Hello, in this document, we’re going to talk about creating a block rule for cloud storage such as Microsoft’s OneDrive. In DLPe, we have the ability to block files that match certain criteria’s from being uploaded. These criteria are fully customizable and can be anything from a single word to an advanced pattern, and there are many built in criteria’s such as social security numbers or credit card numbers. After you’ve selected a criteria, you can configure DLPe to block sending files to cloud services.
We’re just going to create a policy to block Social Security Numbers from being sent to OneDrive, pop up a message, and report on that to ePO so that we can see that it was blocked.
Our first step is to create a criteria that will identify Social Security Numbers and prevent those from being accessed. You can use an existing criteria if you already have one in mind.
Select Menu | Data Protection | Classification
Here, we’ll want to create a new classification by clicking on the New Classification in the bottom left.
Let’s name this classification “Contains Social Security Numbers Classification” and click OK
Now, let’s select Action | New Classification Criteria
We’ll Name this Classification Criteria “Social Security Numbers Criteria”
Since we’re adding a criteria for Social Security Numbers, we’ll want to click on the arrow next to Advanced Pattern.
Then, we’ll click on the three dots next to the field and in the popup menu, we’ll type in Social Security in the Filter Items box and hit go. Put a check next to Social Security Number and then click OK at the bottom.
Now that that’s assigned, you can click Save to save your criteria. Lastly, you have to save this classification by clicking on Actions | Save Classification.
Now that we have our classification created, we can go to our DLP Policy Manager to assign this classification. Go to Menu | Data Protection | DLP Policy Manager.
First, we’ll want to create a new rule set. Click on Actions | New Rule Set and name this rule set “Prevent SSN from sent to OneDrive Rule Set”. Now, click on your new rule set.
Then, click on Actions | New Rule | Cloud Protection. Let’s name this rule “Prevent SSN from being sent to OneDrive Rule”. We’ll also need to change the state from Disabled to Enabled. Let’s also change the severity from Warning to Major.
In the bottom section, we’ll want to use our newly created classification. In the Classification section, click on the three dots on the right hand side. Select the Contains Social Security Numbers Classification and then click OK.
Next, put a check next to the Onedrive.
Now, let’s move to the Reaction tab by clicking on “Reaction”. Here, let’s have the Prevent Action be to Block. In the User Notification section, click on the three dots to open the User Notification dialog box. Now, check the “Default cloud protection user notification” user message and click OK. Lastly, let’s check the Report Incident box and then click save at the bottom right. We can now close the DLP Rule Set.
Next, we’ll want to assign this policy by clicking on the Policy Assignment Tab. Click Actions | Assign a Rule Set to policies. In the drop down, select your “Prevent Social Security Numbers from being sent to OneDrive” rule set and assign it to the My Default DLP Policy. Then Click OK.
After you’ve assigned the policy, you’ll need to apply the selected policy by clicking Actions | Apply Selected Policies, and then Make sure that the My Default DLP Policy is checked and click OK.
Okay, let’s go ahead and wake up the agent again so that the new policies are sent down to the client system. I’m just going to perform a collect and send props from the client.
Now that the DLP Policy has been sent to the client system, let’s test it out.
On the client system, I’m going to copy the file to the Onedrive location and perform a sync. As you can see, it’ll block it and in the bottom right, a notification will appear and let you know that the file was blocked due to sensitive content. Success!
Reviewing DLPe Incidents
Even though McAfee DLPe has blocked these attempts to copy, as an administrator you’ll want to see these blocked incidents. You can also configure the policy not to block and only report when a copy attempt is made.
To review the incidents, go to Menu | Data Protection | DLP Incident Manager. In the DLP Incident Manager, you can see that there was an attempt to copy the SSNs. You can review the details of the incident by clicking on the Incident ID number in the first column. Additionally, you can create an automated email or a reviewer with the Incident Tasks tab.
The DLP Cloud protection rules protects against a user sending files to a cloud service. This would help secure your environment from this avenue of data leakage.