
#CyberFit Academy

Cyber Protect Cloud


Cloud Tech Associate
Data Loss Prevention
#CyberFit

Meet your Instructor

Amos Dong
Partner Technology Evangelist
Singapore
English
Amos.Dong@acronis.com

Amos is passionate about the latest technology trends. He comes from a solid technical IT infrastructure background and has over 16 years of experience in the IT industry, holding multiple certifications from Microsoft, Cisco, VMware, and Red Hat. His interests and specializations include Windows Server, Active Directory, Exchange Server, Hyper-V and VMware virtualization, Microsoft 365 and Google Workspace, Cisco Routing and Switching, Network Security, and Linux Server.

Learning Objectives

After completing this course, you will be able to

• Describe the use of DLP features that are available in Device Control and in Advanced DLP
• Configure and operate each feature to meet service level requirements
• Provide technical support to customers using Device Control and Advanced DLP features

Course Modules

1. Case Study
2. High Level Overview and Benefits
3. Device Control Features
4. Advanced DLP Features
5. Configuring and Using Advanced DLP

Cyber Protect Cloud
Case Study

How your employees unintentionally leaked sensitive data (Meet Kate)

Top sales person at company
Always on the go
One client meeting appointment to another

Bad actors want your data

• Was working on a huge potential client's quotation (RFQ) with her laptop at the back of a taxi
• Saved the sensitive document into her personal Google Drive to continue working later on
• In a rush she uploaded it to the wrong folder, where her holiday photo album was publicly shared with loved ones


Employee the greatest risk to your organization

• Didn't notice that she had uploaded to the wrong folder
• A close friend, Anne, messaged her in IM asking for the photos they took together during their vacation last week
• Kate happily shared the holiday photo album folder link, where the quotation was also stored
• To make things worse, Anne is also an ex-colleague who is working at a competitor company
• Anne now has access to the quotation

Once shared, you are done

× Document with highly sensitive data was shared to a competitor
× Caused severe data leak and significant damage to the company
× File sharing link is publicly available on the Internet; web crawlers and bad actors could also access it
× Kate's company could lose the bid to this important project
× Potential risk can be extensive

What can you do now?

✓ Check that the destination folder is correct before saving work documents
✓ Do not upload work documents into non-company file sharing services
✓ Raise awareness on the importance and impact of data leakage
✓ Have a Data Loss Prevention solution in place

Using a Data Loss Prevention Solution

✓ With Advanced DLP it would prevent this data leak from happening
✓ DLP agent detects transfer of sensitive documents to file sharing services and blocks it
✓ Policy prohibits the transaction and an audit log entry is created for investigation
✓ Company could issue a warning to the affected employees on how to handle confidential documents

Section Summary

1. Potential Kates are everywhere. Kate almost unintentionally handed over a company project to the competitor
2. With a comprehensive DLP strategy, training, and a DLP solution in use, organizations can help Kates become a lot less dangerous

Cyber Protect Cloud
High Level Overview and Benefits

Integrated Platform
An integrated solution of cyber security, backup, disaster recovery, management and automation built specifically for SPs

Data Loss Prevention

Advanced Data Loss Prevention
▪ Content Flows Control
▪ Content Discovery
▪ User Activity Monitoring

Cyber Protect Cloud
Device Control Features

Module Outline

1. Using Device Control and Access Settings
2. Device Types Allowlist and Alerts

Cyber Protect Cloud
Using Device Control and Access Settings

Device Control
Strengthen your security services and minimize the risk of data leaks for clients with essential data loss prevention (DLP)

Controlled local channels on physical and virtual workloads (Windows PC, workstation, server):
• Peripheral and redirected devices
• Local and redirected ports
• Windows clipboard and redirected clipboards

Device Control (continued)
Capabilities:
• Selective access control per device/port type (deny, allow, read-only)
• Real-time alerts and notifications
• On workloads – on/off for all devices and ports
• In console – on/off per device/port type
• Control clipboard copy/paste operations
• Control screenshot captures
• Support of encrypted removable media
• Allowlisting
  • Device type
  • USB – granular, down to serial number
  • Clipboard operations – within applications

Why? Proactively prevent data leaks and control data flows between devices and peripherals

Supported Operating Systems

The device control module can protect computers running the following operating systems:

Microsoft Windows 7 Service Pack 1 and later
Microsoft Windows Server 2008 R2 and later
macOS 10.15 (Catalina) and later
macOS 11.2.3 (Big Sur) and later
macOS 12.0 (Monterey) and later

→ Note: Agent for Data Loss Prevention for macOS supports only x64 processors (Apple silicon ARM-based processors are not supported)

Device Control Section
Displays a summary of the module's configuration

Access settings - Shows a summary of device types and ports with restricted (denied or read-only) access
Device types allowlist - Shows how many device subclasses are allowed by excluding them from device access control
USB devices allowlist - Shows how many USB devices/models are allowed by excluding them from device access control
Exclusions - Shows how many access control exclusions have been set for Windows clipboard, screenshot capture, printers, and mobile devices

Enable or Disable Device Control

1. In the service console, go to Devices > All devices
2. Do one of the following to open the protection plan panel:
   • If you are going to create a new protection plan, select a machine to protect, click Protect, and then click Create plan
   • If you are going to change an existing protection plan, select a protected machine, click Protect, click the ellipsis (...) next to the name of the protection plan, and then click Edit
3. In the protection plan panel, navigate to the Device control area, and click to turn the Device control switch on or off
4. Do one of the following to apply your changes:
   • If creating a protection plan, click Create
   • If editing a protection plan, click Save


View or Change Access Settings

1. Open the protection plan panel for a protection plan and enable device control in that plan
2. Click the arrow icon next to the Device control switch to expand the settings, and then click the link next to Access settings
3. On the page for managing access settings that appears, view or change access settings as appropriate


Access Settings
i The access settings allow you to limit user access to the following device types and ports:

Device types: Removable storage, Encrypted removable, Printers, Clipboard, Screenshot capture, Mobile devices, Bluetooth, Optical drives, Floppy drives
Ports: USB, FireWire, Redirected devices

OS Notification and Service Alerts
i You can configure device control to display an OS notification to end users if they try to use a blocked device type on protected computers

• When the "Show OS notification to end users if they try to use a blocked device type or port" check box is selected, the agent displays a pop-up message in the notification area of the protected computer if any of the following events occurs:
  • A denied attempt to use a device on a USB or FireWire port
  • A denied attempt to copy a data object to/from a certain device
• User attempts to access blocked device types on protected computers can raise alerts that are logged in the service console
• It is possible to enable alerts for each device type or port separately by selecting the "Show alert" check box

Section Summary

1. Device control module leverages a functional subset of the agent for Data Loss Prevention on each protected computer to detect and prevent unauthorized access and transmission of data over local computer channels
2. It provides fine-grained control over a wide range of data leakage pathways including data exchange using removable media, printers, virtual and redirected devices, and the Windows clipboard
3. Device control module can protect computers running the following operating systems (and later) - Windows 7 Service Pack 1, Windows Server 2008 R2, macOS 10.15 (Catalina), macOS 11.2.3 (Big Sur), and macOS 12.0 (Monterey)

Cyber Protect Cloud
Device Type Allowlist and Alerts

Allow or Disallow Device Types Allowlist

Device Types Allowlist
i Device subclasses that can be excluded from device access control:
• USB HID (mouse, keyboard, etc.)
• USB and FireWire network cards
• USB scanners and still image devices
• USB audio devices
• USB cameras
• Bluetooth HID (mouse, keyboard, etc.)
• Clipboard copy/paste within application

Exclude Individual USB Devices from Access Control

USB Devices Allowlist
i Intended to allow using certain USB devices regardless of any other device control settings

• Add individual devices or device models to disable access control for those devices
• Specify individual USB devices or USB device models to exclude from device access control
• Two ways to identify devices in the allowlist:
  • Model of device - Collectively identifies all devices of a certain model. Each device model is identified by vendor ID (VID) and product ID (PID)
  • Unique device - Identifies a certain device. Each unique device is identified by vendor ID (VID), product ID (PID), and serial number
• To add a device to the allowlist, you first need to add it to the USB devices database

USB Devices Database
i The device control module maintains a database of USB devices from which you can add devices to the list of exclusions

• A USB device can be registered with the database in any of these ways:
  • Add a device on the page that appears when adding a device to the exclusion list
  • Add a device from the USB Devices tab of a computer's Inventory pane in the service console
  • Allow the device from an alert on denying access to the USB device

Excluding Process from Access Control
i On the Exclusions page, you can specify a list of processes that will not be hooked

• The access to Windows clipboard, screenshot capture, printers, and mobile devices is controlled through hooks injected into processes
• If processes are not hooked, the access to these devices will not be controlled
• This means that clipboard (local and redirected), screenshot capture, printer, and mobile device access controls will not be applied to such processes

Note: Excluding processes from access control is not supported on macOS

Device Control Alerts
i The device control maintains an event log by tracking user attempts to access controlled device types, ports, or interfaces

• Certain events can raise alerts that are logged in the service console
• When configuring the device control module, you can enable alerts for most items listed under Device type (except screenshot capture) or Ports
• If alerts are enabled, each attempt by a user to perform an operation that is not allowed generates an alert

Device Control Alerts (continued)
i To view alerts in the service console, go to Monitoring > Alerts

Within each device control alert, the console provides the following information about the respective event:

• Type
• Status
• Message
• Date and time
• Device
• Plan name
• Source
• Action
• Name
• Information
• User
• Process

Section Summary

1. On the Device types allowlist page, you can choose device subclasses to exclude from device access control. As a result, access to those devices is allowed regardless of the access settings in the device control module
2. The USB devices allowlist is intended to allow using certain USB devices regardless of any other device control settings. You can add individual devices or device models to the USB devices allowlist to disable the access control for those devices

Section Summary (continued)

3. The access to Windows clipboard, screenshot capture, printers, and mobile devices is controlled through hooks injected into processes. If processes are not hooked, the access to these devices will not be controlled
4. The device control maintains an event log by tracking user attempts to access controlled device types, ports, or interfaces. Certain events can raise alerts that are logged in the service console

Cyber Protect Cloud
Advanced DLP Pack Features

Module Outline

1. Management Framework
2. Data Flow Policy Concept and Features
3. Modes of Operation and Policy Renewal

Cyber Protect Cloud
Management Framework

Supported Platforms
Agent for DLP

Operating System                              | Version
Microsoft Windows 7 Service Pack 1 or later   | 7 SP1, 8, 8.1, 10, and 11
Microsoft Windows Server 2008 R2 or later     | 2008 R2, 2012, 2012 R2, 2016, 2019, and 2022

Main DLP Management Elements
Data Loss Prevention Policy
i A rule-based method of representing and managing preventive, monitoring, and auditing controls in a DLP solution

Key policy requirements:
• Easy to understand and manage for specialists + understandable for non-technical people
• Effectively enforce the principle of least privilege for preventing data leaks
  1) Allow all data transfers used in the business process
  2) Block any other transfers of sensitive data
  3) Do not interrupt any non-sensitive data transfers

Main DLP Management Elements
Data Loss Prevention Policy (continued)
Key policy requirements:
• Flexible configuration of conditions and actions
  1) Permissions for controlling sensitive data flows – allow or block
  2) Audit log collection – only meaningful events and their parameters
  3) Administrative alerts – for critical events
  4) End user notifications – when their real-time involvement is required and on blocked operations due to policy violations

Main DLP Management Elements
Modes of Operation
i Allow managing the learning and enforcement logic of DLP operations

Observation Mode – policy learning and creating logic management
Enforcement Mode – policy enforcement logic management

Main DLP Management Elements
Advanced Settings
i Detailed configuration of content inspection quality
i Allowlisting of peripheral devices, network communications, destinations, and applications

Interrelations of DLP Management Elements

• In a hierarchical organization, each unit, subunit, and the company has its own independent DLP policy managed by its administrator and applied to workloads registered in this division
• DLP management is delegated to an administrator with the best knowledge of division specifics
• The DLP policy is defined separately for each protection plan
• Maximum flexibility for policy creation, adjustment, renewal, and troubleshooting

Interrelations of DLP Management Elements (diagram)

Company DLP policy and Unit DLP policy, each applied through protection plans:
▪ Protection plan 1 – Observation mode, Advanced settings (ON)
▪ Protection plan 2 – Enforcement mode, Advanced settings (OFF)
▪ Protection plan 3 – Enforcement mode, Advanced settings (OFF)
▪ Unprotected workload

Policy Management Workflow

Reduces management labor costs and increases DLP policy consistency with client business processes
• Provides administrators with a clear logic of each management task to simplify their completion, save time, and reduce human errors
• Necessary for automatic policy creation and renewal in the observation mode

Manual policy configuration and editing supported in all workflow phases
• Creation, adjustment, renewal, troubleshooting

Section Summary

1. Advanced DLP addresses two essential challenges of managing data loss prevention – convenient management by humans and the need for manual configuration of client-specific DLP controls
2. To solve these challenges, the Advanced DLP management framework uses the following three elements – Data loss prevention policy, Observation and enforcement modes of operation of the data flow policy, and Advanced settings
3. For data loss prevention management in companies with a hierarchical organizational structure containing units and subunits, Advanced DLP implements the same logic of administrative rights delegation that is used in the Cyber Protect management portal

Cyber Protect Cloud
Data Flow Policy Concept and Features

Business Data Flow Based DLP Policy
Easy to manage for MSPs, understand and verify for clients

Data flow
A type of data transfer used by employees to perform job duties (e.g. sending emails to clients or chatting with colleagues in Skype)

Policy rule
i Specifies controls enforced over one or more data flows: sender, recipient, sensitivity category of transferred data, whether the flow should be allowed or blocked, whether its record is stored in the audit log, and whether administrators are alerted on this event

Business Data Flow Based DLP Policy
Easy to manage for MSPs, understand and verify for clients

Data flow policy
A set of business-level rules that collectively specify all allowed and prohibited business-related sensitive data flows in the organization
• Any transfer of sensitive data that matches no permissive rule in the policy is not required for the business and is blocked to prevent data leakage
i Inherently understandable and auditable by non-technical clients
i Easy to manage and customize for MSP administrators

Data Flow Rule Parameters

Sender
The initiator or initiators of a data transfer controlled by the rule
• A user, user list or user group

Recipient
One or more recipients or destinations of a data transfer controlled by the rule
• Internal and external user contact, user list or group
• Peripheral device (removable storage, mapped drives, redirected clipboard, printers)
• File sharing service, social network, internal and external host

Data Flow Rule Parameters
Permission
Preventive control applied to a matching data transfer
• Allow – allow any data transfer matching the rule
• Exception – block any data transfer matching the rule but allow the sender to override the block in an extraordinary business situation by requesting a one-time exception
• Deny – block any data transfer matching the rule without the ability to override the block

A Priority flag can be assigned to Allow and Exception permissions to increase policy flexibility

Data Flow Rule Parameters
Sensitivity
Category of data controlled by the rule:
• Protected Health Information (PHI), Personally Identifiable Information (PII), PCI DSS, Marked as Confidential
• Non-sensitive data

Action
Monitoring and audit controls applied to a matching data transfer (optional parameter – No action by default):
• Log – store event record in the audit log if the rule fires
• Notify – display to the user a real-time onscreen warning when their transfer is blocked
• Generate an alert – notify the administrator if the rule fires

Data Flow Policy Structure and Features

i Policy Sections
Rules are grouped by data sensitivity categories for better visual correlation and logical understanding by administrators

i Rule Types
• Explicit (non-default) – created manually or automatically to either allow or block one or more specific data flows
• Default – applied to any data transfer that matches none of the explicit rules specified in the policy section for a data sensitivity category

Data Flow Policy Structure and Features (continued)
i Rule Types – Default

• Exactly one default rule is created automatically for each sensitive data category and for the non-sensitive data category
• Permissions of default rules for all sensitive data categories are initially set to Exception and can be changed to Deny during policy review before switching the plan into enforcement
• Non-sensitive default rule permission is always set to Allow and cannot be changed
• Default rules cannot be deleted without deleting all explicit rules in the same sensitive category
• Sender and Recipient fields of a default policy rule are non-editable
• Default rule's Recipient for a sensitive data category is Other – for each particular explicit rule, it means any recipient not specified in this rule
• Default rule's Recipient for non-sensitive data is Any possible recipient

Data Flow Policy Structure and Features (continued)
i Permission priority-based logic for rule combinations

• Rule permission priorities (descending order)
  → Exception with "Prioritized" flag, Allow with "Prioritized" flag, Deny, Exception, Allow
• A data transfer matching more than one rule with different permissions specified for the same sensitive data category is controlled by the matching rule with the highest priority permission
• For a data transfer matching more than one rule with different permissions specified for different sensitive data categories:
  → The matching rule with the highest priority permission is determined for each sensitivity category
  → The most restrictive of these prevailing rules is enforced over this data transfer

Data Flow Policy Structure and Features (continued)
i Consolidation logic for rule actions

• If a data transfer matches more than one rule with different options configured in the "Action" field, the resulting set of options performed when enforcing the policy over this data transfer is a merge of all options configured in the rules matching this data transfer
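Added worked model (not Acronis code and not from this deck) of the permission priority logic and the action consolidation logic described on the two slides above. The users, group, host names and the policy are constructed, and the restrictiveness ordering Deny > Exception > Allow used to pick between the prevailing rules of different categories is an assumption.

```python
# Constructed model of Advanced DLP rule combination; not the product's code.
from dataclasses import dataclass

# Rule permission priorities in descending order, as listed on the slide.
# The "Prioritized" flag can only be set on Allow and Exception permissions.
PERMISSION_PRIORITY = {
    ("Exception", True): 5,
    ("Allow", True): 4,
    ("Deny", False): 3,
    ("Exception", False): 2,
    ("Allow", False): 1,
}

# Assumption: when prevailing rules of different sensitivity categories disagree,
# "most restrictive" is Deny > Exception > Allow (Deny blocks without override,
# Exception blocks but can be overridden, Allow permits).
RESTRICTIVENESS = {"Deny": 3, "Exception": 2, "Allow": 1}

NON_SENSITIVE = "Non-sensitive"


@dataclass(frozen=True)
class Rule:
    sender: str                        # a user, or a group such as "group:sales"
    recipient: str                     # destination; default rules use "Other"/"Any"
    sensitivity: str                   # PHI, PII, PCI DSS, Marked as Confidential, ...
    permission: str                    # Allow, Exception or Deny
    prioritized: bool = False
    actions: frozenset = frozenset()   # any of Log, Notify, Alert
    default: bool = False              # exactly one default rule per category


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    sensitivities: frozenset           # categories detected in the content
    groups: frozenset = frozenset()    # groups the sender belongs to


def _explicit_matches(rules, transfer, category):
    """Explicit (non-default) rules of one category that match the transfer."""
    return [
        r for r in rules
        if not r.default
        and r.sensitivity == category
        and (r.sender == transfer.sender or r.sender in transfer.groups)
        and r.recipient == transfer.recipient
    ]


def prevailing_rule(rules, transfer, category):
    """Rule that wins for one sensitivity category (None if the category has no rules)."""
    explicit = _explicit_matches(rules, transfer, category)
    if explicit:
        # Same category, several permissions: the highest permission priority wins.
        return max(explicit, key=lambda r: PERMISSION_PRIORITY[(r.permission, r.prioritized)])
    # No explicit rule matched: the category's default rule ("Other" recipient) applies.
    defaults = [r for r in rules if r.default and r.sensitivity == category]
    return defaults[0] if defaults else None


def evaluate(rules, transfer):
    """Return (permission, merged_actions) enforced over the transfer."""
    categories = transfer.sensitivities or frozenset({NON_SENSITIVE})
    prevailing = [p for c in categories if (p := prevailing_rule(rules, transfer, c))]
    if not prevailing:
        raise ValueError("policy has no default rule for a matched category")
    # Different categories: the most restrictive of the prevailing rules is enforced.
    winner = max(prevailing, key=lambda r: RESTRICTIVENESS[r.permission])
    # Actions of every matching rule (explicit and default) are merged, not overridden.
    matched = {r for c in categories for r in _explicit_matches(rules, transfer, c)}
    matched.update(prevailing)
    actions = frozenset().union(*(r.actions for r in matched))
    return winner.permission, actions


# Constructed policy: an explicit prioritized Allow for one user, a group-wide Deny,
# and the mandatory default rules. Host and user names are made up.
POLICY = [
    Rule("kate", "crm.example.internal", "PII", "Allow", prioritized=True, actions=frozenset({"Log"})),
    Rule("group:sales", "crm.example.internal", "PII", "Deny", actions=frozenset({"Alert"})),
    Rule("Any", "Other", "PII", "Exception", actions=frozenset({"Log", "Notify"}), default=True),
    Rule("Any", "Other", "PCI DSS", "Exception", actions=frozenset({"Notify"}), default=True),
    Rule("Any", "Any", NON_SENSITIVE, "Allow", default=True),
]

if __name__ == "__main__":
    sales = frozenset({"group:sales"})
    # Same category: prioritized Allow beats the group Deny; actions Log and Alert merge.
    print(evaluate(POLICY, Transfer("kate", "crm.example.internal", frozenset({"PII"}), sales)))
    # Two categories: PII prevails Allow, PCI DSS falls to its Exception default, so Exception wins.
    print(evaluate(POLICY, Transfer("kate", "crm.example.internal", frozenset({"PII", "PCI DSS"}), sales)))
```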

Advanced Settings
Used by DLP agents for content inspection and allowlisting in both observation and enforcement modes on every workload to which the protection plan with configured advanced settings is applied

Optical character recognition (OCR)
This setting turns on or off OCR in order to selectively extract pieces of text in 31 languages for further content inspection from graphical files and images in documents, messages, scans, screenshots, and other objects

Transfer of password-protected data
The content of password-protected archives and documents cannot be inspected. With this setting, Advanced DLP allows the administrator to select whether outgoing transfers of password-protected data must be allowed or blocked.

Prevent data transfer on errors
In case a control error occurs in DLP agent operations, the data transfer will be blocked if this option is enabled. Otherwise, the transfer will be allowed despite the error

Advanced Settings (continued)
Used by DLP agents for content inspection and allowlisting in both observation and enforcement modes on every workload to which the protection plan with configured advanced settings is applied

Allowlist for device types and network communications
Data transfers to the types of peripheral devices and in network communications checked in this list are allowed regardless of their data sensitivity and the enforced data flow policy

Allowlist for remote hosts
Data transfers to destination hosts specified in this list are allowed regardless of their data sensitivity and the enforced data flow policy

Allowlist for applications
Data transfers performed by applications specified in this list are allowed regardless of their data sensitivity and the enforced data flow policy

Advanced Settings (continued)
Used by DLP agents for content inspection and allowlisting in both observation and enforcement modes on every workload to which the protection plan with configured advanced settings is applied

The "Security level" indicator
In the "Create protection plan" and in the "Details" view of a protection plan, the indicator has three levels of settings use indication:
• Basic – not more than one of the advanced settings is turned on
• Moderate – more than one setting is turned on (excluding the combination of "OCR", "Transfer of password-protected data", and "Prevent data transfer on errors")
• Strict – at least the combination of "OCR", "Transfer of password-protected data", and "Prevent data transfer on errors" is turned on


Section Summary

1. In order to increase the level of service provisioning automation and reduce its labor costs, Advanced DLP implements a policy management workflow with a mix of automatic and manual methods
2. Advanced DLP supports a business-level representation of data loss prevention policies. The policy concept is based on the notion of a business data flow, which describes a type of data transfer used by end users to perform their job duties
3. A data flow policy rule representation in the Data flow policy view of the Protection service console has an ordered structure

Section Summary (continued)

4. In the Data flow policy view, rules are grouped according to the data sensitivity categories these rules are specified for. The sensitivity category name is displayed right above the group of rules belonging to this category
5. The advanced settings allow increasing the quality of data content inspection in channels controlled by Advanced DLP and excluding from any preventive controls data transfers to peripheral device types in the allowlist, categories of network communications, destination hosts, as well as data transfers initiated by applications in the allowlist

Cyber Protect Cloud
Modes of Operation

Observation Mode
Automatic client-specific baseline policy generation with optional end user assistance
No need to learn client business details and define policy manually

• The DLP agent monitors all outgoing transfers of sensitive data from its workload
• For each transfer, its data sensitivity, sender, and recipient/destination are detected
• If the baseline policy does not already have a data flow rule with the same sender and sensitivity, a new rule is added to the policy allowing any data transfer with the sender, recipient, and sensitivity parameters of the detected one – otherwise, its recipient is added to the recipient list of the existing data flow with the same sender and sensitivity

Observation Mode (continued)
Automatic client-specific baseline policy generation with optional end user assistance
No need to learn client business details and define policy manually

The aggregate of all automatically generated data flow rules becomes the baseline DLP policy
• Specific to the organization's business processes
• Enforces the least privilege principle to allow only those transfers of sensitive data necessary to perform all previously observed business activities

Optionally, end user assistance may be leveraged to increase the baseline policy accuracy
• Users may be asked to provide a one-time justification for transfers of sensitive data to risky destinations or recipients (e.g. outside the organization)

Observation Mode Options
Allow balancing baseline policy accuracy with observation time and end user involvement

Per-plan option selection
• End user assistance may be chosen to create or renew baseline policies for units or job roles with higher security requirements

No time limits
• Administrator decides how long the observation should continue

Rule generalization reduces baseline policy size – a single rule is created to control more than one data flow:
• From different senders but with identical recipients and sensitivity
• To different recipients but with identical senders and sensitivity
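Added example (not the DLP agent's code and not from this deck) modelling the observation-mode rule learning of the Observation Mode slides above, including the rule generalization across senders. The observed events, user names, hosts and the justification text are constructed.

```python
# Constructed model of observation-mode baseline policy learning; not Acronis code.
from dataclasses import dataclass, field


@dataclass
class BaselineRule:
    senders: list
    recipients: list
    sensitivity: str
    permission: str = "Allow"          # observation only produces permissive rules
    justifications: list = field(default_factory=list)  # reviewed via "View events"


def learn_baseline(observed):
    """Build baseline rules from observed (sender, recipient, sensitivity, justification) events."""
    rules = {}  # (sender, sensitivity) -> BaselineRule
    for sender, recipient, sensitivity, justification in observed:
        key = (sender, sensitivity)
        if key not in rules:
            # No rule yet with this sender and sensitivity: add a new permissive rule.
            rules[key] = BaselineRule([sender], [recipient], sensitivity)
        elif recipient not in rules[key].recipients:
            # Same sender and sensitivity already seen: extend the recipient list
            # (this is the "different recipients, identical senders" generalization).
            rules[key].recipients.append(recipient)
        if justification:
            # Keep the end user's one-time justification with the rule it produced.
            rules[key].justifications.append((recipient, justification))
    return list(rules.values())


def generalize(rules):
    """Merge rules with identical recipients and sensitivity but different senders."""
    merged = {}  # (recipient set, sensitivity) -> BaselineRule
    for rule in rules:
        key = (frozenset(rule.recipients), rule.sensitivity)
        if key in merged:
            target = merged[key]
            target.senders.extend(s for s in rule.senders if s not in target.senders)
            target.justifications.extend(rule.justifications)
        else:
            merged[key] = BaselineRule(list(rule.senders), list(rule.recipients),
                                       rule.sensitivity, justifications=list(rule.justifications))
    return list(merged.values())


# Constructed observation log: sender, recipient, sensitivity, justification (if the user was asked).
OBSERVED = [
    ("kate", "crm.example.internal", "PII", None),
    ("kate", "mail.example.com", "PII", None),
    ("kate", "crm.example.internal", "PII", None),   # repeated flow: no change
    ("bob", "crm.example.internal", "PII", None),
    ("bob", "mail.example.com", "PII", None),
    ("bob", "drive.partner.example", "PCI DSS", "Quarterly report requested by auditor"),
]


def baseline_policy(observed=OBSERVED):
    """Learned rules after generalization: the baseline policy handed to the client for review."""
    return generalize(learn_baseline(observed))


if __name__ == "__main__":
    for rule in baseline_policy():
        print(rule.permission, rule.senders, "->", rule.recipients, f"[{rule.sensitivity}]")
```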

Baseline Policy Review and Adjustment
Clients inherently know how and where their sensitive information may be transferred; they should review and validate the policy's consistency with business processes

• MSP administrator presents to the client the baseline data flow policy automatically created in the observation period
• Client reviews each data flow in the baseline policy and validates its consistency with their business processes
  • Clicking "View events" allows the client and administrator to review the justification provided by the end user when this rule was generated
• All data flows used in business operations should remain allowed

Baseline Policy Review and Adjustment (continued)
Clients inherently know how and where their sensitive information may be transferred; they should review and validate the policy's consistency with business processes

• Irrelevant data flows or potential data leakage channels already known to the client or identified in the review should be blocked
• Based on the client's instructions, the MSP manually adjusts the policy by editing, deleting, and creating data flow rules
• The default rule for each sensitive data category section must be assigned either Deny or Exception permission to prohibit any data transfer that matches no explicit rule in the policy
• After client approval, the reviewed policy is switched to enforcement

Enforcement Mode
Data loss prevention with the ability to extend the enforced policy by learning from end users

Enforced policy components
• Data flow policy created in the observation mode, adjusted, and approved by the client
  • Controls any intercepted data transfer that matches any of its data flow rules
• Default enforcement policy
  • Controls data transfer operations that do not match any explicit rule in the enforced policy
  • Control logic is enforcement option dependent

Strict enforcement option
• Both observation-based and default policy components are enforced as is, without changes

Adaptive enforcement option
• Prevents data leakage while continuing to learn new end user-justified data flows and adding them to the enforced policy
• Default rules with Exception permission and Log action

Policy Renewal
Unit-wide, for a user or part of users in a unit

Unit-wide renewal [observation mode]
1. Delete all rules in the enforced unit policy
2. Switch the plan applied to all unit workloads to the observation mode to start policy renewal
3. Once the renewal period is completed, review with the client and adjust the automatically created baseline unit policy
4. Switch the applied plan to the enforcement mode or apply to the unit another plan in the enforcement mode

Policy Renewal (continued)
Unit-wide, for a user or part of users in a unit

Renewal for user(s) [observation mode]
1. Delete from the policy enforced on the user workload all rules with the user as the single Sender
2. Remove the user from all Sender lists in the enforced policy rules
3. Apply a plan in the observation mode to the user workload to start renewal
4. Once the renewal period is completed, review with the client and adjust the automatically created baseline policy for the user
5. Switch the plan applied to the user workload to the enforcement mode or apply to it another plan in the enforcement mode

#CyberFit Academy
Policy Renewal (continued)
Unit-wide, for a user or part of users in a unit
Renewal for user(s) [adaptive enforcement mode]
1. Delete from the policy enforced on the unit workload all rules with the user as the single Sender
2. Remove the user from all Sender lists in the enforced policy rules
3. Switch the permissions of all default rules in the enforced policy to Exception and turn on the Log option in their actions
4. Apply a plan in the adaptive enforcement mode to the user's workload to start the renewal
5. Once the renewal period is completed, review with the client and adjust the automatically created baseline policy for the user
6. Apply a plan with the appropriate enforcement mode option to the user workload

Policy Renewal
Difference between using the observation mode and the adaptive enforcement mode
Observation mode-based renewal
• No rules from the unit policy are enforced over the user's data transfers during the renewal
Adaptive enforcement mode-based renewal
• The unit policy rules for sender groups the user is a member of are also enforced over data transfers from this user during the renewal
• The renewal will not create new individual rules for the user that would contradict or match these already existing policy rules for sender groups
Which of these two methods is more effective for user policy renewals for a particular client depends on that client's specific IT security requirements.
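The per-user renewal steps on the preceding slide (adaptive enforcement mode) and the sender-group point above, as an added Python sketch that is not Acronis or course code: prepare_user_renewal() performs steps 1 to 3 on an enforced rule list, and learn_user_rule() shows why a flow already governed by a sender-group rule gets no individual rule. Rule, both functions and the groups mapping (group identity to member users) are constructed names.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    category: str
    senders: frozenset      # user or group identities; empty senders and recipients = default rule
    recipients: frozenset
    permission: str         # "Allow" | "Exception" | "Deny"
    log: bool = False       # "Write in log" action

def is_default(rule):
    return not rule.senders and not rule.recipients

def prepare_user_renewal(rules, user):
    """Steps 1-3 of the adaptive-mode renewal for one user, applied to the enforced
    policy: drop rules with `user` as the single sender, remove `user` from the
    sender list of every other rule, and switch each default rule to Exception
    with the Log action turned on. Group identities in sender lists are untouched.
    Returns a new list; the input policy is not modified."""
    out = []
    for r in rules:
        if is_default(r):
            out.append(replace(r, permission="Exception", log=True))
        elif r.senders != frozenset({user}):
            out.append(replace(r, senders=r.senders - {user}))
    return out

def learn_user_rule(rules, user, category, recipient, groups):
    """What the renewal learns for `user` from one justified transfer.

    `groups` maps a group identity to its member users. The renewal creates no
    individual rule for a flow already governed by a sender-group rule the user
    belongs to; otherwise an individual Allow rule is appended.
    Returns (rules, created)."""
    for r in rules:
        if is_default(r) or r.category != category or recipient not in r.recipients:
            continue
        if any(user in groups.get(g, ()) for g in r.senders):
            return rules, False                 # covered by an enforced group rule
    new = Rule(category, frozenset({user}), frozenset({recipient}), "Allow")
    return rules + [new], True
```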

Section Summary
1. There are two modes of operation: Observation mode and Enforcement mode
2. Observation mode implements a logic of monitoring and learning sensitive data flows from client computers and turns them into permissive data flow rules of the baseline policy. Data leakage is not prevented in the Observation mode
3. Observation mode has three options that allow service providers to balance the accuracy of baseline policy generation with the observation period duration and the need to utilize end user assistance: Allow all, Justify all, and Mixed
4. In Enforcement mode, the reviewed and approved data flow policy created for the company or unit is enforced and prevents leakage of sensitive data from protected workloads by applying the permissions and actions specified in the policy rules
5. Enforcement mode has two options: Strict enforcement and Adaptive enforcement

Cyber Protect Cloud
Configuring and Using Advanced DLP

Module Outline
1. Creating Data Flow Policy and Policy Rules
2. Enabling Protection Plans
3. Data Loss Prevention Events
4. Widgets on the Overview Dashboard

Cyber Protect Cloud
Creating Data Flow Policy and Policy Rules

Creating the Data Flow Policy and Policy Rules
Automatic Creation of Data Flow Policy
1. Log in to the Cyber Protection service console as an administrator
2. Navigate to Management > Protection plans
3. Click Create plan
4. Expand the Data Loss Prevention section and click the Mode row
5. In the Mode dialog, select Observation mode, and select how to process data transfers: [ Allow all | Justify all | Mixed ]
6. Save the protection plan and apply it to the workloads from which you want to collect data to build the policy

[Screenshots: Automatic Creation of Data Flow Policy]

Creating the Data Flow Policy and Policy Rules
Configure Data Flow Policy Manually
1. In the Cyber Protect service console, navigate to Protection > Data flow policy
2. Click New data flow rule
3. The New data flow rule pane expands on the right
4. Select a sensitivity category, add a sender and a recipient, and define the permission for data transfers for the selected category, sender, and recipient: [ Allow | Exception | Deny ]
5. (Optional) Select an action that should be executed when the rule is triggered: [ Write in log | Generate an alert | Notify the end user when a data transfer is denied ]
6. Click Save
7. Repeat steps 2 to 5 to create multiple rules of different sensitivity categories and options, and verify that the resulting rules correspond to the options that you selected

[Screenshots: Configure Data Flow Policy Manually]

Section Summary
1. Data Flow Policy and Policy Rules can be created automatically by selecting Observation mode in the Protection Plan, or configured manually by creating a New data flow rule in the Data flow policy tab

Cyber Protect Cloud
Enabling Protection Plans

Enabling Advanced DLP in Protection Plans
To create a protection plan with Advanced DLP
1. Navigate to Management > Protection plans
2. Click Create plan
3. Expand the Data Loss Prevention section and click the Mode row
4. The Mode dialog opens.
• To start the creation or renewal of the data flow policy, select Observation mode and then select how to process data transfers: [ Allow all | Justify all | Mixed ]
• To enforce the existing data flow policy, select Enforcement mode, and then select how strictly to enforce the data flow policy rules: [ Strict enforcement | Adaptive enforcement (Enforcement with learning) ]
5. Click Done to close the Mode dialog
6. (Optional) To configure optical character recognition, allowlists, and more protection options, click Advanced Settings
7. Save the protection plan and apply it to the workloads that you want to protect

[Screenshots: Enabling Advanced Data Loss Prevention in Protection Plans]

Section Summary
1. Advanced DLP features can be included in any protection plan for a customer tenant if the Protection service and the Advanced DLP pack are enabled for this customer
2. Advanced DLP is the advanced module of the Data loss prevention feature group. The Advanced DLP features and Device control can be used independently or together, in which case their functional capabilities are coordinated

Cyber Protect Cloud
Data Loss Prevention Events

Data Loss Prevention Events
To view the events for a rule in the data flow policy
1. Log in to the Cyber Protect console as an administrator
2. Navigate to Protection > Data flow policy
3. Locate the rule for which you want to view the events and click the ellipsis at the end of the rule line
4. Select View events

[Screenshots: To view the events for a rule in the data flow policy]

Data Loss Prevention Events
To view details about an event in the DLP events list
1. Log in to the Cyber Protect console as an administrator
2. Navigate to Protection > DLP events
3. Click an event in the list to view more details about it
4. The Event details pane expands to the right
5. Scroll down and up in the Event details pane to view the available information
6. The details that are displayed in the pane depend on the type of rule and the rule settings that triggered the event

[Screenshot: To view details about an event in the DLP events list]

Data Loss Prevention Events
To filter events in the DLP events list
1. Log in to the Cyber Protect console as an administrator
2. Navigate to Protection > DLP events
3. In the upper left, click Filter
4. Select sensitivity category, workload, action type, user, and channel from the drop-down menus
5. You can select more than one item in the drop-down menus. Filtering applies the logical operator OR between items in the same menu, but the logical operator AND is used between items from different menus
6. For example, if you select the PHI and PII sensitivity categories, the result will return all events that contain PHI or PII, or both. If you select the sensitivity category PHI and the action Write access, only events that match both criteria will appear in the filtered result
7. Click Apply
8. To view all events again, click Filter, then Reset to default, and finally click Apply
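The filter and search semantics of the DLP events list (OR within a menu, AND across menus; phrase search in one chosen category) as an added Python example that is not Acronis or course code, run over a constructed event sample: the PHI/PII and PHI + Write access cases from step 6 are reproduced on it. EVENTS, filter_events() and search_events() are constructed names, and the field values are made up.

```python
# Constructed sample of DLP events; keys mirror the console's filter menus
# (category, workload, action, user, channel) and search categories (sender,
# destination, process, subject, reason). All values are made up.
EVENTS = [
    {"category": {"PHI"}, "workload": "ws-01", "action": "Write access", "user": "kate",
     "channel": "Removable storage", "sender": "kate", "destination": "E:\\",
     "process": "explorer.exe", "subject": "", "reason": "Matched default rule"},
    {"category": {"PII"}, "workload": "ws-02", "action": "Write access", "user": "bob",
     "channel": "Cloud storage", "sender": "bob", "destination": "drive.example",
     "process": "chrome.exe", "subject": "", "reason": "Justified by user"},
    {"category": {"PHI", "PII"}, "workload": "ws-01", "action": "Read access", "user": "kate",
     "channel": "Email", "sender": "kate@corp.example", "destination": "partner.example",
     "process": "outlook.exe", "subject": "Patient list", "reason": "Matched rule PHI to partners"},
    {"category": {"PCI DSS"}, "workload": "ws-03", "action": "Write access", "user": "alice",
     "channel": "Printer", "sender": "alice", "destination": "HP LaserJet",
     "process": "winword.exe", "subject": "", "reason": "Matched default rule"},
]

def filter_events(events, **menus):
    """Apply the console's filter logic: OR between items selected in the same
    menu, AND between menus. Menus with no selection do not restrict the list,
    so filter_events(events) is the 'Reset to default' view."""
    def matches(ev, key, selected):
        value = ev[key]
        values = value if isinstance(value, set) else {value}   # an event may carry several categories
        return bool(values & set(selected))
    active = {k: v for k, v in menus.items() if v}
    return [ev for ev in events if all(matches(ev, k, v) for k, v in active.items())]

def search_events(events, field, phrase):
    """Keep events whose chosen search category contains the phrase
    (case-insensitive); an empty phrase, as after clicking X, resets the list."""
    needle = phrase.strip().lower()
    if not needle:
        return list(events)
    return [ev for ev in events if needle in ev[field].lower()]
```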

[Screenshots: To filter events in the DLP events list]

Data Loss Prevention Events
To search for events in the DLP events list
1. Repeat steps 1-2 from the previous procedure (To filter events in the DLP events list)
2. From the drop-down list to the right of Filter, select a category in which you want to search: Sender, Destination, Process, Message subject, or Reason
3. In the text box, enter the phrase you are interested in and confirm by pressing Enter on the keyboard
4. Only events matching the phrase you entered appear in the list
5. To reset the list of events, click the X sign in the search text box and press Enter

[Screenshots: To search for events in the DLP events list]

Data Loss Prevention Events
To view the list of events related to specific rules in the data flow policy
1. Log in to the Cyber Protect console as an administrator
2. Navigate to Protection > Data flow policy
3. Select the check box in front of the name of the policy rule you are interested in
4. You can select multiple policy rules if needed
5. Click View events
6. The view switches to Protection > DLP events, and the events related to the policy rules that you selected appear in the list

[Screenshots: To view the list of events related to specific rules in the data flow policy]

Section Summary
1. Data Loss Prevention Events can be viewed from the Data flow policy tab by clicking the ellipsis (more) button of a rule, or directly in the DLP events tab. DLP events can also be filtered and searched in the DLP events tab

Cyber Protect Cloud
Widgets on the Overview Dashboard

Widgets on the Overview Dashboard
Customizable widgets that give an overview of operations
You can find the following Advanced Data Loss Prevention widgets on the Overview dashboard under Monitoring
• Five Advanced DLP widgets are available:
  1. Sensitive data transfers
  2. Outbound sensitive data categories
  3. Top senders of outbound sensitive data
  4. Top senders of blocked sensitive data transfers
  5. Recent DLP events
• Widgets are updated every five minutes
• Widgets have clickable elements that enable you to investigate and troubleshoot issues
• You can download the current state of the dashboard or send it via email in PDF and/or XLSX format

Customizable Widgets that Give an Overview of Operations

#CyberFit Academy
Customizable Widgets that Give an Overview of Operations

#CyberFit Academy
Customizable Widgets that Give an Overview of Operations

#CyberFit Academy
Customizable Widgets that Give an Overview of Operations

#CyberFit Academy
Customizable Widgets that Give an Overview of Operations

#CyberFit Academy
Customizable Widgets that Give an Overview of Operations

#CyberFit Academy
Section Summary
1. There are five (5) different DLP-related widgets that can be customized in the Overview Dashboard tab:
• Sensitive data transfers
• Outbound sensitive data categories
• Top senders of outbound sensitive data
• Top senders of blocked sensitive data transfers
• Recent DLP events

Thank you for watching!

Cyber Foundation
Building a More Knowledgeable Future
Create, Spread and Protect Knowledge with Us!
www.acronis.org
Building New Schools
Publishing Education Programs
Publishing Books