Acronis #CyberFit Cloud Tech Associate Advanced Data Loss Prevention 2023 Handout
#CyberFit Academy
Meet your Instructor
Amos Dong
Partner Technology Evangelist
Singapore | English | Amos.Dong@acronis.com
Amos is passionate about the latest technology trends. He comes from a solid technical IT infrastructure background and has over 16 years of experience in the IT industry, holding multiple certifications from Microsoft, Cisco, VMware, and Red Hat. His interests and specializations include Windows Server, Active Directory, Exchange Server, Hyper-V and VMware virtualization, Microsoft 365 and Google Workspace, Cisco Routing and Switching, Network Security, and Linux Server.
Learning Objectives
Course Modules
1. Case Study
2. High Level Overview and Benefits
3. Device Control Features
4. Advanced DLP Features
5. Configuring and Using Advanced DLP
Cyber Protect Cloud
Case Study
How your employees unintentionally leaked sensitive data
(Meet Kate)
Always on the go
Bad actors want your data
Employees: the greatest risk to your organization
Once shared, you are done
What can you do now?
Using a Data Loss Prevention Solution
✓ With Advanced DLP, this data leak would have been prevented
✓ The DLP agent detects the transfer of sensitive documents to file sharing services and blocks it
✓ The policy prohibits the transaction and an audit log entry is created for investigation
✓ The company can issue a warning to the affected employees on how to handle confidential documents
Section Summary
Cyber Protect Cloud
High Level Overview and Benefits
Integrated Platform
An integrated solution of cyber security, backup, disaster recovery,
management and automation built specifically for SPs
Cyber Protect Cloud
Device Control Features
Module Outline
Cyber Protect Cloud
Using Device Control and Access Settings
Device Control
Strengthen your security services and minimize the risk of data leaks for clients
with essential data loss prevention (DLP)
Device Control (continued)
Capabilities:
• Selective access control per device/port type (deny, allow, read-only)
• Real-time alerts and notifications
• On workloads: on/off for all devices and ports
• In console: on/off per device/port type
• Control clipboard copy/paste operations
• Control screenshot captures
• Support for encrypted removable media
• Allowlisting
  • Device type
  • USB: granular, down to serial number
  • Clipboard operations: within applications
Why? Proactively prevent data leaks and control data flows between devices and peripherals
Supported Operating Systems
→ Note: Agent for Data Loss Prevention for macOS supports only x64 processors (Apple silicon ARM-based processors are not supported)
Device Control Section
Displays a summary of the module’s configuration
USB devices allowlist - Shows how many USB devices/models are allowed by
excluding from device access control
Exclusions - Shows how many access control exclusions have been set for Windows
clipboard, screenshot capture, printers, and mobile devices
Enable or Disable Device Control
View or Change Access Settings
1 Open the protection plan panel for a protection plan and enable device control in that plan
2 Click the arrow icon next to the Device control switch to expand the settings, and then click the link next to Access settings
3 On the page for managing access settings that appears, view or change access settings as appropriate
Access Settings
The access settings allow you to limit user access to the following device types and ports:
OS Notification and Service Alerts
You can configure device control to display an OS notification to end users if they try to use a blocked device type on protected computers
• When the Show OS notification to end users if they try to use a blocked device type or port check box is selected, the agent displays a pop-up message in the notification area of the protected computer if any of the following events occurs:
  • A denied attempt to use a device on a USB or FireWire port
  • A denied attempt to copy a data object to/from a certain device
• User attempts to access blocked device types on protected computers can raise alerts that are logged in the service console
• Alerts can be enabled for each device type or port separately by selecting the Show alert check box
Section Summary
1. The device control module leverages a functional subset of the agent for Data Loss Prevention on each protected computer to detect and prevent unauthorized access and transmission of data over local computer channels
Cyber Protect Cloud
Device Type Allowlist and Alerts
Allow or Disallow Device Types Allowlist
Exclude Individual USB Devices from Access Control
USB Devices Allowlist
Intended to allow using certain USB devices regardless of any other device control settings
USB Devices Database
The device control module maintains a database of USB devices from which you can add devices to the list of exclusions
• A USB device can be registered with the database in any of these ways:
  • Add a device on the page that appears when adding a device to the exclusion list
  • Add a device from the USB Devices tab of a computer's Inventory pane in the service console
  • Allow the device from an alert on denying access to the USB device
Excluding Process from Access Control
On the Exclusions page, you can specify a list of processes that will not be hooked
Device Control Alerts
The device control module maintains an event log by tracking user attempts to access controlled device types, ports, or interfaces
• Certain events can raise alerts that are logged in the service console
• When configuring the device control module, you can enable alerts for most items listed under Device type (except screenshot capture) or Ports
• If alerts are enabled, each attempt by a user to perform an operation that is not allowed generates an alert
Device Control Alerts (continued)
To view alerts in the service console, go to Monitoring > Alerts
Within each device control alert, the console provides the following information about the respective event:
• Type
• Status
• Message
• Date and time
• Device
• Plan name
• Source
• Action
• Name
• Information
• User
• Process
Section Summary
Cyber Protect Cloud
Advanced DLP Pack Features
Module Outline
1. Management Framework
2. Data Flow Policy Concept and Features
3. Modes of Operation and Policy Renewal
Cyber Protect Cloud
Management Framework
Supported Platforms
Agent for DLP: Microsoft Windows Server 2008 R2 or later (2008 R2, 2012, 2012 R2, 2016, 2019, and 2022)
Main DLP Management Elements
Data Loss Prevention Policy
A rule-based method of representing and managing preventive, monitoring, and auditing controls in a DLP solution
Main DLP Management Elements
Data Loss Prevention Policy
Key policy requirements:
Main DLP Management Elements
Modes of Operation
Allow managing the learning and enforcement logic of DLP operations
Main DLP Management Elements
Advanced Settings
Detailed configuration of content inspection quality
Interrelations of DLP Management Elements
A rule-based method of representing and managing preventive, monitoring, and auditing controls in a DLP solution
• In a hierarchical organization, each unit, subunit, and the company has its own independent DLP policy managed by its administrator and applied to workloads registered in this division
• DLP management is delegated to an administrator with the best knowledge of division specifics
Policy Management Workflow
Reduces management labor costs and increases DLP policy consistency with client business processes
• Provides administrators with a clear logic for each management task to simplify completion, save time, and reduce human errors
• Necessary for automatic policy creation and renewal in the observation mode
Manual policy configuration and editing are supported in all workflow phases
• Creation, adjustment, renewal, troubleshooting
Section Summary
1. Advanced DLP addresses two essential challenges of managing data loss prevention: convenient management by humans and the need for manual configuration of client-specific DLP controls
2. To solve these challenges, the Advanced DLP management framework uses the following three elements: the data loss prevention policy, the observation and enforcement modes of operation of the data flow policy, and the advanced settings
3. For data loss prevention management in companies with a hierarchical organizational structure containing units and subunits, Advanced DLP implements the same logic of administrative rights delegation that is used in the Cyber Protect management portal
Cyber Protect Cloud
Data Flow Policy Concept and Features
Business Data Flow Based DLP Policy
Easy to manage for MSPs, easy to understand and verify for clients
Data flow: a type of data transfer used by employees to perform job duties (e.g. sending emails to clients or chatting with colleagues in Skype)
Policy rule: specifies the controls enforced over one or more data flows
Data Flow Rule Parameters
Sender
The initiator or initiators of a data transfer controlled by the rule
• A user, user list or user group
Recipient
One or more recipients or destinations of a data transfer controlled by the rule
• Internal and external user contact, user list or group
• Peripheral device (removable storage, mapped drives, redirected clipboard, printers)
• File sharing service, social network, internal and external host
Data Flow Rule Parameters (continued)
Permission
Preventive control applied to a matching data transfer
Data Flow Rule Parameters (continued)
Sensitivity
Category of data controlled by the rule:
• Protected Health Information (PHI), Personally Identifiable Information (PII), PCI DSS, Marked as Confidential
• Non-sensitive data
Action
Monitoring and audit controls applied to a matching data transfer (optional parameter; No action by default):
• Log: store an event record in the audit log if the rule fires
• Notify: display to the user a real-time onscreen warning when their transfer is blocked
• Generate an alert: notify the administrator if the rule fires
Data Flow Policy Structure and Features
Policy Sections
Rule Types – Default
Permission priority-based logic for rule combinations
Consolidation logic for rule actions
Advanced Settings
Used by DLP agents for content inspection and allowlisting in both observation and enforcement modes on every workload to which the protection plan with configured advanced settings is applied
Optical character recognition: turns OCR on or off in order to selectively extract pieces of text in 31 languages for further content inspection from graphical files and images in documents, messages, scans, screenshots, and other objects
Password-protected data: the content of password-protected archives and documents cannot be inspected. With this setting, Advanced DLP allows the administrator to select whether outgoing transfers of password-protected data must be allowed or blocked
Control errors: in case a control error occurs in DLP agent operations, the data transfer will be blocked if this option is enabled. Otherwise, the transfer will be allowed despite the error
Advanced Settings (continued)
Allowlist for device types and network communications: data transfers to the types of peripheral devices and in network communications checked in this list are allowed regardless of their data sensitivity and the enforced data flow policy
Allowlist for remote hosts: data transfers to destination hosts specified in this list are allowed regardless of their data sensitivity and the enforced data flow policy
Allowlist for applications: data transfers performed by applications specified in this list are allowed regardless of their data sensitivity and the enforced data flow policy
Section Summary
Cyber Protect Cloud
Modes of Operation
Observation Mode
Automatic client-specific baseline policy generation with optional end user assistance
No need to learn client business details and define the policy manually
• The DLP agent monitors all outgoing transfers of sensitive data from its workload
• For each transfer, its data sensitivity, sender, and recipient/destination are detected
• If the baseline policy does not already have a data flow rule with the same sender and sensitivity, a new rule is added to the policy allowing any data transfer with the sender, recipient, and sensitivity parameters of the detected one; otherwise, its recipient is added to the recipient list of the existing data flow rule with the same sender and sensitivity
Observation Mode (continued)
• The aggregate of all automatically generated data flow rules becomes the baseline DLP policy
  • Specific to the organization's business processes
  • Enforces the least privilege principle to allow only those transfers of sensitive data necessary to perform all previously observed business activities
• Optionally, end user assistance may be leveraged to increase the baseline policy accuracy
  • Users may be asked to justify, one time, transfers of sensitive data to risky destinations or recipients (e.g. outside the organization)
Observation Mode Options
Allow balancing baseline policy accuracy with observation time and end user involvement
• Per-plan option selection: end user assistance may be chosen to create or renew baseline policies for units or job roles with higher security requirements
• No time limits: the administrator decides how long the observation should continue
• Rule generalization reduces baseline policy size: a single rule is created to control more than one data flow
  • From different senders but with identical recipients and sensitivity
  • To different recipients but with identical senders and sensitivity
Baseline Policy Review and Adjustment
Clients inherently know how and where their sensitive information may be transferred, so they should review and validate the policy's consistency with their business processes
• The MSP administrator presents to the client the baseline data flow policy automatically created in the observation period
• The client reviews each data flow in the baseline policy and validates its consistency with their business processes
  • Clicking "View events" allows the client and administrator to review the justification provided by the end user when this rule was generated
• All data flows used in business operations should remain allowed
Baseline Policy Review and Adjustment (continued)
• Irrelevant data flows or potential data leakage channels already known to the client or identified in the review should be blocked
• Based on the client's instructions, the MSP manually adjusts the policy by editing, deleting, and creating data flow rules
• The default rule for each sensitive data category section must be assigned either Deny or Exception permission to prohibit any data transfer that matches no explicit rule in the policy
• After client approval, the reviewed policy is switched to enforcement
Enforcement Mode
Data loss prevention with the ability to extend the enforced policy by learning from end users
Enforced policy components
• Data flow policy created in the observation mode, adjusted, and approved by the client
  • Controls any intercepted data transfer that matches any of its data flow rules
• Default enforcement policy
  • Controls data transfer operations that do not match any explicit rule in the enforced policy
  • Control logic depends on the enforcement option
Strict enforcement option
• Both observation-based and default policy components are enforced as is, without changes
Adaptive enforcement option
• Prevents data leakage while continuing to learn new end user-justified data flows and adding them to the enforced policy
• Default rules with Exception permission and Log action
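The observation, review and enforcement steps described above, as an added worked example in Python. This is illustration code written for this handout, not Acronis product code. The Rule and Transfer shapes, the sample traffic, the treatment of non-sensitive data as uncontrolled, and the rule combination logic are assumptions: the page only names a priority-based logic for rule combinations and a consolidation logic for actions, and the example takes that to mean the most restrictive permission wins and the actions of all matching rules are combined.

```python
# Added illustration (not Acronis code) of the Advanced DLP policy lifecycle:
# observation-mode baseline, rule generalization, client review, enforcement.
# Rule/Transfer shapes, combination logic and sample traffic are assumptions.
from dataclasses import dataclass, field

SENSITIVE = ("PHI", "PII", "PCI DSS", "Confidential")   # policy sections
PRIORITY = {"Deny": 2, "Exception": 1, "Allow": 0}       # assumed: most restrictive wins


@dataclass
class Transfer:
    sender: str
    recipient: str
    sensitivity: str                # one of SENSITIVE, or "Non-sensitive"


@dataclass
class Rule:
    sensitivity: str
    senders: set
    recipients: set
    permission: str = "Allow"       # Allow | Exception | Deny
    actions: set = field(default_factory=set)   # subset of {"Log", "Notify", "Alert"}

    def matches(self, t):
        return (t.sensitivity == self.sensitivity
                and t.sender in self.senders and t.recipient in self.recipients)


def observe(transfers):
    """Observation mode: for each sensitive transfer, add a recipient to the
    Allow rule with the same sender and sensitivity, or create that rule."""
    rules = []
    for t in transfers:
        if t.sensitivity not in SENSITIVE:
            continue                # only outgoing sensitive transfers are learned
        for r in rules:
            if r.sensitivity == t.sensitivity and r.senders == {t.sender}:
                r.recipients.add(t.recipient)
                break
        else:
            rules.append(Rule(t.sensitivity, {t.sender}, {t.recipient}, "Allow"))
    return rules


def generalize(rules):
    """Rule generalization: rules with identical sensitivity and recipients but
    different senders collapse into one multi-sender rule (input left intact)."""
    merged = []
    for r in rules:
        for m in merged:
            if m.sensitivity == r.sensitivity and m.recipients == r.recipients:
                m.senders |= r.senders
                break
        else:
            merged.append(Rule(r.sensitivity, set(r.senders), set(r.recipients),
                               r.permission, set(r.actions)))
    return merged


def default_rules(permission="Deny", actions=("Log",)):
    """One default rule per sensitive section, catching transfers that match no
    explicit rule; the page requires Deny or Exception here before enforcement."""
    return {s: Rule(s, set(), set(), permission, set(actions)) for s in SENSITIVE}


def enforce(policy, defaults, t):
    """Enforcement mode: (permission, actions) for one intercepted transfer."""
    hits = [r for r in policy if r.matches(t)]
    if not hits:
        d = defaults.get(t.sensitivity)
        if d is None:               # assumed: non-sensitive data has no section
            return "Allow", set()
        return d.permission, set(d.actions)
    permission = max((r.permission for r in hits), key=PRIORITY.__getitem__)
    return permission, set().union(*(r.actions for r in hits))


# Constructed observation-period traffic for a small tenant (not real data).
OBSERVED = [
    Transfer("kate", "clients@partner.example", "PII"),
    Transfer("bob", "clients@partner.example", "PII"),
    Transfer("kate", "office-printer", "PHI"),
    Transfer("bob", "office-printer", "PHI"),
    Transfer("alice", "filesharing.example", "PII"),    # leak channel found in review
    Transfer("kate", "teamchat.example", "Non-sensitive"),
]


def build_reviewed_policy():
    """Baseline -> client review: the file sharing flow is removed and replaced
    by a Deny rule for every observed sender, with Log and Alert actions."""
    baseline = generalize(observe(OBSERVED))
    senders = set().union(*(r.senders for r in baseline))
    reviewed = [r for r in baseline if "filesharing.example" not in r.recipients]
    reviewed.append(Rule("PII", senders, {"filesharing.example"}, "Deny", {"Log", "Alert"}))
    return reviewed


if __name__ == "__main__":
    policy, defaults = build_reviewed_policy(), default_rules()
    for t in OBSERVED + [Transfer("kate", "filesharing.example", "PII")]:
        print(f"{t.sender} -> {t.recipient} [{t.sensitivity}]:", enforce(policy, defaults, t))
```

With the constructed traffic, six observed transfers collapse into three baseline rules, and after review a transfer to the file sharing host is denied for every sender while a transfer to a host nobody used in the observation period falls through to the section's default rule. Passing default_rules("Exception", ("Log",)) instead models the default rules of the adaptive enforcement option.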
Policy Renewal
Unit-wide, for a user, or for part of the users in a unit
Unit-wide renewal [observation mode]
Policy Renewal (continued): for a user, in observation mode
1. Delete from the policy enforced on the user workload all rules with the user as the single Sender
2. Remove the user from all Sender lists in the enforced policy rules
3. Apply a plan in the observation mode to the user workload to start the renewal
4. Once the renewal period is completed, review with the client and adjust the automatically created baseline policy for the user
5. Switch the plan applied to the user workload to the enforcement mode, or apply another plan in the enforcement mode to it
Policy Renewal (continued): for a user, in adaptive enforcement mode
1. Delete from the policy enforced on the user workload all rules with the user as the single Sender
2. Remove the user from all Sender lists in the enforced policy rules
3. Switch the permissions of all default rules in the enforced policy to Exception and turn on the Log option in their actions
4. Apply a plan in the adaptive enforcement mode to the user's workload to start the renewal
5. Once the renewal period is completed, review with the client and adjust the automatically created baseline policy for the user
6. Apply a plan with the appropriate enforcement mode option to the user workload
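The policy edits in steps 1 to 3 of the two renewal procedures above, as an added example in Python. This is illustration code for this handout, not Acronis code; the rule representation, the convention that a rule with empty sender and recipient sets is a section's default rule, and the sample enforced policy are assumptions. The point it makes visible is the difference between a rule the user owns alone (deleted) and a shared rule (the user is removed, the other senders keep their flow), and that only the adaptive-enforcement variant touches the default rules.

```python
# Added illustration (not Acronis code) of the per-user policy renewal
# preparation: steps 1-2 of both procedures, step 3 of the adaptive one.
# Rule shape, default-rule convention and the sample policy are assumptions.
from dataclasses import dataclass, field


@dataclass
class Rule:
    sensitivity: str
    senders: set                               # empty with empty recipients: section default rule
    recipients: set
    permission: str = "Allow"                  # Allow | Exception | Deny
    actions: set = field(default_factory=set)  # subset of {"Log", "Notify", "Alert"}

    @property
    def is_default(self):
        return not self.senders and not self.recipients


def prepare_renewal(policy, user, adaptive=False):
    """Return a new policy ready for applying the renewal plan to `user`'s workload.
    The input list is left untouched so the currently enforced policy can be kept."""
    renewed = []
    for r in policy:
        if r.is_default:
            if adaptive:                       # step 3: default rules -> Exception + Log
                renewed.append(Rule(r.sensitivity, set(), set(), "Exception",
                                    set(r.actions) | {"Log"}))
            else:                              # observation-mode renewal leaves defaults alone
                renewed.append(Rule(r.sensitivity, set(), set(), r.permission, set(r.actions)))
        elif r.senders == {user}:              # step 1: user is the single Sender -> delete
            continue
        else:                                  # step 2: drop the user from shared Sender lists
            renewed.append(Rule(r.sensitivity, set(r.senders) - {user}, set(r.recipients),
                                r.permission, set(r.actions)))
    return renewed


# Constructed enforced policy for one unit (not real data).
ENFORCED = [
    Rule("PII", {"kate", "bob"}, {"clients@partner.example"}, "Allow"),
    Rule("PHI", {"kate"}, {"office-printer"}, "Allow", {"Log"}),
    Rule("PII", {"alice"}, {"archive.internal"}, "Allow"),
    Rule("PII", set(), set(), "Deny", {"Log"}),      # default rule of the PII section
    Rule("PHI", set(), set(), "Deny"),               # default rule of the PHI section
]

if __name__ == "__main__":
    for r in prepare_renewal(ENFORCED, "kate", adaptive=True):
        print(r)
```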
Section Summary
Cyber Protect Cloud
Configuring and Using Advanced DLP
Module Outline
Cyber Protect Cloud
Creating Data Flow Policy and Policy Rules
Creating the Data Flow Policy and Policy Rules
Automatic Creation of Data Flow Policy
1 Log in to the Cyber Protection service console as an administrator
4 Expand the Data Loss Prevention section and click the Mode row
5 In the Mode dialog, select Observation mode, and select how to process data transfers: [ Allow all | Justify all | Mixed ]
6 Save the protection plan and apply it to the workloads from which you want to collect data to build the policy
Creating the Data Flow Policy and Policy Rules
Configure Data Flow Policy Manually
1 In the Cyber Protect service console, navigate to Protection > Data flow policy
4 Select a sensitivity category, add a sender and a recipient, and define the permission for data transfers for the selected category, sender, and recipient: [ Allow | Exception | Deny ]
5 (Optional) Select an action that should be executed when the rule is triggered: [ Write in log | Generate an alert | Notify the end user when a data transfer is denied ]
6 Click Save
7 Repeat steps 2 to 5 to create multiple rules of different sensitivity categories and options, and verify that the resulting rules correspond to the options that you selected
Section Summary
Cyber Protect Cloud
Enabling Protection Plans
Enabling Advanced DLP in Protection Plans
To create a protection plan with Advanced DLP
1 Navigate to Management > Protection plans
3 Expand the Data Loss Prevention section and click the Mode row
6 (Optional) To configure optical character recognition, allowlists, and more protection options, click Advanced Settings
7 Save the protection plan and apply it to the workloads that you want to protect
Section Summary
Cyber Protect Cloud
Data Loss Prevention Events
Data Loss Prevention Events
To view the events for a rule in the data flow policy
1 Locate the rule for which you want to view the events and click the ellipsis at the end of the rule line
2 Select View events
Data Loss Prevention Events
To view details about an event in the DLP events list
1 Log in to the Cyber Protect console as an administrator
5 Scroll down and up in the Event details pane to view the available information
6 The details that are displayed in the pane depend on the type of rule and rule settings that triggered the event
Data Loss Prevention Events
To filter events in the DLP events list
1 Log in to the Cyber Protect console as an administrator
4 Select sensitivity category, workload, action type, user, and channel from the drop-down menus
5 You can select more than one item in the drop-down menus. Filtering applies the logical operator OR between items in the same menu, but the logical operator AND is used between items from different menus
6 For example, if you select the PHI and PII sensitivity categories, the result will return all events that contain PHI or PII, or both. If you select sensitivity category PHI and action Write access, only events that match both criteria will appear in the filtered result
7 Click Apply
8 To view all events again, click Filter, then Reset to default, and finally click Apply
Data Loss Prevention Events
To search for events in the DLP events list
1 Repeat steps 1-2 from the previous procedure (To filter events in the DLP events list)
2 From the drop-down list to the right of Filter, select a category in which you want to search: Sender, Destination, Process, Message subject, or Reason
3 In the text box, enter the phrase you are interested in and confirm by pressing Enter on the keyboard
4 Only events matching the phrase you entered appear in the list
5 To reset the list of events, click the X sign in the search text box and press Enter
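The filter and search semantics of the two procedures above (OR between items in one drop-down menu, AND across menus; a phrase search restricted to one category), as an added example in Python that applies them offline to a constructed event list. This is illustration code for this handout, not the console's code; the event field names, the sample values and the mapping of search categories to fields are assumptions, not an export format.

```python
# Added illustration (not Acronis code): the DLP events filter (OR within a
# menu, AND across menus) and the single-category phrase search, run offline
# over constructed events. Field names and sample values are assumptions.

# Constructed events; the fields mirror the filter menus and search categories
# named on the page.
EVENTS = [
    {"sensitivity": "PHI", "workload": "WS-01", "action": "Write access", "user": "kate",
     "channel": "Removable storage", "sender": "kate", "destination": "USB disk",
     "process": "explorer.exe", "subject": "", "reason": "Rule: PHI to removable storage"},
    {"sensitivity": "PII", "workload": "WS-02", "action": "Send", "user": "bob",
     "channel": "Email", "sender": "bob", "destination": "clients@partner.example",
     "process": "outlook.exe", "subject": "Q3 customer list", "reason": "Rule: PII to partner"},
    {"sensitivity": "PII", "workload": "WS-01", "action": "Write access", "user": "kate",
     "channel": "File sharing", "sender": "kate", "destination": "filesharing.example",
     "process": "chrome.exe", "subject": "", "reason": "Default rule: PII"},
    {"sensitivity": "PCI DSS", "workload": "WS-03", "action": "Print", "user": "alice",
     "channel": "Printer", "sender": "alice", "destination": "office-printer",
     "process": "winword.exe", "subject": "", "reason": "Rule: PCI DSS to printer"},
]

FILTER_MENUS = ("sensitivity", "workload", "action", "user", "channel")
SEARCH_CATEGORIES = {"Sender": "sender", "Destination": "destination",
                     "Process": "process", "Message subject": "subject", "Reason": "reason"}


def filter_events(events, **selected):
    """`selected` maps a menu name to the items ticked in it. A menu with no
    selection imposes no constraint; inside one menu any ticked item matches
    (OR); every menu that has a selection must match (AND)."""
    unknown = set(selected) - set(FILTER_MENUS)
    if unknown:
        raise ValueError(f"not a filter menu: {sorted(unknown)}")
    active = {menu: set(items) for menu, items in selected.items() if items}
    return [e for e in events
            if all(e[menu] in items for menu, items in active.items())]


def search_events(events, category, phrase):
    """Case-insensitive phrase search in one search category; an empty phrase
    returns the full list, as clearing the search box does."""
    field = SEARCH_CATEGORIES[category]
    needle = phrase.strip().lower()
    if not needle:
        return list(events)
    return [e for e in events if needle in e[field].lower()]


if __name__ == "__main__":
    print(len(filter_events(EVENTS, sensitivity=["PHI", "PII"])))                   # OR within a menu
    print(len(filter_events(EVENTS, sensitivity=["PHI"], action=["Write access"])))  # AND across menus
    print([e["user"] for e in search_events(EVENTS, "Destination", "partner")])
```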
Data Loss Prevention Events
To view the list of events related to specific rules in the data flow policy
3 Select the check box in front of the name of the policy rule you are interested in
6 The view switches to Protection > DLP events and the events that are related to the policy rules that you selected appear in the list
Section Summary
Cyber Protect Cloud
Widgets on the Overview Dashboard
Widgets on the Overview Dashboard
Customizable widgets that give an overview of operations
You can find the following Advanced Data Loss Prevention widgets on the Overview dashboard under Monitoring
Section Summary
Thank you for watching!
Cyber Foundation
Building a More Knowledgeable Future