Securing Data

In This Section:

Overview

Enabling DLP

DLP Rule Base

Analyzing and Tracking DLP

To Learn More About Data Loss Prevention

Overview

Data is more accessible and transferable today than ever before, and most of it is sensitive at some level. Some data is confidential simply because it is internal to the organization and is not meant to be available to the public. Some data is sensitive because of corporate requirements and legal regulations.

The Check Point Data Loss Prevention Software Blade (DLP) lets you use the Firewall to prevent users from sending sensitive data to external networks. DLP helps you implement an automated corporate policy that catches sensitive and protected data before it leaves your organization.

Data Loss Prevention Features

These are the features that the Data Loss Prevention Software Blade uses:

Using a Mail Relay and Mail Server

You can configure the Security Gateway to send email notifications to users and Data Owners. If you are using email notifications, it is necessary for the Security Gateway to access a mail server and a mail relay.

We recommend that you use different computers for a mail server and a mail relay. For more about other deployments, see the R80.10 DLP Administration Guide.

Enabling DLP

You can configure a DLP rule that sends users to the DLP portal when they send questionable data. This rule lets users decide if they will send data that can potentially violate the security policy.

The DLP portal is a web page that informs users that the specified data may violate company policy. If the user chooses to send the data anyway, that decision is logged.

Important - If you are using Data Owners, it is necessary to configure a mail server in the DLP Portal and Mail Server window.

To enable DLP on an existing Security Gateway or cluster:

  1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

    The General Properties window of the gateway opens.

  2. From the navigation tree, select the General Properties view.
  3. In the Network Security tab, select Data Loss Prevention.

    The Data Loss Prevention Wizard opens.

  4. Click Next.

    The Email Domain and Active Directory page opens.

  5. Enter the email domain for your company to let DLP distinguish between internal and external email addresses.
  6. Optional: To enable the Security Gateway to access user information in an AD, enter the AD user name and password.

    The Security Gateway uses this information in the definition of My Organization.

  7. Click Next.

    The My Organization Name page opens.

  8. Enter different names and phrases that are used to identify your organization.

    DLP uses these names to accurately detect incidents of data loss.

  9. Click Next.

    The DLP Portal and Mail Server page opens.

  10. Optional: Enable the DLP portal.

    NOTE: It is not necessary to enable the DLP portal if UserCheck is enabled.

    1. Select Activate DLP Portal for Self Incident Handling.
    2. In Main URL, enter the URL for the DLP portal.
  11. Optional: Enable a mail server to send DLP emails to users about possible DLP incidents.
    1. Select Mail Server.
    2. From Send emails using this mail server, select a mail server or click New.
    3. To create a new mail server, in the Mail Server window enter the settings for the mail server and click OK.
  12. Click Next.

    The Protocols page opens.

  13. Select one or more of these protocols to which the DLP policy applies.
    • Email
    • Web
    • File Transfer
  14. Click Next.

    The Data Loss Prevention Blade Setup is Completed window opens.

  15. Click Finish.

Adding Data Owners

When DLP incidents are logged, the DLP gateway can send automatic notifications to the Data Owners.

To add Data Owners to a Data Type:

  1. In SmartConsole, go to Manage & Settings > Blades.
  2. In the Data Loss Prevention section, click Configure in SmartDashboard.

    SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.

  3. From the navigation tree, select Data Types.
  4. Double-click a data type.

    The data type properties window opens.

  5. From the navigation tree, select Data Owners.
  6. Click Add.

    The Add Data Owners window opens.

  7. Select the user or group who is responsible for this data and click Add.

    If the data owner is not in the list, click New. In the Email Addresses window, enter the name and email address of the data owner (or name a list of email addresses).

  8. Add as many data owners as needed.
  9. Click OK.

Notifying Data Owners

DLP can send automatic messages to Data Owners for incidents that involve the applicable data types.

To configure Data Owner notification:

  1. In SmartConsole, go to Manage & Settings > Blades.
  2. In the Data Loss Prevention section, click Configure in SmartDashboard.

    SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.

  3. From the navigation tree, select Policy.
  4. Right-click the Track cell of the rule and select Email.

    The Email window opens.

  5. Select When data is matched.

    Data Owners are added to the Email Notification list.

  6. Optional: Click Add and add more users to send notification emails to.
  7. Use the default notification email message, or click Customize and enter the message.

    The default message is: The Check Point Data Loss Prevention system has found traffic which matches a rule

  8. Click OK.

Using DLP with Microsoft Exchange

Internal emails between Microsoft Exchange clients use a proprietary protocol that the Security Gateways do not inspect. To scan internal emails between Microsoft Exchange clients, you must install an Exchange Security Agent on the Exchange Server. The agent forwards emails to the Security Gateway for inspection over SMTP encrypted with TLS, so the Exchange server must be able to communicate with the Security Gateway for Data Loss Prevention on Microsoft Exchange to work.

An Exchange Security Agent must be installed on each Exchange Server that sends traffic to the Security Gateway with DLP. Each agent is centrally managed through SmartDashboard and can only send emails to one Security Gateway. If your organization uses Exchange servers for all of its emails, you can also use this setup for scanning all emails.

To use the Exchange Security Agent it is necessary to configure settings in SmartConsole and on the Exchange server. For more about configuring an Exchange Security Agent, see sk103166.

DLP Rule Base

The rules in the DLP Rule Base are not applied sequentially; every rule is evaluated against each data transmission. If the data matches multiple rules, the most restrictive rule is applied. The order from most restrictive to least is:

  1. Rule with an exception
  2. Action - Prevent
  3. Action - Ask User
  4. Action - Inform User
  5. Action - Detect

Managing the DLP Rule Base

Use SmartDashboard to create and configure DLP rules.

To open the DLP Rule Base:

  1. In SmartConsole, go to Manage & Settings > Blades.
  2. In the Data Loss Prevention section, click Configure in SmartDashboard.

    SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.

  3. From the navigation tree, click Policy.

These are the fields that manage the rules for the DLP Rule Base.

Field

Description

Flag

Mark a rule to Follow Up or Improve Accuracy.

Name

Name of the rule.

Data

Data type for this rule.

Source

Who or what starts the connection: Users and Administrators, network, or email domains. If Identity Awareness is enabled, you can use Access Roles.

Destination

Who or what completes the connection: Users and Administrators, network, or email domains. If Identity Awareness is enabled, you can use Access Roles.

Protocol

Type of network protocol for this rule.

Exceptions

Number of exceptions that allow traffic for this rule.

Action

DLP action that is done when traffic matches the rule.

Track

Tracking and logging action that is done when traffic matches the rule.

Severity

Set the severity level for this rule. Use Severity to help filter Data Loss Prevention incidents with SmartEvent.

Install On

Network objects that will get the rule of the security policy. The Policy Targets option installs the rule on all firewall gateways.

Time

Time period that DLP enforces this rule.

Category

DLP category for this rule.

DLP Rule Exceptions

When a data transmission matches the criteria of an exception to a DLP rule, that rule's Action is not applied. If the data matches two DLP rules and only one of them has a matching exception, the rule without the exception is still applied.

To create an exception for a DLP rule:

  1. In SmartConsole, go to Manage & Settings > Blades.
  2. In the Data Loss Prevention section, click Configure in SmartDashboard.

    SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.

  3. From the navigation tree, select Policy.

    The Policy window opens and shows the DLP Rule Base.

  4. Right-click the Exceptions cell for a rule and select Edit.

    The Exceptions for Rule window opens.

  5. Click New Exception.
  6. Configure these settings for the exception: Data Type, Source, Destination, Protocol.
  7. Click OK.
  8. Install the policy.

DLP Rule Actions

For each DLP rule that you create for a data type, you also define what action is to be taken if the rule matches a transmission.

Action

Description

Detect

The Firewall sends the data. The event is logged in the Logs & Monitor > Logs view and is available for your review and analysis in the Logs & Monitor Access Control views and SmartEvent. The data and the email itself, or the properties of the transmission if not email, are saved in storage for future reference.

Inform User

The Firewall sends the data, but the incident is logged and the user is notified.

Ask User

The Firewall blocks the data and DLP holds it until the user verifies that it should be sent. A notification, usually with a remediation link to the Self Incident Handling portal, is sent to the user. The user decides whether the transmission should be completed or not. The decision itself is logged in the Logs & Monitor Logs tab of SmartConsole. Look at the predefined query: DLP > User Actions.

Prevent

The Firewall blocks the data.

Note: Check Point does not recommend using the Prevent action as a first choice. The action may prove disruptive. To improve the accuracy of rule matches, set rules to Prevent only when you have tested them with the less strict actions over a reasonable amount of time.

Watermark

Tracks Microsoft Office documents (Word, Excel, or PowerPoint files from Office 2007 and higher) and adds visible watermarks or invisible encrypted text.

  • By default, all rules are created without a watermark action.
  • Watermarks can be created and edited without having to apply them.
  • Once a watermark object is created, it can be reused in multiple rules.

Sample Rule Base

This is a sample DLP Rule Base. These are the settings for each rule (the columns of the rule table are not reproduced here):

Salesforce Reports - When users send data that matches the Salesforce Reports Data Type category, they are asked to confirm the data transmission. A watermark with the word Restricted is added to Microsoft Word, Excel and PowerPoint files. This incident is logged with High severity.

PCI - Credit Card Numbers - Users are blocked from sending data that matches the PCI - Cardholder Data, and PCI - Credit Card Numbers Data Type categories. These incidents are logged with Critical severity.

SEC Filings - Draft or Recent - Data transmissions that match the SEC Filings - Draft or Recent Data Type category are logged with High severity. An email is sent to the Data Owners for each incident.

Source Code - Data transmissions that match the Source Code Data Type category are logged with High severity. A pop-up window opens in SmartView Monitor for each incident.
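The following model, added here as an example and not taken from Check Point, puts the sample Rule Base above together with the matching semantics described under DLP Rule Base and DLP Rule Exceptions: every rule is evaluated against a transmission, a matching exception removes that rule's Action, and the most restrictive remaining Action wins. The rule names, Data Types, actions and severities come from the sample; the exception on the Source Code rule, the Track option names, the treatment of Track and Watermark across several matched rules, and the field names are assumptions made for the example.

```python
"""Added model (not Check Point code) of how the DLP Rule Base picks an action
when one transmission matches several rules, including rule exceptions."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Union

# Most restrictive first, in the order the guide lists the actions.
ACTION_RANK = {"Prevent": 3, "Ask User": 2, "Inform User": 1, "Detect": 0}

Pattern = Union[str, Set[str]]  # "Any" or a set of allowed values


@dataclass(frozen=True)
class Transmission:
    data_types: frozenset   # Data Type categories detected in the content
    source: str             # user or address that starts the connection
    destination: str
    protocol: str           # "Email", "Web" or "File Transfer"


@dataclass
class Match:
    """Matching criteria shared by rules and by their exceptions."""
    data_types: Pattern = "Any"
    source: Pattern = "Any"
    destination: Pattern = "Any"
    protocol: Pattern = "Any"

    @staticmethod
    def _hit(pattern: Pattern, values: Set[str]) -> bool:
        return pattern == "Any" or bool(set(pattern) & values)

    def matches(self, t: Transmission) -> bool:
        return (self._hit(self.data_types, set(t.data_types))
                and self._hit(self.source, {t.source})
                and self._hit(self.destination, {t.destination})
                and self._hit(self.protocol, {t.protocol}))


@dataclass
class Rule:
    name: str
    match: Match
    action: str
    severity: str
    track: tuple = ("Log",)          # Track option names are assumed
    watermark: Optional[str] = None
    exceptions: List[Match] = field(default_factory=list)


def evaluate(rules: Iterable[Rule], t: Transmission) -> dict:
    """Check every rule (no first-match semantics) and return the enforced result."""
    applied, excepted = [], []
    for r in rules:
        if not r.match.matches(t):
            continue
        # Exceptions are checked first: a matching exception removes the rule's Action.
        if any(e.matches(t) for e in r.exceptions):
            excepted.append(r.name)
        else:
            applied.append(r)
    if not applied:
        return {"action": None, "rules": [], "excepted": excepted,
                "severity": None, "watermarks": [], "track": set()}
    winner = max(applied, key=lambda r: ACTION_RANK[r.action])
    return {
        "action": winner.action,              # most restrictive matched action
        "severity": winner.severity,
        "rules": [r.name for r in applied],
        "excepted": excepted,
        # Assumption: every applied rule still logs and notifies according to its
        # own Track setting, and its watermark is listed even if the data is blocked.
        "track": {x for r in applied for x in r.track},
        "watermarks": [r.watermark for r in applied if r.watermark],
    }


# The sample rule base from the guide; the exception on the Source Code rule is
# constructed for this example to show how exceptions behave.
SAMPLE_RULE_BASE = [
    Rule("Salesforce Reports", Match(data_types={"Salesforce Reports"}),
         action="Ask User", severity="High", watermark="Restricted"),
    Rule("PCI - Credit Card Numbers",
         Match(data_types={"PCI - Cardholder Data", "PCI - Credit Card Numbers"}),
         action="Prevent", severity="Critical"),
    Rule("SEC Filings - Draft or Recent",
         Match(data_types={"SEC Filings - Draft or Recent"}),
         action="Detect", severity="High", track=("Log", "Email Data Owners")),
    Rule("Source Code", Match(data_types={"Source Code"}),
         action="Detect", severity="High", track=("Log", "Alert"),
         exceptions=[Match(source={"build@example.com"},
                           destination={"git.example.com"},
                           protocol={"File Transfer"})]),
]


if __name__ == "__main__":
    email = Transmission(frozenset({"Salesforce Reports", "PCI - Credit Card Numbers"}),
                         "alice@example.com", "bob@gmail.com", "Email")
    print(evaluate(SAMPLE_RULE_BASE, email))   # Prevent wins over Ask User
    push = Transmission(frozenset({"Source Code"}), "build@example.com",
                        "git.example.com", "File Transfer")
    print(evaluate(SAMPLE_RULE_BASE, push))    # exception matched, nothing enforced
```

The point to take from running it: an email that carries both a Salesforce report and card numbers is blocked by the PCI rule even though the Salesforce rule alone would only have asked the user, and a transfer that matches the Source Code rule's exception is not an incident at all, while the same content from any other source is still detected.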

Analyzing and Tracking DLP

To keep a strong Data Loss Prevention policy, it is necessary to analyze DLP incidents regularly. These tools can help with your DLP analysis:

You can use the Follow Up flag in SmartDashboard for the DLP rules. If you find one or more incidents that you want to change or fine-tune, set the Data Type or rule to Follow Up.

Note - To view DLP incidents from a Windows 7 computer in the Logs & Monitor > Logs tab of SmartConsole, or in SmartEvent, you must install Microsoft Office 2010. These SmartConsole clients cannot show DLP incidents if EML files are associated with another application.

Analyzing DLP Incidents in the Logs

You can open the log of an incident and see the actual data that caused the incident. It is not necessary to review most of the incidents manually, but the data transmission (for example, the email or attachment) is saved.

Important - The DLP logs can contain personal emails and web posts that were captured. You must let the users know that this can happen. Failure to do so may cause your organization to be in conflict with local privacy laws.

To analyze DLP logs:

  1. In SmartConsole, go to Logs & Monitor.
  2. In Logs tab, click Favorites (star icon), and select DLP > Incidents.
  3. Select a time frame in the search field, to refine the list of incidents:
    • Last Hour
    • Today
    • Last 24 Hours
    • Yesterday
    • This Week
    • Last 7 Days
    • This Month
    • Last 30 Days
    • All Time
    • Custom - specify the Start and End date and time in the window that opens, and click OK

    The Data Loss Prevention logs for the selected time frame are shown.

Event Analysis Views Available in SmartConsole

As of R80, the Event Analysis views of the SmartEvent GUI have been incorporated into the SmartConsole Logs & Monitor view. They provide advanced analysis tools with filtering, charts, and statistics of all events that pass through enabled Security Gateways.

To Learn More About Data Loss Prevention

To learn more about securing data, see these guides: