Solved

McAfee DLP Rule Query

Posted on 2015-01-21
465 Views
Last Modified: 2015-01-27
Hello Experts,

I'm hoping someone can help. Does anyone know how to configure a rule to capture evidence on all data copied to storage devices, such as USB external drives? I've created a "removable storage protection rule" in DLP to capture evidence, but I'm not sure how to define "everything". I can only get it to work if I specify a text pattern to look for. HELP!!!
Question by:CNBELGIN
7 Comments
 
LVL 85

Expert Comment

by:David Johnson, CD, MVP
ID: 40564007
why don't you just disallow writing to removable media entirely?
LVL 66

Assisted Solution

by:btan
btan earned 1500 total points
ID: 40564043
Typically, when creating a reaction rule, there is an "Available actions" list that includes "Store Evidence". It is supposed to instruct the agent to create a copy of the tagged content and save it in the file share specified by the agent's policy. But this action may not be applicable to all rules; you have to check whether the "removable storage protection rule" has that action listed. So far, I do not see that it is able to do it. It is best to consult McAfee Principal Tech Support and confirm. It is available for others, like the "screen capture protection rule", though. Otherwise, you would have to explore other DLP software (e.g. DeviceLock).

Also note this caveat
- Host Data Loss Prevention Removable Storage Protection Rules do not capture file source locations in the incidents
https://kc.mcafee.com/corporate/index?page=content&id=KB78403&actp=RSS

How to block all USB drives and set exclusions for specific USB drives using Host Data Loss Prevention 9.x
https://kc.mcafee.com/corporate/index?page=content&id=KB60861

Reference implementation guide
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20805/en_US/dlp_221_product_guide_en-us.pdf

Accepted Solution

by:
CNBELGIN earned 0 total points
ID: 40565081
Hey all thanks for your assistance.

Here's the solution for what I wanted to achieve.

In your rule.

Step 1 of 8. Do not select any application so that the rule includes all applications.
Step 2 of 8. Do not select any tags or content categories.
Step 3 of 8. Select Apply this rule to all file types.
Step 4 of 8. Select Apply this rule to all file extensions.
Step 5 of 8. Do not select or use any document properties.
Step 6 of 8. Select Apply this rule to all encryption types.
Step 7 of 8. Select what actions you want to take, including Store Evidence.
Step 8 of 8. Select the user assignment group you want the rule to apply to.

This should collect evidence for all files copied to a USB storage device. It is my understanding that Removable Storage Protection rules are one of the only protection rules that do not require tags, content categories, or document properties.
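A rule built with "all applications, all file types, all extensions, all encryption types" is only as good as its coverage, and the incident view will not tell you what it silently skipped. The script below is an added example, not part of this thread and not McAfee code: it writes a small set of test files to the removable drive that exercise the cases a "capture everything" rule tends to miss (no extension, upper-case extension, an empty file, raw binary, and a ZIP container, which is what Office documents are), then checks that a byte-identical copy of each one exists somewhere under the evidence share by matching SHA-256 hashes, regardless of how the share is laid out. The drive and evidence paths, the file names and contents, and the `demo_run` layout are all constructed for this example; it also assumes the agent stores evidence as plain file copies. If your agent policy compresses or encrypts evidence, match by file name and size in the incident record instead.

```python
"""Coverage check for an "evidence on everything copied to USB" DLP rule.

Added example (not McAfee's tooling): write test files that cover the edge
cases a capture-everything rule must handle, then confirm each one has a
byte-identical copy under the evidence share. Paths are assumptions.
"""
import hashlib
import shutil
import sys
import tempfile
import zipfile
from pathlib import Path

# Constructed corpus. Each entry is a case a "capture everything" rule must
# not silently skip: no extension, upper-case extension, empty file, binary.
# A ZIP container is added by write_test_files (Office files are ZIPs too).
TEST_CORPUS = {
    "report": b"plain text, no extension\n",
    "NOTES.TXT": b"upper-case extension\n",
    "empty.log": b"",
    "blob.bin": bytes(range(256)) * 4,
}


def sha256_of(path: Path) -> str:
    """Stream the file so large evidence copies do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_test_files(drive_root: Path) -> dict[str, str]:
    """Write the corpus plus one ZIP to drive_root; return name -> sha256."""
    drive_root.mkdir(parents=True, exist_ok=True)
    for name, data in TEST_CORPUS.items():
        (drive_root / name).write_bytes(data)
    with zipfile.ZipFile(drive_root / "bundle.zip", "w") as z:
        z.writestr("inner.txt", "text inside a container\n")
    return {p.name: sha256_of(p) for p in drive_root.iterdir() if p.is_file()}


def index_evidence(evidence_root: Path) -> set[str]:
    """SHA-256 of every file under the evidence share, whatever its layout."""
    return {sha256_of(p) for p in evidence_root.rglob("*") if p.is_file()}


def find_uncaptured(expected: dict[str, str], evidence_root: Path) -> list[str]:
    """Names of test files with no byte-identical copy in the evidence share."""
    seen = index_evidence(evidence_root)
    return sorted(name for name, digest in expected.items() if digest not in seen)


def demo_run(skip: tuple[str, ...] = ("report",)) -> list[str]:
    """Offline dry run with a fake drive and a fake evidence tree (no agent):
    everything except the names in `skip` is 'captured'. Returns the misses."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "E"                       # stand-in for the USB drive
        evidence = Path(tmp) / "evidence" / "host01"  # stand-in for the share
        expected = write_test_files(drive)
        evidence.mkdir(parents=True)
        for name in expected:
            if name not in skip:
                # Evidence copies are typically renamed; hashing ignores that.
                shutil.copy2(drive / name, evidence / f"{name}.copy")
        return find_uncaptured(expected, evidence)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: dlp_coverage.py <removable-drive-path> <evidence-share-path>")
        print("dry run result:", demo_run())
        sys.exit(0)
    drive, evidence = Path(sys.argv[1]), Path(sys.argv[2])
    expected = write_test_files(drive)
    input("Files written; wait for the agent to upload evidence, then press Enter")
    missing = find_uncaptured(expected, evidence)
    print("not captured:", missing or "none")
```

Run it once with the bypass code workflow described in this thread (request the code, copy the files, let the agent upload), then read the "not captured" list: any name there is a gap in the rule's file-type, extension or encryption-type scope, which is exactly what steps 3, 4 and 6 above are meant to close.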

Author Comment

by:CNBELGIN
ID: 40565091
In response to David

We're also blocking storage devices, users need to request a bypass code. The above rule will then monitor their actions.
LVL 66

Expert Comment

by:btan
ID: 40565574
nice, thanks for sharing

Author Closing Comment

by:CNBELGIN
ID: 40572364
Thanks guys the links that btan provided are worth reading.
LVL 66

Expert Comment

by:btan
ID: 40572546
noted and thanks!