McAfee Host Data Loss Prevention Best Practices: Protecting against data loss from external devices
Copyright 2009 McAfee, Inc. All Rights Reserved.
Contents

Protecting against data loss from removable devices and file systems ... 4
    Device control ... 4
    Content protection rules ... 6
... 8
    Use case: Blocking wireless communication ... 8
    Use case: Making all USB removable storage read-only except authorized devices ... 10
    Use case: Blocking files containing personal identity information ... 11
    Use case: Blocking files created by a GIS application ... 13
    Use case: Disabling all CD/DVD burners from writing ... 14
Protecting against data loss from removable devices and file systems

The purpose of this document is to provide a brief overview of ways to protect against data loss and to walk you through several use cases and best practices for data loss protection.

Contents
- Device control
- Content protection rules

Device control

Device control protects enterprises from the risk associated with unauthorized transfer of data from within or outside the organization. Data loss is defined as confidential or private information leaving the enterprise as a result of unauthorized communication through channels such as applications, physical devices, or network protocols. Memory sticks are the smallest, easiest, cheapest, and least-traceable method of downloading large amounts of data, which is why they are often considered the "weapon of choice" for unauthorized data transfer.

McAfee Device Control allows monitoring and controlling external device behavior based on the device attributes rather than the content being copied. Using McAfee Device Control, devices attached to enterprise computers, such as smart phones, removable storage devices, Bluetooth devices, MP3 players, or Plug and Play devices, can be monitored, blocked, or configured to be read-only.

There are two types of device control rules available in McAfee Device Control:
- Plug and Play device rules
- Removable storage device rules

Plug and Play device rules

Plug and Play device rules work on the device driver level, and can be used to block and monitor devices. Whenever a new device is plugged into the computer, McAfee Device Control matches the new device attributes against the device attributes defined in the Plug and Play device rule. If a match is found, McAfee Device Control performs the action (block, monitor, or notify user) defined by the device rule. Plug and Play device rules are used to restrict the use of peripheral devices such as Bluetooth adapters and modems.

Although Plug and Play device rules can also be applied to removable storage devices, McAfee does not recommend using them for such devices.

Pros and cons of Plug and Play device rules

Pros:
- Allow for blocking any type of device.
- Block devices at a very low level, before the driver has a chance to load.
- Allow for easy blocking of entire device classes and bus types (such as "block all USB").

Cons:
- The device blocking is based only on the device attributes and does not inspect content.
- Can only block or monitor. Cannot make a device read-only.

Recommended use cases:
- Block all Bluetooth adapters and modems. The enterprise wants to restrict end users from using Bluetooth and modem communication to transfer data.
- Block all wireless communication. The enterprise wants to restrict end users from using wireless communication while connected to the corporate network. See Use case: Blocking wireless communication.

Removable storage device rules

Removable storage device rules are used for blocking and monitoring removable storage devices such as flash drives, MP3 players, and external hard drives. They can block, monitor, or configure the removable storage to read-only. Whenever a new removable storage device is plugged into the computer, McAfee Device Control matches the new device attributes against the device attributes defined in the removable storage device rule. If a match is found, McAfee Device Control performs the action defined by the device rule.

Removable storage device rules work on the file system level, and allow for more flexibility than Plug and Play device rules. For example, a removable storage device rule can match a device based on its file system type (NTFS, FAT32) or file system volume label. In addition, they provide more accurate device names. For example, an iPod is recognized by the Plug and Play mechanism as a USB mass storage device, whereas the removable storage rule recognizes it as an Apple iPod, which is more meaningful. (This description fits older iPods. The iPod Touch is recognized as a Windows Image Acquisition device.)

McAfee recommends using removable storage device rules, rather than Plug and Play device rules, to control all devices that provide removable storage, such as USB mass storage devices, flash drives ("Disk on Key"), and CD/DVD.

NOTE: Since Plug and Play device rules are applied on the device driver level, they are applied before removable storage device rules. The implication is that if a removable storage device is blocked by both types of rule, the removable storage device rule will not be applied.

Pros and cons of removable storage device rules

Pros:
- Allow read-only mode for removable storage devices.
- Allow for greater flexibility for device matching (file system type, volume label).

Cons:
- The device blocking is based only on the device attributes and does not inspect content.

Recommended use cases:
- Make all USB removable storage read-only except authorized devices. An enterprise has purchased a specific brand of encrypted flash drive and would like to restrict the use of any other flash drive. See Use case: Making all USB removable storage read-only except authorized devices.
- Disable all CD/DVD burners from writing. The enterprise wants to restrict engineering end users from using CD/DVD burners to write CDs. McAfee Device Control is not able to analyze the content written to CD/DVD, therefore removable storage device rules should be used. See Use case: Disabling all CD/DVD burners from writing.

Content protection rules

Unlike device control functionality that blocks the entire device, content protection rules protect individual files based on their content. When a file is copied to a network shared folder or a removable storage device, McAfee Host Data Loss Prevention performs deep content analysis to classify the content, and performs one (or more) of the following actions:

- Block: Moves the file to the local quarantine folder and deletes its content from the removable storage. This action is not available for network shared folders.
- Monitor: Sends an incident event to the Host DLP database (in version 3.0, the ePolicy Orchestrator database) for monitoring and case management.
- Store Evidence: Stores the original file that was copied so it can be viewed in the Host DLP Monitor.
- Notify User: Shows a popup to the end user as notification of the action that was performed.
- Encrypt: Encrypts the file using McAfee Endpoint Encryption. This action is available in version 3.0.

Removable storage protection rules

Removable storage protection rules allow for blocking and monitoring of individual files being written to removable devices according to file attributes and their content classification. When a file is copied to a removable storage device, the Host DLP Agent inspects, analyzes, and classifies the file content, and if the file classification matches one or more of the removable storage protection rules, the agent applies the action defined in the rule.

Host DLP provides several content classification techniques, including:
- Regular expression matching
- Keyword
- Application that created or edited the file
- Current storage location
- Where the file is being copied to

McAfee recommends using removable storage protection rules whenever an enterprise allows use of removable storage devices, but wants to restrict (or monitor) the data that is written to them.

Pros and cons of removable storage protection rules

Pros:
- Allow blocking individual files according to their content and attributes, rather than blocking the entire device.

Cons:
- Uses CPU resources to analyze every file copied to removable media.
Recommended use cases:
- Block copying of files containing personal identity information (PII). There are many forms of PII: Social Security Number (SSN), driver's license number, National Identification Number, and so on. McAfee Host Data Loss Prevention contains pre-defined regular expression patterns (Secured Text Patterns) that can be used to create these rules. See Use case: Blocking files containing personal identity information. NOTE: Version 3.0 introduces regular expression validators to reduce false positives.
- Block copying of files created by a Geographic Information System (GIS) application to removable storage. Certain applications create files that contain binary information that cannot be content inspected. McAfee Host Data Loss Prevention provides a unique technology to classify content based on the application that creates or edits the file. By creating application-based tagging rules, the Host DLP Agent can tag any file that is created by a GIS application. This tag can then be used in removable storage protection rules to block or monitor copying of GIS files to removable storage. See Use case: Blocking files created by a GIS application.

Network file system protection rules

Network file system protection rules are very similar to removable storage protection rules, but they apply to the Windows network file system (shared folders) rather than devices. They support monitoring files copied to a defined Windows share, but they do not support blocking the copy operation. Version 3.0 introduces the ability to encrypt files that are copied to the network, to enforce compartmentalization policies, using McAfee Endpoint Encryption.

Recommended use cases:
- Monitor all files containing credit card numbers being copied to public folders on a file server. Many organizations provide public folders for file sharing on the network. Reckless users can copy sensitive files to these folders. Using McAfee Host Data Loss Prevention you can create a network file system protection rule to Monitor, Notify User, and Store Evidence for every file that contains sensitive information, such as credit card numbers, when copied to the public folder on the network. Ideally, such files should also be encrypted.
- Compartmentalization (available in version 3.0 using McAfee Endpoint Encryption integration). Assume your organization has an engineering group, a finance group, and a sales group. You can use the version 3.0 and McAfee Endpoint Encryption integration to generate three encryption keys: FINANCE_KEY, ENGINEERING_KEY and SALES_KEY. Each key is available only to members of that group to unlock files. Using these keys in network file system protection rules can ensure that every sensitive file that is copied to a network shared folder is properly encrypted, and visible only to authorized users.
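The content protection flow described above (a content-based tagging rule for Social Security Numbers, a version 3.0-style validator that cuts false positives, and protection rules whose effective actions depend on whether the destination is removable storage or a network share), modelled as an added Python example; this is not McAfee code, and the SSN pattern, the validator checks and the rule representation are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the pre-defined "Social Security Number" secured text
# pattern: three digits, two digits, four digits, separated by dashes.
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Validator (assumption: structural checks a regex validator might apply)
    that rejects values the pattern alone accepts: area 000, 666 or 900-999,
    group 00, serial 0000. This is what reduces false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def tag_content(text: str, use_validator: bool = True) -> set:
    """Content-based tagging rule: attach "SSN Tag" when a match is found.
    With use_validator=False this behaves like a regex-only (pre-3.0) rule."""
    for m in SSN_PATTERN.finditer(text):
        if not use_validator or valid_ssn(*m.groups()):
            return {"SSN Tag"}
    return set()


@dataclass(frozen=True)
class ProtectionRule:
    name: str
    destination: str     # "removable" (removable storage) or "network" (shared folder)
    tags: frozenset      # tags the rule reacts to
    actions: frozenset   # actions selected on the rule's actions page


def apply_rule(rule: ProtectionRule, tags: set, destination: str) -> set:
    """Actions that take effect for a file carrying `tags` copied to `destination`.
    Block is not available for network shared folders, so a network rule keeps
    only its monitoring-style actions."""
    if destination != rule.destination or not (set(tags) & rule.tags):
        return set()
    effective = set(rule.actions)
    if destination == "network":
        effective.discard("Block")
    return effective


# Constructed rules mirroring the use cases in the text.
BLOCK_PII_REMOVABLE = ProtectionRule(
    "Block PII copied to removable storage", "removable", frozenset({"SSN Tag"}),
    frozenset({"Block", "Monitor", "Notify User", "Store Evidence"}))
MONITOR_PII_NETWORK = ProtectionRule(
    "Monitor PII copied to public share", "network", frozenset({"SSN Tag"}),
    frozenset({"Block", "Monitor", "Notify User", "Store Evidence"}))


def decide(text: str, destination: str, use_validator: bool = True) -> set:
    """End to end: classify the file content, then apply every matching rule."""
    tags = tag_content(text, use_validator)
    actions = set()
    for rule in (BLOCK_PII_REMOVABLE, MONITOR_PII_NETWORK):
        actions |= apply_rule(rule, tags, destination)
    return actions
```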
The following examples demonstrate the techniques discussed in the text.
- Use case: Blocking wireless communication
- Use case: Making all USB removable storage read-only except authorized devices
- Use case: Blocking files containing personal identity information
- Use case: Blocking files created by a GIS application
- Use case: Disabling all CD/DVD burners from writing

Use case: Blocking wireless communication

Assume an organization wants to restrict end users from using wireless communication while connected to the corporate network. With McAfee Device Control it is possible to define a policy that differentiates between users who are online (connected to the corporate network) and those who are offline. The following example shows how to block wireless adapters while a user is connected to the corporate network.

Example
1 In the Navigation Bar under Device Management, select Device Definitions.
2 Right-click in the device definitions panel, and click Add New Plug and Play Device Definition. Type Wireless Network Adapters to rename, and press Enter.
3 Double-click the device definition to edit it. Select Device Class, then select Network Adapters and click OK.
4 Select Device Name. The definition parameter edit dialog box appears.
5 Click Add New and type wireless into the text box. Select the Allow Partial Match option.
6 Click Add New and type wlan into the text box. Select the Allow Partial Match option.
7 Click Add New and type 802.11 into the text box. Select the Allow Partial Match option. Click OK twice to complete the definition.
8 In the Navigation Bar under Device Management, select Device Rules.
9 Right-click in the device definitions panel, and click Add New Plug and Play Device Rule. Type Block wireless network adapters when online to rename, and press Enter.
10 Double-click to edit the rule. Select Wireless Network Adapters in the Include column. Click Next.
11 Select Block, Monitor, and Notify User.
12 For each action, deselect the Offline option. Click Finish.

Use case: Making all USB removable storage read-only except authorized devices

Assume an organization has purchased a specific brand of encrypted flash drives and would like to restrict the use of all other flash drives.

Example
1 In the Navigation Bar under Device Management, select Device Definitions.
2 Right-click in the device definitions panel, and click Add New Removable Storage Device Definition. Type USB Removable Storage to rename, and press Enter.
3 Double-click the device definition to edit it. Select Bus Type, select USB and click OK.
4 Right-click in the device definitions panel again, and click Add New Removable Storage Device Definition. Type McAfee Encrypted USB Devices to rename, and press Enter.
5 Double-click the device definition to edit it. Select Bus Type, select USB Vendor ID/Product ID and click Add New. The definition parameter edit dialog box appears.
6 Click Add New to add each of the following devices:

    Vendor ID   Product ID   Description
    1A4B        022A         McAfee Standard Encrypted USB
    1A4B        3220         McAfee Standard Driverless Encrypted USB
    1A4B        3200         McAfee Zero-Footprint Bio
    1A4B        3500         McAfee Zero-Footprint Non-Bio
    1A4B        3400         McAfee Encrypted USB Hard Disk

    TIP: Use the mouse to select the Product ID and Description text boxes.

7 In the Navigation Bar under Device Management, select Device Rules.
8 Right-click in the device definitions panel, and click Add New Removable Storage Device Rule. Type Block all USB except McAfee to rename, and press Enter.
9 Double-click to edit the rule. Select USB Removable Storage in the Include column, and select McAfee Encrypted USB Devices in the Exclude column. Click Next.
10 Select Monitor, Notify User and Read Only. Click Finish.

Use case: Blocking files containing personal identity information

The following example shows how to create a content-based tagging rule that tags any file containing a social security number, and how to create a removable storage protection rule that prevents copying these files to removable storage.

Example
1 In the Navigation Bar under Rules, select Tagging Rules. Right-click in the tagging rules panel, click Add New Content Based Tagging Rule, and type SSN Tagging Rule to rename the rule.
2 Double-click the rule to edit it. From the pre-defined list of secured text patterns, check Social Security Number. Click Next.
3 On the tags page, click Add New, type SSN Tag in the Name text box, click OK, then Finish.
4 In the Navigation Bar under Rules, select Reaction Rules. Right-click in the panel, click Add New Removable Storage Protection Rule, and rename it Block PII copied to removable storage.
5 Double-click the rule to open the wizard. You can skip all of the steps except the following:
    a On the tags page, select the SSN tag created in step 4.
    b On the actions page, select Block, Monitor, Notify User, and Store Evidence.

Use case: Blocking files created by a GIS application

The following example shows how to create an application-based tagging rule that tags any file that is created or edited by a Geographic Information System (GIS) application, and how to create a removable storage protection rule that prevents copying GIS files to removable storage.

Example
1 In the Navigation Bar under Applications, select Enterprise Applications List.
2 Right-click in the application list panel, and click Add. Browse to the GIS application executable, then click Open. Note the exact executable name; you will need it in the next step. Click Add, then Close.
3 In the Navigation Bar under Applications, select Application Groups. Right-click in the panel, and click Add New Application Group. Type GIS Applications in the Name text box and press Enter.
4 Double-click the GIS Applications group. Browse to the name of the vendor and select it. Click the plus sign next to the name to view the details. If there are other products by the same vendor you don't want to include in the rule, deselect them.
5 In the Navigation Bar under Rules, select Tagging Rules. Right-click in the tagging rules panel, click Add New Application Based Tagging Rule, and type GIS Tagging Rule to rename the rule.
6 Double-click the rule, select GIS Applications, then click Next.
7 (Optional) Click Select from list, select Graphic files, then click Next three times to reach the Tags page.
8 Click Add New, name the tag GIS Tag, click OK, then Finish.
9 In the Navigation Bar under Rules, select Reaction Rules. Right-click in the panel, click Add New Removable Storage Protection Rule, and rename it Block GIS files copied to removable storage.
10 Double-click the rule to open the wizard. You can skip all of the steps except the following:
    a On the tags page, select the GIS Tag created in step 6.
    b On the actions page, select Block, Monitor, Notify User, and Store Evidence.

Use case: Disabling all CD/DVD burners from writing

Assume an organization wants to restrict engineering end users from using CD/DVD burners to write CDs. McAfee Host Data Loss Prevention is not able to analyze the content written to CD/DVD, therefore removable storage device rules should be used.

Limitation: The following CD/DVD burners are not protected in McAfee Host Data Loss Prevention v2.2:
- Alcohol 120%
- Iomega Hotburn

Example
1 In the Navigation Bar under Device Management, select Device Definitions.
2 Right-click in the device definitions panel, and click Add New Removable Storage Device Definition. Type CD/DVD Devices to rename, and press Enter.
3 Double-click the device definition to edit it. Select CD/DVD Drives and click OK to close the definition dialog.
4 In the Navigation Bar under Device Management, select Device Rules.
5 Right-click in the device definitions panel, and click Add New Removable Storage Device Rule. Type Block all CD-R burning to rename, and press Enter.
6 Double-click to edit the rule. Select CD/DVD Devices in the Include column. Click Next.
7 Select Notify User and Read Only. Click Finish.
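The three device-rule use cases above (the online-only Plug and Play rule for wireless adapters, the USB read-only rule with the McAfee Vendor ID/Product ID exclusion, and the CD/DVD read-only rule), together with the evaluation-order note in the device control section, modelled as an added Python simulation; it is not McAfee code, and the Device attributes, the rule representation and the non-McAfee sample VID/PID values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Vendor ID / Product ID pairs from the "McAfee Encrypted USB Devices" definition.
MCAFEE_ENCRYPTED_USB = {
    ("1A4B", "022A"), ("1A4B", "3220"), ("1A4B", "3200"),
    ("1A4B", "3500"), ("1A4B", "3400"),
}
# Device Name entries of the "Wireless Network Adapters" definition (partial match).
WIRELESS_NAMES = ("wireless", "wlan", "802.11")


@dataclass
class Device:
    """Constructed view of the attributes the two rule types match on."""
    name: str
    bus: str = ""             # bus type, e.g. "USB"
    device_class: str = ""    # Plug and Play device class, e.g. "Network Adapters"
    vid: str = ""             # USB Vendor ID
    pid: str = ""             # USB Product ID
    cd_dvd: bool = False      # matched by the "CD/DVD Devices" definition


def is_wireless_adapter(d: Device) -> bool:
    return d.device_class == "Network Adapters" and any(
        w in d.name.lower() for w in WIRELESS_NAMES)


def is_usb_storage(d: Device) -> bool:
    return d.bus == "USB" and not d.cd_dvd


def is_mcafee_encrypted(d: Device) -> bool:
    return (d.vid.upper(), d.pid.upper()) in MCAFEE_ENCRYPTED_USB


# Plug and Play rules: (name, definition, actions, online_only). online_only
# models the Offline option being deselected for every action in the wizard.
PNP_RULES = [
    ("Block wireless network adapters when online", is_wireless_adapter,
     frozenset({"Block", "Monitor", "Notify User"}), True),
]
# Removable storage rules: (name, Include definition, Exclude definition, actions).
RS_RULES = [
    ("Block all USB except McAfee", is_usb_storage, is_mcafee_encrypted,
     frozenset({"Monitor", "Notify User", "Read Only"})),
    ("Block all CD-R burning", lambda d: d.cd_dvd, lambda d: False,
     frozenset({"Notify User", "Read Only"})),
]


def evaluate(device: Device, online: bool = True):
    """Return (rule name, actions) for the rule that takes effect, or (None, set()).
    Plug and Play rules run first, at the driver level; a Plug and Play match
    ends evaluation, so a removable storage rule for the same device is never
    applied (the NOTE in the device control section)."""
    for name, matches, actions, online_only in PNP_RULES:
        if matches(device) and (online or not online_only):
            return name, set(actions)
    for name, include, exclude, actions in RS_RULES:
        if include(device) and not exclude(device):
            return name, set(actions)
    return None, set()
```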