
McAfee DLP 11

FRP Encryption

Scott Kelley – Channel Enablement Engineer

McAfee Confidential
Facilities

• Building Hours
• Class Hours
• Parking
• Phones
• Rest Rooms
• Meals
• Smoking
Welcome
Introductions

▪ Name
▪ Responsibility
▪ Product Experience
▪ Expectations

Agenda
What we will cover through the course

▪ Importance of DLP
▪ Solution Architecture Overview
▪ Classification and Tagging
▪ Protection Rules, Rule Sets & Policies
▪ Publishing Policies
▪ Network DLP Monitor
▪ Incident Management & Case Management
▪ DLP Discover & Registration Server
▪ File & Removable media Protection
▪ Network DLP Prevent with Clustering
Helpful Links to Bookmark
Threat Center http://www.mcafee.com/us/threat_center/default.asp
McAfee Doc Portal https://docs.mcafee.com/
McAfee Threat Labs http://www.mcafee.com/us/threat_center/default.asp
MyAvert www.avertlabs.com
Security Advisories http://www.mcafee.com/apps/mcafee-labs/signup.aspx
Blog http://www.avertlabs.com/research/blog/
Podcasts http://podcasts.mcafee.com/
McAfee Tools http://www.mcafee.com/us/downloads/free-tools/index.aspx
Threat FAQs http://www.mcafee.com/us/threat_center/outbreaks/faqs.html
Whitepapers http://www.mcafee.com/us/threat_center/white_paper.html
Glossary http://www.mcafee.com/us/threat_center/glossary.html
VGrep http://www.virusbtn.com/resources/vgrep/index.xml?
Extra.dat request page https://www.webimmune.net/extra/getextra.aspx
Stinger http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx
Submit a Sample http://www.mcafee.com/us/mcafee-labs/resources/how-to-submit-sample.aspx
Beta DATs page http://vil.nai.com/vil/virus-4d.aspx

McAfee Solution Center

Initial Solution Center Startup

• A: Click to watch the short video that will help understand how to use Solution Center if you are not used to it.
• B: Use the Catalog button to show all systems that you can spin up for Demo or self-learning purposes.
• C: This will display any current systems that you have running.
Solution Center Options

• Selecting catalog will display a list of various packages that you can spin up.
• When selecting one, a number of them have Demo Materials that can be downloaded to assist with your demos, that include PPTs, Scripts, and other helpful information.
• Schedule – allows scheduling of the environment for a specific time.
• Quick Launch – when present allows for a quick launch that will run for 4 hours.
• Customer package request – A new feature that allows user to request special systems within the package. Allow 2 – 3 days at times.

For this class, a similar setup is in the Sales Play: Preventing Data Breaches. It also contains a demo script.
Lab 1
Solution Center Environment
~ 15 Mins.

Lab 1 Solution Architecture


Importance of DLP

Drawing Boardroom Attention

68% of data breaches required public disclosures¹
Largest Data Breaches in the 21st Century (In Millions)

Equifax: 143
Adult Friend Finder: 412.2
Anthem: 78.8
eBay: 145
JP Morgan Chase: 76
Home Depot: 56
Yahoo: 3000
Target Stores: 110
Adobe: 38
US Office of Personnel Management: 22
Sony Playstation Network: 77
RSA Security: 40
Heartland Payment Systems: 134
TJX Companies: 94
Average cost of a breach per Country and Root Causes

Based on Ponemon Institute research 2018


Impacting Company Bottom Line

$4.20M is the average cost of a data breach¹

Costly fines. Damaged reputation. Loss of customers and revenue.
Understanding Data Exfiltration

Who wants the data? Breaches are initiated by:
• External actors: 60%
• Internal actors: 40%

How are thieves getting data out?
• Electronic means: 52%
• Physical means: 48%

Where is data being taken from?
• 2/3 of breaches occur on traditional networks
• 1/3 occur in cloud infrastructures
“We all contribute to it.”
Data Loss is a Serious Everyday Issue

• Emailing confidential document to a competitor
• Copying customer records to a USB Drive
• Printing financial documents
• Sending internal documents via Hotmail
• Emailing confidential data via guest laptop on corporate net
• Sending email via Smart Phone
Top Data Protection Challenges

• Rising success rate of malware intrusions
• Keeping up with regulatory compliance
• Lack of visibility and control of data

Both a technical problem and a business problem to overcome.
McAfee Data Loss Protection (DLP) Solution
Salient Features

▪ Detect and Identify: Identifies when data is in use, in transit, or resides on local file system or shared repository.
▪ React and Protect: Supports different actions, such as Report, Block, Move, Encrypt, or Quarantine.
▪ Monitor and Report: Creates incident with details of violation.
▪ Collect and Categorize: Collects and categorizes data by vectors: Data-in-Motion, Data-at-Rest, and Data-in-Use.

All McAfee DLP products identify sensitive data or user activity, take action on policy violations, and create incidents of violations.
McAfee DLP Portfolio

| Data Types | Data Loss Vectors | Solution |
|---|---|---|
| Data-in-Motion | Email, Web Post, Network Traffic, Mobile, IM Chat | DLP Prevent, DLP Prevent for Mobile, DLP Monitor |
| Data-at-Rest | File Share, Database, Cloud, Desktop/Laptop | DLP Discover, Drive Encryption |
| Data-in-Use | Printing, Web Post, Email, Clipboard, Optical, IM Chat, Removable Devices, Cloud | DLP Endpoint, Device Control, File and Removable Media Encryption |
Award Winning Technology

Gartner Magic Quadrant Enterprise DLP: 8 Consecutive Years as a Leader
Why McAfee DLP?

Comprehensive Portfolio: Cloud, File Encryption, DLP, Device Control, and Disk Encryption, with Common Policy, Console and Keys.

Extensive, effective, and integrated.
ePO Centralized Management

Diagram: McAfee ePO at the center, connected to McAfee DLP (Network & Endpoint), McAfee Endpoint Encryption, and McAfee ESM.

Single consolidated source for policy management, incident response, and reporting.

Automation of monitoring, reporting, and auditing reduces costs!
Protecting Data In the Cloud

• Uploading: Cloud Protection Rule; Web Protection Rule for Box
• In the Cloud: Cloud Discovery Scan (New Cloud Discovery Feature)
• Downloading: Application Tagging; Location Tagging
Enhanced Mac OS X Protection

• Content-aware Device Control
• Removable Storage
• Network Share
• Applications
• Fully ePO Managed
Organizational use of McAfee DLP
Diagram of McAfee DLP components across the organization:
• Main Office: Endpoints (DLPe); File Servers, SharePoint and Databases (DLP Discover); Exchange; Systems Management (ePolicy Orchestrator); Network Devices (Switches, SPAN / Tap)
• Network edge: DLP Prevent Web with Web Gateway; DLP Prevent Email with Email Gateway; DLP Monitor; DLP Prevent Mobile with MobileIron
• Cloud Services: SharePoint, OneDrive, Box (DLP Discover)
• Internet
Break Time
What's New in DLP 10 and 11
DLP 10 Highlights
• DLP Discover for Cloud
• DLP Prevent VM / Appliance
• Manual Classification
• Improved Mac Support
• User Initiated Scan
• Upgrade Without Reboot
• ePO Enhancements
• Additional Mac Features (Cloud, Classification, UPN, Removable storage…)

Early DLP 11 Highlights
• Unification Completed (including DB Scans)
• Directional Removable Storage Protection
• Auto Propagate Attachment Classification with E-Mail
• Use out of Box Classifications
• DLP Appliance management Extension
• Web Protection Granularity with “ANY”
• Chrome Protection Standard and Advanced
Manual Classification
Overview

Discover Scanning for Box

• Extends DLP protection to cloud storage providers
• Scans Box just like an on-premise repository – just another Repository in the list
• Has special reporting, such as which files have been shared anonymously
• Provides a basis for prioritized manual remediation
• Can do automated remediation such as:
  • Resetting Permissions
  • Encryption
  • Delete / Remove
  • Enforce RMS
User Initiated Scan

Admin creates a local machine scan, provides end-user the option of running it outside of the normal scheduled time.

End user can select their own remediation options as part of the scan.

Allows end user to self-manage their machine and sensitive data.

Helps with educating end users around data protection – reduces the number of reported incidents.
Upgrade Without Reboot

• First time install of DLPe 10.x does require reboot; provides immediate protection
• Future upgrades from 10.x will not require reboot
• Upgrade from 9.3.x to 10.x requires reboot
Directional Removable Storage protection
Allow to Monitor/Block copy FROM Removable Storage

▪ Adding capability to define to which direction of the copy the protection applies:
  ▪ To Removable Storage
  ▪ From Removable Storage
  ▪ Both
Auto propagate attachment classification
Propagate the attachment classification to the email message classification

▪ The file classification of the attachment/s will be added automatically to the email message classification.
Additional Features

▪ Automatic Chrome protection fallback
  ▪ Applicable to unsupported Chrome versions
  ▪ Full support for File upload (Monitor & Block)
  ▪ Post text (e.g. gmail email body) monitor only
▪ Improved compound objects handling (e.g. ZIP)
  ▪ Analyze text per file
▪ Removable Storage protection - Bulk copy fix (Block only the sensitive files, out of a bulk copy)
▪ Sandboxed FRP Encrypt reaction in Removable Storage protection (Sandbox was available before only to Block reaction)
Mac OS – Manual File Classification
Adding file classification option to Mac OS

▪ Manually classify file by right click in Finder
▪ Ability to read manual classification for additional file formats (e.g. image, audio, video, pdf). (Was available in 10.0 only for Office files)
Mac OS - Additional Features

▪ Support UPN (user principal name) + Serial pair exceptions in device rule
▪ Report device properties in Removable Storage protection rule
▪ Report Short match-string
Rich Text Support

▪ Rich Text (HTML) supported in:
  ▪ User Notification
  ▪ Email notification (Automatic and Manual)
▪ User Notification configuration also includes:
  ▪ Size of dialog (Small/Large)
  ▪ Placement (System Tray / Center Modal)
Import User Information
Already available in 10.0.200

▪ Ability to enrich incident data with additional user information from external directory systems
▪ Import is Manual, using .csv file
▪ The imported data will be added to existing and new incidents
▪ Data can include a list of common fields, as well as 3 custom fields
▪ User information can be used for: filtering, reporting, tasks, etc.
Import Definitions (Manual and API based)

▪ Definitions import/export in CSV format available for:
  ▪ Email address lists
  ▪ Serial number and end-user pair
  ▪ URL lists
  ▪ Device templates
  ▪ Dictionaries
▪ REST API support for import of above definitions (except for Serial number/User pair)
  ▪ Needs to be enabled in DLP Settings
Skyhigh Connection

▪ Simple ability to connect and test with Skyhigh within DLP Settings
▪ Connection with Skyhigh Tenant to pull Incidents to ePO
▪ Provides push, sync and delete of DLP Classification to Skyhigh
▪ Ability to see Last Synchronization, number of classifications and incidents sent / pulled
Updates in Version 11 This Year

• 41 Various Updates covering:
  • 17 For DLP Endpoint
  • 9 for DLP Extension Updates
  • 10 Surrounding DLP Discover
  • 5 Covering DLP Prevent / Monitor

DLP Endpoint Highlights
• Server 2016 Support
• Interset (UEBA)
• SYSLOG Reporting
• Cloud Protection for O365 / personal / Business / with differentiating
  • This includes SharePoint online and on-premise

DLP Extension Highlights
• Help Points to Docs.McAfee.com
• Rest API Decrypting Evidence
• Enable / Disable reporting of Short Match List String
• Pushing Classifications to Skyhigh and Pulling Incidents
• GDPR Enhancements with Built-in classifications

Network DLP Highlights
• NDLP Prevent supporting Hyper-V Deployment
• Increased Incidents per scan from 10K to 100K
• LDAP Sync Schedule
• Notify an email sender of policy violation (Bounce)
DLP Architecture

McAfee DLP 11 Solution

Diagram of the McAfee DLP 11 solution: ePO at the center; NDLP Discover scanning SQL, MySQL and Oracle Databases, SharePoint Sites, CIFS Shares and Database Repositories; DLP Endpoint on the clients; NDLP Prevent working with a 3rd Party e-mail Gateway and McAfee Web Gateway; NDLP Monitor attached to the Switch; and the Firewall.
McAfee DLP solution: Cover Endpoints, Networks, and Cloud Environments

DLP Endpoint
• Software. Covers Windows and Macintosh platforms.
• Policy is enforced even when device is disconnected.
• Vectors Covered: Email, Web, Cloud, Removable storage, Network transfers, Printing, Clipboard, Screen Capture and more.
• Local discovery of File system and Mailboxes.
• Apply Rights Management, and apply classification (Tag).
• Provides User Coaching dialogs.
• Provides more visibility & Control than network can, due to proximity to data origin.

DLP Prevent
• Network appliance (Hardware or VM).
• Inspects outbound email and web traffic and passes Allow / Block decision to outbound Mail and Web Gateways.
• Supports DLP Policy; feeds incidents back to ePO.
• Works with any ICAP capable Proxy and any SMTP mail Gateway.
• Can receive Decrypted SSL Session from Proxy for inspection.

DLP Monitor
• Appliance (Hardware or VM).
• Passive: monitors traffic and generates incidents, but can not block.
• Receives copy of outbound traffic from switch via a SPAN or Network TAP.
• Monitors various protocols, more than Web/Email.
• Last line of defense (Belt and suspenders).
• Does not decrypt SSL.
• Powerful reporting engine.

DLP Discover
• Software based server, deployed to a Windows server.
• Scans your large Data repositories looking for files that match your DLP policy.
• CIFS shares, SharePoint, MS-SQL, MySQL, Oracle and Cloud repositories.
• Remediation actions include Report, Copy, Move, Fingerprint, …

McAfee ePolicy Orchestrator
• Central web based administration console for all McAfee products.
• Enterprise class, highly scalable, RBAC.
• DLP Policy is created here and pushed out to DLP control points.
• Incidents are aggregated here and available for analysis.

Diagram: Endpoint Data Protection; DLP Discover scanning Data Repositories and discovering via Cloud API (SharePoint Online; Roadmap); DLP Prevent with Email & Web Gateway (Network Data Protection); DLP Monitor at the Switch; Firewall; Internet.
Licensing / Evidence
Policies & Rulesets

Licensing and ePO Evidence Storage Access

Methods of Obtaining License Key
DLP Evidence Storage

• DLP 11 has 2 locations for evidence storage.
• The Endpoint is located in Policy Catalog > DLP11 > Windows Client Config. > <Policy>
• Select the Evidence Copy Service and enter the UNC path.
• The Network Evidence is in the Server config. Category
DLP Classification Construction

Hierarchy: DLP Policy > Rule Set > Rule > Classification > Definition

• DLP Policies are similar to other product policies with a minor difference. DLP Policies are not auto applied upon creation. They must be applied in the DLP Policy Manager.
• Rulesets are created in the DLP Policy Manager, and are organized collections of rules called Rule Sets. Rule Sets are defined, and organized based on the type of content they are looking for, and the default reaction.
• Rules are created and held within rulesets that will allow DLP to identify the critical data based on the classifications / definitions used.
ePO Policy Catalog
Using DLP

• Restructured Policy Catalog
  • Products no longer a Drop Down
  • Category No longer a Drop Down
  • Category on Left Expandable for 1 or all
  • Ability to get to view / edit from 1 screen
  • Create New Policy Simplified
  • Covered in Labs
DLP Policy Manager Review
Data Protection > DLP Policy Manager

• Accessed from Data Protection section.
• Organized by three tabs: Rule Sets, Policy Assignment, and Definitions
Rule Sets Tab
Display and Define Rule Sets

[Sample] in Ruleset columns indicate built-in rules for the rule set.
They can be duplicated for use.

Types of Rules
Data Rules, Device Rule, Discovery Rules, and Application Rules

Data Rules:
• Detect attempts made to transfer data.
• Available reactions include blocking the attempt or allowing with a justification.
Device Rules:
• Detect when removable storage devices connected to the endpoint machine are
disconnected.
• Available reactions include blocking or read-only access of the application or device.
Discovery Rules:
• Scan systems for files that meet matching criteria.
• Available reactions include quarantining or moving the matching file.

Application Rules:
• Provides protection from URL addresses from selected users.
• Available reaction is Block and report incident
Policy Assignment Tab
Apply or Assign Policies or Rule Sets / Create or Edit DLP Policy

• View assignments (flat view).
• Manage privileged users/groups.
• Manage Endpoint Discovery scan.
Definitions Tab
Create or Edit Definitions for Rules, Classifications, Tagging, and Scans

• Use Duplicate to create a new extension with additional definitions
• View option gives information on definition properties in use
• Actions > Depending on the Definition selected, New provides the ability to create a new Definition, Export or Import from a file (CSV)
• Not Shown in the definition list is Repositories. This is where you would enter the DLP Discover Scan repository information, such as BOX, CIFS, DB’s, and SharePoint.
Supported Definitions
Data, Device Control, Notification, and Other

| Definition Type | Data Protection Rules | Device Control Rules | Discovery Rules | Application Rules |
|---|---|---|---|---|
| Data: File Extension | ✓ | N/A | ✓ | N/A |
| Device Class: Device Class | N/A | ✓ | N/A | N/A |
| Device Class: Device Definitions | N/A | ✓ | N/A | N/A |
| Notification: Justification | ✓ | ✓ | ✓ | N/A |
| Notification: User Notification | ✓ | ✓ | ✓ | ✓ |
| Other: Scheduler | N/A | N/A | ✓ | N/A |
Supported Definitions (Continued)
Source / Destination

| Definition Type | Data Protection Rules | Device Control Rules | Discovery Rules | Application Rules |
|---|---|---|---|---|
| Application Template | ✓ | N/A | N/A | N/A |
| Email Address | ✓ | N/A | N/A | N/A |
| End-User Group | ✓ | ✓ | N/A | ✓ |
| Local Folder | ✓ | N/A | N/A | N/A |
| Network Address (IP address) | ✓ | N/A | N/A | N/A |
| Network Port | ✓ | N/A | N/A | N/A |
| Network Printer | ✓ | N/A | N/A | N/A |
| Network Share | ✓ | N/A | N/A | N/A |
| Process Name | ✓ | ✓ | N/A | N/A |
| URL List | ✓ | N/A | N/A | ✓ |
| Windows Title | ✓ | N/A | N/A | N/A |
Notification: Justification Definitions
Prevent Action for Selected Rules

• Form of policy bypass.
• Use default or create custom one.
• If a message for a certain locale does not exist, the default message is used.
Notification: User Notification Definitions
Built-in Definitions

• Sends a message to the endpoint computer to notify the user of the policy violation.
• Use default or create custom one.
Notification: Placeholders
Variable Text in Messages

%c – Classifications
%r – Rule-set name
%v – Vector (Email protection, Web protection, DLP Prevent)
%a – Action (example: Block)
%s – String value (file name, device name, email subject, URI)
Source / Destination Definitions
Various Built-in Definition Types

Other Features
Rights Management

Rights Management:
▪ Supports integration with rights management (RM) servers to apply protections to files
that match rule classifications.
▪ Data protection and endpoint discovery rules.
Protection Bypass:
▪ Allows user to bypass policies, and access or transfer sensitive information for a limited
time.
▪ Administered with Help Desk feature.
▪ Select Menu page > Systems > Help Desk.

Review
Key points

▪ Rule sets are assigned to DLP policies.
▪ Consist of one or more rules (Data, Device, or Discovery).
▪ Rules define condition and reaction.
▪ Policy Assignment tab is used to apply or assign rule sets to policies, create or edit DLP Policy settings, such as privileged users/groups and endpoint discovery scan.
▪ Definitions provide related information for rules, classifications, tagging, and scans.
  • Data
  • Device Control
  • Notification
  • Other
  • Source/Destination
  • Repositories
Begin Lab 2 – 4
~ 50 Min.

License DLP and Build Evidence
Create DLP Policy
Protection Rules & Rule Sets

** Possible SkyHigh Integration Walkthrough**
Content Classification and Tagging

Classifications,
Definitions and Tagging

DLP Classification Construction Continued

Hierarchy: DLP Policy > Rule Set > Rule > Classification > Definition

• Multiple definitions may be used in a single Classification for the purpose of accurately identifying a particular type of protected content. The Classification is used to classify the content.
• Definitions are in turn used to construct content Classifications, which are referenced in the DLP Protection Rules. Rules can be organized into Rule Sets which can then be assigned to one or more DLP Policies.
Example Classifications and Criteria
Built-in Classifications/Definitions at a Glance

Other Classification Features: Manual Classification
Menu > Data Protection > Classification > Manual Classification Tab

• Allow Everyone or Select User Groups (End-User Groups).
• Group by Classifications or User Groups.
• Not recommended
Classification Settings
Menu > Data Protection > Classification > Manual Classification Tab

• Allows classification to be placed in header or footer of email messages
• Can force end-users to classify the file if it never was classified previously
• Allows Admins to force users to classify outbound email
Other Classification Features: Register Documents
Menu > Data Protection > Classification > Register Documents Tab

• Upload one file or multiple files in zipped format.
• Create package, which contains document signatures.
• Package is uploaded to ePO database when no Registration server exists.
• Distributed to endpoints with next ASCI (agent-server communication interval).
Uploading Registered Documents

• Select File Upload (Action menu or button).
• Browse and select file.
• Select file and classification.
• Select Create Package (Action menu or button).
Other Classification Features: Whitelisted Text
Menu > Data Protection > Classification > Whitelisted Text Tab

• Ignore text during processing of file content.
• Used for text that commonly appears in files, such as boilerplates, legal disclaimers, and copyright information.
• Will not cause content to be classified or tagged, even if parts of it match classification or tagging criteria.
• If a file contains both tagged or classified and whitelisted data, it is not ignored.
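As an added illustration (not code from the McAfee product or from this deck), the following Python models the whitelisted-text behaviour described above: whitelisted passages are removed before the classification criteria run, so boilerplate alone never classifies a file, while a file that also carries sensitive data is still classified. The classification patterns, whitelist entries and sample files are constructed for this example.

```python
import re
from typing import List

# Constructed classification criteria standing in for the DLP definitions a
# classification would reference (not McAfee's built-in classifications).
CLASSIFICATION_PATTERNS = {
    "Credit Card Number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "Confidential Marker": re.compile(r"\bConfidential\b", re.IGNORECASE),
}

# Constructed whitelisted text: boilerplate that must never, on its own,
# classify a file even though it contains the word "Confidential".
WHITELISTED_TEXT: List[str] = [
    "This message is Confidential and intended solely for the addressee.",
    "Copyright (c) Example Corp. All rights reserved.",
]


def strip_whitelisted(content: str, whitelist: List[str] = WHITELISTED_TEXT) -> str:
    """Remove every whitelisted passage before the classification criteria run.

    Whitespace in extracted file content is unreliable, so each passage is
    matched with any run of whitespace between its words.
    """
    for passage in whitelist:
        pattern = r"\s+".join(re.escape(word) for word in passage.split())
        content = re.sub(pattern, " ", content, flags=re.IGNORECASE)
    return content


def classify(content: str) -> List[str]:
    """Return the classifications whose criteria match the non-whitelisted text.

    Boilerplate alone yields no classification; a file carrying boilerplate
    plus sensitive data is still classified, because only the whitelisted
    passages are ignored, not the whole file.
    """
    remaining = strip_whitelisted(content)
    return sorted(name for name, pattern in CLASSIFICATION_PATTERNS.items()
                  if pattern.search(remaining))


# Constructed sample files.
BOILERPLATE_ONLY = (
    "Copyright (c) Example Corp. All rights reserved.\n"
    "This message is Confidential and intended solely for the addressee.\n"
)
BOILERPLATE_PLUS_CARD = BOILERPLATE_ONLY + "Card on file: 4111 1111 1111 1111\n"
BOILERPLATE_PLUS_MARKER = BOILERPLATE_ONLY + "Project Falcon plan - Confidential draft\n"
```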

Content Fingerprint Criteria
Link Tags to Content
Content fingerprint signatures are stored in a file's extended file attributes (EA), alternate data stream (ADS), or in a hidden folder (ODB$). You can select the preferred technology on the Windows client configuration Content Tracking page.

Application – Monitor or block files created by application or applications in application definition.

Box – Create content fingerprinting of files hosted in the following corporate Box accounts.

Location – Create content fingerprinting & monitor or block files in the specified location of files opened (or copied) from the following network shares (UNC).

SharePoint – Create content fingerprinting of files opened (or downloaded) from the following SharePoint web addresses.

Web Application – Create content fingerprinting of files opened (or downloaded) from the following web addresses (URL).
More on Tagging
Other Considerations

Password-protected files are only supported by application-based tagging rules, not by content-based tagging rules. This is because the DLPe client cannot access the protected content.

Marking an application as an Explorer application means that the DLPe client disregards any content manipulation by the application. Copy/paste, print screen, and content-based tagging rules do not apply. Use the Explorer strategy only for Explorer-like applications, such as shell applications.
Classification Review

Classify Confidential Data
• By location
• By content
• By file-type
• By fingerprint

Build Content-based Reaction Rules
• Monitor sensitive data transfer
• Prevent confidential data from leaving the enterprise
• Notify administrator and end users
• Quarantine confidential data
• Enforce encryption
Classification Review (Continued)
High Level Process

• Classify information to protect.
• Create classification and tagging criteria.
• Create rules that associate sensitive data with the appropriate classification and tagging criteria.
• Define protection rules incorporating classification and tagging criteria.

Use classification criteria when the document's sensitivity is known from a reliable and easily identified pattern, such as the word Confidential. Use tagging criteria when a pattern is not readily available. See Technical Article KB81640.
Review

• Built-in (sample) classifications are available for use as a starting point.
• Built-in (sample) classifications are able to be used but unable to Edit. You must duplicate them to edit them.
• Classifications consist of classification/content fingerprinting criteria and definitions.
• Manual classification is supported but not recommended.
• To control the distribution of registered documents or whitelisted text, upload these files and create a package for distribution to DLPe endpoints.
• After classifications are created, your next step is to create data protection rules.
• Alternatively you can duplicate Rulesets that are tied to Classifications.
Begin Lab 5….
~ 10 Mins.

Definitions and Classifications

Publishing and Validating policies
Assign your Ruleset to a Policy object

1. Make note of current revision and notice pending changes.
2. Make changes to any policy setting as needed.
3. If this is a discovery scan, make any changes as needed here.
4. Click the assign rule set(s) to a policy.
5. Verify the correct rulesets are being applied.
6. Apply selected policy.
7. Notice changed revision and no pending changes. Make note of new revision.
Agent Wake Up

1. Select the system tree.
2. On left select the DLP labs.
3. Select the systems to be woken up.
4. Select the wake up agents.
5. On System tree popup select Force complete policy and task update and click OK.
Verify Correct Policy on Endpoint

Log into Client, right click the Shield and select DLP Endpoint console.

Click About.

If the Shield is not running you can run the “Launch Agent” batch file on the desktop.

Notice the Policy Revision ID we just verified.
Begin Lab 6….
~ 5 Mins.

Publishing and Validating Policies

Installing DLP Software

Solution Requirements: Client Hardware

Minimum Platform Requirements for Client Systems

| Component | Specification |
|---|---|
| Hard drive | 200 MB minimum |
| CPU | Intel Pentium III 1 GHz or faster |
| Memory | 1 GB minimum (2 GB recommended) |
| Network | 100 megabit LAN serving all clients and the ePO server; Basic TCP/IP networking between clients/servers configured and working |

These are minimum system requirements only. Actual requirements vary among deployments.
Solution Requirements: Client Operating Systems
Minimum Platform Requirements for Client Systems
Microsoft Windows OS
• Windows 7 SP1 32-bit or 64-bit
• Windows 8 or 8.1 32-bit or 64-bit
• Windows 10 (32-bit and 64-bit) Version 1507 - 1803 (April 2018 Update)
• Windows Server 2008 SP2 32-bit or 64-bit
• Windows Server 2008 R2 SP1 64-bit
• Windows Server 2012 and 2012 R2 64-bit
• Windows 2016 (64-bit)

File System Discovery Rules and Network Communication Protection Rules are not supported on servers.

Mac OS X
• OS X Yosemite 10.10 or Later
• OS X El Capitan 10.11 or Later
• macOS Sierra 10.12 or Later
• macOS High Sierra 10.13 or Later

Virtualization Systems
• Citrix XenApp 7.11 – DLP 11 Patch 2
• Citrix XenApp 7.9 – DLP 11 HF2
• Citrix XenDesktop 7.8 – DLP 11 HF2
• Citrix XenApp 6.0, 6.5 – DLP 11.0 - .4 (6.5 Feature Pack 2 only)
• Citrix XenDesktop 7.0, 7.1 and 7.5 - DLP 11.0 and HF2 (7.0 Only)
• Citrix XenDesktop 7.6 - DLP 11.2 – 11.4 (7.6 Patch 3 Only)
Solution Requirements: Browsers

Minimum Platform Requirements for Client Systems

Apple Mac
• Safari 6.0 and later (on Mac OS X)

Windows
• Google Chrome 32 Bit
• Google Chrome 64 Bit
• Microsoft Internet Explorer 6 - 11
• Mozilla Firefox
• Microsoft Edge
Software-based Install
DLP Endpoint / Discover

DLP Discover and Endpoint are software-based agents that can be deployed to the associated OS platform.

ePO Menu > Client Task Catalog > McAfee Agent > Product Deployment > Actions > New Task

Various Methods of Deployment – Shown in Lab guide
Software-based Install
DLP Registration Server

DLP Discover Registration Server is a software-based agent that can be deployed on a Windows server platform.

ePO Menu > Client Task Catalog > McAfee Agent > Product Deployment > Actions > New Task
DLP Prevent Installation
.ISO – Used on Physical Appliances
• Install DLP Prevent on model 4400 or 5500 appliances

OVA – Used for VM Servers Installations
• Install on your own ESX or ESXi Server
• Install ESX or ESXi on 4400 or 5500 Appliances

Hyper-V Installations
• DLP Prevent 11.0.300 and Higher can install .ps.Zip into Hyper-V
• Supported Platforms Windows 2012 and Windows 2016

DLP Prevent MTA Requirements
• MTA must send all or a portion of email traffic to DLP Prevent for Processing
• MTA must be able to inspect email headers to identify email arriving from DLP Prevent and act on those headers.
• MTA must ensure that email received from DLP Prevent are routed to the intended destination and not back to DLP Prevent.
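To make the three MTA requirements concrete, here is an added Python example (not McAfee's code and not any MTA vendor's) of the routing decision the MTA has to make: send uninspected mail to DLP Prevent, act on the X-Headers only when the message genuinely came back from DLP Prevent, and never route inspected mail back to it. The header names, hostnames and sample messages are assumptions constructed for this example; the action names are the ones the Email Prevent workflow lists.

```python
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple

# Hypothetical header names assumed for this example; they are not the
# header names DLP Prevent actually sets.
H_ACTION = "X-Example-DLP-Action"
H_REDIRECT = "X-Example-DLP-Redirect-To"

# Actions the Email Prevent workflow lists for the MTA to carry out.
KNOWN_ACTIONS = {"allow", "block", "bounce", "encrypt", "quarantine", "redirect"}

# Constructed next-hop names.
DLP_PREVENT_HOP = "dlp-prevent.example.internal"
ENCRYPTION_GATEWAY = "encryption-gateway.example.internal"
QUARANTINE_STORE = "quarantine-store"


def recipient_domain(msg: Message) -> str:
    """Domain of the To: address, used here as the delivery next hop."""
    to_field = msg.get("To", "")
    if "@" not in to_field:
        return ""
    return to_field.split("@", 1)[1].strip().rstrip(">")


def route(raw_message: str, received_from_dlp_prevent: bool) -> Tuple[str, str, Optional[Message]]:
    """Decide what the MTA does with one message.

    Returns (action, next_hop, message_to_relay). received_from_dlp_prevent
    comes from the SMTP session (which peer delivered the message), never
    from the message itself: headers alone cannot prove where mail came from.
    """
    msg = message_from_string(raw_message)

    if not received_from_dlp_prevent:
        # First pass: not inspected yet. Any verdict headers already present
        # were not set by Prevent, so strip them before relaying; otherwise a
        # sender could forge an "allow" verdict and skip inspection.
        for header in (H_ACTION, H_REDIRECT):
            del msg[header]
        return ("inspect", DLP_PREVENT_HOP, msg)

    # Second pass: the message came back from Prevent, so it must never be
    # sent there again (the loop-prevention requirement). Prevent adds
    # X-Headers only if necessary, so a missing verdict header means allow.
    action = msg.get(H_ACTION, "allow").strip().lower()
    if action not in KNOWN_ACTIONS:
        return ("quarantine", QUARANTINE_STORE, msg)   # unknown verdict: fail closed
    if action == "allow":
        return ("deliver", recipient_domain(msg), msg)
    if action == "encrypt":
        return ("encrypt", ENCRYPTION_GATEWAY, msg)
    if action == "redirect":
        return ("redirect", msg.get(H_REDIRECT, QUARANTINE_STORE).strip(), msg)
    if action == "bounce":
        return ("bounce", msg.get("From", "").strip(), msg)
    if action == "block":
        return ("block", "", None)                      # dropped; the incident goes to ePO
    return ("quarantine", QUARANTINE_STORE, msg)


# Constructed sample messages.
UNINSPECTED = (
    "From: alice@corp.example\r\n"
    "To: bob@partner.example\r\n"
    "Subject: Q3 numbers\r\n"
    "\r\n"
    "See attached.\r\n"
)
RETURNED_BLOCK = (
    "From: alice@corp.example\r\n"
    "To: bob@partner.example\r\n"
    "Subject: Q3 numbers\r\n"
    f"{H_ACTION}: Block\r\n"
    "\r\n"
    "See attached.\r\n"
)
```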

DLP Monitor Installation
.ISO – Used on Physical Appliances
• Install DLP Monitor on model 4400, 5500, or 6600 appliances
• The capture port can be connected to a SPAN port or a network tap.

OVA – Used for VM Servers Installations
• Install on your own ESX or ESXi Server
• The capture port is set to promiscuous mode. You must enable promiscuous mode on a portgroup or virtual switch to allow the appliance to passively inspect copies of all network packets that pass through the network.

DLP Monitor Additional Notes
• The appliance does not support using continuous DHCP configuration
• Ensure that the Virtual Appliance is connected and setup within a port group to monitor traffic
DLP Prevent 11
Setup and configuration

McAfee Confidential
Email Prevent Workflow

Diagram: Users, Exchange, Email Gateway (MTA), Prevent, ePO (steps 1 to 5 are numbered on the figure).

1. User sends a message via Exchange to the outbound email gateway (MTA).
2. Policy on the MTA directs specific (outbound) messages to McAfee Email Prevent for inspection.
3. Prevent inspects the message, adds X-Headers (if necessary) and returns the message back to the MTA.
4. The MTA examines the X-Headers and takes the appropriate action (Block, Bounce, Encrypt, Quarantine, Redirect).
5. Incidents are generated for any DLP action, and a copy is sent to ePO.
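The MTA side of steps 2 and 4 above, as an added example that is not part of the deck or McAfee's own code: the X-Header names, the Prevent hostname and the sample message are assumed placeholders, since the slide only says that Prevent "adds X-Headers" and the MTA must act on them without looping mail back to Prevent.

```python
from email import message_from_string
from email.message import Message
from typing import Tuple

# Header names below are placeholders assumed for this example; the slide
# does not name the headers DLP Prevent adds.
INSPECTED_HDR = "X-DLP-Inspected"
ACTION_HDR = "X-DLP-Action"
REDIRECT_HDR = "X-DLP-Redirect-To"
PREVENT_HOST = "dlp-prevent.example.internal"   # assumed hostname


def mta_route(msg: Message) -> Tuple[str, str]:
    """Decide where the MTA sends one outbound message: (route, target).

    Step 2: anything Prevent has not yet inspected goes to Prevent.
    Step 4: a message coming back from Prevent is routed purely by its
    X-Headers and is never sent to Prevent again (no inspection loop).
    """
    if msg.get(INSPECTED_HDR, "").strip().lower() != "true":
        return ("prevent", PREVENT_HOST)
    action = msg.get(ACTION_HDR, "").strip().upper()
    if action == "ALLOW":
        return ("deliver", msg["To"])
    if action == "BLOCK":
        return ("drop", "discarded per DLP policy")
    if action == "BOUNCE":
        return ("ndr", msg["From"])
    if action == "ENCRYPT":
        return ("encryption-gateway", msg["To"])
    if action == "QUARANTINE":
        return ("quarantine", "held for reviewer")
    if action == "REDIRECT":
        return ("deliver", msg.get(REDIRECT_HDR, "dlp-review@example.com"))
    # Inspected but with a missing or unknown action header: hold it rather
    # than guess (a design choice in this example, not a slide statement).
    return ("quarantine", f"unrecognised action {action!r}")


# Constructed sample message as it would return from Prevent after step 3.
SAMPLE_FROM_PREVENT = (
    "From: alice@example.com\r\n"
    "To: bob@partner.example\r\n"
    "Subject: Q3 numbers\r\n"
    "X-DLP-Inspected: true\r\n"
    "X-DLP-Action: Encrypt\r\n"
    "\r\n"
    "Attached are the draft figures.\r\n"
)
SAMPLE_UNINSPECTED = "From: alice@example.com\r\nTo: bob@partner.example\r\n\r\nHi\r\n"


def route_raw(raw: str) -> Tuple[str, str]:
    """Parse a raw RFC 5322 message and route it."""
    return mta_route(message_from_string(raw))
```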
Web Prevent Workflow

Diagram: Users, Web Proxy, Prevent, ePO (steps 1 to 5 are numbered on the figure).

1. The user's web browsing session is directed to an outbound web proxy appliance.
2. The proxy server optionally performs SSL decryption, then forwards a copy of the traffic to Web Prevent via an ICAP request.
3. Prevent inspects the payload and returns either an Allow or Block message in the ICAP response.
4. The proxy server either presents a custom block page to the end user, or allows the traffic through, depending on the response.
5. Incidents are generated for any DLP action, and a copy is sent to ePO.
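The proxy side of steps 3 and 4, as an added example that is not from the deck or from McAfee: it maps an ICAP response to the allow/block decision using RFC 3507 conventions (204 means no modification, 200 with an encapsulated HTTP response carries the block page), and the two sample responses are constructed, not captured from an appliance.

```python
from typing import Dict, Optional, Tuple

# Constructed ICAP responses standing in for what Web Prevent would return in
# step 3 (not captured from a real appliance; ISTag values are made up).
ICAP_ALLOW = 'ICAP/1.0 204 No Content\r\nISTag: "example-tag-1"\r\n\r\n'
BLOCK_PAGE = "<h1>Blocked by DLP</h1>"              # 23 bytes
ICAP_BLOCK = (
    "ICAP/1.0 200 OK\r\n"
    'ISTag: "example-tag-1"\r\n'
    "Encapsulated: res-hdr=0, res-body=71\r\n"      # 71 = length of the HTTP headers below
    "\r\n"
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    f"{len(BLOCK_PAGE):x}\r\n{BLOCK_PAGE}\r\n0\r\n\r\n"   # ICAP bodies are chunked
)


def parse_icap(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split an ICAP response into status code, headers and encapsulated section."""
    head, _, encapsulated = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, encapsulated


def proxy_decision(raw: str) -> Tuple[str, Optional[str]]:
    """Step 4 on the proxy: turn the ICAP response into allow or block."""
    status, headers, encapsulated = parse_icap(raw)
    if status == 204:
        return ("allow", None)   # 204: no modification, pass the request through
    if status == 200:
        enc = headers.get("encapsulated", "")
        if "res-hdr" in enc:
            # Prevent returned a complete HTTP response instead of the request:
            # the proxy serves it to the user as the block page.
            return ("block", encapsulated.split("\r\n", 1)[0])
        if "req-hdr" in enc:
            return ("allow", "modified request")
    # Any other status: whether the proxy fails open or closed is its own
    # configuration; this example reports it rather than deciding.
    return ("error", f"ICAP status {status}")
```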
DLP Prevent Clustering

Clustering enables high availability across multiple DLP Prevent systems by using a VIP (Virtual IP).

Ensure that ICAP traffic is pointed at the VIP, not at an individual appliance.
DLP Monitor
Setup and Configuration

DLP Monitor Workflow

Diagram: Users / Servers, Egress Switch, Firewall, Span/Tap, DLP Monitor, ePO (steps 1 to 4 are numbered on the figure).

1. The switch receives network packets from internal users and servers.
2. McAfee DLP Monitor receives copies of network packets via Span/TAP and analyzes them.
3. The switch also sends packets through the firewall to the internet.
4. Any resulting incidents generated by Monitor are reported to ePO.
Using a Traffic Aggregator

Diagram: Users / Servers, Egress Switch, Firewall; a Tap feeds the aggregator, which feeds Span ports on three DLP Monitor appliances.

An intelligent traffic aggregator device can be used to load balance sessions across multiple Monitor appliances on high bandwidth segments.




DLP Monitor Overview

• Ability to analyze specific protocols within the Policy Catalog in ePO
• Able to ignore East-West traffic to reduce noise
• All incidents reported in the ePO DLP Incident Manager


Begin Labs 7 - 9….
~ 60 Mins.

Installing DLP Endpoint
Install DLP Prevent
Testing DLP Policies

Justifications
Justification vs Notification

Justification Benefits
• Teaching tool
• Self-help tool
• Reduction in help desk calls
• Tracking

Justification Drawbacks
• Ability to have leaked data, depending on criteria

Notification Benefits
• Teaching tool
• Tracking
• Data classification leak risk mitigated

Notification Drawbacks
• Possibly more help desk calls
• Initial confusion from end users


Begin Lab 10….
~ 35 Mins.

Request Justification for Web Post Protection

Configure and Run DLP Discover 11.0
DLP Discover Overview

• Discover Servers – Lists current discover servers.
• Scan Operations – Provides the ability to see current scans and to create, edit, and delete scans.
• Data Analytics & Inventory – Allows drilling into conducted scans to identify the data found, in the new drillable OLAP format.
• Definitions – Create credentials for use with scans; set up Box, CIFS, Database, SharePoint Discover scans and more.


Creating a CIFS Share Scan

Creating a SharePoint Scan

Creating a Database Scan

▪ Supports database discover scans for the following databases:
  ▪ Microsoft SQL Server
  ▪ Oracle
  ▪ MySQL
  ▪ DB2

▪ Filters
  ▪ For all DBs
  ▪ All schemas
  ▪ All tables
  ▪ Or selected ones of the above, based on operators and values in the filters


Inventory, Classification, Remediation, and Registration Scans

▪ Inventory – Designed to collect file inventory data (fastest)
▪ Classification – Helps in planning the protection strategy and analyses file content
▪ Remediation – Analyses files and performs remediation actions
▪ Document Registration – Creates file signatures that match fingerprint criteria to track and identify files


Discover scanning for Box

• Extends DLP to the cloud storage provider Box
• Scans Box just like an on-premise repository – seen as just another repository in the list
• Has special reporting, such as which files have been shared anonymously
• Provides a basis for prioritized manual remediation
• Can also do automated remediation such as resetting permissions, encrypting (with FRP), removing, and RMS


Creating a New Box Account for training

• Navigate to: https://www.box.com/pricing
• Select Individual Plans
• Select the Individual "FREE" account by clicking the Signup button there.
• Enter the required information to create the Box account so you can use it in the labs today.


New Data Analytics
Through built-in Online Analytical Processing

• DLP Discover now has 3 different views:
  • Dashboard <seen here> – used to quickly filter and review.
  • Grid – the classic OLAP view we worked with before.
  • Raw Data – provides data on all content found in the selected scan.
• Still has a built-in OLAP data module that exposes multidirectional data patterns of the analysed files.


DLP Network Discover - Registration

Master Registration architecture

Diagram: Web Prevent, Email Prevent and DLP Monitor query the Master Registration Server; Discover 1 and Discover 2 feed signatures into it.

Registration Server config


DLP Discover – Registration scan

▪ Registration scan option for supported repositories
▪ Enforced by NDLP Prevent/Monitor
▪ Registration database NOT pushed to Prevent/Monitor; matching is done on the DLP Registered Documents Service


DLP Discover Registration Overview

• Registration Scans – Ability to automatically extract content from files based on selected fingerprint criteria
• Registered Documents – Provides the ability to define classifications and remediation scans or policies for DLP Prevent and Monitor
• Cannot be run on databases; only file repositories are supported
• Signatures are used as fingerprints to identify data and prevent it from leaving the network


Document Registration Scans

▪ Document Registration – Configured in the DLP Discover New Scans
▪ Signatures – Allows a cap on the signatures that are created and stored on the registration server
▪ Repositories – Similar to the DLP CIFS scan, identifies where the signatures reside
▪ Fingerprint Criteria – Isolates IP or classified content to create fingerprints


Incident and Case Management

Incident and Event Monitoring Overview

DLP Incident Manager:
▪ Displays policy violations (incidents).

DLP Operations:
▪ Displays administrative events.

DLP Case Management:
▪ Allows administrators to collaborate on the resolution of related incidents.

DLP Incident Manager, Operational Events, and Case Management


DLP Incident Manager
Menu page > Data Protection > DLP Incident Manager

• Analytics tab: Graphical overview of violations with drill down into incidents (not shown here)
• Incident List tab: Current policy violation events
• Incident Tasks tab: Actions to take on all or part of the list / set reviewer, purge or email events
• Incident History tab: Historic incidents

o View and manage incidents (policy violations).
o The DLP Operations page works in a similar manner with administrative events.


DLP Operations
Menu page > Data Protection > DLP Operations

Operational Events List
• View and manage administrative events.
• Similar operation to the DLP Incident Manager.
Operational Event Tasks

DLP Operations
Menu page > Data Protection > DLP Operations

Operational Events History
User Information


Creating Set Reviewer Rule
Incident Tasks or Operations Tasks Tabs

✓ Name (required)
✓ Description
✓ State
✓ Reviewer or Group
✓ Rule Criteria

Tasks always run on unassigned incidents. After a reviewer is set, it is not possible to override the reviewer.


Creating Automatic Mail Notification Rule
• Incident Tasks or Operations Tasks Tabs

• Name (required)
• Description
• State
• Events to process
• Recipients (at least one)
• Subject and Body
• Attach Evidence
• Rule Criteria


DLP Case Management
Collaborate on Resolution of Related Incidents

Helpful for scenarios where multiple incidents share common properties or are related.

Scenario:
▪ A user often generates several incidents after business hours.
▪ Suspicious activity, or the user's system has been compromised.
▪ Assign the incidents to a case to track violations.

Scenario:
▪ Remediation scans show sensitive files recently added to publicly accessible repositories.
▪ Assign the incidents to a team to take action (add comments, change priority, or notify key stakeholders).


Creating Cases
Group and Review Related Incidents

✓ Title
✓ Owner
✓ Assigned/Unassigned
✓ Priority
✓ Status
✓ Resolution


Create a Set Reviewer Task
Before You Begin

Menu > User Management > Permission Sets

Create a reviewer or designate a group reviewer with Set Reviewer permissions for DLP Incident Management and Operations Events.


DLP Server Tasks
Predefined Tasks

Menu page > Server Tasks


Queries Overview
Actionable Objects that Display in Charts/Tables

Exportable to four formats:
▪ CSV: Use with spreadsheets.
▪ XML: Transform data.
▪ HTML: View as a web page.
▪ PDF: Obtain printable results.

Can be used as dashboard monitors.
Can run manually or on a schedule.
Ability to email built queries as reports, and schedule the delivery of the email.

You cannot modify or delete the default dashboards and predefined queries. To change them, duplicate, rename, and modify the renamed dashboard or query.


Queries Overview (Continued)
Public and Private Queries

Private queries:
▪ Exist in the user's Private Group list.
▪ Only available to the creator.

Public queries:
▪ Exist in the Shared Groups list.
▪ Available to everyone who has permission to use public queries.
▪ Administrators and users with appropriate permissions can make their queries private.

Use query permissions to assign specific levels of query functionality to permission sets, which are assigned to individual users.


Data Loss Prevention Reports
Two Ways to Run Reports

Reports tab: New Report

Query tab: Actions > New Report from Selection


Working with Reports
Page Elements

Elements:
‒ Images
‒ Page breaks
‒ Query Charts
‒ Text
‒ Query Tables

• Dragged and dropped into the report layout, then positioned.
• Can be combined in any order.
• Can be duplicated, as needed.


Working with Reports (Continued)
Headers and Footers

• Logo
• Date/Time
• Page Number
• User Name
• Custom text


DLP Dashboards
View Product Properties

• Add, duplicate, import, or export a dashboard.
• Add a monitor to a custom dashboard.

DLP: Incident Summary: Number of incidents per day (data in-use/in-motion).
DLP: Operations Summary: Number of incidents per severity (data in-use/in-motion).
DLP: Policy Summary: Number of incidents per rule set (data in-use/in-motion).


DLP Dashboards Overview (Continued)
Predefined Dashboards

Incident Summary:
▪ Displays number of incidents per day, severity, type, and rule set.
▪ Helpful for analysis.

Operations Summary:
▪ Displays number of events over time, agent status, operational mode and version, product distribution, and scan status.
▪ Helps you monitor your environment.

Policy Summary:
▪ Displays metrics about policies, such as enforced rule sets, bypassed users, undefined device classes for Windows devices, and privileged users.
▪ Helps you monitor your policies, as well as deployment and updates.


DLP Dashboards
Example - DLP: Policy Summary Dashboard

Links to detail


Securing Cloud Storage Services
File & Removable Media Protection v5.0
McAfee Endpoint Assistant App v2.0
Solution Highlights – Securing cloud storage services

▪ End-to-end security
▪ Customer owns the encryption keys
▪ Secure cloud storage services: Box, Dropbox, Dropbox for Business, Google Drive, OneDrive, and OneDrive for Business
▪ Platforms: Windows, Android, iOS
▪ Ability to select the protection level actions below for OOB supported providers:
  ▪ Report
  ▪ Audit
  ▪ Encrypt (Allow/Enforce)

Diagram: Report, Audit and Encrypt actions applied to the Sync Folder; access through the Endpoint Assist App.


Solution Highlights – Accessing data on mobile devices

▪ Secure access to encrypted files on iOS/Android devices
▪ Audits for provisioning, recovery, and file access

Diagram: McAfee ePO connects to the Endpoint Assist App via the Conduit Platform.


Securing Cloud Storage: Solution Overview

Diagram: File & Removable Media Protection, McAfee ePO, Mobile Connector (Conduit Platform), Endpoint Assistant App.

• Centralized management
• Integrated policy management & reporting

• Windows: All files in the specified folder are transparently "encrypted" before syncing with cloud storage.
• iOS and Android: Encrypted files being accessed are transparently "decrypted" before users are allowed to view them.


Creation of FRP Keys – Step 1

FRP Key Assignment

Mobile device access: Admin selects users for enrollment

User enrollment for Endpoint Assistant App

Click the link in the email to send the app to your cell phone, or scan the QR code.

Encrypted file access on mobile device
Short video showing the end user experience

Survey Time