RSA DLP 9.6 Network

User Guide Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/ index.htm Trademarks RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm. License Agreement This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC. Third-Party Licenses This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses_DLP_9.6.pdf file. Note on Encryption Technologies This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product. Distribution Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Contents

Preface ...... 9 About This Guide...... 9 Product Version ...... 9 Organization of This Book ...... 9 RSA DLP Documentation...... 11 Related Documentation...... 11 RSA Support and Service ...... 12 RSA DLP Customer Support...... 12 RSA DLP Consulting Services...... 13 RSA DLP Education Services ...... 13 Contact RSA DLP...... 13

Part I: Using DLP Network ...... 15

Chapter 1: Getting Started as a User ...... 17 Preventing Data Loss or Misuse ...... 17 Why Protect Sensitive Information?...... 17 About the RSA Data Loss Prevention ...... 18 About Policies and Content Analysis ...... 19 Using Enterprise Manager ...... 20 About DLP Enterprise Manager ...... 20 Logging Into Enterprise Manager...... 20 Viewing Risk Summaries and Reports ...... 21 Handling Incidents...... 21 Viewing and Editing Your User Profile ...... 22 Introduction to DLP Network ...... 22 Features of DLP Network...... 23 Using Enterprise Manager with DLP Network...... 25

Chapter 2: Managing Incidents...... 27 Understanding Incidents and Events...... 27 The Incident List ...... 28 Search for Incidents ...... 31 View Incident Details ...... 31 Manage Incidents Using the Action Links ...... 31 Select the Columns to be Displayed in the Incident List...... 32 Export Search Results...... 32

Contents 3 RSA DLP 9.6 Network User Guide

E-mail Search Results...... 33 Schedule E-mail Notification of Search Results...... 33 Save a Search...... 34 Run a Saved Search ...... 35 Manage Saved Searches...... 35 Customize Search Criteria ...... 36 Incident List Columns...... 37 Handling Incidents ...... 39 Handling a Network Incident...... 40 Incident Action ...... 50 Managing Incident Statuses ...... 57 Create a Custom Incident Status...... 57 View Incident Status Details...... 57 Edit a Custom Incident Status...... 58 Set a Default Incident Status...... 58 Re-order Incident Statuses ...... 59 Delete Custom Incident Status...... 59

Chapter 3: Viewing Events...... 61 About Events...... 61 The Event List...... 63 Search for Events ...... 65 View Event Details ...... 65 Select the Columns to be Displayed in the Event List...... 66 Export Search Results...... 66 E-mail Search Results...... 67 Schedule E-mail Notification of Search Results...... 67 Save a Search...... 68 Run a Saved Search ...... 68 Manage Saved Searches...... 69 Customize Search Criteria ...... 70 Event List Columns ...... 71 Working with Network Event Details...... 74

Chapter 4: Working With Reports...... 81 About Reports ...... 81 Using the Dashboard...... 82 Dashboard Components...... 83 About the Report Manager...... 90 Available Reports...... 93 Viewing Reports ...... 106 Filtering Report Data ...... 109 Editing Reports ...... 111

Part II: Administering DLP Network ...... 115

4 Contents RSA DLP 9.6 Network User Guide

Chapter 5: Getting Started as Administrator ...... 117 Administration with Enterprise Manager...... 117 About DLP Enterprise Manager ...... 117 Logging Into Enterprise Manager...... 118 Defining Sensitive Content and Creating Policies...... 119 Managing Users, Groups, and Roles ...... 119 Customizing Notifications ...... 120 Using Advanced Administrative Features ...... 120 Viewing and Editing Your User Profile ...... 121 Introduction to Administering DLP Network ...... 121 Administrative Features of DLP Network...... 122 Using Enterprise Manager to Administer DLP Network...... 122

Chapter 6: Defining Sensitive Content ...... 125 About Sensitive Content and Content Blades...... 125 About Described-Content Blades...... 126 Accuracy of Detection ...... 126 Detection Methods...... 127 Weight, Score, Count, and Risk Factor ...... 128 Proximity ...... 130 Described-Content Blade Structure ...... 131 Detection in Document Headers, Footers, and Metadata ...... 132 Detection in HTML Form Data and URLs...... 133 About Fingerprinted-Content Blades...... 135 Fingerprinted-Content Blade Structure...... 136 File Fingerprinted-Content Blades...... 136 Database Fingerprinted-Content Blades ...... 139 Fingerprint Crawlers...... 140 Managing the Total Size of Fingerprints ...... 141 Updating Fingerprinted-Content Blades Automatically...... 142 About Whitelisting for Fingerprinted-Content Blades...... 143 Working With Content Blades...... 143 Managing Existing Content Blades ...... 144 Creating or Editing a Described-Content Blade ...... 150 Creating or Editing a Fingerprinted-Content Blade...... 158 Working With Fingerprint Crawlers...... 159 Managing Existing Fingerprint Crawlers ...... 159 Creating or Editing a File Crawler...... 163 Creating or Editing a Database Crawler ...... 168 Configuring Whitelist for File Crawlers...... 173 Managing Dictionaries...... 174 About Dictionaries...... 175 Viewing the List of Dictionaries...... 175 Viewing a Custom Dictionary ...... 177 Creating or Editing a Custom Dictionary ...... 177 Viewing a Reference Dictionary...... 178 Importing or Editing a Reference Dictionary ...... 178 Managing Entities ...... 179

Contents 5 RSA DLP 9.6 Network User Guide

About Entities ...... 180 Viewing the List of Entities...... 180 Viewing a Custom Entity...... 181 Importing or Editing a Custom Entity ...... 182 Using the Regular Expression Manager...... 183 Using the Regular Expression Manager ...... 183 Creating or Editing a Regular Expression ...... 185

Chapter 7: Setting Policies ...... 187 Understanding Policies ...... 187 Policy Structure...... 187 Content Blades...... 189 Product-Specific Attributes and Incident Rules...... 191 Detecting Encrypted Files...... 191 Managing Existing Policies ...... 193 Viewing a Policy...... 196 Creating or Editing a Policy...... 197 Activating or Customizing a Policy From a Template ...... 215

Chapter 8: Administering Your DLP Installation...... 219 Viewing DLP Status Overviews ...... 220 Managing Roles and Permissions ...... 221 Example Roles ...... 221 Viewing the List of Roles ...... 223 Viewing a Role ...... 224 Creating or Editing a Role ...... 225 Setting Up Groups and Users...... 235 Viewing the List of Groups and Users...... 235 Creating or Editing a DLP Group...... 237 Creating or Editing a DLP User...... 239 Giving LDAP Users Access to Enterprise Manager...... 241 Managing User Credentials...... 241 Viewing User Credentials...... 243 Creating or Editing a User Credential...... 243 Configuring LDAP Integration ...... 245 Viewing LDAP Settings ...... 245 Creating or Editing an LDAP Configuration...... 246 Configuring SIEM Integration...... 252 Viewing the SIEM Configuration...... 252 Creating or Editing a SIEM Configuration...... 253 System Alerts Configuration...... 254 Viewing System Alerts Settings ...... 255 Creating or Editing System Alerts Configuration...... 255 Managing Notifications and Messages ...... 256 Viewing the Automatic Notification Templates List...... 257 Viewing or Customizing an Email Notification Template ...... 259 Viewing or Customizing a Network Message ...... 261

