Kaspersky Security 9.0 for Microsoft Exchange Servers Security Officer's Guide

Transcription

1 Kaspersky Security 9.0 for Microsoft Exchange Servers Security Officer's Guide APPLICATION VERSION: 9.0

2 Dear User! Thank you for choosing our product. We hope that this document will help you in your work and will provide answers regarding this software product. Warning! This document is the property of Kaspersky Lab ZAO (herein also referred to as Kaspersky Lab): all rights to this document are reserved by the copyright laws of the Russian Federation and by international treaties. Illegal reproduction and distribution of this document or parts hereof result in civil, administrative or criminal liability by applicable law. Any type of reproduction or distribution of any materials, including translations, is allowed only with the written permission of Kaspersky Lab. This document, and graphic images related to it, may only be used for informational, non-commercial, and personal purposes. Kaspersky Lab reserves the right to amend this document without additional notification. You can find the latest version of this document on the Kaspersky Lab website at Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any third-party materials used herein, or for any potential harm associated with the use of such materials. Document revision date: 10/10/ Kaspersky Lab ZAO. All Rights Reserved

3 TABLE OF CONTENTS ABOUT THIS GUIDE... 5 In this document... 5 Document conventions... 6 KASPERSKY SECURITY 9.0 FOR MICROSOFT EXCHANGE SERVERS... 8 About DLP categories... 8 About DLP policies About incidents About joint work of Security Officers Process of message scanning by the DLP Module About adding X-headers APPLICATION INTERFACE Main window of the Administration Console Administration Console tree Workspace STARTING AND STOPPING THE APPLICATION STATUS OF DATA LEAK PROTECTION Default status of Data Leak Protection Viewing Data Leak Protection status details CONFIGURING S OF SECURITY OFFICERS MANAGING CATEGORIES Creating and editing a table data category Example of a category of table data Creating and editing a keyword category Deleting a category MANAGING POLICIES Creating a policy Step 1. Configuring general settings Step 2. Configuring the policy scope: senders Step 3. Configuring the policy scope: recipients Step 4. Configuring actions Editing policy settings Configuring the delivery of policy violation notifications Deleting a policy Searching for policies associated with a specific user MANAGING INCIDENTS Viewing the list of incidents Selecting columns to display in the table of incidents Filtering the list of incidents Viewing incident details Changing incident status Saving a message attached to an incident to disk Sending notifications to violators

4 S E C U R I T Y O F F I C E R ' S G U I D E Adding comments to incidents Archiving incidents Restoring incidents from the archive Deleting archived incidents MANAGING REPORTS About reports on DLP Module operation Detailed report Report on users System KPI report Report on policies and incidents Creating a report generation task Detailed report generation task: Configuring settings Task to generate report on users: Configuring settings System KPI report generation task: Configuring settings Task to generate report on policies and incidents: Configuring settings Starting a report creation task Deleting report generation task Viewing a report Generating a report manually Saving reports to disk Deleting reports KASPERSKY LAB ZAO INFORMATION ABOUT THIRD-PARTY CODE TRADEMARK NOTICE

5 ABOUT THIS GUIDE This document is the Security Officer's Guide to Kaspersky Security 9.0 for Microsoft Exchange Servers (hereinafter also "Kaspersky Security"). The Guide serves the following purposes: Provide help on using the application. Serves as a quick source of information to answer questions relating to the operation of Kaspersky Security. IN THIS SECTION: In this document...5 Document conventions...6 IN THIS DOCUMENT This document includes the following sections: Kaspersky Security 9.0 for Microsoft Exchange Servers (see page 8) This section offers a brief description of application features. Application interface (see page 14) This section describes the basic elements of the graphical user interface of the application: the main window, Administration Console, the Administration Console tree, and the workspace. Starting and stopping the application (see page 15) This section contains information on starting and shutting down the application. Status of Data Leak Protection (see page 16) This section provides information on the default status of Data Leak Protection and instructions on obtaining information about the status of the DLP Module and statistics on the operation of the DLP Module. Configuring s of security officers (see page 19) This section provides instructions on configuring the addresses of Security Officers. You are advised to follow these instructions before using the application. Managing categories (see page 20) This section provides instructions on creating, editing, and deleting DLP categories. Managing policies (see page 24) This section provides instructions on creating, editing, and deleting DLP policies. 5

