Data Loss Prevention
Data Loss Prevention (DLP) detects and prevents unauthorized transmission of confidential information, such as social security numbers, credit card numbers and bank account numbers.
You enforce DLP by associating data types with a DLP rule.
To access Data Loss Prevention page, sign in to the Check Point Infinity Portal, access the Harmony SASE Administrator Portal, and click Data Loss Prevention.
DLP policy is enforced on files being uploaded.
In the Data Loss Prevention page, you can set rules based on data types and actions.
These actions are available within the DLP rules:
-
Detect - Performs the DLP scan and detects the confidential information, but does not block the data.
-
Prevent - Performs the DLP scan and prevents data transfer if it finds a match to a data type.
Use Case
You are a financial organization that wants to prevent unauthorized users from uploading files containing confidential and sensitive data, such as bank account numbers and tax and revenue details.
Known Limitations
-
DLP is not applied to files larger than 16 MB. Such files are not scanned, so a Prevent rule does not block them.
-
Requires Agent version 11.7 or higher.
Creating a DLP Rule
-
Sign in to the Check Point Infinity Portal and access the Harmony SASE Administrator Portal.
-
Click Data Loss Prevention.
-
Click the Policy tab.
-
Click Add New Rule.
A new row appears in the table.
-
Specify these:
-
In the Name column, enter a rule name.
-
In the Members and Groups column, select a user or a group to which you want to apply the rule. The default value is Any.
-
Hover over the Members and Groups column and click Add Source > Groups or Members.
The Manage Groups and Members window appears.
-
To add a group, select Groups and in the search groups field, search and select a group(s).
-
To add a member, select Members and in the search members field, search and select a member(s).
-
Click Apply Changes.
-
In the Service column, add a service to which you want to apply the rule. The default value is Any.
-
Hover over the Service column, click Add Service, and select one of these:
-
Web Categories:
-
Custom URLs:
-
Select Custom URLs.
The Manage Custom URLs window appears.
-
Search and select one or more URLs and click Apply.
-
To add a new custom URL, click Add Custom URL.
The Add Custom URL window appears.
-
Enter these:
-
Name - Name of the custom URL.
-
(Optional) Description
-
In the URL field, enter the list of URLs or upload a .CSV file with the list of URLs.
Note -
-
Do not include a protocol (http://, https://), query parameters (?) or anchors (#). If the URL includes a www prefix, include it as part of the domain. The wildcard (*) is supported only at the beginning of the domain, for example *.example.com.
-
When uploading a CSV file with custom URLs, make sure the file has no header or subject line. Each row must contain a single URL.
-
Click Add URL.
The system creates the URL and displays it in the Custom URLs page.
-
Applications:
-
In the Data Types column, add a data type to which you want to apply the rule. The default value is Any.
-
In the Action column, select either of these:
-
Prevent - Block actions if sensitive data is detected and log the event.
-
Detect - Log the event.
-
Turn on the Status toggle button.
Notes:
-
To create a rule above or below a particular rule, hover over the rule, scroll to the end of the row, open the row menu and select Create Above or Create Below.
-
To duplicate a rule above or below a particular rule, hover over the rule, scroll to the end of the row, open the row menu and select Duplicate Above or Duplicate Below.
-
To delete a rule, hover over the rule, scroll to the end of the row, open the row menu and select Delete.
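The custom URL rules from the Service step above (no protocol, no query parameters or anchors, wildcard only as a leading *. prefix, one URL per CSV row and no header) are easy to violate when a list is assembled by hand. The following Python script is an added example, not Check Point code, that checks a CSV before you upload it. The sample list, the validate_entry and check_csv names, and the decision to tolerate a path after the domain are assumptions of this example, not rules stated on this page.

```python
"""Pre-upload validator for a Harmony SASE custom URL CSV (added example, not Check Point code)."""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# A domain of at least two labels; an optional "*." wildcard is allowed only at the start.
_DOMAIN = re.compile(rf"(?:\*\.)?{_LABEL}(?:\.{_LABEL})+", re.IGNORECASE)


def validate_entry(entry: str) -> Optional[str]:
    """Return None if the entry follows the page's rules, otherwise a short reason."""
    e = entry.strip()
    if not e:
        return "empty entry"
    if "://" in e:
        return "protocol prefix (http:// or https://) is not allowed"
    if "?" in e:
        return "query parameters (?) are not allowed"
    if "#" in e:
        return "anchors (#) are not allowed"
    # Assumption of this example: a path after the domain is tolerated and only
    # the domain part is validated.
    domain = e.split("/", 1)[0]
    if "*" in domain and (not domain.startswith("*.") or "*" in domain[2:]):
        return "wildcard (*) is allowed only as a leading *. prefix, as in *.example.com"
    if not _DOMAIN.fullmatch(domain):
        # A header line such as "url" ends up here because it has no dot.
        return "not a valid domain name (a header line is rejected for the same reason)"
    return None


def check_csv(csv_text: str) -> Tuple[List[str], Dict[int, str]]:
    """Split the rows of a custom-URL CSV into accepted entries and
    {row_number: reason} rejections. Rows must hold exactly one URL."""
    accepted: List[str] = []
    rejected: Dict[int, str] = {}
    for n, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if len(row) != 1:
            rejected[n] = "each row must contain exactly one URL"
            continue
        reason = validate_entry(row[0])
        if reason:
            rejected[n] = reason
        else:
            accepted.append(row[0].strip())
    return accepted, rejected


# Constructed sample list (not from the page): row 1 is a header that must not be there.
SAMPLE_CSV = """url
example.com
www.example.com
*.example.com
https://secure.example.com
files.example.com?download=1
foo.*.example.com
docs.example.com/internal
"""

if __name__ == "__main__":
    ok, bad = check_csv(SAMPLE_CSV)
    print("accepted:", ok)
    for row, why in sorted(bad.items()):
        print(f"row {row}: {why}")
```

Run it against your list before uploading; a header line is caught because a bare word such as url is not a valid two-label domain.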
Data Type Manager
The Data Type Manager page shows these elements:

| Legend | Description |
|---|---|
| 1 | Name of the data type. |
| 2 | Date and time (in MM/DD/YY, HH:MM:SS XM format) when the data type was last modified. |
| 3 | Brief description of the data type. |
| 4 | Custom tags (category) for the data type. Tags help in searching for data types. |
| 5 | Matching criteria of the data type. |
| 6 | Matching threshold: the minimum number of times the matching criteria must be present in the file to trigger the DLP action specified in the policy capability rule. For example, if the matching criteria is Keyword, the value is credit and the Matching Threshold is 5, the system takes the action specified by the policy capability rule if the file contains the term credit five times or more. |
| 7 | Policy capability rules in which the data type is used. |
| 8 | Groups associated with the data type. |
| 9 | Add the data type to a group. |
| 10 | Duplicate the data type. |
| 11 | Edit the data type. |
| 12 | Filter data types by category. |
| 13 | Search for a data type. |
Creating a Custom Data Type
To create a custom data type:
-
Sign in to the Check Point Infinity Portal and access the Harmony SASE Administrator Portal.
-
Click Data Loss Prevention.
-
Click the Data Type Manager tab.
-
Click New and select Data type.
The Add data type wizard appears.
-
Enter the data type name, object comment (optional) and description.
-
From the Data type recognition method list, select a recognition method:
Recognition method - Pattern
Description - Applies the action specified in the policy capability rule if the file contents match the threshold for the pattern. For example:
-
A literal sequence, such as 5523-2342.
-
Employee numbers that have an EMP prefix followed by 5 digits: EMP-\d{5}. Here EMP- is the fixed prefix of every employee ID and \d{5} is exactly 5 digits (\d matches a digit and {5} requires exactly five of them). Match example: EMP-12345.
Action - In the Patterns section, enter the pattern and click the add icon.
Recognition method - Keyword
Description - Applies the action specified in the policy capability rule if the file contents match the threshold for the keyword. For example, Confidential, Secret.
Action - In the Keywords section, enter the keywords and click the add icon.
Recognition method - Dictionary
Description - Applies the action specified in the policy capability rule if the file contents match the threshold for the terms in the dictionary. For example, Spain, China, United Kingdom.
Each term must be on its own line, and the file must be UTF-8 encoded.
Note - The recommended file formats are .doc, .docx and .txt.
Action - Upload the dictionary file.
Recognition method - Weighted Words
Description - Applies the action specified in the policy capability rule if the file contains the keywords and their cumulative weight matches or exceeds the threshold. Use this method to specify multiple keywords of different importance.
For example, consider two keywords:
-
credit with Weight=1 and Max. Weight=3
-
transaction with Weight=2 and Max. Weight=30
and Matching Threshold=15.
If the file contains six occurrences of credit, each contributing a Weight of 1, the raw weight is 1x6=6. Because Max. Weight=3, the final weight for credit is 3.
If the file contains eight occurrences of transaction, each contributing a Weight of 2, the raw weight is 2x8=16. Because this is below Max. Weight=30, the final weight for transaction is 16.
The sum of the final weights, 3+16=19, is greater than the Matching Threshold of 15, so the system applies the action specified in the policy capability rule.
If the sum of the final weights is less than the Matching Threshold, the action is not applied and the file upload is allowed.
Action -
-
Click New.
-
Enter these:
-
Keyword
-
Weight - Weight added for each occurrence of the keyword.
-
Max. Weight - Maximum total weight the keyword can contribute.
-
If the keyword is a regular expression, turn on the Regex toggle button.
-
Click Add.
-
Repeat these steps for each additional keyword.
Recognition method - Template
Description - Applies the action specified in the policy capability rule if the file contents match the template. For example, a template with a set header, footer and logo.
If the template contains images, DLP is triggered only if the file contains the images in the same format as in the specified template.
Action - Upload the template file.
Recognition method - File attribute
Description - Applies the action specified in the policy capability rule if the file:
-
Matches the specified file name.
-
Is equal to or larger than the specified file size.
-
Matches the specified file type.
Action - Select any of these and enter a value:
-
File name: For example, Account Numbers, Employee Details.
-
File size: File size in Byte, KB, MB or GB.
-
File type: Click the add icon and select the file type(s) from the list.
-
Click Next.
Note - This step does not apply to Template and File attribute recognition methods.
-
Select the matching threshold.
The minimum number of times the matching criteria must be present in the file to trigger the DLP action. For example, if the matching criteria is Keyword, the value is credit and the Matching Threshold is 5, the system takes the action specified by the policy capability rule if the file contains the term credit five times or more.
Note - This step does not apply to Template and File attribute recognition methods.
-
Click Finish.
The new custom data type is listed under Custom Data Types.
-
To permanently save all the changes to the database, click Save at the top.
The change detected window appears.
-
Click Confirm.
-
To discard all the changes, click Discard at the top.
The change detected window appears.
-
Click Confirm.
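To make the threshold and weighting semantics of the recognition methods concrete, here is an added Python model of them. It is example code, not the Harmony SASE scanner; the function names, the constructed sample texts and the assumption that a matching threshold counts occurrences of all listed terms together are its own. It reproduces the credit/transaction calculation above, shows how the EMP-\d{5} pattern behaves on a six-digit ID, and applies the 16 MB limit and the Detect/Prevent actions from the policy.

```python
"""Model of the DLP recognition methods, thresholds and actions described on this page
(added example, not Check Point code)."""
import re
from dataclasses import dataclass
from typing import List

MAX_SCANNED_BYTES = 16 * 1024 * 1024  # Known Limitations: larger files are not scanned


@dataclass(frozen=True)
class WeightedWord:
    term: str
    weight: int       # weight added for each occurrence
    max_weight: int   # cap on this term's total contribution
    regex: bool = False


def count_matches(text: str, term: str, regex: bool = False) -> int:
    """Occurrences of a literal keyword or a regex pattern in the file text."""
    pattern = term if regex else re.escape(term)
    return len(re.findall(pattern, text, flags=re.IGNORECASE))


def threshold_met(text: str, terms: List[str], threshold: int, regex: bool = False) -> bool:
    """Pattern, Keyword and Dictionary methods: the action triggers once the criteria
    occur at least `threshold` times. Assumption of this example: occurrences of
    different terms are summed together."""
    return sum(count_matches(text, t, regex) for t in terms) >= threshold


def weighted_score(text: str, words: List[WeightedWord]) -> int:
    """Weighted Words: each occurrence adds `weight`, and a term never contributes
    more than its `max_weight`."""
    return sum(min(count_matches(text, w.term, w.regex) * w.weight, w.max_weight)
               for w in words)


def rule_outcome(size_bytes: int, matched: bool, action: str) -> str:
    """What happens to an uploaded file under a rule whose action is Detect or Prevent."""
    if size_bytes > MAX_SCANNED_BYTES:
        return "not-scanned"          # the 16 MB limit means a Prevent rule cannot block it
    if not matched:
        return "allowed"
    return "blocked+logged" if action == "Prevent" else "logged"


# Constructed sample inputs (not from the page).
FINANCE_TEXT = " ".join(["credit"] * 6 + ["transaction"] * 8)
WEIGHTED = [WeightedWord("credit", weight=1, max_weight=3),
            WeightedWord("transaction", weight=2, max_weight=30)]
HR_TEXT = "Staff IDs: EMP-12345 and EMP-00042; draft EMP-1234; legacy export EMP-123456"

if __name__ == "__main__":
    print(weighted_score(FINANCE_TEXT, WEIGHTED))                # 19: min(6,3) + min(16,30)
    print(threshold_met(FINANCE_TEXT, ["credit"], 5))            # True
    print(count_matches(HR_TEXT, r"EMP-\d{5}", regex=True))      # 3: EMP-123456 also matches
    print(count_matches(HR_TEXT, r"\bEMP-\d{5}\b", regex=True))  # 2: word boundaries fix that
    print(rule_outcome(17 * 1024 * 1024, True, "Prevent"))       # not-scanned
```

The unanchored EMP-\d{5} pattern from the table also fires on the first five digits of a longer ID such as EMP-123456; adding \b on both sides, as the second call does, restricts matches to exactly five digits, which matters when the threshold is low and false positives would block uploads.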
Creating a Custom Data Type Group
To create a custom data type group:
-
Sign in to the Check Point Infinity Portal and access the Harmony SASE Administrator Portal.
-
Click Data Loss Prevention.
-
Click the Data Type Manager tab.
-
Click New and select Group.
The New Data type Group window appears.
-
Enter a group name, object comment (optional) and description.
-
To add predefined data types to the group, click in the Predefined Data types field and select the data type.
-
To add custom data types to the group, click in the Custom Data types field and select the data type.
-
Click Save.
The new data type group is listed under My Groups.
-
To permanently save all the changes to the database, click Save at the top.
The change detected window appears.
-
Click Confirm.
-
To discard all the changes, click Discard at the top.
The change detected window appears.
-
Click Confirm.
Adding an existing Data Type to a Group
To add an existing data type to a group:
-
Sign in to the Check Point Infinity Portal and access the Harmony SASE Administrator Portal.
-
Click Data Loss Prevention.
-
Click the Data Type Manager tab.
-
In the Data Type Name list, expand Custom Data Types or Predefined Data Types and select the data type.
-
Click Add to group.
-
Select the group(s) from the list.
-
Click Add.
-
To permanently save all the changes to the database, click Save at the top.
The change detected window appears.
-
Click Confirm.
-
To discard all the changes, click Discard at the top.
The change detected window appears.
-
Click Confirm.
Managing a Data Type or Group
-
Sign in to the Check Point Infinity Portal and access the Harmony SASE Administrator Portal.
-
Click Data Loss Prevention.
-
Click the Data Type Manager tab.
-
In the Data Type Name list, expand the DLP group and select the data type or the group.
-
To edit a data type or group, click Edit.
-
To duplicate a data type or group, click Duplicate.
-
To delete a data type or group, click Delete.
The Deleting a data type window appears.
Note - Before you delete a data type, make sure to remove the data type from the group(s) and policy capability rules.
-
Click Delete Data Type.
-
To permanently save all the changes to the database, click Save at the top.
The change detected window appears.
-
Click Confirm.
-
To discard all the changes, click Discard at the top.
The change detected window appears.
-
Click Confirm.
Managing Microsoft Sensitivity Labels for DLP
Harmony SASE allows you to integrate Sensitivity labels from Microsoft Purview Information Protection into your DLP system, providing an additional layer of data protection based on predefined sensitivity classifications.
Step 1 - Copy the Microsoft Sensitivity label names and their UUIDs from Microsoft Purview
-
Log in to Microsoft Purview Portal: https://purview.microsoft.com/
-
Go to Solutions > Information protection > Labels.
-
Click the label name for which you want to find the UUID.
-
Copy the UUID in the Label ID or GUID section.
-
Install the Exchange Online Management module. The Microsoft Purview Security & Compliance PowerShell cmdlets connect through this module.
-
Open PowerShell as an administrator.
-
Run the following command:
Install-Module -Name ExchangeOnlineManagement -Force
-
If the system prompts you to install NuGet or to trust the repository, enter Y and press Enter.
-
Connect to the Microsoft Purview Security & Compliance Center.
-
Run the following command to create a session:
Connect-IPPSSession
-
In the Microsoft login page that appears, authenticate with Microsoft 365 administrator credentials.
Note - The administrator must have the Compliance Administrator or Information Protection Administrator role.
-
If your Microsoft Purview portal has Multi-Factor Authentication (MFA), complete the MFA process.
Once authenticated, the session connects to the Microsoft Purview Security & Compliance Center and you can run Microsoft Purview Security & Compliance PowerShell commands, such as those that manage labels, policies or settings.
-
To view the UUID of each label, run the following command:
Get-Label | Select-Object DisplayName, Name, Guid
-
Copy the UUID of the labels.
-
To disconnect the session, run the following command:
Disconnect-ExchangeOnline
Step 2 - Creating Microsoft Sensitivity Labels in Harmony SASE
-
Log in to the Infinity Portal and access the Harmony SASE Administrator Portal.
-
Go to Policy > Data Loss Prevention and click DLP Data Type Manager.
-
Click Manage Labels.
The Manage Sensitivity Labels Dashboard window appears.
-
Click New.
-
In the Name field, enter a name for the label. For example, R&D Source Code.
-
In the UUID field, enter the label UUID. For more information, see Step 1 - Copy the Microsoft Sensitivity label names and their UUIDs from Microsoft Purview.
-
Click Add.
-
Click OK.
Note - The newly created label is now listed in Sensitivity Labels under Data Type Name section.
It also shows the label details:
-
Date modified
-
Description
-
Tags - Shows tags assigned, if any, for further categorization
-
Where used - Shows the DLP rule name that uses this label to enforce protection.
-
Groups - Shows if the label is part of any group.
You can use Tags and Groups to better organize and manage the sensitivity labels.
-
To edit a label, select the label you want to edit, click Edit, update the fields and then click Apply.
-
To delete a label, select the label you want to delete, click Delete and then click Delete Data Type.
-
Click Save.
-
Click Confirm.
Step 3 - Assign Sensitivity Labels to DLP Rules
After creating Sensitivity labels in Harmony SASE, you must assign them to the DLP rules to enforce data protection based on these sensitivity labels.
To assign sensitivity labels to a DLP rule, see Creating a DLP Rule.
DLP Logs
-
Logs are sent for Prevent and Detect.
-
A file upload event generates a log for each handled file, regardless of whether the rule action was Prevent or Detect.