Introduction to Data Loss Prevention

In This Section: The Need for Data Loss Prevention DLP and Privacy The Check Point Solution for DLP Role of DLP Administrator

The Need for Data Loss Prevention

Data is more accessible and transferable today than ever before, and the vast majority of data is sensitive at various levels. Some is confidential simply because it is part of an internal organization and was not meant to be available to the public. Some data is sensitive because of corporate requirements, national laws, and international regulations. Often the value of data is dependent upon its remaining confidential - consider intellectual property and competition.

Leakage of your data could be embarrassing or worse, cost you industrial edge or loss of accounts. Allowing your organization to act in non-compliance with privacy acts and other laws could be worse than embarrassing - the integrity of your organization may be at stake.

You want to protect the privacy of your organization, but with all the tools making information sharing easier, it is easier to make an irrecoverable mistake. To make the matter more complex, along with the severity of data leakage, we now have tools which inherently make it easier to happen: cloud servers, Google docs, and simple unintentional abuse of company procedures - such as an employee taking work home. In fact, most cases of data leakage occur because of unintentional leaks.

The best solution to prevent unintentional data leaks is to implement an automated corporate policy that will catch protected data before it leaves your organization. Such a solution is known as Data Loss Prevention (DLP).

Data Loss Prevention identifies, monitors, and protects data transfer through deep content inspection and analysis of transaction parameters (such as source, destination, data object, and protocol), with a centralized management framework. In short, DLP detects and prevents the unauthorized transmission of confidential information.

Note - Data Loss Prevention is also known as Data Leak Prevention, Information Leak Detection and Prevention, Information Leak Prevention, Content Monitoring and Filtering, and Extrusion Prevention.

DLP and Privacy

DLP captures original data that caused a rule match, including the body of the transmission and attached files.

Best Practice - Disclose to your users how your DLP deployment works. Tell users that transmissions that violate the data security guidelines of your organization will be stored and may be read by security personnel.

Information disclosure recommendations:

1. Disclose the privacy policy BEFORE deploying DLP.
2. Translate the most important DLP rules into guidelines and tell your users what is not allowed and will result in captured transmissions.
3. Explain that DLP scans only transmissions originating from computers inside the organization (including any source that uses organization resources, such as Remote Access or VPN connections).
4. Explain how to handle Ask User violations.

   DLP incident notifications can be sent by email (for SMTP traffic) or shown in a system tray popup from the UserCheck client (for SMTP, HTTP, FTP, etc).

   If the incident of the notification is in Ask User mode, the user can click the Send or Discard link in the popup of UserCheck client: to handle the incident in real-time.

Important - Make your users are aware of the purpose of the UserCheck client: handle the DLP options directly from the popup.

If the user exits the client, the alternative web page that provides the Ask User options may not function.

1. Explain that captured transmissions will be logged and saved, and that some may be reported to managers (Data Owners).
2. Explain that captured emails, attachments, web posts, etc. will be available for review by security personnel.
3. Explain that review of original transmissions is for organization data security alone - you are not collecting personal information. Therefore, your users do not have, nor require, the option to not have their transmissions scanned.
4. Make sure that you maintain your guidelines: do not keep or use original transmissions for any use other than review of DLP incidents and rules.

The Check Point Solution for DLP

The Check Point Data Loss Prevention Software Blade provides the ability for you to quickly deploy realistic out-of-the-box detection capabilities based on expert heuristics.

However, optimal DLP must take time. To define data that should be prevented from transmission, you must take into account many variables, each changing in the context of the particular transmission: What type of data is it? Who owns it? Who is sending it? Who is the intended receiver? When is it being sent? What is the cost if tasks are disrupted because the policy is stricter than needed?

Data Loss Prevention Features

Check Point solves the complexity of Data Loss Prevention with unique features.

• UserCheckä - Provides rapid response for incident handling with automated user notification and the unique Ask User mode. Each person in your organization learns best practices as needed, preventing future unintentional leaks - the vast majority of DLP incidents - and quickly handling immediate incidents. The user handles these incidents either through the DLP Self Incident Handling Portal or through the UserCheck client.

