12.07.2015 Views

McAfee Data Loss Prevention 9.2.2 Product Guide


Integrating McAfee DLP Endpoint
Tagging and tracking

A tag label can be either application-based or location-based, and in McAfee DLP Manager, might be applied in one of three ways:

• By rule (automatically)
• Directly (manually)
• By scanning a Windows repository (automatically)

After tags are created, the files to which they are applied can not only be tracked, but controlled by pre-programming Data-in-Use action rules that fire when tagged objects are found.

Using tags

In the network product suite, unified rules might contain location or application-based tags. They might be used alone, or in combination with other parameters to identify and apply actions to data at risk anywhere within the reach of the McAfee DLP Manager.

Users who have administrative privileges can create Tag Labels on the Endpoint Configuration page, then select them from menus on Edit Rules pages to define a condition for automatically applying them. If used on those pages, they can also be added automatically to CIFS (Windows) repositories and endpoints through Discover scans.

When tag labels are used on unified rules pages, they can be applied as needed to files that match the conditions of the rules, or existing tags can be applied to a specific set of files that are defined by the rule.

For example, the Pharmaceutical Industry Drug Code Data rule might be modified to include an Existing Tag Label that identifies and tracks any document containing that code. An Email Protection Rule might then be added to prevent users from sending those documents to competitors.

This particular rule applies only to data in motion, but email protection is covered by all McAfee DLP products.

Applying tags with unified rules

Many files can be tagged in a single operation by using tags in combination with unified policy rules.

When a tag is added to a network rule, it is not only extended to endpoints, but it can be used to impose a wide variety of conditions on the targeted data before the tag is applied.

Many different network and endpoint parameters might be used to automatically apply tags when sensitive data is detected — and if specific conditions are not met, they might not be applied at all.

For example, a network rule might be used in an Asian bank to find and apply privacy tags to all files that contain China UnionPay credit card numbers. But the administrator might want to tag those files only if they are being posted to a known "carders" web site by an insider who is under investigation.

In such a case, the rule might contain a user name selected from an LDAP server, and the HTTP_Post protocol might be added to establish criminal intent. If both of those conditions are found, an Existing Tag Label would be automatically applied, and a Web Post Reaction action rule might also be applied to block the attempt and store evidence.

Applying tags manually

Tag labels can be added by any user who has administrative privileges. If the Allow Manual Tagging checkbox is selected during that process, the tag is visible to trusted users, who can use it to classify
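The conditional tagging described under "Applying tags with unified rules" can be modelled as a conjunction of content, user and protocol conditions. The following is an added illustration, not McAfee code or the product's rule format; the class names, tag label, user names and the 62-prefix plus Luhn card check are assumptions, and the events are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumption: candidate UnionPay numbers are 16-19 digits starting with 62.
PAN_RE = re.compile(r"(?<!\d)62\d{14,17}(?!\d)")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum (assumed applicable), used to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Event:
    user: str
    protocol: str
    body: str
    tags: set = field(default_factory=set)

@dataclass
class TagRule:
    tag_label: str
    users: frozenset    # user names under investigation (from LDAP in the guide)
    protocol: str       # protocol condition, e.g. "HTTP_Post"

    def apply(self, event: Event) -> bool:
        """Tag the event only if content, user and protocol all match."""
        has_pan = any(luhn_ok(m) for m in PAN_RE.findall(event.body))
        if has_pan and event.user in self.users and event.protocol == self.protocol:
            event.tags.add(self.tag_label)
            return True
        return False

RULE = TagRule("UnionPay-Privacy", frozenset({"jdoe"}), "HTTP_Post")

# Constructed events; the card number is a synthetic Luhn-valid test value.
EVENTS = [
    Event("jdoe", "HTTP_Post", "card=6200000000000005&exp=0127"),
    Event("jdoe", "SMTP", "card=6200000000000005"),          # wrong protocol
    Event("asmith", "HTTP_Post", "card=6200000000000005"),   # user not listed
    Event("jdoe", "HTTP_Post", "order=6200000000000001"),    # fails Luhn
]

def tagged_events(rule, events):
    return [rule.apply(e) for e in events]

if __name__ == "__main__":
    print(tagged_events(RULE, EVENTS))
```

Only the first event satisfies all three conditions, so it alone receives the tag; the other three show each condition failing in turn.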
