McAfee Data Loss Prevention 9.2.2 Product Guide


Source: kb.mcafee.com, 12.07.2015

2 Using McAfee DLP Monitor

How data is captured and processed

Captured data is indexed and analyzed in different databases that hold Data in Motion and Data at Rest. You can query the repositories directly using the options available in the user interface, or save queries that are to be run regularly as rules.

Data in Use events are stored in an ePolicy Orchestrator database. The capture engine does not produce these events, so that database cannot be queried in the same way.

When an object matches a query or rule, the result is reported to the McAfee DLP dashboards as an incident. Incidents can be sorted and filtered according to their attributes so that the most significant information can be identified and displayed.

You do not need to run searches or save rules to get results. Standard policies that contain collections of rules automatically search live data in real time to produce incidents.

How the capture engine works

The capture engine captures, analyzes, and stores all network data. When the McAfee DLP Monitor appliance nears its storage capacity, the earliest captured data is wiped by default. Time-based wiping can be configured instead, with a retention period of 30 to 180 days.

The core component of McAfee DLP Monitor is a capture engine that extracts packets from network traffic. The packets are indexed and analyzed, classified into object types, and saved in databases on capture partitions.
On McAfee DLP Discover appliances, significant data found during scan operations is sorted and stored.

You can query the McAfee DLP Monitor and McAfee DLP Discover databases directly using the options available in the user interface, and save queries you intend to run regularly as rules.

When an object matches a query or rule, the result is reported to the dashboard as an incident. Standard policies that contain sets of rules automatically search captured data to produce incidents, and concepts, which match related parameters in network data, can be used as a shortcut to find text-based data quickly.

How classification works

McAfee DLP Monitor captures and indexes all monitored traffic. Placement of the appliance on the network determines what is monitored.

After the data is classified and analyzed, incidents can be extracted from the database by rules or queries. When a query or rule matches any stored attribute, the entire database object it belongs to is reported to the dashboard as an incident.

Microsoft Active Directory and OpenLDAP servers can be used with McAfee DLP Manager to extend capture functionality beyond the local network.

Captured data is retrievable from three different locations in the user interface. Attributes of database objects are reflected in the matching parameters available on the search, rules, and capture filter pages. There are three methods of extracting data from the capture database.

• Extraction by query — Use the parameters available on the Basic and Advanced Search pages to query captured data.
• Extraction by rules — Use the parameters available on the Add or Edit Rules pages to routinely find and display incidents in captured data.
• Extraction by capture filter — Use the parameters available on the Content Capture Filter page to store or ignore entire categories of captured data, limiting the amount of data that has to be recognized and indexed by the capture engine.

A capture filter acts before indexing, so a category it ignores is never stored and cannot be found later by a query or rule.

Typical scenarios

To find significant data in network traffic, use search parameters to form queries. Some typical use cases follow.

Tasks
• Find leaked documents on page 19
  Whether accidental or deliberate, confidential documents on corporate networks are often open to discovery by unauthorized users.
• Monitor sensitive files after close of business in different time zones on page 20
  If you are managing several McAfee DLP Monitor appliances in different time zones, you might want to monitor data at the same local clock time in every location. For example, certain files might be allowed to enter or leave local networks during business hours, but the same files moving after 5 p.m. local time in any zone might indicate a leak.
• Find email using non-standard ports on page 20
  When non-standard ports are used to transmit email, a deliberate attempt to conceal illegal activity should be suspected.
• Find evidence of frequent communications on page 21
  You might suspect that a particular user is communicating with an off-site competitor. Identifying the sources and destinations of frequent communications can eventually reveal such a leak.
• Find source code leaving the network on page 22
  You can use the Source Code content type to find intellectual property that might be leaving the company.
• Find encrypted traffic and files on page 22
  Insiders attempting to conceal illegal activity or steal your intellectual property routinely use encryption.
• Find unencrypted user data on page 23
  You might assume that user names and passwords are protected on your network as a matter of course, but that is not always the case.
• Find geographic users and incidents on page 23
  The classification engine sorts all network data into geographic locations. Find incidents generated by users in other countries by defining geographic locations in your query.
• Find evidence of foreign interference on page 23
  Protecting intellectual property can be difficult when sensitive data is so easily transported beyond national borders.
• Search for social networking activity on page 24
  Employees who are accustomed to using social networking sites might not realize how much time they are spending on activities that reduce their productivity, or how much sensitive information might be leaked when they use such sites in the workplace.
• Find postings to message boards on page 24
  Employees sometimes spend company time posting to Internet sites that are not work-related.
• Find frequently visited web sites on page 25
  Find web sites that are frequently visited by users who might routinely use the Internet to complete their job duties, but might enter URLs that can compromise network security.

Find leaked documents

Whether accidental or deliberate, confidential documents on corporate networks are often open to discovery by unauthorized users.

This case helps you to locate leaked documents, then analyze the incidents to find out how they were leaked.
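The three extraction methods (capture filter, query, rule) and several of the scenarios listed above can be modelled in a short script. The following Python is an added example written for this page; it is not McAfee code and does not use the product's query language or database schema. The record layout, the rule names, the fixed-offset time zones and the sample capture records are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Hypothetical shape of one captured database object. The field names are an
# assumption of this example; the product's real schema is not on the page.
@dataclass(frozen=True)
class CapturedObject:
    ts: datetime            # timezone-aware capture time, stored in UTC
    src: str
    dst: str
    dst_port: int
    protocol: str           # application protocol recognised by the capture engine
    content_type: str       # classification, e.g. "document", "image", "encrypted"
    appliance_tz: timezone  # local zone of the appliance that captured the object
    payload: str = ""       # short indexed text excerpt


@dataclass(frozen=True)
class Incident:
    rule: str
    obj: CapturedObject     # the whole object is reported, not just the matched field


def capture_filter(objs, ignore_types):
    """Content capture filter: drop whole categories before they are indexed.
    Anything dropped here never reaches the store, so no later query sees it."""
    return [o for o in objs if o.content_type not in ignore_types]


def query(store, predicate):
    """Extraction by query: a one-off search over the indexed store."""
    return [o for o in store if predicate(o)]


# Scenario predicates. A saved rule is the same predicate applied routinely.
STANDARD_SMTP_PORTS = {25, 465, 587}


def email_on_nonstandard_port(o):
    return o.protocol == "smtp" and o.dst_port not in STANDARD_SMTP_PORTS


def document_after_close_of_business(o, close_hour=17):
    # Compare against the clock of the appliance that saw the traffic, so
    # "after 5 p.m." means 5 p.m. in that appliance's own time zone.
    local = o.ts.astimezone(o.appliance_tz)
    return o.content_type == "document" and local.hour >= close_hour


def unencrypted_credentials(o):
    text = o.payload.lower()
    return o.content_type != "encrypted" and ("password=" in text or "passwd=" in text)


RULES = {f.__name__: f for f in (email_on_nonstandard_port,
                                 document_after_close_of_business,
                                 unencrypted_credentials)}


def run_rules(store, rules):
    """Extraction by rules: every match reports the entire object as an incident."""
    return [Incident(name, o) for name, pred in rules.items() for o in query(store, pred)]


def frequent_communications(store, min_count):
    """Aggregate query: source/destination pairs seen at least min_count times."""
    counts = Counter((o.src, o.dst) for o in store)
    return sorted((pair, n) for pair, n in counts.items() if n >= min_count)


# Constructed sample capture. Fixed offsets stand in for real zones (no DST).
UTC = timezone.utc
NY = timezone(timedelta(hours=-5), "NY")
LON = timezone(timedelta(hours=0), "LON")


def T(h, m, d=12):
    return datetime(2015, 7, d, h, m, tzinfo=UTC)


SAMPLE = [
    CapturedObject(T(14, 0), "10.1.1.5", "203.0.113.9", 2525, "smtp", "email", NY),
    CapturedObject(T(14, 0), "10.1.1.5", "mail.example", 25, "smtp", "email", NY),
    CapturedObject(T(23, 30), "10.1.1.5", "203.0.113.9", 443, "http", "document", NY),  # 18:30 NY
    CapturedObject(T(15, 0), "10.2.2.7", "198.51.100.4", 80, "http", "document", LON),  # 15:00 London
    CapturedObject(T(15, 5), "10.2.2.7", "198.51.100.4", 80, "http", "image", LON),
    CapturedObject(T(16, 0), "10.2.2.7", "198.51.100.4", 21, "ftp", "text", LON,
                   "USER bob PASSWORD=hunter2"),
    CapturedObject(T(0, 10, 13), "10.1.1.5", "203.0.113.9", 443, "http", "encrypted", NY),
]


def demo(ignore_types=("image",), min_count=3):
    store = capture_filter(SAMPLE, set(ignore_types))
    return run_rules(store, RULES), frequent_communications(store, min_count)


if __name__ == "__main__":
    incidents, pairs = demo()
    for inc in incidents:
        print(f"{inc.rule}: {inc.obj.src} -> {inc.obj.dst}:{inc.obj.dst_port}")
    print("frequent pairs:", pairs)
```

With the image category ignored, the sample yields three incidents (SMTP to port 2525, a document leaving at 18:30 New York time, and a cleartext FTP password) and one frequent pair, 10.1.1.5 to 203.0.113.9. Running demo(ignore_types=()) also surfaces 10.2.2.7 to 198.51.100.4, which shows the caveat on capture filters: what is dropped before indexing changes aggregate results as well as per-object matches.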

