McAfee Data Loss Prevention 9.2.2 Product Guide

More documents

Recommendations

Info

5Integrating McAfee DLP EndpointTagging and trackingspecific documents by applying the appropriate tag. After they are created, manual tags are pushed tousers at endpoints by the McAfee Agent client.The ability to classify documents with tags encourages users to take independent action to protect fileswithin their areas of responsibility. For example, users at medical facilities might be trusted to applyHIPAA tags to patient records that must be kept confidential by law.If the Allow Manual Tagging checkbox is not selected, file tagging can still be done manually — but only byadministrative users, who can tag or remove files individually or in groups.Application-based taggingTags that identify applications are applied when a file is saved using a specific application, and the tagdisplays whenever the user opens the file. When used with other properties of a unified rule, they canbe used to control files created by that application.Simple application‐based tagging rules monitor or block all files created by the application, butaddition of other rule parameters can qualify or extend those actions when used in a more specificcontext.Application tagging might be only one property of a unified rule. When an application definition isapplied, or applications sharing a particular strategy are used (for example, all applications areeditors), an application tag might be applied to a group of documents.How application tagging worksApplications can be deployed with tagging and protection rules by creating application definitions, thenapplying them to unified rules. They can also be applied manually, or by using a Discover CIFS scan.Importing an applications list and creating application definitions are efficient ways of handlingapplication‐related tagging and protection rules.For example, system administrators might import a list of all relevant applications available within theenterprise, create application definitions based on their needs, and implement these definitions withrelevant rules to maintain policies.When a user opens files with an application that is defined in a rule by an application definition, itproduces one event on the McAfee DLP Monitor per application session, not per sensitive file opened.The event includes all files that matched the specified conditions in that application session. Forexample, if the Store Evidence parameter is selected on the Data‐in‐Use action rule page, only files from thecurrent session are stored.The Enterprise Application ListThe Enterprise Application List contains a set of commonly‐used applications. You can add applicationsto the list, delete them, or add an application definition that bundles related applications.When an application is added to the Enterprise Application List, application‐based tags are applied tomatching files when they are found.Applications must be defined in the Enterprise Applications List before they can be referenced in a rule.If the applications you want to use do not appear on the list, you must add them.When an Endpoint application tag is used with unified rule parameters and associated action rules,files that are detected on endpoints, in network traffic, and repositories can be controlled with onerule. Application‐based tags might be used alone or collected in application definitions.For example, users who open Adobe Photoshop files on endpoints or on network shares might beallowed to view, but not modify those files — or they might not be visible at all. But before buildingsuch a rule, the .psd executable file would have to be added to the Enterprise Action List so that it is150 McAfee Data Loss Prevention 9.2.2 Product Guide
Integrating McAfee DLP EndpointTagging and tracking 5available for use in a unified rule. Once Photoshop files are defined as significant objects andsupplemented with other parameters, they can be detected and tagged when the unified rule is run,and an appropriate action might be taken at that time.Strategies for categorizing applicationsMcAfee DLP Endpoint software divides applications into four categories or strategies.A strategy is assigned to each application definition. You can change the strategy to achieve a balancebetween security and the computer’s operating efficiency. The strategies, in order of decreasingsecurity, are:• Editor — Any application that can modify file content. This includes “classic” editors like MicrosoftWord and Microsoft Excel, as well as browsers, graphics software, accounting software, and soforth. Most applications are editors.• Explorer — An application that copies or moves files without changing them, such as MicrosoftWindows Explorer or certain shell applications.• Trusted — An application that needs unrestricted access to files for scanning purposes. Examplesare McAfee ® VirusScan ®Enterprise, backup software, and desktop search software (Google,Copernic, and so forth).• Archiver — An application that reprocesses files. Examples are compression software such asWinZip, and encryption applications such as McAfee ® Endpoint Encryption for Files and Folderssoftware or PGP.Change the strategy as necessary to optimize performance. For example, the high level of observationthat an editor application receives is not consistent with the constant indexing of a desktop searchapplication. The performance penalty is high, and the risk of a data leak from such an application islow. Therefore, you should use the trusted strategy with these applications.Add a file extension parameterFile extensions can be defined along with other endpoint parameters to control applications by type.Before you beginCheck to see if the file extension parameter already exists on the Endpoint file extensionpop‐up menu. If not, you can add it by entering it in the Original Executable File Name pop‐upmenu on the Create Application Definition page, which will add it to the Enterprise Application List. Theadded file type can then be selected from the Application Definition pop‐up menu.Suppose you want to implement role‐based access on a Windows network engineering share. Youmight have developers who have full access, users who are allowed to manage the contents of thesite, and users who have special skills that are needed on specific document types.For example, a group of technical illustrators might need access to the Adobe Photoshop andIllustrator files on that share. You could create a rule that would allow only those users access to thosefiles.Task1 Select one of these options:• In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Policies.