6 S E C U R I T Y O F F I C E R ' S G U I D E Managing incidents (see page 31) This section provides instructions on processing incidents that have been generated. Managing reports This section provides information on the DLP Module operation reports and instructions on creating, viewing, saving, and deleting reports, as well as instructions on creating, modifying, starting, and deleting report generation tasks. Kaspersky Lab ZAO (see page 54) This section provides information about Kaspersky Lab ZAO. Information about third-party code (see page 55) This section provides information about third-party code used in the application. Trademark notices (see page 56) This section lists third-party trademarks used in this document. DOCUMENT CONVENTIONS This document uses the following conventions (see table below). Table 1. Document conventions SAMPLE TEXT DOCUMENT CONVENTIONS DESCRIPTION Note that... Warnings are highlighted in red and enclosed in frames. Warnings show information about actions that may have unwanted consequences. It is recommended that you use... Example: Notes are enclosed in frames. Notes provide additional and reference information. Examples are given on a yellow background under the heading "Example".... 6

7 A B O U T T H I S G U I D E SAMPLE TEXT An update is... The Databases are outdated event occurs. Press ENTER. Press ALT+F4. Click the Enable button. To configure a task schedule, perform the following steps: Enter help in the command line The following message will appear: Specify the date in DD:MM:YY format. <User name> DOCUMENT CONVENTIONS DESCRIPTION The following elements are italicized in the text: new terms; status variations and application events. Names of keyboard keys appear in bold and are capitalized. Names of keys linked with a + (plus) sign indicate key combinations. These keys have to be pressed simultaneously. UI elements, for example, names of entry fields, menu items, buttons are in bold. Introductory phrases of instructions are printed in italics and marked with an arrow sign. The following types of text content are set off with a special font: command line text; text of program messages output on the screen; Data to be entered using the keyboard. Variables are enclosed in angle brackets. Instead of a variable, the corresponding value should be inserted, with angle brackets omitted. 7

8 KASPERSKY SECURITY 9.0 FOR MICROSOFT EXCHANGE SERVERS Kaspersky Security 9.0 for Microsoft Exchange Servers is an application designed for protection of mail servers based on Microsoft Exchange Server against viruses, Trojan software and other types of threats that may be transmitted via e- mail, as well as spam, phishing, and accidental leaks of confidential corporate data via . Kaspersky Security 9.0 for Microsoft Exchange Servers includes a data leak prevention (DLP) component the DLP Module. The DLP Module analyzes messages for any confidential information or data with specific parameters, such as credit card details, financial or personal data of company employees. On detecting such information in a message, the DLP Module saves an information security breach record (incident) in its internal log. This record helps to determine who attempted to send information and where to. The DLP Module can either block transmission of messages with confidential information or allow transmission and only reflect it in the log. The DLP Module detects information security violations on the basis of DLP categories and DLP policies. If the law in your country requires notifying individuals that their activity on data transmission networks is being monitored, you must warn users about the operation of the DLP Module in advance. Detailed information about the remaining functions is available in the Administrator's Guide for Kaspersky Security 9.0 for Microsoft Exchange Servers. IN THIS SECTION: About DLP categories...8 About DLP policies About incidents About joint work of Security Officers Process of message scanning by the DLP Module About adding X-headers ABOUT DLP CATEGORIES DLP categories (hereinafter also referred to as "categories") are templates of data according to which the DLP Module looks for data leaks in messages. Categories are divided into Kaspersky Lab categories and custom categories. Kaspersky Lab categories are created by Kaspersky Lab experts, supplied together with the application, and updated together with application databases. Custom categories can be created by the user. 8

9 K A S P E R S K Y S E C U R I T Y 9. 0 F O R M I C R O S O F T E X C H A N G E S E R V E R S Custom categories Table data category A category of this type takes the form of a digital impression of table data, such as a table with personal data of employees or customers, retrieved from CRM systems (see section "Creating and editing a table data category" on page 20). A search through this category can detect in protected data certain combinations of cells from among the specified number of rows and columns (see section "Example of a category of table data" on page 21). Keyword category A category of this type takes the form of a keyword or expression created out of keywords using special functions (see section "Creating and editing a keyword category" on page 21). A search through this category can detect in protected data certain combinations of words and expressions that match complex search criteria, such as the presence of two word combinations with a certain number of words between them. A keyword category is used to provide protection against leaks of text data containing certain marker words (such as names of new technologies or products that constitute a trade secret). New user categories and changes made in the user categories are applied to all security Servers with the DLP Module installed within 30 minutes. Kaspersky Lab categories Administrative documents (Russia) This category serves to protect the major administrative and regulatory documents used in Russian record keeping, such as orders and job descriptions. Confidential documents (Russia) This category serves to protect documents used in Russian record keeping and intended for a limited number of persons. For example, documents marked as "For internal use" or "Confidential". Financial documents (Russia) This category serves to protect standard financial documents used at Russian companies, such as invoices, tax invoices, and contracts. Medical data (Russia) This category serves to protect personal medical data of Russian citizens. Medical data (Germany) This category serves to protect personal medical data of German citizens. Medical data (UK) This category serves to protect personal medical data of UK citizens. Medical data (USA) This category serves to protect personal medical data of US citizens. Payment cards This category is designed to protect confidential data according to PCI DSS the Payment Card Industry Data Security Standard. This category helps to detect payment card details in protected data, such as payment card numbers (with or without delimiters, with or without CVV codes) or magnetic stripe dumps. The "Payment cards" category helps to protect personal data of payment card holders against unauthorized use or distribution. 9

