Overview of DLP Rules

A Data Loss Prevention (DLP) rule consists of:

  • Flag - your indicator of rules that need handling. The values No Flag, Follow Up, and Improve Accuracy mark rules for scanning in the Policy and for quick access from the Overview page.

  • A Data Type to protect - some Data Types are complex, others are as simple as one word. You can make your rule base as long as needed.

  • A transmission source - by default, your entire internal organization (the policy checks all data transmissions coming from any user in your organization that contain the defined Data Type), or a selected user, group, segment, or network.

    Best Practice - Create user groups for data access. For example: users with access to highly sensitive data, newly hired employees, employees on notice of termination, managers with responsibilities over specific types of data.

  • A destination - By default, anything that is outside of the internal organization. You can make the destination any network object defined in SmartConsole, to protect data movement between groups of users inside your organization. You can also make the destination a specific domain, such as Gmail or Hotmail for private emails.

  • A protocol - By default Any, but you can restrict the rule to HTTP posts only or to FTP uploads only. To view the Protocol column, right-click the heading line of the policy and select Protocol.

  • Exceptions - Exceptions added to this rule to allow specific traffic. Any value that is valid for the main rule is also valid in an exception. Be careful! Exceptions are matched first. If a data transmission matches an exception in the policy, matching stops there.

  • An action to take - The DLP response when a data transmission matches the other parameters of the rule: detect and log, inform the sender or data owner, delay until the user decides, or prevent the transmission.

  • A tracking option - When data transmissions match Data Loss Prevention rules, they are logged as incidents in the Logs & Monitor view by default. You can add email notifications and other tracking methods here.

  • A severity level - Set the severity of each rule in your policy to help you filter and report on Data Loss Prevention incidents when auditing them in the Logs & Monitor view. High and Critical rules should be the first that you audit and, if you decide to keep this severity level, they should be moved from Detect to Ask as soon as your users understand what is expected of them.

  • Install On - Security Gateways with Data Loss Prevention enabled. Default value is all DLP Security Gateways.

  • A time range - A period of time during which the DLP rule is enforced.

  • Category - Label for types of rules. Built-in rules have default categories. To change the category of a new rule, right-click and select from the list.

  • Comment - Optional notes for rules.
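The matching behaviour described in the list above, as an added example that is not Check Point's own code or data model: a small Python model of a DLP rule base in which each rule's exceptions are matched before the rule itself, and a transmission is evaluated against source, destination, protocol and Data Type. The internal address ranges, Data Type names, host names and the "most restrictive action wins" handling of overlapping matches are assumptions of this model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional
# Constructed model of the rule fields listed above; not Check Point's own data model
# or API. Address ranges, Data Type names and host names are assumptions.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ACTION_RANK = {"Allow": -1, "Detect": 0, "Inform": 1, "Ask": 2, "Prevent": 3}

def endpoint_matches(spec: Optional[str], value: str, want_internal: bool) -> bool:
    """spec None = the default (internal org for a source, outside it for a destination)."""
    try:
        ip = ip_address(value)
    except ValueError:
        ip = None  # a domain name such as gmail.com, always outside the organization
    if spec is None:
        return want_internal == (ip is not None and any(ip in n for n in INTERNAL_NETS))
    if ip is None:  # spec must then be a domain name
        return value.lower() == spec.lower()
    try:
        return ip in ip_network(spec)  # spec is a network object
    except ValueError:  # spec is a domain name but the value is an IP address
        return False

@dataclass
class Rule:
    name: str
    data_type: str                      # the Data Type the rule protects
    action: str = "Detect"              # Detect, Inform, Ask or Prevent
    protocol: str = "Any"               # or HTTP, FTP, SMTP ...
    source: Optional[str] = None        # None = entire internal organization
    destination: Optional[str] = None   # None = anything outside the organization
    exceptions: List["Rule"] = field(default_factory=list)  # their action is ignored
    def matches(self, src: str, dst: str, proto: str, data_types: set) -> bool:
        return (self.data_type in data_types and self.protocol in ("Any", proto)
                and endpoint_matches(self.source, src, True)
                and endpoint_matches(self.destination, dst, False))

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, data_types: set) -> str:
    """Exceptions are matched before their rule and take it out of consideration. If several
    rules still match, the most restrictive action wins (an assumption of this model)."""
    result = "Allow"  # no rule matched
    for rule in rules:
        if any(ex.matches(src, dst, proto, data_types) for ex in rule.exceptions):
            continue
        if rule.matches(src, dst, proto, data_types) and ACTION_RANK[rule.action] > ACTION_RANK[result]:
            result = rule.action
    return result

RULES = [  # constructed sample: card numbers may leave only from Finance to the acquiring bank
    Rule("Card numbers leaving", "Credit Card Numbers", "Prevent", exceptions=[
        Rule("Finance to bank", "Credit Card Numbers", source="10.1.0.0/16", destination="bank.example")]),
    Rule("Salary data to webmail", "Salary Data", "Ask", protocol="HTTP", destination="gmail.com"),
]
```

Calling `evaluate(RULES, "10.1.2.3", "bank.example", "HTTPS", {"Credit Card Numbers"})` returns "Allow" because the exception matches first, while the same content sent to gmail.com from any internal address returns "Prevent".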

The rule base of the DLP Gateway should look familiar if you have experience with the Check Point Firewall rule base, but there are differences.

  • DLP rules are based on Data Types and are created through an easy-to-use wizard. The protocols (services) used to transmit the data and the people who transmit it are secondary, refining criteria.

  • DLP rules usually scan communications from the internal organization going out. Firewall rules usually scan communications from outside coming into the internal network.

  • The way DLP rules match data is different.