Solved

McAfee DLP Rule Query

Posted on 2015-01-21
7
375 Views
Last Modified: 2015-01-27
Hello Experts,

I'm hoping someone can help. Does anyone know how to configure a rule to capture evidence on all data copied to storage devices, such as usb external drives?  I've created a "removable storage protection rule" in DLP to capture evidence, but I’m sure how to define "everything". I can only get it to work if I specify a text pattern to look for. HELP!!!
0
Comment
Question by:CNBELGIN
  • 3
  • 3
7 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40564007
why don't you just disallow writing to removable media entirely?
0
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40564043
Typically for creating a reaction rule, there is "Available actions" that does "Store Evidence". It is supposed to instruct the agent to create a copy of the tagged content and saves it in the file share specified by the agent’s policy. But this action may not be applicable to all rule - you have to check if "removable storage protection rule" has that action listed. So far, I do not see it is able to do it. It is best to consult the McAfee Principal Tech Support and confirm. There is for other like the "screen capture protection rule" though. Else has to explore other means of DLP software (e.g. DeviceLock)

Also note this caveat
- Host Data Loss Prevention Removable Storage Protection Rules do not capture file source locations in the incidents
https://kc.mcafee.com/corporate/index?page=content&id=KB78403&actp=RSS

How to block all USB drives and set exclusions for specific USB drives using Host Data Loss Prevention 9.x
https://kc.mcafee.com/corporate/index?page=content&id=KB60861

Reference implementation guide
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20805/en_US/dlp_221_product_guide_en-us.pdf
0
 

Accepted Solution

by:
CNBELGIN earned 0 total points
ID: 40565081
Hey all thanks for your assistance.

Here's the solution for what i wanted to acheive.

In your rule.

Step 1 of 8. Do not select any application so that the rule includes all applicaitons.
Step 2 of 8. Do not select any tags or content categories.
Step 3 of 8. Select Apply this rule to all file types.
Step 4 of 8. Select Apply this rule to all file extensions.
Step 5 of 8. Do not select or use any document properties.
Step 6 of 8. Select Apply this rule to all encryption types Step 7 of 8. Select what actions you want to take to include Store Evidence.
Step 8 of 8. Select the user assignment group you want the rule to apply to.

This should collect evidence for all files copied to a USB storage device. It is my understanding that Removable Storage Protection rules are one of the only protection rules that do not require tags, content categories, or document properties.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:CNBELGIN
ID: 40565091
In responce to David

We're also blocking storage devices, users need to request a bypass code. The above rule will then monitor their actions.
0
 
LVL 62

Expert Comment

by:btan
ID: 40565574
nice, thanks for sharing
0
 

Author Closing Comment

by:CNBELGIN
ID: 40572364
Thanks guys the links that btan provided are worth reading.
0
 
LVL 62

Expert Comment

by:btan
ID: 40572546
noted and thanks!
0

Featured Post

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
How important is it to take extra precautions to protect your online business? These are some steps you can take to make sure you're free of any cyber crime.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now