McAfee Data Loss Prevention 9.2.2 Product Guide
2 Using McAfee DLP Monitor

How data is captured and processed

Captured data is indexed and analyzed in different databases that hold Data in Motion and Data at Rest. You can query these repositories directly using the options available in the user interface, or save queries that are to be run regularly as rules.

Data in Use events are stored in an ePolicy Orchestrator database. The capture engine does not produce these events, so that database cannot be queried in the same way.

When an object matches a query or rule, the result is reported to the McAfee DLP dashboards as an incident. Incidents can be sorted and filtered according to their attributes so that the most significant information can be identified and displayed.

You need not search or save rules to get results. Standard policies that contain collections of rules automatically search live data in real time to produce incidents.

How the capture engine works

The capture engine captures, analyzes, and stores all network data. When the McAfee DLP Monitor appliance nears capacity, the earliest captured data is wiped by default; alternatively, time-based wiping can be configured with a retention period of 30 to 180 days.

The core component of McAfee DLP Monitor is a capture engine that extracts packets from network traffic. The packets are indexed and analyzed, classified into object types, and saved in databases on capture partitions.

On McAfee DLP Discover appliances, significant data found during scan operations is sorted and stored. You can query the McAfee DLP Monitor and McAfee DLP Discover databases directly using the options available in the user interface, and save queries you intend to run regularly as rules.

When an object matches a query or rule, the result is reported to the dashboard as an incident. Standard policies that contain sets of rules automatically search captured data to produce incidents, and concepts that match related parameters to network data can be used as a shortcut to find text-based data quickly.

How classification works

McAfee DLP Monitor captures and indexes all monitored traffic. Placement of the appliance on the network determines what is monitored.

After the data is classified and analyzed, incidents can be extracted from the database by rules or queries. When a query or rule matches any stored attribute, the entire database object it belongs to is reported to the dashboard as an incident.

Microsoft Active Directory and OpenLDAP servers can be used with McAfee DLP Manager to extend capture functionality beyond the local network.

Captured data is retrievable from three different locations in the user interface. Attributes of database objects are reflected in matching parameters available on the search, rules, and capture filters pages. There are three methods of extracting data from the capture database.

• Extraction by query — Use the parameters available on the Basic and Advanced Search pages to query captured data.
• Extraction by rules — Use the parameters available on the Add or Edit Rules pages to routinely find and display incidents in captured data.
• Extraction by capture filter — Use the parameters available on the Content Capture Filter page to store or ignore entire categories of captured data, limiting the amount of data that has to be recognized and indexed by the capture engine.
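The capture, classification, and matching flow described above, as an added illustration in Python. This is not McAfee code and does not reproduce the product's classifiers, database, or user interface; it models the behaviour the guide describes: a capture filter drops whole categories before anything is indexed, classified objects are stored as attribute sets, saved rules run automatically over those attributes, and a match on any single attribute reports the entire object as an incident. The attribute names, the two rule definitions, the "video" capture-filter category, and the sample traffic are all constructed for this example.

```python
"""Toy model of the capture -> filter -> classify -> index -> match pipeline.

Added example, not product code.  Attribute names, rules, the ignored
category and the sample traffic below are assumptions made for illustration.
"""
import re

STANDARD_MAIL_PORTS = {25, 465, 587}

# Constructed sample capture: what the engine might have reassembled from
# the wire before classification.  Addresses are RFC 5737 documentation ranges.
SAMPLE_CAPTURE = [
    {"src": "10.1.1.5", "dst": "203.0.113.9", "port": 8080, "proto": "smtp",
     "payload": "MAIL FROM:<bob@corp.example>\r\nRCPT TO:<x@competitor.example>\r\n"},
    {"src": "10.1.1.7", "dst": "198.51.100.4", "port": 443, "proto": "http",
     "payload": "#include <stdio.h>\nint main(void) { return 0; }\n"},
    {"src": "10.1.1.9", "dst": "203.0.113.40", "port": 80, "proto": "http",
     "payload": "<binary video stream>", "category": "video"},
    {"src": "10.1.1.5", "dst": "192.0.2.20", "port": 25, "proto": "smtp",
     "payload": "MAIL FROM:<bob@corp.example>\r\nRCPT TO:<alice@corp.example>\r\n"},
]

# Crude stand-in for a Source Code content-type classifier (assumption).
SOURCE_CODE_RE = re.compile(r"^\s*(#include\b|import\s+\w|def\s+\w+\(|int\s+main\b)", re.M)


def capture_filter(raw_objects, ignore_categories):
    """Extraction by capture filter: ignore whole categories so they are
    never indexed.  Anything dropped here can never become an incident."""
    return [o for o in raw_objects if o.get("category") not in ignore_categories]


def classify(obj):
    """Classification: derive the attributes that will be stored and that
    rules and queries can later match on."""
    attrs = dict(obj)
    attrs["content_type"] = ("Source Code" if SOURCE_CODE_RE.search(obj["payload"])
                             else "Text")
    attrs["nonstandard_mail_port"] = (obj["proto"] == "smtp"
                                      and obj["port"] not in STANDARD_MAIL_PORTS)
    return attrs


def index(filtered_objects):
    """Index: the 'database' here is simply the list of classified attribute sets."""
    return [classify(o) for o in filtered_objects]


def matches(attrs, q):
    """A query maps attribute -> required value; every clause must hold."""
    return all(attrs.get(k) == v for k, v in q.items())


def query(database, q):
    """Extraction by query: ad hoc search over stored attributes.  Whole
    objects are returned, not just the attribute that matched."""
    return [attrs for attrs in database if matches(attrs, q)]


def run_rules(database, rules):
    """Extraction by rules: saved queries run over every stored object; each
    match is reported as an incident carrying the entire object."""
    return [{"rule": name, "object": attrs}
            for attrs in database
            for name, q in rules.items()
            if matches(attrs, q)]


# Two constructed rules corresponding to scenarios listed later in this chapter.
RULES = {
    "Email on non-standard port": {"nonstandard_mail_port": True},
    "Source code leaving the network": {"content_type": "Source Code"},
}


def build_database():
    """Run the sample capture through the filter and classifier."""
    return index(capture_filter(SAMPLE_CAPTURE, ignore_categories={"video"}))


if __name__ == "__main__":
    db = build_database()
    for inc in run_rules(db, RULES):
        o = inc["object"]
        print(f'{inc["rule"]}: {o["src"]} -> {o["dst"]}:{o["port"]} ({o["content_type"]})')
```

Two points the model makes concrete: the object excluded by the capture filter is invisible to both rules and queries, because it was never indexed, so a filter that is too broad silently removes evidence; and an incident carries the whole object, so the analyst sees source, destination, port, and payload even when the rule only tested one derived attribute.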
Typical scenarios

To find significant data in network traffic, use search parameters to form queries. Some typical use cases follow.

Tasks

• Find leaked documents on page 19
  Whether accidental or deliberate, confidential documents on corporate networks are often open to discovery by unauthorized users.
• Monitor sensitive files after close of business in different time zones on page 20
  If you are managing several McAfee DLP Monitor appliances in different time zones, you might want to monitor data at the same local clock time in every location. For example, certain files might be allowed to enter or leave local networks during business hours, but the same transfer after 5 p.m. local time in any time zone might indicate a leak.
• Find email using non-standard ports on page 20
  When non-standard ports are used to transmit email, a deliberate attempt to conceal illegal activity should be suspected.
• Find evidence of frequent communications on page 21
  You might suspect that a particular user is communicating with an off-site competitor. Identifying the sources and destinations of frequent communications can eventually reveal that leak.
• Find source code leaving the network on page 22
  You can use the Source Code content type to find intellectual property that might be leaving the company.
• Find encrypted traffic and files on page 22
  Insiders attempting to conceal illegal activity or steal your intellectual property routinely use encryption.
• Find unencrypted user data on page 23
  You might assume that user names and passwords are protected on your network as a matter of course, but that is not always the case.
• Find geographic users and incidents on page 23
  The classification engine sorts all network data into geographic locations. Find incidents generated by users in other countries by defining geographic locations in your query.
• Find evidence of foreign interference on page 23
  Protecting intellectual property can be difficult when sensitive data is so easily transported beyond national borders.
• Search for social networking activity on page 24
  Employees who are accustomed to using social networking sites might not realize how much time they are spending on activities that reduce their productivity, or how much sensitive information might be leaked when they use such sites in the workplace.
• Find postings to message boards on page 24
  Employees sometimes spend company time posting to Internet sites that are not work-related.
• Find frequently visited web sites on page 25
  Find web sites that are frequently visited by users who might routinely use the Internet to complete their job duties, but might enter URLs that can compromise network security.

Find leaked documents

Whether accidental or deliberate, confidential documents on corporate networks are often open to discovery by unauthorized users.

This case helps you to locate leaked documents, then analyze the incidents to find out how they were leaked.