6 Contents RSA DLP 9.6 Network User Guide

Viewing the Custom Manual Notification Templates List...... 262 Creating or Editing a Manual Notification Template ...... 263 Configuring the Notification Email Server...... 264 Advanced Administrative Options...... 266 Purging Events and Incidents ...... 266 Viewing Audit Records ...... 271 Viewing and Entering License Keys ...... 280 Exporting and Importing Configuration Files ...... 281 Upgrading Downstream Components and Configurations...... 284 Importing Reports...... 287 Setting Preferences ...... 291

Chapter 9: Administering DLP Network ...... 295 Using the DLP Network Administration Page...... 295 Administering the Network Controller ...... 298 Viewing Network Controller Status ...... 298 Viewing Network Device Status Details ...... 299 Viewing or Editing the Network Controller Configuration...... 300 Administering Managed Devices...... 303 Administering Sensors...... 303 Administering Interceptors ...... 308 Administering ICAP Servers ...... 316 Viewing Network Statistics ...... 320 Viewing Network ICAP Server Statistics...... 321 Viewing Network Sensor Statistics ...... 323 Viewing Network Interceptor Statistics...... 327 Blank Statistics Pages ...... 330 Secure Communication Among DLP Network Devices...... 331 IM Chat Protocol Behavior...... 331 MSN Windows Messenger ...... 332 Yahoo! Instant Messaging ...... 333

Chapter 10: Monitoring Sensitive Content in Webmail...... 335 Overview...... 335 Monitoring Webmail...... 336 Email Notification...... 336 Configure Sender Email Notification ...... 337 Corporate Email...... 337 Webmail Email ...... 337 Replacement Templates ...... 338 Email Recipient...... 338 Modify the Recipient Subject or Attachment Filename Template ...... 338 Modify the Email Body or Attachment Replacement Template ...... 339 Email Sender...... 339 Webmail Sender Notification-Supported Email Clients...... 339 Browsers Supported ...... 339

Contents 7 RSA DLP 9.6 Network User Guide

Chapter 11: Managing RSA DLP on Partner Devices ...... 341 Managing Partner Devices in Enterprise Manager ...... 341 Managing Existing Partner Devices ...... 342 Adding a Partner Device to Enterprise Manager ...... 345 Editing Partner Device Details ...... 346 Managing DLP Policies for a Partner Device ...... 347 Importing Existing DLP Policies from a Partner Device ...... 347 Enabling an Imported Policy for a Partner Device ...... 348 Creating a DLP Policy for a Partner Device ...... 350 Viewing DLP Policy Status for a Partner Device ...... 351 Managing Events and Incidents for a Partner Device ...... 351 Viewing Device-Specific Events and Incidents ...... 351

Appendixes...... 353

Appendix A: File Formats Supported by RSA DLP...... 355 Supported File Formats (for Text Extraction)...... 355 Supported File Formats (for Detection Only)...... 365 Categorized File Formats (for Policy Rules) ...... 368 ...... 371

Appendix B: DLP System Alerts ...... 373 Enterprise Manager Alerts ...... 373 DLP Network Alerts ...... 375

Appendix C: Using Enterprise Manager Pop-ups...... 379 Selecting Users and Machines from an LDAP Directory for DLP Operations ...... 379 Select Users or Machines using the Browse Tab...... 379 Select Users or Machines using the Search Tab...... 380 LDAP Search Filters...... 381

Appendix D: Database Connection Strings ...... 383 Oracle Connection Strings ...... 383 SQL Server Connection Strings...... 384 DB2 Connection Strings ...... 385

Glossary...... 387

Index ...... 403

8 Contents RSA DLP 9.6 Network User Guide

Preface

This guide is intended to help corporate data security compliance officers and administrators understand and use the features available to them through DLP Network from RSA. Both users and administrators access those features through the RSA DLP Enterprise Manager application.

Enterprise Manager provides an interface to DLP Network. Depending on your license settings and your access permissions, you may be able to use or administer all or portions of the Network product.

Topics: • About This Guide • RSA DLP Documentation • RSA Support and Service

About This Guide

Product Version

The information in this book is current as of DLP Network version 9.6. Corrections or updates to this information may be available through RSA SecurCare® Online, at https://knowledge.rsasecurity.com

Organization of This Book

This book includes the following parts, chapters, and appendixes: •Part I: Using DLP Network For executives, security specialists and compliance officers. Describes how to use DLP Network to assess overall security risk and act on incidents of inappropriate use of sensitive content. – Chapter 1, “Getting Started as a User.” Gives an overview of RSA DLP for the security specialist or compliance officer, including overviews of Enterprise Manager as well as a summary of the network product. – Chapter 2, “Managing Incidents.” Describes how to use Enterprise Manager to search for, view, analyze, and act on incidents of policy violation detected by DLP Network.

Preface 9 RSA DLP 9.6 Network User Guide

– Chapter 3, “Viewing Events.” Describes how to search for and view individual policy-violation events that have occurred and may have contributed to the creation of incidents. – Chapter 4, “Working With Reports.” Describes how to view, generate, and schedule summary reports of DLP activity, as well as how to create and use custom reports. Also explains how to use the Dashboard pages to assess overall organizational risk. •Part II: Administering DLP Network For security architects, system administrators, and information-technology specialists. Describes how to use Enterprise Manager to configure and maintain DLP Network so that it can detect and monitor inappropriate use of sensitive content. – Chapter 5, “Getting Started as Administrator.” Gives an overview of RSA DLP from an administrator’s perspective, including administering Enterprise Manager and configuring the Network product. – Chapter 6, “Defining Sensitive Content.” Describes what sensitive content is and how you can use DLP content blades—or create your own custom blades—to detect sensitive content in use in your organization. – Chapter 7, “Setting Policies.” Explains what DLP policies are and how they use content blades plus other kinds of information to detect and act on improper use of sensitive content, including by creating incidents from policy-violation events. Shows how to use existing DLP polices or create your own custom policies. – Chapter 8, “Administering Your DLP Installation.” Describes administrative tasks common to all the RSA DLP products, including setting up users and roles, managing notification messages, setting system defaults, and updating licenses. – Chapter 9, “Administering DLP Network.” Describes administrative tasks specific to DLP Network, including configuring managed devices (Sensor, Interceptors, and ICAP servers), viewing device status, and adding new devices. – Chapter 11, “Managing RSA DLP on Partner Devices.” Describes how to use Enterprise Manager to control DLP features on a partner device that implements Interoperability components of the RSA DLP SDK toolkit, including managing DLP policies for the device and events sent to Enterprise Manager by the device. • Appendixes: – Appendix A, “File Formats Supported by RSA DLP.” Lists the file types and extensions of all files in which RSA DLP can detect sensitive text content. – Appendix B, “DLP System Alerts” provides descriptions of the system alerts that are generated for the most common error scenarios for each DLP component. – Appendix C, “Using Enterprise Manager Pop-ups” describes how to use various Enterprise Manager pop-ups.