10 S E C U R I T Y O F F I C E R ' S G U I D E Personal data (Germany) This category is designed to protect personal data according to the requirements of German law. Personal data (Russia) This category is designed to protect personal data according to the requirements of Russian law. Personal data (UK) This category is designed to protect personal data according to the requirements of UK law. Personal data (USA) This category is designed to protect personal data of individuals according to personally identifiable information protection requirements set forth in US laws. This category helps to detect information that can be used to identify an individual or his/her location, such as passport or driver's license details, information about tax returns or social security numbers. Russian Federal Law No. 152 This category is designed to protect personal data listed in Russian Federal Law No This category combines the "Personal data (Russia)" and "Medical data (Russia)" categories. U.S. Federal Law HIPAA This category is designed to protect personal healthcare data listed in the HIPPA Federal Act of the USA. The set of Kaspersky Lab categories supplied with the application may differ from the list provided above. This set may also be supplemented with new categories as the application databases are updated. ABOUT DLP POLICIES You can create DLP policies on the basis of Kaspersky Lab DLP categories and custom DLP categories (see section "Creating a policy" on page 24) (hereinafter also referred to as policies). The policy scope includes: The plurality of senders whose messages should be scanned by the application according to this policy. The plurality of recipients the messages addressed to whom should be scanned by the application according to this policy. The application applies policies to those outgoing messages that fall within the scope of policies and searches the messages for confidential data corresponding to the categories of such policies. A policy also defines actions to be taken. The application performs these actions on messages found to contain confidential data. Several policies with different scopes and different sets of actions to be taken on messages may be created on the basis of one category. New policies and changes made in the policies are applied to all security Servers with the DLP Module installed within 30 minutes. 10

11 K A S P E R S K Y S E C U R I T Y 9. 0 F O R M I C R O S O F T E X C H A N G E S E R V E R S ABOUT INCIDENTS When the message content matches the category data and all criteria specified in the policy, the DLP Module generates an incident indicating a violation of this policy. If the message violates information security according to several policies at once, the DLP Module generates several incidents matching the number of policies violated (see section "Process of message scanning by the DLP Module" on page 12). Each incident includes information about the incident object (the message that caused an information security breach), the sender and recipients of the message, the violated policy, and service information, such as the incident ID or the time when the incident was generated (see section "Viewing the list of incidents" on page 31). Each incident must be processed by a security officer. Incident processing involves recording a violation and taking the available technical and organizational measures to improve protection of confidential data. Incident status Incident status reflects the stage of incident processing. When an incident is generated, it is assigned the New status label. The security officer changes the incident status over the course of incident processing. Incident processing ends when the security officer assigns one of the Closed (<reason>) status labels to the incident. The New and In progress status labels are open status labels, and the Closed (<reason>) status labels are closed status labels. Table 2. Incident status STATUS TYPE VALUE New Open New incident. Incident processing has not started. In progress Open An incident investigation is in progress. Closed (processed) Closed The incident has been processed successfully, and the required measures have been taken. Closed (false positive) Closed A policy has been violated, but the transmission of protected data was legitimate. There is no information security violation. Policy settings may need to be revised. Closed (not an incident) Closed A policy has been violated, but the transmission of protected data was authorized by a special order. No additional action is required. Closed (other) Closed The incident has been closed for other reasons. Incident priority The incident priority reflects the urgency with which the incident has to be processed. The application assigns an incident priority upon generating the incident (Low, Medium or High). The priority is assigned based on the value specified in the settings of the policy that has been violated. Incident archives Closed incidents can be archived (see section "Archiving incidents" on page 37). Incidents placed in an archive are called archived incidents. Incidents placed in an archive are removed from the list of incidents. If necessary, you can restore incidents from the archive (see section "Restoring incidents from the archive" on page 38) and view them in the list of incidents again. An incident archive is a specially formatted file with the bak extension. You can create an unlimited number of incident archives. Archives help to periodically free up the list of incidents by removing closed incidents, thereby optimizing the use of the incident database volume without losing the history of incidents generated and processed. 11

