Data Loss Prevention

Data Loss Prevention (DLP) detects and prevents the unauthorized transmission of confidential information, such as social security numbers, credit card numbers, bank account numbers and so on.

Browser-Based DLP capabilities allow you to enforce DLP by associating data types with a DLP rule.

In the Data Loss Prevention tab, you can set rules based on specific events, data types and actions.

These actions are available within the DLP rules:

  • Detect - Performs the DLP scan but does not block the data.

  • Prevent - Performs the DLP scan and prevents data transfer if it finds a match to a data type.

  • Allow - Acts as an exclusion, allowing data transfer in certain events.

  • Block - Blocks the data without the DLP scan.

DLP Logs

  • Logs are sent for Block, Prevent, and Detect actions.

  • File upload and File download events generate a log for each handled file, regardless of whether the event is blocked, prevented, detected, or allowed.

  • Text control and Paste events send logs for blocked, prevented, or detected incidents.

Video transcript: Data Loss Prevention, or DLP, is a technique to prevent unauthorized transmission of confidential information such as bank account numbers. This video shows how to apply DLP rules to data, for example to files that you download or upload. While this video specifically details the steps for Harmony Endpoint, it is also applicable to Harmony Browse. Log in to the Infinity Portal, access the Harmony Endpoint Administrator Portal and click Policy and Data Loss Prevention. Now click DLP Data Type Manager. You can either use the existing data types in the default groups or create custom data types. To edit a data type, expand the DLP group and select a data type. Click Edit and edit the data type as per your requirement. Click OK to save your changes. To create a new custom data type, click New and select Data. Follow the wizard to define the new data type and click Finish. The new custom data type is listed under the Custom Data Types group and, similarly, new DLP groups you create are listed under My Groups. Now, to create a DLP rule and associate it with an event, click Data Loss Prevention. Select a rule in the table and click "Clone", and then select "Clone Above" or "Clone Below". Enter a rule name, select a device group and click "OK". Select the rule you just created and click Outbound events or Inbound events. An outbound event refers to transferring content to external resources; an inbound event refers to downloading data. To add an event, turn on the "Disable all" toggle button and click Add. Make sure the Status toggle button is enabled. Select the Event type, Destination type, and Action. Select the Data types to associate with the DLP rule and click "Save". Click "Save and Install" to install the new policy settings. As the last step, click "INSTALL".

Use Case

You are a financial organization that wants to prevent unauthorized users from uploading or downloading files that contain confidential and sensitive data, such as bank account numbers and tax and revenue details.

Known Limitations

Sample Data Type

For supported data and file types, see sk181662.

Legend descriptions:

  1. Name of the data type.

  2. Date and time (in MM/DD/YY, HH:MM:SS XM format) when the data type was last modified.

  3. Brief description of the data type.

  4. Custom tags (category) for the data type. Helps in searching for data types.

  5. Matching criteria:

    • Pattern

    • Keyword

    • Dictionary

    • Weighted Words

    • Template

    • File attribute

    • Compound (Combination of data types with a logical separator)

    • Group (Data type group)

  6. The minimum number of times the matching criteria must be present in the file to trigger the DLP action specified in the policy capability rule. For example, if the matching criteria is Keyword, the value is credit and the Matching Threshold is 5, then the system takes the action specified by the policy capability rule if the file contains the term credit five times or more.

  7. Policy capability rules where the data type is used.

  8. Groups associated with the data type.

  9. Add the data type to a group.

  10. Duplicate the data type.

  11. Edit the data type.

  12. Comment.

  13. Filter data types by category.

  14. Search for a data type.

Creating a Custom Data Type

To create a custom data type:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. Click New and select Data type.

    The Add data type wizard appears.

  3. Enter the data type name, object comment (optional) and description.

  4. From the Data type recognition method list, select a recognition method:

    The recognition methods, what each one matches, and the action to take in the wizard:

    • Pattern

      Description - Applies the action specified in the policy capability rule if the file contents match the threshold for the pattern. For example, 5523-2342.

      Action - In the Patterns section, enter the pattern and click .

    • Keyword

      Description - Applies the action specified in the policy capability rule if the file contents match the threshold for the keyword. For example, Confidential, Secret.

      Action - In the Keywords section, enter the keywords and click .

    • Dictionary

      Description - Applies the action specified in the policy capability rule if the file contents match the threshold for the terms in the dictionary. For example, Spain, China, United Kingdom. Each keyword must be specified on a single line in UTF-8 format.

      Note - The recommended file formats are Microsoft Word and .txt.

      Action - Upload the dictionary file.

    • Weighted Words

      Description - Applies the action specified in the policy capability rule if the file contains keywords and the cumulative weight matches or exceeds the threshold. Use this method to specify multiple keywords.

      For example, consider two keywords:

      • credit with Weight=1 and Max. Weight=3

      • transaction with Weight=2 and Max. Weight=30

      and Matching Threshold=15.

      If the file contains six occurrences of credit, each contributes a Weight of 1, that is, 1x6=6. As the Max. Weight is 3, the final weight is 3.

      If the file contains eight occurrences of transaction, each contributes a Weight of 2, that is, 2x8=16. As the Max. Weight is 30, the final weight is 16.

      As the sum of the final weights of credit and transaction, that is, 16+3=19, is greater than the Matching Threshold, the system applies the action specified in the policy capability rule.

      If the sum of the final weights of the keywords is less than the Matching Threshold, the file is uploaded or downloaded.

      Action:

      a. Click New.

      b. Enter these:

        • Keyword

        • Weight - Weight for each occurrence of the keyword.

        • Max. Weight - Maximum allowed weight for the keyword.

      c. If the keyword is a regular expression, turn on the Regex toggle button.

      d. Click Add.

      e. Repeat steps a through d to add the next keyword.

    • Template

      Description - Applies the action specified in the policy capability rule if the file contents match the threshold for the terms in the template. For example, a template with a set header, footer and logo. If the template contains images, the DLP is triggered only if the file contains the images in the same format as in the specified template.

      Action - Upload the template file.

    • File attribute

      Description - Applies the action specified in the policy capability rule if the file:

      • Matches the specified file name.

      • Size is equal to or greater than the specified file size.

      • Type matches the specified file type.

      Action - Select any of these and enter a value:

      • File name. For example, Account Numbers, Employee Details.

      • File size. File size in Bytes, KB, MB or GB.

      • File type. Click and select the file type(s) from the list.

  5. Click Next.

    Note - This step does not apply to Template and File attribute recognition methods.

  6. Select the matching threshold.

    The minimum number of times the matching criteria must be present in the file to trigger the DLP. For example, if the matching criteria is Keyword, the value is credit and the Matching Threshold is 5, then the system takes the action specified by the policy capability rule if the file contains the term credit five times or more.

    Note - This step does not apply to Template and File attribute recognition methods.

  7. Click Finish.

    The new custom data type is listed under Custom Data Types.

  8. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  9. Click Confirm.

  10. To discard all the changes, click Discard at the top.

    The change detected window appears.

  11. Click Confirm.
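The Keyword and Weighted Words recognition methods described in step 4, and the Matching Threshold from step 6, reduce to a small scoring function. The following is an added example, not Check Point code: it uses the guide's own Weighted Words values (credit: Weight 1, Max. Weight 3; transaction: Weight 2, Max. Weight 30; Matching Threshold 15) on a constructed sample text. Case-insensitive whole-word matching for plain keywords is an assumption, as is applying the Regex toggle verbatim.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WeightedWord:
    """One row of the Weighted Words list: keyword, Weight per hit, Max. Weight, Regex toggle."""
    keyword: str
    weight: int
    max_weight: int
    regex: bool = False


def count_hits(text: str, keyword: str, regex: bool = False) -> int:
    # Assumption: plain keywords match case-insensitively as whole words;
    # entries with the Regex toggle on are used as written.
    pattern = keyword if regex else r"\b" + re.escape(keyword) + r"\b"
    return len(re.findall(pattern, text, flags=re.IGNORECASE))


def final_weight(word: WeightedWord, text: str) -> int:
    # Every occurrence adds `weight`; the keyword's total is capped at `max_weight`.
    return min(word.weight * count_hits(text, word.keyword, word.regex), word.max_weight)


def weighted_words_match(words: list[WeightedWord], text: str, threshold: int) -> tuple[int, bool]:
    """Return (cumulative weight, triggered); triggered when the sum matches or exceeds the threshold."""
    total = sum(final_weight(w, text) for w in words)
    return total, total >= threshold


def keyword_match(keyword: str, text: str, threshold: int) -> bool:
    """Keyword recognition: triggered when the keyword occurs `threshold` times or more."""
    return count_hits(text, keyword) >= threshold


# Weighted Words entries and Matching Threshold taken from the example in the guide.
POLICY = [WeightedWord("credit", weight=1, max_weight=3),
          WeightedWord("transaction", weight=2, max_weight=30)]
THRESHOLD = 15

# Constructed sample file contents: six "credit" and eight "transaction" occurrences.
SAMPLE_TEXT = (
    "Credit card credit line; credit check, credit score, credit limit, credit memo. "
    "Transaction 1, transaction 2, transaction 3, transaction 4, "
    "transaction 5, transaction 6, transaction 7, transaction 8."
)

if __name__ == "__main__":
    total, triggered = weighted_words_match(POLICY, SAMPLE_TEXT, THRESHOLD)
    print(f"cumulative weight {total}, threshold {THRESHOLD}, action applied: {triggered}")
```

Running it reproduces the guide's arithmetic: credit contributes min(1x6, 3) = 3, transaction contributes min(2x8, 30) = 16, and 19 meets the threshold of 15.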

Creating a Custom Data Type Group

To create a custom data type group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. Click New and select Group.

    The New Data type Group window appears.


  3. Enter a group name, object comment (optional) and description.

  4. To add predefined data types to the group, click in the Predefined Data types field and select the data type.

  5. To add custom data types to the group, click in the Custom Data types field and select the data type.

  6. Click Save.

    The new data type group is listed under My Groups.

  7. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  8. Click Confirm.

  9. To discard all the changes, click Discard at the top.

    The change detected window appears.

  10. Click Confirm.

Adding an Existing Data Type to a Group

To add an existing data type to a group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. In the Data Type Name list, expand Custom Data Types or Predefined Data Types and select the data type.

  3. Click Add to group.

  4. Select the group(s) from the list.

  5. Click Add.

  6. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  7. Click Confirm.

  8. To discard all the changes, click Discard at the top.

    The change detected window appears.

  9. Click Confirm.

Editing a Data Type or Group

Note - If you edit a data type, the changes are reflected in all the groups that contain this data type.

To edit a data type or group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. In the Data Type Name list, expand the DLP group and select the data type or the group.

  3. Click Edit.

  4. Make the required changes.

    Note - In the Check Point Recommended and Predefined Data Types DLP groups, you can edit only Matching level and Add object comment.

  5. Click OK.

  6. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  7. Click Confirm.

  8. To discard all the changes, click Discard at the top.

    The change detected window appears.

  9. Click Confirm.

Duplicating a Data Type or a Group

To duplicate a data type or group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. In the Data Type Name list, expand the DLP group and select the data type or the group within.

  3. Click Duplicate.

  4. Make the required changes.

  5. Click OK.

  6. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  7. Click Confirm.

  8. To discard all the changes, click Discard at the top.

    The change detected window appears.

  9. Click Confirm.

Deleting a Data Type or a Group

Note - Before you delete a data type, make sure to remove the data type from the group(s) and policy capability rules.

To delete a data type or group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. In the Data Type Name list, expand the DLP group and select the data type or the group within.

  3. Click Delete.

    The Deleting a data type window appears.

  4. Click Delete Data Type.

  5. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  6. Click Confirm.

  7. To discard all the changes, click Discard at the top.

    The change detected window appears.

  8. Click Confirm.

Creating a DLP Rule and Associating with an Event

  1. Go to Policy > Data Loss Prevention.

  2. Add a rule:

    1. Select a rule.

    2. Click Clone and click Clone Above or Clone Below.

      Note - If you have selected the default rule, select Clone Above.

      The Clone Rule window appears.

    3. In the Name field, enter a rule name.

    4. From the Applied to list, select a device(s) to which you want to apply the rule.

    5. Click OK.

  3. Click one of these tabs:

    • Outbound events - Outbound data refers to transferring content to external resources.

      Examples:

      • Uploading file to a file sharing website.

      • Entering text in a text box of an external resource, such as ChatGPT.

      • Pasting text in a text box of an external resource, such as ChatGPT.

      Note - Enforcement of DLP for Paste and Text Control events is only supported for Generative AI sites.

    • Inbound events - Inbound data refers to downloading data and sharing content within internal corporate resources.

      Example - Downloading file from a file sharing website.

  4. Click Add.

    The Data Protection - New Event window appears.

  5. By default, the event is enabled. To disable, turn off the Status toggle button.

  6. From the Event type list, select one of these:

    • File upload - To apply the DLP rule when you upload a file to an external resource.

    • Text control - To apply the DLP rule when you type text in an external resource text box. For example, in ChatGPT.

    • Paste - To apply the DLP rule when you paste content into an external resource. For example, ChatGPT.

    • File download - To apply the DLP rule when you download a file from an internal resource.

    Note - Enforcement of DLP for Paste and Text Control events is only supported for Generative AI sites.

  7. From the Destination type list, select one of these types to which you want to apply the rule, and enter the required value:

    • All - N/A.

    • Url - In the URL field, enter the web addresses to which you want to apply the rule.

    • Domain - In the Domain field, enter the domain to which you want to apply the rule.

    • Category - From the Categories & sub categories list, select one or more categories.

    Notes:

    • In Inbound events, you can only choose a URL or Domain.

    • In Inbound events, if a source is added for DLP scanning, files downloaded from that source are not scanned by Threat Emulation.

  8. From the Action list, select one of these:

    • Detect - Performs the DLP scan but does not block the data.

    • Prevent - Performs the DLP scan and prevents data transfer if it finds a match to a data type.

    • Allow - Acts as an exclusion, allowing data transfer in certain events.

    • Block - Blocks the data without the DLP scan.

  9. To associate data types with an event, in the Data types section, click and select the data type or a group.

    Note - This step is applicable only if the Action is Detect or Prevent.

  10. Click Save.

    The events are displayed in the Outbound events and Inbound events columns in the DLP rule.

  11. To delete an event, select the event that you want to delete and click Delete.

  12. To edit an event, select the event that you want to edit, click Edit, make the required changes and click OK.

  13. To disable all events, turn off the Disable all toggle button.

  14. Click Save & Install.

    The Install Policy window appears.

  15. Click Install.

Rule Configuration Logic

The rule configuration logic offers a systematic method for applying policy rules to events. The system prioritizes the most specific events and progresses through four levels of specificity:

  1. URL

  2. Domain

  3. Category

  4. All

Note - The Paste and Text control events only have access to the Category level.

Scenarios

When multiple events are relevant for the same incident, the event with the strictest action is selected.
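The selection logic above (most specific destination type first, strictest action as the tie-break, Category only for Paste and Text control) can be modelled directly. This is an added example, not Check Point code: the strictness ranking Block > Prevent > Detect > Allow is an assumption, since the guide does not list the order, and so are the matching semantics (URL prefix, exact domain, exact category); the events, hosts and category names are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Specificity levels from the Rule Configuration Logic section (lower number = more specific).
SPECIFICITY = {"URL": 1, "Domain": 2, "Category": 3, "All": 4}
# Assumed strictness ranking for the tie-break; the guide only says the strictest action wins.
STRICTNESS = {"Block": 4, "Prevent": 3, "Detect": 2, "Allow": 1}
CATEGORY_ONLY_EVENTS = {"Paste", "Text control"}


@dataclass(frozen=True)
class DlpEvent:
    event_type: str   # "File upload", "File download", "Text control" or "Paste"
    dest_type: str    # "URL", "Domain", "Category" or "All"
    dest_value: str   # web address, domain, category name, or "" for All
    action: str       # "Detect", "Prevent", "Allow" or "Block"


def event_applies(ev: DlpEvent, event_type: str, url: str, category: str) -> bool:
    """Assumed matching semantics: URL prefix match, exact host match, exact category match."""
    if ev.event_type != event_type:
        return False
    if event_type in CATEGORY_ONLY_EVENTS and ev.dest_type != "Category":
        return False  # Paste and Text control can only be scoped at the Category level
    host = urlparse(url).hostname or ""
    return {
        "URL": url.startswith(ev.dest_value),
        "Domain": host == ev.dest_value,
        "Category": category == ev.dest_value,
        "All": True,
    }[ev.dest_type]


def select_event(events, event_type, url, category):
    """Pick the event that governs an incident: most specific destination type first,
    then the strictest action among equally specific events. None if nothing applies."""
    candidates = [e for e in events if event_applies(e, event_type, url, category)]
    if not candidates:
        return None
    return min(candidates, key=lambda e: (SPECIFICITY[e.dest_type], -STRICTNESS[e.action]))


# Constructed events for one DLP rule; hosts and category names are made up.
RULE_EVENTS = [
    DlpEvent("File upload", "All", "", "Detect"),
    DlpEvent("File upload", "Category", "File Storage and Sharing", "Prevent"),
    DlpEvent("File upload", "Domain", "share.example.com", "Allow"),
    DlpEvent("File upload", "Domain", "share.example.com", "Prevent"),
    DlpEvent("File upload", "URL", "https://share.example.com/public/", "Block"),
    DlpEvent("Paste", "Category", "Generative AI", "Prevent"),
]
```

With these events an upload to https://share.example.com/internal/ matches both Domain events, and the assumed strictness ranking picks Prevent over Allow; an upload under /public/ is governed by the URL event instead.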