Data Loss Prevention Implementation Guide
Installing DLP and Testing basic scenarios.
Alejandro Marthi
24 March 2020
For POCs and demos from scratch
forcepoint.com

Data Loss Prevention for Dummies Guide

Before you begin

Here are some things you will need before you begin this lab.

Option 1 - A configured DLP solution (this will be used when using Forcepoint virtual labs): Your instructor will have guided you through the initial/basic configuration of your on-prem DLP Security solution. This will likely be performed in Forcepoint virtual labs; however, that is not a requirement.

Option 2 - An on-prem DLP solution from scratch (POCs or partner internal practice): You will have an on-prem infrastructure, either in the partner premises or with a customer/prospect, for POCs or for demoing the DLP solution from scratch.

A folder to store your DLP screenshots: Throughout the lab or POC implementation you will be asked to take screenshots of your configurations. Please create a folder on your laptop or desktop to save these screenshots and name it <Your Name>-DLP. This will help you keep track of what you have done in the specific environment, and in a POC it gives you a technical record to hand over to the end user as a reference. In the case of the virtual labs, you will be asked to send a compressed archive of the screenshots generated in this lab. Please give your files descriptive names so that the person who receives them can quickly identify which step each screenshot belongs to and what it shows.

A means to get the files to a specific destination: If your reports archive is over 20MB it will not go over email and will need to be sent via another method.

TABLE OF CONTENTS

UNDERSTANDING YOUR ENVIRONMENT (BASE CONFIGURATION) ... 4
SETTING UP THE BASICS (FOR FORCEPOINT VIRTUAL LAB ONLY) ... 6
DOWNLOADING FSM SOFTWARE ... 22
KNOWING FSM SOFTWARE INSTALLATION ... 22
INSTALLING THE SQL SERVER SOFTWARE ... 24
CONFIGURING THE FORCEPOINT SECURITY MANAGER SOFTWARE ... 29
INSTALLING THE DLP COMPONENT ON FSM ... 35
ADD AN AD SERVER (MICROSOFT DOMAIN CONTROLLER) IF REQUIRED ... 41
CONFIGURE USER DIRECTORY SETTINGS ... 42
BUILDING YOUR ENDPOINT ... 43
INSTALLING THE ENDPOINT IN THE CLIENTS ... 48
DLP POLICIES – PREDEFINED POLICIES ... 53
USE CASE #1 - BASIC PII POLICIES ... 54
USE CASE #2 – THE USB DILEMMA ... 65
USE CASE #3 – THE USB DILEMMA – ENCRYPTING THE FILE ... 67
USE CASE #4 - TRYING TO SHARE IN THE NETWORK ... 72
USE CASE #5 – STOPPING EDITING ON THE APPLICATIONS ... 75
USE CASE #6 - PCI (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD) ... 78
USE CASE #7 – CREDIT CARDS BE MORE SPECIFIC ... 82
USE CASE #8 – PATTERNS AND PHRASES ... 86
USE CASE #9 – FINGERPRINTING ... 93
USE CASE #10 – INSTALLING IRR SERVER ... 103
USE CASE #11 – PROTECTING THE WEB CHANNEL ... 127
INSTALLING THE DLP COMPONENT ON A SUPPLEMENTAL DLP SERVER ... 133
USE CASE #12 – IDENTIFYING TEXT ON AN IMAGE ... 136
APPENDIX 1 – DLP POLICIES ... 138
APPENDIX 2 – DLP ENDPOINT DETAILS ... 141
APPENDIX 3 - KNOWING THE COMPONENTS (FORCEPOINT DLP SOLUTION) ... 145

Understanding your environment (Base Configuration)

In order to start this implementation, we are assuming you know how to build the environment, either on-prem or in the Forcepoint virtual desktop. Remember that you will need to build the full required environment; when you finish building it you will see something similar to the following. This scenario can change depending on the POC or virtual lab you are implementing.

NOTE: Remember that this is just the beginning. Please be sure to understand the dynamics of this implementation so you can add/delete the components you require. For the virtual lab you will have the following considerations:

Name: FSMServer
IP (this is an example IP, it can change): 192.168.122.20
Username/Password: Windows User: Administrator / Windows Password: Provided / FSM User: admin / FSM Password: Provided
Description: Forcepoint Security Manager Server on Windows Server 2016

Name: Windows 10
IP (this is an example IP, it can change): 192.168.122.xx
Username/Password: Windows User: Administrator / Windows Password: Provided
Description: This is the Windows 10 client where you will install the DLP Agent

Components and required elements:
• Forcepoint Security Manager (FSM)
  - For Virtual Lab - Windows Server 2016 object
  - For POC - Windows Server 2016 Standard or Data Center, English version (obligatory), installed on a physical or virtual server
• SQL Express 2017
  - For Virtual Lab – This will be included, or you can install it on a separate Windows Server 2016 object
  - For POC – You can obtain this from the Microsoft site and install it either on the FSM or on a separate Windows Server 2016 box, depending on the size of your testing
• Domain Controller
  - For Virtual Lab – This will be included on a separate Windows Server 2016 object (DC)
  - For POC – You can integrate the DC of the customer environment
• OCR Server
  - For Virtual Lab – This will be included, or you can download the DLP server software from the Forcepoint support site and install it on a separate server
  - For POC – You can use the one provided on the FSM, or you can download the DLP server software from the Forcepoint support site and install it on a separate server
• Web Content Gateway (WCG)
  - For Virtual Lab – You can obtain the software from the Forcepoint support site and install it on a CentOS Server object
  - For POC – You can obtain the software from the Forcepoint support site and install it on a separate CentOS server, either physical or virtual; you can also install it on a Forcepoint appliance
• Incident Risk Ranking Server (IRR)
  - For Virtual Lab – You can obtain the software from the Forcepoint support site and install it on a CentOS Server object
  - For POC – You can obtain the software from the Forcepoint support site and install it on a separate CentOS server, either physical or virtual

Important Tips/Notes

• ALWAYS DEPLOY or Save after making config changes. This is EXTREMELY important. There are a lot of referenced objects used in our DLP configuration.
• LAB IT UP!!! There are lots of configuration options. You will only get better with practice.
Setting up the Basics (for Forcepoint Virtual Lab only)

Identify your resources

1.- Identify your assigned user – usually this is the user that you use for connecting via RDP or Web.

Example 1: RDP console: watermelon.go4labs.net
Username: manuel.nolen
Password: uenMvbtk

Example 2: https://watermelon.go4labs.net/login?username=manuel.nolen&password=uenMvbtk

2.- Identify and create your hostname for public access (all the instances of Go4Labs have a public IP that can be used to integrate public services).

Take your user name and append “.lab.go4labs.net” to it, so in this case the result will be: manuel.nolen.lab.go4labs.net

NOTE: Keep this information within reach, since you will be using it in some of the following steps.

Note: Even though we have all of this lab pre-configured for you, it is always important to know how we prepared it. You will probably not need to perform the first few tasks, but you will become wiser.
Installing Forcepoint Security Manager

Hardware for a Forcepoint Data Manager

• The above requirements are for physical machines
• Virtual Forcepoint Data Managers may have a 10-40% drop in performance

Outlined below are some tips for a successful installation of the Management Server and its ongoing operation:

Windows Server Preparation - .NET Framework

NOTE: Sometimes Windows Server 2016 also needs .NET 3.5 to be added.

• Press NEXT twice and select the missing components
• Press INSTALL

Windows Server Preparation – Windows Updates

Windows Server Preparation – Synchronize Clocks

Windows Server Preparation – Remove Server Hardening for Installation (Optional)

Windows Server Preparation – To perform on all Solutions (Data, Email or Web)

Windows Server Preparation – All Endpoint Client Machines

Make sure to exclude the Forcepoint directory from your anti-virus scanning and real-time scanning.

Windows Server Preparation – Disable Firewall

• Go to Control Panel, then go to Windows Firewall
• Go to Turn Windows Firewall on or off
• Turn Windows Firewall OFF for private and public settings (this will be enabled later; please consider the ports needed by the FSM and any other component)

Windows Server Preparation – Disable Enhanced Security Configuration

Note: This step applies to all versions of Windows Server with IE; please verify it is correctly disabled before beginning the installation.
The following path can also be used: Server Manager > Local Server > IE Enhanced Security Configuration > turn it to Off.

Windows Server Preparation – Disable DEP and UAC

For DEP > Go to “System Properties” > select the “Advanced” tab > Performance > Settings

For UAC > Go to “Control Panel” > select “All Control Panel Items” > User Account Control. After this, don’t forget to reboot your server and continue after that.

Windows Server Preparation – Start Computer Browser Service

Windows Server Preparation – Host Name

Windows Server Preparation – Temporary File Location Folder

IMPORTANT – ALWAYS RESTART YOUR WINDOWS SERVER AFTER ALL THESE STEPS. THIS WILL ENSURE THAT ALL CHANGES ARE APPLIED BEFORE STARTING TO INSTALL YOUR FSM.

Downloading FSM Software

Go to “support.forcepoint.com” > Downloads > “Data & Insider Threat Security” > “Forcepoint DLP” > “v8.7” > Download “Forcepoint DLP”

Note: Use your partner or end-user credentials to sign in to the Forcepoint support page; if you don’t have one, contact your partner or Forcepoint.

Knowing FSM Software Installation

As in all systems, there are small details that you need to consider before continuing the installation. When installing FSM you need to consider the dependencies of the different components you are planning to include:

For FSM you will need to install a SQL Server. For demos or PoCs with a small number of users you can use SQL Express, but if you are planning a final and full installation you will need to install or connect to a SQL Server with a Standard or Data Center license. You can find these details at the following link:
http://www.websense.com/content/support/library/deployctr/v85/dic_sys_req.aspx

In this particular case, for the lab we are going to use SQL on another server.

NOTE: It is important to consider that during the installation of the FSM it will ask you to connect to the SQL database in order to create the specific structure used to store all the events that are needed for monitoring, tracking, reports and dashboards, so it is important to install the SQL software first.

In case of SQL installation on the same server

If you try to install the FSM without installing the SQL software first, you will see this message in the installation window:

So let’s go and install SQL Server first: go and download the software, and once you have it proceed to the installation.

NOTE: If for any reason you have executed the FSM installation file before installing the SQL Server software, close the installer and during the exit phase select the “Keep Installation Files” checkbox, then press the YES button. This way you will preserve all the previous steps you have made; otherwise continue.

You can install the SQL Express software on the same computer as the FSM for demo or PoC purposes. For final implementations it is recommended to have it on a separate server, or at least to be careful with the memory, processor and hard disk requirements in order to have both in the same place.
Installing the SQL Server Software

You will need to install 2 (two) files:

Open the installation program of the SQL Server software with administrator privileges and select the CUSTOM installation.

Press “INSTALL” and select “New SQL Server stand-alone installation”.

“ACCEPT” the License Terms and press “NEXT”.

Press “NEXT”, leaving the default info, until you get to “Database Engine Configuration”. Select “Mixed Mode” and add a password of your own for the sa account.

Continue until you finish the installation, and once it finishes install SQL Server Management Studio.

You will receive the following message, but wait:

Before restarting the Windows Server, verify the network configuration on the SQL Express server. Open SQL Server Configuration Manager, go to Network Configuration, and verify that Shared Memory, Named Pipes and TCP/IP are enabled. If not, enable them by double-clicking each one of them. Once enabled you need to restart the services, or you can go now and restart the Windows Server.

1.- Enable Named Pipes

2.- Enable TCP/IP

3.- Change to the IP Addresses tab and search for the IPAll section. Modify the following:
• TCP Dynamic Ports to blank
• TCP Port to port 1433

After this you need to restart the SQL Server service; after doing this, reboot the Windows Server for any pending changes.
Configuring the Forcepoint Security Manager Software

Once you finish, execute the FSM file with administrator privileges.

Press the Start button.

Select the “Accept” checkbox and press NEXT.

Once you reach the “Installation Type” screen, select the Custom option and press NEXT.

Press “Install” on the Forcepoint Management Infrastructure section. This should be the very first option to install; once it is installed you can continue with the other options, in this case Forcepoint DLP.

NOTE: You will install each one of the options separately as required.

Leave the default path.

When it asks for SQL Server info, fill it in with your recent SQL Server installation info. Verify your SQL Server IP address and use the correct one with port 1433.

NOTE: The PASSWORD is the one you assigned to the sa user during the SQL Server custom installation.

Use the IP address where you are installing the FSM or, in some cases, the corresponding PE. The password is the one for the Windows Server Administrator.

Create the FSM admin user password according to your password strategy and add a working email so you can receive notifications.

Leave “configure email settings” unselected; you can modify these later.

After this verify your final settings and press “NEXT” until the installation concludes.

After this step please restart your server in order to restart and finish any pending components.

Installing the DLP Component on FSM

Once you have installed the FSM, you need to add the required components of the product; in this case you will add the DLP Manager component.
This will install all the required infrastructure and predefined components so you can start to work on the product.

Use the credentials you have already used for the Windows Server Administrator and for the sa user in the SQL Express Server.

It is possible that you will see the following message; since this is a demo you can ignore it, but if you have the required space that is better.

Select “YES” and continue with the installation.

Once you have finished, it is time to start testing your FSM installation and add your license.

Launch Security Manager through any of the following methods:
• Double-click the shortcut on the Desktop
• Open a browser and go to https://192.168.122.20:9443/manager/
• Use the following credentials to gain access:
  Username: admin
  Password: Password set during install

Add your license and validate it. You will find the XML file on the FSM server desktop.

Verify it is installed correctly: go to Dashboard / Your Subscription is valid.

Verify the license is correct; otherwise update the license with the right one.

Verify your deployment configuration. You will see the main components to start working with policies and rules.

Add an AD server (Microsoft Domain Controller) if required.

Adding an AD server using GNS3, if you are using the Forcepoint virtual desktop; otherwise follow the configuration details from the local AD.

1. Navigate to GNS3.
2. Choose the Domain Controller 2016 Server object.
3. Drag and drop it to the main window.
4. Associate the Domain Controller Server with the switch, using the cable/link object.
5. Activate the Domain Controller Server (Start).
Configure User Directory Settings.

1. Navigate to Data > Settings > General > Directory Services. Select New.
2. Fill in the User Directory information.
3. Test the connection.

Building your endpoint

Downloading F1E Software (Forcepoint One Endpoint)

Go to “support.forcepoint.com” > Downloads > “Endpoint Security” > “Forcepoint One Endpoint” > “20” > Download “Forcepoint One Endpoint v20.02.4499 package builder”

Note: Use your partner or end-user credentials to sign in to the Forcepoint support page; if you don’t have one, contact your partner or Forcepoint.

After you download it, move all the files contained in the ZIP file to the following directory on the FSM server: C:\Program Files (x86)\Websense\Data Security\client. After you do this, execute the builder program; this is going to generate a final installation file that can be deployed on all the corresponding endpoints.

Select “Forcepoint DLP Endpoint”.

Select the operating system where you are going to deploy the DLP Endpoint; a file is going to be generated per OS. Also add the corresponding PASSWORD for modifying or deleting the installation.

Leave the default installation path unless you have a specific strategy for this.

Fill in the IP address field with the corresponding info of the PE (Policy Engine) that is going to update your policy on the endpoint. In this case we are using the FSM, since it contains our initial PE (Policy Engine). On final implementations, and if your corporate policy allows it, you can enable the automatic software updates checkbox.

Select user interface mode:

Interactive
• The endpoint software user interface is displayed on all endpoint machines.
• Users can see a list of files that have been contained.
• Users have the option to open files to review their content, or save them to an authorized location.

Stealth
• The endpoint software user interface is not displayed to the user and the software runs in the background. Because users don’t see block notifications or continuation dialogs, it is best reserved for discovery tasks and audit-only policies.
• Users do not know when files are contained.

Select where to install the installation package.

Press FINISH.

Once you have the installation file, move it or deploy it to all the involved Windows/Mac/Linux clients you are planning to protect with the endpoint, using the following steps.

Open a network file sharing connection to the FSM server by selecting Run - \\192.168.122.20\c$

Enter your network credentials for authorization of the file sharing.

Find the DLP endpoint installation file you just created, copy it to the corresponding client or clients and execute it in order to install the DLP endpoint client; otherwise you will need a software distribution tool for this purpose.

Installing the endpoint in the clients

After you move the installer to the corresponding clients, locate it on your hard disk; in this case we are installing on a Windows 10 laptop.

Execute the file.

Accept the Agreement.

Select the corresponding installation PATH or leave the DEFAULT.

Press INSTALL.

After it finishes, go and restart the client computer.

After it reboots you should see the presence of the agent in your taskbar.

Right-click the endpoint agent and select “Open Forcepoint DLP Endpoint”.

You should see something like this, and you will need to identify two main details:
1. You should see in the Connection section that the connection status is “Connected”. If it shows something different, please go and troubleshoot the communication between the client and the FSM; it is possible that some firewall, AV or intermediate device is blocking the communication.
2. You should see in the Endpoint Settings when the latest update of the rules was performed, and the Status should be “Enabled”.

Once you have these 2 ready, update the policy by selecting the Update button in the DLP Endpoint. After you verify the upload of the new policy, you can CONTINUE with the policies testing.

DLP Basic Use Cases

STANDARD and Compliance Predefined Use Cases

Take your time to browse how many classifiers and other resources you can find and use in policies.

DLP Policies – Predefined Policies

• Select Policy Management – DLP Policies – Manage Policies
• Select Add – Predefined Policies
• Press Next

Use Case #1 - Basic PII Policies

• On the Region section, select CALA / Mexico and press NEXT
• On the Industries section, select Finance and Banking and Software
• Press NEXT, then press FINISH
• You should see all the predefined policies selected associated to Mexico / Banking & Software
• Select your choice of PII and you should see on the right all the corresponding predefined classifiers
• Repeat the same steps for “Credit Cards” and “Regulations, Compliance and Standards”
• Press the “Use Policies” button and then select the “Deploy” button
• You will see the policies in the process of being applied to all the components of the DLP configuration
• When it finishes, press “Close”
• Go again to Policy Management / DLP Policies / Manage Policies
• You will now see the selected policies on the screen
• Select Mexico PII: RFC (Default)
• Then select the Rule link
• Go to the Severity & Action tab and modify the Action Plan for “at least 3”
• Go to Destinations and verify that Endpoint printing is enabled
• Press OK and Deploy

Testing your first Rule

Once you have verified that your endpoint is running and connected, we can test it with the first DLP policy you have already created.

You will need to create 2 (two) text documents using either Wordpad or Notepad.

1.- The first document should have some text to validate; in this case just add one line containing the following text:
• CIDJ681025JF8

2.- The second document should have similar text, but in this case it should contain 3 lines with different text in the same format:
• CIDJ681025JF8
• DIGA270109RH7
• CIJC250211NM8

3.- Save your documents with different names.

4.- Let’s verify our first rule:
• If it finds only one match it will Audit Only
• If it finds at least 3 matches, it will Block the action

5.- Try to print each one of the files to PDF format.

6.- When you try to print the file with only ONE line, the print process SUCCEEDS and you are able to create the PDF file.

7.- When you try to print the file with THREE lines, the print process is BLOCKED; you can see the alert message that shows that the operation has been blocked, and the file was not created.
Verifying your activity on the FSM (Forcepoint Security Manager)

Go to Reporting -> Data Loss Prevention -> Incidents

You will see the following information:
• The channel where the incident occurs
• The severity
• The action taken – in this case Blocked, as defined in the rules
• The rule that matches the incident, including the text that fires the rule
• And the name of the file you tried to print, which you can view or download

You will also see some changes in the Dashboard view.

Use Case #2 – The USB Dilemma

• If you are working with the Forcepoint virtual environment, follow these instructions to add a virtual USB to the Win10 client; otherwise you can test with a real USB
• Go to File on your Win10 console and select USB device
• Select the USB device and press Close
• You will see a new USB Drive (D:) in your file manager
• Try to SAVE or COPY the file with one line and also the one with three lines; you should obtain this result on the last one.
Verifying your activity on the FSM (Forcepoint Security Manager)

Go to Reporting -> Data Loss Prevention -> Incidents

Use Case #3 – The USB Dilemma – Encrypting the file

• Go to the FP One Endpoint application and set the encryption password
• On the Win10 client create a new file with 5 instances of the RFC:
  CIDJ681025JF8
  DIGA270109RH7
  CIJC250211NM8
  CIDP040852YT6
  DIGP681025JF8
• Go to -> Policy Management -> Resources -> Action Plans
• Create a new Action Plan
• Fill in the name and modify the actions in the Endpoint Channels section; when you finish press OK
• Go to Policy Management -> DLP Policies -> Manage Policies and search for the Mexican PII policy you created
• Open the current action plan properties, enable the last match option, change the value of matches to at least 5, with severity High, and select the action plan you just created
• Press OK and Deploy
• Go to your Windows 10 client and verify that the new rule has been updated, using the Forcepoint One Endpoint application “update” button
• Choose the new file with the 5 instances of the RFC and try to save it to the USB drive; you should get a message like this one.
• Verify that the file has been encrypted and that the decrypting tools are available.

Verifying your activity on the FSM (Forcepoint Security Manager)

Go to Reporting -> Data Loss Prevention -> Incidents

You will see that under the Action column, the action was enforced with encryption on the USB channel.

Use Case #4 - Trying to share in the network

Go to your Win10 client and try to establish a connection to the FSM server by establishing a network file sharing.
Open a network file sharing connection to the FSM server by selecting Run - \\192.168.122.20\c$

Enter your network credentials for authorization of the file sharing.

Validate that you have 2 (two) file windows.

Go to your recent policy on Policy Management -> DLP Policies -> Manage Policies, select the “Mexico PII” rule you have been using and open it for EDIT.

Go to the Destination tab and enable the “Endpoint LAN” option.

Press OK and Deploy. After this, go back to the Win10 client and update the policy in the DLP Endpoint.

After updating the policy, try to move the files you created from the Win10 client to the FSM server and see the RESULTS. You should see something like this.

Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents

You will see that under the Channel column, the action was detected on the LAN channel.

Use Case #5 – Stopping Editing on the Applications

PrintScreen Scenario

• Go to Policy Management -> Resources -> Endpoint Applications
• Select Wordpad and modify the Screen Capture parameter to “Block & Audit”
• Press OK and Deploy
• Verify that the F1E is updated on the Win10 client
• Open Wordpad on the Win10 client and try to “Print the Screen” using the SendKey option at the top of the console window

Verifying your activity on the FSM (Forcepoint Security Manager)

Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents

This event was triggered while trying to do a PrintScreen on the Wordpad application.
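As an added illustration, not part of the Forcepoint guide, of how the single “Mexico PII: RFC” rule behaves across Use Cases #1 to #4 (Audit Only at 1 match, Block at 3, the High-severity encrypt action plan at 5, and the fact that a destination such as Endpoint LAN must be enabled on the rule before that channel is inspected), the following Python models a simplified classifier and runs the lab’s test documents through it. The RFC pattern, the distinct-value counting, the channel names and the severity labels below High are assumptions of this example, not the product’s implementation.

```python
import re
from dataclasses import dataclass

# Simplified RFC shape (assumption, not the product's classifier): 3 or 4 letters,
# six date digits (YYMMDD) and a 3-character homoclave, e.g. CIDJ681025JF8.
# No date or check-digit validation, so it matches exactly what the lab files contain.
RFC_PATTERN = re.compile(r"\b[A-ZÑ]{3,4}\d{6}[A-Z0-9]{3}\b")

# Severity & Action conditions of the rule as configured in the lab, most demanding
# first. Severity labels other than High are assumptions of this example.
ACTION_PLAN = [
    (5, "High", "Encrypt"),     # Use Case #3: custom action plan (encrypt on the USB channel)
    (3, "Medium", "Block"),     # Use Cases #1/#2/#4: "at least 3" -> block print, USB, LAN
    (1, "Low", "Audit Only"),   # a single hit is audited but allowed
]

# Destinations enabled on the rule (channel names are illustrative): printing was
# verified in Use Case #1, USB is Use Cases #2/#3, Endpoint LAN was enabled in Use Case #4.
ENABLED_DESTINATIONS = {"Endpoint Printing", "Endpoint Removable Media", "Endpoint LAN"}


@dataclass
class Incident:
    channel: str        # destination the file was sent to
    matches: list       # distinct RFC values that fired the rule
    severity: str
    action: str


def rfc_matches(text):
    """Distinct RFC-shaped tokens in text, in order of first appearance."""
    seen = []
    for token in RFC_PATTERN.findall(text.upper()):
        if token not in seen:
            seen.append(token)
    return seen


def evaluate(text, channel="Endpoint Printing", enabled=ENABLED_DESTINATIONS):
    """Apply the action plan: the highest threshold reached decides severity and action.
    A channel not listed as a destination of the rule is not inspected at all."""
    matches = rfc_matches(text)
    if channel not in enabled:
        return Incident(channel, matches, "None", "Allow")
    for threshold, severity, action in ACTION_PLAN:
        if len(matches) >= threshold:
            return Incident(channel, matches, severity, action)
    return Incident(channel, matches, "None", "Allow")


# Constructed test documents mirroring the lab's one-, three- and five-line files.
ONE_RFC = "Contribuyente: CIDJ681025JF8\n"
THREE_RFC = "CIDJ681025JF8\nDIGA270109RH7\nCIJC250211NM8\n"
FIVE_RFC = THREE_RFC + "CIDP040852YT6\nDIGP681025JF8\n"

if __name__ == "__main__":
    for name, doc, channel in [("one line", ONE_RFC, "Endpoint Printing"),
                               ("three lines", THREE_RFC, "Endpoint Printing"),
                               ("five lines", FIVE_RFC, "Endpoint Removable Media"),
                               ("three lines, LAN", THREE_RFC, "Endpoint LAN")]:
        inc = evaluate(doc, channel)
        print(f"{name}: {len(inc.matches)} match(es) on {inc.channel} "
              f"-> severity {inc.severity}, action {inc.action}")
```

Passing a destination set without "Endpoint LAN" to evaluate() reproduces the state before Use Case #4, where the LAN copy was not reported.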
Cut/Paste Scenario
• Go to Policy Management -> Resources -> Endpoint Application Groups
• Select Office Applications
• Add the Paste option -> Save and DEPLOY
(Remember that the endpoint analyzes clipboard content only on paste, even when the rule is defined on copy; see Appendix 2.)

Use Case #6 - PCI (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
Go to Policy Management -> DLP Policies -> Manage Policies -> Credit Cards section -> Credit Cards rule
Go to the Severity & Action tab -> enable and add a "2 matches" line with severity High and the Action Plan "Block All".
Press OK and then press NO when asked to DEPLOY; we will modify another rule before that.
Go to Policy Management -> DLP Policies -> Manage Policies -> PCI -> PCI: Credit-Card Numbers (default) and edit the rule.
Go to the Severity & Action tab -> enable and add a "2 matches" line with severity High and the Action Plan "Block All".
Press OK and then DEPLOY.
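What a credit-card classifier actually counts as a "match" is worth seeing once before you test the rule above and the brand-specific rules of Use Case #7. The following is an added example written for this guide, not Forcepoint's classifier code: it finds candidate 13-19 digit runs, keeps only those that have a known brand shape (prefix and length, taken from the public issuer ranges and assumed here, not from the product) and pass the Luhn checksum, then applies the "at least 2 matches -> Block All" line configured in Use Case #6. The sample document is constructed from the three test cards used later in Use Case #7 plus one made-up number whose last digit is wrong.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample document: the three test cards from Use Case #7 of this
# guide plus one made-up value whose last digit is wrong (fails the checksum).
SAMPLE_DOC = """
type: Visa number: 4532 7931 8374 6550 cvv: 457
type: American Express number: 3445 202966 40628 cvv: 570
type: Mastercard number: 5554 4269 4901 1171 cvv: 805
order reference: 4111-1111-1111-1112
"""

# A candidate is a run of 13 to 19 digits, optionally separated by single spaces
# or hyphens, not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Brand from public issuer prefixes and lengths (assumed here, not the
    product's own definitions): Visa 4 (13/16/19 digits), Amex 34/37 (15),
    Mastercard 51-55 or 2221-2720 (16)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "VISA"
    if digits[:2] in ("34", "37") and n == 15:
        return "American Express"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    return None


def find_cards(text: str) -> List[Tuple[str, str]]:
    """Return (brand, digits) for every candidate that has a known brand shape
    and passes Luhn; everything else is noise, not a match."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = brand_of(digits)
        if brand and luhn_ok(digits):
            found.append((brand, digits))
    return found


def evaluate_rule(text: str, threshold: int = 2, action: str = "Block All") -> str:
    """The 'at least N matches -> action plan' line from Use Case #6."""
    return action if len(find_cards(text)) >= threshold else "Permit"
```

Run against SAMPLE_DOC, find_cards returns the three brand-tagged cards and drops the fourth number even though it looks like a Visa, so evaluate_rule returns "Block All"; a document with a single valid card stays "Permit" under a 2-match threshold. The same two filters (shape plus checksum) are why the brand-specific rules in Use Case #7 give you a more useful incident than the generic Credit Cards rule: the incident tells you which scheme's data left, and order numbers or phone numbers that happen to be 16 digits long do not count.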
• Go to the Win10 client and simply copy/paste the info below into an Excel-type file and save it:
CCN
3925-2700-8985-2094
6119-6661-5526-2515
5361-0153-4188-4880
6715-5329-8954-5376
6716-2240-5692-6858
5007-2341-7254-6563
4492-0099-9803-7376
4860-8276-1506-5601
4771-6409-4004-2171
5669-7981-3497-5937
5515-6831-9905-4594
5181-3708-9291-6195
4795-6905-3089-7981
6864-4368-8809-1178
4274-0112-2856-3027
3702-8566-1747-4507
4583-8876-6214-4655
6114-2882-6850-5055
4350-1144-7091-5585
3911-6797-8376-2357
6468-6780-1264-4519
4354-9482-2743-1594
5752-0034-6540-3536
These are test numbers; never use real cardholder data for a POC, since the matched content is retained in the incident database as forensics.
NEXT ACTION – TRY TO PRINT IT OR MOVE IT TO A DIFFERENT DIRECTORY AND SEE HOW IT BEHAVES.
You should see a blocking message like this:
Verifying your activity on the FSM (Forcepoint Security Manager)
Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
You will be able to see all the affected policies that are enabled and the associated file retained for forensic research.

Use Case #7 – Credit Cards: be more specific
Go to Policy Management -> DLP Policies -> Manage Policies -> Credit Cards section -> and enable the following rules:
• American Express
• Mastercard
• VISA
• Don't DEPLOY until you finish enabling all the mentioned rules.
• Once you have finished, press OK and Deploy.
• Go to your Win10 client and update the policy by pressing the UPDATE button.
• Create a file with the following info:
type: Visa
number: 4532 7931 8374 6550
cvv: 457
exp: 12/18
name: Luke Skywalker
Address: Calle 37 b sur 27-29 envigado

type: American Express
number: 3445 202966 40628
cvv: 570
exp: 08/19
name: Han Solo
Address: Calle 43 # 5-13 El Poblado Medellin

type: Mastercard
number: 5554 4269 4901 1171
cvv: 805
exp: 10/18
name: Darth Vader
Address: Av Industriales 45-37 Torre Sur piso 10
• Then test again; you will see an error again.
• Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered.
• Now you are able to see more specific rules for the specific card brand formats.
• Verify your Dashboard.

Use Case #7.1 – WhatsApp Web
Please follow these steps to set up WhatsApp Web control: go to General -> Endpoint -> Detection and add the following domains, with or without wildcards: *.web.whatsapp.com and *.whatsapp.com
Go to the Win10 client, open your browser and WhatsApp Web, and try to share some of the docs created previously with a contact; you will face the following action control.
Review the incident in the FSM.

DLP Not-that-Basic Use Cases
Custom Use Cases

Content Classifiers:
• "Building blocks" to use in policy creation
• Classifiers identify the data to protect
• Used to create the condition for a rule
Types of Classifiers:
Typical usage of Classifiers:
• Internal Physical Assets: Unique identifiers assigned to equipment, personnel, inventory (requires custom regex or fingerprint).
• Internal Technical Assets: Unique processes, procedures, systems (requires file or database fingerprint).
• Internal Contingency Plans: Unique plans that may impact the liability of the business (requires custom classifier or fingerprint).
• Internal Customer Data: Such as name, address, account information, usage metrics (requires custom regex or fingerprint).
• Business and Technical Drawing Files: Detecting true file types such as DWG, DXF, PTC, STL and more (no OCR needed).
• Summary: Most manufacturing data classifiers will be custom and will require some tuning (custom policies + thresholding).

Use Case #8 – Patterns and Phrases
For patterns you will usually need a custom regex (regular expression); a phrase can be any kind of fixed text.
Key Phrases
• Define a specific word or phrase that may indicate classified information:
  • Product code names
  • Confidential projects
  • Any confidential or reserved term
• Not case sensitive
• Exact match includes slashes, tabs, hyphens, underscores and carriage returns
Best Practices Using Key Phrases
• Avoid common words that lead to false positives.
• Use conditional logic to look for specific combinations and/or thresholds.
• Consider creating key phrases for unique words not typically found in a dictionary.
• Combine classifiers with predefined patterns, scripts, dictionaries and fingerprints whenever possible for greater accuracy.
Go to Policy Management -> Content Classifiers -> Patterns & Phrases
Go to NEW -> Key Phrase
Fill in the fields with the proper information; for "phrase to search" enter the phrase you want to find inside the content (this lab uses "LimeStone").
Press OK. You will see a message similar to this one, indicating that you need to associate the new classifier with a rule; you can add it now or wait. For the moment press CANCEL.
You can verify that your new classifier has been added.
Go to Policy Management -> DLP Policies -> Manage Policies -> Add -> Custom Policy
• Fill in the information in the corresponding FIELDS.
Step 1 – General tab: fill in the fields and press NEXT.
Step 2 – Condition tab: add the classifier by pressing the Add button, search for the name of the classifier you just created and press OK; you will see it in the list of classifiers. Press NEXT.
Step 3 – Severity & Action tab: add a new match line for at least 2 matches and assign an ACTION PLAN, then press NEXT.
Next Steps – Leave the default values for the rest and press NEXT until you get to FINISH. You will be able to see the new policy/rule; go ahead and DEPLOY.
• Go to your Win10 client and update the policy by pressing the UPDATE button.
• Create a file with the following text (just copy/paste it); it contains your key phrase embedded:
Star Wars is an American epic space-opera media franchise created by George Lucas, which began with the eponymous 1977 film and quickly became a worldwide pop-culture phenomenon. The franchise has been expanded into various films and other media, including television series, video games, novels, comic books, theme park attractions, and themed areas, comprising an all-encompassing fictional universe. The franchise holds a Guinness World LimeStone Records title for the "Most successful film merchandising franchise". In 2020, the total value of the Star Wars franchise was estimated at US$70 billion, and it is currently the fifth-highest-grossing media franchise of all time.
• Try to Print/Move/Save the file in order to trigger your new rule.
Since this time the action plan is just to audit, let's verify the incidents:
Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
Verify the rules that are triggered.
• Verify your Dashboard.

Dictionaries
• Dictionaries are containers for words and expressions.
• Forcepoint provides over 100 predefined dictionaries.
  • Examples: medical conditions, legal terms, credit card terms, celebrities, etc.
  • They are proprietary and encrypted.
• You can create custom dictionaries.
• Rules can combine dictionaries with other classifiers.
• Thresholds set the number of matches required to trigger a rule.

Patterns (also called Regular Expressions)
• Over 100 predefined patterns; some are used by the Policy Template Wizard.
• Create your own classifiers using regular expressions.
• Go to Policy Management -> Content Classifiers -> Patterns & Phrases
• Select New -> Regular Expression
• Fill in the name and description fields.
• In the Value field use the following regular expression:
login([123]|_internal)?\.php
This regular expression matches any of the following:
1. login.php
2. login1.php
3. login2.php
4. login3.php
5. login_internal.php
The optional group accepts only a single digit 1, 2 or 3 or the literal suffix _internal, and the dot is escaped so it matches a literal "."; login4.php or loginX.php will not match. Because the expression is not anchored, it also matches inside longer strings such as mylogin.php or login.php.bak, which is usually what you want for a pattern classifier but worth remembering when tuning false positives.
• Press OK, then CANCEL.
• Go to Policy Management -> DLP Policies -> Manage Policies
• Add a new rule to the LimeStone policy you created in the last use case.
• Under the General tab fill in the name of the new rule, press NEXT.
• Under the Condition tab select your newly created regular expression.
• Under the Severity & Action tab add a new match line for at least 3 matches with an Audit action plan; press NEXT until the end, then FINISH and DEPLOY.
Go to the Win10 client -> Update the policy.
Create a file with the information mentioned before (the five login file names), test the file and let's see the results.
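The three classifiers exercised so far (the Mexican RFC pattern with its "at least 5" line in Use Case #3, the LimeStone key phrase and the login regex above) all reduce to the same mechanics: count hits of one classifier in the content, then pick the highest severity line whose threshold is met. The following is an added example written for this guide, not Forcepoint's policy engine: the RFC expression is written here (4 letters, a YYMMDD date, 3-character homoclave; the product ships its own), the key phrase is modelled on the page's description (literal text, not case sensitive), and the three test documents are constructed to look like the files the lab has you create. Note how the case-insensitive phrase also counts the common word "limestone", which is the false-positive problem the best-practice list above warns about.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed test documents, shaped like the files this guide has you create.
RFC_DOC = "CIDJ681025JF8\nDIGA270109RH7\nCIJC250211NM8\nCIDP040852YT6\nDIGP681025JF8\n"
LOGIN_DOC = "login.php login1.php login2.php login3.php login_internal.php\n"
PHRASE_DOC = ("The franchise holds a Guinness World LimeStone Records title. "
              "Also mentions limestone/quarry.\n")


@dataclass
class Classifier:
    name: str
    pattern: "re.Pattern"


def regex_classifier(name: str, expr: str) -> Classifier:
    """Pattern classifier: the expression is searched unanchored, as in the Value field."""
    return Classifier(name, re.compile(expr))


def key_phrase(name: str, phrase: str) -> Classifier:
    """Key phrase: literal text, case-insensitive; punctuation inside it is matched exactly."""
    return Classifier(name, re.compile(re.escape(phrase), re.IGNORECASE))


# Classifier shapes assumed for this illustration. The RFC one is written here
# (4 letters, YYMMDD date, 3-character homoclave); the product ships its own.
CLASSIFIERS = {
    "Mexican RFC": regex_classifier("Mexican RFC", r"\b[A-ZÑ&]{4}\d{6}[A-Z0-9]{3}\b"),
    "login pages": regex_classifier("login pages", r"login([123]|_internal)?\.php"),
    "LimeStone": key_phrase("LimeStone", "LimeStone"),
}


def count_matches(text: str, clf: Classifier) -> int:
    """Number of hits of one classifier in the content (finditer, so a regex
    group does not change the count the way findall would)."""
    return sum(1 for _ in clf.pattern.finditer(text))


def severity_for(matches: int, lines: List[Tuple[int, str, str]]) -> str:
    """lines = [(min_matches, severity, action)]: the highest threshold that is
    met wins, mirroring the Severity & Action tab. Below every line: no incident."""
    result = "no incident"
    for min_matches, severity, action in sorted(lines):
        if matches >= min_matches:
            result = f"{severity}/{action}"
    return result


def evaluate(text: str, clf_name: str, lines: List[Tuple[int, str, str]]) -> str:
    """Evaluate one rule (classifier + severity lines) against content."""
    return severity_for(count_matches(text, CLASSIFIERS[clf_name]), lines)
```

With the Use Case #3 lines [(1, "Low", "Audit"), (5, "High", "Encrypt")], the five-RFC file evaluates to High/Encrypt while a file with a single RFC only reaches Low/Audit; the login file hits all five names, so it clears the "at least 3" line configured above.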
Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
Verify the rules that are triggered.

Predefined Scripts
• Python scripts allow unlimited analysis
• Weighted scoring
• Complex conditional statements
• Context sensitive
• External dictionaries
• Tunable
• Developed exclusively by Forcepoint
• More accurate than regular expressions
• Analyze content and context using statistical analysis or decision trees
• Three sensitivity levels: default, wide (less accurate) and narrow (more focused and accurate)

Use Case #9 – Fingerprinting
Fingerprinting of structured and unstructured data allows data owners to define data types and identify full and partial matches across business documents, design plans and databases, and then apply the right control or policy that matches the data.
• File Fingerprinting (unstructured): files or directories, including Microsoft SharePoint and IBM Domino directories.
• Database Fingerprinting (structured): database records directly from your database table, Salesforce table or CSV file.
Database Fingerprinting (DB Fingerprinting) Scenario
Go to the FSM server -> find SQL Server Management Studio -> connect to the SQL Server instance using your previous SQL sa credentials.
Add a new database, or create a new database and fill it with useful information that can be used to match any possible data loss on the configured channels; in this example we are restoring a backup of a DB.
Select Databases -> Restore Database -> Device -> Add -> search for the corresponding database backup (Northwind.bak), usually located in the Backup subdirectory -> select the database -> press OK.
Press the OK button; you should now see your DB loaded in SQL Server Management Studio.
The NEXT STEP is to establish a trusted association between the FSM and the DB we have just added.
Configure your ODBC connector on your crawler
Go to your FSM and locate the 32-bit ODBC Data Source Administrator at the following path:
• C:\Windows\SysWOW64\odbcad32.exe
Start it, open the "User DSN" tab and select ADD.
Select SQL Server from the list and press FINISH.
Fill in the empty fields and choose the machine where SQL Server is installed, in this case the local FSM server, then press NEXT.
You will need to authenticate to SQL Server; you can use either a SQL login for the DB or Windows (workstation) authentication, whichever suits you better. For anything beyond a throwaway lab, give the crawler its own login with read-only rights (db_datareader) on just the database being fingerprinted rather than reusing sa.
If the authentication was correct, you will be able to see the list of databases already present on the SQL Server; select the database you are going to connect to and press NEXT.
You will see a window like this; select "Test Data Source" to verify the configuration.
If you receive the following message, then you are CONNECTED and VERIFIED!
Press OK twice and continue with the configuration.
Go to FSM -> Policy Management -> Content Classifiers -> Database Fingerprinting
Select NEW -> Database Table Fingerprinting
• Fill in the name of the new DB fingerprint classifier.
• Fill in the information to authenticate to the SQL Server via the ODBC connector.
• Select the table and the fields you are going to use for matching.
Go ahead, press NEXT and then FINISH; when you reach the creation message press CANCEL and wait until the crawler finishes fingerprinting the DB.
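While the crawler runs, it helps to understand what "fingerprinting" a table produces and why the classifier can later match a document that quotes only part of a row. The following is an added illustration written for this guide, not Forcepoint's PreciseID implementation (which is proprietary): each selected cell is normalized and stored as a salted hash, one hash set per record; scanned content is cut into 1- to 3-word windows and hashed the same way, and a record counts as matched when enough of its cells are found. The sample rows are constructed from the Northwind Employees table that this use case restores, restricted to the LastName and FirstName columns; the salt value is a lab placeholder.

```python
import hashlib
import re
from typing import List, Set, Tuple

# Constructed sample: five rows from the Northwind Employees table, restricted
# to the (LastName, FirstName) columns selected for matching in this use case.
EMPLOYEES: List[Tuple[str, ...]] = [
    ("Davolio", "Nancy"), ("Fuller", "Andrew"), ("Leverling", "Janet"),
    ("Peacock", "Margaret"), ("Buchanan", "Steven"),
]

# Placeholder salt for the stored hashes. A real deployment keeps this secret
# on the fingerprint server; it only has to be the same at crawl and scan time.
SALT = b"lab-salt"


def normalize(value: str) -> str:
    """Fold case and whitespace so 'NANCY ' and 'nancy' fingerprint identically."""
    return re.sub(r"\s+", " ", value.strip().lower())


def fingerprint(value: str) -> str:
    """Store a salted hash of each cell, never the cleartext, so the crawler's
    output is not itself another copy of the protected table."""
    return hashlib.sha256(SALT + normalize(value).encode("utf-8")).hexdigest()


def build_fingerprints(rows: List[Tuple[str, ...]]) -> List[Set[str]]:
    """One set of cell hashes per record: the record, not the cell, is the unit
    of detection, which is what lets a rule require e.g. surname AND first name."""
    return [{fingerprint(cell) for cell in row} for row in rows]


def content_hashes(text: str, max_words: int = 3) -> Set[str]:
    """Hash every 1- to 3-word window of the scanned content so that multi-word
    cells (a city like 'El Poblado') can be matched as well as single words."""
    words = re.findall(r"[A-Za-z0-9][A-Za-z0-9'-]*", text)
    out: Set[str] = set()
    for n in range(1, max_words + 1):
        for i in range(len(words) - n + 1):
            out.add(fingerprint(" ".join(words[i:i + n])))
    return out


def match_records(text: str, records: List[Set[str]], cells_per_record: int = 2) -> int:
    """Count records of which at least `cells_per_record` cells appear in the content."""
    seen = content_hashes(text)
    return sum(1 for rec in records if len(rec & seen) >= cells_per_record)


def evaluate(text: str, records: List[Set[str]], min_records: int = 1,
             action: str = "Audit") -> str:
    """The rule line 'at least N matching records -> action plan' on top."""
    return action if match_records(text, records) >= min_records else "Permit"
```

The name list you paste on the client in the next step matches all five constructed records, while a sentence that mentions only first names matches none: requiring two cells per record is what keeps a common first name from producing an incident on its own. Normalization also means the match survives case changes and extra spacing, but not misspellings; fingerprinting is exact-value detection, and the pattern and phrase classifiers above remain the tool for fuzzy data.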
• Go to Policy Management -> DLP Policies -> Manage Policies
• Add a Custom Policy using the new classifier.
• Configure it and DEPLOY.
• Go to your Win10 client and update the policy using the DLP Endpoint client's Update button.
• Copy/paste the following data (employee names from the Northwind Employees table) and create a document or spreadsheet file with it:
Davolio Nancy
Fuller Andrew
Leverling Janet
Peacock Margaret
Buchanan Steven
Suyama Michael
King Robert
Callahan Laura
Dodsworth Anne
• Try to print it or move it.
• Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered.

Risk Analytics and DLP
IRR (Incident Risk Ranking) Server

Use Case #10 – Installing the IRR Server
An analytics engine is used to calculate incident risk, rank it against similar activity and assign it a risk score. The analytics engine runs on a CentOS server.
This is how your FSM main dashboard looks before the analytics engine is integrated.
If you are working with the Forcepoint Virtual Desktop, you should have a CentOS server added in your GNS3 environment.
◗ Open the console window of the CentOS server.
◗ Log in with user: root / password: Forcepoint 1 (a lab default; change it on anything that outlives the lab).
◗ Run the command "nmtui" in order to edit/configure the server IP.
◗ Edit the interface, go to IPv4 Configuration and change "Automatic" to "Manual", then select "Show"; that enables the configuration window.
Select the "Add" button and configure fixed addresses for the server; in this case I am going to use:
• Addresses: 192.168.122.19
• Netmask: 255.255.255.0
• Gateway: 192.168.122.1
• DNS Server: 8.8.8.8
After finishing, move to OK using either TAB or the Down Arrow key.
Press "Back" and then "Quit", after that execute the following commands:
• ifdown eth0
• ifup eth0
• Verify the IP using the "ip a show eth0" command.
◗ Download the Analytics software from support.forcepoint.com with your credentials, using the Chrome browser on your landing machine.
◗ Download WinSCP on your landing machine and install it.
◗ Transfer your "AnalyticsEngine86" file from your landing machine to the /tmp directory of your new CentOS server.
◗ Return to the CentOS console.
◗ Once you are on the CentOS server, change to the /tmp directory (cd /tmp).
◗ You should already have the AnalyticsEngine86 file there.
◗ Perform the following instructions (answer Yes or y when asked):
yum -y install epel-release
yum -y install open-vm-tools
yum -y install apr apr-util perl-Switch unixODBC freetds
yum -y install ntpdate
ntpdate time.nist.gov
chmod +x AnalyticsEngine86
./AnalyticsEngine86
• When prompted, enter the IP address of the Forcepoint management server.
• Enter a username for a Forcepoint DLP administrator account with System Modules permissions.
• Enter the account password.
• The analytics engine verifies that it can connect to the management server.
◗ Go back to the FSM.
◗ See the DLP dashboard with the new Risk section added.
◗ Go to Settings / General / Deployment
◗ You should see the new IRR server added.
Since by default the IRR view only includes events with a risk score higher than 4, we need to modify the configuration so it also shows the low and medium events we have been generating.
◗ Go to Settings / General / Reporting
◗ Go to the Incident Risk Ranking tab
◗ Modify Incident Risk Ranking to 0-10 (All)
◗ Press OK
◗ Since the Risk section updates once every 24 hours, during the night, you need to force the update.
◗ Go to the CentOS server where the Analytics Engine is installed and change to the following directory: /opt/websense/AnalyticsEngine/scripts
◗ Execute ./ae_run
◗ Go back to the FSM and you should see the Top Cases updated.

Extend DLP reach to the Web Channel
DLP WCG (Web Content Gateway) Server
**** Network license needed or full WCG required
There are two Web Content Gateway module options available for Forcepoint DLP.
◗ The one included with Forcepoint DLP Network provides DLP over the web channel, including encrypted SSL content. This core Forcepoint DLP component permits the use of custom policies, fingerprinting and more.
◗ The one included in Forcepoint Web Security provides SSL decryption, URL categorization, content security, web policy enforcement and more. In this deployment mode the gateway is limited to the web DLP quick policies.
We are going to work with the one included with the DLP Network license; the DLP WCG engine runs on a CentOS server or a Forcepoint appliance.
The WCG requires the following:
◗ Interface C (control) – used to connect to the FSM in order to receive configurations.
◗ Interface P1 – the proxy interface; it will be used as the gateway/next hop for all the traffic that will be analyzed.
◗ 6 GB of RAM and 2 vCPUs
If you are working with the Forcepoint Virtual Desktop, you should have a CentOS server added in your GNS3 environment for this WCG server. It should not have its links to the switch enabled yet, because you first need to configure the interfaces on the virtual engine.
Open the configuration option, go to General Settings and increase the RAM and vCPU parameters.
Go to the Network tab and change the adapters value to "2", then APPLY and OK.
Enable the link button and you will see that you now have 2 interfaces on the server. Connect both of them to the switch and start the CentOS server; the server is then ready for configuration.
◗ Open the console window of the CentOS server.
◗ Log in with user: root / password: Forcepoint 1
◗ Run the command "nmtui" in order to edit/configure the server IP.
Edit the interface, go to IPv4 Configuration and change "Automatic" to "Manual", then select "Show"; that enables the configuration window.
Select the "Add" button and configure fixed addresses for the server; in this case I am going to use:
• Addresses: 192.168.122.2x
• Netmask: 255.255.255.0
• Gateway: 192.168.122.1
• DNS Server: 8.8.8.8
This will be the C interface. After finishing, move to OK using either TAB or the Down Arrow key.
Press "Back" and then "Quit", after that execute the following commands:
• ifdown eth0
• ifup eth0
• Verify the IP using the "ip a show eth0" command.
You will need to add a secondary interface in order to configure the P1 interface; add it and configure it with the following addresses:
• Addresses: 192.168.122.2x (a different address from the one used for the C interface)
• Netmask: 255.255.255.0
• Gateway: 192.168.122.1
• DNS Server: 8.8.8.8
• After configuring it, enable it and verify the IP using the "ip a show eth1" command.
Once you have configured your interfaces, you need to configure the hostname and the corresponding hosts file in order to have the correct interface associations.
The next step is to download the software from the Forcepoint support site; once you have it, upload it to the CentOS server. Copy it to the /tmp directory and unpack it there using gunzip followed by tar -xvf to expand the installation files; you can also use a single command to unpack the software:
tar -xvzf ContentGateway84xSetup_Lnx.tar.gz
Before installing the WCG you will need to disable NetworkManager and install some dependencies (libraries):
◗ chkconfig --levels 2345 NetworkManager off
◗ service NetworkManager stop
If you are connected to a yum repository you can install these packages with the following command:
◗ yum install -y apr apr-util bind-utils compat-db47 ftp gd iptables-services krb5-workstation libicu libpng12 libwbclient nc ncurses-devel net-tools perl perl-Switch perl-URI perl-autodie perl-libwww-perl readline-devel redhat-lsb-core tcl unzip
◗ After the process is complete execute ./wcg_install.sh
◗ Accept the agreement by pressing "q" and then "y".
Configure the admin password; it must follow a specific format (the installer enforces complexity rules).
Enter an email address for alerts.
You will have to select how you want to install this WCG; in this particular case select option 2, because we are only considering the WCG as a component of Forcepoint DLP, without web security.
Enter the Forcepoint Security Manager address that will control this WCG and leave the default port assignments by selecting "X".
This will be a single node, so leave the default selection for this.
Leave the configuration as Proxy Only mode.
Verify your configuration and, if it's correct, continue the installation by selecting "y".
If everything is OK you should see the following messages:
Go back to your FSM server, open a browser session and try to access the WCG management interface at:
◗ https://192.168.122.22:8081
Go to the Configure tab -> Subscription -> take the subscription key from the FSM, enter it in the WCG Subscription field and APPLY.
After doing this you will need to restart the engine: go to the Basic section of the Configure tab and press RESTART.
After the restart go to Configure tab -> Basic -> General -> Features -> set the Integration section to ON and verify that Web DLP is selected -> APPLY -> Restart.
After the restart go to Configure tab -> Security -> Web DLP -> fill in the empty fields with the FSM admin information in order to register with Forcepoint DLP -> press Register.
Verify the success message and restart.
Go to FSM -> Deployment -> System Modules, verify the presence of the WCG -> Deploy.
In order to be able to INSPECT HTTPS traffic we need the WCG to be trusted by our endpoints, so we need to generate a CA certificate that we will import into the required browsers. In this particular case we are going to consider mainly 2 types of browsers (Chrome and Firefox); each one is configured differently, so we will explain both methods.
Creating a certificate on the WCG
Connect via your browser to your WCG admin interface and authenticate:
◗ https://192.168.122.21:8081
Go to Configure tab -> Basic -> General -> and enable the HTTPS protocol in the Protocols division of the Features section. Then press APPLY and RESTART; this enables a new SSL section on the Configure tab.
Now go to SSL -> Internal Root CA -> Create Root CA -> select Country (MX) -> fill in at least the fields marked with an asterisk -> press the "Generate and Deploy" button.
If it succeeded you will see the following message; go ahead and RESTART the WCG.
After this you will need to back up the public certificate and private key so you can import the certificate into the corresponding browsers; after doing this, move the certificate file to your Win10 client. Only the public CA certificate goes to the clients; the private key stays on the WCG (and in a protected backup), because anyone holding it can impersonate any HTTPS site to every browser that trusts this CA.
NOTE: If you don't have the Chrome or Firefox browser on your Win10 client you will have to install it.
Loading the certificate in the Chrome browser
Go to File Explorer on your Win10 client and double-click the PCA cert you have just copied.
You will see the following window; for most browsers this will be sufficient, but some browsers need the certificate installed in a different way. For the moment press the Install Certificate button.
Select "Local Machine" and press NEXT.
Place the certificate in the "Trusted Root Certification Authorities" certificate store.
Press OK; you should get a success message. Now you can start testing the web channel with Chrome.
Go to your Chrome browser proxy settings (Chrome uses the Windows proxy settings) and enable Manual Proxy Setup, fill in the address with your WCG P1 IP address and port 8080 -> SAVE -> restart the browser.
Let's validate the Internet connection and that the traffic is going through the DLP WCG.
Loading the certificate in the Firefox browser
Open your Firefox browser -> go to Options.
Select "Privacy and Security" -> scroll down -> View Certificates -> Import.
Select your PCA cert file and OPEN it -> select TRUST for identifying both websites and email users -> press OK.
Now let's configure the proxy in the Firefox browser -> go to General -> Network Settings -> Manual Proxy Configuration and fill in the proxy fields for HTTP and HTTPS -> press OK -> restart the Firefox browser and TEST.

Use Case #11 – Protecting the Web Channel
Let's modify our rules to detect on the web channel.
Go to FSM -> Policy Management -> DLP Policies -> Manage Policies -> select your "Patterns & Phrases" rule -> modify the severity action plans.
Go to the Destination tab -> Endpoint Applications -> Edit -> Select All & move them to the Include section -> press OK -> DEPLOY.
Go to your Win10 client and UPDATE the policy.
Open your Chrome or Firefox browser and go to the "dlptest.com" site; try to HTTP/HTTPS POST the sample files that belong to the phrase rule you just modified.
• Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered. As you can see, the test was blocked by the endpoint, not by the WCG; let's do some extra configuration.
Go to your FSM -> Deployment -> System Modules -> Web Content Gateway and select the Forcepoint Web Content Gateway line by double-clicking it.
Go to the HTTP/HTTPS tab and in the Mode field change from Monitoring to Blocking -> press OK -> DEPLOY.
Go to your Win10 client -> DLP Endpoint -> Update -> now try typing the phrase several times into the text window and press SUBMIT.
You will see a different message; now the WCG is the one answering.
• Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered; as you can see, this time it was blocked by the WCG.

Finding Data in Images with DLP
DLP OCR server
**** You need to install a supplemental DLP server for this to work.
Included with DLP Network & Discovery: The OCR server enables the system to analyze image files being sent through network channels, such as email attachments and web posts. The server determines whether the images are textual and, if so, extracts and analyzes the text for sensitive content. There is no special policy attribute to configure for optical character recognition (OCR). If sensitive text is found, the image is blocked or permitted according to the active policies. The server can also be used to locate sensitive text in images during network discovery. This feature supports neither handwriting nor images containing text that is skewed more than 10 degrees.
Summary: Support for many image file types plus images embedded within Microsoft Office documents and PDFs.
In this particular case you will need to install a supplemental DLP server that contains the OCR server. It needs to be installed on a Windows Server tuned similarly to the Forcepoint Security Manager, installing only the DLP Server component; this automatically adds the OCR server to it.
Execute the FSM installer with administrator privileges on the new Windows Server.
Press the Start button.
Select the "Accept" checkbox and press NEXT; select the Custom option.
Installing the DLP component on a supplemental DLP server
In this case you will add the DLP Server component. This installs all the required infrastructure and predefined components, including the OCR server.
You will see the components to be installed -> press NEXT.
Select the IP address of the server where you are installing the DLP Server component.
Select the computer name and a user with sufficient rights on the server (Administrator) -> press NEXT.
It is possible that you will see the following message about free disk space; since this is a demo you can ignore it, but if you have the required space that is better.
You will need to register with the Forcepoint Security Manager -> use the IP of the FSM server and the credentials of the FSM admin -> press NEXT.
Confirm Installation -> press INSTALL -> if you see this message press YES.
Continue until you FINISH -> go to the FSM and validate the presence of the new DLP server in the Deployment -> System Modules section -> you will see the new server with the OCR server on it.

Use Case #12 – Identifying Text in an Image
Creating an image to test
In order to test the detection of text inside an image, we will use the rule created in Use Case #8 (Patterns and Phrases) with the word "LimeStone". Go ahead and use your Win10 client, open your favorite image editor and create an image containing several instances of the word "LimeStone". Something like this:
Note: I created this one using Paint and saved it as a JPEG image.
Go to FSM -> Settings -> Deployment -> select your WCG server -> Policy Engine -> Enable OCR -> select the recently installed OCR server on the supplemental DLP server.
Press OK -> DEPLOY.
Once you finish, connect to dlptest.com or to your email account (Gmail or Hotmail) and try to add your image as an attachment; you will see an "Upload Failed" message.
Go to FSM -> Reporting -> Data Loss Prevention -> Incidents (7 days)

Appendix 1 – DLP Policies
Policies are empty containers that hold rules and exception rules.
Policies and rules – Configuration window
Rules
Rules define the protection logic.
• Components
  o Condition
    ▪ Classifiers
    ▪ Condition logic (AND, OR, NOT), thresholds
  o Severity & Action
    ▪ Cumulative rules
• Resources
  o Sources
  o Destinations
Example Rule
Creating Policies
• Predefined Policy Templates
  o Provide immediate access to predefined sets of policies
  o Enable data protection to meet regulatory compliance standards such as GLBA and HIPAA
  o Policies are based on Natural Language Processing and PreciseID Patterns (Regular Expressions)
• Quick Policies
  o Email DLP Policy
  o Web DLP Policy
• Custom Policies

Appendix 2 – DLP Endpoint Details
What are ENDPOINT and Data Endpoint?
An endpoint is a laptop, server, etc. that applies Forcepoint DATA policies independently of the network-based Forcepoint DATA installation.
F1E ENDPOINT has 2 parts: it can intercept data (Data Endpoint), and it can also send web traffic to the cloud proxy (Web Endpoint).
Data Endpoint intercepts “data-in-use”:
• Sent to removable media
• Sent via HTTP, HTTPS, FTP; sent via Microsoft Outlook (via plug-in)
• Copied to shared folders/local-area network (LAN)
• Accessed or manipulated by a standard application, or even downloaded by an online application
• Sent to local or network printers
Endpoints can run endpoint discovery tasks on their local hard drives.
Endpoints have policy-enforcement options:
• Block
• Permit
• Confirm (Endpoint Only)
• Encrypt
• Encrypt with user password
Note: Encrypt is available for removable media only. Additionally, drop attachment and quarantine are NOT available actions for Endpoint.

Endpoint Platforms & Features
• Supported platforms
  o Windows 2008/2012/2016 Servers and Windows 7/8/10
  o Red Hat/CentOS 4.8, 5.1, 5.5 (not all features supported)
  o 32 & 64-bit support
  o Mac OS endpoint
• Endpoint email-channel support
• PreciseID database and file fingerprint detection
• Original file access time can be preserved (for backups)
• Improved printing

Why Is an Endpoint Needed?
• Some computers, like laptops, may not be on the protected network.
• Some data cannot be protected at the network level.
  o Removable media
  o Encrypted communications cannot be analyzed. This is replaced by looking into specific applications.
• Some operations benefit from being done on the client.
  o Discovery is much less efficient when done by servers for each and every one of the clients.
    ▪ CPU intensive
    ▪ Bandwidth intensive

Endpoint Application Groups
Screen capture
• Screen capture is blocked when specified applications are running.
• The screen capture is sent as forensics when blocked.
File access
• Read access can be intercepted.
• Some files (tmp directory, etc.) are excluded.
Cut/Copy/Paste
• Monitoring of copy and paste operations. (Note: Content is analyzed only on paste, even if the rule is on copying.)

Endpoint Discovery
Local discovery allows analysis of files on local drives. Multiple endpoints handle multiple discovery tasks.
• Run multiple tasks simultaneously on a single machine.
• Run different tasks on different machines.
Scanning can be configured to
• Scan only when the computer is idle
• Pause when the computer is running on batteries

Deploying the Data Endpoint Client
Forcepoint Data Security Endpoint is deployable using
• Manual installation
• Microsoft-based tools
• System Center Configuration Manager (SCCM)
• Systems Management Server (SMS)
Two installers
• ForcepointEndpoint_XXbit.exe for Windows
• LinuxEndpoint_SFX_installer_elX for Linux
Updates are deployable automatically.

Endpoint Action Plans
Available action-plan options for the endpoint
• HTTP/HTTPS: Permit, block, confirm
• Application: Permit, block, confirm
• Removable media: Permit, block, confirm, encrypt
• LAN: Permit, block, confirm
• Printing: Permit, block, confirm
Confirm and encrypt are unique to the endpoint.

Appendix 3 - Knowing the components (Forcepoint DLP solution)
Licensing
A DLP solution requires a license to run the different components offered. These licenses are based on:
1. Which components will be used?
2. How many users/seats does the organization have? (It could be implemented for part of the company, e.g., the finance organization.)
These are the current DLP subscription offerings:
• Forcepoint DLP Endpoint
• Forcepoint DLP Network
• Forcepoint DLP Cloud Applications
• Forcepoint DLP Discovery
Customers who own our Email and Web Security products can “add-on” DLP licensing to those products.
Forcepoint DLP Endpoint (in-use) - Endpoint protects your critical data on Windows and Mac machines, both on and off the corporate network. It includes advanced protection and control for data at rest (discovery), in motion and in use. It integrates with Microsoft Azure Information Protection to analyze encrypted data and apply appropriate DLP controls. The DLP endpoint monitors web uploads, including HTTPS, as well as uploads to cloud services like Office 365 and Box Enterprise. It offers full integration with Outlook, Notes and email clients.

Forcepoint DLP Network (in-motion) - DLP Network stops the theft of data in motion through email and web channels. This solution helps identify and prevent malicious and accidental data loss from outside attacks or from insider threats. OCR (Optical Character Recognition) recognizes data within an image. Analytics identify DLP incidents to help stop the theft of data by more easily spotting high-risk user behaviors.

Forcepoint DLP Cloud Applications (at rest) - Powered by Forcepoint CASB, DLP Cloud Applications extends the advanced analytics and single control of Forcepoint DLP to critical cloud applications, including Office 365, Salesforce, Google Apps, Box and more.

Forcepoint DLP Discovery (at rest) - DLP Discovery identifies sensitive data across your network, as well as data stored in cloud services like Office 365 and Box Enterprise. Advanced fingerprinting technology identifies regulated data and intellectual property at rest, and protects that data by applying appropriate encryption and controls.
Policy Engine
Policy Engine is the DATA component responsible for all data analysis and policy enforcement.
Components of Policy Engine Package
Policy Engine Package contains:
• PE – Policy Engine
• XML-Based Policies
• Fingerprinting Repository
You will find a PE component on any of these implementations, including the FSM:

FORCEPOINT PROTECTOR
• Linux based (CentOS) server
• Software appliance
• Available also on V5K
Monitor and/or block traffic:
• via SPAN Port
• Transparently (inline)
• Explicitly
Supported protocols
• HTTP – Monitoring, Blocking
• SMTP – Monitoring, Blocking (explicit MTA)
• FTP – Monitoring
• IM – Monitoring (MSN, Yahoo, AIM)
• ICAP – explicitly HTTP/S and FTP monitoring/blocking
PROTECTOR – MONITOR ONLY
PROTECTOR – INLINE
PROTECTOR – ICAP INTEGRATION

FORCEPOINT DATA SERVER (DSS)
Windows based server
• Windows Server 2012
• Windows Server 2016
Roles (any or all):
• Additional Analysis Engine (PE)
• Crawler
  o Discovery Server
  o Fingerprinting Server
• Endpoint Server
• Can host SMTP Agent
• OCR Server

FORCEPOINT ONE ENDPOINT (F1E)
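As a worked illustration of the rule model described in Appendix 1 (classifiers, condition logic with AND/OR/NOT and thresholds, severity and action inside a policy container), here is an added Python example written for this guide; it is not Forcepoint's engine or code, and the classifiers, rules and sample text are constructed. It reuses the “LimeStone” key phrase from Use Case #8 and evaluates a two-rule policy against sample text.

```python
import re
from dataclasses import dataclass

# Added example, not Forcepoint code: a toy model of the Appendix 1 rule structure
# (classifier -> condition with threshold -> AND/OR/NOT logic -> severity & action).
# Classifiers are plain regexes here; NLP, PreciseID fingerprints and cumulative
# (cross-transaction) rules are not modelled.
# Constructed classifiers: the "LimeStone" key phrase from Use Case #8 and a
# deliberately simple 16-digit card-number pattern (no Luhn check).
CLASSIFIERS = {
    "LimeStone phrase": re.compile(r"\bLimeStone\b"),
    "card number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

@dataclass
class Condition:
    """One classifier with a match threshold; `negate` is the NOT operator."""
    classifier: str
    threshold: int = 1
    negate: bool = False

    def holds(self, text: str) -> bool:
        hits = len(CLASSIFIERS[self.classifier].findall(text))
        return (hits >= self.threshold) != self.negate  # XOR applies the NOT

@dataclass
class Rule:
    """Conditions combined with AND or OR, plus the severity and action applied."""
    name: str
    conditions: list
    logic: str = "AND"
    severity: str = "Medium"
    action: str = "Permit"

    def matches(self, text: str) -> bool:
        outcomes = [c.holds(text) for c in self.conditions]
        return all(outcomes) if self.logic == "AND" else any(outcomes)

# Constructed policy: a policy is just a container for rules.
POLICY = [
    Rule("Use Case #8 key phrase", [Condition("LimeStone phrase", threshold=2)],
         severity="High", action="Block"),
    Rule("Card number outside LimeStone documents",
         [Condition("card number"), Condition("LimeStone phrase", negate=True)],
         severity="Medium", action="Confirm"),
]

def evaluate_policy(policy, text: str):
    """Return one incident (rule, severity, action) per rule that matches the text."""
    return [{"rule": r.name, "severity": r.severity, "action": r.action}
            for r in policy if r.matches(text)]
```

A single “LimeStone” mention stays below the threshold of 2 and produces no incident, which is the same reason the Use Case #12 test image needs several instances of the word.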