Adding Data Types to Rules
The data types are the building blocks of the Data Loss Prevention (DLP) rule base, and the basis of the DLP policy that you install on DLP Gateways - the basis of DLP functionality. Each data type specifies a data asset to protect.
Data Owners must know about the types of data that are under their responsibility and be able to tell you what type of data they allow to go outside of the organization, and what data must be protected.
For example, a team leader of a programming team must know that lines of code are not allowed to move outside the organization, and require their protection. A hospital administrator must have an example of a court order to release patient records to authorized domains.
Specify the Compliance Data Type
The compliance category contains built-in data types that represent accepted standards and regulatory requirements. For example, according to Payment Card Industry (PCI) compliance standards, credit card numbers of customers must not be sent to outside sources in clear text.
In the Data Loss Prevention Data Types window, data types are sorted according to category. An important category is the compliance category. The Data Types window lets you create data types that enforce compliance in accordance with regulatory standards.
Create Data Types
The Data Loss Prevention Overview window > DLP Featured Data types toolbox lists the data types for:
- Compliance - click the Compliance button to see the data types in this category and how many are activated.
- Business information
- Personally identifiable information
- Best Practice
- Intellectual Property
- Human Resources
- Financial
In the Featured Data Types area of the toolbox, two actions are available:
Action | Use
View rule | Click View rule to see how the compliance data type is used in the DLP policy.
Add to policy | Click Add to policy to add the compliance data type to the DLP policy.
Clicking Compliance on the toolbar in the Data Types window filters out the data types that do not belong to the Compliance category. Check Point regularly adds to the number of built-in data types, but if none of the types is applicable to your needs, you can create a new data type and add it to the compliance category.
Built-in data types exist for:
- EU Data Protection Directive
- FERPA - Confidential Educational Records
- GLBA - Personal Financial Information
- HIPAA - Protected Health Information
- ITAR - International Traffic in Arms Regulations
- PCI DSS - Cardholder Data
- PCI - Credit Card Numbers
- PCI - Sensitive Authentication Data
- U.S. State Laws - Personally Identifiable Information
- UK Data Protection Act
To add a new data type to the compliance category:
- In the Data Loss Prevention Data Types window, click New.
The Data Type Wizard opens.
- Select criteria such as keywords or a corporate template.
- On the last page of the wizard, select Configure additional Data Type properties after clicking Finish.
- Click Finish.
The data type properties window opens on the General Properties page.
- Set the category to Compliance.
Note - You cannot change the category of a built-in data type; you can only add new data types to one of the pre-existing categories.
Specify Data Type Groups
You can create a Data Type representation that is a group of existing Data Types.
To create a Data Type group:
- In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
- From the navigation tree, click Policy.
- Click New > Data Type Group.
The Group Data Type window opens.
- Enter a Name for the group.
- In the Group Members section, click Add.
- Select the Data Types that are included in this Data Type group.
- If necessary, add Data Owners to the group.
- Click OK.
- Click Save and then close SmartDashboard.
- In SmartConsole, install the policy.
Create more complex Data Types per Organization
After you communicate with the organization's Data Owners, you can specify Advanced Matching for Keyword Data Types, according to the organization's confidentiality and integrity procedures.
You can add CPcode script files for more advanced match criteria to improve accuracy after a keyword, pattern, weighted keyword, or words from a dictionary are matched. If the CPcode script file has a corresponding value file (for constant values) or CSV file, add it here.
Note - You can add more than one CPcode script. All of the scripts must match the keywords or phrases to be recognized as matching the data type.
To add an advanced matching Data Type CPcode script:
- In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
- From the navigation tree, click Data Types.
- Select a Data Type and click Edit.
The Data Type window opens.
- Click the Advanced Matching node.
- In Run these CPcode for each matched keyword to apply additional match criteria, add the CPcode scripts to run on each of the Data Type matches:
  - Add - Click to add CPcode scripts. The default file type is cpc. See the R77 versions CPcode DLP Reference Guide.
  - View - Click to view a CPcode script in a text editor.
  - Remove - Click to remove CPcode scripts.
- Click OK.
- Click Save and then close SmartDashboard.
- In SmartConsole, install the policy.
Add the created Data Type to a rule
For all Data Type representations, you can add CPcode scripts that run after a data type is matched. Then you can test the Data Types.
Specifying a Post Match CPcode for a Data Type:
- In SmartConsole, select Security Policies > Shared Policies > DLP, and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
- From the navigation tree, click Data Types.
- Select a Data Type and click Edit.
The Data Type window opens.
- Click the Advanced Matching node.
- In Run these CPcode scripts after this Data Type is matched to apply additional match criteria, add the CPcode scripts to run on each of the Data Type matches:
  - Add - Click to add CPcode scripts. The default file type is CPC.
  - View - Click to view a CPcode script in a text editor.
  - Remove - Click to remove CPcode scripts.
- Click OK.
- Click Save and then close SmartDashboard.
- In SmartConsole, install the policy.
Testing Data Types (Recommendation)
Before installing a policy that contains new Data Types, you can test them in a lab environment.
Recommendation for testing procedure:
- Create a Data Type.
- Create a user called Tester, with your email address.
- Create a rule:
  - Data = this Data Type
  - Action = Detect
  - Source = Tester
  - Destination = Outside
- Send an email (or other data transmission according to the protocols of the rule) that should be matched to the rule.
- In SmartConsole, open the Logs & Monitor > Logs view and check that the incident was tracked with the Event Type value being the name of the Data Type.
  - If the transmission was not caught, change the parameters of the Data Type. For example, if the Data Type is Document by Template, move the slider to a lower match-value.
  - If the transmission was caught, change the parameters of the Data Type to be stricter, to ensure greater accuracy. For example, in a Document by Template Data Type, move the slider to a higher match-value.
- After fine-tuning the parameters of the Data Type, re-send a data transmission that should be caught and check that it is.
Important - If you change the action of the rule to Ask User, to test the notifications, you must change the subject of the email if you send it a second time.
If Learning mode is active, DLP recognizes email threads. If a user answers an Ask User notification with Send, DLP does not ask again about emails in the same thread.
- Send another transmission, as similar as possible, but one that must pass. Make sure it passes.
For example, for a Document by Template Data Type, try to send a document that is somewhat similar to the template but contains no sensitive data.
If the acceptable transmission does not pass, adjust the Data Type parameters to increase accuracy.
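The pair of transmissions the procedure above calls for (one that must be caught, one as similar as possible that must pass) can be rehearsed against a stand-alone check before anything is sent through the lab gateway. The block below is an added illustration, not Check Point's matching engine and not a CPcode script: it implements a Luhn-validated credit card number check in the spirit of the built-in PCI - Credit Card Numbers Data Type, with constructed sample messages.

```python
import re

# Constructed illustration of a "PCI - Credit Card Numbers" style check:
# a candidate is 13-19 digits, optionally separated by single spaces or
# dashes, that passes the Luhn checksum. Not Check Point's matcher.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the normalised (separator-free) card numbers found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def data_type_matches(text: str) -> bool:
    """The equivalent of the Data Type firing on this transmission."""
    return bool(find_card_numbers(text))


# Constructed sample transmissions, modelled on the testing recommendation:
# the first must be caught, the second is as similar as possible but must pass
# (its number fails the Luhn check, so it is only a reference, not a card).
SHOULD_BE_CAUGHT = "Invoice attached. Card on file: 4111 1111 1111 1111, exp 09/27."
SHOULD_PASS = "Invoice attached. Order reference: 4111 1111 1111 1112, ship 09/27."

if __name__ == "__main__":
    print("caught:", data_type_matches(SHOULD_BE_CAUGHT))   # True
    print("passed:", not data_type_matches(SHOULD_PASS))    # True
```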
Exporting Data Types
You can export to a file the Data Types that you have created or that are built-in. This allows you to share Data Types between DLP Gateways, when each is managed by a different Security Management Server.
- In SmartConsole, click Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
- From the navigation tree, click Data Types.
- Select the Data Type to export.
- Click Actions > Export.
- Save it as a file with the dlp_dt extension.
- Click Save and then close SmartDashboard.
Importing Data Types
You can share Data Types with another Security Management Server, or recover a Data Type that was exported but then deleted. You can also obtain new Data Types from your value-added reseller or from Check Point and use this procedure to add the new Data Types to your local system.
Note - You can only export and then import Data Types on Security Management Servers that are the same version. For example, you can export and import Data Types on different R80.30 Security Management Servers. You cannot export Data Types from an R80 Security Management Server and then import them to an R80.30 Security Management Server.
Procedure:
- In SmartConsole, click Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
- From the navigation tree, click Data Types.
- Click Actions > Import.
- Select the dlp_dt file holding the Data Type that you want.
- Click Save.
- Close SmartDashboard.
- In SmartConsole, install the policy.
Install the Policy on the DLP Gateways.