Solved

McAfee DLP Rule Query

Posted on 2015-01-21
7
412 Views
Last Modified: 2015-01-27
Hello Experts,

I'm hoping someone can help. Does anyone know how to configure a rule to capture evidence on all data copied to storage devices, such as usb external drives?  I've created a "removable storage protection rule" in DLP to capture evidence, but I’m sure how to define "everything". I can only get it to work if I specify a text pattern to look for. HELP!!!
0
Comment
Question by:CNBELGIN
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40564007
why don't you just disallow writing to removable media entirely?
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 40564043
Typically for creating a reaction rule, there is "Available actions" that does "Store Evidence". It is supposed to instruct the agent to create a copy of the tagged content and saves it in the file share specified by the agent’s policy. But this action may not be applicable to all rule - you have to check if "removable storage protection rule" has that action listed. So far, I do not see it is able to do it. It is best to consult the McAfee Principal Tech Support and confirm. There is for other like the "screen capture protection rule" though. Else has to explore other means of DLP software (e.g. DeviceLock)

Also note this caveat
- Host Data Loss Prevention Removable Storage Protection Rules do not capture file source locations in the incidents
https://kc.mcafee.com/corporate/index?page=content&id=KB78403&actp=RSS

How to block all USB drives and set exclusions for specific USB drives using Host Data Loss Prevention 9.x
https://kc.mcafee.com/corporate/index?page=content&id=KB60861

Reference implementation guide
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20805/en_US/dlp_221_product_guide_en-us.pdf
0
 

Accepted Solution

by:
CNBELGIN earned 0 total points
ID: 40565081
Hey all thanks for your assistance.

Here's the solution for what i wanted to acheive.

In your rule.

Step 1 of 8. Do not select any application so that the rule includes all applicaitons.
Step 2 of 8. Do not select any tags or content categories.
Step 3 of 8. Select Apply this rule to all file types.
Step 4 of 8. Select Apply this rule to all file extensions.
Step 5 of 8. Do not select or use any document properties.
Step 6 of 8. Select Apply this rule to all encryption types Step 7 of 8. Select what actions you want to take to include Store Evidence.
Step 8 of 8. Select the user assignment group you want the rule to apply to.

This should collect evidence for all files copied to a USB storage device. It is my understanding that Removable Storage Protection rules are one of the only protection rules that do not require tags, content categories, or document properties.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:CNBELGIN
ID: 40565091
In responce to David

We're also blocking storage devices, users need to request a bypass code. The above rule will then monitor their actions.
0
 
LVL 64

Expert Comment

by:btan
ID: 40565574
nice, thanks for sharing
0
 

Author Closing Comment

by:CNBELGIN
ID: 40572364
Thanks guys the links that btan provided are worth reading.
0
 
LVL 64

Expert Comment

by:btan
ID: 40572546
noted and thanks!
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
Make the most of your online learning experience.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question