4 Replies. Latest reply: Oct 11, 2012 1:21 PM by cpredovic

    DLP monitoring only


      Hey Guys,


      I've just installed DLP 9.2 on a test server to try it out.


      I've had a look and am trying to find a setting or option to run monitoring only. A bit like running Learning mode in HIPS.


      I want to see if we can log what devices are being connected to machines and what files/history of what is being copied off.


      Any ideas?



        • 1. Re: DLP monitoring only

          That's a device rule that you want at least, which will tell you what devices are being plugged and unplugged.


          As you'll see from the dense following 4 paragraphs, it's really quite simple. ;-)


          See also, chapter 2 of https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23614/en_US/dlp_920_pg_endpt-epo45_en-us.pdf (assuming you have ePO 4.5... there's a separate product guide for 4.6 I think).


          In the Menu > Data Protection > DLP Policy widget, Device rules, add new removable storage device rule, call it "monitor all removable storage devices", include all devices, exclude nothing, click next, select Monitor online/offline, next, finish. Make sure the rule is Enabled (which ironically you verify by the disable button being available near the top), and press Apply near the upper left to crap the policy out to the ePO.


          Then, in ePO, in your system tree, under the sub group you wanna test this on, go to policies, DLP policies, ... Duplicate the default Data Loss Prevention Computer Assignment group policy to a new DLP policy that adds the name "policies activated" to it (e.g. name the copy McAfee Default Computers Assignment Group (policies activated)), edit settings on this new policy, checkmark "logged in user" and "local user" for the rule "monitor all removable storage devices" (assuming you took my naming advice in paragraph 2). Click save, do a wake up agents on the hosts that are in the system tree under where you added this policy. Plug in some usb cruft into one of the hosts that's in this test subgroup where you've created this policy. Do another wake up agents on those hosts to compel the ePO agent on the clients to push the DLP agent events up to ePO, then in ePO Menu > Data Protection > DLP Monitor, wait a few minutes, refresh, and hope to see some "plug" events.


          If you access ePO with a web browser on a machine that's not the ePO server, and Menu > Data Protection > DLP Monitor doesn't come up for you and gives you WCF errors and the like, check the (Menu > Data Protection > DLP Monitor > Tools > Options > WCF service path) and be sure the URL is pointing to ePO's hostname rather than localhost.


          See, it's really quite simple. *cough* *snort* *choke*


          Caveat: I'm new at this and the setup was done with consulting help, and I've almost surely gotten something wrong in my recollection above.


          The McAfee Quickstart consulting service for HDLP delivered by Accuvant is actually pretty good on this product and pretty good bang for the buck because this stuff is just ... stupid complicated. I'm sure your McAfee sales rep might be willing to sell you some 4 hour blocks of Quickstart. They're remote screenshare consulting help from what seem to be pretty well trained Accuvant guys. You schedule a 4 hour block with em, get assigned a consultant, when the 4 hour block starts, use it all up, and in that time if you come in with a simple agenda like this, you'll learn a ton riding along with someone experienced who's 100% focused on your issue for 4 hours and has done countless new setups like this. It's not terribly expensive, and you can use the 4 hour blocks any time though they expire in a year. McAfee does their best to make the front end of Quickstart a little miserable, but once you're in Accuvant land, it's actually pretty pleasant. Expect to wait a few days lead time for your scheduled slot. If you're deploying network DLP at all, I do not recommend Quickstart. Get someone fleshy onsite and experienced who knows the gamut.


          Good luck and godspeed.


          Message was edited by: Regis on 8/22/12 10:39:53 PM CDT


          Message was edited by: Regis on 8/22/12 11:02:11 PM CDT
          • 2. Re: DLP monitoring only

            You sir are a bona fide legend - up and running without issue..... next I'm going to attempt monitoring file copies.... thanks for your help!!!!!!!!!!!

            • 3. Re: DLP monitoring only

              Holy cats, that all worked out? I'm shocked! Glad it helped!


              Message was edited by: Regis on 8/22/12 11:30:21 PM CDT
              • 4. Re: DLP monitoring only

                Wow, thanks very much for the pointers. I just installed today and was pulling hair trying to get events to show in the monitor. I missed the bit about copying/editing the computer policy and I also missed the bit about applying the policy changes to ePO. Thanks again!