
McAfee Data Loss Prevention

Product Guide
Release 9.0.1

COPYRIGHT Copyright 2010 McAfee, Inc. All Rights reserved. This documentation is protected by copyright and distributed under licenses restricting its use, copying, distribution, and compilation. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without permission of McAfee, Inc. or the suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS Reconnex iGuard, inSight Console, Prevent and Discover, now known as McAfee Network DLP Manager, Monitor, Discover and Prevent, are Class A digital devices, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. All McAfee related products contained herein (including Reconnex) are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee reserves the right to change any products described herein at any time, and without notice. McAfee assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by McAfee. The use and purchase of this product does not convey a license to any patent, copyright, or trademark rights, or any other intellectual property rights of McAfee. FCC SPECIFICATIONS This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. In a residential area, operation of this equipment is likely to cause harmful interference, in which case the user may be required to take adequate measures. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
PRODUCT INFORMATION McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein are only by reference and are the sole property of their respective owners. The documentation is provided "as is" without warranty of any kind, either expressed or implied, including any kind of implied or expressed warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.

November 10, 2010


McAfee DLP 9.0.1 Product Guide

Contents
Introducing McAfee DLP 9.0 ... 1
McAfee DLP Products ... 1
Product Naming Conventions ... 2
Features of McAfee DLP 9.0 ... 2
How DLP Monitor works ... 2
Unified policy features ... 3
Incident management features ... 4
Discovery features ... 4
Directory server integration features ... 5
System management features ... 5
How Host DLP works ... 6
How Network DLP works ... 6
Use Cases ... 6
Examples ... 6
Protecting Confidential Data ... 7
Finding leaked documents ... 7
Identifying and tracking specific documents ... 8
Finding copied or relocated files ... 8
Blocking data containing source code ... 9
Filtering Results ... 10
Finding documents by file type ... 10
Finding high-risk incidents ... 10
Eliminating false positives from results ... 11
Detecting Insider Activity ... 11
Monitoring a user's online activity ... 11
Identifying disgruntled employees ... 12
Finding unencrypted user data ... 12
Finding policies violated by a user ... 13
Getting statistics on website visits ... 13
Finding message board postings ... 13
Finding social networking traffic ... 14
Finding Rogue Communications ... 15


Finding encrypted traffic ... 15
Identifying frequent communications ... 15
Finding email using non-standard ports ... 16
Excluding an IP or email address from detection ... 16
Detecting Privacy Violations ... 17
Preventing release of privacy information ... 17
Blocking transmission of financial data ... 17
Protecting Endpoints ... 18
Blocking intellectual property residing on endpoints ... 18
Keeping IP from being copied to a USB drive ... 19
Keeping intellectual property from being printed ... 21
Preventing loss of project data from endpoints ... 22
Protecting intellectual property at a specific network location ... 23
Protecting Global Business ... 23
Finding evidence of foreign interference ... 23
Finding leaks after global close of business ... 24
Filtering captured data ... 25
Filtering out configuration-controlled files ... 25
Storing a portion of filtered traffic ... 25
Searching captured data ... 26
How data is captured and processed ... 26
Using search features ... 27
Basic search processes ... 27
How capture works ... 27
Adding or subtracting search parameters ... 27
Searching with managed systems ... 27
Getting notification of results ... 27
Getting details and search history ... 28
Stopping searches ... 28
Cloning searches ... 28
Finding documents ... 28
How to find documents ... 28
Finding Microsoft or Apple documents ... 29


Finding documents by type ... 29
Finding office documents ... 30
Finding proprietary documents ... 30
Finding source code ... 30
Finding email and chat ... 31
How to find email ... 31
Finding email by address ... 31
Finding email by host name ... 31
Finding email by domain name ... 32
Finding email by port ... 32
Finding email by protocol ... 32
Finding email subjects ... 33
Finding email attachments ... 33
Finding email senders ... 33
Finding email recipients ... 34
Finding copies of emails ... 34
Finding blind copies of emails ... 34
Finding webmail by port ... 35
Finding webmail by protocol ... 35
Finding chat sessions ... 35
Finding files ... 36
How to find files ... 36
Finding file name patterns ... 36
Finding files by file type ... 37
Finding files by owner ... 37
Finding files by size ... 37
Finding files by document type ... 38
Finding files using MD5 signatures ... 38
Finding images ... 39
How to find images ... 39
Finding images of people ... 39
Finding images using a template ... 39
Finding IP addresses ... 40


How to find IP addresses ... 40
Finding a range of IP addresses ... 40
Finding IP addresses on a subnet ... 40
Excluding incidents using specific IP addresses ... 41
Finding keywords ... 41
Excluding keywords from a query ... 41
Finding exact matches ... 42
Finding keyword expressions ... 42
Finding keywords using logical operators ... 42
Finding non-English matches ... 43
How to find keywords ... 44
Supported languages ... 45
Logical operators supported in keyword queries ... 45
Finding locations of violations ... 45
Finding sources of violations ... 45
Finding violations by website ... 46
How to find locations ... 46
List of country codes ... 47
Finding violations by port ... 47
How to find violations by port ... 47
Excluding ports from a query ... 47
Finding violations by port range ... 47
List of common port assignments ... 48
Finding violations by protocol ... 48
How to find violations by protocol ... 48
Excluding protocols from a query ... 49
Finding violations in time ... 49
How to find time-stamped files ... 49
Searching in a relative time frame ... 49
Searching in an exact time frame ... 50
Searching by file creation time ... 50
Searching by file last accessed time ... 51
Searching by last modification time ... 51


Searching by local or Greenwich Mean Time ... 51
Searching with concepts and templates ... 52
Using concepts and templates in queries ... 52
Using concepts in queries ... 52
Using templates in queries ... 53
Using concept expressions in a query ... 53
Excluding a concept from a query ... 54
Understanding search rules ... 54
Rules used by the indexer ... 54
How archives are handled ... 55
Case insensitivity rule ... 55
How Microsoft Office 2007 files are handled ... 55
Avoiding negative searches ... 56
Number of results supported ... 56
Parts of speech excluded from capture ... 56
How proper names are treated ... 56
Handling of short words ... 56
Special character exceptions ... 56
How word stemming is handled ... 57
Monitoring Active Directory users ... 57
How remote user accounts are monitored ... 57
Using Active Directory User elements ... 58
Using DLP on remote LDAP servers ... 58
Viewing Active Directory incidents ... 58
Adding Active Directory columns to the dashboard ... 59
Adding rules to find Active Directory information ... 59
Advantages of keying on SIDs ... 60
Types of Active Directory data supported ... 60
How McAfee Logon Collector is used with DLP ... 61
How McAfee Logon Collector enables user identification ... 61
Finding remote user information ... 61
How remote user data is retrieved ... 61
Finding remote users by name ... 62


Finding remote users by group ... 62
Finding remote users by city ... 63
Finding remote users by country ... 63
Finding remote users by organization ... 64
Getting and processing results ... 64
Using the Incidents dashboard ... 64
Using the DLP Homepage ... 65
Checking Homepage permissions ... 65
Configuring the DLP Homepage ... 65
Customizing the DLP Homepage ... 66
How to use the Homepage ... 66
Getting details of results ... 66
How to get incident details ... 66
Finding matches that triggered incidents ... 67
Finding out if an incident is in a case ... 67
Getting history of an incident ... 67
Identifying concepts that triggered incidents ... 67
Generating reports ... 67
How reports are generated ... 67
Adding a company name to a report ... 68
Creating CSV reports ... 68
Creating HTML reports ... 68
Creating PDF reports ... 69
Scheduling reports ... 69
Setting up views ... 69
How to set up views ... 69
Copying views to users ... 70
Deleting views ... 70
Saving views ... 70
Selecting different views ... 71
Selecting a view vector ... 71
Selecting pre-configured views ... 71
Customizing the results dashboards ... 72


How dashboards are customized ... 72
Adding rows to the dashboard ... 72
Changing dashboard display space ... 72
Configuring dashboard columns ... 72
Displaying match strings ... 73
Grouping and filtering incidents ... 73
How incidents are grouped and filtered ... 73
Clearing filters ... 73
Filtering incidents ... 73
Grouping incidents ... 74
Setting a date and time for results ... 74
Sorting results ... 75
How to sort results ... 75
Deleting incidents ... 75
Deleting similar incidents ... 75
Finding incidents that violated a policy ... 76
Sorting incidents by attribute ... 76
Changing settings ... 76
How settings are changed ... 76
Configuring throttling to limit incidents ... 77
Encrypting incidents ... 77
Preventing data loss ... 77
Protecting data with DLP Prevent, Discover, and Endpoint ... 77
Protecting data with DLP Prevent ... 78
How DLP Prevent protects data ... 78
Adding a DLP Prevent action rule ... 78
Applying a DLP Prevent action rule ... 79
Types of DLP Prevent actions ... 79
The role of DLP Prevent in a managed system ... 80
How DLP Prevent processes email ... 80
Configuring DLP Prevent for email ... 80
How DLP Prevent processes webmail ... 81
Configuring DLP Prevent for webmail ... 81


MTA requirements to inter-operate with Prevent ... 82
Reviewing prevented violations ... 82
Protecting data with DLP Discover ... 82
How DLP Discover protects data ... 82
Adding a remedial action rule ... 83
Types of remedial action ... 83
Applying a remedial action to a rule ... 84
Setting up a location for exported files ... 84
Copying discovered files ... 85
Deleting discovered files ... 85
Encrypting discovered files ... 86
Moving discovered files ... 87
Reverting remediated files ... 88
Reviewing remedial actions ... 88
Adding columns to display remedial actions ... 88
Protecting data with Host DLP (Endpoint) ... 89
Adding an Endpoint action rule ... 89
Applying an action to a rule with Endpoint parameters ... 89
How Host DLP protects data ... 90
Types of DLP Endpoint actions ... 90
Protecting endpoint data ... 90
Host DLP: Integrated into Network DLP ... 90
How Host DLP extends network results ... 91
How Network DLP protects endpoints ... 91
Creating Agent Override Passwords ... 91
Agent events that cannot be reported ... 92
Viewing endpoint events ... 92
Types of endpoint events ... 93
Managing endpoints ... 93
How Host and Network policies differ ... 93
How Host DLP rules are mapped to Network DLP ... 94
Adding endpoints to existing network rules ... 94
Limitations of rules with Endpoint parameters ... 94


Excluding printers from protection rules ... 95
Assigning Host DLP incidents to cases ... 95
Searching endpoint data ... 95
Limitations of this release ... 95
Discovering data at risk ... 95
Introducing McAfee DLP Discover ... 95
Setting up Discover ... 96
Configuring DLP Discover ... 96
Adding Discover to Manager ... 96
Preparing Discover for managed mode ... 96
Republishing Discover policies ... 97
Setting Discover registration permissions ... 97
Setting Discover scan permissions ... 97
Task status messages ... 98
System status messages ... 99
Registering sensitive content ... 100
Registering documents or structured data ... 100
How signatures register data ... 101
Managing registered documents ... 101
Registering documents by uploading ... 101
Uploading complete paths with Firefox ... 102
Excluding text from registration ... 102
Searching with the DocReg concept ... 102
Adding the DocReg concept to a rule ... 103
Setting signature types ... 103
How signatures are shared with managed systems ... 104
Managing signature generation memory ... 104
Deregistering content ... 104
Reregistering content ... 104
Crawling databases ... 105
Protecting sensitive database content ... 105
What is Dynamic Data Registration? ... 105
Database types supported ... 106


Database object hierarchy differences ... 106
Database terminology differences ... 107
Registering structured data by uploading ... 107
Setting up basic database scans ... 108
Advanced Options definitions for database scan operations ... 108
Defining catalogs to be scanned ... 109
Defining columns to be scanned ... 109
Defining logins for a database scan ... 109
Defining nodes for database scan operations ... 110
Defining ports for a database scan ... 110
Defining records/rows to be scanned ... 111
Defining schemas to be scanned ... 111
Defining SSL certificates for a database scan ... 111
Defining tables to be scanned ... 112
Managing scans ... 112
Managing scan operations ... 112
Types of scan states ... 113
Viewing scan operations ... 113
Modifying the state of a scan ... 113
Deploying scans ... 114
Starting scans ... 114
Stopping scans ... 114
Setting bandwidth for a scan ... 115
Scanning in full duplex mode ... 115
Managing scan load ... 116
Editing scans ... 116
Deleting scans ... 116
Setting up scans ... 117
Preparing to scan ... 117
Setting up basic scans ... 117
Repository types supported ... 118
Configuring inventory scans ... 118
Configuring discovery scans ... 119


Configuring registration scans ... 120
Firewall configuration to allow scanning ... 120
Managing credentials ... 121
Using credentials to access repositories ... 121
Viewing existing credentials ... 122
Adding credentials ... 122
Editing credentials ... 122
Deleting credentials ... 122
Scheduling scans ... 123
Using scan schedules ... 123
Viewing scan schedules ... 123
Editing scan schedules ... 123
Deleting scan schedules ... 123
Filtering scans ... 124
Defining scans ... 124
Filtering scans by browsing ... 124
Filtering scans manually ... 125
Filtering IP addresses to be scanned ... 126
Filtering URLs to be scanned ... 126
Filtering file properties for a scan ... 127
Filtering folders to be scanned ... 128
Filtering shares to be scanned ... 128
Setting policies for a scan ... 129
Getting scan results ... 129
How scan statistic reporting works ... 129
Understanding scan results ... 130
Viewing incidents found by a scan ... 130
Getting reports of scan statistics ... 130
Getting database scan statistics ... 131
Adding columns to scan statistics ... 131
Viewing registered data matches ... 131
Viewing scan status ... 131
Getting historical statistics ... 132


Searching discovered data ... 132
Finding discovered data ... 132
Finding scan operations ... 132
Finding registered files in discovered data ... 133
Finding repository types in discovered data ... 133
Finding IP addresses in discovered data ... 133
Finding host names in discovered data ... 134
Finding file name patterns in discovered data ... 134
Finding file owners in discovered data ... 135
Finding file paths in discovered data ... 135
Finding percentages of registered data at rest ... 135
Finding share names in discovered data ... 136
Finding domain names in discovered data ... 136
Finding catalogs in discovered data ... 136
Finding schemas in discovered data ... 137
Finding column names in discovered data ... 137
Finding table names in discovered data ... 137
Finding records and rows in discovered data ... 138
Storage scanning requirements ... 138
Accessing network storage ... 138
Accessing Network Attached Storage (NAS) ... 138
Accessing Storage Area Networks (SANs) ... 138
Host vs. network discovery ... 138
How host and network scans differ ... 138
How host and network remediation differs ... 139
How host and network registration works ... 139
Deploying a host package to the agents ... 139
Registering documents on host computers ... 140
Setting up a host discovery scan ... 140
Configuring a policy for host discovery ... 141
How host scans are scheduled ... 141
Scheduling a host discovery scan ... 141
Scheduling a host registration scan ... 142


Using policies and rules ... 142
How policies and rules are used ... 142
Using policies ... 143
How policies work ... 143
Policy field definitions ... 143
Using international policies ... 144
Adding policies ... 145
Activating policies ... 145
Deactivating policies ... 146
How activation works ... 146
How inheritance works ... 146
Changing ownership of policies ... 147
Publishing policies ... 147
Cloning policies ... 147
Renaming policies ... 148
Executing policies ... 148
Editing policies ... 148
Deleting policies ... 148
Using rules ... 149
How rules work ... 149
Adding rules ... 149
Viewing rule parameters ... 149
Reconfiguring rules for web traffic ... 150
Copying a rule to a policy ... 150
Detaching rules from policies ... 150
Editing rules ... 151
Deleting rules ... 151
Defining exceptions to rules ... 151
What are false positives? ... 151
How exceptions to rules are defined ... 151
Defining false positive incidents ... 152
Adding exceptions to existing rules ... 152
Adding new rules that contain exceptions ... 153


Correcting inaccurate rules ... 153
Tuning rules ... 154
Using action rules ... 155
How action rules are used ... 155
How action rules are deployed ... 155
Reacting to violations ... 155
Comparing Action to Protection rules ... 156
Assigning status to an incident ... 156
Applying an action rule ... 156
Assigning responsibility for an action ... 156
Using action rules to log incidents ... 157
Using action rules to notify users ... 157
Reconfiguring action rules for proxy servers ... 158
Setting up an action ... 158
Editing action rules ... 158
Cloning action rules ... 159
Removing an action from a rule ... 159
Deleting action rules ... 159
Using concepts and templates ... 159
How concepts and templates are used ... 159
Using concepts ... 160
How concepts are used ... 160
Types of concepts ... 160
Adding content concepts ... 160
Adding network concepts ... 161
Adding session concepts ... 162
Setting concept conditions ... 163
Applying concepts to rules ... 164
Using regular expressions in concepts ... 164
Restoring factory concepts ... 165
Editing concepts ... 166
Deleting concepts ... 166
Using templates ... 166


How templates are used ... 166
Adding templates ... 166
Viewing standard templates ... 167
Removing a template from a rule ... 167
Deleting templates ... 167
Using the case management system ... 168
How case management works ... 168
Collecting credit card violations in a case ... 168
Adding a new case ... 168
Using incidents to create a case ... 169
Adding incidents to an existing case ... 169
Adding comments to a case ... 170
Notifying users about a case ... 170
Changing ownership of cases ... 170
Changing resolution of cases ... 170
Changing status of cases ... 171
Customizing Case List columns ... 171
Customizing case notifications ... 171
Exporting cases ... 171
Managing case permissions ... 172
Reprioritizing cases ... 172
Deleting an incident from a case ... 173
Deleting cases ... 173
Managing DLP systems ... 173
Managing the system ... 173
Configuring DLP devices ... 173
Configuring DLP devices ... 173
Adding devices to DLP Manager ... 174
Adding Host DLP servers to DLP Manager ... 174
ePO installation issues ... 175
Changing link speed ... 175
Managing disk space ... 175
Backing up DLP systems ... 176


Restarting DLP systems ... 177
Deregistering devices from DLP ... 177
Adding servers to DLP systems ... 177
Configuring servers with DLP systems ... 177
Setting up DHCP services ... 178
Using DHCP servers with DLP ... 178
Adding DHCP servers ... 178
Setting up directory services ... 179
Using LDAP servers with DLP ... 179
Adding Active Directory servers ... 179
Adding LDAP Users ... 181
Configuring Active Directory servers for DLP ... 181
Exporting certificates from Active Directory ... 182
How ADAM servers extend DLP Manager ... 183
Mapping LDAP directory attributes ... 183
Setting up McAfee Logon Collector ... 184
Using McAfee Logon Collector with DLP ... 184
Authenticating DLP Manager and MLC ... 184
Setting up syslog and time servers ... 185
Using syslog and time servers with DLP ... 185
Connecting to syslog servers ... 185
Correcting system time in the interface ... 186
Resetting system time manually ... 187
Synchronizing DLP devices ... 187
Managing users and groups ... 188
Setting up users and groups ... 188
Managing user groups ... 189
Working with user groups ... 189
Using pre-configured user groups ... 189
Adding user groups ... 189
Restricting user groups ... 190
Deleting user groups ... 190
Managing users ... 190


Working with users ... 190
Adding users ... 190
Using pre-configured user types ... 191
Changing passwords and profiles ... 191
Creating an ePO database user ... 191
Using a primary administrator account ... 191
Viewing active user sessions ... 192
Setting permissions ... 192
Assigning permissions ... 192
Checking permissions ... 192
Setting policy permissions ... 193
Setting task permissions ... 193
Managing user accounts ... 193
Working with user accounts ... 193
Customizing login settings ... 193
Customizing password settings ... 194
Configuring failover accounts ... 194
Auditing users ... 194
Using audit services ... 194
Filtering audit logs ... 194
Getting audit log reports ... 195
Filtering audit log reports ... 195
Auditing live users ... 195
Sorting audit log reports ... 196
Using capture filters ... 196
Working with capture filters ... 196
Types of capture filters ... 196
Types of capture filter actions ... 196
How content capture filters work ... 197
Content capture filter actions ... 197
Adding content capture filters ... 198
How network capture filters work ... 198
Network capture filter actions ... 199


Ignoring or storing IP addresses ... 199
Adding network capture filters ... 200
Reprioritizing network capture filters ... 200
Deploying capture filters ... 201
Editing capture filters ... 201
Using undeployed capture filters ... 201
Viewing deployed capture filters ... 202
Deleting capture filters ... 202
Setting up system alerts ... 202
Configuring system alerts ... 202
Configuring device down alerts ... 202
Types of device down alerts ... 203
Technical specifications ... 203
Understanding specifications ... 203
Power Redundancy ... 203
Rack Mounting Requirements ... 203
Safety Compliance Guidelines ... 204
Contacting Technical Support ... 204
Contacting DLP Technical Support ... 204
Creating a Technical Support Package ... 205
Glossary ... 207
Index ... 213



Introducing McAfee DLP 9.0


McAfee DLP Products
In this release, Host DLP 9.0 and the Network DLP 8.6 products are integrated, and both are also part of ePO 4.5.

McAfee Data Loss Prevention Products

DLP Manager: Coordinates and centralizes all Monitor, Host, Discover and Prevent activity on the network, in file systems and databases, and on endpoints.

Host DLP: Monitors data on endpoints (desktops, laptops, removable media, printers, etc.) using network resources, generates and reports events when violations are detected, and prevents sensitive data from being compromised.

DLP Monitor: Sits passively in the network, connected to a core switch or router inside the firewall via a SPAN or tap port. It captures and analyzes all TCP traffic, produces incidents that indicate violations have been detected, and allows disposition of those incidents through filtering and case management.

DLP Discover: Scans network file systems, databases, and endpoints, registers sensitive data, detects policy violations, and allows for remediation of those incidents. NAS, intranet portals, wikis, blogs, document management systems, and FTP servers can also be scanned.

DLP Prevent: Works with an email or web gateway via the SMTP or ICAP protocol, respectively. It analyzes gateway traffic, adds X-headers to indicate actions to be taken on significant content, then returns the processed data to the gateway for enforcement. The proxy server or MTA receiving the data then blocks, bounces, encrypts, quarantines, redirects or allows the marked content.
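The DLP Prevent hand-off described above (analyze, mark with an X-header, let the MTA enforce) is easy to get wrong at the header boundary, so here is an added example of the email leg of that flow. It is not McAfee code and does not use the product's real header names or action values; the header name X-Example-DLP-Action, the concept patterns and the sample messages are all constructed placeholders. Two details a practitioner would want are shown: the analyzer replaces any pre-existing action header rather than appending to it, and the MTA side fails closed (quarantine) when the header is missing or carries an unknown value.

```python
"""Added example: DLP Prevent style marking of an email with an action header,
and the MTA-side enforcement that reads it. Not McAfee code; header name,
action values, concept patterns and sample messages are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Hypothetical header name; the product's real header is not given on this page.
ACTION_HEADER = "X-Example-DLP-Action"
CONCEPT_HEADER = "X-Example-DLP-Concepts"

# Minimal constructed "policy": concept name -> pattern, and concept -> action.
CONCEPTS = {
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential-marker": re.compile(r"\bCONFIDENTIAL\b"),
}
CONCEPT_ACTION = {"us-ssn": "BLOCK", "confidential-marker": "ENCRYPT"}

# Actions the guide lists for the MTA, in an assumed order from most to least
# severe, so a message hitting several concepts gets the strictest disposition.
SEVERITY = ["BLOCK", "BOUNCE", "QUARANTINE", "REDIRECT", "ENCRYPT", "ALLOW"]


def analyze(raw_message: bytes) -> EmailMessage:
    """Inspect the plain-text body, stamp the action header, return the
    marked message (what Prevent hands back to the gateway)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = [name for name, pat in CONCEPTS.items() if pat.search(text)]
    actions = [CONCEPT_ACTION[h] for h in hits] or ["ALLOW"]
    chosen = min(actions, key=SEVERITY.index)
    # Replace, never append: a header already present on the inbound message
    # must not be allowed to pre-seed a lenient action.
    del msg[ACTION_HEADER]
    del msg[CONCEPT_HEADER]
    msg[ACTION_HEADER] = chosen
    if hits:
        msg[CONCEPT_HEADER] = ", ".join(hits)
    return msg


def mta_enforce(msg: EmailMessage) -> str:
    """Model the MTA side: return the disposition it applies. A missing or
    unrecognised header value fails closed to QUARANTINE."""
    value = (msg.get(ACTION_HEADER) or "").strip().upper()
    return value if value in SEVERITY else "QUARANTINE"


def process(raw_message: bytes) -> str:
    """Full path: gateway -> Prevent analysis -> MTA enforcement."""
    return mta_enforce(analyze(raw_message))


# Constructed sample messages. The first already carries an ALLOW header, which
# the analyzer must overwrite.
SAMPLE_SSN = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
              b"Subject: records\r\nX-Example-DLP-Action: ALLOW\r\n\r\n"
              b"Patient SSN is 123-45-6789, please file.\r\n")
SAMPLE_CLEAN = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
                b"Subject: lunch\r\n\r\nSee you at noon.\r\n")

if __name__ == "__main__":
    print(process(SAMPLE_SSN))    # BLOCK
    print(process(SAMPLE_CLEAN))  # ALLOW
```

The same shape applies to the ICAP web leg, with the proxy in place of the MTA; only the transport around analyze() changes.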

NOTE: If you prefer the familiar Host DLP product, it is still available as a standalone product.

DLP 9.0 is organized by incidents and events contained in three different databases, which hold the incidents found on the network, in network repositories, and on endpoints.

Data-in-Motion
Data-in-Motion on the network is captured and parsed into hundreds of different categories by DLP Monitor. All real-time and historical data on the network is searchable, allowing for the creation of rules that adapt to changing content.


Data-at-Rest
Data-at-Rest in network repositories can be inventoried, and sensitive data can be registered automatically by matching it to existing rules and policies. Not only can the contents of documents be recognized and protected; individual documents can also be protected explicitly, singly or in groups. Host DLP defines Data-at-Rest on endpoints by location, document properties, user-defined metadata, file types, text patterns and attributes, encryption types, and user groups.

Data-in-Use
Data-in-Use on endpoints can be matched to the same rules and policies as all other network data, but adding one or more Host parameters makes it possible to keep data from being compromised in a variety of ways. Rule parameters can also be extended to specific shares, network paths, file types or encryption types.

NOTE: In DLP Host 9.0, Data-in-Motion refers to the sources and destinations of endpoints (for example, email, webmail, printers, etc.), and Data-in-Use is categorized by the application that created it.

Product Naming Conventions


The McAfee DLP suite is referenced in the documentation by the following product names.

McAfee Short Name    McAfee Product Name
Host DLP             McAfee Host DLP
DLP Manager          McAfee Network DLP Manager
DLP Monitor          McAfee Network DLP Monitor
DLP Prevent          McAfee Network DLP Prevent
DLP Discover         McAfee Network DLP Discover

Features of McAfee DLP 9.0


All DLP products, including Host DLP, are now integrated in ePO 4.5. In addition, many features in the following categories have been added.

- Unified policy features
- Incident management features
- Discovery features
- Directory server integration features
- System management features

How DLP Monitor works


DLP Monitor captures all network traffic; performance and results can be improved by deploying capture filters that limit the amount of data that will be recognized and indexed.


After capture and classification, incidents can be extracted from the database automatically or manually.

Automatic Extraction
Standard policies are pre-configured to apply rules to classified network data. When a rule hits on a match, an incident is created in the database and reported on the Data-in-Motion dashboards. For example, if you have the HIPAA policy deployed, the system will identify and report any medical privacy violation.

Manual Extraction
Through DLP Manager, you can query all DLP Monitor databases directly using the search options available from the DLP Reporting | Search page. When a query hits on significant data, the search can be repeated regularly by saving it as a rule under a new or existing policy.

NOTE: When a query or rule matches any stored attribute, the entire object to which it belongs is reported to the dashboard as an incident.

Unified policy features


In this release, international policies apply to both network and host applications. All products are configured through one interface and need only one policy set, which is applied to all vectors.

Unified Policies implemented


Host and Network DLP are integrated in this release, making it possible for users to create rules containing Network and Host DLP parameters and display results on all dashboards. Integration of Discover, McAfee Logon Collector, and LDAP servers makes it possible to extend all features across global enterprises, protecting data whether it is online or offline.

Internationalized content
Pre-packaged international rules and concepts supporting local laws and business cases have been added. Ad hoc searches, scans, and document registration can be done in local languages, and dashboards display incidents in local languages.

Rules configurable with multiple user attributes


Use of Active Directory parameters in rules allows retrieval of data from groups and sites through directory servers, which may be located anywhere on the globe.

Concept checks added


Algorithms that correspond to specific user-defined concepts can be implemented to detect and correct transcription errors at runtime, decreasing reports of false positives.
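Two passages above describe how this works at the rule level: a rule that hits on classified data produces an incident that reports the entire object (Manual Extraction, earlier), and a concept can carry a runtime check that rejects matches that are only superficially valid (Concept checks, here). The following is an added example, not McAfee code, that puts both together: a regular-expression content concept, an optional validation check, and a rule that combines the concept with a network parameter and reports whole captured objects. The Luhn checksum is used as the check because it is the standard validation for card-like numbers; the guide does not say which algorithms the product uses, and Luhn detects transcription errors rather than correcting them. The captured objects and their attributes are constructed sample data.

```python
"""Added example (not McAfee code): a regex content concept backed by a
validation check, applied by a rule with a network parameter to classified
objects. The whole object is reported as the incident. Luhn stands in for the
guide's "concept check"; the product's own algorithms are not given here."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: rejects most mistyped or made-up card-like numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Concept:
    name: str
    pattern: "re.Pattern"
    check: Optional[Callable[[str], bool]] = None   # runtime check on each raw hit

    def matches(self, text: str) -> List[str]:
        raw = self.pattern.findall(text)
        return raw if self.check is None else [m for m in raw if self.check(m)]


@dataclass
class CapturedObject:
    """One reassembled application-layer object with its stored attributes."""
    object_id: int
    protocol: str
    src: str
    dst: str
    text: str


@dataclass
class Rule:
    name: str
    concept: Concept
    protocols: frozenset = frozenset()   # network parameter; empty means any

    def evaluate(self, obj: CapturedObject) -> Optional[dict]:
        if self.protocols and obj.protocol not in self.protocols:
            return None
        hits = self.concept.matches(obj.text)
        if not hits:
            return None
        # As the guide notes, the entire object is reported, not just the match.
        return {"rule": self.name, "object": obj, "matches": hits}


def run_policy(rules: List[Rule], objects: List[CapturedObject]) -> List[dict]:
    incidents = []
    for obj in objects:
        for rule in rules:
            incident = rule.evaluate(obj)
            if incident is not None:
                incidents.append(incident)
    return incidents


# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample traffic. Object 2 carries an order number that looks like
# a card number but fails Luhn; object 3 is on a protocol the rule ignores.
SAMPLE_OBJECTS = [
    CapturedObject(1, "smtp", "10.0.0.5", "198.51.100.7", "Card 4111 1111 1111 1111 exp 12/12"),
    CapturedObject(2, "http", "10.0.0.9", "198.51.100.8", "order=1234 5678 9012 3456"),
    CapturedObject(3, "ftp", "10.0.0.5", "198.51.100.9", "backup 4111 1111 1111 1111"),
]

MAIL_AND_WEB = frozenset({"smtp", "http"})


def incident_counts() -> tuple:
    """Return (incidents without the check, incidents with the check)."""
    unchecked = Rule("pci-unchecked", Concept("card", CARD_PATTERN), MAIL_AND_WEB)
    checked = Rule("pci-checked", Concept("card", CARD_PATTERN, luhn_ok), MAIL_AND_WEB)
    return (len(run_policy([unchecked], SAMPLE_OBJECTS)),
            len(run_policy([checked], SAMPLE_OBJECTS)))


if __name__ == "__main__":
    print(incident_counts())   # (2, 1)
```

Adding the check halves the incidents on this sample without loosening the pattern, which is the false-positive reduction the feature is about; the FTP object shows the network parameter filtering an otherwise valid hit before the concept is consulted.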

Concept address space added


Up to 512 concepts can be implemented by DLP Manager.


Incident management features


In this release, more options are available to effectively manage incidents.

Databases encrypted
Databases are encrypted, and authorized users can decrypt case, incident and capture data at will.

Reporting is expanded
HTML reports are available for all three incident modes, and PDF reports are now available for Incident Details. Special characters are supported in reports.

Case permissions can be assigned


Role-based authorization enables administrators to distribute case privileges on a need-to-know basis.

Case enhancements added


Administrators can set up notifications of case assignments or changes. The Case List can be customized, and case logs now contain incident history. The timestamp filter is updated to match the incidents feature.

Discovery features
In this release, DLP Discover functionality is expanded to support databases, large volumes of data, increased remediation options and additional scan features.

Database crawling supported


In addition to the storage repositories already supported, DLP Discover supports ODBC. DLP Discover now crawls the following structured databases as well as network repositories:

- DB2, versions 5x iSeries, 6.1 iSeries, 7.x-9.x
- MS SQL Server, versions 2000, 2005, 2008, 7.0, MSDE 2000
- MySQL (Enterprise), versions 5.0.x, 5.1
- Oracle, versions 8i, 9i, 10g, 11g

Dynamic data registration


Large volumes of data (up to 300 million records) can not only be registered as sensitive and tracked, but fine distinctions can be made between matches. In addition, data that has been identified can not only be tracked, but associated with a rule to provide long-term protection.

Increased Discover remediation support


Data at rest detected in non-CIFS repositories (HTTP, HTTPS, FTP, Documentum, NFS, and HTTP SharePoint) can now be moved, copied, encrypted or deleted. If data is moved to quarantine in response to an incident, the action can be reverted. If a remediation action fails, an error message is issued.

Discover scans expanded


Scan operations can be paused and resumed, and notification can be set up to inform users that a crawl has started and stopped.

Directory server integration features


In this release, DLP is extended through integration with additional Active Directory server functionality.

Individual users can be identified


Through integration with McAfee Logon Collector, the identity of individual users can be resolved. Previously, only IP addresses and locations could be detected.

Large enterprise environments supported


Through integration with McAfee Logon Collector, McAfee DLP supports multiple domain controllers used in large-scale operations.

LDAP pagination is supported


User data retrieved from Active Directory servers is displayed in page format.

System management features


In this release, DLP administrative control has been improved.

Device status can be updated


DLP Manager can notify users if a device is down (disconnected or turned off), and a variety of time periods can be defined.

User login security strengthened


Administrators can discourage unauthorized access by setting up lockout conditions for repeated login attempts.

Increased security in password setting


Password requirements can be customized to force users to create more secure passwords.

Audit Logs customizable


Audit logs can be sorted and displayed to filter user data, and specific systems can be targeted.

Technical support package improved


Files generated by users to help tech support resolve problems now contain core file and BIOS DMI (Desktop Management Interface) logs, ETL (Extract/Transfer/Load) incident count, MySQL process list log, and case status.


Use Cases

How Host DLP works


In this release, Host DLP is embedded in Network DLP at the rules level, making it possible to monitor and act on endpoint content on- and off-line. Host DLP protects all data at network endpoints, not only on desktops and laptops but on removable media and printers. When a policy violation is recognized, an event is generated and stored in the ePO database as evidence, and a pre-defined reaction is triggered to handle the violation appropriately. All endpoint events can be viewed on the ePO dashboards, as well as on the Network DLP Incidents | Data-in-Use dashboard, where they can be filtered, analyzed, reviewed, and assigned to cases for further investigation.

How Network DLP works


The core component of Network DLP is a capture engine that runs on DLP Monitor. The engine captures all packets and reassembles them up to the application layer, where the database objects are classified into types and stored on capture partitions. Network DLP is also extended to discovery of data in network repositories, to directory servers throughout the enterprise, and to endpoints through Host DLP. In addition, DLP Prevent monitors and acts on all email and webmail in the enterprise.

Examples
By using one of the following examples as a template, you can find a solution to some common problems quickly.

Protecting Endpoints

- Keeping IP from being copied to a USB drive
- Keeping IP from being printed
- Blocking IP residing on endpoints
- Preventing loss of project data from endpoints
- Protecting IP at a specific network location

Protecting Confidential Data

- Finding leaked documents
- Identifying and tracking confidential documents
- Blocking data containing source code
- Finding copied or relocated files

Detecting Privacy Violations

- Blocking transmission of financial data
- Preventing release of privacy information

Finding Rogue Communications

- Excluding an IP or email address from detection
- Finding email using non-standard ports
- Identifying frequent communications
- Finding encrypted traffic

Protecting Global Business

- Finding evidence of foreign interference
- Finding leaks after global close of business

Filtering Results

- Eliminating false positives from results
- Finding high-risk incidents
- Finding documents by file type

Filtering Captured Traffic

- Filtering out configuration-controlled files
- Storing a portion of filtered traffic

Detecting Insider Activity

- Finding message board postings
- Finding policies violated by a user
- Finding social networking traffic
- Finding unencrypted user data
- Getting statistics on website visits
- Identifying disgruntled employees
- Monitoring a user's online activity

Protecting Confidential Data


Finding leaked documents
Whether leaked accidentally or deliberately, confidential documents on corporate networks are often open to discovery by unauthorized users. Use keyword and time-delimited searches to locate those documents, then analyze the incidents to find out how those documents were leaked.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Type in a word or phrase that might be found in the controlled document, such as Confidential. If you have additional information (such as content type or protocol), use an Advanced Search so you can add elements to include those values.
3. Select a time frame from the Date/Time menu.
4. Click Search.

Identifying and tracking specific documents


McAfee DLP systems help you to identify documents at risk without knowing exactly what information they contain. But in some cases, you might know enough to be able to identify those documents in advance. You can register them individually, then track them as they move or are copied to different locations.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents.
2. From the Actions menu, select Upload New File.
3. Browse to locate a sensitive file that must be protected.
   NOTE: Mozilla Firefox 3.5 will not include the path to the uploaded document unless you reconfigure it before scanning.
4. Select a policy and rule to guide the search.
   Example: Select the Financial and Security Compliance policy and the Financial Statement Documents rule to protect a document that contains sensitive financial information.
5. Select a device that will receive the uploaded file by checking the box of any DLP appliance.
6. If more documents need protection, select Save & Upload Another and repeat the process.
7. Click Save.

TIP: Schedule a Discover scan that will crawl file shares regularly looking for the document.

Finding copied or relocated files


Confidential documents often proliferate over networks, because employees can copy or move them to insecure locations to work on them, or share them with other staff members. Even when confidential information is accessed only by those who have the proper privileges, finding, registering and controlling every copy is the only way to protect it.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Web Upload.
2. Select Upload New File from the Actions menu.
3. Browse to the file you want to track.
4. Select a signature type.
   NOTE: The web upload feature supports only high granularity mode, which provides full plagiarism detection and protection by generating overlapping signatures over every bit of text in a file. The original document can be identified even if words are transposed, and the contents may differ by a couple of lines of text.

5. Select a policy that corresponds to your objective. For example, you might use the Competitive Edge policy if your goal is to protect a sensitive sales document.
6. Select a rule that corresponds to your objective. For example, you might use the Pricing Information rule if your goal is to protect a price list.
7. Select one or more DLP devices that will store the uploaded price list.
8. Click Save.
9. On the Web Upload page, click the Details icon of the price list to view the MD5 signature number. This unique number will be found during any scan, or in a search of discovery data after a scan has run.
10. Configure a Discover scan and start it.
11. After allowing some time for the document to be found, go to Incidents and click the Columns button.
12. Add the Signature and Path columns to your dashboard.
13. Click Apply.
14. Go to the Incidents page and select Data-at-Rest from the display thumbwheel.
15. Look for the signature number of the document in the results under the added columns.
16. If you want to search the Discover database for that number, right-click the number and select Copy.
17. Go to the Advanced Search page.
18. Open File Information.
19. Select MD5 is any of and paste the signature number into the Value box.
20. Click Search.
    NOTE: You might find that you are inadvertently pasting in unrelated text. If so, close the program that contains that text and repeat the process.
21. Click Search.
22. View the Path column for the exact location of the file.
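The two signature kinds this use case relies on, a whole-file MD5 that only finds byte-identical copies and overlapping text signatures that still find a copy whose sentences were reordered, words transposed or a line added, can be illustrated with a small scanner. This is an added example, not code from the product guide or McAfee's signature implementation: the product's real signature scheme is not described here beyond "overlapping signatures", the four-word window size is an assumption, and the registered price list and the file share contents are constructed sample data.

```python
import hashlib
import re

# Window size for the overlapping word signatures. Assumption for this example:
# the product's actual window size is not documented on this page.
WINDOW = 4

# Constructed sample document to register (not real corporate data).
PRICE_LIST = (
    b"Q3 price list, confidential. Widget A costs 120 dollars per unit. "
    b"Widget B costs 250 dollars per unit. Volume discounts apply above 1000 units. "
    b"Contact the sales desk for quotes."
)

# Constructed file share contents: an exact copy, a reworked copy with sentences
# reordered, two words transposed and a line added, and an unrelated file.
SHARE = {
    "//fileserver/finance/pricelist_q3.txt": PRICE_LIST,
    "//fileserver/users/bob/pricing-notes.txt": (
        b"Widget A costs 120 dollars per unit. Q3 price list, confidential. "
        b"Widget B costs 250 dollars per unit. Volume discounts apply above 1000 units. "
        b"Contact the desk sales for quotes. Updated by the regional office."
    ),
    "//fileserver/hr/cafeteria.txt": (
        b"The cafeteria menu for Monday includes soup and a sandwich special for staff."
    ),
}


def md5_signature(data: bytes) -> str:
    """Whole-file MD5: the exact-match signature number shown on the Web Upload Details page."""
    return hashlib.md5(data).hexdigest()


def text_signatures(data: bytes, window: int = WINDOW) -> set:
    """Overlapping word-window signatures: each word is covered by up to `window` hashes,
    so a moved, edited or transposed passage loses only the hashes that straddle the edit."""
    words = re.findall(r"[a-z0-9]+", data.decode("utf-8", "replace").lower())
    return {
        hashlib.sha256(" ".join(words[i:i + window]).encode()).hexdigest()[:16]
        for i in range(len(words) - window + 1)
    }


def register_document(registry: dict, doc_id: str, data: bytes) -> None:
    """Store both signature kinds for a registered document."""
    registry[doc_id] = {"md5": md5_signature(data), "text": text_signatures(data)}


def containment(registered: set, candidate: set) -> float:
    """Share of the registered document's signatures that reappear in the candidate.
    Containment (rather than Jaccard) keeps the score high when the copy has text appended."""
    return len(registered & candidate) / len(registered) if registered else 0.0


def scan_share(registry: dict, files: dict, threshold: float = 0.5) -> list:
    """Return (path, doc_id, kind, score) for each file matching a registered document.
    kind is "exact" on an MD5 match, else "partial" when containment reaches the threshold."""
    hits = []
    for path, data in files.items():
        md5 = md5_signature(data)
        sigs = text_signatures(data)
        for doc_id, reg in registry.items():
            if md5 == reg["md5"]:
                hits.append((path, doc_id, "exact", 1.0))
                continue
            score = containment(reg["text"], sigs)
            if score >= threshold:
                hits.append((path, doc_id, "partial", round(score, 3)))
    return hits


REGISTRY = {}
register_document(REGISTRY, "price-list", PRICE_LIST)

if __name__ == "__main__":
    for hit in scan_share(REGISTRY, SHARE):
        print(hit)
```

The exact copy is reported through its MD5 alone, the reworked copy keeps roughly two thirds of the registered signatures and is reported as a partial match, and the unrelated file shares none. The MD5 is what you paste into the File Information search in step 19; a search on that value cannot find the reworked copy, which is why the Discover scan with text signatures is needed as well.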

Blocking data containing source code


Employees who are leaving the company might feel they have a right to the code they have written. You can protect your company's intellectual property by configuring your systems to block all source code leaving the network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type is any of and click "?".
4. Open Source Code from the popup menu.
5. Select one or more source code types.
   TIP: If you don't know the source code type, select Template and is any of. Then click "?" and Select All beside the Source Code category.
6. Click Apply.
7. Click Save as Rule.
   NOTE: When you save a search, it becomes a rule.
8. Go to the Policies tab.
9. Open the policy containing the new rule, then click on it.
10. Click on the Action tab.
11. Click Add Action, then select the Block and Notify Sender action.
12. Click Save.

When the rule runs and source code is found, the action rule automatically blocks it. The sender receives email notification of the action.

TIP: To notify more users, go to Policies | Action Rules, edit the action rule, and Save.

Filtering Results
Finding documents by file type
You might know that a confidential document you are looking for in your results was created by a Microsoft Office application. You can find that document by filtering incidents to display only documents created by that program.

TIP: If you have a limited number of results to sort through, you can simply click any icon on the dashboard relating to the program. The results will be automatically sorted by that attribute.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Under Filter by Timestamp, select a time frame.
3. Click plus to add a filter.
4. Select Content from the first menu.
5. Select equals from the second menu.
6. Type in the document type, or click "?" and select MSWord from the popup menu. If you know the name of the document, add another element using a Filename equals filter, and type in its name.
7. Click Apply.

The dashboard will reconfigure the results to display the document.

TIP: To add a note to the incident, use the Comments equal filter and type in a text string.

Finding high-risk incidents


When you have a high volume of violations to search through, it may be difficult to find the most significant ones. Filter your results to display only the most critical incidents.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Under Filter by Timestamp, select a time frame.
3. Click plus to add a filter.
4. Select Severity from the first menu.
5. Select equals from the second menu.
6. Type in a number from 1 to 5, or click "?" from the third menu and select a Severity checkbox from the popup menu.
7. Click Apply.
8. Click Apply.

Eliminating false positives from results


Suppose you are looking for personal identification numbers that violate privacy standards, but product part numbers that also match the pattern are being erroneously reported. An exception that redefines the numerical pattern will exclude the incidents containing part numbers, which do not constitute privacy violations.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.
2. On the Incidents dashboard, find one or more incidents that contain part numbers.
3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.
4. Check the boxes of the incidents.
   TIP: If all incidents on the page were produced by the rule, select the box in the table header to select all of them.
5. From the Actions menu, select Modify Status | False Positive | Create Exception.
6. When the Edit Rule page launches, type some text describing the exception in the Notes box.
7. Redefine the values reported on that page. For example, if the part number has the same pattern as an identification number, but is preceded by "PN#", add a Content element that specifies "Keywords | contain none of | PN#".
   TIP: If there is no difference in the pattern, consider eliminating another element the incidents have in common. For example, if all of the reported part number incidents come from the same department, create a Source/Destination element that specifies an email domain or UserOrganization.
8. Click Save.

TIP: After the rule runs, evaluate the incidents retrieved and make revisions if the results still do not meet your criteria.

Detecting Insider Activity


Monitoring a user's online activity
Employees who have been warned to discontinue specific network activities should be monitored to prevent them from wasting company resources or sabotaging the system. You can monitor all of a user's communications to determine if they are complying with your instructions.

TIP: To monitor the user on a regular basis, save the search as a rule. In case of flagrant violations, incidents and events can be collected in a case and delegated to your legal team for use as evidence in court.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select User ID, Host Name, Host IP, or Email address from the Input Type menu.
3. Type identifying text into the value field.
   NOTE: The UserID corresponds to a field found on an LDAP server, so this option cannot be used unless a directory server has been added. Note that a UserID does not necessarily correspond to a user's email address, since a user could have more than one email address.
4. If the information is on a remote directory server, click Find and select a category of users, then click Apply. If you select Everyone, the rule will apply to all users on all of your directory servers.
5. If the user is local, click plus to add one or more identifying elements, such as an IP or email address under Source/Destination.
6. Click Search or Save as Rule.

Identifying disgruntled employees


Unhappy insiders can do a lot of damage to your business operations if they are not found and stopped. You can search for instant messaging or email communications that contain clues to potential trouble by applying a concept that will identify those transmissions.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Concept from the first drop-down menu, and is any of from the second.
4. Click "?".
5. Select DISCONTENT from the Acceptable Use menu. This concept contains a collection of words and phrases that are often used by unhappy employees. Go to Policies | Concepts and double-click on one of them to understand what the phrases are, and how the concept is constructed.
6. Click Apply.
7. Click Search.

Finding unencrypted user data


You might assume that usernames and passwords are protected on your network as a matter of course, but that may not always be the case. Find out quickly if user account information is circulating in cleartext on your network by searching for account passwords.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select Keywords.
3. Type the words account password into the value field.
4. Click Search.

NOTE: If there are any significant results, alert your IT department.

Finding policies violated by a user


If you have a lot of incidents to sort through, it may be hard to find the ones that are related to a particular user. You can find them by keying on attributes relating to that user.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select Policy from the Group by menu.
3. Double-click the policy the user might have violated (if it generated incidents).
4. Under Filter by, select a time from the Timestamp menu.
5. Click plus to add a filter.
6. Select UserID, UserName, or UserEmail from the first menu.
7. Select equals from the second menu.
8. Type in the user's ID, name or email address.
   TIP: If you don't have exact information but want to guess at the identity of a sender or recipient, select the Sender or Recipient filter, add a like or not like condition, and type in a string that might match some characters in the user's ID, name or email address.
9. Click Apply.

Getting statistics on website visits


Even if users are routinely allowed to use the Internet to complete their job duties, they might have been told to curtail visits to certain web sites that can compromise network security.

TIP: By creating a content capture filter, you can store all traffic to and from inappropriate web sites to find out if your company policy is being violated.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select URL is any of and type the URL of the website into the value field, for example, www.webrats.com.
4. Click Search.

TIP: If no results are retrieved, check to see if the default ignore_http_header content capture filter is still active.

Finding message board postings


Employees sometimes spend company time on non-work-related posting to internet sites. You can identify that activity by targeting the protocol that is used to transmit such postings.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a time frame from the menu under Filter by Timestamp.
3. Click plus to add a filter.
4. Select Protocol from the first drop-down list, and is any of from the second.
5. Type in HTTP_Post, or click "?" and select it from the popup menu.
6. Click Apply.
7. Click Apply.

TIP: This filter identifies all posting traffic. If you know what web site is being posted to, add a Content equals filter and type in its name (for example, webrats.com).

Finding social networking traffic


Employees who are accustomed to using social networking sites might not realize how much time they are spending on activities that reduce their productivity, or how much sensitive information might be leaked when they use such sites in the workplace. You can find out how much social networking activity is occurring on your network by finding all traffic to and from specific web sites.

Use Site Keywords


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Type site keywords into the value field (for example, facebook or myspace).
3. Select a time frame from the Date/Time menu.
4. Click Search.

Detect Posting to any Site


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select Protocol.
3. Click "?" and select HTTP_Post from the popup menu.
4. Click Apply.
5. Click Search.

Find Blog Postings to Popular Sites


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Open Content.
3. Select Concept is any of and click "?".
4. Select BLOGPOST from the popup menu.
   TIP: Go to Policies | Concepts and customize BLOGPOST by clicking plus to add additional expressions that cover more sites. Save the edited concept, then repeat the search.
5. Click Apply.
6. Click Search.

Finding Rogue Communications


Finding encrypted traffic
Insiders attempting to conceal illegal activity or steal your intellectual property routinely use encryption. Identify the sources and destinations of encrypted traffic on your network to expose those activities.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type from the first drop-down list, and is any of from the second.
4. Click "?".
5. From the Protocol menu, select Crypto.
6. Click Apply.
7. Click Search.

Identifying frequent communications


You may suspect that a particular user is communicating with an off-site competitor. You might be able to identify the sources and destinations of frequent communications that will eventually reveal that leak.

TIP: If you already know a source or destination, find the other side of the session by searching for a UserID or email address on the Advanced Search page under the Source/Destination category.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select an incident.
3. Select a time frame from the menu under Filter by Timestamp.
4. Click plus to add a filter.
5. Select SourceIP or DestinationIP from the first drop-down list, and equals from the second.
   NOTE: If the source and destination IP addresses are dynamically assigned, they will change over time. If you have added a DHCP server to DLP Manager, you can track the previous addresses of a host.
6. Type the known IP address into the Values field.
   TIP: Click the Details icon of an incident to find the IP address.
7. Click Apply.

The dashboard will display all sender and recipient communications with that IP address, but you see the SourceIP and DestinationIP addresses only by adding those columns to the dashboard.

TIP: Add another filter to identify both source and destination of frequent communications.

Finding email using non-standard ports


When non-standard ports are used to transmit email, a deliberate attempt to conceal illegal activity should be suspected. By eliminating email that uses well-known ports, unknown or unsecured transmissions can be revealed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type from the first drop-down list, and is any of from the second.
4. Click "?".
5. Open Mail from the popup menu.
6. Select one or more email formats, or Select All.
7. Click Apply.
8. Open Protocol.
9. Select Port is none of and type standard port numbers into the value field.
   TIP: Ports 25 and 80 are commonly-used email and webmail ports.
10. Type 25 into the Value field. Repeat for port 80 to exclude all email sent by well-known ports.
11. Click Search and evaluate the results.

TIP: You may have to add Columns to your dashboard to see the port information, which is displayed in source and destination columns.
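Both this use case and the false-positive exception under Filtering Results are built from the same rule vocabulary: elements of the form attribute, operator, values, where an "is none of" or "contain none of" element narrows a rule rather than widening it. The small evaluator below, an added example rather than the product's rule engine (how McAfee DLP combines elements internally is not described on this page; treating all elements of a rule as an AND is an assumption of this example), runs three such rules over constructed sample objects: the identification-number pattern before and after the "Keywords | contain none of | PN#" exception, and the mail-on-non-standard-ports rule with ports 25 and 80 excluded. The ID number pattern, the "PN#" marker and every sample record are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed candidate objects carrying the attributes a rule element can test.
# These are not real captured objects.
SAMPLES = [
    {"id": 1, "text": "Customer record: ID 123-45-6789, see attached",
     "content_type": "MSWord", "src_port": 51000, "dst_port": 25},
    {"id": 2, "text": "Reorder PN# 123-45-6789 before Friday",
     "content_type": "MSWord", "src_port": 51001, "dst_port": 25},
    {"id": 3, "text": "Subject: invoices",
     "content_type": "Mail", "src_port": 51002, "dst_port": 2525},
    {"id": 4, "text": "Subject: team lunch",
     "content_type": "Mail", "src_port": 51003, "dst_port": 25},
    {"id": 5, "text": "GET /index.html",
     "content_type": "HTML", "src_port": 51004, "dst_port": 8080},
]


@dataclass
class Element:
    """One rule element: attribute, operator and values, as entered on the Edit Rule page."""
    attribute: str   # "Pattern", "Keywords", "ContentType" or "Port"
    operator: str    # "matches", "is any of", "is none of", "contain none of"
    values: list

    def matches(self, rec: dict) -> bool:
        if self.attribute == "Pattern":
            found = any(re.search(p, rec["text"]) for p in self.values)
        elif self.attribute == "Keywords":
            found = any(v in rec["text"] for v in self.values)
        elif self.attribute == "ContentType":
            found = rec["content_type"] in self.values
        elif self.attribute == "Port":
            found = rec["src_port"] in self.values or rec["dst_port"] in self.values
        else:
            raise ValueError(f"unknown attribute {self.attribute!r}")
        if self.operator in ("matches", "is any of"):
            return found
        if self.operator in ("is none of", "contain none of"):
            return not found
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Rule:
    name: str
    elements: list

    def matches(self, rec: dict) -> bool:
        # Assumption: every element must hold (AND), so a "none of" element acts
        # as an exception that removes matches instead of adding them.
        return all(e.matches(rec) for e in self.elements)


def run_rule(rule: Rule, records: list) -> list:
    """Return the ids of the records the rule would report as incidents."""
    return [r["id"] for r in records if rule.matches(r)]


# Constructed pattern for an identification number written NNN-NN-NNNN.
ID_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"

# Before: the pattern alone also reports part numbers that share the format.
ID_RULE = Rule("Identification numbers", [Element("Pattern", "matches", [ID_PATTERN])])

# After: the exception element "Keywords | contain none of | PN#" drops the part-number hits.
ID_RULE_WITH_EXCEPTION = Rule("Identification numbers", [
    Element("Pattern", "matches", [ID_PATTERN]),
    Element("Keywords", "contain none of", ["PN#"]),
])

# Mail content seen on any port other than the well-known ports named in the use case.
NONSTANDARD_PORT_MAIL = Rule("Email on non-standard ports", [
    Element("ContentType", "is any of", ["Mail"]),
    Element("Port", "is none of", [25, 80]),
])

if __name__ == "__main__":
    for rule in (ID_RULE, ID_RULE_WITH_EXCEPTION, NONSTANDARD_PORT_MAIL):
        print(rule.name, "->", run_rule(rule, SAMPLES))
```

Record 2 disappears once the exception element is added, while record 1 is still reported; only record 3 (mail on port 2525) survives the port rule. In a real deployment the "is none of" list for mail would also carry the other ports your mail servers legitimately use, such as 587 for submission, otherwise ordinary traffic fills the results.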

Excluding an IPor email address from detection


Even network administrators may not be privileged to peruse certain information found in network data streams. If you want to ensure absolute security for one or more hosts or users who have access to top secret information, you can protect them from detection by the capture engine.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Create Content Filter.
3. Type in a name for the filter. Typing a description is optional.
4. Select Drop Element from the Action menu.
5. Open the Source/Destination category.
6. Select IP Address from the first drop-down list, and is any of from the second. You can define an email address instead, or add an element and protect both email and IP addresses.
7. Type the IP address or email address into the value field.
   NOTE: If the address is on a subnet, it is detectable only if the network and host portions of the IP address are standard classful IP (address fields are separated into four 8-bit groups). Separate multiple addresses by commas, and IP ranges by dashes.
8. Check the box of the device on which you want the filter deployed, or None if you want to deploy it later.
9. Click Save.

NOTE: CIDR notation is supported, but IPv6 is not.
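The value field of this filter accepts a small grammar: comma-separated entries, each an IPv4 address, a dash-separated IPv4 range, a CIDR block or an email address, with IPv6 unsupported. The parser and matcher below is an added example, not the product's filter code (how the capture engine applies Drop Element filters internally is not described here); the filter name and the addresses in EXAMPLE_VALUES are constructed. It rejects IPv6 and reversed ranges with a clear message, and the matcher answers whether an object with a given source or destination address would be dropped from capture, which is useful for checking a filter before deploying it, since anything it drops becomes invisible to every DLP rule.

```python
import ipaddress
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class DropFilter:
    """A Drop Element capture filter: objects to or from a listed address are not captured."""
    name: str
    networks: list = field(default_factory=list)   # IPv4Network objects; a single address is a /32
    emails: set = field(default_factory=set)


def parse_values(raw: str) -> tuple:
    """Parse the value field: entries separated by commas, IP ranges by dashes,
    CIDR accepted, IPv6 rejected (the guide states it is not supported)."""
    networks, emails = [], set()
    for item in (t.strip() for t in raw.split(",")):
        if not item:
            continue
        if "@" in item:
            if not EMAIL_RE.match(item):
                raise ValueError(f"malformed email address: {item!r}")
            emails.add(item.lower())
        elif ":" in item:
            raise ValueError(f"IPv6 is not supported in this filter: {item!r}")
        elif "-" in item:
            lo_s, hi_s = (p.strip() for p in item.split("-", 1))
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if hi < lo:
                raise ValueError(f"range end precedes range start: {item!r}")
            # A dash range becomes the minimal set of CIDR blocks covering it.
            networks.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # Plain address or CIDR block; strict=False tolerates host bits in a CIDR entry.
            networks.append(ipaddress.IPv4Network(item, strict=False))
    return networks, emails


def build_filter(name: str, raw: str) -> DropFilter:
    networks, emails = parse_values(raw)
    return DropFilter(name, networks, emails)


def validate_values(raw: str):
    """Return None when the value field parses cleanly, otherwise the error message."""
    try:
        parse_values(raw)
    except ValueError as exc:
        return str(exc)
    return None


def is_dropped(flt: DropFilter, ip: str = None, email: str = None) -> bool:
    """True when an object with this source or destination IP or email would not be captured."""
    if ip is not None:
        addr = ipaddress.IPv4Address(ip)
        if any(addr in net for net in flt.networks):
            return True
    if email is not None and email.lower() in flt.emails:
        return True
    return False


# Constructed value field: a few protected hosts, one address range, one subnet, one mailbox.
EXAMPLE_VALUES = "10.1.2.3, 10.1.5.10-10.1.5.20, 192.168.0.0/24, Alice@Example.com"

if __name__ == "__main__":
    flt = build_filter("exec-hosts", EXAMPLE_VALUES)
    for probe in ("10.1.2.3", "10.1.2.4", "10.1.5.15", "10.1.5.21", "192.168.0.200"):
        print(probe, "dropped" if is_dropped(flt, ip=probe) else "captured")
    print("IPv6 entry:", validate_values("2001:db8::1"))
```

Keep such filters short and reviewed: every address in the list is exempt from all monitoring, so a typo that widens a range (or a CIDR block larger than intended) silently blinds the capture engine to traffic you meant to inspect.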

Detecting Privacy Violations


Preventing release of privacy information
Billions of dollars have been lost by companies that have released privacy information by accident. You can prevent such losses by implementing existing policies to identify the information, then setting up automatic blocking to keep it from leaving the network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy that can be used to identify privacy information. For example, you might select Financial and Security Compliance, Competitive Edge, or Personally Identifiable Information.
3. Click on the first rule listed under the policy, then click the Actions tab.
4. If no action is listed, or the action listed is not relevant, click the Add Action icon.
5. Select the appropriate action rule.
   NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions column will be applied. If you do not see the one you need, create it under Policies | Action Rules, then return to this step.
   NOTE: Action rules act only on monitored or discovered data (Data-in-Motion or Data-at-Rest). Only one action type is allowed for each process.
6. Click Save.
7. Repeat this process for every rule under the policy.
8. When the policy runs, all privacy information defined in its rules will be blocked from leaving the network.

Blocking transmission of financial data


Even the most dedicated employees might not realize the implications of failing to protect financial documents, or they may not know how to encrypt them. You can protect this data in either case by creating a concept that flags a variety of financial documents, then attaching an action rule to prevent them from leaving the network.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Concept is any of and click "?".
4. Check the Select All checkboxes on all groups of financial concepts. (For example, if you are in North America you might select Banking and Financial Sector, and Corporate Financial.)
   TIP: Concepts contain words and phrases that identify a broad range of financial content. Go to Policies | Concepts and double-click on one of them to understand how they are constructed.
7. Click Apply.
8. Click Save as Rule.
   NOTE: When you save a search, it becomes a rule.
9. Go back to the Policies page.
10. Open the policy containing the new rule, then click on it.
11. Click on the Action tab.
12. Click Add Action, then select the Block and Notify Sender action.
13. Click Save.

When the rule runs and source code is found, the action rule automatically blocks it. The sender receives email notification of the action.

TIP: To notify more users, go to Policies | Action Rules, edit the action rule, and Save.

Protecting Endpoints
Blocking intellectual property residing on endpoints
If your intellectual property is referenced in email or webmail communications residing on an endpoint, it can be blocked from being sent to a competitor.

NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Competitor Policy.
3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.
4. Click Save.
5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.
   NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You could also do a historical search, then save it as a rule when it returns the type of information you need.
6. Type a name for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Define the intellectual property by selecting keywords, content type, or concepts from the Content menu. You may add values to one or more of the following categories.
   - Type in Keywords that may be found in sensitive documents.
   - Select Content Type from the menu, click "?" to launch the Content Type palette, and make one or more selections from it.
   - Select Concept from the menu and click "?" to launch the definitions palette.
   TIP: Inspect the Intellectual Property sub-menu to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the Concepts palette.
   NOTE: The following selections are optional, depending on how much you know about what you are looking for.
4. Open Source/Destination and select UserName from the menu.
5. Select is any of or is none of. The latter selection will indicate an exception to the value provided.
6. Click "?" and select from the remote Directory Server List.
7. Click Find and select a category of users, then click Apply. If you select Everyone, the rule will apply to all users on your directory servers.
8. Click plus to add another item under Source/Destination.
9. Select Email Address from the menu.
10. Select is all of or another condition to focus the email address.
11. Type in the domain you want to block.
12. Open Protocol and select Protocol from the menu.
13. Select is any of.
14. Click "?" and select from the Internet Protocols menu. For example, if you suspect intellectual property is being posted, select HTTP_Post.
15. Click Apply.
16. Click the Actions tab, then click Add Action.
    NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one of each type to a single rule.
17. Scroll down to the Data-in-Use actions and select the WebPost Reaction or Email Reaction action rule.
    NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions column will be applied.
18. After you have finished adding as much information as you have to the rule, click Save and let the policy and rule run. After you get results, tune as needed.

Keeping IP from being copied to a USB drive


If your employees are allowed to work remotely, they may be duplicating material that contains proprietary information in the course of performing legitimate tasks. If USB drives containing such information are lost or mishandled, your intellectual property could easily be lost to a competitor.

NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Competitor Policy.
3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.
4. Click Save.
5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.
   NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You could also do a historical search, then save it as a rule when it returns the type of information you need.
6. Type a name for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Open Endpoint and select Protect Removable Media from the menu.
9. Click "?", check Enable, and click Apply.
   NOTE: This definition, plus an action rule, constitutes a minimal removable media policy. To refine the rule for specific content, add the following definitions.
10. Define content by selecting keywords, content type, or concepts from the Content menu. You may add values to one or more of the following categories.
   - Type in Keywords that may be found in sensitive documents.
   - Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
   - Select Concept from the menu and click "?" to launch the definitions palette.
   TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. Open Source/Destination and select UserName from the menu.
13. Select is any of or is none of. (The latter selection will indicate an exception to the value provided.)
14. Click the "?" and select from the remote Directory Server List.
15. Click Find and select a category of users, then Apply. If you select Everyone, the rule will apply to all users on your local and directory servers.
16. Click the Actions tab, then Add Action.
    NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one of each type to a single rule.
17. Scroll down to the Data-in-Use actions and select the Removable Media Reaction action rule.
    NOTE: Actions are defined and edited on the Action Rules page. All of the reactions listed in the Actions column will be applied.
18. Click Save.


McAfee DLP9.0.1 Product Guide


Keeping intellectual property from being printed


If your employees are allowed to work remotely, they may be printing material that contains proprietary information in the course of performing legitimate tasks. If printed copies containing such information are lost or mishandled, your intellectual property could easily be lost to a competitor.
NOTE: This use case requires deployment of NDLP Endpoint functionality and an added directory server.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy. Give the policy a recognizable name, such as Printer Policy.
3. Select Active from the State menu, then click on the DLP devices to which you want to publish the policy.
4. Click Save.
5. On the Policies page, open the new policy. From the Actions menu, select Add Rule.
   NOTE: You can use an existing policy and add a rule to it, or clone an existing rule from another policy. You could also do a historical search, then save it as a rule when it returns the type of information you need.
6. Type a name for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Open Endpoint and select Protect Local Printers from the menu.
9. Click "?", check Enable, and click Apply.
   TIP: You can select one or more Network Printers from the "?" Directory Server List, or type in its network path and name, to add printer protection for printers on your company site. You can allow exceptions for secure printers by defining them at DLP Sys Config | Endpoint Configuration | Unmanaged Printers.
10. Click the Actions tab, then Add Action.
   NOTE: This definition, plus an action rule, constitutes a minimal printer policy. To refine the rule for specific content, add the following definitions.
11. Define content by selecting keywords, content type, or concepts from the Content menu. You may add values to one or more of the following categories.
   • Type in Keywords that may be found in sensitive documents.
   • Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
   • Select Concept from the menu and click "?" to launch the definitions palette.
   TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. Open Source/Destination and select UserName from the menu.
13. Select is any of or is none of. (The latter selection indicates an exception to the value provided.)
14. Click "?" and select from the remote Directory Server List.


15. Click Find and select a category of users, then Apply. If you select Everyone, the rule will apply to all users on your directory servers.
   NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one of each type to a single rule.
16. Scroll down to the Data-in-Use actions and select the Printer Reaction action rule.
   NOTE: Actions are defined and edited on the Actions page. All of the reactions listed in the Actions column will be applied.
17. Click Save.

Preventing loss of project data from endpoints


Use this task to keep users from copying project information to a USB drive.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add a Policy.
3. Type a name and optional description for the policy.
4. Select Host or All Devices to publish the policy to host or network DLP devices, then click Save.
5. Click the policy to open it for editing. From the Actions menu, select Add Rule.
6. Type a name and optional description for the rule.
7. Select a Severity and an inheritance state (Enabled rules run when the policy runs).
8. Define the project data by selecting keywords, content type, or concepts from the Content menu. You may add values to one or more of the following categories.
   • Type in Keywords that may be found in sensitive documents.
   • Select Content Type from the menu, click "?" to launch the Content Type palette, and select one or more file types from it.
   • Select Concept from the menu and click "?" to launch the definitions palette.
   TIP: Inspect the sub-menus to see if one or more of the default concepts will suit your purposes. If not, create a new concept and add your own parameters, then return to this page and add that new concept from the palette.
12. If the user is known, open Source/Destination and type the username in the Values field.
13. If you want to specify exclusions, go to the Exceptions tab and add project data that may be found, but is irrelevant. When you have finished, click Save.
14. On the Actions tab, click Add Action and specify the action to be taken when the project data is found.
15. Select Removable Media Reaction from the Actions menu to protect the data. The actions that will be taken are listed in the Actions column.
16. Click Save.

Example:
Content: Keywords | contains all of | Project X
Source/Destination: Email Address | contains all of | tjohnson
Endpoint: Protect Removable Media | equals | Enable
Actions: Removable Media Reaction

Protecting intellectual property at a specific network location


If documents containing intellectual property are located at specific network locations, you can protect those locations from access by unauthorized users.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Add a policy, and add a rule to the policy.
   NOTE: You can use an existing policy and add a rule to it, or edit an existing rule. You can also do a historical search, then save it as a rule when it returns the type of information you need.
3. Open Endpoint and select Location Tag Path to protect all documents on a single share.
   TIP: Use Network File Path to add protection for a single directory.
4. Click "?", check Enable, and Apply.
5. Click the Actions tab, then Add Action.
   NOTE: The same action can be used on all three data types (Data-in-Motion, Data-at-Rest, Data-in-Use), but only one for each type.
6. Scroll down to the Data-in-Use actions and select the Network Communication Reaction action rule.
   NOTE: All of the reactions listed in the Actions column will be applied. The copy action will be monitored, blocked, stored as evidence, and the user will be notified of the violation.
7. Click Save as Rule.

Protecting Global Business


Finding evidence of foreign interference
Protecting intellectual property can be difficult when sensitive data is so easily transported beyond national borders. Identifying source and destination IP addresses will help you to identify where suspicious traffic is coming from and where it is going.


NOTE: Because dynamically-assigned IP addresses change regularly, hosts that are not local can be identified only if a DHCP server is installed on the network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Open Source/Destination.
3. Select GeoIP Location.
4. Click "?".
5. Select one or more country names from the popup menu.
6. Click Apply.
7. Open Date/Time.
8. Select File Creation Time between and enter before and after values.
9. Click Search.
   TIP: If you do not see locations in your results, click Columns and add Source, Destination, Sender or Recipient columns.

Finding leaks after global close of business


You might expect confidential data to be entering or leaving a company network during business hours; after 5 PM, movement of sensitive data may indicate a leak. But global operations make it difficult to define exactly when close of business occurs in local time zones. If you are managing several DLP Monitors in different locations, you can find captured data at the same clock time in each of those locations. Monitoring data at the time most employees are leaving each of those facilities will help to expose those activities. Detect this activity by creating a rule that tracks sensitive data between the hours of 5 and 6 PM in your Los Angeles, New York, London, and Tokyo offices.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search | Date/Time.
2. Select Exact Time and a local or GMT time frame.
   Automatic Conversion to GMT (same moment globally): before, between, after
   Local time (same clock time globally): before (local time), between (local time), after (local time)
3. Click the Calendar icon to select a date.
4. Select the hour, minute and second from the pull-down menus.
5. Click Search or Save as Rule.
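The difference between the two Exact Time options, worked through as an added Python example (not McAfee code): the "Local time" option yields one UTC interval per office, while "Automatic Conversion to GMT" yields a single interval. The IANA zone names for the four offices, the sample date and the sample capture timestamp are assumptions.

```python
from datetime import date, datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Offices named in the use case above; the IANA zone names are assumed.
OFFICES = {
    "Los Angeles": "America/Los_Angeles",
    "New York": "America/New_York",
    "London": "Europe/London",
    "Tokyo": "Asia/Tokyo",
}

# Constructed sample values: a winter date (no DST in any of the four zones)
# and the UTC timestamp of a captured object.
SAMPLE_DAY = date(2010, 1, 20)
SAMPLE_CAPTURE_TS = datetime(2010, 1, 20, 22, 30, tzinfo=timezone.utc)


def local_time_windows(day, start_hour=17, end_hour=18):
    """'Local time (same clock time globally)': 5-6 PM on each office's own
    clock. Returns one half-open UTC interval [start, end) per office."""
    windows = {}
    for office, zone in OFFICES.items():
        start = datetime(day.year, day.month, day.day, start_hour,
                         tzinfo=ZoneInfo(zone))
        end = start + timedelta(hours=end_hour - start_hour)
        windows[office] = (start.astimezone(timezone.utc),
                           end.astimezone(timezone.utc))
    return windows


def gmt_window(day, start_hour=17, end_hour=18):
    """'Automatic Conversion to GMT (same moment globally)': a single interval."""
    start = datetime(day.year, day.month, day.day, start_hour, tzinfo=timezone.utc)
    return start, start + timedelta(hours=end_hour - start_hour)


def _iso(window):
    return tuple(t.strftime("%Y-%m-%dT%H:%M") for t in window)


def local_windows_iso(day):
    """Same as local_time_windows, rendered as ISO strings for display/tests."""
    return {office: _iso(w) for office, w in local_time_windows(day).items()}


def gmt_window_iso(day):
    return _iso(gmt_window(day))


def offices_matching(ts_utc, day):
    """Offices whose local 5-6 PM window contains the captured object's UTC time."""
    return [office for office, (start, end) in local_time_windows(day).items()
            if start <= ts_utc < end]


if __name__ == "__main__":
    print("GMT window:", gmt_window_iso(SAMPLE_DAY))
    for office, window in local_windows_iso(SAMPLE_DAY).items():
        print(f"{office:12s} {window[0]} .. {window[1]} UTC")
    print("capture at", SAMPLE_CAPTURE_TS.isoformat(), "matches", offices_matching(SAMPLE_CAPTURE_TS, SAMPLE_DAY))
```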


Filtering captured data


Filtering out configuration-controlled files
Use a content capture filter to filter out configuration-controlled files. Because network data streams typically transport large numbers of images, eliminating large multimedia content can improve performance of the capture engine. For example, you might have a library of video files that is already protected by a configuration control system. Setting up a filter to bypass those files will improve system performance.
TIP: A pre-installed filter automatically filters out images (like icons and thumbnails) that are too small to be significant. You can turn off this filter by removing it from the list under DLP Sys Config | Capture Filters | Content Filters.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Create Content Filter.
3. Type in a name for the filter. Typing a description is optional.
4. From the drop-down Action list, select Drop Element.
5. Select the devices for deployment.
   NOTE: If you want to deploy a capture filter at a later time, select the None checkbox under Devices, then select it from the Add Filter menu under the deployment target.
6. Open Content.
7. Select Content type from the first drop-down list, and is any of from the second.
8. Click "?" and open the Multimedia popup menu.
9. Check the box of the controlled format (for example, MPEG).
10. Click Apply.
11. Click Save.

Storing a portion of filtered traffic


In some circumstances, you might want to block all encrypted traffic on the network, except for a particular type. You can do this by setting up multiple action filters that are applied to the data stream, gradually narrowing the filtering process by applying them one after another. Isolating traffic using port 443, which commonly transports encrypted data, is one way of filtering out encrypted traffic. But that port is also used by AOL, and blocking that traffic too might eliminate traffic you need to monitor. In such a case, you can set up the capture filters to retain the encrypted AIM traffic while dropping the broader category of encrypted traffic.
CAUTION: You cannot save sessions or data that have already been eliminated, so pay attention to the filtering sequence.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLPSyslog | Capture Filters.
2. Click Create Network Filter.


3. Type the name AOL_Chat and a description (optional).
4. Select Store from the Action menu to retain that traffic.
5. Open the Protocol category and select Protocol equals from the first drop-down menu.
6. Click "?" and select AOL_Chat from the Protocol popup menu.
7. Click Apply and Save.
8. Click Create Network Filter to create another filter.
9. Give the policy a recognizable name, such as "SSHtraffic". Typing a description is optional.
10. Select Ignore from the Action menu.
11. Open Protocol and select Port from the first drop-down list, and source is any of from the second.
12. Type 443 into the value field.
13. Click plus to add a parameter.
14. Repeat the process, but select Port from the first drop-down list, and destination is any of from the second.
   NOTE: Traffic through ports and port ranges is bidirectional, so you must define source and destination transmissions separately.
19. Type 443 into the Value field.
20. Check the box of the device on which you want the filter deployed. To decide later, check None.
21. Click Save. A new Ignore filter is added to the existing list.
22. Use the Priority icons to change the order of the filters. The Store filter must run first, because the Ignore filter will eliminate all of the rest of the port 443 traffic.
   NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data stream, it must always run last.
23. Let the system run. After some time, you can search for AIM traffic in the captured data on the Incidents page.
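To see why the Store filter has to sit above the Ignore filters, here is an added Python model of the first-match priority chain described above (illustrative code, not McAfee's). The Flow fields, the protocol labels and the sample flows are constructed; the filter names and actions are the ones from the task.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """A constructed network flow as the capture engine would classify it."""
    protocol: str   # classifier label, e.g. "AOL_Chat" (constructed values)
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NetworkFilter:
    name: str
    action: str                      # "Store" or "Ignore"
    match: Callable[[Flow], bool]


def protocol_equals(proto: str) -> Callable[[Flow], bool]:
    return lambda f: f.protocol == proto


def port_any_of(direction: str, ports: Tuple[int, ...]) -> Callable[[Flow], bool]:
    """One direction per filter: the guide notes that source and destination
    ports must be defined separately."""
    if direction == "source":
        return lambda f: f.src_port in ports
    return lambda f: f.dst_port in ports


# The implicit BASE filter: stores everything not already dropped, always last.
BASE = NetworkFilter("BASE", "Store", lambda f: True)


def apply_filters(filters: List[NetworkFilter], flow: Flow) -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching filter decides the
    flow's fate. Returns (action, name of the filter that matched)."""
    for flt in list(filters) + [BASE]:
        if flt.match(flow):
            return flt.action, flt.name
    raise AssertionError("BASE matches every flow")  # unreachable


# The two filters from the task: Store AOL_Chat, Ignore port 443 both ways.
STORE_AOL = NetworkFilter("AOL_Chat", "Store", protocol_equals("AOL_Chat"))
IGNORE_443_SRC = NetworkFilter("SSHtraffic (source)", "Ignore",
                               port_any_of("source", (443,)))
IGNORE_443_DST = NetworkFilter("SSHtraffic (destination)", "Ignore",
                               port_any_of("destination", (443,)))

CORRECT_ORDER = [STORE_AOL, IGNORE_443_SRC, IGNORE_443_DST]
WRONG_ORDER = [IGNORE_443_SRC, IGNORE_443_DST, STORE_AOL]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("AOL_Chat", 51000, 443),   # AIM over 443: the traffic we want to keep
    Flow("HTTPS", 52000, 443),      # other encrypted traffic: should be ignored
    Flow("HTTPS", 443, 53000),      # reply direction, caught by the source-port filter
    Flow("SMTP", 54000, 25),        # unrelated traffic: falls through to BASE
]


def stored_protocols(filters: List[NetworkFilter]) -> List[str]:
    """Protocols of the sample flows that survive the chain, in sample order."""
    return [f.protocol for f in SAMPLE_FLOWS
            if apply_filters(filters, f)[0] == "Store"]


if __name__ == "__main__":
    for label, chain in (("Store first", CORRECT_ORDER), ("Ignore first", WRONG_ORDER)):
        print(f"{label:12s} -> stored: {stored_protocols(chain)}")
```

With the Ignore filters above the Store filter, the AIM session over port 443 is dropped before the Store filter ever sees it, which is the ordering mistake the CAUTION above warns about.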

Searching captured data


How data is captured and processed
The core component of Network DLP is a capture engine that allows reassembly of packets that have been extracted from network traffic or repositories. The reassembled objects are classified into object types that are saved in the DLP Monitor database. Each object has many attributes, all of which can be retrieved by queries. Captured data is indexed and analyzed in three different databases that hold data in use, data at rest, and data in motion. You can query the databases directly using the options available in the user interface, or save queries that are to be run regularly as rules. When an object matches a query or rule, the result is reported to the DLP dashboards as an incident. Incidents can be sorted and filtered according to their attributes so that the most significant information can be identified and displayed.


NOTE: You need not search or save rules to get results. Standard policies that contain collections of rules automatically search captured data to produce incidents, but you can enter your own queries under the Capture tab.

Using search features


Basic search processes
DLP search features are designed to make constructing queries and getting results easy. By scanning just a few of the search topics, you can master the basics quickly.
NOTE: Logical operators are still supported, but only in concept and keyword expressions.
TIP: Specific permissions are required for search tasks. Check DLP Sys Config | System | User Administration | Groups | Task Permissions | Capture Permissions for details.

How capture works


The core component of Network DLP is a capture engine that extracts packets from network traffic or repositories. They are indexed and analyzed, classified into object types, and saved in databases on capture partitions on the DLP Monitor and Discover appliances. You can query the Monitor and Discover databases directly using the options available in the user interface, and save queries that are to be run regularly as rules. When an object matches a query or rule, the result is reported to the dashboard as an incident.
NOTE: You need not search or save rules to get results. Standard policies that contain sets of rules automatically search captured data to produce incidents, and concepts that match related parameters to network data can be used as a shortcut to find text-based data quickly.

Adding or subtracting search parameters


Use this task to add an element to any search, rule, filter, or case.
• Click the green plus icon to add an element.
• Click the red minus icon to subtract an element.

Searching with managed systems


When you send a query from a DLP Manager, you are automatically doing a distributed search through all DLP appliances registered to the system.
NOTE: Although the default is All Devices, you can target a DLP Manager search by selecting one or more checkboxes of devices from the DLP Reporting | Advanced Search | Devices menu.

Getting notification of results


Any search that takes more than 60 seconds to process is run in background mode. When it is complete, the user who is logged in is notified by email.


NOTE: If a search is aborted, no notification is sent.
Use this task to get notification of search results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.
2. Define a search.
3. Click the Search List tab to view its status.
4. If it is incomplete, continue with other tasks and check back periodically.
   TIP: Set up your email client to prompt you when new email comes in.

Getting details and search history


Use this task to get details about a query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Search List.
2. Click the Details link of the query.

Stopping searches
Use this task to stop a search that is still running.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Search List.
2. Click Abort.
   NOTE: The search must still be in RUNNING mode.

Cloning searches
Use this task to edit a search and save it as a new one.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Type in a search term.
3. On the search list, click Clone Search.
4. Modify the parameters and results.
5. Click on Search to create a new search.

Finding documents
How to find documents
The classification engine sorts all network data into content types. This allows you to search for engineering drawings, different types of source code, office documents, images, and countless other file types. Use this task to find out what documents are available.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open each document category to review its contents.
7. Click Apply.
8. Click Search or Save as Rule.

Finding Microsoft or Apple documents


The classification engine sorts all network data into content types. This allows you to search for engineering drawings, different types of source code, office documents, images, and countless other file types. Use this task to find out what content types are available.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Apple or Microsoft categories to review their contents.
7. Check the boxes to define the format you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.

Finding documents by type


Use this task to find specific document types (for example, Adobe FrameMaker, PostScript, EPS, or XML) on your network.
TIP: Narrow your selection to one or two document types to keep from getting too many results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Advanced Documents category to review its contents.
7. Check the boxes to define the type of document you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.


Finding office documents


Use this task to find office documents on your network.
TIP: Narrow your selection to one or two document types to keep from getting too many results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Office Applications category to review its contents.
7. Check the boxes to define the type of office document you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.

Finding proprietary documents


Use this task to find proprietary design documents on your network.
TIP: Narrow your selection to one or two document types to keep from getting too many results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Engineering Drawings and Designs category to review its contents.
7. Check the boxes to define the type of document you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.

Finding source code


Use this task to find out if proprietary source code is unsecured on your network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Source Code category to review its contents.
7. Check the boxes to define the type of source code you are looking for.
8. Click Apply.
9. Click Search or Save as Rule.

Finding email and chat


How to find email
Email objects are stored in capture databases as separate tokens. For that reason, you can search for one or more components of an email address (for example, user, host or domain names).
NOTE: Email addresses or domain names that contain numbers are searchable only if they are in the addressing, subject, cc or bcc fields. Only alphabetic characters are supported in the body of email messages.
NOTE: In rare cases, email addresses that are not present in SMTP mail may be displayed in strikeout mode in the highlighting on the dashboard.

Finding email by address


Use this task to find email addresses.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
   TIP: If you use a Basic Search, you can specify the Email to or from address selections. In an Advanced Search, the condition defines the sender or recipient.
2. Open the Source/Destination category.
3. Select Email Address from the first menu.
4. Select is any of, all of, or none of (to include or exclude specific addresses) from the second menu.
   TIP: Select the sender condition to indicate that the email address found was the source of the email. Use the green plus to add another parameter if you also want to define the recipient of the email.
5. Type in one or more email addresses.
6. Click Apply.
7. Click Search or Save as Rule.

Finding email by host name


Use this task to find email by host name.
NOTE: This search is limited to data at rest.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select Host Name from the first menu.
3. Type one or more host names into the value field.
4. Click Search or Save as Rule.


Finding email by domain name


Use this task to find email by domain name.
NOTE: This search is limited to data at rest.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Discover.
3. Select Domain Name from the first menu.
4. Select is any of from the second menu.
5. Type the domain name into the value field.
6. Click Search or Save as Rule.

Finding email by port


Use this task to find email by port. This can be useful if you know the protocol of the email you are looking for. For example, SMTP email is commonly sent through Port 25; webmail uses Port 80.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Protocol.
3. Select Port from the first menu.
4. Select is any of from the second menu.
   TIP: The system returns port information in both directions, but in separate flows. For complete results, first add the source port, then use the green plus to add an additional parameter that defines the destination port.
5. Type 25 or 80 into the value field.
6. Click Search or Save as Rule.
   TIP: Because most email uses one of two ports, searching by port is likely to return too many results. Narrow your query by using additional qualifiers, such as user, host or domain name.

Finding email by protocol


Use this task to find email by protocol. This can be useful if you know the protocol of the email you are looking for. For example, you are likely to find local corporate email if you search for SMTP traffic, and private webmail by looking for HTTP communications.
TIP: You can search for a protocol directly from the Basic Search menu, but such a query is likely to return too many results. Use an Advanced Search so you can add additional qualifiers (like user, host or domain names).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Click "?".
4. Select HTTP_Webmail from the popup menu.
5. Click Apply.
6. Click Search or Save as Rule.

Finding email subjects


Use this task to find email by subject.
TIP: If you know the exact verbiage of the subject line, you might start with a quick Basic Search. Select Email Subject and type in the exact words, then Search. Use Advanced Search to add parameters if you have some additional information that will focus your query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email Subject from the first menu.
4. Select contains any of from the second menu.
5. Type the subject into the value field.
6. Click Search or Save as Rule.

Finding email attachments


Use this task to find incidents with email attachments.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Click "?".
4. Open the Mail Protocols category.
5. Select one or more attachment types.
   TIP: You might select HTTP_Webmail_Attach to find webmail attachments, SMTP_Attach to find email attachments sent, and POP3_Attach to find email attachments received.
6. Click Apply.
7. Click Search or Save as Rule.
   TIP: When an incident is reported, click its Details icon to view the attachment.
   NOTE: Attachments larger than 50 MB cannot be reported.

Finding email senders


Use this task to find email by sender.
TIP: You can search for an email sender from the Basic Search page, but such a query may return too many results. Use an Advanced Search so you can add additional qualifiers (like subject, host or IP address).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email Address from the first menu.
4. Select sender is any of from the second menu.
5. Type one or more recipient names into the value field.
6. Click Search or Save as Rule.

Finding email recipients


Use this task to find email by recipient.
TIP: You can search for an email recipient from the Basic Search page, but such a query may return too many results. Use an Advanced Search so you can add additional qualifiers (like subject, host or IP address).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email Address from the first menu.
4. Select recipient is any of from the second menu.
5. Type one or more recipient names into the value field.
6. Click Search or Save as Rule.

Finding copies of emails


Use this task to find copies of emails (cc).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email CC from the first menu.
4. Select contains any of from the second menu.
5. Type the cc: addressee into the value field.
6. Click Search or Save as Rule.

Finding blind copies of emails


Use this task to find blind copies of email (bcc).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination.
3. Select Email BCC from the first menu.
4. Select contains any of from the second menu.
5. Type the bcc: addressee into the value field.
6. Click Search or Save as Rule.


Finding webmail by port


Use this task to search for all traffic using Port 80, which is commonly used for webmail.
TIP: You can use Basic Search to find all traffic on a single port quickly, but such a search is likely to return too many results. Use Advanced Search to add parameters that will focus your query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select source is any of from the second menu.
   TIP: The system returns port information in both directions, but in separate flows. For complete results, define both source and destination values.
5. Type 80 into the value field.
6. Select Port from the first menu.
7. Select destination is any of from the second menu.
8. Type 80 into the value field.
9. Click Search or Save as Rule.

Finding webmail by protocol


Use this task to search for all traffic using the HTTP_Webmail protocol.
TIP: You can use Basic Search to find all traffic using a single protocol quickly, but such a search is likely to return too many results. Use Advanced Search to add parameters that will focus your query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Protocol from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Select HTTP_Webmail from the popup menu.
7. Click Apply.
8. Click Search or Save as Rule.

Finding chat sessions


Use this task to find incidents containing chat sessions.
NOTE: Chat sessions lasting up to four hours can be captured. They are reported in chronological order.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search. If you don't have to exclude incidents containing specific chat sessions, use Basic Search instead.
2. Open the Content category.
3. Select Content Types from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Open the Chat category.
7. Select one or more chat protocols.
8. Click Apply.
9. Click Search or Save as Rule.
   NOTE: Encrypted chat sessions (for example, Skype and AOL Instant Messenger 6) cannot be captured.

Finding files
How to find files
When the DLP search engine captures files, each attribute is stored as a separate token in the capture database. You can find files by using any of the attributes of a file, such as type, owner, size or signature.
• From the Basic Search menu, you can find files in data at rest by selecting Host Name, Host IP, File Name Pattern, or File Owner.
• From the Advanced Search menu, you can find files in data in motion and data at rest by selecting parameters under File Information, Content | Content Types, or Discover.

Finding file name patterns


Use this task to find files by file name pattern.
NOTE: You can find multiple files by entering a word stem and adding an asterisk, but it is the only metacharacter supported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select File Name Pattern.
3. Click Search or Save as Rule.
   NOTE: You can also find file names in file repositories and databases by going to DLP Reporting | Advanced Search. Open Discover, select File Name Pattern, and type a pattern into the value field.

Example
Find JPG OR GIFs in a repository: DLP Reporting | Basic Search | File Name Pattern contains *.jpg,*.doc
NOTE: Only OR is supported for file name pattern searches. You can no longer use a space or ampersand to combine terms in a search. Use the green plus icon to add an element instead.

4. Click Save as Rule.

Finding files by file type

Use this task to limit your search to files of a specific content type.
TIP: The DLP indexer captures all data on the network and sorts it into content types. If you just want to see what they are, go to Capture | Basic Search and select Content Type, then click the "?" to launch the popup menu, which lists all available content types.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content and select Content Type from the first menu.
3. Select is any of from the second menu.
4. Click "?".
5. Open a content type group.
6. Check one or more file types.
NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type containing the files is specified. Eight other compressed file types are also supported.
7. Click Apply.
8. Click Search or Save as Rule.

Finding files by owner

Use this task to find all files owned by a user.
NOTE: This feature searches the Discover database, which must contain data in order for results to be retrieved.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic Search.
2. Select File Owner.
3. Type the file owner into the value field.
4. Click Search or Save as Rule.

Finding files by size

Use this task to find files of a specific size.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open File Information.
3. Select File Size.
4. Select range from the Condition menu. You can also specify greater than or less than values.
5. Enter a value in bytes. If you define a range, use a dash to separate the values.
6. Click Search or Save as Rule.

Example
File Size > range > 1024-5000 (must be expressed in bytes)

Finding files by document type

Use this task to find specific document types (for example, all Microsoft Word and Excel documents).
TIP: You can use Basic Search to find all files of a specific document type, but such a search is likely to return too many results. Use Advanced Search to add parameters that focus your query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Content Type from the first menu.
4. Click "?".
5. Open Office Applications.
6. Select one or more office document types.
7. Click Apply.
8. Click Search or Save as Rule.
NOTE: The capture engine can extract and evaluate content from ZIP, GZIP and TAR files as long as the type containing the files is specified. Eight other compressed file types are also supported.

Finding files using MD5 signatures

MD5 is a cryptographic hash function that reduces a file of any size to a 128-bit digest, which this interface calls a signature. Two files with identical content always have the same MD5 signature, so a signature identifies exact copies of a known file, including renamed copies; a change to a single byte produces a different signature, so edited copies are not found. MD5 is no longer collision-resistant, so a matching signature should not be treated as adversary-proof evidence of a file's identity.
NOTE: This procedure can no longer be used in a direct query, but it can be attached to a rule.
Use this task to find all copies of a unique file identified by an MD5 signature.
1. Log in to the back end of a DLP Manager or Monitor.
2. Go to the /usr/bin directory and locate the md5sum utility.
3. Use the md5sum utility to generate a signature:

# md5sum filename

4. Select and copy the resulting hexadecimal number (the first field of the output; the second field is the file name).
5. Open a browser and launch the DLP Monitor or Discover user interface.
6. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP Policies.
7. Click on a rule and open File Information.
8. Select Signature.
9. Select is any of from the Condition menu.
10. Paste the hexadecimal number into the value field.
11. Click Save as Rule.
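The added Python example below (written for this page, not McAfee code) reproduces what the md5sum step does and shows why a signature rule matches only exact copies: it hashes a constructed document both in memory and in chunks from a temporary file, parses the two-field md5sum output line into the hexadecimal signature the rule expects (compared here case-insensitively), and demonstrates that a one-bit edit produces an unrelated signature. Function names and the sample content are the example's own.

```python
import hashlib
import os
import tempfile

# Constructed sample content standing in for the confidential file you want to track.
SAMPLE_DOCUMENT = b"Project Falcon - CONFIDENTIAL - not for distribution\n"


def md5_hex(data: bytes) -> str:
    """Return the 32-character lowercase hexadecimal MD5 digest of a byte string."""
    return hashlib.md5(data).hexdigest()


def file_md5(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks, as md5sum does, so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def signature_from_md5sum_line(line: str) -> str:
    """Extract the signature from an md5sum output line ("<hex>  <filename>").

    Only the first field is the signature; pasting the whole line into the rule's
    value field would never match anything.
    """
    fields = line.split()
    if not fields or len(fields[0]) != 32 or any(c not in "0123456789abcdefABCDEF" for c in fields[0]):
        raise ValueError(f"not an md5sum output line: {line!r}")
    return fields[0].lower()


def matches_signature(data: bytes, signatures) -> bool:
    """Model of a 'Signature is any of' condition: case-insensitive digest comparison (example's choice)."""
    wanted = {s.strip().lower() for s in signatures}
    return md5_hex(data) in wanted


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Return a copy of data with a single bit changed at the given byte offset."""
    mutated = bytearray(data)
    mutated[index] ^= 0x01
    return bytes(mutated)


def demo() -> dict:
    """Hash the sample document from memory and from disk, then show a one-bit edit breaks the match."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(SAMPLE_DOCUMENT)
        path = fh.name
    try:
        on_disk = file_md5(path)
    finally:
        os.unlink(path)
    signature = signature_from_md5sum_line(f"{on_disk}  {os.path.basename(path)}")
    return {
        "signature": signature,
        "memory_matches_disk": md5_hex(SAMPLE_DOCUMENT) == on_disk,
        "exact_copy_matches_rule": matches_signature(SAMPLE_DOCUMENT, [signature.upper()]),
        "edited_copy_matches_rule": matches_signature(flip_one_bit(SAMPLE_DOCUMENT), [signature]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for a rule: a signature catches the file leaving unchanged under any name, but not a copy that has been re-saved, re-encoded or trimmed, so pair signature rules with content-based conditions for documents that are likely to be edited.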

Finding images
How to find images
Use this task to find images using specific file formats.
TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Content Type.
4. Click "?".
5. Open Images.
6. Select one or more image types.
7. Click Apply.
8. Click Search or Save as Rule.
TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.

Finding images of people

Use this task to find images containing advertising imagery or pornographic content.
TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Concepts.
4. Select a Condition.
5. Click "?".
6. Click Fleshtone in the popup menu.
7. Click Apply.
8. Click Search or Save as Rule.
TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.

Finding images using a template

Use this task to expedite image searches.
TIP: Add a Thumbnail Match column to your dashboard to scan results quickly.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Content.
3. Select Template.
4. Click "?".
5. Select the Common Image Files template.
6. Click Apply.
7. Click Search or Save as Rule.
TIP: Avoid timeouts caused by retrieving large image files by adding additional search terms.

Finding IP addresses
How to find IP addresses
Use this task to search for incidents containing individual IP addresses, a range of addresses, or IP addresses on a subnet. The three forms can be combined in one comma-separated value.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Enter one or more IP addresses in the value field.
6. Click Search or Save as Rule.

Example
192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25

Finding a range of IP addresses

Use this task to find a range of IP addresses.
TIP: Use a dash between the starting and ending addresses (lowest address first), and a comma to add individual addresses.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Enter the IP address range in the value field. Do not use spaces.

Example
192.168.3.1-192.168.4.255

6. Click Search or Save as Rule.

Finding IP addresses on a subnet

Use this task to find IP addresses on a subnet. Subnet searching is supported whether or not the boundary between the network and host portions of the address falls on an octet (classful) boundary; CIDR notation is also supported, so a mask such as 255.255.255.128 can be written as a /25 prefix.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Type the subnet into the value field.
6. Click Search or Save as Rule.

Example
For subnet mask 255.255.255.128, use the CIDR shorthand /25, for example 192.168.2.1/25 (which covers 192.168.2.0 through 192.168.2.127).

Excluding incidents using specific IP addresses

Use this task to exclude incidents involving specific IP addresses from a query or rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select IP Address from the first menu.
4. Select is any of from the second menu.
5. Type an IP address range into the value field.

Example
172.25.3.100-172.25.3.199

6. Click plus to add an element.
7. Select IP Address from the first menu.
8. Select does not equal from the second menu.
9. Type one or more addresses within the range into the value field to exclude them from the defined range.

Example
172.25.3.101,172.25.3.197

10. Click Search or Save as Rule.
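The three address forms and the exclusion step above can be checked offline before a rule is saved. The added Python example below (written for this page, not McAfee code, and not a description of the product's parser) interprets the documented value syntax with the standard ipaddress module, applies is any of and does not equal semantics to a constructed list of addresses, rejects a range written high-to-low or containing spaces, and converts a dotted netmask to the CIDR prefix the field accepts. Function names and the candidate addresses are the example's own.

```python
import ipaddress

# Constructed values in the syntax the IP Address field accepts (taken from the examples above).
EXAMPLE_IS_ANY_OF = "192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25"
EXAMPLE_RANGE = "172.25.3.100-172.25.3.199"
EXAMPLE_DOES_NOT_EQUAL = "172.25.3.101,172.25.3.197"


def parse_ip_values(value: str) -> list:
    """Parse a comma-separated IP value: single addresses, dash ranges and CIDR subnets.

    Follows the documented field rules: no spaces, ranges written low-high, and CIDR
    prefixes that need not fall on an octet boundary (192.168.2.1/25 is accepted even
    though host bits are set; it denotes 192.168.2.0-192.168.2.127).
    """
    if not value or " " in value:
        raise ValueError("IP values must be comma-separated without spaces")
    items = []
    for part in value.split(","):
        if "-" in part:
            low_s, high_s = part.split("-", 1)
            low, high = ipaddress.ip_address(low_s), ipaddress.ip_address(high_s)
            if low.version != high.version or low > high:
                raise ValueError(f"range must run from low to high address: {part}")
            items.append(("range", low, high))
        elif "/" in part:
            items.append(("subnet", ipaddress.ip_network(part, strict=False)))
        else:
            items.append(("address", ipaddress.ip_address(part)))
    return items


def ip_matches(address: str, items: list) -> bool:
    """Return True if the address satisfies any parsed element ('is any of' semantics)."""
    addr = ipaddress.ip_address(address)
    for item in items:
        if item[0] == "address" and addr == item[1]:
            return True
        if item[0] == "range" and addr.version == item[1].version and item[1] <= addr <= item[2]:
            return True
        if item[0] == "subnet" and addr in item[1]:
            return True
    return False


def select_addresses(candidates, is_any_of: str, does_not_equal: str = "") -> list:
    """Apply an 'IP Address is any of' element plus an optional 'does not equal' exclusion element."""
    include = parse_ip_values(is_any_of)
    exclude = parse_ip_values(does_not_equal) if does_not_equal else []
    return [c for c in candidates if ip_matches(c, include) and not ip_matches(c, exclude)]


def prefix_length(netmask: str) -> int:
    """Translate a dotted netmask such as 255.255.255.128 into its CIDR prefix length (25)."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


if __name__ == "__main__":
    # Constructed candidate addresses, as if read from incident source/destination fields.
    seen = ["172.25.3.100", "172.25.3.101", "172.25.3.150", "172.25.3.197",
            "192.168.2.100", "192.168.2.200", "192.168.1.244", "10.0.0.1"]
    print(select_addresses(seen, EXAMPLE_IS_ANY_OF))
    print(select_addresses(seen, EXAMPLE_RANGE, EXAMPLE_DOES_NOT_EQUAL))
    print(prefix_length("255.255.255.128"))
```

Note that 192.168.2.200 is outside 192.168.2.1/25 even though it shares the first three octets; a /25 ends at .127, which is exactly the non-octet-boundary case the subnet section describes.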

Finding keywords
Excluding keywords from a query
Use this task to exclude keywords from a query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select contains none of from the second menu.
5. Type one or more keywords into the values field.
6. Click Search or Save as Rule.

Finding exact matches

Use this task to search for an exact phrase.
NOTE: Unlike the contains condition, where the keywords may appear in any order as long as all are present, an exact phrase matches the words in the order typed.
NOTE: You can use logical operators to build a keyword query, but only with the expression and exact phrase conditions.
NOTE: Because search is case-insensitive, you need not capitalize the keywords. Do not add quotation marks or parentheses; the search engine adds them.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select exact phrase from the second menu.
5. Type the phrase into the value field. Do not use quotation marks.
6. Click Search or Save as Rule.

Finding keyword expressions

Use this task to enter a keyword query using logical operators.
NOTE: You can use logical operators to build a keyword query, but only with the concept or keyword expression and exact phrase conditions.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select expression from the second menu.
5. Type keywords and logical operators into the values field.
6. Click Search or Save as Rule.

Finding keywords using logical operators

Use the supported logical operators to enter searches into the keyword expression and exact phrase fields.
NOTE: Custom searches are not supported in this release. If you created a rule in DLP 8.6 using only logical operators, it will no longer run. You must rebuild the query using the parameters available in the menus on the rules pages.

Logical operator    Notation        Different ways of expressing the same query
AND                 AND, +, &&      Confidential Restricted Secret
                                    Confidential AND Restricted AND Secret
                                    Confidential and Restricted and Secret
                                    Confidential + Restricted + Secret
                                    Confidential && Restricted && Secret
OR                  OR, ||          Confidential OR Restricted OR Secret
                                    Confidential or Restricted or Secret
                                    (Confidential || Restricted) && Secret
NOT                 -, !            Confidential -Restricted -Secret
                                    Confidential !Restricted !Secret
Word stemming       ~               Confident~ Restrict~ Secret~
Parentheses         ( )             Confidential AND (Restricted OR Secret)
Exact Match         ""              "Confidential and Secret"

NOTE: All operators, including Exact Match, are case-insensitive. In other words, if you search for a term in ALL CAPS, the system returns that term not only in capital letters, but in initial caps or lowercase as well. Use logical operators (|| or OR) instead of a comma to construct an OR query. You cannot use AND operators between URL and email fields.

Finding non-English matches

Use this task to search for non-English keywords.
NOTE: The search engine supports the UTF-8 standard.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Keywords from the first menu.
4. Select exact phrase from the second menu.
5. Paste keywords containing the characters into the values field.
6. Click Apply.
7. Click Search or Save as Rule.

How to find keywords

The keyword search types are illustrated by the following examples, shown as they are summarized in the search boxes. Logical operators can be entered in value fields only with the expression and exact phrase conditions.

Find all these words (in any order)
Keywords | Condition contains | Intel AMD NVidia
With the contains condition, spaces between words imply AND.

Find one or more of these words (in any order)
Keywords | Condition contains any of | Intel AMD NVidia
With the contains any of condition, spaces between words imply OR.

Find this exact phrase
Keywords | Condition exact phrase | NVidia supports AMD and Intel platforms.
With the exact phrase condition, do not use quotation marks. Search is case-insensitive, so the capitalization of the phrase does not matter.

Find these words, but not this word
Keywords | Condition contains | Intel AMD
Keywords | Condition does not contain | NVidia

Find either of these words, but neither of these
Keywords | Condition expression | (Intel || AMD) !Nvidia !ATI

Find non-English content
Keywords | exact phrase | <paste in characters>
NOTE: Search keywords are highlighted in your search results, except in high volume retrieval (when the 50,000 or All Results options are selected in the Basic Search window). This limitation improves performance.

Supported languages
English, Chinese (traditional), Chinese (simplified), Korean, French, German, Spanish, Portuguese, Dutch, Polish, Russian, Turkish

Logical operators supported in keyword queries

Use these examples to construct keyword queries in the expression and exact phrase fields.

Examples
These compound queries produce the same results:
confidential + "Eyes Only" OR "Do Not Distribute" -secret -security
Confidential "Eyes Only" || "Do Not Distribute" !secret !security

This complex query adds grouping of search terms and word stemming:
Confidential + (("Eyes Only" || "Do Not Distribute") || (secret~ or secur~))
It finds documents containing the word Confidential that are also marked EITHER Eyes Only or Do Not Distribute, OR contain variations of the words secret or secure.

Finding locations of violations

Finding sources of violations
Use this task to find violations in traffic sent to or received from a specific country.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open Source/Destination and select GeoIP Location.
3. Select a sender or recipient condition.
4. Click "?".
5. Select the checkboxes of one or more countries.
6. Click Apply.
7. Click Search or Save as Rule.

Finding violations by website

Use this task to find violations associated with a website. If you know the source or destination of a transmission, you can find violations in traffic to or from a specific user, host or website.
NOTE: When defining a URL in a Discover scan, the URL must be preceded by the protocol and terminated by a slash. If the URL is not terminated, the scan runs not only within the targeted directory and its subdirectories but is extended to directories above the parent URL.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select URL from the first menu.
4. Select is any of from the second menu.
5. Type the URL into the values field.
6. Click Search or Save as Rule.
NOTE: This search assumes that the ignore_http_header capture filter has been removed, making it possible for the classification engine to find HTTP posts in captured data.

How to find locations

Use this task to search for traffic sent to and received from specific countries, or to exclude specific geographic traffic.
TIP: Use Basic Search | GeoIP Location to find all incidents involving one or more geographic locations. Use Advanced Search to add more parameters.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Source/Destination category.
3. Select GeoIP Location from the first menu.
4. Select a condition from the second menu.
TIP: Add an additional parameter by selecting the green plus icon if you want to define more than one condition. For example, use is none of to exclude a country, or sender and recipient values to define source or destination.
5. Click "?".
6. Select the checkboxes of one or more countries.
7. Click Apply.
8. Click Search or Save as Rule.

List of country codes

Use country codes to identify the sources or destinations of violations. An up-to-date list of ISO 3166 country codes is published at http://www.iso.org/iso/country_codes/iso_3166_code_lists

Finding violations by port

How to find violations by port
Use this task to find violations in traffic that uses well-known ports.
NOTE: Unless you define both source and destination values, the system returns incidents matching in one direction only, not both.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select source is any of from the second menu.
5. Type a port number into the values field.
6. Select the green plus icon to add a parameter.
7. Select destination is any of from the second menu.
8. Type a port number into the values field.
9. Click Search or Save as Rule.

Excluding ports from a query

Use this task to eliminate a type of traffic that is transmitted through one of the well-known ports.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select source is none of from the second menu.
5. Type a port number into the values field.
6. Select the green plus icon to add a parameter, then select Port.
7. Select destination is none of from the second menu.
8. Type a port number into the values field.
9. Click Search or Save as Rule.

Finding violations by port range

Use this task to find violations in traffic that uses a specific port range.
TIP: For example, the Solaris operating system often uses the 1000-1023 range.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select Port from the first menu.
4. Select is any of from the second menu.
5. Type the port numbers (separated by a dash) into the values field.
6. Click Search or Save as Rule.

List of common port assignments

You can select from a list of common port assignments to find a specific type of traffic that uses one of the well-known ports.

Common Port Assignments
Service     Port #
FTP         20/21
SSH         22
Telnet      23
SMTP        25
HTTP        80
POP3        110
NNTP        119
NTP         123
IMAP        143
HTTPS       443
SMTP-SSL    465, 587 (587 is the mail submission port, normally upgraded with STARTTLS)
IMAP-SSL    993
POP3-SSL    995

TIP: You can find the latest IANA update at http://www.iana.org/assignments/port-numbers.

Finding violations by protocol

How to find violations by protocol
Use this task to search for violations in traffic transmitted by a specific protocol.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.
2. Open the Protocol category.
3. Select is any of from the second menu.
4. Click "?".
5. Open categories and check protocol boxes.
6. Click Apply.
7. Click Search or Save as Rule.

Excluding protocols from a query

Use this task to exclude violations in traffic that uses a specific protocol.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Protocol category.
3. Select is none of from the second menu.
4. Click "?".
5. Select one or more protocol checkboxes.
6. Click Apply.
7. Click Search or Save as Rule.

Finding violations in time

How to find time-stamped files
Because the DLP Monitor captures every packet in a network data stream and time-stamps every significant object found, it is essential to set a time frame for your search or rule. Objects are time-stamped in UTC, but you can use either local or global time conditions; the system does the conversion for you.
TIP: Remember the installation date of the DLP appliance when searching in time. The system cannot retrieve results that were never captured.
NOTE: If you have a time frame set under Incidents | Filter by..., it takes precedence over one set in Advanced Search.

Searching in a relative time frame

Use this task to find a file time-stamped within a relative time frame.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Date/Time category.
3. Select any parameter from the first menu.
4. Select a local or global before, between or after time from the drop-down menus.
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.

Searching in an exact time frame

When you define a time in a search or rule, your local time is automatically converted to Greenwich Mean Time. If you are managing several DLP Monitors in different locations, you can instead find captured data at the same clock time in each of those locations. Use this task to select an Exact Time in local or Greenwich Mean Time.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Date/Time category.
3. Select Exact Time from the first menu.
4. Select a local or global before, between or after time from the drop-down menus:
   Automatic conversion to GMT (same moment globally): before, between, after
   Local time (same clock time globally): before (local time), between (local time), after (local time)
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.

Searching by file creation time

Use this task to find a file that was created in a specific time frame.
NOTE: The interface displays the time zone of the DLP appliance.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Date/Time category.
3. Select File Creation Time from the first menu.
4. Select before, between or after from the second menu.
5. Click the Calendar icon and select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.

Example
File Creation Time > between > 16:30:00 and 17:00:00

Searching by file last accessed time

Use this task to find files by the time they were last accessed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Date/Time category.
3. Select File Last Accessed from the first menu.
4. Select before, between or after from the second menu.
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.

Example
Last Accessed > before > 17:00:00
TIP: If a Discover crawl processes more than 50,000 files, the date and time are reported in yyyyMMddHHmmss format (for example, 20090820120000). Because Microsoft Excel interprets this as a large number, it is displayed in scientific notation (for example, 2.00908E+13). Recover the date by selecting the column and setting the number format to zero decimal places under Format | Cells | Number.

Searching by last modification time

Use this task to find files by the time they were last modified.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Select the Date/Time category.
3. Select Last Modification Time from the first menu.
4. Select before, between or after from the second menu.
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.

Example
Last Modification Time > after > 13:30:00

Searching by local or Greenwich Mean Time

Use this task to search for an event that occurs at the same local time in different time zones. When you define a time in a search or rule, your local time is automatically converted to Greenwich Mean Time. But if you are managing several DLP Monitors in different locations, you will want to know what the local time is in each of those locations.

Example:
If you are managing a global network, you may expect confidential data to be entering or leaving the network data stream during business hours. But after 5 PM local time, movement of sensitive data may indicate a leak. By creating a rule that tracks sensitive data between the hours of 5 and 6 PM in your Los Angeles, New York, London, and Tokyo offices, you can monitor data at the time most employees are leaving each of those facilities.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Select Date/Time from the first menu.
3. Select Exact Time from the second menu.
4. Select a local or global before, between or after time from the drop-down menus:
   Automatic conversion to GMT (same moment globally): before, between, after
   Local time (same clock time globally): before (local time), between (local time), after (local time)
5. Click the Calendar icon to select a date.
6. Select the hour, minute and second from the pull-down menus.
7. Click Search or Save as Rule.
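The difference between the two kinds of time condition is easy to get wrong when incidents are stamped in UTC. The added Python example below (written for this page, not McAfee code) works through the office example above. It assumes constructed standard-time UTC offsets (Los Angeles UTC-8, New York UTC-5, London UTC+0, Tokyo UTC+9) and ignores daylight saving so that the arithmetic is reproducible; it shows that between (local time) 17:00-18:00 becomes four different UTC intervals, that a plain between on one UTC instant is four different clock times, and how a UTC-stamped capture is tested against the local window of the office that owns the host. Function names are the example's own.

```python
from datetime import date, datetime, time, timedelta, timezone

# Constructed standard-time UTC offsets for the offices in the example. Daylight saving is
# ignored deliberately; a production rule would rely on the appliance's real zone data.
OFFICE_OFFSETS_HOURS = {"Los Angeles": -8, "New York": -5, "London": 0, "Tokyo": 9}


def office_tz(name: str) -> timezone:
    """Fixed-offset zone for one office (assumption: standard time, no DST)."""
    return timezone(timedelta(hours=OFFICE_OFFSETS_HOURS[name]), name)


def local_window_to_utc(day: date, start: time, end: time, office: str) -> tuple:
    """'between (local time)': the same clock-time window is a different UTC interval per office."""
    tz = office_tz(office)
    start_utc = datetime.combine(day, start, tzinfo=tz).astimezone(timezone.utc)
    end_utc = datetime.combine(day, end, tzinfo=tz).astimezone(timezone.utc)
    return start_utc, end_utc


def leaving_hours_utc(day: date) -> dict:
    """UTC intervals for 17:00-18:00 local time at every office: the rule described in the example."""
    return {office: local_window_to_utc(day, time(17, 0), time(18, 0), office)
            for office in OFFICE_OFFSETS_HOURS}


def same_moment_local(instant_utc: datetime) -> dict:
    """'between' with automatic GMT conversion: one UTC instant shown as each office's clock time."""
    return {office: instant_utc.astimezone(office_tz(office)).strftime("%Y-%m-%d %H:%M")
            for office in OFFICE_OFFSETS_HOURS}


def incident_in_leaving_window(timestamp_utc: datetime, office: str) -> bool:
    """Test a UTC-stamped capture against the 17:00-18:00 local window of the given office."""
    local = timestamp_utc.astimezone(office_tz(office))
    return time(17, 0) <= local.time() < time(18, 0)


if __name__ == "__main__":
    day = date(2010, 3, 1)
    for office, (start, end) in leaving_hours_utc(day).items():
        print(f"{office:12s} 17:00-18:00 local = {start:%Y-%m-%d %H:%M} to {end:%H:%M} UTC")
    print(same_moment_local(datetime(2010, 3, 1, 17, 0, tzinfo=timezone.utc)))
```

The Los Angeles window crosses midnight UTC, which is why a rule written as a single global between 17:00 and 18:00 would never fire for that office: its leaving hour is 01:00 to 02:00 UTC of the following day.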

Searching with concepts and templates


Using concepts and templates in queries
Concepts and templates can be used to expedite queries. Concepts provide ready-made parameters to find all data of a similar type, while templates can be used to avoid repetitive searching.

Using concepts in queries

Use this task to find concepts (collections of data related to a single issue) in a search.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Concept from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Select one or more concepts from the popup menu.
7. Click Apply.
8. Click Search or Save as Rule.
NOTE: The number of concepts usable in a compound search or a rule is limited only by the number of concepts defined in the system.

Using templates in queries

Use this task to search using a template. For example, you might use a template to find all documents of a certain type, or to give a name to an IP address range.
TIP: Go to Policies | Templates and open any template to learn how to construct one of your own.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Template from the first menu.
NOTE: Each category on the Advanced Search and Add/Edit Rule pages includes a Template element containing a set of templates related to that category.
4. Select equals from the second menu.
5. Click "?".
6. Select a template from the popup menu.
NOTE: All templates are available from the popup menu. If you add a custom template, it is automatically added to the menu.
7. Click Search or Save as Rule.
TIP: When you tune a rule, use a template to run repetitive queries that vary slightly.

Using concept expressions in a query

Use this task to create a complex concept query using logical operators.
NOTE: You can use logical operators to build a query, but only with the concept or keyword expression and exact phrase conditions.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
2. Open the Content category.
3. Select Concept from the first menu.
4. Select expression from the second menu.
5. Type an expression into the value field.
6. Click Search or Save as Rule.

Example:
The expression concept:CCN -concept:AMEX (concept:SSN OR concept:EIN) finds credit card numbers that are not American Express AND either Social Security or Employer Identification numbers.

Excluding a concept from a query

Use this task to exclude an entire concept from a query.
NOTE: Concepts identify collections of data related to a single issue. Content concepts, the most widely used type, use patterns to identify related data objects. For example, if you wanted to find credit cards using any possible numbering pattern except American Express, you could eliminate the AMEX concept from a general credit card query.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
TIP: You may also exclude a concept from an existing rule by editing it.
2. Open the Content category.
3. Select Concept from the first menu.
4. Select is any of from the second menu.
5. Click "?".
6. Select one or more of the VISA, DISCOVER, MASTERCARD, DINERS or JCB checkboxes.
7. Click Apply.
8. Select plus to add an element.
9. Select Concept from the first menu.
10. Select is none of from the second menu.
11. Click "?".
12. Select the AMEX checkbox.
13. Click Apply.
14. Click Search or Save as Rule.

Understanding search rules

Rules used by the indexer
Because DLP systems capture all network data, some rules are needed to classify and store it.

Search rules
• How archives are handled
• Understanding case insensitivity
• How Microsoft Office 2007 files are handled
• Avoiding negative searches
• Number of results supported
• Parts of speech excluded from capture
• How proper names are treated
• Handling of short words
• Special character exceptions
• How word stemming is handled

How archives are handled

The search engine finds, extracts and evaluates content in ZIP, GZIP and TAR archives, but only if the compressed file type is identified in the query.

Case insensitivity rule


The search engine is case-insensitive. For example, if you search for a term in ALL CAPS, the system retrieves and reports the matching content whether it is in upper or lower case.

How Microsoft Office 2007 files are handled

The indexer ignores certain Microsoft Office 2007 content because of the way the applications store fonts, colors, macros, and page layout.
• If two dictionary words are merged together, the merged word will not be found.
  Example: American and Recovery are two dictionary words. If they are merged into the word AmericanRecovery, they will not be found.
• If a word in a Microsoft Office 2007 document has different fonts and colors, the word will not be read as a whole and will not be found.
  Example: If all the letters in the word Recovery are of different fonts and colors, it will not be found.
• If a word continues across two different pages, it will not be found.
  Example: If the word Recovery is spread across two pages (one page contains Rec and the second page contains overy), it will not be found.
• Words in documents that use special Microsoft Office 2007 font features like WordArt, SmartArt, and watermarks will not be found. Words present in macros in Microsoft Office 2007 documents, and in headers and footers in PowerPoint and Excel, will not be found.
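The font-and-color case above can be reproduced offline, which is useful when deciding whether a document that evaded a rule did so because of how Word stored it. The added Python example below (written for this page, not McAfee code, and not a description of the product's extractor) parses a constructed WordprocessingML fragment, the document.xml inside a .docx, in which the word Recovery was formatted with a different color per letter and is therefore stored as eight single-letter runs. A tokenizer that works run by run never sees the word; one that joins the runs of a paragraph before tokenizing does. The second paragraph shows the merged-word case, AmericanRecovery, which neither approach splits. The sample XML and function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W_P = f"{{{W_NS}}}p"   # paragraph
W_T = f"{{{W_NS}}}t"   # text node inside a run (<w:r>)

# Constructed document.xml fragment. "Recovery" was typed with a different colour per letter,
# so Word emits one run per letter; "AmericanRecovery" is the merged-word case.
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{W_NS}"><w:body>
<w:p>
  <w:r><w:t>American</w:t></w:r>
  <w:r><w:t xml:space="preserve"> </w:t></w:r>
  <w:r><w:rPr><w:color w:val="FF0000"/></w:rPr><w:t>R</w:t></w:r>
  <w:r><w:rPr><w:color w:val="00FF00"/></w:rPr><w:t>e</w:t></w:r>
  <w:r><w:rPr><w:color w:val="0000FF"/></w:rPr><w:t>c</w:t></w:r>
  <w:r><w:rPr><w:color w:val="FF00FF"/></w:rPr><w:t>o</w:t></w:r>
  <w:r><w:rPr><w:color w:val="00FFFF"/></w:rPr><w:t>v</w:t></w:r>
  <w:r><w:rPr><w:color w:val="FFFF00"/></w:rPr><w:t>e</w:t></w:r>
  <w:r><w:rPr><w:color w:val="000000"/></w:rPr><w:t>r</w:t></w:r>
  <w:r><w:rPr><w:color w:val="808080"/></w:rPr><w:t>y</w:t></w:r>
  <w:r><w:t xml:space="preserve"> Act</w:t></w:r>
</w:p>
<w:p><w:r><w:t>AmericanRecovery</w:t></w:r></w:p>
</w:body></w:document>"""


def tokenize(text: str) -> list:
    """Split extracted text into alphanumeric words."""
    return re.findall(r"[A-Za-z0-9]+", text)


def words_per_run(document_xml: str) -> list:
    """What a run-by-run extractor sees: every <w:t> tokenized on its own."""
    root = ET.fromstring(document_xml)
    words = []
    for t in root.iter(W_T):
        words.extend(tokenize(t.text or ""))
    return words


def words_per_paragraph(document_xml: str) -> list:
    """Join the runs of each <w:p> before tokenizing; returns one word list per paragraph."""
    root = ET.fromstring(document_xml)
    paragraphs = []
    for p in root.iter(W_P):
        text = "".join(t.text or "" for t in p.iter(W_T))
        paragraphs.append(tokenize(text))
    return paragraphs


def find_word(word: str, words_or_paragraphs) -> bool:
    """Case-insensitive whole-word lookup over a flat word list or a list of paragraph word lists."""
    flat = [w for item in words_or_paragraphs for w in (item if isinstance(item, list) else [item])]
    return word.lower() in {w.lower() for w in flat}


if __name__ == "__main__":
    runs = words_per_run(SAMPLE_DOCUMENT_XML)
    paragraphs = words_per_paragraph(SAMPLE_DOCUMENT_XML)
    print("per run      :", runs)
    print("per paragraph:", paragraphs)
    for word in ("Recovery", "AmericanRecovery"):
        print(f"{word}: run-level {find_word(word, runs)}, paragraph-level {find_word(word, paragraphs)}")
```

When a keyword rule misses a document you expected it to catch, unzip the .docx and look at word/document.xml: a keyword fragmented across runs, or fused to its neighbour, is visible there immediately.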

Avoiding negative searches

The search engine does not recognize queries that consist entirely of negative search terms. A query containing only words not to be found instructs the search engine not to search. Therefore, you must define a scope of data within which the term will not be found.

Number of results supported

The search engine is designed to retrieve no more than 10,000 results at a time. If this limit is exceeded, match strings are not retrieved, and hits on substrings may return overly broad results. The dashboard incident list, and exports taken from the dashboard, are limited to 5,000 results; up to 150,000 incidents can be exported via CSV.
TIP: If your search results exceed these limits, narrow your query and repeat the search.

Parts of speech excluded from capture


The indexer ignores some common parts of speech. Parts of speech like a, and, this, therefore, else, while, and with are excluded from capture.

How proper names are treated


The indexer treats proper name searches like keyword searches. It is not necessary to capitalize them.

Handling of short words


The indexer ignores words that are three characters long or shorter. Short words like air, eye, mac, pet, sox, and zip are excluded from capture.

Exceptions

• Postal codes are reported [AL, CA, CT, TX, NY...]
• Common governmental acronyms are reported [DMV, CIA, DOJ, FAA, NSA, IRS]

Special character exceptions


The indexer reports words that include non-alphabetic characters, such as numbers or spaces, only if they are identified in an Exact Search. The following characters have special meaning and cannot be used in searches.

Character      Description
.              period
;              semicolon
|              pipe
`              back tick
<>             less than/greater than
()             parentheses
\ \\           backslashes
/> ]]>         markup control characters
* /            escape characters

If you enter any of these characters in a query, you might get one of the following error messages: "Invalid character(s) in the input for the field" or "Search did not complete."

How word stemming is handled


The search engine does not recognize incomplete or partial words, but word stemming is supported.

NOTE: If an exact search is defined, stemming is disabled.

Example

• Searching for "basket" to retrieve "basketball" will not return a result.
• Searching for "run" in "running" will return a result.

NOTE: If the plural of a complete word used in a search is found, the result is reported as if it were a word stem.
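The constraints described in the sections above (negative-only queries, reserved characters, non-alphabetic terms outside an Exact Search, stop words, and the three-character rule with its exceptions) can be checked before a query is submitted. The following pre-flight lint is an added example, not part of the product or this guide; it calls no McAfee API, and its exception list holds only the examples this page gives.

```python
from typing import Dict, List

# Characters from the "Special character exceptions" table; the multi-character
# entries (/> and ]]>) are covered by their component characters.
RESERVED_CHARS = set(".;|`<>()\\/*")

# Parts of speech the indexer excludes from capture, as listed on this page.
STOP_WORDS = {"a", "and", "this", "therefore", "else", "while", "with"}

# Short words the indexer still reports. These are the page's examples only;
# the real exception list is longer, so treat this set as illustrative.
SHORT_WORD_EXCEPTIONS = {"AL", "CA", "CT", "TX", "NY",
                         "DMV", "CIA", "DOJ", "FAA", "NSA", "IRS"}


def check_term(term: str, exact: bool = False) -> List[str]:
    """Return the reasons a single search term will not behave as expected.

    An empty list means the term should index and match normally.
    """
    bad = sorted(c for c in set(term) if c in RESERVED_CHARS)
    if bad:
        # The engine rejects the whole query, so nothing else is worth reporting.
        return ["reserved character(s) %s: the search engine rejects the query"
                % " ".join(bad)]
    findings = []
    if not exact and not term.isalpha():
        # Digits and spaces are only matched inside an Exact Search.
        findings.append("non-alphabetic term: matched only in an Exact Search")
    if term.lower() in STOP_WORDS:
        findings.append("stop word: excluded from capture")
    elif len(term) <= 3 and term.upper() not in SHORT_WORD_EXCEPTIONS:
        findings.append("three characters or fewer: excluded from capture")
    return findings


def check_query(include: List[str], exclude: List[str],
                exact: bool = False) -> Dict[str, List[str]]:
    """Lint a query given as positive terms and negated terms.

    Returns a mapping from each problematic term to its findings; the key
    "<query>" carries findings about the query as a whole. An empty dict
    means no issue was found.
    """
    findings: Dict[str, List[str]] = {}
    if exclude and not include:
        findings["<query>"] = ["negative-only query: add positive terms that "
                               "define the scope to search within"]
    for term in [*include, *exclude]:
        problems = check_term(term, exact)
        if problems:
            findings[term] = problems
    return findings


if __name__ == "__main__":
    # Constructed query: one valid term, one reserved character, one short
    # word, one governmental acronym, one phrase and one stop word.
    for term, why in check_query(
            ["Recovery", "example.com", "air", "NSA", "credit card", "with"],
            ["basket"]).items():
        print(term, "->", "; ".join(why))
```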

Monitoring Active Directory users


How remote user accounts are monitored
Historically, DLP Manager has been linked to SAMAccountName as the main user identification element. But if that attribute is applied to users in the same domain who have similar or matching user names, they cannot be positively identified. DLP now keys on the unique alphanumeric SID (Security Identifier) that is assigned to each user account by the Windows domain controller. For example, the user name jsmith may belong to John Smith or Jack Smith, so more information would be needed to distinguish between those two users. Those individuals may even be using the same IP address, which would aggravate the problem of discovering the identity of the actual user.

But each account on an Active Directory server is made up of attributes that identify the individual who owns the account. McAfee Logon Collector matches the unique SIDs that are assigned to each Active Directory user to IP addresses, and all of the parameters associated with that SID are extracted when MLC moves binding updates from the Active Directory server to DLP.

NOTE: Because SAMAccountName was used to index data in earlier releases, that information may be lost during ad hoc searches when the user has upgraded to 9.0, or when the data residing in the capture database pre-dates the upgrade.

Using Active Directory User elements


All Active Directory elements are treated as word queries, and can be directed to specific LDAP servers. When these elements are used in a query, columns supporting the parameter are configured in the search popup and on the dashboard.

NOTE: Each of the user elements retrieves the attributes listed.

Parameters available

• User Name: user's name, alias, department, location
• User Groups: user's group
• User City: user's city
• User Country: user's country
• User Organization: user's company or organization

Using DLP on remote LDAP servers


The ability to monitor user traffic on Active Directory servers has now been extended to remote directory servers, making global user management practical. The ability of DLP 9.0 to connect to multiple domain controllers makes this possible. Not only is data on local networks captured, but capture is extended to all traffic on up to two LDAP servers. When users can be recognized by name, group, department, city or country, a DLP administrator can extract a great deal of significant information by using a few seminal facts to gradually gather more details about potential violations.

Viewing Active Directory incidents


In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents. When you get results from querying a directory server, you can view them on the Data-in-Motion dashboard or the corresponding ePO dashboard. Click Columns to see what other data categories are available for display.

NOTE: Not all of these parameters can be used for queries. This accounts for the disparity of data categories on search and rule pages.


Adding Active Directory columns to the dashboard


When you view Active Directory results, you will want to see all the user data available for the query you made. Use this task to add user columns to the dashboard.

NOTE: The columns available reflect the scope of data available. Not all of these parameters can be used for searching captured data or implementing rules. In an ad hoc search, some Active Directory attributes (user names, companies, email, managers, titles) are not displayed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click Columns.
3. Use the Add and Remove buttons to move Available columns to the Selected box.

   NOTE: There are many more columns available than there are searchable network elements. They were added to the interface to accommodate Host DLP. You can use them to display additional attributes that are reported, but not displayed by default.

   Columns available
   • User Custom
   • UserCity
   • UserCompany
   • UserCountry
   • UserEmail
   • UserGroups
   • UserID
   • UserManager
   • UserName
   • UserGroup
   • UserOrganization
   • Network printer
   • Network path
   • Location Tag Path

4. Use the Move buttons to move all User columns to the top of the Selected pane.
   TIP: If you cannot see the Move buttons, expand your dashboard.
5. Click Apply.

Adding rules to find Active Directory information


After you have configured your DLP system to get Active Directory user parameters, you will be able to search network traffic for any user information on that server. Use this task to create rules that will find significant information in that traffic.

TIP: You can construct a rule to keep administrators, who are responsible for handling privileged information, from being reported as violators.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. From the Actions menu, select Add a Policy.
   NOTE: You can skip this step and add a rule to an existing policy, or add Active Directory user parameters to an existing rule.
3. Select Add a rule from the Actions menu.
4. Select a Severity to classify the rule.
5. Set the Inherit Policy State to Enabled to bind the rule to the policy.
6. Open Content and add a keyword, concept, or content type to retrieve specific content (optional).
7. Open Source/Destination and click on a user parameter.
8. Click "?" and select an Active Directory server.
9. Click Find to retrieve all available patterns.
   TIP: If you know what you are looking for, you can type it into the search field.
10. Click on one or more patterns and Apply.
11. Add other parameters as needed.
12. If you want to apply an action when a match is found, click on the Actions tab and add one or more.
13. Click Save.

Advantages of keying on SIDs


Because McAfee Logon Collector allows DLP to key on SIDs instead of sAMAccountNames, the identities of individual users can be resolved and their traffic can be monitored. By leveraging multiple user attributes, it is now possible to identify end users conclusively, regardless of what email or IP addresses they are using. When a SID is retrieved from the Active Directory server, all of its associated attributes, such as domain name, location, department and user group, come with it. That collection of information can then be used in rules, templates, action rules, and notifications to find and stop security violations by specific users.

Types of Active Directory data supported


The following Active Directory parameters are supported by this release.

• UserCity (ucity)
• UserCountry (ucountry)
• UserDepartment (udepartment)
• UserGroups (ugroup)
• UserName (uname)

NOTE: These are the parameters that can be used for queries and rules, but incidents that are reported on the dashboard may have more objects available in the database. That information can be viewed by adding columns that can display those fields.

The following Active Directory parameters are supported by the standalone Host DLP 9.0.

• Network path
• Network printer
• Location Tag Path

How McAfee Logon Collector is used with DLP


Suppose you know that your company has lost intellectual property to a Chinese firm, and you suspect that the leak came from an insider in your Shanghai branch. Because McAfee DLP captures all traffic on your company's network, you can add an Active Directory server that contains the user account of that insider to DLP Manager, then search for the UserName of that individual and monitor his communications. You might then search his communications for the name of the lost component, then find the email address and geographical location of users outside the company who may have received the information. You might not know what will be in those communications, but you can use what you find to ask the next logical question.

TIP: If you don't know the user's name, you can gradually develop his identity by searching for users in Shanghai, searching the user groups in your Engineering division, and identifying a sub-group that may contain the user.

How McAfee Logon Collector enables user identification


McAfee Logon Collector is used to map IP addresses to user identities within Active Directory servers. Without it, users may be hard to identify because they may be logged into different or multiple workstations. IP addresses change when DHCP servers automatically assign new addresses, and more than one user might be logged on to the same workstation. When a McAfee Logon Collector is configured with a DLP Manager, it resolves user identities by retrieving collections of user account information from all Active Directory servers that have been added to the DLP system. Supporting multiple domain controllers means that large-scale enterprise operations can be served by McAfee applications. For DLP, that means that after McAfee Logon Collector is enabled, DLP administrators can configure Active Directory-based queries and rules to find out what activities specific users are engaging in on the network.
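The two identification problems described above (duplicate user names such as jsmith in "How remote user accounts are monitored", and IP addresses that change with DHCP or are shared by several logged-on users in this section) are both solved by keying on the SID with time-bounded IP bindings. The model below is an added example, not McAfee Logon Collector code; the SIDs, names, attributes and logon times are constructed, and the attribute names follow the parameters this page lists (uname, udepartment, ucity, ucountry, ugroup).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed SIDs (not real accounts). Two accounts share the sAMAccountName
# "jsmith"; the SID is what tells them apart.
SID_JOHN = "S-1-5-21-1000-2000-3000-1104"
SID_JACK = "S-1-5-21-1000-2000-3000-1187"
SID_ANNA = "S-1-5-21-1000-2000-3000-1222"

# Directory attributes keyed on SID. Values are constructed for the example.
DIRECTORY: Dict[str, Dict[str, str]] = {
    SID_JOHN: {"sAMAccountName": "jsmith", "uname": "John Smith",
               "udepartment": "Engineering", "ucity": "Shanghai",
               "ucountry": "CN", "ugroup": "Eng-Firmware"},
    SID_JACK: {"sAMAccountName": "jsmith", "uname": "Jack Smith",
               "udepartment": "Sales", "ucity": "Austin",
               "ucountry": "US", "ugroup": "Sales-West"},
    SID_ANNA: {"sAMAccountName": "alee", "uname": "Anna Lee",
               "udepartment": "Engineering", "ucity": "Shanghai",
               "ucountry": "CN", "ugroup": "Eng-Firmware"},
}


@dataclass(frozen=True)
class Binding:
    """One logon session: which SID held which IP address, and when."""
    ip: str
    sid: str
    logon: datetime
    logoff: Optional[datetime]  # None means the session is still open


def at_time(hour: int, minute: int = 0) -> datetime:
    """Timestamp on a fixed constructed day, so callers need no datetime."""
    return datetime(2010, 6, 1, hour, minute)


# Constructed binding updates. The DHCP lease for 10.1.2.3 is held by John in
# the morning and by Jack from the afternoon on; Anna logs on to Jack's
# workstation for an hour while he is still logged on.
BINDINGS: List[Binding] = [
    Binding("10.1.2.3", SID_JOHN, at_time(8), at_time(12)),
    Binding("10.1.2.3", SID_JACK, at_time(13), None),
    Binding("10.1.2.3", SID_ANNA, at_time(15), at_time(16)),
]


def candidates_by_account_name(name: str) -> List[str]:
    """Every SID carrying this sAMAccountName: the ambiguous, pre-9.0 view."""
    return [sid for sid, rec in DIRECTORY.items()
            if rec["sAMAccountName"] == name]


def resolve_sids(ip: str, at: datetime,
                 bindings: List[Binding] = BINDINGS) -> List[str]:
    """SIDs whose logon session covered `ip` at time `at`.

    One result is the normal case. An empty list means no binding covered the
    address (the lease had moved on, or no logon was observed). More than one
    result means several users were logged on to the same workstation, and the
    incident should be attributed to all of them rather than to the first.
    """
    return [b.sid for b in bindings
            if b.ip == ip and b.logon <= at
            and (b.logoff is None or at < b.logoff)]


def attribute_incident(ip: str, at: datetime) -> List[Dict[str, str]]:
    """Resolve an incident seen from `ip` at `at` to directory attributes.

    Everything is keyed on the SID, so the attributes that come back (name,
    department, city, country, group) are the ones usable in rules.
    """
    return [dict(sid=sid, **DIRECTORY[sid]) for sid in resolve_sids(ip, at)]


if __name__ == "__main__":
    print("jsmith resolves to", candidates_by_account_name("jsmith"))
    for when in (at_time(9), at_time(12, 30), at_time(14), at_time(15, 30)):
        owners = [u["uname"] for u in attribute_incident("10.1.2.3", when)]
        print(when.time(), "10.1.2.3 ->", owners or "unbound")
```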

Finding remote user information


How remote user data is retrieved
The extension of McAfee DLP capabilities through multiple Active Directory controllers makes it possible to retrieve more information about remote users than ever before.

If your local network is connected through McAfee Logon Collector to remote Active Directory servers, this capability brings your global security problems down to local control.

TIP: When a user parameter is used to bring in remote information, it is best to use it as a key within a larger search or rule. Add other qualifiers to target the information that is needed.

NOTE: Before you can search for user information on remote servers, you will have to add an Active Directory server and establish secure connections between a McAfee Logon Collector and DLP Manager.

Finding remote users by name


Use this task to get information about specific users on remote networks.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
   TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or rules.
2. Open the Source/Destination category.
3. Select User Name from the first menu.
4. Select is any of from the second menu.
   TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user name entries.
8. Select Local User or Everyone.
9. Click Apply. The selected user names will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote users.
11. Click Search or Save as Rule.

Finding remote users by group


Use this task to get information about users on remote networks who are members of specific groups.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
   TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or rules.
2. Open the Source/Destination category.
3. Select User Group from the first menu.
4. Select is any of from the second menu.
   TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user group entries.
8. Select one or more groups.
9. Click Apply. The selected groups will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote groups.
11. Click Search or Save as Rule.

Finding remote users by city


Use this task to get information about users on remote networks who reside in specific cities.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
   TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or rules.
2. Open the Source/Destination category.
3. Select User City from the first menu.
4. Select is any of from the second menu.
   TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user city entries.
8. Select one or more cities.
9. Click Apply. The selected cities' users will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote users of the selected city.
11. Click Search or Save as Rule.

Finding remote users by country


Use this task to get information about users on remote networks who reside in a specific country.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
   TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or rules.
2. Open the Source/Destination category.
3. Select User Country from the first menu.
4. Select is any of from the second menu.
   TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user country entries.
8. Select one or more countries.
9. Click Apply. The selected country's users will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote users of the selected country.
11. Click Search or Save as Rule.

Finding remote users by organization


Use this task to get information about users on remote networks who work for specific organizations or companies.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Advanced Search.
   TIP: Use Basic Search to do exploratory searches, and Advanced Search to create complex searches or rules.
2. Open the Source/Destination category.
3. Select User Organization from the first menu.
4. Select is any of from the second menu.
   TIP: Using the is none of condition might retrieve too many records.
5. Click "?".
6. Select a Directory Server from the popup menu.
7. Click Find to fetch the first 1000 user organization entries.
8. Select one or more organizations.
9. Click Apply. The selected organizations will populate the value field.
10. Add parameters from other categories to define the information that is needed from the records of the remote organizations.
11. Click Search or Save as Rule.

Getting and processing results


Using the Incidents dashboard
The Incidents dashboard gives you a detailed and comprehensive picture of the risks faced by your organization. The incidents and events reported are stored in three different databases, which correspond to the appliances that produced them.


Database vectors
• Data-in-Motion incidents are produced by DLP Monitor when its rules match data in the network stream.
• Data-at-Rest incidents are produced by DLP Discover when a scan finds sensitive data in network repositories or databases.
• Data-in-Use events are produced by DLP Host when data violations are found at network endpoints.

The dashboard tools give you the means to sort through all of the databases to reveal the most significant objects.

Dashboard tools
• Selecting pre-defined views, such as Incident Listing, offers different configurations of the incidents on the dashboard.
• Clicking the List, Group Detail, and Summary buttons displays some typically useful configurations.
• Clicking on any link on the dashboard changes the sorting keys in the Group by pane to reveal different attributes of the incidents.
• Building filters using the Filter by pane offers dozens of options for viewing the data stored in the databases.
• Selecting the Disk or Options icons allows you to save significant collections of data as views or reports.

If you are using DLP through ePolicy Orchestrator, all DLP dashboard tools are available to you. In addition, you can get summaries of the incidents and events on the main ePO dashboards.

TIP: Assign incidents to cases to collaborate on investigating and resolving problems.

Using the DLP Homepage


Checking Homepage permissions
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP HomePage. Your role in the organization determines what you will be able to see on this page. You can check your permissions under DLP Sys Config | User Administration | Groups | Details | Task Permissions | Incident Permissions.

NOTE: Because permissions are assigned by group, you will have to find out what group you belong to before checking permissions.

Configuring the DLP Homepage


The DLP Homepage gives you a quick overview of incidents found on your network or in network repositories. You can also get a summary of events that have taken place at network endpoints on this page. Incidents are categorized by the Data-in-Motion, Data-at-Rest, or Data-in-Use vectors. These correspond to data moving over the network, data in network repositories, and events taking place at network endpoints.


Customizing the DLP Homepage


Use this task to display up to four different reports on your home page.

TIP: You can control the details of incidents you see on the Incidents dashboard by sorting, grouping and filtering them.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | DLP HomePage.
2. Select Customize from the Options menu.
3. Select up to four reports.
4. Click Apply.

How to use the Homepage


All incidents and events that are reported on the Incidents dashboard can also be viewed directly by clicking the ePO Dashboard icon.

NOTE: If you want to sort, filter, or manage any of the incidents, you must go to the DLP Reporting | Incidents dashboard.

• DLP Status Summary
• DLP Executive
• DLP Manager
• DLP Data-in-Motion
• DLP Data-at-Rest
• DLP Data-in-Use

Getting details of results


How to get incident details
Use this task to get details about an incident.

TIP: If you cannot see incident details, you may not have the right permissions set. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. On the Incident Details page, click any available link.
   NOTE: The document will launch if the supporting software is installed. If there is another link inside the document, it is likely to be the database object that triggered the incident.
4. Click any tab to get additional information.
   NOTE: Incidents that are captured in real time, like chat and FTP sessions, cannot display details (like file names and user information) because they cannot be synchronized with the existing flow.


Finding matches that triggered incidents


Use this task to find the match string that triggered an incident.

TIP: If you cannot see incident details, you may not have the right permissions set. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. In the Incident Details window, click Matches.

Finding out if an incident is in a case


Use this task to find out if an incident has been included in a case.

TIP: If you cannot see incident details, you may not have the right permissions. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. On the Incident Details page, click Case.

Getting history of an incident


Use this task to find out who looked at an incident and what actions were taken.

TIP: If you cannot see incident details, you may not have the right permissions. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. In the Incident Details window, click History.

Identifying concepts that triggered incidents


Use this task to find out what concept triggered an incident.

TIP: If you cannot see incident details, you might not have the right permissions. See your administrator.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click on a Details icon.
3. In the Incident Details window, click Concepts.

Generating reports
How reports are generated
When you save a report, you are saving the content of what you are seeing on the dashboard in PDF, HTML or CSV format.

NOTE: CSV output is limited to 150,000 incidents. The maximum size of the exported report is 5 MB. There are no limits on the number of incidents exported in a case. If you want to save the dashboard settings, save a view instead.

NOTE: An incident that is exported from the dashboard cannot be saved if it is larger than 5 KB.

Adding a company name to a report


Use this task to display a company name on a report.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | System Administration.
2. Select a Configure link for the DLP Manager being used to create the report.
3. Scroll down to Company Information.
4. Type in your company name.
5. Click Update.

Creating CSV reports


Use this task to export an ASCII report in CSV format.

NOTE: The CSV format is available only under List view. Group Detail and Summary are not supported.

NOTE: Unlike the HTML and PDF Incident List Reports, there is no maximum number of incidents or maximum size for the exported report.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).
3. Click List.
4. Click Options.
5. Select Export as CSV.
6. Select Open or Save. If you select Open, the report will launch in spreadsheet format if you have Microsoft Excel installed. If you select Save, the report will be saved to your desktop.

Creating HTML reports


Use this task to export a report in HTML format.

NOTE: The maximum number of incidents displayed in the HTML Incident List Report is 5,000. The maximum size of the exported report is 5 MB.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).
3. Click List, Group Detail, or Summary.
4. Select Export as HTML from the Options menu.
5. Select Open or Save. If you select Open, the report will open in a web browser. If you select Save, the report will be saved to your desktop.

Creating PDF reports

Use this task to export a report in Adobe PDF format.

NOTE: The maximum number of incidents displayed in the PDF Incident List Report is 5,000. The maximum size of the exported report is 5 MB.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-in-Motion, Data-at-Rest, Data-in-Use).
3. Click List, Group Detail, or Summary.
4. Select Export as PDF from the Options menu.
5. Select Open or Save. If you select Open, the report will launch if you have Adobe Reader installed. If you select Save, the report will be saved to your desktop.

Scheduling reports
Use this task to set up a report to run on a regular basis and send an email notification.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click the Disk icon.
3. Name the view.
4. Select an owner.
   NOTE: Ownership is determined by the group to which a user belongs. If the user's group is not listed, go to DLP Sys Config | User Administration | Groups and add the group.
5. Click Set as Home View (optional).
6. Click Schedule Reports.
7. Click Types.
8. Fill in the report frequency parameters.
9. Type in the email parameters.
10. Click Save.

Setting up views
How to set up views
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views. Use this page to manage all standard and custom views you have collected. Using a variety of significant data patterns will help you to understand and manipulate the incidents that are found.

TIP: Pull down the Incident Listing menu on the Incidents page and select another view to see how results can be rearranged.

Attachments can be displayed if they are under 50 MB. The number of incidents that can be reported is limited to 150,000. After that number is reached, chunks of supporting data are wiped, starting with the oldest incidents first.

Copying views to users


Use this task to copy a view that you have created to another group of users.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.
2. Check a view box.
3. Select Copy View to Users from the Actions menu.
4. Check a group box.
5. Click Apply.
   TIP: Add a user group if the one you need is not listed.

Deleting views
Use this task to delete views from the Incident Listing menu.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.
2. Check a view box.
3. Select Delete from the Actions menu.
4. Confirm or cancel.

Saving views
Use this task to save a customized view to the Incident Listing menu.

NOTE: When you save a view, you are storing your current dashboard settings. To save the content you are seeing, create a report instead.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | My Views.
2. Select a vector from the Data-in-Motion dashboard menu.
3. Reconfigure your dashboard (optional).
4. Group your results (optional).
5. Filter your results (optional).
6. Click the Disk icon.
7. Name the view.
8. Select an owner.
   NOTE: Ownership is determined by the group to which a user belongs. Add a group if the user's group is not listed.
9. Check Set as Home View (optional).
10. Schedule a report that will use the view (optional).
11. Click Save.

Selecting different views


You can switch to different Incident configurations by selecting from a variety of different dashboard menus.

TIP: Many views keyed on different attributes of reported incidents are available in the Incident Listing menu. If none suit your purposes, save a custom view; it will be added automatically to the list.

NOTE: Each of the view vector menus (Data-in-Motion, Data-at-Rest, Data-in-Use) references a different database.

Selecting a view vector


Use this task to control the display of incidents from the three databases that support DLP devices. The vector menu is located over the Actions menu on the Incidents dashboard.

• Select Data-in-Motion from the vector menu to view incidents found in the network data stream.
• Select Data-at-Rest from the vector menu to view incidents found by scanning repositories.
• Select Data-in-Use from the vector menu to view events that have occurred on endpoints.

Selecting pre-configured views


The Incidents dashboard displays icons that access three pre-configured views.

Pre-configured Views
List             Displays all incidents in page format
Group Detail     Displays incidents graphically using two sort keys
Summary          Reports incident highlights arranged in a graphical framework

TIP: Customize each view type by sorting, grouping, or filtering incidents. The Incident Listing menu contains a large number of sample views that you can add to by saving your own custom views.


Customizing the results dashboards


How dashboards are customized
Customizing the results dashboard allows expansion of the display area, listing of more incidents, or display of additional attributes that are hidden by the default configuration.

TIP: Pull down the Incident Listing menu and select another view to change the default configuration quickly.

Adding rows to the dashboard


Use this task to view more than 25 rows of incidents on the dashboard.

NOTE: Viewing a large number of incident rows at one time (1,000 or more) could cause an HTTP REQUEST timeout.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click Columns.
3. Select a number from the Incidents per page menu.
4. Click Apply.

Changing dashboard display space


Use this task to change incident display space on the dashboard by expanding or collapsing dashboard panes.

TIP: To adjust the size of the navigation pane, drag the vertical rule to the desired location.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Double-click the expansion bar between panes to collapse the navigation pane.
3. Double-click the expansion bar to restore the navigation pane.
   TIP: Drag the expansion bar to adjust the space used by each frame.

Configuring dashboard columns


Use this task to change the number of attributes reported per item by adding or removing dashboard columns.

TIP: Try changing the view type (List, Group Detail, Summary) or views under Incident Listing before adding columns. One of the views may already provide the framework you need.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click Columns.
3. Use the Add and Remove buttons to move Available columns to the Selected box.
4. Use the Move buttons to move Selected column headers up or down.
   TIP: If you cannot see the Move buttons, expand your dashboard.
5. Click Apply.
   TIP: If you add a column to display ThumbnailMatch images, do not add rows. Moving 1,000 or more incident rows at one time could cause an HTTP REQUEST timeout.

Displaying match strings


Use this task to add a Matchstrings row to the incidents dashboard.

TIP: Because Matchstrings use more space on your dashboard, you may prefer to view them using the Details icon of each incident.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click Columns.
3. Select the Display Matchstring checkbox.
4. Click Apply.

Grouping and filtering incidents


How incidents are grouped and filtered
DLP Monitor captures all network data, though portions of traffic might be filtered out to improve performance.

NOTE: You can set a capture filter to focus the capture engine on significant traffic.

Because each incident displayed on the DLP dashboard is supported by a huge collection of database objects, a vast amount of data is available for viewing. Because you can see and understand only a small percentage of those objects at one time, you should try to filter incidents so that only the most significant attributes will be displayed.

TIP: Click on a data cell to see how the dashboard uses attributes as sorting keys.

Clearing filters
Use this task to clear any filters you have set.

CAUTION: When you finish using a filter, Clear All, or the configuration will block all other results.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Go to Filter by... .
3. Click Clear All.
4. Click Apply.

Filtering incidents
Use this task to eliminate irrelevant results that block significant data.

TIP: Before filtering, always define a time frame.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click any view type (List, Group Detail, or Summary).
   TIP: You can filter incidents instantaneously by clicking on any cell. The dashboard will immediately display all other incidents that contain the attribute that was selected.
3. Go to Filter by... .
4. Set the time frame filter.
5. Click the green plus sign to add a filter.
6. Set another data filter (for example, Content equals MSWord).
   NOTE: You can type attributes into the value field, but it is easier to click "?" to launch a popup menu.
7. Click Apply.
8. Add filters that will narrow the results further (for example, Filename equals <filename>).
9. Click Apply.
10. Click the Disk icon to save the configuration (optional).

NOTE: When you finish using a filter, Clear All, or the configuration will block all other results.

Grouping incidents
Focusing only on relevant categories produces more focused results. Use this task to select up to two group types that will provide a framework for your incidents.

TIP: Before grouping, always set a time frame filter.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a view vector (Data-at-Rest, Data-in-Motion, Data-in-Use).
3. Click Group Details.
4. In the Group by... pane, select two categories that will act as your primary and secondary sort keys.
5. For each category, select the number of occurrences to display.
6. Click the disk icon to save the view (optional). The workspace automatically adjusts to the configuration you define.

NOTE: When you finish using a filter, Clear All, or the configuration will block all other results.

Setting a date and time for results


Because Monitor captures everything on your network, you must specify a general or specific time frame to focus your results, and you must make sure you have data available for the period you specify. If you select a date range before your systems started capturing data, you will not get any results.

Use this task to find all results captured at a specific time or within a certain time frame.

NOTE: Time filters are associated with dashboard views. For example, if you select a view different from the default Incident List, you can see the Timestamp and other filter settings change.

TIP: Keep the time setting constant by saving a Home View.

1. Go to Filter by... .
2. Select Timestamp (default).
3. Select a time frame from the Anytime menu.
   TIP: Click "?" to select a Custom Date.
4. Click Apply.

When you finish using a filter, Clear All, or the configuration will block all other results.

Sorting results
How to sort results
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents to sort incidents. Sorting allows you to set aside results that are not immediately relevant, but might be significant at a later time.

TIP: Save a view or a report to track your changes.

Deleting incidents
Use this task to delete incidents that do not contain useful information.

NOTE: You can delete over 100,000 incidents from the capture database at one time.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select one or more checkboxes.
   TIP: Click the box in the column header to Select All Results on Page if you want to delete more results.
3. Select Delete from the Actions menu.
4. Click OK to confirm, or Cancel.

TIP: You can mark incidents as false positives to prevent them from being retrieved again, or flag them for deletion later.

Deleting similar incidents


Use this task to delete all incidents produced by a single rule, policy, or any other attribute.

NOTE: Using this method, you can delete over 100,000 incidents from the capture database at one time.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select a category from the Group by... menu.
3. Select All Results or All on Page from the Actions menu.
4. Select Delete from the Actions menu.
5. Click OK to confirm, or Cancel.

TIP: You can mark incidents as false positives to prevent them from being retrieved again, or flag them for deletion later.

Finding incidents that violated a policy


Use this task to find all incidents that violated a single policy.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select List or Summary.
3. Double-click any policy listed under Group by... . The incidents that violated that policy will be displayed on the dashboard.

Sorting incidents by attribute


Use this task to sort incidents that contain common attributes (for example, the same recipient, timestamp, severity, reviewer, etc.).

TIP: Select Columns and add more columns to display more attributes.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Click the column header of the attribute you want to sort by. The incidents will sort according to the attribute selected.

Changing settings
How settings are changed
Because DLP systems capture everything on the network (except traffic which is deliberately filtered out using capture filters), you may find that you need to change the settings that determine how many incidents are reported at once, and how they are delivered to the dashboard. For example, you might want to expand the number of incidents reported to the dashboard by default, but avoid overburdening the system. You can experiment with different settings by configuring throttling. Similarly, you can comply with PII requirements by encrypting certain elements, and you can manage the system resources that are consumed while doing so.


Configuring throttling to limit incidents


You can set throttling to report between 1 and 9,999 incidents within a time window of 10 to 3600 seconds. Throttling is enabled by default; to report all incidents, uncheck the Enable Throttling box. Use this task to change the number of incidents found in a specific time frame.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Policies | Settings.
2. Under Configure Throttling Parameters, leave the Enable Throttling box checked.
3. Type in the maximum Number of Incidents to be reported.
4. Type in the maximum Time Duration in seconds.
5. Click Save.

Encrypting incidents
Use this task to ensure compliance with PII requirements. When the encryption feature is enabled, two significant fields (subject and matchstring) that might contain PII information are encrypted before being stored in the database. They are decrypted before being displayed on the dashboard.

NOTE: This feature is disabled by default to conserve resources.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Policies | Settings | Security Settings.
2. Check the Sensitive Incident Data box to encrypt all incidents found.
3. Check the Encrypt Capture Data box to encrypt the entire capture database.
   NOTE: Selecting this option might impede performance.
4. Click Save.

Preventing data loss


Protecting data with DLP Prevent, Discover, and Endpoint
McAfee DLP devices use three different mechanisms to prevent data loss. Actions taken depend upon whether the violations are detected in network communications, network repositories and databases, or at network endpoints.

• DLP Prevent evaluates email and webmail that has been forwarded from an MTA or proxy server, marks messages that violate active rules with certain actions, and passes them back to the email or webmail server to be enforced.
• DLP Discover supports remedial actions that can be taken when sensitive or registered content has been detected in a network repository or database.
• Host DLP uses pre-programmed rules with specific actions that may be deployed on- or offline when violations are found at endpoints.

Whether they are generated by Prevent, Discover, or Host DLP devices, incidents and events on DLP dashboards can be resolved manually or automatically. Users might apply actions directly to incidents from the Actions menu, or pre-program rules to automatically trigger specific actions.

Protecting data with DLP Prevent


How DLP Prevent protects data
DLP Prevent uses a rules evaluation mechanism with applied actions to provide automatic resolution of problems found in email and webmail that is circulating on a network. When a violation is found in network communications, an optional action rule is triggered to neutralize or dispose of the incident.

NOTE: DLP Prevent must be deployed with an MTA or proxy server. Communications are forwarded over SMTP or ICAP, depending on whether an email or web gateway is used.

When violations are found in network email, DLP Prevent might be used to do the following:

• block confidential data breaches
• encrypt authorized transmissions
• quarantine suspicious traffic
• bounce email that violates policies
• notify supervisory personnel
• record incidents in a system log
• allow email that is determined to be legitimate.

When violations are found in webmail, the seven DLP actions are reduced to BLOCK and ALLOW.

TIP: Use DLP Prevent to capture network traffic for later forensic analysis or block the transmission of sensitive data sent using specific mail protocols (for example, HTTP POST, SMTP_Request, etc.).

Adding a DLPPrevent action rule


McAfee DLP 9.0 provides default action rules that can be applied to any rule, and they are used by DLP Prevent to process violations in email communications. Use this task to create a custom action rule, if one is needed.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. From the Actions menu under Data-in-Motion, select Add Action Rule.
3. Type in a name for the action rule.
4. Open Email Notification to alert one or more users when the action is triggered.
   TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example, ##Filename found by the ##Rule violated the ##Policy and was quarantined.
5. Open Syslog Notification and select Enable to log the incident (optional).
6. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
7. Open Incident Status to change the stage of resolution when the action takes place (recommended).
8. Select an action from the Data-in-Motion Prevent Action menu.
9. Click Save.

After you have created the action rule, apply it to one or more rules.

Applying a DLPPrevent action rule


DLP Prevent contains a set of international rules that are automatically applied against email communications, and many of them already have default actions that will be taken when the rules hit. If the correct action has not yet been applied, use the following task to add an action to a rule.

1. Go to Policies and click on a policy.
2. Click on a rule.
3. Click on the Actions tab.
4. Click on the Add Action plus sign.
5. Select the action from the Data-in-Motion list.
6. Click Save.

TIP: Wait for the edited rule to produce results, or create some traffic that will execute it. Then verify that the action rule applied to the rule implements the correct action.

Types of DLPPrevent actions


Violations found by the DLP Monitor capture engine may be processed using one of seven preventive actions.

Actions

• Allow
• Block
• Bounce
• Encrypt
• Monitor
• Notify
• Quarantine
• Redirect

Each action can be configured to automatically notify users that a preventive action has been applied. Each action can also be configured to place a record in a system log, assign the incident to one or more reviewers, or apply a status that indicates its stage of resolution.


The role of DLP Prevent in a managed system

DLP Monitor is a passive component on the network, so the default preventive action has to be set to ALLOW. This setting changes only if DLP Prevent is installed; preventive actions are not supported without it. If DLP Prevent is managed by DLP Manager, rules that are deployed to All Devices are directed to DLP Prevent, but only if they contain preventive actions.

NOTE: If DLP Monitor, Discover and Endpoint devices are managed by DLP Manager, every rule can be configured to deploy one action of each of the three incident types.

How DLPPrevent processes email


Use this task to understand the DLP Prevent process.

1. A host sends an email message to an email gateway.
2. The message is relayed to the smart host, which routes it to the DLP Prevent appliance.
3. On receiving the email, the DLP Prevent appliance compares it to existing rules.
4. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.
5. DLP Prevent then sends the email back to the smart host, and it is relayed back to the email server.
6. Based on the action specified in the X-RCIS-Action header appended by the Prevent appliance, the message is allowed, blocked, bounced, encrypted, monitored, quarantined or redirected.
7. Notification of the action is sent to the defined user.

Configuring DLPPrevent for email


When configured with an email gateway, DLP Prevent can monitor transmissions and apply preventive actions to protect data in network communications. Use this task to configure DLP Prevent.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP SysConfig.
2. Select the DLP Prevent appliance and click Configure.
3. Scroll down to the Smart Host section of the page and enter an IP address to which the email to be processed will be routed.
   NOTE: Host names are not supported; an IP address must be used. A smart host is configured only if SMTP email is being processed, and configuring more than one is not supported.
4. If you configured a rule and you want email notification when the rule hits, you must add an email address. The mail server sends notification to that address after the action is taken.
5. Click Send test mail to verify that the smart host connection is alive.
6. Click Update.

NOTE: Both MTA and proxy servers can be handled by one DLP Prevent system, but contact a McAfee Service Representative to assure proper performance.


How DLPPrevent processes webmail


Use this task to understand the DLP Prevent webmail process.

1. A host sends a webmail message to a network address.
2. If a web proxy server is set up, it intercepts the message and routes it to the DLP Prevent appliance.
3. On receiving the email, the DLP Prevent appliance compares it to existing rules.
4. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.
5. DLP Prevent then sends the webmail back to the proxy server, and it is either blocked or delivered to its addressee.
   NOTE: Although DLP Prevent supports block, bounce, encrypt, monitor, quarantine and redirect actions, proxy servers can only BLOCK or ALLOW webmail.
6. Notification of the action is sent to the defined email address.

Configuring DLPPrevent for webmail


When configured with a web proxy server, DLP Prevent can monitor transmissions and identify traffic to and from wikis, portals, blogs and other collaborative sites using HTTP and HTTPS protocols. Use this task to set DLP Prevent up to work with webmail.

1. Set up DLP Prevent to work with Bluecoat, McAfee Web Gateway (formerly Webwasher), or McAfee Email Security Appliance. McAfee Email Security Appliance is set to handle up to 30 concurrent SMTP connections, but Prevent exceeds this limit. To get these two appliances to work together, you must modify the ESA configuration files.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sysconfig.
3. Add the DLP Prevent device to DLP Manager.
4. Click on the configure link of the DLP Prevent device.
5. Scroll down to the Email Setting fields and add an email address for notification.
   NOTE: If you are monitoring traffic through a proxy server, no smart host configuration is needed because that server is already part of the network; smart hosts are not used when DLP Prevent is configured with a proxy server. Do not enter anything in the smart host box.
6. Click Update.
   NOTE: SSL-encrypted webmail transmissions might become visible during this process.
7. The web proxy server captures outgoing HTTP traffic (including webmail) and sends it to DLP Prevent over ICAP (Internet Content Adaptation Protocol).
8. If a rule matches, DLP Prevent adds an X-RCIS-Action header and stores the event in its database.
9. If the action specified in the header is not ALLOW, the webmail is BLOCKED.
10. Notification of the action is sent to the defined user.


MTA requirements to inter-operate with Prevent

Whether or not a generic MTA can inter-operate with Prevent depends upon the capabilities of the MTA in question. In what follows, we distinguish between the terms incoming/outgoing and entering/leaving when discussing emails.

• By incoming and outgoing, we mean emails that are either being sent to or received from the outside world.
• By entering and leaving, we mean emails that are entering or leaving the MTA.

Any MTA that is expected to inter-operate with Prevent must comply with the following requirements.

1. Must be capable of sending either all or a portion of outgoing traffic to the Prevent application. DLP Prevent is not typically used to inspect incoming email. Examples of a requirement where only a portion of the traffic needs to be scanned may be in environments where only traffic with attachments is to be scanned, or where scanning is limited to traffic directed to public sites (for example, Yahoo).
2. Must be capable of inspecting email headers of messages entering the MTA.
3. Must be capable of taking actions based on specified match expressions for email headers. The specific header received from Prevent is the X-RCIS-Action header, with the values ALLOW, BLOCK, QUART, ENCRYPT, BOUNCE, REDIR and NOTIFY.
4. Based on entering port or some other metric, must be capable of distinguishing all emails arriving from the Prevent appliance, then applying header inspection and header-based action rules exclusively to email entering from Prevent.
5. Must be capable of ensuring that emails arriving from the Prevent appliance are not routed back to the Prevent appliance. This can be done either by using port / srcIP-based mail routing, by checking to see if an X-RCIS-Action header already exists in an email scheduled to be routed to the Prevent appliance, or by some other means.
6. Must be capable of implementing all of the Prevent-based actions. If the MTA does not have all of the required capabilities, inter-operation is still possible, but in that case the actions that can be set when rules are created must be limited to those supported by the MTA.
7. Must be able to inter-operate with an email encryption appliance (if this capability is needed) and instruct the encryption appliance to encrypt specific messages based on header information or other metrics.
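The MTA-side decisions that the email processing flow and the seven requirements above describe, written here as an added Python example (not McAfee's code and not any MTA's own): for each message entering the MTA it returns whether to hand the message to Prevent, relay it unscanned, or enforce the verdict in its X-RCIS-Action header, distinguishing mail returning from Prevent by entry port (requirement 4) so that nothing loops back (requirement 5). The return port number, the local domain list, the "attachments only" scope switch and the sample messages are constructed assumptions, not values from the guide.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

ACTION_HEADER = "X-RCIS-Action"
# Header values the guide lists as returned by Prevent (requirement 3).
PREVENT_ACTIONS = frozenset(
    {"ALLOW", "BLOCK", "QUART", "ENCRYPT", "BOUNCE", "REDIR", "NOTIFY"})
# Assumption (not from the guide): mail coming back from the Prevent appliance
# enters the MTA on a dedicated port, which is how requirement 4 tells it apart.
PREVENT_RETURN_PORT = 10026
LOCAL_DOMAINS = frozenset({"example.com"})  # constructed sample domain list


def recipients(msg: Message) -> list[str]:
    """All To/Cc/Bcc addresses of a message, lower-cased."""
    values = [v for name in ("To", "Cc", "Bcc") for v in msg.get_all(name, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def is_outgoing(msg: Message, local_domains=LOCAL_DOMAINS) -> bool:
    """Outgoing in the guide's sense: at least one recipient outside our domains."""
    return any(addr.rsplit("@", 1)[-1] not in local_domains
               for addr in recipients(msg))


def has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename (the 'attachments only' scope)."""
    return any(part.get_filename() for part in msg.walk())


def route(raw: str, entry_port: int, attachments_only: bool = False,
          local_domains=LOCAL_DOMAINS) -> tuple[str, Message]:
    """Decide what the MTA does with one message that entered on entry_port.

    Returns (decision, message): decision is "SCAN" (hand to Prevent),
    "RELAY" (deliver without scanning) or one of PREVENT_ACTIONS to enforce.
    """
    msg = message_from_string(raw)
    if entry_port == PREVENT_RETURN_PORT:
        # Requirement 4: header inspection and header-based actions apply only
        # to mail entering from Prevent. Requirement 5: this branch never
        # returns "SCAN", so mail from Prevent cannot loop back to it.
        value = msg.get(ACTION_HEADER)
        if value is None:
            # No rule matched, so Prevent added no header (email flow, step 4).
            return "ALLOW", msg
        value = value.strip().upper()
        # Assumption: an unrecognised value fails closed instead of delivering.
        return (value if value in PREVENT_ACTIONS else "BLOCK"), msg
    # Mail from any other port: an X-RCIS-Action header here is not Prevent's
    # verdict (the sending client could have written it), so it is removed and
    # the message still goes through the normal scanning decision.
    if ACTION_HEADER in msg:
        del msg[ACTION_HEADER]
    if not is_outgoing(msg, local_domains):
        return "RELAY", msg  # Prevent is not typically used for incoming mail (req. 1)
    if attachments_only and not has_attachment(msg):
        return "RELAY", msg  # only a portion of outgoing traffic is scanned (req. 1)
    return "SCAN", msg


# Constructed sample messages (not captured traffic).
SAMPLE_OUTGOING = (
    "From: alice@example.com\n"
    "To: bob@partner.test\n"
    "Subject: Q3 forecast\n"
    "\n"
    "Numbers in the body.\n")

SAMPLE_INTERNAL = (
    "From: alice@example.com\n"
    "To: carol@example.com\n"
    "Subject: lunch\n"
    "\n"
    "Noon?\n")

SAMPLE_WITH_ATTACHMENT = (
    "From: alice@example.com\n"
    "To: bob@partner.test\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attached.\n"
    "--b1\n"
    'Content-Type: application/pdf; name="plan.pdf"\n'
    'Content-Disposition: attachment; filename="plan.pdf"\n'
    "\n"
    "(placeholder attachment bytes)\n"
    "--b1--\n")

if __name__ == "__main__":
    print(route(SAMPLE_OUTGOING, 25)[0])                                 # SCAN
    print(route(SAMPLE_OUTGOING, 25, attachments_only=True)[0])          # RELAY
    print(route(SAMPLE_WITH_ATTACHMENT, 25, attachments_only=True)[0])   # SCAN
    print(route("X-RCIS-Action: QUART\n" + SAMPLE_OUTGOING,
                PREVENT_RETURN_PORT)[0])                                # QUART
    print(route("X-RCIS-Action: ALLOW\n" + SAMPLE_OUTGOING, 25)[0])      # SCAN
```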

Reviewing prevented violations


Use this task to see what preventive actions have been applied to an incident.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Incidents.
2. Click List.
3. Select an incident and click its Details icon.
4. At the bottom of the Incident Details page, check for prevented actions.

Protecting data with DLP Discover


How DLP Discover protects data
DLP Discover remediation allows immediate resolution of problems found in a repository or database. When a violation is found, a Data-at-Rest action rule can be configured to prevent or correct the situation that produced the incident.

NOTE: Remediation is part of the incident workflow, and any time incidents are wiped from the system, remediated files will also be wiped.

When violations are found in Data-at-Rest, the remediation feature may be used to do the following:

• Copy files containing violations to another location on the network
• Move files containing violations to another location on the network
• Password-protect files containing violations
• Delete files containing violations

Each of these actions also includes the capability to do the following:

• Notify users of violations found in scanned data
• Record violations found in scanned data in a system log
• Assign incidents to one or more reviewers
• Set a status that indicates the state of resolution

Remediation can be applied directly to incidents reported on the Data-at-Rest dashboard, or pre-programmed by attaching an action rule to rules that produce incidents.

Adding a remedial action rule


Use this task to add a remedial action rule that will be applied in a Discover scan.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Select Add Action Rule from the Actions menu under Data-at-Rest.
3. Type a name for the action rule.
4. Open Email Notification to alert one or more users to the action.
   TIP: You can use Dynamic Variables to inform users of the remedial action automatically. For example, ##Filename found by ##ScanOperation violated the ##Policy and was moved to <export location>.
5. Open Syslog Notification and select Enable to log the incident.
6. Open Incident Reviewer and Incident Status to assign a reviewer.
7. Open Incident Status to define its stage of resolution.
8. Open Remediation Policy and select the corrective action that is to be taken.
9. Click Save.

Types of remedial action


Violations found by a Discover scan may be processed using one of four remedial actions.

• Copy
• Move
• Encrypt
• Delete

Each action can be configured to automatically notify users that a remedial action has been applied to a violation found in Data-at-Rest. Each action can also be configured to place a record in a system log, assign the incident to one or more reviewers, or apply a status that indicates its stage of resolution.

Applying a remedial action to a rule


Use this task to apply a remedial action to a rule that will be used in a Discover scan. If the rule hits, the action defined in the rule will be taken.

NOTE: If Monitor and Discover devices are managed by DLP Manager, every rule can be configured to deploy one action to each of the three incident types.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the policy defined in the scan.
3. Click on one of the rules.
4. Click on the Actions tab.
5. Click on the Add Action plus sign.
6. Select the remedial action from the Data-at-Rest menu.
7. Click Save. Repeat until all rules have the action applied.

TIP: Re-scan to produce updated results, then verify that the action rule applied to the rule implements the correct remedial action.

Setting up a location for exported files


Before sensitive files found in a database or repository can be copied or moved, a folder must be set up to receive them, and it must also be set up for sharing. Use this task to set up and configure an export location.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Export Locations.
2. From the Actions menu, select New.
3. Name the Export Location.
   NOTE: If the folder does not already exist, it is created.
4. Type the IP address/Host Name, Share Name and Directory Path in the appropriate boxes.
5. Select a type from the Repository Type drop-down list.
   NOTE: Only Windows shares (CIFS) are supported.
6. Select a Credential to access the repository, or click New to create a new one using authentication parameters of an existing account.
7. Click Test to verify read/write access to the repository. If the credential is correct but the test is negative, use Windows Explorer to verify that sharing is enabled and read-write privilege has been granted.
8. In Microsoft Windows Explorer, right-click on the target folder and select Properties.
9. On the General tab, deselect the Read-only checkbox.
10. On the Sharing tab, select Share this folder.
11. Click OK.
12. Click Save, then re-test.

Copying discovered files


After defining an export location, use this task to copy a file found by a discovery scan to that location.

NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original location to leave a record of the remedial process that has been applied.

1. Use the export location task to define a folder that will receive the file.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
3. Under Data-at-Rest, from the Actions menu, select Add Action Rule.
4. Type a name for the action rule.
5. Open Email Notification to alert one or more users when the action is triggered.
   TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example, ##Filename found by the ##Rule violated the ##Policy and was quarantined.
6. Open Syslog Notification and select Enable to log the incident (optional).
7. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
8. Open Incident Status to change the stage of resolution when the action takes place (recommended).
9. Open Remediation Policy and select Copy from the Action drop-down list.
10. Select the export location from the Destination drop-down list.
11. Click Save.

TIP: If you copy an incident from the dashboard, select its checkbox and select Remediate | Action | <copy action rule> from the Actions menu. If an incident is to be copied when it is hit on by a rule, add the <copy action rule> to the rule and click Save, then start a Discover scan that applies the rule containing the action rule.

Deleting discovered files


Use this task to delete a file found during a discovery scan. Deleted incidents cannot be recovered.

NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original location to leave a record of the remedial process that has been applied.

1. Check the permissions of the file to be deleted.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
3. From the Actions menu, select Add Action Rule.
4. Type a name for the action rule.
5. Open Remediation Policy and select Delete from the Action drop-down list.
6. If you have read and understood the Warning, select the I Accept checkbox.
   NOTE: The action can be completed only if there is no conflicting instruction in the rule to which the action rule is attached.
7. Add File Marker Text as appropriate.
   TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on the drop-down list. For example, ##Filename found by ##ScanOperation violated ##Policy and was deleted.
8. Click Save.
9. Apply the new action rule to one or more rules.
10. Go to Menu | Data Loss Prevention | DLP Sys Config. Click Discover Configuration. The Scan Operations page is displayed.
11. Select a scan.
12. From the Actions menu, select Rescan.
13. Check results to verify that the file gets deleted.

Encrypting discovered files


Use this task to password-protect a file found by a discovery scan.

NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original location to leave a record of the remedial process that has been applied.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Under Data-at-Rest, from the Actions menu, select Add Action Rule.
3. Type a name for the action rule.
4. Open Email Notification to alert one or more users when the action is triggered.
   TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example, ##Filename found by the ##Rule violated the ##Policy and was quarantined.
5. Open Syslog Notification and select Enable to log the incident (optional).
6. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
7. Open Incident Status to change the stage of resolution when the action takes place (recommended).
8. Open Remediation Policy and select Encrypt from the Action drop-down list.
9. Type in a password and confirm it.
10. Add File Marker Text as appropriate.
    TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on the drop-down list. For example, ##Filename found by ##ScanOperation violated the ##Policy and was password-protected. Consult <administrator> for more information.
11. Click Save.

TIP: If you relocate an incident from the dashboard, select its checkbox and select Remediate | Action | <move action rule> from the Actions menu. If you want an incident to trigger a move, add the <move action rule> to the rule and click Save, then start a discovery scan that applies the rule containing the action rule.

Moving discovered files


After defining an export location, use this task to move a file found by a discovery scan to that location.

NOTE: When a file is copied, moved, deleted or encrypted, DLP Discover leaves a trace file at the original location to leave a record of the remedial process that has been applied.

1. Use the export location task to define a folder that will receive the file.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
3. Under Data-at-Rest, from the Actions menu, select Add Action Rule.
4. Type a name for the action rule.
5. Open Email Notification to alert one or more users when the action is triggered.
   TIP: You can use Dynamic Variables to inform users of the prevented action automatically. For example, ##Filename found by the ##Rule violated the ##Policy and was quarantined.
6. Open Syslog Notification and select Enable to log the incident (optional).
7. Open Incident Reviewer to assign a reviewer when the action takes place (recommended).
8. Open Incident Status to change the stage of resolution when the action takes place (recommended).
9. Open Remediation Policy and select Move from the Action drop-down list.
10. Select the export location from the Destination drop-down list.
    TIP: You can add Dynamic Variables to the file marker text at the text cursor position by clicking the variable on the drop-down list. This informs users of the relocation automatically. For example, ##Filename found by ##ScanOperation violated the ##Policy and was moved to <export location>.
11. Click Save.

TIP: If you relocate an incident from the dashboard, select its checkbox and select Remediate | Action | <move action rule> from the Actions menu. If you want an incident to trigger a move, add the <move action rule> to the rule and click Save, then start a discovery scan that applies the rule containing the action rule.

McAfee DLP 9.0.1 Product Guide


Preventing data loss

Reverting remediated files


Use this task to reverse a remedial action that has been applied to a file found during a discovery scan.
NOTE: Deleted incidents cannot be reverted or recovered.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select one or more incident checkboxes.
3. From the Actions menu, select Remediate | Revert.
4. Click OK to confirm, or Cancel.
5. Verify that the action has been reverted by rescanning (optional).

Reviewing remedial actions


Use this task to see what remedial actions have been applied to an incident.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select Data-at-Rest from the display thumbwheel.
3. Click an incident to display the DLP Incident Details page. Any remedial actions are listed.
TIP: Click Columns to add the three Rem columns (RemActionRule, RemActionType, RemTaskStatus) to the dashboard.

Adding columns to display remedial actions


Use this task to configure the Incidents | Data-at-Rest page to display the remedial actions that have been applied to a file.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.
2. Click Incidents, then select Data-at-Rest from the display thumbwheel.
3. Click Columns.
4. On the Table Columns page, scroll down the Available list of columns.
5. Select one or more of the Remediation column headers:
• RemActionRule
• RemActionType
• RemTaskStatus
6. Click Add to move the column headers to the Selected list.
TIP: To move column headers out of the Selected list, select them, then click Remove.
7. Click the Move buttons to rearrange the placement of column headers.
8. Click Apply.


Protecting data with Host DLP (Endpoint)


Adding an Endpoint action rule
Endpoint action rules contain elements used in rules supported by the Host DLP product, but in this release they can also include network parameters. However, the endpoint parameters used in the rule must be enabled before they can be used. Use this task to create an action rule that can be added to any network rule containing an Endpoint parameter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. From the Data-in-Use Actions menu, select Add Action Rule.
3. Type a name for the action rule. Typing a description is optional.
4. Select one or more actions to be taken when a protected endpoint is detected.
• If the endpoint data detected is to be encrypted, provide an encryption key. Consult the Endpoint Encryption for Files and Folders 4.0 Product Guide for more information.
• If the data detected is significant, select a Severity from the drop-down list.
• If users are to be notified when endpoint data is detected, type in a message. Typing in link text or a URL is optional.
5. Select a Data-in-Use Policy Action.
6. Select from the available actions.
NOTE: Endpoint actions can be taken whether the detected device is online or offline. Select one or both.
7. Click Save.
After you have created the endpoint action rule, apply it to one or more rules.

Applying an action to a rule with Endpoint parameters


Endpoint action rules are defined in the same way as DLP Prevent and DLP Discover action rules, but if protection rules are to employ those actions, they must first be enabled (after selecting them from a rule's Endpoint menu).
NOTE: You can add one of the existing Endpoint action rules to the unified rule, or configure an action containing one or more of the Data-in-Use actions. Any rule can contain actions based on moving traffic or static files, as well as endpoint reactions. Because all parameters in a rule may have actions added, many different combinations are possible.
If an action is needed in a rule containing Endpoint parameters, use this task to add one.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies and click a rule that has one or more Endpoint parameters.
2. Click the Actions tab and select Add Action.
3. Select one or more Data-in-Use actions to be taken when a protected endpoint is detected.
4. Click Save.


How Host DLP protects data


Host DLP 9.0 protection rules have reactions defined by default, but in the unified release, actions are optional and can be pre-programmed in the same way as for DLP Prevent and DLP Discover. Rules containing Endpoint protection parameters are disabled by default, and their reactions fire only if they are enabled. Endpoint protection rules cover clipboards, local printers, PDF and image writers, removable media, and screen captures; by combining them with network parameters, large volumes of data needing protection can be precisely defined. In addition, Host DLP allows targeting of specific network paths and shares, printers, and file and encryption types, making it possible to protect a wide range of endpoint types. When any of these targets is compromised, a violation is generated and reported to the Data-in-Use dashboards on ePO or DLP Manager. If an Endpoint action rule has been pre-defined, an action is triggered when a violation is found. If not, the Actions menu provides other ways to resolve problems reported to the dashboards.

Types of DLP Endpoint actions


Events found on an endpoint by McAfee Agent can be processed using one of nine preventive actions:
• Block
• Delete
• Encrypt
• Monitor
• Notify User
• Quarantine
• Request Justification
• Store Evidence
• Tag

Each of these actions can be applied to endpoints whether on- or offline.

Protecting endpoint data


Host DLP: Integrated into Network DLP
In this release, Host DLP has been redesigned and embedded in Network DLP. With this addition, Network DLP has been extended to protect enterprises from the risk associated with unauthorized transfer of data to unsecured endpoints. In addition, network file systems and shares can now be protected using both host and network products.


The new Host DLP product interface is now known as Endpoint protection and configuration. Events are identified by McAfee Agent and displayed through a Host DLP server on the ePO and DLP Data-in-Use dashboards. For example, data that has been moved, copied, printed or screen-captured from a laptop or desktop to another device or location is monitored and controlled. Endpoints that are protected include desktops, laptops, removable media, and printers.

How Host DLP extends network results


With the addition of Host DLP 9.0, significant host events are reported along with network incidents. As with Network DLP, when violations are found, actions that prevent the misuse of sensitive data fire automatically. Because each host event can be embedded in a network rule, additional network parameters can be added. For example, content, protocol, time definition, file and location parameters may amplify the information available for each host event. This is done by constructing network-oriented rules that include endpoint definitions: open any rule and pull down the Endpoint menu to select one or more of the Host DLP protection rules, then use the menu choices under other categories to add attributes that will produce more relevant hits on or off the network.
NOTE: If your DLP Manager is configured with McAfee Logon Collector and an Active Directory server, endpoint protection can be extended to directory servers managing users all over the world.

How Network DLP protects endpoints


Host DLP protects endpoints by using the McAfee DLP Agent, which resides on hosts, to administer and enforce the global Host DLP policy. Network DLP works with the Agent through Host DLP by adding host parameters to existing network rules and policies. When a significant event is detected by one of the integrated host protection rules, it is reported to the Data-in-Use dashboards through DLP Manager. When a rule hits, the reactions associated with Host DLP rules are deployed.

Creating Agent Override Passwords


After McAfee Agent reports an event, an agent override key must be used to reverse any of its actions. An Agent Override Password must therefore be set before starting any network tasks related to Host DLP. For example, a key is needed to unblock quarantined files, unlock and decrypt encrypted files, request justification for blocked actions, or work around any other events generated by the McAfee Agent. Use this task to set an agent override password.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.
2. Click Endpoint Configuration, then Agent Override Password.
3. Type in and confirm a password.
4. Click Submit.

Agent events that cannot be reported


Some of the events detected by McAfee Agent cannot be reported to DLP dashboards. For example, the Incident Details page cannot identify content, content type, or the evidence server that generated the event. None of the following events can be reported to DLP Manager:
• Agent enters bypass mode
• Agent leaves bypass mode
• User returned from Safe Mode
• Device plugged in
• New device class found

Viewing endpoint events


Events that are generated by DLP agents at endpoints are stored in the ePO database, which is accessed through DLP Manager. They can be viewed on the Incidents dashboard under the Network DLP Data-in-Use vector, and a summary of those events is also displayed on ePO's main dashboard.
NOTE: If you cannot see endpoint event details, you might not have the right permissions set. Contact your administrator.
Use this task to view endpoint events on ePO.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting.
2. Click Incidents.
3. Select the Data-in-Use vector.
4. Click List.
5. Select a view from the Incident Listing menu.
6. Click a Details icon.
7. On the Incident Details page, click any available link. If you select a document link, the document launches if the supporting software is installed. If there is another link inside the document, it is likely to be the database object that triggered the incident.
8. Click any tab on the Incident Details page to get additional information.
TIP: The columns configured on the dashboard determine the attributes displayed on the Incident Details page. Add or remove columns by clicking the Columns button on the Incidents dashboard.


Types of endpoint events
Host DLP events are generated by the McAfee DLP Agent, which is deployed by the Host DLP Monitor, and any significant events found are displayed through DLP Manager. Problems identified by the McAfee Agent might include critical system events, rule violations, or events associated with a particular user or computer. The roles users play in an organization determine what types of events they are allowed to view. The events displayed may also include registered and classified content that has been tagged for protection purposes, disallowed user actions, access violations, or detection of a controlled element. Events can be filtered by general, administrative, or outgoing conditions. For example, an administrative event may indicate that an agent or policy state has changed, and an outgoing event may be generated when protected data is in motion.

Managing endpoints
The DLP 9.0 system must be set up to record incidents and events to the Host and Network DLP databases through DLP Manager. Because existing Host DLP operations must not be affected, the default configuration allows them. As long as device control, application tagging, and rights management features are not needed, you can manage endpoints with Network DLP by creating a global policy that enables all of the supported Host DLP features. The policy for host operations must be created on the DLP Sys Config | Endpoint Configuration | Manage Endpoints page. Its rule definitions are updated on the Host DLP extension every 30 seconds by default; a different interval can be defined by editing the Time Duration for Posting Policy Definition setting. After the policy is generated, it is posted from DLP Manager to ePO, saved in the ePO database, forwarded to the connected agents, and updated at the defined interval.
NOTE: If you do not check the Generate Policy for Endpoint box, incidents found by the existing policies are sent to the Network DLP databases and reported to the Data-in-Motion dashboard. If the box is checked, incidents and events are sent to both the Host and Network DLP databases, and reported to both the Data-in-Use and Data-in-Motion dashboards.

How Host and Network policies differ


Rule definitions for Host DLP are all consolidated within a single global policy definition, so there is only one global policy that supports multiple rules. Network DLP, however, is designed around a collection of unified policies, and all Host rules are accommodated within that system. The systems are merged by adding an Endpoint category to every rule of every policy. When that category is opened on the Add or Edit Rule page, a menu listing all Host DLP rules is displayed. One or more can be selected to add specific endpoints to the parameters of any rule. For example, existing privacy policies that have been deployed on a DLP Monitor can be configured to identify violations not only in network traffic, but on specific endpoints.


Multiple endpoints can be added to a rule as a group by creating a template, then selecting it from the menu before saving the rule. Adding frequently-used collections of endpoints to a rule increases its efficiency and scope.

How Host DLP rules are mapped to Network DLP


Network DLP rules are organized under sets of policies that may have multiple owners. To preserve this hierarchy, Host DLPrules feed into this structure by becoming an attribute, or rule type. The merged structure then becomes

<policy owner> | <policy> | <rule> | <rule type>.

Adding endpoints to existing network rules


Use this task to add a Host DLP endpoint parameter to an existing rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click a policy to open it for editing.
3. Click the rule to which you are adding endpoint parameters.
4. Open Endpoint.
5. Select an endpoint rule and define it. If it is a protection rule, click "?", then select Enable and Apply.
6. Click the Actions tab, then Add Action.
7. Select a suitable action from the Data-in-Use section.
8. Click Save.
9. Click Save.

Limitations of rules with Endpoint parameters


If a rule contains attributes that are supported by Network DLP, but not Host DLP, the rule will not produce accurate results.

Unsupported DLP Network Parameters


• Email address sender variants
• Email subjects
• GeoIP locations
• User city
• User country
• File size
• Keyword expressions
• Complex Boolean algebra


Excluding printers from protection rules


Before you use printer protection rules, you should whitelist any printers that need not be monitored. Identify the printers that do not require protection by going to Menu | Data Loss Prevention | DLP Sys Config and opening the Endpoint Configuration | Unmanaged Printer Models page. You can type printer paths and names directly into the Printer Model field, but if you have added Active Directory servers to DLP Manager, you can click "?" and select them from an existing Directory Server list.

Assigning Host DLP incidents to cases


All events reported on Data-in-Use dashboards can be assigned to cases if further investigation is warranted. They can even be assigned to the same cases as Data-at-Rest and Data-in-Motion incidents.
NOTE: If an error is encountered while assigning incidents to a case (for example, the object cannot be fetched from the evidence share), a message is displayed indicating that the failed incidents must be reassigned to the case.

Searching endpoint data


Endpoint data can be identified if it is tagged or registered, and user activities can be monitored and controlled to prevent compromise of sensitive data. But because it is not indexed, endpoint data cannot be searched.

Limitations of this release


If you have to implement the device control, application tagging, or digital rights management features of Host DLP, you cannot also use Network DLP.
• Device control prevents unauthorized use of removable media (including USB drives), iPods, Bluetooth devices, CDs, and DVDs.
• Application-based tagging rules are used to monitor or block files created by applications.
• Digital rights management controls use of digital content not authorized by the content provider.

Discovering data at risk


Introducing McAfee DLP Discover
DLP Discover scans document or database repositories on network or managed client (host) computers to identify and protect sensitive data. Crawling is implemented by scan tasks, which find, fetch, and analyze sensitive content. Depending on the type of scan used, files found may be listed, registered, or evaluated and protected, producing incidents and violations.


Setting up Discover
Configuring DLP Discover
Before DLP Discover can be configured to work in cooperation with other DLP appliances, you must prepare it to run in managed mode, register it to DLP Manager and ePO, and configure policies to find incidents in data at rest. Users who are tasked with registering documents and running scans must be given permission to do so. See Setting Discover scan permissions.

Adding Discover to Manager


Use this task to integrate the DLP Discover appliance into the DLP system.
NOTE: Because registering wipes the current configuration, you must recreate any scan tasks manually. If you are upgrading from a standalone DLP Discover, you cannot register it to DLP Manager while any registration task is in the Running state. Wait for the task to finish, or stop it manually.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. From the Actions menu, select New Device.
3. Fill in the blank fields. The database port and ePO UI port are predefined and should not normally be changed. If you are adding a DLP Host server, check the box.
4. Click Add.
5. Click OK to confirm.
6. Wait for the Status icon in the device list to turn green. If registration seems to be taking a long time, try refreshing the page. If the Status icon changes to a Critical or Unknown state, you might have to overwrite an old configuration or resynchronize the systems: deregister the machine, then reregister it.

Preparing Discover for managed mode


Because registering Discover to DLP Manager wipes its configuration, take notes so you can recreate all user-defined elements.
NOTE: Only captured data and incidents are retained after the Discover device is added to DLP Manager.

User-defined elements
• Scan tasks
• Schedules
• Credentials
• Scan statistics
• Export locations
• Users and user preferences
• Custom rules and policies

Contact McAfee Professional Services if you need assistance.

Republishing Discover policies


Use this task to publish policies to Discover after it has been registered to DLP Manager. This process copies policies, rules, concepts, and content capture filters to Discover.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy that will be used by Discover.
3. Select a rule in the policy.
4. Select the Discover Devices checkbox.
5. Repeat for each rule that is to be used.
6. Click Save.

Setting Discover registration permissions


Use this task to assign privileges to register documents.
NOTE: You must have administrative permission to make these changes.

Document Registration Permissions
• Web Upload: Upload documents or structured data to be registered; no deletion or de-registration rights; view the user's own registered documents.
• Manage Uploaded Documents: Upload documents or structured data to be registered; view and manage documents uploaded by all users; delete and deregister uploaded files; update and delete excluded text.
• Discover Registration: Register documents or structured data.

NOTE: If group permissions are modified, all members must log out and log in again.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click User Administration | Groups.
2. Click the Details icon of a group.
3. Select the Task Permissions tab.
4. Open Discover Registration Permissions.
5. Select one or more permissions checkboxes.
6. Click Apply.

Setting Discover scan permissions


Use this task to assign privileges to users who will be using Discover.
NOTE: You must have administrative permission to make these changes.

Discover Scan Permissions
• Manage Schedules: Create, edit and delete schedules.
• Manage Credentials: Create, view, edit and delete credentials.
• Manage Scans: Create, view, edit, activate, deactivate and delete scans; register documents; view and export scan statistics, history and registered files; add and view excluded text.
• Control Scans: Create new actions; view, start, stop, re-scan, and clone tasks; view and export scan statistics, history and registered files; add and view excluded text.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click User Administration | Groups.
2. Click the Details icon of a group.
3. Select the Task Permissions tab.
4. Open Discover Scan Permissions.
5. Select one or more permissions checkboxes.
6. Click Apply.
NOTE: The Policy Execute and Task View Dashboards permissions are required for DLP Discover users to see the Incidents dashboard.

Task status messages


Status messages indicate anomalies or updates that may respond to remedial actions.

Resource Missing
Definition: The path does not exist, or the file may be missing: it was found during the investigation phase (indexing) but is missing during the crawling phase.
Remedy: Check the repository to see whether the file is really missing. If not, restart the scan.

Configuration Error
Definition: The task database may have been corrupted.
Remedy: Recreate the task. Call McAfee Technical Support if that does not resolve the problem.

Connection timed out (Incomplete Listing)
Definition: Cannot connect to the repository while the investigation phase is in progress.
Remedy: Wait for a while, then try again.

Complete
Definition: The scan is complete.
Remedy: None needed.

Incomplete (Incomplete Listing)
Definition: The scan is incomplete, probably due to a network error, or the repository may have become unavailable.
Remedy: Reconnect and restart the scan, or wait for a while and then rescan.

Server stopped responding
Definition: The node is down, there was a network failure, credentials were changed between tasks, or the server is busy.
Remedy: Wait for a while, then resume the task.

Task Terminated
Definition: The server is busy.
Remedy: Wait for a while, then rescan.

Task Terminated (Incomplete Listing)
Definition: The Stop action was applied to the scan operation, the task stopped according to schedule, or it was killed by some extraneous means (for example, a system crash or health check); or the task stopped (or its scheduled end time arrived) during the investigation phase.
Remedy: Restart the task.

Waiting crawlers busy
Definition: The system has reached its maximum limit; all crawlers are busy.
Remedy: None needed; the task continues when the system is free.

System status messages


Status messages indicate anomalies or updates that may respond to remedial actions.

Connection Timed Out
Definition: The repository is busy, too many connections have been made to the repository, or the network is down.
Remedy: Wait for the network or repository to idle, then restart the scan.

Account is locked
Definition: The account (username) is locked.
Remedy: Provide a valid account, or contact the administrator of the repository.

Authentication Failed
Definition: An incorrect credential has been entered.
Remedy: Check the user name, password and domain in the credential, or try another one.

Authentication OK
Definition: Authentication was successful.
Remedy: None needed.

Permission Denied
Definition: Although authentication was successful, you do not have the privilege needed to use the resource.
Remedy: Contact your administrator.

Do not have permission to update last access time on repository
Definition: Permission to access the repository is needed.
Remedy: Supply the correct credentials (read/write access) and restart the task.

Share (or Shares) Inaccessible
Definition: A share may be inaccessible because of insufficient user privilege, or because the share is being used exclusively by another process.
Remedy: Go to the Filters tab and try to browse to the share.

Socket Communication Failure
Definition: Could not establish a socket connection to the database.
Remedy: Verify the IP address and port, then restart.

Unknown
Definition: This error is rare, but may be related to a configuration error.
Remedy: Call Technical Support if the error persists.

Unknown database
Definition: The login database given was wrong.
Remedy: Provide the correct login database, then restart.

Unsupported database version
Definition: The database version on the repository is not supported.
Remedy: Check the documentation for supported versions.

Registering sensitive content


Registering documents or structured data
Registered documents are indexed files. During a Registration scan, algorithms generate signatures according to defined criteria that identify the text in the documents. They are used by rules and policies to identify sensitive content. The signatures are stored in the DocReg or DBReg system attributes for network scans. For host scans, the signatures are stored in registered document packages that are deployed to the host computers. There are four ways to register content:
• Scanning network devices
• Embedding the DocReg or DBReg attribute in network rules
• Uploading individual files or databases
• Scanning the endpoint and deploying the signature package to the DLP Agent


Crawling a repository using a Registration scan is the most efficient way to create unique signatures for many at-risk documents. The scan can be set to run at regularly scheduled times, or it may be started manually.

How signatures register data


Signatures that identify sensitive data are generated by complex algorithms during registration. The registration process runs whenever a document is uploaded to Discover, or when a Registration scan runs on a designated file system. Each protected document may contain hundreds of overlapping signatures, which are expressed as hexadecimal numbers. The density, or fidelity, of the signature tiling depends on the level of detection you need.

Managing registered documents


Use these tasks to manage registered documents. There are two ways of registering sensitive documents or structured data:
• Use Web Upload under DLP Policies | Registered Documents to register single documents or objects.
• Use Data Registration to register groups of documents or database tables.

TIP: All signatures generated by these methods are stored in the DocReg or DBReg system attributes. Embed the DocReg concept in a rule to find registered data on a regular basis, or run an ad hoc query by selecting it from a popup menu.

Registering documents by uploading


Use this task to register documents on network repositories one at a time.
NOTE: If you want to upload a CSV (comma-separated values) file larger than 100 MB, compress the data file (zip, jar, gzip, tar, etc.) before uploading. The Network DLP device caps the size of files uploaded from browsers at 100 MB, but a larger data file can usually be compressed into an archive smaller than that. The DLP server does not impose any size limit on files after they are uploaded and uncompressed.
NOTE: If you use DLP Manager to upload a document, it is automatically registered on all managed devices.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Web Upload.
2. From the Actions menu, select Upload New File.
3. Browse to the file you want to register. The file to be registered cannot be over 10 MB.
4. Select the policy and rule you want to use to detect the document.

Example
If your goal is to protect design documents, you might select the High Technology Industry IP policy and the Design Documents Emailed to Competition rule.

5. Click Save or Save, Upload Another. When you click Save, the signature of the document is added to the DocReg attribute. All web-uploaded documents are collected in the DocReg concept; they are treated as a group, not registered individually.
NOTE: If you are using Mozilla Firefox 3.x, you may get an error message advising you of a security risk after clicking Save. The file is uploaded anyway, but unless you reconfigure Firefox, the complete path to it is not recorded when using that browser.

Uploading complete paths with Firefox


Use this task to record the complete path to the uploaded file when using Mozilla Firefox 3.5.x. Other browsers do not require reconfiguration.
1. Type about:config in the Firefox address bar.
2. Click the button acknowledging the warning.
3. Double-click signed.applets.codebase_principal_support to set it to true.
4. Close and re-open Firefox.
5. Upload a file.
6. Click Allow on the Internet Security popup.

Excluding text from registration


Use this task to register text that should be ignored by a scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Excluded Text.
2. From the Actions menu, select New Text.
3. Open the document containing the text to be excluded.
4. Cut and paste the text into the Text to Exclude box.
5. Click Save.
TIP: You can also exclude text by tuning rules or identifying incidents as false positives.

Searching with the DocReg concept


Use this task to search for documents that have been registered.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search and open Content.
2. Select Concept from the first drop-down list, and is any of from the second.
3. Type DocReg in the text box.
4. Select the search results threshold from the drop-down list, then click Search.


NOTE: You can embed the DocReg concept in a rule to regularly match its signatures to data at rest or data in motion on the network.

Adding the DocReg concept to a rule


Use this task to add the DocReg concept to a rule. You can add up to two scan tasks to a rule, but only one of each type (Data-in-Motion or Data-at-Rest). The definition of the rule determines which type is targeted.
TIP: If you add a scan operation to a rule after the DocReg concept is added, you can restrict the incidents reported to a specific task by clicking "?" and selecting it from the popup menu.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy, then select a rule to open it.
3. On the Define tab, select Content.
4. Click the plus icon to add an element.
5. In the new element, select Concept from the first drop-down list, and is any of from the second.
6. Click "?", then open Corporate Confidential and select DocReg. This instructs the rule to match all existing signatures to the content you defined.
7. Click Save.
TIP: Alternatively, click Save as Rule to open a rule definition page. Adding this rule to a policy allows you to use the DocReg concept to identify sensitive documents automatically whenever that policy is used to find incidents.

Example
If DocReg is added to the PII rule Social Security Number in Documents, it finds signatures only in stationary documents. If DocReg is added to Social Security Number in Email and Instant Messaging Conversations, it finds signatures only in streaming network data.
TIP: If a Registration task is used with the DocReg concept, the rule is also evaluated by any Discover scan that uses its policy. You must manually configure the rule to include the DocReg concept if you want to register the same document across multiple rules.

Setting signature types


The density of signatures generated during registration is determined by the signature type selected when a Registration scan is configured.
NOTE: Only High Granularity signature types are generated for Web Uploaded documents.

High granularity
High granularity signatures provide full plagiarism detection and protection by generating overlapping tiles over every bit of text. The original document can be identified, even if words are transposed or the contents differ by a couple of lines of text. If this signature type is used, a percentage of matching signatures can be detected.

Medium granularity
Medium granularity signatures provide basic plagiarism detection and protection by generating tiles over every eighth word. The original document can be identified even if the contents differ by a couple of pages of text.

Low granularity
Low granularity signatures include a single compact digital signature for each document registered. Exact copies of the file can be detected.
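To make the three granularity levels concrete, here is an added Python example (not code from the product guide or from McAfee DLP) that builds word-tile signatures at each level over a constructed 40-word document and reports what fraction of the registered tiles survives in a candidate copy. The tile width of eight words, the hashing scheme and the sample text are assumptions chosen for illustration; the product's actual signature format is not documented on this page.

```python
import hashlib
import re

# Constructed sample document (not from the product guide): exactly 40 words.
REGISTERED_DOC = (
    "The quarterly revenue forecast for the northern region shows a steady "
    "increase driven by new enterprise contracts signed during the second "
    "quarter while operating costs remained flat across all business units "
    "according to the finance team summary prepared last week"
)

TILE_WORDS = 8  # assumed tile width; the guide does not state the real one


def tokenize(text):
    """Lower-case word tokens, so case and punctuation do not alter a tile."""
    return re.findall(r"[a-z0-9]+", text.lower())


def tile_hash(words):
    """Compact hash of one tile (a short prefix is enough for a demo)."""
    return hashlib.sha256(" ".join(words).encode()).hexdigest()[:16]


def high_granularity(text, tile=TILE_WORDS):
    """A tile starting at every word: overlapping tiles over all the text."""
    w = tokenize(text)
    starts = range(max(1, len(w) - tile + 1))
    return {tile_hash(w[i:i + tile]) for i in starts}


def medium_granularity(text, tile=TILE_WORDS, step=8):
    """A tile starting at every eighth word only (non-overlapping)."""
    w = tokenize(text)
    return {tile_hash(w[i:i + tile]) for i in range(0, len(w), step)}


def low_granularity(text):
    """One compact signature for the whole document: exact copies only."""
    return {tile_hash(tokenize(text))}


def match_percentage(registered, candidate):
    """Share of the registered tiles that reappear in the candidate text."""
    if not registered:
        return 0.0
    return 100.0 * len(registered & candidate) / len(registered)


def compare(registered_text, candidate_text):
    """Match percentage at each granularity, keyed by level name."""
    return {
        "high": match_percentage(high_granularity(registered_text),
                                 high_granularity(candidate_text)),
        "medium": match_percentage(medium_granularity(registered_text),
                                   medium_granularity(candidate_text)),
        "low": match_percentage(low_granularity(registered_text),
                                low_granularity(candidate_text)),
    }


if __name__ == "__main__":
    # Two words transposed in the middle of the document.
    transposed = REGISTERED_DOC.replace("steady increase", "increase steady")
    print("exact copy :", compare(REGISTERED_DOC, REGISTERED_DOC))
    print("transposed :", compare(REGISTERED_DOC, transposed))
```

Swapping two adjacent words disturbs the nine overlapping high-granularity tiles that cover them, so about 73% of the tiles still match; at medium granularity only the one non-overlapping tile containing the swap is lost (80% match); the single low-granularity hash no longer matches at all, which is why that level detects exact copies only.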

How signatures are shared with managed systems


When Discover and Monitor are in communication through DLP Manager, the registration records produced on a Discover system are automatically shared with the Monitor signature agents. When signatures are shared, protection for content that has been identified in data at rest is extended to data in motion on the network. NOTE: Signatures are automatically transferred from Discover to any managed Monitor when a registration scan is run. Rescanning is not necessary.

Managing signature generation memory


Generating signatures consumes memory resources; one gigabyte is available for the process. The signature type defines the amount of memory used. NOTE: In general, the larger the signature set, the more memory used while completing a registration task. For example, a high granularity signature that provides full plagiarism detection consumes more resources than a low granularity signature, which detects only documents that are identical to the one registered.

Deregistering content
Use this task to keep registered documents or objects from being identified again by any scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Data Registration. A list of registered items is displayed.
2. From the Actions menu, select Unregister. When this is done, the registration crawler will exclude the document or object from future registration.

Reregistering content
Use this task to re-register documents or objects that have been deregistered.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Data Registration. A list of unregistered items is displayed.
2. From the Actions menu, select Reregister. When this is done, the registration crawler will restore the registered document or object.

Crawling databases
Protecting sensitive database content
McAfee DLP Discover can crawl databases to protect known sensitive content or determine if files that violate confidentiality are stored, then return the results of the crawl. You can drill down to catalog, schema, table, and column level with a scan, just as you can scan for data at specific levels of a file system hierarchy. There are three ways to register database content:
• Run a registration scan on network devices or storage
• Embed the DBReg attribute in network rules
• Upload individual files or databases

NOTE: The structured data found can be saved to your desktop and uploaded, so that it can be used in subsequent scans. Different database vendors support different object hierarchies, and terminologies can differ from vendor to vendor.
NOTE: Since the configuration of the filters page depends on the database type chosen, only the relevant objects are displayed.

Example:
Database X might have the hierarchy Database -> Catalog -> Schema -> Table -> Columns/rows.
Database Y might have the hierarchy Database -> Schema -> Table -> Columns/rows.

What is Dynamic Data Registration?


Dynamic data registration (DDR) is a method for making the system aware of specific data items that need protection. This could include lists of customer names and account numbers, credit card numbers, patient records, and more. DDR matches specific data values, not just patterns that describe the data, so fine distinctions can be made between matches. For example, customer credit card numbers might be reported as privacy violations, but an employee's own credit card number would be ignored. With the DDR feature of McAfee DLP Discover, large volumes of data in a database (~10 million records) can be registered as sensitive and tracked. This feature is also known as Dynamic Data Match. The signatures produced by data matching are collected in a factory default concept (DBREG).

The same mechanisms that support registration of flat files also support registration of database records. For example, the DBREG factory default concept collects structured data in the form of comma-separated values found in databases, just as DocREG does for documents.
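The difference between a registered value and a mere pattern match can be shown with an added Python example (not the product's own code) that registers one column of a constructed CSV upload, hashes each normalized value, and then classifies every 16-digit candidate found in a message as either registered or pattern-only. The hash-set design, the candidate pattern and the sample numbers are assumptions made for this illustration; the guide does not describe the internal format of DBReg signatures.

```python
import csv
import hashlib
import io
import re

# Constructed CSV in the shape the Upload New Data File task expects:
# a header row, then one registered value per row. The numbers are made up.
REGISTERED_CSV = """account_number,customer
1111-2222-3333-4444,A. Example
5555 6666 7777 8888,B. Example
"""

# Constructed message to scan: the first number is registered, the second
# only looks like the same kind of data.
SAMPLE_TEXT = ("Ticket 42: customer 1111 2222 3333 4444 disputed a charge; "
               "I paid the courier with my own card 9999-8888-7777-6666.")

# Generic candidate pattern: 16 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def normalize(value):
    """Strip separators so '1111-2222-...' and '1111 2222 ...' register alike."""
    return re.sub(r"[\s-]", "", value.strip())


def fingerprint(value):
    """Assumed signature: a hash of the normalized value, so the registered
    set can be shared with scanners without shipping the raw values."""
    return hashlib.sha256(normalize(value).encode()).hexdigest()


def register(csv_text, column, skip_first_row=True):
    """Build the registered-value set from one column of an uploaded CSV.
    skip_first_row mirrors the Skip First Row option for header rows."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if skip_first_row:
        rows = rows[1:]
    return {fingerprint(r[column]) for r in rows
            if len(r) > column and r[column].strip()}


def scan(text, registered):
    """Classify each pattern hit: 'registered' when it is exactly one of the
    registered values, 'pattern-only' when it merely matches the shape."""
    hits = []
    for m in CANDIDATE.finditer(text):
        value = m.group(0)
        kind = "registered" if fingerprint(value) in registered else "pattern-only"
        hits.append((value, kind))
    return hits


def summarize(hits):
    """Count hits per kind; a policy would report only the registered ones."""
    counts = {"registered": 0, "pattern-only": 0}
    for _, kind in hits:
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    registered = register(REGISTERED_CSV, column=0)
    found = scan(SAMPLE_TEXT, registered)
    for value, kind in found:
        print(f"{value:>22}  {kind}")
    print(summarize(found))
```

A pattern-based rule would flag both numbers; the registered set lets the scanner report only the customer's account number and ignore the employee's own card, which is the distinction the text above describes.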

Database types supported


When you access a database, you are connecting to a central network location where data is stored, organized and maintained.

Database Type/Version and Filtering Options:
• Oracle: Schemas, Tables, Columns, Records/Rows
• DB2: Schemas, Tables, Columns, Records/Rows
• MS SQL Server: Catalogs, Schemas, Tables, Columns, Records/Rows
• MySQL: Catalogs, Tables, Columns, Records/Rows

NOTE: Only MySQL Enterprise is supported. MySQL CE cannot be used for a database scan task because DataDirect, publisher of the JDBC driver used in DLP products, does not support free GPL database versions.

Database object hierarchy differences


The database types available for scanning by DLP Discover use the following object hierarchy.

Database Type and Object Hierarchy:
• MySQL: There is no concept of a difference between catalogs and schemas. Databases and tables can be listed.
• Oracle: Schemas correspond to users, and users can be listed. Catalogs cannot be listed (remotely), but all tables the current user can access can be listed.
• DB2: Schemas can be listed, and databases/catalogs cannot be listed (remotely). Tables in a schema can be listed.
• MS SQL Server: Schemas and tables can be listed.

TIP: Try selecting different database types, then go to the Filter tab to observe the options available for each database type.

All filters are applied across the database server. For example, if you set the filter "Table=Employees", the crawler will scan all databases and fetch records for tables whose names match "Employees". If you set the filter "Column=LAST_NAME", the crawler will scan all tables and fetch records from the columns whose name is LAST_NAME in any table the crawler can access. To restrict the scan to a particular column in a particular table, enter filters for both the table and column names, and make sure no other table has the same name and similarly-named columns.


Database terminology differences


Database object hierarchy differs according to the terminologies used by the vendors of different database types. The object hierarchy displayed on the Filters tab is determined by the selection of the database type on the Add Scan Operation page. DLP Discover follows ANSI SQL 92 standards, which define a catalog/schema model for data stores. In this model, catalogs (databases) contain schemas, and schemas contain tables.
• Catalogs may be a collection of related schemas. Because many databases have only one catalog, metadata is sometimes simply called schema information.
• Schema is a collection of database objects that are owned or have been created by a particular user.
• Tables are collections of columns arranged in specific orders.

Registering structured data by uploading


Use this task to upload significant structured data found in a database. You might want to do this if you find significant data in one database, and want to set up a task to detect it in others.
NOTE: If you use DLP Manager to upload structured data, it will automatically be registered on all managed devices.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Registered Documents | Database Registration.
2. From the Actions menu, select Upload New Data File.
3. Browse to the objects you want to register. The compressed file to be registered cannot be over 100 MB.
TIP: You can generate a CSV file by creating a database scan, filtering the scan, and then copying and pasting the data you find in a folder into a spreadsheet document. Save the document to your desktop, then browse to that location to upload it.
4. In the Registration Name text box, type a name.
5. If there is no significant data in the first row of the table (for example, a header), check Skip First Row.
6. Select a Signature Type. Only High Granularity signature types are generated for uploaded CSV documents.
7. Select the policy and rule you want to use to detect the document.

Example
If the data to be protected is of a financial nature, you might select the Banking and Financial sector policy and the Unencrypted Bank Transactions with ABA Routing Number rule.

8. Click Save or Save, Upload Another. When you click Save, the signatures of the structured data are added to the DBReg attribute. As with the DocReg attribute, signatures are treated as a group, regardless of registration method.
NOTE: If you are using Mozilla Firefox 3.x, you may get an error message advising you of a security risk after clicking Save. The file will be uploaded anyway, but unless you reconfigure Firefox, the complete path to it will not be recorded when using that browser.


Setting up basic database scans


Use this task to set up a basic database scan, then adapt it to your purpose by characterizing it as an inventory, registration or discovery scan.
NOTE: Because integrated Windows authentication is not supported for Microsoft SQL Server, you must create an MSSQL Server user with the correct credentials for use in a scan task operation.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. In the Scan Operation text box, type a name. Typing a description is optional.
TIP: Include the scan mode in the name. For example, a name like Finance_registration will help you to remember what the scan does when applied to a rule.
4. Select a Database Type. This defines the support protocol that allows DLP Discover to access the database.
5. Select a Credential definition to enable access to the repository, if necessary, or click New to create a new one.
6. Select a Schedule, or click New to create a new one.
7. Select a scan Mode. See Types of network scans for a definition of the different modes.
8. Under Devices, select the appliance from which the scan will be run.
NOTE: Select None if you want to save a scan, but do not want to deploy it immediately.
9. On the Node Definition tab, define the IP type by making a selection from the menu.
10. Type the IP Address, then click Include or Exclude to add the IP address to the list. Select Test to verify the connection.
11. On the Filters tab, filter the scan to define the location to be scanned.
12. On the Advanced Options tab, make the following settings.
   • Throttle the bandwidth available to the scan if necessary. See Setting bandwidth for a scan.
   • Select On Start or On End to determine if and when you want email notification sent.
NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task start/stop time and the email posting. The end notification is sent at the end of scanning, and file processing might continue after notification.
13. Click Save.

Advanced Options definitions for database scan operations


Advanced Options are used to set the throttling bandwidth and set up email notification of scanning operations. Notifications can be sent at scan start, stop, or both. Customize the email notification by selecting from the dynamic variables available or adding the message of your choice. Use this page to set the Advanced Options definitions.


Option and Definition:
• Bandwidth: Specifies the bandwidth when throttling is activated.
• Email To: A standard email address text box.
• End Message / Start Message: Specifies the text of the message. A default message is included. Dynamic variables can be pasted in by clicking them when the cursor is in the text box.
• On End / On Start: Checkboxes that specify when email is sent.

NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task start/stop time and the email posting. The end notification is sent at the end of scanning. File processing might continue after notification.

Defining catalogs to be scanned


MySQL and Microsoft SQL Server catalogs can be scanned. In MySQL databases, there is no difference between catalogs and schemas. Use these options to set a catalog filter for MySQL or Microsoft SQL Server scans.

CONDITION and Definition:
• All: Default value; equivalent to no filtering.
• Exact Match: Filters by exact match to the schema/table/column name entered in the VALUE parameter.
• Pattern: Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.

Defining columns to be scanned


Columns for all four database types can be scanned. Use these options to set a column filter for any scan.

CONDITION and Definition:
• All: Default value; equivalent to no filtering.
• Exact Match: Filters by exact match to the schema/table/column name entered in the VALUE parameter.
• Pattern: Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.

Defining logins for a database scan


When Repository Type for a scan operation is set to DATABASE, specific parameters appear on the Node Definition tab. The parameters are slightly different for different database types, but remain the same for all modes. Use this page to determine the login for a database scan.


Option and Definition:
• Login Database (for Oracle: SID): Type the name of the database. For SQL, this is the database instance. For Oracle, it is the System ID.

When you have completed the node entries, click Include. You can also Test the database connection.

Defining nodes for database scan operations


When Repository Type for a scan operation is set to DATABASE, specific parameters appear on the Node Definition tab. The parameters are slightly different for different Database Types, but remain the same for all Modes. Use this page to determine the Node Definition settings for database scan operations.

Option and Definition:
• IP Address: Only single IP Addresses are allowed. You must enter a valid IP Address to create a valid scan operation.
• Port: The port is automatically configured, according to the Database Type:
   • DB2: 50000
   • Microsoft SQL Server: 1433
   • MySQL: 3306
   • Oracle: 1521
   If you are using a non-standard port, type the address in the text box.
• Login Database (for Oracle: SID): Type the name of the database. For SQL, this is the database instance. For Oracle, the System ID.
• SSL Certificate: Certificates are created and saved on the Discover Configuration | SSL Certificates page. Click New to create a new certificate on the fly.

When you have completed the node entries, click Include. You can also Test the database connection.

Defining ports for a database scan


When Repository Type for a scan operation is set to DATABASE, specific parameters appear on the Node Definition tab. The parameters are different for different database types, but remain the same for all modes. Use this page to determine a port setting for a database scan.


Option and Definition:
• Port: The port is automatically configured, according to the database type. If you are using a non-standard port, type the address in the text box.
   • DB2: 50000
   • Microsoft SQL Server: 1433
   • MySQL: 3306
   • Oracle: 1521

When you have completed the node entries, click Include. You can also Test the database connection.

Defining records/rows to be scanned


Records for all four database types can be scanned. Use these options to set a record/row filter for any scan.

Option and Definition:
• Where: Allows entry of any SQL where clause. For example, retrieve matching names from columns in a table by entering surname like '%lang'.
• Limit (#Rows): Limits the number of rows fetched from each table. If you set a limit of 100, it means at most one hundred rows will be fetched from each table crawled.
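The filter semantics described under Database object hierarchy differences (a Column filter applies to every table that has such a column) and the Where and Limit (#Rows) options above can be exercised with an added Python example against an in-memory SQLite database. The database, its tables and rows are constructed here; this is not the product's crawler, and SQLite is not one of the four supported database types. Because the Where clause is free text that is handed to the database engine, the example also opens the crawler's session read-only, which is the privilege a scan account should have; the mechanism shown (SQLite's query_only pragma) illustrates the principle rather than a product setting.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory database standing in for the scan target."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees (id INTEGER, surname TEXT, salary INTEGER);
        CREATE TABLE customers (id INTEGER, surname TEXT, email TEXT);
        CREATE TABLE audit_log (id INTEGER, message TEXT);
        INSERT INTO employees VALUES (1, 'Lang', 100), (2, 'Smith', 90), (3, 'Erlang', 80);
        INSERT INTO customers VALUES (1, 'Solang', 'a@example.com'), (2, 'Jones', 'b@example.com');
        INSERT INTO audit_log VALUES (1, 'login ok');
    """)
    # The crawler forwards a user-supplied WHERE clause, so its session must
    # not be able to write; in SQLite this pragma makes every write fail.
    con.execute("PRAGMA query_only = 1")
    return con


def connection_is_read_only(con):
    """Probe the session once: a write attempt must be refused."""
    try:
        con.execute("CREATE TABLE probe (x INTEGER)")
    except sqlite3.OperationalError:
        return True
    return False


def list_tables(con):
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def columns_of(con, table):
    return [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]


def crawl(con, column, where=None, limit=None):
    """Fetch `column` from every table that has it, as a Column filter does
    across the whole server; `where` and `limit` mirror the Where and
    Limit (#Rows) options and apply to each table separately."""
    results = {}
    for table in list_tables(con):
        if column not in columns_of(con, table):
            continue  # the column filter skips tables without that column
        sql = f'SELECT "{column}" FROM "{table}"'
        if where:
            sql += f" WHERE {where}"
        if limit is not None:
            sql += f" LIMIT {int(limit)}"
        results[table] = [r[0] for r in con.execute(sql)]
    return results


if __name__ == "__main__":
    con = build_sample_db()
    print("read-only session:", connection_is_read_only(con))
    print(crawl(con, "surname", where="surname like '%lang'"))
    print(crawl(con, "surname", where="surname like '%lang'", limit=1))
```

With the clause from the guide, surname like '%lang', both tables that carry a surname column return their matching rows while audit_log is skipped, and Limit caps the rows fetched from each table independently rather than across the whole crawl.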

Defining schemas to be scanned


Schemas for all four database types can be scanned. In MSSQL databases, there is a distinction between catalogs and schemas. Use these options to set a schema filter for any scan.

CONDITION and Definition:
• All: Default value; equivalent to no filtering.
• Exact Match: Filters by exact match to the schema/table/column name entered in the VALUE parameter.
• Pattern: Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.

Defining SSLcertificates for a database scan


When Repository Type for a scan operation is set to DATABASE, specific parameters appear on the Node Definition tab. The parameters are slightly different for different Database Types, but remain the same for all Modes.


NOTE: You have the option of using an SSL certificate to identify the database server host and encrypt the data exchanged between the database server and the DLP device. This is particularly useful if the database server is using a non-standard/self-signed certificate. Client certificate handling is currently not supported.

Use these options to determine the SSL certificate needed for a database scan.

Option and Definition:
• SSL Certificate: Certificates are created and saved on the Discover Configuration | SSL Certificates page. Click New to create a new certificate on the fly.

When you have completed the node entries, click Include. You can also Test the database connection.

Defining tables to be scanned


Tables for all four database types can be scanned. Use these options to set a table filter for any scan.

CONDITION and Definition:
• All: Default value; equivalent to no filtering.
• Exact Match: Filters by exact match to the schema/table/column name entered in the VALUE parameter.
• Pattern: Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.

Managing scans
Managing scan operations
You can manage one or more scans by applying different states from the Actions menu on the Scan Operations page.


Scan Action and Description:
• New: Launches the Add Scan Operation dialog box.
• Clone: Copies the selected scan and opens the Edit Scan Operation dialog box; allows name and other parameters to be changed.
• Activate: Activates the selected scan; causes the system to fetch files and analyze content.
• Deactivate: Deactivates the selected scan (keeps it from running).
• Start: Starts the scan; fetches only new content.
• Stop: Stops the scan.
• Rescan: Resubmits the scan for tasks that are not running but are in a Ready state. Re-fetches files and re-analyzes all content, and generates new incidents.
• Delete: Deletes the scan.

Up to 100 scans can be queued. TIP: Configure firewalls and set bandwidth when you set up a scan.

Types of scan states


The Last Status column on the Scan Operations page always displays one of the following states.
• Ready: Task is ready to run and user can start tasks.
• Running: Task (crawler) is running.
• Inactive: Task is removed from the schedule queue and tasks cannot be run (even manually). Such tasks must be activated before they can be run.
• Starting: Task is starting and about to run.
• Stopping: Task is stopping.
• Stopped: (Rare) Task was killed/crashed by some unforeseen situation. Such tasks can be started again.

Viewing scan operations


All scan operations are listed on the Scan Operations page. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
TIP: You can get details on scans that are in progress or completed by selecting the Statistics icon.

Modifying the state of a scan


Use this task to modify a scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Select the radio button of the scan.
3. From the Actions menu, select a state.

Deploying scans
A scan is deployed when the scan targets are defined. Use this task to identify the Discover and Monitor devices that run the scan and store the signatures.
TIP: On Monitor and Discover appliances managed by DLP Manager, you can store the signatures on more than one DLP device.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Double-click the name of the scan.
3. Select the radio button of an appliance from the Devices checkbox.
TIP: Select None if you want to save a scan, but do not want to run it right away.

Starting scans
Use this task to start a scan.
NOTE: You cannot start a task until it is in Ready state. A new scan will remain inactive until its associated policies are published. If the status column does not display Ready, wait until this happens (you may refresh the screen if you wish). Then click the radio button of the task and select Start from the Actions menu.
NOTE: When you rescan, all files are fetched again and reanalyzed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Note the Last Status column of the scan. If the scan status is Inactive, select the radio button and select Activate from the Actions menu.
3. Select the radio button of the scan.
4. From the Actions menu, select Start.
TIP: Click on the Refresh icon to refresh the status of the scan.
NOTE: If a scan is stopped, you can resume it without restarting by simply selecting Start from the Actions menu.

Stopping scans
Use this task to stop a scan.
NOTE: The task must be in a RUNNING state.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Note the Last Status column of the scan.
3. Select the radio button of the scan.
4. From the Actions menu, select Stop.
NOTE: When you stop a scan, the process pauses, and selecting Start from the Actions menu causes it to resume.

Setting bandwidth for a scan


Discover is set up to use all bandwidth needed to perform a scan (No Throttling is the default). Use this task to conserve bandwidth by configuring bandwidth throttling.
TIP: Consider the transmission capacity of your network and the amount of network traffic before deciding how much bandwidth to allocate to the scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Select the Advanced Options tab.
5. Type a rate into the Bandwidth field, or select No Throttling from the menu.
   • No Throttling
   • Kbps
   • Mbps

Example:
On a 100-Mbps LAN, limit bandwidth to 50 Mbps to limit the crawler to half of the bandwidth available.
NOTE: If bandwidth is throttled correctly and there is L3 connectivity between networks, Discover can be deployed across a WAN, though object viewing might be slower due to WAN latency. For example, if a 1 Gbps link between Tokyo and London is used, only ~10 Kbps throughput may be available for a CIFS scan.

6. Click Save after completing all other scan parameters.
NOTE: Bandwidth throttling is applied as an average across the entire scan rather than as each individual file is being fetched. A Discover scan might burst above or below the configured throttle limit, but the average throughput measured across the entire scan will remain very close to the configured limit.

Scanning in full duplex mode


Discover cannot be deployed in half-duplex mode. Every interface between Discover and target nodes (intermediary switch, router, firewall, etc.) must be set to full duplex.


Guidelines for Fast Ethernet networks


• Hard-code the speed and duplex of the Discover appliance to 100 Mbps and full duplex.
• Ensure that all intermediary devices are either hard-coded to 100 Mbps and full duplex, or validate that all intermediary devices have negotiated to full duplex if configured for automatic negotiation.

Guidelines for Gigabit Ethernet networks


• Set the speed and duplex of the Discover appliance to 1000 Mbps and full duplex or to auto-detect.
• Ensure that all intermediary devices are either hard-coded to 1000 Mbps and full duplex, or validate that all intermediary devices have negotiated to full duplex if configured for automatic negotiation.

Managing scan load


Scan load may have an impact on performance of DLP systems. If too many operations are running concurrently, a Discover scan might appear to be stalled in a Not Ready state. Operations that add load to the system include:
• Deleting or creating scans in the same time frame;
• Crawlers running and processing files from an extended scan;
• Multiple policies and rules being decoupled from deleted scans.

If a Discover scan appears to have stopped, wait for 30 minutes. If the task does not reactivate, select it and Activate from the Actions menu. If several retries fail, save the scan as a new task to republish all policies, then delete the old task.

Editing scans
Use this task to edit a scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Double-click the name of the scan you want to modify.
3. Make changes in the Edit Scan Operation window.
4. Click Save.

Deleting scans
Use this task to delete a scan.
NOTE: If a scan is in Running state, it must be stopped before it can be deleted.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. By clicking one or more radio buttons, select the scans to be deleted.
3. From the Actions menu, select Delete.


NOTE: Deleting a scan will also clear all scan statistics and the entire history of the scan, and any incidents found by a scan that is later deleted will not be remediable or recoverable.

Setting up scans
Preparing to scan
Plan your scan before setting it up. Gather all of the following information.
• Scan mode - Inventory, Registration, or Discover
• Credentials to access the repository
• Database type and version (for database scans)
• IP address, subnet, or range including required ports
• Login database or SID and SSL certificate (for database scans)
• File systems to be scanned
• Schedule for the scan
• Configuration of firewalls
• Bandwidth to be used
• Projected scan load

Setting up basic scans


Use this task to set up a basic scan, then adapt it to your purpose by characterizing it as an inventory, registration or discovery scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. In the Scan Operation text box, type a name. Typing a description is optional.
TIP: Include the scan mode in the name. For example, a name like Finance_registration will help you to remember what the scan does when applied to a rule.
4. Select a Repository Type. This defines the support protocol that allows DLP Discover to access the repository. See Repository types supported for a list of protocols.
5. Select a Credential definition to enable access to the repository, if necessary, or click New to create a new one.
6. Select a Schedule, or click New to create a new one.
7. Select a scan Mode. See Discovering data at risk for a definition of the different modes.
8. Under Devices, select the appliance from which the scan will be run.
NOTE: Select None if you want to save a scan, but do not want to deploy it immediately.
9. On the Node Definition tab, select a Node definition.
   • For a Single IP, type the IP Address, then click Include or Exclude to add the IP address to the list.
   • For an IP Subnet, type a Base IP and a Subnet Mask. Click Include or Exclude to add the IP subnet to the list.
   • For an IP Range, type a Start IP and an End IP. Click Include or Exclude to add the IP range to the list.
   Depending on the protocol used, you might have to enter the URL instead.
NOTE: You must include at least one IP address, subnet, or range. Including or excluding additional addresses, subnets, or ranges is optional. See Defining URLs to be scanned.
10. On the Filters tab, filter the scan to define the location to be scanned.
11. On the Advanced Options tab, make the following settings.
   • Throttle the bandwidth available to the scan if necessary. See Setting bandwidth for a scan.
   • If you do not want the scan to update the file's last access time, select Preserve and run the scan manually.
   • Type email notification information. Notification can be sent for scan start or stop or both, with a default message or the message of your choice.
NOTE: Subject fields are not customizable. There may be a lag of a few minutes between the actual task start/stop time and the email posting. The end notification is sent at the end of scanning. File processing might continue after notification.
12. Click Save.

Repository types supported


When you access a repository, you are connecting to a central network location where data is stored, organized and maintained. The repository type is determined by the protocol used to access data on the device.

Configuring inventory scans


Inventory scans crawl all directories and files residing on a targeted repository and generate an index, or manifest. Use this task to configure a basic scan as an inventory scan.


1. Set up a basic scan.
2. Select a Repository Type. This defines the support protocol that allows DLP Discover to access the repository. See Repository types supported for a list of protocols.
3. Set up filters to define the location to be crawled. The inventory scan identifies all files that are available to be scanned in a targeted repository.
4. Set the Advanced Options. See Setting up basic scans for details.
5. Click Save.
TIP: You can export a report of the index from the Scan Statistics window.

Configuring discovery scans


Discovery scans find data that has been registered or is residing on a file share in violation of a policy. Network discovery scans are defined and scheduled as described below. Host discovery scans are defined as described below, but are scheduled on the ePolicy Orchestrator Agent Configuration page.
Discovery scans act according to specified policies. Go to Menu | Data Loss Prevention | DLP Policies to verify that a suitable policy exists, or to create a new policy. For more information, see Using policies and rules. For host discovery, see Configuring a policy for host discovery for host-specific instructions.
Use this task to configure a basic scan as a discovery scan.
1. Set up a basic scan.
2. Select a Repository Type.
NOTE: For host discovery scans, use CIFS.
3. Select a Schedule, or click New to create a new one.
NOTE: For host discovery scans, accept the default schedule. The schedule set in the HDLP policy in the ePolicy Orchestrator Policy Catalog overrides the value set here.
4. For Mode, select Discover.
5. Under Devices, select the appliance from which the scan will be run.
NOTE: For host discovery, select None.
6. On the Node Definition tab, select a Node definition. See Setting up basic scans for more details.
NOTE: For host discovery, you must select Single IP. Type a dummy IP address, for example, 1.1.1.1. Host discovery is run only on the host computer, and the DLP Agent on the host ignores this information, but you must include a valid IP address to create a valid scan definition.
7. Set the Advanced Options. See Setting up basic scans for details.
8. On the Policies tab, select policies from the Available Policies list and Add them to the Selected Policies list.
NOTE: You must add at least one policy to create a valid definition.
9. Click Save.

Configuring registration scans


Registration scans register sensitive data by generating digital fingerprints, or signatures, that identify whole or partial documents. Network registration scans are defined and scheduled as described below. Host registration scans are defined as described below, but are scheduled with ePolicy Orchestrator Server Tasks.

Use this task to configure a basic scan as a Registration scan.
TIP: Do an inventory scan first to get an idea of what directories, folders and documents are available to be scanned.
1. Set up a basic scan.
2. Select a Repository Type.
   NOTE: For Host discovery scans, use CIFS.
3. Select a Credential definition to enable access to the repository, or click New to create a new one.
4. Select a Schedule, or click New to create a new one.
   NOTE: For Host registration scans, accept the default schedule. The schedule set in ePolicy Orchestrator Server Tasks overrides the value set here.
5. For Mode, select Registration.
   NOTE: For database registration, select Data Match.
6. Select one or more Devices that will receive the registration signatures.
   NOTE: For Host registration scans, select None.
7. Set the Advanced Options. See Setting up basic scans for details.
8. On the Registration tab, define signature type and targets.
9. Click Save.
NOTE: If Discover reboots (or the application is restarted) while the registration task is in the RUNNING state, a few documents might be re-registered, and duplicate incidents could be reported.

Firewall configuration to allow scanning


Before you crawl a repository, make sure the scan will not be impeded by a firewall.
NOTE: Source ports are randomly chosen unless explicitly noted. Network and host-based firewalls typically permit connections only on certain ports and might have to be configured to permit connections on others.

Managing credentials
Using credentials to access repositories
Credentials enabling access to an existing account on a repository are needed before a scan can be created. Some systems may also require a domain name to complete the authentication process. Use these tasks to add, view, edit, or delete credentials.
NOTE: If the data in a file system is openly accessible, you can use the default credential None.


Viewing existing credentials


Use this task to view the credentials available for logging on to a repository.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations | Credentials.
2. Click a credential to view its properties.

Adding credentials
Use this task to add a credential, which will allow you access to a repository to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Name and describe (optional) the credential.
4. Type a User Name of an existing account.
5. Add a Domain Name (may not be required).
6. Type and confirm the Password.
7. Click Save.

Editing credentials
Use this task to edit a credential that must be modified before it can be used to access a repository.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations | Credentials.
2. Click a credential to display its properties.
3. Modify the parameters, then click Save.

Deleting credentials
Use this task to delete credentials that can no longer be used to access a repository.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations | Credentials.
2. Select one or more credential checkboxes.
3. From the Actions menu, select Delete Selected.
TIP: Click trash can icons to delete credentials one by one.


Scheduling scans
Using scan schedules
Use this task to define a schedule for a scan task. Continuous, periodic and on-demand scans are supported.
NOTE: To schedule a host discovery scan, go to Menu | Policy | Policy Catalog and click on the Discovery Schedule tab of the Agent Configuration settings. See Scheduling a host discovery scan for details.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Schedules.
2. From the Actions menu, select New.
3. Type in a name for the schedule. Typing a description is optional.
4. Set the time parameters for the schedule.
5. Click Save.

Viewing scan schedules


Use this task to view available schedules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration.
2. Click Schedules.
3. View the Description and Details columns.
NOTE: By opening the schedule, you can find out what scans are controlled by it.

Editing scan schedules


Use this task to edit a scan schedule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Schedules.
2. Open a schedule and modify the parameters.
3. Click Save.

Deleting scan schedules


Use this task to delete scan schedules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Schedules.
2. Select one or more schedule checkboxes.
   TIP: Click trash can icons to delete schedules one by one.
3. From the Actions menu, select Delete Selected.


Filtering scans
Defining scans
After you decide whether to inventory, register, or discover files in a repository, you must set up filtering, registration, and policy options. The scan definition must include the credentials to be used to access the repository, and a schedule that determines when the scan will be run.

Because Last Access Updating is enabled in all Microsoft Windows operating systems before Vista, the DLP Discover crawler automatically changes the access time of each file it touches. The original timestamps can be preserved by selecting the Preserve Last Access Time checkbox and filtering the scan manually.
NOTE: This feature is applicable only to CIFS and NFS repositories.

Use these tasks to set filters, locations, policies, and other scan parameters.

Filtering scans by browsing


Use this task to define a filter when browsing databases and file systems.

Database Filtering
Filter definitions allow the scan to look for data at a specific level of the database hierarchy. The hierarchy is specific to the database type, and includes catalogs, schema, table, column, or row level.

CONDITION      Definition
All            Default value; equivalent to no filtering.
Exact Match    Filters by exact match to the schema/table/column name entered in the VALUE parameter.
Pattern        Filters by text pattern match to the schema/table/column name entered in the VALUE parameter.

File System Filtering


Filter definitions allow the scan to look for data at a specific level of a file system hierarchy. The hierarchy is specific to the file system, and includes shares, folders, and file properties.
CAUTION: Because Last Access Updating is enabled in all Microsoft Windows operating systems before Vista, the DLP Discover crawler automatically changes the Last Accessed Time of each file it touches. If you do not want the files changed, click the Preserve Last Access Time box and filter the scan manually.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Select a target for storage of the signatures by selecting one or more Devices.
5. Click the Filters tab.
6. Click Browse.
7. Click the plus icon to open the repository. If Authentication Failed appears when you filter a repository, check the credential you are using to access it. If authentication succeeds for the repository, but fails for a share, you might not have permission to view it.
8. Select the shares, folders and file properties.
   NOTE: For browsing document repositories, only file properties (File pattern and size) are supported for HTTP, HTTPS, FTP and SharePoint. Database repository attributes differ according to database type.
   TIP: Use only a single click; double-clicking will duplicate your selection.
9. Click X to close the browse window.
10. Click Save.

Filtering scans manually


Use this task to define a filter manually.
TIP: Use the Browse feature to research the path before entering options manually.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Select one or more Devices from which the scan will be deployed.
5. Select the Filters tab and open Filter.
6. Define the shares to be scanned.
   NOTE: If you define an absolute path on an NFS repository manually, Discover will not crawl the share unless you replace the "/" character in the share name with "%2F".
   Example: For /home/nfs_local/mydirectory use /%2Fhome%2Fnfs_local/mydirectory, where /home/nfs_local is the name of the exported share and /mydirectory is a directory under this share.
7. Define the folders to be scanned.
8. Define the file properties to use when scanning.
9. Click Save.
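The "%2F" rule above is easy to get wrong by hand when several exports are nested. The following Python helper is an added example, not McAfee code: it assumes the administrator knows the list of exported NFS shares, picks the longest export that prefixes the path, encodes only that share portion, and can decode a share string back for verification.

```python
from urllib.parse import unquote


def encode_nfs_share_path(exported_shares, absolute_path):
    """Build the share string Discover expects for an absolute NFS path.

    Every "/" inside the exported share name is replaced with "%2F"; the
    directory below the share is appended unchanged, so that
    /home/nfs_local/mydirectory becomes /%2Fhome%2Fnfs_local/mydirectory
    when /home/nfs_local is the exported share.
    """
    # Longest export first, so a nested export (/home/nfs_local) wins over
    # a shorter one (/home) that also prefixes the path.
    exports = sorted({s.rstrip("/") for s in exported_shares if s.rstrip("/")},
                     key=len, reverse=True)
    for share in exports:
        if absolute_path == share or absolute_path.startswith(share + "/"):
            remainder = absolute_path[len(share):]   # "" or "/dir/..."
            return "/" + share.replace("/", "%2F") + remainder
    raise ValueError(f"{absolute_path!r} is not below any exported share")


def decode_nfs_share_path(share_string):
    """Split a Discover share string into (exported share, directory below it)."""
    if not share_string.startswith("/"):
        raise ValueError("share string must start with '/'")
    encoded_share, sep, remainder = share_string[1:].partition("/")
    return unquote(encoded_share), sep + remainder


if __name__ == "__main__":
    # Constructed sample: two nested exports on the same NFS server.
    exports = ["/home", "/home/nfs_local"]
    encoded = encode_nfs_share_path(exports, "/home/nfs_local/mydirectory")
    print(encoded)                       # /%2Fhome%2Fnfs_local/mydirectory
    print(decode_nfs_share_path(encoded))  # ('/home/nfs_local', '/mydirectory')
```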


Filtering IPaddresses to be scanned


Use this task to define IP addresses of hosts to be scanned.
NOTE: Only single IP addresses are allowed for database scans. You must enter a valid IP Address to create a valid scan operation.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Set the repository type to CIFS, NFS or Documentum.
   NOTE: The protocol used determines the repository type and method of node definition. CIFS, NFS and Documentum require IP addresses.
5. Select Single IP, IP Subnet or IP Range from the Node Definition menu.
6. Type addresses in the IP Address field.
   TIP: If some addresses do not fit in the sequence, you can define those addresses or ranges and exclude them.
   Examples:
   Single IP address: 192.168.1.0
   IP Range: Type 192.168.3.128-192.168.3.200 and click Include; type 192.168.3.245-192.168.3.254 and click Exclude.
   IP Subnet: 192.168.1.0 255.255.255.0
   NOTE: You cannot define a range across subnets; only 255 addresses can be defined at a time (0-254). CIDR is not supported in the address field; dotted-decimal notation is required.
7. Click Include or Exclude, as appropriate.
8. Click Save.
9. Define filters and policies.
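To check a node definition against the constraints in the note above before typing it into the console, the following Python is an added example (not McAfee code). It assumes "across subnets" means the first three octets differ, that a subnet entry covers host numbers 0-254, and that exclusions are subtracted from the union of all inclusions.

```python
import ipaddress

# Page constraint: at most 255 addresses (0-254) in one range entry.
MAX_RANGE_SIZE = 255


def _dotted(text):
    """Parse one dotted-decimal IPv4 address; CIDR suffixes are rejected."""
    if "/" in text:
        raise ValueError(f"CIDR notation is not supported in the address field: {text!r}")
    return ipaddress.IPv4Address(text.strip())


def parse_node_definition(kind, text):
    """Expand one Node Definition entry into the set of addresses it covers."""
    if kind == "Single IP":
        return {_dotted(text)}
    if kind == "IP Range":
        start_text, end_text = text.split("-", 1)
        start, end = _dotted(start_text), _dotted(end_text)
        if end < start:
            raise ValueError(f"range end precedes range start: {text!r}")
        # Assumption: "across subnets" means the first three octets differ.
        if start.packed[:3] != end.packed[:3]:
            raise ValueError(f"range crosses subnets: {text!r}")
        if int(end) - int(start) + 1 > MAX_RANGE_SIZE:
            raise ValueError(f"range exceeds {MAX_RANGE_SIZE} addresses: {text!r}")
        return {ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)}
    if kind == "IP Subnet":
        addr_text, mask_text = text.split()          # "address mask", both dotted
        network = ipaddress.IPv4Network(
            (str(_dotted(addr_text)), str(_dotted(mask_text))), strict=False)
        # Assumption: a subnet entry covers host numbers 0-254 (no broadcast).
        return {a for a in network if a != network.broadcast_address}
    raise ValueError(f"unknown node definition kind: {kind!r}")


def resolve_node_definitions(entries):
    """Combine (action, kind, text) entries; Exclude wins over Include.

    Returns the scanned addresses as a sorted list of strings.
    """
    included, excluded = set(), set()
    for action, kind, text in entries:
        addresses = parse_node_definition(kind, text)
        if action == "Include":
            included |= addresses
        elif action == "Exclude":
            excluded |= addresses
        else:
            raise ValueError(f"unknown action: {action!r}")
    return [str(a) for a in sorted(included - excluded)]


if __name__ == "__main__":
    # Constructed input mirroring the IP Range example on this page.
    entries = [
        ("Include", "IP Range", "192.168.3.128-192.168.3.200"),
        ("Exclude", "IP Range", "192.168.3.245-192.168.3.254"),
    ]
    print(len(resolve_node_definitions(entries)), "addresses will be scanned")
```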

Filtering URLs to be scanned


Use this task to define URLs to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Set the repository to one of the following:
   - FTP
   - HTTP
   - HTTPS
   - Microsoft SharePoint
5. Select URL from the Node Definition menu.
6. Type a URL into the URL field followed by a slash, which establishes the boundaries of the scan.
   Example:
   http://www.yahoo.com/
   https://reconnex-host.reconnex.net:8181/dir/
7. Click Include.
8. Click Save.
9. Define filters and policies.

Filtering file properties for a scan


Use this task to define file properties before scanning.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Click the Filters tab.
5. Open Folders.
6. Open File Properties.
7. Select an Element and Condition.
8. Type a path or pattern into the value field. Absolute Directory Path is recognized as the base directory.
   Examples:
   Absolute Directory Path > equals > C$/Eng/Network/Drawings
   File Pattern > equals > *.jpg,*.doc
   File Owner > equals > bjones
   File Size > range > 1024-5000 (requires numbers expressed in bytes)
   File Creation Time > between > 16:30:00 and 17:00:00
   Last Modification Time > after > 13:30:00
   Last Accessed > before > 17:00:00
9. Define policies.
10. Click Save.

Filtering folders to be scanned


Use this task to define the folders to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Click the Filters tab.
5. Open Folders.
6. Select an Element and Condition.
7. Type a path or pattern into the value field. Absolute Directory Path is recognized as the base directory.
   Examples:
   Absolute Directory Path > equals > C$/Eng/Network/Drawings
   Directory Pattern > contains > Human Resources
   Directory Pattern > does not contain > Employee Records
   NOTE: All subdirectories matching the pattern will be crawled.
8. Define policies.
9. Click Save.

Filtering shares to be scanned


Use this task to define shares to be scanned.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. From the Actions menu, select New.
3. Define the credential, schedule, mode, devices and node.
4. Select one or more Devices from which the scan will be deployed.
5. Select the Filters tab.
6. Open Filter.
7. Open Shares.
   NOTE: When you scan all the shares on a system, you do not have to define a filter at all. The default filter will always crawl all the shares on the system with the base directory / (root).
8. From the Shares menu, select equals.
9. Select Exact Match or Pattern from the Condition menu.
   TIP: The All condition, indicating that all shares will be scanned, is the default.
10. Type the share name into the Value menu.
11. Define the folders to be scanned, if needed.
12. Define the file properties to use when scanning, if needed.
13. Click Save.

Setting policies for a scan


Use this task to match specific policies and rules to the data found by a Discover scan. The scan cannot be saved until you choose at least one policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Select the Policies tab.
3. Click on one or more policies.
4. Click Add or Add All. Use the Remove or Remove All buttons to make adjustments to your selection.

Getting scan results


How scan statistic reporting works
While files are being fetched, counters increment as nodes are identified and shares are authenticated. The incident database is updated every 15 minutes until the conclusion of the task. Incident files are downloaded directly to Discover from the host on which they were detected, but the files are not saved indefinitely. They are fetched from the source when needed and the cache is flushed regularly to optimize disk utilization. The index keeps running in the background until all files are reported, even if the task has completed.
NOTE: To maximize performance during a CIFS/NFS/Documentum inventory scan, the crawler updates the database only after 100,000 files have been processed. If fewer files are detected, the counters are updated after the scan has been completed.


Understanding scan results


When you run a scan operation, files that have been registered or matched to rule conditions are indexed and fetched from the repository. Scan results are displayed on the Incidents | Data-at-Rest dashboard. Statistics describing the status of the scan are displayed under the Statistics icon. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration.

Viewing incidents found by a scan


Incidents found by a scan are reported on the Incidents dashboard. Select Details to display the file and its attributes, and the Match tab to find out why it was reported, or add the MatchString column to the dashboard. After a standalone Discover is registered to DLP Manager, the number of total incidents displayed will not include incidents that were reported before Discover was added to the network. Because a few documents might be re-registered after a reboot or restart, duplicate incidents might be reported.
TIP: Use the Actions menu to change the status of incidents that have been found, and set up action rules to remediate them.

Getting reports of scan statistics


Use this task to save all statistics produced during a scan to your dashboard.
NOTE: Export from the dashboard is limited to 5 KB. Although the dashboard incident list is limited to 5,000 results, up to 150,000 results can be exported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Click the icon in the Statistics column of the scan.
3. From the Reports menu, select a report.

   Report Types          Description
   Current Statistics    Reports statistics which are currently viewable. They could be from the current scan, the last one run, or any other historical scan.
   All Statistics        Reports all the statistics of all the runs of the scan task.
   Export File List      Reports the file list at share level (only files of the required share), IP level (only files of a required host), or task level (all files detected by the task across hosts and shares). If there is a single host with a single share, all three reports will be the same.

4. Click Save. If you have Microsoft Excel installed and are using Internet Explorer, the reports will automatically open in Excel. If not, a CSV text file will launch.
NOTE: Because CSV is a generic ASCII format, it can be opened with any text editor, spreadsheet or database program. If the CSV file is very large (50,000+ records), it will be compressed into a zip file before it is available for opening or saving.

Getting database scan statistics


Use this task to get statistics from running and completed database scans.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Click the icon in the Statistics column of a database scan.
3. View database scan statistics and counters.
TIP: Select an export option from the Report Options menu to get a report of the historical scan.

Adding columns to scan statistics


Use this task to display scan statistics in a different configuration.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Click the Statistics icon.
3. Select the Repository Details tab.
4. Open Share Details per Host.
5. Click on Shares Detected, Shares Crawled, or Shares Failed. Click underlined numbers for more information.
   - Click Files Fetched to get a full page report.
   - Select Columns and move them to the Available or Selected windows.
   - Click the Move buttons to change the display order.
6. Click Apply.

Viewing registered data matches


Registered data results do not display match strings on the Incident Details page, because the file found is itself evidence of an exact match. However, the Match tab under Incident Details does display the document matched and the matching text snippet.

Viewing scan status


Use this task to get information on the status of a crawl.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Click the Statistics icon for the scan of interest.
3. Select the Repository Details tab.
4. Open Share Details per Host.
5. Click on Shares Detected, Shares Crawled, or Shares Failed. Underlined numbers indicate that more information is available.
NOTE: The Files yet to be fetched counter increments when new shares are detected and decreases as files are detected and fetched. If a database scan is interrupted when records have been fetched but not processed, those records are not processed when the scan is rerun.
TIP: Select a Report Option to keep a record of the scan after it has completed.
TIP: If you need updates before the scan status is synchronized, click the Refresh button. This action consumes resources, so use it judiciously.

Getting historical statistics


Use this task to get statistics from previously completed scans.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Discover Configuration | Scan Operations.
2. Click the icon in the Statistics column of the scan.
3. Select a report from the History menu.
4. View.
TIP: Select an export option from the Report Options menu to get a report of the historical scan.

Searching discovered data


Finding discovered data
In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover to search for data in the Discover database.

Finding scan operations


Use this task to find existing scan operations.
TIP: Use this parameter with other options to find files discovered by a specific scan.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Scan Operation from the first drop-down list, and is any of from the second.
3. Click "?".
4. Select the scan task from the popup menu.
5. Click Search or Save as Rule.


Finding registered files in discovered data


Use this task to find registered files in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Content.
2. Select Concept from the first drop-down list and is any of from the second.
3. Click "?", then open Corporate Confidential.
4. Select DocReg. The DocReg concept contains all the signatures that identify registered data. When this concept is used in a search, its signatures are applied against all objects in the Discover database. Any matches are reported on the Incidents dashboard.
5. Click Apply.
6. Click Search.
TIP: Alternately, save as rule to open a rule definition page. Adding this rule to a policy allows you to use the DocReg concept to identify sensitive documents automatically whenever that policy is used to find incidents.

Finding repository types in discovered data


Use this task to find repository types in data at rest.

Repository Type    Definition
CIFS               Microsoft Common Internet File Services
SharePoint         Microsoft SharePoint
NFS                Sun Network File System
Documentum         EMC Documentum
FTP_Crawl          File Transfer Protocol Crawl
HTTP_Crawl         Hypertext Transfer Protocol Crawl
HTTPS_Crawl        Secure Hypertext Transfer Protocol Crawl

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Repository Type from the first drop-down list, and is any of from the second.
3. Click "?".
4. Select one or more repositories.
5. Click Search or Save as Rule.

Finding IP addresses in discovered data


Use this task to find IP addresses in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Host IP from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type the IP address of the repository into the value field.
   NOTE: You can type in a single address, a range, or a subnet; CIDR notation is supported.
   Examples:
   192.168.3.225
   10.1.0-10.0.1.255
   172.16.1.1/24
5. Click Search or Save as Rule.

Finding host names in discovered data


Use this task to find host names in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Host Name from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type the host name of the repository into the value field.
5. Click Search or Save as Rule.

Finding file name patterns in discovered data


Use this task to find files by pattern in the Discover scanned data database.
NOTE: The only metacharacter supported is a single asterisk.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Share Name, Host IP or Host Name from the drop-down list to define the target of the search.
3. Click the plus icon to add an element.
4. Select File Name Pattern from the first drop-down list, and contains any of from the second.
   NOTE: Use Basic Search | File Name Pattern to find files in streaming network data.
5. Type a name, or a single file type extension into the value field.
6. Click Search or Save as Rule.
   NOTE: Comma- and space-separated values signifying AND and OR are not supported.
   Example:
   Find a JPG in a database or repository:
   Capture | Advanced Search | Discover | File Name Pattern contains *.jpg
   Find Microsoft Office Word AND Excel files in a database or repository:
   Capture | Advanced Search | Discover | File Name Pattern contains *.xls
   NOTE: You can use a keyword with an asterisk (for example, Financ*), but a File Name Pattern search is faster.
7. Click Search or Save as Rule.

Finding file owners in discovered data


Use this task to find all files belonging to a single user in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select File Owner.
3. Select is any of from the drop-down list.
   TIP: If the files belong to a prolific user, adding other search elements to the query will help to focus on exactly what is needed.
4. Type the file owner into the value field.
5. Click Search or Save as Rule.

Finding file paths in discovered data


Use this task to find file paths in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select File Path from the first drop-down list, and contains any of from the second.
3. Type the file path of the repository into the value field.
4. Click Search or Save as Rule.
NOTE: Absolute or relative file paths in Microsoft Windows (\) or UNIX (/) systems are indexed in the database, but only UNIX paths are supported when searching.

Finding percentages of registered data at rest


When registered text is plagiarized, it is unlikely that a 100% match will be found to the original document, so searching for a match to a percentage of the registered material is more likely to expose intellectual property theft. Use this task to match files containing a percentage of registered data in the Discover database.
NOTE: This function cannot be used to search; it can only be added to a rule to supplement other parameters that have been defined.
1. Go to DLP Reporting | Advanced Search.
2. Open Discover.
3. Select Signature Percentage Match from the first menu.
4. Select greater than from the second menu.
   NOTE: Because an exact percentage match is unlikely, you can only ask that the match be greater than the percentage you specify.
5. Enter an integer in the value field.
6. Click Save.

Finding share names in discovered data


Use this task to find share names in the Discover scanned data database.
NOTE: You need not know the server on which the share resides, but the targeted file system will have to be configured as a share.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Share Name from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type a share name into the value field.
5. Click Search or Save as Rule.
NOTE: On Microsoft Windows computers, the default share is C$.

Finding domain names in discovered data


Use this task to find domain names in the Discover scanned data database.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Domain Name from the first drop-down list, and contains any of from the second.
3. Type a domain name into the value field.
4. Select contains any of from the drop-down list.
5. Click Search or Save as Rule.

Example:
Find a domain name: DLP Reporting | Advanced Search | Discover | Domain Name contains any of Mercury

Finding catalogs in discovered data


Use this task to match files containing a catalog in the Discover database. When registered text is plagiarized, it is unlikely that a 100% match will be found to the original document, so searching for a match to a percentage of the registered material is more likely to expose intellectual property theft.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Catalog from the drop-down list, then click Search or Save as Rule.

Finding schemas in discovered data


Use this task to match files containing a catalog in the Discover database. When registered text is plagiarized, it is unlikely that a 100% match will be found to the original document, so searching for a match to a percentage of the registered material is more likely to expose intellectual property theft.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Catalog from the drop-down list.
3. Click Search or Save as Rule.

Finding column names in discovered data


Use this task to find share names in the Discover scanned data database.
NOTE: You need not know the server on which the share resides, but the targeted file system will have to be configured as a share.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Share Name from the drop-down list, and is any of from the second.
3. Click "?".
4. Type a share name into the value field.
5. Click Search or Save as Rule.
NOTE: On Microsoft Windows computers, the default share is C$.

Finding table names in discovered data


Use this task to find share names in the Discover scanned data database.
NOTE: You need not know the server on which the share resides, but the targeted file system will have to be configured as a share.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Share Name from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type a share name into the value field.
5. Click Search or Save as Rule.
NOTE: On Microsoft Windows computers, the default share is C$.

Finding records and rows in discovered data


Use this task to find share names in the Discover scanned data database.
NOTE: You need not know the server on which the share resides, but the targeted file system will have to be configured as a share.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting. Click Advanced Search, then open Discover.
2. Select Share Name from the first drop-down list, and is any of from the second.
3. Click "?".
4. Type a share name into the value field.
5. Click Search or Save as Rule.
NOTE: On Microsoft Windows computers, the default share is C$.

Storage scanning requirements


Accessing network storage
Before scanning data storage devices, you must understand what is required for DLP Discover to access the file system.

Accessing Network Attached Storage (NAS)


Network Attached Storage presents a conventional file system to the network, and can be accessed directly by DLP systems.

Accessing Storage Area Networks (SANs)


Storage Area Networks store data as physical blocks of disk space rather than as a file system, so the device itself cannot be scanned directly, but DLP Discover can connect through any server that owns a pool of data on that device.

Host vs. network discovery


How host and network scans differ
Network scans find content that has been registered, or has been discovered during a registration scan. Host scans use either content or context.
• Using content categories. Categories can match specific text patterns, dictionaries, or registered document repositories to the files.
• Using file context. You can specify file types, file extensions, document properties, encryption type, and user assignment in the discovery rule.

How host and network remediation differs


When sensitive content is found during a network scan, it can be remediated by pre-configuring actions that will automatically copy, encrypt, move (quarantine), or delete it.
• For host discovery scans, a setting on the Policy tab allows you to delete files instead of quarantining them. In ePolicy Orchestrator, go to Menu | Data Protection | DLP Monitor | Tools | Options. You will need a release key to release files from quarantine. This is done by generating a challenge key and sending it to the administrator, who issues an Agent Quarantine Release Key.
• For network scans, quarantined files can be remediated from the DLP Reporting | Incidents page. No release key is required.

How host and network registration works


Registration works slightly differently in the host and network implementations. Unique signatures that identify documents or data on the network are collected in the DocReg and DBReg concepts. They are proprietary concepts that hold all signatures generated for registered documents or structured data during registration. In host document registration, a host registration scan deploys registered document packages to the DLP Agents, and the index packages are distributed to all endpoint workstations. The DLP Agent on the endpoint blocks distribution of documents containing registered content fragments outside of the host system.

Deploying a host package to the agents


Use this task to deploy a registered document package to host computers when working in ePolicy Orchestrator.
NOTE: The registered document package must be indexed in ePolicy Orchestrator.
1. In ePolicy Orchestrator, click System Tree.
2. In the System Tree, select the level at which to deploy the registered document package.
TIP: Leaving the level at My Organization deploys to all workstations managed by ePolicy Orchestrator. If you select a level under My Organization, the right-hand pane displays the available workstations. You can also deploy the registered document package to individual workstations.
3. Click the Client Tasks tab. Under Actions click New Task. The Client Task Builder wizard opens.
4. In the Name field, type a suitable name, for example, Deploy registered document package.
5. In the Type field, select Product Deployment. Click Next.
6. In the Products and Components field, select DLP Registered Documents 9.0.0.0. Leave the Action set to Install.
7. Click Next.
8. Select a suitable Schedule type and set the options, date, and schedule parameters. Click Next.
9. Review the task summary. When you are satisfied that it is correct, click Save.

Registering documents on host computers


There are two advantages of registering documents over traditional location-based tagging.
• Documents that existed before the location-based tag was defined are not detected by location-based tagging rules unless the user opens or copies the original file from its network location. Registered document classification rules detect all files in the defined folders.
• If the same confidential content exists in several documents, you need to categorize it only once using a registered document repository. When you use location-based tagging you have to identify every network share where the confidential content is located, and tag each one.

Setting up a host discovery scan


Use this task to set up a host discovery scan. Changes in discovery setting parameters take effect on the next scan. They are not applied to scans already in progress.
NOTE: To run a discovery scan on a host computer, you must activate the discovery module on the Miscellaneous tab of the Agent Configuration dialog box.
1. In ePolicy Orchestrator, go to Menu | Policy | Policy Catalog. From the Product drop-down list, select Data Loss Prevention 9.0.0.0:Policies. From the Category drop-down list, select Agent Configuration.
2. Create a new Agent Configuration, or edit an existing one.
3. Click the Discovery Setup tab. Set the performance parameters. To prevent excessive demand on the system, you can pause the scan when the CPU or RAM usage exceeds a preset value. The default for each of these is 80%. You can also speed up scans by setting a maximum file size to scan.
4. Set the notification details. When the Quarantine action is selected in a discovery rule, discovery removes files with sensitive content to the quarantine folder. If no notifications are set, users might wonder why their files disappeared. The notification feature replaces files with stand-in files with the same name containing the notification text. If the discovery rule is set to encrypt files, no notification is needed because the files remain in place.
5. To get files out of quarantine, users must request a quarantine release key from the administrator. This works in a similar manner to the agent override key. To unlock encrypted files, users must have the encryption key specified in the discovery rule.
NOTE: If you select the Encrypt action and McAfee Endpoint Encryption is not installed, the files are quarantined.
6. Select the folders to scan, and the folders to skip. Use Windows Explorer to browse to a folder, then cut and paste the address into the Enter folder text box. Use the plus icon to add the folder to the scan list. You can remove folders with the minus icon.
NOTE: If you don't specify any folders for either scan or skip, all folders on the computer are scanned. The only folder that is skipped by default is C:\Windows. The following file types will always be skipped, no matter which folder they are in:
• The specific files ntldr, boot.ini, and .cekey
• Executable files (*.com, *.exe, *.sys)
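A model of the folder and file selection behaviour described in this task, written as an added example rather than McAfee's own code. It encodes the documented defaults (the C:\Windows default skip, the always-skipped files and executable types, the 80% CPU/RAM pause threshold, an optional maximum file size); the assumption that a skip folder takes precedence over a scan folder that contains it, the DiscoverySetup class and the sample paths are constructed for illustration.

```python
"""Model of host discovery scan target selection (added example, not McAfee code)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Always skipped, whatever folder they are in (from the product guide).
ALWAYS_SKIPPED_NAMES = {"ntldr", "boot.ini", ".cekey"}
ALWAYS_SKIPPED_EXTENSIONS = {".com", ".exe", ".sys"}
# Skipped by default only when no scan or skip folders are configured.
DEFAULT_SKIP_FOLDERS = [r"C:\Windows"]
# Default pause threshold for CPU and RAM usage, in percent.
DEFAULT_RESOURCE_LIMIT_PERCENT = 80


def _parts(path: str) -> tuple:
    # Windows paths are case-insensitive; compare lower-cased components.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _is_under(path: str, folder: str) -> bool:
    p, f = _parts(path), _parts(folder)
    return p[: len(f)] == f


@dataclass
class DiscoverySetup:
    """Hypothetical representation of the Discovery Setup tab settings."""
    scan_folders: List[str] = field(default_factory=list)
    skip_folders: List[str] = field(default_factory=list)
    max_file_size: Optional[int] = None  # bytes; None means no limit
    cpu_limit: int = DEFAULT_RESOURCE_LIMIT_PERCENT
    ram_limit: int = DEFAULT_RESOURCE_LIMIT_PERCENT

    def effective_skip_folders(self) -> List[str]:
        # No folders configured at all: everything except C:\Windows is scanned.
        if not self.scan_folders and not self.skip_folders:
            return list(DEFAULT_SKIP_FOLDERS)
        return list(self.skip_folders)

    def should_pause(self, cpu_percent: float, ram_percent: float) -> bool:
        # The scan pauses when either resource exceeds its preset limit.
        return cpu_percent > self.cpu_limit or ram_percent > self.ram_limit

    def decide(self, path: str, size: int) -> str:
        """Return 'scan', or the reason the file is skipped."""
        p = PureWindowsPath(path)
        name, ext = p.name.lower(), p.suffix.lower()
        if name in ALWAYS_SKIPPED_NAMES:
            return "skip: system file"
        if ext in ALWAYS_SKIPPED_EXTENSIONS:
            return "skip: executable"
        # Assumption: an explicit skip folder wins over an enclosing scan folder.
        if any(_is_under(path, f) for f in self.effective_skip_folders()):
            return "skip: folder excluded"
        if self.scan_folders and not any(_is_under(path, f) for f in self.scan_folders):
            return "skip: outside scan list"
        if self.max_file_size is not None and size > self.max_file_size:
            return "skip: exceeds maximum file size"
        return "scan"


if __name__ == "__main__":
    # Constructed sample: a finance share with an archive sub-folder excluded.
    setup = DiscoverySetup(
        scan_folders=[r"D:\Shares\Finance"],
        skip_folders=[r"D:\Shares\Finance\Archive"],
        max_file_size=10_000_000,
    )
    samples = [
        (r"D:\Shares\Finance\q1.xlsx", 500),
        (r"d:\shares\finance\archive\old.xlsx", 500),
        (r"D:\Shares\Finance\tools\setup.exe", 500),
        (r"D:\Shares\Finance\mail.pst", 20_000_000),
        (r"C:\Users\alice\notes.txt", 10),
    ]
    for path, size in samples:
        print(f"{path}: {setup.decide(path, size)}")
    print("pause at 85% CPU:", setup.should_pause(85, 20))
```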

Configuring a policy for host discovery


Use this task to set the discovery policy.
1. Go to Menu | Data Loss Prevention | DLP Policies.
2. On the Policies page, from the Actions menu, select Add Policy.
3. Type a name for the policy. Under Devices select Host. From the State drop-down list, select Active. From the Actions menu, select Add Rule.
4. Type a name for the rule. For Inherit Policy State select Enabled. On the Define tab, define at least one rule element. The element should be one of Keywords or Concept (under Content) or Location Tag Path (under Endpoint).
5. On the Actions tab, click to add an action rule, and select the discovery action rule created previously from the list.
6. Click Save to save the rule, then click Save to save the policy.
See Configuring discovery scans to configure the scan operation.

How host scans are scheduled


Host discovery scans are set up and scheduled on standalone systems on the Agent Configuration page in the Policy Catalog. You can run a host scan at a specific time daily, or on specified days of the week or month. You can specify start and stop dates, or run a scan when the DLP Agent configuration is enforced. You can suspend the scan when the computer's CPU or RAM exceeds a specified limit. If you change the discovery policy while a host scan is running, rules and schedule parameters will change immediately. Changes to which parameters are enabled or disabled will take effect with the next scan. If the computer is restarted while a scan is running, the scan continues where it left off. For network discovery, scheduling is set on the Scan Operations page. If you make changes to network scans, you must stop the scan, make the changes, save, and re-scan.

Scheduling a host discovery scan


Use this task to schedule a host discovery scan.
NOTE: To run a discovery scan on a host computer, you must activate the discovery module on the Miscellaneous tab of the Agent Configuration dialog box.
1. In ePolicy Orchestrator, go to Menu | Policy | Policy Catalog. From the Product drop-down list, select Data Loss Prevention 9.0.0.0:Policies.
2. Create a new Agent Configuration, or edit an existing one.
3. Click the Discovery Schedule tab. Set the time of day for the scan to start using the thumbwheel.
4. Set the scanning frequency using the option buttons and checkboxes.
5. If you want to run a discovery scan immediately, select Run now.
6. If you want to prevent runs being missed due to the user being logged off, select Resume discovery missed runs after login.
7. Set the start and end dates for discovery scans. Click Save.

Scheduling a host registration scan


Use this task to schedule indexing of host registered document repositories in ePolicy Orchestrator. Create a registered documents repository definition, then create and enable a registered documents classification rule and a protection rule using the content category specified in the classification rule. Apply the policy to ePolicy Orchestrator.
1. In ePolicy Orchestrator, go to Menu | Server Tasks.
2. Click New Task.
3. In the Server Task Builder, name the new task and click Next.
4. On the Actions page, select DLP Register Documents Scanner from the pull-down menu. Click Next to schedule the scan, review your task, and click Save. The task now appears in the Server Tasks list. Select it and click Run to run the scan immediately.

Using policies and rules


How policies and rules are used
On DLP systems, rules are used to match network and endpoint data to produce incidents. Related rules are collected in policies that target specific issues. Many standard policies are installed on DLP Monitor, and users can choose which ones to activate and publish to other DLP devices. By default, policies and their rules act as a single unit, but if inheritance is disabled, rules can be run individually. After one or more DLP Monitors have captured and processed data for some time, incidents that are found by the rules under standard policies are reported to the Incidents dashboard. On endpoint systems, all deployed rules are collected in a single global DLP policy. That policy is implicit, and is not visible on the DLP dashboards as a separate entity.


Using policies
How policies work
Policies are containers for groups of related rules. When the rules of a policy produce an incident, the navigation pane displays the name of the policy used. However, the Group by menu can be configured to display other attributes as well.
TIP: Select Group by Rule to find out exactly why the incident was reported.
Standard policies are installed on DLP Monitor, Discover or Prevent appliances before shipment. Your geographic location, industry sector, and business type determine which ones are activated during installation, but activation can also be done from the Policies page. Customized policies can be created at any time to address issues specific to your business operations. All standard and customized policies are listed under the Policies tab.

Policy field definitions


Use the following field definitions when adding or editing policies.

Policy Name
Type in a descriptive name. Use of certain non-alphanumeric characters may generate an error message.

Policy Description
Type in a description (optional).

Owner
Select a group whose members can access the policy. If you are logged in as a member of one of the default groups, only that group is displayed, and other options are not available.

State
Policies must be published to a device to be used, so new policies are inactive by default. If you plan to use the new policy, check one or more boxes under Devices. Those appliances will then match the policy's rules to network traffic or repositories, and report results to the Data-at-Rest or Data-in-Motion dashboards.

Region
In this release, groups of international policies can be used to add rules relevant to specific geographic regions. For example, to define a new policy for Ukraine, select Europe and Middle East from this menu to add the new Ukrainian policy to that regional group. If the EMEA group is not on the menu, select it from the Regional Policy menu on the Policies page and click Add.


Suppress incidents
Check either Data-at-Rest or Data-in-Motion if your purpose is to find incidents only in static network repositories or moving network traffic. Eliminating reporting of irrelevant hits will exclude results that are not useful and improve performance.
NOTE: Data-in-Use events will display only if DLP Host is installed, and cannot be suppressed if they are found.

Devices
Devices that are attached to DLP Manager are listed so that you can publish the new policy to one or more of the available DLP appliances. If you are not going to publish the policy right away, check None. If you check the Host box, you must already have it installed on DLP Manager.

Using international policies


International policies containing rules supporting regional documents have been added to this release. Regional users can not only conduct searches and view incidents in local languages, but also use rules constructed to provide privacy protection for local identification numbers (drivers' licenses, international bank account numbers, etc.).

Asia Pacific
Australia, China, Hong Kong, India, Korea, Singapore, Taiwan

Europe and Middle East


Austria, France, Germany, Israel, Netherlands, Poland, Russia, Spain, Turkey, United Kingdom

Latin America
Brazil, Mexico

Use this task to add and activate local policies and rules.
1. In ePolicy Orchestrator, go to Menu | DLP Prevention | DLP Policies.
2. Click Add, then confirm or cancel the operation.
3. Select the checkboxes of the appropriate local policies.
4. From the Actions menu, select Activate.

Adding policies
Use this task to add customized policies that address a specific need in your organization.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select Add Policy from the Actions menu.
3. Type in a name and an optional description.
4. Select an Owner.
NOTE: Standard policies are owned by the admin user. If another policy owner is needed but not listed, add the user to an existing group, or create a new one before adding the policy.
5. If you are going to use the policy immediately, set State to Active. An inactive policy cannot produce incidents.
6. If you want to limit the rule to acting on static or moving data, check Data-at-Rest or Data-in-Motion.
7. Select one or more device checkboxes to publish the policy to specific appliances.
TIP: Select None if you want to publish the policy at a later time.
8. Click Save.
9. Go to System | User Administration to assign access rights to the policy.
10. Select Groups, then click the Details icon of a group that will use the policy.
11. Click Policy Permissions.
12. Select the checkboxes of the permissions needed by the group.
13. Click Apply.
14. Click the Policy tab and open the new policy.
15. Add rules to the policy.

Activating policies
Use this task to activate a policy that was not initially activated during installation of DLP appliances. A policy that is inactive cannot find and report incidents to the dashboard.
NOTE: Policies have the default state Inactive. To use a policy, you can activate it while editing or, to activate multiple policies, select the policy checkboxes and select Activate from the Actions menu.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy checkbox.
3. Select Activate from the Actions menu.
4. Verify the change in the State column.
TIP: Rules inherit activation from their policies, but inheritance can be disabled to allow them to run independently.

Deactivating policies
Use this task to deactivate a policy so that it will not produce any incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy checkbox.
3. Select Deactivate from the Actions menu.
4. View the State column of the policy to verify the change.
NOTE: The rules of a policy may be active or inactive, depending on inheritance.

How activation works


Policies must be activated and published to at least one DLP appliance before the system can report incidents and events. They are inactive by default to allow users to focus only on the rule sets that meet their needs. For example, United Kingdom users may add the EMEA regional policy package, but activate only the UK policy. Similarly, North American users may want to use only the U.S. government regulatory policies, like HIPAA, SOX and ITAR. There are three ways to activate a policy.
• During installation, check the boxes of the policies to be activated.
• On the Policies page, check the boxes of the policies to be activated, then select Activate from the Actions menu.
• Open a policy and select Active from the State menu.

NOTE: State is inherited by the rules of a policy, but inheritance can be disabled to allow rules to run independently.

How inheritance works


The Inherit Policy State establishes the relationship of a rule to its policy. If a rule inherits Active state from its policy, it runs only when the policy runs, and cannot be run independently. NOTE: Policy-based inheritance is enabled by default because it allows policies to work efficiently as a unit. User-defined rules are disabled by default, allowing the flexibility needed for non-standard applications.


Changing ownership of policies


Use this task to change ownership of a policy.
NOTE: Ownership is granted to users through the Manage Policy and Rules group permission.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select a policy checkbox.
3. Select Modify Owner from the Actions menu.
4. Select a group from the sub-menu.

Publishing policies
Use this task to publish policies to one or more appliances. A published policy is one that is deployed on one or more DLP devices.
NOTE: Policies can be published by checking Device boxes during creation or modification.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select one or more policy checkboxes.
3. Select Modify Devices from the Actions menu.
4. Check the boxes of one or more appliances.
NOTE: If the All Devices deployment target is selected, all rules of all policies that have been activated on DLP Manager will run on all its managed devices. If the appliance to which you need to publish is not listed under Devices, you must first add that device to the system.
5. Click Apply.
6. Select one or more devices from the submenu.
TIP: Select None if you want to publish the policy at a later time.
7. Check the Deployed On column to verify redeployment.

Cloning policies
Use this task to create a new policy that resembles an existing one.
NOTE: You cannot save and edit the rules, but all policy attributes will be replicated.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the policy you want to use as a template.
3. Type in a new name.
4. Type in a new description (optional).
5. Edit other parameters as needed.
6. Click Save As.
7. Verify that the new policy is listed under Policies.
8. Add rules to the policy.

Renaming policies
Use this task to rename a policy.
NOTE: If you rename a policy, you will lose incidents already found by its rules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Type in a new name and description (optional). When you start typing, a Save As button will pop up.
4. Click Save.
NOTE: No confirmation is required. The new policy is immediately added to the policy list.

Executing policies
Use this task to assign policy permissions to users.
NOTE: Users tasked with viewing incidents and events must have Execute Policy permission, because policies have been used to find them.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sysconfig | System | User Administration.
2. Click on the Details icon of the user's group.
3. Click on the Policy Permissions tab.
4. Open Policies.
5. Select one or more Execute checkboxes corresponding to the policies to be used to find incidents.
6. Click Apply.

Editing policies
Use this task to modify the parameters of a policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the policy.
3. Modify one or more parameters.
4. Click Save.

Deleting policies
Use this task to delete policies.
NOTE: You can delete a policy only if you own it.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select one or more policy checkboxes.
3. Select Delete from the Actions menu.
TIP: To delete policies one by one, click the trash can icons.

Using rules
How rules work
Rules define patterns that are matched against network or endpoint data to identify violations of policy. When a rule hits on a data match, an incident or event is saved in a database and reported to the dashboard.
NOTE: Only active rules report results, and the system cannot manage more than a total of 512 active rules. To activate a 513th rule, you must deactivate an active rule.
TIP: User permissions, including the ability to create or use rules, depend on group membership. Group permissions are displayed under DLPSysdmin | User Administration | <Details> | Groups | Task Permissions | Policy Permissions.

Adding rules
Use this task to add a rule to a policy. You may also search captured data and save the search as a rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Basic or Advanced Search.
2. Enter a query and examine the results.
3. If the results are useful, and you want to run the query on a regular basis, click Save as Rule. The Edit Rule page launches.
4. Type in a rule name.
5. Assign the rule to a policy by selecting an appropriate one from the Policy menu.
6. Select a Severity to classify the rule.
7. Set the Inherit Policy State to Enabled to bind the rule to the policy.
8. Make any changes or additions to the rule's parameters.
9. Click Save as Rule.
TIP: If you want to tune the rule, select the Disabled state and run it apart from the policy until it is perfected.

Viewing rule parameters


Use this task to review the parameters of a rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Click on a rule.
4. Open the categories under the Define, Actions and Exceptions tabs.
5. View any of the defined parameters.

Reconfiguring rules for web traffic


Use this task to reconfigure rules to monitor web traffic.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy, then click on a rule you want to adapt for web traffic.
3. Type a new name and click Save As to create a copy of the rule.
4. Click on the new rule.
5. Open Protocol.
6. Select Protocol from the Element menu.
7. Select is any of from the Condition menu.
8. Click "?".
9. If any boxes are checked on the popup menu, uncheck them.
10. Select all HTTP checkboxes.
11. Click Apply.
12. Click Save.

Copying a rule to a policy


Use this task to save the same rule under two different policies.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy. In the Rule Name field, type in a new name. To have the appearance of an exact duplicate, you can add a single character or a space to distinguish it from the original.
3. Select a different policy from the Policy menu.
4. Click Save As.
5. Go to Policies.
6. Click on the policy you selected from the Policy menu.
7. Verify that the copied rule has been added to the rule list.

Detaching rules from policies


Use this task to detach a rule so that it can be run independent of its policy.
NOTE: This process is used primarily for tuning rules.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on an Active policy.
3. Click on a rule.
4. Disable the Inherit Policy State.
5. Click Save.

Editing rules
Use this task to modify the parameters of a rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Click on a rule.
4. Modify one or more parameters.
5. Click Save.
NOTE: Inactive rules that belong to standard policies are automatically activated when they are saved.

Deleting rules
Use this task to delete one or more rules from a policy.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy.
3. Select one or more rule checkboxes.
4. Select Delete from the Actions menu.
TIP: To delete rules one by one, click the trash can icons.

Defining exceptions to rules


What are false positives?
When the parameters of a rule literally match network data but produce no useful information, the resulting incident is referred to as a false positive. Creating an exception keeps the rule that tagged false data from reporting it again. The classification engine responds by ignoring incidents that include certain attributes.

How exceptions to rules are defined


An incident may technically match a rule, but it might not contain any useful information, which makes it a false positive. False positives get in the way of significant results, preventing accurate reporting of the problems detected in network traffic. In such a case, you can redefine the rule that produced the incident by adding an exception. When the rule runs again, the classification engine will ignore any incidents that contain the misleading attributes. There are several ways to assure that only legitimate violations are reported to the dashboards.
• Add new rules that contain exceptions
• Add exceptions to an existing rule
• Use existing incidents to build more accurate rules
• Define an incident that has already been detected as a false positive

TIP: To prevent false positive matches, tune rules after they are created using historical data.

Defining false positive incidents


Use this task to define false positive incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | Incidents.
2. Find one or more incidents that contain useless or insignificant information.
3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.
4. Check the boxes of the rules you want to define as exceptions.
TIP: Select the box in the table header to select all incidents on the current page, or Select All Results from the Actions menu to keep every incident with a specific false positive parameter from being reported again.
5. From the Actions menu, select Modify Status | False Positive | Set Status.
6. Click the Columns icon.
7. Select Status from the Available list.
8. Add it to the selected columns.
TIP: Before clicking Apply, select Status and click the Move Up or Top buttons to move the false positive status to the left.
9. Click Apply.
10. Scroll the list of incidents to view those that are false positives.
TIP: Click the Status column header to display all false positives at the top of the list.

Adding exceptions to existing rules


Use this task to add an exception to an existing rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy, then the rule to be modified.
3. Click on the Exceptions tab, and open the Exception 1 element.
4. Type text describing the exception into the Notes box.
5. Open the element categories and define parameters that should be ignored when the rule is run.
NOTE: Eight exceptions are supported for each rule, so you can define precisely the conditions that are NOT to be matched. The capture engine will DROP any incident matching the exceptions.
6. Type in a Note describing the exception.
7. Using the existing categories, define each aspect of the exception.
8. Click Save.
NOTE: Exceptions apply to real-time searches only. You cannot use Test Rule because it is available only when tuning rules, which requires historical data.

Adding new rules that contain exceptions


Use this task to define a new rule with an exception.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. From the Actions menu, select Add Policy.
3. Type in a name for the policy. Typing a description is optional.
4. From the State menu, select Active.
NOTE: If you are not going to use the rule right away, you can leave it in an Inactive state.
5. From the Region menu, select the region in which the policy will be used.
6. Select the devices to which the policy will be deployed.
7. Click Save.
8. Click on the policy, and select Add Rule from the Actions menu.
9. Click on the policy that contains the rule.
10. Type in a name for the policy. Typing a description is optional.
11. From the Severity menu, select a severity.
12. If the rule is to be run whenever its policy is run, select the Enable radio button from the Inherit Policy State.
13. On the Define tab, define the parameters of the rule.
14. Click on the Actions tab, and add actions to be performed when the rule is active.
15. Click on the Exceptions tab, and open the Exception 1 element.
16. Type text describing the exception into the Notes box.
17. Open the element categories and define parameters that must NOT be flagged when the rule is run.
NOTE: Eight exceptions are supported for each rule, so you can define precisely the conditions that are to be ignored. The capture engine will drop any incident matching the exceptions.
18. Click Save.
NOTE: Exceptions apply to real-time searches only. You cannot use Test Rule because it is available only when tuning rules, which requires historical data.
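A model of how policy state, Inherit Policy State, the 512 active-rule limit (How rules work), and the up-to-eight exceptions per rule (the two exception tasks above) fit together, written as an added example and not McAfee's own engine. The record format, the Condition/Policy/Rule/Engine classes and the sample messages are constructed for illustration; the condition operators are the ones the guide names (is any of, is none of, contains any of, contains none of).

```python
"""Model of policy/rule state, the active-rule limit and exceptions (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

MAX_ACTIVE_RULES = 512          # from the guide: no more than 512 active rules
MAX_EXCEPTIONS_PER_RULE = 8     # from the guide: eight exceptions per rule


@dataclass
class Condition:
    """One rule element, e.g. Protocol is any of [SMTP]. Hypothetical format."""
    element: str
    operator: str       # is any of | is none of | contains any of | contains none of
    values: Sequence[str]

    def matches(self, record: Dict[str, str]) -> bool:
        actual = str(record.get(self.element, "")).lower()
        vals = [v.lower() for v in self.values]
        if self.operator == "is any of":
            return actual in vals
        if self.operator == "is none of":
            return actual not in vals
        if self.operator == "contains any of":
            return any(v in actual for v in vals)
        if self.operator == "contains none of":
            return not any(v in actual for v in vals)
        raise ValueError(f"unknown condition operator: {self.operator}")


@dataclass
class Policy:
    name: str
    active: bool = False                                 # Inactive by default
    devices: List[str] = field(default_factory=list)     # appliances published to

    def runs(self) -> bool:
        # A policy reports only when Active and published to at least one device.
        return self.active and bool(self.devices)


@dataclass
class Rule:
    name: str
    policy: Policy
    severity: str
    define: List[Condition]
    inherit_policy_state: bool = True    # Inherit Policy State: Enabled
    own_active: bool = False             # used only when inheritance is disabled
    exceptions: List[List[Condition]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if len(self.exceptions) > MAX_EXCEPTIONS_PER_RULE:
            raise ValueError("a rule supports at most 8 exceptions")

    def is_active(self) -> bool:
        if self.inherit_policy_state:
            return self.policy.runs()    # runs only when the policy runs
        return self.own_active           # detached rule runs independently

    def evaluate(self, record: Dict[str, str]) -> Optional[dict]:
        if not self.is_active():
            return None
        if not all(c.matches(record) for c in self.define):
            return None
        # Any exception whose conditions all match drops the incident.
        for exc in self.exceptions:
            if exc and all(c.matches(record) for c in exc):
                return None
        return {"rule": self.name, "policy": self.policy.name, "severity": self.severity}


class Engine:
    """Hypothetical classification engine enforcing the active-rule limit."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def active_rule_count(self) -> int:
        return sum(1 for r in self.rules if r.is_active())

    def add_rule(self, rule: Rule) -> None:
        if rule.is_active() and self.active_rule_count() >= MAX_ACTIVE_RULES:
            raise RuntimeError("512 active rules already; deactivate one first")
        self.rules.append(rule)

    def process(self, record: Dict[str, str]) -> List[dict]:
        return [i for i in (r.evaluate(record) for r in self.rules) if i]


if __name__ == "__main__":
    finance = Policy("Finance", active=True, devices=["monitor-1"])
    rule = Rule("Card data by email", finance, "High",
                define=[Condition("protocol", "is any of", ["SMTP"]),
                        Condition("content", "contains any of", ["credit card"])],
                exceptions=[[Condition("sender", "contains any of", ["@payments.example"])]])
    engine = Engine()
    engine.add_rule(rule)
    # Constructed sample messages: the second is dropped by the exception.
    print(engine.process({"protocol": "SMTP", "sender": "bob@corp.example",
                          "content": "Credit Card numbers attached"}))
    print(engine.process({"protocol": "SMTP", "sender": "ops@payments.example",
                          "content": "credit card batch"}))
```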

Correcting inaccurate rules


Use this task to adjust rules that produced false positive results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | Incidents.
2. Find an incident that contains useless or insignificant information.
3. From the menu in the Group by... window, select Rule. All incidents produced by that rule will be listed.
4. Check the boxes of the rules you want to define as exceptions, or Select All Results from the Actions menu.
TIP: Check the box in the table header to select all incidents on the current page.
5. From the Actions menu, select Modify Status | False Positive | Create Exception.
6. When the Edit Rule page launches, define the exception by adding or deleting parameters.
NOTE: When an exception is created from the Actions menu, the Edit Rule page is populated with the current values of the rule under the Exceptions tab. This makes it easy to edit those elements to prevent a similar incident from being reported again.
7. Type some text describing the exception in the Notes box.
8. Click Save.

Tuning rules
Use this task to tune rules, and save the search when all extraneous search terms have been eliminated. Tuning is done by running multiple searches on historical data and gradually tightening conditions and parameters with each modification.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Select Rule from the Group by menu.
3. Click on a rule that produces some useful results.
4. Make a note of incidents that include irrelevant information.
5. Go to Policies.
6. Click on the policy of the rule that produced the hits.
7. Click on the rule that produced the hits.
8. In Inherit Policy State, click Disabled.
NOTE: Disabling inheritance allows the rule to run independently of the other rules in the policy, allowing for multiple revisions.
9. On the Define tab of the rule, remove any parameters that are producing false positives.
TIP: Using the conditions is none of or contains none of will help to eliminate extraneous information.
10. Click on Test Rule to start searching the historical data for a match.
11. Go to Incidents and inspect the results.
12. Repeat the process until all incidents contain useful information.
13. Reset Inherit Policy State to Enabled.
14. Click Save as Rule.
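The way Define parameters, the is any of / is none of / contains none of conditions, and Exceptions interact in the three preceding tasks can be pictured as a small evaluation model. The following Python is an added example written for the reader of this guide; it is not McAfee code and does not reproduce the DLP capture engine. The operator names follow the guide's wording, but the attribute names (protocol, sender, content, content_type), the eight-exception limit check and every sample object are constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_EXCEPTIONS = 8   # the guide: eight exceptions are supported for each rule


@dataclass(frozen=True)
class Condition:
    """One Define or Exception parameter: <attribute> <operator> <values>.
    Operators follow the guide's wording; attribute names are assumed."""
    attribute: str
    operator: str
    values: tuple

    def matches(self, obj: dict) -> bool:
        actual = str(obj.get(self.attribute, ""))
        if self.operator == "is any of":
            return actual in self.values
        if self.operator == "is none of":
            return actual not in self.values
        if self.operator == "contains any of":
            return any(v in actual for v in self.values)
        if self.operator == "contains none of":
            return not any(v in actual for v in self.values)
        raise ValueError(f"unsupported operator: {self.operator!r}")


@dataclass
class Rule:
    name: str
    define: list                                    # all must match for a hit
    exceptions: list = field(default_factory=list)  # each entry is a list of Conditions

    def __post_init__(self):
        if len(self.exceptions) > MAX_EXCEPTIONS:
            raise ValueError(f"{self.name}: at most {MAX_EXCEPTIONS} exceptions per rule")

    def evaluate(self, obj: dict) -> str:
        """Return 'no match', 'dropped by exception' or 'incident'."""
        if not all(c.matches(obj) for c in self.define):
            return "no match"
        # An exception whose parameters all match describes traffic that must
        # NOT be flagged; the guide says the capture engine drops such incidents.
        for exception in self.exceptions:
            if exception and all(c.matches(obj) for c in exception):
                return "dropped by exception"
        return "incident"


# Constructed rule: card-number wording over SMTP, except from a hypothetical
# authorized payments mailbox and except when the message is already S/MIME.
CARD_RULE = Rule(
    name="CARD NUMBERS OVER SMTP (constructed)",
    define=[
        Condition("protocol", "is any of", ("SMTP",)),
        Condition("content", "contains any of", ("card number", "CVV")),
    ],
    exceptions=[
        [Condition("sender", "is any of", ("payments@example.com",))],
        [Condition("content_type", "contains any of", ("pkcs7-mime",))],
    ],
)

# Constructed captured objects, keyed by a label.
SAMPLE_OBJECTS = {
    "exfil": {"protocol": "SMTP", "sender": "alice@example.com",
              "content": "here is the card number you asked for",
              "content_type": "text/plain"},
    "authorized": {"protocol": "SMTP", "sender": "payments@example.com",
                   "content": "card number batch for reconciliation",
                   "content_type": "text/plain"},
    "encrypted": {"protocol": "SMTP", "sender": "bob@example.com",
                  "content": "card number inside",
                  "content_type": "application/pkcs7-mime"},
    "web": {"protocol": "HTTP", "sender": "",
            "content": "card number form", "content_type": "text/html"},
}


def run_sample(rule: Rule = CARD_RULE) -> dict:
    """Evaluate every constructed object against the rule."""
    return {label: rule.evaluate(obj) for label, obj in SAMPLE_OBJECTS.items()}


def too_many_exceptions_rejected() -> bool:
    """True if a rule with nine exceptions is refused, as the limit requires."""
    nine = [[Condition("sender", "is any of", (f"u{i}@example.com",))] for i in range(9)]
    try:
        Rule(name="over limit", define=[], exceptions=nine)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, verdict in run_sample().items():
        print(f"{label:>10}: {verdict}")
```

Tuning a rule in this model is the loop the task describes: tighten a Define condition or add an Exception, re-run the sample set, and stop when every remaining incident is one you want to see.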


Using action rules


How action rules are used
When a rule produces an incident in network data or a scanned repository, use of an action rule can prevent damage, trigger a remedial action, or react to an action that has been taken at a network endpoint.
• A Data-in-Motion action rule applies preventive actions to incidents found by Monitor in network data.
• A Data-at-Rest action rule applies corrective actions to incidents found by Discover after scanning a repository.
• A Data-in-Use action rule is applied when a specific event takes place on an endpoint.

How action rules are deployed


Action rules may be applied to Data-in-Motion, Data-at-Rest or Data-in-Use:
• An action rule can be applied to data in motion if DLP Prevent is configured with an MTA or proxy server and registered to DLP Manager.
• An action rule can be applied to data at rest if DLP Discover crawls a repository and finds files that should be remediated.
• An action rule must be applied to data in use if any rule acts on an endpoint event.

NOTE: If Monitor and Discover devices are both managed by DLP Manager, every rule can be configured to deploy one action of each of the three incident types.

Reacting to violations
When DLP Prevent is deployed with an MTA or proxy server, problems found in email and webmail can be identified and resolved immediately by associating an action with a rule. For example, DLP Prevent might use action rules to:
• block confidential data breaches
• encrypt authorized transmissions
• quarantine suspicious traffic
• bounce email that violates policies
• notify supervisory personnel
• record incidents in a system log
• allow email that is determined to be legitimate.

TIP: Use DLP Prevent to capture network traffic for later forensic analysis, or block the transmission of sensitive data sent using specific protocols (for example, HTTP, SMTP, HTTP POST, etc.).


Comparing Action to Protection rules


In this release, all DLP products use Action rules to define the disposition of a detected incident or event, but some actions were originally defined as reactions attached to Host DLP protection rules.
• In this release, a single Action rule can be attached to many different rules. Each of the rules to which the action has been added can deploy that action once to network data in motion, data in repositories, or data in use at endpoints.
  Several actions can be combined in a single Action rule. For example, when a rule hits, the file found may be blocked or quarantined, its sender may be notified, and it may be assigned to a group for investigation.
• In the Host DLP 9.0 standalone product, reactions are pre-configured when a Protection rule is defined. They may be applied to different endpoints under a variety of circumstances.
  Reactions can vary, depending on what action is to be taken and whether the endpoint is on- or offline (in contact with a domain controller) when the violation occurs.

Assigning status to an incident


Use this task to identify the state of an incident in the resolution process.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. Open the Incident Status category.
4. From the drop-down list, select a state.
5. Click Save.

Applying an action rule


Use this task to add an action to a rule before it runs. Actions can be added to rules monitoring data in motion, scanning data at rest, or identifying significant events on endpoints.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy, then click on a rule.
3. Click on the Actions tab, then click Add Action.
4. Select an action. The list displayed will include the standard action rules, plus any custom ones you have created.
5. Click Save.

Assigning responsibility for an action


Use this task to assign an action rule to one or more reviewers who will assume responsibility for the result.


NOTE: Only one reviewer can be assigned to an action rule, but a user group can be considered a single reviewer.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. Open the Incident Reviewer category.
4. From the drop-down list, select a reviewer.
5. Click Save.

Using action rules to log incidents


Use this task to set up an action rule to log system events.
NOTE: You must have a syslog server configured on your network to receive system log entries.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. From the Syslog Notification menu, select Enable.
4. Click Save.

Using action rules to notify users


Use this task to set up notifications that inform users of problems found.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule, or add a new one from the Actions menu.
3. Open Email Notification.
4. Enter a valid email address in the From field.
NOTE: If an existing action rule is edited, the From field must be completed, even if it was not there when the rule was created.
NOTE: If an email address containing a special character (e.g. &, *, %) is added to the Email Notification component of an action rule, notification will not be sent. However, additional valid email addresses added to the same rule will provide notification to other users.
5. Enter one or more addresses in the "To" and "cc:" fields.
6. Check a box to send a copy to the Manager, Reviewer, Sender or Recipients (optional). The options available depend upon which DLP appliance you are using. Managers can be identified only if an Active Directory server has been added, but other categories are user-defined. Reviewer is the only option available on Discover.
7. Type in a Subject and Message (optional).
8. Click Save.


NOTE: The Subject and Message fields accept dynamic variables, enabling you to set up automatic responses to routine situations.
TIP: You can use Dynamic Variables to alert users to details of the violation automatically. For example, ##Filename found by the ##Rule violated the ##Policy.

Reconfiguring action rules for proxy servers


Use this task to reconfigure action rules for use on proxy servers. This is necessary because BOUNCE, ENCRYPT, NOTIFY, QUARANTINE or REDIRECT actions cannot be used on proxy servers, which support only ALLOW or BLOCK.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on the action rule you want to reconfigure.
3. Type a new name and click Save As to create a copy of the action rule.
4. Click on the new action rule.
5. Open the Prevent actions menu.
6. Select Allow or Block, then click Save.

Setting up an action
Use this task to set up an action that will be taken whenever a rule identifies an incident or event.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. From the Data-in-Motion or Data-at-Rest Actions menu, select Add Action Rule. You can configure one rule for each vector.
NOTE: See Setting up an Endpoint action rule to add an action rule to the Data-in-Use vector.
3. Type a name for the action rule. Typing a description is optional.
4. Enabling email and syslog notification is optional.
5. From the Incident Reviewer and Incident Status menus, select from the drop-down lists.
6. Depending on the Actions menu selected, select a Prevent or Remediation action and supply the required parameters.
7. Click Save.

Editing action rules


Use this task to modify the parameters of any action rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on the action rule to be edited.
3. Modify one or more parameters.
4. Click Save.


Cloning action rules


Use this task to clone any action rule so you can apply the same action to another rule.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Click on an action rule.
3. Type in a new name. Typing in different parameters is optional.
4. Click Save As.

Removing an action from a rule


Use this task to remove an action that has been applied to a rule.
NOTE: This task removes only actions that have been applied to rules. Action rules that have been applied to rules are in use, so they cannot be removed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on a policy, then click on a rule.
3. Click on the Actions tab.
4. Find the action to be removed from the rule.
5. Click on "X".
6. Click Save.

Deleting action rules


You can delete action rules one by one, or as a group.
NOTE: Action rules that have been applied to rules are in use, so they cannot be removed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Action Rules.
2. Check the box of one or more action rules.
3. Select Delete from the Actions menu.
TIP: To delete templates one by one, click the trash can icons.
4. Click Confirm or Cancel.

Using concepts and templates


How concepts and templates are used
Content concepts, the most common type, find collections of significant data related to a single issue in application data (Flow A). If you are an advanced user, you can construct network or session concepts to identify data in the transport and session layers. Templates contain collections of elements that save time when searching, creating rules, or building capture filters. They eliminate the need to enter the same values repetitively.


NOTE: Network DLP policies contain collections of related rules, while Host DLP rules are all part of a single global policy.

Using concepts
How concepts are used
Content concepts, the most common type, find collections of significant data related to a single issue in application data. Most of the concepts that are shipped with your DLP appliances are listed under the User-Defined tab. Only a few Factory Default concepts are constructed with proprietary algorithms.
TIP: Use a content concept with one or more templates to look for patterns in specific data types. For example, a content concept can be used to collect credit card numbering patterns that can be matched to network data. You might use one of the factory default concepts (AMEX, CCN, DISCOVER, MASTERCARD) to find them quickly, or you can add one that focuses only on patterns used by retail cards.
If you are an advanced user, you can construct network or session concepts to identify data in the Transport and Session layers.

Types of concepts
There are three types of concepts.
• Content concepts contain text patterns and regular expressions to match patterns to data on the Application layer (Layer 7).
• Network concepts monitor activity on the Transport layer (Layer 4). They can be used to find spiders, robots, crawlers, types of webmail, browser versions, and operating systems in use.
• Session concepts focus on exchanges of data between applications on the Session layer (Layer 5). They can be used to recognize content found in multiple objects contained in a single flow.

Adding content concepts


Use a content concept to regularly search application-level traffic for specific patterns defined by regular expressions.
TIP: Open and examine an existing concept to understand its construction.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select Add Concept from the Actions menu.
NOTE: DLP Manager can manage up to 512 concepts.
3. Type in a name (uppercase only).
4. Type in a description (optional).


5. If you want to discourage false positives, select an algorithm that is associated with the regular expression you will define or upload (optional). When the concept hits, the system will run checksums to verify accuracy, and results that do not match exactly will be discarded.
Example: If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm will ignore the pattern and replace it with the correct sequence.
6. Select a category for the expression (optional).
TIP: Later you might want to use a package of related concepts in a query to expedite the search process.
7. If you have patterns recorded in a document, Upload it by browsing. Only text documents can be uploaded.
8. Click Import Expressions to load in the expressions from the file you selected.
TIP: If you want to edit the list of expressions or just keep a copy, click Export Expressions to save them to your desktop. You can debug them in a text editor, then re-import them.
9. If you don't have a document to upload, use text and regular expressions to build one or more expressions, starting with Expression 0.
TIP: Add additional expressions by clicking the green plus icon.
10. Click Validate, then enter the expression and a sample of a string it should match.
11. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
12. Set conditions for the concept, if needed.
13. Click Save.
NOTE: When creating concepts that have multiple words, you must escape spaces between words with a backslash (for example, hello\_world). Other metacharacters and ASCII characters (such as &#x0020; &#x0009; &#x000C; &#x200B for space, tab, form feed, zero-width space) can also be used to define concept expressions.
TIP: Add a template using your custom concept. This will save you keystrokes when searching, creating rules, and building capture filters.

Adding network concepts


Use a network concept to find spiders, robots, crawlers, types of webmail, browser versions, and operating systems.
1. Open a browser and post to the problem website.
2. Use a packet analyzer like Wireshark on your system to locate the type of traffic you are looking for. For example, you might focus on a GET instruction.
3. Right-click on the instruction in the TCP stream and copy the string.
4. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.


5. Select Add Concept from the Actions menu.
6. Open Advanced at the bottom of the page and select the Network Type radio button.
7. Type in a name (uppercase only) and description (optional).
8. If you want to discourage false positives, select an algorithm that is associated with the regular expression you will define or upload. When the concept hits, the system will run checksums to verify accuracy, and results that do not match exactly will be discarded.
Example: If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm will ignore the pattern and replace it with the correct sequence.
9. Select a category for the expression (optional).
TIP: Later you may want to use a package of related concepts in a query to expedite the search process.
10. Paste the string from the TCP stream into an Expression field.
NOTE: Escape all metacharacters with a backslash to ensure literal interpretation. For example, www\.deadspin\.com.
11. Click Validate, then enter the expression and a sample of a string it should match.
12. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
13. Set conditions for the concept, if needed.
14. Click Save.

Adding session concepts


Use a session concept to inspect all communications between two parties when a pattern is matched. Because the session layer is monitored, you will be able to find multiple objects contained in a single flow (for example, an email attachment as well as the mail body).
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select Add Concept from the Actions menu.
3. Open Advanced at the bottom of the page and select the Session Type radio button.
4. Type in a name (uppercase only).
5. Type in a description (optional).
6. If you want to discourage false positives, select an algorithm that is associated with the regular expression you will define or upload (optional). When the concept hits, the system will run checksums to verify accuracy, and results that do not match exactly will be discarded.
Example: If you create a MasterCard expression that uses an incorrect numbering sequence, the algorithm will ignore the pattern and replace it with the correct sequence.
7. Select a category for the expression (optional).


TIP: Later you may want to use a package of related concepts in a query to expedite the search process.
8. If you have patterns recorded in a document, Upload it by browsing. Only text documents can be uploaded.
9. Click Import Expressions to load in the expressions from the file you selected.
TIP: If you want to edit the list of expressions or just keep a copy, click Export Expressions to save them to your desktop. You can debug them in a text editor, then re-import them.
10. If you don't have a document to upload, use text and regular expressions to build one or more expressions, starting with Expression 0, on the fly.
TIP: Add additional expressions by clicking the green plus sign.
11. Click Validate, then enter the expression and a sample of a string it should match.
12. Click Validate in the dialog box, then check the Matches String box to get a true or false result.
13. Set conditions for the concept, if needed.
14. Click Save.
NOTE: When creating concepts that have multiple words, you must escape spaces between words with a backslash (e.g., \_).

Setting concept conditions


Use this task to narrow the focus of any content, network or session concept. Matches are reported only if certain conditions are met.
NOTE: Only User-Defined or custom concepts accept conditions.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Click on a concept.
3. Open a component.
• Use the Count category to set a number of objects that must be found before a match is reported.
• Use the Percentage Match category to define a percentage of objects that must be found before a match is reported.
• Use the Number of lines from the beginning category to define the number of lines within which an object must be found (starting from the beginning of a captured object) before a match is reported.
• Use the Number of bytes from the beginning category to define the number of bytes within which an object must be found (starting from the beginning of a captured object) before a match is reported.
• Use the Proximity category to define the relative proximity to a specified byte of an object before a match is reported.

NOTE: Imposing multiple conditions could cause conflicts. Consider carefully what the conditions will do before setting them.


6. Use the Condition, Value and Expressions fields to set the parameters of a condition.
7. Use the Advanced component to change the concept type only if the conditions you have set will apply to a different type of concept.
8. Click Save.
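The checksum validation step of Adding content concepts (an algorithm that discards pattern hits which do not verify) and the Count, Number of lines from the beginning and Number of bytes from the beginning conditions of this task can be modelled together in a few lines. The following Python is an added example, not McAfee code and not the DLP matching engine: it assumes the Luhn check as the checksum (the guide does not name the algorithm), uses a constructed 16-digit card-number expression written in Python regex syntax rather than the DLP dialect, and runs against a constructed captured object. Percentage Match and Proximity are not modelled.

```python
import re

# Constructed expression: 16 digits in four groups separated by a space,
# a hyphen or nothing. Python regex syntax, not the DLP expression dialect.
CCN_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn check-digit validation (assumed here as the checksum that is run
    when a concept hits; results that fail it are discarded)."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_matches(text: str, validate: bool = True):
    """Return (offset, matched_text) pairs for every pattern hit.
    With validate=True, hits that fail the checksum are dropped."""
    hits = []
    for m in CCN_PATTERN.finditer(text):
        if validate and not luhn_ok(m.group()):
            continue
        hits.append((m.start(), m.group()))
    return hits


def _offset_after_lines(text: str, n: int) -> int:
    """Character offset just past the first n lines (equals the byte offset
    for ASCII text), or the end of the text if it has fewer lines."""
    pos = 0
    for _ in range(n):
        nl = text.find("\n", pos)
        if nl == -1:
            return len(text)
        pos = nl + 1
    return pos


def concept_hits(text, validate=True, count=1,
                 lines_from_beginning=None, bytes_from_beginning=None):
    """Report a match only if the conditions hold: at least `count` validated
    hits, each starting within the first N lines and/or first N bytes."""
    matches = find_matches(text, validate)
    if lines_from_beginning is not None:
        limit = _offset_after_lines(text, lines_from_beginning)
        matches = [m for m in matches if m[0] < limit]
    if bytes_from_beginning is not None:
        matches = [m for m in matches if m[0] < bytes_from_beginning]
    return len(matches) >= count


# Constructed sample captured object. 4111 1111 1111 1111 and 5500 0000 0000 0004
# are well-known checksum-valid test numbers; 1234 5678 9012 3456 fails Luhn.
SAMPLE_OBJECT = (
    "Subject: invoice\n"
    "Hi, please charge card 4111 1111 1111 1111 for order 7781.\n"
    "Reference 1234 5678 9012 3456 is an order id, not a card.\n"
    "Backup card: 5500-0000-0000-0004\n"
)

if __name__ == "__main__":
    print("raw pattern hits:", [m for _, m in find_matches(SAMPLE_OBJECT, validate=False)])
    print("after checksum:  ", [m for _, m in find_matches(SAMPLE_OBJECT)])
    print("count>=2 within first 2 lines:",
          concept_hits(SAMPLE_OBJECT, count=2, lines_from_beginning=2))
```

The checksum step is what turns the order id on line 3 from a hit into a discarded result, and the line and byte conditions then decide whether the surviving hits are close enough to the start of the object to count; combining several conditions narrows the match exactly as the NOTE above warns, so check what each one removes before saving them together.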

Applying concepts to rules


Use this task to apply a content concept to a rule. Whenever the rule runs, the pattern identified in the concept will find matches in captured data.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Open a related policy and click on a rule.
3. If you want the rule to run independently of its policy, set its Inherit State to Disabled.
TIP: This is especially useful for trying out rules before they are implemented with the other rules in the policy.
4. Open the Content category.
5. Select Concept from the first menu.
6. Select is any of from the second menu.
7. Click "?".
8. Select one or more concept categories from the popup menu.
TIP: Open a concept category to select one or more concepts in the category.
9. Click Apply.
10. Click Save.
11. Wait for the rule to run, then go to Incidents to view the result.
TIP: If you can't find a relevant incident, group by policy and rule to filter results. You can set up an action rule to notify you when there is a hit.

Using regular expressions in concepts


When you build concepts using regular expressions, use only the syntax supported by DLP.


Expression   Definition
\n           line feed
\r           carriage return
\f           form feed
\b           backspace
\a           bell
\t           tab
\k           disables Perl/POSIX set range restrictions
\K           enables Perl/POSIX set range restrictions
\0xN         the hex ASCII character equivalent to N
\nnn         the octal character of value nnn
\d           digit 0-9
\D           not digit 0-9
\c           any alpha A-Z or a-z
\C           not any alpha A-Z or a-z
\w           any alphanumeric \c or \d
\W           not alphanumeric ^\w
\s           any space [\ \f \n \r \t]
\S           not any space ^\s
\p           any space or field delimiter [\ -\\ :-@ \[- {-~ ]
\P           not any space or field delimiter ^\p
\i           case sensitivity off
\I           case sensitivity on
[]           character sets, e.g. [3-6a-c] = 3,4,5,6,a,b,c
x-y          character ranges, e.g. T-X = T,U,V,W,X
^            invert, e.g. ^\0x0 is all characters except NULL
\            literal backslash (transforms metacharacters into ordinary characters). Examples: \\ \. \& \[ \] \<space> \* \+

Restoring factory concepts


If you have accidentally written over an original concept, use this task to restore it to its original state.
NOTE: Only the original list of concepts under the User-Defined tab can be restored. Custom concepts cannot be recovered. Concepts listed under the Factory Default tab cannot be edited, so they need not be restored.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select one or more concepts.
3. Select Restore Default from the Actions menu.

Editing concepts
Use this task to modify the parameters of a concept. For example, you might want to remove one of the expressions used in a content concept if it generates false positive results.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Click a concept.
3. Modify one or more parameters.
4. Click Save.

Deleting concepts
Use this task to delete more than one concept.
NOTE: Factory Default templates cannot be deleted.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Concepts.
2. Select one or more concept checkboxes.
3. Select Delete from the Actions menu.

Using templates
How templates are used
Templates contain collections of elements that save time when searching, creating rules, or building capture filters. They eliminate the need to enter the same values repetitively. For example, when you search for data containing source code of any type, you might use the Source Code template. Similarly, to find data containing images, you might use the Common Image Files template. TIP: You can use any of the standard templates, or you can add your own custom templates to the list under Policies | Templates.

Adding templates
Use this task to add a template to save time on repetitive or complex searches.
TIP: You can use a template to create a name for a range of IP addresses so you can refer to them as a group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.
2. Select Add Template from the Actions menu.


3. Type in a name.
4. Type in a description (optional).
5. Open Construction.
6. Select an element from the first menu.
7. Select a condition from the second menu.
8. Click "?". If no popup menu launches, type a string into the values field.
9. Click Save.
NOTE: When a template element is used in a search or rule, a list of available templates pops up from the "?" at the end of the values field. Each category may pop up a different set of templates, and more than one can be used at a time.

Viewing standard templates


All templates, including the ones you created and added to those included with the DLP devices, are listed on the Templates page. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.
TIP: Open any template to learn to construct one of your own.

Removing a template from a rule


Use this task to remove a template that has been applied to a rule or filter.
NOTE: This task does not remove the template. Templates that are attached to rules or capture filters cannot be removed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies.
2. Click on the rule or filter to which it is attached.
3. Click on the red minus icon to remove the element containing the template.
4. Click Save.
TIP: To delete templates one by one, click the trash can icons.

Deleting templates
Use this task to delete templates one by one, or as a group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Policies | Templates.
2. Click the box of one or more templates.
3. Select Delete from the Actions menu.
4. Click Confirm or Cancel.
TIP: To delete templates one by one, click the trash can icons.


Using the case management system


How case management works
Assigning incidents with common attributes to a single case allows employees to collaborate to resolve them more quickly. Each staff member involved can focus on a single attribute to advance the resolution of the case. For example, a case that contains emailed evidence might be assigned to members of a legal team, who might develop it so that it can be used in court. Each member of that team might add notes and citations, change status and priority, notify stakeholders, or redirect the case to another user who may be able to add information.
NOTE: Case dashboards display information based on organizational responsibilities. For example, Human Resources personnel might see Acceptable Use violations, but not SOX compliance issues.

Collecting credit card violations in a case


If credit card violations are being detected on a regular basis, start a case with the first few, then add others as they come in.
NOTE: A privacy policy must be installed to produce the credit card violations.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management and select one or more incidents.
2. From the Actions menu, select Assign to Case | New Case.
TIP: If a case has already been opened, select Existing Case.
3. Type a name into the Headline field.
4. Type in one or more Keywords.
5. Set an Owner for the case (for example, Compliance:group).
6. Set the Resolution status (for example, Under Investigation).
7. Select the Notify Owner checkbox (optional).
8. Select the Notify Submitter checkbox (optional).
9. Select a Status (for example, In Progress).
10. Select a Priority (for example, Urgent).
11. Add a note (optional), for example, Visa and MasterCard numbers found.
12. Click Apply.

Adding a new case


Use this task to add a new case to contain incidents that have not been detected yet.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. From the Actions menu, select New.
3. Type in a Headline.


4. Select an Owner.
5. Select a Resolution state (optional).
6. Select a Status (optional).
7. Select a Priority (optional).
8. Type in one or more Keywords.
9. Check the Notify Submitter box (optional).
10. Check the Notify Owner box (optional).
11. Type in Notes (optional).
12. Click Apply.
NOTE: No more than 100 incidents can be added to a case at one time.

Using incidents to create a case


Use this task to create a case from one or more incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Check one or more incident boxes.
NOTE: No more than 100 incidents can be added to a case at one time.
3. From the Actions menu, select Assign to Case | New Case.
4. Type in a Headline.
5. Select an Owner.
6. Select a Resolution state (optional).
7. Select a Status (optional).
8. Select a Priority (optional).
9. Type in Keywords.
10. Check the Notify Owner box (optional).
11. Check the Notify Submitter box (optional).
12. Type in Notes (optional).
13. Click Apply.

Adding incidents to an existing case


Use this task to add an incident to an existing case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Incidents.
2. Select one or more incidents.
3. From the Actions menu, select Assign to Case or Existing Case.
4. After completing the assignment, click on the Assign link of the case to view the case details.
TIP: If you cannot see the Assign link on the right, expand your dashboard.


5. Click Apply.
NOTE: No more than 100 incidents can be added to a case at one time.

Adding comments to a case


Use this task to add a comment to a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select a case.
3. Click the Details icon.
4. Type text into Add Notes.
5. Click Apply.

Notifying users about a case


Use this task to send notification of an action taken to the submitter or owner of a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Click the Details icon.
3. Check the Notify Submitter or Notify Owner boxes.
4. Click Apply.

Changing ownership of cases


Use this task to reassign the case to another user or group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Owner menu, select a new or existing user. If the owner you want to select is not listed, add the new user or user group, then return to the case.
TIP: To notify the owner or originator by email, select the Notify Owner or Notify Submitter box.
4. Click Apply.

Changing resolution of cases


Use this task to change the state of resolution of a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Resolution menu, select a new status.
TIP: To notify the owner or originator by email, select the Notify Owner or Notify Submitter box.


4. Click Apply.

Changing status of cases


Use this task to change the status of a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Status menu, select a new status.
TIP: To notify the originator by email, select the Notify Submitter box.
4. Click Apply.

Customizing Case List columns


Use this task to add or remove Case List columns on the dashboard.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. From the Options menu, select Customize columns.
3. Use the Add and Remove buttons to move Available columns to the Selected box.
4. Use the Move buttons to move Selected column headers up or down.
TIP: If you cannot see the Move buttons, expand your dashboard.
5. Click Apply.

Customizing case notifications


Use this task to set up notifications of changes in a case. For example, the case owner might set up a daily status update notification to himself and the submitter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select one or more cases.
3. From the Options menu, select Customize Case Config.
4. Select checkboxes to automatically send email to the Submitter or Owner when the case is updated.
TIP: Set up a daily email reminder to those responsible for new or pending cases.
5. Select radio buttons to set a standard interval, or add items from the weekly and monthly menus to add more specific parameters.
6. Click Save.

Exporting cases
Use this task to save a case to the Exported Cases list.

NOTE: Exported cases can be downloaded to local computers. There are no limits on the number of incidents that can be exported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select one or more case checkboxes, or export a single case by clicking its Export icon.
TIP: Click the box in the column header to Select All cases.
3. From the Actions menu, select Export Selected Cases.
4. Click OK to verify export. The case will appear in the file list under Exported Cases.
5. Click on the exported case link to open or save it.

Managing case permissions


If you are an administrator, you can control access to cases so that they can be seen and processed only by authorized users.
NOTE: Users who create cases are automatically allocated all three permissions (Read, Write and Delete), but if the case owner is changed, those permissions are lost.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Click the Details icon of the case.
3. Scroll down to the Options menu and select Permissions.
4. Select the Read, Write and Delete boxes corresponding to the assignment of the case to users and groups.
5. Click Apply.
NOTE: Global permissions that are set under DLP Sys Config | System | User Administration | Groups | Details | Task Permissions | Case Permissions take precedence over cases configured individually. If there is a conflict between permissions assigned under an individual case and those that are assigned globally, global group permissions take precedence.

Example:
If Lee has a need to know about a case and he has been given read access, case information might display on his DLP Homepage, but the Apply, Save, Delete or Assign buttons will not display because he is not allowed to take those actions.

Example:
If Juan is given responsibility for a group of legal cases, an administrator might assign Read and Write but not Delete privileges. All menus and buttons except the Delete icon will be available to him.
NOTE: When Write permission is assigned, Read permission is implicit.

Reprioritizing cases
Use this task to reprioritize the severity of a case.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. From the Priority menu, select a new severity.
TIP: To notify the originator by email, select the Notify Submitter box.
4. Click Apply.

Deleting an incident from a case


Use this task to delete an incident from a case.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Select the Details icon of the case.
3. Inside the case, select an incident box.
4. Select Delete from the Options menu.
TIP: If you cannot see the link, expand your dashboard.
5. Click Apply.

Deleting cases
Use this task to remove a case from the Case List.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Reporting | Case Management.
2. Click the Delete icon.
TIP: If you cannot see the icon, expand your dashboard.

Managing DLP systems


Managing the system
All DLP setup, configuration and management tasks are handled by DLP Manager, which coordinates all DLP systems. Managed devices may include the DLP product appliances (Monitor, Discover, Prevent) and servers (DHCP, LDAP, NTP, DLP Host and syslog) that provide added functionality. If you have the proper administrative permissions, you can monitor and manage your DLP systems from the System Administration dashboard.

Configuring DLP devices
Configuring DLP devices
Use this task to reconfigure any DLP device.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Click the configure link of the device to be configured.
3. Change parameters on the System Configuration page.
4. Click Update after each change is made.
TIP: If you are on a standalone appliance, you can click on Setup Wizard to review all settings. If the setup is not changed, you can select Cancel to leave the Setup Wizard and go directly to the dashboard.

Adding devices to DLP Manager


Use this task to add a DLP appliance. This process creates an SSH communication tunnel between DLP Manager and the DLP appliances. The CPU usage indicates that registration tasks are being performed. DLP Manager does not display any CPU activity, because it serves only as a collection point for the data. Other machines are capturing and indexing data, and the processor indicates the CPU utilization. It should not go over 70-80%. On some networks you can choose a port configuration. The DLP appliance is a Gigabit network device, so bringing it down is possible.
NOTE: Adding a Network DLP appliance wipes the current configuration of that machine, but captured data, cases and incidents will not be lost. Unless you have previously deployed policies to All Devices, you will have to edit them to add the device.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select New Device from the Actions menu.
3. Type in the IP address and password.
NOTE: The user account used for association is root. It is recommended that you change the root password on the appliance before adding it to Network DLP Manager. If you change the IP address, the network service needs to be restarted. Stingray will automatically restart the box to register the change. The Add Device page is also used to add a Host DLP server. Several fields are not available until the DLP Host Server box is checked.
4. Click Add.
5. Click OK to confirm or cancel registration.
6. Wait for the Status icon in the device list to turn green.
TIP: If registration seems to be taking a long time, try refreshing the page.

Adding Host DLP servers to DLP Manager


Use this task to add a DLP Host server to DLP Manager.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Check the DLP Host Server box.
3. Select a Host DLP Version.
NOTE: Version 3.0 is required to use Host and Network DLP separately in the ePO interface.
4. Type in the IP or host name and password.
5. Type in the database port, user, and database names.
6. Type in the ePO database, IP address, user name and password, and port.
7. Click Add.
8. Click OK to confirm or cancel registration.
9. Wait for the Status icon to turn green.
TIP: If registration seems to be taking a long time, try refreshing the page.

ePO installation issues


In this release, Host and Network DLP are integrated in an ePO 4.5 framework or in a Linux-based configuration. For more information, download the McAfee Installation Guide for DLP 9.0 on ePO 4.5 from the ServicePortal.
NOTE: If the ePO 4.5 server loses connection to the database, you cannot use https://servername:port/core/config to reconnect the ePO 4.5 server to the database. Refer to KB66320 in the McAfee Knowledgebase for more information.

Changing link speed


If DLP is installed on a network that supports devices that have specific speed and duplexing requirements, DLP Monitor might not be able to auto-negotiate traffic to capture interfaces. Use this task to change link speed to accommodate existing hardware.
NOTE: Depending on your network configuration, you might have to replace your standard Ethernet cable with one that is appropriate for your network.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select a device from the list.
3. Click on the Configure link.
4. Select link speeds for each capture interface from the Speed and Duplex menus.
5. Click Update. A notification message will launch to verify the change.

Managing disk space


The Reconnex file system (RFS) divides the DLP Monitor disk into partitions.
• Capture partitions hold all the content captured, which is organized by type.
• Non-Capture partitions contain the operating system and the results partitions (A-Z), which fill sequentially.

Use this task to get a complete report of disk space, including information about partitions and volumes.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select the More link of the device.
3. Under Utilities | Application Information, click on Disk Usage.
NOTE: Space-based wiping is the default policy. It erases the earliest results after 80% of the disk is used. When that threshold is reached, the system erases data to the 70% watermark.

Backing up DLP systems
Use this task to create a backup archive to ensure that configuration files, users, logs and cases are not lost during system operations.
TIP: Back up whenever there is a change in content or configuration. After 30 days or 150,000 incidents, the oldest incidents are lost, and if a managed mode device is deregistered, all incidents are lost.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Backup.
2. Type in the Remote Host Name of an external storage device.
NOTE: Only Linux devices are supported. Microsoft Windows computers have not been tested.
3. Type in the user name and password required to log on to that machine.
4. Browse to the directory that will receive the backup.
5. Select the Port to be used to connect to the remote host.
6. Click Backup.
NOTE: The local archive filename will be made up of a date and backup number (for example, 200910301346). But on the Remote Host and other DLP devices, the filename will also include the FQHN (fully-qualified host name) and device type (inSight = Manager, iGuard = Monitor), followed by date_backup#.tar.
Example:

abc-123.lab.company.net-inSight-20091030-1346.tar

TIP: Refresh the File List and select the archive with the latest date and highest backup number. You will be able to verify the build number after extraction.

Archive contents
• Active configuration files (policies, rules, action rules, concepts, templates, network and content capture filters, DHCP settings, schedules, task definitions and credentials)
• Local and Active Directory users
• Network settings
• User Action Logs
• Cases

Depending on the volume of data to be backed up, processing time might be lengthy. When the process is complete, email is sent to the address in the user's profile, and the file list is populated with the name of the new archive.

Restarting DLP systems
Use this task to restart, shut down or reboot any of the McAfee Network DLP appliances or services.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select More for the device you want to restart or shut down.
3. Scroll down to the bottom of the Utilities window.
4. Select the appropriate link.

Deregistering devices from DLP


If you have to re-synchronize a timed-out system, overwrite an older configuration, or register a device to a different DLP Manager, you might have to use this task to deregister a device.
NOTE: If the device is to be reconfigured as a standalone system, you must reinstall it.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices.
2. Select More.
3. Scroll down and select Deregister Device.
4. Click confirm or cancel.
NOTE: Because the messaging service must be restarted whenever a device is deregistered, you might get a login error message like "could not connect to service" before you can log in again. If so, the messaging service will generally be back up in 1-3 minutes.
5. Confirm that the deregistered device has been removed from the list.

Adding servers to DLP systems


Configuring servers with DLP systems
DLP systems support several different types of servers that extend their functionality. Enterprise DLP configurations usually have DHCP, DNS and LDAP (Active Directory) services configured, as well as connections to mail, NTP and syslog servers. McAfee Logon Collector must also be installed if Active Directory servers are to be supported. These connections can be made from the DLP Manager interface, or from the DLP ePO frame-in. If the applications are set up to work through ePO, Host DLP and McAfee Agent will also have to be installed.
• Adding a DHCP server supports accurate resolution of the sources and destinations of network transmissions.
• Adding an LDAP server supports integration with existing user systems, enables notification of users, and authenticates user accounts. DLP supports Microsoft Active Directory LDAP services. McAfee Logon Collector can be configured with DLP Manager to resolve user identities by retrieving collections of user account information from all Active Directory servers that have been added to the DLP system.
• Adding a Host DLP server supports integration with ePO.
• Syslog servers receive DLP error messages.
• NTP servers make it possible to synchronize DLP systems.

Setting up DHCP services


Using DHCP servers with DLP
DLP systems can accurately resolve the sources and destinations of network transmissions by using DHCP services. A DHCP server must be added to the system to provide those services.
NOTE: Senders and receivers can be easily identified if they have static IP addresses, but dynamic addresses are more commonly used. Because they change frequently, it is often difficult to pinpoint the sources and destinations of transmissions. The DHCP server automatically assigns an IP address from an appropriate pool of addresses to the clients connecting to the system. The server then extracts, parses and loads log files to resolve the address to a host name, and the information is passed along to the DLP system.

Adding DHCP servers


Use this task to set up DLP to get location information about incidents that have been flagged by the DLP capture database.
NOTE: DHCP servers are used by most ISPs to assign dynamic addresses to the hosts they administer. Because dynamic addresses expire at specified times, hosts using them can be tracked only through DHCP server records.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers.
2. From the Actions menu, select Add DHCP.
3. Type in a name for the server. Typing in a description is optional.
4. Select the Server Type. Internet Systems Consortium, Solaris and Microsoft Windows types are supported.
5. Select an Access Mode to retrieve directory information, get and put log files, and perform related transfer tasks. The access mode determines the method of transfer.
NOTE: SMBClient access mode is supported only for Windows Server.
6. Type in the IP address, domain name, user name, and password to log on to the server.
7. Type in the Folder name, if needed.
8. Add the File Pattern name to enable DHCP logging.
NOTE: The DHCP log file name depends on the DHCP server operating system. DhcpSrvLog is a Windows file name pattern. Use dhcpd* for ISC and Solaris DHCP logs (dhcpd.leases). Matching this pattern enables DHCP logging. For the SMB client, 'mget DhcpSrvLog*' can be used from the SMB prompt to link to Windows files such as DhcpSrvLog-Wed.log or DhcpSrvLog-Sun.log. For SCP or SFTP, use /var/state/dhcp/dhcpd.leases or /var/state/dhcp/dhcpd*.
9. Set a Lease expiration interval to determine when IP addresses will be reassigned. The interval must be set because some DHCP servers (Windows) do not put the expiration time in the logs.
10. Set the Frequency to indicate how often the server should be polled to pull down new information.
11. Check the boxes of devices to be connected to the DHCP server.
12. Click Save.
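How the collected lease records turn an incident's IP address back into a host name, as an added example that is not McAfee code: it handles the two layouts named above, ISC dhcpd.leases (which logs lease start and end) and the Windows DhcpSrvLog audit log (which does not, so the configured lease expiration interval decides when a record stops applying). The lease records, the `lookup` helper and the eight-hour interval are constructed for the example.

```python
"""Resolve an IP address to a host name at a point in time from DHCP records."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in dhcpd.leases layout (matches the dhcpd* file pattern).
# The same address is handed to two different hosts on consecutive days.
ISC_LEASES = """
lease 172.16.0.50 {
  starts 3 2009/10/28 14:02:11;
  ends 3 2009/10/28 22:02:11;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-laptop";
}
lease 172.16.0.50 {
  starts 4 2009/10/29 08:15:00;
  ends 4 2009/10/29 16:15:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "bob-desktop";
}
"""

# Constructed sample in DhcpSrvLog-*.log layout:
#   ID,Date,Time,Description,IP Address,Host Name,MAC Address
# where ID 10 is a new lease and 11 a renewal. No expiry time is logged.
WINDOWS_LOG = """\
10,10/28/09,09:00:00,Assign,172.16.0.51,carol-pc.example.net,0011AABBCCDD
11,10/28/09,13:00:00,Renew,172.16.0.51,carol-pc.example.net,0011AABBCCDD
"""


@dataclass
class Lease:
    ip: str
    host: str
    start: datetime
    end: datetime


_ISC_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
_ISC_FIELD = re.compile(r"^\s*([\w-]+)\s+(.*?);", re.M)


def _isc_time(value: str) -> datetime:
    """'3 2009/10/28 14:02:11' -> datetime; the leading digit is the weekday."""
    _weekday, stamp = value.split(" ", 1)
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")


def parse_isc_leases(text: str) -> list[Lease]:
    """Parse dhcpd.leases; only active bindings with a host name are usable."""
    leases = []
    for ip, body in _ISC_BLOCK.findall(text):
        fields = dict(_ISC_FIELD.findall(body))
        if fields.get("binding") != "state active" or "client-hostname" not in fields:
            continue
        leases.append(Lease(ip, fields["client-hostname"].strip('"'),
                            _isc_time(fields["starts"]), _isc_time(fields["ends"])))
    return leases


def parse_windows_log(text: str, lease_interval: timedelta) -> list[Lease]:
    """Parse DhcpSrvLog lines; expiry = event time + the configured interval."""
    leases = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 7 or parts[0] not in ("10", "11"):
            continue  # not a lease assignment or renewal event
        start = datetime.strptime(f"{parts[1]} {parts[2]}", "%m/%d/%y %H:%M:%S")
        leases.append(Lease(parts[4], parts[5], start, start + lease_interval))
    return leases


def resolve(leases: list[Lease], ip: str, at: datetime) -> str | None:
    """Host name holding `ip` at time `at`, or None if no lease covers it.

    Among overlapping records the most recently started one wins, because a
    renewal supersedes the assignment it extends.
    """
    live = [l for l in leases if l.ip == ip and l.start <= at < l.end]
    return max(live, key=lambda l: l.start).host if live else None


def lookup(ip: str, when: str, lease_hours: int = 8) -> str | None:
    """Resolve `ip` at 'YYYY-MM-DD HH:MM' against the constructed samples."""
    records = parse_isc_leases(ISC_LEASES) + parse_windows_log(
        WINDOWS_LOG, timedelta(hours=lease_hours))
    return resolve(records, ip, datetime.strptime(when, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    print(lookup("172.16.0.50", "2009-10-28 15:00"))  # alice-laptop
    print(lookup("172.16.0.51", "2009-10-28 18:00"))  # carol-pc.example.net
```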

Setting up directory services


Using LDAP servers with DLP
DLP products use Lightweight Directory Access Protocol services to integrate with existing user systems, authenticate user accounts, extend notification to users by role, and support other objects that might be imported from an LDAP server. DLP supports Microsoft Active Directory LDAP services. Importing multiple user accounts is a common task that is made possible by adding an Active Directory server to DLP Manager. If customized attributes are added to the directory database, the information in those fields will automatically populate the default user fields on the DLP dashboards.

Adding Active Directory servers


Use this task to add a Microsoft Active Directory (LDAP) server to DLP.
NOTE: The server must be configured before adding users to the system.
Sample Configuration
LDAP Label: myserver
Domain:
Authorization Server: abc.example.net
Server Port: 389
Timeout (sec): 3
Retries (sec): 3
LoginID Attribute: samaccountname
Login DN: admin or username
Password: ******
Confirm Password: ******
Base DN: dc=example,dc=net
Limit Search Results to: 20

NOTE: Although more than one LDAP server can be added from the user interface, multiple LDAP servers require ip2user mapping, which is not currently supported.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | Directory Services.
2. Select Create Directory Server from the Actions menu.
3. Type in a label to identify the LDAP server.
4. Type in the domain of the LDAP server (optional).
NOTE: If you use this option, you must log in to an administrative account on the LDAP server. The system will then query the Domain Name Server to find the domain controller for the Active Directory domain.
5. If you are not using the LDAP domain server name, type in the name or IP address of the authorization server. If you are using SSL to encrypt the connection, you must enter the FQDN cited in the uploaded certificate (see below).
NOTE: Unlike the LDAP server domain name, you can use any valid account that has permission to read from the LDAP server (an administrative account is not necessary). If you have already entered the domain name of the LDAP server in the previous step, any information you enter here will be ignored.
6. Type in the port to be used for the connection.
7. Set intervals for connection timeouts and retries (in seconds).
8. Type in the LoginID attribute. Use samaccountname to retrieve user names from the server.
9. Type in the user name. Use an administrative account whose password does not expire to maintain the connection, but a non-administrative account name is acceptable when using an authorization server.
10. Identify the local domain components (for example, dc=mydomain,dc=com).
11. Type in the number of records you want to retrieve at one time. Before entering a value higher than 10, consult the administrator of the Active Directory server to find out how many records can be served per request.
12. Check the SSL box to encrypt the connection and enable LDAP over SSL (LDAPS).
NOTE: A secure connection is not required, but is strongly recommended. Accept any available certificate, or select one by uploading it. If you take this step, you must find the FQDN name of the authorization server in the encrypted file by logging in to the back end of the DLP appliance and running the following command:

# openssl x509 -noout -in <filename>.cer -subject

The FQDN will be returned in reverse order:

subject= /DC=net/DC=reconnex/CN=tyche

Read from right to left to get the name of the authorization server:

tyche.reconnex.net

13. Type the name into the authorization server name field.
14. Select a Scope to set the directory depth to be accessed on the server.
15. Click Apply.
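The "read from right to left" step done programmatically, as an added example that is not part of the McAfee guide: it rebuilds the FQDN from the subject line the openssl command prints and checks that the name typed into the authorization server field matches the certificate. It goes slightly beyond the guide by also accepting the comma-separated subject form newer OpenSSL releases print; the `matches_authorization_server` and `subject_from_cert` helpers are assumptions of this example.

```python
"""Recover the authorization-server FQDN from an 'openssl x509 -subject' line."""
import re
import subprocess

# One relative distinguished name: slash- or comma-separated, optional
# spaces around '=' (old OpenSSL: /DC=net/CN=x; new: DC = net, CN = x).
_RDN = re.compile(r"(?:^|(?<=[/,]))\s*([A-Za-z]+)\s*=\s*([^/,]+)")


def subject_to_fqdn(subject_line: str) -> str:
    """'subject= /DC=net/DC=reconnex/CN=tyche' -> 'tyche.reconnex.net'.

    The subject lists the domain components most-significant first, so the
    host name is the CN followed by the DC values in reverse order.
    """
    line = subject_line.strip()
    if line.lower().startswith("subject"):
        line = line.split("=", 1)[1].strip()
    rdns = [(k.upper(), v.strip()) for k, v in _RDN.findall(line)]
    cns = [v for k, v in rdns if k == "CN"]
    dcs = [v for k, v in rdns if k == "DC"]
    if len(cns) != 1 or not dcs:
        raise ValueError(f"subject has no usable CN/DC components: {subject_line!r}")
    return ".".join([cns[0], *reversed(dcs)])


def matches_authorization_server(subject_line: str, typed_name: str) -> bool:
    """True when the name entered in the interface is the certificate's FQDN.

    DNS names compare case-insensitively; a bare host name or an IP address
    does not match, which is why the guide says an IP address will not work
    for an SSL connection.
    """
    wanted = subject_to_fqdn(subject_line).lower()
    return typed_name.strip().rstrip(".").lower() == wanted


def subject_from_cert(path: str) -> str:
    """Run the guide's command on a certificate file and return the subject line.

    Needs the openssl binary on the appliance; not used by the samples below.
    """
    result = subprocess.run(["openssl", "x509", "-noout", "-in", path, "-subject"],
                            check=True, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(subject_to_fqdn("subject= /DC=net/DC=reconnex/CN=tyche"))  # tyche.reconnex.net
```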

Adding LDAP Users
Use this task to add users after an LDAP server has been added to DLP Manager.
NOTE: LDAP users must be assigned to existing groups. If you have not yet decided on a user group design, review user group management.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | User Administration | Actions | Create LDAP User.
2. Select the LDAP host.
3. Retrieve one or more users using one of the following techniques.
• Enter an asterisk (*) to retrieve a list of all users on the server and select a radio button.
• Type in a known Login ID or user name.
• Use an asterisk (*) as a metacharacter to retrieve related users (for example, R* or *st*).
NOTE: User names containing special characters cannot be retrieved.
4. Click Find.
5. Click a radio button to select a user.
6. Select one or more groups from the Available groups for the new user and Add.
7. Click Apply.
NOTE: User permissions are assigned by membership in a user group. When permissions have been changed by addition or subtraction of membership in a group, users must log in again for the change to register.
8. Go to Incidents | My Views | Actions | Copy View to Users to copy over views available to new users.
9. Check the boxes of all views the new user should be able to see.
10. Pull down the Actions menu.
11. Select Copy View to Users.
12. Select one or more checkboxes of users who should see the selected views.
13. Click Apply.
To make changes to the user's status later, go to System | User Administration | Users and select the Detail icon of the user. For example, you can use the Action menu to Disable or Delete the user.

Configuring Active Directory servers for DLP


The LDAP RWL client works with directory services to enable retrieval of all LDAP data. Use this task to provide basic LDAP functions to DLP systems.
1. Log on to DLP Manager.
2. Get the integration files by typing the zip file location into the address bar.

https://<DLP_address>/activedir/ADintegration.zip

3. Save the zip file to your desktop.
NOTE: The rwl_client.exe file in this zip file has been changed in the 9.0 release. If you already have it installed on an 8.6 appliance, you must reinstall it.
4. Extract the two files from the archive to your desktop.
5. On the Microsoft Windows server desktop, go to Start | Administrative Tools | Active Directory Users and Computers.
6. Right-click on the domain name (currently reconnex.net) in the navigation bar.
7. Go to Properties | Group Policy | Default Domain Policy.
8. Select Edit.
9. Under User Configuration, click on Windows Settings | Scripts | Logon.
10. On the Scripts tab, click Show Files.
11. Drag the rwl_client.exe and logon.bat from your desktop to the Group Policy Object Editor window.
12. Right-click the logon.bat file.
13. Select Edit and Run.
14. After rwl_client.exe, type in the IP address of the DLP Manager or Monitor (if you are on a standalone machine).

Example

REM Substitute the following 'hostname.example.org' argument
REM with the hostname or IP address of your Monitor
rwl_client.exe iGuardHostname.reconnex.net

When the batch file gets executed, DLP Monitor is notified that a user has logged in.
15. Save.
16. Close the window containing the rwl_client.exe and logon.bat files.
17. Click OK on the Scripts tab of the Logon Properties dialog box.
18. Close the Group Policy Object Editor window.
19. Click OK on the Group Policy tab of the reconnex.net Properties dialog box.
20. Close the Active Directory Users and Computers window.
The next step is to add the server to DLP Manager.

Exporting certificates from Active Directory


Use this task to get a certificate from a Microsoft Active Directory server, export it, and add it in the DLP Manager interface. This process supports encryption of an LDAP connection. By default, LDAP traffic is transmitted unsecured, but using secure LDAP over SSL technology encrypts the connection.
1. Log in as either a member of the local Administrator security group for standalone computers, or as a member of the Domain Administrator security group for any computers that are connected to the domain.
2. Install the certificate on the Microsoft Windows server, which will install the server certificate on the Microsoft Active Directory server.
a. Click Start | Administrative Tools | Certificate Authority to launch the Microsoft Management Console.
b. Select the CA machine.
c. Right-click and select Properties.
d. From the General menu, click View Certificate.
e. Select the Details view.
f. Click the Copy to File button on the lower right corner of the window.
g. Use the Certificate Export Wizard to save the CA certificate in a file.
NOTE: Save the CA certificate in either DER Encoded Binary X.509 format, or Base-64 Encoded X.509 format.
3. Verify that SSL is enabled on the Microsoft Active Directory server (Microsoft Windows 2000 or Microsoft Windows 2003).
a. Ensure that Windows 2000 Support Tools (Windows Support Tools on Microsoft Windows 2003) is installed on the Microsoft Active Directory machine.
b. Find the suptools.msi setup program in the \Support\Tools\ directory on your Microsoft Windows CD.
c. Start the ldp tool. For Microsoft Windows 2000 systems, go to Start | Windows 2000 Support Tools | Tools | Active Directory Administration Tool. For Windows 2003, go to Start | Windows Support Tools | Tools | Command Prompt.
4. Select Connection | Connect from the ldp window.
5. Type in the host name and port number (secure port 636 is required). If the connection is successful, a window will be displayed listing information related to the Microsoft Active Directory SSL connection. If it is unsuccessful, restart your system and repeat the procedure.

How ADAM servers extend DLP Manager


DLP products now enable retrieval of information from Microsoft Active Directory Application Mode servers. ADAM allows DLP to access objects in customized database schemas by modifying its default attribute mappings to recognize the names of equivalent fields. Use of a Certificate Authority supports secure transmissions through LDAPS or HTTPS. Verification can be disabled by selecting Accept Any Certificate when adding the server.
NOTE: Whenever SSL communication is requested, the hostname should be the name of the server with the domain clearly specified. An IP address will not work.

Mapping LDAP directory attributes


Use this task to map the customized user attributes of an LDAP directory server to the Network DLP defaults.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | DHCP Servers | Directory Services.
2. Click on Edit.
3. Type the new attribute names into the Directory Server Mapping Attributes fields.
4. Click Apply.
Default Attribute Mappings
UserName=cn
UserID=sAMAccountName
UserTitle=title
UserCompany=company
UserDepartment=department
UserCity=givenName
UserZipcode=postalCode
UserCountry=countryCode
UserManager=manager
UserGroups=memberOf
UserEmail=proxyAddresses
NOTE: When an incident is reported to the dashboard, user attribute columns will contain the information found in the corresponding fields on the existing LDAP server.

Setting up McAfee Logon Collector


Using McAfee Logon Collector with DLP
Before MLC can be used with DLP, an Active Directory server must be added to DLP Manager. Then secure communications must be established between DLP and MLC. Use the following tasks in this sequence to complete the SSL connections.
1. Export a certificate from MLC.
2. Import the MLC certificate into DLP Manager.
3. Export a certificate from DLP.
4. Import the DLP certificate into MLC.
5. Restart MLC.
After these steps are complete, secure communications between DLP and MLC are enabled, and data on Active Directory servers is available for searching and rule construction.

Authenticating DLP Manager and MLC


Use this task to connect DLP to a McAfee Logon Collector so that certificates can be exchanged, authenticating each to the other. When the process is complete, an SSL connection will be set up between them.
1. Open a web browser and log in to the MLC.
2. In ePolicy Orchestrator, go to Menu | Configuration | Server Settings | Identity Replication Certificate.
3. Scroll to the bottom of the page.
4. Highlight and copy all text in the Base 64 field.
5. Open a web browser and log in to the DLP Manager.
6. Go to System | Directory Services.
7. Select Add a McAfee Logon Collector from the Actions menu.
8. Type in the IP address of the MLC.
9. Click the paste radio button and paste the text into the box.
TIP: Save this Base 64 data to a text file on your desktop so you can re-use it.
10. Click Apply.
11. Click Export to save the Network DLP certificate to your desktop.
12. Open a web browser and type in the address of the McAfee Logon Collector.
13. Go to Menu | Configuration | Trusted CA.
14. Click New Authority.
15. Browse to the netdlp_certificate.cer file you saved to your desktop.
16. Click Open.
17. Click Save. This adds the DLP Manager to MLC.
18. Open a Remote Desktop session on the MLC server.
19. Shut down and restart the MLC server. The connection is now complete.

Setting up syslog and time servers


Using syslog and time servers with DLP
You will need an NTP server on your network to synchronize the DLP devices and servers. A syslog server is not required, but does not require setup and can be useful for managing the system.

Connecting to syslog servers


If a syslog server is installed on the network, DLP automatically sends messages about significant events in the following format. The health of the box as well as the rule hits are automatically transferred to the syslog server.

Jul 7 15:38:18 172.16.0.50 RTS:CEF:0|McAfee|Monitor|3.2|-testrule1|3|cs1=-chein-prevent cs1Label=policies cn1=1 cn1Label=MatchCount src=51.0.16.172 dst=53.0.16.172 spt= 5281 dpt= 25 suser= duser=cs2="testing" cs2Label=Subject filename="specscdrom.pdf"

Message Structure and Format
Date: Date the event was logged
HostName: Name or IP address of the machine that logged the event
Component: Component or Process that generated the alert
Format: Format version of the syslog output
Device Vendor: Vendor name
Device Product: Manager, Monitor, Discover or Prevent
Device Version: Product version
Rule: Search rule
Severity #: Critical, High, Medium, Low, Informational
Policy: Policy name
Policy label: Type of object
Match Count: Matches found
Match Count Label: Type of object
Source IP: Source IP address
Destination IP: Destination IP address
Source Port: Source port
Destination Port: Destination Port
Source user name: Source user name
Destination name: Destination user name
Email subject: Email subject
File name: File name

NOTE: Syslog servers are automatically recognized if they reside on the same network as DLPdevices; no special connection is needed.
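A parser for the message format above, as an added example that is not McAfee code: it maps the sample line onto the field names of the message-structure table, resolves the cs1/cn1 keys through their *Label companions, and keeps the sample's irregularities (a space after spt= and dpt=, and the empty duser= run straight into cs2=), which a naive split on spaces and '=' would mis-assign. The parsing functions and field names of the returned dict are this example's own.

```python
"""Parse the CEF-over-syslog messages DLP sends to a syslog server."""
import re

# The message shown in the guide, reproduced character for character.
SAMPLE = ("Jul 7 15:38:18 172.16.0.50 RTS:CEF:0|McAfee|Monitor|3.2|-testrule1|3|"
          "cs1=-chein-prevent cs1Label=policies cn1=1 cn1Label=MatchCount "
          "src=51.0.16.172 dst=53.0.16.172 spt= 5281 dpt= 25 suser= "
          'duser=cs2="testing" cs2Label=Subject filename="specscdrom.pdf"')

# syslog prefix: date, host name, then Component:Format (e.g. RTS:CEF:0)
_PREFIX = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(\w+):(CEF:\d+)$")
# An extension key starts the string or follows whitespace or a previous
# '=' (the sample has 'duser=cs2=...', an empty value followed by a key).
_KEY = re.compile(r"(?:^|(?<=[\s=]))(\w+)=")


def parse_extension(ext: str) -> dict:
    """Split 'k=v k2=v2 ...' where values may be empty, quoted or padded."""
    hits = list(_KEY.finditer(ext))
    fields = {}
    for i, hit in enumerate(hits):
        # the value runs from this '=' up to the start of the next key
        stop = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        value = ext[hit.end():stop].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[hit.group(1)] = value
    return fields


def resolve_labels(fields: dict) -> dict:
    """Rename cs1/cn1-style keys to the names their *Label companions give."""
    out = {}
    for key, value in fields.items():
        if key.endswith("Label"):
            continue
        out[fields.get(key + "Label", key)] = value
    return out


def parse_message(line: str) -> dict:
    """Map one syslog line onto the guide's message-structure fields."""
    parts = line.split("|", 6)
    if len(parts) != 7:
        raise ValueError("expected six '|'-separated header fields before the extension")
    prefix = _PREFIX.match(parts[0])
    if prefix is None:
        raise ValueError(f"unrecognised syslog prefix: {parts[0]!r}")
    event = {
        "date": prefix.group(1),
        "host": prefix.group(2),
        "component": prefix.group(3),
        "format": prefix.group(4),
        "vendor": parts[1],
        "product": parts[2],
        "version": parts[3],
        "rule": parts[4],
        "severity": parts[5],
    }
    event.update(resolve_labels(parse_extension(parts[6])))
    return event


if __name__ == "__main__":
    for name, value in parse_message(SAMPLE).items():
        print(f"{name}: {value!r}")
```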

Correcting system time in the interface


If an error message is displayed when logging in, you might be able to use this task to resynchronize DLP appliances with the server.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config. Click on the configure link for the local system.
2. On the System Configuration page, scroll down to Time Configuration.
3. Select the Manual radio button.
4. Enter the correct time and date.
5. Select Update.
6. Click Logout.
7. Click Login.
If this doesn't work, log in to the back end as root and reset the time from the DLP Monitor command line.

Resetting system time manually


Use this task to stop and restart the NTP service before resetting the time manually.
1. Stop the NTP daemon.

# service ntpd stop
# chkconfig --level 2345 ntpd off

2. Restart the NTP daemon.

# service ntpd start
# chkconfig --level 2345 ntpd on

The service command controls the service while the system is running; the chkconfig commands control whether the service starts at boot time.

Synchronizing DLP devices
If you get a system time error when attempting to log in to the user interface, use this task to resynchronize DLP device time with your desktop.
1. Open the Microsoft Windows date/time display.
2. Adjust local time to Greenwich Mean Time.
3. Log on to DLP Monitor and use the date --utc command to enter the corrected date and time.

# date --utc MMDDhhmmCCYY

4. Use the GMT setting to provide the correct time.

# date --utc 080216492009

5. Watch the clock on the date/time display and press Enter to send the command when the two times sync up.
6. Type in the hardware clock command.

# hwclock -w

7. Type in the date command.

# date

8. If the date is correct, reset Stingray.

# service stingray reset

9. Find and kill the current process.

# ps -ef | grep java
# kill -9 <process id number>

10. Log in to DLP Monitor again as root.
11. Restart Stingray and reboot the machine.

# service stingray restart
# reboot

12. Log in to the web browser. The user interface should launch normally.
13. Return the Microsoft Windows clock setting to the correct time zone.

Managing users and groups


Setting up users and groups
McAfee DLP is designed to use role-based access control (RBAC), which makes it possible to give users different levels of permissions depending on their roles in the organization. User accounts are dependent on the groups to which they belong. Users may be created locally, or an Active Directory server may be used to import existing accounts.
TIP: Before creating a new user group scheme, review the task and policy permissions of the pre-configured user groups. Clone or reconfigure them as templates to design a user system that fits your existing organization.

Administrative Example
A CSO of a large company might log in as primary user and create administrative groups with specific sets of rights to manage the DLP Manager. These groups might include the following:
• System Administrators
• Network Administrators
• Installation and Setup Administrators
• Policy Administrators

Each administrator might then create Forensics and Analyst groups for users who report to them.

Organizational Example
The primary DLP administrator might decide that user groups should reflect user roles in existing departments. New groups like the following might be created to reflect the current organization of the company.
• Engineering Group
• Manufacturing Group
• Marketing Group
• Sales Group


In this example, the rights assigned to each of these groups match departmental tasks and responsibilities.

Managing user groups


Working with user groups
DLP User Administration matches the rights of individual users to their roles, which are defined by user group permissions. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups to add and delete groups and assign group privileges.
NOTE: Click on the Details icon of any user or group to review task and policy permissions. You must have administrative permission to assign them.

Using pre-configured user groups


Pre-configured groups provide useful templates for user group design. DLP systems include eight customizable users and user groups that correspond to common organizational roles. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups to view pre-configured user groups.
NOTE: Click on the Details icon of any user or group to review task and policy permissions. You must have administrative permission to modify them.

Adding user groups


Use this task to add a user group. You must be an administrator to do this.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select Create New Group from the Actions menu.
3. Type in the name and description (optional) of the new group.
4. Type in an email address.
5. Select users in the Available Users box.
6. Click Add to move them to the Current Members pane.
7. Click Apply.
TIP: Alternatively, you can create a group first, then add users and assign them to the group.
8. Click on the Task Permissions tab.
9. Open the Permissions groups and select one or more checkboxes.
10. Click Apply.
11. Click on the Policy Permissions tab.
12. Open the Policies group and select one or more checkboxes.
13. Click Apply.
TIP: Check View and Execute for all policies.
NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.


Restricting user groups


Use this task to add restrictions to user groups. For example, you might create a view-only group for users who do not act on incidents.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Click the Details icon.
3. Click the Task Permissions or Policy Permissions tab.
4. Open a Permissions group.
5. Select one or more checkboxes.
6. Click Apply.
7. Repeat until all permissions are set.
8. Click Apply.
TIP: Select the top Delete checkbox under Policy Permissions to keep users from deleting policies.

Deleting user groups


Use this task to delete a user group. You must be an administrator to do this.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Click on the Details link of the group you want to delete.
3. Select Delete from the Actions menu.
4. Click Go.
5. Confirm or cancel.

Managing users
Working with users
DLP User Administration matches the rights of individual users to their roles, which are defined by user group permissions. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users to view existing users.
TIP: Click on the Details icon of any user or group to review task and policy permissions.
NOTE: Administrative permission is required to add, delete or disable users.

Adding users
Use this task to add users.
1. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users | Actions | Create Local User.
TIP: You can add multiple users by importing them from an LDAP server.
2. Type in the user's login ID, name, email address and password.
3. Select an Available group to which you want the user to belong.
4. Click Add to move it to Current group membership.
5. Repeat until the user is a member of all appropriate groups.
6. Click Apply.
NOTE: If the user doesn't fit logically into the available groups, you must add a new group.

Using pre-configured user types


Pre-configured users provide useful templates for user account design. DLP systems include eight customizable users and user groups that correspond to common organizational roles. All pre-configured user groups are listed on the System | User Administration | Groups page. Administrative permission is required to add or delete them.
TIP: Click on the Details icon of any user or group to review task and policy permissions.

Changing passwords and profiles


Use this task to make changes in your user profile.
1. Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Users.
2. Select the Details icon for the account to be changed.
3. In the User Information dialog box, type in the old password and confirm the new one.
4. Click Update.

Creating an ePO database user


ePO is a Windows server, and DLP Manager is a Linux system that does not support Windows-based authentication of users. For this reason, you must create an ePO database user to establish a connection between DLP and ePO systems. This task is just one aspect of establishing that connection. Consult Installing Host and Network DLP 9.0 on ePO for more information.

Using a primary administrator account


The primary administrator account is owned by the initial user of the DLP system.
TIP: Create an equivalent administrative user immediately after logging on to preserve the integrity of the default account.
Primary administrators have complete access to all task and policy permissions and are responsible for creating users and custom user groups. However, the primary administrator can assign that task to other administrators. If you need primary administrator permission to log in, contact McAfee Technical Support.


Viewing active user sessions


Go to ePolicy Orchestrator Menu | Data Loss Prevention | DLP Sys Config | Live Users to view active user sessions. Only administrators can view and manage Live User sessions. Click on the Session ID link of a user to see what actions have been taken.
TIP: Select Clear All from the Filter by... pane to view all the actions that can be reported.

Setting permissions
Assigning permissions
Use this task to assign permissions to users. Only administrators can assign permissions, and if group permissions are modified, all of the group's members must log out and log in again.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select the Details icon of a group.
3. Select the Task Permissions or Policy Permissions tab.
4. Open a Permissions group.
5. Select one or more checkboxes.
6. Click Apply.
7. Repeat until all permissions are set.
8. Click Apply.
NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.

Checking permissions
All rights are inherited from group affiliation, so users must know their group affiliations to check permissions. Only administrators can assign permissions. Use this task to check permissions. This procedure works only if an administrator has given the user's group permission to view permissions.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Users.
2. Select the Detail icon of the user.
3. Make a note of Current group membership.
4. Go to System | User Administration | Groups.
5. Select the Detail icon of the group.
6. Select the Task or Policy Permissions tab.
7. Open a Permissions group.
8. Review the checked boxes.
9. Repeat until all permissions are viewed.
10. Click Cancel.


Setting policy permissions


Users who are tasked with ensuring compliance with company policies might be given view, edit and execute permission for policies like Acceptable Use, Human Resources, and Suspicious Activity. Similarly, users responsible for implementation of regulatory issues might have view and execute permission for policies like SOX Compliance, State Privacy Laws, PCI and GLBA Compliance. Use this task to assign policy permissions to a user group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select the Detail icon of the group.
3. Select the Policy Permissions tab.
4. Open Policies.
5. Select or clear the View, Edit, Execute or Delete boxes.
6. Click Apply.
NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.

Setting task permissions


For example, users who are tasked with Discover scanning of repositories might have the Select All boxes selected under Document Registration and Discover Scan Permissions. Similarly, users who process incidents and cases might have checkboxes under Case and Incident Permissions selected. Use this task to assign task permissions to a user group.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Groups.
2. Select the Detail icon of the group.
3. Select the Task Permissions tab.
4. Open a Permissions group.
5. Select or clear the relevant checkboxes.
6. Click Apply.
NOTE: Policy Execute and Task View Dashboards permissions are required to see the Incidents dashboard.

Managing user accounts


Working with user accounts
With this release, security is enhanced by the addition of customized login and password settings. Type in alphanumeric entries in the values fields to configure password settings and select from the drop-down lists to enable lockout.

Customizing login settings


Use this task to discourage unauthorized logins.
NOTE: Lockout is disabled by default.


1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | User Settings.
2. Check the Enable Lockout box.
3. Enter login parameters in the Login Settings dialog box. When a user exceeds the maximum number of attempts, the system will no longer respond. When automatic lockout is set, the session times out for the number of minutes configured.
4. Click Submit.

Customizing password settings


Use this task to force users to create more secure passwords.
NOTE: You must have administrative permissions to change password settings.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | User Settings.
2. Enter password parameters in the Password Settings dialog box. When a user creates a password, the requirements will be displayed.
3. Click Submit.

Configuring failover accounts


Failover accounts are disabled by default because failover accounts allow backdoor access to DLP Monitor. The link between DLP Manager and Monitor is open, and the default failover account could be used to log on to Monitor. The username and password for the failover account are the same as those of the primary administrator. Use this task to disallow failover logins.
1. Go to DLP Sys Config | User Administration | Failover Account.
2. Type in a username and password for the account.
3. Select Off from the Allow Login menu.
4. Click Update.
If an attempt is made to log in, an error message is launched indicating that the capability has been turned off.

Auditing users
Using audit services
The user audit log records all user activity on DLP systems. Users who have administrative permissions can monitor them. Re-order the audit log elements by clicking the column headers, or use the Filter by feature in the navigation bar to sort the results for greater readability.

Filtering audit logs


Use this task to find out who has logged into DLP Monitors and what actions have been taken.


For example, if you suspect a system problem was caused by a single user or action, checking entries at the time the problem appeared might reveal its source.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit Logs.
2. Pull down the Timestamp menu under Filter by... .
3. Select a period of interest.
4. Click plus to add a filtering category.
5. Pull down the Filter by... menu and select Device to sort by DLP system.
6. Select equals or not equal from the second pull-down menu.
7. Click "?" to launch a pop-up with the names of the available DLP devices. Alternatively, you can type in the host name of the machine (listed in the Device column).
8. Repeat the action for any of the other elements listed in the log.
9. Click Apply.
10. Review the log information.
11. Correct or reverse the action.
NOTE: Clear All before creating another filter.

Getting audit log reports


Use this task to get a CSV report of an audit log.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit Logs.
2. Select Export as CSV from the Actions menu.
3. Open or save the log using the existing tools in your browser.
NOTE: If Microsoft Excel is installed and you select Open, the CSV report will launch in a spreadsheet.

Filtering audit log reports


Use this task to filter audit log entries.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit Logs.
2. Determine which cell in the audit log table will act as the primary key.
3. Click on the cell to automatically create a filter in the Filter by... pane. The dashboard data will immediately change to reflect your selection.
NOTE: Clear All before creating another filter.

Auditing live users


The Live Users feature records all activity in all live sessions. Click on the Session ID to launch the user audit log.


Re-order the audit log elements by clicking the column headers, or use the Filter by feature in the navigation bar to sort the results for greater readability.

Sorting audit log reports


Use this task to sort audit log entries.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | User Administration | Audit Logs.
2. Determine which column will act as the primary key.
3. Click a column header to rearrange the log entries.
NOTE: Actions are reported chronologically, so the Timestamp column cannot be sorted by clicking the header.

Using capture filters


Working with capture filters
The DLP Monitor capture engine captures all network traffic. The indexer captures and identifies all TCP/IP traffic, breaking it down into content types. Anything that cannot be identified is tagged Unknown Protocol. Because all content is indexed, a capture filter can be used to filter out large portions of network traffic that do not need to be analyzed by the capture engine. Filtering network data can cut down on the vast amounts of data captured and analyzed, so it is important to tune the system using capture filters when it is set up. This not only improves performance, but makes it easier to expose only the most significant data for investigation.
NOTE: Under certain circumstances, capture filters can also be used to store critical sessions and application-level data.

Types of capture filters


Capture filter types are determined by the layer of the OSI model that is recognized and stored by the capture database.
• Content capture filters reveal significant data types and improve performance by eliminating selected portions of Flow A (Layer 1) traffic.
• Network capture filters reveal significant data streams and improve performance by eliminating large portions of Transport (Layer 4) traffic, usually in a specific sequence.

Types of capture filter actions


Content and network capture filters allow different types of user actions.
• Content capture filter actions keep certain types of traffic from being recognized by the capture engine.
• Network capture filter actions ignore specific components of network traffic or store data that is transmitted via certain protocols.

How content capture filters work


Standard content capture filters included with DLP systems reveal significant data types and improve performance by eliminating selected portions of Flow A (Layer 1) traffic.
NOTE: Unlike network capture filters, content capture filters can be applied to the network data stream in any order.

Standard Content Capture Filters

Filter                       Effect
Ignore binary                Excludes all binary files
Ignore BMP and GIF images    Excludes images in BMP and GIF formats
Ignore crypto                Excludes encrypted data
Ignore HTTP Gzip responses   Keeps compressed files from being opened more than once (excludes HTTP Gzip responses)
Ignore HTTP headers          Excludes HTTP headers
Ignore P2P                   Excludes all peer-to-peer traffic
Ignore small JPG images      Excludes insignificant images (JPG images smaller than 4 MB)
Ignore flow headers          Excludes flow headers

Content capture filter actions


Content capture filter actions may drop elements or sessions, or store only metadata.

Drop Element
For example, if your network has a large cache of video files that you know are not a security threat because you have controlled them with configuration management software, you can set up a filter that drops these secure files, saving time and resources for analysis of data at risk.

Drop Sessions
For example, if your employees are authorized to send or receive any SMTP content that is processed by your company's mail server, you can drop those communications.

Drop elements and store metadata only
For example, if you want to know what kind of data is moving through the network data stream without storing its content, storing metadata allows you to keep incidental information (like the source and destination of the data, data types being transmitted, and protocols being used to transmit it).

Adding content capture filters


Use this task to design and add a content capture filter. For example, suppose you want to create a filter to ignore all traffic to and from your web server that contains RTSP files. This would eliminate a significant portion of network activity, making it easier to focus on other types of traffic that you suspect might be compromised.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Go to System | Capture Filters.
3. Click Create Content Filter.
4. Type in a name and description.
5. Select Ignore or Store from the Action menu. In this case, you want to ignore RTSP files.
6. Select the DLP Monitor on which you want to install the filter. If you want to deploy a capture filter at a later time, select the None checkbox under Devices.
7. Open Protocol.
8. Select Protocol from the Element menu.
9. Click "?".
10. Select RTSP from the popup menu.
11. Click Apply.
12. Click Save.
TIP: Add more elements to narrow the filter, like the size of the files, the date and time transmitted, and the source and destination of the traffic.

How network capture filters work


Standard network capture filters included with DLP systems reveal significant data streams and improve performance by eliminating large portions of Transport (Layer 4) traffic, usually in a specific sequence. For example, most businesses are interested in monitoring traffic carried to or from external IP addresses. When the RFC 1918 filter is active, IP addresses set aside by IANA for internal use can be excluded from analysis by the capture engine.


Standard Network Capture Filters

Filter                  Effect
Ignore RFC 1918         Excludes traffic routed to 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 and 192.168.0.0-192.168.255.255
Ignore HTTP Responses   Excludes program output sent from a server after receiving and interpreting an HTTP Request
Ignore unknown          Excludes traffic using unknown protocols
Ignore SMB              Excludes Server Message Block and Microsoft Basic Input/Output System (NetBIOS) traffic
Ignore SSH              Excludes secure shell traffic
Ignore POP              Excludes Post Office Protocol 3 traffic
Ignore IMAP             Excludes Internet Message Access Protocol traffic
Ignore HTTPS            Excludes secure Hypertext Transport Protocol traffic
Ignore LDAP             Excludes Lightweight Directory Access Protocol traffic
Ignore NTLM             Excludes Microsoft New Technology Local Area Network Manager traffic
BASE                    Base Configuration filter (opens the system for storage of incoming data)

Network capture filter actions


Network capture filter actions may ignore or store network data depending on the port or protocol used.

Ignore
For example, you can ignore all web traffic by using HTTP filters, or eliminate authorized email by ignoring traffic using port 25 (SMTP).

Store
For example, you can store chat traffic by creating a filter that identifies and keeps data transmitted using the AOL_Chat, MSN_Chat, or Yahoo_Chat protocols.

Ignoring or storing IP addresses


Use this task to search for individual IP addresses, a range of addresses, or addresses on a subnet.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Content or Network filter.
3. Open Source/Destination.
4. Select IP Address.
5. Select source or destination.
6. Enter IP addresses in the value field.
7. Click Search.

Example
192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25

Adding network capture filters


Use this task to add a network capture filter. Designing one requires experimentation, but taking the time to streamline the capture process can save a lot of processing time.
TIP: Before creating a network capture filter, open the All category in the Network Filter dialog box. This action either captures or cuts off all traffic, depending on the capture action you select, so that you can observe a limited pool of data before deciding what to filter.
NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data stream, it must always run last.
1. Make a list of the sessions you want the capture engine to store or ignore.
2. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
3. Select Create Network Filter.
4. Name and describe the filter.
5. Select the devices for deployment. If you want to deploy a capture filter at a later time, select the None checkbox under Devices.
6. Select a capture action.
7. Configure the Source/Destination, Protocol, and Date/Time components to define the sessions to be stored or ignored by the capture filter.
8. Click Save.
9. Use the Priority icons to change the order in which filters will be run.
10. Test the filter and modify it, if necessary.
TIP: When establishing a sequence for applying network capture filters to the network data stream, remember that changing the order of a single filter might skew your results.

Reprioritizing network capture filters


Use this task to reprioritize network capture filters that modify others. Place filters that define the largest portions of traffic at or near the top of the list to improve processing time.


NOTE: When a network capture filter is applied to the network data stream, its position in the list indicates its priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data stream, it must always run last. For example, if you add a filter to ignore all traffic to and from ports 80 and 453, the capture engine would ignore all HTTP and HTTPS traffic.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click Create Network Filter and define its parameters. The new filter is added to the bottom of the Network Filters list.
3. Use the UP arrow in the Priority column to move it up to the correct position.
4. Click Apply.
TIP: Move the new filter up until it is in a position to filter out more traffic than the filters below it, but less than those above it.
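The address syntax from the Ignoring or storing IP addresses example and the priority rule above, modelled in an added Python example that is not code from the guide or the product: it parses single addresses, dash ranges and CIDR subnets, then evaluates a constructed filter list in priority order with BASE last and shows how moving one filter changes the outcome. The Session fields, the "first matching filter decides" semantics and the choice to match the RFC 1918 filter on the destination address are assumptions made here.

```python
"""Model of the Network Filters list: address-list syntax plus priority ordering."""
from collections import namedtuple
import ipaddress

Session = namedtuple("Session", "src dst sport dport protocol")

# Constructed address lists. EXAMPLE_SPEC is the syntax shown in the guide's
# Example line; RFC1918_SPEC is the three blocks the standard filter excludes.
EXAMPLE_SPEC = "192.168.1.244,172.25.3.100-172.25.3.199,192.168.2.1/25"
RFC1918_SPEC = ("10.0.0.0-10.255.255.255,172.16.0.0-172.31.255.255,"
                "192.168.0.0-192.168.255.255")


def parse_address_list(spec):
    """Parse 'a.b.c.d,lo-hi,net/prefix' into a list of (first, last) address pairs."""
    ranges = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:                       # dash range, inclusive at both ends
            lo, hi = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            if hi < lo:
                raise ValueError("range end precedes start: %s" % token)
        elif "/" in token:                     # CIDR; host bits are masked off
            net = ipaddress.ip_network(token, strict=False)
            lo, hi = net[0], net[-1]
        else:                                  # single address
            lo = hi = ipaddress.ip_address(token)
        ranges.append((lo, hi))
    return ranges


def address_matches(ranges, ip):
    ip = ipaddress.ip_address(ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)


class NetworkFilter:
    """One row of the Network Filters list. action is 'ignore' or 'store'; a
    component left unset matches everything, like the All category in the dialog."""
    def __init__(self, name, action, src=None, dst=None, ports=(), protocols=()):
        if action not in ("ignore", "store"):
            raise ValueError("action must be 'ignore' or 'store'")
        self.name, self.action = name, action
        self.src = parse_address_list(src) if src else None
        self.dst = parse_address_list(dst) if dst else None
        self.ports, self.protocols = set(ports), set(protocols)

    def matches(self, s):
        return ((self.src is None or address_matches(self.src, s.src))
                and (self.dst is None or address_matches(self.dst, s.dst))
                and (not self.ports or s.sport in self.ports or s.dport in self.ports)
                and (not self.protocols or s.protocol in self.protocols))


def check_order(filters):
    """The guide's rule: BASE stores whatever was not dropped, so it must run last."""
    if not filters or filters[-1].name != "BASE":
        raise ValueError("BASE must be the last filter in the list")
    return True


def evaluate(filters, session):
    """Walk the list in priority order; assumption: the first matching filter decides."""
    check_order(filters)
    for f in filters:
        if f.matches(session):
            return f.action, f.name
    return "ignore", None          # not reached while BASE matches every session


# Constructed filter list mirroring examples in the guide: the RFC 1918 filter
# (assumed here to match on destination, per "traffic routed to"), the port 25
# SMTP example, the chat-protocol Store example, and BASE last.
FILTERS = [
    NetworkFilter("Ignore RFC 1918", "ignore", dst=RFC1918_SPEC),
    NetworkFilter("Ignore SMTP", "ignore", ports={25}),
    NetworkFilter("Store chat", "store", protocols={"AOL_Chat", "MSN_Chat", "Yahoo_Chat"}),
    NetworkFilter("BASE", "store"),
]


def reordered(filters, name, new_index):
    """Return a copy of the list with one filter moved, as the Priority arrows do."""
    rest = [f for f in filters if f.name != name]
    moved = next(f for f in filters if f.name == name)
    rest.insert(new_index, moved)
    return rest


if __name__ == "__main__":
    chat_inside = Session("172.25.3.150", "10.1.1.1", 40000, 5190, "AOL_Chat")
    print(evaluate(FILTERS, chat_inside))                              # dropped by RFC 1918
    print(evaluate(reordered(FILTERS, "Store chat", 0), chat_inside))  # now stored
```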

Deploying capture filters


Use this task to deploy a capture filter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Double-click the filter you want to deploy.
3. In the Devices box, check the appliance on which you want to install the capture filter.
4. Click Save.
NOTE: If you want to deploy a capture filter at a later time, select the None checkbox under Devices.

Editing capture filters


Use this task to edit a capture filter.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Double-click on the name of the filter.
3. Redefine the filter by changing its parameters.
4. Click Save.

Using undeployed capture filters


Use this task to apply capture filters to targets after they have been created. If you want to deploy a capture filter at a later time, select the None checkbox under Devices.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Click on the undeployed capture filter.
3. Select one or more checkboxes of devices on which the filters should be deployed.
4. Click Save.


Viewing deployed capture filters


Use this task to find out which filters are deployed on each DLP Monitor.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. If DLP Manager is managing several Monitors, scroll down the page to see all the filters.
NOTE: If you are using a standalone DLP Monitor, you will see only the filters deployed on your own machine. If you are using a DLP Manager, scroll down the list to get complete information on all managed systems.

Deleting capture filters


Use this task to delete a capture filter. On a standalone DLP Monitor you can delete a capture filter, but on DLP Manager you can only remove a capture filter from the Monitor to which it has been deployed.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Capture Filters.
2. Select the Remove icon next to the filter you want to delete.
3. Click OK or Cancel.
TIP: Before deleting, view deployed filters to determine which DLP Monitors are using the filter.

Setting up system alerts


Configuring system alerts
This release supports device down alerts. Device down alerts allow you to set up DLP Manager to notify up to 25 users whenever one of the registered DLP devices goes down.
NOTE: If you have a syslog server, system events are regularly reported to the events database. The database is polled every 2 minutes, and every alert in the database is sent to the dashboard within this interval. A timestamp is reported for each alert.

Configuring device down alerts


Use this task to set up notification for users who need to know when DLP devices go down.
NOTE: The notification is the same whether the devices are disconnected or just turned off.
1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config | Devices | System Alerts.
2. Type in the email addresses of the users to be notified. Up to 25 email addresses are supported.
3. Select the alert types you want to send.
4. Click Apply.


Types of device down alerts


There are three possible configuration intervals for a device down alert.
• Notification that the device has recovered and has been up for X minutes
• Notification that the device was down for X minutes
• Notification is sent every X minutes after the device went down

Technical specifications
Understanding specifications
Any modifications to DLP equipment, unless expressly approved by the party responsible for compliance, could void authority to operate the equipment. DLP hardware has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 16 of the Federal Communications Commission rules. Operation is subject to the following two conditions:
• the device may not cause harmful interference, and
• the device must accept any interference received, including interference that may cause unwanted operation.

These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. DLP equipment generates, uses, and can radiate radio frequency energy. If not installed and used in accordance with the instruction manual, it might cause harmful interference to radio communications. If operation of this equipment in a residential area causes harmful interference, it must be corrected at owner expense.

Power Redundancy
To ensure redundancy on DLP appliances with more than one power supply, all supplies must be active so that they share the load while operating at nominal power. Additional protection is provided if the supplies are plugged into two electrical outlets on different circuit breakers. Should one power supply fail, a back-up fan turns on automatically, an alarm sounds, and a warning LED is illuminated. If this occurs, contact McAfee Technical Support for a replacement unit.

NOTE: If the appliance loses power for any reason, it will not come back up on its own unless you change the BIOS setting in advance. The motherboard's power-on-after-power-loss setting is off by default.

Rack Mounting Requirements


Use this information to ensure safe configuration of DLP appliances.

A) Elevated Operating Ambient Temperature


If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (TMA) specified by the manufacturer.

B) Reduced Air Flow


Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.

C) Mechanical Loading
Mounting of the equipment in the rack should be such that a hazardous condition is not created due to uneven mechanical loading.

D) Circuit Overloading
Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.

E) Reliable Earthing
Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (use of power strips).

Safety Compliance Guidelines


DLP hardware must be installed only in Restricted Access locations (dedicated equipment rooms, electrical closets, or the like).

CAUTION: Disconnect all power supply cords before servicing. RISK OF EXPLOSION if the battery is replaced by an incorrect type. Dispose of used batteries according to the instructions.

Contacting Technical Support


Contacting DLPTechnical Support
Contact McAfee Technical Support by phone, email or web.

Telephone: (800) 937-2237; (408) 988-3832
Email: www.mcafee.com/us/about/contact/index.html
Support Portal: mysupport.mcafee.com

TIP: Troubleshooting tips are available on the WebHelp home page. You can also get system information by clicking the More or Configure links at Menu | Data Loss Prevention | DLP Sys Config.

Creating a Technical Support Package


Use this task to give your technical support representative background information about a Monitor or Discover system.

1. In ePolicy Orchestrator, go to Menu | Data Loss Prevention | DLP Sys Config.
2. Select a Monitor or Discover system and click More. TIP: If you cannot see the link, expand your dashboard.
3. Click Create tech support package. The system builds the file automatically; this may take a few minutes.
4. Click check back.
5. Click Save to download the file to your desktop.
6. Email the file to your McAfee support representative.

Glossary
A

action rule: An automatic rule that uses one or more specific Prevent Policy actions (allow, block, bounce, encrypt, notify, quarantine, redirect) to resolve violations flagged by the capture engine.
Active Directory: Microsoft directory service used to provide basic organizational LDAP functions, such as integration with existing user systems.
administrator account: Default user account for the primary NDLP administrator (admin).
alert: A message triggered by a significant system event that may require a response.
anchor commands: Reference markers that set conditions for matches found in network data by a Concept.
archive: Compressed files that can be extracted and evaluated by the search engine.
audit log: A record of all actions taken by DLP users.
authentication: A security measure that confirms the identity of a user or entity attempting to access a system.

B

bandwidth throttling: A setting that restricts the quantity of data transmitted to prevent network congestion.
blocking: An action taken to prevent transmission of data outside of a network.

C

capture engine: A DLP component that captures, analyzes, processes, and saves all data on a network.
capture filter: A component that is used to isolate significant portions of data to streamline processing by the DLP capture engine.
case system: A collaborative framework that centralizes resolution of incidents flagged by DLP queries and rules.
centralized alerting: An alert notification process controlled by McAfee DLP Manager.

certificate: A digital component generated by a Certificate Authority that authenticates a secure connection between users or servers.
certificate authority: An entity or service that issues and manages digital security certificates.
CIDR (Classless Inter-Domain Routing): Notation used to define IP addresses and subnet masks beyond 8-bit 'classful' limits to efficiently describe routing of IPv4 or IPv6 packets.
cipher text: Encrypted text that is unreadable until it has been decrypted back into plain text.
cleartext: Unencrypted plain text that is readable by anyone who can observe it on a network.
compliant: A state that indicates that no policy violations have been found after rules have been applied to the network data stream.
Concept: A DLP component that finds collections of significant data related to a single issue.
console: The centralized Manager device that coordinates DLP appliances.
content filtering: The process of classifying all network data into content types that can be processed by a capture engine.
content type: A database object that defines data according to file type.
crawl: An automated process that scans and indexes the contents of a database or file system.
credential: A utility made up of user name, domain, and password that authenticates entry to a repository or database.

D

Data at Rest: Static data at risk that can be found in a repository or database during a DLP scanning process.
Data in Motion: Dynamic data at risk that is flagged by DLP Monitor in the network data stream.
Data in Use: Static data at risk that can be found on host devices that use network resources.
deployment: The process of distributing policies and rules from DLP Manager to its attached appliances.

DHCP: Services used to assign dynamic IP addresses whose sources and destinations can be traced and identified.
Discover scan: A type of scan that uses policies, rules, and Concepts to find data that is at risk.
distributed searching: A technique used by DLP Manager to construct queries of network data through multiple DLP Monitors.
drilldown: The process of discovering increasingly granular information about an incident by clicking through link levels on DLP dashboards.
Dynamic Host Configuration Protocol: Services used to assign dynamic IP addresses whose sources and destinations can be traced and identified. See DHCP.

E

endpoints: Host devices, including laptops, desktops, servers, printers, removable media and mobile devices that utilize corporate resources.
exception: A parameter added to a rule that keeps the capture engine from reporting false positives.
exclude list: A collection of documents that are not to be reported if they are detected during a scan.

F

failover account: A default account that provides backdoor access to a DLP appliance if the link to its Manager is broken.
false positive: An incident that is reported when a rule produces a hit that resembles, but does not match, the definition of a violation.
filter: A feature that provides customized views of captured data by selectively screening results on DLP dashboards.
fingerprinting: The process of using an algorithm to create a digital signature that identifies data at risk.

I

incident: An object of interest that is reported to a DLP device when a rule parameter matches a string in network or endpoint data.
inheritance: The application of settings of a DLP policy to its rules.

Inventory scan: A type of scan that produces a manifest of all data available in a repository or database.

L

Lightweight Directory Access Protocol: Directory services used by DLP Manager to identify and extract user accounts residing on external servers.
link speed: A setting that may need to be changed if devices on a network monitored by DLP devices have specific speed and duplex requirements that prevent auto-negotiation.
logical operator: A symbol that is used to construct DLP keyword queries in a shorthand fashion.

M

Mail Transfer Agent: An email relay server used by DLP Prevent to communicate actions to be implemented when data at risk is identified.
Message digest (MD5): A cryptographic hash function used by DLP devices to identify data that has been fingerprinted.

N

network storage scan: A type of Discover scan that crawls network attached storage repositories or databases.
Network Time Server: A local or remote server used by DLP to synchronize date and time with other network devices.
node: A host connected to a network.

P

permissions: Privileges allowing role-based access to DLP users who are assigned specific tasks based on their role in the organization.
policy: A collection of related rules used by DLP devices to identify and classify data at risk.
Prevent Policy actions: A set of actions (allow, block, bounce, encrypt, notify, quarantine, redirect) that can be automatically applied to data at risk by an action rule.
proxy server: A component that acts as an intermediary between a group of intranet devices and the internet.
publishing: The act of distributing policies to DLP appliances from a centralized DLP Manager.

Q

quarantine: Enforced isolation of a file or folder that violates policy or poses a risk to the system.

R

RBAC (Role-Based Access Control): A system that assigns privileges to DLP users based on their roles in an organization.
reaction: An aspect of a host DLP rule that uses one or more specific actions (encrypt, monitor, notify, quarantine, store evidence, delete) to process incidents or violations flagged by the McAfee Agent.
Registration scan: A type of scan that crawls a designated database or file share and generates unique signatures to protect data at risk.
remediation: The process of using action rules to resolve violations found during a DLP discovery scan of a repository or database.
repository: A server, or a share on a server, containing files that are to be crawled by DLP Discover.
repository type: A file system defined by the protocol used to access it.
rule: An entity that identifies anomalies in network or endpoint data by matching its parameters to one or more attributes of data at risk.
RWL (Real World Locality): An entity whose name is likely to be used in a directory search request.

S

scan: A process that locates data at risk while crawling a network repository or database at a designated time.
share: A device, volume, partition, or directory that has been targeted for remote access by a scan operation.
signature: A unique hexadecimal number generated by an algorithm that identifies data at risk.
syslog server: A system log server that automatically receives and records messages from a DLP Manager or Monitor.
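The entries for Message digest (MD5), fingerprinting, Registration scan and signature describe the same mechanism from different angles: a registration scan walks a share, computes a digest per document, and later captured content is matched against those digests. The example below is added here to show that round trip; it is not McAfee code and does not reproduce the product's fingerprint format. Two deliberate departures from the glossary are labelled: SHA-256 is used in place of MD5, because MD5 collisions are practical and a registry key should not be forgeable, and documents are additionally split into content-defined chunks so that a document that has been forwarded with a prefix or trailer added still matches, which a whole-file digest alone cannot do. All documents are constructed sample data.

```python
"""Registration scan and digest matching: register files, then match captured content.

Added illustration; not McAfee code. SHA-256 replaces the MD5 named in the
glossary, and content-defined chunking is a general technique, not a claim
about how the product fingerprints. All documents below are constructed.
"""
import hashlib
from typing import Dict, Iterator, Optional, Tuple

WINDOW = 8      # bytes hashed to decide whether a chunk boundary falls here
AVG_CHUNK = 16  # a boundary falls at roughly one position in 16
MIN_CHUNK = 8   # never cut a chunk shorter than this


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Whole-content signature (the glossary's "signature": a hex number from a hash)."""
    return hashlib.new(algorithm, data).hexdigest()


def content_defined_chunks(data: bytes) -> Iterator[bytes]:
    """Cut data where a hash of the trailing WINDOW bytes hits a target value.

    Boundaries depend on content rather than offset, so inserting text near the
    start shifts only the chunk it lands in; fixed-offset chunking would shift
    every chunk and lose the match.
    """
    start = 0
    for i in range(WINDOW, len(data)):
        h = int.from_bytes(hashlib.blake2b(data[i - WINDOW:i], digest_size=4).digest(), "big")
        if h % AVG_CHUNK == 0 and i - start >= MIN_CHUNK:
            yield data[start:i]
            start = i
    if start < len(data):
        yield data[start:]


def register_documents(documents: Dict[str, bytes]) -> Dict[str, dict]:
    """Registration scan: record a whole-file digest and every chunk digest per document."""
    registry: Dict[str, dict] = {"files": {}, "chunks": {}}
    for name, data in documents.items():
        registry["files"][digest(data)] = name
        for chunk in content_defined_chunks(data):
            registry["chunks"].setdefault(digest(chunk), set()).add(name)
    return registry


def match_content(registry: Dict[str, dict], data: bytes,
                  threshold: float = 0.5) -> Tuple[Optional[str], float]:
    """Return (registered name, matched fraction), or (None, fraction) below threshold."""
    exact = registry["files"].get(digest(data))
    if exact is not None:
        return exact, 1.0
    hits: Dict[str, int] = {}
    total = 0
    for chunk in content_defined_chunks(data):
        total += 1
        for name in registry["chunks"].get(digest(chunk), ()):
            hits[name] = hits.get(name, 0) + 1
    if not hits or total == 0:
        return None, 0.0
    name, count = max(hits.items(), key=lambda kv: kv[1])
    fraction = count / total
    return (name, fraction) if fraction >= threshold else (None, fraction)


SAMPLE_DOCUMENTS: Dict[str, bytes] = {  # constructed; not real documents
    "quarterly_plan.txt": (
        b"Quarterly plan, internal only. Headcount in the platform group grows by six "
        b"engineers in the second quarter, funded by deferring the data centre refresh "
        b"to the following year. The pricing change for the enterprise tier takes effect "
        b"on the first of the month after board approval, and the partner rebate is held "
        b"at nine percent until renewal negotiations with the two largest resellers "
        b"conclude. Capital spending on lab equipment is capped at the prior year's "
        b"level, with any overrun requiring sign-off from the finance committee. "
        b"Recruiting for the two director roles stays on hold until the reorganisation "
        b"is announced to staff, which is planned for the week after the results call."
    ),
    "vendor_list.txt": (
        b"Approved vendors for network hardware: acme switching, northwind optics, "
        b"fabrikam cabling. Purchase orders above the delegated limit require a second "
        b"signature from procurement and a countersignature from the budget owner."
    ),
}
MODIFIED = b"FWD: see attached -- " + SAMPLE_DOCUMENTS["quarterly_plan.txt"] + b" (sent from my phone)"
UNRELATED = (
    b"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor "
    b"incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud "
    b"exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat."
)

if __name__ == "__main__":
    reg = register_documents(SAMPLE_DOCUMENTS)
    for label, data in (("original", SAMPLE_DOCUMENTS["quarterly_plan.txt"]),
                        ("forwarded", MODIFIED), ("unrelated", UNRELATED)):
        print(label, match_content(reg, data))
```

The unmodified document hits the whole-file digest and matches at 1.0; the forwarded copy misses that digest but still matches most of its chunks; the unrelated text matches none. The threshold is the tuning knob the glossary's "tuning a rule" entry refers to: lowering it catches more partial copies and raises the false-positive rate.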

T

tar file: A UNIX or Linux archive containing compressed files.
template: A DLP component used to save keystrokes when searching network data, adding rules, or creating capture filters.
tuning a rule: The process of modifying a rule in stages to gradually eliminate false positives from search results.

U

unpublishing: The act of removing policies from deployment on DLP appliances.

V

view vector: A configuration that displays incidents from one of three capture databases (Data-in-Motion, Data-at-Rest, Data-in-Use) on DLP dashboards.
views: A framework that displays incidents found in captured or scanned data in a variety of different configurations on DLP dashboards.
violation: A risk that is reported when a query or rule matches an attribute in the capture database.

W

wiping policy: A setting regulating use of disk space on a DLP Monitor appliance.
