Securing Data

In This Section: Overview Enabling DLP DLP Rule Base Analyzing and Tracking DLP To Learn More About Data Loss Prevention

Overview

Data is more accessible and transferable today than ever before, and the vast majority of data is sensitive at different levels. Some is confidential simply because it is part of an internal organization and is not meant to be available to the public. Some data is sensitive because of corporate requirements and legal regulations.

The Check Point Data Loss Prevention Software Blade (DLP) lets you use the Firewall to prevent users from sending sensitive data to external networks. DLP helps you implement an automated corporate policy that catches sensitive and protected data before it leaves your organization.

For more about using DLP, see the R80.30 Data Loss Prevention Administration Guide.

Data Loss Prevention Features

These are the features that the Data Loss Prevention Software Blade uses:

• UserCheckä - Lets users handle data loss incidents with automated user notification and the unique Ask User mode. Each person in your organization learns the best practices to prevent future accidental leaks. These are the majority of DLP incidents and they can be handled quickly with the DLP Self Incident Handling Portal or the UserCheck client.
• MultiSpectä - Unmatched accuracy to identify and prevent incidents. DLP uses multi-parameter correlation with different customizable data types and with CPcode.
• Out of the Box Security - A rich set of defined data types recognizes sensitive forms, templates and data. DLP has a good out-of-the-box policy to make sure that the data stays in the internal network.
• Data Owner Auditing - Data Owners are the users in the organization that control the information and files for their own area or department. They get timely automated notifications and reports that show how their data is being moved. Without Data Owner control, system administrators can frequently be placed in an awkward position between managers and employees.
• CPcodeä - DLP supports fully customized data identification through the use of CPcode. You can define how email data matches DLP policies and rules.

  Note - See the R77 versions DLP CPcode Reference Guide.

Using a Mail Relay and Mail Server

You can configure the Security Gateway to send email notifications to users and Data Owners. If you are using email notifications, it is necessary for the Security Gateway to access a mail server and a mail relay.

We recommend that you use different computers for a mail server and a mail relay. For more about other deployments, see the R80.30 Data Loss Prevention Administration Guide.

Enabling DLP

You can configure a DLP rule that sends users to the DLP portal when they send questionable data. This rule lets users decide if they will send data that can potentially violate the security policy.

The DLP portal is a web page that informs users that the specified data is possibly against company policy. If the users Send the data, then the action is logged.

Important - If you are using Data Owners, it is necessary to configure a mail server in the DLP Portal and Mail Server window.

To enable DLP on an existing Security Gateway or cluster:

1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

   The General Properties window of the gateway opens.

2. From the navigation tree, select the General Properties view.
3. In the Network Security tab, select Data Loss Prevention.

   The Data Loss Prevention Wizard opens.

4. Click Next.

   The Email Domain and Active Directory page opens.

5. Enter the email domain for your company to let DLP distinguish between internal and external email addresses.
6. Optional: To enable the Security Gateway to access user information in an AD, enter the AD user name and password.

   The Security Gateway accesses information in the definition of My Organization.

7. Click Next.

   The My Organization Name page opens.

8. Enter different names and phrases that are used to identify your organization.

   DLP uses these names to accurately detect incidents of data loss.

9. Click Next.

   The DLP Portal and Mail Server page opens.

10. Optional: Enable the DLP portal.

    NOTE: It is not necessary to enable the DLP portal if UserCheck is enabled.

    1. Select Activate DLP Portal for Self Incident Handling.
    2. In Main URL, enter the URL for the DLP portal.
11. Optional: Enable a mail server to send DLP emails to users about possible DLP incidents.
    1. Select Mail Server.
    2. From Send emails using this mail server, select a mail server or click New.
    3. To create a new mail server, in the Mail Server window enter the settings for the mail server and click OK.
12. Click Next.

    The Protocols page opens.

13. Select one or more of these protocols to which the DLP policy applies.
    • Email
    • Web
    • File Transfer
14. Click Next.

    The Data Loss Prevention Blade Setup is Completed window opens.

15. Click Finish.

Adding Data Owners

When DLP incidents are logged, the DLP gateway can send automatic notifications to the Data Owners.

To add Data Owners to a Data Type:

1. In SmartConsole, go to Manage & Settings > Blades.
2. In the Data Loss Prevention section, click Configure in SmartDashboard.

   SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.

3. From the navigation tree, select Data Types.
4. Double-click a data type.

   The data type properties window opens.

5. From the navigation tree, select Data Owners.
6. Click Add.

   The Add Data Owners window opens.

7. Select the user or group who is responsible for this data and click Add.

   If the data owner is not in the list, click New. In the Email Addresses window, enter the name and email address of the data owner (or name a list of email addresses).

8. Add as many data owners as needed.
9. Click OK.

Notifying Data Owners

DLP can send automatic messages to Data Owners for incidents that involve the applicable data types.

To configure Data Owner notification:

1. In SmartConsole, go to Manage & Settings > Blades.
2. In the Data Loss Prevention section, click Configure in SmartDashboard.

   SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.

3. From the navigation tree, select Policy.
4. Right-click the Track cell of the rule and select Email.

   The Email window opens.

5. Select When data is matched.

   Data Owners are added to the Email Notification list.

6. Optional: Click Add and add more users to send notification emails to.
7. Use the default notification email message, or click Customize and enter the message.

   The default message is: The Check Point Data Loss Prevention system has found traffic which matches a rule

8. Click OK.

Using DLP with Microsoft Exchange

Internal emails between Microsoft Exchange clients use a proprietary protocol which is not supported by the Security Gateways. To scan internal emails between Microsoft Exchange clients, you must install an Exchange Security Agent on the Exchange Server. The agent sends emails to the Security Gateway for inspection using the SMTP protocol encrypted with TLS. To supply Data Loss Prevention for Microsoft exchange, it is necessary that the Exchange server can communicate with the Security Gateway.

An Exchange Security Agent must be installed on each Exchange Server that sends traffic to the Security Gateway with DLP. Each agent is centrally managed through SmartConsole and can only send emails to one Security Gateway. If your organization uses Exchange servers for all of its emails, you can also use this setup for scanning all emails.

To use the Exchange Security Agent it is necessary to configure settings in SmartConsole and on the Exchange server. For more about configuring an Exchange Security Agent, see sk103166.