12 S E C U R I T Y O F F I C E R ' S G U I D E Statistics and reports The application displays statistics on new incidents, incidents being processed, and closed incidents. This information helps to evaluate the status of data protection and the performance of the security officer. This information can be also used to generate reports. ABOUT JOINT WORK OF SECURITY OFFICERS The application allows the joint work of several security officers. Any user who is assigned a role of the "security officer", has access to all controls and functions of the DLP Module. All of the controls and features of DLP Module are available for any user who has been assigned the Information Security Specialist role. PROCESS OF MESSAGE SCANNING BY THE DLP MODULE The DLP Module scans messages using the following algorithm: 1. The DLP Module receives a message. 2. The DLP Module checks whether the message falls within the scope of each one of the existing policies (see section "Creating a policy" on page 24). If the message does not fall within the scope of any one of the policies, the DLP Module skips the message without scanning. If the message falls within the scope of any one of the policies, the DLP Module searches the message for data fragments corresponding to the category of this policy (see section "About DLP categories" on page 8). The search includes the message subject, message content, and all of the message attachments. 3. If the search is successful (matches to the policy category are found in the message), this means that the policy has been violated. The DLP Module generates an incident with the specified priority and takes the actions specified in the policy settings on the message (see section "Editing policy settings" on page 28): Deletes the message or allows message transmission to the user. A message copy can be attached to the incident for subsequent incident investigation. Sends a policy violation notification to the specified recipients (see section "Configuring the delivery of policy violation notifications" on page 28). Information about the action taken on the message is saved in the incident details (see section "Viewing incident details" on page 33). 4. If the search fails, the DLP Module proceeds to scan the message against the next policy. If the message violates information security according to several policies at once, the DLP Module generates several incidents matching the number of policies violated. Messages undergo such processing on all corporate mail servers where the DLP Module is installed. Incidents generated on all corporate mail servers appear in a common list of incidents. If the topology of your mail infrastructure causes the message to pass through two or more mail servers with the DLP Module installed, the message undergoes scanning for data leaks only on one of the servers. This rules out any duplicate incident records and distortion of report statistics (see section "Managing reports" on page 40). 12

13 K A S P E R S K Y S E C U R I T Y 9. 0 F O R M I C R O S O F T E X C H A N G E S E R V E R S ABOUT ADDING X-HEADERS While processing messages the DLP Module adds new X-headers to them. These X-headers make it possible to obtain information on the results of message processing by the DLP Module by analyzing the message. Table 3. X-headers of messages added by the DLP Module X-HEADER X-KSE-Dlp-Interceptor-Info X-KSE-DLP-ScanInfo VALUES license violation a license violation; the message is skipped without being scanned. protection disabled the DLP Module is disabled; the message is skipped without being scanned. fallback the DLP Module is not operational; the message is skipped without being scanned. Overloaded the queue of incoming messages is overflowing; the message is skipped without being scanned. Skipped no policies applicable to the message have been found; the message is skipped without being scanned. Clean the message falls within the scope of one or several policies, but no policy violations have been detected. Detect the message has caused a violation of one or several policies. ScanError a scan error has been encountered. 13

14 APPLICATION INTERFACE The user interface of the application is provided by the Administration Console component. The Administration Console is a dedicated isolated snap-in integrated into Microsoft Management Console (MMC). IN THIS SECTION: Main window of the Administration Console Administration Console tree Workspace MAIN WINDOW OF THE ADMINISTRATION CONSOLE Main window of the Administration Console contains the following items: Menu. Displayed in the upper part of the main window. The menu lets you manage files and windows and access the help system. Administration Console tree. Located in the left part of the main window. The Administration Console tree serves to provide access to application features and settings. Workspace. It is located in the right part of the main window. The workspace shows the contents of the node selected in the Administration Console tree. ADMINISTRATION CONSOLE TREE The console tree includes the Data Leak Protection node designed to obtain information on the status of protection against data leaks. The root node contains the following subnodes for managing the application features: Categories and policies. Configuring Data Leak Protection settings. Incidents. Processing incidents. Reports. Creating, viewing, and otherwise managing DLP Module reports. WORKSPACE The workspace provides access to the contents of the node selected in the Administration Console tree: the application settings and functions or statistics on the operation of the application. The workspace appearance depends on the node selected. 14

15 STARTING AND STOPPING THE APPLICATION To start using the application, launch Administration Console. To launch the Administration Console, In the Start menu, select Programs Kaspersky Security 9.0 for Microsoft Exchange Servers Kaspersky Security 9.0 for Microsoft Exchange Servers. After being started, Administration Console connects to the Security Server. Administration Console shows the Data Leak Protection node and the following nodes: Categories and policies. Incidents. Reports. If Administration Console is not installed on your computer or the type of Administration Console that is running differs from the one described above, contact your administrator. To finish using the application, close Administration Console. To close Administration Console, in the main menu of Administration Console, select File Exit. 15

