Data Loss Prevention

Data Loss PreventionClosed Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. (DLP) detects and prevents unauthorized transmission of confidential information, such as social security numbers, credit card numbers, bank account numbers and so on.

Browser-Based DLP capabilities allow you to enforce DLP by associating data types with a DLP ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

In the Data Loss Prevention tab, you can set rules based on specific events, data types and actions.

These actions are available within the DLP rules:

  • Detect - Performs the DLP scan but does not block the data.

  • Prevent - Performs the DLP scan and prevents data transfer if it finds a match to a data type.

  • Allow - Acts as exclusions, allowing data transfer in certain events.

  • Block - Blocks the data without the DLP scan.

  • Ask - Asks the user to provide justification before allowing data transfer based on the DLP scan results.

The Data Loss Prevention tab allows the administrator to enable and install the Gen AI Protect feature on the endpoints. Gen AI Protect monitors the use of various Gen AI tools by the endpoints. It detects and prevents the sharing of potential confidential information in the prompts to any Gen AI tools by the Endpoint Security Clients.

Notes:

  • You can find the policy version number in the bottom left corner of the page.

  • You can find both policy name and policy version number in the browser extension which is supported only for Windows client E88.70 and higher.

DLP Logs

  • Logs are sent for Block, Prevent, Detect, and Ask actions.

  • File upload and File download events generate log for each handled file, regardless of whether the event is blocked, prevented, detected, or allowed.

  • Text control, Copy and Paste events send logs for blocked, prevented, or detected incidents.

00:05: Data Loss Prevention or DLP is a technique to prevent unauthorized transmission of confidential information such as bank account numbers. This video shows how to apply DLP rules to data for example to files that you download or upload. While this video specifically details the steps for Harmony Endpoint, it is also applicable to Harmony Browse. 00:27: Log in to the Infinity Portal access the harmony endpoint administrator 00:31: portal and click policy and data loss prevention now click 00:35: DLP data type manager. 00:38: You can either use the existing data types in the default groups or create 00:42: custom data types. 00:44: To edit a data type expand the DLP group and select a data 00:48: type. 00:49: Click edit and edit the data type as per your requirement. 00:53: Click okay to save your changes. 00:56: To create a new custom data type click new and select data. 01:00: Follow the wizard to define the new data type and click finish. 01:04: The new custom data type is listed under custom data types group and 01:08: similarly new DLP groups. You create are listed under my groups. 01:13: Now, to create a DLP rule and associate with an event, click Data Loss Prevention. 01:19: Select a rule in the table and click "Clone" and then select "Clone Above" or "Clone Below". 01:24: Enter a rule name, select a device group and click "OK". 01:28: Select the rule you just created and click outbound events or inbound events 01:32: outbound event refers to transferring content to external resources 01:36: inbound event refers to downloading data. 01:40: To add an event, turn on the "Disable all" toggle button and click Add. 01:45: Make sure the Status toggle button is enabled. Select the Event type, Destination type, and Action. Select the Data types to associate with the DLP rule and click "Save". 01:56: Click "Save and Install" to install the new policy settings. 02:00: As the last step, click "INSTALL".

Use Case

You are a financial organization aiming to prevent the upload or download of files containing confidential and sensitive data, such as bank account numbers, tax and revenue details, by unauthorized users.

Known Limitations

Sample Data Type

For supported data and file types, see sk181662.

Legends Description

1

Name of the data type.

2

Date and time (in MM/DD/YY, HH:MM:SS XM format) when the data type was last modified.

3

Brief description of the data type.

4

Custom tags (category) for the data type. Helps in searching for data types.

5

Matching criteria:

  • Pattern

  • Keyword

  • Dictionary

  • Weighted Words

  • Template

  • File attribute

  • Compound (Combination of data types with a logical separator)

  • Group (Data type group)

6

The minimum number of times the matching criteria must be present in the file to trigger the DLP action specified in the policy capability rule. For example, if the matching criteria is Keyword, the value is credit and the Matching Threshold is 5, then the system takes the action specified by the policy capability rule if the file contains the term credit five times or more.

7

Policy capability rules where the data type is used.

8

Groups associated with the data type.

9

Add the data type to a group.

10

Duplicate the data type.

11

Edit the data type.

12

Comment.

13

Filter data type by category.

14

Search for a data type.

Creating a Custom Data Type

To create a custom data type:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. Click New and select Data type.

    The Add data type wizard appears.

  3. Enter the data type name, object comment (optional) and description.

  4. From the Data type recognition method list, select a recognition method:

    Recognition method Description

    Action

    Pattern

    Applies the action specified in the policy capability rule if the file contents match the threshold for the pattern. For example, 5523-2342.

    In the Patterns section, enter the pattern and click .

