supported languages
- English
- Chinese (traditional)
- Chinese (simplified)
- Korean
- French
- German
- Spanish
- Portuguese
- Dutch
- Polish
- Russian
- Turkish
Examples
These compound queries will produce the same results:
confidential +Eyes Only OR Do Not Distribute secret -security
Confidential "Eyes Only" || "Do Not Distribute" !secret !security
This complex query adds grouping of search terms and use of word stemming:
Confidential + (("Eyes Only" || "Do Not Distribute") || (secret~ or secur~))
This query will find documents containing the word "Confidential" that are also marked EITHER "Eyes Only" or "Do Not Distribute" OR contain variations of the words "secret" or "secure".
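To make the operator notation and these example queries concrete, here is an added Python evaluator (not McAfee's code, and not how the product implements its search) that tokenizes a query in this notation, parses it with the grammar expr := conj (OR conj)*, conj := unary ([AND] unary)*, unary := NOT unary | atom, atom := word | "phrase" | ( expr ), and tests it against document text. Precedence (NOT binds tightest, then AND, then OR), implied AND between adjacent terms, prefix matching for the ~ stem operator, and the simple inflection rule that lets "run" match "running" but keeps "basket" from matching "basketball" are all assumptions made for this illustration.

```python
"""Added example (not McAfee's code): evaluates the keyword query notation in this
guide: AND/+/&&/and, OR/||/or, -/! exclusion, ~ stemming, ( ) grouping, "exact match";
case-insensitive. Precedence NOT > AND > OR, implied AND and matching rules are assumed."""
import re

TOKEN_RE = re.compile(r'\s*(?:("[^"]*")|([()])|(\|\||&&|\+)|([-!])|(\w+~?))')
SUFFIXES = ("s", "es", "ed", "ing")  # constructed list of simple inflections

def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            if query[pos:].strip():
                raise ValueError(f"unsupported character near {query[pos:]!r}")
            break
        pos = m.end()
        phrase, paren, binop, neg, word = m.groups()
        if phrase is not None:
            tokens.append(("PHRASE", phrase[1:-1].lower()))
        elif paren:
            tokens.append((paren, paren))
        elif binop:
            tokens.append(("OR" if binop == "||" else "AND", binop))
        elif neg:
            tokens.append(("NOT", neg))
        elif word.lower() in ("and", "or"):  # word operators, any case
            tokens.append((word.upper(), word))
        else:
            tokens.append(("WORD", word.lower()))
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else "END"
    def take(self):
        if self.peek() == "END":
            raise ValueError("query ended unexpectedly")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.expr()
        if self.peek() != "END":
            raise ValueError(f"unexpected {self.toks[self.i][1]!r}")
        return node
    def expr(self):  # OR: lowest precedence
        left = self.conj()
        while self.peek() == "OR":
            self.take()
            left = ("or", left, self.conj())
        return left
    def conj(self):  # AND, explicit or implied by adjacency
        left = self.unary()
        while self.peek() in ("AND", "NOT", "WORD", "PHRASE", "("):
            if self.peek() == "AND":
                self.take()
            left = ("and", left, self.unary())
        return left
    def unary(self):
        if self.peek() == "NOT":
            self.take()
            return ("not", self.unary())
        return self.atom()
    def atom(self):
        kind, text = self.take()
        if kind == "(":
            node = self.expr()
            if self.take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if kind in ("WORD", "PHRASE"):
            return (kind.lower(), text)
        raise ValueError(f"unexpected {text!r}")

def inflected(word, term):
    if not word.startswith(term):
        return False
    rest = word[len(term):]
    if rest and rest[0] == term[-1]:  # doubled final consonant (run -> running)
        rest = rest[1:]
    return rest == "" or rest in SUFFIXES  # secret/secrets yes, basket/basketball no

def evaluate(node, words, lowered):
    kind = node[0]
    if kind == "word":
        if node[1].endswith("~"):  # stem operator: prefix match (assumed)
            return any(w.startswith(node[1][:-1]) for w in words)
        return any(inflected(w, node[1]) for w in words)
    if kind == "phrase":  # exact match, still case-insensitive
        return re.search(r"\b" + re.escape(node[1]) + r"\b", lowered) is not None
    if kind == "not":
        return not evaluate(node[1], words, lowered)
    left, right = (evaluate(n, words, lowered) for n in node[1:])
    return (left and right) if kind == "and" else (left or right)

def search(query, text):
    lowered = text.lower()
    return evaluate(Parser(tokenize(query)).parse(), re.findall(r"\w+", lowered), lowered)
```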
5. Select checkboxes of one or more countries.
6. Click Apply.
7. Click Search or Save as Rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select is any of from the second menu.
5. Type port numbers (separated by a dash) into the values field.
6. Click Search or Save as Rule.
Example
File Creation Time > between > 16:30:00 and 17:00:00.
Example
Last Accessed > before > 17:00:00
TIP: If a Discover crawl processes more than 50,000 files, the date and time is reported in a yyyyMMddHHmmss format (for example, 20090820120000). Because Microsoft Excel interprets this as a large real number, it is displayed in scientific notation (for example, 2.01E+13). Recover the date by selecting the column, then set the number to zero decimal places under Tools | Format | Cell | Number.
Example
Last Modification Time > after > 13:30:00
Example:
If you are managing a global network, you may expect confidential data to be entering or leaving the network data stream during business hours. But after 5 PM local time, movement of sensitive data may indicate a leak. By creating a rule that tracks sensitive data between the hours of 5 and 6 PM in your Los Angeles, New York, London, and Tokyo offices, you can monitor data at the time most employees are leaving each of those facilities.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Select Date/Time from the first menu.
3. Select Exact Time from the second menu.
4. Select a local or global before, between or after time from the drop-down menus:
Automatic Conversion to GMT (same moment globally) | before | between | after
Local time (same clock time globally) | before (local time) | between (local time) | after (local time)
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.
7. Click Apply.
8. Click Search or Save as Rule.
NOTE: The number of concepts usable in a compound search or a rule is limited only by the number of concepts defined in the system.
Example:
The expression concept:CCN -concept:AMEX (concept:SSN OR concept:EIN) finds credit card numbers that are not American Express AND either Social Security or Employee Identification numbers.
Search rules
- How archives are handled
- Understanding case insensitivity
- How Microsoft Office 2007 files are handled
- Avoiding negative searches
- Number of results supported
- Parts of speech excluded from capture
- How proper names are treated
- Handling of short words
- Special character exceptions
- How word stemming is handled
- If two dictionary words are merged together, the merged word will not be found.
Example:
American and Recovery are two dictionary words. If they are merged into the word AmericanRecovery, they will not be found.
- If a word in a Microsoft Office 2007 document has different fonts and colors, the word will not be read as a whole and will not be found.
Example:
If all the letters in the word Recovery are of different fonts and colors, it will not be found.
Example:
If the word Recovery is spread across two pages (one page contains Rec and the second page contains overy), it will not be found.
- Words in documents that use special Microsoft Office 2007 font features like WordArt, SmartArt, and watermarks will not be found. Words present in macros in Microsoft Office 2007 documents, and headers and footers in PowerPoint and Excel, will not be found.
Exceptions
- Postal codes are reported [AL, CA, CT, TX, NY...]
- Common governmental acronyms are reported [DMV, CIA, DOJ, FAA, NSA, IRS]
Description
- less than/greater than
- parentheses
- backslashes
- markup
- control characters
- escape characters
If you enter any of these characters in a query, you might get one of the following error messages: "Invalid character(s) in the input for the field" or "Search did not complete."
Searching for "basket" to retrieve "basketball" will not return a result. Searching for "run" in "running" will return a result.
NOTE: If the plural of a complete word used in a search is found, the result is reported as if it were a word stem.
But each account on an Active Directory server is made up of attributes that identify the individual who owns the account. McAfee Logon Collector matches the unique SIDs that are assigned to each Active Directory user to IP addresses, and all of the parameters associated with that SID are extracted when MLC moves binding updates from the Active Directory server to DLP.
NOTE: Because SAMAccountName was used to index data in earlier releases, that information may be lost during ad hoc searches when the user has upgraded to 9.0, or when the data residing in the capture database pre-dates the upgrade.
Parameters available
- User Name: user's name, alias, department, location
- User Groups: user's group
- User City: user's city
- User Country: user's country
- User Organization: user's company or organization
Columns available
- User Custom
- UserCity
- UserCompany
- UserCountry
- UserEmail
- UserGroups
- UserID
- UserManager
- UserName
- UserGroup
- UserOrganization
- Network printer
- Network path
- Location
- Tag
- Path
4. Use the Move buttons to move all User columns to the top of the Selected pane.
TIP: If you cannot see the Move buttons, expand your dashboard.
5. Click Apply.
TIP: You can construct a rule to keep administrators, who are responsible for handling privileged information, from being reported as violators.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. From the Actions menu, select Add a Policy.
NOTE: You can skip this step and add a rule to an existing policy, or add Active Directory user parameters to an existing rule.
3. Select Add a rule from the Actions menu.
4. Select a Severity to classify the rule.
5. Set the Inherit Policy State to Enabled to bind the rule to the policy.
6. Open Content and add a keyword, concept, or content type to retrieve specific content (optional).
7. Open Source/Destination and click on a user parameter.
8. Click "?" and select an Active Directory server.
9. Click Find to retrieve all available patterns.
TIP: If you know what you are looking for, you can type it into the search field.
10. Click on one or more patterns and Apply.
11. Add other parameters as needed.
12. If you want to apply an action when a match is found, click on the Actions tab and add one or more.
13. Click Save.
- UserCity (ucity)
- UserCountry (ucountry)
- UserDepartment (udepartment)
- UserGroups (ugroup)
- UserName (uname)
NOTE: These are the parameters that can be used for queries and rules, but incidents that are reported on the dashboard may have more objects available in the database. That information can be viewed by adding columns that can display those fields. The following Active Directory parameters are supported by the standalone Host DLP 9.0.
If your local network is connected through McAfee Logon Collector to remote Active Directory servers, this capability brings your global security problems down to local control.
TIP: When a user parameter is used to bring in remote information, it is best to use it as a key within a larger search or rule. Add other qualifiers to target the information that is needed.
NOTE: Before you can search for user information on remote servers, you will have to add an Active Directory server and establish secure connections between a McAfee Logon Collector and DLP Manager.
TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user group entries.
8. Select one or more groups.
9. Click Apply. The selected groups will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote groups.
11. Click Search or Save as Rule.
4. Select is any of from the second menu.
TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user country entries.
8. Select one or more cities.
9. Click Apply. The selected country's users will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote users of the selected country.
11. Click Search or Save as Rule.
Database vectors
- Data-in-Motion incidents are produced by DLP Monitor when its rules match data in the network stream.
- Data-at-Rest incidents are produced by DLP Discover when a scan finds sensitive data in network repositories or databases.
- Data-in-Use events are produced by DLP Host when data violations are found at network endpoints.
The dashboard tools give you the means to sort through all of the databases to reveal the most significant objects.
Dashboard tools
- Selecting pre-defined views, such as Incident Listing, offers different configurations of the incidents on the dashboard.
- Clicking the List, Group Detail, and Summary buttons displays some typically useful configurations.
- Clicking on any link on the dashboard changes the sorting keys in the Group by pane to reveal different attributes of the incidents.
- Building filters using the Filter by pane offers dozens of options for viewing the data stored in the databases.
- Selecting the Disk or Options icons allows you to save significant collections of data as views or reports.
If you are using DLP through ePolicy Orchestrator, all DLP dashboard tools are available to you. In addition, you can get summaries of the incidents and events on the main ePO dashboards.
TIP: Assign incidents to cases to collaborate on investigating and resolving problems.
Generating reports
How reports are generated
When you save a report, you are saving the content of what you are seeing on the dashboard in PDF, HTML or CSV format.
NOTE: CSV output is limited to 150,000 incidents. The maximum size of the exported report is 5 MB. There are no limits on the number of incidents exported in a case. If you want to save the dashboard settings, save a view instead.
NOTE: An incident that is exported from the dashboard cannot be saved if it is larger than 5 KB.
5. Select Open or Save. If you select Open, the report will open in a web browser. If you select Save, the report will be saved to your desktop.
Creating PDF reports
Use this task to export a report in Adobe PDF format.
NOTE: The maximum number of incidents displayed in the PDF Incident List Report is 5,000. The maximum size of the exported report is 5 MB.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).
3. Click List, Group Detail, or Summary.
4. Select Export as PDF from the Options menu.
5. Select Open or Save. If you select Open, the report will launch if you have Adobe Reader installed. If you select Save, the report will be saved to your desktop.
Scheduling reports
Use this task to set up a report to run on a regular basis and send an email notification.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click the Disk icon.
3. Name the view.
4. Select an owner.
NOTE: Ownership is determined by the group to which a user belongs. If the user's group is not listed, go to DLP Sysconfig | User Administration | Groups and add the group.
5. Click Set as Home View (optional).
6. Click Schedule Reports.
7. Click Types.
8. Fill in the report frequency parameters.
9. Type in the email parameters.
10. Click Save.
Setting up views
How to set up views
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views. Use this page to manage all standard and custom views you have collected. Using a variety of significant data patterns will help you to understand and manipulate the incidents that are found.
TIP: Pull down the Incident Listing menu on the Incidents page and select another view to see how results can be rearranged. Attachments can be displayed if they are under 50 MB. The number of incidents that can be reported is limited to 150,000. After that number is reached, chunks of supporting data are wiped, starting with the oldest incidents first.
Deleting views
Use this task to delete views from the Incident Listing menu.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.
2. Check a view box.
3. Select Delete from the Actions menu.
4. Confirm or cancel.
Saving views
Use this task to save a customized view to the Incident Listing menu.
NOTE: When you save a view, you are storing your current dashboard settings. To save the content you are seeing, create a report instead.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.
2. Select a vector from the Data-in-Motion dashboard menu.
3. Reconfigure your dashboard (optional).
4. Group your results (optional).
5. Filter your results (optional).
6. Click the Disk icon.
7. Name the view.
8. Select an owner.
70
Setting up views
NOTE: Ownership is determined by the group to which a user belongs. Add a group if the user's group is not listed. 9. Check Set as Home View (optional). 10. Schedule a report that will use the view (optional). 11. Click Save.
Select Data-in-Motion from the vector menu to view incidents found in the network data stream. Select Data-at-Rest from the vector menu to view incidents found by scanning repositories. Select Data-in-Use from the vector menu to view events that have occurred on endpoints.
TIP: Customize each view type by sorting, grouping, or filtering incidents. The Incident Listing menu contains a large number of sample views that you can add to by saving your own custom views.
5. Click Apply.
TIP: If you add a column to display ThumbnailMatch images, do not add rows. Moving 1,000 or more incident rows at one time could cause an HTTP request timeout.
Clearing filters
Use this task to clear any filters you have set.
CAUTION: When you finish using a filter, click Clear All, or the configuration will block all other results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Go to Filter by....
3. Click Clear All.
4. Click Apply.
Filtering incidents
Use this task to eliminate irrelevant results that block significant data.
TIP: Before filtering, always define a time frame.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click any view type (List, Group Detail, or Summary).
TIP: You can filter incidents instantaneously by clicking on any cell. The dashboard will immediately display all other incidents that contain the attribute that was selected.
3. Go to Filter by....
4. Set the time frame filter.
5. Click the green plus sign to add a filter.
6. Set another data filter (for example, Content equals MSWord).
NOTE: You can type attributes into the value field, but it is easier to click "?" to launch a popup menu.
7. Click Apply.
8. Add filters that will narrow the results further (for example, Filename equals <filename>).
9. Click Apply.
10. Click the Disk icon to save the configuration (optional).
NOTE: When you finish using a filter, click Clear All, or the configuration will block all other results.
Grouping incidents
Focusing only on relevant categories produces more focused results. Use this task to select up to two group types that will provide a framework for your incidents.
TIP: Before grouping, always set a time frame filter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-at-Rest, Data-in-Motion, Data-in-Use).
3. Click Group Details.
4. In the Group by... pane, select two categories that will act as your primary and secondary sort keys.
5. For each category, select the number of occurrences to display.
6. Click the Disk icon to save the view (optional).
The workspace automatically adjusts to the configuration you define.
NOTE: When you finish using a filter, click Clear All, or the configuration will block all other results.
Use this task to find all results captured at a specific time or within a certain time frame.
NOTE: Time filters are associated with dashboard views. For example, if you select a view different from the default Incident List, you can see the Timestamp and other filter settings change.
TIP: Keep the time setting constant by saving a Home View.
1. Go to Filter by....
2. Select Timestamp (default).
3. Select a time frame from the Anytime menu.
TIP: Click "?" to select a Custom Date.
4. Click Apply.
When you finish using a filter, click Clear All, or the configuration will block all other results.
Sorting results
How to sort results
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents to sort incidents. Sorting allows you to set aside results that are not immediately relevant, but might be significant at a later time.
TIP: Save a view or a report to track your changes.
Deleting incidents
Use this task to delete incidents that do not contain useful information.
NOTE: You can delete over 100,000 incidents from the capture database at one time.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select one or more checkboxes.
TIP: Click the box in the column header to Select All Results on Page if you want to delete more results.
3. Select Delete from the Actions menu.
4. Click OK to confirm, or Cancel.
TIP: You can mark incidents as false positives to prevent them from being retrieved again, or flag them for deletion later.
NOTE: Using this method, you can delete over 100,000 incidents from the capture database at one time.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a category from the Group by... menu.
3. Select All Results or All on Page from the Actions menu.
4. Select Delete from the Actions menu.
5. Click OK to confirm, or Cancel.
TIP: You can mark incidents as false positives to prevent them from being retrieved again, or flag them for deletion later.
Changing settings
How settings are changed
Because DLP systems capture everything on the network (except traffic that is deliberately filtered out using capture filters), you may need to change the settings that determine how many incidents are reported at once and how they are delivered to the dashboard. For example, you might want to expand the number of incidents reported to the dashboard by default while avoiding overburdening the system; you can experiment with different settings by configuring throttling. Similarly, you can comply with PII requirements by encrypting certain elements while managing the system resources consumed in doing so.
Encrypting incidents
Use this task to ensure compliance with PII requirements. When the encryption feature is enabled, two significant files (subject and matchstring) that might contain PII information are encrypted before being stored in the database. They are decrypted before being displayed on the dashboard.
NOTE: This feature is disabled by default to conserve resources.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Policies | Settings | Security Settings.
2. Check the Sensitive Incident Data box to encrypt all incidents found.
3. Check the Encrypt Capture Data box to encrypt the entire capture database.
NOTE: Selecting this option might impede performance.
4. Click Save.
DLP Prevent evaluates email and webmail that has been forwarded from an MTA or proxy server, marks messages that violate active rules with certain actions, and passes them back to the email or webmail server to be enforced. DLP Discover supports remedial actions that can be taken when sensitive or registered content has been detected in a network repository or database. Host DLP uses pre-programmed rules with specific actions that may be deployed online or offline when violations are found at endpoints.
Whether they are generated by Prevent, Discover, or Host DLP devices, incidents and events on DLP dashboards can be resolved manually or automatically. Users can apply actions directly to incidents from the Actions menu, or pre-program rules to automatically trigger specific actions.
- block confidential data breaches
- encrypt authorized transmissions
- quarantine suspicious traffic
- bounce email that violates policies
- notify supervisory personnel
- record incidents in a system log
- allow email that is determined to be legitimate
When violations are found in webmail, the seven DLP actions are reduced to BLOCK and ALLOW.
TIP: Use DLP Prevent to capture network traffic for later forensic analysis, or to block the transmission of sensitive data sent using specific mail protocols (for example, HTTP POST, SMTP_Request, etc.).
5. Open Syslog Notification and select Enable to log the incident (optional).
6. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
7. Open Incident Status to change the stage of resolution when the action takes place (recommended).
8. Select an action from the Data-in-Motion Prevent Action menu.
9. Click Save.
After you have created the action rule, apply it to one or more rules.
Actions
Each action can be configured to automatically notify users that a preventive action has been applied. Each action can also be configured to place a record in a system log, assign the incident to one or more reviewers, or apply a status that indicates its stage of resolution.
By incoming and outgoing, we mean emails that are either being sent to or received from the outside world. By entering and leaving, we mean emails that are entering or leaving the MTA.
Any MTA that is expected to inter-operate with Prevent must comply with the following requirements.
1. Must be capable of sending either all or a portion of outgoing traffic to the Prevent application. DLP Prevent is not typically used to inspect incoming email. Examples of a requirement where only a portion of the traffic needs to be scanned may be environments where only traffic with attachments is to be scanned, or where scanning is limited to traffic directed to public sites (for example, Yahoo).
2. Must be capable of inspecting email headers of messages entering the MTA.
3. Must be capable of taking actions based on specified match expressions for email headers. The specific header received from Prevent is the X header X-RCIS-Action, with the values ALLOW, BLOCK, QUART, ENCRYPT, BOUNCE, REDIR and NOTIFY.
4. Based on the entering port or some other metric, must be capable of distinguishing all emails arriving from the Prevent appliance, then applying header inspection and header-based action rules exclusively to incoming email from Prevent.
5. Must be capable of ensuring that emails arriving from the Prevent appliance are not routed back to the Prevent appliance. This can be done either by using port / source-IP-based mail routing, by checking whether an X-RCIS-Action header already exists in an email scheduled to be routed to the Prevent appliance, or by some other means.
6. Must be capable of implementing all of the Prevent-based actions. If the MTA does not have all of the required capabilities, inter-operation is still possible, but in that case the actions that can be set when rules are created must be limited to those supported by the MTA.
7. Must be able to inter-operate with an email encryption appliance (if this capability is needed) and instruct the encryption appliance to encrypt specific messages based on header information or other metrics.
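The header-driven exchange described in requirements 1 and 3 to 6 above, as an added example (not McAfee's code or any MTA's configuration): a small Python routing function that applies the X-RCIS-Action verdict only to mail arriving on the listener reserved for Prevent's return path, holds any message whose verdict the MTA does not implement, and strips a verdict header from mail on every other path before handing it to Prevent, so that the header-presence check of requirement 5 cannot be satisfied by a sender who sets the header themselves. The return-path port number, the mapping of verdicts to MTA dispositions, the public-site domain list and the sample messages are all constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Header name and verdict values are the ones the guide lists; what the MTA does with
# each verdict is an assumption for this example, not the product's configuration.
ACTION_HEADER = "X-RCIS-Action"
MTA_DISPOSITION = {
    "ALLOW": "deliver",
    "BLOCK": "discard",
    "QUART": "quarantine",
    "ENCRYPT": "route-to-encryption-gateway",
    "BOUNCE": "reject-with-ndr",
    "REDIR": "redirect-to-reviewer",
    "NOTIFY": "deliver-and-notify",
}
PREVENT_RETURN_PORT = 10026          # assumed listener used only by mail coming back from Prevent
PUBLIC_MAIL_DOMAINS = {"yahoo.com"}   # requirement 1 example: scan only mail bound for public sites


def arrived_from_prevent(ingress_port: int) -> bool:
    """Requirement 4: recognise Prevent's return path by the port it arrives on,
    never by the presence of the header itself."""
    return ingress_port == PREVENT_RETURN_PORT


def needs_inspection(msg: EmailMessage, scan_all: bool) -> bool:
    """Requirement 1: send all outgoing mail to Prevent, or only the portion that
    carries attachments or is addressed to a public mail site."""
    if scan_all:
        return True
    if any(True for _ in msg.iter_attachments()):
        return True
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    domains = {addr.rpartition("@")[2].lower() for _, addr in getaddresses(recipients)}
    return bool(domains & PUBLIC_MAIL_DOMAINS)


def route(raw: str, ingress_port: int, scan_all: bool = True) -> tuple[str, EmailMessage]:
    """Decide what the MTA does with one message. Returns (disposition, message)."""
    msg = message_from_string(raw, policy=policy.default)
    if not arrived_from_prevent(ingress_port):
        # Requirement 5: this mail has not been to Prevent yet. A verdict header here is
        # untrusted (a defensive choice made in this example), so drop it before forwarding.
        del msg[ACTION_HEADER]
        return ("send-to-prevent" if needs_inspection(msg, scan_all) else "deliver"), msg
    verdict = (msg.get(ACTION_HEADER) or "").strip().upper()
    # Requirements 3 and 6: act on the verdict; hold anything this MTA cannot implement
    # (including a missing or misspelled header) rather than delivering it.
    return MTA_DISPOSITION.get(verdict, "quarantine"), msg


# Constructed sample messages (not captured traffic).
SAMPLE_OUTSIDE = (
    "From: alice@corp.example\r\nTo: bob@partner.example\r\n"
    "X-RCIS-Action: ALLOW\r\nSubject: forecast\r\n\r\nsee below\r\n"
)
SAMPLE_RETURNED = SAMPLE_OUTSIDE.replace("ALLOW", "BLOCK")
SAMPLE_TO_PUBLIC = (
    "From: alice@corp.example\r\nTo: Bob <bob@yahoo.com>\r\nSubject: hi\r\n\r\nhello\r\n"
)
SAMPLE_WITH_ATTACHMENT = (
    "From: alice@corp.example\r\nTo: bob@partner.example\r\nSubject: report\r\n"
    "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    "--b1\r\nContent-Type: text/plain\r\n\r\nattached\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"q3.xlsx\"\r\n\r\nAAAA\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for name, raw, port in [("outside", SAMPLE_OUTSIDE, 25), ("returned", SAMPLE_RETURNED, PREVENT_RETURN_PORT)]:
        print(name, "->", route(raw, port)[0])
```

The choice to key on the ingress port rather than on the header alone is the point: a header check is a fine loop guard for mail that really came from Prevent, but on the untrusted side the MTA should discard whatever verdict header it finds and let Prevent set its own.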
When a violation is found, a Data-at-Rest action rule can be configured to prevent or correct the situation that produced the incident. NOTE: Remediation is part of the incident workflow, and any time incidents are wiped from the system, remediated files will also be wiped. When violations are found in Data-at-Rest, the remediation feature may be used to do the following:
- Copy files containing violations to another location on the network
- Move files containing violations to another location on the network
- Password-protect files containing violations
- Delete files containing violations
- Notify users of violations found in scanned data
- Record violations found in scanned data in a system log
- Assign incidents to one or more reviewers
- Set a status that indicates the state of resolution
Remediation can be applied directly to incidents reported on the Data-at-Rest dashboard, or pre-programmed by attaching an action rule to rules that produce incidents.
- Copy
- Move
- Encrypt
- Delete
Each action can be configured to automatically notify users that a remedial action has been applied to a violation found in Data-at-Rest. Each action can also be configured to place a record in a system log, assign the incident to one or more reviewers, or apply a status that indicates its stage of resolution.
6. Select a Credential to access the repository, or click New to create a new one using the authentication parameters of an existing account.
7. Click Test to verify read/write access to the repository. If the credential is correct but the test is negative, use Windows Explorer to verify that sharing is enabled and read-write privilege has been granted.
8. In Microsoft Windows Explorer, right-click on the target folder and select Properties.
9. On the General tab, deselect the Read-only checkbox.
10. On the Sharing tab, select Share this folder.
11. Click OK.
12. Click Save, then re-test.
location to leave a record of the remedial process that has been applied.
1. Check the permissions of the file to be deleted.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
3. From the Actions menu, select Add Action Rule.
4. Type a name for the action rule.
5. Open Remediation Policy and select Delete from the Action drop-down list.
6. If you have read and understood the Warning, select the I Accept checkbox.
NOTE: The action can be completed only if there is no conflicting instruction in the rule to which the action rule is attached.
7. Add File Marker Text as appropriate.
TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on the drop-down list. For example, ##Filename found by ##ScanOperation violated ##Policy and was deleted.
8. Click Save.
9. Apply the new action rule to one or more rules.
10. Go to Menu | Data Loss Prevention | DLP Sys Config. Click Discover Configuration. The Scan Operations page is displayed.
11. Select a scan.
12. From the Actions menu, select Rescan.
13. Check results to verify that the file gets deleted.
9. Type in a password and confirm it.
10. Add File Marker Text as appropriate.
TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on the drop-down list. For example, ##Filename found by ##ScanOperation violated the ##Policy and was password-protected. Consult <administrator> for more information.
11. Click Save.
TIP: If you relocate an incident from the dashboard, select its checkbox and select Remediate | Action | <move action rule> from the Actions menu. If you want an incident to trigger a move, add the <move action rule> to the rule and click Save, then start a discovery scan that applies the rule containing the action rule.
5. Click Add to move the column headers to the Selected list.
TIP: To move column headers out of the Selected list, select them, then click Remove.
6. Click the Move buttons to rearrange the placement of column headers.
7. Click Apply.
- If the endpoint data detected is to be encrypted, provide an encryption key. Consult the updated Endpoint Encryption for Files and Folders 4.0 Product Guide for more information.
- If the data detected is significant, select a Severity from the drop-down list.
- If users are to be notified when endpoint data is detected, type in a message. Typing in link text or a URL is optional.
5. Select a Data-in-Use Policy Action.
6. Select from the available actions.
NOTE: Endpoint actions can be taken if the detected device is online or offline. Select one or both.
7. Click Save.
After you have created the endpoint action rule, apply it to one or more rules.
Actions
- Block
- Delete
- Encrypt
- Monitor
- Notify User
- Quarantine
- Request Justification
- Store Evidence
- Tag
The new Host DLP product interface is now known as Endpoint protection and configuration. Events are identified by McAfee Agent and displayed through a Host DLP server on the ePO and DLP Data-in-Use dashboards. For example, data that has been moved, copied, printed or screen-captured from a laptop or desktop to another device or location is monitored and controlled. Endpoints that are protected include desktops, laptops, removable media, and printers.
- Agent enters bypass mode
- Agent leaves bypass mode
- User returned from Safe Mode
- Device plugged in
- New device class found
Types of endpoint events
Host DLP events are generated by the McAfee DLP Agent, which is deployed by the Host DLP Monitor, and any significant events found are displayed through the DLP Manager. Problems identified by the McAfee Agent might include critical system events, rule violations, or events associated with a particular user or computer. The roles users play in an organization determine what types of events they are allowed to view. The events displayed may also include registered and classified content that has been tagged for protection purposes, disallowed user actions, access violations, or detection of a controlled element. Events can be filtered by general, administrative, or outgoing conditions. For example, an administrative event may indicate that an agent or policy state has changed, and an outgoing event may be generated when protected data is in motion.
Managing endpoints
The DLP 9.0 system must be set up to record incidents and events to the Host and Network DLP databases through DLP Manager. Because existing Host DLP operations must not be affected, the default configuration is to allow them. As long as device control, application tagging, and rights management features are not needed, you can manage endpoints with Network DLP. This is done by creating a global policy to enable all of the supported Host DLP features. The policy for host operations must be created on the DLP Sysconfig | Endpoint Configuration | Manage Endpoints page. Its rule definitions are updated on the Host DLP extension every 30 seconds by default, but a different interval can be defined by editing the Time Duration for Posting Policy Definition setting. After the policy is generated, it is posted from DLP Manager to ePO, saved in the ePO database, forwarded to the connected agents, and updated at the defined interval.
NOTE: If you don't check the Generate Policy for Endpoint box, incidents found by the existing policies are sent to the Network DLP databases and reported to the Data-in-Motion dashboard. If the box is checked, incidents and events will be sent to both Host and Network DLP databases, and reported to both the Data-in-Use and Data-in-Motion dashboards.
Multiple endpoints can be added to a rule as a group by creating a template, then selecting it from the menu before saving the rule. Adding frequently-used collections of endpoints to a rule increases its efficiency and scope.
- Email address sender variants
- Email subjects
- GeoIP locations
- User city
- User country
- File size
- Keyword expressions
- Complex Boolean algebra
Device control prevents unauthorized use of removable media (including USB drives), iPods, Bluetooth devices, CDs, and DVDs. Application-based tagging rules are used to monitor or block files created by applications. Digital rights management controls use of digital content not authorized by the content provider.
Setting up Discover
Configuring DLPDiscover
Before DLP Discover can be configured to work in cooperation with other DLP appliances, you must prepare it to run in managed mode, register it to DLP Manager and ePO, and configure policies to find incidents in data at rest. Users who are tasked with registering documents and running scans must be given permission to do so. See Setting Discover scan permissions.
User-defined elements
- Scan tasks
- Schedules
- Credentials
- Scan statistics
- Export locations
- Users and user preferences
Web Upload: Upload documents or structured data to be registered; no deletion or de-registration rights; view the user's own registered documents.
Manage Uploaded Documents: Upload documents or structured data to be registered; view and manage documents uploaded by all users; delete and deregister uploaded files; update and delete excluded text.
Discover Registration: Register documents or structured data.
NOTE: If group permissions are modified, all members will have to log out and log in again.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click User Administration | Groups.
2. Click the Details icon of a group.
3. Select the Task Permissions tab.
4. Open Discover Registration Permissions.
5. Select one or more permissions checkboxes.
6. Click Apply.
Manage Schedules: Create, edit and delete schedules.
Manage Credentials: Create, view, edit and delete credentials.
Manage Scans: Create, view, edit, activate, deactivate and delete scans; register documents; view and export scan statistics, history and registered files; add and view excluded text.
Control Scans: Create new actions; view, start, stop, re-scan, and clone tasks; view and export scan statistics, history and registered files; add and view excluded text.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click User Administration | Groups.
2. Click the Details icon of a group.
3. Select the Task Permissions tab.
4. Open Discover Scan Permissions.
5. Select one or more permissions checkboxes.
6. Click Apply.
NOTE: Policy Execute and Task View Dashboards permissions are required for DLP Discover users to see the Incidents dashboard.
Status messages, with their definition and remedy:
Resource Missing: The path does not exist, or the file may be missing. It was found during the investigation phase (indexing) but is missing during the crawling phase. Remedy: Check on the repository to see if it is really missing. If not, restart the scan.
Configuration Error: The task database may have been corrupted. Remedy: Recreate the task. Call McAfee Technical Support if that does not resolve the problem.
Connection timed out / Incomplete Listing: Cannot connect to the repository while the investigation phase is in progress. Remedy: Reconnect and restart the scan.
Complete: The scan is complete.
Incomplete: The scan is incomplete, probably due to a network error. Remedy: Wait for a while, then rescan.
Incomplete Listing: The repository may have become unavailable.
Server stopped responding: The node is down, there was a network failure, credentials were changed between tasks, or the server is busy.
Task Terminated: The Stop action was applied to the scan operation, the task stopped according to schedule, or it was killed by some extraneous means (for example, a system crash or health check).
Task Terminated / Incomplete Listing: The task stopped (or its scheduled end time arrived) during the investigation phase.
Waiting crawlers busy: The server is busy. Remedy: Wait for a while, then resume the task.
(status message not shown on this page): The repository is busy, too many connections have been made to the repository, or the network is down. Remedy: Wait for the network or repository to idle, then restart the scan.
Account is locked: The account (username) is locked. Remedy: Provide a valid account, or contact the administrator of the repository.
(status message not shown on this page): An incorrect credential has been entered. Remedy: Check the user name, password and domain in the credential, or try another one.
(status message not shown on this page): Authentication was successful.
(status message not shown on this page): Although authentication was successful, you do not have the privilege needed to use the resource. Remedy: Contact your administrator.
Do not have permission to update last access time on repository: Permission to access the repository is needed. Remedy: Supply the correct credentials (read/write access) and restart the task.
Share (or Shares) Inaccessible: A share may be inaccessible because of insufficient user privilege, or because the share is being used exclusively by another process. Remedy: Go to the Filters tab and try to browse to the share.
Socket Communication Failure: Could not establish a socket connection to the database. Remedy: Verify the IP address and port, then restart.
Unknown: This error is rare, but may be related to a configuration error. Remedy: Call Technical Support if the error persists.
Unknown database: The login database given was wrong. Remedy: Provide the correct login database, then restart.
Unsupported database version: The database version on the repository is not supported. Remedy: Check the documentation for supported versions.
- Scanning network devices
- Embedding the DocReg or DBReg attribute in network rules
- Uploading individual files or databases
- Scanning the endpoint and deploying the signature package to the DLP Agent
Crawling a repository using a Registration scan is the most efficient way to create unique signatures for many at-risk documents. The scan can be set to run at regularly scheduled times, or it may be started manually.
Use Web Upload under DLP Policies | Registered Documents to register single documents or objects. Use Data Registration to register groups of documents or database tables.
TIP: All signatures generated by these methods are stored in the DocReg or DBReg system attributes. Embed the DocReg concept in a rule to find registered data on a regular basis, or run an ad hoc query by selecting it from a popup menu.
Example
If your goal is to protect design documents, you might select the High Technology Industry IP policy and the Design Documents Emailed to Competition rule.
5. Click Save or Save, Upload Another.
When you click Save, the signature of the document is added to the DocReg attribute. All web uploaded documents are collected in the DocReg concept; they are treated as a group, not registered individually.
NOTE: If you are using Mozilla Firefox 3.x, you may get an error message advising you of a security risk after clicking Save. The file will be uploaded anyway, but unless you reconfigure Firefox, the complete path to it will not be recorded when using that browser.
NOTE: You can embed the DocReg concept in a rule to regularly match its signatures to data-at-rest or data-in-motion on the network.
Example
If DocReg is added to the PII rule Social Security Number in Documents, it will find signatures only in stationary documents. If DocReg is added to Social Security Number in Email and Instant Messaging Conversations, it will find signatures only in streaming network data.
TIP: If a Registration task is used with the DocReg concept, the rule will also be evaluated by any Discover scan that uses its policy. You must manually configure the rule to include the DocReg concept if you want to register the same document across multiple rules.
High granularity
High granularity signatures provide full plagiarism detection and protection by generating overlapping tiles over every bit of text. The original document can be identified even if words are transposed or the contents differ by a couple of lines of text. If this signature type is used, a percentage of matching signatures can be detected.
Medium granularity
Medium granularity signatures provide basic plagiarism detection and protection by generating tiles over every eighth word. The original document can be identified even if the contents differ by a couple of pages of text.
Low granularity
Low granularity signatures include a single compact digital signature for each document registered. Exact copies of the file can be detected.
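The three granularity levels above, as an added example (not McAfee's signature algorithm, whose tile size and hash are not given on this page): a Python fingerprinter that models high granularity as hashed tiles starting at every word (so tiles overlap), medium granularity as tiles starting at every eighth word, and low granularity as one digest of the whole normalised text, then reports what percentage of a registered document's signatures reappear in a candidate. The eight-word tile width, the truncated SHA-256 digest and the sample documents are constructed assumptions.

```python
import hashlib
import re

TILE_WORDS = 8   # assumed tile width; the guide gives no tile size for the product


def _words(text: str) -> list[str]:
    """Normalise to lowercase alphanumeric tokens so case and punctuation do not break matches."""
    return re.findall(r"[a-z0-9]+", text.lower())


def _digest(tokens: list[str]) -> str:
    return hashlib.sha256(" ".join(tokens).encode("utf-8")).hexdigest()[:16]


def signatures(text: str, granularity: str) -> set[str]:
    """Signature set for one document at the requested granularity.
    low    : one digest of the whole normalised text (exact copies only)
    medium : one tile starting at every eighth word (stride == tile width)
    high   : a tile starting at every word, so adjacent tiles overlap (stride == 1)
    """
    words = _words(text)
    if not words:
        return set()
    if granularity == "low":
        return {_digest(words)}
    stride = {"medium": TILE_WORDS, "high": 1}[granularity]
    if len(words) < TILE_WORDS:            # short document: a single tile covers it
        return {_digest(words)}
    return {_digest(words[i:i + TILE_WORDS])
            for i in range(0, len(words) - TILE_WORDS + 1, stride)}


def match_percent(registered: str, candidate: str, granularity: str) -> float:
    """Share of the registered document's signatures that reappear in the candidate."""
    reg = signatures(registered, granularity)
    if not reg:
        return 0.0
    return round(100.0 * len(reg & signatures(candidate, granularity)) / len(reg), 1)


# Constructed sample documents (41 words; the edit changes the 21st word only).
REGISTERED = ("Design review notes for the new sensor board: the firmware update path must "
              "verify every signature before flashing, the bootloader must refuse unsigned images, "
              "and the vendor keys must be rotated once the pilot units are returned from the field test.")
EDITED = REGISTERED.replace("bootloader must refuse", "bootloader shall refuse")
UNRELATED = "Lunch menu for Thursday: soup, salad, and the usual sandwiches at noon."

if __name__ == "__main__":
    for level in ("high", "medium", "low"):
        print(level, match_percent(REGISTERED, EDITED, level), match_percent(REGISTERED, UNRELATED, level))
```

With a single changed word, high granularity still reports roughly three quarters of the tiles as matching (the eight overlapping tiles that contain the changed word are lost), medium granularity loses the one tile that covers it, and low granularity reports no match at all, which is the trade-off the three levels describe.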
Deregistering content
Use this task to keep registered documents or objects from being identified again by any scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Data Registration. A list of registered items is displayed.
2. From the Actions menu, select Unregister.
When this is done, the registration crawler will exclude the document or object from future registration.
Reregistering content
Use this task to re-register documents or objects that have been deregistered.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Data Registration. A list of unregistered items is displayed.
2. From the Actions menu, select Reregister.
When this is done, the registration crawler will restore the registered document or object.
Crawling databases
Protecting sensitive database content
McAfee DLP Discover can crawl databases to protect known sensitive content or to determine whether files that violate confidentiality are stored there, then return the results of the crawl. You can drill down to the database catalog, schema, table, and column level with a scan, just as you can scan for data at specific levels of a file system hierarchy. There are three ways to register database content:
- Run a registration scan on network devices or storage
- Embed the DBReg attribute in network rules
- Upload individual files or databases
NOTE: The structured data found can be saved to your desktop and uploaded, so that it can be used in subsequent scans. Different database vendors support different object hierarchies, and terminologies can differ from vendor to vendor.
NOTE: Since the configuration of the Filters page depends on the database type chosen, only the relevant objects are displayed.
Example:
Database X might have the hierarchy Database -> Catalog -> Schema -> Table -> Columns/rows
Database Y might have the hierarchy Database -> Schema -> Table -> Columns/rows
The same mechanisms that support registration of flat files also support registration of database records. For example, the DBREG factory default concept collects structured data in the form of comma-separated values found in databases, just as DocREG does for documents.
NOTE: Only MySQL Enterprise is supported. MySQL CE cannot be used for a database scan task because DataDirect, publisher of the JDBC driver used in DLP products, does not support free GPL database versions.
TIP: Try selecting different database types, then go to the Filter tab to observe the options available for each database type. All filters are applied across the database server. For example, if you set the filter "Table=Employees", the crawler will scan all databases and fetch records for tables whose names match "Employees". If you set the filter "Column=LAST_NAME", the crawler will scan all tables and fetch records from the columns named LAST_NAME in any table the crawler can access. To restrict the scan to a particular column in a particular table, enter filters for both the table and column names, and make sure no other table has the same name and similarly-named columns.
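The server-wide filter behaviour in the tip above, as an added example (not the product's crawler or its filter syntax): a Python function that applies Table= and Column= style filters to a constructed catalog of columns the way the tip describes, so that a Table filter alone matches that table name in every database, a Column filter alone matches that column in every table, and even both together still match any database that happens to have a same-named table with a same-named column. It goes slightly beyond the page by also accepting database and schema filters, which the page does not mention; the catalog contents are constructed.

```python
from typing import NamedTuple


class Column(NamedTuple):
    database: str
    schema: str
    table: str
    column: str


# Constructed catalog standing in for what the crawler enumerates on one database server.
CATALOG = [
    Column("hr", "dbo", "Employees", "LAST_NAME"),
    Column("hr", "dbo", "Employees", "SSN"),
    Column("payroll", "dbo", "Employees", "LAST_NAME"),
    Column("payroll", "dbo", "Vendors", "LAST_NAME"),
    Column("crm", "sales", "Contacts", "LAST_NAME"),
    Column("crm", "sales", "Contacts", "EMAIL"),
]

# Filter keys accepted by this example; "database" and "schema" are an extension of the page's Table/Column filters.
FILTER_KEYS = {"database", "schema", "table", "column"}


def select_columns(catalog: list[Column], **filters: str) -> list[Column]:
    """Return every column whose attributes equal all of the given filters.
    Each filter is matched server-wide (exact, case-sensitive match assumed), so
    a single filter never restricts the scan to one database or one table."""
    unknown = set(filters) - FILTER_KEYS
    if unknown:
        raise ValueError(f"unknown filter(s): {sorted(unknown)}")
    return [col for col in catalog
            if all(getattr(col, key) == value for key, value in filters.items())]


def scan_scope(catalog: list[Column], **filters: str) -> set[str]:
    """The distinct database.table pairs a filter set would make the crawler visit."""
    return {f"{col.database}.{col.table}" for col in select_columns(catalog, **filters)}


if __name__ == "__main__":
    print("Table=Employees        ->", sorted(scan_scope(CATALOG, table="Employees")))
    print("Column=LAST_NAME       ->", sorted(scan_scope(CATALOG, column="LAST_NAME")))
    print("both                   ->", sorted(scan_scope(CATALOG, table="Employees", column="LAST_NAME")))
    print("both + Database=hr     ->", sorted(scan_scope(CATALOG, database="hr", table="Employees", column="LAST_NAME")))
```

The last line shows why the tip tells you to check for same-named tables elsewhere: the Table and Column filters together still reach two databases here, and only a narrower scope removes the second one.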
Catalogs may be a collection of related schemas. Because many databases have only one catalog, metadata is sometimes simply called schema information. Schema is a collection of database objects that are owned or have been created by a particular user. Tables are collections of columns arranged in specific orders.
Example
If the data to be protected is of a financial nature, you might select the Banking and Financial sector policy and the Unencrypted Bank Transactions with ABA Routing Number rule.
8. Click Save or Save, Upload Another.
When you click Save, the signatures of the structured data are added to the DBReg attribute. As with the DocReg attribute, signatures are treated as a group, regardless of registration method.
NOTE: If you are using Mozilla Firefox 3.x, you may get an error message advising you of a security risk after clicking Save. The file will be uploaded anyway, but unless you reconfigure Firefox, the complete path to it will not be recorded when using that browser.
- Throttle the bandwidth available to the scan if necessary. See Setting bandwidth for a scan.
- Select On Start or On End to determine if and when you want email notification sent.
NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task start/stop time and the email posting. The end notification is sent at the end of scanning, and file processing might continue after notification.
12. Click Save.
Definition
Specifies the bandwidth when throttling is activated.
A standard email address text box.
Specifies the text of the message. A default message is included. Dynamic variables can be pasted in by clicking them when the cursor is in the text box.
Checkboxes that specify when email is sent.
NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task start/stop time and the email posting. The end notification is sent at the end of scanning. File processing might continue after notification.
Port
If you are using a non-standard port, type the address in the text box. Login Database (for Oracle: SID) SSL Certificate Type the name of the database. For SQL, this is the database instance. For Oracle, the System ID. Certificates are created and saved on the Discover Configuration | SSL Certificates page. Click New to create a new certificate on the fly .
When you have completed the node entries, click Include. You can also Test the database connection.
110
Crawling databases
Option Port
Definition The port is automatically configured, according to the database type. If you are using a non-standard port, type the address in the text box.
q q q q
DB2 50000 Microsoft SQL Server 1433 MySQL 3306 Oracle 1521
When you have completed the node entries, click Include. You can also Test the database connection.
Limit (#Rows)
111
NOTE:You have the option of using an SSLcertificate to identify the database server host and encrypt the data exchanged between database server and the DLPdevice. This is particularly useful if the database server is using a non-standard/self-signed certificate. Client certificate handling is currently not supported. Use these options to determine the SSLcertificate needed for a database scan. Option SSL Certificate Definition Certificates are created and saved on the Discover Configuration | SSL Certificates page. Click New to create a new certificate on the fly.
When you have completed the node entries, click Include. You can also Test the database connection.
Managing scans
Managing scan operations
You can manage one or more scans by applying different states from the Actions menu on the Scan Operations page.
• Launches the Add Scan Operation dialog box.
• Copies the selected scan and opens the Edit Scan Operation dialog box; allows the name and other parameters to be changed.
• Activate: Activates the selected scan; causes the system to fetch files and analyze content.
• Deactivate: Deactivates the selected scan (keeps it from running).
• Start: Starts the scan; fetches only new content.
• Stop: Stops the scan.
• Rescan: Resubmits the scan for tasks that are not running but are in a Ready state. Re-fetches files, re-analyzes all content, and generates new incidents.
• Delete: Deletes the scan.
Up to 100 scans can be queued.
TIP: Configure firewalls and set bandwidth when you set up a scan.
• Ready: Task is ready to run and the user can start tasks.
• Running: Task (crawler) is running.
• Inactive: Task is removed from the schedule queue and cannot be run (even manually). Such tasks must be activated before they can be run.
• Starting: Task is starting and about to run.
• Stopping: Task is stopping.
• Stopped: (Rare) Task was killed or crashed by some unforeseen situation. Such tasks can be started again.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Select the radio button of the scan.
3. From the Actions menu, select a state.
Deploying scans
A scan is deployed when the scan targets are defined. Use this task to identify the Discover and Monitor devices that run the scan and store the signatures.
TIP: On Monitor and Discover appliances managed by DLP Manager, you can store the signatures on more than one DLP device.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Double-click the name of the scan.
3. Select the radio button of an appliance from the Devices checkbox.
TIP: Select None if you want to save a scan, but do not want to run it right away.
Starting scans
Use this task to start a scan.
NOTE: You cannot start a task until it is in Ready state. A new scan will remain inactive until its associated policies are published. If the status column does not display Ready, wait until this happens (you may refresh the screen if you wish). Then click the radio button of the task and select Start from the Actions menu.
NOTE: When you rescan, all files are fetched again and reanalyzed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Note the Last Status column of the scan. If the scan status is Inactive, select the radio button and select Activate from the Actions menu.
3. Select the radio button of the scan.
4. From the Actions menu, select Start.
TIP: Click on the Refresh icon to refresh the status of the scan.
NOTE: If a scan is stopped, you can resume it without restarting by simply selecting Start from the Actions menu.
Stopping scans
Use this task to stop a scan.
NOTE: The task must be in a RUNNING state.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Note the Last Status column of the scan.
3. Select the radio button of the scan.
4. From the Actions menu, select Stop.
NOTE: When you stop a scan, the process pauses, and selecting Start from the Actions menu causes it to resume.
Example:
On a 100-Mbps LAN, limit bandwidth to 50 Mbps to limit the crawler to half of the bandwidth available.
NOTE: If bandwidth is throttled correctly and there is L3 connectivity between networks, Discover can be deployed across a WAN, though object viewing might be slower due to WAN latency. For example, if a 1 Gbps link between Tokyo and London is used, only ~10 Kbps throughput may be available for a CIFS scan.
4. Click Save after completing all other scan parameters.
NOTE: Bandwidth throttling is applied as an average across the entire scan rather than as each individual file is being fetched. A Discover scan might burst above or below the configured throttle limit, but the average throughput measured across the entire scan will remain very close to the configured limit.
• Hard-code the speed and duplex of the Discover appliance to 100 Mbps and full duplex. Ensure that all intermediary devices are either hard-coded to 100 Mbps and full duplex, or validate that all intermediary devices have negotiated to full duplex if configured for automatic negotiation.
• Set the speed and duplex of the Discover appliance to 1000 Mbps and full duplex or to auto-detect. Ensure that all intermediary devices are either hard-coded to 1000 Mbps and full duplex, or validate that all intermediary devices have negotiated to full duplex if configured for automatic negotiation.

• Deleting or creating scans in the same time frame
• Crawlers are running and processing files from an extended scan
• Multiple policies and rules are being decoupled from deleted scans
If a Discover scan appears to have stopped, wait for 30 minutes. If the task does not reactivate, select it and Activate from the Actions menu. If several retries fail, save the scan as a new task to republish all policies, then delete the old task.
Editing scans
Use this task to edit a scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Double-click the name of the scan you want to modify.
3. Make changes in the Edit Scan Operation window.
4. Click Save.
Deleting scans
Use this task to delete a scan.
NOTE: If a scan is in Running state, it must be stopped before it can be deleted.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. By clicking one or more radio buttons, select the scans to be deleted.
3. From the Actions menu, select Delete.
NOTE: Deleting a scan will also clear all scan statistics and the entire history of the scan, and any incidents found by a scan that is later deleted will not be remediable or recoverable.
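The scan states and Actions menu rules described in this chapter, modelled as checks in Python. This is an added example written for this page, not McAfee code. The transition table, the finish() step and the fetched bookkeeping are assumptions used only to exercise the documented rules (Start only from Ready or a stopped scan, Stop only when Running, Rescan re-fetches everything, a Running scan cannot be deleted, at most 100 queued scans).

```python
"""Scan Operations state model.

Added illustration, not McAfee code: it encodes the state names and Actions-menu
rules stated in this guide (Ready, Running, Inactive, Starting, Stopping, Stopped;
Activate, Deactivate, Start, Stop, Rescan, Delete) as checks. The exact transition
table, the ``finish`` step and the ``fetched`` bookkeeping are assumptions made
so the rules can be exercised; they do not describe the product's implementation.
"""
from dataclasses import dataclass, field

MAX_QUEUED_SCANS = 100  # "Up to 100 scans can be queued"


class ScanActionError(Exception):
    """An Actions-menu entry was applied in a state that does not allow it."""


@dataclass
class Scan:
    name: str
    policies_published: bool = False
    state: str = "Inactive"  # a new scan stays inactive until its policies are published
    fetched: set = field(default_factory=set)  # assumed bookkeeping for Start vs Rescan

    def activate(self) -> str:
        # Activate returns an Inactive task to the schedule queue, but a new scan
        # remains Inactive until its associated policies are published.
        if self.state != "Inactive":
            raise ScanActionError(f"{self.name}: Activate applies to Inactive scans only")
        if self.policies_published:
            self.state = "Ready"
        return self.state

    def deactivate(self) -> str:
        # Removes the task from the schedule queue; it cannot run, even manually.
        if self.state == "Running":
            raise ScanActionError(f"{self.name}: stop the scan first (assumed rule)")
        self.state = "Inactive"
        return self.state

    def start(self, repository: set) -> set:
        # You cannot start a task until it is Ready; a stopped scan resumes with Start.
        if self.state not in ("Ready", "Stopped"):
            raise ScanActionError(f"{self.name}: cannot Start from state {self.state}")
        new_files = set(repository) - self.fetched  # Start fetches only new content
        self.fetched |= new_files
        self.state = "Running"
        return new_files

    def stop(self) -> str:
        # Stop requires a Running task; the process pauses until Start resumes it.
        if self.state != "Running":
            raise ScanActionError(f"{self.name}: the task must be in a Running state")
        self.state = "Stopped"
        return self.state

    def finish(self) -> str:
        # Assumed: when the crawler completes, the task is Ready to run again.
        if self.state != "Running":
            raise ScanActionError(f"{self.name}: only a Running scan can finish")
        self.state = "Ready"
        return self.state

    def rescan(self, repository: set) -> set:
        # Rescan resubmits a task that is not running but is Ready: all files are
        # fetched again and re-analyzed, and new incidents are generated.
        if self.state != "Ready":
            raise ScanActionError(f"{self.name}: Rescan applies to Ready scans only")
        self.fetched = set(repository)
        self.state = "Running"
        return set(repository)


class ScanOperations:
    """The Scan Operations page: a queue of at most MAX_QUEUED_SCANS scans."""

    def __init__(self) -> None:
        self.scans: dict = {}

    def add(self, scan: Scan) -> Scan:
        if len(self.scans) >= MAX_QUEUED_SCANS:
            raise ScanActionError("scan queue is full (100 scans)")
        self.scans[scan.name] = scan
        return scan

    def delete(self, name: str) -> str:
        # A Running scan must be stopped before it can be deleted. Deleting also
        # clears the scan's statistics and history.
        if self.scans[name].state == "Running":
            raise ScanActionError(f"{name}: stop the scan before deleting it")
        del self.scans[name]
        return name


def walkthrough() -> list:
    """Run the documented Start/Stop/resume sequence and return the states seen."""
    ops = ScanOperations()
    scan = ops.add(Scan("finance-share"))
    seen = [scan.activate()]                   # still Inactive: nothing published yet
    scan.policies_published = True
    seen.append(scan.activate())               # Ready
    scan.start({"a.doc", "b.xls"})
    seen.append(scan.stop())                   # Stopped
    scan.start({"a.doc", "b.xls", "c.pdf"})    # resumes; fetches only c.pdf
    seen.append(scan.finish())                 # Ready
    return seen
```

walkthrough() returns ["Inactive", "Ready", "Stopped", "Ready"]: the first Activate has no effect because no policy is published, and the second Start after Stop fetches only the file added in between.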
Setting up scans
Preparing to scan
Plan your scan before setting it up. Gather all of the following information.
• Scan mode: Inventory, Registration, or Discover
• Credentials to access the repository
• Database type and version (for database scans)
• IP address, subnet, or range, including required ports
• Login database or SID and SSL certificate (for database scans)
• File systems to be scanned
• Schedule for the scan
• Configuration of firewalls
• Bandwidth to be used
• Projected scan load
• For a Single IP, type the IP Address, then click Include or Exclude to add the IP address to the list.
• For an IP Subnet, type a Base IP and a Subnet Mask. Click Include or Exclude to add the IP subnet to the list.
• For an IP Range, type a Start IP and an End IP. Click Include or Exclude to add the IP range to the list.
Depending on the protocol used, you might have to enter the URL instead.
NOTE: You must include at least one IP address, subnet, or range. Including or excluding additional addresses, subnets, or ranges is optional. See Defining URLs to be scanned.
10. On the Filters tab, filter the scan to define the location to be scanned.
11. On the Advanced Options tab, make the following settings.
• Throttle the bandwidth available to the scan if necessary. See Setting bandwidth for a scan.
• If you do not want the scan to update the file's last access time, select Preserve and run the scan manually.
• Type email notification information. Notification can be sent for scan start or stop or both, with a default message or the message of your choice.
NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task start/stop time and the email posting. The end notification is sent at the end of scanning. File processing might continue after notification.
12. Click Save.
1. Set up a basic scan.
2. Select a Repository Type. This defines the supported protocol that allows DLP Discover to access the repository. See Repository types supported for a list of protocols.
3. Set up filters to define the location to be crawled. The inventory scan identifies all files that are available to be scanned in a targeted repository.
4. Set the Advanced Options. See Setting up basic scans for details.
5. Click Save.
TIP: You can export a report of the index from the Scan Statistics window.
NOTE: You must add at least one policy to create a valid definition.
9. Click Save.
NOTE: Source ports are randomly chosen unless explicitly noted. Network and host-based firewalls typically permit connections only on certain ports and might have to be configured to permit connections on others.
Managing credentials
Using credentials to access repositories
Credentials enabling access to an existing account on a repository are needed before a scan can be created. Some systems may also require a domain name to complete the authentication process. Use these tasks to add, view, edit, or delete credentials.
NOTE: If the data in a file system is openly accessible, you can use the default credential None.
Adding credentials
Use this task to add a credential, which will allow you access to a repository to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Name and describe (optional) the credential.
4. Type a User Name of an existing account.
5. Add a Domain Name (may not be required).
6. Type and confirm the Password.
7. Click Save.
Editing credentials
Use this task to edit a credential that must be modified before it can be used to access a repository.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations | Credentials.
2. Click a credential to display its properties.
3. Modify the parameters, then click Save.
Deleting credentials
Use this task to delete credentials that can no longer be used to access a repository.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations | Credentials.
2. Select one or more credential checkboxes.
3. From the Actions menu, select Delete Selected.
TIP: Click trash can icons to delete credentials one by one.
Scheduling scans
Using scan schedules
Use this task to define a schedule for a scan task. Continuous, periodic and on-demand scans are supported.
NOTE: To schedule a host discovery scan, go to Menu | Policy | Policy Catalog and click on the Discovery Schedule tab of the Agent Configuration settings. See Scheduling a host discovery scan for details.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Schedules.
2. From the Actions menu, select New.
3. Type in a name for the schedule. Typing a description is optional.
4. Set the time parameters for the schedule.
5. Click Save.
Filtering scans
Defining scans
After you decide whether to inventory, register, or discover files in a repository, you must set up filtering, registration, and policy options. The scan definition must include the credentials to be used to access the repository, and a schedule that determines when the scan will be run.
Because Last Access Updating is enabled in all Microsoft Windows operating systems before Vista, the DLP Discover crawler automatically changes the access time of each file it touches. The original timestamps can be preserved by selecting the Preserve Last Access Time checkbox and filtering the scan manually.
NOTE: This feature is applicable only to CIFS and NFS repositories.
Use these tasks to set filters, locations, policies, and other scan parameters.
Database Filtering
Filter definitions allow the scan to look for data at a specific level of the database hierarchy. The hierarchy is specific to the database type, and includes the catalog, schema, table, column, or row level.
CONDITION
• All: Default value; equivalent to no filtering.
• Exact Match: Filters by exact match to the schema/table/column name entered in the VALUE parameter.
• Pattern: Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.
4. Select a target for storage of the signatures by selecting one or more Devices.
5. Click the Filters tab.
6. Click Browse.
7. Click the plus icon to open the repository. If Authentication Failed appears when you filter a repository, check the credential you are using to access it. If authentication succeeds for the repository, but fails for a share, you might not have permission to view it.
8. Select the shares, folders and file properties.
NOTE: For browsing document repositories, only file properties (File pattern and size) are supported for HTTP, HTTPS, FTP and SharePoint. Database repository attributes differ according to database type.
TIP: Use only a single click; double-clicking will duplicate your selection.
9. Click X to close the browse window.
10. Click Save.
Example:
For /home/nfs_local/mydirectory use /%2Fhome%2Fnfs_local/mydirectory, where /home/nfs_local is the name of the exported share and /mydirectory is a directory under this share.
7. Define the folders to be scanned.
8. Define the file properties to use when scanning.
9. Click Save.
Examples
• Single IP address: 192.168.1.0
• IP Range: Type 192.168.3.128-192.168.3.200 and click Include; type 192.168.3.245-192.168.3.254 and click Exclude.
• IP Subnet: 192.168.1.0 255.255.255.0
NOTE: You cannot define a range across subnets; only 255 addresses can be defined at a time (0-254). CIDR is not supported in the address field; dotted decimal notation is required.
7. Click Include or Exclude, as appropriate.
8. Click Save.
9. Define filters and policies.
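Checks for the node definition rules above (dotted decimal only, no CIDR, a range within one subnet of at most 255 addresses), as an added Python example that is not part of the guide or the product. It treats a subnet as the first three octets for the crossing check, expands an IP Subnet entry to host numbers 0-254, and computes the scan's target set as Include entries minus Exclude entries; those three points are assumptions, and the example entries reuse the addresses from the Examples above.

```python
"""Node definition checks for Discover scan targets.

Added example, not McAfee code. Enforces the rules stated in this section: a
Single IP, an IP Range (Start IP-End IP) or an IP Subnet (Base IP + Subnet Mask)
in dotted-decimal notation, no CIDR in the address field, and a range that does
not cross subnets and covers at most 255 addresses (0-254). Assumptions: a
"subnet" for the crossing check is the first three octets, an IP Subnet entry
expands to host numbers 0-254, and the target set is includes minus excludes.
"""
import ipaddress
from typing import List, Set, Tuple

MAX_RANGE_ADDRESSES = 255  # "only 255 addresses can be defined at a time (0-254)"


def _dotted(text: str) -> ipaddress.IPv4Address:
    """Accept dotted-decimal only; CIDR is not supported in the address field."""
    if "/" in text:
        raise ValueError(f"CIDR is not supported in the address field: {text!r}")
    return ipaddress.IPv4Address(text.strip())


def parse_single_ip(text: str) -> Set[ipaddress.IPv4Address]:
    return {_dotted(text)}


def parse_ip_range(text: str) -> Set[ipaddress.IPv4Address]:
    """Expand 'Start IP-End IP', enforcing the single-subnet and size limits."""
    start_text, sep, end_text = text.partition("-")
    if not sep:
        raise ValueError(f"an IP Range needs the form Start IP-End IP: {text!r}")
    start, end = _dotted(start_text), _dotted(end_text)
    if end < start:
        raise ValueError(f"End IP precedes Start IP: {text!r}")
    if start.packed[:3] != end.packed[:3]:  # assumed: subnet = first three octets
        raise ValueError(f"you cannot define a range across subnets: {text!r}")
    count = int(end) - int(start) + 1
    if count > MAX_RANGE_ADDRESSES:
        raise ValueError(f"a range may cover at most {MAX_RANGE_ADDRESSES} addresses")
    return {ipaddress.IPv4Address(int(start) + i) for i in range(count)}


def parse_ip_subnet(base: str, mask: str) -> Set[ipaddress.IPv4Address]:
    """Expand Base IP + Subnet Mask to host numbers 0-254 (broadcast excluded)."""
    network = ipaddress.IPv4Network((str(_dotted(base)), mask), strict=False)
    return {addr for addr in network if addr != network.broadcast_address}


def expand_entry(entry: Tuple[str, ...]) -> Set[ipaddress.IPv4Address]:
    """entry is ('single', ip), ('range', 'start-end') or ('subnet', base, mask)."""
    kind = entry[0]
    if kind == "single":
        return parse_single_ip(entry[1])
    if kind == "range":
        return parse_ip_range(entry[1])
    if kind == "subnet":
        return parse_ip_subnet(entry[1], entry[2])
    raise ValueError(f"unknown node definition type: {kind!r}")


def scan_targets(includes: List[Tuple[str, ...]],
                 excludes: List[Tuple[str, ...]]) -> Set[ipaddress.IPv4Address]:
    """Addresses the scan visits: every Include entry minus every Exclude entry."""
    if not includes:
        raise ValueError("you must include at least one IP address, subnet, or range")
    included = set().union(*(expand_entry(e) for e in includes))
    excluded = set().union(*(expand_entry(e) for e in excludes))
    return included - excluded


# Constructed example using the addresses from this section's Examples.
EXAMPLE_INCLUDES = [("range", "192.168.3.128-192.168.3.200"), ("single", "192.168.1.0")]
EXAMPLE_EXCLUDES = [("range", "192.168.3.245-192.168.3.254")]

if __name__ == "__main__":
    targets = scan_targets(EXAMPLE_INCLUDES, EXAMPLE_EXCLUDES)
    print(len(targets), "addresses;", min(targets), "to", max(targets))
```

With the example entries the scan visits 74 addresses: the 73 in the included range plus the single address, with the excluded range not overlapping either. A range written in CIDR form, or one whose End IP sits in another subnet, is rejected before it reaches the target set.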
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Set the repository to one of the following:
5. Select URL from the Node Definition menu.
6. Type a URL into the URL field followed by a slash, which establishes the boundaries of the scan.
Example:
http://www.yahoo.com/
https://reconnex-host.reconnex.net:8181/dir/
7. Click Include.
8. Click Save.
9. Define filters and policies.
Examples
• Absolute Directory Path > equals > C$/Eng/Network/Drawings
• File Pattern > equals > *.jpg,*.doc
• File Owner > equals > bjones
• File Size > range > 1024-5000 (requires numbers expressed in bytes)
• File Creation Time > between > 16:30:00 and 17:00:00
• Last Modification Time > after > 13:30:00
• Last Accessed > before > 17:00:00
9. Define policies.
10. Click Save.
Examples
• Absolute Directory Path > equals > C$/Eng/Network/Drawings
• Directory Pattern > contains > Human Resources
• Directory Pattern > does not contain > Employee Records
NOTE: All subdirectories matching the pattern will be crawled.
8. Define policies.
9. Click Save.
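The filter rows from the two sets of Examples above, evaluated against a few constructed file records, as an added Python example that is not McAfee code. The records, the AND semantics across the rows of one filter, and the substring reading of Directory Pattern (so that subdirectories under a match are crawled too) are assumptions; the directory filter is taken as the two Directory Pattern rows on their own.

```python
"""Evaluator for Discover file-property and directory filters.

Added example, not McAfee code. Filter rows are written the way this guide
shows them: (attribute, condition, value), for example
("File Size", "range", "1024-5000"). The SAMPLE_FILES records are constructed;
ANDing all rows of a filter and treating a Directory Pattern as a substring of
the directory path (so matching subdirectories are crawled too) are assumptions.
"""
import fnmatch
from datetime import time
from typing import Dict, List, Tuple

Filter = Tuple[str, str, str]

# Constructed sample metadata; times are time-of-day strings as in the guide.
SAMPLE_FILES: List[Dict] = [
    {"dir": "C$/Eng/Network/Drawings", "name": "switch-layout.jpg", "owner": "bjones",
     "size": 2048, "created": "16:45:00", "modified": "14:00:00", "accessed": "16:50:00"},
    {"dir": "C$/Eng/Network/Drawings", "name": "readme.txt", "owner": "bjones",
     "size": 300, "created": "09:00:00", "modified": "09:05:00", "accessed": "09:10:00"},
    {"dir": "C$/Human Resources/Employee Records", "name": "salaries.xls", "owner": "hr",
     "size": 40960, "created": "10:00:00", "modified": "10:30:00", "accessed": "11:00:00"},
    {"dir": "C$/Human Resources/Policies/2010", "name": "leave-policy.doc", "owner": "hr",
     "size": 4096, "created": "16:40:00", "modified": "16:41:00", "accessed": "16:42:00"},
]

_TIME_FIELDS = {"File Creation Time": "created",
                "Last Modification Time": "modified",
                "Last Accessed": "accessed"}


def _t(text: str) -> time:
    hours, minutes, seconds = (int(part) for part in text.strip().split(":"))
    return time(hours, minutes, seconds)


def row_matches(record: Dict, attribute: str, condition: str, value: str) -> bool:
    """Evaluate one filter row (attribute > condition > value) against a record."""
    if attribute == "Absolute Directory Path" and condition == "equals":
        return record["dir"] == value
    if attribute == "Directory Pattern" and condition in ("contains", "does not contain"):
        # Substring match on the path; every subdirectory under a match is crawled too.
        hit = value in record["dir"]
        return hit if condition == "contains" else not hit
    if attribute == "File Pattern" and condition == "equals":
        # A comma-separated list of wildcards, e.g. "*.jpg,*.doc"
        return any(fnmatch.fnmatch(record["name"].lower(), pat.strip().lower())
                   for pat in value.split(","))
    if attribute == "File Owner" and condition == "equals":
        return record["owner"] == value
    if attribute == "File Size" and condition == "range":
        low, high = (int(part) for part in value.split("-"))  # bytes
        return low <= record["size"] <= high
    if attribute in _TIME_FIELDS:
        stamp = _t(record[_TIME_FIELDS[attribute]])
        if condition == "between":
            start, end = (_t(part) for part in value.split(" and "))
            return start <= stamp <= end
        if condition == "after":
            return stamp > _t(value)
        if condition == "before":
            return stamp < _t(value)
    raise ValueError(f"unsupported filter row: {attribute} > {condition}")


def file_matches(record: Dict, filters: List[Filter]) -> bool:
    """All rows of a filter must match (assumed AND semantics)."""
    return all(row_matches(record, *row) for row in filters)


def apply_filter(filters: List[Filter], records: List[Dict] = SAMPLE_FILES) -> List[str]:
    """Return 'dir/name' for every record the filter selects."""
    return [f"{r['dir']}/{r['name']}" for r in records if file_matches(r, filters)]


# The file-property example rows from this section.
PROPERTY_FILTER: List[Filter] = [
    ("Absolute Directory Path", "equals", "C$/Eng/Network/Drawings"),
    ("File Pattern", "equals", "*.jpg,*.doc"),
    ("File Owner", "equals", "bjones"),
    ("File Size", "range", "1024-5000"),
    ("File Creation Time", "between", "16:30:00 and 17:00:00"),
    ("Last Modification Time", "after", "13:30:00"),
    ("Last Accessed", "before", "17:00:00"),
]
# The two Directory Pattern rows from this section, taken on their own.
DIRECTORY_FILTER: List[Filter] = [
    ("Directory Pattern", "contains", "Human Resources"),
    ("Directory Pattern", "does not contain", "Employee Records"),
]
```

apply_filter(PROPERTY_FILTER) selects only switch-layout.jpg (readme.txt fails the File Pattern and File Size rows), and apply_filter(DIRECTORY_FILTER) selects only the file under Human Resources/Policies, because the Employee Records path is excluded by the "does not contain" row.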
NOTE: When you scan all the shares on a system, you do not have to define a filter at all. The default filter will always crawl all the shares on the system with the base directory / (root).
8. From the Shares menu, select equals.
9. Select Exact Match or Pattern from the Condition menu.
TIP: The All condition, indicating that all shares will be scanned, is the default.
10. Type the share name into the Value menu.
11. Define the folders to be scanned, if needed.
12. Define the file properties to use when scanning, if needed.
13. Click Save.
Export File List: Reports the file list at share level (only files of the required share), IP level (only files of a required host), or task level (all files detected by the task across hosts and shares). If there is a single host with a single share, all three reports will be the same.
4. Click Save.
If you have Microsoft Excel installed and are using Internet Explorer, the reports will automatically open in Excel. If not, a CSV text file will launch.
NOTE: Because CSV is a generic ASCII format, it can be opened with any text editor, spreadsheet or database program. If the CSV file is very large (50,000+ records), it will be compressed into a zip file before it is available for opening or saving.
• Click Files Fetched to get a full page report.
• Select Columns and move them to the Available or Selected windows.
• Click the Move buttons to change the display order.
6. Click Apply.
4. Open Share Details per Host.
5. Click on Shares Detected, Shares Crawled, or Shares Failed. Underlines under numbers indicate that there is more information available.
NOTE: The Files yet to be fetched counter increments when new shares are detected and decreases as files are detected and fetched. If a database scan is interrupted when records have been fetched but not processed, those records are not processed when the scan is rerun.
TIP: Select a Report Option to keep a record of the scan after it has completed.
TIP: If you need updates before the scan status is synchronized, click the Refresh button. This action consumes resources, so use it judiciously.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Repository Type from the first drop-down list, and is any of from the second.
3. Click "?".
4. Select one or more repositories.
5. Click Search or Save as Rule.
3. Click "?".
4. Type the IP address of the repository into the value field.
NOTE: You can type in a single address, a range, or a subnet; CIDR notation is supported.
Examples
192.168.3.225
10.1.0-10.0.1.255
172.16.1.1/24
5. Click Search or Save as Rule.
Example
Find a JPG in a database or repository:
Capture | Advanced Search | Discover | File Name Pattern contains *.jpg
Find Microsoft Office Word AND Excel files in a database or repository:
Capture | Advanced Search | Discover | File Name Pattern contains *.xls
NOTE: You can use a keyword with an asterisk (for example, Financ*), but a File Name Pattern search is faster.
7. Click Search or Save as Rule.
1. Go to DLP Reporting | Advanced Search.
2. Open Discover.
3. Select Signature Percentage Match from the first menu.
4. Select greater than from the second menu.
NOTE: Because an exact percentage match is unlikely, you can only ask that the match be greater than the percentage you specify.
5. Enter an integer in the value field.
6. Click Save.
Example:
Find a domain name: DLP Reporting | Advanced Search | Discover | Domain Name contains any of Mercury
When registered text is plagiarized, it is unlikely that a 100% match will be found to the original document, so searching for a match to a percentage of the registered material is more likely to expose intellectual property theft.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Catalog from the drop-down list, then click Search or Save as Rule.
3. Click "?".
4. Type a share name into the value field.
5. Click Search or Save as Rule.
NOTE: On Microsoft Windows computers, the default share is C$.
• Using content categories. Categories can match specific text patterns, dictionaries, or registered document repositories to the files.
• Using file context. You can specify file types, file extensions, document properties, encryption type, and user assignment in the discovery rule.
For host discovery scans, a setting on the Policy tab allows you to delete files instead of quarantining them. In ePolicy Orchestrator, go to Menu | Data Protection | DLP Monitor | Tools | Options.
You will need a release key to release files from quarantine. This is done by generating a challenge key and sending it to the administrator, who issues an Agent Quarantine Release Key.
For network scans, quarantined files can be remediated from the DLP Reporting | Incidents page. No release key is required.
7. Click Next.
8. Select a suitable Schedule type and set the options, date, and schedule parameters. Click Next.
9. Review the task summary. When you are satisfied that it is correct, click Save.
Documents that existed before the location-based tag was defined are not detected by location-based tagging rules unless the user opens or copies the original file from its network location. Registered document classification rules detect all files in the defined folders. If the same confidential content exists in several documents, you need to categorize it only once using a registered document repository. When you use location-based tagging you have to identify every network share where the confidential content is located, and tag each one.
NOTE: If you don't specify any folders for either scan or skip, all folders on the computer are scanned. The only folder that is skipped by default is C:\Windows. The following file types will always be skipped, no matter which folder they are in:
• The specific files ntldr, boot.ini, and .cekey
• Executable files (*.com, *.exe, *.sys)
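The host discovery defaults above as a decision function, an added Python example that is not part of the guide or the agent. The sample paths are constructed, and two points the guide does not state are assumed: a skip folder takes precedence over a scan folder, and the C:\Windows default applies only when no skip folders are configured.

```python
"""Host discovery scan-folder rules.

Added example, not McAfee code. It encodes the defaults stated in this section:
with no scan or skip folders set, every folder on the computer is scanned except
C:\\Windows, and ntldr, boot.ini, .cekey and executable files (*.com, *.exe,
*.sys) are always skipped. Two points the guide does not state are assumptions
here: a skip folder wins over a scan folder, and the C:\\Windows default applies
only when no skip folders are given.
"""
import fnmatch
from pathlib import PureWindowsPath
from typing import Dict, Iterable

ALWAYS_SKIPPED_FILES = {"ntldr", "boot.ini", ".cekey"}
ALWAYS_SKIPPED_PATTERNS = ("*.com", "*.exe", "*.sys")
DEFAULT_SKIP_FOLDERS = (r"C:\Windows",)


def _under(path: PureWindowsPath, folder: str) -> bool:
    """True if path lies inside folder (case-insensitive, as on Windows)."""
    folder_parts = [p.lower() for p in PureWindowsPath(folder).parts]
    return [p.lower() for p in path.parts[: len(folder_parts)]] == folder_parts


def is_scanned(path: str, scan_folders: Iterable[str] = (),
               skip_folders: Iterable[str] = ()) -> bool:
    """Decide whether a host discovery scan would examine this file."""
    target = PureWindowsPath(path)
    name = target.name.lower()
    if name in ALWAYS_SKIPPED_FILES:
        return False
    if any(fnmatch.fnmatch(name, pat) for pat in ALWAYS_SKIPPED_PATTERNS):
        return False
    # Assumed: an explicit skip list replaces the C:\Windows default.
    skips = tuple(skip_folders) or DEFAULT_SKIP_FOLDERS
    if any(_under(target, folder) for folder in skips):
        return False
    # With no scan folders, every remaining folder on the computer is scanned.
    scans = tuple(scan_folders)
    return not scans or any(_under(target, folder) for folder in scans)


def classify(paths: Iterable[str], scan_folders: Iterable[str] = (),
             skip_folders: Iterable[str] = ()) -> Dict[str, bool]:
    """Map each path to the scan decision, for review."""
    return {p: is_scanned(p, scan_folders, skip_folders) for p in paths}


# Constructed sample paths (not from the guide).
SAMPLE_PATHS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\jdoe\Documents\customer-list.xlsx",
    r"C:\Users\jdoe\Downloads\installer.exe",
    r"C:\boot.ini",
    r"D:\Data\q3-forecast.doc",
]

if __name__ == "__main__":
    for path, decision in classify(SAMPLE_PATHS).items():
        print("scan" if decision else "skip", path)
```

With no scan or skip folders, only the two document files in SAMPLE_PATHS are scanned: the hosts file is under C:\Windows, installer.exe matches *.exe, and boot.ini is on the always-skipped list. Naming a scan folder narrows the scan to that folder, and a file inside both a scan folder and a skip folder is skipped.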
1. In ePolicy Orchestrator, go to Menu | Policy | Policy Catalog. From the Product drop-down list, select Data Loss Prevention 9.0.0.0:Policies.
2. Create a new Agent Configuration, or edit an existing one.
3. Click the Discovery Schedule tab. Set the time of day for the scan to start using the thumbwheel.
4. Set the scanning frequency using the option buttons and checkboxes.
5. If you want to run a discovery scan immediately, select Run now.
6. If you want to prevent runs being missed due to the user being logged off, select Resume discovery missed runs after login.
7. Set the start and end dates for discovery scans. Click Save.
Using policies
How policies work
Policies are containers for groups of related rules. When the rules of a policy produce an incident, the navigation pane displays the name of the policy used. However, the Group by menu can be configured to display other attributes as well.
TIP: Select Group by Rule to find out exactly why the incident was reported.
Standard policies are installed on DLP Monitor, Discover or Prevent appliances before shipment. Your geographic location, industry sector, and business type determine which ones are activated during installation, but activation can also be done from the Policies page. Customized policies can be created at any time to address issues specific to your business operations. All standard and customized policies are listed under the Policies tab.
Policy Name
Type in a descriptive name. Use of certain non-alphanumeric characters may generate an error message.
Policy Description
Type in a description (optional).
Owner
Select a group whose members can access the policy. If you are logged in as a member of one of the default groups, only that group is displayed, and other options are not available.
State
Policies must be published to a device to be used, so new policies are inactive by default. If you plan to use the new policy, check one or more boxes under Devices. Those appliances will then match the policy's rules to network traffic or repositories, and report results to the Data-at-Rest or Data-in-Motion dashboards.
Region
In this release, groups of international policies can be used to add rules relevant to specific geographic regions. For example, to define a new policy for Ukraine, select Europe and Middle East from this menu to add the new Ukrainian policy to that regional group. If the EMEA group is not on the menu, select it from the Regional Policy menu on the Policies page and click Add.
Suppress incidents
Check either Data-at-Rest or Data-in-Motion if your purpose is to find incidents only in static network repositories or moving network traffic. Eliminating reporting of irrelevant hits will exclude results that are not useful and improve performance.
Note: Data-in-Use events will display only if DLP Host is installed, and cannot be suppressed if they are found.
Devices
Devices that are attached to DLP Manager are listed so that you can publish the new policy to one or more of the available DLP appliances. If you are not going to publish the policy right away, check None. If you check the Host box, you must already have it installed on DLP Manager.
Asia Pacific: Australia, China, Hong Kong, India, Korea, Singapore, Taiwan
Latin America: Brazil, Mexico
Use this task to add and activate local policies and rules.
1. In ePolicy Orchestrator, go to Menu | DLP Prevention | DLP Policies.
2. Click Add, then confirm or cancel the operation.
3. Select the checkboxes of the appropriate local policies.
4. From the Actions menu, select Activate.
Adding policies
Use this task to add customized policies that address a specific need in your organization.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select Add Policy from the Actions menu.
3. Type in a name and an optional description.
4. Select an Owner.
NOTE: Standard policies are owned by the admin user. If another policy owner is needed but not listed, add the user to an existing group, or create a new one before adding the policy.
5. If you are going to use the policy immediately, set State to Active. An inactive policy cannot produce incidents.
6. If you want to limit the rule to acting on static or moving data, check Data-at-Rest or Data-in-Motion.
7. Select one or more device checkboxes to publish the policy to specific appliances.
TIP: Select None if you want to publish the policy at a later time.
8. Click Save.
9. Go to System | User Administration to assign access rights to the policy.
10. Select Groups, then click the Details icon of a group that will use the policy.
11. Click Policy Permissions.
12. Select the checkboxes of the permissions needed by the group.
13. Click Apply.
14. Click the Policy tab and open the new policy.
15. Add rules to the policy.
Activating policies
Use this task to activate a policy that was not initially activated during installation of DLP appliances. A policy that is inactive cannot find and report incidents to the dashboard.
NOTE: Policies have the default state Inactive. To use a policy, you can activate it while editing or, to activate multiple policies, select the policy checkboxes and select Activate from the Actions menu.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy checkbox.
3. Select Activate from the Actions menu.
4. Verify the change in the State column.
TIP: Rules inherit activation from their policies, but inheritance can be disabled to allow them to run independently.
Deactivating policies
Use this task to deactivate a policy so that it will not produce any incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy checkbox.
3. Select Deactivate from the Actions menu.
4. View the State column of the policy to verify the change.
NOTE: The rules of a policy may be active or inactive, depending on inheritance.
• During installation, check the boxes of the policies to be activated.
• On the Policies page, check the boxes of the policies to be activated, then select Activate from the Actions menu.
• Open a policy and select Active from the State menu.
NOTE: State is inherited by the rules of a policy, but can be disabled to allow rules to run independently.
Publishing policies
Use this task to publish policies to one or more appliances. A published policy is one that is deployed on one or more DLP devices.
NOTE: Policies can be published by checking Device boxes during creation or modification.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select one or more policy checkboxes.
3. Select Modify Devices from the Actions menu.
4. Check the boxes of one or more appliances.
NOTE: If the All Devices deployment target is selected, all rules of all policies that have been activated on DLP Manager will run on all its managed devices. If the appliance to which you need to publish is not listed under Devices, you must first add that device to the system.
5. Click Apply.
6. Select one or more devices from the submenu.
TIP: Select None if you want to publish the policy at a later time.
7. Check the Deployed On column to verify redeployment.
Cloning policies
Use this task to create a new policy that resembles an existing one.
NOTE: You cannot save and edit the rules, but all policy attributes will be replicated.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the policy you want to use as a template.
3. Type in a new name.
4. Type in a new description (optional).
5. Edit other parameters as needed.
6. Click Save As.
7. Verify that the new policy is listed under Policies.
8. Add rules to the policy.
Renaming policies
Use this task to rename a policy.
NOTE: If you rename a policy, you will lose incidents already found by its rules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Type in a new name and description (optional). When you start typing, a Save As button will pop up.
4. Click Save.
NOTE: No confirmation is required. The new policy is immediately added to the policy list.
Executing policies
Use this task to assign policy permissions to users.
NOTE: Users tasked with viewing incidents and events must have Execute Policy permission, because policies have been used to find them.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | System | User Administration.
2. Click on the Details icon of the user's group.
3. Click on the Policy Permissions tab.
4. Open Policies.
5. Select one or more Execute checkboxes corresponding to the policies to be used to find incidents.
6. Click Apply.
Editing policies
Use this task to modify the parameters of a policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the policy.
3. Modify one or more parameters.
4. Click Save.
Deleting policies
Use this task to delete policies.
NOTE: You can delete a policy only if you own it.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select one or more policy checkboxes.
3. Select Delete from the Actions menu.
TIP: To delete policies one by one, click the trash can icons.
Using rules
How rules work
Rules define patterns that are matched against network or endpoint data to identify violations of policy. When a rule hits on a data match, an incident or event is saved in a database and reported to the dashboard. NOTE: Only active rules report results, and the system cannot manage more than a total of 512 active rules. To activate a 513th rule, you must deactivate an active rule. TIP: User permissions, including the ability to create or use rules, depend on group membership. Group permissions are displayed under DLP Sysadmin | User Administration | <Details> | Groups | Task Permissions | Policy Permissions.
Adding rules
Use this task to add a rule to a policy. You can also search captured data and save the search as a rule, which is the approach these steps describe.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.
2. Enter a query and examine the results.
3. If the results are useful, and you want to run the query on a regular basis, click Save as Rule. The Edit Rule page launches.
4. Type in a rule name.
5. Assign the rule to a policy by selecting an appropriate one from the Policy menu.
6. Select a Severity to classify the rule.
7. Set the Inherit Policy State to Enabled to bind the rule to the policy.
8. Make any changes or additions to the rule's parameters.
9. Click Save as Rule.
TIP: If you want to tune the rule, select the Disabled state and run it apart from the policy until it is perfected.
4. Open the categories under the Define, Actions and Exceptions tabs.
5. View any of the defined parameters.
Editing rules
Use this task to modify the parameters of a rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Click on a rule.
4. Modify one or more parameters.
5. Click Save.
NOTE: Inactive rules that belong to standard policies are automatically activated when they are saved.
Deleting rules
Use this task to delete one or more rules from a policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Select one or more rule checkboxes.
4. Select Delete from the Actions menu.
TIP: To delete rules one by one, click the trash can icons.
- Add new rules that contain exceptions
- Add exceptions to an existing rule
- Use existing incidents to build more accurate rules
- Define an incident that has already been detected as a false positive
TIP: To prevent false positive matches, tune rules after they are created using historical data.
6. Type in a Note describing the exception.
7. Using the existing categories, define each aspect of the exception.
8. Click Save.
NOTE: Exceptions apply to real-time searches only. You cannot use Test Rule because it is available only when tuning rules, which requires historical data.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | Incidents.
2. Find an incident that contains useless or insignificant information.
3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.
4. Check the boxes of the rules you want to define as exceptions, or Select All Results from the Actions menu. TIP: Check the box in the table header to select all incidents on the current page.
5. From the Actions menu, select Modify Status | False Positive | Create Exception.
6. When the Edit Rule page launches, define the exception by adding or deleting parameters. NOTE: When an exception is created from the Actions menu, the Edit Rule page is populated with the current values of the rule under the Exceptions tab. This makes it easy to edit those elements to prevent a similar incident from being reported again.
7. Type some text describing the exception in the Notes box.
8. Click Save.
Tuning rules
Use this task to tune rules, and save the search when all extraneous search terms have been eliminated. Tuning is done by running multiple searches on historical data and gradually tightening conditions and parameters with each modification.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select Rule from the Group by menu.
3. Click on a rule that produces some useful results.
4. Make a note of incidents that include irrelevant information.
5. Go to Policies.
6. Click on the policy of the rule that produced the hits.
7. Click on the rule that produced the hits.
8. In Inherit Policy State, click Disabled. NOTE: Disabling inheritance allows the rule to run independently of the other rules in the policy, allowing for multiple revisions.
9. On the Define tab of the rule, remove any parameters that are producing false positives. TIP: Using the conditions is none of or contains none of will help to eliminate extraneous information.
10. Click on Test Rule to start searching the historical data for a match.
11. Go to Incidents and inspect the results.
12. Repeat the process until all incidents contain useful information.
13. Reset Inherit Policy State to Enabled.
14. Click Save as Rule.
A Data-in-Motion action rule applies preventive actions to incidents found by Monitor in network data. A Data-at-Rest action rule applies corrective actions to incidents found by Discover after scanning a repository. A Data-in-Use action rule is applied when a specific event takes place on an endpoint.
An action rule can be applied to data in motion if DLP Prevent is configured with an MTA or proxy server and registered to DLP Manager. An action rule can be applied to data at rest if DLP Discover crawls a repository and finds files that should be remediated. An action rule must be applied to data in use if any rule acts on an endpoint event.
NOTE: If Monitor and Discover devices are both managed by DLP Manager, every rule can be configured to deploy one action of each of the three incident types.
Reacting to violations
When DLP Prevent is deployed with an MTA or proxy server, problems found in email and webmail can be identified and resolved immediately by associating an action with a rule. For example, DLP Prevent might use action rules to:
- block confidential data breaches
- encrypt authorized transmissions
- quarantine suspicious traffic
- bounce email that violates policies
- notify supervisory personnel
- record incidents in a system log
- allow email that is determined to be legitimate.
TIP: Use DLP Prevent to capture network traffic for later forensic analysis, or block the transmission of sensitive data sent using specific protocols (for example, HTTP, SMTP, HTTP POST, etc.).
In this release, a single Action rule can be attached to many different rules. Each of the rules to which the action has been added can deploy that action once to network data in motion, data in repositories, or data in use at endpoints.
Several actions can be combined in a single Action rule. For example, when a rule hits, the file found may be blocked or quarantined, its sender may be notified, and it may be assigned to a group for investigation.
- In the Host DLP 9.0 standalone product, reactions are pre-configured when a Protection rule is defined. They may be applied to different endpoints under a variety of circumstances.
Reactions can vary, depending on what action is to be taken and whether the endpoint is on- or offline (in contact with a domain controller) when the violation occurs.
NOTE: Only one reviewer can be assigned to an action rule, but a user group can be considered a single reviewer.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. Open the Incident Reviewer category.
4. From the drop-down list, select a reviewer.
5. Click Save.
NOTE: The Subject and Message fields accept dynamic variables, enabling you to set up automatic responses to routine situations. TIP: You can use Dynamic Variables to alert users to details of the violation automatically. For example, ##Filename found by the ##Rule violated the ##Policy.
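The substitution that the NOTE and TIP above describe, written out as an added Python example; this is not code from the product or from this guide. It assumes that a dynamic variable is a ## prefix followed by a field name, as in the ##Filename / ##Rule / ##Policy example, and that the incident's fields are available as a dictionary; the product's own expansion rules are not documented on this page. Markers that name no known field are left visible rather than silently blanked, so a typo in a template shows up in the delivered notification, and expansion is a single pass so incident data can never introduce further variables.

```python
import re
from typing import Dict, List, Mapping

# Assumed marker syntax: "##" followed by a field name, as in the guide's
# "##Filename found by the ##Rule violated the ##Policy." example.
VARIABLE_RE = re.compile(r"##([A-Za-z][A-Za-z0-9]*)")


def render_notification(template: str, incident: Mapping[str, object]) -> str:
    """Expand ##Variables in a Subject or Message template from incident fields.

    Expansion is a single pass: a value that itself contains "##" is inserted
    literally and never re-expanded, so incident data cannot inject further
    variables. Unknown markers are preserved verbatim.
    """
    def expand(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in incident:
            return str(incident[name])
        return match.group(0)  # unknown variable: leave the marker visible

    return VARIABLE_RE.sub(expand, template)


def unresolved_variables(template: str, incident: Mapping[str, object]) -> List[str]:
    """Marker names in a template that the incident cannot fill.

    Useful as a pre-save check on an action rule's notification text.
    """
    return sorted({n for n in VARIABLE_RE.findall(template) if n not in incident})


# Constructed sample incident, not data from the guide.
SAMPLE_INCIDENT: Dict[str, object] = {
    "Filename": "payroll_q3.xlsx",
    "Rule": "SSN in spreadsheet",
    "Policy": "PII",
    "Severity": "High",
}

SUBJECT_TEMPLATE = "[##Severity] ##Policy violation: ##Filename"
MESSAGE_TEMPLATE = "##Filename found by the ##Rule violated the ##Policy."

if __name__ == "__main__":
    print(render_notification(SUBJECT_TEMPLATE, SAMPLE_INCIDENT))
    print(render_notification(MESSAGE_TEMPLATE, SAMPLE_INCIDENT))
    print(unresolved_variables("Sent by ##Sender", SAMPLE_INCIDENT))
```

Running the block renders the guide's example message from the constructed incident and reports ##Sender as unresolved, which is the check worth running before an action rule's notification text is saved.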
Setting up an action
Use this task to set up an action that will be taken whenever a rule identifies an incident or event.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. From the Data-in-Motion or Data-at-Rest Actions menu, select Add Action Rule. You can configure one rule for each vector. NOTE: See Setting up an Endpoint action rule to add an action rule to the Data-in-Use vector.
3. Type a name for the action rule. Typing a description is optional.
4. Enabling email and syslog notification is optional.
5. From the Incident Reviewer and Incident Status menus, select from the drop-down lists.
6. Depending on the Actions menu selected, select a Prevent or Remediation action and supply the required parameters.
7. Click Save.
NOTE: Network DLP policies contain collections of related rules, while Host DLP rules are all part of a single global policy.
Using concepts
How concepts are used
Content concepts, the most common type, find collections of significant data related to a single issue in application data. Most of the concepts that are shipped with your DLP appliances are listed under the User Defined tab. Only a few Factory Default concepts are constructed with proprietary algorithms. TIP: Use a content concept with one or more templates to look for patterns in specific data types. For example, a content concept can be used to collect credit card numbering patterns that can be matched to network data. You might use one of the factory default concepts (AMEX, CCN, DISCOVER, MASTERCARD) to find them quickly, or you can add one that focuses only on patterns used by retail cards. If you are an advanced user, you can construct network or session concepts to identify data in the Transport and Session layers.
Types of concepts
There are three types of concepts.
- Content concepts contain text patterns and regular expressions to match patterns to data on the Application layer (Layer 7).
- Network concepts monitor activity on the Transport layer (Layer 4). They can be used to find spiders, robots, crawlers, types of webmail, browser versions, and operating systems in use.
- Session concepts focus on exchanges of data between applications on the Session layer (Layer 5). They can be used to recognize content found in multiple objects contained in a single flow.
5. If you want to discourage false positives, select an algorithm that is associated with the regular expression you will define or upload (optional). When the concept hits, the system will run checksums to verify accuracy, and results that do not match exactly will be discarded.
Example:
If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm will ignore the pattern and replace it with the correct sequence.
6. Select a category for the expression (optional). TIP: Later you might want to use a package of related concepts in a query to expedite the search process.
7. If you have patterns recorded in a document, Upload it by browsing. Only text documents can be uploaded.
8. Click Import Expressions to load in the expressions from the file you selected. TIP: If you want to edit the list of expressions or just keep a copy, click Export Expressions to save them to your desktop. You can debug them in a text editor, then re-import them.
9. If you don't have a document to upload, use text and regular expressions to build one or more expressions, starting with Expression 0. TIP: Add additional expressions by clicking the green plus icon.
10. Click Validate, then enter the expression and a sample of a string it should match.
11. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
12. Set conditions for the concept, if needed.
13. Click Save.
NOTE: When creating concepts that have multiple words, you must escape spaces between words with a backslash (for example, hello\_world). Other metacharacters and ASCII character escapes (such as those for space, tab, form feed, and zero-width space) can also be used to define concept expressions.
TIP: Add a template using your custom concept. This will save you keystrokes when searching, creating rules, and building capture filters.
5. Select Add Concept from the Actions menu.
6. Open Advanced at the bottom of the page and select the Network Type radio button.
7. Type in a name (uppercase only) and description (optional).
8. If you want to discourage false positives, select an algorithm that is associated with the regular expression you will define or upload. When the concept hits, the system will run checksums to verify accuracy, and results that do not match exactly will be discarded.
Example:
If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm will ignore the pattern and replace it with the correct sequence.
9. Select a category for the expression (optional). TIP: Later you may want to use a package of related concepts in a query to expedite the search process.
10. Paste the string from the TCP stream into an Expression field. NOTE: Escape all metacharacters with a backslash to ensure literal interpretation. For example, www\.deadspin\.com.
11. Click Validate, then enter the expression and a sample of a string it should match.
12. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
13. Set conditions for the concept, if needed.
14. Click Save.
Example:
If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm will ignore the pattern and replace it with the correct sequence.
7. Select a category for the expression (optional). TIP: Later you may want to use a package of related concepts in a query to expedite the search process.
8. If you have patterns recorded in a document, Upload it by browsing. Only text documents can be uploaded.
9. Click Import Expressions to load in the expressions from the file you selected. TIP: If you want to edit the list of expressions or just keep a copy, click Export Expressions to save them to your desktop. You can debug them in a text editor, then re-import them.
10. If you don't have a document to upload, use text and regular expressions to build one or more expressions, starting with Expression 0, on the fly. TIP: Add additional expressions by clicking the green plus sign.
11. Click Validate, then enter the expression and a sample of a string it should match.
12. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
13. Set conditions for the concept, if needed.
14. Click Save.
NOTE: When creating concepts that have multiple words, you must escape spaces between words with a backslash (e.g., \_).
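The checksum step that the content, network and session concept tasks above all describe (select an algorithm associated with the expression, so that hits failing the check are discarded), as an added Python example. This is not the product's code: it assumes the card-number check is the Luhn check digit, the standard algorithm for payment card numbers (the guide does not name the algorithm it uses), and the MasterCard-style prefix pattern is my own expression, not one of the factory default concepts. The sample text is constructed.

```python
import re
from typing import List

# Assumed expression: MasterCard-style 16-digit number, 51-55 prefix, digits
# optionally separated by spaces or hyphens (not the product's own concept).
MASTERCARD_RE = re.compile(r"\b5[1-5][0-9]{2}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn check digit test; non-digit separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def pattern_hits(text: str) -> List[str]:
    """Raw expression hits, before any checksum is applied."""
    return MASTERCARD_RE.findall(text)


def validated_hits(text: str) -> List[str]:
    """Hits that also pass the checksum; the rest are discarded as false positives."""
    return [hit for hit in pattern_hits(text) if luhn_ok(hit)]


# Constructed sample object. Only the first number has a valid check digit;
# the other two look like card numbers but fail the Luhn test.
SAMPLE_TEXT = (
    "Card on file: 5555 5555 5555 4444 (exp 12/12)\n"
    "Order ref: 5123-4567-8901-2345\n"
    "Legacy id 5105105105105106 migrated\n"
)

if __name__ == "__main__":
    print("pattern only:      ", pattern_hits(SAMPLE_TEXT))
    print("pattern + checksum:", validated_hits(SAMPLE_TEXT))
```

The pattern alone reports three hits on the sample; with the checksum applied only the genuine card number survives, which is the reduction in false positives the step is after.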
- Use the Count category to set a number of objects that must be found before a match is reported.
- Use the Percentage Match category to define a percentage of objects that must be found before a match is reported.
- Use the Number of lines from the beginning category to define the number of lines within which an object must be found (starting from the beginning of a captured object) before a match is reported.
- Use the Number of bytes from the beginning category to define the number of bytes within which an object must be found (starting from the beginning of a captured object) before a match is reported.
- Use the Proximity category to define the relative proximity to a specified byte of an object before a match is reported.
NOTE: Imposing multiple conditions could cause conflicts. Consider carefully what the conditions will do before setting them.
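How the five condition categories constrain a concept's hits, as an added Python example; it is not the product's matcher. The interpretation of each category is my own reading of the definitions above: Count is the minimum total number of hits, Percentage Match is the share of the concept's expressions that must hit at least once, the two "from the beginning" categories require the earliest hit to fall inside the first N lines or N bytes, and Proximity requires all hits to lie within N bytes of each other. The captured object and the expressions are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class ConceptConditions:
    """One field per condition category named in the guide; None means unset."""
    count: Optional[int] = None                 # minimum total hits in the object
    percentage_match: Optional[float] = None    # minimum % of expressions with a hit
    lines_from_beginning: Optional[int] = None  # a hit must fall in the first N lines
    bytes_from_beginning: Optional[int] = None  # a hit must fall in the first N bytes
    proximity: Optional[int] = None             # all hits within this many bytes of each other


def find_hits(expressions: Sequence[str], obj: bytes) -> List[Tuple[int, int]]:
    """Return (expression index, byte offset) for every hit in the captured object."""
    hits = []
    for index, expression in enumerate(expressions):
        for match in re.finditer(expression.encode("utf-8"), obj):
            hits.append((index, match.start()))
    return hits


def concept_matches(expressions: Sequence[str], obj: bytes, cond: ConceptConditions) -> bool:
    """Report a match only if the hits satisfy every condition that is set."""
    hits = find_hits(expressions, obj)
    if not hits:
        return False
    offsets = sorted(offset for _, offset in hits)

    if cond.count is not None and len(hits) < cond.count:
        return False
    if cond.percentage_match is not None:
        matched = len({index for index, _ in hits})
        if 100.0 * matched / len(expressions) < cond.percentage_match:
            return False
    if cond.lines_from_beginning is not None:
        # byte length of the first N lines (without the trailing newline)
        limit = len(b"\n".join(obj.split(b"\n")[:cond.lines_from_beginning]))
        if offsets[0] >= limit:
            return False
    if cond.bytes_from_beginning is not None and offsets[0] >= cond.bytes_from_beginning:
        return False
    if cond.proximity is not None and offsets[-1] - offsets[0] > cond.proximity:
        return False
    return True


# Constructed captured object (not from the guide); the byte offsets matter below:
# the first hit is at offset 27, the last at offset 110.
SAMPLE_OBJECT = (
    b"Subject: Q3 payroll export\n"
    b"CONFIDENTIAL - internal use only\n"
    b"Name: J. Doe  SSN: 123-45-6789\n"
    b"Name: A. Roe  SSN: 987-65-4321\n"
    b"Regards, HR\n"
)
# Four expressions; the last never hits, so at most 75% of them can match.
EXPRESSIONS = [r"CONFIDENTIAL", r"SSN", r"\d{3}-\d{2}-\d{4}", r"PASSPORT"]

if __name__ == "__main__":
    for label, cond in [
        ("at least 5 hits", ConceptConditions(count=5)),
        ("80% of expressions", ConceptConditions(percentage_match=80)),
        ("a hit within the first 2 lines", ConceptConditions(lines_from_beginning=2)),
        ("all hits within 50 bytes", ConceptConditions(proximity=50)),
        ("5 hits within 50 bytes", ConceptConditions(count=5, proximity=50)),
    ]:
        print(f"{label}: {concept_matches(EXPRESSIONS, SAMPLE_OBJECT, cond)}")
```

The last case in the usage loop is the conflict the NOTE above warns about: on this object the five hits span 83 bytes, so Count=5 and Proximity=50 can never both be satisfied, and the concept would never report, even though each condition alone is reasonable.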
6. Use the Condition, Value and Expressions fields to set the parameters of a condition.
7. Use the Advanced component to change the concept type only if the conditions you have set will apply to a different type of concept.
8. Click Save.
Expression   Definition
\n           line feed
\r           carriage return
\f           form feed
\b           backspace
\a           bell
\t           tab
\k           disables Perl/POSIX set range restrictions
\K           enables Perl/POSIX set range restrictions
\0xN         the hex ASCII character equivalent to N
\nnn         the octal character of value nnn
\d           digit 0-9
\D           not digit 0-9
\c           any alpha A-Z or a-z
\C           not any alpha A-Z or a-z
\w           any alphanumeric (\c or \d)
\W           not alphanumeric (^\w)
\s           any space [\ \f \n \r \t]
\S           not any space (^\s)
\p           any space or field delimiter [\ -\\ :-@ \[- {-~ ]
\P           not any space or field delimiter (^\p)
\i           case sensitivity off
\I           case sensitivity on
[]           character sets, e.g. [3-6a-c] = 3,4,5,6,a,b,c
x-y          character ranges, e.g. T-X = T,U,V,W,X
^            invert, e.g. ^\0x0 is all characters except NULL
\            literal backslash (transforms metacharacters into ordinary characters). Examples: \\ \. \& \[ \] \<space> \* \+
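A translation of the expression syntax in the table above into Python re syntax, as an added example; it is not the product's matcher, and it is useful for checking an expression offline before pasting it into the Validate dialog. The mappings follow the table's definitions, with these assumptions where the table is terse: \p is space plus the four ASCII punctuation ranges, \w excludes the underscore (unlike Python's \w), \b is a literal backspace (in Python it would be a word boundary), \k and \K have no Python equivalent and are dropped, and \i / \I toggle the case-insensitive flag for the whole expression because Python applies that flag globally.

```python
import re
from typing import Tuple

# Escapes from the table whose Python meaning differs or must be pinned to ASCII.
# Assumption: \p means space plus the four ASCII punctuation ranges.
_SIMPLE = {
    "n": r"\n", "r": r"\r", "f": r"\f", "t": r"\t",
    "b": r"\x08",   # backspace here; in Python's re, \b would be a word boundary
    "a": r"\x07",   # bell
    "d": r"[0-9]", "D": r"[^0-9]",
    "c": r"[A-Za-z]", "C": r"[^A-Za-z]",
    "w": r"[A-Za-z0-9]", "W": r"[^A-Za-z0-9]",       # no underscore, unlike Python \w
    "s": r"[ \f\n\r\t]", "S": r"[^ \f\n\r\t]",
    "p": r"[ -/:-@\[-`{-~]", "P": r"[^ -/:-@\[-`{-~]",
}
_HEX = re.compile(r"0x([0-9A-Fa-f]{1,2})")   # \0xN
_OCTAL = re.compile(r"[0-7]{3}")             # \nnn


def translate(expression: str) -> Tuple[str, int]:
    """Return (python_pattern, re flags) for a concept expression."""
    out = []
    flags = 0
    i = 0
    while i < len(expression):
        ch = expression[i]
        if ch != "\\":
            out.append(ch)          # [], x-y and ^ keep their meaning in Python classes
            i += 1
            continue
        rest = expression[i + 1:]
        if not rest:
            raise ValueError("expression ends with a lone backslash")
        hexm = _HEX.match(rest)
        if hexm:
            out.append("\\x%02x" % int(hexm.group(1), 16))
            i += 1 + hexm.end()
            continue
        octm = _OCTAL.match(rest)
        if octm:
            value = int(octm.group(0), 8)
            if value > 0xFF:
                raise ValueError(f"octal escape \\{octm.group(0)} is not a byte")
            out.append("\\x%02x" % value)
            i += 4
            continue
        nxt = rest[0]
        if nxt in _SIMPLE:
            out.append(_SIMPLE[nxt])
        elif nxt == "i":
            flags |= re.IGNORECASE
        elif nxt == "I":
            flags &= ~re.IGNORECASE
        elif nxt in "kK":
            pass                    # set-range restriction toggles: no Python equivalent
        else:
            out.append("\\" + nxt)  # literal: \. \[ \* \<space> \\ and so on
        i += 2
    return "".join(out), flags


def compile_concept(expression: str) -> "re.Pattern[str]":
    """Compile a concept expression as a Python regular expression."""
    pattern, flags = translate(expression)
    return re.compile(pattern, flags)


if __name__ == "__main__":
    for expr, sample in [(r"\imastercard", "MASTERCARD"), (r"\0x41\d\d", "A12"),
                         (r"www\.deadspin\.com", "www.deadspin.com"),
                         (r"hello\ world", "say hello world")]:
        print(expr, "->", translate(expr)[0], "matches:",
              bool(compile_concept(expr).search(sample)))
```

The escaped-space and escaped-dot cases in the usage loop are the two rules the NOTEs above insist on (spaces between words and metacharacters in host names must be backslash-escaped); the translator passes such escapes through unchanged because Python reads them the same way.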
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select one or more concepts.
3. Select Restore Default from the Actions menu.
Editing concepts
Use this task to modify the parameters of a concept. For example, you might want to remove one of the expressions used in a content concept if it generates false positive results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Click a concept.
3. Modify one or more parameters.
4. Click Save.
Deleting concepts
Use this task to delete more than one concept. NOTE: Factory Default templates cannot be deleted.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select one or more concept checkboxes.
3. Select Delete from the Actions menu.
Using templates
How templates are used
Templates contain collections of elements that save time when searching, creating rules, or building capture filters. They eliminate the need to enter the same values repetitively. For example, when you search for data containing source code of any type, you might use the Source Code template. Similarly, to find data containing images, you might use the Common Image Files template. TIP: You can use any of the standard templates, or you can add your own custom templates to the list under Policies | Templates.
Adding templates
Use this task to add a template to save time on repetitive or complex searches. TIP: You can use a template to create a name for a range of IP addresses so you can refer to them as a group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.
2. Select Add Template from the Actions menu.
3. Type in a name.
4. Type in a description (optional).
5. Open Construction.
6. Select an element from the first menu.
7. Select a condition from the second menu.
8. Click "?". If no popup menu launches, type a string into the values field.
9. Click Save.
NOTE: When a template element is used in a search or rule, a list of available templates pops up from the "?" at the end of the values field. Each category may pop up a different set of templates, and more than one can be used at a time.
Deleting templates
Use this task to delete templates one by one, or as a group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.
2. Click the box of one or more templates.
3. Select Delete from the Actions menu.
4. Click Confirm or Cancel.
TIP: To delete templates one by one, click the trash can icons.
4. Select an Owner.
5. Select a Resolution state (optional).
6. Select a Status (optional).
7. Select a Priority (optional).
8. Type in one or more Keywords.
9. Check the Notify Submitter box (optional).
10. Check the Notify Owner box (optional).
11. Type in Notes (optional).
12. Click Apply.
NOTE: No more than 100 incidents can be added to a case at one time.
5. Click Apply.
NOTE: No more than 100 incidents can be added to a case at one time.
4. Click Apply.
Exporting cases
Use this task to save a case to the Exported Cases list.
NOTE: Exported cases can be downloaded to local computers. There are no limits on the number of incidents that can be exported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select one or more case checkboxes, or export a single case by clicking its Export icon. TIP: Click the box in the column header to Select All cases.
3. From the Actions menu, select Export Selected Cases.
4. Click OK to verify export. The case will appear in the file list under Exported Cases.
5. Click on the exported case link to open or save it.
Example:
If Lee has a need to know about a case and he has been given read access, case information might display on his DLP Homepage, but Apply, Save, Delete or Assign buttons will not display because he is not allowed to take those actions.
Example:
If Juan is given responsibility for a group of legal cases, an administrator might assign Read and Write but not Delete privileges. All menus and buttons except the Delete icon will be available to him. NOTE: When Write permission is assigned, Read permission is implicit.
Reprioritizing cases
Use this task to reprioritize the severity of a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Priority menu, select a new severity. TIP: To notify the originator by email, select the Notify Submitter box.
4. Click Apply.
Deleting cases
Use this task to remove a case from the Case List.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Click the Delete icon. TIP: If you cannot see the icon, expand your dashboard.
Configuring DLP devices
Use this task to reconfigure any DLP device.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Click the configure link of the device to be configured.
3. Change parameters on the System Configuration page.
4. Click Update after each change is made.
TIP: If you are on a standalone appliance, you can click on Setup Wizard to review all settings. If the setup is not changed, you can select Cancel to leave the Setup Wizard and go directly to the dashboard.
3. Select a Host DLP Version. NOTE: Version 3.0 is required to use Host and Network DLP separately in the ePO interface.
4. Type in the IP or host name and password.
5. Type in the database port, user, and database names.
6. Type in the ePO database, IP address, user name and password, and port.
7. Click Add.
8. Click OK to confirm or cancel registration.
9. Wait for the Status icon to turn green. TIP: If registration seems to be taking a long time, try refreshing the page.
Capture partitions hold all the content captured, which is organized by type. Non-Capture partitions contain the operating system and the results partitions (A-Z), which fill sequentially.
Use this task to get a complete report of disk space, including information about partitions and volumes.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select the More link of the device.
3. Under Utilities | Application Information, click on Disk Usage.
NOTE: Space-based wiping is the default policy. It erases the earliest results after 80% of the disk is used. When that threshold is reached, the system erases data to the 70% watermark.
Backing up DLP systems
Use this task to create a backup archive to ensure that configuration files, users, logs and cases are not lost during system operations. TIP: Back up whenever there is a change in content or configuration. After 30 days or 150,000 incidents, the oldest incidents are lost, and if a managed mode device is deregistered, all incidents are lost.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Backup.
2. Type in the Remote Host Name of an external storage device. NOTE: Only Linux devices are supported. Microsoft Windows computers have not been tested.
3. Type in the user name and password required to log on to that machine.
4. Browse to the directory that will receive the backup.
5. Select the Port to be used to connect to the remote host.
6. Click Backup.
NOTE: The local archive filename will be made up of a date and backup number (for example, 200910301346). But on the Remote Host and other DLP devices, the filename will also include the FQHN (fully-qualified host name) and device type (inSight = Manager, iGuard = Monitor), followed by date_backup#.tar.
Example
abc-123.lab.company.net-inSight-20091030-1346.tar
TIP: Refresh the File List and select the archive with the latest date and highest backup number. You will be able to verify the build number after extraction.
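Selecting the right archive from a remote file list, as an added Python example that is not the product's code. It parses names in the layout described above (FQHN, device type, date, backup number, .tar) and applies the TIP's rule, latest date first and highest backup number within that date, comparing the backup number numerically rather than as text. The file list is constructed; only its first entry is the guide's own example name, and the device type names are the two the guide gives.

```python
import re
from typing import Iterable, NamedTuple, Optional

# Name layout described in the NOTE above: <FQHN>-<device type>-<date>-<backup#>.tar
# The device types are the two named in the guide (inSight = Manager, iGuard = Monitor).
ARCHIVE_RE = re.compile(
    r"^(?P<host>.+)-(?P<device>inSight|iGuard)-(?P<date>\d{8})-(?P<backup>\d+)\.tar$"
)


class Archive(NamedTuple):
    name: str
    host: str
    device: str
    date: str      # YYYYMMDD, kept as text since it orders correctly that way
    backup: int    # backup number, compared numerically


def parse_archive_name(name: str) -> Optional[Archive]:
    """Split an archive filename into its parts, or None if it is not a DLP archive."""
    m = ARCHIVE_RE.match(name)
    if not m:
        return None
    return Archive(name, m.group("host"), m.group("device"),
                   m.group("date"), int(m.group("backup")))


def newest_archive(names: Iterable[str], device: Optional[str] = None) -> Optional[str]:
    """Archive with the latest date and, within that date, the highest backup number."""
    candidates = [a for a in (parse_archive_name(n) for n in names) if a is not None]
    if device is not None:
        candidates = [a for a in candidates if a.device == device]
    if not candidates:
        return None
    return max(candidates, key=lambda a: (a.date, a.backup)).name


# Constructed file list; the first name is the guide's example, the rest are made up.
SAMPLE_FILE_LIST = [
    "abc-123.lab.company.net-inSight-20091030-1346.tar",
    "abc-123.lab.company.net-inSight-20091030-0912.tar",
    "abc-123.lab.company.net-inSight-20091029-2359.tar",
    "abc-124.lab.company.net-iGuard-20091030-1401.tar",
    "README.txt",
]

if __name__ == "__main__":
    print("newest overall:", newest_archive(SAMPLE_FILE_LIST))
    print("newest Manager:", newest_archive(SAMPLE_FILE_LIST, device="inSight"))
```

Because the host name may itself contain hyphens (the guide's example host does), the pattern anchors on the device-type field rather than splitting the name on every hyphen.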
Archive contents
- Active configuration files (policies, rules, action rules, concepts, templates, network and content capture filters, DHCP settings, schedules, task definitions and credentials)
- Local and Active Directory users
- Network settings
- User Action Logs
- Cases
Depending on the volume of data to be backed up, processing time might be lengthy. When the process is complete, email is sent to the address in the user's profile, and the file list is populated with the name of the new archive.
Restarting DLP systems
Use this task to restart, shut down or reboot any of the McAfee Network DLP appliances or services.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select More for the device you want to restart or shut down.
3. Scroll down to the bottom of the Utilities window.
4. Select the appropriate link.
Adding a DHCP server supports accurate resolution of the sources and destinations of network transmissions.
Adding an LDAP server supports integration with existing user systems, enables notification of users, and authenticates user accounts. DLP supports Microsoft Active Directory LDAP services. McAfee Logon Collector can be configured with DLP Manager to resolve user identities by retrieving collections of user account information from all Active Directory servers that have been added to the DLP system.
- Adding a Host DLP server supports integration with ePO.
- Syslog servers receive DLP error messages.
- NTP servers make it possible to synchronize DLP systems.
Matching this pattern enables DHCP logging. For the SMB client, 'mget DhcpSrvLog*' can be used from the SMB prompt to link to Windows files such as DhcpSrvLog-Wed.log or DhcpSrvLog-S
un.log. For SCP or SFTP, use /var/state/dhcp/dhcpd.leases or /var/state/dhcp/dhcpd*.
9. Set a Lease expiration interval to determine when IP addresses will be reassigned. The interval must be set because some DHCP servers (Windows) do not put the expiration time in the logs.
10. Set the Frequency to indicate how often the server should be polled to pull down new information.
11. Check the boxes of devices to be connected to the DHCP server.
12. Click Save.
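What the lease data polled from a DHCP server is used for, as an added Python example; it is not the product's own address-to-host resolution code. It parses a constructed extract in the ISC dhcpd.leases syntax of the /var/state/dhcp/dhcpd.leases file named above, applies a configured lease expiration interval to any lease that carries no end time (the situation step 9 describes for servers that do not log expiry), and answers which host held an address at the time of an incident. Times in dhcpd.leases are UTC, and the sample keeps everything in UTC; the hosts, addresses and MACs are made up.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in ISC dhcpd.leases syntax; not from the guide.
# The second lease has no "ends" line, standing in for a server that does not log expiry.
# 10.1.2.30 is reassigned to a different machine later the same day.
SAMPLE_LEASES = """\
lease 10.1.2.30 {
  starts 5 2009/10/30 13:46:00;
  ends 5 2009/10/30 21:46:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-laptop";
}
lease 10.1.2.31 {
  starts 5 2009/10/30 09:00:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "bob-desktop";
}
lease 10.1.2.30 {
  starts 5 2009/10/30 22:10:00;
  ends 6 2009/10/31 06:10:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
  client-hostname "carol-pc";
}
"""

_LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
_TIME_FMT = "%Y/%m/%d %H:%M:%S"


def _field(body: str, pattern: str) -> Optional[str]:
    m = re.search(pattern, body)
    return m.group(1) if m else None


def parse_leases(text: str, lease_interval_hours: int = 8) -> List[Dict[str, object]]:
    """Parse lease blocks; a lease without an explicit end gets start + interval."""
    interval = timedelta(hours=lease_interval_hours)
    leases: List[Dict[str, object]] = []
    for block in _LEASE_BLOCK.finditer(text):
        ip, body = block.group(1), block.group(2)
        starts = _field(body, r"starts\s+\d\s+([\d/]+ [\d:]+);")
        if starts is None:
            continue                      # malformed block: skip it
        start = datetime.strptime(starts, _TIME_FMT)
        ends = _field(body, r"ends\s+\d\s+([\d/]+ [\d:]+);")
        end = datetime.strptime(ends, _TIME_FMT) if ends else start + interval
        leases.append({
            "ip": ip,
            "start": start,
            "end": end,
            "mac": _field(body, r"hardware ethernet (\S+);"),
            "host": _field(body, r'client-hostname "([^"]*)";'),
            "end_assumed": ends is None,  # true when the configured interval was applied
        })
    return leases


def resolve_host(leases: List[Dict[str, object]], ip: str, at: str) -> Optional[str]:
    """Host that held `ip` at time `at` (YYYY/MM/DD HH:MM:SS, UTC).

    When leases overlap, the most recently started one wins.
    """
    when = datetime.strptime(at, _TIME_FMT)
    current = None
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when < lease["end"]:
            if current is None or lease["start"] > current["start"]:
                current = lease
    return current["host"] if current else None


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES, lease_interval_hours=8)
    for ip, when in [("10.1.2.30", "2009/10/30 14:00:00"),
                     ("10.1.2.30", "2009/10/30 23:00:00"),
                     ("10.1.2.31", "2009/10/30 18:00:00")]:
        print(ip, when, "->", resolve_host(leases, ip, when))
```

The third lookup shows why the interval setting matters: with an 8-hour interval bob-desktop's lease has lapsed by 18:00 and the address resolves to nobody, while a 12-hour interval still attributes it to that host. An interval that is too long can pin an incident on the wrong machine after an address is reused, which is the risk the step 9 caveat is about.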
NOTE: Although more than one LDAP server can be added from the user interface, multiple LDAP servers require ip2user mapping, which is not currently supported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | Directory Services.
2. Select Create Directory Server from the Actions menu.
3. Type in a label to identify the LDAP server.
4. Type in the domain of the LDAP server (optional). NOTE: If you use this option, you must log in to an administrative account on the LDAP server. The system will then query the Domain Name Server to find the domain controller for the Active Directory domain.
5. If you are not using the LDAP domain server name, type in the name or IP address of the authorization server. If you are using SSL to encrypt the connection, you must enter the FQDN cited in the uploaded certificate (see below). NOTE: Unlike the LDAP server domain name, you can use any valid account that has permission to read from the LDAP server (an administrative account is not necessary). If you have already entered the domain name of the LDAP server in the previous step, any information you enter here will be ignored.
6. Type in the port to be used for the connection.
7. Set intervals for connection timeouts and retries (in seconds).
8. Type in the LoginID attribute. Use samaccountname to retrieve user names from the server.
9. Type in the user name. Use an administrative account whose password does not expire to maintain the connection, but a non-administrative account name is acceptable when using an authorization server.
10. Identify the local domain components (for example, dc=mydomain,dc=com).
11. Type in the number of records you want to retrieve at one time. Before entering a value higher than 10, consult the administrator of the Active Directory server to find out how many records can be served per request.
12. Check the SSL box to encrypt the connection and enable LDAP over SSL (LDAPS).
NOTE: A secure connection is not required, but is strongly recommended. Accept any available certificate, or select one by uploading it. If you take this step, you must find the FQDN name of the authorization server in the encrypted file by logging in to the back end of the DLP appliance and running the following command:
subject= /DC=net/DC=reconnex/CN=tyche
Read from right to left to get the name of the authorization server.
tyche.reconnex.net
13. Type the name into the authorization server name field.
14. Select a Scope to set the directory depth to be accessed on the server.
15. Click Apply.
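The right-to-left reading of the certificate subject described above, and the check that the name typed into the authorization server field really is the name the certificate carries, as an added Python example (not the appliance's own tooling). It takes the subject line in the form shown above and, as an assumption that goes beyond the page, also accepts the comma-separated RFC 4514 form, which lists components leaf first and therefore needs no reversal. The example subject values come from the guide; the extra ones are constructed.

```python
from typing import List, Tuple


def _components(subject: str) -> Tuple[List[Tuple[str, str]], bool]:
    """Split a subject line into (type, value) pairs; the flag says whether it is root first.

    "subject= /DC=net/DC=reconnex/CN=tyche" (OpenSSL slash form) is root first;
    "CN=tyche,DC=reconnex,DC=net" (RFC 4514 comma form) is leaf first.
    """
    text = subject.strip()
    if text.lower().startswith("subject="):
        text = text.split("=", 1)[1].strip()
    root_first = text.startswith("/")
    pairs = []
    for part in (text.split("/") if root_first else text.split(",")):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value component: {part!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs, root_first


def subject_to_fqdn(subject: str) -> str:
    """Build the server's FQDN from its CN and DC components.

    In the slash form the DCs are read right to left, exactly as the guide says;
    in the comma form they are already in host-name order.
    """
    pairs, root_first = _components(subject)
    cns = [v for k, v in pairs if k == "CN"]
    dcs = [v for k, v in pairs if k == "DC"]
    if len(cns) != 1 or not dcs:
        raise ValueError("subject needs exactly one CN and at least one DC")
    if root_first:
        dcs.reverse()
    return ".".join([cns[0]] + dcs)


def name_matches_certificate(entered_name: str, subject: str) -> bool:
    """True if the name typed into the authorization server field is the certificate's FQDN.

    Comparison is case-insensitive and ignores a trailing dot; a short host name or
    an IP address does not match, which is the mistake the step above warns against.
    """
    wanted = subject_to_fqdn(subject).lower()
    return entered_name.strip().lower().rstrip(".") == wanted


if __name__ == "__main__":
    guide_subject = "subject= /DC=net/DC=reconnex/CN=tyche"
    print(subject_to_fqdn(guide_subject))
    for candidate in ("tyche.reconnex.net", "TYCHE.reconnex.net.", "tyche", "10.0.0.5"):
        print(f"{candidate!r}: {name_matches_certificate(candidate, guide_subject)}")
```

The second function is the check worth running before clicking Apply: an LDAPS connection will only validate if the name entered in step 13 is the one in the certificate, and entering the IP address or the short host name instead is an easy way to end up with a connection that fails or, worse, an administrator tempted to accept any certificate to make the error go away.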
Adding LDAP Users
Use this task to add users after an LDAP server has been added to DLP Manager. NOTE: LDAP users must be assigned to existing groups. If you have not yet decided on a user group design, review user group management.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | User Administration | Actions | Create LDAP User.
2. Select the LDAP host.
3. Retrieve one or more users using one of the following techniques.
- Enter an asterisk (*) to retrieve a list of all users on the server and select a radio button.
- Type in a known Login ID or user name.
- Use an asterisk (*) as a metacharacter to retrieve related users (for example, R* or *st*).
NOTE: User names containing special characters cannot be retrieved.
5. Click Find.
6. Click a radio button to select a user.
7. Select one or more groups from the Available groups for the new user and Add.
8. Click Apply.
NOTE: User permissions are assigned by membership in a user group. When permissions have been changed by addition or subtraction of membership in a group, users must log in again for the change to register.
7. Go to Incidents | My Views | Actions | Copy View to Users to copy over views available to new users.
8. Check the boxes of all views the new user should be able to see.
9. Pull down the Actions menu.
10. Select Copy View to Users.
11. Select one or more checkboxes of users who should see the selected views.
12. Click Apply.
To make changes to the user's status later, go to System | User Administration | Users and select the Detail icon of the user. For example, you can use the Action menu to Disable or Delete the user.
https://<DLP_address>/activedir/ADintegration.zip
3. Save the zip file to your desktop.
NOTE: The rwl_client.exe file in this zip file has been changed in the 9.0 release. If you already have it installed on an 8.6 appliance, you must reinstall it.
4. Extract the two files from the archive to your desktop.
5. On the Microsoft Windows server desktop, go to Start | Administrative Tools | Active Directory Users and Computers.
6. Right-click on the domain name (currently reconnex.net) in the navigation bar.
7. Go to Properties | Group Policy | Default Domain Policy.
8. Select Edit.
9. Under User Configuration, click on Windows Settings | Scripts | Logon.
10. On the Scripts tab, click Show Files.
11. Drag the rwl_client.exe and logon.bat from your desktop to the Group Policy Object Editor window.
12. Right-click the logon.bat file.
13. Select Edit and Run.
14. After rwl_client.exe, type in the IP address of the DLP Manager or Monitor (if you are on a standalone machine).
Example
REMSubstitute the following 'hostname.example.org' argument REMwith the hostname or IP address of your Monitor rwl_client.exe iGuardHostname.reconnex.net
When the batch file is executed, DLP Monitor is notified that a user has logged in.
15. Save.
16. Close the window containing the rwl_client.exe and logon.bat files.
17. Click OK on the Scripts tab of the Logon Properties dialog box.
18. Close the Group Policy Object Editor window.
19. Click OK on the Group Policy tab of the reconnex.net Properties dialog box.
20. Close the Active Directory Users and Computers window.
The next step is to add the server to DLP Manager.
a. Click Start | Administrative Tools | Certificate Authority to launch the Microsoft Management Console.
b. Select the CA machine.
c. Right-click and select Properties.
d. From the General menu, click View Certificate.
e. Select the Details view.
f. Click the Copy to File button in the lower right corner of the window.
g. Use the Certificate Export Wizard to save the CA certificate in a file.
NOTE: Save the CA certificate in either DER Encoded Binary X.509 format or Base-64 Encoded X.509 format.
3. Verify that SSL is enabled on the Microsoft Active Directory server (Microsoft Windows 2000 or Microsoft Windows 2003).
a. Ensure that Windows 2000 Support Tools (Windows Support Tools on Microsoft Windows 2003) is installed on the Microsoft Active Directory machine.
b. Find the suptools.msi setup program in the \Support\Tools\ directory on your Microsoft Windows CD.
c. Start the ldp tool. For Microsoft Windows 2000 systems, go to Start | Windows 2000 Support Tools | Tools | Active Directory Administration Tool. For Windows 2003, go to Start | Windows Support Tools | Tools | Command Prompt.
4. Select Connection | Connect from the ldp window.
5. Type in the host name and port number (secure port 636 is required). If the connection is successful, a window is displayed listing information about the Microsoft Active Directory SSL connection. If it is unsuccessful, restart your system and repeat the procedure.
3. Type the new attribute names into the Directory Server Mapping Attributes fields.
4. Click Apply.

Default Attribute Mappings

    UserName=cn
    UserID=sAMAccountName
    UserTitle=title
    UserCompany=company
    UserDepartment=department
    UserCity=givenName
    UserZipcode=postalCode
    UserCountry=countryCode
    UserManager=manager
    UserGroups=memberOf
    UserEmail=proxyAddresses

NOTE: When an incident is reported to the dashboard, user attribute columns will contain the information found in the corresponding fields on the existing LDAP server.
3. Scroll to the bottom of the page.
4. Highlight and copy all text in the Base 64 field.
5. Open a web browser and log in to the DLP Manager.
6. Go to System | Directory Services.
7. Select Add a McAfee Logon Collector from the Actions menu.
8. Type in the IP address of the MLC.
9. Click the paste radio button and paste the text into the box.
TIP: Save this Base 64 data to a text file on your desktop so you can re-use it.
10. Click Apply.
11. Click Export to save the Network DLP certificate to your desktop.
12. Open a web browser and type in the address of the McAfee Logon Collector.
13. Go to Menu | Configuration | Trusted CA.
14. Click New Authority.
15. Browse to the netdlp_certificate.cer file you saved to your desktop.
16. Click Open.
17. Click Save. This adds the DLP Manager to MLC.
18. Open a Remote Desktop session on the MLC server.
19. Shut down and restart the MLC server.
The connection is now complete.
Jul 7 15:38:18 172.16.0.50 RTS:CEF:0|McAfee|Monitor|3.2|-testrule1|3|cs1=-chein-prevent cs1Label=policies cn1=1 cn1Label=MatchCount src=51.0.16.172 dst=53.0.16.172 spt= 5281 dpt= 25 suser= duser=cs2="testing" cs2Label=Subject filename="specscdrom.pdf"
Message Structure and Format

Field                  Description
Date                   Date the event was logged
HostName               Name or IP address of the machine that logged the event
Component              Component or process that generated the alert
Format                 Format version of the syslog output
Device Vendor          Vendor name
Device Product         Manager, Monitor, Discover or Prevent
Device Version         Product version
Rule                   Search rule
Severity #             Critical, High, Medium, Low, Informational
Policy                 Policy name
Policy label           Type of object
Match Count            Matches found
Match Count Label      Type of object
Source IP              Source IP address
Destination IP         Destination IP address
Source Port            Source port
Destination Port       Destination port
Source user name       Source user name
Destination name       Destination user name
Email subject          Email subject
File name              File name
NOTE: Syslog servers are automatically recognized if they reside on the same network as DLP devices; no special connection is needed.
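The following Python script is an added example, not code from the McAfee guide. It parses the sample syslog line above into the fields of the Message Structure and Format table, which is what a SIEM or log-collector pipeline has to do before DLP events can be indexed or matched by detection rules. The CEF key names (cs1, cs1Label, cn1, src, dst and so on) and the label-resolution rule are taken from the sample line itself; the severity is kept as the numeric CEF value because the guide does not state how the number maps to the Critical to Informational names. The parser tolerates the quirks visible in the sample (a space after "spt=" and empty "suser=" values); it does not handle a value that itself contains a word directly followed by "=".

```python
"""Parse McAfee Network DLP syslog/CEF lines into named fields.

Added example (not McAfee code). The sample line is the one printed in the
guide; the field names follow the Message Structure and Format table.
"""
import re
from typing import Any, Dict

# The CEF line from the guide, used here as the test input.
SAMPLE = (
    "Jul 7 15:38:18 172.16.0.50 RTS:CEF:0|McAfee|Monitor|3.2|-testrule1|3|"
    "cs1=-chein-prevent cs1Label=policies cn1=1 cn1Label=MatchCount "
    "src=51.0.16.172 dst=53.0.16.172 spt= 5281 dpt= 25 suser= duser="
    'cs2="testing" cs2Label=Subject filename="specscdrom.pdf"'
)

# syslog prefix: Date, HostName, Component, then the CEF payload
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<component>[^:\s]+):(?P<cef>CEF:.*)$"
)

# CEF header fields that follow the "CEF:<version>" token, in order
HEADER_FIELDS = ("device_vendor", "device_product", "device_version", "rule", "severity")

# An extension key is a run of word characters directly followed by "=".
# The DLP output leaves some values empty ("suser=") and sometimes puts a
# space after "=" ("spt= 5281"), so a value is everything up to the next
# key, stripped of surrounding whitespace and quotes.
EXT_KEY_RE = re.compile(r"(\w+)=")


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the CEF extension into key/value pairs, tolerating empty and quoted values."""
    keys = list(EXT_KEY_RE.finditer(ext))
    pairs: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs[m.group(1)] = value
    return pairs


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Expose csNLabel/cnNLabel names as keys: cs1=X cs1Label=policies gives policies=X."""
    resolved = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            resolved[label] = ext[key[:-5]]
    return resolved


def parse_cef_line(line: str) -> Dict[str, Any]:
    """Return a flat record for one DLP syslog line; raise ValueError on malformed input."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a DLP syslog line: %r" % line)
    # Split on unescaped pipes; the 7th part is the free-form extension.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=6)
    if len(parts) != 7 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    record: Dict[str, Any] = {
        "date": m.group("date"),
        "hostname": m.group("hostname"),
        "component": m.group("component"),
        "cef_version": parts[0].split(":", 1)[1],
    }
    record.update(zip(HEADER_FIELDS, parts[1:6]))
    record["severity"] = int(record["severity"])
    record["extension"] = resolve_labels(parse_extension(parts[6]))
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cef_line(SAMPLE), indent=2))
```

Running the script prints the sample as a JSON record in which the policy, match count and subject are reachable under the names given by their Label keys as well as under cs1, cn1 and cs2.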
6. Click Logout.
7. Click Login.
If this doesn't work, log in to the back end as root and reset the time from the DLP Monitor command line.
Synchronizing DLP devices
If you get a system time error when attempting to log in to the user interface, use this task to resynchronize DLP device time with your desktop.
1. Open the Microsoft Windows date/time display.
2. Adjust local time to Greenwich Mean Time.
3. Log on to DLP Monitor and use the date --utc command to enter the corrected date and time.
# date
8. If the date is correct, reset Stingray.
Administrative Example
A CSO of a large company might log in as the primary user and create administrative groups with specific sets of rights to manage the DLP Manager. These groups might include the following:
- System Administrators
- Network Administrators
- Installation and Setup Administrators
- Policy Administrators
Each administrator might then create Forensics and Analyst groups for users who report to them.
Organizational Example
The primary DLP administrator might decide that user groups should reflect user roles in existing departments. New groups like the following might be created to reflect the current organization of the company.
In this example, the rights assigned to each of these groups match departmental tasks and responsibilities.
Managing users
Working with users
DLP User Administration matches the rights of individual users to their roles, which are defined by user group permissions. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users to view existing users.
TIP: Click on the Details icon of any user or group to review task and policy permissions.
NOTE: Administrative permission is required to add, delete or disable users.
Adding users
Use this task to add users.
1. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users | Actions | Create Local User.
TIP: You can add multiple users by importing them from an LDAP server.
2. Type in the user's login ID, name, email address and password.
3. Select an Available group to which you want the user to belong.
4. Click Add to move it to Current group membership.
5. Repeat until the user is a member of all appropriate groups.
6. Click Apply.
NOTE: If the user doesn't fit logically into the available groups, you must add a new group.
Setting permissions
Assigning permissions
Use this task to assign permissions to users. Only administrators can assign permissions, and if group permissions are modified, all members of the group must log out and log in again.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select the Details icon of a group.
3. Select the Task Permissions or Policy Permissions tab.
4. Open a Permissions group.
5. Select one or more checkboxes.
6. Click Apply.
7. Repeat until all permissions are set.
8. Click Apply.
NOTE: The Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.
Checking permissions
All rights are inherited from group affiliation, so users must know their group affiliations to check permissions. Only administrators can assign permissions. Use this task to check permissions. This procedure works only if an administrator has given the user's group permission to view permissions.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Users.
2. Select the Detail icon of the user.
3. Make a note of Current group membership.
4. Go to System | User Administration | Groups.
5. Select the Detail icon of the group.
6. Select the Task or Policy Permissions tab.
7. Open a Permissions group.
8. Review the checked boxes.
9. Repeat until all permissions are viewed.
10. Click Cancel.
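The Administrative Example and the Assigning and Checking permissions tasks above describe one permission model: rights come only from group membership, the Incidents dashboard needs both the Policy Execute and Task View Dashboards permissions, and a permission change takes effect only after the affected users log in again. The Python model below is an added example, not McAfee code, that makes those three rules explicit: a user's effective rights are the union over their groups, and a session snapshots those rights at login, so a stale session keeps the old rights until a new login. The group names are the ones the guide uses; the permission names other than Execute and View Dashboards, and the logins, are constructed for the example.

```python
"""Group-based permission resolution for DLP user administration.

Added example (not McAfee code). Models the rules stated in the guide:
rights come only from group membership, a session is evaluated against the
permissions held at login, and the Incidents dashboard needs the Policy
"Execute" and Task "View Dashboards" permissions. Permission names other
than those two are constructed.
"""
from typing import Dict, FrozenSet, Set, Tuple


class Group:
    def __init__(self, name: str, task_permissions=(), policy_permissions=()):
        self.name = name
        self.task_permissions: FrozenSet[str] = frozenset(task_permissions)
        self.policy_permissions: FrozenSet[str] = frozenset(policy_permissions)


class UserDirectory:
    """Users, groups and memberships as an administrator maintains them."""

    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}
        self.memberships: Dict[str, Set[str]] = {}

    def add_group(self, group: Group) -> None:
        self.groups[group.name] = group

    def add_user(self, login: str, groups=()) -> None:
        self.memberships[login] = set()
        for g in groups:
            self.add_to_group(login, g)

    def add_to_group(self, login: str, group_name: str) -> None:
        if group_name not in self.groups:
            raise KeyError("no such group: " + group_name)  # create the group first
        self.memberships.setdefault(login, set()).add(group_name)

    def remove_from_group(self, login: str, group_name: str) -> None:
        self.memberships.get(login, set()).discard(group_name)

    def effective_permissions(self, login: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
        """Union of task and policy permissions over all of the user's groups."""
        task: Set[str] = set()
        policy: Set[str] = set()
        for name in self.memberships.get(login, ()):
            g = self.groups[name]
            task |= g.task_permissions
            policy |= g.policy_permissions
        return frozenset(task), frozenset(policy)


class Session:
    """Permissions are snapshotted at login; group changes need a new login."""

    def __init__(self, directory: UserDirectory, login: str) -> None:
        self.login = login
        self.task_permissions, self.policy_permissions = directory.effective_permissions(login)

    def can_view_incidents_dashboard(self) -> bool:
        return "Execute" in self.policy_permissions and "View Dashboards" in self.task_permissions


def build_demo_directory() -> UserDirectory:
    """Constructed sample data mirroring the Administrative Example."""
    d = UserDirectory()
    d.add_group(Group("Policy Administrators",
                      task_permissions={"View Dashboards"},
                      policy_permissions={"Execute", "Modify"}))      # "Modify" is constructed
    d.add_group(Group("Forensics",
                      task_permissions={"View Dashboards", "Search"}))  # "Search" is constructed
    d.add_user("admin", ["Policy Administrators"])
    d.add_user("jdoe", ["Forensics"])
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    s = Session(d, "jdoe")
    print("jdoe at login:", s.can_view_incidents_dashboard())
    d.add_to_group("jdoe", "Policy Administrators")
    print("same session after group change:", s.can_view_incidents_dashboard())
    print("after re-login:", Session(d, "jdoe").can_view_incidents_dashboard())
```

The snapshot in Session is the reason the guide tells users to log out and log in again after a group change: the running session never re-reads the directory, which also means a revoked right stays usable until the session ends, so revocations should be followed by terminating the user's sessions.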
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | User Settings.
2. Check the Enable Lockout box.
3. Enter login parameters in the Login Settings dialog box. When a user exceeds the maximum number of attempts, the system no longer responds to login attempts. When automatic lockout is set, the session is locked out for the number of minutes specified.
4. Click Submit.
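The lockout behaviour configured in the task above can be stated precisely in code. The Python class below is an added example, not McAfee code: it counts consecutive failed attempts per login, refuses further attempts for the configured number of minutes once the maximum is exceeded, and records every outcome for the audit log. The parameter names, the three-attempt and fifteen-minute defaults and the sample login are constructed; the guide only says that a maximum attempt count and a lockout time in minutes are configured.

```python
"""Login lockout as configured under User Settings: after the maximum number
of failed attempts the login is refused for the configured number of minutes.

Added example (not McAfee code). Parameter names, defaults and the sample
login "jdoe" are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


class LoginLockout:
    def __init__(self, max_attempts: int = 3, lockout_minutes: int = 15, enabled: bool = True):
        self.max_attempts = max_attempts
        self.lockout = timedelta(minutes=lockout_minutes)
        self.enabled = enabled                        # the "Enable Lockout" checkbox
        self._failures: Dict[str, int] = {}           # consecutive failures per login
        self._locked_until: Dict[str, datetime] = {}
        self.audit: List[Tuple[datetime, str, str]] = []  # (time, login, outcome)

    def is_locked(self, login: str, now: datetime) -> bool:
        until = self._locked_until.get(login)
        if until is None:
            return False
        if now >= until:                              # lockout expired: clear the state
            del self._locked_until[login]
            self._failures.pop(login, None)
            return False
        return True

    def attempt(self, login: str, password_ok: bool, now: datetime) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.enabled and self.is_locked(login, now):
            outcome = "locked"                        # refused without checking the password
        elif password_ok:
            self._failures.pop(login, None)           # success resets the counter
            outcome = "ok"
        else:
            n = self._failures.get(login, 0) + 1
            self._failures[login] = n
            if self.enabled and n >= self.max_attempts:
                self._locked_until[login] = now + self.lockout
            outcome = "denied"
        self.audit.append((now, login, outcome))
        return outcome


def demo_sequence() -> List[str]:
    """Constructed walk-through: three bad passwords, a refused retry, success after expiry."""
    t0 = datetime(2010, 7, 7, 15, 38)
    lk = LoginLockout(max_attempts=3, lockout_minutes=15)
    steps = [(False, 0), (False, 10), (False, 20), (True, 300), (True, 15 * 60 + 20)]
    return [lk.attempt("jdoe", ok, t0 + timedelta(seconds=s)) for ok, s in steps]


if __name__ == "__main__":
    print(demo_sequence())
```

The fourth attempt in demo_sequence carries the correct password and is still refused, which is the point of the control: while the lockout is active the password is not evaluated at all, so the window cannot be used to keep guessing.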
Auditing users
Using audit services
The user audit log records all user activity on DLP systems. Users who have administrative permissions can monitor them. Re-order the audit log elements by clicking the column headers, or use the Filter by feature in the navigation bar to sort the results for greater readability.
For example, if you suspect a system problem was caused by a single user or action, checking entries at the time the problem appeared might reveal its source.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit Logs.
2. Pull down the Timestamp menu under Filter by... .
3. Select a period of interest.
4. Click plus to add a filtering category.
5. Pull down the Filter by... menu and select Device to sort by DLP system.
6. Select equals or not equal from the second pull-down menu.
7. Click "?" to launch a pop-up with the names of the available DLP devices. Alternatively, you can type in the host name of the machine (listed in the Device column).
8. Repeat the action for any of the other elements listed in the log.
9. Click Apply.
10. Review the log information.
11. Correct or reverse the action.
NOTE: Click Clear All before creating another filter.
Content capture filters reveal significant data types and improve performance by eliminating selected portions of Flow A (Layer 1) traffic. Network capture filters reveal significant data streams and improve performance by eliminating large portions of Transport (Layer 4) traffic, usually in a specific sequence.
- Content capture filter actions keep certain types of traffic from being recognized by the capture engine.
- Network capture filter actions ignore specific components of network traffic or store data that is transmitted via certain protocols.
data types being transmitted, and protocols being used to transmit it).
Standard Network Capture Filters

Filter                  Description
Ignore RFC 1918         Excludes traffic routed to 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 and 192.168.0.0-192.168.255.255
Ignore HTTP Responses   Excludes program output sent from a server after receiving and interpreting an HTTP request
Ignore unknown          Excludes traffic using unknown protocols
Ignore SMB              Excludes Server Message Block and Microsoft Basic Input/Output System (NetBIOS) traffic
Ignore SSH              Excludes secure shell traffic
Ignore POP              Excludes Post Office Protocol 3 traffic
Ignore IMAP             Excludes Internet Message Access Protocol traffic
Ignore HTTPS            Excludes secure Hypertext Transport Protocol traffic
Ignore LDAP             Excludes Lightweight Directory Access Protocol traffic
Ignore NTLM             Excludes Microsoft New Technology Local Area Network Manager traffic
BASE                    Base Configuration filter (opens the system for storage of incoming data)
3. Open Source/Destination.
4. Select IP Address.
5. Select source or destination.
6. Enter IP addresses in the value field.
7. Click Search.
Example
192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25
NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data stream, it must always run last. For example, if you add a filter to ignore all traffic to and from ports 80 and 453, the capture engine would ignore all HTTP and HTTPS traffic.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Create Network Filter and define its parameters. The new filter is added to the bottom of the Network Filters list.
3. Use the UP arrow in the Priority column to move it up to the correct position.
4. Click Apply.
TIP: Move the new filter up until it is in a position to filter out more traffic than the filters below it, but less than those above it.
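The IP address filter syntax shown in the Example above (a single address, an address range and a CIDR block, comma-separated) and the priority rule in the note above (first matching filter decides, BASE must be last) are demonstrated together in the Python script below. It is an added example, not McAfee code, and goes slightly beyond the page by validating the filter order before any packet is classified. The packet records, the port-based HTTPS filter (TCP 443 is the standard HTTPS port) and the destination-based reading of "traffic routed to" the RFC 1918 ranges are constructed for the example.

```python
"""Network capture filter matching and priority ordering.

Added example (not McAfee code). Parses the guide's IP address filter
syntax (single address, range, CIDR block) and applies an ordered filter
list in which the first match decides and the BASE filter must be last.
Packet records and the HTTPS port filter are constructed.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]                             # constructed: {"src", "dst", "dpt"}
Filter = Tuple[str, str, Callable[[Packet], bool]]     # (name, action, predicate)

# The three RFC 1918 ranges from the Standard Network Capture Filters table.
RFC1918 = "10.0.0.0-10.255.255.255,172.16.0.0-172.31.255.255,192.168.0.0-192.168.255.255"


def parse_ip_filter(value: str):
    """Parse 'a.b.c.d,a.b.c.d-a.b.c.e,a.b.c.d/nn' into a list of matchers."""
    matchers = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
            if hi < lo:
                raise ValueError("range end before start: " + item)
            matchers.append(("range", lo, hi))
        else:
            # strict=False accepts host bits set, as in 192.168.2.1/25 in the guide
            matchers.append(("net", ipaddress.ip_network(item, strict=False)))
    return matchers


def ip_matches(matchers, addr: str) -> bool:
    """True if addr falls inside any range or network of the parsed filter value."""
    a = ipaddress.ip_address(addr)
    for m in matchers:
        if m[0] == "range" and m[1] <= a <= m[2]:
            return True
        if m[0] == "net" and a in m[1]:
            return True
    return False


def validate_order(filters: List[Filter]) -> None:
    """BASE stores whatever reaches it, so any filter placed after it would never run."""
    names = [f[0] for f in filters]
    if "BASE" not in names or names[-1] != "BASE":
        raise ValueError("the BASE filter must be the last network filter")


def classify(filters: List[Filter], packet: Packet) -> Tuple[str, str]:
    """Walk the filters in priority order; the first matching filter decides the action."""
    validate_order(filters)
    for name, action, predicate in filters:
        if predicate(packet):
            return name, action
    return "BASE", "store"   # not reached once validate_order has passed


def standard_filters() -> List[Filter]:
    """A constructed three-entry filter list in the order the guide requires."""
    private = parse_ip_filter(RFC1918)
    return [
        ("Ignore RFC 1918", "ignore", lambda p: ip_matches(private, str(p["dst"]))),
        ("Ignore HTTPS", "ignore", lambda p: p["dpt"] == 443),
        ("BASE", "store", lambda p: True),
    ]


if __name__ == "__main__":
    fs = standard_filters()
    for pkt in ({"src": "203.0.113.5", "dst": "10.4.5.6", "dpt": 25},
                {"src": "203.0.113.5", "dst": "198.51.100.7", "dpt": 443},
                {"src": "203.0.113.5", "dst": "198.51.100.7", "dpt": 25}):
        print(pkt["dst"], pkt["dpt"], "->", classify(fs, pkt))
```

The order check is what the TIP above asks the operator to do by hand: a broad "ignore" filter placed above a narrower one silently removes the narrower filter's traffic from the capture, and anything below BASE is never consulted.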
Notification that the device has recovered and has been up for X minutes
Notification that the device was down for X minutes
Notification is sent every X minutes after the device went down
Technical specifications
Understanding specifications
Any modifications to DLP equipment, unless expressly approved by the party responsible for compliance, could void authority to operate the equipment. DLP hardware has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 16 of the Federal Communications Commission rules. Operation is subject to the following two conditions:
- the device may not cause harmful interference, and
- the device must accept any interference received, including interference that may cause unwanted operation.
These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. DLP equipment generates, uses, and can radiate radio frequency energy. If not installed and used in accordance with the instruction manual, it might cause harmful interference to radio communications. If operation of this equipment in a residential area causes harmful interference, it must be corrected at owner expense.
Power Redundancy
To ensure redundancy on the DLP appliances with more than one power supply, all must be active to share the load while operating at nominal power. Additional protection is provided if two electrical outlets that are on different circuit breakers are used. Should one power supply fail, a back-up fan automatically turns on, an alarm sounds and a warning LED is illuminated. If this occurs, contact McAfee Technical Support for a replacement unit. NOTE: If the appliance loses power for any reason, it will not come back up unless you change the BIOS setting in advance. The motherboard is set to off by default.
C) Mechanical Loading
Mounting of the equipment in the rack should be such that a hazardous condition is not created due to uneven mechanical loading.
D) Circuit Overloading
Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
E) Reliable Earthing
Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (use of power strips).
TIP: Troubleshooting tips are available on the WebHelp home page. You can also get system information by clicking the More or Configure links at Menu | Data Loss Prevention | DLP Sys Config.
Glossary
A
action rule: An automatic rule that uses one or more specific Prevent Policy actions (allow, block, bounce, encrypt, notify, quarantine, redirect) to resolve violations flagged by the capture engine.
Active Directory: Microsoft directory service used to provide basic organizational LDAP functions, such as integration with existing user systems.
administrator account: Default user account for the primary NDLP administrator (admin).
alert: A message triggered by a significant system event that may require a response.
anchor commands: Reference markers that set conditions for matches found in network data by a Concept.
archive: Compressed files that can be extracted and evaluated by the search engine.
audit log: A record of all actions taken by DLP users.
authentication: A security measure that confirms the identity of a user or entity attempting to access a system.

B
bandwidth throttling: A setting that restricts the quantity of data transmitted to prevent network congestion.
blocking: An action taken to prevent transmission of data outside of a network.

C
capture engine: A DLP component that captures, analyzes, processes, and saves all data on a network.
capture filter: A component that is used to isolate significant portions of data to streamline processing by the DLP capture engine.
case system: A collaborative framework that centralizes resolution of incidents flagged by DLP queries and rules.
centralized alerting: An alert notification process controlled by McAfee DLP Manager.
certificate: A digital component generated by a Certificate Authority that authenticates a secure connection between users or servers.
certificate authority: An entity or service that issues and manages digital security certificates.
CIDR (Classless Inter-Domain Routing): Notation used to define IP addresses and subnet masks beyond 8-bit 'classful' limits to efficiently describe routing of IPv4 or IPv6 packets.
cipher text: Encrypted text that is unreadable until it has been converted into plain text.
cleartext: Unencrypted plain text that is readable by anyone on a network.
compliant: A state that indicates that no policy violations have been found after rules have been applied to the network data stream.
Concept: A DLP component that finds collections of significant data related to a single issue.
console: The centralized Manager device that coordinates DLP appliances.
content filtering: The process of classifying all network data into content types that can be processed by a capture engine.
content type: A database object that defines data according to file type.
crawl: An automated process that scans and indexes the contents of a database or file system.
credential: A utility made up of user name, domain, and password that authenticates entry to a repository or database.

D
Data at Rest: Static data at risk that can be found in a repository or database during a DLP scanning process.
Data in Motion: Dynamic data at risk that is flagged by DLP Monitor in the network data stream.
Data in Use: Static data at risk that can be found on host devices that use network resources.
deployment: The process of distributing policies and rules from DLP Manager to its attached appliances.
DHCP: Services used to assign dynamic IP addresses whose sources and destinations can be traced and identified.
Discover scan: A type of scan that uses policies, rules, and Concepts to find data that is at risk.
distributed searching: A technique used by DLP Manager to construct queries of network data through multiple DLP Monitors.
drilldown: The process of discovering increasingly granular information about an incident by clicking through link levels on DLP dashboards.
Dynamic Host Configuration Protocol: Services used to assign dynamic IP addresses whose sources and destinations can be traced and identified.

E
endpoints: Host devices, including laptops, desktops, servers, printers, removable media and mobile devices that utilize corporate resources.
exception: A parameter added to a rule that keeps the capture engine from reporting false positives.
exclude list: A collection of documents that are not to be reported if they are detected during a scan.

F
failover account: A default account that provides backdoor access to a DLP appliance if the link to its Manager is broken.
false positive: An incident that is reported when a rule produces a hit that resembles, but does not match, the definition of a violation.
filter: A feature that provides customized views of captured data by selectively screening results on DLP dashboards.
fingerprinting: The process of using an algorithm to create a digital signature that identifies data at risk.

I
incident: An object of interest that is reported to a DLP device when a rule parameter matches a string in network or endpoint data.
inheritance: The application of settings of a DLP policy to its rules.
Inventory scan: A type of scan that produces a manifest of all data available in a repository or database.

L
Lightweight Directory Access Protocol: Directory services used by DLP Manager to identify and extract user accounts residing on external servers.
link speed: A setting that may need to be changed if devices on a network monitored by DLP devices have specific speed and duplex requirements that prevent auto-negotiation.
logical operator: A symbol that is used to construct DLP keyword queries in a shorthand fashion.

M
Mail Transfer Agent: An email relay server used by DLP Prevent to communicate actions to be implemented when data at risk is identified.
Message digest (MD5): A cryptographic hash function used by DLP devices to identify data that has been fingerprinted.

N
network storage scan: A type of Discover scan that crawls network attached storage repositories or databases.
Network Time Server: A local or remote server used by DLP to synchronize date and time with other network devices.
node: A host connected to a network.

P
permissions: Privileges allowing role-based access to DLP users who are assigned specific tasks based on their role in the organization.
policy: A collection of related rules used by DLP devices to identify and classify data at risk.
Prevent Policy actions: A set of actions (allow, block, bounce, encrypt, notify, quarantine, redirect) that can be automatically applied to data at risk by an action rule.
proxy server: A component that acts as an intermediary between a group of intranet devices and the internet.
publishing: The act of distributing policies to DLP appliances from a centralized DLP Manager.

Q
quarantine: Enforced isolation of a file or folder that violates policy or poses a risk to the system.

R
RBAC (Role-Based Access Control): A system that assigns privileges to DLP users based on their roles in an organization.
reaction: An aspect of a host DLP rule that uses one or more specific actions (encrypt, monitor, notify, quarantine, store evidence, delete) to process incidents or violations flagged by the McAfee Agent.
Registration scan: A type of scan that crawls a designated database or file share and generates unique signatures to protect data at risk.
remediation: The process of using action rules to resolve violations found during a DLP discovery scan of a repository or database.
repository: A server, or a share on a server, containing files that are to be crawled by DLP Discover.
repository type: A file system defined by the protocol used to access it.
rule: An entity that identifies anomalies in network or endpoint data by matching its parameters to one or more attributes of data at risk.
RWL (Real World Locality): An entity whose name is likely to be used in a directory search request.

S
scan: A process that locates data at risk while crawling a network repository or database at a designated time.
share: A device, volume, partition or directory that has been targeted for remote access by a scan operation.
signature: A unique hexadecimal number generated by an algorithm that identifies data at risk.
syslog server: A system log server that automatically receives and records messages from a DLP Manager or Monitor.

T
tar file: A UNIX or Linux archive containing compressed files.
template: A DLP component used to save keystrokes when searching network data, adding rules, or creating capture filters.
tuning a rule: The process of modifying a rule in stages to gradually eliminate false positives from search results.

U
unpublishing: The act of removing policies from deployment on DLP appliances.

V
view vector: A configuration that displays incidents from one of three capture databases (Data-in-Motion, Data-at-Rest, Data-in-Use) on DLP dashboards.
views: A framework that displays incidents found in captured or scanned data in a variety of different configurations on DLP dashboards.
violation: A risk that is reported when a query or rule matches an attribute in the capture database.

W
wiping policy: A setting regulating use of disk space on a DLP Monitor appliance.