DLPforDummies 2.4

Data Loss Prevention
Implementation Guide
Installing DLP and Testing basic scenarios.
Alejandro Marthi
24 March 2020
For POCs and demos from scratch
Data Loss Prevention for Dummies Guide
Before you begin
Here are some things you will need before you begin this lab.
Option 1 - A configured DLP solution (this will be used when using Forcepoint virtual labs):
Your instructor will have guided you through the initial/basic configuration of your on-prem DLP
Security solution. This will likely be performed in Forcepoint virtual labs however that is not a
requirement.
Option 2 - An on-prem DLP solution from scratch (POCs or partner internal practice):
You will have an on-prem infrastructure, either at the partner premises or at a customer/prospect,
for POCs or for demoing the DLP solution from scratch.
A folder to store your DLP screenshots:
Throughout the lab or POC implementation you will be asked to take screenshots of your
configurations. Create a folder on your laptop or desktop to save them and name it
<Your Name>-DLP. This keeps a record of what you have done in the specific environment; in a
POC it also gives you a technical memory that you can hand to the end user as a reference.
In the case of the virtual labs you will be asked to send a compressed archive of the
screenshots generated in this lab. Give the files descriptive names so that the person who
receives them can quickly identify which step each screenshot belongs to.
A means to get the files to a specific destination:
If your screenshot archive is over 20 MB it will not go through email and will need to be sent
by another method.
forcepoint.com
TABLE OF CONTENTS
UNDERSTANDING YOUR ENVIRONMENT (BASE CONFIGURATION) ............................... 4
SETTING UP THE BASICS (FOR FORCEPOINT VIRTUAL LAB ONLY)................................ 6
DOWNLOADING FSM SOFTWARE .................................................................................. 22
KNOWING FSM SOFTWARE INSTALLATION ................................................................. 22
INSTALLING THE SQL SERVER SOFTWARE ................................................................. 24
CONFIGURING THE FORCEPOINT SECURITY MANAGER SOFTWARE .......................... 29
INSTALLING THE DLP COMPONENT ON FSM ................................................................ 35
ADD AN AD SERVER (MICROSOFT DOMAIN CONTROLLER) IF REQUIRED ................... 41
CONFIGURE USER DIRECTORY SETTINGS ...................................................................... 42
BUILDING YOUR ENDPOINT ............................................................................................. 43
INSTALLING THE ENDPOINT IN THE CLIENTS .............................................................. 48
DLP POLICIES – PREDEFINED POLICIES .......................................................................... 53
USE CASE #1 - BASIC PII POLICIES ................................................................................. 54
USE CASE #2 – THE USB DILEMMA ................................................................................. 65
USE CASE #3 – THE USB DILEMMA – ENCRYPTING THE FILE..................................... 67
USE CASE #4 - TRYING TO SHARE IN THE NETWORK .................................................. 72
USE CASE #5 – STOPPING EDITING ON THE APPLICATIONS...................................... 75
USE CASE #6 - PCI (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD) ......... 78
USE CASE #7 – CREDIT CARDS BE MORE SPECIFIC ....................................................... 82
USE CASE #8 – PATTERNS AND PHRASES ................................................................... 86
USE CASE #9 – FINGERPRINTING ................................................................................... 93
USE CASE #10 – INSTALLING IRR SERVER .................................................................. 103
USE CASE #11 – PROTECTING THE WEB CHANNEL ...................................................... 127
INSTALLING THE DLP COMPONENT ON A SUPPLEMENTAL DLP SERVER ................ 133
USE CASE #12 – IDENTIFYING TEXT ON AN IMAGE .................................................... 136
APPENDIX 1 – DLP POLICIES ........................................................................................... 138
APPENDIX 2 – DLP ENDPOINT DETAILS ....................................................................... 141
APPENDIX 3 - KNOWING THE COMPONENTS (FORCEPOINT DLP SOLUTION) ....... 145
Understanding your environment (Base Configuration)
To start this implementation we assume you know how to build the environment, either on-prem or
in the Forcepoint virtual desktop. You will need to build the full required environment; when
you finish it will look similar to the following, although the scenario can change depending on
the POC or virtual lab you are implementing.
NOTE: This is just the beginning. Make sure you understand the dynamics of this implementation
so you can add or remove the components you require. For the virtual lab the following applies:
Name         IP (example, may change)   Username/Password               Description
FSMServer    192.168.122.20             Windows user: Administrator     Forcepoint Security Manager server
                                        Windows password: provided      on Windows Server 2016
                                        FSM user: admin
                                        FSM password: provided
Windows 10   192.168.122.xx             Windows user: Administrator     Windows 10 client where you will
                                        Windows password: provided      install the DLP agent
Components and required elements
Forcepoint Security Manager (FSM)
• For Virtual Lab - Windows Server 2016 object
• For POC - Windows Server 2016 Standard or Data Center, English version (obligatory),
  installed on a physical or virtual server
SQL Express 2017
• For Virtual Lab – included, or install it on a separate Windows Server 2016 object
• For POC – obtain it from the Microsoft site and install it either on the FSM or on a
  separate Windows Server 2016 box, depending on the size of your testing
Domain Controller
• For Virtual Lab – included on a separate Windows Server 2016 DC object
• For POC – integrate the DC in the customer environment
OCR Server
• For Virtual Lab – included, or download the DLP server software from the Forcepoint
  support site and install it on a separate server
• For POC – use the one provided on the FSM, or download the DLP server software from
  the Forcepoint support site and install it on a separate server
Web Content Gateway (WCG)
• For Virtual Lab – obtain the software from the Forcepoint support site and install it
  on a CentOS server object
• For POC – obtain the software from the Forcepoint support site and install it on a
  separate CentOS server, physical or virtual; it can also be installed on a Forcepoint
  appliance
Incident Risk Ranking Server (IRR)
• For Virtual Lab – obtain the software from the Forcepoint support site and install it
  on a CentOS server object
• For POC – obtain the software from the Forcepoint support site and install it on a
  separate CentOS server, physical or virtual
Important Tips/Notes
• ALWAYS DEPLOY or Save after making config changes. This is EXTREMELY important.
• There are a lot of referenced objects used in our DLP configuration.
• LAB IT UP!!! There are lots of configuration options. You will only get better with practice.
Setting up the Basics (for Forcepoint Virtual
Lab only)
Identify your resources
1.- Identify your assigned user – usually this is the user that you use for connecting via RDP or web
Example 1:
RDP console: watermelon.go4labs.net
Username: manuel.nolen
Password: uenMvbtk
Example 2:
https://watermelon.go4labs.net/login?username=manuel.nolen&password=uenMvbtk
(Note that this form puts the password in the URL, where it ends up in browser history and in proxy
or server logs; use it only for the disposable lab account.)
2.- Identify and create your hostname for public access (all Go4Labs instances have a public IP
that can be used to integrate public services)
Take your user name and append the suffix ".lab.go4labs.net"; in this case the result will be:
manuel.nolen.lab.go4labs.net
NOTE: Keep this information within reach, since you will use it in some of the following steps.
Note: Even though this lab is pre-configured for you, it is always important to know how it
was prepared. You will probably not need to perform the first few tasks, but you will come out
wiser.
Installing Forcepoint Security Manager
Hardware for a Forcepoint Data Manager
(Hardware requirements table not reproduced here.)
• The above requirements are for physical machines
• Virtual Forcepoint Data Managers may see a 10-40% drop in performance
Outlined below are some tips for a successful installation of the Management Server
and its ongoing operation:
Windows Server Preparation - .NET Framework
NOTE: Windows Server 2016 sometimes also needs the .NET Framework 3.5 feature added.
• Press NEXT twice and select the missing components
• Press INSTALL
Windows Server Preparation – Windows Updates
Windows Server Preparation – Synchronize Clocks
Windows Server Preparation – Remove Server Hardening for Installation (Optional; re-apply the hardening once the installation has been verified)
Windows Server Preparation – To perform on all Solutions (Data, Email or Web)
Windows Server Preparation – All Endpoint Client Machines
Make sure to exclude the Forcepoint directory from your anti-virus scanning and real-time scanning:
Windows Server Preparation – Disable Firewall
• Go to Control Panel, then Windows Firewall
• Go to "Turn Windows Firewall on or off"
• Turn Windows Firewall OFF for the private and public profiles (this will be enabled again
  later; when you do, allow the ports needed by the FSM and any other component, for example
  TCP 9443 for the Security Manager console and TCP 1433 for SQL Server)
Windows Server Preparation – Disable Enhanced Security Configuration
Note: This step applies to all versions of Windows Server with IE; verify it is correctly
disabled before beginning the installation. The following path can also be used: Server Manager
> Local Server > IE Enhanced Security Configuration > turn it to Off
Windows Server Preparation – Disable DEP and UAC
For DEP > go to "System Properties" > select the "Advanced" tab > Performance > Settings >
Data Execution Prevention
For UAC (User Account Control) > go to "Control Panel" > "All Control Panel Items" > User
Accounts > Change User Account Control settings. After this, do not forget to reboot your server
before continuing.
Both settings reduce the protection of the host; they are relaxed here for the installation only
and should be restored once the deployment is working.
Windows Server Preparation – Start Computer Browser Service
Windows Server Preparation – Host Name
Windows Server Preparation – Temporary File Location Folder
IMPORTANT – ALWAYS RESTART YOUR WINDOWS SERVER AFTER ALL THESE STEPS. THIS WILL ENSURE THAT
ALL CHANGES ARE APPLIED BEFORE YOU START INSTALLING YOUR FSM.
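The preparation steps above can be applied as one script instead of clicking through each dialog. The following is an added example, not a script from the guide or from Forcepoint; it assumes a Windows Server 2016 host, an elevated PowerShell prompt, and that the TEMP/TMP environment variables are what the "Temporary File Location Folder" step changes (the guide does not say, so that part is an assumption). The only ports it names, 9443 and 1433, are the ones the guide itself uses; `FSMServer` is the host name from the lab table.

```powershell
# Added example (not part of the guide): Windows Server 2016 preparation for the FSM install.
# Run elevated; the host reboots at the end. Assumptions are marked in the comments.
#Requires -RunAsAdministrator
param(
    [string]$FsmHostName = 'FSMServer',   # host name from the guide's lab table
    [string]$TempDir     = 'C:\Temp'      # assumption: the temp folder the guide's screenshot sets
)

# 1. .NET Framework 3.5 (Server 2016 sometimes needs it; add -Source <media>\sources\sxs if offline)
Install-WindowsFeature -Name NET-Framework-Core

# 2. Clock sync against the configured time source (domain hierarchy once the box is joined)
w32tm /resync | Out-Null

# 3. Firewall. The guide disables it for the install; the corrected setting is to keep it on
#    and allow only the ports the deployment needs. Both are shown, the safer one commented out.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False
# Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
# New-NetFirewallRule -DisplayName 'Forcepoint Security Manager console' -Direction Inbound `
#     -Protocol TCP -LocalPort 9443 -Action Allow
# New-NetFirewallRule -DisplayName 'SQL Server' -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow

# 4. IE Enhanced Security Configuration off for administrators (A7) and users (A8)
$ieEsc = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Set-ItemProperty -Path "$ieEsc\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0
Set-ItemProperty -Path "$ieEsc\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0

# 5. DEP off for all programs and UAC off. Both weaken the host; restore them after the install
#    (bcdedit /set "{current}" nx OptIn  and  EnableLUA = 1).
bcdedit /set "{current}" nx AlwaysOff | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name EnableLUA -Value 0

# 6. Computer Browser service. On Server 2016 it only exists when the SMB 1.0/CIFS feature is installed.
if (Get-Service -Name Browser -ErrorAction SilentlyContinue) {
    Set-Service -Name Browser -StartupType Automatic
    Start-Service -Name Browser
} else {
    Write-Warning 'Computer Browser service not present (requires the FS-SMB1 feature)'
}

# 7. Temporary-file folder (assumption, see above) and host name
New-Item -ItemType Directory -Path $TempDir -Force | Out-Null
[Environment]::SetEnvironmentVariable('TEMP', $TempDir, 'Machine')
[Environment]::SetEnvironmentVariable('TMP',  $TempDir, 'Machine')
if ($env:COMPUTERNAME -ne $FsmHostName) { Rename-Computer -NewName $FsmHostName -Force }

# 8. Reboot so every change is applied before the FSM installer runs
Restart-Computer -Force
```

Keep the script with the screenshots for the POC: it doubles as the record of which protections were relaxed on the server and therefore of what has to be turned back on when the installation is verified.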
Downloading FSM Software
Go to "support.forcepoint.com" > Downloads > "Data & Insider Threat Security" > "Forcepoint
DLP" > "v8.7" > download "Forcepoint DLP"
Note: Use your partner or end-user credentials to sign in to the Forcepoint support page; if you
don't have one, contact your partner or Forcepoint.
Knowing FSM Software Installation
As in all systems there are small details to consider before continuing the installation. When
installing the FSM you need to consider the dependencies of the different components you plan
to include:
For the FSM you will need a SQL Server. For demos or POCs with a small number of users you can
use SQL Express, but for a final, full installation you will need to install or connect to a SQL
Server with a Standard or Data Center license; you can find the details at the following link.
http://www.websense.com/content/support/library/deployctr/v85/dic_sys_req.aspx
In this particular case for the lab we are going to use SQL Server on another server.
NOTE: During the installation of the FSM you will be asked to connect to the SQL database,
which is used to create the structure that stores all the events needed for monitoring,
tracking, reports and dashboards, so it is important to install the SQL software first.
In case of SQL installation on the same server
If you try to install the FSM without installing the SQL software first you will see this
message in the installation window:
So let's install SQL Server first: download the software and, once you have it, proceed with
the installation.
NOTE: If for any reason you executed the FSM installation file before installing the SQL Server
software, close the installer and, during the exit phase, select the "Keep Installation Files"
checkbox and then press YES. This preserves all the previous steps you have made. Otherwise
continue.
You can install the SQL Express software on the same computer as the FSM for demo or POC
purposes. For final implementations it is recommended to have it on a separate server, or at
least to check the memory, processor and disk requirements carefully if both are to share the
same machine.
Installing the SQL Server Software
You will need to install 2 (two) files:
Open the SQL Server installation program with administrator privileges and select the CUSTOM
installation:
Press "INSTALL" and select "New SQL Server stand-alone installation"
"ACCEPT" the License Terms and press "NEXT"
Press "NEXT", leaving the default information, until you get to "Database Engine Configuration".
Select "Mixed Mode" and set a password of your own for the sa account (the FSM installer will
use this account, so choose a strong one and record it).
Continue until the installation finishes, and then install SQL Server Management Studio.
You will receive the following message, but wait:
Before restarting the Windows Server, verify the network configuration of the SQL Express
server.
Open SQL Server Configuration Manager, go to Network Configuration and verify that Shared
Memory, Named Pipes and TCP/IP are enabled. If not, enable them by double-clicking each one;
once enabled you need to restart the services, or you can restart the Windows Server now.
1.- Enable Named Pipes
2.- Enable TCP/IP
3.- Change to the IP Addresses tab and find the IPAll section
Modify the following:
• TCP Dynamic Ports: blank
• TCP Port: 1433
After this you need to restart the SQL Server service; then reboot the Windows Server for any
pending changes.
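The same network settings can be applied and verified from PowerShell, which is useful when SQL Server lives on a different box than the FSM, as in this lab. This is an added example, not code from the guide or from Forcepoint. It assumes a named instance called `SQLEXPRESS` (the guide does not state the instance name) and the `SqlServer` PowerShell module, which carries the SMO WMI assembly used here; the check at the end is the one the FSM installer effectively performs when it asks for the SQL Server address, port 1433 and the sa password.

```powershell
# Added example (not part of the guide): enable Shared Memory, Named Pipes and TCP/IP on the
# SQL Express instance, pin TCP to port 1433 with dynamic ports cleared, restart the service
# and prove that a sa login over TCP 1433 works before the FSM installer is run.
param(
    [string]$SqlHost  = $env:COMPUTERNAME,  # SQL Express server (run this on that server)
    [string]$Instance = 'SQLEXPRESS'        # assumption: instance name is not given in the guide
)
if (-not (Get-Module -ListAvailable -Name SqlServer)) { Install-Module SqlServer -Scope CurrentUser -Force }
Import-Module SqlServer

$wmi       = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $SqlHost
$protocols = $wmi.ServerInstances[$Instance].ServerProtocols

# Shared Memory ('Sm') and Named Pipes ('Np'), as in the Configuration Manager screenshots
foreach ($name in 'Sm', 'Np') {
    $p = $protocols[$name]
    if (-not $p.IsEnabled) { $p.IsEnabled = $true; $p.Alter() }
}

# TCP/IP: enable, then on IPAll blank the dynamic port and set the static port 1433
$tcp = $protocols['Tcp']
$tcp.IsEnabled = $true
$ipAll = $tcp.IPAddresses['IPAll']
$ipAll.IPAddressProperties['TcpDynamicPorts'].Value = ''
$ipAll.IPAddressProperties['TcpPort'].Value         = '1433'
$tcp.Alter()

# Protocol changes only take effect after the engine service restarts (MSSQL$<instance>)
Restart-Service -Name "MSSQL`$$Instance" -Force

# Verification: the port must answer and the sa login (Mixed Mode) must succeed over TCP
$probe = Test-NetConnection -ComputerName $SqlHost -Port 1433 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) { throw "TCP 1433 on $SqlHost is not reachable; check the firewall" }

$saPassword = Read-Host -AsSecureString -Prompt 'sa password'
$saPassword.MakeReadOnly()
$cred = New-Object System.Data.SqlClient.SqlCredential('sa', $saPassword)
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlHost,1433;Encrypt=True;TrustServerCertificate=True")
$conn.Credential = $cred
$conn.Open()
Write-Host "Connected to $($conn.DataSource) as sa, SQL Server $($conn.ServerVersion)"
$conn.Close()
```

If the port probe fails while the service is running, the Windows Firewall on the SQL host is the usual cause; with the firewall left enabled, an inbound allow rule for TCP 1433 is the fix, not another global disable.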
Configuring the Forcepoint Security Manager Software
Once you finish, execute the FSM file with administrator privileges.
Press the Start button …
Select the “Accept” Checkbox and press NEXT …
Once you reach the "Installation Type" screen, select the Custom option and press NEXT.
Press "Install" in the Forcepoint Management Infrastructure section. This must be the very first
option installed; once it is installed you can continue with the other options, in this case
Forcepoint DLP.
NOTE: You will install each one of the options separately, as required.
Leave the default path.
When it asks for SQL Server information, fill it in with the details of your recent SQL Server
installation; verify your SQL Server IP address and use the correct one with port 1433.
NOTE: The PASSWORD is the one you assigned to the sa user during the SQL Server custom
installation.
Use the IP address where you are installing the FSM (or, in some cases, the corresponding PE);
the password is the one of the Windows Server Administrator.
Create the FSM admin user password according to your password strategy and add a working
email address so you can receive notifications.
Leave "configure email settings" unselected; you can modify these later.
After this verify your final settings and press "NEXT" until the installation concludes.
After this step, restart your server in order to finish any pending components.
Installing the DLP Component on FSM
Once you have installed the FSM, you need to add the required components of the product, in
this case you will add the DLP Manager component.
This will install all the required infrastructure and predefined components so you can start to
work on the product.
Use the credentials you have already used for Windows Server Administrator and for the sa
user in the SQL Express Server.
You may see the following message about the available space. Since this is a demo you can
ignore it, but if you have the required space it is better to provide it.
Select "YES" and continue with the installation.
Once you have finished it is time to start testing your FSM installation and add your license.
Launch Security Manager through any of the following methods:
• Double-click the shortcut on the Desktop
• Open a browser and go to https://192.168.122.20:9443/manager/
Use the following credentials to gain access:
Username: admin
Password: Password set during install
Add your license and validate it. You will find the XML file on the FSM server desktop.
Verify it is installed correctly: go to Dashboard and check that "Your Subscription is valid".
Verify the license is correct; otherwise update the license with the right one.
Verify your deployment configuration.
You will see the main components to start working with Policies and rules.
Add an AD server (Microsoft Domain Controller) if required.
Add the AD server using GNS3 if you are using the Forcepoint virtual desktop; otherwise follow
the configuration details of the local AD.
1. Navigate to GNS3.
2. Choose Domain Controller 2016 Server Object
3. Drag and Drop to the main window
4. Associate Domain Controller Server with Switch, using the
cable/link object.
5. Activate the Domain Controller Server (Start).
Configure User Directory Settings.
1. Navigate to Data > Settings > General > Directory Services.
Select New
2. Fill the User Directory information
3. Test the connection.
Building your endpoint
Downloading F1E Software (Forcepoint One Endpoint)
Go to "support.forcepoint.com" > Downloads > "Endpoint Security" > "Forcepoint One Endpoint"
> "20" > download "Forcepoint One Endpoint v20.02.4499 package builder"
Note: Use your partner or end-user credentials to sign in to the Forcepoint support page; if you
don't have one, contact your partner or Forcepoint.
After you download it, move all the files contained in the ZIP file to the following directory
on the FSM server, C:\Program Files (x86)\Websense\Data Security\client, then execute the
builder program. This generates a final installation file that can be deployed on all the
corresponding endpoints.
Select “Forcepoint DLP Endpoint”
Select the operating systems where you are going to deploy the DLP Endpoint; one file is
generated per OS. Also add the corresponding PASSWORD for modifying or uninstalling the
installation (this password is what prevents a user from simply removing the agent, so treat it
like any other privileged credential).
Leave the default installation path unless you have a specific strategy for this.
Fill in the IP address field with the address of the PE (Policy Engine) that is going to update
the policy on the endpoint; in this case we use the FSM, since it contains our initial PE.
In final implementations, if your corporate policy allows it, you can enable the automatic
software updates checkbox.
Select the user interface mode:
Interactive
• The endpoint software user interface is displayed on all endpoint machines.
• Users can see a list of files that have been contained.
• Users have the option to open files to review their content, or save them to an authorized
  location.
Stealth
• The endpoint software user interface is not displayed to the user and the software runs in
  the background. Because users don't see block notifications or continuation dialogs, it is
  best reserved for discovery tasks and audit-only policies.
• Users do not know when files are contained.
Select where to save the installation package
Press FINISH
Once you have the installation file, move or deploy it to all the Windows/Mac/Linux clients you
plan to protect with the endpoint, using the following steps.
Open a network file sharing connection to the FSM server by selecting Run and entering \\192.168.122.20\c$
Enter your network credentials to authorize the file sharing.
Find the DLP endpoint installation file you just created, copy it to the corresponding client or
clients and execute it to install the DLP endpoint. Otherwise you will need a software
distribution tool for this purpose.
Installing the endpoint in the clients
After you move the installer to the corresponding clients, locate it on the hard disk; in this
case we are installing on a Windows 10 laptop.
Execute the file.
Accept the agreement
Select the corresponding installation PATH or leave the DEFAULT
Press INSTALL
After it finishes go and restart the client computer
After it reboots you should see the presence of the agent in your taskbar
Right Click the endpoint agent and select “Open Forcepoint DLP Endpoint”
You should see something like this, and you will need to identify two main details:
1. In the Connection section the connection status should be "Connected". If it shows something
different, troubleshoot the communication between the client and the FSM; a firewall, AV or
intermediate device may be blocking the communication.
2. In the Endpoint Settings section you should see when the latest update of the rules was
performed, and the Status should be "Enabled".
Once you have these two ready, update the policy by selecting the Update button in the DLP
Endpoint. After you verify that the new policy has been received you can CONTINUE with the
policy testing.
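When the endpoint shows anything other than "Connected", the troubleshooting the guide asks for comes down to three checks on the client: the agent services are running, the FSM is reachable over the network, and the AV exclusion from the server-preparation section is in place. The following is an added example, not code from the guide or from Forcepoint. It assumes the FSM address 192.168.122.20 and the console port 9443 from the guide (the endpoint itself uses further ports that the guide does not list, so a 9443 probe only proves the network path), a `*Forcepoint*` service display-name wildcard (the guide does not name the services), and Windows Defender as the AV; you pass the endpoint install path shown by the package builder.

```powershell
# Added example (not part of the guide): post-install health check on the Windows 10 client.
# Run as an administrator after the reboot that follows the endpoint installation.
param(
    [Parameter(Mandatory)][string]$EndpointPath,      # install path chosen in the package builder
    [string]$FsmAddress = '192.168.122.20',            # FSM address from the guide's lab table
    [int]$FsmPort = 9443                               # console port from the guide; path check only
)
$problems = @()

# 1. Agent services present and running (display-name wildcard is an assumption)
$services = Get-Service | Where-Object { $_.DisplayName -like '*Forcepoint*' }
if (-not $services) {
    $problems += 'No Forcepoint endpoint service found: was the installer run and the client rebooted?'
}
foreach ($s in $services) {
    if ($s.Status -ne 'Running') { $problems += "Service '$($s.DisplayName)' is $($s.Status)" }
}

# 2. Network path to the FSM (a firewall, AV or intermediate device would fail this)
$probe = Test-NetConnection -ComputerName $FsmAddress -Port $FsmPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    $problems += "Cannot reach $FsmAddress on TCP $FsmPort from this client"
}

# 3. Real-time scanning exclusion for the endpoint directory (Defender; other AV has its own setting)
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -notcontains $EndpointPath) {
    $problems += "'$EndpointPath' is not excluded from Defender real-time scanning"
}

# 4. Summary: warnings to fix, or a green light to press Update in the endpoint UI
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Endpoint checks passed: press Update in the endpoint UI and continue with the policy tests'
}
```

Save the console output with the screenshots; for a POC it is the evidence of why an endpoint did or did not connect, which is easier to explain to the customer than a screenshot of a red status.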
DLP Basic Use Cases
STANDARD and Compliance Predefined Use Cases
Take your time to browse how many classifiers and other
resources you can find and use in policies.
DLP Policies – Predefined Policies
• Select Policy Management – DLP Policies – Manage Policies
• Select Add – Predefined Policies
• Press Next
Use Case #1 - Basic PII Policies
• On the Region section, select CALA / Mexico and press NEXT
• On the Industries section, select Finance and Banking, and Software
• Press NEXT, then press FINISH
• You should see all the predefined policies associated to Mexico / Banking & Software selected
• Select PII and you should see on the right all the corresponding predefined classifiers
• Repeat the same steps for "Credit Cards" and "Regulations, Compliance and Standards"
• Press the "Use Policies" button and then select the "Deploy" button
• You will see the policies being applied to all the components of the DLP configuration
• When it finishes press "Close"
• Go again to Policy Management / DLP Policies / Manage Policies
• You will now see the selected policies on the screen
• Select Mexico PII: RFC (Default)
• Then select the Rule link
• Go to the Severity & Action tab and modify the Action Plan for "at least 3" matches
• Go to Destinations and verify that Endpoint Printing is enabled
• Press OK and Deploy
Testing your first Rule
Once you have verified that your endpoint is running and connected, we can test it with the
first DLP policy you have just created.
You will need to create 2 (two) text documents using either WordPad or Notepad.
1.- The first document should have some text to validate; in this case just add one line
containing the following text:
• CIDJ681025JF8
2.- The second document should have similar text but in this case should contain 3 lines with
different values in the same format:
• CIDJ681025JF8
• DIGA270109RH7
• CIJC250211NM8
3.- Save your documents with different names
4.- Let's verify our first rule:
• If it finds only one match it will Audit Only
• If it finds at least 3 matches, it will Block the action
5.- Try to print each one of the files to PDF
6.- When you try to print the file with only ONE line, the print succeeds and you are able to
create the PDF file.
7.- When you try to print the file with THREE lines, the print is BLOCKED; you can see the
alert message that shows that the operation has been blocked and the file was not created.
Verifying your activity on the FSM (Forcepoint Security Manager)
Go to Reporting -> Data Loss Prevention -> Incidents
You will see the following information:
• The Channel where the incident occurred
• The severity
• The Action taken – in this case Blocked, as defined in the rules
• The Rule that matched the incident, including the text that fired the rule
• The name of the file you tried to print, which you can view or download
You will also see some changes in the Dashboard view:
Use Case #2 – The USB Dilemma
• If you are working with the Forcepoint virtual environment, follow these instructions to add a
  virtual USB to the Win10 client; otherwise you can test with a real USB
• Go to File on your Win10 console and select USB device
• Select the USB device and press Close
• You will see a new USB Drive (D:) in your file manager
• Try to SAVE or COPY the file with one line and also the one with three lines; you should
  obtain this result on the last one.
Verifying your activity on the FSM (Forcepoint Security Manager)
Go to Reporting -> Data Loss Prevention -> Incidents
Use Case #3 – The USB Dilemma – Encrypting the file
• Go to the FP One Endpoint application and set the encryption password
• On the Win10 client create a new file with 5 instances of the RFC:
  CIDJ681025JF8
  DIGA270109RH7
  CIJC250211NM8
  CIDP040852YT6
  DIGP681025JF8
• Go to Policy Management -> Resources -> Action Plans
• Create a new Action Plan
• Fill in the name and modify the actions in the Endpoint Channels section; when you finish
  press OK
• Go to Policy Management -> DLP Policies -> Manage Policies and find the Mexican PII policy
  you created
• Open the current action plan properties, enable the last match option, change the value of
  matches to at least 5 with severity High and select the action plan you just created:
• Press OK and Deploy
• Go to your Windows 10 client and verify that the new rule has been received, using the
  Forcepoint One Endpoint application "Update" button
• Choose the new file with the 5 instances of the RFC and try to save it to the USB drive; you
  should get a message like this one.
• Verify that the file has been encrypted and that the decryption tools are available.
Verifying your activity on the FSM (Forcepoint Security Manager)
Go to Reporting -> Data Loss Prevention -> Incidents
You will see that under the Action column the action was enforced with encryption on the USB
channel.
Use Case #4 - Trying to share in the network
Go to your Win10 client and try to establish a network file sharing connection to the FSM
server.
Open a network file sharing connection to the FSM server by selecting Run and entering \\192.168.122.20\c$
Enter your network credentials to authorize the file sharing.
Validate that you have 2 (two) file windows.
Go to your recent policy in Policy Management -> DLP Policies -> Manage Policies, select the
"Mexico PII" rule you have been using and open it for EDIT.
Go to the Destination tab and enable the "Endpoint LAN" option
Press OK and Deploy; after this go back to the Win10 client and update the policy in the DLP
Endpoint.
After updating the policy, try to move the files you created from the Win10 client to the FSM
server and see the RESULTS.
You should see something like this:
Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
You will see that under the Channel column the action was detected on the LAN channel.
Use Case #5 – Stopping Editing on the Applications
PrintScreen Scenario
• Go to Policy Management -> Resources -> Endpoint Applications
• Select WordPad and modify the Screen Capture parameter to "Block & Audit"
• Press OK and Deploy
• Verify that the F1E is updated on the Win10 client
• Open WordPad on the Win10 client and try to "Print the Screen" using the SendKey option at
  the top of the console window
Verifying your activity on the FSM (Forcepoint Security Manager)
Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents
This event was triggered while trying to do a PrintScreen on the WordPad application.
Cut/Paste Scenario
• Go to Policy Management -> Resources -> Endpoint Applications Groups
• Select Office Applications
• Add the Paste button -> Save and DEPLOY
Use Case #6 - PCI (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
Goto Policy Management -> DLP Policies -> Manage Policies -> Credit Cards section -> Credit
Cards Rule
Goto the Severity & Action tab -> enable it and add a match line for 2 matches with severity High and the Action Plan set to Block All.
Press OK and then press NO before DEPLOY; we will modify another rule before deploying.
Goto Policy Management -> DLP Policies -> Manage Policies -> PCI -> PCI: Credit-Card
Numbers (default) and then edit the rule
Goto the Severity & Action tab -> enable it and add a match line for 2 matches with severity High and the Action Plan set to Block All.
Press OK and then DEPLOY.
• Goto the Win10 Client and simply copy/paste the info below into an Excel-type file and save it:
CCN
3925-2700-8985-2094
6119-6661-5526-2515
5361-0153-4188-4880
6715-5329-8954-5376
6716-2240-5692-6858
5007-2341-7254-6563
4492-0099-9803-7376
4860-8276-1506-5601
4771-6409-4004-2171
5669-7981-3497-5937
5515-6831-9905-4594
5181-3708-9291-6195
4795-6905-3089-7981
6864-4368-8809-1178
4274-0112-2856-3027
3702-8566-1747-4507
4583-8876-6214-4655
6114-2882-6850-5055
4350-1144-7091-5585
3911-6797-8376-2357
6468-6780-1264-4519
4354-9482-2743-1594
5752-0034-6540-3536
NEXT ACTION – TRY TO PRINT IT OR MOVE IT TO A DIFFERENT DIRECTORY AND SEE HOW IT BEHAVES.
You should see a blocking message like this:
Verifying your activity on the FSM (Forcepoint Security Manager)
Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
You will be able to see all the affected Policies that are enabled and the associated file for
forensic research.
Use Case #7 – Credit Cards, being more specific
Goto Policy Management -> DLP Policies -> Manage Policies -> Credit Cards section and enable the following rules:
• American Express
• Mastercard
• VISA
• Don’t DEPLOY until you finish enabling all the mentioned rules.
• Once you have finished, press OK and Deploy
• Goto your Win10 client and update the policy by pressing the UPDATE button
• Create a file with the following info:
type: Visa
number: 4532 7931 8374 6550
cvv: 457
exp: 12/18
name: Luke Skwalker
Address: Calle 37 b sur 27-29 envigado
type: American Express
number: 3445 202966 40628
cvv: 570
exp: 08/19
name: Han Solo
Address: Calle 43 # 5-13 El Poblado Medellin
type: Mastercard
number: 5554 4269 4901 1171
cvv: 805
exp: 10/18
name: Darth Vader
Address: Av Industriales 45-37 Torre Sur piso 10
• Then test again; you will see an error again
• Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered
• Now you are able to see more specific rules for specific credit card formats.
• Verify your Dashboard
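As an added illustration (not the guide's own code and not how Forcepoint's classifiers are implemented), the following Python script mimics what the generic Credit Cards rule of Use Case #6 and the brand-specific rules of Use Case #7 evaluate: it finds candidate card numbers in text, keeps only those that pass the Luhn mod-10 check, applies the issuer prefix and length rules for Visa, American Express and Mastercard, and blocks once the 2-match threshold is reached. The sample records are the guide's own test data; the function names, the issuer ranges and the threshold handling are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed test document: the three cards from Use Case #7 plus two rows
# taken from the Use Case #6 CCN list.
SAMPLE_TEXT = """\
number: 4532 7931 8374 6550
number: 3445 202966 40628
number: 5554 4269 4901 1171
3925-2700-8985-2094
4492-0099-9803-7376
"""


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum that every real card number satisfies; this is what
    separates a card number from an arbitrary run of 16 digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Issuer rules (assumed standard IIN ranges) behind the brand-specific
    rules of Use Case #7; None means only the generic rule applies."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "amex"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    return None


def find_cards(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (digits, brand) for every Luhn-valid candidate in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((digits, brand_of(digits)))
    return hits


def evaluate(text: str, threshold: int = 2) -> dict:
    """Generic rule: block once at least `threshold` valid card numbers are
    present (the '2 matches' line configured in Use Case #6). Also reports
    which brand-specific rules would fire on the same content."""
    hits = find_cards(text)
    brands = sorted({brand for _, brand in hits if brand})
    return {
        "matches": len(hits),
        "action": "block" if len(hits) >= threshold else "permit",
        "brand_rules": brands,
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_TEXT))
    # A number that fails the checksum is ignored, so it does not count.
    print(evaluate("number: 4532 7931 8374 6551"))
```

A single valid card stays below the threshold and is permitted, which is why the guide's test files contain several numbers.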
Use Case #7.1 – WhatsApp Web
Follow these steps to set up WhatsApp Web control:
Goto General -> Endpoint -> Detection and add the following domains, with or without wildcards: *.web.whatsapp.com and *.whatsapp.com
Goto Win10, open your browser, open WhatsApp Web and try to share some of the docs created previously with some contact; you will face the following action control. Review the incident in FSM.
DLP Not-that-Basic Use Cases
Custom Use Cases
Content Classifiers:
• Building blocks to use in policy creation
• Classifiers identify data to protect
• Used to create the condition for a rule
Type of Classifiers:
Typical usage of Classifiers:
• Internal Physical Assets: Unique identifiers assigned to equipment, personnel, inventory
(requires custom regex or fingerprint).
• Internal Technical Assets: Unique processes, procedures, systems (requires file or
database fingerprint).
• Internal Contingency Plans: Unique plans that may impact liability of the business
(requires custom classifier or fingerprint).
• Internal Customer Data: Such as name, address, account information, usage metrics
(requires custom regex or fingerprint).
• Business and Technical Drawing Files: Detecting true file types such as DWG, DXF, PTC, STL, and more (no OCR needed).
• Summary: Most Manufacturing Data classifiers will be custom and will require some tuning (custom policies + thresholding).
Use Case #8 – Patterns and Phrases
For patterns you will usually need a custom regex (regular expression); phrases can be any kind of fixed text.
Key Phrases
• Define a specific word or phrase that may indicate classified information:
  o Product code names
  o Confidential projects
  o Any confidential or reserved term
• Not case sensitive
• Exact match includes slashes, tabs, hyphens, underscores, and carriage returns
Best Practices Using Key Phrases
• Avoid common words that lead to false positives.
• Use conditional logic to look for specific combinations and/or thresholds.
• Consider creating key phrases for unique words not typically found in a dictionary.
• Combine classifiers with predefined patterns, scripts, dictionaries & fingerprints whenever possible for greater accuracy.
Goto Policy Management -> Content Classifiers -> Patterns&Phrases
Goto NEW -> Key Phrase
Fill in the fields with the proper information; for "Phrase to search", enter the phrase you want to find inside the content:
Press OK; you will see a message similar to this one, indicating you need to associate this new classifier with a rule. You can add it now or wait; for the moment press CANCEL.
You can verify that your new classifier has been added:
Goto Policy Management -> DLP Policies -> Manage Policies -> Add -> Custom Policy
• Fill in the information on the corresponding FIELDS
STEP 1 – General TAB, fill in the fields and press NEXT
Step 2 – Add the classifier on the Condition TAB by pressing the Add button, search for the name of your recently created classifier and press OK; you will see it in the list of classifiers, press NEXT
Step 3 – On the Severity & Action TAB, add a new match line for at least 2 incidents and assign an ACTION PLAN, press NEXT
Next Steps – Leave default values for the rest and press NEXT until you get to FINISH; you will be able to see the new Policy/Rule, go ahead and DEPLOY
• Goto your Win10 Client and update the policy by pressing the UPDATE button.
• Create a file with the following text, just copy/paste it; it contains your key phrase embedded
Star Wars is an American epic space-opera media franchise created by George Lucas, which began with the eponymous 1977 film and quickly became a worldwide pop-culture phenomenon. The franchise has been expanded into various films and other media, including television series, video games, novels, comic books, theme park attractions, and themed areas, comprising an all-encompassing fictional universe. The franchise holds a Guinness World LimeStone Records title for the "Most successful film merchandising franchise". In 2020, the total value of the Star Wars franchise was estimated at US$70 billion, and it is currently the fifth-highest-grossing media franchise of all time.
• Try to Print/Move/Save the file in order to trigger your new rule.
• Since this time the Action Plan is just to audit, let’s verify the incidents
• Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered
• Verify your Dashboard
Dictionaries
• Dictionaries are containers for words and expressions.
• Forcepoint provides over 100 predefined dictionaries.
  o Examples: medical conditions, legal terms, credit card terms, celebrities, etc.
  o They are proprietary and encrypted.
• You can create custom dictionaries.
• Rules can combine dictionaries with other classifiers.
• Thresholds set the number of matches required to trigger a rule.
Patterns (also named Regular Expressions)
• Over 100 pre-defined patterns, some of which are used by the Policy Template Wizard
• Create your own classifiers using regular expressions
• Goto Policy Management -> Content Classifiers -> Patterns&Phrases
• Select New -> Regular Expression
• Fill in the name and description fields
• On the Value field use the following regular expression: login([123]|_internal)?\.php
• This regular expression will match any of the following:
  1. login.php
  2. login1.php
  3. login2.php
  4. login3.php
  5. login_internal.php
• Press OK, then CANCEL
• Goto Policy Management -> DLP Policies -> Manage Policies
• Add a new rule to the LimeStone Policy you created in the last Use Case
• Under the General TAB fill in the new name of the rule, press NEXT
• Under the Condition TAB select your newly created regular expression:
• Under the Severity & Action TAB add a new match line for at least 3 incidents or events with an Audit Action Plan, press NEXT until the end, then FINISH and DEPLOY
• GoTo Win10 Client -> Update the policy
• Create a file with the information mentioned before, test the file and let’s see the results.
• Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered
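As an added example (not the guide's own code and not Forcepoint's implementation), this Python script models how the two rules of the LimeStone policy are evaluated: the case-insensitive key phrase classifier from Use Case #8 with its 2-match threshold, the regular expression classifier above with its 3-match threshold, and the AND/OR condition logic mentioned under the key phrase best practices. The class names, the sample content and the rule layout are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Classifier:
    name: str
    count: Callable[[str], int]  # number of matches found in a piece of content


def key_phrase(phrase: str) -> Classifier:
    """Key phrase classifier: not case sensitive, otherwise an exact match, so
    hyphens, underscores and similar characters in the phrase are literal."""
    pat = re.compile(re.escape(phrase), re.IGNORECASE)
    return Classifier(f"phrase:{phrase}", lambda text: sum(1 for _ in pat.finditer(text)))


def regex_pattern(expr: str) -> Classifier:
    """Pattern classifier: the regular expression is used as written, so an
    unanchored expression also matches inside longer strings."""
    pat = re.compile(expr)
    return Classifier(f"regex:{expr}", lambda text: sum(1 for _ in pat.finditer(text)))


@dataclass
class Rule:
    name: str
    conditions: List[Tuple[Classifier, int]]  # (classifier, minimum matches)
    logic: str = "AND"                        # how several conditions combine
    action: str = "audit"


def rule_fires(rule: Rule, text: str) -> bool:
    """A condition is met when its classifier reaches its match threshold."""
    met = [c.count(text) >= minimum for c, minimum in rule.conditions]
    return all(met) if rule.logic == "AND" else any(met)


def evaluate_policy(rules: List[Rule], text: str) -> List[dict]:
    """One incident record per rule whose conditions are met, similar to
    what the Incidents report lists."""
    incidents = []
    for rule in rules:
        if rule_fires(rule, text):
            counts = {c.name: c.count(text) for c, _ in rule.conditions}
            incidents.append({"rule": rule.name, "action": rule.action, "matches": counts})
    return incidents


# The two rules built in Use Case #8 and the Patterns section: the key phrase
# rule needs at least 2 matches, the regular expression rule at least 3.
LIMESTONE_POLICY = [
    Rule("LimeStone key phrase", [(key_phrase("LimeStone"), 2)]),
    Rule("login page pattern", [(regex_pattern(r"login([123]|_internal)?\.php"), 3)]),
]

# Constructed test content.
DOC_TWO_PHRASES = "Quarterly LIMESTONE output rose; the limestone kiln ran at capacity."
DOC_ONE_PHRASE = "The LimeStone project name must not leave the company."
DOC_LOGIN_PAGES = "\n".join([
    "GET /login.php", "GET /login2.php", "GET /login_internal.php",
    "GET /login4.php", "GET /loginx.php",  # neither of these two matches
])

if __name__ == "__main__":
    for doc in (DOC_TWO_PHRASES, DOC_ONE_PHRASE, DOC_LOGIN_PAGES):
        print(evaluate_policy(LIMESTONE_POLICY, doc))
```

A document with a single occurrence of the phrase stays below the 2-match line and produces no incident, which matters when you test with a file that mentions the phrase only once.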
Predefined Scripts
• Python scripts allow unlimited analysis
• Weighted scoring
• Complex conditional statements
• Context sensitive
• External dictionaries
• Tunable
• Developed exclusively by Forcepoint
• More accurate than regular expressions
• Analyze content and context using statistical analysis or decision trees.
• Three sensitivity levels: default, wide (less accurate) and narrow (more focused and
accurate)
Use Case #9 – FingerPrinting
Fingerprinting of structured and unstructured data allows data owners to define data types and
identify full and partial matches across business documents, design plans and databases, and
then apply the right control or policy that matches the data.
• File Fingerprinting (Unstructured): files or directories, including Microsoft SharePoint and IBM Domino directories.
• Database Fingerprinting (Structured): database records directly from your database table, Salesforce table, or CSV file.
Database Fingerprinting (DB Fingerprinting) Scenario
Goto FSM Server -> Find the SQL Server Management Studio -> Connect to the SQL Server
DB using your previous SQL sa credentials.
Add a new database, or create one and fill it with useful information that can be used to match possible data loss on the configured channels; in this example we are restoring a backup of a DB.
Select Databases -> Restore DB -> Device -> Add -> Search for the corresponding database
(Northwind.bak) usually positioned on the Backup Subdirectory -> Select Database -> Press
OK.
Press OK button, you should now see your DB loaded on the SQL Server Studio:
NEXT STEP is to establish a trusted association between the FSM and the DB we have just
added.
Configure your ODBC Connector on your Crawler
Goto your FSM and locate the ODBC Data Source Administrator at the following path:
• C:\Windows\SysWOW64\odbcad32.exe
Start it, use the “User DSN” TAB, and select ADD
Select SQL Server from the list and press FINISH
Fill the Empty Fields and choose the device where the SQL Server is installed in this case the
local FSM Server, then press NEXT.
You will need to authenticate to the SQL Server; you can either use the DB user or Windows authentication, select whichever suits you better.
If the authentication was successful, you will see a list of the databases already present on the SQL Server; select the database you are going to connect to and press NEXT.
You will see a window like this; select “Test Data Source” to verify the configuration.
If you receive the following message then you are CONNECTED and VERIFIED!!!! Press OK
twice and continue with the configuration
Goto FSM -> Policy Management -> Content Classifiers -> Database Fingerprinting
Select NEW -> Database Table Fingerprinting
• Fill in the name of the new DB Fingerprint classifier
• Fill in the information to authenticate to the SQL Server via the ODBC Connector
• Select the table and the fields you are going to use for matching
Go ahead, press NEXT and then FINISH; when you reach the creation message press CANCEL and wait until the Crawler finishes fingerprinting the DB.
• Goto Policy Management -> DLP Policies -> Manage Policies
• Add a Custom Policy using the new classifier
• Configure it and DEPLOY
• Goto your Win10 Client and update the policy using the DLP Endpoint Client Update button.
• Copy/paste the following data and create a document or spreadsheet file with the following info in it:
Davolio Nancy
Fuller Andrew
Leverling Janet
Peacock Margaret
Buchanan Steven
Suyama Michael
King Robert
Callahan Laura
Dodsworth Anne
• Try to print it or move it
• Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered
Risk Analytics and DLP
IRR (Incident Risk Ranking) Server
Use Case #10 – Installing IRR Server
An analytics engine is used to calculate incident risk, rank it against similar activity, and assign it a risk score; the analytics engine runs on a CentOS server.
This is how your FSM Main Dashboard looks before the Analytics engine is integrated.
If you are working with Forcepoint Virtual Desktop, you should have a CentOS server added in
your GNS3 environment.
◗ Open the Console Window of the CentOS Server
◗ Login with User: root / Passw: Forcepoint 1
◗ Run the following command “nmtui” in order to edit/configure the Server IP
◗ Edit the interface and goto -> IPv4 Configuration and change “Automatic” to “Manual”, then Select “Show”; that will enable the configuration window.
◗ Select the “Add” button and configure fixed addresses for the server; in this case I am going to use:
• Addresses: 192.168.122.19
• Netmask: 255.255.255.0
• Gateway: 192.168.122.1
• DNS Server: 8.8.8.8
◗ After finishing, move to OK using either TAB or the Down Arrow key.
◗ Press “Back” and then “Quit”; after that execute the following commands:
• ifdown eth0
• ifup eth0
• Verify the IP using the “ip a show eth0” command.
◗ Download the Analytics software from support.forcepoint.com with your credentials, using the Chrome browser on your landing machine
◗ Download WinSCP on your landing machine and install it
◗ Transfer your “AnalyticsEngine86” file from your landing machine to your new CentOS server
◗ Transfer it to the tmp directory
◗ Return to the CentOS console
◗ Once you are on the CentOS server, change to the /tmp directory (cd /tmp)
◗ You should already have the AnalyticsEngine86 file there
◗ Perform the following instructions (answer Yes or y when asked):
yum -y install epel-release
yum -y install open-vm-tools
yum -y install apr apr-util perl-Switch unixODBC freetds
yum -y install ntpdate
ntpdate time.nist.gov
chmod +x AnalyticsEngine86
./AnalyticsEngine86
• When prompted, enter the IP address of the Forcepoint management server.
• Enter a username for a Forcepoint DLP administrator account with System modules permissions.
• Enter the account password.
• The analytics engine verifies that it can connect to the management server.
◗ Go back to FSM
◗ See the added DLP Dashboard with new Risk section
◗ Go to Settings / General / Deployment
◗ You should see the new IRR server added
Since the IRR option only analyzes events with a risk score higher than 4, we will need to modify the configuration so it also shows the low and medium events we have been generating.
◗ Go to Settings / General / Reporting
◗ Goto Incident Risk Ranking TAB
◗ Modify Incident Risk Ranking to 0-10 (All)
◗ Press OK
◗ Since the Risk section updates each 24 hrs during the night, you need to force the
update.
◗ GoTo the CentOS server where the Analytics Engine is installed and go to the following
directory: /opt/websense/AnalyticsEngine/scripts
◗ Execute ./ae_run
◗ Go back to FSM and you should see the Top Cases updated
Extend DLP reach to the Web Channel
DLP WCG (Web Content Gateway) Server
**** Network License needed or Full WCG required
There are two Web Content Gateway module options available for Forcepoint DLP.
◗ The one included with Forcepoint DLP Network provides DLP over the web channel
including encrypted SSL content. This core Forcepoint DLP component permits the use of
custom policies, fingerprinting, and more.
◗ The one included in Forcepoint Web Security provides SSL decryption, URL categorization, content security, web policy enforcement, and more. In this deployment mode, the gateway is limited to the web DLP quick policies.
We are going to work with the one included with the DLP Network license; the DLP WCG engine runs on a CentOS server or a Forcepoint appliance.
The WCG requires the following:
◗ Interface C (control) – the purpose of this is to connect to the FSM in order to receive
configurations.
◗ Interface P1 – This will be the proxy interface and it will be used as the gateway/next hop
for all the traffic that will be analyzed.
◗ 6 GB RAM and 2 vCPUs
If you are working with Forcepoint Virtual Desktop, you should have a CentOS server added in
your GNS3 environment for this WCG server, it should not have links enabled to the switch
because you need first to configure the interfaces on the virtual engine.
Open the configuration option
Goto General Settings and increase the RAM and the vCPU parameters.
Goto the network tab and modify the adapters value to “2”; after that, APPLY and OK.
Enable the link button and you will see that you now have 2 interfaces on the server.
Connect both of them to the switch and start the CentOS server; the server will then be ready for configuration.
◗ Open the Console Window of the CentOS Server
◗ Login with User: root / Passw: Forcepoint 1
◗ Run the following command “nmtui” in order to edit/configure the Server IP
Edit the interface and goto -> IPv4 Configuration and change “Automatic” to “Manual”, then Select “Show”; that will enable the configuration window.
Select the “Add” button and configure fixed addresses for the server; in this case I am going to use:
• Addresses: 192.168.122.2x
• Netmask: 255.255.255.0
• Gateway: 192.168.122.1
• DNS Server: 8.8.8.8
This will be the C Interface; after finishing, move to OK using either TAB or the Down Arrow key.
Press “Back” and then “Quit”; after that execute the following commands:
• ifdown eth0
• ifup eth0
• Verify the IP using the “ip a show eth0” command.
You will need to add a secondary interface in order to configure the P1 interface; add it and configure it with the following addresses:
• Addresses: 192.168.122.2x
• Netmask: 255.255.255.0
• Gateway: 192.168.122.1
• DNS Server: 8.8.8.8
• After configuring it, enable it and verify the IP using the “ip a show eth1” command.
Once you have configured your interface, you need to configure the hostname and the
corresponding hosts file in order to have the correct interface associations.
So the first step is to download the software from the Forcepoint support site, once you have it,
upload it to the CentOS server.
Copy it to the tmp directory, once there unpack it using the command gunzip and then tar -xvf to
expand the installation files, you can also use a single command to unpack the software:
tar -xvzf ContentGateway84xSetup_Lnx.tar.gz
Before installing the WCG, you will need to disable the network manager and install some dependencies (libraries):
◗ chkconfig --levels 2345 NetworkManager off
◗ service NetworkManager stop
If you are connected to a yum repository you can install these packages with the following command:
◗ yum install -y apr apr-util bind-utils compat-db47 ftp gd iptables-services krb5-workstation libicu libpng12 libwbclient nc ncurses-devel net-tools perl perl-Switch perl-URI perl-autodie perl-libwww-perl readline-devel redhat-lsb-core tcl unzip
◗ After the process is complete execute ./wcg_install.sh
◗ Accept the Agreement by pressing “q” and “y”
Configure the admin password; it must follow a specific format.
Enter an email for alerts
You will have to select how you want to install this WCG, in this particular case you will select option 2,
this is because we are only considering the WCG as a component of Forcepoint DLP without the web
security.
Enter the Forcepoint Security Manager address that will control this WCG and leave the default
port assignments by selecting “X”
This will be a single node so leave the default selection for this.
Leave the configuration as an Only Proxy Mode
Verify your configuration and if it’s correct you can continue the installation by selecting “y”.
If everything is OK you should see the following messages:
Go back to your FSM server, open a browser session and try to access the WCG with the
following information:
◗ https://192.168.122.22:8081
Goto Configure TAB -> Subscription -> Use the subscription Key from FSM and introduce it to
the WCG Subscription Field and APPLY
After doing this you will need to restart the engine, Goto Basic Section on Configure TAB and
press RESTART
After restart Goto Configure TAB -> Basic -> General -> Features -> Enable ON the integration
Section and verify that Web DLP is selected -> APPLY -> Restart
After restart Goto Configure TAB -> Security -> Web DLP -> Fill the empty fields with the FSM
admin information in order to register the Forcepoint DLP -> Press Register
Verify the success message and restart
Goto FSM -> Deployment -> System Modules, verify the presence of the WCG -> Deploy
In order to be able to INSPECT HTTPS traffic we need to make the WCG trusted by our endpoints, so we need to generate a certificate that we will import into the required browsers.
In this particular case we are going to consider mainly 2 types of browsers (Chrome and Firefox),
each one of them has a different way to configure, so we will explain both methods to you.
Creating a certificate on the WCG
Connect via your browser to your WCG Admin interface and authenticate:
◗ https://192.168.122.21:8081
Goto Configure TAB -> Basic -> General -> And enable HTTPS protocol on the protocols
division of the features section.
Then press APPLY and RESTART, this should enable a new section SSL on the configure
TAB.
Now Goto SSL -> Internal Root CA -> Create Root CA -> Select Country (MX) -> Fill the fields
with asterisk as a minimum -> Press the “Generate and Deploy” button
If it succeeded you will see the following message; go ahead and RESTART the WCG.
After this you will need to back up the public and private cert keys so you can import them into the corresponding browsers; after doing this, move the certificate keys to your Win10 Client.
NOTE: If you don’t have the Chrome or Firefox browser on your Win10 Client you will have to install it.
Loading the certificate on the Chrome Browser
Goto your File Manager in your Win10 Client and double-Click the PCAcert you have just
copied.
You will see the following window. For most browsers this will be sufficient, but some browsers need the certificate installed in a different way; for the moment press the Install Certificate button.
Select “Local Machine” and Press NEXT
Place the certificate on the “Trusted Root Certification Authorities” certificate store.
Press OK you should get a success message, now you can start to test the web channel with
Chrome
Goto your Chrome Browser Proxy Settings and Enable Manual Proxy Setup, fill the address
with your WCG IP address and the Port should be 8080 -> SAVE -> Restart the browser.
Let’s validate the Internet connection and that the traffic is going through the DLP WCG.
Loading the certificate on the Firefox Browser
Open your Firefox Browser -> Goto Options
Select “Privacy and Security” -> Scroll Down -> View Certificates -> Import
Select your PCACert file and OPEN it -> Select TRUST to identify both websites and email
users -> Press OK
Now let’s configure the proxy in the firefox Browser -> Goto General -> Network Settings ->
Manual Proxy Configuration and fill the Proxy fields for HTTP and HTTPS -> Press OK ->
Restart Firefox Browser and TEST.
Use Case #11 – Protecting the Web Channel
Let’s modify our rules to detect on the web channel
Goto FSM -> Policy Management -> DLP rules -> Manage Policies -> Select your
“Patterns&Phrase” rule -> Modify the severity action plans
Goto Destination TAB -> Endpoint Applications -> Edit -> Select All & Move to the Include
section -> press OK -> DEPLOY
Goto your Win10 Client and UPDATE the policy
Open your Chrome or Firefox browser and goto the “dlptest.com” site; try to HTTP/HTTPS POST the sample files that belong to the Phrase rule you just modified.
• Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered; as you can see, the test was blocked by the Endpoint, not by the WCG, so let’s do some extra config.
Goto your FSM -> Deployment -> System Modules -> Web Content Gateway and SELECT the Forcepoint Web Content Gateway line by double-clicking it.
Goto the HTTP*/HTTPS TAB and in the Mode field change from Monitoring to Blocking -> Press OK -> DEPLOY
Goto your Win10 Client -> DLP Endpoint -> Update -> now try to write the phrase several times in the text window and press SUBMIT
You will see a different message; now the WCG is the one answering
• Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
• Verify the rules that are triggered; as you can see, now it was blocked by the WCG.
Finding Data on Images with DLP
DLP OCR server
**** You need to install a supplemental DLP server for this to work.
Included with DLP Network & Discovery:
The OCR server enables the system to analyze image files being sent through network channels,
such as email attachments and web posts. The server determines whether the images are textual,
and if so, extracts and analyzes the text for sensitive content. There is no special policy attribute
to configure for optical character recognition (OCR). If sensitive text is found, the image is blocked
or permitted according to the active policies.
The server can also be used to locate sensitive text in images during network discovery.
This feature does not support either handwriting or images containing text that is skewed more
than 10 degrees.
Summary: Support for many image filetypes + images embedded within Microsoft Office
documents and PDFs.
In this particular case you will need to install a supplemental DLP server that contains the OCR Server. It needs to be installed on a Windows Server tuned similarly to the Forcepoint Security Manager; install only the DLP Server component, which automatically adds the OCR Server to it.
Execute the FSM file with administrator privileges on the new WinServ …
Press the Start button …
Select the “Accept” Checkbox and press NEXT, select the Custom option …
Installing the DLP Component on a supplemental DLP Server
In this case you will add the DLP Manager component.
This will install all the required infrastructure and predefined components including the OCR
Server.
You will see the components to be installed -> Press NEXT
Select the IP address of the server where you are installing the DLP Server component.
Select the Computer name and a user with sufficient rights on the server (Administrator) -> Press NEXT.
It is possible that you see the following message; since this is a demo you can ignore it, but it is better if you have the required space.
You will need to register the Forcepoint Security Manager -> Use the IP of the server and the
credentials of the admin for the FSM -> Press NEXT.
Confirm Installation -> Press INSTALL -> If you find this message press YES
Continue until you FINISH -> Goto FSM and validate the presence of the new DLP Server on
the Deployment -> System Modules section -> you will see the new server with the OCR Server
on it.
Use Case #12 – Identifying Text on an Image
Creating an image to test
In order to test the detection of the text inside an image, we will use the rules created on Use
Case #8 Patterns and Phrases with the word “LimeStone”, so go ahead and use your Win10
client and Open your favorite image editor and create an image containing several instances of
the word “LimeStone”.
Something like this:
Note: I created this one using Paint and saved it as a JPEG image.
Go to FSM -> Settings -> Deployment -> Select your WCG Server -> Policy Engine
Enable OCR -> Select the recently installed OCR Server on the supplemental DLP Server
Press OK -> DEPLOY
Once the deployment finishes, connect to dlptest.com or to your email account (Gmail or Hotmail) and try to add your image as an attachment; you will see an Upload Failed message.
Go to FSM -> Reporting -> Data Loss Prevention -> Incidents (7 days)
Appendix 1 – DLP Policies
Policies are empty containers that hold rules and exception rules.
Policies and rules – Configuration Window
Rules
Rules define the protection logic.
• Components
  o Condition
    ▪ Classifiers
    ▪ Condition Logic (AND, OR, NOT), thresholds
• Resources
  o Severity & Action
    ▪ Cumulative rules
  o Sources
  o Destinations
Example Rule
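To make the rule components above concrete, here is an added example (constructed for this guide, not Forcepoint code or its policy format) that models classifiers with thresholds, AND/OR/NOT condition logic, severity/action and destinations, and evaluates a rule built around the “LimeStone” phrase from Use Case #8. Text that OCR extracts from an image in Use Case #12 would be analyzed by the same logic; the threshold and the “public release” exception are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed model of a DLP rule: classifiers with thresholds, AND/OR/NOT condition
# logic, severity/action and destinations. Written for this guide; not Forcepoint code.
@dataclass
class Classifier:
    pattern: str            # key phrase, or a regular expression when is_regex is True
    threshold: int = 1      # minimum number of matches before the classifier fires
    is_regex: bool = False

    def fires(self, content: str) -> bool:
        regex = self.pattern if self.is_regex else re.escape(self.pattern)
        return len(re.findall(regex, content, flags=re.IGNORECASE)) >= self.threshold

def evaluate_condition(cond, truth: dict) -> bool:
    """cond is a classifier name or ('AND'|'OR', a, b, ...) / ('NOT', a)."""
    if isinstance(cond, str):
        return truth[cond]
    op, *args = cond
    values = [evaluate_condition(a, truth) for a in args]
    if op == "AND":
        return all(values)
    if op == "OR":
        return any(values)
    if op == "NOT":
        return not values[0]
    raise ValueError(f"unknown operator {op!r}")

@dataclass
class Rule:
    classifiers: dict       # classifier name -> Classifier
    condition: object       # expression over classifier names
    severity: str = "High"
    action: str = "Block"   # action plan: Permit, Block, Confirm, ...
    destinations: set = field(default_factory=lambda: {"web", "email"})

    def evaluate(self, content: str, destination: str):
        """Return (severity, action) when the rule raises an incident, else None."""
        if destination not in self.destinations:
            return None
        truth = {name: c.fires(content) for name, c in self.classifiers.items()}
        return (self.severity, self.action) if evaluate_condition(self.condition, truth) else None

# Rule in the spirit of Use Case #8: three or more "LimeStone" mentions, unless the text is
# marked for public release (assumed exception). OCR text from Use Case #12 is analyzed alike.
LIMESTONE_RULE = Rule(
    classifiers={"limestone": Classifier("LimeStone", threshold=3),
                 "public": Classifier(r"public\s+release", is_regex=True)},
    condition=("AND", "limestone", ("NOT", "public")),
)
```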
Creating Policies
• Predefined Policy Templates
  o Provides immediate access to pre-defined sets of policies
  o Enables data protection to meet regulatory compliance standards such as GLBA and HIPAA
  o Policies are based on Natural Language Processing and PreciseID Patterns (Regular Expressions)
• Quick Policies
  o Email DLP Policy
  o Web DLP Policy
• Custom Policies
Appendix 2 – DLP Endpoint Details
What is ENDPOINT and Data Endpoint?
An endpoint is a laptop, server etc. that applies Forcepoint DATA policies independently of the
network-based Forcepoint DATA installation.
The F1E ENDPOINT has two parts: it can intercept data (Data Endpoint), and it can send Web traffic to the cloud proxy (Web Endpoint).
Data Endpoint intercepts “data-in-use”:
• Sent to removable media
• Sent via HTTP, HTTPS, FTP; Sent via Microsoft Outlook (via plug-in)
• Copied to shared folders/local-area network (LAN)
• Accessed or manipulated by a standard application or even downloaded by an online
application
• Sent to local or network printers
Endpoints can run endpoint discovery tasks on their local hard drives.
Endpoints have policy-enforcement options:
• Block
• Permit
• Confirm (Endpoint Only)
• Encrypt
• Encrypt with user password
Note: Encrypt is available for removable media only. Additionally, drop attachment and
quarantine are NOT available actions for Endpoint.
Endpoint Platforms & Features
• Supported platforms
  o Windows 2008/2012/2016 Servers and Windows 7/8/10
  o Red Hat/CentOS 4.8, 5.1, 5.5 (not all features supported)
  o 32 & 64-bit support
  o Mac OS endpoint
• Endpoint email-channel support
• PreciseID database and file fingerprint detection
• Original file access time can be preserved (for backups)
• Improved printing
Why Is an Endpoint Needed?
• Some computers, like laptops, may not be on the protected network.
  o Some data cannot be protected at the network level.
  o Removable media
• Encrypted communications cannot be analyzed. Replaced by looking into specific applications.
• Some operations benefit from being done on the client.
  o Discovery is much less efficient when done by servers for each and every one of the clients.
    ▪ CPU intensive
    ▪ Bandwidth intensive
Endpoint Application Groups
Screen capture
• Screen capture is blocked when specified applications are running.
• The screen capture is sent as forensics when blocked.
File access
• Read access can be intercepted.
• Some files (tmp directory, etc.) are excluded.
Cut/Copy/Paste
• Monitoring of copy and paste operations.
(Note: Content is analyzed only on paste, even if the rule is on copying.)
Endpoint Discovery
Local discovery allows analysis of files on local drives.
Multiple endpoints handle multiple discovery tasks.
• Run multiple tasks simultaneously on a single machine.
• Run different tasks on different machines.
Scanning can be configured to
• Scan only when the computer is idle
• Pause when the computer is running on batteries
Deploying the Data Endpoint Client
Forcepoint Data Security Endpoint is deployable using
• Manual installation
• Microsoft-based tools
• System Center Configuration Manager (SCCM)
• Systems Management Server (SMS)
Two installers
• ForcepointEndpoint_XXbit.exe for Windows
• LinuxEndpoint_SFX_installer_elX for Linux
• Updates deployable automatically
Endpoint Action Plans
Available action-plan options for the endpoint
• HTTP/HTTPS: Permit, block, confirm
• Application: Permit, block, confirm
• Removable media: Permit, block, confirm, encrypt
• LAN: Permit, block, confirm
• Printing: Permit, block, confirm
• Confirm and encrypt are unique to the endpoint.
Appendix 3 - Knowing the components (Forcepoint DLP solution)
Licensing
A DLP Solution requires a license to run the different components offered. These licenses are
based on:
1. Which components will be used?
2. How many users/seats does the organization have? (could be implemented for part of
the company, e.g., finance organization)
These are the current DLP subscription offerings:
• Forcepoint DLP Endpoint
• Forcepoint DLP Network
• Forcepoint DLP Cloud Applications
• Forcepoint DLP Discovery
Customers who own our Email and Web Security products can “add-on” DLP licensing to those
products.
Forcepoint DLP Endpoint (in-use) - Endpoint protects your critical data on Windows and Mac
machines, both on and off the corporate network. It includes advanced protection and control for
data at rest (discovery), in motion and in use. It integrates with Microsoft Azure Information
Protection to analyze encrypted data and apply appropriate DLP controls. The DLP endpoint
monitors web uploads, including HTTPS, as well as uploads to cloud services like Office 365 and
Box Enterprise. Full integration with Outlook, Notes and email clients.
Forcepoint DLP Network (in-motion) - DLP Network stops the theft of data in motion through
email and web channels. This solution helps identify and prevent malicious and accidental data
loss from outside attacks, or from insider threats. OCR (Optical Character Recognition)
recognizes data within an image. Analytics identify DLP incidents to help stop the theft of data by
more easily spotting high-risk user behaviors.
Forcepoint DLP Cloud Applications (at rest) - Powered by Forcepoint CASB, DLP Cloud
Applications extends the advanced analytics and single control of Forcepoint DLP to critical cloud
applications, including Office 365, Salesforce, Google Apps, Box and more.
Forcepoint DLP Discovery (at rest) - DLP Discovery identifies sensitive data across your
network, as well as data stored in cloud services like Office 365 and Box Enterprise. Advanced
fingerprinting technology identifies regulated data and intellectual property at rest, and protects
that data by applying appropriate encryption and controls.
Policy Engine
The Policy Engine is the DATA component responsible for all data analysis and policy enforcement.
Components of the Policy Engine Package
The Policy Engine Package contains:
• PE – Policy Engine
• XML-based Policies
• Fingerprinting Repository
You will find a PE component on any of these implementations including the FSM:
FORCEPOINT PROTECTOR
Linux based (CentOS) server
Software appliance
Available also on V5K
Monitor and/or block traffic via SPAN Port
• Transparently (inline)
• Explicitly
Supported protocols
• HTTP – Monitoring, Blocking
• SMTP – Monitoring, Blocking (explicit MTA)
• FTP – Monitoring
• IM – Monitoring (MSN, Yahoo, AIM)
• ICAP – explicitly HTTP/S and FTP monitoring/blocking
PROTECTOR – MONITOR ONLY
PROTECTOR – INLINE
PROTECTOR – ICAP INTEGRATION
FORCEPOINT DATA SERVER (DSS)
Windows based server
• Windows Server 2012
• Windows Server 2016
Roles (any or all):
• Additional Analysis Engine (PE)
• Crawler
o Discovery Server
o Fingerprinting Server
• Endpoint Server
• Can host SMTP Agent
• OCR Server
FORCEPOINT ONE ENDPOINT (F1E)