DLP Rule Base

The rules in the DLP Rule Base are not applied sequentially, all the rules are applied to each data transmission. If the data matches multiple rules, the most restrictive rule is applied. The order from most restrictive to least is:

1. Rule with an exception
2. Action - Prevent
3. Action - Ask User
4. Action - Inform User
5. Action - Detect

Managing the DLP Rule Base

Use SmartConsole to create and configure DLP rules.

To open the DLP Rule Base:

1. In SmartConsole, go to Manage & Settings > Blades.
2. In the Data Loss Prevention section, click Configure in SmartConsole.

   SmartConsole opens and shows the My Organization page in the Data Loss Prevention tab.

3. From the navigation tree, click Policy.

These are the fields that manage the rules for the DLP Rule Base.

Field	Description
Flag	Mark a rule to Follow Up or Improve Accuracy.
Name	Name of the rule.
Data	Data type for this rule.
Source	Who or what starts the connection: Users and Administrators, network, or email domains. If Identity Awareness is enabled, you can use Access Roles.
Destination	Who or what completes the connection: Users and Administrators, network, or email domains. If Identity Awareness is enabled, you can use Access Roles.
Protocol	Type of network protocol for this rule.
Exceptions	Number of exceptions that allow traffic for this rule.
Action	DLP action that is done when traffic matches the rule.
Track	Tracking and logging action that is done when traffic matches the rule.
Severity	Set the severity level for this rule. Use Severity to help filter Data Loss Prevention incidents with SmartEvent.
Install On	Network objects that will get the rule of the security policy. The Policy Targets option installs the rule on all firewall gateways.
Time	Time period that DLP enforces this rule.
Category	DLP category for this rule.

DLP Rule Exceptions

When a data transmission matches criteria of an exception to a DLP rule, the rule Action is not applied. If the data matches two DLP rules, and only one of the rules has an exception, the rule without exceptions is applied.

To create an exception for a DLP rule:

1. In SmartConsole, go to Manage & Settings > Blades.
2. In the Data Loss Prevention section, click Configure in SmartDashboard.

   SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab.

3. From the navigation tree, select Policy.

   The Policy window opens and shows the DLP Rule Base.

4. Right-click the Exceptions cell for a rule and select Edit.

   The Exceptions for Rule window opens.

5. Click New Exception.
6. Configure these settings for the exception: Data Type, Source, Destination, Protocol.
7. Click OK.
8. Install the policy.

DLP Rule Actions

For each DLP rule that you create for a data type, you also define what action is to be taken if the rule matches a transmission.

Action	Description
Detect	The Firewall sends the data. The event is logged in the Logs & Monitor > Logs view and is available for your review and analysis in the Logs & Monitor Access Control views and SmartEvent. The data and the email itself, or the properties of the transmission if not email, are saved in storage for future reference.
Inform User	The Firewall sends the data, but the incident is logged and the user is notified.
Ask User	The Firewall blocks the data and DLP holds it until the user verifies that it should be sent. A notification, usually with a remediation link to the Self Incident Handling portal, is sent to the user. The user decides whether the transmission should be completed or not. The decision itself is logged in the Logs & Monitor Logs tab of SmartConsole. Look at the predefined query: DLP > User Actions.
Prevent	The Firewall blocks the data. Note: Check Point does not recommend using the Prevent action as a first choice. The action may prove disruptive. To improve the accuracy of rule matches, set rules to Prevent only when you have tested them with the less strict actions over a reasonable amount of time.
Watermark	Tracks Microsoft Office documents (Word, Excel, or PowerPoint files from Office 2007 and higher) and adds visible watermarks or invisible encrypted text. By default, all rules are created without a watermark action. Watermarks can be created and edited without having to apply them. Once a watermark object is created, it can be reused in multiple rules.

Sample Rule Base

This table shows a sample DLP Rule Base. These are the settings for the columns that are not shown:

• Source - My Organization
• Destination - Outside My Organization
• Install On - DLP Blades
• Protocol - Any
• Time - Any

  Flag	Name	Data	Exceptions	Action	Track	Severity	Category
  Follow Up	Salesforce Reports	Salesforce Reports	None	Ask User Restricted	Log	High	Business
  No Flag	PCI - Credit Card Numbers	PCI - Cardholder Data PCI - Credit Card Numbers	None	Prevent	Log	Critical	Compliance
  No Flag	SEC Filings - Draft or Recent	SEC Filings - Draft or Recent	None	Detect	Log Email	High	Financial
  No Flag	Source Code	Source Code	1	Detect	Alert	High	Intellectual Property

Salesforce Reports - When users send data that matches the Salesforce Reports Data Type category, they are asked to confirm the data transmission. A watermark with the word Restricted is added to Microsoft Word, Excel and PowerPoint files. This incident is logged with High severity.

PCI - Credit Card Numbers - Users are blocked from sending data that matches the PCI - Cardholder Data, and PCI - Credit Card Numbers Data Type categories. These incidents are logged with Critical severity.

SEC Filings - Draft or Recent - Data transmissions that matches the SEC Filings - Draft or Recent Data Type category are logged with High severity. An email is sent to the Data Owners for each incident.

Source Code - Data transmissions that matches the Source Code Data Type category are logged with High severity. A pop-up window opens in SmartView Monitor for each incident.

Analyzing and Tracking DLP

To keep a strong Data Loss Prevention policy, it is necessary to do an analysis of DLP incidents. These clients can help with your DLP analysis:

• The Logs & Monitor > Logs tab of SmartConsole
• SmartEvent

You can use the Follow Up flag in SmartConsole for the DLP rules. If you find one or more incidents that you want to change or fine-tune, set the Data Type or rule to Follow Up.

Note - To use a Windows 7 computer to view DLP incidents in the Logs & Monitor > Logs tab of SmartConsole, or SmartEvent, you must install Microsoft Office 2010. These SmartConsole clients do not show DLP incidents, if these EML files are associated with another application.

Analyzing DLP Incidents in the Logs

You can open the log of an incident and see the actual data that caused the incident. It is not necessary to review most of the incidents manually, but the data transmission (for example, the email or attachment) is saved.

Important - The DLP logs can contain personal emails and web posts that were captured. You must let the users know that this can happen. Failure to do so may cause your organization to be in conflict with local privacy laws.

To analyze DLP logs:

1. In SmartConsole, go to Logs & Monitor.
2. In Logs tab, click Favorites (star icon), and select DLP > Incidents.
3. Select a time frame in the search field, to refine the list of incidents:
   • Last Hour
   • Today
   • Last 24 Hours
   • Yesterday
   • This Week
   • Last 7 Days
   • This Month
   • Last 30 Days
   • All Time
   • Custom - specify the Start and End date and time in the window that opens, an click OK

   The Data Loss Prevention logs for the category are shown.

Event Analysis Views Available in SmartConsole

As of R80, the Event Analysis views of the SmartEvent GUI have been incorporated into the SmartConsole Logs & Monitor view. They provide advanced analysis tools with filtering, charts, and statistics of all events that pass through enabled Security Gateways.

To Learn More About Data Loss Prevention

To learn more about securing data, see these guides:

• R80.30 Data Loss Prevention Administration Guide.
• R77 versions DLP CPcode Reference Guide.