    Keyword

    Applies the action specified in the policy capability rule if the file contents match the threshold for the keyword. For example, Confidential, Secret.

    In the Keywords section, enter the keywords and click .

    Dictionary

    Applies the action specified in the policy capability rule if the file contents match the threshold for the terms in the dictionary. For example, Spain, China, United Kingdom.

     

    Each keyword must be specified in a single line in the UTF-8 format.

     

    Note - The recommended file formats are Microsoft Word and .txt.

    Upload the dictionary file.

    Weighted Words

    Applies the action specified in the policy capability rule if the file contains keywords and the cumulative weight matches or exceeds the threshold.

     

    Use this method to specify multiple keywords.

     

    For example, consider two keywords:

    • credit with Weight=1 and Max. Weight=3

    • transaction with Weight=2 and Max. Weight=30

    and Matching Threshold=15.

     

    If the file contains six occurrences of credit, each contributing a Weight of 1. That is, 1x6=6. As the Max. Weight=3, the final weight is 3.

     

    If the file contains eight occurrences of transaction, each contributing a Weight of 2. That is, 2x8=16. As the Max. Weight=30, the final weight is 16.

     

    As the sum of final weights of credit and transaction, that is, 16+3=19 is greater than the Matching Threshold, the system applies the specified action in the policy capability rule.

     

    If the sum of the final weights of the keywords is less than the Matching Threshold, then the file is uploaded or downloaded.

    1. Click New.

    2. Enter these:

      • Keyword

      • Weight - Weight for each occurrence of the keyword.

      • Max. Weight - Maximum allowed for weight for the keyword.

    3. If the keyword is a regular expression, turn on the Regex toggle button.

    4. Click Add.

    5. Repeat steps a through d to add the next keyword.

    Template

    Applies the action specified in the policy capability rule if the file contents match the threshold for the terms in the template. For example, a template with a set header, footer and logo.

    If the template contains images, the DLP is triggered only if the file contains the images in the same format as in the specified template.

    		 Upload the template file.

    File attribute

    Applies the action specified in the policy capability rule if the file:

    • Matches the specified file name.

    • Size is equal to or greater than the specified file size.

    • Type matches the specified file type.

    Select any of these and enter a value:

    • File name. For example, Account Numbers, Employee Details.

    • File size. File size in Byte, KB, MB or GB.

    • File type.

      • Click and select the file type(s) from the list.

  5. Click Next.

    Note - This step does not apply to Template and File attribute recognition methods.

  6. Select the matching threshold.

    The minimum number of times the matching criteria must be present in the file to trigger the DLP. For example, if the matching criteria is Keyword, the value is credit and the Matching Threshold is 5, then the system takes the action specified by the policy capability rule if the file contain the term credit five times or more.

    Note - This step does not apply to Template and File attribute recognition methods.

  7. Click Finish.

    The new custom data type is listed under Custom Data Types.

  8. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  9. Click Confirm.

  10. To discard all the changes, click Discard at the top.

    The change detected window appears.

  11. Click Confirm.

Creating a Custom Data Type Group

To create a custom data type group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. Click New and select Group.

    The New Data type Group window appears.


  3. Enter a group name, object comment (optional) and description.

  4. To add predefined data types to the group, click in the Predefined Data types field and select the data type.

  5. To add custom data types to the group, click in the Custom Data types field and select the data type.

  6. Click Save.

    The new data type group is listed under My Groups.

  7. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  8. Click Confirm.

  9. To discard all the changes, click Discard at the top.

    The change detected window appears.

  10. Click Confirm.

Adding an Existing Data Type to a Group

To add an existing data type to a group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. In the Data Type Name list, expand Custom Data Types or Predefined Data Types and select the data type.

  3. Click Add to group.

  4. Select the group(s) from the list.

  5. Click Add.

  6. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  7. Click Confirm.

  8. To discard all the changes, click Discard at the top.

    The change detected window appears.

  9. Click Confirm.

Editing a Data Type or Group

Note - If you edit a data type, the changes are reflected in all the groups that contain this data type.

To edit a data type or group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. In the Data Type Name list, expand the DLP group and select the data type or the group.

  3. Click Edit.

  4. Make the required changes.

    Note - In the Check Point Recommended and Predefined Data Types DLP groups, you can edit only Matching level and Add object comment.

  5. Click OK.

  6. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  7. Click Confirm.

  8. To discard all the changes, click Discard at the top.

    The change detected window appears.

  9. Click Confirm.

Duplicating a Data Type or a Group

To duplicate a data type or group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. In the Data Type Name list, expand the DLP group and select the data type or the group within.

  3. Click Duplicate.

  4. Make the required changes.

  5. Click OK.

  6. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  7. Click Confirm.

  8. To discard all the changes, click Discard at the top.

    The change detected window appears.

