Data Loss Prevention 9.4 introduces many new features and is now fully integrated into McAfee ePO. It provides a brand-new interface and no longer relies on ActiveX. The new DLPe extensions include two new console modules, Classifications and DLP Policy Manager, both of which are used to configure DLPe policies and rules.
We’re going to discuss the installation and initial configuration steps to get DLPe up and running.
High-Level Process
Before you begin
Step-by-Step Procedure:
Install the DLP extensions
Okay, let’s get started.
Check in the DLP Packages
Deploy the DLPe software
First, let’s deploy our new DLPe software. There are several ways to do this, but I’m just going to create a new test group and put my test DLP systems in there.
I’ll create the group by opening the System Tree (Menu | System Tree). With My Organization selected on the left, I’ll click System Tree Actions | New Subgroups and name the subgroup DLP Test.
Now that DLP Test exists, I’ll move my test systems into it by clicking on each system name and dragging it onto the group, then clicking OK when the confirmation box pops up.
Next, I’m going to create a client task. With the DLP Test group selected, click the Assign Client Tasks tab, then click Actions | New Client Task Assignment. This opens the Client Task Assignment Builder.
Next, we’ll fill in the Task Builder fields. In the Product field, select McAfee Agent. In the Task Type field, select Product Deployment. Click Create New Task under the Task Name field.
In the Task Name section, let’s just call this task “Deploy DLP 9.4.0”.
In the Products and components section, use the first drop-down to select McAfee Data Loss Prevention 9.4.0. Then click Save.
Now, let’s wake up the client that you put in the DLP Test group: select the DLP Test group, click the System tab, put a check next to the test system, and click Wake Up Agents. This tells the test client to initiate communication with the ePO server and pull down the latest client tasks and policies.
You can confirm that the task is being installed on the client by opening the McAfee Agent Status Monitor: click the McAfee Agent shield icon on the client computer and select McAfee Agent Status Monitor.
Enter the license information
Now that we have the DLPe Software installed, let’s configure the policies on the ePO Server.
In McAfee ePO, select Menu | Configuration | Server Settings. Select Data Loss Prevention from the category list and click Edit in the bottom right.
In the License Keys section, enter your license key in the Key text box and click Add. Additional licenses can be added here later as well.
Creating a Rule Set
After the license key is added, we can go ahead and configure the policies. We’re going to create a quick policy that blocks the word “Secret”, pops up a message, and reports the incident to ePO so that we can confirm the copy was blocked.
Okay, our first step is to create our classification for the word “Secret”.
Select Menu | Data Protection | Classification.
Here, we’ll create a new classification by clicking New Classification in the bottom left.
Let’s name this classification “Contains Secret Classification” and click OK.
Now, let’s select Actions | New Classification Criteria.
We’ll name this classification criteria “Contains Secret Criteria”.
Since we’re just matching a word, we’ll choose the Dictionary Data condition on the left. Note that the Advanced Pattern definitions can be used instead to detect variable patterns such as Social Security numbers or credit card numbers; they use regular expressions to define what should be matched, and many built-in definitions are provided.
After the Dictionary condition is listed on the right, click the three dots and you’ll be presented with all of the built-in lists. You could select an existing list, but we’re going to create our own by clicking the “New Item” button at the bottom. Name this list “Contains Secret Dictionary”, type “secret” in the “Phrase” box at the bottom, and click Add on the right. We’ll use this list to prevent the word secret from being copied. Save the dictionary list.
Use the filter box to find it by typing “secret” and clicking Go. This brings up your newly created dictionary; put a check next to it and click OK. Now that it’s assigned, click Save to save the criteria. Finally, click Actions | Save Classification to save the classification.
Now that the classification exists, we can assign it in the DLP Policy Manager. Go to Menu | Data Protection | DLP Policy Manager. First, create a new rule set: click Actions | New Rule Set and name it “Prevent Secret from being copied”. Now, click on Prevent Secret from being copied. You’ll see a few tabs, but we’re only interested in the Data Protection tab for now. Click Actions | New Rule | Clipboard Protection and name this rule “Prevent secret from being copied”. We’ll also need to change the State from Disabled to Enabled, and let’s change the Severity from Warning to Major.
In the bottom section, we’ll use our newly created classification. In the Classification section, click the three dots on the right-hand side, select the Contains Secret classification, and click OK. Now, move to the Reaction tab by clicking “Reaction”. Here, set the Prevent Action to Block. In the User Notification section, click the three dots to open the User Notification dialog box and click New Item at the bottom. Type “Tried to copy the word secret” in the Name section and “You have just tried to copy the word secret and have been blocked” in the Text to display section, then click Save. Now, check the “Tried to copy the word secret” user message and click OK. Lastly, check the Report Incident box and click Save at the bottom right. We can now close the DLP Rule Set.
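To make the pieces above concrete, the classification criteria (a Dictionary definition holding a phrase, and Advanced Pattern definitions built from regular expressions for things like Social Security or credit card numbers) and the rule’s reaction (Block, a user notification, Report Incident) can be modelled as plain data and evaluated against clipboard text. The following Python is an added example written for this page; it is not McAfee code and does not reproduce the agent’s real matching engine. The dictionary, classification, rule and notification names follow the walkthrough; the class names, the regular expressions, the Luhn check on card candidates, and the “Contains PII” classification with its report-only rule are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union


def luhn_valid(candidate: str) -> bool:
    """Luhn mod-10 check over the digits of candidate (separators ignored).
    Assumed validator so that random 16-digit strings are not reported as cards."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) > 1 and total % 10 == 0

@dataclass
class DictionaryDefinition:
    """Dictionary Data criterion: case-insensitive, whole-word phrase list."""
    name: str
    phrases: List[str]

    def matches(self, text: str) -> List[str]:
        return [p for p in self.phrases
                if re.search(r"\b%s\b" % re.escape(p), text, re.IGNORECASE)]

@dataclass
class AdvancedPatternDefinition:
    """Advanced Pattern criterion: a regular expression plus an optional validator."""
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None

    def matches(self, text: str) -> List[str]:
        return [m.group(0) for m in self.pattern.finditer(text)
                if self.validator is None or self.validator(m.group(0))]

@dataclass
class Classification:
    """A classification fires when any of its criteria matches."""
    name: str
    criteria: List[Union[DictionaryDefinition, AdvancedPatternDefinition]]

    def classify(self, text: str) -> Dict[str, List[str]]:
        return {c.name: hits for c in self.criteria if (hits := c.matches(text))}

@dataclass
class ClipboardRule:
    """The fields set on the rule's Data Protection and Reaction tabs."""
    name: str
    classification: Classification
    enabled: bool = True
    severity: str = "Major"
    prevent_action: str = "Block"          # "Block" or "No Action" (report only)
    notification: Optional[str] = None     # shown to the user only when blocked
    report_incident: bool = True

@dataclass
class Verdict:
    blocked: bool
    notification: Optional[str]
    incident: Optional[Dict[str, object]]  # what the Incident Manager would receive

def evaluate_clipboard(text: str, rule: ClipboardRule) -> Verdict:
    """Apply one clipboard rule to copied text and return what the endpoint does."""
    if not rule.enabled:
        return Verdict(False, None, None)
    hits = rule.classification.classify(text)
    if not hits:
        return Verdict(False, None, None)
    blocked = rule.prevent_action == "Block"
    incident = None
    if rule.report_incident:
        incident = {"rule": rule.name, "severity": rule.severity,
                    "action": "Blocked" if blocked else "Monitored", "matched": hits}
    return Verdict(blocked, rule.notification if blocked else None, incident)

# The objects the walkthrough creates in the console, expressed as data.
SECRET_DICTIONARY = DictionaryDefinition("Contains Secret Dictionary", ["secret"])
CONTAINS_SECRET = Classification("Contains Secret Classification", [SECRET_DICTIONARY])
PREVENT_SECRET_COPY = ClipboardRule(
    "Prevent secret from being copied", CONTAINS_SECRET,
    notification="You have just tried to copy the word secret and have been blocked")

# Constructed advanced patterns of the kind the built-in definitions cover (assumed regexes).
SSN_PATTERN = AdvancedPatternDefinition(
    "US SSN (constructed)", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"))
CARD_PATTERN = AdvancedPatternDefinition(
    "Payment card (constructed)", re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_valid)
CONTAINS_PII = Classification("Contains PII (constructed)", [SSN_PATTERN, CARD_PATTERN])
MONITOR_PII_COPY = ClipboardRule(
    "Report PII copies (constructed)", CONTAINS_PII, prevent_action="No Action")

if __name__ == "__main__":  # constructed clipboard samples run against both rules
    for sample in ["Please file the secret plans", "card 4111 1111 1111 1111, ssn 123-45-6789"]:
        for rule in (PREVENT_SECRET_COPY, MONITOR_PII_COPY):
            print(f"{sample!r} vs {rule.name}: {evaluate_clipboard(sample, rule)}")
```

Running the file prints the verdict for two constructed clipboard samples against both rules. The whole-word match is why “secretary” does not trigger the dictionary, and the Luhn validator is there because a bare 16-digit regex would report many strings that are not card numbers; tuning validators like this and the Phrase list is where most DLP false-positive work ends up.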
Next, we’ll assign this rule set to a policy on the Policy Assignment tab. Click the Policy Assignment tab, then click Actions | Assign a Rule Set to policies. In the drop-down, select your “Prevent Secret from being copied” rule set and assign it to the My Default DLP Policy. Then click OK.
After you’ve assigned the rule set, you’ll need to apply the selected policy by clicking Actions | Apply Selected Policies, then make sure that the My Default DLP Policy is checked and click OK.
Okay, let’s go ahead and wake up the agent again so that the new policies are sent down to the client system. Go to the System Tree, find your test DLP system, check it, and click Wake Up Agents.
Now that the DLP Policy has been sent to the client system, let’s test it out.
On the client system, open two new Notepad windows. In the first one, type the word secret, highlight it, and copy it. Now, go to your second Notepad window and try to paste the word. The paste is blocked, and in the bottom right a notification appears letting you know that copying that word is blocked. Success!
Even though our example prevents copying this word to the clipboard, the same concept can be used to block other actions. You can create new block actions in the McAfee DLPe policies by going to the Rule Set in the DLP Policy Manager: click Menu | Data Protection | DLP Policy Manager, click the Rule Set, and then click Actions | New Rule at the bottom. Here’s the list of actions that you can block.
Application File Access Protection
Network Communication Protection
Network Share Protection
Removable Storage Protection
Screen Capture Protection
Web Post Protection
Reviewing DLPe Incidents
Even though McAfee DLPe has blocked these copy attempts, as an administrator you’ll want to review the blocked incidents. You can also configure the rule to only report, without blocking, when a copy attempt is made.
To review the incidents, go to Menu | Data Protection | DLP Incident Manager. In the DLP Incident Manager, you can see that there was an attempt to copy the word secret with the clipboard. You can review the details of the incident by clicking the Incident ID number in the first column. Additionally, you can set up an automated email or assign a reviewer from the Incident Tasks tab.
We have just taken a quick look at the workflow for McAfee DLPe 9.4. As you can see, the interface is streamlined and runs natively in ePO, which brings many benefits that the legacy DLP ActiveX control didn’t provide, such as the ability to assign policies to various groups easily. This lets you quickly create and assign DLPe policies to match the different needs of your clients.