Migration Guide Revision B. McAfee Data Loss Prevention 10.x and 11.0


COPYRIGHT

Copyright 2017 McAfee, LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Introduction
  Migration overview
  Migration workflow
  Differences between versions
  Unsupported features

Installation
  Migrating physical appliances
  Installing McAfee DLP Prevent appliances
  Plan your configuration
  Identify network ports
  Install the extensions
  Configure network information
  Set up the appliance
  Install the appliance
  Post-setup tasks

Configuring system components
  Register an LDAP server
  Create end-user definitions
  Users, groups, and permission sets
  Create a user
  Create a permission set
  Create a McAfee DLP permission set
  The Common Appliance Management policy
  Add an evidence server to store incidents

Classifying sensitive content
  Create a classification
  Create classification criteria
  Create document properties
  Upload registered documents
  From concepts to definitions
  Dictionary definitions
  Advanced pattern definitions
  Create a general classification definition

Protecting with rules, rule sets, and policies
  McAfee DLP Prevent rule reactions and definitions
  Create a rule
  Create a rule set
  Create an address list definition
  Create a network address range
  Create a URL list definition
  Create a network port range
  Create a policy
  Assign a policy to a McAfee DLP Prevent appliance
  Use case: Block outbound messages with confidential content unless they are sent to a specified domain
  Use case: Track intellectual property violations
  Use case: Application-based fingerprinting

Scanning data with McAfee DLP Discover 10.x and later
  Types of repositories
  Types of scans
  Define scan definitions
  Create a classification scan
  Create rules for remediation scans
  Create a scheduled remediation scan
  Use case: Filter the results of a remediation scan

Monitoring and reporting
  Incidents and cases
  Sort and filter incidents
  View incident details
  Update a single incident
  Update multiple incidents
  Create notifications
  Create cases
  Assign a reviewer
  View case information
  Update cases
  Assign incidents to a case
  Use case: Find policy violations by user
  Use case: Find high-risk incidents
  Use case: Set properties to incidents
  Use case: Filter incidents by date, destination, and user
  Assign incident viewing permissions to users in an Active Directory
  Assign case management viewing permissions to a user
  Monitoring system health and status
  McAfee DLP dashboards
  Appliance Management dashboard
  McAfee DLP appliance events

Maintenance and troubleshooting
  Troubleshooting tips
  Managing with the McAfee DLP appliance console
  Accessing the appliance console
  Replace the default certificate
  Error messages
  Configuration backups

Index

1 Introduction

This migration guide provides information that helps you move from McAfee Network Data Loss Prevention (McAfee Network DLP) 9.3.x to McAfee Data Loss Prevention (McAfee DLP) 10.x. It covers the following versions of McAfee DLP products:

- McAfee Data Loss Prevention Discover (McAfee DLP Discover) 9.3.x to version and later
- McAfee Data Loss Prevention Prevent (McAfee DLP Prevent) 9.3.x to versions and later
- McAfee Data Loss Prevention Monitor (McAfee DLP Monitor) 9.3.x to version 11.0

It also provides information to help you get started with your new version of McAfee DLP. For more information, see the McAfee Data Loss Prevention Product Guide for version

Migration overview

There is no automatic upgrade path to move from McAfee Network DLP 9.3.x to McAfee DLP 10.x and later. This guide helps you configure the newer versions of McAfee DLP with settings that behave in a similar way to your McAfee Network DLP 9.3.x setup.

Migration workflow

Use the workflow diagram to install the appliance, then recreate your configuration settings, rules, policies, and incident and case management settings using the tools in McAfee ePO.

McAfee DLP Monitor does not exist in McAfee DLP 10.x.

Installation scenarios

From | To | See
Physical McAfee Network DLP 9.3.x | Physical McAfee DLP 10.x or 11.0 | McAfee DLP Hardware Migration Guide; McAfee DLP Hardware Guide
Physical McAfee Network DLP 9.3.x | Virtual McAfee DLP 10.x or 11.0 | McAfee DLP Hardware Migration Guide; McAfee DLP Product Guide
Virtual McAfee Network DLP 9.3.x | Virtual McAfee DLP 10.x or 11.0 | This guide

For a list of virtual platforms supported by McAfee DLP 10.x and later, see the release notes for your version.

Scenario: Using unified incident and case management or McAfee DLP Manager

Complete the steps in this workflow diagram if:

- Your existing incidents and cases are already available in McAfee ePO.
- You use McAfee DLP Manager to manage incidents and cases.

Incidents and cases in McAfee DLP Manager cannot be migrated to the McAfee DLP 10.x and later tools.

McAfee Network DLP 9.3.x customers and McAfee DLP Endpoint 9.4 customers who chose to retain their McAfee DLP Manager box can keep it available until the incidents and cases are no longer needed.

Scenario: Using the Capture Search feature

McAfee DLP 10.x and later does not include capture functionality.

Differences between versions

Because the product architecture for versions 9.3.x and 10.x and later is different, the configuration settings and data you had in McAfee DLP Manager cannot migrate directly to the McAfee DLP tools in McAfee ePO.

Product names

The 9.3.x version of the product was called McAfee Network Data Loss Prevention (McAfee Network DLP). With version 10.x and later, the Network part of the product name has been dropped to become McAfee Data Loss Prevention.

Product management

With version 10.x and later, products are now managed with McAfee ePO. Configuration settings, rules, concepts and policies that you used in McAfee DLP Manager must be recreated in McAfee ePO.

Keep McAfee DLP Manager available until the incidents and cases are no longer required.

Differences in terms

Most features have the same name in the new version, with a few exceptions.

Table 1-1 Terminology differences

McAfee Network DLP 9.3.x | McAfee DLP 10.x and later
Concept | Dictionary definition; Advanced pattern definitions (regex)
Action rule | Reaction
Template | Classification Definition
Policy | Rule set
Validator | Algorithm
Group | Permission set

Incidents and cases

Incidents and cases in McAfee DLP Manager cannot be migrated to the McAfee DLP 10.x and later tools.

Unsupported features

These features are not supported in McAfee DLP version 10.x and later.

- Capturing data
- Creating definitions using the following settings:
  - Number of lines from the beginning
  - Percentage match
  - Number of bytes from the beginning


2 Installation

To use McAfee DLP 10.x, you must perform a full installation. For instructions on installing McAfee DLP Discover 10.x, see the McAfee Data Loss Prevention Product Guide.

Best practice: Before you begin to install the new version, make a full configuration backup of your current installation so you can return to it if necessary.

Contents

- Migrating physical appliances
- Installing McAfee DLP Prevent appliances

Migrating physical appliances

If you have a model 4400, 5500, or 6600 appliance, you can install McAfee DLP Prevent 10.x or McAfee DLP Monitor

McAfee DLP Manager machines can be repurposed after you've installed McAfee DLP Prevent 10.x or McAfee DLP Monitor 11.0 on your existing appliances.

For more information, see the McAfee Network DLP 9.3.x to McAfee DLP 10.x Hardware Migration Guide available from the McAfee download site.

Model 1650 and 3650 appliances do not support McAfee DLP Prevent 10.x or McAfee DLP Monitor

Installing McAfee DLP Prevent appliances

For more detailed installation instructions, see the McAfee Data Loss Prevention Product Guide for your version of the product.

Plan your configuration

Use the deployment information in the product guide to plan the integration of McAfee DLP products in your network.

1 Familiarize yourself with the McAfee DLP deployment options.
2 Complete the deployment checklist.

Identify network ports

Locate the network ports on your appliance. Unlabeled ports are not used.

Figure 2-1 Model 4400 appliance port configuration

1 Serial port
2 OOB port
3 LAN1 port
4 Remote access port (RMM)
5 Ethernet port or fiber port *
  McAfee DLP Prevent: Unused
  McAfee DLP Monitor: Capture port 1
6 Ethernet port: Unused

* If the appliance has a fiber NIC:
  For McAfee DLP Prevent, the fiber port becomes LAN1.
  For McAfee DLP Monitor, the fiber port becomes Capture port 1.

On some 4400 models, the capture ports might be on a slotted NIC instead of on the motherboard. In this case, these two ports are swapped over.

Figure 2-2 Model 5500 appliance port configuration

1 Ethernet port or fiber port: Unused
2 Ethernet port or fiber port *
  McAfee DLP Prevent: Unused
  McAfee DLP Monitor: Capture port 1
3 OOB port
4 LAN1 *
5 Serial port
6 Remote access port (RMM)

* If the appliance has a fiber NIC:
  For McAfee DLP Prevent, this fiber port (callout 2) becomes the LAN1 port.
  For McAfee DLP Monitor, this fiber port (callout 2) becomes Capture port 1.

Figure 2-3 Model 6600 appliance port configuration

1 LAN1
2 McAfee DLP Prevent: Unused
  McAfee DLP Monitor: Capture port 1
3 OOB port
4 Serial port
5 Remote access port (RMM)

Install the extensions

Prepare the McAfee ePO server for integration with McAfee DLP Appliance Management.

For information about manually installing the extensions, see the product guide.

1 In McAfee ePO, select Menu > Software > Software Manager.
2 In the left pane, expand Software (by Label) and select Data Loss Prevention.
3 Select the entry for McAfee Network Data Loss Prevention.
  These extensions are included: McAfee DLP Common UI Appliance Management Extension McAfee DLP Appliance Management
4 Click Check In.
5 Select the checkbox to accept the agreement, then click OK.

Configure network information

For McAfee DLP appliances, configure the DNS server and NTP server. For McAfee DLP Prevent, you must also configure a Smart Host.

1 In McAfee ePO, select Menu > Policy > Policy Catalog.
2 From the Product drop-down list, select Common Appliance Management.
3 Select the My Default policy.
4 Add the DNS server and the NTP server, then click Save.
5 From the Product drop-down list, select DLP Appliance Management.
6 Select the My Default policy for McAfee DLP Prevent Settings.
7 Enter the IP address of the Smart Host, then click Save.

Set up the appliance

Prepare the appliance for network integration.

The appliance power supply units and the hard disk can be replaced. Instructions are available in the hardware guide.

By default, each appliance is configured with these IP addresses after installation:

- McAfee DLP Prevent, LAN /24: Use the LAN1 network for SMTP or ICAP traffic. You can also use it for management traffic.
- McAfee DLP Monitor, LAN /24: Use the LAN1 network for management traffic.
- OOB /24: (Optional) Use the out-of-band (OOB) network for management traffic including McAfee ePO communication.
- McAfee DLP Monitor: Capture port 1 is used for analysis traffic. It is not configured with any IP address.

If your network uses DHCP, the first IP address that the DHCP server assigns to the McAfee DLP appliance is used instead. You can manually configure the IP address with the Setup Wizard. The appliance does not support using a continuous DHCP configuration.

The default gateway for the appliance must be on the LAN1 subnet. Configure any routing required on the OOB interface using static routes.

1 Install the appliance in a rack.
2 Connect a monitor, keyboard, and mouse to the appliance.
3 Connect the appliance to the network:
  - McAfee DLP Prevent and McAfee DLP Monitor: Connect the LAN1 interface of the appliance to your network.
  - McAfee DLP Monitor: Connect the Capture port 1 interface to your network tap or SPAN port.
4 (Optional) Connect the OOB interface to another network.
  This is required for McAfee DLP Monitor if you are not using LAN1 for your management traffic.

Install the appliance

Install the software and run the Setup Wizard.

1 Prepare the appliance for installation
  appliances
    Turn on the appliance
  and 5500 appliances
    1 Using the installation ISO file, create or set up the external imaging media. You can perform the initial installation using these methods:
      - USB drive: Use image writing software, such as Launchpad Image Writer, to write the image to the USB drive. For more information, see KB
      - USB CD drive (4400 appliances only)
      - Integrated CD drive
      - Virtual CD drive using the remote management module (RMM)
    2 Insert or connect the media to the appliance.
    3 Turn on the appliance.
    4 Before the operating system starts, press F6 for the boot menu and select the external media.
      R3c0n3x is the BIOS password for 4400 appliances.
2 Follow the on-screen prompts.
  When the installation completes, the appliance restarts.
3 Complete the Setup Wizard using the information in the on-screen Help.
4 If the installation fails:
  1 Verify the network connection is working and any configured static routes are correct.
  2 Ping the default gateway and McAfee ePO from the appliance console.
  3 If the problem persists, contact technical support for assistance. Do not perform the installation again.

When you contact technical support, make sure you know the appliance primary serial number. You can find the serial number on the product name sticker on the delivery packaging, the sticker on the bottom-left of the top panel, or the sticker on the pull-out tray on the front panel.

The McAfee DLP appliance is installed and registered to McAfee ePO.

Post-setup tasks

For more information on these tasks, see the product guide.

McAfee DLP appliances

1 Configure an evidence server to store the files that trigger a rule.
2 Configure one or more syslog servers if required.
3 Enable relevant predefined policies and rules.
4 Create additional classifications, policies, and rules to detect potential data loss incidents.
5 Confirm that incidents are recorded in the DLP Incident Manager.

McAfee DLP Prevent appliances

For McAfee DLP Prevent appliances that analyze email traffic:

1 Verify connectivity and mail flow between the mail transfer agent (MTA) server and the McAfee DLP Prevent appliance.
2 Confirm that the X-RCIS-Action: Allow header is added to received email.

For McAfee DLP Prevent appliances that analyze web traffic, verify connectivity between the web proxy server and the appliance.

McAfee DLP Monitor appliances

Generate some traffic that the configured network tap or SPAN can see.

3 Configuring system components

Register LDAP servers, define user permissions and groups, and specify evidence servers in McAfee ePO.

Manage appliances with a new feature in McAfee ePO called Appliance Management, where you specify policies and view system health status for all McAfee DLP Prevent and McAfee DLP Monitor appliances.

Contents

- Register an LDAP server
- Users, groups, and permission sets
- The Common Appliance Management policy
- Add an evidence server to store incidents

Register an LDAP server

You must have a registered LDAP server to use Policy Assignment rules, to enable dynamically-assigned permission sets, and to enable Active Directory User Login.

1 Select Menu > Configuration > Registered Servers, then click New Server.
2 Select LDAP Server from the Server type menu, then specify a unique name and optional description and click Next.
3 Select an OpenLDAP or Active Directory server from the LDAP server type list.
4 Specify a domain name or a specific server name.
  Use DNS-style domain names (such as internaldomain.com), or fully-qualified domain names or IP addresses for servers (such as server1.internaldomain.com or ).
  OpenLDAP servers can only use server names. They cannot be specified by domain.
5 Specify whether to use the Global Catalog (not available for OpenLDAP servers).
  Select it only if the registered domain is the parent of only local domains to avoid potential network traffic, which can impact performance.
6 If you don't use the Global Catalog, select whether to chase referrals.
  Chasing referrals can generate non-local network traffic.
7 Choose whether to use SSL to communicate with this server.
8 If you are configuring an OpenLDAP server, enter the port.
9 Enter a user name and password for an admin account on the server.
  - Active Directory servers: Use the format domain\username
  - OpenLDAP servers: Use the format cn=user,dc=realm,dc=com
10 Enter a Site name for the server, and click Test Connection to verify the connection, then click Save to complete the registration.

Create end-user definitions

McAfee DLP accesses Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) servers to create end-user definitions.

End-user groups are used for administrator assignments and permissions, and in protection and device rules. They can consist of users, user groups, or organizational units (OU), allowing the administrator to choose an appropriate model. Enterprises organized on an OU model can continue using that model, while others can use groups or individual users where needed.

LDAP objects can be identified by name or security ID (SID). SIDs are more secure, and permissions can be maintained even if accounts are renamed. On the other hand, they are stored in hexadecimal, and have to be decoded to convert them to a readable format.

1 In McAfee ePO, select Menu > Data Protection > DLP Policy Manager.
2 Click the Definitions tab.
3 Select Source/Destination > End-User Group, then Actions > New.
4 In the New End-User Group page, enter a unique name and optional description.
5 Select the method of identifying objects (SID or name).
6 Click one of the Add buttons (Add Users, Add Groups, Add OU).
  The selection window displays the selected type of information. The display might take a few seconds if the list is long. If no information appears, select Container and children from the Preset drop-down list.
7 Select names and click OK to add them to the definition.
  Repeat the operation as needed to add users, groups, or organizational users.
8 Click Save.
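
The hexadecimal-to-readable SID conversion mentioned above can be done with a few lines of Python. This is an added example, not code from the guide or from McAfee; the function names are illustrative, and it assumes the hexadecimal value is the standard binary SID structure that Active Directory returns in the objectSid attribute.

```python
import struct


def decode_sid(hex_sid: str) -> str:
    """Decode a binary SID given as hex text into S-1-... string form.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes
    identifier authority (big-endian), then one 4-byte little-endian
    integer per sub-authority.
    """
    raw = bytes.fromhex(hex_sid.strip())
    if len(raw) < 8:
        raise ValueError("SID is shorter than the 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if sub_count > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def encode_sid(text_sid: str) -> str:
    """Inverse of decode_sid: S-1-... string to lowercase hex."""
    parts = text_sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = (bytes([revision, len(subs)])
           + authority.to_bytes(6, "big")
           + struct.pack(f"<{len(subs)}I", *subs))
    return raw.hex()


# Well-known SIDs in binary form (Local System, BUILTIN\Administrators).
WELL_KNOWN_HEX = {
    "010100000000000512000000": "S-1-5-18",
    "01020000000000052000000020020000": "S-1-5-32-544",
}

# Constructed domain account SID, used only to show a round trip.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"

if __name__ == "__main__":
    for hex_value in WELL_KNOWN_HEX:
        print(hex_value, "->", decode_sid(hex_value))
    print(encode_sid(SAMPLE_DOMAIN_SID), "->",
          decode_sid(encode_sid(SAMPLE_DOMAIN_SID)))
```

The last sub-authority (1104 in the constructed sample) is the account's relative ID, which stays the same when the account is renamed.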

Users, groups, and permission sets

Creating users and groups is managed in McAfee DLP 10.x and later in the McAfee ePO Users and Permission Sets sections.

You can also create LDAP user groups in the McAfee ePO DLP Policy Manager. Permission sets in McAfee ePO are referred to as groups in McAfee DLP Manager.

Best practice: Create specific McAfee DLP permission sets, users, and groups. Create different roles by assigning different administrator and reviewer permissions for the different McAfee DLP modules in McAfee ePO.

For more information about users and permission sets in McAfee DLP 10.x and later, see the McAfee Data Loss Prevention Product Guide for your version.

Administrator rights in McAfee ePO

When you install McAfee ePO, an administrator account is created automatically. Administrators have read and write permissions and rights to all operations. By default, the user name for this account is admin. If the default value is changed during installation, this account is named accordingly.

You can create additional administrator accounts for people who require administrator rights. To do so, follow the instructions in Create a user.

Administrator rights include:

- Creating, editing, and deleting source and fallback sites
- Changing server settings
- Adding and deleting user accounts
- Adding, deleting, and assigning permission sets
- Importing events into the McAfee ePO databases and limiting the number of events stored

Create a user

Users in McAfee DLP 10.x are known as local users in McAfee Network DLP 9.3.x.

1 In McAfee ePO, select Menu > User Management > Users.
2 Click New User and type a user name.
3 Select whether to enable or disable the logon status of this account.
  Best practice: Disable this account if it is for someone who is not yet a part of the organization.
4 Select an authentication method for this account, and provide the required credentials.
  - Windows authentication
  - Certificate-Based Authentication
5 (Optional) Provide the user's full name, address, phone number, and a description in the Notes text box.
6 Choose to make the user an administrator, or select the appropriate permission sets.
7 Click Save to return to the Users tab.

The new user appears in the Users list on the User Management page.

Create a permission set

A permission set in McAfee DLP is equivalent to a local group in McAfee Network DLP 9.3.x.

1 In McAfee ePO, select Menu > User Management > Permission Sets.
2 Select a predefined permission set or click New to create one.
3 Type a name, select the users you want to add, then click Save.
4 Click Save.

Create a McAfee DLP permission set

Permission sets define different administrative and reviewer roles in McAfee DLP software.

1 In McAfee ePO, select Menu > User Management > Permission Sets.
2 Select a predefined permission set or click New to create a permission set.
  a Type a name for the set and select users.
  b Click Save.
3 Select a permission set, then click Edit in the Data Loss Prevention section.
  a In the left pane, select a data protection module.
    Incident Management, Operational Events, and Case Management can be selected separately. Other options automatically create predefined groups.
  b Edit the options and override permissions as needed.
    Policy Catalog has no options to edit. If you are assigning Policy Catalog to a permission set, you can edit the sub-modules in the Policy Catalog group.
  c Click Save.

The Common Appliance Management policy

The Common Appliance Management policy category is installed as part of the Appliance Management extension. It applies common settings to new or re-imaged appliances.

- Date and time, and time zone information
- Secure Shell (SSH) remote logon settings
- Lists of DNS servers
- Remote logging settings
- Static routing information
- SNMP alerts and monitoring

Information about these options is available in the Appliance Management Help.

Add an evidence server to store incidents

Some incidents have evidence items associated with them. You can store the evidence on an evidence server.

Before you begin

The evidence server must be a CIFS share with read/write permissions.

1 In McAfee ePO, select Menu > DLP Settings > General.
2 Enter the path to the evidence server in Default Evidence Storage to save the settings and activate the software.
  The evidence storage path must be a network path, that is \\[server]\[share].
3 Provide the user name and password to access the server, and click Save.


4 Classifying sensitive content

With McAfee DLP 10.x and later, content is defined using classifications. Classifications used for McAfee DLP Prevent and McAfee DLP Monitor can contain combinations of definitions, document properties, and registered documents.

For McAfee DLP 10.x and later, content classification is configured in two places in McAfee ePO.

- Menu > Classification > Definitions > Dictionary: Create definitions based on keywords.
- Menu > Classification > Definitions > Advanced Pattern: Create definitions based on regex.

You can associate the predefined definitions as they are to create rules, or create duplicates of the predefined rules that you can customize.

Contents

- Create a classification
- Create classification criteria
- Create document properties
- Upload registered documents
- From concepts to definitions

Create a classification

Data protection and discovery rules require classification definitions in their configuration.

1 In McAfee ePO, select Menu > Data Protection > Classification.
2 Click New Classification.
3 Enter a name and optional description.
4 Click OK.
5 Add end user groups to manual classification, or registered documents to the classification, by clicking Edit for the respective component.
6 Add content classification criteria or content fingerprinting criteria with the Actions control.

Create classification criteria

Apply classification criteria to files based on file content and properties.

You build content classification criteria from data and file definitions. If a required definition does not exist, you can create it as you define the criteria.

1 In McAfee ePO, select Menu > Data Protection > Classification.
2 Select the classification to add the criteria to, then select Actions > New Content Classification Criteria.
3 Enter the name.
4 Select properties and configure the comparison and value entries.
  - To remove a property, click <.
  - For some properties, click ... to select an existing property or to create one.
  - To add additional values to a property, click +.
  - To remove values, click.
5 Click Save.

Create document properties

Create a classification based on document properties.

1 In McAfee ePO, select Menu > Data Protection > Classification.
2 Click New Classification, type a unique name and an optional description.
3 Click Actions, then select New Content Classification Criteria or click the Edit link to change an existing classification criteria.
4 Click Document Properties, then click and select New item.
5 Select the property you want, then click Save.

Upload registered documents

Select and classify documents to distribute to the endpoint computers.

Before you begin

Uploading registered documents requires a license for McAfee DLP Endpoint, McAfee DLP Prevent, or McAfee DLP Monitor.

1 In McAfee ePO, select Menu > Data Protection > Classification.
2 Click the Register Documents tab.
3 Click File Upload.
4 Browse to the file, select whether to overwrite a file if the file name exists, and select a classification.
  File Upload processes a single file. To upload multiple documents, create a .zip file.
5 Click OK.
  The file is uploaded and processed, and statistics are displayed on the page.
6 Click Create Package when the file list is complete.
  When files are deleted, remove them from the list and create a new package to apply the changes.
7 You can create a package of only registered or whitelisted documents by leaving one list blank.

A signature package of all registered documents and all whitelisted documents is loaded to the McAfee ePO database for distribution to the endpoint computers.

McAfee DLP Prevent and McAfee DLP Monitor can access the McAfee ePO database to use registered documents in rule definitions.

From concepts to definitions

McAfee Network DLP 9.3.x uses concepts based on McAfee expressions to create classification criteria. A concept can contain keywords or regular expressions (regex). In McAfee DLP 10.x and later, concepts become definitions. McAfee DLP 10.x and later use Google RE2 syntax expressions to build definitions.

McAfee Network DLP 9.3.x contained some predefined concepts (such as a selection of credit card numbers, HIPAA, and gambling) that match definitions available in McAfee DLP 10.x and later. For those that do not match, you must create them by hand.

To achieve similar functionality with McAfee DLP 10.x and later, create separate definitions for Dictionary definitions (keywords) and Advanced Pattern definitions (regular expressions).

Table 4-1 Regular expressions

Expression | Meaning
\s | DLP 9.3.x: any character [\ \f \n \r \t < > ;]; DLP 10.x: whitespace character
\w | DLP 9.3.x: any alphanumeric character plus underscore; DLP 10.x: any alphanumeric character plus underscore
. | any character
\D | any non-digit
\c | any alpha [A-Z] or [a-z]
\i | case sensitivity off
$ | end of a string
^ (up arrow) | start of a string

For more information about Google RE2, see

Best practice: Before you start to create definitions in McAfee DLP 10.x and later, review your existing concept settings to ensure they are still relevant to your needs, and that they provide the results you expect.

24 4 Classifying sensitive content From concepts to definitions Dictionary definitions A dictionary is a collection of keywords or key phrases where each entry is assigned a score. Content classification and content fingerprinting criteria use specified dictionaries to classify a document if a defined threshold (total score) is exceeded that is, if enough words from the dictionary appear in the document. The assigned scores can be negative or positive, allowing you to look for words or phrases in the presence of other words or phrases. The difference between a dictionary and a string in a keyword definition is the assigned score. A keyword classification always tags the document if the phrase is present. A dictionary classification gives you more flexibility because you can set a threshold when you apply the definition, making the classification relative. The threshold can be up to You can also choose how matches are counted: Count multiple occurrences increases the count with each match, Count each match string only one time counts how many dictionary entries match the document. McAfee DLP software includes several built-in dictionaries with terms commonly used in health, banking, finance, and other industries. You can also create your own dictionaries. Dictionaries can be created and edited manually or by copying and pasting from other documents. Limitations There are some limitations to using dictionaries. Dictionaries are saved in Unicode (UTF-8) and can be written in any language. The following descriptions apply to dictionaries written in English. The descriptions generally apply to other languages, but there might be unforeseen problems in certain languages. Dictionary matching has these characteristics: It is only case sensitive when you create case-sensitive dictionary entries. Built-in dictionaries, created before this feature was available, are not case-sensitive. It can optionally match substrings or whole phrases. It matches phrases including spaces. 
If substring matching is specified, use caution when entering short words because of the potential for false positives. For example, a dictionary entry of "cat" would flag "cataracts" and "duplicate." To prevent these false positives, use the whole phrase matching option, or use statistically improbable phrases (SIPs) to give the best results.

Similar entries are another source of false positives. For example, in some HIPAA disease lists, both "celiac" and "celiac disease" appear as separate entries. If the second term appears in a document and substring matching is specified, it produces two hits (one for each entry) and skews the total score.

Create or import a dictionary definition

A dictionary is a collection of keywords or key phrases where each entry is assigned a score. Scores allow for more granular rule definitions.

You can create a dictionary definition by importing a dictionary file in CSV format. You can also import items with a script containing REST API calls. The administrator running the script must be a valid McAfee epo user who has permissions in McAfee epo Permission Sets to perform the actions that are invoked by the APIs.

Best practice: Dictionary CSV files can use multiple columns. Export a dictionary to understand how the columns are populated before creating a file for import.
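The scoring behaviour described under Dictionary definitions and Limitations, modelled in Python as an added example (not McAfee code): threshold scoring with negative scores, both counting modes, the "cat" substring false positives, and a lint for overlapping entries such as "celiac" and "celiac disease". The `Entry` class, the function names, the word-boundary rule used for whole-phrase matching and the `>=` threshold comparison are assumptions; all sample text is constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    phrase: str
    score: int                    # may be negative
    case_sensitive: bool = False


def count_hits(entry, text, whole_phrase):
    """Number of times one dictionary entry occurs in text."""
    flags = 0 if entry.case_sensitive else re.IGNORECASE
    body = re.escape(entry.phrase)
    # Assumption: whole-phrase mode means the phrase is not embedded in a
    # longer word. Substring mode lets it match anywhere.
    pattern = rf"(?<!\w){body}(?!\w)" if whole_phrase else body
    return len(re.findall(pattern, text, flags))


def dictionary_score(entries, text, whole_phrase=True, count_multiple=True):
    """Total score of a document against a dictionary.

    count_multiple=True  models "Count multiple occurrences".
    count_multiple=False models "Count each match string only one time".
    """
    total = 0
    for entry in entries:
        hits = count_hits(entry, text, whole_phrase)
        if hits:
            total += entry.score * (hits if count_multiple else 1)
    return total


def is_classified(entries, text, threshold, **options):
    # Assumption: the classification applies once the score reaches the
    # threshold; use ">" instead if strict comparison is required.
    return dictionary_score(entries, text, **options) >= threshold


def overlapping_entries(entries):
    """Pre-import lint: pairs where one phrase is contained in another.

    With substring matching, every occurrence of the longer phrase also
    hits the shorter one and inflates the total score.
    """
    phrases = sorted({e.phrase.lower() for e in entries},
                     key=lambda p: (len(p), p))
    return [(a, b) for i, a in enumerate(phrases)
            for b in phrases[i + 1:] if a in b]


# Constructed sample dictionaries and documents.
CAT = [Entry("cat", 1)]
HIPAA = [Entry("celiac", 1), Entry("celiac disease", 1)]
SECURITY = [Entry("security", 1, case_sensitive=True)]
MARKERS = [Entry("confidential", 5), Entry("sample", -5)]

CAT_DOC = "Patient has cataracts; duplicate record on file."
HIPAA_DOC = "Diagnosis: celiac disease."
SECURITY_DOC = "security Security SECURITY security"

if __name__ == "__main__":
    print("cat, substring:   ", dictionary_score(CAT, CAT_DOC, whole_phrase=False))
    print("cat, whole phrase:", dictionary_score(CAT, CAT_DOC))
    print("celiac, substring:", dictionary_score(HIPAA, HIPAA_DOC, whole_phrase=False))
    print("overlaps:         ", overlapping_entries(HIPAA))
    print("security, multi:  ", dictionary_score(SECURITY, SECURITY_DOC))
    print("security, once:   ", dictionary_score(SECURITY, SECURITY_DOC, count_multiple=False))
```

Running the lint on an exported dictionary before import shows which entries will double-count under substring matching.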

1 In McAfee epo, select Menu Data Protection Classification.
2 Click the Definitions tab.
3 In the left pane, select Dictionary.
4 Select Actions New.
5 Enter a name and optional description.
6 Add entries to the dictionary.
  To import entries:
  a Click Import Entries.
  b Enter words or phrases, or cut and paste from another document. The text window is limited to 20,000 lines of 50 characters per line.
  c Click OK. All entries are assigned a default score of 1.
  d If needed, update the default score of 1 by clicking Edit for the entry.
  e Select the Start With, End With, and Case Sensitive columns as needed. Start With and End With provide substring matching.
  To manually create entries:
  a Enter the phrase and score.
  b Select the Start With, End With, and Case Sensitive columns as needed.
  c Click Add.
7 Click Save.

Create a keyword-based dictionary definition

Create a dictionary definition based on keywords.

1 In McAfee epo, go to Classification Definitions Dictionary and click Action New.
2 Give the dictionary a name and an optional description, then click Action Add.
3 In Phrase, type the word security, then set the Score as 1 and select Case Sensitive to only match on the keyword when it is lowercase.
4 Click Add, then click Save.
5 Select Classification New Classification. Give the classification a name, add an optional description and click OK.
6 Select the newly-created classification and click Action New Content Classification Criteria.
7 Select the dictionary and use the comparison (OR/AND/NOT).

8 Click ( ), select the dictionary you recently created, give it a threshold of 10 and click OK.
9 Assign the classification to a rule to trigger the classification.

Advanced pattern definitions

Advanced patterns use regular expressions (regex) that allow complex pattern matching, such as in social security numbers or credit card numbers. Definitions use the Google RE2 regular expression syntax.

Advanced pattern definitions include a score (required), as with dictionary definitions. They can also include an optional validator, an algorithm used to test regular expressions. Use of the proper validator can significantly reduce false positives. The definition can include an optional Ignored Expressions section to further reduce false positives. The ignored expressions can be regex expressions or keywords. You can import multiple keywords to speed up creating the expressions.

When defining an advanced pattern, you can choose how matches are counted:
- Count multiple occurrences increases the count with each match.
- Count each match string only one time counts how many defined patterns give an exact match in the document.

Advanced patterns indicate sensitive text. Sensitive text patterns are redacted in hit highlighted evidence.

If both a matched pattern and an ignored pattern are specified, the ignored pattern has priority. This allows you to specify a general rule and add exceptions to it without rewriting the general rule.

Create a definition based on an advanced pattern

Advanced patterns are used to define classifications. An advanced pattern definition can consist of a single expression or a combination of expressions and false positive definitions.

Advanced patterns are defined using regular expressions (regex). There is no equivalent to the Percentage match, Proximity, and Number of bytes from the beginning options in McAfee DLP 10.x.

1 In McAfee epo, select Menu Data Protection Classification.
2 Select the Definitions tab, then select Advanced pattern in the left pane. To view only the user-defined advanced patterns, deselect the Include Built-in items checkbox. User-defined patterns are the only patterns that can be edited. The available patterns appear in the right pane.
3 Select Actions New.
4 Enter a name and optional description.
5 Under Matched Expressions:
  a Enter an expression in the text box and add an optional description.
  b Select a validator from the drop-down list or if validation is not appropriate for the expression, select No Validation. A validator is the same as algorithm in McAfee DLP 9.3.x. Use it to minimize false positives.
  c Enter a number in the Score field to indicate the weight of the expression in threshold matching.
  d Click Add.

6 Under Ignored Expressions:
  a Enter an expression in the text box. If you have text patterns stored in an external document, copy them into the definition with Import Entries.
  b In the Type field, select RegEx from the drop-down list if the string is a regular expression, or Keyword if it is text. Keyword expressions can also be added using Import Keywords, entering keywords separated by a new line.
  c Click Add.
7 Add the count to the concept:
  a Give all the expressions a score of 1.
  b When you assign the dictionary to the classification, give the threshold the same value that the count setting had in McAfee DLP 9.3.x.
  c Select count multiple occurrence of each match string if the score must be added for multiple occurrence of a single expression in a document.
  d Select count each match string only one time if the score should not be added and should be one even when multiple occurrences of a single expression are present in a document.
  e Select start with and end with to see if the document starts or ends with the expression, or select both options to find the expression anywhere in the document.
  f To match on the number of lines from the beginning of the document, you can create a new regular expression using conditions such as less than, equals, or greater than.
8 Click Save.

Create a regex-based definition

Block a document that has a credit card number in the format xxxx-xxxx-xxxx-xxxx where x is any digit (0-9) that occurs more than 10 times.

1 In McAfee epo, go to Classification Definitions Advanced pattern and click Actions New.
2 Type a name for the advanced pattern and add an optional description.
3 Enter the phrase as \d{4}(- \s)\d{4}(- \s)\d{4}(- \s)\d{4}\d, select Luhn10 as the validator, and give it a score of 1.
4 Specify any credit card numbers that you want to ignore.
5 Click Add, then click Save.
6 Select Classification New Classification, type a name for the classification and add an optional description, then click OK.
7 Select the classification and select Action New Content Classification Criteria, then click Advanced pattern and select the comparison (OR/AND/NOT).
8 Click ( ), select the pattern you recently created and give it a threshold of 10, then click OK.
9 Assign the classification to a rule.
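How a validator and ignored expressions turn raw regex hits into the score that is compared with the threshold, as an added Python sketch (not McAfee code) of the credit card definition above. The pattern is an assumed RE2-compatible expression for the xxxx-xxxx-xxxx-xxxx format rather than the expression printed in step 3, the function names are hypothetical, Python's `re` stands in for RE2, and the sample text is constructed from public test card numbers.

```python
import re

# Assumed pattern: four groups of four digits separated by a hyphen or
# whitespace. It uses only constructs that RE2 also supports.
CARD_RE = re.compile(r"\b\d{4}[-\s]\d{4}[-\s]\d{4}[-\s]\d{4}\b")


def luhn_valid(candidate):
    """Luhn (mod 10) checksum over the digits of a candidate match."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not digits:
        return False
    checksum = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        checksum += digit
    return checksum % 10 == 0


def is_ignored(match, ignored):
    """ignored is a list of ("keyword", text) or ("regex", pattern) pairs."""
    for kind, value in ignored:
        if kind == "keyword" and match == value:
            return True
        if kind == "regex" and re.fullmatch(value, match):
            return True
    return False


def pattern_score(text, score=1, ignored=(), validate=True, count_multiple=True):
    """Score of one advanced pattern against a document.

    Ignored expressions take priority over matched expressions, and the
    validator discards matches that fail the checksum.
    """
    kept = []
    for m in CARD_RE.finditer(text):
        value = m.group(0)
        if validate and not luhn_valid(value):
            continue
        if is_ignored(value, ignored):
            continue
        kept.append(value)
    if not kept:
        return 0
    return score * (len(kept) if count_multiple else 1)


def meets_threshold(text, threshold, **options):
    # Assumption: the criteria match once the score reaches the threshold.
    return pattern_score(text, **options) >= threshold


# Constructed sample document. The tracking number has the right shape but
# fails the Luhn check; the QA card is one the administrator wants ignored.
SAMPLE = (
    "Order A: 4111-1111-1111-1111\n"
    "Order B: 5555 5555 5555 4444\n"
    "Tracking: 1234-5678-9012-3456\n"
    "Order C: 4111-1111-1111-1111\n"
    "QA test card: 4012-8888-8888-1881\n"
)
IGNORED = [("keyword", "4012-8888-8888-1881")]

if __name__ == "__main__":
    print("regex only:          ", pattern_score(SAMPLE, validate=False))
    print("with Luhn validator: ", pattern_score(SAMPLE))
    print("with ignored entries:", pattern_score(SAMPLE, ignored=IGNORED))
    print("counted once:        ", pattern_score(SAMPLE, ignored=IGNORED,
                                                 count_multiple=False))
    print("threshold of 10 met: ", meets_threshold(SAMPLE, 10, ignored=IGNORED))
```

Comparing the regex-only count with the validated count on a sample of real traffic is a quick way to estimate how many false positives the validator removes before choosing a threshold.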

Create a general classification definition

Create and configure definitions for use in classifications and rules.

1 In McAfee epo, select Menu Data Protection Classification.
2 Select the type of definition to configure, then select Actions New.
3 Enter a name and configure the options and properties for the definition. The available options and properties depend on the type of definition.
4 Click Save.

5 Protecting with rules, rule sets, and policies

McAfee DLP 10.x and later uses rules to inspect data and traffic, and takes protective action when it detects rule violations. Rules are grouped into rule sets.

Rules

The rule conditions define what triggers the rule. Depending on the rule type, conditions include classifications, rule definitions, and other criteria. For example, you can create a rule that monitors for when a specific group of users sends out certain company confidential documents as attachments.

Exceptions define parameters excluded from the rule. You might want to block most users from visiting a certain website but allow a certain user group access as an exception.

Rule sets

To recreate the policies you used in DLP Manager, you create rule sets in McAfee DLP 10.x and later. Your rules are grouped into the rule sets. If you have multiple McAfee DLP products, you can combine all rule types into a single rule set.

Policy

Policies in McAfee DLP 10.x and later are sets of definitions, classifications, and rules that define how McAfee DLP products protect your data.

Contents
- McAfee DLP Prevent rule reactions and definitions
- Create a rule
- Create a rule set
- Create an address list definition
- Create a network address range
- Create a URL list definition
- Create a network port range
- Create a policy
- Assign a policy to a McAfee DLP Prevent appliance
- Use case: Block outbound messages with confidential content unless they are sent to a specified domain
- Use case: Track intellectual property violations
- Use case: Application-based fingerprinting

McAfee DLP Prevent rule reactions and definitions

McAfee DLP Prevent works with McAfee DLP Protection rules and Web Protection rules.

Reactions

McAfee DLP Prevent can take these actions when rules are triggered.

Rule type | Reaction | Description
Any | No Action | Allows the traffic or action.
Web Protection, Email Protection | Report Incident | Generates an incident reporting the violation.
 | Store original file as evidence | Stores the file that triggered the rule on the evidence share. You can view evidence in the incident details.
 | User notification | Notifies the user of the violation.
 | Block | Blocks the user from accessing the website.
 | Add Header X-RCIS-Action | These actions are available (listed below).
 | Store original email as evidence | Stores the email that triggered the rule on the evidence share. You can view evidence in the incident details.

Add Header X-RCIS-Action values:
- SCANFAIL: Messages that cannot be analyzed.
- BLOCK: Blocks the message.
- QUART: Quarantines the message.
- ENCRYPT: Encrypts the message.
- BOUNCE: Issues a Non-Delivery Receipt (NDR) message to the sender.
- REDIR: Redirects the message.
- NOTIFY: Notifies supervisory staff.
- ALLOW: Allows the message through. The Allow value is added automatically to all messages that do not contain any matched contents.

Rule reactions do not apply to McAfee DLP Monitor.

Rule definitions

Similar to classifications, rule definitions specify a condition in the rule. McAfee DLP Prevent uses these rule definitions:
- Address List
- Network Port
- End-User Group
- File Extension
- URL List
- Application Template
- User Notification
- File name List
- Network Address

Create a rule

The process for creating a rule is similar for all rule types.

1 In McAfee epo, select Menu Data Protection DLP Policy Manager.
2 Click the Rule Sets tab.

3 Click the name of a rule set and if needed, select the appropriate tab for the Data Protection, Device Control, or Discovery rule.
4 Select Actions New Rule, then select the type of rule.
5 On the Condition tab, enter the information. For some conditions, such as classifications or device template items, click ... to select an existing item or create an item. To add additional criteria, click +. To remove criteria, click.
6 (Optional) To add exceptions to the rule, click the Exceptions tab.
  a Select Actions Add Rule Exception. Device rules do not display an Actions button. To add exceptions to device rules, select an entry from the displayed list.
  b Fill in the fields as needed.
7 On the Reaction tab, configure the Action, User Notification, and Report Incident options. Rules can have different actions, depending on whether the endpoint computer is in the corporate network. Some rules can also have a different action when connected to the corporate network by VPN.
8 Click Save.

Create a rule set

Rule sets combine multiple device protection, data protection, and discovery scan rules.

1 In McAfee epo, select Menu Data Protection DLP Policy Manager.
2 Click the Rule Sets tab.
3 Select Actions New Rule Set.
4 Enter the name and optional note, then click OK.

Create an address list definition

Email address list definitions are predefined domains or specific addresses that can be referenced in protection rules.

To get granularity in protection rules, you include some addresses, and exclude others. Make sure to create both types of definitions.

Best practice: For combinations of operators that you use frequently, add multiple entries to one address list definition.

You can import address lists in CSV format. You can also import items with a script containing REST API calls. The administrator running the script must be a valid McAfee epo user who has permissions in McAfee epo Permission Sets to perform the actions that are invoked by the APIs.

Best practice: Email address list CSV files use multiple columns. Export an address list to understand how the columns are populated before creating a file for import.

Email value definitions support wildcards, and can define conditions. An example of a condition defined with a wildcard is *@intel.com. Combining an address list condition with a user group in a rule increases granularity.

1 In McAfee epo, select Menu Data Protection DLP Policy Manager Definitions.
2 In the left pane, select Address List, then Actions New.
3 Enter a Name and optional Description.
4 Select an Operator from the drop-down list. Operators defined using the Addresses option support wildcards in the Value field. Email protection rules that are enforced on McAfee DLP Prevent or McAfee DLP Monitor do not match on the Display name operators.
5 Enter a value, then click Add.
6 Click Save when you have finished adding addresses.

Create a network address range

Network address ranges serve as filter criteria in network communication protection rules.

For each required definition, perform steps 1-4. For details about product features, usage, and best practices, click ? or Help.

1 In McAfee epo, select Menu Data Protection DLP Policy Manager Definitions.
2 In the left pane, select Network Address (IP address), then click Actions New.
3 Enter a unique name for the definition and an optional description.
4 Enter an address, a range, or a subnet in the text box. Click Add. Correctly formatted examples are displayed on the page. Only IPv4 addresses are supported.
  If you enter an IPv6 address, the message says IP address is invalid rather than saying that it isn't supported.
5 When you have entered all required definitions, click Save.

Create a URL list definition

URL list definitions are used to define web protection rules. They are added to rules as Web address (URL) conditions.

You can create a URL list definition by importing the list in CSV format. You can also import items with a script containing REST API calls. The administrator running the script must be a valid McAfee epo user who has permissions in McAfee epo Permission Sets to perform the actions that are invoked by the APIs.

Best practice: URL list CSV files can use multiple columns. Export a URL list to understand how the columns are populated before creating a file for import.

For each URL required, perform steps 1-4. For details about product features, usage, and best practices, click ? or Help.

1 In McAfee epo, select Menu Data Protection DLP Policy Manager Definitions.
2 In the left pane, select URL List, then select Actions New.
3 Enter a unique Name and optional Definition.
4 Do one of the following:
  - Enter the Protocol, Host, Port, and Path information in the text boxes, then click Add.
  - Paste a URL in the Paste URL text box, then click Parse, then click Add. The URL fields are filled in by the software.
5 When all required URLs are added to the definition, click Save.

Create a network port range

Network port ranges serve as filter criteria in network communication protection rules.

1 In McAfee epo, select Menu Data Protection DLP Policy Manager Definitions.
2 In the left pane, select Network Port, then click Actions New. You can also edit the built-in definitions.
3 Enter a unique name and optional description.
4 Enter the port numbers, separated by commas, and optional description, then click Add.
5 When you have added all required ports, click Save.

Create a policy

1 Click Menu Policy Policy Catalog, select the DLP Appliance Management category, and click New Policy.
2 Select the policy you want to duplicate, type a name for the new policy and click OK. The policy appears in the Policy Catalog.
3 Select the name of the new policy to open the Policy Settings wizard.
4 Edit the policy settings and click Save.

Assign a policy to a McAfee DLP Prevent appliance

Before you begin
- An email protection or web protection rule enforced on McAfee DLP Prevent
- A rule set
- A McAfee DLP Prevent policy that is assigned to a rule set.

1 In McAfee epo, open the policy you created.
2 Select Actions Active Rule Set, then select the rule set from the list and click OK.
3 Click Menu Systems System Tree Assigned Policies, then select a group from the System Tree.
4 Select the product as DLP Appliance Management. All assigned policies, organized by product, appear in the details pane.
5 Click the Edit Assignment link for the DLP Policy category.
6 Select Break inheritance and assign the policy and settings below and change the assigned policy to the policy you created.
7 Click Save.

Use case: Block outbound messages with confidential content unless they are sent to a specified domain

Outbound messages are blocked if they contain the word Confidential, unless the recipient is exempt from the rule.

Table 5-1 Expected behavior

Email contents | Recipient | Expected result
Body: Confidential | external_user@external.com | The message is blocked because it contains the word Confidential.
Body: Confidential | internal_user@example.com | The message is not blocked because the exception settings mean that confidential material can be sent to people at example.com
Body: (empty), Attachment: Confidential | external_user@external.com, internal_user@example.com | The message is blocked because one of the recipients is not allowed to receive it.

1 Create an address list definition for a domain that is exempt from the rule.
  a In the Data Protection section in McAfee epo, select DLP Policy Manager and click Definitions.
  b Select the Address List definition and create a duplicate copy of the built-in My organization domain.
  c Select the address list definition you created, and click Edit.
  d In Operator, select Domain name is and set the value to example.com.
  e Click Save.
2 Create a rule set with an Email Protection rule.
  a Click Rule Sets, then select Actions New Rule Set.
  b Name the rule set Block Confidential in .
  c Create a duplicate copy of the in-built Confidential classification. An editable copy of the classification appears.
  d Click Actions New Rule Protection Rule.
  e Name the new rule Block Confidential and enable it.
  f Enforce the rule on DLP Endpoint for Windows and DLP Prevent.
  g Select the classification you created and add it to the rule.
  h Set the Recipient to any recipient (ALL). Leave the other settings on the Condition tab with the default settings.
3 Add exceptions to the rule.
  a Click Exceptions, then select Actions Add Rule Exception.
  b Type a name for the exception and enable it.

  c Set the classification to Confidential.
  d Set Recipient to at least one recipient belongs to all groups (AND), then select the address list definition you created.
4 Configure the reaction to messages that contain the word Confidential.
  a Click Reaction.
  b In DLP Endpoint, set the Action to Block for computers connected to and disconnected from the corporate network.
  c In DLP Prevent, select the Add header X-RCIS-Action option and click the Block value.
5 Save and apply the policy.

Use case: Track intellectual property violations

Your company has lost intellectual property, and you suspect it was leaked from someone at a specific office location. You can create rule parameters that find the leaked documents and the suspected employee, then monitor their activities to build a legal case and prevent any more data loss.

Before you begin
You must have an Active Directory server and McAfee Logon Collector connected to McAfee DLP. For more information, see the McAfee Data Loss Prevention Product Guide.

1 In McAfee epo, select Menu Data Protection DLP Policy Manager Rule Sets.
2 Either edit an existing rule, or select Actions New Rule Set and create a new one.
3 Select a rule set, then click Actions New Rule, and select the type of rule.
4 Enter a Rule Name, State, and Severity for the rule.
5 Add classification criteria that describe the lost intellectual property. Either select an existing classification, or add a new one.
6 Add classification criteria that describe the lost intellectual property.
  a Click Menu Data Protection Classification.
  b Select the classification and click Actions New Content Classification Criteria.
  c Add conditions that describe the lost intellectual property. For example, you might add keywords, an exact phrase found in the leaked documents, a file type, or a concept.
7 Return to the DLP Policy Manager, and select the Definitions tab.
8 Open the Source/Destination category and add a destination that might identify the recipients of the data. For example, you might have IP addresses, domains, or geographic locations that might help to define the recipient.
9 Click Save. After the rule retrieves incidents.

10 Examine the Incident Details page to confirm the rule retrieves incidents.
11 On the Reaction tab, select Add header X-RCIS-Action from the drop down list in the McAfee DLP Prevent section, then select Block, Quarantine, Redirect, or Notify.

Use case: Application-based fingerprinting

You can classify content as sensitive according to the application that produced it.

In some cases, content can be classified as sensitive by the application that produces it. An example is top-secret military maps. These are JPEG files, typically produced by a specific US Air Force GIS application. By selecting this application in the fingerprinting criteria definition, all JPEG files produced by the application are tagged as sensitive. JPEG files produced by other applications are not tagged.

1 In McAfee epo, select Menu Data Protection Classification.
2 On the Definitions tab, select Application Template, then select Actions New.
3 Enter a name, for example GIS Application, and optional description.
4 Using one or more properties from the Available Properties list, define the GIS application, then click Save.
5 On the Classification tab, click New Classification, and enter a name, for example, GIS application, and optional definition. Click OK.
6 Select Actions New Content Fingerprinting Criteria Application to open the applications fingerprinting criteria page.
7 In the Name field, enter a name for the tag, for example GIS tag.
8 In the Applications field, select the GIS application created in step 1.
9 From the Available Properties File Conditions list, select True File Type, then in the Value field, select Graphic files [built-in]. The built-in definition includes JPEG, as well as other graphic file types. By selecting an application as well as a file type, only JPEG files produced by the application are included in the classification.
10 Click Save, then select Actions Save Classification.

The classification is ready to be used in protection rules.


6 Scanning data with McAfee DLP Discover 10.x and later

The types of scan and rules used by McAfee DLP Discover 10.x and later are different from those available in McAfee Network DLP 9.3.x and must be manually recreated.

Contents
- Types of repositories
- Types of scans
- Define scan definitions
- Create a classification scan
- Create rules for remediation scans
- Create a scheduled remediation scan
- Use case: Filter the results of a remediation scan

Types of repositories

McAfee DLP Discover 10.x and later supports scanning content stored on file servers using CIFS protocol, on-premise SharePoint, and Box. McAfee DLP Discover 11.x adds support for scanning content stored on database servers.

CIFS repositories
When defining a CIFS repository, the UNC path can be the fully qualified domain name (FQDN) (\\myserver1.mydomain.com) or the local computer name (\\myserver1). You can add both conventions to a single definition.

SharePoint repositories
When defining a SharePoint repository, the host name is the server URL unless Alternate Access Mapping (AAM) is configured on the server. For information about AAM, see the SharePoint documentation from Microsoft.

Box repositories
When defining a Box repository, obtain the client ID and client secret from the Box website.

Database repositories
McAfee DLP Discover 11.0 adds support for scanning content in database servers. McAfee DLP Discover 11.0 can scan these database servers:

- Microsoft SQL
- MySQL Enterprise edition
- Oracle

The McAfee Data Loss Prevention 11.0 Release Notes lists the supported database versions. To add a new database repository, use credentials that can access the database and test the connection.

Types of scans

McAfee DLP Discover 10.x and later perform inventory, classification, remediation, and registration scans.

Inventory scan
- Collects metadata but does not retrieve any files or data from the repository
- Returns Online Analytical Processing (OLAP) counters and data inventory (list of files or database table scanned)
- Restores the last access time of files scanned

Classification scan
- Collects the same metadata as an inventory scan
- Analyzes the true file type of files based on the internal file format of the file rather than the extension
- Identifies the classification of files and data stored in databases based on the classification criteria that match the scanned data
- Restores the last access time of files scanned

Remediation scan
Remediation scans apply rules to protect sensitive content in the scanned repository. Each analyzed file is compared against the McAfee DLP Discover rules assigned to the scan. When a file matches the rules in a remediation scan, McAfee DLP Discover can:
- Report an incident to McAfee epo
- Store the original file on the evidence server
- Copy or move the file to a different location
- Apply rights management policy to the file
- (Box scans only) Modify the anonymous share to logon required
- Take no action

The most restrictive action is taken when multiple actions (belonging to different rules) are triggered. Only one action takes place, but all rules that match are reported back to McAfee epo in the incident details. The most restrictive action is reported as the actual action in the Incident Manager.
Example: If multiple rules trigger for the file, the most restrictive action is Move, and two rules have the same action (Move or Copy), only one action is performed. The action taken is the one that belongs to a rule with a higher severity (critical > major > minor > warning > info).

The available reactions depend on the repository type. The table shows the list of actions in order. Move is the most restrictive action and No action is the least restrictive action.

Action File Servers SharePoint (On-premise) Box Database Move x x x Apply RM policy x x x Modify Anonymous sharing to Logon required Copy x x x No Action x x x x x

Document registration scan

McAfee DLP Discover 11.0 adds support for document registration scans. Registration scans extract text content from files stored in repositories and create content fingerprints of the data. The content fingerprints (signatures) are stored in a database of registered document signatures contained in the McAfee DLP server. The fingerprints map to McAfee DLP classifications to identify classified documents or fragments of classified content that was copied from a registered document to a different document.

The content classification fingerprints are used by McAfee DLP Discover classification and remediation scans, or by McAfee DLP Prevent and McAfee DLP Monitor. When McAfee DLP Discover, McAfee DLP Prevent, or McAfee DLP Monitor analyzes a file, it creates fingerprints of the file. The file fingerprints are compared against the registered document fingerprints to identify whether the file is classified. The action it takes on the file is based on the McAfee DLP policy rules that protect that classification.

You can run document registration scans in McAfee DLP Discover to fingerprint content from these file repositories:
- File Servers (CIFS)
- SharePoint
- Box

More than one document registration scan can pick up a file. If the file matches more than two content fingerprinting criteria that correspond to different classifications, the file signatures are recorded as matching more than one classification.
Define scan definitions

All McAfee DLP Discover scans require a definition to specify the repository, credentials, and scheduler.

Before you begin
To define a repository, you must have the user name, password, and path for the repository.

- Repository: The target of the scan.
- Credentials: The credentials needed to access the repository. For example, the user and password that access and scan a file server.
- Scheduler: Defines when the scan runs, and the frequency for repeated runs of the scans.

Best practice: Optional file information definitions are used to define scan filters. Filters allow you to scan repositories in a more granular and efficient manner by defining which scanned files you want the scan to analyze.

1 In McAfee epo, select Menu Data Protection DLP Discover, and click the Definitions tab.
2 Specify credentials for the definition.
  a In the left pane, select Others Credentials.
  b Select Actions New.
  c Enter a unique name for the new definition. The Description and Domain name are optional fields. All other fields are required. If the user is a domain user, use the domain suffix for the Domain name field. If the user is a workgroup user, use the local computer name.
  d For Windows domain credentials, click Test Credential to verify the user name and password. The test does not verify whether the domain is accessible from the McAfee DLP Discover server.
3 Define a repository.
  a In the left pane, under Repositories, select the type of new repository you want to create.
  b Select Actions New, type a unique repository name, and fill in the rest of the information.
  c Click Save.
4 Define a scheduler.
  a In the left pane, select Others Scheduler.
  b Select Actions New and fill in the scheduler information.
  c Click Save.
5 (Optional) Define the file information.
  a In the left pane, select Data File Information.
  b Select Actions New and replace the default name with a unique name for the definition.
  c Select properties to use as filters and fill in the Comparison and Value details.
  d Click Save.

Create a classification scan
Classification scans collect file data based on defined classifications. They provide visibility to data stored on file systems, cloud repositories and databases, and identify where sensitive data is stored. The sensitive data identified by the classification scan can be protected with a remediation scan.

Change the scan type to create remediation and inventory scans.

1 In McAfee ePO, select Menu → Data Protection → DLP Discover.
2 On the Discover Servers tab, select Actions → Detect Servers to refresh the list. The list shows all McAfee DLP Discover servers that are installed and managed by this McAfee ePO server. If the list is long, you can define a filter to display a shorter list.
3 On the Scan Operations tab, select Actions → New Scan and select the repository type.
4 Type a unique name and select Scan Type: Classification, then select a McAfee DLP Discover server that runs the scan, and a schedule when you want the scan to run.
5 (Optional) Set values for Throttling, Files List, or Error Handling or accept the default values.
6 Select the repositories to scan.
  a On the Repositories tab, click Actions → Select Repositories.
  b If needed, specify the credentials for each repository from the drop-down list.
  c (Optional) On the Filters tab, select Actions → Select Filters to specify files to include or exclude. By default, all files are scanned.
7 Select the classifications that you want the scan to check.
  a On the Classifications tab, click Actions → Select Classifications.
  b Select one or more classifications from the list.
  c Click Save.
8 Click Apply policy to push the new scan to the McAfee DLP Discover servers.

Create rules for remediation scans
Use rules to define the action to take when a remediation scan detects files that match classifications.

To enforce Discovery rules, you must create a remediation scan and select one or more rule sets to be enforced by the remediation scan. Discovery rules belong to rule sets, which are simply containers that group multiple rules (of similar or different types) into a logical set with a common denominator. For example, PCI compliance is a rule set that includes multiple rules for protecting PCI content. Each rule belongs to only one rule set. All Discovery rules included in the selected rule sets are evaluated and enforced by the remediation scan. The rule sets

1 In McAfee ePO, select Menu → Data Protection → DLP Policy Manager.
2 On the Rule Sets tab, create a rule set if one does not already exist.
  a Select Actions → New Rule Set.
  b Enter the name and optional note, then click OK.
3 Click the name of a rule set to edit it, then click the Discover tab if needed.
4 Select Actions → New Network Discovery Rule, then select the type of rule.
5 On the Condition tab, configure one or more classifications and repositories.
  - To create an item, click ...
  - To add additional criteria, click +.
  - To remove criteria, click -.
6 (Optional) In the rule condition, select one or more repositories where the rule applies (the scan can analyze files in multiple repositories). By default, the rule applies to files in all repositories.
7 (Optional) On the Exceptions tab, specify any exclusions from triggering the rule. The rule first analyzes the conditions. If a file matches a condition, the rule engine analyzes the rule exceptions. If one of the exceptions matches the file, the rule does not apply to the file.
8 On the Reaction tab, configure the reaction and click Save. The available reactions depend on the repository type.

Create a scheduled remediation scan
Schedule a remediation scan and enforce the Discovery rules.

Before you begin
Create rules for the scan.

Scans run until they are complete unless a suspend time is defined in the scheduler. A scan pauses when it is suspended and resumes when it reaches the end time. If the scan is still running at the time of the next scheduled scan, the next scan is skipped, and scanning restarts at the following interval. For example, if a daily scan starts running on Monday at 9 a.m. and is complete 49 hours later, it restarts Thursday at 9 a.m.

Run at night to prevent extensive bandwidth use during work hours.

1 In McAfee ePO, select Menu → Data Protection → DLP Discover.
2 Click the Scan Operations tab, click Actions → New Scan and select the type of repository you want to scan.
3 Type a unique name for the scan and set the scan type to Remediation.

4 In the scheduler, select a scheduler and define when to run the scan.
5 Select File List to store the list of all analyzed files in the McAfee ePO database. Metadata for each analyzed file is stored, even if no rules matched the file. During the scan, McAfee DLP Discover sends the list of files that are being analyzed to the McAfee ePO server. The list of files is displayed on the Data Inventory tab in DLP Discover.
6 In the Scan operation editor, click the Repositories tab and select one or more repositories to scan.
7 Click the Rules tab, then select Actions → Select Rule Sets to specify one or more rule sets that you want this scan to enforce.
8 Click Save.
9 To push the new scan to McAfee DLP Discover servers, click Apply policy on the Scan Operations tab.

The scan starts running at the scheduled time. You can see its progress in the Scan operations table. Check the Data Inventory tab for a list of files that were analyzed as part of the scan.

Use case: Filter the results of a remediation scan
Get the results of a remediation scan and filter the results.

Before you begin
Create rules for a remediation scan and run the scan.

1 In McAfee ePO, select Menu → Data Protection → DLP Discover and select Scan operations.
2 Select a scan to open the Scan operation editor, then click the History tab to see the scan results. The History tab displays information such as how many files were scanned, and how many files matched the rules. The number of matched files might be higher than the number of incidents reported because a file can match a discovery rule and a remediation action can be performed, but the decision to report an incident to McAfee ePO is optional. In this case, the file is reported as matching the rule, but there is no incident recorded.
3 Click Cancel to close the Scan operation editor.

4 Select Menu → Data Protection → DLP Discover, click Data Analytics, then select the scan name. The Data Analytics view allows you to group the scanned files by up to three categories. For example, the size of the file, the file extension, and the share where the file resides. The number of scanned files that matched the category is shown next to the category. If you selected to store the file list when you configured the scan, each of the group-by categories becomes a link.
5 (Optional) Click a link in the Data Analytics table to go to the Data Inventory tab in DLP Discover, which contains a pre-populated filter that displays the list of files that matched the group-by category.

The Data Analytics and Data Inventory tabs enable you to analyze the files stored in your repositories so you can define and tune your data protection policies.

7 Monitoring and reporting
McAfee DLP offers several features for managing incidents, cases, and appliance status.
- Use the DLP Incident Manager console to view and manage incidents created when rules are triggered.
- Use the DLP Case Management console to view and manage incidents that are assigned to cases.
- Use the DLP Operations console to view errors and administrative events.
- Use the Appliance Management system health cards to monitor the status of each of your McAfee DLP appliances.
- Use the McAfee DLP dashboards in McAfee ePO to retrieve incident information.

Contents
- Incidents and cases
- Monitoring system health and status

Incidents and cases
Incident and case management are handled similarly between McAfee Network DLP 9.3.x and McAfee DLP 10.x and later. With McAfee DLP 10.x and later, incidents are sent to the McAfee ePO Event Parser and stored in a database. Incidents contain the details about the violation, and can optionally include evidence information. You can view incidents and evidence as they are received in the DLP Incident Manager console, which has three tabbed sections:

Incident List: The current list of policy violation events. The following operations can be performed on incidents:
- Case management: Create cases and add selected incidents to a case
- Comments: Add comments to selected incidents
- Email events: Send selected events
- Export device parameters: Export device parameters to a CSV file (Data in-use/motion list only)
- Labels: Set a label for filtering by label
- Release redaction: Remove redaction to view protected fields (requires correct permission)
- Set properties: Edit the severity, status, or resolution; assign a user or group for incident review

Incident Tasks: Use the Incident Tasks or Operational Event Tasks tab to set criteria for scheduled tasks. Tasks set up on the pages work with the McAfee ePO Server Tasks feature to schedule tasks. Tasks can also include assigning reviewers to incidents, setting automatic notifications, and purging all or part of the list.

Incident History: A list containing all historic incidents. Purging the incident list does not affect the history. Displays historical incidents or events based on the current selections. Selections can be View, Time, and Filter.

When a rule is triggered, the incident is reported to the DLP Incident Manager console. Use this console to view, sort, and modify incidents. The DLP Incident Manager displays incidents for all McAfee DLP products. The type of incidents displayed depends on the Present field selection. The Data in-use/motion option includes incidents generated by McAfee DLP Prevent or McAfee DLP Monitor.

Best practice: The incidents from your McAfee Network DLP 9.3.x setup can't be migrated to McAfee ePO unless you were using the unified incident management feature in McAfee ePO. If you continue to need access to any legacy incidents, run your McAfee Network DLP 9.3.x setup in parallel with McAfee DLP 10.x or later until the legacy incidents are no longer required.

Use the DLP Case Management console to group related incidents to a case for further tracking and review. Cases allow administrators to collaborate on the resolution of related incidents. In many situations, a single incident is not an isolated event. You might see multiple incidents in the DLP Incident Manager that share common properties or are related to each other. You can assign these related incidents to a case. Multiple administrators can monitor and manage a case depending on their roles in the organization.

Sort and filter incidents
Arrange the way incidents appear based on attributes such as time, location, user, or severity.

1 In McAfee ePO, select DLP Incident Manager.
2 From the Present drop-down list, select Data in-use/motion.
3 Perform any of these tasks.
  - To sort by column, click a column header.
  - To change columns to a custom view, from the View drop-down list, select a custom view.
  - To filter by time, from the Time drop-down list, select a time frame.
  - To apply a custom filter, from the Filter drop-down list, select a custom filter.
  - To group by attribute:
    1 From the Group By drop-down list, select an attribute. A list of available options appears. The list contains up to 250 of the most frequently occurring options.
    2 Select an option from the list. Incidents that match the selection are displayed.

View incident details
View the information related to an incident.

1 In McAfee ePO, select DLP Incident Manager.
2 From the Present drop-down list, select the option for your product.
3 Click an Incident ID. For McAfee DLP Endpoint, McAfee DLP Monitor, and McAfee DLP Prevent incidents, the page displays general details and source information. Depending on the incident type, destination or device details appear. For McAfee DLP Discover incidents, the page displays general details about the incident.

4 To view additional information, perform any of these tasks.
  - To view user information for McAfee DLP Endpoint incidents, click the user name in the Source area.
  - To view evidence files:
    1 Click the Evidence tab.
    2 Click a file name to open the file with an appropriate program. The Evidence tab also displays the Short Match String, which contains up to three hit highlights as a single string.
  - To view rules that triggered the incident, click the Rules tab.
  - To view classifications, click the Classifications tab. For McAfee DLP Endpoint incidents, the Classifications tab does not appear for some incident types.
  - To view incident history, click the Audit Logs tab.
  - To view comments added to the incident, click the Comments tab.
  - To email the incident details, including decrypted evidence and hit highlight files, select Actions → Email Selected Events.
  - To return to the incident manager, click OK.

Change the view
In addition to using filters to change the view, you can also customize the fields and the order of display. Customized views can be saved and reused. When you save the view, you can also save the time and custom filters. Saved views can be chosen from the drop-down list at the top of the page.

1 To open the Edit View window, click Actions → View → Choose Columns.
2 To move columns to the left or right, use the arrow icons.
3 Use the x icon to delete columns.
4 To apply the customized view, click Update View.
5 To save for future use, click Actions → View → Save View.

Update a single incident
Update incident information such as the severity, status, and reviewer. The Audit Logs tab reports all updates and modifications performed on an incident.

1 In McAfee ePO, select DLP Incident Manager.
2 From the Present drop-down list, select Data in-use/motion.
3 Click an incident. The incident details window opens.
4 In the General Details pane, perform any of these tasks.
  - To update the severity, status, or resolution:
    1 From the Severity, Status, or Resolution drop-down lists, select an option.
    2 Click Save.
  - To update the reviewer:
    1 Next to the Reviewer field, click ...
    2 Select the group or user and click OK.
    3 Click Save.
  - To add a comment:
    1 Select Actions → Add Comment.
    2 Enter a comment, then click OK.

Update multiple incidents
Update multiple incidents with the same information simultaneously.

Example: You have applied a filter to display all incidents from a particular user or scan, and you want to change the severity of these incidents to Major.

1 In McAfee ePO, select DLP Incident Manager.
2 From the Present drop-down list, select Data in-use/motion.
3 Select the checkboxes of the incidents to update. To update all incidents displayed by the current filter, click Select all in this page.
4 Perform any of these tasks.
  - To add a comment, select Actions → Add Comment, enter a comment, then click OK.
  - To send the incidents in an email, select Actions → Email Selected Events, enter the information, then click OK. You can select a template, or create a template by entering the information and clicking Save.
  - To export the incidents, select Actions → Export Selected Events, enter the information, then click OK.

  - To release redaction on the incidents, select Actions → Release Redaction, enter a user name and password, then click OK. You must have data redaction permission to remove redaction.
  - To change the properties, select Actions → Set Properties, change the options, then click OK.

Create notifications
The process to add notifications is similar for DLP Incident Manager and DLP Operations.

1 In McAfee ePO, select Menu → Data Protection → DLP Incident Manager or Menu → Data Protection → DLP Operations.
2 Select either Incident Tasks or Operational Event Tasks, then select Automatic mail Notification. If you chose Incident Tasks, you must also select the type of incident, such as Data-in-use/motion.
3 Click Actions → New Rule and enter a name and optional description. Rules are enabled by default. You can change this setting to delay running the rule.
4 Select which events you want to process, then specify the following information:
  - Recipients
  - Subject
  - Body
  Apart from Body, these fields are required. You can insert variables from the drop-down list as needed.
5 Add the body text.
6 (Optional for DLP Incident Manager) Select the checkbox to attach evidence information to the email.
7 Click Next to add the rule criteria and their Comparison and Value parameters, then click Save.

Create cases
Create a case to group and review related incidents.

1 In McAfee ePO, select Menu → Data Protection → DLP Case Management.
2 Select Actions → New.
3 Enter a title name and configure the options.
4 Click OK.

Assign a reviewer
Assign reviewers to incidents and operational events. Assignments can be by reviewer group or individual reviewer. Use the Permission Sets feature under User Management to create reviewers. The process to set reviewers is similar for DLP Incident Manager and DLP Operations.

1 In McAfee ePO, select Menu → Data Protection → DLP Incident Manager or Menu → Data Protection → DLP Operations.
2 Select either Incident Tasks or Operational Event Tasks, then select Set Reviewer.
3 Click Actions → New Rule and enter a name and optional description. Rules are enabled by default. You can change this setting to delay running the rule.
4 Select a reviewer or group, then click Next.
5 Click Next to add the rule criteria and their Comparison and Value parameters, then click Save.

View case information
View audit logs, user comments, and incidents assigned to a case.

1 In McAfee ePO, select Menu → Data Protection → DLP Case Management.
2 Click on a case ID.
3 Perform any of these tasks.
  - To view incidents assigned to the case, click the Incidents tab.
  - To view user comments, click the Comments tab.
  - To view the audit logs, click the Audit Log tab.
4 Click OK.

Update cases
Update case information such as changing the owner, sending notifications, or adding comments.

Notifications are sent to the case creator, case owner, and selected users when:
- An email is added or changed.
- Incidents are added to or deleted from the case.
- The case title is changed.
- The owner details are changed.
- The priority is changed.
- The resolution is changed.

- Comments are added.
- An attachment is added.

You can disable automatic notifications to the case creator and owner from Menu → Configuration → Server Settings → Data Loss Prevention.

1 In McAfee ePO, select Menu → Data Protection → DLP Case Management.
2 Click a case ID.
3 Perform any of these tasks.
  - To update the case name, in the Title field, enter a new name, then click Save.
  - To update the owner:
    1 Next to the Owner field, click ...
    2 Select the group or user.
    3 Click OK.
    4 Click Save.
  - To update the Priority, Status, or Resolution options, use the drop-down lists to select the items, then click Save.
  - To send notifications:
    1 Next to the Send notifications to field, click ...
    2 Select the users to send notifications to. If no contacts are listed, specify an email server for McAfee ePO and add email addresses for users. Configure the email server from Menu → Configuration → Server Settings → Email Server. Configure users from Menu → User Management → Users.
    3 Click Save.
  - To add a comment to the case:
    1 Click the Comments tab.
    2 Enter the comment in the text field.
    3 Click Add Comment.
4 Click OK.

Assign incidents to a case
Add related incidents to a new or existing case.

1 In McAfee ePO, select Menu → Data Protection → DLP Incident Manager.
2 From the Present drop-down list, select Data in-use/motion.

3 Select the checkboxes of one or more incidents. Use options such as Filter or Group By to show related incidents. To update all incidents displayed by the current filter, click Select all in this page.
4 Assign the incidents to a case.
  - To add to a new case, select Actions → Case Management → Add to new case, enter a title name, and configure the options.
  - To add to an existing case, select Actions → Case Management → Add to existing case, filter by the case ID or title, and select the case.
5 Click OK.

Use case: Find policy violations by user
If you have a lot of incidents to review, it can be difficult to find incidents that are related to a particular user. To find related policy violations, use attributes that identify a user.

1 In McAfee ePO, select DLP Incident Manager.
2 From the Present drop-down list, select the option for your product.
3 Select the desired time.
4 Click Actions, then select Filter → Edit Filter.
5 From Available properties, select a user attribute, such as User Name, or User Primary or User City. The following conditions can be selected from the drop-down list: Equals, Not Equals, Value is Blank, Value is Not Blank, Contains, Does not Contain.
6 Specify the user information in the text field. If you don't have a user's exact information, select the Sender or Recipient filter, add a Contains or Does not Contain condition, and type a string that might match some characters in the user's name, or address.
7 Click Policy Name, then select a policy from the list. This displays the incidents that match both the user information above and the selected policy. Policies that did not generate any matching incidents are not listed.
8 Click Update Filter. Incidents that match the filter criteria are displayed.
9 Click the Save link next to the Filter drop-down list. The saved filter can be reused later.

Use case: Find high-risk incidents
To find high-risk incidents, filter incidents by severity.

1 In McAfee ePO, select DLP Incident Manager.
2 From the Present drop-down list, select the option for your product.
3 From the Group By drop-down list, select Severity.
4 Select the severity you want to apply, such as critical or warning. Incidents that match the filter criteria are displayed.

Use case: Set properties to incidents
You can change incident properties such as the severity to help search for and track certain incidents. The properties are Severity, Status, Resolution, Reviewing Group, and Reviewing User.

1 In McAfee ePO, select DLP Incident Manager.
2 From the Present drop-down list, select the option for your product.
3 Click an incident. The Incident Details window opens.
4 In the General Details pane, perform any of these tasks, then click Save.
  - To update the severity, status, or resolution, select the options you want from the drop-down list, then click Save.
  - Click ... next to the Reviewer field, select the group or user, then click OK.
5 Select Actions → Add Comment.
6 Enter a comment, then click OK.

Use case: Filter incidents by date, destination, and user
Create a filter that identifies incidents sent within the last 24 hours by a particular user.

1 In McAfee ePO, select Menu → Data Protection → DLP Incident Manager.
2 Select Data-in-use/motion from Present.
3 Select Last 24 hours from the Time drop-down list.
4 In Filters, click Edit.
5 In Destination equals add the required destination.
6 Select Username equals and add the name you want to look for.

7 Select Update Filter.
8 In the left-hand panel select Group-by, and choose Rule Set from the drop-down list.

Assign incident viewing permissions to users in an Active Directory
Select users from the Active Directory who can view incidents in the DLP Incident Manager.

Before you begin
Register an Active Directory server in McAfee ePO.

1 In McAfee ePO, select Menu → User Management → Permission Sets.
2 Select the role you want to edit, then click the Edit link under Name and users.
3 Click Add, select the Active Directory users you want to add, then click OK.
4 Click Save.
5 In Data Loss Prevention, click the Edit link.
6 Select Incident Management, then click User can view all incidents.
7 Click Save.

Assign case management viewing permissions to a user
Allow a specific user to view their cases in DLP Case Management.

Before you begin
Create a user in McAfee ePO and assign a permission set to the user.

1 In McAfee ePO, select Menu → User Management → Permission Sets and select the permission set that the user belongs to.
2 Click the Edit link under Name and users.
3 Select the recently created user, and click Save.
4 In Data Loss Prevention, click the Edit link.
5 Select Case Management, and click Users can view cases assigned to them.
6 Click Save.

Monitoring system health and status
Use the Appliance Management dashboard in McAfee ePO to manage your appliances, view system health status, and get detailed information about alerts.

For information about McAfee DLP Prevent or McAfee DLP Monitor appliance status reported in Appliance Management system health cards, see the latest version of the McAfee Data Loss Prevention Product Guide. For information specifically relating to the Appliance Management options, see the Appliance Management online Help.

McAfee DLP dashboards
McAfee DLP 10.x and later add four incident-related charts in McAfee ePO dashboards. You can create new dashboards that contain any of the McAfee DLP charts.
- DLP: Number of Incidents per day (data in-use/in-motion) in a line chart format
- DLP: Number of Incidents per severity (data in-use/in-motion) in a pie-chart format
- DLP: Number of Incidents per type (data in-use/in-motion) in a pie-chart format
- DLP: Number of Incidents per rule set (data in-use/in-motion) in a bar chart format

Appliance Management dashboard
The Appliance Management dashboard combines the Appliances tree view, System Health cards, Alerts and Details panes. The dashboard shows the following information for all of your managed appliances.
- A selection of information about each McAfee DLP appliance. In a McAfee DLP Prevent cluster environment, the system health cards show the tree view display of the cluster master and a number of cluster scanners.
- Indicators to show whether an appliance needs attention.
- Detailed information about any detected issues.

The information bar includes the appliance name, the number of currently reported alerts, and other information specific to the reported appliance.

McAfee DLP appliance events
McAfee DLP appliances send events to the Client Events log or the DLP Operations log.

Client Events log events
Some events include reason codes that you can use to search log files.

Best practice: Regularly purge the Client Events log to stop it becoming full.

Event ID | UI event text | Description
 | LDAP query failure | The query failed. Reasons are provided in the event descriptions.
 | LDAP directory synchronization | Directory synchronization status.
 | Resource usage reached critical level | McAfee DLP Prevent cannot analyze a message because the directory is critically full.

Event ID | UI event text | Description
 | Appliance ISO upgrade success; Appliance ISO upgrade failed; Appliance downgrading to lower version; Internal install image updated successfully; Failed to update internal install image | See the upgrade and image update events listed below.
 | User logon | A user logged on to the appliance. See the codes listed below.
 | User logoff | A user logged off the appliance. See the codes listed below.
 | Certificate Install | Certificate installation success, or Certificate installation failed: <reason>. See the reasons listed below.

Appliance upgrade events:
- 983 Appliance ISO upgrade failed. Detailed logs can be found under /rescue/logs/.
- 984 Appliance ISO upgrade success. The appliance was successfully upgraded to a higher version.
- 985 Appliance downgrading to lower version. This event is sent when the downgrade attempt is initiated.
Upgrade success or failure events are sent after the upgrade is complete. If a clean upgrade or downgrade is requested, the success or failure event is sent after the McAfee ePO connection is established.

Internal installation image updates using SCP events:
- 986 Internal installation image was updated successfully.
- 987 Failed to update the internal installation image.

User logon. A user logged on to the appliance:
- 354 GUI logon successful.
- 355 GUI logon failed.
- 424 SSH logon successful.
- 425 SSH logon failed.
- 426 Appliance console logon successful.
- 427 Appliance console logon failed.
- 430 User switch successful.
- 431 User switch failed.

User logoff. A user logged off the appliance:
- 356 GUI user logged off.
- 357 The session has expired.
- 428 The SSH user logged off.
- 429 The appliance console user logged off.
- 432 The user logged off.

Certificate Install. A certificate might not install due to one of the following reasons:
- Bad passphrase
- No private key
- Chain error
- Bad certificate
- Expired certificate
- Not yet valid
- Bad signature
- Bad CA certificate
- Chain too long
- Wrong purpose
- Revoked
- Bad or missing CRL
The reason is also reported in the syslog. If the reason does not match any of the available reasons, it gives the default Certificate installation failed event.
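The logon and upgrade codes listed above can drive a simple triage pass over exported events. The following is an added example, not code from McAfee or from the guide: the CSV layout (timestamp, appliance, code, user), the appliance and user names, the threshold, and the time window are all assumptions made for illustration; only the numeric codes and their texts come from the table above.

```python
"""Triage of McAfee DLP appliance logon/upgrade codes (added example)."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Codes and texts as listed in the Client Events table on this page.
CODE_TEXT = {
    354: "GUI logon successful", 355: "GUI logon failed",
    424: "SSH logon successful", 425: "SSH logon failed",
    426: "Appliance console logon successful",
    427: "Appliance console logon failed",
    430: "User switch successful", 431: "User switch failed",
    983: "Appliance ISO upgrade failed",
    984: "Appliance ISO upgrade success",
    985: "Appliance downgrading to lower version",
    986: "Internal install image updated successfully",
    987: "Failed to update internal install image",
}
# Failure code -> success code for the same logon channel.
FAIL_TO_SUCCESS = {355: 354, 425: 424, 427: 426, 431: 430}
SUCCESS_CODES = set(FAIL_TO_SUCCESS.values())
# Any change to the installed software is surfaced for change-record review.
SOFTWARE_CHANGE = {983, 984, 985, 986, 987}

# Constructed sample data in a hypothetical export layout (not a McAfee format).
SAMPLE_CSV = """\
timestamp,appliance,code,user
2017-06-01T02:00:05,dlp-prevent-01,425,admin
2017-06-01T02:00:40,dlp-prevent-01,425,admin
2017-06-01T02:01:10,dlp-prevent-01,425,admin
2017-06-01T02:02:00,dlp-prevent-01,424,admin
2017-06-01T02:15:00,dlp-prevent-01,985,
2017-06-01T09:00:00,dlp-monitor-02,355,jsmith
2017-06-01T09:00:30,dlp-monitor-02,354,jsmith
2017-06-01T09:30:00,dlp-monitor-02,356,jsmith
not-a-time,dlp-monitor-02,xyz,jsmith
"""


def parse_events(text):
    """Return well-formed rows sorted by time; malformed rows are skipped."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            code = int(rec["code"])
            ts = datetime.fromisoformat(rec["timestamp"])
        except (KeyError, TypeError, ValueError):
            continue  # one bad row must not abort the whole triage
        rows.append({"ts": ts, "appliance": rec["appliance"] or "",
                     "code": code, "user": rec["user"] or ""})
    return sorted(rows, key=lambda r: r["ts"])


def triage(events, threshold=3, window=timedelta(minutes=10)):
    """Flag failure bursts, successes that follow a burst, and software changes."""
    failures = defaultdict(deque)  # (appliance, user, success code) -> failure times
    findings = []
    for ev in events:
        code, who = ev["code"], (ev["appliance"], ev["user"])
        if code in SOFTWARE_CHANGE:
            findings.append(("software_change", *who, CODE_TEXT[code]))
        elif code in FAIL_TO_SUCCESS:
            q = failures[(*who, FAIL_TO_SUCCESS[code])]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) == threshold:
                findings.append(("failure_burst", *who, CODE_TEXT[code]))
        elif code in SUCCESS_CODES:
            q = failures.pop((*who, code), deque())
            recent = [t for t in q if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append(("success_after_failures", *who, CODE_TEXT[code]))
        # Logoff codes (356, 357, 428, 429, 432) and unknown codes are ignored.
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_CSV)):
        print(finding)
```

A successful logon that follows a burst of failures on the same channel, and any downgrade or image update, are the findings worth reconciling against change records first.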

DLP Operations log events

Event ID | UI event text | Description
 | Policy Change | Appliance Management successfully pushed a policy to the appliance.
 | Policy Push Failed | Appliance Management failed to push a policy to the appliance.
 | Evidence Replication Failed | An evidence file could not be encrypted. An evidence file could not be copied to the evidence server.
 | Analysis Failed | Possible denial-of-service attack. The content could not be decomposed for analysis.
 | DLP Prevent Registered | The appliance successfully registered with McAfee ePO.
 | DLP Monitor Registered | The appliance successfully registered with McAfee ePO.


8 Maintenance and troubleshooting
Use the appliance console for general maintenance tasks such as changing network settings and performing software updates. Troubleshooting options, sanity checks, and error messages are available to help you identify and resolve problems with a McAfee DLP Prevent or McAfee DLP Monitor appliance.

Contents
- Troubleshooting tips
- Managing with the McAfee DLP appliance console
- Accessing the appliance console
- Replace the default certificate
- Error messages
- Configuration backups

Troubleshooting tips
For more information about troubleshooting and maintenance tasks, and information about McAfee DLP Prevent or McAfee DLP Monitor client and operational events, see the McAfee Data Loss Prevention Product Guide.

The appliance failed to register with McAfee ePO
Verify the network connection is working, and any static routes that you created are correct. Ping the default gateway and McAfee ePO from the appliance console to test your network connection. If the registration continues to fail, call technical support. Do not attempt the registration again.

Connection between McAfee ePO and the appliance is lost
You can check the connection status for all your physical and virtual appliances using the Appliance Management feature in McAfee ePO. To restore a failed connection, open the System Tree and select the McAfee DLP Prevent or McAfee DLP Monitor appliance that has lost the connection. Then select Action → Agent → Wake Up Agents and click OK.

McAfee DLP Prevent or McAfee DLP Monitor registration failures
McAfee DLP Prevent or McAfee DLP Monitor registration events are available from the DLP Operations log in McAfee ePO.

Event ID | UI event text | Description
 | DLP Prevent Registered | The appliance successfully registered with McAfee ePO.
 | DLP Monitor Registered | The appliance successfully registered with McAfee ePO.

No events are registered if the McAfee DLP Prevent or McAfee DLP Monitor appliance is unregistered. You can get more information from /var/log/messages.

62 8 Maintenance and troubleshooting Troubleshooting tips delivery issues If is not delivered, check whether it is blocked by a McAfee DLP Prevent appliance. Go to the DLP Incident Manager on McAfee epo to check if there is any corresponding incident for the message. If notification is configured on McAfee epo as a Reaction, the sender is notified. Check if the Smart Host can receive if: McAfee DLP Prevent could not connect to the Smart Host to send the message. The connection to Smart Host was dropped during a conversation. rejection issues If a Smart Host is not configured, McAfee DLP Prevent cannot accept messages because it has nowhere to send them to. Web Gateway and McAfee DLP Prevent ICAP issues Check the McAfee DLP Web Settings category settings in DLP Appliance Management in the Policy Catalog. McAfee DLP Prevent processes ICAP and ICAPs traffic based on selected services from secure ICAP, unencrypted. If neither are selected, the ICAP server on McAfee DLP Prevent does not accept any connection. If only secure ICAP is enabled, ensure that the ICAP client is ICAPs capable. You can select the modes in which McAfee DLP Prevent can operate for the ICAP traffic from REQMOD and RESPMOD. If any of the modes are deselected, that traffic is ignored by the McAfee DLP Prevent appliance and is not processed. Both REQMOD and RESPMOD cannot be disabled at the same time. LDAP and Logon Collector issues If there are communication issues between the McAfee DLP Prevent or McAfee DLP Monitor appliance and the Active Directory while querying user information: Check the Active Directory credentials configured on McAfee epo. If SSL is selected, check that Active Directory accepts secure connections. 
If you configured Active Directory to use Global Catalog ports, check that at least one of these attributes is replicated to the Global Catalog server from the domains in the forest: Proxy addresses Mail If a McAfee DLP Prevent or McAfee DLP Monitor appliance needs to use NTLM authentication for ICAP traffic, these LDAP attributes must also be replicated: configurationnamingcontext netbiosname msds-principalname For Logon Collector, check the Logon Collector certificate on the McAfee DLP Prevent or McAfee DLP Monitor appliance. 62 McAfee Data Loss Prevention 10.x and 11.0 Migration Guide

63 Maintenance and troubleshooting Troubleshooting tips 8 Installation failures Dependency issues There might be a dependency issue if the following extensions are missed: Common UI package Appliance Management Extension Data Loss Prevention Management Extension Upgrade issues the following error occurs if you install the same version or earlier version of the extension: Can't upgrade the extension dlp-prevent-server-app to <version x.x.x.x > because <version x.x.x.x> is already installed. Policy push failures Policy push events are also available from the DLP Operations log in McAfee epo. If policy push fails, details can be obtained from the McAfee DLP Prevent or McAfee DLP Monitor appliance at /wk/mca/ ame_policy_dlpps 1000_error.log System health The Appliance Management dashboard in McAfee epo provides information to manage your appliances, view system health status, and get detailed information about alerts. System health show status of: Evidence Queue Memory and web requests (McAfee DLP Prevent) Disk Packet analysis (McAfee DLP Monitor) Network CPU usage Displays errors or warnings that relate to: System health Evidence queue size Policy enforcement Communication between McAfee epo and McAfee DLP Prevent and McAfee DLP Monitor appliances. Incident Manger issues Issues with user, LDAP, or certificate installation are listed under Client Events Log. 1 In McAfee epo, go to the System Tree. 2 Select the checkbox next to the McAfee DLP Prevent or McAfee DLP Monitor appliance. 3 Select Actions, then go to Agent Show Client Events. McAfee Data Loss Prevention 10.x and 11.0 Migration Guide 63

Incidents are not showing in the DLP Incident Manager
1 Use the Remote Desktop Protocol (RDP) to access McAfee ePO.
2 Go to Services.
3 Confirm that the McAfee ePO Event Parser is running. If it has stopped or paused, restart it to resolve the issue.

McAfee DLP Prevent and McAfee DLP Monitor send logging information to the local syslog, and to one or more remote logging servers if you have them enabled. Syslog entries contain information about the device itself (the vendor, product name, and version), the severity of the event, and the date the event occurred. Use settings in the General category of the Common Appliance policy to set up remote logging servers.

Managing with the McAfee DLP appliance console

Use administrator credentials to open the appliance console to edit network settings you entered in the Setup Wizard and perform other maintenance and troubleshooting tasks. You can add your own text to appear at the top of the appliance console or SSH logon screen using the Custom Logon Banner option in McAfee ePO (Menu > Policy Catalog > DLP Appliance Management > General).

Table 8-1 Appliance console menu options
Option | Definition
Graphical configuration wizard | Open the graphical configuration wizard. If you log on using SSH, the graphical configuration wizard option is not available.
Shell | Open the appliance Shell.
Enable/Disable SSH | Enable or disable SSH as a method of connecting to the appliance.
Generate MER | Create a Minimum Escalation Report (MER) to send to McAfee Support to diagnose problems with the appliance.
Power down | Shut down the appliance.
Reboot | Restart the appliance.
Rescue Image | Create a rescue image for the appliance to boot from.
Reset to factory defaults | Reset the appliance to its factory default settings.
Change password | Change the administrator account password.
Logout | Log off the master appliance.

Accessing the appliance console

The appliance console allows you to perform various maintenance tasks. There are different ways to access the console depending on the type of appliance you have.

Table 8-2 Methods for accessing the console
Method | Virtual appliance | Hardware appliance
SSH | X | X
vSphere Client | X |
Local KVM (keyboard, monitor, mouse) | | X
RMM | | X
Serial port | | X

Replace the default certificate

You can replace the self-signed certificate with one issued by a certificate authority (CA) so that other hosts on the network can validate the appliance's SSL certificate.

Before you begin: SSH must be enabled.

To replace the certificate, you can either:
- Upload a new certificate and private key.
- Download a certificate signing request (CSR) from the appliance, have it signed by a CA, and upload the certificate that the CA gives you.

Best practice: Downloading a CSR from the appliance ensures that the appliance's private key cannot be inadvertently exposed.

Only ECDSA and RSA certificates and keys are allowed in the uploaded file. The certificate must be suitable for use as both a TLS server and a TLS client, and the upload must include the whole certificate chain.

Uploads can be in the following formats:
- PEM (Base64): Certificate chain and private key, or certificate chain only
- PKCS#12: Certificate chain and private key
- PKCS#7: Certificate chain only

If the upload format is PKCS#12 or PKCS#7, the correct file endings must be used:
- PKCS#12 must have the file ending .p12 or .pfx.
- PKCS#7 must have the file ending .p7b.

The certificate might fail to install if:
- The certificate is not usable for its intended role.
- The certificate has expired.
- The uploaded file does not contain the CA certificates that it needs to verify it.
- The certificate uses an unsupported public key algorithm, such as DSA.

If installation fails, detailed information is available in the appliance syslog. To view it, log on to the appliance console, select the Shell option, and type:
    $ grep import_ssl_cert /var/log/messages

1 In a browser, go to and select one of the CSR links for download. Two files are available: one contains an RSA public key (the file ending in .rsa.csr) and the other contains an ECDSA public key (the file ending in .ec.csr).

2 Follow your CA's instructions to get the request signed.
3 Use an SFTP client, such as WinSCP, to copy the file to the /home/admin/upload/cert directory on the appliance. The Client Events log reports whether the installation succeeded or failed. The file installs automatically.

Error messages

If the appliance is not configured correctly, it tries to identify the problem and sends a temporary or permanent failure message. The text in parentheses in the error message provides additional information about the problem. Some error messages relay the response from the Smart Host, so the McAfee DLP Prevent response contains the IP address, which is indicated by x.x.x.x. For example, : Connection refused indicates that the Smart Host with the address did not accept the SMTP connection.

Table 8-3 Temporary failure messages

451 (The system has not been registered with an ePO server)
  Cause: The initial setup was not completed.
  Recommended action: Register the appliance with a McAfee ePO server using the Graphical Configuration Wizard option in the appliance console.

451 (No DNS servers have been configured)
  Cause: The configuration applied from McAfee ePO did not specify any DNS servers.
  Recommended action: Configure at least one DNS server in the General category of the Common Appliance policy.

451 (No Smart Host has been configured)
  Cause: The configuration applied from McAfee ePO did not specify a Smart Host.
  Recommended action: Configure a Smart Host in the McAfee DLP Prevent Settings policy category.

451 (Policy OPG file not found in configured location)
  Cause: The configuration applied from McAfee ePO was incomplete.
  Recommended action: Ensure that the Data Loss Prevention extension is installed. Configure a Data Loss Prevention policy. Contact your technical support representative. The configuration OPG file must be applied with the policy OPG file.

451 (Configuration OPG file not found in configured location)
  Cause: The configuration applied from McAfee ePO was incomplete.
  Recommended action: Ensure that the Data Loss Prevention extension is installed. Configure a Data Loss Prevention policy. Contact your technical support representative. The configuration OPG file must be applied with the policy OPG file.

451 (LDAP server configuration missing)
  Cause: This error occurs when both these conditions are met:
  - McAfee DLP Prevent contains a rule that specifies a sender as a member of an LDAP user group.
  - McAfee DLP Prevent is not configured to receive group information from the LDAP server that contains that user group.
  Recommended action: Check that the LDAP server is selected in the Users and Groups policy category.

451 (Error resolving sender based policy)
  Cause: A policy contains LDAP sender conditions, but cannot get the information from the LDAP server because:
  - McAfee DLP Prevent and the LDAP server have not synchronized.
  - The LDAP server is not responding.
  Recommended action: Check that the LDAP server is available.

451 (FIPS test failed)
  Cause: The cryptographic self-tests required for FIPS compliance failed.
  Recommended action: Contact your technical support representative.

442 x.x.x.x: Connection refused
  Cause: McAfee DLP Prevent could not connect to the Smart Host to send the message, or the connection to Smart Host was dropped during a conversation.
  Recommended action: Check that the Smart Host can receive email.

Table 8-4 Permanent failure messages

550 Host / domain is not permitted
  Cause: McAfee DLP Prevent refused the connection from the source MTA.
  Action: Check that the MTA is in the list of permitted hosts in the McAfee DLP Prevent Settings policy category.

550 x.x.x.x: Denied by policy. TLS conversation required
  Cause: The Smart Host did not accept a STARTTLS command but McAfee DLP Prevent is configured to always send over a TLS connection.
  Action: Check the TLS configuration on the host.

Table 8-5 ICAP error messages

500 (LDAP server configuration missing)
  Cause: This error occurs when both these conditions are met:
  - McAfee DLP Prevent contains a rule that specifies an end-user as a member of an LDAP user group.
  - McAfee DLP Prevent is not configured to receive group information from the LDAP server that contains that user group.
  Action: Check that the LDAP server is selected in the Users and Groups policy category.

500 (Error resolving end-user based policy)
  Cause: A policy contains LDAP sender conditions, but cannot get the information from the LDAP server because:
  - McAfee DLP Prevent and the LDAP server have not synchronized.
  - The LDAP server is not responding.
  Action: Check that the LDAP server is available.
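The install conditions listed under "Replace the default certificate" (RSA or ECDSA key, not expired, usable as both TLS server and TLS client, CA chain included in the file) can be checked before the file is copied to the appliance. The Go program below is an added example, not McAfee code and not part of the guide: it covers PEM uploads only, assumes that a certificate without an EKU extension is unrestricted, and builds its sample certificates at run time; names such as CheckBundle, RunSamples and constructed-N are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Report has one field per install condition the guide lists.
type Report struct{ KeyAlgOK, ValidNow, ServerAndClient, ChainComplete bool }

// CheckBundle inspects a PEM upload: leaf certificate first, then its CA chain.
func CheckBundle(bundle []byte, now time.Time) (Report, error) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "CERTIFICATE" { // skip other blocks, such as a private key
			c, err := x509.ParseCertificate(b.Bytes)
			if err != nil {
				return Report{}, err
			}
			certs = append(certs, c)
		}
	}
	if len(certs) == 0 {
		return Report{}, fmt.Errorf("no CERTIFICATE block in upload")
	}
	leaf, alg := certs[0], certs[0].PublicKeyAlgorithm
	r := Report{KeyAlgOK: alg == x509.RSA || alg == x509.ECDSA, // DSA and others fail
		ValidNow: !now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter)}
	// Assumption: no EKU extension at all means unrestricted use (RFC 5280).
	server := len(leaf.ExtKeyUsage)+len(leaf.UnknownExtKeyUsage) == 0
	client := server
	for _, u := range leaf.ExtKeyUsage {
		server = server || u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageAny
		client = client || u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny
	}
	r.ServerAndClient = server && client
	// Trust only the file: its self-signed CA certificates are the roots.
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		}
	}
	// Verify as of the leaf's start date so expiry is reported by ValidNow alone.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		CurrentTime: leaf.NotBefore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	r.ChainComplete = err == nil
	return r, nil
}

// issue builds a constructed sample certificate; a nil parent makes a self-signed CA.
func issue(n int64, pub, key interface{}, parent *x509.Certificate, end time.Time,
	eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(n), NotAfter: end, ExtKeyUsage: eku,
		Subject:   pkix.Name{CommonName: fmt.Sprintf("constructed-%d.example", n)},
		NotBefore: time.Now().AddDate(-1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// RunSamples checks constructed uploads; three of them break one condition each.
func RunSamples() map[string]Report {
	now, srv, cli := time.Now(), x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := issue(1, &caKey.PublicKey, caKey, nil, now.AddDate(1, 0, 0))
	good := issue(2, &key.PublicKey, caKey, ca, now.AddDate(0, 3, 0), srv, cli)
	check := func(cs ...*x509.Certificate) Report {
		var file []byte // PEM upload: leaf first, then CA certificates
		for _, c := range cs {
			file = append(file, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
		}
		r, _ := CheckBundle(file, now)
		return r
	}
	return map[string]Report{
		"good": check(good, ca), "no-chain": check(good),
		"server-only": check(issue(3, &key.PublicKey, caKey, ca, now.AddDate(0, 3, 0), srv), ca),
		"expired":     check(issue(4, &key.PublicKey, caKey, ca, now.AddDate(0, 0, -1), srv, cli), ca),
	}
}

func main() { fmt.Println(RunSamples()) }
```

To check a real upload, pass the file contents (for example from os.ReadFile) and time.Now() to CheckBundle before copying the file to /home/admin/upload/cert.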

Configuration backups

In McAfee DLP 10.x and later, you can create backups of your configuration data that can be restored. However, appliance settings are not backed up. Backup tasks are run as needed from the backend, and cannot be scheduled.

The following components are included in a McAfee DLP 10.x and later backup:
- The SQL database.
- The installed extensions.
- Keys for McAfee ePO agent-server communication and the repositories.
- All products that have been checked into the Master Repository.
- The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates.

To create a backup of your McAfee DLP 10.x and later configuration, see KB



More information

McAfee Endpoint Security for Servers Product Guide

McAfee Endpoint Security for Servers Product Guide McAfee Endpoint Security for Servers 5.2.0 Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo,

More information

Archiving Service. Exchange server setup (2010) Secure Gateway (SEG) Service Administrative Guides

Archiving Service. Exchange server setup (2010) Secure  Gateway (SEG) Service Administrative Guides Secure E-Mail Gateway (SEG) Service Administrative Guides Archiving Service Exchange server setup (2010) 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks

More information

McAfee Endpoint Security for Linux Threat Prevention Interface Reference Guide

McAfee Endpoint Security for Linux Threat Prevention Interface Reference Guide McAfee Endpoint Security for Linux Threat Prevention 10.5.0 Interface Reference Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

McAfee Content Security Reporter Product Guide. (McAfee epolicy Orchestrator)

McAfee Content Security Reporter Product Guide. (McAfee epolicy Orchestrator) McAfee Content Security Reporter 2.5.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

McAfee Host Intrusion Prevention 8.0

McAfee Host Intrusion Prevention 8.0 Product Guide Self Protection addendum Revision A McAfee Host Intrusion Prevention 8.0 COPYRIGHT 2017 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel and McAfee logos, McAfee Active Protection,

More information

McAfee Network Data Loss Prevention Administration

McAfee Network Data Loss Prevention Administration McAfee Network Data Loss Prevention Administration Education Services administration course The McAfee Data Loss Prevention Administration course enables attendees to receive in-depth training on the benefits

More information

McAfee Content Security Reporter Release Notes. (McAfee epolicy Orchestrator)

McAfee Content Security Reporter Release Notes. (McAfee epolicy Orchestrator) McAfee Content Security Reporter 2.5.0 Release Notes (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

McAfee File and Removable Media Protection 6.0.0

McAfee File and Removable Media Protection 6.0.0 Product Guide McAfee File and Removable Media Protection 6.0.0 COPYRIGHT 2017 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the

More information

McAfee Cloud Workload Security Product Guide

McAfee Cloud Workload Security Product Guide Revision B McAfee Cloud Workload Security 5.1.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

McAfee MVISION Mobile AirWatch Integration Guide

McAfee MVISION Mobile AirWatch Integration Guide McAfee MVISION Mobile AirWatch Integration Guide Administrator's guide for providing Integration with AirWatch MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and

More information

Addendum. McAfee Virtual Advanced Threat Defense

Addendum. McAfee Virtual Advanced Threat Defense Addendum McAfee Virtual Advanced Threat Defense 3.10.2 COPYRIGHT 2017 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or

More information

McAfee Application Control Linux Product Guide. (McAfee epolicy Orchestrator)

McAfee Application Control Linux Product Guide. (McAfee epolicy Orchestrator) McAfee Application Control 6.2.0 - Linux Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

McAfee Cloud Workload Security Suite Amazon Machine Image Installation Guide

McAfee Cloud Workload Security Suite Amazon Machine Image Installation Guide McAfee Cloud Workload Security Suite Amazon Machine Image Installation Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

Migration Guide. McAfee File and Removable Media Protection 5.0.0

Migration Guide. McAfee File and Removable Media Protection 5.0.0 Migration Guide McAfee File and Removable Media Protection 5.0.0 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK

More information

McAfee Investigator Product Guide

McAfee Investigator Product Guide McAfee Investigator Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone,

More information

Addendum. McAfee Virtual Advanced Threat Defense

Addendum. McAfee Virtual Advanced Threat Defense Addendum McAfee Virtual Advanced Threat Defense 3.10.0 COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or

More information

McAfee MVISION Mobile Citrix XenMobile Integration Guide

McAfee MVISION Mobile Citrix XenMobile Integration Guide McAfee MVISION Mobile Citrix XenMobile Integration Guide MVISION Mobile Console 4.22 February 11, 2019 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active

More information

McAfee epolicy Orchestrator 5.9.1

McAfee epolicy Orchestrator 5.9.1 Configuration Guide McAfee epolicy Orchestrator 5.9.1 Hosted in Microsoft Azure Cloud Services and Amazon Web Services (AWS) McAfee epolicy Orchestrator 5.9.1 Configuration Guide 1 COPYRIGHT Copyright

More information

Installation Guide. McAfee Web Gateway. for Riverbed Services Platform

Installation Guide. McAfee Web Gateway. for Riverbed Services Platform Installation Guide McAfee Web Gateway for Riverbed Services Platform COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

McAfee Endpoint Security Threat Prevention Installation Guide - Linux

McAfee Endpoint Security Threat Prevention Installation Guide - Linux McAfee Endpoint Security 10.5.1 - Threat Prevention Installation Guide - Linux COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

McAfee Content Security Reporter 2.6.x Installation Guide

McAfee Content Security Reporter 2.6.x Installation Guide McAfee Content Security Reporter 2.6.x Installation Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

McAfee Content Security Reporter 2.6.x Product Guide

McAfee Content Security Reporter 2.6.x Product Guide McAfee Content Security Reporter 2.6.x Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo,

More information

Installation Guide McAfee Firewall Enterprise (Sidewinder ) on Riverbed Services Platform

Installation Guide McAfee Firewall Enterprise (Sidewinder ) on Riverbed Services Platform Installation Guide McAfee Firewall Enterprise (Sidewinder ) on Riverbed Services Platform version 7.0.1.02 COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be

More information

McAfee Data Exchange Layer Product Guide. (McAfee epolicy Orchestrator)

McAfee Data Exchange Layer Product Guide. (McAfee epolicy Orchestrator) McAfee Data Exchange Layer 4.1.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

McAfee Endpoint Security Threat Prevention Installation Guide - macos

McAfee Endpoint Security Threat Prevention Installation Guide - macos McAfee Endpoint Security 10.5.5 - Threat Prevention Installation Guide - macos COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

McAfee MVISION Mobile IBM MaaS360 Integration Guide

McAfee MVISION Mobile IBM MaaS360 Integration Guide McAfee MVISION Mobile IBM MaaS360 Integration Guide Administrator's guide for providing Integration with IBM MaaS360 MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee

More information

McAfee MVISION Mobile Threat Detection Android App Product Guide

McAfee MVISION Mobile Threat Detection Android App Product Guide McAfee MVISION Mobile Threat Detection Android App 1809.4.7.0 Product Guide September 11, 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

McAfee Policy Auditor 6.2.2

McAfee Policy Auditor 6.2.2 Release Notes McAfee Policy Auditor 6.2.2 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel

More information

McAfee Change Control Linux Product Guide. (McAfee epolicy Orchestrator)

McAfee Change Control Linux Product Guide. (McAfee epolicy Orchestrator) McAfee Change Control 6.2.0 - Linux Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

McAfee MVISION Mobile MobileIron Integration Guide

McAfee MVISION Mobile MobileIron Integration Guide McAfee MVISION Mobile MobileIron Integration Guide Administrator's guide for providing Integration with MobileIron MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee

More information

Product Guide. McAfee Performance Optimizer 2.2.0

Product Guide. McAfee Performance Optimizer 2.2.0 Product Guide McAfee Performance Optimizer 2.2.0 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee

More information

McAfee VirusScan and McAfee epolicy Orchestrator Administration Course

McAfee VirusScan and McAfee epolicy Orchestrator Administration Course McAfee VirusScan and McAfee epolicy Orchestrator Administration Course Education Services administration course training The McAfee VirusScan Enterprise and McAfee epolicy Orchestrator (McAfee epo ) Administration

More information

McAfee MVISION Mobile IBM MaaS360 Integration Guide

McAfee MVISION Mobile IBM MaaS360 Integration Guide McAfee MVISION Mobile IBM MaaS360 Integration Guide MVISION Mobile Console 4.22 February 11, 2019 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

McAfee Application Control Windows Installation Guide

McAfee Application Control Windows Installation Guide McAfee Application Control 8.2.0 - Windows Installation Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

Installation Guide Revision B. McAfee Active Response 2.2.0

Installation Guide Revision B. McAfee Active Response 2.2.0 Installation Guide Revision B McAfee Active Response 2.2.0 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

McAfee Change Control and McAfee Application Control 8.0.0

McAfee Change Control and McAfee Application Control 8.0.0 Installation Guide McAfee Change Control and McAfee Application Control 8.0.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 Revision J McAfee Network Security Platform 8.3 (Integration Guide) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

Account Management. Administrator Guide. Secure Gateway (SEG) Service Administrative Guides. Revised August 2013

Account Management. Administrator Guide. Secure  Gateway (SEG) Service Administrative Guides. Revised August 2013 Secure E-Mail Gateway (SEG) Service Administrative Guides Account Management Administrator Guide Revised August 2013 * The Directory Services Connector (DSC) feature is not included as a standard feature

More information

McAfee Threat Intelligence Exchange Installation Guide. (McAfee epolicy Orchestrator)

McAfee Threat Intelligence Exchange Installation Guide. (McAfee epolicy Orchestrator) McAfee Threat Intelligence Exchange 2.2.0 Installation Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

McAfee MVISION Mobile Silverback Integration Guide

McAfee MVISION Mobile Silverback Integration Guide McAfee MVISION Mobile Silverback Integration Guide Administrator's guide for providing Integration with Silverback MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee

More information

McAfee epolicy Orchestrator Software

McAfee epolicy Orchestrator Software User Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Cloud Workload Discovery 4.5.1

Cloud Workload Discovery 4.5.1 Product Guide Cloud Workload Discovery 4.5.1 For use with McAfee epolicy Orchestrator COPYRIGHT 2017 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel

More information

McAfee Performance Optimizer 2.1.0

McAfee Performance Optimizer 2.1.0 Product Guide McAfee Performance Optimizer 2.1.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the

More information

McAfee Agent 5.6.x Product Guide

McAfee Agent 5.6.x Product Guide McAfee Agent 5.6.x Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone,

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Marketo Cloud Connector Guide McAfee Cloud Identity Manager version 3.5 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

McAfee Enterprise Mobility Management 12.0 Software

McAfee Enterprise Mobility Management 12.0 Software Product Guide McAfee Enterprise Mobility Management 12.0 Software For use with epolicy Orchestrator 4.6.7-5.1 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Product Guide Revision A. Endpoint Intelligence Agent 2.2.0

Product Guide Revision A. Endpoint Intelligence Agent 2.2.0 Product Guide Revision A Endpoint Intelligence Agent 2.2.0 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager WebExConnect Cloud Connector Guide McAfee Cloud Identity Manager version 3.5 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

McAfee Network Security Platform 8.1

McAfee Network Security Platform 8.1 Revision M McAfee Network Security Platform 8.1 (Integration Guide) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Syncplicity Cloud Connector Guide McAfee Cloud Identity Manager version 3.1 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

McAfee Web Gateway Administration

McAfee Web Gateway Administration McAfee Web Gateway Administration Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction to the tasks crucial

More information

Product overview. McAfee Web Protection Hybrid Integration Guide. Overview

Product overview. McAfee Web Protection Hybrid Integration Guide. Overview McAfee Web Protection Hybrid Integration Guide Product overview Overview The McAfee Web Protection hybrid solution is the integration of McAfee Web Gateway and McAfee Web Gateway Cloud Service (McAfee

More information

McAfee MOVE AntiVirus Installation Guide. (McAfee epolicy Orchestrator)

McAfee MOVE AntiVirus Installation Guide. (McAfee epolicy Orchestrator) McAfee MOVE AntiVirus 4.7.0 Installation Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information