  9. Click Confirm.

Deleting a Data Type or a Group

Note - Before you delete a data type, make sure to remove the data type from the group(s) and policy capability rules.

To delete a data type or group:

  1. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  2. In the Data Type Name list, expand the DLP group and select the data type or the group within.

  3. Click Delete.

    The Deleting a data type window appears.

  4. Click Delete Data Type.

  5. To permanently save all the changes to the database, click Save at the top.

    The change detected window appears.

  6. Click Confirm.

  7. To discard all the changes, click Discard at the top.

    The change detected window appears.

  8. Click Confirm.

Managing Microsoft Sensitivity Labels for DLP

Harmony Endpoint allows you to integrate Sensitivity labels from Microsoft Purview Information Protection into your DLP system, providing an additional layer of data protection based on predefined sensitivity classifications.

Step 1 - Copy the Microsoft Sensitivity label names and their UUIDs from Microsoft Purview

  1. Log in to Microsoft Purview Portal: https://purview.microsoft.com/

  2. Go to Solutions > Information protection > Labels.

  3. Click the label name for which you want to find the UUID.

  4. Copy the UUID in the Label ID or GUID section.

  1. Install the Exchange Online Management Module

    The Microsoft Purview Security & ComplianceClosed Check Point Software Blade on a Management Server to view and apply the Security Best Practices to the managed Security Gateways. This Software Blade includes a library of Check Point-defined Security Best Practices to use as a baseline for good Security Gateway and Policy configuration. PowerShell uses the Exchange Online Management Module for connection.

    1. Open PowerShell as an administrator.

    2. Run the following command:

      Install-Module -Name ExchangeOnlineManagement -Force

    3. If the system prompts to install NuGet or trust the repository, enter Y and press Enter.

  2. Connect to the Microsoft Purview Security & Compliance Center.

    1. Run the following command to create a session:

      Connect-IPPSSession

    2. In the Microsoft login page that appears, authenticate with the Microsoft 365 administrator credentials.

      Note - The administrator must have Compliance Administrator or Information Protection Administrator roles.
    3. If your Microsoft Purview portal has Multi-Factor Authentication (MFA), complete the MFA process.

    Once authenticated, the session connects to the Microsoft Purview Security & Compliance Center.

    Now, you can run Microsoft Purview Security & Compliance PowerShell commands, such as managing labels, policies, or settings.

  3. To view the UUID of the labels, run the following commands:

    Get-Label | Select-Object DisplayName, Name, Guid

    UUDI command example

  4. Copy the UUID of the labels.

  5. To disconnect the session, run the following command:

    Disconnect-ExchangeOnline

Step 2 - Creating Microsoft Sensitivity Labels in Harmony Endpoint

  1. Log in to Infinity Portal and access the Harmony Endpoint Administrator Portal:

  2. Go to Policy > Data Loss Prevention and click DLP Data Type Manager.

  3. Click Manage Labels.

    The Manage Sensitivity Labels Dashboard window appears.

  4. Click New.

  5. In the Name field, enter a name for the label. For example, MIP_EXAMPLE.

  6. In the UUID field, enter the label UUID. For more information, see Step 1 - Copy the Microsoft Sensitivity label names and their UUIDs from Microsoft Purview.

  7. Click Add.

  8. Click OK.

    Note - The newly created label is now listed in Sensitivity Labels under Data Type Name section.

    It also shows the label details:

    • Date modified

    • Description

    • Tags - Shows tags assigned, if any, for further categorization

    • Where used - Shows the DLP rule name that uses this label to enforce protection.

    • Groups - Shows if the label is part of any group.

    You can use Tags and Groups to better organize and manage the sensitivity labels.

  9. To edit a label, select the label you want to edit, click Edit, update the field and then click Apply.

     

  10. To delete a label, select the label you want to delete, click Delete and then click Delete Data Type.

  11. Click Save.

  12. Click Confirm.

Step 3 - Assign Sensitivity Labels to DLP Rules

After creating Sensitivity labels in Harmony Endpoint, you must assign them to the DLP rules to enforce data protection based on these sensitivity labels.

To assign sensitivity labels to a DLP rules, see Creating a DLP Rule and Associating with an Event.

Creating a DLP Rule and Associating with an Event

  1. Go to Policy > Data Loss Prevention.

  2. Add a rule:

    1. Select a rule.

    2. Click Clone and click Clone Above or Clone Below.

      Note - If you have selected the default rule, select Clone Above.

      The Clone Rule window appears.