10 Preface RSA DLP 9.6 Network User Guide

– Appendix D, “Database Connection Strings.” Describes example connection strings to use when configuring a database scan group or a database-fingerprint crawler. – “Glossary.” Defines terms relevant to DLP Network and to content security in general.

RSA DLP Documentation

RSA Data Loss Prevention 9.6 Product Documentation is available on RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/ sets.aspx?product=dlp&_v=document. The following table lists the documents that are part of the RSA Data Loss Prevention 9.6.

Category Documents

User Guides • RSA DLP Network User Guide • RSA DLP Datacenter User Guide • RSA DLP Endpoint User Guide

Deployment Guides • RSA DLP Network Deployment Guide • RSA DLP Datacenter Deployment Guide • RSA DLP Endpoint Deployment Guide

Best Practices • RSA DLP Datacenter Best Practices • RSA DLP Endpoint Best Practices

Additional Documents • RSA DLP Policy Guide • RSA DLP Quick Start • RSA DLP Upgrade Guide • RSA DLP Maintenance Guide • RSA DLP Troubleshooting Guide

Category

Reports

90 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

– If a schedule icon ( ) appears next to a report, that report has been scheduled to be generated and emailed out. Hover over the email icon ( ) to view the list of email recipients. See “To view a report’s email recipients”. – If a delete icon ( ) appears next to a report, that report has been customized and saved. Only customized reports can be deleted. See “To delete a report”.

To open a report 1. If necessary, click the expand button to expand the category the report is in. 2. Click a report name. The report page opens and the report is generated. – Once a report is open, you can generate, customize, schedule, email, and print and export that report. See “Viewing Reports” on page 106.

To view a report’s email recipients

If an email icon ( ) appears next to a report, that report has been scheduled to be emailed out when it is generated. • Hover over the email icon ( ). The email addresses the report is scheduled to be sent to every time it is generated appear in a tooltip.

To delete a report

If a delete icon ( ) appears next to a report, you have the appropriate permissions to delete it. You can only delete reports you have created yourself. You can edit the standard reports that are provided with Enterprise Manager, but cannot delete them. 1. Click the delete icon ( ) adjacent to the report you want to delete. A confirmation dialog box appears. 2. Click OK to confirm you want to delete the report. The report is deleted.

Note: If the report is My Favorites, it is also deleted from there.

To add a report to My Favorites

The My Favorite Reports category allows you to put links to all the reports you use most often into one convenient location. 1. Open the report you want to add to My Favorite Reports category (see “To open a report” on page 91).

Chapter 4: Working With Reports 91 RSA DLP 9.6 Network User Guide

2. Click the Include in My Favorite Reports action button ( ) along the top of an open report. The report is now accessible via your My Favorite Reports category, as well as from its assigned category. Reports in My Favorite Reports category are also accessible via the Dashboard Quicklinks. See “Dashboard Reports” on page 84 for more details about Quicklinks. You can also add a report to your My Favorite Reports category as you edit it as described in “Editing Reports” on page 111.

To edit a report 1. To edit a report either: – Click the Edit icon ( ) next to the name of the report on the main Report Manager page. – Click the Edit and Schedule action button ( ) along the top of an open report. The Edit Report page appears. See “Editing Reports” on page 111 for more details about editing reports.

To synchronize event data with LDAP

If an LDAP server (such as Microsoft Active Directory) has been configured for your enterprise, you can synchronize event data with newer information retrieved from your LDAP server.

Note: The Update Event Data from LDAP and Event Data Update Status buttons that control this functionality are only visible to users with Admin privileges.

To synchronize event data with LDAP information: 1. On the Report Manager page, click the Update Event Data from LDAP button. The Update Event Data from LDAP dialog appears.

This dialog warns you that you are starting an update process that may be time and resource-consuming. 2. Click Proceed to continue with the update process; Cancel to return to the Report Manager with initiating the update process.

92 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

3. Click the Event Data Update Status button on the Report Manager to view the status of any event data updates that are in progress. The Event Data Update Status dialog appears.

This dialog provides the following information: – Last Update Attempt: The date and time the last event update process. – Number of Events waiting to be updated. The number of events that have yet to be updated. – Number of Events that have exceeded maximum update attempts. 4. Click OK to close the dialog.

Available Reports

The following RSA DLP Enterprise Manager reports are available by default, grouped into the listed categories.

The default date range for all reports is 3 months. To change the date range, see “To edit a report” on page 92.

My Favorite Reports

The My Favorite Reports category allows you to put links to all the reports you use most often into one convenient location. See “To add a report to My Favorites” on page 91 for more details.

Chapter 4: Working With Reports 93 RSA DLP 9.6 Network User Guide

Incident Summary Reports • Incidents by Organization. A bar chart displaying the number of incidents by business organizational unit. This chart displays a maximum of the top 10 business organizational unit. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

• Incidents by Incident Type. A pie chart displaying the number of incidents that have been generated for each DLP product. Click on any pie segment to open the incident list, displaying the incidents that pie segment represents.

94 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

• Incidents by Policy. A bar chart displaying the policies that have generated the most incidents. A maximum of 10 policies are displayed. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

• Incidents by Content Blade. A bar chart displaying the content blades that were matched to trigger the most incidents. A maximum of 10 content blades are displayed. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

Chapter 4: Working With Reports 95 RSA DLP 9.6 Network User Guide

• Incidents by Severity. A pie chart displaying the numbers of all open and in progress incidents in the specified date range, color-coded by severity. Click on any pie segment to open the incident list, displaying the incidents that pie segment represents.

• Incidents by Status. A bar chart displaying all incidents, by status. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

96 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

Incident Trend Reports • Incident Trend - by Organization. A bar chart displaying the numbers incidents by business organizational unit. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

• Incident Trend - by Incident Type. A bar chart displaying the numbers of incidents over time by DLP product type. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

Chapter 4: Working With Reports 97 RSA DLP 9.6 Network User Guide

• Incident Trend - by Policy. A bar chart, displaying the policies that have generated the most incidents over time. A maximum of 10 policies are displayed. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

• Incident Trend - by Severity. A bar chart displaying the number of incidents by severity over time. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

98 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

• Incident Remediation Trend. A bar chart displaying the number of incidents closed in comparison to those open, over time. Click on any bar segment to open the incident list, displaying the incidents that bar segment represents.

Incident Management Reports • Number of Incidents by Policy, Severity, Content. This is a composite report consisting of the following charts.

Chapter 4: Working With Reports 99 RSA DLP 9.6 Network User Guide

– Top Incidents by Policy. A bar chart displaying the policies that have generated the most incidents. A maximum of 20 policies are displayed. Click on any bar to open the incident list, displaying the incidents that bar represents.

– Top Incidents by Severity. A pie chart displaying all open and in progress incidents, color-coded by severity. Click on any pie segment to open the incident list, displaying the incidents that pie segment represents.

100 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

– Top Incidents by Content Blade. A bar chart displaying the content blades that were matched to trigger the most incidents. A maximum of 20 content blades are displayed. Click on any bar to open the incident list, displaying the incidents that bar represents.