16 STATUS OF DATA LEAK PROTECTION This section provides information on the default status of Data Leak Protection and instructions on obtaining information about the status of the DLP Module and statistics on the operation of the DLP Module. IN THIS SECTION: Default status of Data Leak Protection Viewing Data Leak Protection status details DEFAULT STATUS OF DATA LEAK PROTECTION After application installation, Data Leak Protection has the following status by default: The DLP Module is enabled. The application includes predefined categories. The application does not have any custom categories. The application does not have any policies. The application does not scan outgoing messages for data leaks and does not generate incidents. The DLP Module skips all incoming messages without modifying them. VIEWING DATA LEAK PROTECTION STATUS DETAILS Information about the status of data leak protection is displayed in the Data Leak Protection node of Administration Console. Details shown in the workspace of the Data Leak Protection node are grouped into three sections: DLP Module status. Opened incidents. Statistics. DLP Module status section The DLP Module status section provides information on the current status of the DLP Module and errors encountered during the operation of the DLP Module on Security Servers of your company. This section contains the following information: DLP Module status (Enabled; Enabled, running with errors; Disabled) Information on the following types of errors (if any): Licensing errors Errors associated with the DLP database Message scan errors Errors of connection with Security Servers with the DLP Module installed. The blocks with error details show the number and list of Security Servers where errors have occurred. 16

17 S T A T U S O F D A T A L E A K P R O T E C T I O N Opened incidents section The Opened incidents section lets you view statistics on currently existing incidents with New and In progress statuses. The following information is displayed in the upper part of the section: Violators. The number of unique senders. Incidents generated while scanning messages of these senders, which currently have New or In progress status. New incidents. The number of currently existing incidents with New status. Incidents under processing. The number of currently existing incidents with In progress status. Opened high-priority incidents. The number of opened incidents (in percentage points) to which High priority has been assigned. This setting reflects the current danger level. The danger level can have the following values: 0%-25%. Low. Highlighted in green. 25%-50%. Medium. Highlighted in yellow. 50%-75%. High. Highlighted in red. 75%-100%. Critical. Highlighted in black. Top 3 violators. A list of three senders. Messages from these senders have violated the largest number of policies, and incidents generated as a result of policy violations by these messages have New or In progress status. A chart showing the number of opened incidents with New and In progress status calculated for each category is displayed in the lower part of the section. Data belonging to all categories is included in the chart by default. You can modify the list of categories for which the chart of opened incidents is created. To modify the list of categories for which the chart of opened incidents is created: 1. Click the Select categories button. The List of categories window opens. 2. Select check boxes for the categories to be reflected in the chart. Then click OK. The chart content is refreshed according to the categories selected. Statistics section The Statistics section lets you obtain information about messages processed and scanned and on the number of incidents closed during the reporting period. The reporting period can be either 7 days or 30 days. You can choose the reporting period. To choose the reporting period, click either one of the links: 7 days or 30 days. Data in the section is refreshed according to the reporting period selected. The upper part of the section contains the following information: Messages processed. Number of messages processed by the DLP Module. Messages scanned. Number of messages that fall into the scope of policies (see section "On DLP policies" on page 10) and have been scanned by the DLP Module. 17

18 S E C U R I T Y O F F I C E R ' S G U I D E Incidents created. Number of incidents generated. Messages skipped due to timeouts. Number of messages that have not been scanned due to timeouts. Messages skipped due to errors. Number of messages that have not been scanned due to errors, including licensing errors. The lower part of the section includes a chart of closed incidents showing the number and percentage of incidents with Closed (processed), Closed (false positive), Closed (not an incident), Closed (other) status, which were generated during the selected reporting period. Incidents restored from the archive are also reflected in the chart (see section "Restoring incidents from the archive" on page 38). Incidents associated with all categories are included in the chart by default. You can modify the list of categories for which the chart of closed incidents is created. To modify the list of categories for which the chart of closed incidents is created: 1. Click the Select categories button. The List of categories window opens. 2. Select check boxes for the categories to be reflected in the chart. Then click OK. The chart content is refreshed according to the categories selected. 18

19 CONFIGURING S OF SECURITY OFFICERS Before using the DLP Module, you are advised to specify the addresses of Security Officers. The application can send notifications about the status of the DLP Module, policy violations, and reports to these addresses. This makes it possible to receive real-time information on the status of information security at the organization. To configure the addresses of security officers: 1. In the Administration Console tree, select the Data Leak Protection node. 2. In the DLP Module status section, click the Configure button. The addresses window opens. 3. In the Addresses of security officers field, enter the addresses, separating them with semicolons. 4. Click OK to save the changes. You are advised to follow this procedure every time there is a change in the staff of security officers at your organization. 19