    3. In the Name field, enter a rule name.

    4. From the Applied to list, select a device(s) to which you want to apply the rule.

    5. Click OK.

  3. To enable the Gen AI protection:

    1. Select the rule to which the Gen AI protection must be associated.

    2. From the list of tabs, select Settings tab.

    3. Select Enable GenAI protect.

    4. Click Save & Install, to apply the rule on the applicable endpoints.

  4. Click one of these tabs:

    • Outbound events - Outbound data refers to transferring content to external resources.

      Examples:

      • Uploading file to a file sharing website.

      • Entering text in a text box of an external resource, such as ChatGPT.

      • Pasting text in a text box of an external resource, such as ChatGPT.

      Note - Enforcement of DLP for Paste and Text Control events is only supported for Generative AI sites.

    • Inbound events - Inbound data refers to downloading data and sharing content within internal corporate resources.

      Example - Downloading file from a file sharing website.

  5. Click Add.

    The Data Protection - New Event window appears.

  6. By default, the event is enabled. To disable, turn off the Status toggle button.

  7. From the Event type list, select one of these:

    Event Type

    Applies to

    Description
    File upload Outbound events To apply the DLP rule when you upload a file to an external resource.
    Text control

    Outbound events

    		 To apply the DLP rule when you type text in an external resource text box. For example, in ChatGPT.
    Paste

    Outbound events

    		 To apply the DLP rule when you paste content into an external resource. For example, ChatGPT.
    File download

    Inbound events

    		 To apply the DLP rule when you download a file from an internal resource.
    Copy

    Inbound events

    To apply the DLP rule when you copy content from an internal resource.

    Note - Enforcement of DLP for Paste and Text Control events is only supported for Generative AI sites.

  8. From the Destination type list, select one of these type to which you want to apply the rule:

    Destination type

    Applies to

    Description

    All

    File upload

    N/A

    Url

    • File upload

    • File download

    • Copy

    In the URL field, enter the web addresses to which you want to apply the rule.

    Application

    • Text control

    • Paste

    In the Applications field, select the application(s) to which you want to apply the rule.
    Domain

    • File upload

    • File download

    • Copy

    In the Domain field, enter the domain to which you want to apply the rule.

    Category

    • File upload

    • Text control

    • Paste

    From the Categories & sub categories list, select one or more categories.

    Notes:

    • In Inbound events, you can only choose a URL or Domain.

    • In Inbound events, if a source is added for DLP scanning, files downloaded from that source are not scanned by Threat Emulation.

  9. From the Action list, select one of these:

    • Detect - Performs the DLP scan but does not block the data.

    • Prevent - Performs the DLP scan and prevents data transfer if it finds a match to a data type.

    • Allow - Acts as exclusions, allowing data transfer in certain events.

    • Block - Blocks the data without the DLP scan.

    • Ask - Asks the user to provide justification before allowing data transfer based on the DLP scan results.

  10. To associate data types with an event, in the Data types section, click and select the data type or a group.

    Note - This step is applicable only if the Action is Ask, Detect or Prevent.

  11. Click Save.

    The events are displayed in the Outbound events and Inbound events columns in the DLP rule.

  12. To delete an event, select the event that you want to delete and click Delete.

  13. To edit an event, select the event that you want to edit, click Edit, make the required changes and click OK.

  14. To disable all events, turn off the Disable all toggle button.

  15. Click Save & Install.

    The Install Policy window appears.

  16. Click Install.

Rule Configuration Logic

The rule configuration logic offers a systematic method for applying policy rules to events. The system prioritizes the most specific events and progresses through these levels of specificity:

  1. URL

  2. Application

  3. Domain

  4. Category

  5. All

Note - The Paste and Text control events have access only to the Application and Category levels.

Scenarios

Specific Event

Most specific event is the URL https://domain1.com/url1.html.

Result

Specific Event

Most specific event is the URL https://domain1.com/url2.html.

Result

Specific Event

Most specific event is the Domain domain1.com.

Result

Specific Event

The Category of domain2.com is Computers / Internet.

Since there are no specific events for the URL or Domain, the Category event is selected.

Result

Specific Event

The Category of domain3.com is Education.

Since there are no specific events for the URL or Domain, the Category event is selected.

Result

Specific Event

Since there are no specific events for the URL, Domain, or Category, the event with the destination All is selected.

Result

Specific Event

Most specific event is the ApplicationGrammarly.

Result

Specific Event

Most specific event is the ApplicationChatGPT.

Result

Specific Event

Most specific event is the ApplicationChatGPT.

Result

Specific Event

Most specific event is the CategoryArtificial Intelligence (AI).

Result

When multiple events are relevant for the same incident, the events with the strict action is selected.

Specific Event

The Category of domain5.com are Computers / Internet and Education.

Since there are no events for the URL or Domain, only two events for the Category are relevant, and the system selects the event with stricter action.

Result

Specific Event

Since there are no events for the URL, only two events for the Domain domain1.com are relevant.

Result