• Active Policies. A tabular report listing all the active policies, and their status (enabled or disabled) for each DLP product.

• Open Incidents. This report consists of 4 tables displaying the following statistics about incidents that are currently open: – Statistics. This table lists the total number of incidents with a status of In Progress, and the total number of Escalated Open Incidents.

– Open Incidents by Assignee (Top 20). A table listing the 20 individuals who are assigned the most open incidents.

Chapter 4: Working With Reports 101 RSA DLP 9.6 Network User Guide

– Open Incidents by Severity. This table lists all open incidents, grouped by severity.

– Open Incidents by Policy (Top 20). This table lists the policies that have triggered the most open incidents, and the number of incidents each policy has generated. A maximum of 20 policies are listed.

• Quarantined Incidents. This tabular report lists up to 100 DLP Network incidents that have been quarantined and have a status of Open or In Progress. If there are more than 100 incidents that fit this criteria, the total count of quarantined incidents is displayed on the right side of the title bar.

DLP Network Reports • Top Offenders - Network. A composite report consisting of the following charts:

102 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

– Most Frequent Policy Violations. A bar chart displaying the policies that have generated the highest number of Network incidents. A maximum of 20 incidents are displayed. Click on any bar to open the incident list, displaying the incidents that bar represents.

– Policy Violations by Severity. A pie chart displaying the total number of Network incidents for each severity level. Click on any pie segment to open the incident list, displaying the incidents that pie segment represents.

Chapter 4: Working With Reports 103 RSA DLP 9.6 Network User Guide

– Top 20 Offending Senders. A table listing the senders responsible for the transmissions that were discovered to be in violation of policy. A maximum of 20 senders are displayed.

• Incidents by Host. A pie chart displaying the 20 machine host names/ip addresses that triggered the highest number of incidents, and the number of incidents each host generated.

• Incidents by Protocol. A bar chart displaying the protocols that triggered the highest number of incidents, and the number of incidents each protocol generated. Click on any bar to open the incident list, displaying the incidents that bar represents.

104 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

• Top Recipients. A bar chart displaying the email addresses of up to 20 intended recipients of the most transmissions that were in violation of policy, and the number of incidents (transmissions) sent to each recipient. Click on any bar to open the incident list, displaying the incidents that bar represents.

• Top Senders. A pie chart displaying the email addresses of up to 20 senders of the most transmissions that were in violation of policy, and the number of transmissions (incidents) each sender sent.

Chapter 4: Working With Reports 105 RSA DLP 9.6 Network User Guide

Dashboard Reports

Compliance Summary. A composite report providing a summary picture of the enterprise data-loss risk. This report consists of the following components: – Risk-Factor Gauges – Incidents By Product (Open and In Progress) – Incidents By Top 5 Policies – Incidents By Top 5 Content Blades – Risk Trend - Incidents Newly Opened by Severity – Incident Trend - Newly Opened – Incident Trend - Total Opened

Viewing Reports

Each Enterprise Manager report displays content and includes controls and options that allow you to tune the report for your business requirements.

Note: The format of the graph that is displayed and the filter parameters available depend upon the graph you selected to display.

106 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

Figure 5 Sample Report

Filters

Report Body

Once a report is open, you can edit, generate, schedule, email, print, and export that report, as described below.

To change the filter criteria of the report • With the report you want to refine open, edit the filter parameters as described in “Filtering Report Data” on page 109.

To edit the report 1. With the report you want to edit open, click the Edit and Schedule action link ( ) in the top menu. The Edit Report page appears. 2. Edit the report’s fields as described in “Editing Reports” on page 111.

Chapter 4: Working With Reports 107 RSA DLP 9.6 Network User Guide

To save the report under a different name 1. With the report you want save open, click the Save As action link on the report’s top menu. The Save Custom Report dialog box appears.

2. Enter a new name.

Note: All scheduling and emailing configured for the original report is maintained, as is the original report’s category. If you want to modify these properties, you must edit this report, see “Editing Reports” on page 111 for details.

3. Click Save.

To email the report (non-scheduled) 1. With the report you want to email open, click the Email Report action link in the top menu. The Email Report dialog appears.

2. For Report Format, specify either HTML or PDF. 3. Under Email report to, select one or both of the following: –Me. The logged-in user. –Other people. A comma-separated list of email addresses. 4. Click Send. This immediately sends an email report to the address(es) you specified. If you want to email a report according to a report generation schedule, you can add that information to the schedule. See “C. Set up report scheduling and emailing” on page 113.

108 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

To schedule the report 1. With the report you want to schedule open, click the Edit and Schedule action link ( ) from the top menu. The Edit Report dialog appears. The lower portion of this page includes the scheduling and email information:

2. Enter the schedule information for this report in the same manner as described in “C. Set up report scheduling and emailing” on page 113.

To print the report 1. With the report you want to print open, click the Print Version action link in the top menu. A print version of the report appears in a new browser. 2. Use your browser print function to print the report.

To export the report

You can export the data from any report into a Microsoft Office Excel Comma Separated Values (.csv) file.

1. With the report you want to export open, click the Export ( ) action link in the top menu. A browser-specific Save/Export dialog box appears. 2. Select whether you want to open or save the data to a specified file and location. Click OK.

Filtering Report Data

You can use the filter parameters available at the top of each report to filter the data displayed in each report.

Most reports can be filtered by date range, some reports have additional filters such as Product Type and Status.

Important: The filter parameters available for a report depend upon the type of report you have opened.

Chapter 4: Working With Reports 109 RSA DLP 9.6 Network User Guide

To filter by date 1. With the report you are interested in open, use the Date Range filters above the report to change the time period over which the report is displaying data.

– Select a pre-defined date range from the first drop-down menu. Custom, All (the default), Today, Yesterday, Last 7 Days, Last 30 Days, Last 3 Months, Last 6 Months, or Last Year.

Note: For Trend reports, you can only used these pre-defined data ranges, you cannot use the calenders to manually specify a date range.

– Type or use the calendars to specify a start date and end date for the range. If you type the date, it should be in the following format: MMM DD, YYYY. For example, May 2, 2007. 2. Add more filter criteria as needed and available (see “To add more filter criteria”, next). 3. Click Refresh. The report will re-fresh to display data from the new date range.

To add more filter criteria

Note: The filter parameters available depend upon the type of report you select.

1. With the report you are interested in open, select other parameters by which to filter your report:

–Organization. – Product. This allows you to filter the report by DLP product. Select either All Products..., Datacenter, Endpoint, or Network from the dropdown menu. – Policy. This allows you to filter the report by policy. Select either All Policies..., or use the dropdown menu to select an individual policy by name. – Severity. This allows you to filter the report by incident severity. Select either All Severities..., Low, Medium, High, or Critical. – Incident Status. This allows you to filter the report by incident status. Select either All Status..., Open, In Progress, or Closed.