20 MANAGING CATEGORIES This section provides instructions on creating, editing, and deleting DLP categories. IN THIS SECTION: Creating and editing a table data category Example of a category of table data Creating and editing a keyword category Deleting a category CREATING AND EDITING A TABLE DATA CATEGORY To create or edit a category of table data: 1. In the Administration Console tree, select the Categories and policies node. 2. Perform one of the following steps: To create a new category of table data, click the Add category button. Then select Table data in the dropdown list. To edit an existing category of table data, select it in the list of categories and policies and click the Edit button. A window with category settings appears. 3. Specify the category name of your choice in the Name field. 4. Click Browse and select a CSV file with data to be protected against leaks with the help of a category. The CSV file must be saved in UTF-8 encoding. Other encodings are not supported. The first row in the file is the header. This row is not imported and does not participate in creating a category. 5. In the Column separator drop-down list, select the symbol to be used in the file for separating columns. 6. In the Match level section, specify the threshold values of rows and columns (see section "Example of a category of table data" on page 21). Detailed information on threshold values of rows and columns is available via the Help on configuring the match level link in the Category settings window. 7. Specify additional information pertaining to data included in the category in the Comments field. 8. Click OK. Data from this file is imported into the category. The new / modified category of table data appears in the list of categories and policies. 20

21 M A N A G I N G C A T E G O R I E S EXAMPLE OF A CATEGORY OF TABLE DATA Suppose that the file staff.csv is used as a source of data for a category of table data. The file contains the following data (see table below): Table 4. Contents of the csv file FIRST NAME LAST NAME JOB TITLE POSTAL CODE CITY Ivan Petrov manager Moscow John Smith developer SW3 London Otto Weber tester Berlin The following parameter values are used to create the category: Threshold value of columns = 3. Threshold value of rows = 2. A policy created based on this category is violated when the text of the scanned message is found to contain values from at least three columns (value of the Threshold value of columns parameter) in the same row, and at least two rows (value of the Threshold value of rows parameter). Here, different columns can be found in each one of the rows. A policy created on the basis of this category is violated if the text of the message being scanned is found to contain the following fragments: manager Ivan Petrov and developer John Smith Moscow Ivan tester Weber Berlin A policy created on the basis of this category is not violated if the text of the message being scanned is found to contain the following fragments: Ivan Petrov manager Moscow the text includes data from one table row only. Ivan John tester Otto manager developer the text includes data from two table rows only. CREATING AND EDITING A KEYWORD CATEGORY To create or edit a category based on keywords: 1. In the Administration Console tree, select the Categories and policies node. 2. Perform one of the following steps: To create a new category of keywords, click the New category button. Then select the Keywords item in the drop-down list. To edit an existing category based on keywords, select it in the list of categories and policies and click the Edit button. The Category settings window opens. This window lets you add keywords to a category and specify the category name. 3. Specify values for the following settings: Name. Name assigned to a category. 21

22 S E C U R I T Y O F F I C E R ' S G U I D E Keyword input field. This is a field for entering the keyword or expression according to which messages will be searched for certain text content. A keyword is a word or expression that has to be recognized by the application as confidential information that requires protection against leaks. Keywords are enclosed in quotation marks. By default, the list of keywords is not case-sensitive. Use the "!" character at the start of the keyword to make it case-sensitive. Example:!Kaspersky Lab The application will detect text content in which words in the "Kaspersky Lab" word combination begin with capital letters while the other letters are lower-case. The text where the case of characters in these words differs from the example (e.g. "kaspersky Lab", "kaspersky lab", or "KASPERSKY LAB") will be skipped. A key expression is one or several keywords joined by the operators AND, OR, NEAR, ONEAR. Use the AND operator to detect two or more keywords included in the text at the same time. The order in which the keywords are enumerated does not affect the search. Example: anti-virus AND security. The application will detect text content that includes the words anti-virus and security. Text content that includes only one of these two words will be skipped. Use the OR operator to detect one of the keywords or several keywords in the text. Example: security OR computer protection. The application will detect text content that includes the key word security or the expression computer protection or both. A line break character in an expression is also recognized as the OR operator. A keyword written in a new line is connected to the previous keyword using the OR operator that is not displayed expressly in this case. The NEAR operator is used to detect several keywords separated by several other words in text. Specify the number of words separating the keywords in brackets. Example: security NEAR(6) system. The application detects text content that includes the words security and system that are separated by no more than six words. Words can be separated by blank spaces, line break characters, tab characters, and other characters that are defined in Unicode specifications as blank space characters and punctuation marks. The ONEAR operator is used to detect several keywords separated by several other words in text and appearing in the order specified in the expression. Specify the number of words separating the keywords in brackets. Example: protection ONEAR(4) privacy. The application detects text content in which the word privacy follows the word protection and is separated from it by no more than four words. Words can be separated by blank spaces, line break characters, tab characters, and other characters that are defined in Unicode specifications as blank space characters and punctuation marks. You can create complex expressions that contain several operators. Use round brackets to specify the priority of operators in an expression. Example: (( technologies OR security ) ONEAR(0)!Kaspersky ) AND The application detects text content that includes the number 2014 and the word Kaspersky that immediately follows the word technologies or the word security. 22

