
Data Loss Prevention by Scenario

In This Section:

Analytical Deployment

Creating New Rules

Analytical Deployment

After auditing incidents identified by heuristic-driven rules, you begin to understand the needs of your organization. You can add more Data Types to the DLP policy to fit known scenarios. You can set more rules of the DLP policy to Ask User, to gather incident-handling data from users and better analyze their needs.

Creating New Rules

Create the rules that make up the DLP policy. At this stage, before creating your own Data Types, you can use any of the numerous built-in Data Types.

To create DLP rules:

  1. In SmartDashboard, open the Data Loss Prevention tab > Policy.
  2. Click New Rule.

    A new line opens in the rule base table. The order of rules in the DLP policy does not matter. Each DLP gateway checks all installed rules.

  3. In the Data column, click the plus to open the Data Type picker. Select the Data Type that you want to match against inspected content.

    If you add multiple Data Types to one rule, they are matched on OR - if at least one of the Data Types is matched, the rule is matched.

  4. In the Source column, leave My Organization or click the plus to select a specific item from Users, Emails, or Networks.

    Note - If My Organization is the Source, you can right-click and select Edit. This opens the My Organization window, in which you can modify the definition of your internal organization. However, this definition is changed for all of DLP, not just this rule.

  5. In the Destination column, choose one of the following:
    • Leave Outside My Org - to inspect data transmissions going to a destination that is not defined in My Organization.
    • Click the plus to select a specific item from Users, Emails, or Networks.
    • If Source is not My Organization, you can select Outside Source.

      Outside Source - Used as a Destination of a DLP rule, this value means any destination that is external to the Source. For example, if the source of the rule is Network_A, and Outside Source is the destination, then the rule inspects data transmissions going from Network_A to any address outside of Network_A. In comparison, if the destination was Outside My Org, the rule would inspect only data transmissions going from Network_A to any address outside of the organization. Use Outside Source to create inter-department rules.

  6. In the Action column, do one of the following:
    • Leave Detect - To have a matching incident logged without disrupting the data transmission.
    • Right-click and select Inform User - To pass the transmission but send a notification to the user.
    • Right-click and select Ask User - To wait for the user's decision on whether to pass or discard the transmission.
    • Right-click and select Prevent - To stop the transmission.
  7. In the Track column, leave Log (to log the incident and have it in SmartView Tracker for auditing), or right-click and select another tracking option.

    You can add a notification to the Data Owners: select Email and customize the notification that the Data Owners will see if this rule is matched.

  8. In the Install On column, leave DLP Blades, to have this rule applied to all DLP Gateways, or click the plus icon and select a specific DLP gateway.
  9. In the Time column, set the date and time of day during which this policy is enforced.

    A rule that uses a time object applies only to connections that begin during the specified date and time period. If the connection continues past that time frame, it is allowed to continue. The relevant time zone is that of the Check Point Security Gateway enforcing the rule.

  10. In the Category column, right-click and select a defined category.
  11. In the Comment column, right-click and select Edit to enter a comment for the rule.

Internal DLP Policy Rules

Here are examples of how to create different types of rules that define when to examine traffic in environments you configure with the Exchange Security Agent.

Scenario 1: I want DLP to examine financial reports sent by users in the Finance department to all internal users (other than Finance department users) and external users. How can I do this?

Data              | Source       | Destination    | Exceptions | Action
------------------|--------------|----------------|------------|---------
Financial Reports | Finance_Dept | Outside Source | None       | Ask User

While this rule covers the scenario example, an organization may want fuller coverage and have stricter definitions as to what traffic is allowed and by whom. The next scenario includes a wider source definition.

Scenario 2: How do I make sure that financial reports are not sent by users outside of the Finance department?

  1. Create another rule.

    This rule applies to all traffic sent by all users in the organization (including Finance department users) to any destination.

    • Data = Financial Reports
    • Source = My Organization
    • Destination = Any - rule matching occurs for any destination internal and external
    • Action = Prevent

Data              | Source          | Destination    | Exceptions | Action
------------------|-----------------|----------------|------------|---------
Financial Reports | Finance_Dept    | Outside Source | None       | Ask User
Financial Reports | My Organization | Any            | 1          | Prevent

  2. To make sure there are no double matches in regards to reports sent by Finance department users, add an exception to the rule.

    Without an exception, if a Finance department user sends a financial report to anyone, it will match the second rule (source=My Organization) and the first rule. When data matches more than one rule, the most restrictive action is applied and multiple logs are created. So without an exception, a financial report sent from a Finance department user will be blocked based on the Prevent action in the second rule and there will be multiple logs that audit the incident.

    Exception Rule:

Data              | Source       | Destination | Protocol
------------------|--------------|-------------|---------
Financial Reports | Finance_Dept | Any         | Any

To summarize the results of these two rules:
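The following is an added example, not part of the original guide and not Check Point code: a toy evaluator that models the rule semantics this page describes (Data Types matched on OR, Destination values Outside My Org and Outside Source from step 5 of "Creating New Rules", all rules checked regardless of order, the most restrictive action applied on multiple matches, and exceptions carving traffic out of a rule). The user directory, the group membership and the ordering Detect < Inform User < Ask User < Prevent are constructed assumptions; the evaluator lets you trace why Scenario 2 needs the exception and how Scenario 3 behaves.

```python
# Added example (not Check Point code): a toy evaluator for the DLP rule semantics
# described on this page, run over constructed sample traffic.
from dataclasses import dataclass, field

# The page states that the most restrictive action wins when several rules match;
# this ranking of the four actions is an assumption used to pick that action.
ACTION_RANK = {"Detect": 0, "Inform User": 1, "Ask User": 2, "Prevent": 3}

# Constructed directory standing in for My Organization and the Finance_Dept group.
MY_ORGANIZATION = {"alice@corp.example", "bob@corp.example", "carol@corp.example"}
GROUPS = {
    "My Organization": MY_ORGANIZATION,
    "Finance_Dept": {"alice@corp.example", "bob@corp.example"},
}


@dataclass
class RuleException:
    data: set
    source: str
    destination: str


@dataclass
class Rule:
    name: str
    data: set            # Data Types; multiple types are matched on OR
    source: str          # a group name from GROUPS
    destination: str     # group name, "Any", "Outside My Org" or "Outside Source"
    action: str
    exceptions: list = field(default_factory=list)


def destination_matches(source, destination, recipient):
    """Destination semantics from step 5 of 'Creating New Rules'."""
    if destination == "Any":
        return True
    if destination == "Outside My Org":        # anything not defined in My Organization
        return recipient not in MY_ORGANIZATION
    if destination == "Outside Source":        # anything outside the rule's own Source
        return recipient not in GROUPS[source]
    return recipient in GROUPS[destination]


def rule_matches(rule, data_types, sender, recipient):
    if not rule.data & data_types:             # OR over the rule's Data Types
        return False
    if sender not in GROUPS[rule.source]:
        return False
    if not destination_matches(rule.source, rule.destination, recipient):
        return False
    # If any exception matches the transmission, the rule does not match it.
    for exc in rule.exceptions:
        if (exc.data & data_types
                and sender in GROUPS[exc.source]
                and destination_matches(exc.source, exc.destination, recipient)):
            return False
    return True


def evaluate(policy, data_types, sender, recipient):
    """Return (final action or None, names of every matched rule).

    Rule order is irrelevant: every rule is checked, the most restrictive action
    among the matches is applied, and each matched rule would produce its own log.
    """
    matched = [r for r in policy if rule_matches(r, data_types, sender, recipient)]
    if not matched:
        return None, []
    final = max((r.action for r in matched), key=ACTION_RANK.__getitem__)
    return final, [r.name for r in matched]


FIN = {"Financial Reports"}


def scenario2_policy(with_exception):
    """The two rules of Scenario 2, with or without the exception for Finance senders."""
    rule1 = Rule("Finance to Outside Source", FIN, "Finance_Dept", "Outside Source", "Ask User")
    rule2 = Rule("Anyone to Any", FIN, "My Organization", "Any", "Prevent")
    if with_exception:
        rule2.exceptions.append(RuleException(FIN, "Finance_Dept", "Any"))
    return [rule1, rule2]


def scenario3_policy():
    """Scenario 3: Ask User for everyone, except Finance-to-Finance transmissions."""
    rule = Rule("Reports to Any", FIN, "My Organization", "Any", "Ask User",
                exceptions=[RuleException(FIN, "Finance_Dept", "Finance_Dept")])
    return [rule]


if __name__ == "__main__":
    # alice (Finance) sends a financial report to carol (internal, not Finance)
    for with_exc in (False, True):
        print("Scenario 2 with exception" if with_exc else "Scenario 2 without exception",
              evaluate(scenario2_policy(with_exc), FIN, "alice@corp.example", "carol@corp.example"))
    print("Scenario 3, Finance to Finance",
          evaluate(scenario3_policy(), FIN, "alice@corp.example", "bob@corp.example"))
```

Without the exception, alice's report to carol matches both rules and the Prevent of the second rule wins, with two matched rules to log; with the exception, only the first rule matches and the user is asked. Finance-to-Finance traffic matches nothing in either scenario.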

Scenario 3: Financial reports can only be sent within the Finance department. Any user that sends a financial report from outside the Finance department will get a notification and has to make a decision relating to what to do. How can I do this?

  1. Create a rule.
    • Data = Financial Reports
    • Source = My Organization
    • Destination = Any - rule matching occurs for any destination internal and external
    • Action = Ask User

Data              | Source          | Destination | Exceptions | Action
------------------|-----------------|-------------|------------|---------
Financial Reports | My Organization | Any         | 1          | Ask User

  2. Add an exception to not include reports sent from the Finance department to the Finance department.

Data              | Source       | Destination  | Protocol
------------------|--------------|--------------|---------
Financial Reports | Finance_Dept | Finance_Dept | Any

More Options for Rules

After setting up the basics of a rule, you can do more.

Rule Names and Protocols

The names of DLP rules are not visible by default, but you may need to see or change a name. For example, if you are following the logs of a rule, you can match the name in the logs to the name in the policy.

To see rule names in the policy, right-click the rule base headers and select Name.

By default, all rules of the DLP policy scan data over the protocols as defined in the gateway properties. You can set a rule to scan only specified protocols.

To see the protocols of rules, right-click the rule base headers and select Protocol.

Setting Rule Severity

You can set the severity rating of a rule. This enables you to filter results in SmartEvent and provide more relevant reports with SmartReporter. You can also sort and group the Rule Base by severity.

Flagging Rules

You can flag a rule for different reminders. Flag a rule as Improve Accuracy if it did not catch data as expected. Flag a rule as Follow up, to set a reminder that you want to work on this rule or the Data Types used by it.

You can jump to flagged rules from Overview. In Policy you can group rules by flags.

For example, you create a new rule using the built-in Data Type Employee Names. You know that this is a placeholder Data Type - you are going to have to supply the list of names of employees in your organization. You flag this rule for Improve Accuracy and continue working on the rule base. Later you can find the rule for Employee Names easily, by grouping the rules by flags or by the Overview link. Then you can edit the Data Type, starting from Policy.

It is recommended that, if you import Data Types from Check Point or your vendor, you flag rules using these Data Types as Follow up, and check the results of these rules in SmartView Tracker and SmartEvent as soon as you can. This ensures that you get any needed assistance in understanding the Data Types and how they can be optimally used.

Logs and events generated from rules that are flagged with Follow up are also marked with Follow up. After you view the logs and events, you can remove the Follow up flag.

To see logs generated by Follow up rules:

  1. Open SmartView Tracker.
  2. In the Network & Endpoint tab, open Predefined > DLP Blade > Follow Up.

To see events generated by Follow up rules:

  1. Open SmartEvent.
  2. In the Events tab, open Predefined > DLP > DLP Follow Up Events.

Predefining Rules

You can define rules that you think you might need, and disable them until you want them to actually match traffic.

To disable rules:

  1. Open Data Loss Prevention > Policy.
  2. Right-click the rule to disable and select Disable Rule.
  3. If this changes the install policy, re-install the policy on DLP Gateways.

To enable rules:

  1. Open Data Loss Prevention > Policy.
  2. Right-click the disabled rule.

    It is marked with a red X in the rule base.

  3. Click Disable Rule to clear the selection.

Rule Exceptions

Sometimes you may want to create exceptions to a rule in the DLP policy.

For example, a public health clinic that must comply with the Health Insurance Portability and Accountability Act (HIPAA) should not allow patient records to leave the clinic's closed network. However, the clinic works with a specific social worker in a city office, who must have the records on hand for the patients' benefit. As the clinic's Security Administrator, you create an exception to the rule, allowing this data type to be sent to the specific email address. You could make this case even better: in the exception, include a secondary data type that is a Dictionary of the names of patients who have signed a waiver for the social worker to see their records. Thus, with one rule, you ensure that only records that the social worker is allowed to see are sent to the social worker's office. DLP prevents anyone from sending records to an unauthorized email address. It ensures that no employee of the clinic has to deal with personal requests to have records sent to an unauthorized destination - it simply cannot be done.

Creating Exceptions

To create an exception to a DLP rule:

  1. Open Data Loss Prevention > Policy.
  2. Right-click the Exceptions column of the rule and select Edit.

    The Exceptions for Rule window opens.

  3. Click New Exception.

    The original rule parameters appear in the table.

  4. Make the changes to the parameters to define the exception.
  5. Install the policy on the DLP gateway.

Creating Exceptions with Data Type Groups

You can define a combination of Data Types for an exception: "allow this data if it comes with the second type of data". This could be both the original Data Type and another data type - such as patient record + patient name who signed.

To specify complex Data Types for Exceptions:

  1. In the Data column of the exception, click the plus button.
  2. In the drop-down list, select the Data Types to add to the Exception.
  3. Click Add.

Creating Exceptions for Users

You can define an Exception to apply to data that comes from a specific user, group, or network: "allow this type of data if it comes from this person".

To specify Exceptions based on sender:

  1. In the Source column, click the plus button or right-click and select Add.

    The list of senders includes all defined users, user groups, networks, gateways, and nodes. If you make any selection, the default My Organization is removed.

  2. Select the objects that define the source from which this data should be allowed.

    If My Organization is the Source, you can right-click and select Edit. This opens the My Organization window, in which you can change the definition of your internal organization. This definition is changed for all of DLP, not just this rule.

Creating Exceptions for Destinations

You can define an Exception to apply to data that is to be sent to specific user, group, or network: "allow this type of data if it is being sent to this person".

To specify Exceptions based on destination:

  1. In the Destination column, click the plus button.

    The list of recipients includes all defined users, user groups, networks, gateways, and nodes. If you make any selection, the default Outside My Org (anything that is not in My Organization) is removed.

  2. Select the objects that define the destination to which this data should be allowed.

Creating Exceptions for Protocols

You can define an Exception to apply to data that is transmitted over a specific protocol: "allow this data if it is being sent over this protocol".

To specify Exceptions based on protocol:

  1. In the Protocol column, click the plus button.

    The list of protocols includes DLP supported protocols. If you make any selection, the default Any is removed.

  2. Select the protocols through which this data should be allowed.