• On your McAfee DLP appliance, select Policies.2 Click a policy and a rule, or create new ones.Make sure the policy is active and the Inherit Policy State state of the rule is set to Enabled.McAfee Data Loss Prevention 9.2.2 Product Guide 151
Page 1:
Product GuideRevision AMcAfee Data
Page 6 and 7:
ContentsFind host names in data at
Page 8 and 9:
ContentsDelete views . . . . . . .
Page 10 and 11:
ContentsTypical scenarios . . . . .
Page 12 and 13:
Contents12 McAfee Data Loss Prevent
Page 14 and 15:
PrefaceFind product documentationTi
Page 16 and 17:
1McAfee DLP ManagerMcAfee DLP data
Page 18 and 19:
2Using McAfee DLP MonitorHow data i
Page 20 and 21:
2Using McAfee DLP MonitorTypical sc
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
2Using McAfee DLP MonitorSearch bas
Page 28 and 29:
2Using McAfee DLP MonitorUsing logi
Page 30 and 31:
2Using McAfee DLP MonitorSupported
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
2Using McAfee DLP MonitorRules used
Page 40 and 41:
2Using McAfee DLP MonitorFinding in
Page 42 and 43:
2Using McAfee DLP MonitorFinding in
Page 44 and 45:
2Using McAfee DLP MonitorUse concep
Page 46 and 47:
2Using McAfee DLP MonitorFind data
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
2Using McAfee DLP MonitorSearching
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
2Using McAfee DLP MonitorFinding do
Page 66 and 67:
3Managing McAfee DLP PreventHow McA
Page 68 and 69:
3Managing McAfee DLP PreventConfigu
Page 70 and 71:
3Managing McAfee DLP PreventConfigu
Page 72 and 73:
4Using McAfee DLP DiscoverTypical s
Page 74 and 75:
4Using McAfee DLP DiscoverTypical s
Page 76 and 77:
4Using McAfee DLP DiscoverRegisteri
Page 78 and 79:
4Using McAfee DLP DiscoverRegisteri
Page 80 and 81:
4Using McAfee DLP DiscoverCrawling
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
4Using McAfee DLP DiscoverOptimizin
Page 88 and 89:
4Using McAfee DLP DiscoverOptimizin
Page 90 and 91:
4Using McAfee DLP DiscoverManaging
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101: 4Using McAfee DLP DiscoverManaging
Page 104 and 105: 4Using McAfee DLP DiscoverScan stat
Page 108 and 109: 4Using McAfee DLP DiscoverSearch di
Page 114 and 115: 4Using McAfee DLP DiscoverRemediati
Page 122 and 123: 4Using McAfee DLP DiscoverGetting s
Page 124 and 125: 4Using McAfee DLP DiscoverGetting s
Page 126 and 127: 4Using McAfee DLP DiscoverConfiguri
Page 128 and 129: 4Using McAfee DLP DiscoverConfiguri
Page 130 and 131: 5Integrating McAfee DLP EndpointTyp
Page 138 and 139: 5Integrating McAfee DLP EndpointVie
Page 140 and 141: 5Integrating McAfee DLP EndpointCon
Page 142 and 143: 5Integrating McAfee DLP EndpointUni
Page 148 and 149: 5Integrating McAfee DLP EndpointTag
Page 172 and 173: 6Managing the Home pageHow the Home
Page 174 and 175: 7Using the Incidents dashboardTypic
Page 176 and 177: 7Using the Incidents dashboardSort
Page 178 and 179: 7Using the Incidents dashboardGetti
Page 180 and 181: 7Using the Incidents dashboardGetti
Page 182 and 183: 7Using the Incidents dashboardSet u
Page 184 and 185: 7Using the Incidents dashboardGener
Page 186 and 187: 7Using the Incidents dashboardCusto
Page 188 and 189: 7Using the Incidents dashboardContr
Page 190 and 191: 8Working with casesManage case perm
Page 192 and 193: 8Working with casesAdd, delete, or
Page 194 and 195: 8Working with casesModify casesYou
Page 196 and 197: 8Working with casesCustomize cases3
Page 198 and 199: 8Working with casesCustomize cases4
Page 200 and 201:
9Managing policies and rulesHow pol
Page 202 and 203:
9Managing policies and rulesTypical
Page 204 and 205:
9Managing policies and rulesTypical
Page 206 and 207:
9Managing policies and rulesManagin
Page 208 and 209:
9Managing policies and rulesAdd, mo
Page 210 and 211:
9Managing policies and rulesAdd, mo
Page 212 and 213:
9Managing policies and rulesManage
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
9Managing policies and rulesIdentif
Page 220 and 221:
9Managing policies and rulesIdentif
Page 222 and 223:
10Managing action rulesHow McAfee D
Page 224 and 225:
10Managing action rulesAdd, modify,
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
11Managing conceptsTypical scenario
Page 234 and 235:
11Managing conceptsAdd, apply, rest
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
12Using templatesTypical scenariosT
Page 242 and 243:
12Using templatesAdd, modify, and d
Page 244 and 245:
12Using templatesAdd, modify, and d
Page 246 and 247:
13Managing McAfee DLP systemsConfig
Page 248 and 249:
13Managing McAfee DLP systemsConfig
Page 250 and 251:
13Managing McAfee DLP systemsUsing
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
13Managing McAfee DLP systemsAdding
Page 260 and 261:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
13Managing McAfee DLP systemsManagi
Page 276 and 277:
Page 278 and 279:
Page 280 and 281:
13Managing McAfee DLP systemsTechni
Page 282 and 283:
13Managing McAfee DLP systemsTechni
Page 284 and 285:
14Disaster recovery backup and rest
Page 286 and 287:
Page 288 and 289:
Page 290 and 291:
15Technical supportCreate a technic
Page 292 and 293:
Indexdevice class (continued)status
Page 294 and 295:
Indexuser groupscreating 275deletin
show all

McAfee Data Loss Prevention 9.2.2 Product Guide

Create successful ePaper yourself

Delete template?

Save as template?