23 M A N A G I N G C A T E G O R I E S Such expressions as term1 NEAR(n) ( term2 AND term3 ) and term1 NEAR(n) ( term2 NEAR(m) term3 ) are not supported. The result of processing of such expressions is unknown due to uncertainty that arises when the brackets are expanded. The combined length of expressions with keywords in all categories based on keywords may not exceed 480,000 characters. Comments. Additional information related to the data in this category. 4. Click OK to save the changes. The new or modified category of key terms appears in the list of categories and policies. DELETING A CATEGORY You can delete only custom categories. Kaspersky Lab categories cannot be deleted. To delete a category: 1. In the Administration Console tree, select the Categories and policies node. 2. In the list of categories and policies, select the category that you want to delete. 3. Click the Delete button. Confirm deletion in the window that opens. The selected category is deleted. Policies associated with this category are also deleted. Incidents created according to these policies are saved (see section Viewing the list of incidents on page 31). 23

24 MANAGING POLICIES This section provides instructions on creating, editing, and deleting DLP policies. IN THIS SECTION: Creating a policy Editing policy settings Configuring the delivery of policy violation notifications Deleting a policy Searching for policies associated with a specific user CREATING A POLICY Policies can be created on the basis of existing categories. An unlimited number of policies can be created on the basis of one category (see section "About DLP policies" on page 10). To create a policy: 1. In the Administration Console tree, select the Categories and policies node. 2. In the list of categories and policies, select the category based on which you want to create a policy. 3. Click the New policy button. The Policy Wizard starts. 4. Follow the instructions of the Wizard. Use the Back and Next buttons to navigate the windows of the Wizard. IN THIS SECTION: Step 1. Configuring general settings Step 2. Configuring the policy scope: senders Step 3. Configuring the policy scope: recipients Step 4. Configuring actions STEP 1. CONFIGURING GENERAL SETTINGS At this step, configure the general policy settings: Policy name. Name assigned to a policy. The default value is <Category name> New policy. You can change this value. Policies created on the basis of one category must have unique names. Policies created on the basis of different categories may have identical names. 24

25 M A N A G I N G P O L I C I E S Activate policy right after it is created. Participation of a policy in data leak prevention in accordance with its settings. If the check box is selected, a policy is activated when the Wizard finishes. The application applies the policy to messages and monitors them for data leaks according to the settings specified in the policy. If the check box is cleared, the policy remains inactive after the Wizard finishes and does not participate in data leak prevention. The check box is selected by default. Link to guidance document. Proceed to the next step of the Wizard. A link to a document with security requirements that the policy must conform to, or to an excerpt from this document. This field is optional and may be left blank. STEP 2. CONFIGURING THE POLICY SCOPE: SENDERS At this step, specify the message senders that make up the scope of the policy. The application applies the policy to outgoing messages that have been sent by these senders. Configure the following settings: Any internal users. The policy is applied to messages sent by any user that belongs to the company. This is the default option. Selected users or groups. The policy is applied to messages sent by company users enumerated in the list below. You can user accounts and user groups to the list or remove them using the and buttons. You can add only security groups of users to the list. Distribution groups cannot be added. Contact the administrator for additional information. If the list includes a group of users, the application applies the policy to outgoing messages sent by any users belonging to that group (and also to subgroups). The list is empty by default. Exclusions. The list contains user accounts and groups of user accounts belonging to the company whose messages are excluded from the policy. You can user accounts and user groups to the list or remove them using the and buttons. You can add only security groups of users to the list. Distribution groups cannot be added. Contact the administrator for additional information. If an exclusion has been specified as a group of users, the application does not apply the policy to outgoing messages sent by any users belonging to that group (and also to subgroups). The list is empty by default. Proceed to the next step of the Wizard. STEP 3. CONFIGURING THE POLICY SCOPE: RECIPIENTS At this step, specify the message recipients that make up the scope of the policy. The application applies the policy to outgoing messages that have been sent by these senders. 25