110 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

– For Datacenter s:

• Agent Scan Group: Use the drop down menu to select an Agent Scan Group. • Display Scans: Once you have selected the Agent Scan Group you want to filter by, specify how you want the scans grouped, by week, by month, or by quarter. – For Datacenter Grid Scan Reports:

• Grid Scan Group: Use the drop down menu to select an Grid Scan Group. • Display Scans: Once you have selected the Grid Scan Group you want to filter by, specify how you want the scans grouped, by week, by month, or by quarter. 2. Click Refresh. The report will re-fresh to display data based on your new filter criteria.

Editing Reports

Use the Edit Report page to customize, schedule, and generate reports. • With the report you want to edit open, click the Edit and Schedule action link ( ) in the top menu. The Edit Report page appears.

A. Fill in the report summary

1. Enter the Report Name. Enter a unique name for the report as you want it to appear in the Report Manager. 2. Optionally enter text a description of the report you are editing. 3. Use the Report Category drop-down menus to choose the category you want your report to belong to. Reports are grouped by these categories on the Reports Manager.

Chapter 4: Working With Reports 111 RSA DLP 9.6 Network User Guide

4. Check the Add to My Favorite Reports box if you want this report added to your favorites on the Report Manager.

B. Select data filters

All reports can be filtered by date range, some reports have additional filters such as Product Type and Status.

Important: The filter parameters available for a report depend upon the type of report you are editing.

Specify the date range you want the report to include data from.

•Date Range. Select one of the following. – Select a pre-defined date range from the first drop-down menu. Custom, All (the default), Today, Yesterday, Last 7 Days, Last 30 Days, Last 3 Months, Last 6 Months, or Last Year.

Note: For trend reports, you can only select these pre-defined date ranges. You cannot use calenders to manually specify a date range.

– Type or use the calendars to specify a start date and end date for the range. If you type the date, it should be in the following format: MMM DD, YYYY. For example, May 2, 2007.

Specify other data filters, if available.

• Select Filter Criteria for report. Use the drop-down menus to select the parameters and values that you want to filter. For example you may want to only include Incident Status (parameter name) with values of Open or In Progress in your report. The second drop-down menu is populated with values relevant to the selection you make from the first menu.

112 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

C. Set up report scheduling and emailing

1. Click the Scheduling and Emailing link at the bottom of the Edit Report page to expand the section. Use this section to set up a scheduled report generation.

Note: If you are scheduling a report to be generated, you must also specify email recipients for the report each time it is generated.

2. Specify the report generation schedule. a. Specify the general frequency scale for the schedule (Daily, Weekly, Monthly, or Not Scheduled). b. Depending on your selection, additional controls appear on the screen. Choose specific subintervals or frequencies within the selected scale. c. Specify the time of day at which to generate the report. d. In the Start box, either type or use the calendar to specify the date you want the schedule to begin. 3. Use the Report format drop-down list to specify either HTML or PDF as the format in which the report is to be sent. 4. Use the Email Report to section to specify one or more email addresses where the scheduled report will be emailed each time it is generated. You can select one or both of the following: –Me. The logged-in user. –Other people. A comma-separated list of email addresses.

D. Save the report • Click Save to save the edited report. • Click Save As to save the report under a new name. The report is added to the selected report category on the Reports Manager page. • Click Cancel to cancel the save operation.

Chapter 4: Working With Reports 113 RSA DLP 9.6 Network User Guide

114 Chapter 4: Working With Reports RSA DLP 9.6 Network User Guide

II ADMINISTERING DLP NETWORK

If you are a DLP Network administrator—typically a security architect, system administrator, or information-technology specialist—you use RSA DLP Enterprise Manager to configure and maintain the Network product so that it can detect and monitor inappropriate use of sensitive content. This part describes how to perform those tasks. • Chapter 5: Getting Started as Administrator • Chapter 6: Defining Sensitive Content • Chapter 7: Setting Policies • Chapter 8: Administering Your DLP Installation • Chapter 9: Administering DLP Network • Chapter 10: Monitoring Sensitive Content in Webmail • Chapter 11: Managing RSA DLP on Partner Devices

115 RSA DLP 9.6 Network User Guide

116 RSA DLP 9.6 Network User Guide

5 Getting Started as Administrator

This chapter explains how to log into RSA DLP Enterprise Manager and start using the administrative functions of DLP Network.

For an overview of the RSA approach to data-loss prevention, plus summaries of each of RSA DLP products, see “Preventing Data Loss or Misuse” on page 17.

Note: Before beginning, obtain your Enterprise Manager user name and password from your system administrator.

Topics: • Administration with Enterprise Manager • Introduction to Administering DLP Network

Administration with Enterprise Manager

This section summarizes the basics of RSA DLP administration using Enterprise Manager. For further details and instructions, follow the cross-references in each subsection.

About DLP Enterprise Manager

RSA DLP Enterprise Manager is a web application with which you can configure and manage all the DLP products, including adding and deleting components of those products. Depending on which DLP products you are licensed for, Enterprise Manager can be deployed as a software installation or as a hardware appliance.

Enterprise Manager is typically integrated with an organization’s personnel directory, so that network users are automatically Enterprise Manager users as well. In addition, users can be defined explicitly within Enterprise Manager.

Chapter 5: Getting Started as Administrator 117 RSA DLP 9.6 Network User Guide

Enterprise Manager requires a database for storing the results of its analyses. Database requirements are listed in the deployment guides for the Network, Endpoint, and Datacenter products. Also, instructions for installing Enterprise Manager itself are included in the individual deployment guides.

Logging Into Enterprise Manager

Enter your user name and password, then click Login. If the login is successful, the Enterprise Manager Dashboard page appears.

For an explanation of the Dashboard page, see “Using the Dashboard” on page 82.

Note these navigation features of Enterprise Manager: • Use the tabs (Dashboard - Incidents - Reports - Policies - Admin) across the top of the page to access any portion of Enterprise Manager. • Click Help to view information and instructions specific to the Enterprise Manager page that is currently being displayed. • Click Log Out to exit from Enterprise Manager. • Click the link displaying your user name to view or edit your profile; see “Viewing and Editing Your User Profile” on page 121.

Session Timeout

After a long period of inactivity, your Enterprise Manager session will time out and you will be automatically logged out.

118 Chapter 5: Getting Started as Administrator RSA DLP 9.6 Network User Guide

Defining Sensitive Content and Creating Policies

At the core of RSA DLP’s data-loss prevention capability is its ability to very precisely define the sensitive content that it is to monitor. If your role as compliance officer or security expert includes creating or customizing sensitive content definitions, you can apply that content-definition capability to any security policy that you define for monitoring messages, user actions, and stored documents in your organization.

The content-detection modules that you can use or create are called content blades. They can consist of either precise descriptions of the classes of sensitive content they are built to detect, or generated numerical “fingerprints” of individual sensitive documents or portions of documents. See “Defining Sensitive Content” on page 125 for instructions on how to use Enterprise Manager to create or customize content blades.

When a product in RSA DLP analyzes a network transmission, user action, or stored document, it assesses the potential risk it represents by applying a specific policy to it. Policies can use content blades to analyze the content of the transmission, action, or document, and/or they can look at other aspects of the content, such as protocol, source, destination, or owner.

If your responsibilities include policy management, you can use Enterprise Manager to enable, customize, or create policies that are appropriate to your organization’s security needs. See “Setting Policies” on page 187 for complete instructions.

