
Forcepoint DLP

Administrator
Student Guide
Forcepoint Technical Enablement Program

Rev. CA0192
© 2020 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or
reduced to any electronic medium or machine-readable form without prior consent in writing
from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However,
Forcepoint makes no warranties with respect to this documentation and disclaims any implied
warranties of merchantability and fitness for a particular purpose.

Forcepoint shall not be liable for any error or for incidental or consequential damages in
connection with the furnishing, performance, or use of this manual or the examples herein. The
information in this documentation is subject to change without notice.

forcepoint.com i
Contents
1. Introduction to Forcepoint DLP ... 3
Define the acronym “DLP” and explain how it can affect an organization ... 6
Identify and define core DLP terms ... 7
Walk-through: Access Forcepoint Security Manager and perform initial configuration of Forcepoint DLP ... 8
Identify the different states of data that Forcepoint DLP can protect ... 15
Define what a DLP system module is and explain the basic function each module performs ... 16
Walk-through: Locate and configure registered system modules in a DLP environment ... 23
Identify the parts of a DLP incident envelope and where they are stored ... 31
Given a flow diagram, explain the sequence of steps in a DLP transaction ... 32
Identify the different channels and associated transaction types that Forcepoint DLP can protect ... 34
Identify available Forcepoint DLP product information resources and where they can be accessed ... 35
Explain where Forcepoint DLP fits into the Human Point System ... 36

2. Forcepoint DLP Licensing ... 45
Explain the DLP license types and their related features ... 48
Walk-through: Analyze the content of a DLP subscription file and deploy it to a DLP environment ... 52

3. Configuring Forcepoint DLP Classifiers ... 62
List and explain each classifier type ... 65
Walk-through: Create simple classifiers ... 69
Walk-through: Create a regular expression classifier ... 78
Walk-through: Configure the parameters of a predefined script classifier ... 88

4. Configuring Forcepoint DLP Resources ... 96
Walk-through: Configure and import from Active Directory ... 100
List and explain each DLP resource ... 111
Walk-through: Create a functional example of each DLP resource ... 120
List and explain the default action plans ... 137
Walk-through: Create a custom action plan ... 140
List and explain the default notifications ... 145
Use dynamic variables in notifications ... 148
Walk-through: Configure the default notification ... 149

5. Configuring DLP Policies and Rules ... 156
Define what a DLP policy is, identify three broad types of them, and explain what they do ... 159
Walk-through: Configure and test the Quick Web policy ... 162
Walk-through: Configure and test a predefined policy ... 172
Walk-through: Configure and test a custom policy ... 179
Explain how cumulative rules can be used in DLP ... 187
Explain the purpose and function of a rule exception ... 188
Explain how to perform a bulk update of multiple policies and rules ... 189
Explain how policy levels provide scope and processing order for policies, then create a new policy level and assign policies to it ... 190
Walk-through: Create a new policy level and assign policies to it ... 192

6. Implementing OCR Analysis ... 200
Explain the capabilities and modes of OCR ... 203
Walk-through: Configure a policy engine to work with an OCR server ... 206

7. The Forcepoint One Endpoint ... 215
Identify the core features of the Forcepoint One Endpoint ... 218
Explain the current OS and software compatibility of the Forcepoint One Endpoint ... 219
Explain the endpoint global and profile settings ... 220
Walk-through: Install and configure the Forcepoint One Endpoint and browser extension ... 222
Identify supported endpoint encryption methods ... 230
Walk-through: Use the Forcepoint One Endpoint to encrypt files copied to removable media ... 231
Explain the DLP endpoint temporary bypass feature ... 238
Walk-through: Temporarily bypass the Forcepoint One Endpoint ... 239
Walk-through: Configure the mode of the endpoint browser extension ... 247
Explain the DLP endpoint employee coaching feature ... 259
Walk-through: Enable and test the employee coaching feature ... 260

8. Working with Cloud Applications and CASB ... 267
Walk-through: Use the Online Applications feature to detect web file uploads to Google Drive or Dropbox ... 276
Connecting Forcepoint DLP to the CASB service ... 295

9. Analyzing DLP Incidents and Reporting ... 305
Define the core terminology of Forcepoint DLP incident reporting ... 309
List and explain the report types in the report catalog ... 311
Analyze an incident in an incident list report ... 312
Reinforcing lab: Perform UI based incident workflow ... 314
Walk-through: Perform a remediation operation on a batch of incidents ... 319
Explain the features of the incident risk ranking dashboard ... 327

10. Maintaining Regulatory Compliance ... 330
Define the term AUP (Acceptable Usage Policy) ... 333
Explain how to create policies that support your acceptable usage policy ... 334
Explain governmental regulatory compliance specifications ... 335
Reinforcing lab: Deploy DLP policies that meet a specific set of regulatory compliance specifications ... 336
Give a high-level overview of delegated administrators and role-based permissions ... 338
Walk-through: Configure a delegated administrator to have role-based permissions ... 343

11. Implementing Discovery ... 352
Define the core terminology specific to discovery operations ... 355
Walk-through: Configure and run a Forcepoint discovery policy and task ... 359

12. Creating Fingerprinting and Machine Learning Classifiers ... 370
Define the terms specific to fingerprinting and machine learning ... 374
Walk-through: Create file fingerprint classifiers ... 380
Walk-through: Create database fingerprint classifiers ... 398
Walk-through: Configure a machine learning classifier ... 415

13. Importing File Tagging Labels ... 427
Explain the functionality of classification labels and how to integrate them into the DLP data labeling framework ... 431
Walk-through: Integrate Boldon James into the DLP data labeling framework ... 432
Walk-through: Integrate Microsoft Information Protection into the DLP data labeling framework ... 458

14. Maintaining System Health ... 477
Examine the DLP system health dashboard for sustained high usage ... 481
Review the operational status of each DLP system module ... 482
Identify and analyze the primary logs used by the DLP security manager ... 487
Explain the functionality of DLP system alerts ... 491
Identify the items included in a DLP backup ... 493
Walk-through: Configure and perform a DLP backup task ... 494

DLP Administrator Course >> 1
► Why is it important to master each of these objectives? Discuss some real-world examples.

► What are each student’s goals for the course?
• What do they perceive currently as being the most critical needs of a DLP administrator?
• How will this module speak to those needs?


► What is DLP?
• Data Loss Prevention refers to any system that identifies, monitors, and protects data in use (actions intercepted by endpoint agents), data in motion (actions intercepted by network devices), and data at rest (files and other static items examined by crawler scans).
• Under a centralized management framework, DLP systems are designed to detect and prevent the unauthorized use and transmission of confidential information through content inspection and contextual analysis of transactions.
• Organizations frequently process information classified as sensitive from either a business or a legal point of view. In addition to the risk of intrusion, in which unauthorized persons gain access to sensitive information, there is the risk of intentional or unintentional transmission of information outside the organization.
• Many large companies now fall under the oversight of government and industry regulations that mandate controls over information, such as GDPR (the EU General Data Protection Regulation), HIPAA (the Health Insurance Portability and Accountability Act), or PCI DSS (the Payment Card Industry Data Security Standard). Some of these regulations stipulate regular information technology audits, which organizations can fail if they lack suitable IT security controls and due-process standards.



► The policy engine is a software component that analyzes data transactions, such as web uploads and email messages. Each analyzed transaction results in either a clean transaction or an incident: a data event that violates one or more DLP rules.
► The policy engine is a “platform independent” component, in that it exists on every platform in the DLP environment. All policy engines are expected to operate identically regardless of the platform they run on.
► The policy engine package is the term used for three bundled components that exist for each policy engine instance:
• The policy engine itself.
• The policy store, in which policies are stored as XML (Extensible Markup Language).
• The fingerprint repository, a local copy that is regularly synchronized with the primary fingerprint repository on the Forcepoint Security Manager.



► Prior to beginning this walk-through, make sure you have accessed the G04Labs environment using the URL and credentials provided by your instructor.



Consider the following question: “Can Forcepoint DLP control data leaks to Box.com?”
Before we can answer this, the question has to be more specific.

1. Controlling Box.com as “data-in-use” means that the Endpoint Agent controls client-side software (such as web browsers), so that offending files cannot be uploaded; in fact, they never even reach the OS networking layer on the laptop where the endpoint client is installed.
2. Controlling Box.com as “data-in-motion” means intercepting the TCP/IP traffic that goes to Box.com. For data-in-motion, this is performed at the network proxy level.
3. Controlling Box.com as “data-at-rest” means the ability to scan files that are already posted on Box.com: connecting via the Box API, downloading them, and checking them against the discovery policies.

Recognizing these three states of data is critical; together they give a high-level picture of all the channels supported by Forcepoint DLP. For example, “Network Email” is data-in-motion, but “Endpoint Discovery” is data-at-rest.



► Forcepoint DLP has considerable flexibility regarding the hardware implementation. System modules containing policy engines apply DLP rules, analyzing real-time transactions or (in the case of discovery) static files. These can exist on the Forcepoint Security Manager machine, on other Windows servers, or on Linux-based proxies such as the WCG (Web Content Gateway), the ESG (Email Security Gateway), or the DLP Protector.
► For this reason it is useful to discuss not just the hardware boxes themselves (or the corresponding virtual guest machines on VMware platforms), but the individual modules. These modules host continuously running (or scheduled) software processes or services that perform DLP-related tasks. Each module has an associated logging and debugging mechanism, and the ability to interact with other DLP system modules.



► The management server provides the core data loss prevention technology: capturing fingerprints, applying policies, and storing incident forensics. A deployment can include multiple Forcepoint DLP servers to share the analysis load, but there is only one management server.
► The management server also stores the configuration settings, the primary policy store, the primary fingerprint repository, and, by default, the forensics repository.



► Supplemental servers can be installed with only standalone components, such as the crawler, rather than a full installation. This helps to conserve resources on the installation machine.
► Full installations of supplemental Forcepoint DLP servers include a secondary fingerprint repository, endpoint server, crawler, policy engine, and OCR server.



► This diagram shows the flow of analyzed transactions between the system modules (WCG, ESG, Protector, etc.) and the FSM (Forcepoint Security Manager). All data transactions are intercepted by the system modules, and policy analysis is done on those same modules (or possibly load-balanced to supplemental DLP servers).
► If an incident is detected, the incident data is submitted to the DLP Manager in real time, contained in incident envelopes.



► This chart shows all the sub-steps that happen once a transaction is submitted to a policy engine.

1. The agent receives the traffic.
2. The agent passes the traffic to the policy engine through a handler referred to as the PEI (Policy Engine Interface).
3. The policy engine analyzes the transaction, going through a set sequence of operations to determine whether the submitted transaction is clean or contains a violation of a DLP rule. The policy engine sends the result of the analysis back to the agent, which then either blocks or allows the transaction.
4. If an incident is created, it is passed to the FSM, contained in an incident envelope.
5. Tomcat, the Apache Tomcat application server on the FSM that hosts most DLP management operations, then inserts the incident properties into the relevant incident database, where they become available for reporting.
6. The forensics for the incident are stored in the forensics repository.



► The Cloud Application Agent is the only module we have not discussed so far; that content is covered later in this course, in the cloud applications and CASB module.
► This chart also does not include the endpoint (data-in-use) channels, which are addressed in the endpoint module.

► WHY THE TRADITIONAL APPROACH IS BROKEN

► The traditional approach to security is threat-centric.
• It was not designed to address these problems effectively.
• The way threat-centric approaches work: activities or events are categorized based on a given policy.
• Policies set at a given point in time are used to determine what is good and what is bad at ALL times.

► Some things are easy to classify as bad; those threats are blocked. They have signatures from which you can quickly determine that this is something you do not want in your network, and you block them.

► There are other activities that you know are good, from known employees who are legitimate. You allow those to happen.

► What is difficult is everything in the middle of the bell curve.
• The activity that is hard to figure out: is it a real problem, a bad activity, or a legitimate activity?
• The reason it is difficult is a lack of context.
• We do not know enough about the event to understand whether it is good or bad. It is like watching a movie and seeing only a single frame: you have no idea what the whole movie is about. You need to see much more of the movie.



► A NEW PARADIGM

► We shift the approach to a behavior-centric methodology.
• This is human-centric cybersecurity.
• We use it to provide the context needed to make optimum security decisions.
• You can observe individuals interacting with the system.
• You figure out what is risky behavior and what is legitimate behavior, and give a risk-adaptive score.
• You are able to continually revisit your decisions.

► This allows our customers to give context to each of the events in that middle area and address them effectively.
► Here, we are watching a movie, not just looking at a single frame. Much better resolution allows us to determine what is really good and what is really bad.



► In this constantly shifting world of information, the Human Point System focuses on the constants: PEOPLE and DATA.
► Their interaction is the most critical point to understand before we can stop the bad and free the good.



► Human-centric cyber security requires:
• Highly developed traditional security technologies
• Mature, tuned analytic models that process human behavior and data flow in near real time
• A tight integration of products to automatically apply an adaptive security posture based on the actual observed risks to your security



► HUMAN POINT DESIGN TENETS

► We made sure that each product element has best-in-class capabilities and allows you to start anywhere.
• Start with any of our elements.
• You do not have to buy them in any particular order, or buy all of them.
• The more you buy, the better it gets.
• The system integrates with unified management and policies.
► The key design tenet was to make sure that the Human Point System works with your existing environment.
► We know from talking to many CISOs that they have made many investments in their security infrastructures, and nobody wants to do a rip and replace. So we made sure that we could integrate with the security environments and infrastructure that our customers already have in place.
► With one product installed, customers will begin to understand our capabilities:
• NGFW is the best on the market in terms of security effectiveness, according to the latest NSS Labs report.
• Web and Email Gateways are among the most efficient products on the market, with embedded DLP engines for complete two-way protection with faster performance.
• CASB adds absolutely necessary awareness and control of cloud applications.
• DLP prevents malicious and accidental leakage of critical data and IP.
• Insider Threat reports contextual information, which ensures analysts have the information they need to act with confidence on security events.
• UEBA is the brain of this system, and it provides advanced insights into behavioral patterns without the need for an experienced data scientist.



► By sharing Forcepoint’s vision, we can help customers add products from the Forcepoint portfolio when they get the opportunity. We are now on the Human Point journey …



► WE ARE LEADING IN THE JOURNEY TO RISK-ADAPTIVE SECURITY

► Gartner believes risk-adaptive is the ultimate in achieving the most effective security, and we have designed the Human Point System to give you risk-adaptive security.

► Forcepoint is going all-in on risk-adaptive security by:
• Retaining the best-in-class capabilities of our current, purpose-built product suite
• Creating significant value-add for customers that need to go beyond point products to add the Human Point dimension to their protection
• Enabling our knowledgeable sales and services workforce to help customers understand and implement the correct products to upgrade their current security solutions into state-of-the-art risk-adaptive protection

► Forcepoint’s DLP offerings are available in two versions: DLP for Compliance and DLP for Intellectual Property (IP) Protection.
► Forcepoint DLP for Compliance provides critical capabilities for addressing compliance, with features such as:
• Optical Character Recognition (OCR) identifies data embedded in images, whether at rest or in motion.
• Robust identification of Personally Identifiable Information (PII) offers data validation checks, real name detection, proximity analysis and context identifiers.
• Custom encryption identification exposes data hidden from discovery and from the applicable controls.
• Cumulative analysis for drip DLP detection (i.e., data that leaks out slowly over time).
• Integration with Microsoft Information Protection analyzes encrypted files and applies the appropriate DLP controls to the data.
► Forcepoint DLP for IP Protection includes the capabilities above, and adds the most advanced detection and control of potential data loss with features such as:
• Machine learning allows users to train the system to identify relevant, never-before-seen data. Users provide the engine with positive and negative examples so that it flags similar business documents, source code and more.
• Fingerprinting of structured and unstructured data allows data owners to define data types and identify full and partial matches across business documents, design plans and databases, and then apply the control or policy that matches the data.
• Analytics identify changes in user behavior as it relates to data interaction, such as increased use of personal email.

► Customer / Company name: The name of the purchaser of this license.
► Contact name: The name of the assigned contact who is authorized to manage this license.
► Expiration date: The date this license will expire.
► Issue date: The date this license was issued.
► Product ID: The name of the product this license is for. Note that in this lab, the product name is for a legacy license, which is no longer sold but is equivalent to the current DLP for IP Protection license.
► Usage limit: How many total seats (end users) the license was purchased for.

► Remember, you must deploy after every license change! If you are replacing an expired license, DLP analysis will not resume until a new, valid license has been deployed.

► Forcepoint DLP policies use content classifiers to describe the data that is being protected. Content can be classified according to file properties, key phrases, scripts, regular expression (regex) patterns, and dictionaries. Forcepoint DLP can also fingerprint data, or administrators can provide examples of the type of data to protect so the system can learn from them and make decisions via machine learning.

When looking at the classifier pyramid, the bottom level should be thought of as the least complex, with the complexity of classifiers increasing as you move towards the top.
Even so, avoid thinking of the simple classifiers at the bottom as “less precise”, or of the classifiers at the top as “more precise.”
The best practice when working with DLP classifiers is to combine multiple classifier types. For example, while a keyword classifier by itself may produce false positives (the word “secret”, for instance, appears in many documents that do not actually contain sensitive data), a keyword classifier used in conjunction with a regular expression or one of the predefined script classifiers can result in much greater accuracy and precision in analysis and detection.
► Key Phrases: Classify data by the presence of a keyword or phrase, such as “confidential.”
► Dictionaries: Classify data using terms that belong to a certain knowledge domain, such as medical or financial terms.
► Regular Expression Patterns: Classify data by regular expression patterns. They are used to identify alphanumeric strings of a certain format, such as `123-45-6789`.
► File Properties: Classify data by file name, type or size. File name identifies files by their extension; file type identifies files by their metadata rather than by their extension.
► File classification labels: Leverage third-party file classification software. These are discussed in a later module.
► Scripts: Also known as “predefined classifiers”, these let you classify data by context. They are used to identify numeric data such as credit card numbers, or intellectual property such as software design documents and source code.
► Machine Learning: Creation of context-sensitive script classifiers by registering positive and negative sets of sample data.



► PreciseID File System Fingerprinting (Unstructured): Fingerprints files or directories, including SharePoint directories.
► PreciseID Database Fingerprinting (Structured): Fingerprints database records directly from your database or from CSV files.
► You need to understand the whole “classifier pyramid” to pick the most appropriate classifiers. Even standard tasks like blocking credit card number (CCN) leaks can have very different solutions depending on what you want to do:
• It is possible to block all 16-digit sequences by writing a simple regular expression such as `[0-9]{16}` or `[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}`. This is the broadest match and also the noisiest: any 16-digit order or tracking number will trigger it.
• It is possible to block only numbers that satisfy the Luhn algorithm by using the “Credit Cards (Wide)” script classifier.
• It is possible to block card numbers that appear to be issued by Visa or MasterCard (or that fit some other known pattern) by using the issuer-specific script classifiers.
• It is possible to block CCN-like numbers only if they appear next to human language usually associated with credit cards, by using the “Credit Cards (Narrow)” script.
• It is possible to block only CCNs that exist in your own databases, by using a database fingerprinting classifier.
► Note that PreciseID File and Database Fingerprinting are indeed the most accurate way to identify confidential or sensitive data, but they are extremely resource-intensive and should be used sparingly.



4 Forcepoint DLP enables you to block the distribution of information by defining a key phrase classifier. No
other data identification method, such as fingerprinting, is required. Keyword or key phrase classifiers
are most appropriate when dealing with code names of internal projects or unreleased product names.
4 When creating a key phrase classifier, the ‘Name’ and ‘Phrase to search’ do not need to be identical.
4 Keyword and phrase matching is not case-sensitive. When matches are counted, however, two matches
with exactly the same capitalization count as duplicates (one instance), while matches with different
capitalization count as separate instances. (For example, “FactoryTestKeyWord” and
“factorytestkeyword” count as two non-identical instances of the keyword “FactoryTestKeyWord”.)
4 Keywords or phrases such as “top secret” or “confidential” sometimes indicate that classified
information is being distributed. Under most circumstances, however, configuring these phrases without
any additional classifier, such as a file type or regular expression, leads to a huge number of false positives.
Note that a key phrase cannot contain a slash, tab, hyphen, underscore, or carriage return; if you need to
match such characters, create a regular expression classifier instead.



4 A dictionary classifier is a container for words and expressions. Many predefined dictionaries are built
into Forcepoint DLP, including lists for medical conditions, financial terms, legal terms, credit card terms,
geographical locations, and more.
4 In DLP, you might create or customize a dictionary with a set of terms that reflect your line of business
and then use the dictionary in your policies, either as a classifier or an exception.
4 For example, you could combine a regular expression classifier which identifies all 13-digit numeric
strings, with a dictionary list of credit card terminology. Combining classifiers in this way will more
accurately target the desired content and reduce false-positives.
4 Each phrase in a dictionary can carry a weight. Combined with the rule’s threshold, the weight defines
how many instances of a phrase can be present, in relation to other phrases, before the rule triggers: the
rule fires when the sum of (weight × number of matches) over all matched phrases reaches the threshold.
For example, if the threshold is 100 and a phrase’s weight is 10, an email message, Web post, or other
transaction can contain 9 instances of that phrase without triggering the rule (the tenth instance does),
provided no other phrases are matched. If phrase A has a weight of 10 and phrase B has a weight of 5,
5 instances of phrase A and 10 instances of phrase B will trigger the rule.
4 Matches of excluded terms are not counted: because they are not considered breaches, their weight is
left out of the summation.
4 By default, if no weight is assigned, each phrase is given a weight of 1.
4 Note that it is possible to import dictionary lists from .csv files in UTF-8 encoding, rather than
entering each term one at a time.
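The weight and threshold arithmetic above, as an added example written for this guide (it is not Forcepoint code and does not reproduce the product’s matching engine). The dictionary, the excluded phrase and the sample transactions are constructed for the example; the threshold semantics follow the text: a weight of `None` means 1, and an excluded phrase is blanked out before counting so that a term appearing only inside it contributes nothing.

```python
import re

# Constructed dictionary of credit-card terminology: phrase -> weight (None = default weight 1).
CARD_TERMS = {
    "account number": 10,
    "card number": 10,
    "expiration date": 5,
    "cvv": 5,
    "cardholder": None,
}

# Constructed exclusion: matches of this phrase must not count towards the threshold.
EXCLUDED = ("test account number",)


def _phrase_re(phrase):
    """Whole-word, case-insensitive pattern for one dictionary phrase."""
    return re.compile(r"\b" + re.escape(phrase) + r"\b", re.IGNORECASE)


def dictionary_score(text, dictionary=CARD_TERMS, excluded=EXCLUDED):
    """Return (total weight, {phrase: count}) for one transaction.

    Excluded phrases are removed first, so a dictionary term that only occurs inside an
    excluded phrase is not accounted for in the summation of weight.
    """
    for phrase in excluded:
        text = _phrase_re(phrase).sub(" ", text)
    counts = {}
    total = 0
    for phrase, weight in dictionary.items():
        n = len(_phrase_re(phrase).findall(text))
        if n:
            counts[phrase] = n
            total += n * (1 if weight is None else weight)
    return total, counts


def triggers(text, threshold=100, **kwargs):
    """The rule fires once the summed weight reaches the threshold."""
    total, _ = dictionary_score(text, **kwargs)
    return total >= threshold
```

With the threshold at 100, nine occurrences of “account number” score 90 and do not trigger, the tenth does, and five of “account number” plus ten of “cvv” (50 + 50) trigger as well; ten occurrences of the excluded phrase “test account number” score zero.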



4 Regular expressions (sometimes referred to as “pattern matching”) are a powerful tool to describe
many useful sets of words, identifiers and phrases. They are the favorite tool to detect things like ZIP
codes, case-sensitive key phrases with many variations, or files that use standardized naming
conventions.
4 The last name of the German composer Haendel has been around for many centuries, with many
different accepted spellings. Contemporary foreign names tend to have even more spellings – think of
people like Osama bin Laden (his name is frequently spelled “Usama bin Laden” or “bin Ladin”, even
in English texts, and with many more variants in other Western languages). If we do not want to maintain
a large set of keywords (or create a “dictionary” just for the different spellings), a regular expression
may be the better choice.
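The spelling-variant patterns just described, plus the separator case from the key phrase notes above (a key phrase cannot contain a hyphen, underscore or tab, so a marking such as “TOP-SECRET” needs a regular expression), as an added example written for this guide. The patterns and the sample text are constructed here; they are not Forcepoint’s predefined classifiers.

```python
import re

# Illustrative patterns. Word boundaries keep "Handel" from matching inside "Handelsblatt".
PATTERNS = {
    # Haendel / Handel / Händel / Hændel
    "composer": re.compile(r"\bH(?:ae|ä|æ|a)ndel\b", re.IGNORECASE),
    # Osama|Usama + bin|ben + Laden|Ladin, any whitespace (including tabs) between the parts
    "person": re.compile(r"\b[OU]sama\s+b[ie]n\s+Lad[ei]n\b", re.IGNORECASE),
    # "top secret" joined by a hyphen, underscore, space or tab: not expressible as a key phrase
    "marking": re.compile(r"\bTOP[-_ \t]SECRET\b", re.IGNORECASE),
}


def find_variants(text, patterns=PATTERNS):
    """Return {label: [matched spellings...]} for every pattern with at least one hit."""
    hits = {}
    for label, pattern in patterns.items():
        found = pattern.findall(text)
        if found:
            hits[label] = found
    return hits


# Constructed sample text with several spellings of each name and a few near-misses.
SAMPLE = (
    "Georg Friedrich Händel, often written Haendel or Handel, was a composer.\n"
    "Reports name Usama bin Ladin; other sources write Osama bin Laden or Osama ben Laden.\n"
    "File marked TOP-SECRET, another top_secret, a third top\tsecret.\n"
    "Not a match: Handelsblatt, topsecret, Chandelier."
)
```

Running `find_variants(SAMPLE)` returns three spellings for each label and nothing for the near-misses; a dictionary would need one entry per spelling to achieve the same coverage.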



4 File classifiers by type are not affected by file extensions or file renaming. Instead, they analyze the
actual binary contents of each file (the signature bytes and internal structure of the format).
4 One of the file type collections is "Encrypted Files of Known Formats" – it contains various password-
protected office formats and archives. This collection is important from several points of view:
• It may indicate malware activity – e.g., exfiltrating encrypted archives. Therefore this classifier can
be used in the "Data Theft" quick policies.
• Encrypted files cannot be opened, so their content cannot be extracted and analyzed. To avoid a
security hole, all transactions containing encrypted files that DLP cannot inspect can be blocked by a
DLP rule. (This does not mean that sending out encrypted files becomes impossible. For example, file
and email message encryption can still happen in an email gateway; but it is important that this
happens after DLP analysis in the flow of traffic.)
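Content-based typing of the kind described above, as an added example written for this guide (not Forcepoint code, and not the product’s file type engine). It walks the local file headers of a ZIP archive held in memory, identifies the format by its signature bytes rather than its name, and flags an entry as encrypted when general-purpose flag bit 0 is set. The sample archive is constructed with the standard library; because `zipfile` cannot write password-protected archives, the “encrypted” variant only sets the flag bit to mimic one, which is enough to exercise the check.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header: signature, version, flags, method, time, date, crc32, csize, usize, name len, extra len
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes


def zip_entries(data):
    """Walk the local file headers of an in-memory ZIP and return [(name, encrypted), ...].

    Encryption is signalled by general-purpose flag bit 0; the file name is never consulted,
    so renaming "customers.zip" to "customers.txt" changes nothing.
    """
    entries = []
    pos = 0
    while data.startswith(LOCAL_SIG, pos):
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, pos)
        name = data[pos + LOCAL_LEN:pos + LOCAL_LEN + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x0001)))
        pos += LOCAL_LEN + nlen + xlen + csize
        if flags & 0x0008:  # sizes live in a trailing data descriptor: resync on the next header
            pos = data.find(LOCAL_SIG, pos)
            if pos < 0:
                break
    return entries


def classify_container(data):
    """Classify by content only: 'zip-encrypted', 'zip' or 'unknown'."""
    if not data.startswith(LOCAL_SIG):
        return "unknown"
    return "zip-encrypted" if any(enc for _, enc in zip_entries(data)) else "zip"


def make_sample_zip(encrypted=False):
    """Constructed test input: a one-file archive. With encrypted=True the header's flag bit 0
    is set to mimic a password-protected entry (the payload itself stays unencrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers.csv", "id,name\n1,alice\n2,bob\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        struct.pack_into("<H", data, 6, struct.unpack_from("<H", data, 6)[0] | 0x0001)
    return bytes(data)
```

Office Open XML documents (.docx, .xlsx) are themselves ZIP containers and would classify as `zip` here; their password-protected variants are OLE compound files with a different signature, which is why the product ships a whole collection of encrypted formats rather than one check.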



4 An example of Base64 transformation:
• If you send a file attachment with a size of 300KB (and the email message itself is short), the
attachment is Base64-encoded, which expands it by roughly a third – so the total email message size
becomes about 400KB. Such an attachment could match file size classifiers in two different ways:
• If the file size classifier is a range of [290KB <-> 310KB], the message triggers the rule because of
the 300KB decoded attachment.
• If the file size classifier is a range of [390KB <-> 410KB], the message triggers the rule because of
the 400KB size of the whole message.



4 Script classifiers are based on custom code, most commonly either Python or C++. Scripts are developed
by the Forcepoint DLP development team and are proprietary.
4 It is not possible to create custom script classifiers; however, many have configurable parameters.
4 Think of script classifier sensitivity as a net: a wider net will catch more fish, while a narrower net will
catch fewer. For a credit card classifier:
• Wide sensitivity means any number that passes a Luhn check (a standard checksum over the digits,
with the last digit acting as the check digit) will be considered a match.
• Default sensitivity requires some additional context with the number, such as “CCN”, “CVV”, or
“Cardholder.”
• Narrow sensitivity requires even more context.
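The classifier pyramid from the credit card discussion earlier and the sensitivity “net” described here, as one added example written for this guide (not Forcepoint code; the product’s scripts are proprietary and are not reproduced). The regular-expression level uses the two patterns quoted earlier, the Luhn check and issuer prefixes are the standard public ones, and the context vocabulary plus the rule that “narrow” needs two distinct context words on the same line are assumptions made for the example. The sample transaction is constructed from well-known test card numbers.

```python
import re

# Level 1: the regular expressions quoted earlier (a space is accepted as well as a hyphen).
REGEX16 = re.compile(r"\b\d{16}\b|\b\d{4}[- ]\d{4}[- ]\d{4}[- ]\d{4}\b")
# Candidate finder for the script-style levels: 13 to 19 digits with optional separators.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed context vocabulary (not the product's list) for the "default" and "narrow" levels.
CONTEXT = re.compile(r"\b(cardholder|card|ccn|credit|cvv|expiry|visa|mastercard)\b", re.IGNORECASE)

# Constructed sample transaction. Only the second, third and fifth numbers are Luhn-valid
# (public test card numbers); the order and tracking numbers are 16-digit noise.
SAMPLE = """Order 4000123498765432 shipped today.
Please bill the cardholder; CCN: 4111 1111 1111 1111, expiry 12/27.
Card on file: 5555-5555-5555-4444.
Tracking 1234567890123456 (carrier ref).
Ref 378282246310005 for the Amex test account."""


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9, sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer(digits):
    """Issuer by public prefix/length rules: Visa 4; MasterCard 51-55 or 2221-2720; Amex 34/37."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "MasterCard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "Amex"
    return None


def regex16_matches(text):
    """Level 1 only: every 16-digit string, valid card or not, and nothing of other lengths."""
    return REGEX16.findall(text)


def classify(text, sensitivity="default"):
    """Emulate the three sensitivities: wide = Luhn only; default = Luhn plus one context word on
    the same line; narrow = Luhn plus two different context words (assumed model of 'more context')."""
    needed = {"wide": 0, "default": 1, "narrow": 2}[sensitivity]
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        terms = {t.lower() for t in CONTEXT.findall(line)}
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits) and len(terms) >= needed:
                hits.append({"line": lineno, "digits": digits, "issuer": issuer(digits)})
    return hits
```

On the sample, the regex level reports four hits (two of them noise) and misses the 15-digit Amex number; “wide” reports the three Luhn-valid numbers; “default” drops the Amex number because nothing card-related surrounds it; “narrow” keeps only the line that mentions both the cardholder and the CCN.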



4 Users in Active Directory are imported directly into the FSM so that user attributes and other directory
information are readily available during analysis and for incident reporting. This eliminates the need to
query the corporate user directory continually, which could adversely affect its performance. By default,
imports are scheduled daily at 11:00 PM, but the time can be modified.
4 Selecting the User Directory Entries icon on the main resources page displays a list of users, groups, and
computers that you have imported from a user directory such as Microsoft Active Directory, Active
Directory Application Mode (ADAM), or Lotus Domino. .csv files are also supported. After import, these
users, groups, and computers are identifiable sources or destinations of sensitive information in your
organization.
4 There are likely too many users and groups to display on one screen. Use the Search for field to filter the
display to just users and groups that meet certain criteria. You can enter free text or an asterisk (*) into
this field. (The asterisk is a wild card operator meaning to search all.)
4 Note that Forcepoint DLP requires that users have a valid email address in Active Directory in order to
be imported. Once the user is configured with a valid email, DLP can import any user attribute that
exists in Active Directory.



4 DLP supports the creation of custom user directory groups, defined by an LDAP query string. This allows
filtering of incidents and reports by LDAP attributes, and also allows policy rules to be applied by LDAP
attributes.
4 An LDAP query is a command that asks a directory service for some information. For instance, to select
a particular user only if that user is a member of a specific group, you would submit a query (an LDAP
search filter) that looks like this:
(&(objectClass=user)(sAMAccountName=yourUserName)(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
4 Note that this filter returns the user only when the group membership holds; it does not list the groups a
user belongs to.



4 Forcepoint DLP allows you to add or manage custom users—that is, users not part of the imported user
directory service. As with imported users, in order to be created in Forcepoint DLP, a user must have
both a user name and an email address. All other information fields are optional.



4 Custom Computers allow administrators to set up a list of local computers that are possible sources or
destinations of information in your organization, aside from the computers in the user directory.
Computers can be identified by either hostname or IP address; a hostname must be specified as an FQDN
(Fully Qualified Domain Name).



4 The domain resource allows administrators to define the domains that are sources or destinations of
information in your organization, typically for HTTP or FTP transactions.
4 You can enter a concrete domain name that is the name of a specific computer—like
www.example.com.
4 You can also use wildcards that indicate a group of computers—for example, *.example.com,
w*.example.com, www-?.example.com.



4 Use business units to set up a logical grouping of user directory entries (users, computers, networks,
etc.) that may be a source or destination of information in your organization.
4 A business unit is larger than a group but smaller than the company. A business unit could comprise all
the Marketing teams in your organization, regardless of their location.
4 When you create a business unit, you add users and computers to it. You can then assign it to a policy so
that only these users and computers are permitted to send data of a particular type outside the
company.
4 If a business unit includes computers and users but a policy applies only to users, DLP applies the policy
only to users in the business unit.



4 Endpoint devices allow administrators to configure specific removable media devices to be permitted or
blocked, or even use the Forcepoint DLP endpoint to encrypt file transfers.
4 Removable media will most commonly be flash drives or external USB drives, which can be specified by
device name or serial number.
4 If you do not define any endpoint devices, all devices will be covered when you select the removable
media channel as a destination in your DLP rules.
4 A common use case is to specify a list of serial numbers for approved flash drives. This allows you to
encrypt file transfers to these drives, while blocking file transfers to any other removable media device.



4 Forcepoint provides a long list of built-in applications, such as Microsoft Word, that you can choose to
monitor on the endpoint when you set up your endpoint policy. These include common desktop, Web,
and SaaS (software as a service) applications. If there are endpoint applications you want to define
that are not on the list, use this screen to define them.
4 Specifying an application as a Trusted Application indicates that DLP does not need to enforce rules on
transactions originating in that application. Trusted applications are also permitted to write any type of
information to removable media, so grant this status sparingly.
4 It is possible to configure the action to take for screen capture operations performed using this
application. You can permit, permit and audit, or block and audit screen captures. Note that the built-in
applications are identified by their application metadata, which is far harder for a user to tamper with
than a file name.
4 When you add your own applications, however, they are identified by their executable name.
Occasionally, users try to get around being monitored by changing the executable name. For example, if
you are monitoring “winword.exe” on users’ endpoint devices, they may rename the executable to
“win-word.exe” to avoid being monitored. Prefer the built-in definition wherever one exists.



4 All endpoint applications must be part of an application group.
4 Because the DLP endpoint monitors transactions at the kernel level, content can be analyzed as
applications access and manipulate data. Endpoint application operations that can be monitored are:
Cut/Copy, Paste, or File Access.
4 Great care must be taken when enabling file access monitoring on an application. If an application
creates an excessively large amount of file activity, monitoring its file access can negatively impact the
performance of the entire host machine.
• Examples of this include Outlook, especially if configured to use a remote .pst file with active
caching, or the command prompt, which is not just a command line, but also frequently performs
many background file operations.



4 If you are using Forcepoint Web Security, it is possible through the linking service to import URL
categories from the web database and use them as a source or destination in DLP rules.
4 For example, you may define a rule that credit card numbers cannot be posted to known fraud sites.
(Please note that Data Security does not monitor URL categories on endpoint Web channels.)
4 URL categories are imported from the Web Security category database. You can view them, but you
cannot change them.
4 Periodically click Update Now to reconnect with the database and update your category list.
4 Note that Forcepoint DLP supports both predefined and custom categories. In your policy, you define
whether these categories are authorized or unauthorized destinations of sensitive information.
4 If you are using Web Security, more than one category can be identified for a single URL: one for the
static URL category—such as blogs— and one for the dynamic content, such as gambling if the blog is
about gambling. Web Security looks up static URL categories and the gateway module analyzes dynamic
content. Both categories are reflected in your incident reports.
4 To take advantage of the Web Security URL categories, you must configure and enable the Websense
Linking Service.



4 The above case study information was collected from a large financial DLP customer with over 20,000 users.
It shows how important educating your users can be! Most leaks are not the result of bad actors – more
commonly they are simple mistakes, and once a user is aware that a behavior is problematic, they will stop.
4 Step 1: Setting Up User Notifications
• This customer’s evaluation began in January. For several months, they only monitored policy violations
over the SMTP channel, indicated by the Passive Monitoring phase in the chart.
• Each violation potentially contained hundreds and sometimes thousands of customer records.
• In May, DLP was configured to issue notifications to any employee that triggered an incident. Users
were notified immediately that their current action violated company policy.
• The result was an immediate 50% decline in the total number of incidents for the month of May.
4 Step 2: Protecting Data with Encryption
• In June, they began automatically encrypting emails, while still sending notifications.
• When an email went out with confidential information, the email was encrypted and a notification was
sent to the sender.
• The results in June were remarkable, but not atypical: the number of incidents dropped to the lowest
levels yet.
• Aside from securing data, the organization now had new visibility into seasonal trends in their
communications.
• For example, the incident increase from August to October was traced back to higher than usual
volumes of traffic from applications and communications.



4 For network email, if a released email had attachments dropped, they will be reattached and encrypted
if the encrypt on release option is selected.
4 Mobile email requires the use of a protector deployed in mobile agent mode.
4 Chat and Plain Text will only be able to be monitored using a protector on a span port, and will only be
able to be monitored – meaning the only action available for those two channels is permit.






4 Note that both the Include links so that recipients can perform operations on the incident and Allow
recipients to release quarantined email by replying to the notification options will require additional
configuration using Exchange to enable the capability. These configuration requirements will be
discussed in detail in the DLP System Engineer course.
4 Refer to
http://www.websense.com/content/support/library/data/v87/force_mailbox/forcereleaseMB.pdf for
more documentation on the Force Release feature.



Note that %Event Time% and %Incident Time% are different: Event time is when the original transaction
occurred, and incident time is when analysis of the transaction was complete and determined to be an
incident.



4 Policy configuration should not start directly with configuration in the FSM: some advance planning is
usually required.
4 Policies and their rules have to satisfy two very different kinds of requirements:
• Identifying the data that is relevant and important to protect
• Making rules specific enough to reduce false positives during analysis
4 Many beginning users want to log every transaction as an incident. This is a bad idea; Forcepoint
consultants and partners should always work to help set the right expectations.
4 Usually, it is only worth creating incidents if they can be processed relatively quickly (while the
quarantined emails are still relevant). Even monitoring-only policies only make sense if their results are
analyzed by humans.
4 Creating thousands of incidents every day is only justified in large and complex organizations with
dedicated DLP staff.



4 Policies in Forcepoint DLP are simply a collection of rules. A rule consists of a condition (describing what
data matches this rule), and resources (action plans, sources and destinations this rule applies to).
4 The Condition tab of a rule shows one or more classifiers and related thresholds – this tab specifies data
classification, or which data is considered interesting/confidential.
4 Severity and Action specifies the severity level and the actions for each channel. For example, Network
Email might be quarantined, Endpoint Email blocked, and Endpoint Removable Media files encrypted.
4 Furthermore, you can specify "Source" and "Destination" – These are where we can specify which
source users and which destinations this rule will apply to.



4 Were the file uploads blocked? If not, how could we change our policy to block them?
4 How can we view the results of these tests?



4 Were the file uploads blocked? If not, how could we change our policy to block them?
4 How can we view the results of these tests?



4 Were the file uploads blocked? If not, how could we change our policy to block them?
4 How can we view the results of these tests?



4 Why was the transaction allowed after we included a second phrase from our dictionary classifier?



4 Please note that matches are counted independently for every user, for each rule, in each policy engine.
4 If the traffic of the same user is routed through various Content Gateways or Email appliances, it is
possible for them to have multiple counters running at once – the counter in each policy engine is
independent. This makes it important, when using cumulative rules, to have one user’s traffic routed
consistently to the same proxy.
4 It is also important to be aware that all counters on all policy engines drop to 0 whenever somebody
deploys a policy change. If it is likely that multiple deployments will be taking place for a period,
consider disabling your cumulative rules, or at least lowering their time frame drastically. This
reduces the chance that counters will be reset, causing you to miss important incidents.
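The two counter pitfalls above, as an added example written for this guide (a simulation, not Forcepoint code): each policy engine keeps its own per-user, per-rule counter, a deployment clears the counters, and the traffic is constructed so that one user’s twelve card numbers never reach a threshold of ten when two engines share the load. The time frame that a real cumulative rule also applies is deliberately left out.

```python
from collections import defaultdict


class PolicyEngine:
    """Cumulative counters of one policy engine, keyed by (user, rule).

    Nothing is shared with any other engine, which is exactly the problem described above.
    """

    def __init__(self, name):
        self.name = name
        self.counters = defaultdict(int)

    def record(self, user, rule, matches, threshold):
        """Add this transaction's matches; True when this engine alone reaches the threshold."""
        key = (user, rule)
        self.counters[key] += matches
        return self.counters[key] >= threshold

    def deploy(self):
        """A policy deployment resets every counter on the engine to 0."""
        self.counters.clear()


def simulate(engines, transactions, rule="CCN cumulative", threshold=10):
    """Route transactions round-robin across engines, as load-balanced proxies would.

    Returns the index of the first transaction that triggers the rule, or None.
    """
    for i, (user, matches) in enumerate(transactions):
        engine = engines[i % len(engines)]
        if engine.record(user, rule, matches, threshold):
            return i
    return None


# Constructed traffic: one user sends four messages with three card numbers each (12 in total).
TRAFFIC = [("jdoe", 3), ("jdoe", 3), ("jdoe", 3), ("jdoe", 3)]
```

Through a single engine the fourth message (12 matches) triggers; split across two engines each one only ever sees 6 and the rule never fires. A `deploy()` in the middle of the sequence has the same silencing effect on a single engine.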



4 With an exception, it is possible to change the condition, source, destination, severity, or action plan for
a rule, for a specific scenario. However, exceptions cannot be cumulative.
1. When there is a transaction, rules are evaluated.
2. If a rule is matched, its exception is evaluated, if any.
3. If the exception is matched, the exception action is taken. In other words, exceptions are evaluated
only when their rules are matched.
4 For example:
• The rule “Pizza” indicates that email messages from John Doe that have the word “pizza” in them
should be encrypted.
• An exception to “Pizza” indicates that messages that include 5 instances of “pepperoni” should be
quarantined.
• As a result, messages from John Doe with both “pizza” and 5 instances of “pepperoni” are
quarantined.



4 Batch Operations lets you update or delete multiple items at once. For example, select Update All Rules
of Current Policy to change fields for all the rules of a selected policy at once, or for currently selected
rules. This overrides the settings in the policy and reduces time and effort involved.
4 Select Update All Exceptions of Current Rule to change specific exceptions or all exceptions in a selected
rule.
4 Select Update Rules to make changes to selected rules or all rules across all policies, and select Update
Exceptions to change selected exceptions or all exceptions across all rules.
4 Select Delete Policies to delete a batch of policies at once: a screen appears so you can choose which
policies to delete.



4 Here is an example of a two-level policy structure. If a match is found for a policy in the ‘High Priority
Policies’ level, then the policies within the lower ‘Default Priority Level’ are not evaluated.
4 There are several possible advantages of such a policy configuration:
• Marginal improvement in performance. Skipping some lower-priority policies helps the policy engine
(PE) a little, but since high-priority rules are rarely breached the saving is small.
• Cleaner reporting. If a data transaction is known to break some important rule, we sometimes do not
want to bury this fact among many other breaches of less important rules.
• Avoiding timeouts. This may be the most important: evaluating all DLP policy rules (if they are not
ordered by priority in any way) may lead to timeouts. In that case the transaction could be allowed
and not reported as an incident even though it breaches a high-priority rule.
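The evaluation order described in the exception notes and in this policy-level example, as an added example written for this guide (a model of the order, not Forcepoint code): rules are evaluated, an exception is only looked at when its rule matched and replaces the rule’s action when it matches too, and once a level produces a hit the lower level is skipped. The “Pizza” rule is the guide’s own example; the sender address and the second, lower-level rule are constructed here.

```python
import re


def count_phrase(text, phrase):
    """Case-insensitive count of whole-word occurrences of a phrase."""
    return len(re.findall(r"\b" + re.escape(phrase) + r"\b", text, re.IGNORECASE))


def evaluate_rules(msg, rules):
    """Evaluate every rule of one policy level.

    An exception is only examined when its rule matched; if the exception matches as well,
    its action replaces the rule's action. Exceptions of unmatched rules are never evaluated.
    """
    hits = []
    for rule in rules:
        if not rule["condition"](msg):
            continue
        exc = rule.get("exception")
        if exc and exc["condition"](msg):
            hits.append((rule["name"], exc["action"]))
        else:
            hits.append((rule["name"], rule["action"]))
    return hits


def evaluate_levels(msg, levels):
    """Policy levels in priority order: stop at the first level that produced any hit."""
    for level_name, rules in levels:
        hits = evaluate_rules(msg, rules)
        if hits:
            return level_name, hits
    return None, []


# Constructed policies. "Pizza" is the guide's example rule with its exception.
PIZZA = {
    "name": "Pizza",
    "condition": lambda m: m["from"] == "john.doe@example.com" and count_phrase(m["body"], "pizza") > 0,
    "action": "encrypt",
    "exception": {
        "condition": lambda m: count_phrase(m["body"], "pepperoni") >= 5,
        "action": "quarantine",
    },
}
CONFIDENTIAL = {
    "name": "Confidential marking",
    "condition": lambda m: count_phrase(m["body"], "confidential") > 0,
    "action": "audit",
}
LEVELS = [("High Priority Policies", [PIZZA]), ("Default Priority Level", [CONFIDENTIAL])]


def decide(msg):
    """Return (level that fired, [(rule, action), ...]) for one message."""
    return evaluate_levels(msg, LEVELS)
```

A message from John Doe with “pizza” and five “pepperoni” is quarantined rather than encrypted, and because the high-priority level fired, the word “confidential” in the same message never reaches the lower level; the same five “pepperoni” from another sender trigger nothing, since the exception is never consulted when its rule does not match.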



4 How can we test our new policy level structure? Discuss as a class, and test your theories.



4 The OCR server enables the system to analyze image files being sent through network channels, such as
email attachments and web posts.



4 The OCR server determines whether the images are textual, and if so, extracts and analyzes the text for
sensitive content. There is no special policy attribute to configure for optical character recognition
(OCR). If sensitive text is found, the image is blocked or permitted according to the active policies.
4 The server can also be used to locate sensitive text in images during network discovery.
4 This feature does not support either handwriting or images containing text that is skewed more than 10
degrees.
4 To use OCR, install a supplemental Forcepoint DLP server; the OCR server is automatically included in
supplemental Forcepoint DLP server installations.



4 OCR supports a large list of languages natively, with no need for a language pack.
4 English is enabled by default, while other languages must be activated – however, note that the more
languages that are enabled, the longer analysis will take. Be cautious not to cause timeouts.



4 The OCR server can analyze images that meet the following criteria:
• 32,000 x 32,000 pixels or less
• 300 DPI resolution for images with large text (10 point font and larger)
• 400-600 DPI for images with small text (9 point font or smaller)
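A pre-check against the image criteria listed above, as an added example written for this guide (not Forcepoint code, and not how the OCR server itself selects images). It reads a PNG’s dimensions from the IHDR chunk and its resolution from the pHYs chunk with the standard library only, rejects images over 32,000 pixels on a side and warns when the resolution is below the 300 DPI (normal text) or 400 DPI (small text) figures. The test images are constructed in memory; skew and handwriting, which the text also rules out, cannot be judged from metadata and are not checked.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_SIDE = 32000


def _chunk(ctype, body):
    """One PNG chunk: length, type, body, CRC over type and body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png(width, height, dpi=None):
    """Constructed test input: a flat 8-bit greyscale PNG with optional pHYs (resolution) metadata."""
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte 0 per row
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0))]
    if dpi is not None:
        ppm = round(dpi / 0.0254)  # pixels per metre
        chunks.append(_chunk(b"pHYs", struct.pack(">IIB", ppm, ppm, 1)))
    chunks += [_chunk(b"IDAT", zlib.compress(raw)), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)


def png_info(data):
    """Return (width, height, dpi or None) by walking the chunk list; no image library needed."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    width = height = dpi = None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif ctype == b"pHYs":
            x_ppm, _, unit = struct.unpack(">IIB", body)
            if unit == 1:  # 1 = pixels per metre; 0 = unknown unit
                dpi = round(x_ppm * 0.0254)
        elif ctype == b"IEND":
            break
        pos += 12 + length  # length + type + body + crc
    return width, height, dpi


def ocr_precheck(data, small_text=False):
    """Apply the limits quoted above: reject images over 32,000 px on a side and warn when the
    resolution is below 300 DPI (text of 10 pt and larger) or 400 DPI (9 pt and smaller)."""
    width, height, dpi = png_info(data)
    if width > MAX_SIDE or height > MAX_SIDE:
        return "reject: %dx%d exceeds %dx%d" % (width, height, MAX_SIDE, MAX_SIDE)
    needed = 400 if small_text else 300
    if dpi is None:
        return "warn: no resolution metadata, OCR quality unknown"
    if dpi < needed:
        return "warn: %d DPI is below the %d DPI recommended" % (dpi, needed)
    return "ok"
```

A 300 DPI scan of normal-sized text passes, the same scan is flagged when the text is small, a 72 DPI screenshot is flagged in both cases, and an image wider than 32,000 pixels is rejected outright; this is the kind of check that answers the walk-through question of why an image was not blocked on the first attempt.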



4 Why wasn’t the image blocked on the first attempt? Examine the image. What attributes determine if
an image is submitted for OCR analysis?



4 How did changing OCR accuracy to Accurate affect how Forcepoint DLP handled the image?



4 How can we test our new policy level structure? Discuss as a class, and test your theories.



4 Previously, when installing Forcepoint DLP, the DLP endpoint installation files were included.
4 Consequently, if a version of the DLP endpoint was released more recently than the Forcepoint DLP
version you installed, you would be installing an outdated endpoint in a new DLP environment.
4 However, because endpoint files are now decoupled from Forcepoint DLP, the installation files for the
Forcepoint One Endpoint must be downloaded from the Forcepoint website.
4 This guarantees your endpoint version will be up to date when it is installed.



4 Endpoint client software resides on an endpoint machine (such as a laptop or workstation). It monitors
real-time traffic and applies security policies to applications and storage media, as well as data at rest.
The client software allows administrators to analyze content on endpoint machines and block or
monitor policy breaches (defined in endpoint profiles).
4 Administrators can create policies that allow full content visibility without restricting device usage.
4 When endpoint client software is installed, it attempts to connect to a Forcepoint DLP server to retrieve
policies and profiles.



4 Whereas previous versions of the DLP endpoint were included with the Forcepoint DLP installation files,
you must now download the Forcepoint One Endpoint from the Forcepoint support website:
https://support.forcepoint.com/Downloads
4 You will need to extract the downloaded endpoint files into the Forcepoint DLP endpoint folder:
\Forcepoint\Data Security\client\
4 After extracting the files, proceed with endpoint package creation as per the normal procedure. You will
complete this procedure in the walk-through.



Download the latest version of the Forcepoint One Endpoint.
1. Log on to the Security Manager Windows desktop using the same Windows account used for the
Websense Data Security Manager service (in your lab, this is fpcert\Administrator). Note that the crypto
keys are associated with this account.
2. On the “Security Manager” machine, open a web browser and navigate to:
https://support.forcepoint.com/Downloads
3. Sign in with your support site credentials. If you do not have credentials for the site, ask the course
instructor to provide you with the endpoint files.
4. Download the latest version of the Forcepoint One Endpoint Package Builder.



Extract the endpoint files to the DLP endpoint folder.
1. Open Windows File Explorer and browse to the DLP endpoint folder:
C:\Program Files (x86)\Websense\Data Security\client\
2. Copy the downloaded .zip file to this folder and extract the files. Make sure they do not extract into a
new sub-folder.
3. Copy and paste the file WebsenseEPClassifier.pkg.zip into the folder:
C:\Program Files (x86)\Websense\Data Security\client\OS X
Note: WebsenseEPClassifier.pkg.zip file is a DLP endpoint classifier exclusively for Mac endpoints running
Forcepoint DLP Endpoint.

Build an endpoint package.
1. Double click the endpoint package builder file to run it, and create a new Windows endpoint:
C:\Program Files (x86)\Websense\Data Security\client\WebsenseEndpointPackageBuilder.exe
2. Save the newly created endpoint package to the network shared folder:
C:\Forcepoint\My_Share

Note: In this lab, antivirus or other security software is disabled so that the Forcepoint One Endpoint installs
without interference. Disabling real-time protection leaves the machine unprotected while it is off; in a
production rollout, prefer the vendor-documented exclusions for the endpoint installer over switching
protection off entirely, and re-enable protection as soon as the installation has been verified.
1. On “Windows Test Machine,” expand the system tray by clicking the up arrow. You will see the icon for
Windows Defender in the tray.
2. Double click the Windows Defender Icon. Defender dashboard launches.
3. Click on “Virus and Threat Protection” in left pane.
4. Click on “Manage Settings” under ”Virus and Threat Protection” in the right pane.
5. Move the slider for Real-time protection to the off position. You will see a Windows notification on the
right edge of the screen indicating that virus protection has been turned off.

6. On “Windows Test Machine,” locate the shared network folder \\fp-sec-svr\my_share\ from the
“Security Manager” machine.
7. Copy the endpoint installer package from the shared folder to the desktop, then double click it to install
the endpoint.
8. Reboot “Windows Test Machine,” and confirm the endpoint is running after the machine reboots.
9. Open the Endpoint UI from the system tray, and then click Update. Ensure the endpoint is able to
connect and that the timestamp changes.

You should now be able to:
1. Download the latest version of the Forcepoint One Endpoint.
2. Extract the endpoint files to the DLP endpoint folder.
3. Build an endpoint package.
4. Install the endpoint package, and confirm it updates successfully.

• As a reminder, the Block LAN – Encrypt RM action plan should block on the endpoint LAN channel,
encrypt with the profile key on endpoint removable media, and permit on all other channels.

• What happens if you copy the file from the flash drive over to the Security Manager machine and open it
there? Why?

• How can we test our new policy level structure? Discuss as a class, and test your theories.

• As a reminder, the Block LAN – Encrypt RM action plan should block on the endpoint LAN channel,
encrypt with the profile key on endpoint removable media, and permit on all other channels.

• Is a new incident generated for the file copy?

• How can we test our new policy level structure? Discuss as a class, and test your theories.

• The DLP Endpoint browser extension is installed on all supported browsers when the DLP Endpoint itself
is installed.
• It allows browser activity to be monitored more easily, and it passes monitored traffic to the DLP
Endpoint for analysis.
• However, the extension has been known to cause performance or latency issues, for example as a result
of misconfigured policies. If this occurs, it may be desirable to place the browser extension into
Monitoring Only or Disabled mode to reduce the performance impact on your end users and allow time for
troubleshooting. Keep in mind that in Monitoring Only mode violations are still recorded as incidents but
the transaction is no longer blocked, so treat the change as temporary and track it until the extension is
returned to Enabled mode.
• Although currently the ability to configure mode selection for the browser extension is limited to the
Chrome browser extension, in the future this function will also apply to the Firefox and Safari browser
extensions.

• The Chrome browser extension mode is configured from the endpoint profile settings:
Deployment > Endpoint Profiles > Profile > Properties
• The mode configuration can be set on each endpoint profile in use, allowing you to specify a group of
endpoints in Monitoring Only mode and a separate group of endpoints in Enabled mode.

Create a rule that monitors Online Application transactions.
1. Access the DLP Policy Management page:
Policy Management > DLP Policies > Manage Policies
2. Click the Add button and then select Custom Policy.

3. On the General tab, name the new policy “Online Application Test Policy”, and then click Next.

4. On the Condition tab, click the Add button, and choose File Properties to open the “Select a Content
Classifier” window.
5. Find the “ZIP File” classifier in the list. (Optionally, use the Filter by text box to refine the list.) Select it
and click OK.

6. Change the action for channels Endpoint HTTP and Endpoint HTTPS to Block. Then proceed to the
Destination tab. Confirm that the check boxes in the “Web” section for Endpoint HTTP and Endpoint
HTTPS are selected. Do not make any other changes to this tab.

Deploy DLP policy and configuration changes.
7. Click Finish to complete creating the policy and rule.
8. Click Yes on the Deployment Needed pop-up window.

1. On the “Security Manager” machine, open the DLP tab of Forcepoint Security Manager and navigate to:
Deployment > Endpoint Profiles
2. Click on the Default profile, then select the Properties tab.
3. In the Forcepoint Browser Extension section, change the Chrome Extension Mode to Monitoring Only.
4. Click on Save and Close, then deploy.

1. On the “Windows Test Machine,” update the Forcepoint One Endpoint.
2. Confirm that the endpoint has received the update.
3. Upload the same test_zip_file.zip used previously from “Windows Test Machine” to dataleaktest.com.
4. The upload should succeed, because the extension is in Monitoring Only mode.
5. If you check incident reporting in Security Manager, there should be a new incident created with
“Permitted” as the action: the violation is still detected and recorded, but it is not enforced.

1. On the Security Manager, change the mode of the browser extension to “Enabled.” Deploy and confirm
the endpoint receives the update.
2. Upload test_zip_file.zip again from “Windows Test Machine” to dataleaktest.com.
3. You should see a block warning. If you check incident reporting in Security Manager, there should be a
new incident created with “Blocked” as the action.

• For DLP administrators who want to educate end users about policy violations so that users can correct
their own behavior, the Employee Coaching feature is invaluable.
• Enabling the feature allows a DLP administrator to configure the endpoint confirmation pop-up to
provide the at-risk employee with additional information about the breach:
    • What policy has been violated
    • How many instances of sensitive information were detected
• The Employee Coaching feature can be configured on each endpoint profile. The setting, which is
labeled Show incident details in the confirm dialog and the Log Viewer, is found here:
Deployment > Endpoint Profiles > Profile > Properties

1. On the “Security Manager” machine, open the DLP tab of Forcepoint Security Manager and navigate to:
Deployment > Endpoint Profiles
2. Click on the Default profile, then select the Properties tab.
3. In the Interactive Mode Options section, select the Show incident details in the confirm dialog and the
Log Viewer option.
4. Click on Save and Close, then deploy.

• Note that DLP Manager, System Modules, and Endpoint Clients should be running the latest version of
DLP 8.6. Endpoint Clients should be using Forcepoint One Endpoint version 19.x. If you run older
versions of the software, you might not see the latest verbiage from the Employee Coaching feature.

1. Which browser currently supports endpoint browser extension mode configuration through the
Forcepoint Security Manager UI?
• Chrome is currently the only supported browser for this feature.
2. Into which folder must endpoint files be extracted before building an endpoint package?
• \Forcepoint\Data Security\client\
3. What incident details can be shown in the DLP endpoint confirmation pop-up window using the
Employee Coaching feature?
• What policy has been violated
• How many instances of sensitive information were detected
4. The HTTP and HTTPS action for a policy rule is configured to “block” and the browser extension mode is
configured for “monitoring only.” A violation of the rule has occurred on the browser. What action is
taken?
• The transaction is not blocked.

Why do we need an Online Applications feature for DLP?
• Many online applications use nonstandard methods to upload files, for example, Gmail, Box, iCloud, or
Google Drive. With files being split up by the application before upload, it is possible to have the file
name in one HTTP transaction and the content in a separate transaction.
• This makes detecting and analyzing files uploaded to these applications very difficult for the DLP
endpoint. The new Online Applications feature was created to provide enhanced detection and analysis of
these transactions.

Previously, in order to ensure that files uploaded to online applications were analyzed by the DLP endpoint,
it was necessary to enable file access monitoring for each browser in use. The result of this was that every
file the browser touched, without exception, was analyzed.
That workaround was less than ideal. A lot of unnecessary files were analyzed as a result, which tended to
cause performance issues for the endpoint.

The Online Applications feature deals with this issue by enabling file access monitoring for a browser’s
processes only when the active tab URL matches a URL in a preconfigured list.
The list is defined in DLP Manager, contains multiple preconfigured services, and can also be edited to
include custom URLs for other online applications.
The Online Applications feature is supported only by the Chrome and Firefox browsers.

Preconfigured services included in the Online Application list are:
• Drive
• Box
• Google Mail
• iCloud
• Dropbox
• Yahoo Mail
• Amazon

The list of preconfigured applications is managed in Endpoint Global Properties:
Settings > General > Endpoint > Detection
In order to enable the Online Applications feature, select the Enable web file uploads analysis check box.
New URLs can be added, and the feature permits the use of the asterisk (*) wildcard, which matches any
character or string.

Although you are technically using the Online Applications feature to monitor the file access of a web
browser, the designated channel for all transactions that are analyzed by the Online Applications feature is
Endpoint HTTP/S.
This simplifies the creation and management of DLP rules and policies, and it lets you monitor browser
transactions without using the File Access option, which can often lead to performance repercussions.
Note, there is a Details column to the right of the Action column, which is not shown in the screenshot on
the slide. Admins can use this to distinguish regular HTTP endpoint analysis from Online Apps analysis.

Note that you cannot enable the Online Applications feature if File Access monitoring is still enabled on the
“Browsers” Endpoint Application Group. These settings are located in Policy Management > Resources >
Endpoint Application Groups > Browsers.
The File Access setting enables monitoring file activity of an application at the kernel level. In the Endpoint
Operations settings, File Access must be unselected before you can use the Online Applications feature.
Unselecting File Access is a safeguard to prevent failed, inaccurate, or even duplicate analysis of browser
transactions by the endpoint.

In the following scenario, your company is concerned that employees can bypass your DLP solution by
uploading .zip files and sending them through Google Mail. You need a solution to detect any .zip files being
uploaded through web browsers to various online applications, including Google Mail.
You’ll perform the following tasks to complete the walk-through:
1. Confirm that prerequisites to enable the Online Applications feature are present.
2. Enable the Online Applications feature.
3. Add a custom URL to the Online Applications list.
4. Create a rule that monitors Online Application transactions.
5. Deploy DLP policy and configuration changes.
6. Confirm that the endpoint has received the update.
7. Upload a test file to an online application.
8. Confirm an incident was created and review the associated forensic information.

Confirm that prerequisites to enable the Online Applications feature are present.
1. On the “Security Manager” machine, sign into Forcepoint Security Manager and access the DLP tab.
2. Access the Endpoint Operations settings for the “Browsers” Endpoint Application Group:
Policy Management > Resources > Endpoint Application Groups > Browsers
3. Confirm that the File Access check box is not selected. If it is selected, then unselect it and save your
settings.
Note: In order to use the Online Applications feature, File Access must be disabled on every Endpoint
Application group that contains a web browser, including the Browsers group. This is relevant if you have
added web browsers to other Endpoint Application Groups in your environment.

Enable the Online Applications feature.
1. Access the Online Application feature settings:
General > Endpoint > Detection
2. Enable the Online Application feature by selecting the Enable web file uploads analysis check box.

Add a custom URL to the Online Applications list.
1. If you are specifying a custom online application, in the URL text entry field, enter a URL using a
wildcard to cover all subdomains, such as:
*.onlineapplication.com
2. Note that a pattern like the example above will only match hosts that have a subdomain present.
To also match the URL without a subdomain, leave out the dot:
*onlineapplication.com
Because the asterisk matches any string, the dotless form also matches any other host name that happens
to end in onlineapplication.com, so keep the pattern as specific as the application allows.
3. Click the Add button to include your custom URL in the list.
Note: In this walk-through, you will be using the Gmail application (mail.google.com). In a production
environment, you will perform this step only if your application is not already included in the list.
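To make the two wildcard forms concrete, here is an added Python example (not Forcepoint code and not part of this course) that models how a list entry would be compared against the host of the browser's active tab. The matching rules it implements are an assumption drawn from the description above, not Forcepoint's documented implementation: an asterisk matches any string, the comparison is case-insensitive, and only the host part of the URL is compared. The pattern list and URLs are constructed for the illustration.

```python
import re
from urllib.parse import urlparse

# Constructed list entries: the two wildcard forms from the walk-through above
# plus a literal host in the style of the preconfigured Gmail entry.
# Assumed semantics (not Forcepoint's documented implementation): '*' matches
# any string, matching is case-insensitive, and only the host of the
# active-tab URL is compared (scheme, port, path and fragment are ignored).
ONLINE_APP_PATTERNS = [
    "*.onlineapplication.com",   # matches only hosts that have a subdomain
    "*onlineapplication.com",    # matches the bare domain too (and look-alikes, see below)
    "mail.google.com",           # literal entry, no wildcard
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a list entry into an anchored regex: '*' becomes '.*', all else is literal."""
    literal_parts = [re.escape(part) for part in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL; scheme, port, path and fragment are dropped."""
    return (urlparse(url).hostname or "").lower()


def matching_patterns(url: str, patterns: list[str]) -> list[str]:
    """Return every list entry whose pattern matches the URL's host, in list order."""
    host = host_of(url)
    return [p for p in patterns if pattern_to_regex(p).match(host)]


def should_monitor(url: str, patterns: list[str]) -> bool:
    """True when the active-tab URL would switch on file-access monitoring for the browser."""
    return bool(matching_patterns(url, patterns))


if __name__ == "__main__":
    # Constructed active-tab URLs exercising the subdomain / no-subdomain cases.
    for url in (
        "https://drive.onlineapplication.com/upload",
        "https://onlineapplication.com/upload",
        "https://notonlineapplication.com/",        # look-alike host caught by the dotless form
        "https://mail.google.com/mail/u/0/#inbox",
        "https://example.com/",
    ):
        print(f"{host_of(url):32} -> {matching_patterns(url, ONLINE_APP_PATTERNS) or 'no match'}")
```

Running it shows that `*.onlineapplication.com` is matched by `drive.onlineapplication.com` but not by the bare `onlineapplication.com`, while the dotless form matches both and also `notonlineapplication.com`. That is the trade-off to weigh when choosing between the two forms for a custom entry.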

Create a rule that monitors Online Application transactions.
1. Access the DLP Policy Management page:
Policy Management > DLP Policies > Manage Policies
2. Click the Add button and then select Custom Policy.

3. On the General tab, name the new policy “Online Application Test Policy”, and then click Next.

4. On the Condition tab, click the Add button, and choose File Properties to open the “Select a Content
Classifier” window.
5. Find the “ZIP File” classifier in the list. (Optionally, use the Filter by text box to refine the list.) Select it
and click OK.

6. Click Next two times, until you are on the Destination tab. Confirm that the check boxes in the Web
section for Endpoint HTTP and Endpoint HTTPS are selected. Do not make any other changes to this
tab.

Deploy DLP policy and configuration changes.
1. Click Finish to complete creating the policy and rule.
2. Click Yes on the Deployment Needed pop-up window.

Confirm that the endpoint has received the update.
1. On the “Windows Test Machine”, expand the system tray and open the Endpoint interface by
double clicking on the icon for the Forcepoint One Endpoint.
2. Confirm that Connection Status indicates the endpoint is “Connected”, and then click Update. Confirm
that the timestamp next to Updated changes to reflect the time you requested the update.

Upload a test file to an online application.
1. Still on the “Windows Test Machine”, locate the file:
C:\Forcepoint\Data Class Resource Files\test zip file.zip
2. If you do not already possess an account with one of the services monitored by the Online Application
feature, Google mail (https://mail.google.com/) is both free and quick to set up.
3. Once you have an accessible account either with Google Mail or another of the preconfigured Online
Application services, open the Firefox web browser and upload test zip file.zip to the online service.

Confirm an incident was created, and review the associated forensic information.
1. On the “Security Manager” machine, access Forcepoint Security Manager and view this incident report:
Reporting > Data Loss Prevention > Incidents (last 3 days)
2. Confirm that the test file you uploaded triggered an incident, which should be viewable in this report.
3. Note that because the file was detected using the Online Applications feature, the Channel for the
incident will show as Endpoint HTTP or HTTPS, even though you are technically monitoring file access.

You should now be able to:
1. Confirm that prerequisites to enable the Online Applications feature are present.
2. Enable the Online Applications feature.
3. Add a custom URL to the Online Applications list.
4. Create a rule that monitors Online Application transactions.
5. Deploy DLP policy and configuration changes.
6. Confirm that the endpoint has received the update.
7. Upload a test file to an online application.
8. Confirm an incident was created and review the associated forensic information.

1. What setting in Forcepoint Security Manager must be disabled in order to enable the Online
Applications feature?
• File Access must be disabled for the “Browsers” Endpoint Application Group in order to enable the
Online Applications feature.
2. What analysis channels will incidents detected by the Online Applications feature always use?
• The Online Applications feature will always use the Endpoint HTTP/S channels for analysis.
3. How would you enter a URL using a wildcard in the Online Applications list, if the URL does not have a
subdomain?
• The wildcard would preface the URL without a dot, for example:
*onlineapplications.com
4. What are the potential repercussions of using File Access to monitor browser transactions, instead of
the Online Applications feature?
• Using File Access to monitor all browser transactions means that every single file the browser
touches will be analyzed, resulting in potential false positive or irrelevant incidents, as well as
potential system performance issues.

What’s new regarding DLP and CASB integration?
As CASB matures and its functionality expands, a more complete and efficient means of integrating with
other Forcepoint products is needed.
• Licensing has been simplified and brought more in line with other Forcepoint subscription models.
• Logging, scanning, and incident reporting have all been improved.

• With the release of Forcepoint DLP 8.6, perpetual licensing (no end date) for CASB is revoked.
• Beginning in DLP 8.7 and going forward, there will be a separate CASB license for the CASB product,
instead of associating the CASB license with the DLP product.
• Forcepoint DLP, however, still retains the option to purchase a perpetual license with no end date.

• The Download Diagnostics button on the System Health dashboard has always provided a means to
download logs from each DLP agent.
• More recently, log files from CASB cloud agents have been included in the download along with the rest
of your agent logs.
• Below right is an example of the archives included. Note that these are the complete log files, not partial
files.

Forcepoint CASB supports API and Web connections for the following cloud services:
• Salesforce
• Microsoft Office 365 and Azure
• Microsoft Exchange Online
• Amazon Web Services (AWS)
• Google G Suite
• Dropbox
• Box
• ServiceNow
Each of these services has its own prerequisites for an API connection; refer to
https://my.skyfence.com/resources/ServiceProviderAPIConnectionGuide.pdf.

Use the CASB Service tab of the Settings > General > Services page to connect, disconnect, and configure
the CASB service.
With a Forcepoint DLP Cloud Applications subscription, the CASB service:
• Provides content inspection for files used in cloud collaboration applications, including downloaded,
uploaded, shared, and stored files
• Applies DLP policies to sensitive data

To connect Forcepoint DLP to the CASB Service:
1. From Security Manager, open the CASB Service tab of the Settings > General > Services page.
2. Click Connect.

3. Enter the following information from the Forcepoint CASB fulfillment letter:
    • The Access key ID
    • The Access key secret for the account
    • The Service URL
4. Click Connect. The connection process is initiated and may take some time to complete.
Treat the access key secret as you would any other service credential: store the fulfillment letter securely
and do not paste the secret into tickets, chat, or screenshots.
Once Forcepoint DLP has connected successfully to the CASB service, it is automatically enabled and the
CASB Service tab is updated.
For more information refer to:
https://www.websense.com/content/support/library/data/v86/help/configure_casb.aspx

Starting with DLP 8.6, CASB supports discovery scans on supported cloud services.
There are four prerequisites to setting up a cloud discovery scan:
1. The CASB service must be set up in:
Settings > General > Services > CASB Service
2. At least one discovery policy must be enabled.
3. The CASB service must have Enable data at rest discovery checked:
Settings > General > Services > CASB Service > Edit
4. A CASB action must be selected for the discovery policy action plan.

Note: Only one scan can be set up per CASB asset. This means that if you have three Box accounts, you will
need to create a task for each account.

• Once the prerequisites for a cloud scan are in place, you will need to deploy DLP to push the scan
configuration to the cloud agent.
• There is no need to initiate the scan; once it is deployed, it will run continuously.
• Incidents created by cloud discovery will not show the action taken, only the channel and other basic
incident properties.

For each defined discovery scan, you can select the policies that are to be used in the scan:
Policy Management > Discovery Policies > Cloud Discovery Scans
A scan is only performed for a single CASB application. For example, if you want to perform a scan for both a
Dropbox and a Box service, you must configure separate scans for each application.

• In some cases, a manual “reset scan” is required for the system to work as expected:
    • After any modification of the CASB asset configuration
    • After any modification of the relevant DLP policies/rules
    • If you need to restart the scan for any reason
Note that unlike a DLP network discovery scan, a cloud discovery scan will not show scan statistics in the
task list while running.

To audit user activity (upload, download, share), enable activity import, apply the CASB API policies, and
inspect file contents where relevant.
• The API-based CASB service is set up in:
Settings > General > Services > CASB Service
• The CASB service must have Enable activity import checked.

To apply a DLP rule to audit the activity on a CASB application, you must check the CASB Service box on the
Destination tab of the Policy Rule screen.
• The API-based CASB service is applied in:
Main > Policy Management > DLP Policies > Policy Rule Destination
• The CASB service option must be selected.

1. How has CASB licensing changed with recent releases of Forcepoint DLP?
• CASB licensing is now separate from DLP licensing and will no longer be available as a permanent
license.
2. Is it possible to collect CASB agent logs through the DLP dashboard? How?
• Yes, by using the “Download Diagnostics” button from the DLP System Health Dashboard.
3. In order to perform a cloud discovery scan on a G-Suite account and two separate Box accounts, how
many different scan tasks must you create?
• Three. Each connected account is a separate CASB asset, and only one scan can be set up per asset.
4. How do you initiate a cloud discovery scan?
• Once the discovery policy has been deployed, there is no need to initiate a cloud discovery scan; it
will run continuously.

• Unlike the Force-release feature, which has fewer requirements, the "action links" only work for admins
who possess the privileges needed for that workflow.
• Action links are embedded in notification messages (the command text is encrypted).
• When an admin clicks a link, an email is generated; sending that email to an FSM-monitored mailbox
will enact the specified action on the incident. Each subsequent action link clicked will generate another
email to send.

• Details of the selected incident appear at the bottom of the screen. In this preview, you can see:
    • Violations
    • Forensics
    • Properties
    • History
• The Violations section displays either violation triggers or violated rules.
    • Violated rules displays which rules were violated by the incident. Click the information icon to view
    more details, such as the policy and action plan for the rule. Only the first 500 rules or 500 MB for
    the incident are displayed.
    • Violation triggers displays the precise values that triggered the violation and how many of those
    triggers were found. Click the numeric link to view details about the trigger. Only the first 500
    triggers or 500 MB for the incident are displayed.
• The Forensics tab shows information about the original transaction.
    • For data loss prevention incidents that occurred on an email or a mobile channel, it displays the
    message subject, from, to, attachments, and message body. You can click links for details about the
    source or destination of the incident, such as email address, manager, and manager’s manager. You
    can retrieve thumbnail photos, if configured. You can also open attachments. The bottom portion of
    the incident screen displays the message body.
    • For data loss prevention incidents that occurred on a Web channel, the forensics could include the
    URL category property.
    • For discovery incidents, forensics includes the hostname and file name.
• The Properties tab displays all incident details, including:
    • Incident number
    • Severity
    • Status
    • Action
    • Channel
    • Information about the source and destination of the incident
• The History tab displays the incident history, including all workflow operations performed and
comments added.
• Tune Policy allows the source of an incident to be excluded from the policy directly from
incident reporting.
• Manage Report allows the report columns to be customized (what data in the report is
shown), or the report filters changed (what data is included in the report).

• The batch operations feature enables administrators to perform simultaneous operations on all
retrieved incidents in an incident report.
• This has the added benefit of allowing you to run incident operations in the background while working
in other pages of the Security Manager.

• The following operations are currently capable of being applied using the batch processing feature:
    • Assign
    • Change status
    • Change severity
    • Ignore incident
    • Tag incident
    • Add comments
• The Delete operation can currently be applied to an entire report but does not yet use the batch
processing feature to do so.
• The following operations will be added to batch processing capabilities in a future version of Forcepoint
DLP:
    • Delete
    • Remediate > Release
    • Escalate

• While reviewing an incident report, first select all the incidents on which you will perform an operation.
• Then, when you select an operation to run, a message will pop up in Security Manager. You will be asked
to select one of two options:
    • Apply the operation to only the incidents you have selected
    • Apply the operation to all incidents in the open incident report

In the following scenario, a new DLP policy in your environment has produced an unexpectedly large
number of incidents in a short period of time. You need to remediate these incidents en masse, and in a
manner that will allow you to continue working on your other assigned projects.
Tasks
1. Run the provided script to generate incidents.
2. Open an incident report.
3. Select all incidents created by a specific policy.
4. Run a batch operation on the selected incidents.
5. Confirm the desired changes have been made.

First, run the provided script to generate incidents.
1. Earlier in this module, you created a rule to detect zip files. Confirm that this rule is enabled and
deployed.
2. On the “Security Manager” machine, locate the file:
C:\Forcepoint\Data Security Resource Files\bulk_incident_creation.bat
3. Right click the file and select Run as Administrator. A command prompt window will open and
execute a series of commands. Wait for the script to complete and the command prompt window to
disappear.

Second, open an incident report.
1. While still on the “Security Manager” machine, access the DLP Security Manager.
2. Open an incident report:
Reporting > Data Loss Prevention > Incidents (last 3 days)

Third, select all incidents created by a specific policy.
1. Using the arrow button in the column header, filter the Policies column to show only incidents created
by the .zip file detection policy.



Fourth, run a batch operation on the selected incidents.
1. Click on Workflow, then Change Status. Choose Change Status > Closed to mark these incidents as
resolved.
2. When the Change Status batch operation pop-up window appears, select All Filtered Incidents and
then click OK.



Fifth, confirm the desired changes have been made.
1. Wait for the “Batch action completed successfully” message to appear, then click on Refresh to
update the report.
2. Confirm that the status of the selected incidents has changed to Closed.



You should now be able to:
1. Run a script to generate incidents.
2. Open an incident report.
3. Select all incidents created by a specific policy.
4. Run a batch operation on the selected incidents.
5. Confirm the desired changes have been made.

• The clause of GDPR quoted above indicates that DLP incident analysts should not process personal user
data without explicit instruction to do so, meaning that in order to be compliant, an organization must
prove it has protected the privacy of its user data, even from the DLP analysts.
• Forcepoint has multiple ways to achieve this through delegated administrator settings and role-based
configuration.

• Configure customized permissions for the role as follows:
  • Under Status, select the status reports to which this role should have access:
    • The Dashboard shows system alerts, statistics, and an incident summary over the last 24 hours.
    • The System Health screen enables you to monitor the performance of Forcepoint DLP servers
      and protectors.
    • The Endpoint Status screen summarizes the results of endpoint connectivity tests. (Not included
      in Forcepoint Web Security or Forcepoint Email Security.)
    • The Mobile Status contains details of the traffic being monitored by Forcepoint DLP over
      specific periods, such as data that has breached policies and the actions taken.
  • Under Reporting, select the Data Loss Prevention & Mobile incident and reporting functions that
    this role should be able to access.
    • Select Summary reports to give administrators with this role access to data loss prevention
      summary reports.
    • Select Detail reports to give administrators with this role access to data loss prevention incident
      detail reports. When this option is selected, several more are made available:
      • Select View violation triggers to allow administrators to view the values that trigger
        violations.
      • Select View forensics to allow administrators to view forensics for this incident. (Users who
        aren’t allowed to see this confidential data cannot see a preview of the email message or
        the content of the transaction in other channels.)
      • Select Perform operations on incidents to allow administrators with this role to
        perform all escalation, remediation, and workflow operations on data loss prevention
        or mobile incidents.
      • Select Export incidents to a PDF or CSV file to allow administrators with this role to
        bulk export DLP or mobile incidents from an incident report to a PDF or CSV file.
        Exports include all data in the current report.
    • Select Incident Risk Ranking reports to allow administrators with this role to access Incident
      Risk Ranking and My Case reports.
    • Select Hide source and destination to prevent administrators with this role from seeing
      source and destination information like usernames and IP addresses. Instead, reports will
      show sources and destinations as unique IDs generated by the system. This does not affect
      the source and destination fields in the syslog. Syslog always displays names.

  • Select the Discovery incident and reporting functions for this role. Discovery functions are not
    included in Forcepoint Web Security or Forcepoint Email Security.
    • Summary reports - Select this option to give administrators with this role access to
      discovery summary reports.
    • Detail reports - Select this option to give administrators with this role access to discovery
      detail reports. When this option is selected, more are made available:
      • View violation triggers - Select this option if you want the administrator to view the
        values that trigger discovery violations.
      • Perform operations on incidents - Select this option if you want administrators with
        this role to be able to perform all escalation, remediation, and workflow operations
        on discovery incidents.
      • Export incidents to a PDF or CSV file - Select this option if you want to allow
        administrators with this role to bulk export discovery incidents from an incident
        report to a PDF or CSV file. Exports include all data in the current report.

  • Mark Send email notifications if administrators with this role should be notified when an
    incident is assigned to them.

  • Under Policy Management, select the policy management functions this role should be able
    to perform.
    • Data loss prevention policies - Can configure DLP policies for all channels as well as
      content classifiers and resources.
    • Discovery policies - Can configure discovery policies, tasks, content classifiers, and
      resources.
    • Sample database records - Can view sample database information when editing a
      database fingerprinting classifier, including database, Salesforce, and CSV classifiers.



  • Under Logs, select the logs to which this role should have access.
    • The Traffic log contains details of the traffic being monitored by Forcepoint DLP over
      specific periods, such as data that has breached policies and the actions taken.
    • The System log displays system events sent from different Forcepoint components, for
      example Forcepoint DLP servers, protectors, or policy engines.
    • The Audit log displays actions performed by administrators in the system.

  • Under Settings, select which General settings options administrators with this role should be
    able to access.
    • Services - Administrators can configure local and external services like Linking Service
      and Microsoft RMS.
    • Archive Partitions - Administrators can select incident partitions, then archive, restore or
      delete them.
    • Policy Updates - Administrators can update predefined policies to the latest version.
    • Analytics - Administrators can configure settings used to calculate risk scores in the
      Incident Risk Ranking report.
    • All other general settings - Administrators can configure all other settings in the Settings
      > General menu.

  • Indicate whether administrators in this role can configure Data Security module
    Authorization settings.

  • Under Deployment, select which functions administrators with this role should be able to
    perform.
    • Manage system modules - Give this role the ability to register modules with the
      management server.
    • Manage endpoint profiles - Give this role the ability to view and edit endpoint profiles.
      Administrators can add new endpoint profiles, delete profiles, and rearrange their order.
      (Not included in Forcepoint Web Security or Forcepoint Email Security.)
    • Deploy settings - Give this role the ability to deploy configuration settings to all system
      modules.

• What is different after logging in as Tmuller?
• What is missing from the UI?
• How has incident reporting changed?

• It is common for security policies to mandate that secure data be kept in specific locations on the
network, or follow precise file naming conventions.
• In spite of this, users will often make copies of sensitive files and relocate them, or copy and paste
sensitive data into localized documents for easier access.
• Discovery allows administrators to seek out and identify locations on the network where sensitive data
is located, and provide remediation as necessary.

You should now be able to:
1. Select which type of file labeling system to use.
2. Import the file labeling tags.
3. Select which file labeling tags to assign.
4. Create a policy using a file labeling classifier.
5. Create an endpoint discovery policy to label files.



1. Source and Destination settings
2. By creating either an endpoint or network discovery task
3. Analyzed data is temporarily copied back to the crawler, which may result in high bandwidth usage.

As we come to the top of the classifier pyramid, it is helpful to remind ourselves of the classifiers and their
functions.
• Key Phrases: Classify data by the presence of a keyword or phrase, such as “confidential.”
• Dictionaries: Classify data using terms that belong to a certain knowledge domain, such as medical or
financial terms.
• Regular Expression Patterns: Classify data by regular expression patterns. They are used to identify
alphanumeric strings of a certain format, such as `123-45-6789`.
• File Properties: Classify data by file name, type or size. File name identifies files by their extension. File type
identifies files by metadata.
• File classification labels: Leverage third-party file classification software. These will be discussed in a later
unit.
• Scripts: Also known as ‘predefined classifiers’, these let you classify data by context. They are used to identify
numeric data such as credit card numbers or intellectual property such as software design documents and
source code.
• Machine Learning: Creation of context-sensitive script classifiers by registering positive and negative sets of
sample data.
• PreciseID File System Fingerprinting (Unstructured): Fingerprints files or directories, including SharePoint
directories.
• PreciseID Database Fingerprinting (Structured): Fingerprints database records directly from your database or
CSV files.
We will now be focusing on the Machine Learning and Fingerprinting classifiers.
Remember that PreciseID File and Database Fingerprinting are indeed the most accurate way to identify
confidential or sensitive data, but they are extremely resource-intensive and should be used sparingly.



• A Binary Signature is created for exact file matching for all types of files (textual or binary).
• A Textual Signature (SSH, self-synchronized hashes that allow detecting excerpts of fingerprinted text) is
also created for files from which text can be extracted.
• Files over 10 MB get special treatment called a ‘Huge File’ signature. A huge file signature consists of the Binary
Signature and a partial Textual Signature (5 MB from the beginning and 5 MB from the end of the file). Even if
text is not available, some fingerprint data can be derived.
• Data is often manipulated in a variety of ways. Documents are edited and modified. Information may be
cut out of one document type, such as MS Word, and copied into another, such as Quattro Pro, or even
zipped. Since Data Security extracts and evaluates the content itself, file type and internal formatting are
irrelevant. Generally, most people are just trying to get their jobs done and there is no malicious intent
to circumvent corporate security policies. However, it is easy for protected content to get mixed with
unprotected content or for a user to send an email attachment without recognizing the sensitivity of the
data. Data Security Suite can capture and/or monitor these unintended releases of confidential data as
well as offer remediation options.



• Fingerprint analysis works by looking at the content in question, such as an outbound email, and
creating a hash-set in the same manner that fingerprints are created, as was discussed earlier. The hash-
set of the outbound email is compared against the fingerprint repository. If there is a match or a partial
match, the rule is triggered.



• Entire document fingerprinted, including the disclaimer
• Document has not been fingerprinted, yet the disclaimer triggers a policy
• Fingerprinting the disclaimer as an Ignored Section prevents it from triggering a policy when Non-
Confidential.doc is analyzed.



• The Policy Engine receives data for analysis from the crawler during discovery jobs. It sends structured
data to the FPR for analysis (servers only). It also analyzes unstructured data, using FPNE information
received from the FPR. Fingerprint data is stored in the master fingerprint repository (FPR) on the DS
Manager and then propagated to all components with a PE package, i.e., protectors, DS Servers and
WSGA, so that each of them has the capacity to analyze all content locally.
• Fast Proof of Non-Existence (FPNE) is a probabilistic data structure, commonly called a Bloom filter, that
allows testing the membership of some item (in our case a sequence of $N$ consecutive words) in some set
(in our case the set of all sequences of $N$ consecutive words found in confidential documents). The data
structure relies on hash functions and can make mistakes called *false positives* (i.e., it may falsely
assert that the $N$-sequence exists in confidential documents when in fact it was never encountered in
any confidential document); it never produces false negatives, which is what makes it a safe "proof of
non-existence" for content that does not match. You can adjust the accuracy of the Bloom filter by making
its data structure larger.



• Files that were used when creating the fingerprint can be viewed and edited from the status window of
the selected fingerprint classifier. Also note that this is where files can be removed from the fingerprint.



• Identify the most important content (2% rule)
  • Business plans
  • Marketing strategies
  • High-level design documents
• Keep the Fingerprint Repository under about 14 GB
• Fingerprint uncompressed documents if possible
• Create an ignored-sections fingerprint for boilerplate text chunks
• Use the Forcepoint Security Manager to delete fingerprints
  • Deleting the original fingerprinted file does not remove the fingerprint classifier

• In order to fingerprint a database, the Data Security server must be able to connect to the data source
over a supported interface. Only “read” access is necessary. System Data Source Names (System DSNs)
are recommended. For User DSNs to be available to all DLP crawlers, they would need to be defined
under the same user account that the DLP software processes run as. Any database that has an ODBC
connector driver can be supported.



• In order to use database fingerprinting without a huge number of false positives, it is necessary to require
a certain number of database cells in the target document. The more fields that are considered confidential,
the fewer records we need to match. E.g., if only one field (database column) is considered confidential,
we require at least 5 such fields, etc.
• There is a reason why DB Fingerprinting is called "structured fingerprinting": we need to see the
confidential fields from the same DB record in order to have a single match. If confidential field values
are from different records, this is not considered a match. If DB fields are so sensitive that even
scattered field values should be protected, consider creating a dictionary classifier from the DB values.

• SVM (Support Vector Machines), a machine learning algorithm, is used to classify the texts.

• File Classifiers by Type are not affected by file extensions or file renaming. Instead, they analyze the
actual binary contents of each file.
• One of the file type collections is "Encrypted Files of Known Formats", which contains various password-
protected office formats and archives. This collection is important from various points of view:
  • It may indicate malware activity, e.g., exfiltrating encrypted archives. Therefore this classifier can
    be used in the "Data Theft" quick policies.
  • Encrypted files cannot be extracted. To avoid a security hole, all transactions containing unknown
    encrypted files can be blocked by a DLP rule. (This does not mean that sending out encrypted files
    becomes impossible. For example, file and email message encryption can still happen in an
    email gateway; but it is important that this happens after DLP analysis in the flow of traffic.)
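An added illustration (not Forcepoint code) of the two points above: a detector that recognizes a password-protected zip by parsing its headers rather than trusting the file name, and a check that such content cannot be extracted for analysis, which is why the course suggests blocking it by rule. The archive is constructed in memory and only its "encrypted" flag bit is set; no real encryption is performed, and the file names and the block/analyze decision are assumptions.

```python
"""Recognize an encrypted archive by its bytes, not its name. Constructed example, not product code."""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0 in the zip specification
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes follow the data instead of preceding it


def build_sample_zip():
    """A small, ordinary archive (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", "quarterly numbers, internal only")
    return buf.getvalue()


def mark_as_encrypted(zip_bytes):
    """Simulate a password-protected archive by setting the encrypted flag in every header."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((ZIP_LOCAL_HEADER, 6), (ZIP_CENTRAL_HEADER, 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= FLAG_ENCRYPTED
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def zip_entries(data):
    """Walk the local file headers; returns [(name, encrypted)] or [] if this is not a zip."""
    entries, off = [], 0
    while data[off:off + 4] == ZIP_LOCAL_HEADER:
        flags, = struct.unpack_from("<H", data, off + 6)
        comp_size, = struct.unpack_from("<I", data, off + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
        name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        if flags & FLAG_DATA_DESCRIPTOR and comp_size == 0:
            break  # size is only in a trailing descriptor; stop rather than guess
        off += 30 + name_len + extra_len + comp_size
    return entries


def classify(filename, data):
    """The file name is deliberately ignored: the verdict comes from the binary content."""
    entries = zip_entries(data)
    fmt = "zip" if entries else "unknown"
    encrypted = any(enc for _, enc in entries)
    # Encrypted content cannot be opened for analysis, so the rule blocks it instead
    # of letting it pass unseen (the action names are assumptions).
    return {"file": filename, "format": fmt, "encrypted": encrypted,
            "action": "block" if encrypted else "analyze"}


def try_extract(data):
    """First member's bytes, or None when the archive cannot be extracted (encrypted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0])
    except RuntimeError:  # zipfile raises this for an encrypted member without a password
        return None


if __name__ == "__main__":
    plain = build_sample_zip()
    locked = mark_as_encrypted(plain)
    # Renamed to .txt to show that the extension plays no part in the decision.
    print(classify("quarterly.txt", plain))
    print(classify("quarterly.txt", locked))
    print("extracted:", try_extract(plain), "| locked:", try_extract(locked))
```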



1. Once a fingerprinting classifier is created, will it be able to identify the fingerprinting content via the
Network Channel?
• No, the classifier needs to be added to a policy first.
2. What is the recommended maximum size for a Fingerprint Repository?
• 14 GB
3. When should you use a Database fingerprint?
• When trying to prevent the leakage of database records.
4. What is the encoding format for a CSV file with Database fingerprinting?
• UTF-8
5. Provide a scenario where Machine Learning would be more effective than File Fingerprinting.
• Proprietary source code vs. other source code
• Our legal documents vs. other legal documents
• One author’s prose vs. any other text in that language

After successfully completing this module, you will be able to:
• Explain the functionality of classification labels and how to integrate them into the DLP data labeling
framework.
• Integrate Boldon James into the DLP data labeling framework.
• Create a file labeling classifier to manage files that contain sensitive or proprietary information.
• Create and deploy a data usage policy using a file labeling classifier.
• Create and deploy a discovery policy with an action plan capable of assigning file classification labels.
• Integrate Microsoft Information Protection into the DLP data labeling framework.



What is third-party classification label software and what is it used for?
• Classification software helps you to improve security and compliance by protectively marking files.
• Forcepoint DLP integrates with this software to add labels to files, modify labels based on discovery
policies, and to import labels for detection.
• DLP detects these labels using standard policies and rules and does so with a high degree of accuracy.
• You can configure additional automated labeling actions using remediation scripts for network
discovery.



• Organizations can use a supported third-party classification system, such as Boldon James Classifiers, to
label files. Forcepoint DLP can integrate with these third-party systems.
• Classification labeling establishes a set of standards to manage files that contain sensitive or proprietary
information.
• You can have one or more levels of sensitivity and therefore multiple classification labels.
• Classification labels allow you to intercept files that have been classified with a sensitive or proprietary
label.



• You can create policies to assign file labels in Forcepoint Security Manager that are applied by the DLP
Endpoint.
• Forcepoint Security Manager can import classification labels created by third-party systems such as
Boldon James and Microsoft Information Protection. This enables Forcepoint Security Manager to assign
labels to those files and detect them.

In this scenario, your company wants to use the Boldon James Classifier system to manage sensitivity levels
of files. You need to enable and configure this file Classifier system. You need to verify the system allows
Forcepoint DLP to import labels for detection and to add labels to files based on discovery policies.
You’ll perform the following tasks to complete the walk-through:
1. Select which type of file labeling system to use.
2. Import the file labeling tags.
3. Select which file labeling tags to assign.
4. Create a policy using a file labeling classifier.
5. Create an endpoint discovery policy to label files.



• Select Boldon James classifier to perform the import process of Boldon James file labels.
• The Microsoft Information Protection (MIP) process will be discussed later in this module.



• Perform the Import Labels procedure. The required spif.xml file can be found in the Boldon James
spif.xml file folder located on the desktop of the Forcepoint Security Manager.



• Finalize the list of labels to import from the Boldon James host before locating and importing labels for
auto-tagging and detection.
• The spif.xml file is located in the Boldon James spif.xml folder located on the desktop of the “Security
Manager” machine.
• From the Boldon James host, any updates made to labels must be published in order to update the
spif.xml file. Confirm the published updates by observing the file’s new timestamp before you import
labels.



• After you import the available labels, you will still need to select which labels are to be used in DLP.
• This list shows the labels imported into DLP from the Boldon James spif.xml file.
• If this list is incorrect, you will need to go back to the Boldon James host and confirm the updates of
labels were successful by selecting Publish Configuration from the Classifier Administration menu in
the Actions panel and then try again.



• Select the Apply file labels check box.
• Note that by default, the third option, “When the file has a tag whose priority…”, does not get selected.
• Click OK, then deploy.



• You will need to create a name for the file labeling classifier and select “Boldon James Classifier” as the
labeling system.
• Imported file labels will appear in the All Labels list. Select the check box for each label you want to
place in the Detected Labels list to activate labels for DLP policies.
• Click OK at the bottom right (not shown in screenshot) to continue.



Click on Create Rule from Classifier at the top of the File Labeling page to bring up the Screen shown on the
next slide.



2. Enter “Boldon James” as the name for your new rule.
3. Select Add this rule to a new policy and enter “Boldon James” as the Policy name.
4. Click OK to create the new rule and policy.
5. Click Deploy to deploy your changes.



6. Verify that your new policy has been created from the Manage DLP Policies screen (Data > Policy
Management > DLP Policies > Manage Policies).
7. If necessary, click on the Boldon James rule to edit the Severity & Action, Source, or Destination
settings for the rule.



• Create a DLP policy as normal. When adding a classifier, be sure to select File Labeling to assign a
classifier based on the Boldon James detected labels (from previous slide).
• For this walk-through, you will be creating a policy to apply the Boldon James Classifier: Confidential
label to any file containing the key phrase “Confidential.”



Create a policy and rule that are both called “BJ Confidential”.



5. Select Add > Patterns & Phrases from the drop-down menu.
6. Click Next to bring up the Select a Content Classifier window shown on the next slide.



• Create a new key phrase classifier and name it “Confidential”.
• You can also filter the list for “Confidential*” to bring up a list of all existing Confidential classifiers.



8. In the Add Key Phrase window, enter “Confidential” for the Name and Phrase to search.
9. Click OK to return to the Select a Content Classifier window shown on the next slide.



10. Select “Confidential” from the Content Classifier List. This is the Keyword Classifier you created in the
previous slide.
11. Click OK to return to the Manage Discovery Policies > Policy Rule screen.



• Click Next to configure Severity & Action.



• Click on the edit icon for the first Action Plan to bring up the Action Plan Details window shown on the
next slide. The edit icon appears at the far left of the action plan.



14. Click on the Discovery tab in the Action Plan Details Window.
15. In the Endpoint Discovery section, select First Label.
16. Select “Classification: Confidential” from the drop-down list of Boldon James labels.
17. Click OK to return to the Manage Discovery Policies > Policy Rule screen.
18. It is likely you will see a pop-up window asking if you want to deploy your changes. Do not deploy your
changes yet. If you deploy before you finish creating the policy, then the policy is not created, and
you will need to begin this process anew.



19. Click Finish.
20. Deploy your changes.
21. You can now create an Endpoint Discovery task that uses this policy.



You should now be able to:
1. Select which type of file labeling system to use.
2. Import the file labeling tags.
3. Select which file labeling tags to assign.
4. Create a policy using a file labeling classifier.
5. Create an endpoint discovery policy to label files.



1. What is classification labeling and what does it do?
• Classification software helps you to improve security and compliance by protectively marking files.
• Classification labels allow you to intercept files that have been identified as having sensitive or
proprietary data.
• DLP detects these labels using standard policies and rules and does so with a high degree of
accuracy.
2. What are some third-party applications you must have in order to use the DLP Data Labeling feature?
• Example applications include Boldon James and Microsoft Information Protection (MIP).
3. What is the operation called that gets third-party file labeling recognized in DLP?
• Importing or Import Labels



• Microsoft Information Protection (MIP) is a cloud-based solution that helps an organization apply labels
to classify, and optionally protect, the organization’s documents and emails that reside in Microsoft
Azure and Office 365.
• MIP in Office 365 requires that the administrator for that account create and enable the Azure
Information Protection resource in the Azure Portal for the corresponding Office 365 account. Creating
and enabling this service is documented in the Microsoft help pages and is therefore beyond the scope
of this course.
• Microsoft Azure and Office 365 support applying labels as follows:
  • Automatically by administrators who define rules and conditions.
  • Manually by users while creating/editing documents.



• Note: Microsoft Information Protection (cloud based) should not be confused with Microsoft Rights
Management Services (on-prem based).
• A key reason to choose one service over the other is which platform it runs on: cloud (MIP) or on-
premises (RMS).
• There are two protection templates available for MIP. One provides read-only permissions; the other
provides write/modify permissions to protected content. Choose whichever template meets your needs.

In the following scenario, your company wants to integrate the Microsoft Information Protection (MIP)
feature with Forcepoint DLP in order to manage two different levels of file sensitivity. You will need to
ensure that secure project files cannot be copied internally, and that files containing top-secret IP are
prevented from leaving the corporate network via any Forcepoint DLP monitored channel.
You’ll perform the following tasks to complete the walk-through:
1. Integrate Forcepoint DLP with Office 365.
2. Import the MIP labels created in Office 365.
3. Create file labeling classifiers and assign MIP labels to them.
4. Create DLP policies using the newly created classifiers.
5. Assign MIP labels to test files.
6. Test the DLP policies to ensure they are functioning as expected.



• Select the correct user account with administration permissions.
• The user account must have Admin Consent permission to log on to Office 365 successfully.
• The user account on the Office 365 site must be a member of the Organization Management group (the
group name may appear as Azure Information Protection Admin instead of Organization
Management). This operation is performed from the Office 365 interface.



3. Enter the credentials for your E3 level or higher Office 365 account. Use the credentials provided by
your instructor.
4. Click Import Labels.

• If you supplied incorrect credentials, DLP changes the credentials form to look similar to the one on the
right, with a line in red inserted above the instructions saying “User name or password could not be
confirmed.” In this case, re-enter your credentials as in Step 3.
• If the credentials are correct, DLP displays the Error dialog shown at the right, indicating that DLP could
not import the labels. This is because you have not yet integrated your DLP system with your Office 365
system. In this case, you are ready to proceed to Step 5.

• NOTE: You integrate DLP with your Office 365 account only once, not once per user in the Office 365
account. You will therefore see the dialog in this slide only once per integration. Since you are using a
provided account for this walk-through, you may not be prompted to accept these permissions.

• Once Admin Consent has been granted, perform the actions to import labels successfully.
• You must already have created and published file labels from Boldon James administration prior to
importing labels.

There are two visual cues that the import was successful:
• DLP displays the green banner above the login credentials indicating success.
• The Last import details window contains a list of imported labels.

• This is the result of a failure to log on to Office 365 with Admin Consent permissions.
• Verify that the user account has the appropriate permissions and try again.

After importing labels, and before you can use them in DLP policies, you must create a labeling classifier and
assign one or more of the imported MIP labels to it. We will create two classifiers, one for each imported
label. To do this:
1. From the DLP menu, select Policy Management > Content Classifiers > File Labeling.
2. Click New to create a new classifier. DLP displays the window shown at the top of the next slide.

We will be creating two classifiers in this walk-through:
  • Call the first classifier MIP - Secure Project and add the Secure Project label to it.
  • Call the second classifier MIP - Top Secret IP and add the Top Secret IP label to it.
The dialog at left provides the fields that define a labeling classifier.
3. Specify a unique name.
4. Optionally, specify a description.
5. Select Microsoft Information Protection from the Labeling System drop-down list.
6. From the list of File Labels under All Labels, check the labels to assign to this classifier, and then click the
right arrow to move them to the Detected Labels box. The result appears similar to the window to the
right.
7. Click OK. DLP creates the classifier and returns to the File Labeling menu, as shown in the next slide.

Notice the classifiers you created in the preceding step are now listed on the page. Create two policies using
these classifiers.
1. From the DLP menu, select Policy Management > DLP Policies > Manage Policies. DLP displays the page
in the lower-right.
2. Click Add and select Custom Policy from the resulting drop-down menu. DLP displays the page on the
next slide.

• Note that even if Endpoint LAN is the only channel selected on the Destination tab, as in the MIP –
Secure Project rule, Network Printing Control will still be displayed in the Destination list. This is normal
and expected behavior.
3. Create a custom policy called MIP with two rules:
  • “MIP – Top Secret IP”: This rule should detect any file labeled as Top Secret IP and block any
attempt to send it out of the corporate network.
  • “MIP – Secure Project”: This rule should detect any file labeled as Secure Project and audit the
transaction if the file is moved to any network location via LAN.
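To make the classifier and rule logic above concrete, here is an added Python example. It is not part of the course material and not Forcepoint's own code; the product performs its own label matching. The script reads the MIP sensitivity label stored inside an Office document and maps it to the two outcomes of the MIP policy (block for Top Secret IP, audit for Secure Project). It assumes the MIP convention that Office persists labels as custom document properties named MSIP_Label_<GUID>_<Field> inside docProps/custom.xml of the .docx ZIP container; the label GUID, the constructed test documents and the rule table are all example values, not taken from the course.

```python
"""Detect Microsoft Information Protection (MIP) labels on Office files and map
them to the rule outcomes of the walk-through's MIP policy (added example).

Assumption (not stated on the page): Office persists MIP labels as custom
document properties named MSIP_Label_<label-GUID>_<Field>; the display name is
in the _Name field and _Enabled says whether the label is active. Office files
are ZIP containers, so these properties live in docProps/custom.xml.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PROPS = "docProps/custom.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

# Constructed rule table mirroring the policy "MIP" from the walk-through:
# Top Secret IP -> block on any monitored channel; Secure Project -> audit (LAN).
RULES = {"Top Secret IP": "block", "Secure Project": "audit"}
SEVERITY = {"block": 2, "audit": 1, "allow": 0}


def read_mip_labels(docx_bytes: bytes) -> dict:
    """Return {label_guid: {field: value}} for every MSIP_Label_* property."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if CUSTOM_PROPS not in zf.namelist():
            return labels  # unlabeled file: no custom-properties part at all
        root = ET.fromstring(zf.read(CUSTOM_PROPS))
    for prop in root.findall("cp:property", NS):
        m = LABEL_RE.match(prop.get("name", ""))
        if not m:
            continue
        guid, field = m.group(1).lower(), m.group(2)
        value_el = next(iter(prop), None)  # value is wrapped in e.g. <vt:lpwstr>
        labels.setdefault(guid, {})[field] = value_el.text if value_el is not None else None
    return labels


def label_names(docx_bytes: bytes) -> list:
    """Display names of enabled labels: what a file labeling classifier matches on."""
    names = []
    for fields in read_mip_labels(docx_bytes).values():
        if fields.get("Enabled", "true").lower() == "true" and fields.get("Name"):
            names.append(fields["Name"])
    return names


def decide(docx_bytes: bytes) -> str:
    """Most severe rule action triggered by the file's labels: block > audit > allow."""
    action = "allow"
    for name in label_names(docx_bytes):
        candidate = RULES.get(name, "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action


def make_labeled_docx(label_name: str, label_guid: str, enabled: bool = True) -> bytes:
    """Build a constructed minimal .docx carrying one MSIP label (test input only)."""
    props = ET.Element("{%s}Properties" % NS["cp"])
    pid = 2  # custom property ids conventionally start at 2
    for field, value in (("Enabled", str(enabled).lower()), ("Name", label_name)):
        p = ET.SubElement(props, "{%s}property" % NS["cp"],
                          fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}", pid=str(pid),
                          name="MSIP_Label_%s_%s" % (label_guid, field))
        ET.SubElement(p, "{%s}lpwstr" % NS["vt"]).text = value
        pid += 1
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr(CUSTOM_PROPS, ET.tostring(props, encoding="utf-8"))
    return buf.getvalue()


def make_unlabeled_docx() -> bytes:
    """Constructed .docx with no custom-properties part (never labeled)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
    return buf.getvalue()


if __name__ == "__main__":
    guid = "11111111-2222-3333-4444-555555555555"  # constructed placeholder GUID
    for name in ("Top Secret IP", "Secure Project", "Public"):
        print("%-15s -> %s" % (name, decide(make_labeled_docx(name, guid))))
    print("unlabeled       -> %s" % decide(make_unlabeled_docx()))
```

The severity ordering matters when a document carries more than one label property set: the stricter rule wins, which is the outcome you would also expect from the two-rule policy, since the Top Secret IP rule blocks on every monitored channel while the Secure Project rule only audits.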

1. Log on to the “Windows Test Machine.”
2. Open Word, and click the username at the top to switch accounts.
3. Enter your Office 365 credentials.
4. After logging in, click Sensitivity in the ribbon and select the Secure Project label.
5. Create a second Word document and repeat step 4, this time selecting the Top Secret IP label.
If you do not see the Sensitivity option in the ribbon after logging in, log out of all Office accounts, restart the
machine, and log in again after rebooting.

1. From the “Windows Test Machine,” open your browser and navigate to:
http://dataleaktest.com
2. Click Test 3: File Upload.
3. Click Choose File and select the Word document you created in step 6 labeled as Top Secret IP.
4. Click Upload File. You should then receive an alert stating that the transaction has been blocked, as
shown.
You can now confidently state that files labeled as Top Secret IP will be blocked if they are leaked over
monitored channels.

5. Close your browser, and open File Explorer by clicking the Folder icon in the task bar.
6. Copy the file created in step 6 labeled as Secure Project to any network location.
7. You should receive an alert stating that the file has been contained, as shown.
You can now confidently state that files labeled as Secure Project will be blocked if a user attempts to
move them from a workstation to a remote network location.
Congratulations, you have now successfully created, imported, and detected MIP labels using Forcepoint
DLP.

You should now be able to:
1. Create and publish MIP labels in Office 365.
2. Integrate Forcepoint DLP with Office 365.
3. Import the MIP labels created in Office 365.
4. Create file labeling classifiers and assign MIP labels to them.
5. Create DLP policies using the newly created classifiers.
6. Assign MIP labels to test files.
7. Test the DLP policies to ensure they are functioning as expected.

1. Consider the Boldon James and Microsoft Information Protection (MIP) file labeling systems. Which can
assign a label through auto-tagging? Which can detect a label?
  • Boldon James supports file labeling and detection.
  • MIP supports detection.
2. Where would you go inside DLP to configure the Boldon James Classifier and Microsoft Information
Protection?
  • Data > General > Services > File Labeling tab
3. How does Admin Consent affect your ability to import labels from MIP?
  • You must be able to sign in using a user account that has Admin Consent permissions that allow the
import of labels.
4. Where would you go to confirm whether any file labels have been imported?
  • Data > General > Services > File Labeling tab (Last Import column)
5. Which feature is NOT supported by MIP?
  • A. File labeling

You should now be able to:
• Explain the functionality of classification labels and how to integrate them into the DLP data labeling
framework.
• Integrate Boldon James into the DLP data labeling framework.
• Create a file labeling classifier to manage files that contain sensitive or proprietary information.
• Create and deploy a data usage policy using a file labeling classifier.
• Create and deploy a discovery policy with an action plan capable of assigning file classification labels.
• Integrate Microsoft Information Protection into the DLP data labeling framework.

While the Forcepoint Security Manager always shows information for the primary fingerprint repository,
supplemental servers display information about the secondary repositories. Likewise, only supplemental
servers display information about OCR performance.

• It is important to monitor policy engine health on a regular, even daily, basis. If yellow bars appear in the
analysis status display, transactions have already been missed. Consider reducing the load on this policy
engine by deploying additional supplemental servers to assist.

• Visit https://www.websense.com/content/support/library/data/v87/help/help.pdf#page=343 for a
detailed list of all configurable columns and their function.

• The audit log can be used to investigate unauthorized or irregular changes to the system that might
jeopardize employee privacy or breach an IT security compliance policy.
• It is also helpful to review the audit log when there is a pending deploy on the DLP manager but it is
unclear what changes have been made since the last deployment was performed.

1. Unlikely. Spikes in memory usage are to be expected; only consistent high usage over long periods of
time merits further investigation.
2. Packet loss and dropped transactions, as well as throughput statistics.
3. No, backups can only be restored to the same version of DLP they were taken from.
