DLPforDummies 2.4.1 Full JAC


Data Loss Prevention for Dummies Guide

Implementation Guide for POCs and demos from scratch

Jorge Antonio Claret Cisneros, Diego de Arribas

07 July 2020

Before you begin

Here are some things you will need before you begin this lab.

Option 1 - A configured DLP solution (used with the Forcepoint virtual labs):
Your instructor will have guided you through the initial/basic configuration of your on-prem
Email Security solution. This will usually be done in the Forcepoint virtual labs, but that is not
a requirement.

Option 2 - An on-prem DLP solution from scratch (POCs or partner internal practice):
You will have an on-prem infrastructure, either on the partner premises or at a customer/prospect,
for a POC or for demoing the DLP solution from scratch.

A folder to store your DLP screenshots:

Throughout the lab or POC implementation you will be asked to take screenshots of your
configurations. Create a folder on your laptop or desktop to save them and name it
<Your Name>-DLP. This keeps a record of what you have done in the specific environment; in a
POC it becomes the technical memory you can hand to the end user as a reference.

In the case of the virtual labs you will be asked to send a compressed archive of the screenshots
generated in this lab. Give the files descriptive names so the person receiving them can quickly
identify which step each screenshot belongs to.

A means to get the files to a specific destination:

If your archive is over 20 MB it will not go over email and will need to be sent by another
means.


TABLE OF CONTENTS

UNDERSTANDING YOUR ENVIRONMENT (BASE CONFIGURATION) ...................................4

SETTING UP THE BASICS (FOR FORCEPOINT VIRTUAL LAB ONLY) ...................................6

DOWNLOADING FSM SOFTWARE ................................................................................................ 22

KNOWING FSM SOFTWARE INSTALLATION ............................................................................ 22

INSTALLING THE SQL SERVER SOFTWARE ............................................................................. 24

CONFIGURING THE FORCEPOINT SECURITY MANAGER SOFTWARE ............................ 29

INSTALLING THE DLP COMPONENT ON FSM ........................................................................... 35

ADD AN AD SERVER (MICROSOFT DOMAIN CONTROLLER) IF REQUIRED. ................... 41

CONFIGURE USER DIRECTORY SETTINGS. ............................................................................... 42

BUILDING YOUR ENDPOINT ............................................................................................................ 43

INSTALLING THE ENDPOINT IN THE CLIENTS.......................................................................... 48

DLP POLICIES – PREDEFINED POLICIES .................................................................................... 53

USE CASE #1 - BASIC PII POLICIES ............................................................................................... 54

USE CASE #2 – THE USB DILEMMA .............................................................................................. 65

USE CASE #3 – THE USB DILEMMA – ENCRYPTING THE FILE ............................................ 67

USE CASE #4 - TRYING TO SHARE IN THE NETWORK ........................................................... 72

USE CASE #5 – STOPPING EDITING ON THE APPLICATIONS ............................................. 75

USE CASE #6 - PCI (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD) ........ 78

USE CASE #7 – CREDIT CARDS BE MORE SPECIFIC ............................................................... 82


USE CASE #8 – PATTERNS AND PHRASES................................................................................ 86

USE CASE #9 – FINGERPRINTING ................................................................................................. 93

USE CASE #10 – INSTALLING IRR SERVER .............................................................................. 103

USE CASE #11 – PROTECTING THE WEB CHANNEL.............................................................. 127

INSTALLING THE DLP COMPONENT ON A SUPPLEMENTAL DLP SERVER ................. 134

USE CASE #12 – IDENTIFYING TEXT ON AN IMAGE (WEB CHANNEL) ............................ 137

USE CASE #13 – FINDING TEXT AND TEXT ON AN IMAGE (EMAIL CHANNEL) ............ 169

USE CASE #14 – FINDING FILES IN THE DISK .......................................................................... 175

APPENDIX 1 – DLP POLICIES ........................................................................................................ 177

APPENDIX 2 – DLP ENDPOINT DETAILS................................................................................... 180

APPENDIX 3 - KNOWING THE COMPONENTS (FORCEPOINT DLP SOLUTION)........... 184


Understanding your environment (Base Configuration)

To start this implementation we assume you know how to build the environment, either on-prem or
in the Forcepoint virtual desktop. You will need to build the full required environment; when you
finish you will see something similar to the following. The scenario can change depending on the
POC or virtual lab you are implementing:

NOTE: Remember that this is just the beginning. Be sure to understand the dynamics of this
implementation so you can add or remove the components you require. For the virtual lab you will
have the following considerations:

Name         IP (example, it can change)   Username/Password                 Description
FSMServer    192.168.122.20                Windows user: Administrator       Forcepoint Security Manager server on Windows Server 2016
                                           Windows password: provided
                                           FSM user: admin
                                           FSM password: provided
Windows 10   192.168.122.21                Windows user: Administrator       Windows 10 client where you will install the DLP agent
                                           Windows password: provided


Components and required elements

Forcepoint Security Manager (FSM)
• Virtual Lab: Windows Server 2016 object
• POC: Windows Server 2016 Standard or Datacenter, English version (mandatory), installed on a
  physical or virtual server

SQL Express 2017
• Virtual Lab: included, or you can install it on a separate Windows Server 2016 object
• POC: obtain it from the Microsoft site and install it either on the FSM or on a separate Windows
  Server 2016 box, depending on the size of your testing

OCR Server
• Virtual Lab: included, or you can download the DLP server software from the Forcepoint support
  site and install it on a separate server
• POC: use the one provided on the FSM, or download the DLP server software from the Forcepoint
  support site and install it on a separate server

Web Content Gateway (WCG)
• Virtual Lab: obtain the software from the Forcepoint support site and install it on a CentOS
  server object
• POC: obtain the software from the Forcepoint support site and install it on a separate CentOS
  server, physical or virtual; you can also install it on a Forcepoint appliance

Incident Risk Ranking Server (IRR)
• Virtual Lab: obtain the software from the Forcepoint support site and install it on a CentOS
  server object
• POC: obtain the software from the Forcepoint support site and install it on a separate CentOS
  server, physical or virtual

Important Tips/Notes

• ALWAYS Deploy or Save after making configuration changes. This is EXTREMELY important.
• There are a lot of referenced objects (action plans, classifiers, resources) in the DLP
  configuration; a rule only does what the objects it points to say.
• LAB IT UP! There are lots of configuration options. You will only get better with practice.


Setting up the Basics (for Forcepoint Virtual Lab only)

Identify your resources

1.- Identify your assigned user. Usually this is the user you use to connect via RDP or the web
console.

Example 1:

RDP console: watermelon.go4labs.net

Username: manuel.nolen
Password: uenMvbtk

Example 2:

https://watermelon.go4labs.net/login?username=manuel.nolen&password=uenMvbtk

Note that Example 2 places the password in the URL, where it ends up in browser history and proxy
logs; treat these lab credentials as disposable.

2.- Identify and create your hostname for public access (all Go4Labs instances have a public IP
that can be used to integrate public services).

Take your user name and add the suffix ".lab.go4labs.net", so in this case the result will be:

manuel.nolen.lab.go4labs.net

NOTE: Keep this information at hand, since you will use it in some of the following steps.


Note: Even though this lab is pre-configured for you, it is always important to know how we
prepared it.

You will probably not need to perform the first few tasks, but you will come out wiser.


Installing Forcepoint Security Manager


Hardware for a Forcepoint Data Manager

(The hardware requirements table from the original is not reproduced here.)

• The above requirements are for physical machines.
• Virtual Forcepoint Data Managers may see a 10-40% drop in performance.

Outlined below are some tips for a successful installation of the Management Server and its
ongoing operation.

Windows Server Preparation - .NET Framework

NOTE: Windows Server 2016 sometimes also needs .NET 3.5 added; it is an optional feature that is
not installed by default.


• Press NEXT twice and select the missing components
• Press INSTALL


Windows Server Preparation – Windows Updates


Windows Server Preparation – Synchronize Clocks


Windows Server Preparation – Remove Server Hardening for Installation (Optional)

If you relax a hardening baseline (GPO, CIS benchmark, local policy) for the installation, record
what you changed so it can be re-applied once the FSM is up and validated.


Windows Server Preparation – To perform on all solutions (Data, Email or Web)

Windows Server Preparation – All endpoint client machines

Make sure to exclude the Forcepoint directory from anti-virus scanning and real-time scanning (on
the FSM this is the installation path, by default C:\Program Files (x86)\Websense):


Windows Server Preparation – Disable Firewall

• Go to Control Panel, then Windows Firewall
• Go to "Turn Windows Firewall on or off"
• Turn Windows Firewall OFF for the private and public profiles. This is for the installation
  only: it will be enabled again later, so note the ports needed by the FSM and any other
  component (for example TCP 9443 for the manager console and TCP 1433 for SQL Server, both used
  later in this guide) and open them explicitly when you turn it back on.


Windows Server Preparation – Disable Enhanced Security Configuration

Note: This step applies to all versions of Windows Server with IE. Verify it is correctly disabled
before beginning the installation. You can also use the following path: Server Manager > Local
Server > IE Enhanced Security Configuration > Off.


Windows Server Preparation – Disable DEP and UAC

For DEP: go to "System Properties" > "Advanced" tab > Performance > Settings > Data Execution
Prevention.


For UAC: go to "Control Panel" > "All Control Panel Items" > User Accounts > Change User Account
Control settings. DEP and UAC are exploit-mitigation controls, so treat turning them off as an
installation-time change and check whether they can be restored once the FSM is installed and
verified. Don't forget to reboot your server afterwards and continue after that.


Windows Server Preparation – Start Computer Browser Service

Windows Server Preparation – Host Name


Windows Server Preparation – Temporary File Location Folder

IMPORTANT: ALWAYS RESTART YOUR WINDOWS SERVER AFTER ALL THESE STEPS. THIS ENSURES THAT ALL
CHANGES ARE APPLIED BEFORE YOU START INSTALLING YOUR FSM.
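The preparation steps above are all GUI clicks. As an added example (this is not a script from the guide or from Forcepoint), here is the same preparation as one PowerShell function for a lab/POC host, with the pre-change state written to a log so the relaxed settings can be put back after the install. It assumes Windows Server 2016, an elevated session, Windows Defender as the AV, the default Forcepoint path C:\Program Files (x86)\Websense, and that DEP/UAC are only relaxed when you pass the switch; the log path and function name are my own choices.

```powershell
# Added example, not from the guide: scripted "Windows Server Preparation" for an FSM host.
# Assumptions: Windows Server 2016, elevated PowerShell 5.1, Windows Defender, default
# Forcepoint install path. Pre-change values are logged so they can be restored later.
#Requires -RunAsAdministrator

$Log = "$env:SystemDrive\fsm-prep-state.txt"

function Save-State($Name, $Value) {
    # Record the value before we change it, so the hardening can be re-applied post-install.
    "$((Get-Date).ToString('s')) $Name=$Value" | Out-File -FilePath $Log -Append
}

function Invoke-FsmServerPrep {
    param(
        [string]$NewHostName,                                     # e.g. FSMServer (optional)
        [string]$ForcepointDir = 'C:\Program Files (x86)\Websense',
        [switch]$RelaxDepAndUac                                   # only if the installer needs it
    )

    # .NET 3.5 (NET-Framework-Core) and 4.x are both needed; 3.5 is not installed by default
    # on 2016 and may need -Source <media>\sources\sxs if Windows Update is not reachable.
    $features = 'NET-Framework-Core', 'NET-Framework-45-Core'
    $missing  = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
    if ($missing) { Install-WindowsFeature -Name $missing.Name -ErrorAction Stop | Out-Null }

    # Clock sync: FSM, policy engines and endpoints must agree on time.
    w32tm /resync | Out-Null

    # Firewall off for the installation only; state is logged so it can be re-enabled
    # later with the FSM ports (9443, 1433, ...) opened explicitly.
    foreach ($p in Get-NetFirewallProfile) { Save-State "Firewall.$($p.Name)" $p.Enabled }
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False

    # IE Enhanced Security Configuration off for administrators and users.
    $iescBase = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($guid in '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}', '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}') {
        $key = Join-Path $iescBase $guid
        Save-State "IEESC.$guid" (Get-ItemProperty -Path $key -Name IsInstalled).IsInstalled
        Set-ItemProperty -Path $key -Name IsInstalled -Value 0
    }

    # AV exclusion for the Forcepoint directory (Defender shown; adapt for other products).
    Add-MpPreference -ExclusionPath $ForcepointDir

    # Computer Browser service (service name "Browser"); it depends on SMB1 and may be absent.
    if (Get-Service -Name Browser -ErrorAction SilentlyContinue) {
        Set-Service -Name Browser -StartupType Automatic
        Start-Service -Name Browser
    }

    if ($RelaxDepAndUac) {
        # Both are exploit mitigations; restore afterwards (bcdedit /set nx OptIn, EnableLUA=1).
        $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Save-State 'UAC.EnableLUA' (Get-ItemProperty -Path $pol -Name EnableLUA).EnableLUA
        Set-ItemProperty -Path $pol -Name EnableLUA -Value 0
        $nx = bcdedit /enum '{current}' | Select-String '^nx\s+(\S+)' |
              ForEach-Object { $_.Matches[0].Groups[1].Value }
        Save-State 'DEP.nx' $nx
        bcdedit /set nx AlwaysOff | Out-Null
    }

    if ($NewHostName -and $env:COMPUTERNAME -ne $NewHostName) {
        Rename-Computer -NewName $NewHostName -Force
    }

    Write-Host "Preparation done; pre-change state logged to $Log. Restart before installing FSM."
}

# Invoke-FsmServerPrep -NewHostName 'FSMServer'
# Restart-Computer
```

Run it once, reboot, and keep fsm-prep-state.txt with the POC screenshots: it is the list of what you have to undo when the server is handed over.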


Downloading FSM Software

Go to "support.forcepoint.com" > Downloads > "Data & Insider Threat Security" > "Forcepoint DLP"
> "v8.7" > download "Forcepoint DLP".

Note: Use your partner or end-user credentials to sign in to the Forcepoint support page; if you
don't have one, contact your partner or Forcepoint. Download the installer only from the support
site, not from a copy someone passes around.

Knowing FSM Software Installation

As in all systems there are small details to consider before continuing the installation. When
installing FSM you need to consider the dependencies of the different components you plan to
include.

FSM needs a SQL Server. For demos or POCs with a small number of users you can use SQL Express,
but for a final, full installation you will need SQL Server with a Standard or Datacenter license.
You can find the details at the following link:

http://www.websense.com/content/support/library/deployctr/v85/dic_sys_req.aspx

In this particular case we are going to use SQL Express.


NOTE: During the installation of the FSM it will ask you to connect to the SQL database in order
to create the structure used to store all the events needed for monitoring, tracking, reports and
dashboards, so it is important to install the SQL software first.

If you try to install the FSM without installing the SQL software first you will see this message
in the installation window:

So let's install SQL Server first: download the software and, once you have it, proceed with the
installation.

NOTE: If for any reason you have executed the FSM installation file before installing the SQL
Server software, close the installer and, during the exit phase, select the "Keep Installation
Files" checkbox and press YES. This preserves the steps you have already made. Otherwise
continue.

You can install SQL Express on the same computer as the FSM for demo or POC purposes. For final
implementations it is recommended to have it on a separate server, or at least to size memory,
processor and disk so that both fit on the same machine.


Installing the SQL Server Software

You will need to install 2 (two) files: the SQL Server 2017 Express installer and SQL Server
Management Studio (SSMS).

Open the installation program of the SQL Server software with administrator privileges and select
the CUSTOM installation:


Press "INSTALL" and select "New SQL Server stand-alone installation".

ACCEPT the license terms and press "NEXT".

When you reach the "Server Configuration" tab, change the SQL Server Browser service startup type
to AUTOMATIC and press NEXT.


When you reach the "Database Engine Configuration" tab, select "Mixed Mode" and set a password of
your own for the sa account, which will be your superuser database account. Mixed mode is needed
because the FSM installer authenticates with this SQL login; choose a strong password and keep it
in your password vault, not in the screenshot folder.

Continue until you finish the installation and press CLOSE.

Now it is time to install SQL Server Management Studio; this will be a main component for the
fingerprint database use case. Install it with administrator privileges.

You will receive the following message, but WAIT: before restarting the Windows Server, verify
the network configuration of the SQL Express server.


Open SQL Server Configuration Manager, go to SQL Server Network Configuration and verify that
Shared Memory, Named Pipes and TCP/IP are ENABLED. If not, enable them by double-clicking each
one. Once enabled you need to restart the services, or you can restart the Windows Server now.

1.- Enable Named Pipes


2.- Enable TCP/IP

3.- Change to the IP Addresses tab and find the IPAll section

Modify the following:

• TCP Dynamic Ports: blank
• TCP Port: 1433

A fixed port is what the FSM installer is pointed at (IP:1433) and what you will open in the
firewall later; with dynamic ports the listener could move after a restart.


After this you need to restart the SQL Server service. Verify that the SQL Server service and the
SQL Server Browser are in the RUNNING state.

Now it is time to REBOOT the Windows Server.
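Before rebooting it is worth confirming every setting from the last few pages in one go, since the FSM installer's SQL dialog gives little diagnosis when it fails. The following PowerShell check is an added example (not from the guide) that reads the instance's registry keys and services. It assumes the default SQL Server 2017 Express instance name SQLEXPRESS (registry folder MSSQL14.SQLEXPRESS) and an elevated session on the SQL host; the function name is my own.

```powershell
# Added example, not from the guide: verify the SQL Express settings the FSM installer relies on.
# Assumptions: SQL Server 2017 Express, default instance SQLEXPRESS (registry MSSQL14.SQLEXPRESS),
# run elevated on the SQL host.
function Test-FsmSqlConfig {
    param(
        [string]$InstanceName     = 'SQLEXPRESS',
        [string]$RegistryInstance = 'MSSQL14.SQLEXPRESS',   # MSSQL14 = SQL Server 2017
        [int]$ExpectedPort        = 1433
    )
    $base  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$RegistryInstance\MSSQLServer"
    $ipAll = Get-ItemProperty -Path "$base\SuperSocketNetLib\Tcp\IPAll"
    $tcp   = Get-ItemProperty -Path "$base\SuperSocketNetLib\Tcp"
    $np    = Get-ItemProperty -Path "$base\SuperSocketNetLib\Np"
    $sm    = Get-ItemProperty -Path "$base\SuperSocketNetLib\Sm"
    $login = (Get-ItemProperty -Path $base -Name LoginMode).LoginMode   # 2 = mixed mode
    $engine  = Get-Service -Name "MSSQL`$$InstanceName"
    $browser = Get-Service -Name SQLBrowser

    $result = [pscustomobject]@{
        EngineRunning  = $engine.Status -eq 'Running'
        BrowserRunning = $browser.Status -eq 'Running'
        BrowserAuto    = $browser.StartType -eq 'Automatic'
        TcpEnabled     = $tcp.Enabled -eq 1
        NamedPipes     = $np.Enabled -eq 1
        SharedMemory   = $sm.Enabled -eq 1
        # Static 1433 with dynamic ports blanked, as set on the IPAll tab.
        StaticPort     = ($ipAll.TcpPort -eq "$ExpectedPort") -and [string]::IsNullOrEmpty($ipAll.TcpDynamicPorts)
        MixedMode      = $login -eq 2
        # The port must actually be listening; once the firewall is back on it must also be allowed.
        Listening      = [bool](Get-NetTCPConnection -State Listen -LocalPort $ExpectedPort -ErrorAction SilentlyContinue)
    }
    $result | Out-Host
    return $result
}

$check  = Test-FsmSqlConfig
$failed = $check.PSObject.Properties | Where-Object { $_.Value -ne $true } | Select-Object -ExpandProperty Name
if ($failed) { Write-Warning "Fix before installing FSM: $($failed -join ', ')" }
```

Every property should print True; anything False maps directly to one of the Configuration Manager steps above. Screenshot the output for the POC record instead of the individual dialogs.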

Configuring the Forcepoint Security Manager Software

Once the server is back up, execute the FSM file with administrator privileges.


Press the Start button …

Select the “Accept” Checkbox and press NEXT …


Once you reach the "Installation Type" screen, select the Custom option and press NEXT.

Press "Install" on the Forcepoint Management Infrastructure section. This should be the very first
option to install; once it is installed you can continue with the other options, in this case
Forcepoint DLP.

NOTE: You will install each of the options separately, as required.


Leave the default path.

When it asks for SQL Server info, fill it in with your recent SQL Server installation details:
verify your SQL Server IP address and use it with port 1433.

NOTE: The PASSWORD is the one you assigned to the sa user during the SQL Server custom
installation.


Use the IP address where you are installing the FSM (or, in some cases, the corresponding PE).
The password is the Windows Server Administrator password.

Create the FSM admin user password according to your password strategy and add a working email
so you can receive notifications.


Leave "Configure email settings" unselected; you can modify these later.

After this, verify your final settings and press "NEXT" until the installation concludes.

When you finish, close the setup window and press YES when asked to exit the installation, making
sure you have selected "Keep Installation files".

After this step, REBOOT your Windows server to restart and finish any pending components.


Installing the DLP Component on FSM

Once you have installed the FSM you need to add the required components of the product; in this
case you will add the DLP Manager component.

This installs all the required infrastructure and predefined components so you can start working
with the product.


Use the credentials you already used for the Windows Server Administrator and for the sa user on
the SQL Express server.


You may see the following message about disk space. Since this is a demo you can ignore it, but
if you have the required space it is better to provide it.

Select "YES" and continue with the installation; you can add space to the disk later.

Once you have finished it is time to start testing your FSM installation and add your license.


Launch Security Manager through any of the following methods:

• Double-click the shortcut on the Desktop
• Open a browser and go to https://192.168.122.20:9443/manager/
• Use the following credentials to gain access:

Username: admin
Password: the password set during install


Add your license and validate it.

Verify it is installed correctly: go to Dashboard and check that "Your Subscription is valid".

Verify the license is correct; otherwise update the license with the right one.


Verify your deployment configuration.

You will see the main components to start working with Policies and rules.


Add an AD server (Microsoft Domain Controller) if required.

Add the AD server using GNS3 if you are using the Forcepoint virtual desktop; otherwise follow
the configuration details of your local AD.

1. Navigate to GNS3.
2. Choose the Domain Controller 2016 Server object.
3. Drag and drop it onto the main window.
4. Associate the Domain Controller server with the switch, using the cable/link object.
5. Activate the Domain Controller server (Start).


Configure User Directory Settings.

1. Navigate to Data > Settings > General > Directory Services and select New.
2. Fill in the user directory information. A dedicated service account with read access is enough
   for the directory import, so avoid binding with a domain administrator.
3. Test the connection.


Building your endpoint

Downloading F1E Software (Forcepoint One Endpoint)

Go to "support.forcepoint.com" > Downloads > "Endpoint Security" > "Forcepoint One Endpoint" >
"20" > download "Forcepoint One Endpoint v20.02.4499 package builder".

Note: Use your partner or end-user credentials to sign in to the Forcepoint support page; if you
don't have one, contact your partner or Forcepoint.

After you download it, move all the files contained in the ZIP file to the following directory on
the FSM server: C:\Program Files (x86)\Websense\Data Security\client. Then execute the builder
program; it generates a final installation file that can be deployed on all the corresponding
endpoints.

Select "Forcepoint DLP Endpoint"


Select the operating systems where you are going to deploy the DLP Endpoint; one file is
generated per OS. Also add the PASSWORD required to modify or uninstall the agent. This is the
anti-tampering password: without it a local administrator can simply remove the endpoint, so
choose a strong one and keep it out of the folder you distribute the installer from.

Leave the default installation path unless you have a specific strategy for this.


Fill the IP address field with the PE (Policy Engine) that is going to update the policy on the
endpoint; in this case it is the FSM, since it contains our initial PE.

In final implementations, and if your corporate policy allows it, you can enable the automatic
software updates checkbox.

Select the user interface mode:

Interactive

• The endpoint software user interface is displayed on all endpoint machines.
• Users can see a list of files that have been contained.
• Users have the option to open files to review their content, or save them to an authorized
  location.

Stealth

• The endpoint software user interface is not displayed to the user and the software runs in the
  background. Because users don't see block notifications or continuation dialogs, it is best
  reserved for discovery tasks and audit-only policies.
• Users do not know when files are contained.


Select where to save the installation package.

Press FINISH.

Once you have the installation file, move it or deploy it to all the Windows/Mac/Linux clients
you plan to protect with the endpoint, using the following steps.

Open a network file sharing connection to the FSM server by selecting Run and entering
\\192.168.122.20\c$ (the administrative share; it requires an account with local administrator
rights on the FSM).


Enter your network credentials to authorize the file share.

Find the DLP endpoint installation file you just created, copy it to the corresponding client(s)
and execute it to install the DLP endpoint client. For more than a handful of machines you will
need a software distribution tool for this purpose.
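An installer pulled over an admin share is a binary that will run with local SYSTEM rights on every client, so it is worth checking its hash against the one you recorded on the FSM right after the builder wrote it. The following is an added example (not from the guide or from Forcepoint) of doing the copy and the check from the client. It assumes the FSM at 192.168.122.20 as in this lab, that the builder output went to C:\Temp\F1E on the FSM, and a placeholder file name FPDLP-Win64.exe; the function name and the hash you pass in are yours.

```powershell
# Added example, not from the guide: fetch the endpoint package from the FSM admin share and
# verify its SHA-256 before running it. Assumptions: FSM 192.168.122.20, builder output in
# C:\Temp\F1E on the FSM, placeholder file name FPDLP-Win64.exe, expected hash recorded on the
# FSM with Get-FileHash immediately after the package was built.
function Get-EndpointInstaller {
    param(
        [string]$Share       = '\\192.168.122.20\c$\Temp\F1E',
        [string]$FileName    = 'FPDLP-Win64.exe',
        [Parameter(Mandatory)] [string]$ExpectedSha256,
        [string]$Destination = "$env:TEMP\F1E"
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $local = Join-Path $Destination $FileName

    # c$ needs an account that is a local admin on the FSM; prompting keeps the password
    # out of the script and out of the PowerShell history.
    $cred = Get-Credential -Message 'Account with administrator rights on the FSM'
    New-PSDrive -Name F1E -PSProvider FileSystem -Root $Share -Credential $cred | Out-Null
    try {
        Copy-Item -Path "F1E:\$FileName" -Destination $local -Force
    } finally {
        Remove-PSDrive -Name F1E
    }

    # Refuse to run anything whose hash does not match what the FSM produced.
    $actual = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        Remove-Item -Path $local -Force
        throw "Hash mismatch for ${FileName}: got $actual, expected $ExpectedSha256"
    }
    return $local
}

# $pkg = Get-EndpointInstaller -ExpectedSha256 '<hash recorded on the FSM>'
# Start-Process -FilePath $pkg -Wait    # interactive install, as in the next section
```

The same hash belongs in the POC record next to the package-builder screenshot; a distribution tool would carry it as the package's integrity check.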


Installing the endpoint in the clients

After you move the installer to the corresponding clients, locate it on the hard disk; in this
case we are installing on a Windows 10 laptop.

Execute the file.

Accept the agreement.


Select the corresponding installation PATH or leave the DEFAULT

Press INSTALL


After it finishes go and restart the client computer

After it reboots you should see the presence of the agent in your taskbar

Right Click the endpoint agent and select “Open Forcepoint DLP Endpoint”


You should see something like this, and you will need to check two main details:

1. In the Connection section the connection status should be "Connected". If it shows something
   different, troubleshoot the communication between the client and the FSM; a firewall, AV or
   intermediate device may be blocking it.
2. In the Endpoint Settings section you should see when the latest rule update was performed, and
   the status should be "Enabled".

Once both are in place, update the policy with the Update button in the DLP Endpoint. After you
verify the new policy has been loaded you can CONTINUE with the policy testing.


DLP Basic Use Cases


STANDARD and Compliance Predefined Use Cases


DLP Policies – Predefined Policies

• Select Policy Management > DLP Policies > Manage Policies
• Select Add > Predefined Policies
• Press Next


Use Case #1 - Basic PII Policies

• In the Region section, select CALA / Mexico and press NEXT


• In the Industries section, select Finance and Banking, and Software
• Press NEXT, then press FINISH


• You should see all the predefined policies associated with Mexico / Banking & Software selected
• Select Mexico PII and you should see on the right all the corresponding predefined classifiers
• Repeat the same steps for "Credit Cards" and "Regulations, Compliance and Standards"


• Press the "Use Policies" button and then select the "Deploy" button
• You will see the policies being applied to all the components of the DLP configuration
• When it finishes, press "Close"
• Go again to Policy Management / DLP Policies / Manage Policies
• You will now see the selected policies on the screen


• Select Mexico PII: RFC (Default)
• Then select the Rule link


• Go to the Severity & Action tab and modify the action plan for "at least 3"
• Go to Destinations and verify that Endpoint Printing is enabled
• Press OK and Deploy


Testing your first Rule

Once you have verified that your endpoint is running and connected, test it with the first DLP
policy you have just created.

You will need to create 2 (two) text documents using either WordPad or Notepad.

1.- The first document should have some text to validate; in this case just add one line
containing the following text:

• CIDJ681025JF8

2.- The second document should have similar text but with 3 lines of different values in the
same format:

• CIDJ681025JF8
• DIGA270109RH7
• CIJC250211NM8

3.- Save your documents with different names.


4.- Let's verify our first rule:

• If it finds only one match it will Audit Only
• If it finds at least 3 matches it will Block the action

5.- Try to print each of the files to PDF.


6.- When you print the file with only ONE line, the print process SUCCEEDS and you are able to
create the PDF file.

7.- When you print the file with THREE lines, the print process is BLOCKED. You can see the alert
message showing that the operation has been blocked, and the file is not created.


Verifying your activity on the FSM (Forcepoint Security Manager)

Go to Reporting -> Data Loss Prevention -> Incidents

You will see the following information:

• The channel where the incident occurred
• The severity
• The action taken; in this case Blocked, as defined in the rule
• The rule that matched the incident, including the text that fired the rule
• The name of the file you tried to print, which you can view or download

Note that the incident holds the matched text and a copy of the file, so access to Incidents is
itself access to the sensitive data; restrict the FSM reporting roles accordingly.

You will also see some changes in the Dashboard view:


Use Case #2 – The USB Dilemma

• If you are working with the Forcepoint virtual environment, follow these instructions to add a
  virtual USB device to the Win10 client; otherwise you can test with a real USB drive
• Go to File in your Win10 console and select USB device
• Select the USB device and press Close


• You will see a new USB drive (D:) in your file manager
• Try to SAVE or COPY the one-line file and the three-line file; you should obtain this result
  with the latter.


Verifying your activity on the FSM (Forcepoint Security Manager)

Go to Reporting -> Data Loss Prevention -> Incidents

Use Case #3 – The USB Dilemma – Encrypting the file

• Go to the FP One Endpoint application and set the encryption password
• On the Win10 client create a new file with 5 instances of the RFC:

• CIDJ681025JF8
• DIGA270109RH7
• CIJC250211NM8
• CIDP040822YT6
• DIGP681025JF8

• Go to Policy Management -> Resources -> Action Plans


• Create a new Action Plan
• Fill in the name and modify the actions in the Endpoint Channels section; when you finish,
  press OK


• Go to Policy Management -> DLP Policies -> Manage Policies and find the Mexico PII policy you
  created
• Open the current action plan properties, enable the last match option, change the value of
  matches to "at least 5" with severity High, and select the action plan you just created:


• Press OK and Deploy
• Go to your Windows 10 client and verify that the new rule has been received, using the
  Forcepoint One Endpoint application's "Update" button


• Choose the new file with the 5 instances of the RFC and try to save it to the USB drive; you
  should get a message like this one.
• Verify that the file has been encrypted and that the decryption tools are available. The
  encryption password you set in the endpoint is what is needed to open the file, so share it
  out of band, never on the same USB stick.


Verifying your activity on the FSM (Forcepoint Security Manager)

Go to Reporting -> Data Loss Prevention -> Incidents

You will see that under the Action column the action was enforced with encryption on the USB
channel.

Use Case #4 - Trying to share in the network

Go to your Win10 client and try to establish a connection to the FSM server via network file
sharing.

Open a network file sharing connection to the FSM server by selecting Run and entering
\\192.168.122.20\c$

Enter your network credentials to authorize the file share.

Validate that you have 2 (two) file windows open.


Go to your recent policy in Policy Management -> DLP Policies -> Manage Policies, select the
"Mexico PII" rule you have been using and open it for EDIT.

Go to the Destination tab and enable the "Endpoint LAN" option


Press OK and Deploy. Then go back to the Win10 client and update the policy in the DLP Endpoint.

After updating the policy, try to move the files you created from the Win10 client to the FSM
server and see the RESULTS.

You should see something like this:

Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents

You will see that under the Channel column the action was detected on the LAN channel.


Use Case #5 – Stopping Editing on the Applications

PrintScreen Scenario

• Go to Policy Management -> Resources -> Endpoint Applications
• Select WordPad and change the Screen Capture parameter to "Block & Audit"
• Press OK and Deploy


• Verify that the F1E is updated on the Win10 client
• Open WordPad on the Win10 client and try to "Print the Screen" using the SendKey option at the
  top of the console window

Verifying your activity on the FSM (Forcepoint Security Manager)

Go to FSM Server -> Reporting -> Data Loss Prevention -> Incidents

This event was triggered while trying to take a PrintScreen of the WordPad application.


Cut/Paste Scenario

• Go to Policy Management -> Resources -> Endpoint Application Groups
• Select Office Applications
• Add the Paste operation -> Save and DEPLOY


Use Case #6 - PCI (Payment Card Industry Data Security Standard)

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard
for organizations that handle branded credit cards from the major card schemes.
The PCI Standard is mandated by the card brands but administered by the Payment Card Industry
Security Standards Council. The standard was created to increase controls around cardholder data
to reduce credit card fraud.

Goto Policy Management -> DLP Policies -> Manage Policies -> Credit Cards section -> Credit
Cards Rule

Goto -> Severity & Action tab -> enable and add a 2 matches event with severity High and
Action Plan to Block All.

Press OK and then press NO when asked to DEPLOY; we will modify another rule before deploying.


Goto Policy Management -> DLP Policies -> Manage Policies -> PCI -> PCI: Credit-Card
Numbers (default) and then edit the rule

Goto -> Severity & Action tab -> enable and add a 2 matches event with severity High and
Action Plan to Block All.

Press OK and then DEPLOY.


 Goto the Win10 Client and simply copy/paste the info below into an Excel-type file and save
it with a name of your choice:

CCN
3925-2700-8985-2094 5007 2341 7254 6560 4795690530897980
6119-6661-5526-2515 4492 0099 9803 7376 6864436888091170
5361-0153-4188-4880 4860 8276 1506 5601 4274011228563020
6715-5329-8954-5376 4771 6409 4004 2171 3702856617474500
6716-2240-5692-6858 5669 7981 3497 5937 4583887662144650
4350-1144-7091-5585 5515 6831 9905 4594 6114288268505050
3911-6797-8376-2357 5181 3708 9291 6195
6468-6780-1264-4519
4354-9482-2743-1594
5752-0034-6540-3536

NEXT ACTION – TRY TO PRINT IT OR MOVE IT TO A DIFFERENT DIRECTORY, FOR EXAMPLE A SHARED
DIRECTORY ON THE FSM, AND SEE HOW IT BEHAVES (SEE USE CASE #4).

You should see a blocking message like this:


Verifying your activity on the FSM (Forcepoint Security Manager)

Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents

You will be able to see all the affected Policies that are enabled and the associated file for
forensic research.


Use Case #7 – Credit Cards: being more specific

Goto Policy Management -> DLP Policies -> Manage Policies -> Credit Cards section ->
And enable the following rules:

 American Express
 Mastercard
 VISA

 Don’t DEPLOY until you finish enabling all the mentioned rules.
 Once you finished press OK and Deploy
 Goto your Win10 client and update the policy by pressing the UPDATE button
 Create a file with the following info:
type: Visa
number: 4532 7931 8374 6550
cvv: 457
exp: 12/18
name: Luke Skwalker
Address: Calle 37 b sur 27-29 envigado
type: American Express
number: 3445 202966 40628
cvv: 570
exp: 08/19
name: Han Solo
Address: Calle 43 # 5-13 El Poblado Medellin
type: Mastercard
number: 5554 4269 4901 1171
cvv: 805
exp: 10/18
name: Darth Vader
Address: Av Industriales 45-37 Torre Sur piso 10


 Then test again; you will see an error again


 Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
 Verify the rules that are triggered

 Now you are able to see more specific rules for specific formats of credit cards.
 Verify your Dashboard


DLP Not-that-Basic Use Cases

Custom Use Cases


Content Classifiers:

 Building blocks to use in policy creation
 Classifiers identify the data to protect
 Used to create the conditions of a rule

Types of Classifiers:

Typical usage of Classifiers:

 Internal Physical Assets: Unique identifiers assigned to equipment, personnel, inventory
(requires custom regex or fingerprint).
 Internal Technical Assets: Unique processes, procedures, systems (requires file or
database fingerprint).
 Internal Contingency Plans: Unique plans that may impact liability of the business
(requires custom classifier or fingerprint).
 Internal Customer Data: Such as name, address, account information, usage metrics
(requires custom regex or fingerprint).
 Business and Technical Drawing Files: Detecting true file types such as: DWG, DXF,
PTC, STL, and more (No OCR needed).
 Summary: Most Manufacturing Data classifiers will be custom, will require some tuning
(custom policies + thresholding).


Use Case #8 – Patterns and Phrases

For patterns you will usually need a custom regex (regular expression); a phrase can be any
type of fixed text.

Key Phrases

 Define a specific word or phrase that may indicate classified information:
• Product code names
• Confidential projects
• Any confidential or reserved term
 Not case sensitive
 Exact match includes slashes, tabs, hyphens, underscores, and carriage returns

Best Practices Using Key Phrases

 Avoid common words that lead to false positives.


 Use conditional logic to look for specific combinations and/or thresholds.
 Consider creating key phrases for unique words not typically found in a dictionary.
 Combine classifiers with predefined patterns, scripts, dictionaries & fingerprints
whenever possible for greater accuracy.

Goto Policy Management -> Content Classifiers -> Patterns&Phrases

Goto NEW -> Key Phrase


Fill in the fields with the proper information; for the phrase to search, enter the phrase you want to find
inside the content:

Press OK. You will see a message similar to this one, indicating that you need to associate this new
classifier with a rule; you can add it now or later. For the moment press CANCEL.

You can verify that your new classifier has been added:


Goto Policy Management -> DLP Policies -> Manage Policies -> Add -> Custom Policy

 Fill the information on the corresponding FIELDS

STEP 1 – General TAB, fill the fields and press NEXT

Step 2 – Add the classifier on the Condition TAB by pressing the Add button, search for the
name of your recently created classifier and press OK; you will see it in the list of
classifiers. Press NEXT


Step 3 – On Severity & Action TAB, add a new match line for at least 2 incidents and
assign an ACTION PLAN, press NEXT

Next Steps – Leave default values for the rest and press NEXT until you get to FINISH,
you will be able to see the new Policy/Rule, go ahead and DEPLOY

 Goto your Win10 Client and update the policy by pressing the UPDATE button.
 Create a file with the following text, just copy/paste it, it contains your key phrase
embedded
Star Wars is an American epic space-opera media franchise created by George Lucas, which
began with the eponymous 1977 film and quickly became a worldwide pop-culture phenomenon.
The franchise has been expanded into various films and other media, including television series,
video games, novels, comic books, theme park attractions, and themed areas, comprising an all-encompassing
fictional universe. The franchise holds a Guinness World LimeStone Records title
for the "Most successful film merchandising franchise". In 2020, the total value of the Star Wars
franchise was estimated at US$70 billion, and it is currently the fifth-highest-grossing media
franchise of all time.

 Try to Print/Move/Save the file in order to trigger your new rule.


 Since this time the Action Plan is just to audit, let’s verify the incidents
 Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
 Verify the rules that are triggered

 Verify your Dashboard


Dictionaries

 Dictionaries are containers for words and expressions.


 Forcepoint provides over 100 predefined dictionaries.
• Examples: medical conditions, legal terms, credit card terms, celebrities, etc.
• They are proprietary and encrypted.
 You can create custom dictionaries.
 Rules can combine dictionaries with other classifiers.
 Thresholds set the number of matches required to trigger a rule.


Patterns (also named Regular Expressions)

 Over 100 pre-defined patterns, some are used by the Policy Template Wizard
 Create your own classifiers using regular expressions

 Goto Policy Management -> Content Classifiers -> Patterns&Phrases


 Select New -> Regular Expression
 Fill the name and description fields
 On the Value field use the following regular expression: login([123]|_internal)?\.php
 This regular expression will match with any of the following:

1. login.php
2. login1.php
3. login2.php
4. login3.php
5. login_internal.php

 Press OK, then CANCEL


 Goto Policy Management -> DLP Policies -> Manage Policies
 Add a new rule to the LimeStone Policy you created in the last Use Case


 Under General TAB fill the new name of the rule, Press NEXT

 Under Condition TAB select your newly created regular expression:

 Under the Severity & Action TAB add a new match line for at least 3 incidents or events with an
Audit Action Plan, press NEXT until the end, then FINISH and DEPLOY
 GoTo Win10 Client -> Update the policy
 Create a file with the information mentioned before, test the file and let’s see the
results.
 Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
 Verify the rules that are triggered
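To make the two classifier types of this Use Case concrete, the key phrase and the regular expression above, here is an added example (not Forcepoint code and not part of the guide) that counts matches the way the classifiers are described and applies the match-threshold lines from the Severity & Action tab; the rule names and the sample file contents are constructed for the demo.

```python
"""Toy model of the Patterns & Phrases classifiers from Use Case #8.

Added example, not Forcepoint code: it shows how a key phrase and a custom
regular expression turn into match counts, and how the "at least N matches"
line on the Severity & Action tab decides whether a rule fires. Rule and
classifier names are hypothetical."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Classifier:
    name: str
    kind: str   # "key_phrase" or "regex"
    value: str

    def count_matches(self, content: str) -> int:
        """Number of occurrences of this classifier in the content."""
        if self.kind == "key_phrase":
            # Key phrases are not case sensitive, and the text must match exactly
            # as typed (hyphens, underscores, slashes included), so escape it.
            pattern = re.compile(re.escape(self.value), re.IGNORECASE)
        elif self.kind == "regex":
            # Assumption for this model: custom regular expressions are used as
            # written and matched case-sensitively.
            pattern = re.compile(self.value)
        else:
            raise ValueError(f"unknown classifier kind: {self.kind}")
        return sum(1 for _ in pattern.finditer(content))


@dataclass(frozen=True)
class Rule:
    name: str
    classifier: Classifier
    threshold: int    # the "at least N matches" line on the Severity & Action tab
    severity: str
    action_plan: str


def evaluate(rules, content):
    """Return one incident record per rule whose match threshold is reached."""
    incidents = []
    for rule in rules:
        matches = rule.classifier.count_matches(content)
        if matches >= rule.threshold:
            incidents.append({"rule": rule.name, "matches": matches,
                              "severity": rule.severity, "action_plan": rule.action_plan})
    return incidents


# Classifiers and thresholds as configured in Use Case #8: the key phrase
# "LimeStone" with a 2-match line and the regular expression
# login([123]|_internal)?\.php with a 3-match line, both with an Audit action plan.
LIMESTONE = Classifier("LimeStone phrase", "key_phrase", "LimeStone")
LOGIN_PAGES = Classifier("Login page names", "regex", r"login([123]|_internal)?\.php")
RULES = [
    Rule("LimeStone Policy - key phrase", LIMESTONE, 2, "Medium", "Audit"),
    Rule("LimeStone Policy - login pages", LOGIN_PAGES, 3, "Medium", "Audit"),
]

# Constructed test content (not the guide's files): mixed-case occurrences of the
# phrase, and file names that should and should not match the expression.
FILE_WITH_PHRASE = (
    "The franchise holds a Guinness World LimeStone Records title. "
    "Project limestone is confidential; do not forward LIMESTONE documents."
)
FILE_WITH_PATHS = (
    "Deploy login.php, login1.php and login_internal.php to the web root. "
    "login4.php is not covered, but admin_login.php still counts: the guide's "
    "expression is unanchored, so it also matches inside longer names."
)

if __name__ == "__main__":
    for content in (FILE_WITH_PHRASE, FILE_WITH_PATHS):
        print(evaluate(RULES, content))
```

The second sample shows a tuning point: because the expression is not anchored, `admin_login.php` also counts as a match, so wrap it in `\b` (or anchor it) if the rule should fire only on the five names listed above.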


Predefined Scripts
 Python scripts allow unlimited analysis
• Weighted scoring
• Complex conditional statements
• Context sensitive
• External dictionaries
• Tunable
• Developed exclusively by Forcepoint
 More accurate than regular expressions
 Analyze content and context using statistical analysis or decision trees.
 Three sensitivity levels: default, wide (less accurate) and narrow (more focused and
accurate)

Use Case #9 – FingerPrinting

Fingerprinting of structured and unstructured data allows data owners to define data types and
identify full and partial matches across business documents, design plans and databases, and
then apply the right control or policy that matches the data.

 File Fingerprinting (Unstructured): files or directories, including Microsoft SharePoint and
IBM Domino directories.
 Database Fingerprinting (Structured): database records directly from your database
table, Salesforce table, or CSV file.

Database Fingerprinting (DB Fingerprinting) Scenario

Goto FSM Server -> Find the SQL Server Management Studio -> Connect to the SQL Server
DB using your previous SQL sa credentials.


Add or create a new database and fill it with information that can be used to match possible
data loss on the configured channels; in this example we are restoring a backup of a DB.

Select Databases -> Restore DB -> Device -> Add -> Search for the corresponding database
(Northwind.bak) usually positioned on the Backup Subdirectory -> Select Database -> Press
OK.


Press OK button, you should now see your DB loaded on the SQL Server Studio:

NEXT STEP is to establish a trusted association between the FSM and the DB we have just
added.

Configure your ODBC Connector on your Crawler

Goto your FSM and open the ODBC Data Source Administrator, located at the following path:

 C:\Windows\SysWOW64\odbcad32.exe

Select the “User DSN” TAB and press ADD


Select SQL Server from the list and press FINISH

Fill in the empty fields and choose the machine where the SQL Server is installed, in this case the
local FSM Server, then press NEXT.


You will need to authenticate to the SQL Server; you can use either the DB user or
Windows authentication, whichever suits you better.

If the authentication succeeded, you will see the list of databases already
running on the SQL Server; select the database you are going to connect to
and press NEXT.

You will see a window like this, Select “Test Data Source” to verify the configuration


If you receive the following message then you are CONNECTED and VERIFIED!!!! Press OK
twice and continue with the configuration

Goto FSM -> Policy Management -> Content Classifiers -> Database Fingerprinting

Select NEW -> Database Table Fingerprinting


 Fill the name of the new DB Fingerprint classifier

 Fill the information to authenticate to the SQL Server via the ODBC Connector

 Select the table and the fields you are going to use for matching


Go ahead, press NEXT and then FINISH; when you reach the creation message press CANCEL
and wait until the Crawler finishes fingerprinting the DB.

 Goto Policy Management -> DLP Policies -> Manage Policies

 Add a Custom Policy using the new classifier

 Configure it and DEPLOY


 Goto your Win10 Client and update the policy using the DLP Endpoint Client Update
button.
 Copy/Paste the following data and create a document or spreadsheet file with the
following info on it:
Davolio Nancy
Fuller Andrew
Leverling Janet
Peacock Margaret
Buchanan Steven
Suyama Michael
King Robert
Callahan Laura
Dodsworth Anne

 Try to print it or move it


 Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
 Verify the rules that are triggered
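As an added example (not Forcepoint code and not part of the guide), here is a small model of what the database fingerprint classifier built above does: it stores keyed hashes of the table cells rather than the data itself, and reports a record as exposed when enough of its fields appear in a scanned document. The key, the employee rows and the two-column threshold are constructed assumptions for the demo.

```python
"""Toy model of database fingerprinting (Use Case #9).

Added example, not Forcepoint code: the classifier keeps only keyed hashes of
the table cells, and a rule fires when enough fields of one record appear in
the content. The key, row data and column threshold are constructed."""
import hashlib
import hmac
import re

# Assumption: a secret key known only to the fingerprinting component, so the
# stored hashes cannot be turned back into the original records.
FINGERPRINT_KEY = b"constructed-demo-key"

# Constructed rows in (LastName, FirstName) form, matching the Employees names
# listed in the guide's Use Case #9 test file.
EMPLOYEES = [
    ("Davolio", "Nancy"), ("Fuller", "Andrew"), ("Leverling", "Janet"),
    ("Peacock", "Margaret"), ("Buchanan", "Steven"), ("Suyama", "Michael"),
    ("King", "Robert"), ("Callahan", "Laura"), ("Dodsworth", "Anne"),
]


def fingerprint(value: str) -> str:
    """Normalise a cell value (case, surrounding and repeated whitespace) and
    return its keyed hash."""
    normalised = re.sub(r"\s+", " ", value.strip().lower())
    return hmac.new(FINGERPRINT_KEY, normalised.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_fingerprints(rows):
    """Map each cell fingerprint to the (row, column) positions it came from.

    This is the only thing the classifier needs to keep; the plaintext rows
    can stay in the database."""
    index = {}
    for r, row in enumerate(rows):
        for c, cell in enumerate(row):
            index.setdefault(fingerprint(cell), []).append((r, c))
    return index


def scan(content: str, index, columns_required: int = 2):
    """Return the row numbers whose records are exposed in the content.

    A record counts as exposed when at least columns_required distinct
    columns of it occur in the content (a partial match, in the guide's
    terms); a lone first name such as "Robert" is not enough on its own."""
    hits = {}
    for token in re.findall(r"\w+", content):
        for r, c in index.get(fingerprint(token), []):
            hits.setdefault(r, set()).add(c)
    return sorted(r for r, cols in hits.items() if len(cols) >= columns_required)


INDEX = build_fingerprints(EMPLOYEES)

# Constructed documents: the guide's copy/paste file, a note mentioning one
# field only, and an unrelated text.
LEAKED_FILE = "\n".join(f"{last} {first}" for last, first in EMPLOYEES)
ONE_FIELD = "Robert asked for the quarterly figures."
UNRELATED = "The franchise was estimated at US$70 billion."

if __name__ == "__main__":
    print(scan(LEAKED_FILE, INDEX))   # all nine employee records
    print(scan(ONE_FIELD, INDEX))     # [] - one column is below the threshold
```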


Risk Analytics and DLP


IRR (Incident Risk Ranking) Server


Use Case #10 – Installing IRR Server

An analytics engine is used to calculate incident risk, rank it against similar activity, and assign it a risk
score. The analytics engine runs on a CentOS server.

This is how your FSM main dashboard looks before the analytics engine is integrated.

If you are working with Forcepoint Virtual Desktop, you should have a CentOS server added in
your GNS3 environment.

 Open the Console Window of the CentOS Server

 Login with User : root / Passw : Forcepoint 1

 Run the following command “nmtui” in order to edit/configure the Server IP


 Edit the interface and goto -> IPv4 Configuration and change “Automatic” to “Manual”,
then Select “Show”, that will enable the configuration window

Select the “Add” button and configure fixed addresses for the server; in this case I am going to use:

 Addresses: 192.168.122.19
 Netmask: 255.255.255.0
 Gateway: 192.168.122.1
 DNS Server: 8.8.8.8
After finishing move to OK using either TAB or Down Arrow Key

Press “Back” and then “Quit”, after that execute the following commands:

 ifdown eth0
 ifup eth0
 Verify the IP using the “ip a show eth0” command.


 Download the Analytics software from the support.forcepoint.com site with your credentials, using
the Chrome browser on your landing machine

 Download WinSCP on your landing machine and install it

Transfer your “AnalyticsEngine86” file from your landing machine to your new CentOS server

 Transfer it to the tmp directory

 Return to the CentOS console


 Once you are on the CentOS server, change to the /tmp directory (cd /tmp)
 You should already have the AnalyticsEngine86 file there
 Perform the following instructions (answer Yes or y when asked):
 yum -y install epel-release
 yum -y install open-vm-tools
 yum -y install apr apr-util perl-Switch unixODBC freetds
 yum -y install ntpdate
 ntpdate time.nist.gov
 chmod +x AnalyticsEngine86
 ./AnalyticsEngine86


 When prompted, enter the IP address of the Forcepoint management server.


 Enter a user name for a Forcepoint DLP administrator account with System modules
permissions.
 Enter the account password.
 The analytics engine verifies that it can connect to the management server.

 Go back to FSM
 See the added DLP Dashboard with new Risk section

 Go to Settings / General / Deployment


 You should see the new IRR server added


Since the IRR option analyzes all the events that have a risk score higher than 4, we will need to
modify the configuration so that it also shows the low- and medium-risk events we have been
generating.

 Go to Settings / General / Reporting

 Goto Incident Risk Ranking TAB


 Modify Incident Risk Ranking to 0-10 (All)

 Press OK


 Since the Risk section updates every 24 hours (overnight), you need to force the
update.
 Go To the CentOS server where the Analytics Engine is installed and go to the following
directory: /opt/websense/AnalyticsEngine/scripts
 Execute ./ae_run

 Go back to FSM and you should see the Top Cases updated


Extend DLP reach to the Web Channel


DLP WCG (Web Content Gateway) Server
**** Network License needed or Full WCG required


There are two Web Content Gateway module options available for Forcepoint DLP.
 The one included with Forcepoint DLP Network provides DLP over the web channel
including encrypted SSL content. This core Forcepoint DLP component permits the use of
custom policies, fingerprinting, and more.
 The one included in Forcepoint Web Security provides SSL decryption, URL
categorization, content security, web policy enforcement, and more. In this deployment
mode, the gateway is limited to the web DLP quick policies.
We are going to work with the one included with the DLP Network license; the DLP WCG engine
runs on a CentOS server or a Forcepoint appliance.

The WCG requires the following:

 Interface C (control) – used to connect to the FSM in order to receive
configurations.
 Interface P1 – the proxy interface; it will be used as the gateway/next hop
for all the traffic that will be analyzed.
 6 GB RAM and 2 vCPUs

If you are working with Forcepoint Virtual Desktop, you should have a CentOS server added in
your GNS3 environment for this WCG server. It should not have links enabled to the switch yet,
because you first need to configure the interfaces on the virtual engine.

Open the configuration option

Goto General Settings and increase the RAM and the vCPU parameters.


Goto the network tab and modify the adapters value to “2”, after that APPLY and OK

Go and enable the link button; you will see that you now have 2 interfaces on the server.

Connect both of them to the switch and start the CentOS server; the server will then be ready
for configuration.


 Open the Console Window of the CentOS Server


 Login with User : root / Passw : Forcepoint 1
 Run the following command “nmtui” in order to edit/configure the Server IP

Edit the interface and goto -> IPv4 Configuration and change “Automatic” to “Manual”, then
Select “Show”, that will enable the configuration window

Select the “Add” button and configure fixed addresses for the server; in this case I am going to use:

 Addresses: 192.168.122.21
 Netmask: 255.255.255.0
 Gateway: 192.168.122.1
 DNS Server: 8.8.8.8
This will be the C Interface, after finishing move to OK using either TAB or Down Arrow Key


Press “Back” and then “Quit”, after that execute the following commands:

 ifdown eth0
 ifup eth0
 Verify the IP using the “ip a show eth0” command.

You will need to add a secondary interface in order to configure the P1 interface, add a
secondary interface and configure it with the following addresses

 Addresses: 192.168.122.22
 Netmask: 255.255.255.0
 Gateway: 192.168.122.1
 DNS Server: 8.8.8.8

 After configuring it, enable it and verify the IP using the “ip a show eth1” command.


Once you have configured your interface, you need to configure the hostname and the
corresponding hosts file in order to have the correct interface associations.

So the first step is to download the software from the Forcepoint support site, once you have it,
upload it to the CentOS server.

Copy it to the tmp directory, once there unpack it using the command gunzip and then tar -xvf to
expand the installation files, you can also use a single command to unpack the software:

tar -xvzf ContentGateway84xSetup_Lnx.tar.gz


Before installing the WCG, you will need to disable the network manager and install some
dependencies (libraries)

 chkconfig --level 2345 NetworkManager off
 service NetworkManager stop

If you are connected to a yum repository you can install these packages with the following command:

 yum install -y apr apr-util bind-utils compat-db47 ftp gd iptables-services krb5-workstation
libicu libpng12 libwbclient nc ncurses-devel net-tools perl perl-Switch perl-URI perl-autodie
perl-libwww-perl readline-devel redhat-lsb-core tcl unzip
 After the process is complete execute ./wcg_install.sh
 Accept the Agreement by pressing “q” and “y”

Configure the password of the admin, it should have a specific format.


Enter an email for alerts

You will have to select how you want to install this WCG, in this particular case you will select option 2,
this is because we are only considering the WCG as a component of Forcepoint DLP without the web
security.

Enter the Forcepoint Security Manager address that will control this WCG and leave the default
port assignments by selecting “X”

This will be a single node so leave the default selection for this.


Leave the configuration as an Only Proxy Mode

Verify your configuration and if it’s correct you can continue the installation by selecting “y”.

If everything is OK you should see the following messages:


Go back to your FSM server, open a browser session and try to access the WCG with the
following information:

 https://192.168.122.22:8081

Goto Configure TAB -> Subscription -> Use the subscription Key from FSM and introduce it to
the WCG Subscription Field and APPLY

After doing this you will need to restart the engine, Goto Basic Section on Configure TAB and
press RESTART


After restart Goto Configure TAB -> Basic -> General -> Features -> Enable ON the integration
Section and verify that Web DLP is selected -> APPLY -> Restart

After restart Goto Configure TAB -> Security -> Web DLP -> Fill the empty fields with the FSM
admin information in order to register the Forcepoint DLP -> Press Register

Verify the success message and restart


Goto FSM -> Deployment -> System Modules, verify the presence of the WCG -> Deploy

In order to be able to INSPECT HTTPS traffic we need to make the WCG trusted by our
endpoints, so we need to generate a certificate that we will import into the
required browsers.

In this particular case we are going to consider mainly 2 types of browsers (Chrome and Firefox),
each one of them has a different way to configure, so we will explain both methods to you.


Creating a certificate on the WCG

Connect via your browser to you WCG Admin interface and authenticate:

 https://192.168.122.21:8081
Goto Configure TAB -> Basic -> General -> And enable HTTPS protocol on the protocols
division of the features section.

Then press APPLY and RESTART, this should enable a new section SSL on the configure
TAB.

Now Goto SSL -> Internal Root CA -> Create Root CA -> Select Country (MX) -> Fill in at least the fields
marked with an asterisk -> Press the “Generate and Deploy” button


If it succeeded you will see the following message; go ahead and RESTART the WCG.

After this you will need to back up the public certificate and private key of the Root CA so you can import
the public certificate into the corresponding browsers; after doing this, copy the public certificate (the
private key stays on the WCG) to your Win10 Client.

NOTE: If you don’t have Chrome Browser or Firefox on your Win10 Client you will have to
install it.


Loading the certificate on the Chrome Browser

Goto your File Manager in your Win10 Client and double-Click the PCAcert you have just
copied.

You will see the following window. For most browsers this will be sufficient, but some
browsers need the certificate installed in a different way; for the moment press the Install
Certificate button.

Select “Local Machine” and Press NEXT


Place the certificate on the “Trusted Root Certification Authorities” certificate store.

Press OK you should get a success message, now you can start to test the web channel with
Chrome


Goto your Chrome Browser Proxy Settings and Enable Manual Proxy Setup, fill the address
with your WCG IP address and the Port should be 8080 -> SAVE -> Restart the browser.

Let’s validate the Internet connection and that the traffic is going through the DLP WCG.

Loading the certificate on the Firefox Browser

Open your Firefox Browser -> Goto Options


Select “Privacy and Security” -> Scroll Down -> View Certificates -> Import

Select your PCACert file and OPEN it -> Select TRUST to identify both websites and email
users -> Press OK

Now let’s configure the proxy in the Firefox Browser -> Goto General -> Network Settings ->
Manual Proxy Configuration and fill in the Proxy fields for HTTP and HTTPS -> Press OK ->
Restart the Firefox Browser and TEST.


Use Case #11 – Protecting the Web Channel

Let’s modify our rules to detect on the web channel

Goto FSM -> Policy Management -> Resources -> Endpoint Application Groups -> Browsers ->
Enable the FILE ACCESS option -> Press SAVE & CLOSE -> Select DEPLOY

Goto FSM -> Policy Management -> DLP rules -> Manage Policies -> Select your
“Patterns&Phrase” rule -> Modify the severity action plans

Goto Destination TAB -> Endpoint Applications -> Edit -> Select All & Move to the Include
section -> press OK -> DEPLOY

Goto your Win10 Client and UPDATE the policy


Open your Chrome or Firefox browser and goto the “dlptest.com” site; try to HTTP/HTTPS POST the
sample files that belong to the Phrase rule you just modified.

 Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
 Verify the rules that are triggered. As you can see, the test was blocked by the Endpoint,
not by the WCG; let’s do some extra config.

Goto your FSM -> Deployment -> System Modules -> Web Content Gateway and SELECT the
Forcepoint Web Content Gateway line by double-clicking it.

Goto HTTP/HTTPS TAB and from the Mode field change from Monitoring to Blocking -> Press
OK -> DEPLOY


Goto your Win10 Client -> DLP Endpoint -> Update -> now try to write several times the phrase
on the text window and press SUBMIT

You will see a different message, now the WCG is the one answering


 Goto FSM Server -> Reporting -> Data Loss Prevention -> Incidents
 Verify the rules that are triggered; as you can see, now it was blocked by the WCG.


Finding Data on Images with DLP


DLP OCR server
**** You need to install a supplemental DLP server for this to work.


Included with DLP Network & Discovery:

The OCR server enables the system to analyze image files being sent through network channels,
such as email attachments and web posts. The server determines whether the images are textual,
and if so, extracts and analyzes the text for sensitive content. There is no special policy attribute
to configure for optical character recognition (OCR). If sensitive text is found, the image is blocked
or permitted according to the active policies.

The server can also be used to locate sensitive text in images during network discovery.

This feature does not support either handwriting or images containing text that is skewed more
than 10 degrees.

Summary: Support for many image file types + images embedded within Microsoft Office
documents and PDFs.

In this particular case you will need to install a supplemental DLP server that contains the OCR
Server. It needs to be installed on a Windows Server tuned similarly to the
Forcepoint Security Manager; install only the DLP Server component, and this will automatically
add the OCR Server to it.

Execute the FSM file with administrator privileges on the new WinServ …


Press the Start button …

Select the “Accept” Checkbox and press NEXT, select the Custom option …


Installing the DLP Component on a supplemental DLP Server

In this case you will add the DLP Manager component.

This will install all the required infrastructure and predefined components including the OCR
Server.

You will see the components to be installed -> Press NEXT

Select the IP address of the server where you are installing the DLP Server component.


Select the Computer name and a user with sufficient rights on the server (Administrator) -> Press
NEXT.

It is possible that you see the following message; since this is a demo you can ignore it, but
it is better if you have the required space.

You will need to register the Forcepoint Security Manager -> Use the IP of the server and the
credentials of the admin for the FSM -> Press NEXT.


Confirm Installation -> Press INSTALL -> If you find this message press YES

Continue until you FINISH -> Goto FSM and validate the presence of the new DLP Server on
the Deployment -> System Modules section -> you will see the new server with the OCR Server
on it.


Use Case #12 – Identifying Text on an Image (Web Channel)


Creating an image to test

In order to test the detection of the text inside an image, we will use the rules created on Use
Case #8 Patterns and Phrases with the word “LimeStone”, so go ahead and use your Win10
client and Open your favorite image editor and create an image containing several instances of
the word “LimeStone”.

Something like this:

Note: I created this one using Paint and saved it as a JPEG image.

Goto FSM -> Settings -> Deployment -> Select your WCG Server -> Policy Engine

Enable OCR -> Select the recently installed OCR Server on the supplemental DLP Server

Press OK -> DEPLOY


Once you finish, connect to dlptest.com or to your email account (Gmail or Hotmail) and try to
add your images as an attachment; you will see an Upload Failed message

Goto FSM -> Reporting -> Data Loss Prevention -> Incidents (7 days)


Covering the Email Channel


DLP EGW (Email Gateway) Server
**** Network License needed or Full EGW required


There are two Email Gateway module options available for Forcepoint DLP.
 The one included with Forcepoint DLP Network provides DLP over the email channel. This
core Forcepoint DLP component permits the use of custom policies, fingerprinting, and
more.
 The one included in Forcepoint Email Security provides phishing protection, antispam, Drip DLP,
email encryption, image analysis, URL wrapping, and more. In this deployment mode, the
gateway is limited to the Email DLP quick policies.
We are going to work with the one included with the DLP Network license. The DLP EGW engine
runs either as a virtual appliance in a VMware environment (ISO or OVA format) or on a Forcepoint
hardware appliance.

The EGW requires the following:

 Interface C (control) – connects to the FSM in order to receive its configuration.
 Interface P1 – the email interface; it is the gateway/next hop for all the mail traffic that
will be analyzed.
 6 GB RAM and 2 vCPUs

If you are working with the Forcepoint Virtual Desktop, you should have an email appliance (first
boot) added to your GNS3 environment for this EGW server. It has no links connected to the switch
yet, so enable the link button and you will see that the appliance has 4 interfaces.

Select ports “C” and “P1”, connect both of them to the switch, and start the appliance. The
appliance is then ready for configuration.


Goto GNS3 -> Right-Click the email appliance -> Select Console

This will open a session to the appliance and show you the initial installation message

Type “yes”

Press ENTER and then “q” (quit)

Accept the Subscription Agreement by typing “yes”

Type 1 to select the security mode


Type “yes” to confirm

Type the hostname for the email appliance

Enable the NTP option in the email appliance and type the name of the NTP server:
time.nist.gov; you can add more than one if you want.

Type 10 for the Mexico City time zone, or select the time zone you are located in.


Type the password based on the requirements described in the instructions

Type “yes” to join the product improvement program (or “no” to decline).

Verify your configuration and if everything looks OK just type “yes”

Type “no” for the C interface so that you can assign it a fixed IP address.


Type the network configuration with the corresponding IP address, subnet mask, default
gateway and DNS server(s); if everything looks OK, type “yes” and press ENTER.

Press ENTER again

Verify your full configuration if everything is OK, type “yes” and then ENTER.


You will see the installation process begin; wait until it ends. After the installation ends the
appliance restarts and shows the following screen, from which you continue preparing the
appliance.

As you can see, the C (management) interface is already configured, but the P1 interface also
needs to be configured; for that you will use the CLI (Command Line Interface).

Type your user (admin) and password (the one you just created).

Type “config” at the prompt; it will ask you for the admin password. Press ENTER and you will be
in configuration mode.


Type the following command -> set interface ipv4 --interface p1 --ip 192.168.122.31 --mask
255.255.255.0 --gateway 192.168.122.1

Press ENTER and then type the following command to set the DNS information -> set interface dns
--dns1 192.168.122.1 --dns2 8.8.8.8

Press ENTER and then type exit -> ENTER; you will return to the first level of the CLI. Then
type -> show interface info, which shows you whether the P1 interface is configured as you
want.

Type exit and you have finished configuring the appliance.


After this we need to add the Email component to our FSM so that the appliance can be managed.

Goto FSM server (Windows) -> Find “Forcepoint Security Setup” -> Select it and start the
application

Once it starts, select Install

Then on Introduction press NEXT

On Component Selection press NEXT


On Configuration select your database location and the user/password you used before.

Then type the password for the account under which the FSM is installed.

Leave the default path for the database you installed before and press NEXT.


Type the IP address of the recently installed Email GW

Leave the Default path for installing the EGW component


Verify your configuration and then press INSTALL

After the installation finishes you will see the following message -> Press DONE

Goto FSM -> You will see the new Email tab in the upper-left corner; select it to switch to
the email environment.


You will be asked for an Email License, type your license here and press OK.

Once it is validated you will see the expiration date and the amount of registered users, Press
CONTINUE

After this you have to choose: either use the wizard or go directly to the dashboard. The
configuration can be completed either way; in this case we go directly to the Email
Security Dashboard.


When you see the following window just press SKIP

You will see the FSM window; go to the Email section of the FSM.

We need to validate some configuration before continuing: find the appliances icon in the top-
right of the FSM window and select it.

You will see the new appliance added and registered with the FSM; validate the information.


If the configuration is OK, select the Email section of the FSM again.

Configure User Directory Service Settings

1. Go to the FSM (Forcepoint Security Manager)
2. Navigate to Email > Settings > General > Users > User Directories.
3. Press the Add button.
4. Enter a name in the “User Directory Name” field
5. Under “User Directory Type” select “Microsoft Active Directory”
6. Configure the settings for Active Directory (Native Mode).
7. Press OK

NOTE: In a POC you would use the cache address option.


Verify Domain Groups

Any domains you want to protect MUST be added to Domain Groups.

 Navigate to Settings > Users > Domain Groups
 Select Protected Domain > add your Go4Lab domain
 Press OK

NOTE: Remember that your domain address will be your lab id plus the suffix
“.lab.go4labs.net”; for example, if your lab id is bev.siwicki, your domain address will be
“bev.siwicki.lab.go4labs.net”.

Configure User Auth

Adding some form of user authentication is always recommended.

 Navigate to Settings > Users > User Authentication
 Select Add > add your Go4Lab domain
 Go to User Directories -> move your user directory (Active Directory) to the Recipients
section
 Press OK

Configure Mail Routing

This configuration is extremely important to get right. These settings tell the email gateway
where to send the mail it receives, both inbound and outbound. It makes this decision based
on the recipient, or the recipient's domain, in the received mail.

Example: the email route configuration below says: when a message is received, look at the
domain it is being sent to (the recipient's domain), perform a DNS lookup of that domain's MX
record, and send the mail to the destination returned by the MX lookup.

Add a User Directory-Based Route

1. Navigate to Settings > Inbound/Outbound > Mail Routing


2. Under User Directory Based-Routes select Add
3. Type the name, in this case I use “Inbound Mail Route”


4. Move your Go4Lab AD to the Recipients box at the bottom

5. Under Delivery Method select SMTP Server IP Address and add the mail server IP to
that list

6. Under Delivery Options check Use TLS


7. Select OK

Add a Domain-Based Route

1. Navigate to Settings > Inbound/Outbound > Mail Routing


2. Under Domain-based Route section select default

3. Ensure the settings look like those in the image below

4. Select OK

NOTE: In most deployments you will not need to configure a User Directory-based Route; the
“default” Domain-based Route is sufficient.


This config is specific to Go4Labs.

IP Groups - the root of most issues

IP Groups are an extremely simple concept but are the most frequently forgotten configuration in
email deployments.

Trusted IP Groups simply tell the gateway which IPs it can trust to receive mail from or send
mail to. ANYTHING that sends mail to, or receives mail from, the gateway must have its IP in
this list. Keep the list minimal and specific (individual hosts rather than ranges): every address
on it is treated as a trusted relay partner in both directions.

 Navigate to Settings > Inbound/Outbound > IP Groups > Trusted IP Addresses
 Add the IPs to the list
 Add your FSM IP and your mail server IP (the FSM needs to send out alerts; the mail
server is what sends and receives email)
 Press OK


Activate ALL Inbound email filters

1. Navigate to Main > Policy Management > Policies > Inbound Default

2. Under Rules select each rule individually and enable all of them.
3. Make sure to select OK after enabling each rule and when complete OK on the
policy.

After completing this your rules should look like the following.


Update the user's email address in AD

NOTE: Pick any of the users in the AD Users container.

1. Open GNS3 > right-click the DC and select Console

2. Log in to the DC (domain controller)

3. Open Active Directory Users and Computers

4. Go to Users > double-click the selected user

 Update the email address in the General tab using the format explained before:
User_Name@<Your Go4Labs Domain>

Ex. Barbara@manuel.nolen.lab.go4labs.net

5. Close Active Directory Users and Computers and log off

Verify Directory Settings

 After modifying the selected user's email information, verify the changes
 Goto FSM (email) -> Settings -> Users -> User Directories

</gr_replreplace>
<gr_replace lines="2352-2355" cat="clarify" orig="Select Synchronize">
Select Synchronize -> then select View

You should see that the user's email address is now synced to the email gateway with the
domain name of your lab.

Select Synchronize -> after that Select View

You should see that users email is now synced to the email gateway with the
corresponding domain name of your lab.


Setting up the webmail object

Goto GNS3 -> Double-Click your webmail object -> Select Configure

Find Network Configuration -> Press EDIT button

Uncomment the “static config” section and adjust the values; I will use the following as an
example.

# Static config for eth0
auto eth0
iface eth0 inet static
address 192.168.122.35
netmask 255.255.255.0
gateway 192.168.122.1
up echo nameserver 192.168.122.1 > /etc/resolv.conf

Press SAVE and then OK -> STOP and START the WebMail Object


When it is available again -> Double-click your webmail object again -> Select Auxiliary console

At the prompt type the command “ip a” and validate that the interface has the right
configuration.

Close the auxiliary console and return to your landing machine.


Setting up the email server

 Configure the mail server to accept communications from your lab domain.
 Open the browser on the landing machine
 Navigate to http://192.168.122.35/?admin
 Use “User” admin and “Password” Forcepoint1

 Select Domains > Add Domain

 Fill out the settings as below:

o Name: bev.siwicki.lab.go4labs.net
o IMAP Server: 192.168.122.35 (webmail)
o IMAP Port: 143
o SMTP Server: 192.168.122.31 (P1 interface of the EGW)
o SMTP Port: 25
o SMTP Secure: STARTTLS
o Use Authentication: Disable (lab setting: the gateway accepts mail from the webmail host
because its IP is in the Trusted IP group, not because of SMTP AUTH)


NOTE: After saving for the first time, re-open the domain you added; sometimes the port on the
SMTP side changes. If this happens, set it back to port 25 and press UPDATE.

Leave the admin interface by pressing Log Off


Login into Mail Client

 Open the Rainloop mail client again, this time by entering just the IP address
192.168.122.35
 At the login enter barbara@<YOUR Go4Labs Domain> and any password you want
(ex. barbara@bev.siwicki.lab.go4labs.net)

You will see the user in the top-right of the email client.


Testing your first inbound/outbound message

Outbound

1. Select New

2. Craft a message just like the following and send it to your Forcepoint/Partner email
address.

3. You should receive the message in your work inbox within minutes.


Use Case #13 – Finding Text and Text on an Image (Email Channel)

You can reuse several of the existing rules and policies to test DLP on the email channel; let's
consider Use Cases #6, #8 and #12.

Applying Use Case #6 – PCI / Credit Cards & Use Case #8 – Patterns & Phrases

 Goto FSM (Data) -> Policy Management -> DLP Policies -> Manage Policies ->
Limestone Policy -> Limestone Rule -> Edit the rule

 Goto Destination Tab -> Email section -> Enable Inbound/Outbound

 Press OK -> DEPLOY


Goto your Win10 client -> Connect to your email interface -> Perform the following tests with the
files you have already generated:

 Send the word “Limestone” in the body of the email, repeated as many times as the rule's threshold requires
 Try to attach a file containing the word “Limestone” as many times as the rule requires
 Try to attach an image file containing the word “Limestone” as many times as the rule requires

Verify your results in the Incident Reports and check which channel blocked each one; you will see the
following behavior:

The reason is that the rule was already applied to the endpoint and web channels, and the Win10 client
has the endpoint agent installed and a proxy configured in the browser, so those channels intercept the
data before it ever reaches the email gateway. Let's view it from a different angle.

We will work with the PCI rules now.

 Go to your FSM server, which has neither the endpoint agent nor a proxy configuration.
 Open an email session from the browser on the FSM server
 Perform the same exercises as before and observe the behavior

Now you will see the email channel working.
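The same tests can also be driven straight into the gateway over SMTP, which removes the endpoint agent and the browser proxy from the path entirely, so any incident raised is attributable to the email channel alone. The script below is an added example written for this guide; it is not Forcepoint code and not part of the original document. It builds a message that repeats the Use Case #8 phrase a configurable number of times in the body, adds a text attachment and an image attachment, and hands the message to the EGW P1 interface (192.168.122.31 in this lab) with STARTTLS. The sender and recipient addresses, the 1x1 placeholder PNG and the verify_tls=False lab setting are assumptions: replace the placeholder with the “LimeStone” JPEG from Use Case #12 (a 1x1 image gives OCR nothing to find), and keep certificate verification on outside the lab.

```python
"""Send DLP test messages straight to the EGW P1 interface over SMTP.

Added example for this guide; not Forcepoint code. Hosts, addresses and the
placeholder image below are lab assumptions.
"""
import base64
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import make_msgid

EGW_P1 = "192.168.122.31"      # P1 interface of the EGW, as configured earlier in the guide
SMTP_PORT = 25

# Constructed placeholder: a 1x1 transparent PNG. It will NOT trigger OCR;
# substitute the bytes of the "LimeStone" JPEG created in Use Case #12.
PLACEHOLDER_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"
    "AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)


def build_test_message(sender, recipient, phrase="Limestone", repeats=5,
                       attachment_text=None, image_bytes=None,
                       image_name="limestone.png"):
    """Build a message whose body repeats `phrase` on `repeats` lines and that
    optionally carries a text attachment and an image attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "DLP email-channel test"        # keep the phrase out of the headers
    msg["Message-ID"] = make_msgid(domain=sender.rsplit("@", 1)[-1])
    body = "\n".join(f"{phrase} sample line {i + 1}" for i in range(repeats))
    msg.set_content(body)
    if attachment_text is not None:
        # str content becomes a text/plain attachment with the given file name
        msg.add_attachment(attachment_text, filename=f"{phrase.lower()}.txt")
    if image_bytes is not None:
        ext = image_name.rsplit(".", 1)[-1].lower()
        subtype = "jpeg" if ext == "jpg" else ext
        msg.add_attachment(image_bytes, maintype="image", subtype=subtype,
                           filename=image_name)
    return msg


def count_phrase(msg, phrase):
    """Case-insensitive count of `phrase` across every text part (body and
    text attachments). Image parts are skipped; that is what OCR is for."""
    needle = phrase.lower()
    return sum(part.get_content().lower().count(needle)
               for part in msg.walk()
               if part.get_content_maintype() == "text")


def send_via_gateway(msg, host=EGW_P1, port=SMTP_PORT, verify_tls=True, timeout=30):
    """Deliver `msg` to the gateway, upgrading to TLS when STARTTLS is offered.
    Returns the dict of refused recipients (empty when all were accepted).
    verify_tls=False is only for lab appliances with self-signed certificates."""
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            smtp.ehlo()                       # capabilities can change after TLS
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Lab addresses are assumptions; "barbara" is the AD user updated earlier.
    message = build_test_message(
        "barbara@bev.siwicki.lab.go4labs.net", "partner.mailbox@example.com",
        repeats=10, attachment_text="Limestone " * 10, image_bytes=PLACEHOLDER_PNG)
    print("phrase occurrences:", count_phrase(message, "Limestone"))
    refused = send_via_gateway(message, verify_tls=False)   # lab only
    print("refused recipients:", refused)
```

Run it from the FSM server or any host whose IP you have added to the Trusted IP group; a host that is not in that group will be refused at the SMTP level rather than by a DLP rule, which is a useful way to tell the two kinds of block apart in the incident list.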


And what about images?

Applying Use Case #12 – Identifying Text on an Image

Goto FSM (Data) -> Settings -> Deployment -> System Modules -> Forcepoint Email Security -> Policy Engine

Enable OCR services (select the OCR Server installed on the supplemental DLP server)

Goto the FSM server -> Send an image via email and check the results in the incident report:
the image containing credit card data was identified and the message was quarantined.


Digging with Crawlers


DLP Discovery
**** Discovery License needed


Goto FSM (Data) -> Policy Management -> Discovery Policies -> Manage Policies -> add any
policy as you do with DLP policies; in this case I select the Mexico PII policy

Modify the severity & action of the chosen policy according to your testing

Press OK, and NO to continue configuring


Goto FSM (Data) -> Policy Management -> Discovery Policies -> Endpoint Discovery Tasks

Select NEW and fill in the information to schedule the discovery task

Fill in the Name field

On the endpoint selection for the scan, leave the default “ALL” and press NEXT

In the scheduler section select ONCE in the pull-down menu


In the policies section, go to Selected policies and choose the policy you created for discovery

On the Advanced tab, leave the default – “Only on policy update”

Press Finish and DEPLOY
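Before updating the policy on the Win10 client and letting the scan run, it helps to plant files whose contents and hashes you already know, so that the discovery incident list can be reconciled against what was seeded rather than against whatever stale data happens to be on the disk. The script below is an added example for this guide, not Forcepoint code and not part of the original document. It seeds Luhn-valid synthetic card numbers, which exercise the PCI patterns from Use Case #6 rather than the Mexico PII policy chosen above (for that policy you would add your own CURP/RFC samples), and writes each number bare, space-grouped and dash-grouped so the scan also shows whether the pattern handles separators. The output directory is an assumption. The numbers are synthetic, but every DLP control in the path will treat them as real card data: delete the files when the POC ends.

```python
"""Seed an endpoint with known, Luhn-valid test card numbers before a discovery scan.

Added example for this guide; not Forcepoint code. The output directory and file
layout are assumptions. The numbers are synthetic but will trigger any PCI rule;
remove the files after the POC.
"""
import hashlib
import os
import random
import re

# 16 digits in groups of four, optionally separated by a space or a dash
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_check_digit(partial):
    """Return the digit that makes `partial` + digit pass the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:              # the digit next to the check digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    """Luhn check over the digits of `number`, ignoring any separators."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def make_pan(rng, prefix="4", length=16):
    """Generate one Luhn-valid number with the given prefix and length."""
    body = prefix + "".join(str(rng.randrange(10))
                            for _ in range(length - len(prefix) - 1))
    return body + str(luhn_check_digit(body))


def format_pan(pan, style):
    """Render the PAN bare, space-grouped or dash-grouped so the scan also
    exercises the pattern's separator handling."""
    groups = [pan[i:i + 4] for i in range(0, len(pan), 4)]
    return {"bare": pan, "space": " ".join(groups), "dash": "-".join(groups)}[style]


def seed_discovery_files(root, files=3, pans_per_file=5, seed=1234):
    """Write `files` text files under `root`, each with `pans_per_file` labelled
    card numbers, and return [(path, sha256)] to reconcile against the
    discovery incidents later. A fixed seed makes the files reproducible."""
    rng = random.Random(seed)
    os.makedirs(root, exist_ok=True)
    styles = ["bare", "space", "dash"]
    manifest = []
    for n in range(1, files + 1):
        lines = []
        for k in range(pans_per_file):
            pan = format_pan(make_pan(rng), styles[k % len(styles)])
            lines.append(f"Customer {n:02d}-{k:02d}  Card: {pan}  Exp: 12/29")
        data = ("\n".join(lines) + "\n").encode("utf-8")
        path = os.path.join(root, f"pci-test-{n:02d}.txt")
        with open(path, "wb") as fh:
            fh.write(data)
        manifest.append((path, hashlib.sha256(data).hexdigest()))
    return manifest


def extract_pans(text):
    """Pull candidate PANs back out of a seeded file, for verification."""
    return [m.group(0) for m in PAN_RE.finditer(text)]


if __name__ == "__main__":
    # Assumed location on the Win10 client; keep it inside the scanned scope.
    for path, digest in seed_discovery_files(r"C:\Users\Public\Documents\dlp-test"):
        print(f"{digest}  {path}")
```

Keep the printed manifest with your POC screenshots: after the scan, each incident should map to one of these paths, and any seeded file without an incident points at a threshold or pattern setting worth revisiting in the policy.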

Use Case #14 – Finding files in the disk

After it finishes -> Goto your Win10 client -> Update the policy on the endpoint. Once the update
completes you will see the Discovery section of the endpoint enabled and the Discovery Status change
from Idle to Running; when it finishes scanning your hard disk, it sends the results to the
Reporting section of the FSM.


Goto FSM -> Reporting -> Discovery -> Incidents

You will see the results of the discovery process and the findings.


Appendix 1 – DLP Policies


Policies are empty containers that hold rules and exception rules.

Policies and rules – Configuration Window


Rules

Rules define the protection logic.

 Components
o Condition
 Classifiers
 Condition Logic (AND, OR, NOT), thresholds
 Resources
o Severity & Action
 Cumulative rules
o Sources
o Destinations

Example Rule


Creating Policies

 Predefined Policy Templates
o Provide immediate access to pre-defined sets of policies
o Enable data protection to meet regulatory compliance standards such as GLBA
and HIPAA
o Policies are based on Natural Language Processing and PreciseID Patterns
(regular expressions)

 Quick Policies
o Email DLP Policy
o Web DLP Policy

 Custom Policies


Appendix 2 – DLP Endpoint Details

What is an endpoint, and what is Data Endpoint?

An endpoint is a laptop, server, etc. that applies Forcepoint DATA policies independently of the
network-based Forcepoint DATA installation.

F1E (Forcepoint One Endpoint) has 2 parts: it can intercept data (Data Endpoint), and it can send
web traffic to the cloud proxy (Web Endpoint).

Data Endpoint intercepts “data in use”:

• Sent to removable media
• Sent via HTTP, HTTPS, FTP; sent via Microsoft Outlook (via plug-in)
• Copied to shared folders / the local-area network (LAN)
• Accessed or manipulated by a standard application, or downloaded by an online
application
• Sent to a local or network printer

Endpoints can run endpoint discovery tasks on their local hard drives.

Endpoints have the following policy-enforcement options:

• Block
• Permit
• Confirm (endpoint only)
• Encrypt
• Encrypt with user password

Note: Encrypt is available for removable media only. Additionally, drop attachment and
quarantine are NOT available actions for the endpoint.


Endpoint Platforms & Features

 Supported platforms

o Windows 2008/2012/2016 Servers and Windows 7/8/10


o Red Hat/CentOS 4.8, 5.1, 5.5 (not all features supported)
o 32 & 64-bit support
o Mac OS endpoint

 Endpoint email-channel support


 PreciseID database and file fingerprint detection
 Original file access time can be preserved (for backups)
 Improved printing

Why Is an Endpoint Needed?

 Some computers, like laptops, may not be on the protected network.
 Some data cannot be protected at the network level:
o Removable media
o Encrypted communications cannot be analyzed; instead, the endpoint looks inside specific
applications.
 Some operations benefit from being done on the client:
o Discovery is much less efficient when done by servers for each and every one of
the clients.
 CPU intensive
 Bandwidth intensive


Endpoint Application Groups

Screen capture

 Screen capture is blocked, when specified applications are running.


 The screen capture would be sent as forensics, when blocked.

File access

 Read access can be intercepted.


 Some files (tmp directory, etc.) are excluded.

Cut/Copy/Paste

 Monitoring of copy and paste operations.


(Note: Content is analyzed only on paste, even if the rule is on copying.)

Endpoint Discovery

Local discovery allows analysis of files on local drives.


Multiple endpoints handle multiple discovery tasks.

 Run multiple tasks, simultaneously, on a single machine.


 Run different tasks on different machines.

Scanning can be configured to

 Scan only when computer is idle


 Pause when computer is running on batteries

Deploying the Data Endpoint Client

Forcepoint Data Security Endpoint deployable using

 Manual
 Microsoft-based tools
 System Center Configuration Manager (SCCM)
 Systems Management Server (SMS)


Two installers

 ForcepointEndpoint_XXbit.exe for Windows
 LinuxEndpoint_SFX_installer_elX for Linux
 Updates are deployable automatically

Endpoint Action Plans

Available action-plan options for the endpoint

 HTTP/HTTPS: Permit, block, confirm


 Application: Permit, block, confirm
 Removable media: Permit, block, confirm, encrypt
 LAN: Permit, block, confirm
 Printing: Permit, block, confirm
 Confirm and encrypt are unique to the endpoint.


Appendix 3 - Knowing the components (Forcepoint DLP solution)

Licensing

A DLP Solution requires a license to run the different components offered. These licenses are
based on:

1. Which components will be used?


2. How many users/seats does the organization have? (could be implemented for part of
the company, e.g., finance organization)

These are the current DLP subscription offerings:

 Forcepoint DLP Endpoint


 Forcepoint DLP Network
 Forcepoint DLP Cloud Applications
 Forcepoint DLP Discovery

Customers who own our Email and Web Security products can “add-on” DLP licensing to those
products.


Forcepoint DLP Endpoint (in-use) - Endpoint protects your critical data on Windows and Mac
machines, both on and off the corporate network. It includes advanced protection and control for
data at rest (discovery), in motion and in use. It integrates with Microsoft Azure Information
Protection to analyze encrypted data and apply appropriate DLP controls. The DLP endpoint
monitors web uploads, including HTTPS, as well as uploads to cloud services like Office 365 and
Box Enterprise. Full integration with Outlook, Notes and email clients.

Forcepoint DLP Network (in-motion) - DLP Network stops the theft of data in motion through
email and web channels. This solution helps identify and prevent malicious and accidental data
loss from outside attacks, or from insider threats. OCR (Optical Character Recognition)
recognizes data within an image. Analytics identify DLP incidents to help stop the theft of data by
more easily spotting high-risk user behaviors.

Forcepoint DLP Cloud Applications (at rest) - Powered by Forcepoint CASB, DLP Cloud
Applications extends the advanced analytics and single control of Forcepoint DLP to critical cloud
applications, including Office 365, Salesforce, Google Apps, Box and more.

Forcepoint DLP Discovery (at rest) - DLP Discovery identifies sensitive data across your
network, as well as data stored in cloud services like Office 365 and Box Enterprise. Advanced
fingerprinting technology identifies regulated data and intellectual property at rest, and protects
that data by applying appropriate encryption and controls.


Policy Engine

The Policy Engine is the DATA component responsible for all data analysis and policy enforcement.

Components of the Policy Engine Package

The Policy Engine Package contains:

 PE – Policy Engine
 XML-based policies
 Fingerprinting repository

You will find a PE component on any of these implementations, including the FSM:


FORCEPOINT PROTECTOR

Linux-based (CentOS) server
 Software appliance
 Also available on the V5K appliance

Monitor and/or block traffic
 Via a SPAN/mirror port (monitoring)
 Transparently (inline)
 Explicitly (as an MTA or ICAP server)

Supported protocols
 HTTP – Monitoring, Blocking
 SMTP – Monitoring, Blocking (explicit MTA)
 FTP – Monitoring
 IM – Monitoring (MSN, Yahoo, AIM)
 ICAP – explicit HTTP/S and FTP monitoring/blocking

PROTECTOR – MONITOR ONLY

PROTECTOR – INLINE


PROTECTOR – ICAP INTEGRATION

FORCEPOINT DATA SERVER (DSS)

Windows-based server
 Windows Server 2012
 Windows Server 2016

Roles (any or all):
 Additional analysis engine (PE)
 Crawler
o Discovery Server
o Fingerprinting Server
 Endpoint Server
 Can host the SMTP Agent
 OCR Server


FORCEPOINT ONE ENDPOINT (F1E)