Managing Users, Groups, and Roles

If your responsibilities include administering your organization’s installation of RSA DLP, you may be responsible for managing the set of users and groups that have access to RSA DLP.

Access to various portions of RSA DLP is role-based: different users can access different parts of the Enterprise Manager interface and see different content in tables and reports, depending on their specific access privileges and permissions.

As an administrator, you assign privileges to roles that you create. You then assign those roles to user groups that you create. Finally, you assign the users that you create to one or more of those roles. User privileges thus come from the roles assigned to the groups to which the user belongs.

You can create DLP users and groups directly in Enterprise Manager, or you can integrate Enterprise Manager with your organization’s LDAP directory service and import users and groups from it.

See “Managing Roles and Permissions” on page 221, “Setting Up Groups and Users” on page 235, and “Configuring LDAP Integration” on page 245 for details.

Chapter 5: Getting Started as Administrator 119 RSA DLP 9.6 Network User Guide

Customizing Notifications

Enterprise Manager includes a notification service that sends email alerts to the appropriate users when a violation of security policy has been detected. A large number of different kinds of notifications are available, and all can be customized.

If your duties include managing notification content, you can customize some or all of the notification messages. Customization is not required; reasonable default content is provided for all messages.

See “Managing Notifications and Messages” on page 256 for a list of all notifications and instructions for customizing them.

Using Advanced Administrative Features

If you have the appropriate administrative privileges, you can use Enterprise Manager to perform these additional tasks: • Deleting events and incidents. For managing the enterprise database. Do not use this feature except under instruction from RSA DLP Technical Support. See “Purging Events and Incidents” on page 266. • Viewing Audit Records. For auditing purposes, Enterprise Manager records change activity in several categories of DLP administration such as the date on which an action occurred, the user that performed the action, and so on. You can use this feature to view these records. See “Viewing Audit Records” on page 271. • Downloading log files. For troubleshooting or debugging purposes, you can examine product log files. See “Viewing and Entering License Keys” on page 280. • Updating product licenses. If you receive a new license key from RSA, use this page to enter it. See “Viewing and Entering License Keys” on page 280. • Exporting and importing configurations. For troubleshooting or to preserve portions of your policy components during upgrade, you can export then re-import the configuration files for policy components. See “Exporting and Importing Configuration Files” on page 281. • Updating Upgraded Configurations. After performing an upgrade installation of Enterprise Manager, you have to use this feature to update the product configurations for each DLP product by distributing the upgraded configuration files from Enterprise Manager to the various DLP components. “To update component configurations” on page 286. • Importing Reports. This feature allows you to import new RSA DLP report templates as they become available. See “Importing Reports” on page 287. • Setting Preferences. This feature allows you to view and edit global, and DLP product-specific preference settings. See “Setting Preferences” on page 291. • Viewing documentation. Deployment and user documentation for the Network, Endpoint, and Datacenter products is available (in PDF form) from this page. The same documentation is also available through the Enterprise Manager online help.

120 Chapter 5: Getting Started as Administrator RSA DLP 9.6 Network User Guide

Viewing and Editing Your User Profile

As an Enterprise Manager user or administrator, you have the ability to view and edit the information in your user profile.

Viewing Your Profile

At the top right of the Enterprise Manager page, click the link that displays your user name.

The View User Profile page appears displaying your user information including group membership.

The password values are obscured.

Note: The group memberships are not editable.

4. Click Save to commit your changes. The changes take effect immediately.

Introduction to Administering DLP Network

This section gives an overview of the administrative aspects of RSA DLP Network and summarizes how you use Enterprise Manager to perform DLP Network administrative tasks. For a general overview of the Network product, see “Features of DLP Network” on page 23.

Chapter 5: Getting Started as Administrator 121 RSA DLP 9.6 Network User Guide

Administrative Features of DLP Network

This section summarizes Network administration. For detailed administration instructions, see “Administering DLP Network” on page 295.

Product Components

DLP Network includes the following components: • Network Controller. The main appliance that maintains information about confidential data and content transmission policies. The Network Controller manages and updates managed devices with policy and content-blade definitions, along with any changes to device configuration. • Managed devices. These devices help DLP Network to monitor network transmission and report or intercept the transmission: – Sensors. Deployed at network egress points, Sensors passively monitor traffic leaving the network or crossing network boundaries, analyzing it for the presence of sensitive content. Sensors cannot detect HTTP Puts. – Interceptors. Deployed as an inline mail transfer agent, an Interceptor allows you to monitor, quarantine, or block email (SMTP) traffic that contains sensitive content. Interceptors can also be used with an email encryption gateway to encrypt messages. –ICAP Servers. Deployed in association with a proxy server to monitor or block HTTP, HTTPS, or FTP traffic containing sensitive content. ICAP Servers can work in conjunction with your Exchange Servers in two ways: • ICAP Servers can monitor internal e-mail. See the Guide to RSA DLP for Internal E-mail, located on RSA SecurCare, for instructions. • ICAP Servers can work with your company’s Exchange server using ActiveSync protocol to monitor sensitive content that is downloaded to mobile devices. You can set the policy action, or remediation, to Audit for these types of policy violations. No other type of remediation is available. Even if you set the policy action to block, encrypt, or quarantine, only audit is enforced.

Note: BlackBerry devices do not support ActiveSync.

Using Enterprise Manager to Administer DLP Network

Use of Enterprise Manager for common administrative tasks is summarized earlier in this chapter (see “Administration with Enterprise Manager” on page 117). This section summarizes Network-specific administration.

You use Enterprise Manager to configure, manage, and monitor the state of the Network Controller and managed devices (Sensors, Interceptors, and ICAP servers).

122 Chapter 5: Getting Started as Administrator RSA DLP 9.6 Network User Guide

Configuring the Network Components

The DLP Network components are distributed as pre-loaded appliances, and each must be initially configured at the appliance. Once you have deployed and initially configured each appliance, you need to further configure each one to communicate with the Network Controller. This subsequent configuration is done using DLP Enterprise Manager.

For instructions on how to physically deploy and initially configure Network components, see the RSA DLP Network Deployment Guide. 1. Adding a Network Controller The Network Controller is a separate server that manages other DLP Network components, feeding them policy and gathering results. The Network Controller is deployed as a single appliance and must be configured prior to adding information about managed devices to Enterprise Manager. See “Administering the Network Controller” on page 298 for details about configuring the Network Controller. 2. Adding Managed Devices Once the Network Controller is configured, it appears in the Enterprise Manager Network Deployment Tree. You can now add any managed device that has already been physically deployed and initially configured.

Network Controller

Deployment tree Managed devices

See “Administering Managed Devices” on page 303 for details about configuring managed devices.

Subsequent changes to the configuration of either the Network Controller, or any of the managed devices, do not have to be made at the appliance level, configuration changes can be made using Enterprise Manager.

For more information on using Enterprise Manager with DLP Network, see the RSA DLP Network User Guide or the Enterprise Manager online help.

Chapter 5: Getting Started as Administrator 123 RSA DLP 9.6 Network User Guide

Creating Policies for DLP Network

When you create a policy to control your content analyses (see “Defining Sensitive Content and Creating Policies” on page 119), you have the option to define aspects of it that apply only to the Network product—for example, what protocols a specific policy applies to, or what specific policy actions should be taken at various severity levels.

If you want the Network settings of this policy to be enforced, you must be sure that the Network portion of the policy is enabled. See the discussion of enabled state under “Create Network-specific rules” on page 201.

124 Chapter 5: Getting Started as Administrator RSA DLP 9.6 Network User Guide

6 Defining Sensitive Content

Detecting and locating sensitive content is at the core of what RSA DLP does. This chapter describes how content blades perform that function and shows how you can use the DLP expert blades and also create your own custom versions of content blades and related components.

Topics: • About Sensitive Content and Content Blades • About Described-Content Blades • About Fingerprinted-Content Blades • About Whitelisting for Fingerprinted-Content Blades • Working With Content Blades • Working With Fingerprint Crawlers • Managing Dictionaries • Managing Entities • Using the Regular Expression Manager

About Sensitive Content and Content Blades

Sensitive content is information in the enterprise that needs to be protected from loss or misuse. Categories of sensitive information can include Personally Identifiable Information (PII), Payment Card Industry Data Security Standard (PCI) credit-card information, various kinds of corporate intellectual property, and other types of content.

RSA DLP uses modules called content blades to detect sensitive content. Analogous to “blades” in a rackable computer system, content blades can be used singly or in concert to accomplish different detection tasks. Each blade is typically designed to detect a particular category of sensitive content.

Content blades are the detection components of DLP policies (see “Setting Policies” on page 187). Any policy that is sensitive to document content must include one or more content blades.

Chapter 6: Defining Sensitive Content 125 RSA DLP 9.6 Network User Guide

RSA DLP uses two fundamentally different methods for detecting sensitive content which are implemented as two different types of content blades: • Described-content detection. A content description developed by RSA Knowledge Engineering or an administrator is used to detect sensitive content. The content description is encapsulated for use as a described-content blade. • Fingerprinted-content detection. Existing document or database content in your enterprise is used to generate unique fingerprints to detect sensitive content. The fingerprints are encapsulated for use as a fingerprinted-content blade.

Both methods of sensitive-content detection are highly accurate, and both can be used in the same policy.

About Described-Content Blades

Described-content detection involves creating a set of rules that specify the nature of the sensitive content to be detected. These detection rules are typically if/then statements of the form “if the document contains (such-and-such), then it may be sensitive”. A particular category of described content—for example, Social Security number—is a grouping of one or more of these detection rules.

The rules, in combination with each other and with context requirements such as weights (how important a given rule is), minimum and maximum scores (weights times number of occurrences), minimum matches (how many different rules must match before a document is considered a match), and proximity of matches (how close to each other the matches must occur in a document) become a whole—called a described-content blade—that accurately detects the specified kind of sensitive content.

Described-content detection analyzes the body text of many different formats of documents and transmissions, and also the text in headers, footers, or metadata for some formats. However, it cannot detect graphic images of sensitive content.

Accuracy of Detection

For described-content blades, accuracy is measured by two factors: recall and precision. Taken together, the ideal mix of recall and precision will ensure that you get 100% of the content that you need to secure and nothing that you don’t need to secure.

Recall

The first and most basic requirement for any data-loss prevention solution is the ability to identify any and all sensitive, regulated, or confidential information. With 100% recall, all sensitive documents or transmissions are caught.

High recall is achieved by casting a wide net to catch every piece of content that looks suspicious. (No false negatives.)

126 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Precision

Precision refers to the relevancy of the results returned. With 100% precision, no non-sensitive documents were incorrectly identified as sensitive. High precision can be thought of as the ability to differentiate between content that is truly sensitive and content that has similar characteristics but is not actually sensitive.

High precision is achieved with a narrow, focused search to make sure that every piece of content that is caught is truly sensitive. (No false positives.)

Balancing Recall and Precision

There are two kinds of errors that can arise from content analysis: false positives, in which non-sensitive documents appear in the list of sensitive documents, and false negatives, in which sensitive documents are missed. Recall and precision are directly related to the numbers of false positives and false negatives that occur: • As recall increases, precision tends to decline. If you ensure that you don’t miss any sensitive documents, you may increase the number of non-sensitive documents caught by mistake. • As precision increases, recall tends to decline. If you ensure that every document you catch is truly sensitive, you increase the chance that some sensitive documents are missed. If you are creating a described-content blade, you can adjust its weight and score parameters (see “Weight, Score, Count, and Risk Factor” on page 128) to balance precision and recall. Typically, you do this by performing content analysis on known test data, evaluating the results, and then “tightening” or “loosening” the settings to achieve the optimum balance. The expert blades from RSA have all been finely tuned for optimum detection, with very high recall and precision.

Detection Methods

When you create a described-content blade, you can set up any number of rules in it. The DLP content analyzer compares each rule to the content being analyzed, and if the rule is matched, that is one piece of evidence that the content may be sensitive.

You can employ any of the following types of rules in a rule set, alone or in combination: • Words and Phrases. These are keywords or phrases that are characteristic of the sensitive content you are searching for. For example, in analyzing for confidential company intellectual property, you might include internal project code names in a list of terms. • Dictionaries. These are simply lists of keywords and key phrases (see “Managing Dictionaries” on page 174). Dictionaries are a convenience when you want to use an extensive list of terms. For example, for a content blade that detects confidential HIPAA information, you might construct and include dictionaries with health-care terms, code sets, disease names, and so on.

Chapter 6: Defining Sensitive Content 127 RSA DLP 9.6 Network User Guide

You can create your own dictionaries or use any of those included with Enterprise Manager; see “Managing Dictionaries” on page 174. • Regular expressions. These are patterns of numbers, letters, and symbols that can match entire categories of formatted numbers or text—such as student or employee ID numbers, account numbers, addresses, and so on. You can create your own regular expressions or use any of the expressions included with Enterprise Manager; see “Using the Regular Expression Manager” on page 183. • Entities. These are small programs that validate a pattern using heuristics. Entities are more sophisticated and more accurate than regular expressions at identifying specific numeric or text formats like Social Security numbers, proper names, and credit-card numbers. RSA provides a set of entities for your use with RSA DLP.

Note: For both regular expressions and entities, you can minimize false positives by specifying exclusions, specific strings that would normally match but should not—because they are common dummy or test values (for example, a Social Security number of 123-12-1234).

Weight, Score, Count, and Risk Factor

Content analysis performed with a described-content blade involves comparing the content to the rules in the blade and assigning numeric values to matches that are found. The values for all the matches for all the rules are summed together, and the higher the total score is, the more highly sensitive the document is considered to be. The final measure of sensitivity of a document is its risk factor.

Weight and Score

You can assign each rule in a blade a weight, a number that indicates the relative importance of that rule. (Default value = 10.)

For example, in analyzing for credit card information, a rule that detects a number of the proper format is usually assigned a higher weight than a supporting rule that, for example, might detect the presence of related terms such as “expiration”, “credit card”, or “Amex”. Both rules are useful, especially in combination, but one is much more important.

