The DLP policy defines which data is protected and over which transmission channels, including the email body, email recipients, email attachments (even if zipped), FTP upload, web post, web mail, and so on. The policy also determines the action that DLP takes when a transmission is captured.
Manage the rules of the policy in the Data Loss Prevention > Policy page.
A Data Loss Prevention rule is made up of:
Best Practice - Create user groups for data access. For example: users with access to highly sensitive data, newly hired employees, employees on notice of termination, managers with responsibilities over specific types of data.
The rule base of the DLP gateway should look familiar if you have experience with the Check Point Firewall rule base, but there are differences.
When Identity Awareness is enabled, you can create access role objects and use them in the DLP policy. When Identity Awareness is enabled, in DLP:
Email Notifications for FTP and HTTP DLP violations
In addition to email notifications on SMTP DLP violations, you can configure notifications to be sent when the violation occurs using the FTP or HTTP protocols. To send these notifications, you must:
When you select Web or FTP in the Email Notifications area, the Web and FTP options are also selected in the Learn User Actions area. This lets DLP learn how the user decides to handle a DLP incident and apply the same decision for subsequent messages.
Access Roles in the Source or Destination of a Rule
Access role objects can be used in the Source or Destination column of a DLP rule. The presence of access roles makes DLP user aware. The access role object identifies users, computers, and network locations as one object. You can select specified users, user groups, or user branches as the object.
Redirection to an Authentication Captive Portal
Captive Portal redirection only applies to the HTTP and HTTPS protocols. Redirection occurs when the sender is unknown (the IP address does not map to any user in the AD) and the Action of the DLP rule is Identity Captive Portal and one of these conditions is also met:
Redirecting to the Captive Portal lets DLP:
Once known, these users can be matched against access roles in the policy.
Note - Captive Portal redirection occurs:
To Redirect HTTP traffic to the Captive Portal:
The Action column shows Identity Captive Portal.
Identifying Users Behind a Proxy
If your organization uses an HTTP proxy server behind the gateway, the identities of users behind the proxy remain hidden (every request arrives from the proxy's address) unless you configure:
You can also configure the DLP gateway to strip the X-Forwarded-For header from outgoing traffic. Without the header, internal IP addresses are not shown in requests to the internet.
To use X-Forwarded-For HTTP header:
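The following is an added example, not Check Point code, of the two X-Forwarded-For behaviours this section describes: using the header to find the user behind a proxy, and stripping it on the way out. It models what a gateway-side identity lookup has to get right that the text only implies: the header is set by whoever sends the request, so it is only believable when the TCP peer is the proxy you configured (the address 10.0.0.5 and the request headers below are constructed for the example). Entries are read from the right, where the trusted proxy appends, so a value a client inserted on the left cannot impersonate another user.

```python
import ipaddress

# Constructed for this example: the internal HTTP proxies between users and the
# DLP gateway. Only these peers may vouch for an X-Forwarded-For value.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5"),
                             ipaddress.ip_address("10.0.0.6")})


def _parse_ip(text):
    """Return an ip_address or None for malformed input."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip_for_identity(peer_ip: str, headers: dict,
                           trusted_proxies=TRUSTED_PROXIES) -> str:
    """Pick the address the gateway should map to a user.

    The TCP peer is authoritative for who opened the connection.  X-Forwarded-For
    is consulted only when that peer is a configured proxy, because any client can
    put an arbitrary value in the header.  The comma-separated list is walked from
    the right (the end our proxy appended), skipping other trusted proxies, so the
    first non-proxy address seen is the one the proxy actually talked to.
    """
    peer = _parse_ip(peer_ip)
    if peer is None or peer not in trusted_proxies:
        return peer_ip                      # direct client: ignore any header it sent
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return peer_ip                      # proxy did not add the header
    for hop in reversed(xff.split(",")):
        addr = _parse_ip(hop)
        if addr is None:
            return peer_ip                  # malformed header: do not guess an identity
        if addr not in trusted_proxies:
            return str(addr)
    return peer_ip                          # only proxies listed: fall back to the peer


def strip_forwarded_for(headers: dict) -> dict:
    """Drop X-Forwarded-For from a request leaving for the internet so that
    internal addresses are not disclosed (the egress option described above)."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}


# Constructed requests for the example.
FROM_PROXY = {"Host": "example.com", "X-Forwarded-For": "192.168.1.20"}
# A client that set the header itself and connected without the proxy.
SPOOFED = {"Host": "example.com", "X-Forwarded-For": "192.168.1.20"}
# Client injected "203.0.113.7" on the left; the proxy appended the real address.
CHAINED = {"Host": "example.com", "X-Forwarded-For": "203.0.113.7, 192.168.1.20"}
# Two trusted proxies in the path; the user's address is left of both.
TWO_PROXIES = {"Host": "example.com", "X-Forwarded-For": "192.168.1.20, 10.0.0.6"}

if __name__ == "__main__":
    print(client_ip_for_identity("10.0.0.5", FROM_PROXY))      # 192.168.1.20
    print(client_ip_for_identity("192.168.1.99", SPOOFED))     # 192.168.1.99
    print(client_ip_for_identity("10.0.0.5", CHAINED))         # 192.168.1.20
    print(client_ip_for_identity("10.0.0.5", TWO_PROXIES))     # 192.168.1.20
    print(strip_forwarded_for(FROM_PROXY))                     # {'Host': 'example.com'}
```

When the function falls back to the peer address for a request that arrived through the proxy, that address maps to no user, which is exactly the "sender is unknown" condition under which the Captive Portal redirection above can be used to identify the user instead.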
Example DLP rule with Identity Awareness
These three rules show how Identity Awareness works with DLP:
Rule 1
Data | Source | Destination | Protocol | Action
---|---|---|---|---
PCI – Credit Card Numbers | Finance_Dept (Access Role) | Outside My Org | Any | Prevent
In this rule:
Rule 2
Data | Source | Destination | Protocol | Action
---|---|---|---|---
PCI – Credit Card Numbers | My Organization | Outside My Org | Any | Prevent + Identity Captive Portal
In this rule:
Note - Enabling Identity Captive Portal on this rule means that HTTP or HTTPS connections passing from inside to outside of the organization must be identified with a user.
Rule 3
Data | Source | Destination | Protocol | Action
---|---|---|---|---
PCI – Credit Card Numbers | Finance_Dept (Access Role) | Outside My Org | Any | Prevent + Identity Captive Portal
In this rule:
The DLP rule order does not matter. In this rule base, each transmission is checked against each rule.
Because the rule order does not matter, you can change the display of the DLP policy for your convenience.
If data matches a rule, and the rule has exceptions, the exceptions to a rule are checked. If the data matches any exception, DLP allows the transmission.
For example, consider a rule that captures emails containing more than fifteen employee names in the body of a message. If a user in the HR department sends a list of twenty employees to an outside address (such as their contractor), the email will be allowed without incident logging or any Data Loss Prevention action taken - because the same rule has an exception that allows users in the HR group to send lists of employee names outside your organization.
If the data matches multiple rules, one with an exception and one without exceptions, the rule without exceptions is used.
If the data matches multiple rules, the most restrictive rule is applied.
For example, if a user sends an email with an attached unencrypted PDF, the email can match two rules. One rule is Detect: detect emails to an external destination that contain PDF files. A second rule is Ask User: delay emails with PDF files that are unencrypted, until the user specifies that it is good to send. This rule will also inform the Marketing and Technical Communications manager that the PDF was released from the company to an external destination.
In this case:
For each DLP rule that you create for a Data Type, you also define what action is to be taken if the rule matches a transmission.
Action | Description
---|---
Detect | The transmission is passed. The event is logged and is available for your review and analysis in the Logs & Monitor view. The data and the email itself, or the properties of the transmission if it is not an email, are saved in storage for future reference. You can choose to notify Data Owners of the event. This is true for all the following actions as well.
Inform User | The transmission is passed, but the incident is logged and the user is notified.
Ask User | The transmission is held until the user verifies that it should be sent. A notification, usually with a remediation link to the Self Incident Handling portal, is sent to the user. The user decides whether the transmission should be completed or not. The decision itself is logged in the Logs & Monitor Logs view under the User Response category. Administrators with full permissions or with the View/Release/Discard DLP messages permission can also decide from the Logs & Monitor view whether the transmission should be completed. This is useful when the user is not available to confirm whether it should be sent.
Prevent | The data transmission is blocked. Best Practice - Check Point does not recommend using the Prevent action as a first choice. The action may prove disruptive. To improve the accuracy of rule matches, set rules to Prevent only after you have tested them with the less strict actions over a reasonable amount of time.
Watermark | Tracks outgoing Microsoft Office documents (Word, Excel, or PowerPoint files from Office 2007 and higher) by adding visible watermarks or invisible encrypted text.
Note - If data matches multiple rules, the rule with the most restrictive action is applied. The order from most restrictive to least is: Prevent, Ask User, Inform User, Detect.
The Detect action is set to rules by default because it is the least disruptive of the action options. When Data Loss Prevention discovers a transmission containing protected data, an incident is logged in the Logs & Monitor Logs view and other logging actions (if any) are taken.
You might want to leave all your rules in Detect at first. Then you can review the logs and decide which rules are needed according to your organization's actions. This could save you and your users a lot of time and make your explanations of what they need to know and what to do much more specific to their needs.
A primary consideration for creating Data Loss Prevention rules is how to audit incidents.
In the rule base of the Data Loss Prevention policy, the Track column offers these options:
Option | Meaning
---|---
 | Sends an email to a configured recipient.
Log | Records the incident in the Logs & Monitor view (all the other tracking options also log an incident).
Alert | Opens a pop-up window in SmartView Monitor.
SNMP Trap | Sends an SNMP alert to the SNMP GUI. This uses the fwd process, to run the
User Defined (alert) | Sends one of three possible customized alerts. The alerts are defined by the scripts specified in the main Menu > Global Properties > Log and Alert > Alert Commands. The alert process on the Log server runs the scripts.
Store Incident | Determines how the data should be stored and deleted (if at all). The options are:
Store Incident
Store Incident tracking options determine how data that matches a DLP rule is stored (or not stored). These options are available:
Store Option | Meaning
---|---
Yes | Note: For FTP and HTTP, only those elements of the message that violate DLP rules are stored.
Only as Text | Note: For FTP and HTTP, only those elements of the message that violate DLP rules are shown in the HTML page which stores the information.
Don't Store | When the rule is matched, the incident is logged and the data is deleted so that it cannot be viewed in the Logs & Monitor view. Note: The deletion of the data can be prevented by other store options. If a scanned message matches a number of store incident options, the option with the highest priority has precedence:
Delete | Logs the incident and immediately deletes the data. Select this option for sensitive data such as credit card numbers. Note: If the email that contains the sensitive data also has an attachment that must be watermarked, the email is not deleted. The email is saved, but you cannot view it in the Logs & Monitor view.
Resolving Store Incident Conflicts
If a scanned message matches a number of different DLP rules, and each rule has a different store option, the option with highest priority has precedence. For example, if an email matches these rules:
Rule | Store Incident Option | Priority
---|---|---
Rule_1 | Only as text | 3
Rule_2 | Yes | 2
Rule_3 | Don't store | 4
A lower priority number takes precedence. The store incident option of Rule_2 therefore has the highest priority, and the data is stored even though the email also matched a rule (Rule_3) configured to delete the data.
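The order-independent evaluation described above (every rule is checked, a matched exception excuses only its own rule, the most restrictive action wins) and the store-option precedence of this section, as one added example in Python. This is a model written for this page, not Check Point's implementation; the Rule and Transmission fields, the sample policy, the `only_as_text_first` flag standing in for the view_incident_dispute_option setting, and the data type names are all constructed. Delete and Watermark are left out of the rankings because the page gives them no place in either ordering.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Most restrictive first: Prevent > Ask User > Inform User > Detect.
# Watermark is a tracking action with no place in this ordering on the page.
ACTION_RANK = {"Prevent": 3, "Ask User": 2, "Inform User": 1, "Detect": 0}

# Store Incident priorities from the conflict example: a lower number wins,
# so Yes (2) beats Only as Text (3), which beats Don't Store (4).
# The page gives no number for Delete, so it is not modelled here.
DEFAULT_STORE_PRIORITY = {"Yes": 2, "Only as Text": 3, "Don't Store": 4}


@dataclass
class Transmission:
    data_types: set[str]   # data types the content was found to contain
    source: str            # sender's group, network or access role
    destination: str       # e.g. "Outside My Org"


@dataclass
class Rule:
    name: str
    data_type: str
    source: str = "Any"
    destination: str = "Any"
    action: str = "Detect"
    store: str = "Yes"
    # (source, destination) pairs excused from this rule only
    exceptions: list[tuple[str, str]] = field(default_factory=list)


def _col_matches(column: str, value: str) -> bool:
    return column == "Any" or column == value


def rule_fires(rule: Rule, tx: Transmission) -> bool:
    """True when the rule matches and none of its exceptions excuse the transmission."""
    matched = (rule.data_type in tx.data_types
               and _col_matches(rule.source, tx.source)
               and _col_matches(rule.destination, tx.destination))
    if not matched:
        return False
    excused = any(_col_matches(s, tx.source) and _col_matches(d, tx.destination)
                  for s, d in rule.exceptions)
    return not excused


def store_priority(only_as_text_first: bool = False) -> dict[str, int]:
    """Priority table; only_as_text_first models view_incident_dispute_option=Text."""
    prio = dict(DEFAULT_STORE_PRIORITY)
    if only_as_text_first:
        prio["Yes"], prio["Only as Text"] = prio["Only as Text"], prio["Yes"]
    return prio


def evaluate(rules: list[Rule], tx: Transmission, only_as_text_first: bool = False) -> dict:
    """Check every rule regardless of order; the most restrictive action and the
    highest-priority store option among the rules that fired are applied."""
    fired = [r for r in rules if rule_fires(r, tx)]
    if not fired:
        return {"action": "Pass", "rules": [], "store": None}   # nothing logged
    prio = store_priority(only_as_text_first)
    action = max(fired, key=lambda r: ACTION_RANK[r.action]).action
    store = min((r.store for r in fired), key=prio.__getitem__)
    return {"action": action, "rules": sorted(r.name for r in fired), "store": store}


# Constructed sample policy mirroring the PDF and employee-list examples above.
POLICY = [
    Rule("PDF to external", "PDF", destination="Outside My Org",
         action="Detect", store="Only as Text"),
    Rule("Unencrypted PDF", "Unencrypted PDF", action="Ask User", store="Yes"),
    Rule("Employee names", "Employee Names List", destination="Outside My Org",
         action="Prevent", store="Don't Store", exceptions=[("HR", "Any")]),
]
PDF_MAIL = Transmission({"PDF", "Unencrypted PDF"}, "Marketing", "Outside My Org")
HR_LIST = Transmission({"Employee Names List"}, "HR", "Outside My Org")
ENG_LIST = Transmission({"Employee Names List"}, "Engineering", "Outside My Org")

# The three-rule store conflict from this section.
CONFLICT_EXAMPLE = [
    Rule("Rule_1", "Confidential", store="Only as Text"),
    Rule("Rule_2", "Confidential", store="Yes"),
    Rule("Rule_3", "Confidential", store="Don't Store"),
]
CONFLICT_TX = Transmission({"Confidential"}, "Sales", "Outside My Org")

if __name__ == "__main__":
    for tx in (PDF_MAIL, HR_LIST, ENG_LIST):
        print(evaluate(POLICY, tx))
    print(evaluate(CONFLICT_EXAMPLE, CONFLICT_TX))
    print(evaluate(CONFLICT_EXAMPLE, CONFLICT_TX, only_as_text_first=True))
```

Reordering POLICY changes nothing in the output, which is the property the text relies on when it says rule order does not matter; the HR transmission produces "Pass" with no rules listed, matching the statement that an exception match allows the email without incident logging.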
Changing the Priority
The Only as Text store option can be configured to have a higher priority than Yes. To change the priority, edit the view_incident_dispute_option parameter in:
$DLPDIR/config/dlp.conf
Each message protocol has its own section. For example:
```
:ftp (
:enabled (1)
:maximum_words_to_log (14)
:maximum_chars_to_words_in_log (490)
:cleanup_session_files (1)
:save_incident_quota_percentage (85)
:allow_append_cmd (0)
:view_incident_dispute_option (yes)
)
```
The default value of view_incident_dispute_option is Yes. To give Only as Text precedence over Yes, change the value from Yes to Text and save dlp.conf.
The Time column in the DLP Rule table holds a time object or a group of time objects. The time object is the same object type that is used in the Firewall Rule Base.
Notes -
To create a time object:
A window opens showing a list of existing time objects. You can select an existing time object or create a new one.
Note - Existing time objects can be reused.
The days on which the time object enforces the DLP rule. The time object can enforce the DLP rule every day, on specified days of the week, in a specified month, or in all months.
If you have more than one time object, you can merge them into a group. When the condition of any one time object in the group is met, the DLP rule is enforced.
To create a time group object:
The Time Group window opens.
The DLP blade supports the extraction and scanning of these compressed archive types:
For any rule in the policy, you can choose that it be deployed on specific Enforcing Gateways.
To deploy a rule on specific Enforcing DLP Gateways:
Defined DLP Gateways appear in a menu.
Check Point Data Loss Prevention supports various data transmission protocols.
It is recommended that you enable protocols as needed in your deployment. Start with only SMTP. Observe the logs on detected emails and user responses for handling them. Later, add FTP to the policy. For emails and large uploads, users do not expect instant responses. They can handle incidents in the Portal or UserCheck client for emails and uploads without disturbing their work, especially if your users know what to expect and how to handle the incidents.
HTTP, which includes posts to web sites, comments on media sites, blogging, and web mail, is another matter. Users do expect that when they press Enter, their words are sent and received instantly. If an employee uses HTTP for mission-critical work, having to decide whether a sentence is OK to send or not every instance is going to be extremely disruptive. Therefore, it is recommended that you enable HTTP only after you have run analysis on usage and incidents.
You can also enable inspection for Exchange Agent emails and the HTTPS protocol.
To select protocol deployment for all gateways:
Important - If you clear all of the protocol checkboxes, Data Loss Prevention will have no effect.
To select protocol deployment per gateway:
The properties window of the gateway opens.