The Check Point Data Loss Prevention Software Blade provides the ability for you to quickly deploy realistic out-of-the-box detection capabilities based on expert heuristics.
However, an optimal DLP policy takes time to develop. To define the data that should be prevented from transmission, you must take into account many variables, each of which changes with the context of the particular transmission: What type of data is it? Who owns it? Who is sending it? Who is the intended receiver? When is it being sent? What is the cost if tasks are disrupted because the policy is stricter than needed?
Data Loss Prevention Features
Check Point solves the complexity of Data Loss Prevention with unique features.
Without UserCheck, a security administrator, or even a security team, would have to check every email and data transfer in real time and approve or reject each. For this reason, other products offer only detection of suspicious incidents. With UserCheck, the decision-making is distributed to the users. They are presented with the reason for the data capture and must provide a reason for letting it pass (if the notification did not change their minds about sending it on). User decisions (send or discard) and reasons for sending are logged. With the original message and user decisions and reasons, you can develop an effective prevention policy based on actual use.
Data Loss Prevention Benefits
Check Point DLP saves time and significantly improves ROI. Its innovative technologies provide automation that negates the need for long and costly analysis and a team for incident handling. You can now move from a detection-only policy to an accurate and effective prevention policy without bringing in outside consultants or hiring a security team.
All of this functionality is easy to manage through SmartConsole, in an interface similar to that of other Software Blades. You are not expected to be a DLP expert from the day of deployment. Check Point Data Loss Prevention guides you on how to customize and improve your DLP policy - with the Improve Accuracy flag, for example. The DLP Software Blade comes with a large number of built-in Data Types that can be quickly applied as a default policy. You can fine-tune the out-of-the-box policy to easily convert the confidentiality and integrity guidelines of your organization into automated rules. Later, you can create your own Data Types. This cycle of updating the policy, moving from a detection policy to a preventative policy, is closed with the Check Point Logs & Monitor tool.
Content Awareness and Data Loss Prevention both use Data Types. However, they have different features and capabilities. They work independently, and the Security Gateway enforces them separately.
For more information on the Content Awareness Software Blade see the R80.30 Next Generation Security Gateway Guide.
| Item | Description |
|---|---|
| 1 | Internal network |
| 2 | Data Loss Prevention Software Blade enabled on a Security Gateway |
| 3 | Security Management Server |
| 4 | HTTP proxy |
| 5 | Mail server |
| 6 | Active Directory or LDAP server |
| 7 | Logs & Monitor view |
The DLP gateway (2) catches all traffic containing data that is sent through supported protocols. Thus, when users send data that goes to an HTTP proxy (4) or a mail server (5), for example, the DLP gateway catches the data before it leaves the organization.
The DLP gateway scans the traffic, including email attachments, for data that should be protected from being sent outside the organization. This data is recognized by protocol, source, destination, and complex Data Type representations.
It can also scan internal traffic between Microsoft Exchange clients within the organization. This requires installation of the Exchange Security Agent on the Microsoft Exchange server. The agent forwards internal emails to the DLP gateway which then scans them. If the organization only uses Exchange servers for managing emails (internal and external), you can use this setup to also scan emails that are sent outside of the organization.
If the data does not match any of the rules of the DLP policy, the traffic is allowed to pass.
In an Integrated DLP Security Gateway deployment, the Data Loss Prevention Software Blade is enabled on a Security Gateway (or a ClusterXL Security Cluster). This makes it the DLP gateway (or DLP Security Cluster). The Firewall Software Blade, and optionally, other Network Security Software Blades, are also enabled on the gateway.
If the DLP gateway is on the perimeter, the SMTP server forwards only transmissions with destinations outside of the organization to DLP. Internal and external transmissions can both be inspected by DLP if they are forwarded to DLP by the Exchange Security Agent on the Exchange Server. For external transmissions through the Exchange Security Agent, the Exchange Server must have an IP address that is reachable from the DLP gateway.
In a Dedicated DLP gateway deployment, a separate gateway (2) (or cluster) is installed in addition to the protecting gateway (3) (or cluster). The Data Loss Prevention Software Blade is enabled on that separate gateway (2).
Install the dedicated DLP gateway (2) behind the protecting Security Gateway (3) to ensure its protection. We recommend that you enable only the Data Loss Prevention Software Blade to maximize the use of available hardware resources.
Best Practice - When you set up a dedicated DLP gateway (2), configure it in Bridge Mode. The bridge is transparent to network routing.
| Item | Description |
|---|---|
| 1 | Internal network |
| 2 | Data Loss Prevention Software Blade enabled on a Security Gateway |
| 3 | Security Gateway |
| 4 | Security Management Server |
| 5 | HTTP proxy |
| 6 | Mail server |
| 7 | Active Directory or LDAP server |
| 8 | Logs & Monitor view |
As an alternative to putting the DLP gateway on the network perimeter, you can put the DLP gateway between the user networks and the servers, so that DLP inspects traffic before it reaches the servers. This deployment is required if you want to use a DLP rule that inspects data transmissions between departments.
For example, you can create a DLP rule that checks emails between internal groups: Source is a specific network, Destination is Outside Source (anything outside of this Source). Such a rule is applied only if this deployment is used, because a perimeter DLP gateway never sees traffic between two internal networks.
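The following is an added example, not Check Point code, that models how a rule like the one above is evaluated and how a UserCheck decision (described in the Features section) ends up in the log. Rule fields mirror the page's terms (Source network, Destination "Outside Source", Data Types, protocol), while the class names, the regex-based Data Types and the action labels Detect / Ask User / Prevent are this example's own assumptions. Sample networks, addresses and message bodies are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Transmission:
    """One captured data transfer (constructed sample, not a real capture)."""
    protocol: str   # e.g. "SMTP" or "HTTP"
    src_ip: str
    dst_ip: str
    body: str


@dataclass
class DataType:
    """Simplified Data Type: a name plus a regex that marks matching content."""
    name: str
    pattern: str

    def matches(self, text: str) -> bool:
        return re.search(self.pattern, text) is not None


@dataclass
class DlpRule:
    """Hypothetical rule model: Source network, Destination (CIDR or 'Outside Source'),
    Data Types, protocols, and an action (Detect / Ask User / Prevent)."""
    name: str
    source: str
    destination: str
    data_types: list
    protocols: set
    action: str

    def _destination_matches(self, t: Transmission) -> bool:
        dst = ipaddress.ip_address(t.dst_ip)
        if self.destination == "Outside Source":
            # Anything not inside the Source network, including other internal departments.
            return dst not in ipaddress.ip_network(self.source)
        return dst in ipaddress.ip_network(self.destination)

    def matches(self, t: Transmission) -> bool:
        return (
            t.protocol in self.protocols
            and ipaddress.ip_address(t.src_ip) in ipaddress.ip_network(self.source)
            and self._destination_matches(t)
            and any(d.matches(t.body) for d in self.data_types)
        )


# Constructed policy: HR records must not leave the HR network without a user
# justification; anything marked Confidential must not leave the organization.
EMPLOYEE_ID = DataType("Employee ID", r"\bEMP-\d{6}\b")
CONFIDENTIAL = DataType("Confidential marker", r"\bConfidential\b")

POLICY = [
    DlpRule("HR records to other departments", "10.1.0.0/16", "Outside Source",
            [EMPLOYEE_ID], {"SMTP", "HTTP"}, "Ask User"),
    DlpRule("Confidential data leaving the organization", "10.0.0.0/8", "Outside Source",
            [CONFIDENTIAL], {"SMTP", "HTTP"}, "Prevent"),
]


def evaluate(policy: list, t: Transmission) -> tuple:
    """First-match evaluation; traffic matching no rule is allowed to pass."""
    for rule in policy:
        if rule.matches(t):
            return rule.name, rule.action
    return "", "Allow"


def log_decision(rule_name: str, action: str, t: Transmission,
                 user_decision: str = None, user_reason: str = None) -> dict:
    """Log record for an incident. For Ask User, the user's choice (send/discard)
    and the reason they gave are recorded, which is what lets the policy be
    tuned from actual use."""
    record = {"rule": rule_name, "action": action, "protocol": t.protocol,
              "src": t.src_ip, "dst": t.dst_ip}
    if action == "Ask User":
        record["user_decision"] = user_decision
        record["user_reason"] = user_reason
    return record


if __name__ == "__main__":
    hr_to_finance = Transmission("SMTP", "10.1.2.3", "10.2.0.5", "Payroll query for EMP-123456")
    name, action = evaluate(POLICY, hr_to_finance)
    print(log_decision(name, action, hr_to_finance, "send", "Finance audit request"))
```

Note that the first transmission only matches because the DLP gateway sits between the user networks and the servers; the same HR-to-Finance email never reaches a perimeter gateway, which is the point the deployment section makes.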
| Item | Description |
|---|---|
| 1 | Internal network |
| 2 | Data Loss Prevention Software Blade enabled on a Security Gateway |
| 3 | HTTP proxy |
| 4 | Mail server |
| 5 | Active Directory or LDAP server |
You can put the DLP gateway between the users and the switch, to directly protect a subnet.
The DLP gateway captures traffic and scans it against the Data Loss Prevention policy. If the data in the traffic matches a rule in the policy: