McAfee Data Loss Prevention 11.3.x Product Guide

Revision A
Released to Support 4-Jul-2019

COPYRIGHT
Copyright 2019 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Product overview
  Overview
  Key features
  How it works

2 How DLP works with data vectors
  How DLP Endpoint and Device Control protect sensitive content
  Benefits of protecting Windows endpoints
  Benefits of protecting Mac endpoints
  How network discovery works
  How different scan types protect your data
  How McAfee DLP Prevent protects email traffic
  How McAfee DLP Prevent protects web traffic
  Protecting mobile email
  How McAfee DLP Monitor inspects live network traffic
  How DLP interacts with other McAfee products

3 Planning policies to protect sensitive content
  Getting started with McAfee DLP
  Four steps to protecting your data
  Classifying your data
  Tracking how and when sensitive content is used
  Protecting sensitive data with rules
  Monitoring incidents to fine-tune your policies
  Designing policies to protect sensitive data
  Getting started with network discovery

4 Configuring system components
  Configuring McAfee DLP in the Policy Catalog
  Windows client configuration
  Support for client configuration parameters
  Import or export the McAfee DLP Endpoint configuration
  Configure client settings
  Configure server settings
  Protecting files with rights management
  How McAfee DLP works with rights management
  Supported RM servers
  Documenting events with evidence
  Using evidence and evidence storage
  Creating evidence folders
  Administrative and end users in McAfee DLP
  Create user definitions
  Controlling assignments with users and permission sets
  REST API for importing definitions and applying policies
  Assigning McAfee DLP permission sets

  Create a McAfee DLP permission set
  Create a DLP Help Desk permission set
  Control access to McAfee DLP appliance features
  Restrict users from viewing appliances in the System Tree
  Allow users to edit the policy
  Control access to Appliance Management features
  McAfee ePO features

5 Protecting removable devices
  Protecting content on removable devices
  Benefits of device classes in managing devices
  Define a device class
  Create a GUID
  Create a device class
  Organizing devices with device templates
  Benefits of device templates in defining device parameters
  Benefits of device templates to define device parameters
  Create a device group
  Create a removable storage device template
  Create a whitelisted plug and play template
  Create a serial number and user pair definition
  Device control rules
  Create a device rule
  Removable storage file access rules

6 Classifying sensitive content
  Identifying and tracking content with classifications
  How applications are categorized
  Identifying and tracking content with classifications
  Classifying by file destination
  Classifying by file location
  Text extraction
  Classifying content with dictionary definitions
  Classifying content with advanced pattern definitions
  Create an advanced pattern
  Classifying content with document properties or file information
  Benefits of using templates to define content fingerprinting criteria
  Classifying files manually
  Embedding properties for third-party integration
  Configure manual classification
  Registered documents and whitelisted text
  Creating and configuring classifications
  Create a classification
  Create classification criteria
  Create document properties
  Upload registered or whitelisted documents
  Upload files to whitelisted text
  Configuring classification components for McAfee DLP
  Create content fingerprinting criteria
  Assign manual classification permissions
  How end users can classify their own files
  Find an exact match in a data file
  Creating classification definitions
  Create a general classification definition
  Create or import a dictionary definition
  Create an advanced pattern

  Create a URL list definition
  Use case: Create classifications with third-party tags

7 Using rules and policies to protect sensitive content
  Creating policies with rule sets
  Create rule definitions
  Create a network port range
  Create a network address range
  Create an email address list definition
  Create a network printer definition
  Create a URL list definition
  Defining rules to protect sensitive content
  Defining rules by reputation
  Protecting data-in-use
  Device control rules
  Endpoint and network discovery rules
  Application control rules
  Whitelists
  Customizing end-user messages
  Create and configure rules and rule sets
  Create a rule set
  Create a rule
  Assign rule sets to policies
  Enable, disable, or delete rules
  Back up and restore policy
  Configure rule or rule set columns
  Create a justification definition
  Create a notification definition
  Create and assign policies
  Create a policy
  Assign a policy to an appliance
  Rule use cases
  Use case: Removable storage file access device rule with a whitelisted process
  Use case: Set a removable device as read-only
  Use case: Block and charge an iPhone with a plug-and-play device rule
  Use case: Prevent burning sensitive information to disk
  Use case: Block outbound messages with confidential content unless they are sent to a specified domain
  Use case: Block email message and return to the sender
  Use case: Allow a specified user group to send credit information
  Use case: Classify attachments as NEED-TO-SHARE based on their destination

8 Synchronizing DLP policies with MVISION
  Integrating DLP policies with McAfee MVISION Cloud
  Create a classification policy in MVISION Cloud
  Using McAfee DLP policies in MVISION Cloud
  Protecting email - using McAfee DLP policies in McAfee MVISION Cloud
  About Inline Email DLP
  Inline Email DLP Prerequisites
  Integrate Inline Email DLP with McAfee ePO
  Enabling inline DLP

9 Working with McAfee DLP policies
  Working with McAfee DLP policies
  Set advanced configuration options
  Set up a cluster of McAfee DLP Prevent appliances

  Set up a cluster of McAfee DLP Monitor appliances
  Enable FIPS 140-2 mode
  Set connection timeout settings
  Connect to an evidence server outside your firewall
  Specify the server for registered documents
  Customize the appliance console banner text
  Disable access to management ports through the traffic interface
  Close the McAfee DLP Prevent appliance SMTP ports
  Specify a maximum level of nesting of archived attachments
  Add additional MTAs that can deliver email
  Deliver emails using a round-robin approach
  Limit connections to specified hosts or networks
  Enable TLS on incoming or outgoing messages
  Configure McAfee DLP Prevent to scan encrypted web traffic only
  Close the McAfee DLP Prevent appliance ICAP ports
  Enable a McAfee DLP Prevent appliance to process response requests
  Using external authentication servers
  Apply network communication protection rules to FTP, HTTP, or SMTP traffic
  Create a traffic filtering rule
  Edit the McAfee Email Gateway policy to work with McAfee DLP Prevent
  Integrating McAfee DLP Prevent in your web environment
  Appliance Management General policy settings

10 Scanning local files with DLP Endpoint discovery
  Protecting files with discovery rules
  How discovery scanning works
  Find content with the discovery crawler
  Create and define a discovery rule
  Create a scheduler definition
  Set up a scan
  Use case: Restore quarantined files or email items

11 Scanning data with McAfee DLP Discover
  Choosing the scan type
  How inventory scans work
  How classification scans work
  How remediation scans work
  How registration scans work
  Scan considerations and limitations
  Scanning image files with OCR
  Repositories and credentials for scans
  Using definitions and classifications with scans
  Using rules with scans
  Configure policy for scans
  Create definitions for scans
  Create rules for remediation scans
  Configure a scan
  Configure an inventory scan
  Configure a classification scan
  Configure a remediation scan
  Configure a registration scan
  Perform scan operations
  Analyzing scanned data
  How McAfee DLP Discover uses OLAP
  Viewing scan results
  Analyze scan results

  View inventory results

12 The DLP Capture Search feature
  Searching captured data
  Working with the DLP Capture feature
  Datasets
  Build a dataset
  DLP Capture searches
  Forensic Investigation search
  Tuning your rules
  The Search List and Sear

  McAfee DLP appliances dashboards
  McAfee DLP Prevent system health information
  McAfee DLP Monitor system health information

15 McAfee DLP appliance events and reports
  Event r