26 S E C U R I T Y O F F I C E R ' S G U I D E Configure the following settings: Any. The policy is applied to messages that are addressed to both users within the company and external recipients. This is the default option. External only. The policy is applied to messages addressed to recipients outside the company. Exclusions. The list contains user accounts, groups of user accounts, and addresses messages addressed to which are excluded from the policy. The following buttons are used to create the list: adds the address in mailbox@domain.com format specified in the entry field to the list. You may use masks, such as *@domain.com. adds a user account or group of user accounts belonging to the company to the list. You can add only security groups of users to the list. Distribution groups cannot be added. Contact the administrator for additional information. removes the selected record from the list. If an exclusion has been specified as a group of users, the application does not apply the policy to outgoing messages addressed to any users belonging to that group (and also to subgroups). The list is empty by default. Proceed to the next step of the Wizard. STEP 4. CONFIGURING ACTIONS At this step, define the actions that the application will take on messages violating the policy and specify the recipients to which the application will send policy violation notifications. To define the actions, configure the following settings: Delete the message. Deletes the message that caused a policy violation. If the check box is selected, the application deletes the message that violated the policy. A message is deleted if any part of the message (header, content, or any attachment) violates a policy. If the check box is cleared, the application skips the message without changes. Regardless of whether or not the check box is selected, when a policy is violated the application logs the event as a possible data leak and creates an incident. The check box is cleared by default. Create incidents with priority. Assessment of the danger of a potential data leak. This drop-down list lets you select the priority that the application assigns to an incident upon policy violation: Low, Medium, High. The priority reflects the degree of danger of policy violation and the urgency with which the incident must be processed. The default value is Low. 26

27 . M A N A G I N G P O L I C I E S Attach message to incident. A message copy is attached to incident information. If the check box is selected, the application attaches a copy of the message that caused a policy violation to incident information for subsequent analysis. If the check box is cleared, the application does not attach a message copy to incident information. The check box is selected by default. Record event to Windows Event Viewer. Adding of policy violation records to Windows Event Viewer. If the check box is selected, the application records the following policy violation event in Windows Event Viewer: Level=Warning; Source=KSCM8; Event ID= The event description contains information about the sender, the recipients, the message subject, about a violated policy and the associated category. Events about a policy violation may be useful if you use automated systems for collection and analysis of security events (SIEM, Security Information and Event Management) to monitor the state of the organization's information security. Using these events you can obtain topical information on incidents that arise when you are not using the Administration Console. If the check box is cleared, events are not recorded in Windows Event Viewer. The check box is cleared by default. To specify notification recipients, configure the following settings: To security officer. A policy violation notification is sent to the addresses of security officers. If the check box is selected, upon a policy violation the application sends a violation notification to the address(es) of security officers. The address or list of addresses of security officers must be specified in advance in the Data Leakage Prevention node. If the check box is cleared, the application does not send notifications to security officers. The check box is cleared by default. To violator. Delivery of a policy violation notification to the message sender. If the check box is selected, upon a policy violation the application sends a notification to the message sender with information about the violation. If the check box is cleared, the application does not send a notification to the message sender. The check box is cleared by default. To violator's manager. Delivery of a policy violation notification to the message sender's manager. If the check box is selected, upon a policy violation the application sends a notification to the message sender's manager with information about the violation. The application retrieves the address of the sender's manager from Active Directory. If the check box is cleared, the application does not send a notification to the message sender's manager. The check box is cleared by default. Additionally. Delivery of policy violation notifications to additional addresses. If the check box is selected, upon a policy violation the application sends a violation notification to the additional addresses specified in the entry field. 27

28 S E C U R I T Y O F F I C E R ' S G U I D E If the check box is cleared, the application does not send a notification to additional addresses. The check box is cleared by default. Entry field. List of additional addresses of notification recipients. Addresses in the list must be separated with a semicolon. The field is active if the Additionally check box is selected. This entry field is blank by default. To complete the Wizard, click the Finish button. EDITING POLICY SETTINGS To edit policy settings: 1. In the Administration Console tree, select the Categories and policies node. 2. In the list of categories and policies, select the policy whose settings you want to edit and click the Settings button. The Policy settings window opens. 3. Edit the settings appearing on the window tabs. The settings on the window tabs are identical to the settings in the Policy Wizard windows (see section "Creating a policy" on page 24). 4. Click OK to save the changes. CONFIGURING THE DELIVERY OF POLICY VIOLATION NOTIFICATIONS You can configure delivery of application violation notifications for each policy. Such notifications enable you and other concerned persons (such as administrators, managers, and other security officers) to learn about data leak threats in real time. Policy violation notifications contain the following information: Name of the violated policy. The name of the category based on which the incident has been generated. Message details: subject, sender's address, and list of addresses of recipients. Incident number, the date and time of incident generation. The context of violations, i.e. fragments of message text or attached document in which protected data was detected. Information about message removal, if the message has been removed by the policy. Policy violation notifications are sent via at the time when the policy is violated. Notification delivery is disabled in policy settings by default. 28