Solved

McAfee DLP Rule Query

Posted on 2015-01-21
7
372 Views
Last Modified: 2015-01-27
Hello Experts,

I'm hoping someone can help. Does anyone know how to configure a rule to capture evidence on all data copied to storage devices, such as usb external drives?  I've created a "removable storage protection rule" in DLP to capture evidence, but I’m sure how to define "everything". I can only get it to work if I specify a text pattern to look for. HELP!!!
0
Comment
Question by:CNBELGIN
  • 3
  • 3
7 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40564007
why don't you just disallow writing to removable media entirely?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40564043
Typically for creating a reaction rule, there is "Available actions" that does "Store Evidence". It is supposed to instruct the agent to create a copy of the tagged content and saves it in the file share specified by the agent’s policy. But this action may not be applicable to all rule - you have to check if "removable storage protection rule" has that action listed. So far, I do not see it is able to do it. It is best to consult the McAfee Principal Tech Support and confirm. There is for other like the "screen capture protection rule" though. Else has to explore other means of DLP software (e.g. DeviceLock)

Also note this caveat
- Host Data Loss Prevention Removable Storage Protection Rules do not capture file source locations in the incidents
https://kc.mcafee.com/corporate/index?page=content&id=KB78403&actp=RSS

How to block all USB drives and set exclusions for specific USB drives using Host Data Loss Prevention 9.x
https://kc.mcafee.com/corporate/index?page=content&id=KB60861

Reference implementation guide
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20805/en_US/dlp_221_product_guide_en-us.pdf
0
 

Accepted Solution

by:
CNBELGIN earned 0 total points
ID: 40565081
Hey all thanks for your assistance.

Here's the solution for what i wanted to acheive.

In your rule.

Step 1 of 8. Do not select any application so that the rule includes all applicaitons.
Step 2 of 8. Do not select any tags or content categories.
Step 3 of 8. Select Apply this rule to all file types.
Step 4 of 8. Select Apply this rule to all file extensions.
Step 5 of 8. Do not select or use any document properties.
Step 6 of 8. Select Apply this rule to all encryption types Step 7 of 8. Select what actions you want to take to include Store Evidence.
Step 8 of 8. Select the user assignment group you want the rule to apply to.

This should collect evidence for all files copied to a USB storage device. It is my understanding that Removable Storage Protection rules are one of the only protection rules that do not require tags, content categories, or document properties.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:CNBELGIN
ID: 40565091
In responce to David

We're also blocking storage devices, users need to request a bypass code. The above rule will then monitor their actions.
0
 
LVL 61

Expert Comment

by:btan
ID: 40565574
nice, thanks for sharing
0
 

Author Closing Comment

by:CNBELGIN
ID: 40572364
Thanks guys the links that btan provided are worth reading.
0
 
LVL 61

Expert Comment

by:btan
ID: 40572546
noted and thanks!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now