Forcepoint DLP Administrator Course Student Guide
Administrator
Student Guide
Forcepoint Technical Enablement Program
Rev. CA0192
© 2020 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or
reduced to any electronic medium or machine-readable form without prior consent in writing
from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However,
Forcepoint makes no warranties with respect to this documentation and disclaims any implied
warranties of merchantability and fitness for a particular purpose.
Forcepoint shall not be liable for any error or for incidental or consequential damages in
connection with the furnishing, performance, or use of this manual or the examples herein. The
information in this documentation is subject to change without notice.
forcepoint.com i
Contents
1. Introduction to Forcepoint DLP.......................................................................................... 3
Define the acronym “DLP” and explain how it can affect an organization .............................. 6
Identify and define core DLP terms ....................................................................................... 7
Walk-through: Access Forcepoint Security Manager and perform initial configuration of Forcepoint DLP ....... 8
Identify the different states of data that Forcepoint DLP can protect.................................... 15
Define what a DLP system module is and explain the basic function each module performs ....... 16
Walk-through: Locate and configure registered system modules in a DLP environment ...... 23
Identify the parts of a DLP incident envelope and where they are stored............................. 31
Given a flow diagram, explain the sequence of steps in a DLP transaction ......................... 32
Identify the different channels and associated transaction types that Forcepoint DLP can protect ....... 34
Identify available Forcepoint DLP product information resources and where they can be accessed ....... 35
Explain where Forcepoint DLP fits into the Human Point System ........................................ 36
Walk-through: Configure and test a custom policy............................................................. 179
Explain how cumulative rules can be used in DLP ............................................................ 187
Explain the purpose and function of a rule exception ........................................................ 188
Explain how to perform a bulk update of multiple policies and rules .................................. 189
Explain how policy levels provide scope and processing order for policies, then create a new policy level and assign policies to it ....... 190
Walk-through: Create a new policy level and assign policies to it ...................................... 192
Reinforcing lab: Deploy DLP policies that meet a specific set of regulatory compliance specifications ....... 336
Give a high-level overview of delegated administrators and role-based permissions ....... 338
Walk-through: Configure a delegated administrator to have role-based permissions......... 343
DLP Administrator Course >> 1
• Why is it important to master each of these objectives? Discuss some real-world examples.
1. Controlling Box.com as "data-in-use" means that the Endpoint Agent controls client-side software (such as
web browsers) so that offending files cannot be uploaded; in fact, they never even reach the OS networking
layer on the laptop where the endpoint client is installed.
2. Controlling Box.com as "data-in-motion" means intercepting the TCP/IP traffic that goes to Box.com. For
"data-in-motion", this is performed at the network proxy level.
3. Controlling Box.com as "data-at-rest" means scanning files that are already posted to Box.com:
connecting via the Box API, downloading them, and checking them against the discovery policies.
Recognizing these three states of data is critical: they give a high-level picture of all possible channels
supported by Forcepoint DLP. For example, "Network Email" is "data-in-motion", but "Endpoint Discovery" is
"data-at-rest".
• Some things are easy to classify as bad; those are threats, and they are blocked. They have signatures from
which you can quickly determine that this is something you do not want in your network, so you block them.
• Other activities you know are good: traffic from known, legitimate employees. You allow that to happen.
• This allows our customers to give context to each of the events in that middle area (neither clearly good
nor clearly bad) and address them effectively.
• Here, we are watching a movie, not just looking at a single frame. Much better resolution allows us to
determine what is really good and what is really bad.
• We made sure that each product element has best-in-class capabilities and would allow you to start
anywhere.
  • Start with any of our elements
  • You do not have to buy them in any particular order, or buy all of them
  • The more you buy, the better it gets
  • The system integrates with unified management and policies
• The key design tenet was to make sure that the Human Point System works with your existing
environment.
• We know from talking to many CISOs that they have made many investments in their security
infrastructure, and nobody wants to do a rip and replace. So we made sure that we could integrate
with the existing security environments and infrastructure that our customers already have in place.
• With one product installed, customers will begin to understand our capabilities:
  • NGFW is the best on the market in terms of security effectiveness, according to the latest NSS Labs
report.
  • Web and Email Gateways are among the most efficient products on the market, with embedded DLP
engines for complete two-way protection and faster performance.
  • CASB adds absolutely necessary awareness and control of cloud applications.
  • DLP prevents malicious and accidental leakage of critical data and IP.
  • Insider Threat reports contextual information, which ensures analysts have the information they
need to act with confidence on security events.
  • UEBA is the brain of this system, and it provides advanced insights into behavioral patterns without
the need for an experienced data scientist.
• Gartner believes risk-adaptive is the ultimate in getting the most effective security, and we have
designed the Human Point System to give you risk-adaptive security.
• Contact name: The name of the assigned contact who is authorized to manage this license.
• Product ID: The name of the product this license is for. Note that in this lab, the product name is for a
legacy license, which is no longer sold, but is equivalent to the current DLP for IP Protection license.
• Usage limit: How many total seats (end users) the license was purchased for.
Settings > General > Services > CASB Service > Edit
4. A CASB action must be selected for the discovery policy action plan.
Note: Only one scan can be set up per CASB asset. This means that if you have three Box accounts, you will
need to create a task for each account.
• Select the Discovery incident and reporting functions for this role. Discovery functions are not
included in Forcepoint Web Security or Forcepoint Email Security.
  • Summary reports - Select this option to give administrators with this role access to
discovery summary reports.
  • Detail reports - Select this option to give administrators with this role access to discovery
detail reports. When this option is selected, more options are made available:
    • View violation triggers - Select this option if you want the administrator to view the
values that trigger discovery violations.
    • Perform operations on incidents - Select this option if you want administrators with
this role to be able to perform all escalation, remediation, and workflow operations
on discovery incidents.
    • Export incidents to a PDF or CSV file - Select this option if you want to allow
administrators with this role to bulk export discovery incidents from an incident
report to a PDF or CSV file. Exports include all data in the current report.
• Mark Send email notifications if administrators with this role should be notified when an
incident is assigned to them.
• Under Policy Management, select the policy management functions this role should be able
to perform.
  • Data loss prevention policies - Can configure DLP policies for all channels as well as
content classifiers and resources.
  • Discovery policies - Can configure discovery policies, tasks, content classifiers, and
resources.
  • Sample database records - Can view sample database information when editing a
database fingerprinting classifier, including database, Salesforce, and CSV classifiers.
• Under Settings, select which General settings options administrators with this role should be
able to access.
  • Services - Administrators can configure local and external services like Linking Service
and Microsoft RMS.
  • Archive Partitions - Administrators can select incident partitions, then archive, restore, or
delete them.
  • Policy Updates - Administrators can update predefined policies to the latest version.
  • Analytics - Administrators can configure settings used to calculate risk scores in the
Incident Risk Ranking report.
  • All other general settings - Administrators can configure all other settings in the Settings
> General menu.
• Indicate whether administrators in this role can configure Data Security module
Authorization settings.
• Under Deployment, select which functions administrators with this role should be able to
perform.
  • Manage system modules - Give this role the ability to register modules with the
management server.
  • Manage endpoint profiles - Give this role the ability to view and edit endpoint profiles.
Administrators can add new endpoint profiles, delete profiles, and rearrange their order.
(Not included in Forcepoint Web Security or Forcepoint Email Security.)
  • Deploy settings - Give this role the ability to deploy configuration settings to all system
modules.
5. Select Microsoft Information Protection from the Labeling System drop-down list.
6. From the list of File Labels under All Labels, check which to assign to this classifier, and then click the
right arrow to move them to the Detected Labels box. The result appears similar to the window to the
right.
7. Click OK. DLP creates the classifier and returns to the File labeling menu as shown in the next slide.
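To show what the file labeling classifier created in steps 5-7 actually keys on, here is an added Python example; it is not part of this guide and not Forcepoint DLP code. It relies on one fact about the file format: Office documents carry their Microsoft Information Protection sensitivity label as custom document properties named MSIP_Label_<label GUID>_Name, _Enabled, _SiteId and so on, stored in docProps/custom.xml inside the OOXML package. The sample package, the label GUID, the site ID, and the label names below are all constructed for the example, and the function names are the example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# OOXML namespaces used by docProps/custom.xml
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# MIP stores its label as custom properties named MSIP_Label_<label GUID>_<Field>
MSIP_PREFIX = "MSIP_Label_"


def mip_labels(ooxml_bytes: bytes) -> Dict[str, Dict[str, str]]:
    """Return {label_guid: {field: value}} for every MSIP_Label_* custom property
    in the package. An unlabeled file, or one with no docProps/custom.xml part at
    all, yields an empty dict."""
    labels: Dict[str, Dict[str, str]] = {}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{CUSTOM_NS}}}property"):
        name = prop.get("name", "")
        if not name.startswith(MSIP_PREFIX):
            continue
        # The GUID contains hyphens, never underscores, so the last '_' separates
        # it from the field name (Name, Enabled, SiteId, Method, ...).
        guid, _, field = name[len(MSIP_PREFIX):].rpartition("_")
        labels.setdefault(guid, {})[field] = "".join(prop.itertext()).strip()
    return labels


def matches_classifier(ooxml_bytes: bytes, detected_labels: Set[str]) -> List[str]:
    """Names of enabled labels on the file that are in the classifier's Detected
    Labels set, i.e. the labels that would make this classifier match."""
    return sorted(
        info["Name"]
        for info in mip_labels(ooxml_bytes).values()
        if info.get("Enabled", "").lower() == "true" and info.get("Name") in detected_labels
    )


def build_sample_docx(label_guid: Optional[str], label_name: Optional[str]) -> bytes:
    """Constructed minimal OOXML package holding only the parts this check reads.
    With label_guid=None the package has no custom.xml, like a never-labeled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not parsed here
        if label_guid is not None:
            fields = {
                "Enabled": "true",
                "SiteId": "11111111-2222-3333-4444-555555555555",  # constructed tenant ID
                "Name": label_name or "",
                "Method": "Standard",
            }
            props = "".join(
                f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
                f'name="{MSIP_PREFIX}{label_guid}_{field}"><vt:lpwstr>{value}</vt:lpwstr></property>'
                for pid, (field, value) in enumerate(fields.items(), start=2)
            )
            zf.writestr(
                "docProps/custom.xml",
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">{props}</Properties>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    LABEL_GUID = "2b8f3c1a-0d4e-4a6b-9c7d-1e2f3a4b5c6d"  # constructed label ID
    classifier_labels = {"Confidential", "Highly Confidential"}  # the Detected Labels box
    labeled = build_sample_docx(LABEL_GUID, "Confidential")
    print(mip_labels(labeled))
    print(matches_classifier(labeled, classifier_labels))
    print(matches_classifier(build_sample_docx(LABEL_GUID, "Public"), classifier_labels))
    print(matches_classifier(build_sample_docx(None, None), classifier_labels))
```

The caveat a practitioner will want: the label is metadata written by the labeling client, so a file that was never labeled, or whose properties were stripped on re-save or conversion, carries none of it and the classifier cannot match. A rule that must catch sensitive content regardless of labeling combines the file labeling classifier with content classifiers rather than relying on the label alone.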