  Without UserCheck, a security administrator, or even a security team, would have to check every email and data transfer in real time and approve or reject each. For this reason, other products offer only detection of suspicious incidents. With UserCheck, the decision-making is distributed to the users. They are presented with the reason for the data capture and must provide a reason for letting it pass (if the notification did not change their minds about sending it on). User decisions (send or discard) and reasons for sending are logged. With the original message and user decisions and reasons, you can develop an effective prevention policy based on actual use.

• MultiSpectä - Provides unmatched accuracy in identifying and preventing incidents through multi-parameter correlation with Compound Data Types and customizable Data Types with CPcode.
• Out of the Box Security - A rich set of pre-defined Data Types recognizes sensitive forms, templates, and data to be protected. The Data Types are enforced in an effective out-of-the-box policy.
• Data Owner Auditing - The Data Owner is the person responsible for controlling the information and files of his or her own area in the corporation. Data Owners get timely and relevant information through automated notifications and reports that show exactly how their data is being moved. Check Point DLP gives Data Owners the information they need to handle usage issues directly related to their areas of responsibility. Without Data Owner control, the security administrator would often be placed in an awkward position between managers and employees.
• CPcodeä - DLP supports fully customized data identification through the use of CPcode. You define how data is to be matched by DLP, with the greatest flexibility possible. See the R77 CPcode DLP Reference Guide.

Data Loss Prevention Benefits

Check Point DLP saves time and significantly improves ROI. Its innovative technologies provide automation that negates the need for long and costly analysis and a team for incident handling. You can now move from a detection-only policy to an accurate and effective prevention policy without bringing in outside consultants or hiring a security team.

All of this functionality is easy to manage through the SmartConsole, in an interface similar to other Software Blades. You are not expected to be a DLP expert from the day of deployment. Check Point Data Loss Prevention guides you on how to customize and improve your DLP policy - with the Improve Accuracy flag, for example. The DLP Software Blade comes with a large number of built-in Data Types that can be quickly applied as a default policy. You can fine-tune the out-of-the-box policy to easily convert the confidentiality and integrity guidelines of your organization into automated rules. And later, you can create your own Data Types. This cycle of updating the policy, moving from a detection policy to a preventative policy, is close with the Check Point Logs & Monitor tool.

Content Awareness Software Blade

Content Awareness and Data Loss Prevention both use Data Type. However, they have different features and capabilities. They work independently, and the Security Gateway enforces them separately.

For more information on the Content Awareness Software Blade see the R80.10 Next Generation Security Gateway Guide.

How DLP Works

Item	Description
1	Internal network
2	Data Loss Prevention Software Blade enabled on a Security Gateway
3	Security Management Server
4	HTTP proxy
5	Mail server
6	Active Directory or LDAP server
7	Logs & Monitor view

1. The Data Loss Prevention Software Blade is enabled on a Security Gateway (2) (or a ClusterXL Security Cluster). This makes it a DLP gateway (or a DLP Security Cluster). Alternatively, a dedicated DLP gateway can sit behind a protecting Security Gateway.
2. You use the SmartConsole and the Security Management Server (3) to install the DLP Policy on the DLP gateway.
3. The DLP gateway (2) uses the built-in Data Types and rules to provide out-of-the-box Data Loss Prevention. It may use the Active Directory or LDAP server (6) to identify the internal organization.

   It catches all traffic containing data and being sent through supported protocols. Thus, when users send data that goes to an HTTP proxy (4) or a mail server (5), for example, the DLP gateway catches the data before it leaves the organization.

   It scans the traffic, including email attachments, for data that should be protected from being sent outside the organization. This data is recognized by protocol, source, destination, and complex Data Type representations.

   It can also scan internal traffic between Microsoft Exchange clients within the organization. This requires installation of the Exchange Security Agent on the Microsoft Exchange server. The agent forwards internal emails to the DLP gateway which then scans them. If the organization only uses Exchange servers for managing emails (internal and external), you can use this setup to also scan emails that are sent outside of the organization.

   If the data does not match any of the rules of the DLP policy, the traffic is allowed to pass.

4. The Logs & Monitor view (7) provides effective logging, tracking, event analysis, and reporting of incidents captured by the DLP gateway.

