dlp_1100_pg_c-00_en-us.pdf - McAfee Data Loss Prevention 11.0.000 Product Guide (McAfee ePolicy Orchestrator)


This preview shows page 1 out of 233 pages.

McAfee Data Loss Prevention 11.0.000 Product Guide (McAfee ePolicy Orchestrator)

COPYRIGHT
Copyright © 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Product overview
    What is McAfee DLP?
    Key features
    How it works
    McAfee DLP Endpoint and McAfee Device Control — Controlling endpoint content and removable media
    How the client software works
    McAfee DLP Endpoint on the Microsoft Windows platform
    McAfee DLP Endpoint on the OS X platform
    McAfee DLP Discover — Scanning files, repositories, and databases
    Supported repositories
    Types of scans
    McAfee DLP Prevent — Protecting email and web traffic
    Protecting email traffic
    Protecting web traffic
    McAfee DLP Monitor — Analyzing network traffic
    Supported protocols
    McAfee DLP Prevent for Mobile Email — Protecting mobile email
    Interaction with other McAfee products

2 Planning your DLP policy
    McAfee DLP workflow
    The McAfee DLP protection process
    Classify
    Track
    Protect
    Monitor
    Policy workflow
    Best practice McAfee DLP Discover workflow
    Shared policy components

Configuration and use

3 Configuring system components
    Configuring McAfee DLP in the Policy Catalog
    Import or export the McAfee DLP Endpoint configuration
    Client configuration
    Support for client configuration parameters
    Configure client settings
    Configure server settings
    Protecting files with rights management
    How McAfee DLP works with rights management
    Supported RM servers
    Define a Rights Management server
    Documenting events with evidence
    Using evidence and evidence storage
    Creating evidence folders
    Configure evidence folder settings
    Controlling assignments with users and permission sets
    REST API for importing definitions and applying policies
    Create end-user definitions
    Assigning McAfee DLP permission sets
    Create a McAfee DLP permission set
    Working with McAfee DLP policies
    Set connection timeout settings
    Set up a cluster of McAfee DLP Prevent appliances
    Close the McAfee DLP Prevent appliance SMTP ports
    Specify a maximum level of nesting of archived attachments
    Add additional MTAs that can deliver email
    Deliver emails using a round-robin approach
    Limit connections to specified hosts or networks
    Enable TLS on incoming or outgoing messages
    Configure McAfee DLP Prevent to scan encrypted web traffic only
    Close the McAfee DLP Prevent appliance ICAP ports
    Enable a McAfee DLP Prevent appliance to process response requests
    Using external authentication servers
    The Common Appliance Management policy
    Edit the Email Gateway policy to work with McAfee DLP Prevent
    Integrate McAfee DLP Prevent in your web environment
    McAfee ePO features

4 Protecting removable media
    Protecting devices
    Managing devices with device classes
    Define a device class
    Obtain a GUID
    Create a device class
    Organizing devices with device templates
    Working with device templates
    Device properties
    Device control rules
    Create a removable storage device rule
    Create a plug-and-play device rule
    Create a removable storage file access device rule
    Create a fixed hard drive device rule
    Create a Citrix device rule
    Create a TrueCrypt device rule
    Removable storage file access rules

5 Classifying sensitive content
    Components of the Classification module
    Using classifications
    Classifying by file destination
    Classifying by file location
    Text extraction
    How McAfee DLP Endpoint categorizes applications
    Dictionary definitions
    Advanced pattern definitions
    Classifying content with document properties or file information
    Application templates
    Manual classification
    Embedded properties
    Configure manual classification
    Registered documents
    Manual registration
    Automatic registration
    Whitelisted text
    Create and configure classifications
    Create a classification
    Create classification criteria
    Upload registered documents
    Upload files to whitelist text
    Configure classification components for McAfee DLP
    Create content fingerprinting criteria
    Assign manual classification permissions
    Use case: Manual classification
    Create classification definitions
    Create a general classification definition
    Create or import a dictionary definition
    Create an advanced pattern
    Create a URL list definition
    Use case: Integrate Titus client with third-party tags
    Use case: Integrate Boldon James Email Classifier with classification criteria

6 Protecting sensitive content
    Creating policies with rule sets
    Create rule definitions
    Create a network port range
    Create a network address range
    Create an email address list definition
    Create a network printer definition
    Defining rules to protect sensitive content
    Defining rules by reputation
    Protecting data-in-use
    Device control rules
    Discovery rules in McAfee DLP Endpoint and in McAfee DLP Discover
    Application control rules
    Whitelists
    Customizing end-user messages
    Create and configure rules and rule sets
    Create a rule set
    Create a rule
    Assign rule sets to policies
    Enable, disable, or delete rules
    Back up and restore policy
    Configure rule or rule set columns
    Create a justification definition
    Create a notification definition
    Rule use cases
    Use case: Removable storage file access device rule with a whitelisted process
    Use case: Set a removable device as read-only
    Use case: Block and charge an iPhone with a plug-and-play device rule
    Use case: Prevent burning sensitive information to disk
    Use case: Block outbound messages with confidential content unless they are sent to a specified domain
    Use case: Allow a specified user group to send credit information
    Use case: Classify attachments as NEED-TO-SHARE based on their destination

7 Scanning data with McAfee DLP Endpoint discovery
    Protecting files with discovery rules
    How discovery scanning works
    Find content with the Endpoint Discovery crawler
    Create and define a discovery rule
    Create a scheduler definition
    Set up a scan
    Use case: Restore quarantined files or email items

8 Scanning data with McAfee DLP Discover
    Choosing the scan type
    How inventory scans work
    How classification scans work
    How remediation scans work
    How registration scans work
    Scan considerations and limitations
    Repositories and credentials for scans
    Using definitions and classifications with scans
    Using rules with scans
    Configure policy for scans
    Create definitions for scans
    Create rules for remediation scans
    Configure a scan
    Configure an inventory scan
    Configure a classification scan
    Configure a remediation scan
    Configure a registration scan
    Perform scan operations
    Analyzing scanned data
    How McAfee DLP Discover uses OLAP
    Viewing scan results
    Analyze scan results
    View inventory results

Monitoring and reporting

9 Incidents and operational events
    Monitoring and reporting events
    DLP Incident Manager/DLP Operations
    How the Incident Manager works
    Working with incidents
    View incidents
    Sort and filter incidents
    Configure column views
    Configure incident filters
    View incident details
    Manage incidents
    Update a single incident
    Update multiple incidents
    Email selected events
    Manage labels
    Working with cases
    Manage cases
    Create cases
    View case information
    Assign incidents to a case
    Move or remove incidents from a case
    Update cases
    Add or remove labels to a case
    Delete cases

10 Collecting and managing data
    Edit server tasks
    Create a Purge events task
    Create an Automatic mail Notification task
    Create a Set Reviewer task
    Monitor task results
    Creating reports ...