FRP Encryption
McAfee Confidential
Facilities: Parking, Phones, Smoking
Welcome
Introductions
▪ Name
▪ Responsibility
▪ Product Experience
▪ Expectations
Agenda
What we will cover through the course
▪ Protection Rules, Rule Sets & Policies
▪ File & Removable Media Protection
Helpful Links to Bookmark
Threat Center http://www.mcafee.com/us/threat_center/default.asp
McAfee Doc Portal https://docs.mcafee.com/
McAfee Threat Labs http://www.mcafee.com/us/threat_center/default.asp
MyAvert www.avertlabs.com
Security Advisories http://www.mcafee.com/apps/mcafee-labs/signup.aspx
Blog http://www.avertlabs.com/research/blog/
Podcasts http://podcasts.mcafee.com/
McAfee Tools http://www.mcafee.com/us/downloads/free-tools/index.aspx
Threat FAQs http://www.mcafee.com/us/threat_center/outbreaks/faqs.html
Whitepapers http://www.mcafee.com/us/threat_center/white_paper.html
Glossary http://www.mcafee.com/us/threat_center/glossary.html
VGrep http://www.virusbtn.com/resources/vgrep/index.xml?
Extra.dat request page https://www.webimmune.net/extra/getextra.aspx
Stinger http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx
Submit a Sample http://www.mcafee.com/us/mcafee-labs/resources/how-to-submit-sample.aspx
Beta DATs page http://vil.nai.com/vil/virus-4d.aspx
McAfee Solution Center
Initial Solution Center Startup
Solution Center Options
Lab 1
Solution Center Environment
~ 15 Mins.
Drawing Boardroom Attention
68% of data breaches required public disclosures [1]
Largest Data Breaches of the 21st Century (records exposed, in millions)
Equifax: 143
Adult Friend Finder: 412.2
Anthem: 78.8
eBay: 145
JP Morgan Chase: 76
Home Depot: 56
Yahoo: 3,000
Target Stores: 110
Adobe: 38
US Office of Personnel Management: 22
Sony PlayStation Network: 77
RSA Security: 40
Heartland Payment Systems: 134
TJX Companies: 94
Average cost of a breach per Country and Root Causes
Understanding Data Exfiltration
Who wants the data? Breaches are initiated by:
▪ External actors: 60%
▪ Internal actors: 40%
How are thieves getting data out?
▪ Electronic means: 52%
▪ Physical means: 48%
Where is data being taken from?
▪ 2/3 of breaches occur on traditional networks
▪ 1/3 occur in cloud infrastructures
"We all contribute to it."
Data Loss is a Serious Everyday Issue
▪ Emailing confidential data via a guest laptop on the corporate network
▪ Sending email via smartphone
Top Data Protection Challenges
McAfee Data Loss Protection (DLP) Solution
Salient Features
McAfee DLP Portfolio
Data-in-Motion: DLP Prevent, DLP Prevent for Mobile, DLP Monitor
▪ Channels: Email, Web Post, Network Traffic, Mobile, IM Chat
Data-in-Use: DLP Endpoint (Device Control, File and Removable Media)
▪ Channels: Printing, Web Post, Email, Clipboard, Optical, IM Chat, Devices, Cloud, Removable media, Encryption
Award Winning Technology
Common policy, console and keys across DLP, File Encryption, Cloud, Device Control and Disk Encryption.
ePO Centralized Management
McAfee DLP (Network & Endpoint), McAfee Endpoint Encryption and McAfee ESM are all managed from McAfee ePO.
Single consolidated source for policy management, incident response, and reporting.
Protecting Data In the Cloud
Content-aware
Device Control
Removable Storage
Organizational use of McAfee DLP
(Diagram) Main Office: endpoints run DLP Endpoint (DLPe); file servers, SharePoint, databases and Box are scanned by DLP Discover; Exchange routes outbound email through DLP Prevent to the email gateway; a SPAN port or tap feeds DLP Monitor; cloud services (SharePoint, OneDrive) are reached across the Internet.
Break Time
What's New in
DLP 10 and 11
DLP 10 Highlights
Early DLP 11 Highlights
Manual Classification
Overview
Discover Scanning for Box
• Scans Box just like an on premise repository – Just another Repository in the list.
• Has special reporting, such as which files have been shared anonymously
User Initiated Scan
The admin creates a local machine scan and gives the end user the option of running it outside the normal scheduled time.
The end user can select their own remediation options as part of the scan.
Allows the end user to self-manage their machine and its sensitive data.
Helps educate end users about data protection, which reduces the number of reported incidents.
Upgrade Without Reboot
Directional Removable Storage protection
Allows monitoring or blocking of copies FROM removable storage.
▪ Adds the ability to define which direction of copy the protection applies to:
▪ To removable storage
▪ From removable storage
▪ Both
Auto propagate attachment classification
Propagate the attachment classification to the email message classification
Additional Features
Mac OS – Manual File Classification
Adding file classification option to Mac OS
Mac OS - Additional Features
▪ Supports UPN (user principal name) + serial number pair exceptions in device rules
Rich Text Support
Import User Information
Already available in 10.0.200
▪ Ability to enrich incident data with additional user information from external directory systems
▪ Import is manual, using a .csv file
▪ The imported data is added to existing and new incidents
▪ Data can include a list of common fields, as well as 3 custom fields
▪ User information can be used for filtering, reporting, tasks, etc.
Import Definitions (Manual and API based)
Skyhigh Connection
Updates in Version 11 This Year
DLP Architecture
McAfee DLP 11 Solution
(Diagram) ePO manages DLP Endpoint, NDLP Discover (scanning SQL, MySQL and Oracle databases, SharePoint sites and CIFS shares), NDLP Monitor (fed from the switch) and NDLP Prevent (integrated with McAfee Web Gateway), with the firewall at the Internet edge.
McAfee DLP solution: cover endpoints, networks, and cloud environments
DLP Endpoint
• Software deployed to Windows and Macintosh platforms
• Policy is enforced even when the device is disconnected
• Vectors covered: Email, Web, Cloud, Removable storage, Network transfers, Printing, Clipboard, Screen Capture and more
• Local discovery of file system and mailboxes
• Applies Rights Management, Fingerprint and classification (Tag); provides user coaching dialogs
• Provides more visibility and control than the network can, due to proximity to the data origin
DLP Prevent
• Network appliance (hardware or VM)
• Inspects outbound web and email traffic and passes the Allow/Block decision to the mail and web gateways
• Works with any ICAP-capable proxy and any SMTP mail gateway
• Can receive a decrypted SSL session from the proxy
DLP Monitor
• Appliance (hardware or VM)
• Passive: monitors traffic and generates incidents, but cannot block
• Receives a copy of outbound traffic from the switch via a SPAN port or network TAP
• Monitors various protocols
• Last line of defense ("belt and suspenders"); provides analysis, does not decrypt SSL
DLP Discover
• Software-based server, deployed to a Windows server
• Scans your large data repositories looking for files that match your DLP policy
• Supports CIFS shares, SharePoint, MS-SQL, MySQL, Oracle and cloud repositories
• Remediation actions include Report, Copy, Move, Rights Management and apply classification (Tag); more powerful inspection engine
McAfee ePolicy Orchestrator (ePO)
• Central web-based administration console for all McAfee products
• Enterprise-class, highly scalable, with RBAC
• DLP policy is created here and pushed out to DLP Endpoint; DLP incidents feed back to ePO
• Incidents are aggregated here and available for powerful reporting
Licensing / Evidence
Policies & Rulesets
Licensing and ePO Evidence Storage Access
Methods of Obtaining License Key
DLP Evidence Storage
DLP Classification Construction
Hierarchy: DLP Policy > Rule Set > Rule > Classification > Definition
• DLP Policies are similar to other product policies with one minor difference: DLP policies are not auto-applied upon creation. They must be applied in the DLP Policy Manager.
• Rule Sets are created in the DLP Policy Manager and are organized collections of rules. Rule Sets are defined and organized by the type of content they look for and by the default reaction.
• Rules are created and held within Rule Sets; they allow DLP to identify the critical data based on the classifications and definitions used.
ePO Policy Catalog
Using DLP
DLP Policy Manager Review
Data Protection > DLP Policy Manager
Rule Sets Tab
Display and Define Rule Sets
[Sample] in the Rule Set column indicates a built-in rule set. Built-in rule sets can be duplicated for use.
Types of Rules
Data Rules, Device Rules, Discovery Rules, and Application Rules
Data Rules:
• Detect attempts to transfer data.
• Available reactions include blocking the attempt or allowing it with a business justification.
Device Rules:
• Detect when removable storage devices are connected to the endpoint machine.
• Available reactions include blocking the device, or allowing read-only access to the application or device.
Discovery Rules:
• Scan systems for files that meet the matching criteria.
• Available reactions include quarantining or moving the matching file.
Application Rules:
• Control access to specified URL addresses for selected users.
• Available reaction is Block and report incident.
Policy Assignment Tab
Apply or Assign Policies or Rule Sets / Create or Edit DLP Policy
• View assignments (flat view).
• Manage privileged users/groups.
• Manage Endpoint Discovery scan.
Definitions Tab
Create or Edit Definitions for Rules, Classifications, Tagging, and Scans
Supported Definitions
Data, Device Control, Notification, and Other
Definition Type | Data Protection Rules | Device Control Rules | Discovery Rules | Application Rules
Device Control:
  Device Class | N/A | ✓ | N/A | N/A
  Device Definitions | N/A | ✓ | N/A | N/A
Notification:
  Justification | ✓ | ✓ | ✓ | N/A
  User Notification | ✓ | ✓ | ✓ | ✓
Other:
  Scheduler | N/A | N/A | ✓ | N/A
Supported Definitions (Continued)
Source / Destination
Notification: Justification Definitions
Prevent Action for Selected Rules
Notification: User Notification Definitions
Built-in Definitions
• Sends a message to the endpoint computer to notify the user of the policy violation.
• Use the default or create a custom one.
Notification: Placeholders
Variable Text in Messages
%c Classifications
%r Rule-set name
Source / Destination Definitions
Various Built-in Definition Types
Other Features
Rights Management
Rights Management:
▪ Supports integration with rights management (RM) servers to apply protections to files that match rule classifications.
▪ Available in data protection and endpoint discovery rules.
Protection Bypass:
▪ Allows a user to bypass policies and access or transfer sensitive information for a limited time.
▪ Administered with the Help Desk feature: Menu > Systems > Help Desk.
Review
Key points
Begin Lab 2 – 4
~ 50 Min.
Classifications,
Definitions and Tagging
DLP Classification Construction Continued
Example Classifications and Criteria
Built-in Classifications/Definitions at a Glance
Other Classification Features: Manual Classification
Menu > Data Protection > Classification > Manual Classification Tab
Classification Settings
Menu > Data Protection > Classification > Manual Classification Tab
Other Classification Features: Register Documents
Menu > Data Protection > Classification > Register Documents Tab
Uploading Registered Documents
• Select Create Package (Action menu or button).
Other Classification Features: Whitelisted Text
Menu > Data Protection > Classification > Whitelisted Text Tab
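The classification slides above list the pieces (pattern criteria, validation, whitelisted text) without showing how they combine at match time. The following is an added example, not McAfee code and not the DLP Endpoint engine: a small classifier in which a candidate card number only counts when it passes the Luhn check, and whitelisted text is blanked before matching so that boilerplate containing a sample number does not classify every document that carries it. The patterns, the threshold field, and the sample documents are assumptions for the example.

```python
# Added example, not McAfee code: a minimal classification engine showing why
# a text pattern alone is not a classification. A candidate card number is
# validated with the Luhn check, and whitelisted text (boilerplate that would
# otherwise match in every document) is blanked out before matching.
# Patterns, thresholds and the sample documents are assumptions for this example.
import re
from dataclasses import dataclass, field

# Candidate primary account number: 13 to 19 digits, optional single space or
# dash between digits (assumed pattern; real definitions are tighter per brand).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN with the structurally impossible groups excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random or mistyped 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Classification:
    name: str
    patterns: dict                                  # label -> compiled regex
    validators: dict = field(default_factory=dict)  # label -> callable(digits) -> bool
    threshold: int = 1                              # validated hits needed to classify


def blank_whitelisted(text: str, whitelist) -> str:
    """Replace whitelisted phrases with spaces so offsets of other matches stay valid."""
    for phrase in whitelist:
        text = text.replace(phrase, " " * len(phrase))
    return text


def classify(text: str, classifications, whitelist=()) -> dict:
    """Return {classification name: validated hit count} for every
    classification whose threshold is met in the (whitelist-filtered) text."""
    text = blank_whitelisted(text, whitelist)
    result = {}
    for c in classifications:
        hits = 0
        for label, rx in c.patterns.items():
            validator = c.validators.get(label)
            for m in rx.finditer(text):
                digits = re.sub(r"[ -]", "", m.group())
                if validator is None or validator(digits):
                    hits += 1
        if hits >= c.threshold:
            result[c.name] = hits
    return result


PCI = Classification("PCI", {"pan": PAN_RE}, {"pan": luhn_ok})
PII = Classification("PII", {"ssn": SSN_RE})

# Constructed sample documents.
CUSTOMER_NOTE = "Customer card 4111 1111 1111 1111, SSN 123-45-6789, call back Tuesday."
TYPO_NOTE = "Card on file 4111 1111 1111 1112 (fails Luhn, so not a real PAN)."
TEMPLATE_FOOTER = "Example card for illustration only: 4111 1111 1111 1111"
FORM_TEMPLATE = "Fill in the form below. " + TEMPLATE_FOOTER


if __name__ == "__main__":
    print(classify(CUSTOMER_NOTE, [PCI, PII]))                 # {'PCI': 1, 'PII': 1}
    print(classify(TYPO_NOTE, [PCI, PII]))                     # {}
    print(classify(FORM_TEMPLATE, [PCI]))                      # {'PCI': 1}
    print(classify(FORM_TEMPLATE, [PCI], [TEMPLATE_FOOTER]))   # {}
```

The last two calls are the point of the whitelist tab: the same template classifies as PCI until its footer is whitelisted, after which only documents that add a real number on top of the template will match.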
Content Fingerprint Criteria
Link Tags to Content
Content fingerprint signatures are stored in a file's extended file attributes (EA), alternate data stream (ADS), or in a hidden folder (ODB$). You select the preferred technology on the Windows client configuration Content Tracking page.
Box: create content fingerprints for files hosted in the specified corporate Box accounts.
Location: create content fingerprints for, and monitor or block, files opened (or copied) from the specified network shares (UNC paths).
SharePoint: create content fingerprints for files opened (or downloaded) from the specified SharePoint web addresses.
Web Application: create content fingerprints for files opened (or downloaded) from the specified web addresses (URLs).
More on Tagging
Other Considerations
Classification Review
Classification Review (Continued)
High Level Process
Review
Begin Lab 5….
~ 10 Mins.
Assign your Ruleset to a Policy object
Agent Wake Up
Verify Correct Policy on Endpoint
Click About
Begin Lab 6….
~ 5 Mins.
Component: Specification
Network: 100 megabit LAN serving all clients and the ePO server; basic TCP/IP networking between clients/servers configured and working.
These are minimum system requirements only. Actual requirements vary among deployments.
Solution Requirements: Client Operating Systems
Minimum Platform Requirements for Client Systems
Component Specification
File System Discovery Rules and Network Communication Protection Rules are
not supported on servers.
Solution Requirements: Browsers
• Mozilla Firefox
• Microsoft Edge
Software-based Install
DLP Endpoint / Discover
Software-based Install
DLP Registration Server
DLP Prevent Installation
.ISO is used on physical appliances; OVA is used for VM installations.
• ISO: install DLP Prevent on model 4400 or 5500 appliances, or install ESX/ESXi on 4400 or 5500 appliances.
• OVA: install on your own ESX or ESXi server.
Hyper-V installations
• DLP Prevent 11.0.300 and higher can be installed into Hyper-V from the .zip package.
• Supported platforms: Windows 2012 and Windows 2016.
DLP Monitor Installation
• .ISO is used on physical appliances; OVA is used for VM installations.
• ISO: install DLP Monitor on model 4400, 5500, or 6600 appliances. OVA: install on your own ESX or ESXi server.
The capture port is set to promiscuous mode and can be connected to a SPAN port or a network tap. On a VM you must enable promiscuous mode on the portgroup or virtual switch to allow the appliance to passively inspect copies of all network packets that pass through the network.
DLP Prevent 11
Setup and configuration
Email Prevent: message flow
1. The user sends a message via Exchange to the outbound email gateway (MTA).
2. Policy on the MTA directs the specific (outbound) messages to McAfee Email Prevent for inspection.
3. Prevent inspects the message, adds X-Headers (if necessary) and returns the message to the MTA.
4. The MTA examines the X-Headers and takes the appropriate action (Block, Bounce, Encrypt, Quarantine, Redirect).
5. Incidents are generated for any DLP action, and a copy is sent to ePO.
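The Email Prevent flow above puts the whole control loop in the X-Headers: Prevent only annotates, the MTA enforces. The following added example (not McAfee code and not the appliance's documented interface) simulates steps 2 to 4 in one process so the two halves can be read side by side. It also covers the two checks a practitioner adds to such a loop: the inspector strips any verdict header the sender set, so a user cannot pre-approve their own mail, and the MTA fails closed when a message comes back without a verdict. The header names X-DLP-Action and X-DLP-Rules, the rule list, the action ordering and the sample messages are assumptions for the example.

```python
# Added example, not McAfee code: the Email Prevent loop from the slide,
# simulated in one process. The MTA hands the outbound message to the
# inspector (step 3), which strips any verdict header the sender may have
# set, classifies the text parts, adds a verdict header and returns the
# message; the MTA then enforces the verdict (step 4). The header names
# X-DLP-Action / X-DLP-Rules, the rule list and the sample messages are
# assumptions for this example, not McAfee's documented interface.
import email
import re
from email import policy
from email.message import EmailMessage

VERDICT_HEADER = "X-DLP-Action"   # assumed name
RULES_HEADER = "X-DLP-Rules"      # assumed name
# Least to most restrictive; when several rules fire the strongest action wins.
ORDER = ("ALLOW", "ENCRYPT", "REDIRECT", "QUARANTINE", "BOUNCE", "BLOCK")
DISPOSITION = {
    "ALLOW": "deliver",
    "ENCRYPT": "route via encryption gateway",
    "REDIRECT": "deliver to reviewer mailbox instead of recipient",
    "QUARANTINE": "hold in MTA quarantine for review",
    "BOUNCE": "reject with NDR to sender",
    "BLOCK": "drop and notify sender of policy violation",
}
# A deliberately small rule set: (name, pattern over text content, action).
RULES = [
    ("US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "BLOCK"),
    ("Confidential marker", re.compile(r"\bMcAfee Confidential\b"), "ENCRYPT"),
]


def text_parts(msg: EmailMessage):
    """Yield the decoded text of the body and of every text/* attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def prevent_inspect(raw: bytes) -> EmailMessage:
    """Step 3: inspect the message and return it to the MTA with a verdict header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    del msg[VERDICT_HEADER]       # never trust a verdict the sender supplied
    del msg[RULES_HEADER]
    verdict, matched = "ALLOW", set()
    for text in text_parts(msg):
        for name, rx, action in RULES:
            if rx.search(text):
                matched.add(name)
                if ORDER.index(action) > ORDER.index(verdict):
                    verdict = action
    msg[VERDICT_HEADER] = verdict
    if matched:
        msg[RULES_HEADER] = "; ".join(sorted(matched))
    return msg


def mta_enforce(msg: EmailMessage) -> tuple:
    """Step 4: the MTA reads the verdict header and picks the disposition.
    A missing or unknown verdict means the message never came back from
    Prevent (routing error, appliance down) or was tampered with: fail closed."""
    verdict = str(msg.get(VERDICT_HEADER, "")).upper()
    if verdict not in DISPOSITION:
        verdict = "QUARANTINE"
    return verdict, DISPOSITION[verdict]


def build_message(body: str, attachment: str = None, spoofed_verdict: str = None) -> bytes:
    """Constructed outbound message as the MTA would hand it over (step 2)."""
    msg = EmailMessage()
    msg["From"] = "alice@corp.example"
    msg["To"] = "bob@partner.example"
    msg["Subject"] = "quarterly numbers"
    if spoofed_verdict:
        msg[VERDICT_HEADER] = spoofed_verdict   # sender trying to pre-approve
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    samples = (
        build_message("My SSN is 123-45-6789", spoofed_verdict="ALLOW"),
        build_message("see attached", attachment="McAfee Confidential roadmap"),
        build_message("lunch at noon?"),
    )
    for raw in samples:
        result = prevent_inspect(raw)
        print(result[VERDICT_HEADER], result.get(RULES_HEADER), mta_enforce(result))
```

The first sample is the interesting one: the sender stamped X-DLP-Action: ALLOW on the message, and the inspector discards it before deciding, which is why the MTA must only accept the header from the path that passes through Prevent and must strip it at the ingress edge.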
Web Prevent: browsing flow
1. The user's web browsing session is directed to an outbound web proxy appliance.
2. The proxy server optionally performs SSL decryption, then forwards a copy of the traffic to Web Prevent via an ICAP request.
3. Prevent inspects the payload and returns either an Allow or Block message in the ICAP response.
4. The proxy server either presents a custom block page to the end user or allows the traffic through, depending on the response.
5. Incidents are generated for any DLP action, and a copy is sent to ePO.
DLP Prevent Clustering
Clustering enables high availability across multiple DLP Prevent systems using a VIP (virtual IP).
DLP Monitor
Setup and Configuration
DLP Monitor Workflow
1. The switch receives network packets from internal users and servers.
2. McAfee DLP Monitor receives copies of the network packets via SPAN/TAP and analyzes them.
3. The switch also sends the packets through the firewall to the Internet.
4. DLP Monitor reports incidents to ePO.
Using a Traffic Aggregator
An intelligent traffic aggregator device can be used to load-balance sessions across multiple Monitor appliances on high-bandwidth segments: the aggregator takes the SPAN or tap feed and distributes it to several DLP Monitor appliances.
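The slide says the aggregator balances sessions, not packets, and that word carries the whole design: a Monitor that receives only one direction of a TCP conversation cannot reassemble the stream it has to inspect. The following added example (not McAfee code and not any aggregator vendor's algorithm) shows the symmetric 5-tuple hash that keeps both directions of a session on the same appliance, next to a naive per-direction hash that silently splits sessions. The addresses, ports and packet list are constructed for the example.

```python
# Added example, not McAfee code: how an aggregator can spread sessions over
# several Monitor appliances without splitting a session. Both directions of a
# TCP session must reach the same appliance, or it sees only half the
# conversation and cannot reassemble the stream it inspects. The symmetric
# hash below normalises the 5-tuple so that A->B and B->A hash identically;
# the naive per-direction hash is kept to show the failure. Addresses, ports
# and the packet list are constructed for this example.
import hashlib
import ipaddress

TCP = 6


def flow_key(src_ip, src_port, dst_ip, dst_port, proto=TCP):
    """Direction-independent session key: sort the two endpoints."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))
    return (proto, lo, hi)


def _bucket(key, n_monitors):
    """Stable hash of a key into one of n_monitors output ports."""
    digest = hashlib.blake2b(repr(key).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_monitors


def pick_monitor(packet, n_monitors):
    """Symmetric: both directions of a session land on one Monitor."""
    return _bucket(flow_key(*packet), n_monitors)


def pick_monitor_naive(packet, n_monitors):
    """Hashes the tuple as sent, so the reply direction may go elsewhere."""
    return _bucket(tuple(packet), n_monitors)


def split_sessions(packets, n_monitors, chooser):
    """Return the session keys whose packets were sent to more than one Monitor."""
    seen = {}
    for p in packets:
        seen.setdefault(flow_key(*p), set()).add(chooser(p, n_monitors))
    return {k for k, v in seen.items() if len(v) > 1}


def sample_packets(n_sessions):
    """Constructed traffic: n client->server sessions, each with a reply packet."""
    pkts = []
    for i in range(n_sessions):
        client = f"10.0.{i // 250}.{i % 250 + 1}"
        server = f"203.0.113.{i % 200 + 1}"
        cport = 40000 + i
        pkts.append((client, cport, server, 443, TCP))   # request
        pkts.append((server, 443, client, cport, TCP))   # reply
    return pkts


def distribution(packets, n_monitors, chooser=pick_monitor):
    """Packets per Monitor, to eyeball balance."""
    counts = [0] * n_monitors
    for p in packets:
        counts[chooser(p, n_monitors)] += 1
    return counts


if __name__ == "__main__":
    pkts = sample_packets(40)
    print("sessions split by symmetric hash:", len(split_sessions(pkts, 8, pick_monitor)))
    print("sessions split by naive hash:", len(split_sessions(pkts, 8, pick_monitor_naive)))
    print("load per Monitor:", distribution(pkts, 8))
```

When verifying a real aggregator, feed it a capture with known sessions and check the Monitor-side incident counts against the expected number of sessions: a naive hash shows up as incidents that reference a request with no response body, or the reverse.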
Justification vs Notification
DLP Discover Overview
▪ Filters
▪ For all DBs, all schemas, all tables
▪ Or selected ones of the above, based on operators and values in the filters
Box scanning: scans Box just like an on-premise repository (seen as just another repository in the list), with special reporting such as which files have been shared anonymously.
Enter the required information to create the Box account so you can use it in the labs today.
Lab environment components: Web Prevent, Email Prevent, DLP Monitor, Discover 1, Discover 2.
Incident and Event Monitoring Overview
DLP Operations:
▪ Displays administrative events: Operational Events List, Operational Events History, User Information.
Incident task fields:
✓ Name (required)
✓ Description
✓ State
✓ Reviewer or Group
✓ Rule Criteria
Tasks always run on unassigned incidents. After a reviewer is set, it is not possible to override the reviewer.
Email notification task fields:
• Name (required)
• Description
• State
• Events to process
• Recipients (at least one)
• Subject and Body
• Attach Evidence
• Rule Criteria
Cases
Helpful for scenarios where multiple incidents share common properties or are related.
Scenario:
▪ A user often generates several incidents after business hours.
▪ Suspicious activity, or the user's system has been compromised.
▪ Assign the incidents to a case to track violations.
Scenario:
▪ Remediation scans show sensitive files recently added to publicly accessible repositories.
▪ Assign the incidents to a team to take action (add comments, change priority, or notify key stakeholders).
Case fields:
✓ Title
✓ Owner
✓ Assigned/Unassigned
✓ Priority
✓ Status
✓ Resolution
Reviewers
Create a reviewer or designate a group reviewer with Set Reviewer permissions for DLP Incident Management and Operations Events.
Dashboards and queries
You cannot modify or delete the default dashboards and predefined queries. To change them, duplicate, rename, and modify the renamed dashboard or query.
Private queries:
▪ Exist in the user's Private Group list.
▪ Only available to the creator.
Public queries:
▪ Exist in the Shared Groups list.
▪ Available to everyone who has permission to use public queries.
▪ Administrators and users with appropriate permissions can make their queries public.
Reports
Elements: Images, Page breaks, Query Charts, Text, Query Tables
Page header/footer: Logo, Date/Time, Page Number, User Name, Custom text
Default dashboards
Incident Summary:
▪ Displays the number of incidents per day, severity, type, and rule set.
▪ Helpful for analysis.
Operations Summary:
▪ Displays the number of events over time, agent status, operational mode and version, product distribution, and scan status.
▪ Helps you monitor your environment.
Policy Summary:
▪ Displays metrics about policies, such as enforced rule sets, bypassed users, undefined device classes for Windows devices, and privileged users.
▪ Helps you monitor your policies, as well as deployment and updates.
Each dashboard links to detail.
Solution Highlights: Securing cloud storage services
(Diagram) McAfee ePO with File & Removable Media Protection and the McAfee ePO Mobile Connector (Conduit Platform); a sync folder on the endpoint; the Endpoint Assistant App on mobile devices.
• Centralized management
• Integrated policy management & reporting
• Windows: all files in the specified folder are transparently encrypted before syncing with cloud storage
• iOS and Android: encrypted files are transparently decrypted by the Endpoint Assistant App before users can view them
Click the link in the email to send the app to your cell phone, or scan the QR code.