
Fine Tuning Source and Destination

In the Rule Base, you can change the default Source (My Organization) and the default Destination (Outside My Org) to any network object, user, or group that is defined in SmartConsole, and you can fine tune user definitions specifically for DLP.

To create a domain object:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).
  2. Click New > Network Object > More > Domain.

    The New Domain window opens.

  3. In Enter Object Name, enter the URL of the domain.
  4. Clear FQDN.
  5. Click OK.
  6. Publish the changes.

Creating Different Rules for Different Departments

You can set the Source of a rule to be any defined user, group, host, network, or VPN, and then set the Destination to Outside Source. The rule then inspects data transmissions from that source to any destination outside of the source. This lets you create DLP rules that are specific to one group of users.

Note the difference between Outside Source (external to a source that is a subset of My Organization) and Outside My Org (external to My Organization).

To enable use of Outside Source, the DLP gateway must be functioning in front of the servers that handle the data transmission protocols. For example, to use Outside Source on SMTP transmissions, the DLP gateway must inspect the emails before the Mail Server does.

Alternatively, the Destination of the rule could be another user, group, host, and so on. This would create DLP rules to inspect and control the data transmissions between two groups of users.

Examples:

  1. DLP rule to prevent the Finance Department from leaking salary information to employees.
    • Source = Finance (define a group to include users, groups, or network that defines the Finance Department)
    • Destination = Outside Source (any destination outside of Finance, internal or external to My Organization)
    • Data Type = Salary Reports (define a Data Type Group that matches spreadsheets OR regular expressions for salaries in dollars - ([0-9]*),[0-9][0-9][0-9].[0-9][0-9] and employee names)

      Data             Source    Destination      Action
      Salary Reports   Finance   Outside Source   Prevent

  2. DLP rule to prevent permanent employees from sending customer lists to temporary employees.
    • Source = My Organization
    • Destination = Temps (define a group of temporary employee user accounts)
    • Data Type = Customer Names (built-in Data Type customized with your dictionary of customer names)

      Data             Source            Destination   Action
      Customer Names   My Organization   Temps         Prevent

  3. Different DLP rules for different departments.

    The Legal Department sends confidential legal documents to your legal firm. They need to be able to send to that firm, but never to leak to anyone else, either inside the organization or outside.

    HR needs to send legal contracts to all employees, but not to leak to anyone outside the organization.

    All other departments should have no reason to send legal documents based on your corporate template to anyone, with the exception of sending back the contracts to HR.

    The first rule would be:

    • Source = Legal (a group that you define to include your Legal Department)
    • Destination = Outside Source (to prevent these documents from being leaked to other departments as well as outside the organization)
    • Data = built-in Legal Documents
    • Exception = allow the data to be sent to your lawyers email address
    • Action = Ask User

    The second rule would be:

    • Source = HR
    • Destination = Outside My Org
    • Data = built-in Legal Documents
    • Action = Ask User

    The third rule would be:

    • Source = selection of all groups excluding Legal and HR
    • Destination = Outside Source (to prevent users from sharing confidential contracts)
    • Data = built-in Legal Documents
    • Exception = allow the data to be sent to HR
    • Action = Ask User

Note - In this rule, you would have to exclude the two groups if you want to ensure that the previous rules are applied. If you chose My Organization as the source of the third rule, it would apply to the users in Legal and HR and thus negate the other rules.
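The following Python model is an added example, not part of this guide and not Check Point code. It evaluates the three example rules above against constructed sample transmissions so the difference between Outside Source and Outside My Org, the effect of exceptions, and the note's warning about choosing My Organization as the third rule's Source can all be seen concretely. The user directory, addresses, group names, the "CORPORATE LEGAL TEMPLATE" marker standing in for the built-in Legal Documents Data Type, and the rule names are all assumptions; the salary pattern is the one from example 1 with its "." escaped so that it matches only a decimal point. Each rule is evaluated independently; the model does not claim anything about how the gateway resolves several matching rules.

```python
import re

# Constructed sample user directory (assumption, not from the page): address -> groups
GROUPS = {
    "alice@example.com": {"Finance"},
    "bob@example.com": {"HR"},
    "carol@example.com": {"Legal"},
    "dave@example.com": {"Engineering"},
    "temp1@example.com": {"Temps"},
}
MY_ORG_DOMAIN = "example.com"        # everything at this domain is "My Organization"
LAWYER = "counsel@lawfirm.example"   # the Legal Department's outside law firm (constructed)
ALL_GROUPS = {"Finance", "HR", "Legal", "Engineering", "Temps"}

# Salary pattern from example 1; the "." is escaped so it matches only a decimal point,
# otherwise "1,234x56" would also be treated as a salary figure.
SALARY_RE = re.compile(r"([0-9]*),[0-9][0-9][0-9]\.[0-9][0-9]")


def salary_reports(text):
    """Data Type: a dollar amount with a thousands separator and cents, e.g. 120,000.00."""
    return SALARY_RE.search(text) is not None


def legal_documents(text):
    """Stand-in for the built-in Legal Documents Data Type (constructed template marker)."""
    return "CORPORATE LEGAL TEMPLATE" in text


def in_my_org(addr):
    return addr.endswith("@" + MY_ORG_DOMAIN)


def groups_of(addr):
    return GROUPS.get(addr, set())


class Rule:
    # source: "My Organization" or a set of group names
    # destination: "Outside My Org", "Outside Source", or a set of group names
    # exceptions: addresses or group names the rule never applies to as a destination
    def __init__(self, name, source, destination, data, exceptions=(), action="Prevent"):
        self.name, self.source, self.destination = name, source, destination
        self.data, self.exceptions, self.action = data, set(exceptions), action

    def source_matches(self, addr):
        if self.source == "My Organization":
            return in_my_org(addr)
        return bool(groups_of(addr) & self.source)

    def dest_matches(self, recipient):
        if self.destination == "Outside My Org":
            return not in_my_org(recipient)            # external to the whole organization
        if self.destination == "Outside Source":
            return not self.source_matches(recipient)  # outside the Source, internal or external
        return bool(groups_of(recipient) & self.destination)

    def exempt(self, recipient):
        return recipient in self.exceptions or bool(groups_of(recipient) & self.exceptions)

    def matches(self, sender, recipient, content):
        return (self.source_matches(sender) and self.dest_matches(recipient)
                and self.data(content) and not self.exempt(recipient))


def matching_rules(rules, sender, recipient, content):
    """Names of every rule whose Source, Destination, Data Type and exceptions all match."""
    return [r.name for r in rules if r.matches(sender, recipient, content)]


# Examples 1 and 3 from the page expressed as rules (rule names are constructed labels)
RULES = [
    Rule("Finance salaries", {"Finance"}, "Outside Source", salary_reports),
    Rule("Legal to lawyers only", {"Legal"}, "Outside Source", legal_documents,
         exceptions={LAWYER}, action="Ask User"),
    Rule("HR contracts stay internal", {"HR"}, "Outside My Org", legal_documents,
         action="Ask User"),
    Rule("Others return contracts to HR", ALL_GROUPS - {"Legal", "HR"}, "Outside Source",
         legal_documents, exceptions={"HR"}, action="Ask User"),
]

# The mistake the note warns about: a third rule whose Source is My Organization
BROAD_THIRD_RULE = Rule("Broad third rule", "My Organization", "Outside Source",
                        legal_documents, exceptions={"HR"}, action="Ask User")

# Constructed message bodies
SALARY_MAIL = "Q3 payroll: total 120,000.00 for the team"
LEGAL_MAIL = "CORPORATE LEGAL TEMPLATE v2 - contract attached"

if __name__ == "__main__":
    # Legal -> outside law firm: rule 1 matches but the exception lets it through
    print(matching_rules(RULES, "carol@example.com", LAWYER, LEGAL_MAIL))
    # Legal -> Engineering: internal, yet Outside Source, so rule 1 fires
    print(matching_rules(RULES, "carol@example.com", "dave@example.com", LEGAL_MAIL))
    # With My Organization as Source, the broad third rule also catches Legal -> law firm
    print(matching_rules([BROAD_THIRD_RULE], "carol@example.com", LAWYER, LEGAL_MAIL))
```

The last call shows why the note matters: with Source = My Organization, the third rule matches the Legal Department's transmission to its law firm, which the first rule deliberately exempted.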

Isolating the DMZ

To ensure that data transmissions to the DMZ are checked by Data Loss Prevention, define the DMZ as being outside of My Organization.

For example, the PCI DSS Requirement 1.4.1 requires that a DMZ be included in the environment to prevent direct Internet traffic to and from secured internal data access points.

To ensure traffic from My Organization to the DMZ is checked for Data Loss Prevention:

  1. Make sure that the DLP gateway configuration includes a definition of the DMZ hosts and networks.
  2. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  3. From the navigation tree, click My Organization.
  4. In the Networks section, make sure that:
    • Anything behind the internal interfaces of my DLP gateways is selected
    • Anything behind interfaces which are marked as leading to the DMZ is NOT selected
  5. Click Save and then close SmartDashboard.
  6. In SmartConsole, Install Policy.

Defining Strictest Security

You may choose to define the strictest environment possible. Using these settings ensures that data transmissions are always checked for Data Loss Prevention, even if the transmission is from and within your secured environment.

Important - You must ensure that legitimate transmissions are not blocked and that Data Owners are not overwhelmed with numerous email notifications. If you do use the settings explained here, set the actions of rules to Detect until you are sure that you have included all legitimate destinations in this strict definition of what is the internal My Organization.

To define a strict My Organization:

  1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the Email Addresses section, remove the defined items.
  4. Configure the VPN settings:
    1. In the VPN section, click All VPN traffic.
    2. Click Exclusions.
    3. In the VPN Communities window, add the communities that are NOT checked by DLP.
    4. Click OK.
  5. Configure the Networks settings:
    1. In the Networks section, click Select specific networks and hosts.
    2. Click Edit.
    3. In the Networks and Hosts window, select the defined Check Point network objects to include in My Organization.
    4. Click OK.
  6. Configure the Users settings:
    1. In the Users section, click These users, user groups and LDAP groups only.
    2. Click Edit.
    3. In the User Groups and Users window, select the defined users, user groups, and LDAP groups that you want to include in My Organization.
    4. Click OK.
  7. Click Save and then close SmartDashboard.
  8. In SmartConsole, Install Policy.