Integrated DLP Security Gateway Deployment

In an Integrated DLP Security Gateway deployment, the Data Loss Prevention Software Blade is enabled on a Security Gateway (or a ClusterXL Security Cluster). This makes it the DLP gateway (or DLP Security Cluster). The firewall Software Blade, and optionally, other Network Security Software Blades, are also enabled on the gateway.

If the DLP gateway is on the perimeter, the SMTP server forwards only transmissions with destinations outside of the organization to DLP. Internal and external transmissions can be inspected by DLP if they are forwarded to DLP by the Exchange Security Agent on the Exchange Server. For external transmissions through the Exchange Security Agent the Exchange Server must have an accessible IP address to the DLP gateway.

This deployment is supported on one of these:

• An R75 or higher SecurePlatform or Gaia Security Gateway or cluster
• An open server Security Gateway or cluster

Dedicated DLP gateway Deployment

In a Dedicated DLP gateway, the Data Loss Prevention Software Blade is enabled on a gateway (2) (or a ClusterXL Security Cluster). This makes it a DLP gateway (or DLP Security Cluster). No other Network Security Software Blade, is enabled. For example, the firewall Software Blade is not enabled on the gateway, so the gateway does not enforce the Security Policy. The DLP gateway can sit behind a protecting Security Gateway (3).

Item	Description
1	Internal network
2	Data Loss Prevention Software Blade enabled on a Security Gateway
3	Security Gateway
4	Security Management Server
5	HTTP proxy
6	Mail server
7	Active Directory or LDAP server
8	Logs & Monitor view

Best Practice - When you set up a dedicated DLP gateway (2), configure the DLP gateway as a bridge. The bridge is transparent to network routing.

A dedicated DLP gateway deployment is supported on:

• R75 or higher UTM-1 or Power-1 appliance
• R75 or higher ClusterXL Security Cluster - running either on a UTM-1 or Power-1 Appliance, or on an open server.
• R71 or higher open server Security Gateway.
• R71 or higher DLP-1 appliance - This deployment supports two management modes:
  • Locally Managed - The DLP-1 appliance combines a DLP enforcement gateway together with some Security Management Server functionality. A locally managed DLP-1 appliance is responsible only for the management of its own DLP Security Policy.
  • Centrally Managed - The DLP-1 appliance only enforces the DLP Security Policy which a Security Management Server on a different machine defines and manages.

Alternative Gateway Deployments

As an alternative to putting the DLP gateway on the network perimeter, you can put the DLP gateway between the user networks and the servers, to allow DLP to inspect traffic before it goes to the servers. This deployment is the necessary configuration if you want to use a DLP rule that inspects data transmissions between departments.

For example, you can create a DLP rule that checks emails between internal groups: Source is a specific network, Destination is Outside Source (anything outside of this Source). Such a rule would be applied only if this deployment was used.

Item	Description
1	Internal network
2	Data Loss Prevention Software Blade enabled on a Security Gateway
3	HTTP proxy
4	Mail server
5	Active Directory or LDAP server

You can put the DLP gateway between the users and the switch, to directly protect a subnet.

What Happens on Rule Match

The DLP gateway captures traffic and scans it against the Data Loss Prevention policy. If the data in the traffic matches a rule in the policy:

1. Incident is logged.
   • The data is stored in a safe repository on a log server or Security Management Server that stores DLP logs.
   • The DLP gateway logs an incident with the Logs & Monitor view.
2. Action of rule is performed.
   • If the matched rule is set to Detect, the user gets no notification. A DLP log incident is created, and the actual data is stored.
   • If the matched rule is set to Inform User, DLP notifies the user that the captured traffic violates DLP rules. The traffic is passed.
   • If the matched rule is set to Ask User, DLP notifies the user that the message is being held and contains a link to the DLP Portal, where the user decides whether the transmission should go through or be dropped. User decisions, and reasons for sending, are logged for your analysis.
   • If the matched rule is set to Prevent, the traffic is blocked. The user and the Data Owner may be notified.
3. Optionally, Data Owners, and other users set to be notified, will get notification about the incident.

Role of DLP Administrator

DLP provides various auditing tools: automatic notifications to data owners when transmission of protected data was attempted; user notifications and self-handling portal; tracking and logging, event details, charts, graphs, filtered lists, and reports from the Logs & Monitor view.

Before you begin your audit, configure your DLP policy. First, define Data Types.

To create and refine the DLP policy:

• Deploy out-of-the-box Data Loss Prevention with a basic policy. This policy provides strong detection capabilities from Day-1.
• You can customize pre-defined Data Types to improve policy accuracy. Some provided Data Types are placeholders for dictionaries of proprietary information. These Data Types are flagged for your attention. Integrate your organization's data with your DLP policy to make it more accurate for your needs.
• Choose Data Types.

  Become familiar with the wide range of provided Data Types. Enable and disable the rules in the DLP policy that suit your needs.

• Create your own Data Types with the easy to use wizard.

  Enforce confidentiality guidelines of your organization. Ensure that information belonging to Data Owners stays within their control. Enforce data protection by using your Data Types in DLP rules.

• Monitor incidents and communicate to data owners.

  The DLP gateway catches attempted transmissions of protected data and logs incidents. You can see these incidents in the Logs & Monitor Logs view. You will decide, with the Data Owners, what incidents also require notification to the Data Owners. As you monitor the incidents, create guidelines to fine tune the DLP policy.

• Refine the policy.

  When an email or FTP upload is held because it matches a rule in the Data Loss Prevention policy, it disrupts users. Sometimes this is the best preventative action, but in other situations it is unnecessary. Monitor user actions to see whether users agree that the data should not have been sent or that users have reasons for the transmissions.

• Maintain policy over time.

  Generate Data Owner reports and audit user actions. Look at the logs that the Logs & Monitor Logs view provides and make sure the DLP policy works smoothly and prevents transmission of protected data.

DLP Permissions for Administrator Accounts

You can assign a DLP administrator full DLP permissions or a subset of permissions.

With full permissions, a DLP administrator can:

• See all fields of the logs in the Logs & Monitor Logs view.
• See the captured data (the actual email, FTP files and HTTP posts).
• Send or discard quarantined user emails.

An alternative to assigning a full set of permissions is to configure a subset. This gives you the flexibility to assign only some of the permissions. For example, permissions to only see the fields of the logs but not to see the captured data or send or discard quarantined emails.

Configuring Full DLP Permissions

To configure full permissions:

1. In SmartConsole, select Manage & Settings > Permissions & Administrators.
2. Double-click the administrator account or click New create a new administrator user account.

   The Administrator Properties window opens, and shows the General page.

3. In Permission Profile, click the drop-down menu and then click New.

   The Permissions Profile Properties window opens.

4. In Enter Object Name, enter the name for the DLP admin profile.
5. Make sure Read/Write All is selected.
6. From the navigation tree, click Monitoring and Logging.
7. Select these options:
   • DLP logs including confidential fields
   • View/Release/Discard DLP messages
8. Click OK.
9. Close the administrator window and publish the changes.

Configuring a Subset of Permissions

To configure a subset of permissions for the DLP administrator:

1. In SmartConsole, select Manage & Settings > Permissions & Administrators.
2. Double-click the administrator account or click New create a new administrator user account.

   The Administrator Properties window opens, and shows the General page.

3. In Permission Profile, click the drop-down menu and then click New.

   The Permissions Profile Properties window opens.

4. In Enter Object Name, enter the name for the DLP admin profile.
5. Select Customized and click Edit.
6. From the navigation tree, click Access Control.
7. In the Additional Policies section, configure Read or Write permissions for Data Loss Prevention.
8. From the navigation tree, click Monitoring and Logging.
9. Select one or more of these options:
   • DLP Logs including confidential fields - Permissions to view all fields of DLP logs in the Logs & Monitor Logs view. When this check box is cleared, an administrator sees the text **** Confidential **** and not the actual content of fields defined as confidential.
   • View/Release/Discard DLP messages - Permissions to view emails and related incidents from within the Logs & Monitor Logs view. With this permission, administrators can also release (send) or discard quarantined emails from within the Logs & Monitor Logs view.

     Note - If you select all of these options with Write permissions, the administrator has full DLP permissions.

10. Click OK.
11. Close the administrator window and publish the changes.