?
Solved

McAfee DLP Rule Query

Posted on 2015-01-21
7
Medium Priority
?
423 Views
Last Modified: 2015-01-27
Hello Experts,

I'm hoping someone can help. Does anyone know how to configure a rule to capture evidence on all data copied to storage devices, such as usb external drives?  I've created a "removable storage protection rule" in DLP to capture evidence, but I’m sure how to define "everything". I can only get it to work if I specify a text pattern to look for. HELP!!!
0
Comment
Question by:CNBELGIN
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40564007
why don't you just disallow writing to removable media entirely?
0
 
LVL 64

Assisted Solution

by:btan
btan earned 1500 total points
ID: 40564043
Typically for creating a reaction rule, there is "Available actions" that does "Store Evidence". It is supposed to instruct the agent to create a copy of the tagged content and saves it in the file share specified by the agent’s policy. But this action may not be applicable to all rule - you have to check if "removable storage protection rule" has that action listed. So far, I do not see it is able to do it. It is best to consult the McAfee Principal Tech Support and confirm. There is for other like the "screen capture protection rule" though. Else has to explore other means of DLP software (e.g. DeviceLock)

Also note this caveat
- Host Data Loss Prevention Removable Storage Protection Rules do not capture file source locations in the incidents
https://kc.mcafee.com/corporate/index?page=content&id=KB78403&actp=RSS

How to block all USB drives and set exclusions for specific USB drives using Host Data Loss Prevention 9.x
https://kc.mcafee.com/corporate/index?page=content&id=KB60861

Reference implementation guide
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20805/en_US/dlp_221_product_guide_en-us.pdf
0
 

Accepted Solution

by:
CNBELGIN earned 0 total points
ID: 40565081
Hey all thanks for your assistance.

Here's the solution for what i wanted to acheive.

In your rule.

Step 1 of 8. Do not select any application so that the rule includes all applicaitons.
Step 2 of 8. Do not select any tags or content categories.
Step 3 of 8. Select Apply this rule to all file types.
Step 4 of 8. Select Apply this rule to all file extensions.
Step 5 of 8. Do not select or use any document properties.
Step 6 of 8. Select Apply this rule to all encryption types Step 7 of 8. Select what actions you want to take to include Store Evidence.
Step 8 of 8. Select the user assignment group you want the rule to apply to.

This should collect evidence for all files copied to a USB storage device. It is my understanding that Removable Storage Protection rules are one of the only protection rules that do not require tags, content categories, or document properties.
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 

Author Comment

by:CNBELGIN
ID: 40565091
In responce to David

We're also blocking storage devices, users need to request a bypass code. The above rule will then monitor their actions.
0
 
LVL 64

Expert Comment

by:btan
ID: 40565574
nice, thanks for sharing
0
 

Author Closing Comment

by:CNBELGIN
ID: 40572364
Thanks guys the links that btan provided are worth reading.
0
 
LVL 64

Expert Comment

by:btan
ID: 40572546
noted and thanks!
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question