The total number of matches to a given rule that occur in a document, times the weight of that rule, gives an interim value called the rule score for that document.

In a given document, the sum of all the rule scores for all the rules in the content blade is another interim value called the document score, which is a direct indicator (but not the final indicator) of the level of sensitivity of that document.

128 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Maximum Rule Score

You can assign a maximum score to certain individual rules in your blade, so that a large number of matches for one rule does not skew the overall results of your analysis, hiding the contributions of other (more important) rules.

For example, if your credit card number-detection rule has a weight of 10, and a supporting rule (say, a date) has a weight of 2, you might assign the date rule a maximum rule score of 4. In that case, only 2 instances of a date in a document will contribute to the document’s score to establish the presence of that supporting evidence. But the bulk of the document’s score, if it is truly sensitive, will come from matches to the credit card number rule (which might be given a maximum score of 1000 or more).

Minimum Document Score

You can also assign a minimum score to the content blade as a whole, so that documents with a low score are dropped from consideration as sensitive. Depending on the number of rules you have, the weights and maximum rule scores assigned to those rules, and sensitivity of the content the blade is detecting, you can judge what an appropriate minimum document score might be. (In most cases, the default value of 10 is appropriate.)

Risk Factor

To facilitate comparison of relative risk across any number of documents, the DLP content analyzer finally adjusts each document score, normalizing it to a value between 0 and 100. This value is the risk factor presented in the tables and reports displayed by Enterprise Manager.

Match Counts

Every countable match to an active content blade is aggregated during content analysis of a file or transmission. This aggregated exact match count is the number displayed as the Match Count in incident and event detail pages. A content blade is active only when one or more policies that use it are enabled.

By default, exact match counting is enabled for all described-content blades that detect a number, such as a credit card number or Social Security Number, and for all fingerprinted-content blades. To enable exact match counting for a new described-content blade, you must select Count item for each Must Occur or May Occur rule for which you want every match counted on the New/Edit Described Content Blade page.

Very large files and transmissions with many matches to an active content blade can slow performance. If this may be a problem in your deployment, you can disable exact match counting for one or more active content blades to activate an internal limit to the number of matches counted for the blades. See “To disable exact match counting for a content blade” on page 149 for instructions.

Chapter 6: Defining Sensitive Content 129 RSA DLP 9.6 Network User Guide

To minimize memory consumption, the collection of data that enables the display of matched content in Enterprise Manager stops when the match count for a file or transmission reaches 1000. As a result, some matched content may not be viewable for some events. However, all matches are detected, counted, and used to determine match weight and risk factor.

Count Versus Score

You can configure a rule to ignore score when it calculates risk factor, and instead consider only the number of occurrences of a detected piece of content.

For example, you may create a content blade that assigns risk factor based on only the number of valid credit-card numbers that occur in a document. You may include additional rules that detect supporting evidence such as related terms, expiration dates, proper names, and so on. Those rules are taken into account in terms of maximum rule score, minimum document score, and whether or not the rules are required to be matched (see “Described-Content Blade Structure” on page 131). However, the ultimate risk factor is based solely on the number of matches to the primary (count-based) rule.

In most situations, you would define only one rule in a content blade to be count-based; any other, supporting rules would typically be score-based. An exception might be in a situation where you want to detect either of two related items—for example, Social Security Number (SSN) and Individual Taxpayer Identification Number (ITIN)—using a single content blade. In that case, you could create two detection rules and make then both count based. The risk factor of a given document would then depend only on the total occurrences of both types of numbers.

Proximity

An additional parameter that you can apply to your described-content blade as a whole specifies how close together in a document the rule matches must occur in order for the matches to be considered valid.

For example, if a Social Security number rule is matched at the beginning of a large document, but an associated rule for Proper Name encounters no match until near the document’s end, the two occurrences are probably not related and the matches should not count.

You specify a number of characters within which rule matches must occur in order to be counted toward the rule scores or document score. (Default value = 300.)

130 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Described-Content Blade Structure

For convenience, rules in a described-content blade are grouped into rule sets of the types described here.

Types of Rule Sets •Must Occur. Any rules that appear in this section are required. They describe content that must be present for a document match to occur. For example, in detecting documents containing credit-card information, an entity rule that identifies the number itself would probably be in the must-occur rule set. (You are not required to have any rules in this section.) •May Occur. These rules are optional (but see also “Minimum Unique Match Requirements,” next). They typically identify supporting content that is likely to be present in sensitive documents. For example, in detecting documents containing credit-card information, a term rule that lists related words (like the credit-card vendor’s name) and/or an entity rule that identifies a proper name or expiration date might increase the evidence that valid credit-card information is present. You can have more than one “May Occur” rule set in a content blade. But see “Minimum Unique Match Requirements” (next) for an explanation of the implications for matching. • Should Not Occur. These rules are also optional. They describe negative evidence—content that should not be present in the documents that this content blade is designed to match. For example, if this content blade is designed to detect employee financial content, it might happen that unwanted documents of a slightly different type (say, corporate annual reports) are commonly detected as well. By creating a Should Not rule set containing terms or expressions especially indicative of annual reports, it may be possible to keep them from being detected by this blade.

Note: The rules in a rule set are evaluated in the order in which they are listed on the New / Edit Described Content Blade page (see “Creating or Editing a Described-Content Blade” on page 150).

Minimum Unique Match Requirements

When creating a “May Occur” or “Should Not Occur” rule set, you can specify how many of the defined rules in the set must be matched in a document before any of the matches can be considered valid.

For example, if the rule set consists of a terms rule that lists vendor names, an entity rule that detects an address, and a regular expression rule that detects a telephone number (all in support of a credit-card entity rule in the “Must Occur” rule set), you might decide that at least two of those three rules must be matched before you can

Chapter 6: Defining Sensitive Content 131 RSA DLP 9.6 Network User Guide

consider there to be good supporting evidence that the document contains valid Social Security Number information. In that case, you would set the “minimum unique required matches” for the rule set to 2.

You can specify any value from 0 up to the total number of rules in the rule set. A value of 0 means that any rule that matches will count. A larger value means that at least that many rules must match for a document match to count. A value equal to the total number of rules makes this “May Occur” rule set function just like a “Must Occur” rule set—all rules must match for a document match to count.

Note that if you have two or more “May Occur” rule sets, the Minimum Unique Match requirements for all of them must be met for a document match to occur. If one rule set matches but another does not because the required minimum number of matches did not occur, the document will not be matched.

Note: Database fingerprinted-content blades employ a similar concept to “minimum unique required matches”, in that you can specify both required and optional database columns to match, plus a minimum number of the optional columns that must be matched. See “E. Specify column match criteria for content blade use” on page 171.

Detection in Document Headers, Footers, and Metadata

By default, RSA DLP detects sensitive content only in the body, or main text portion, of documents and messages it analyzes. However, many text-based documents include page headers and footers or have associated metadata such as title, author, and date of publication. You can create content blades that let RSA DLP find specific words or phrases in a document’s headers, footers, or metadata.

Header/footer detection can be especially useful for identifying confidential or internal documents, which typically include some sort of confidentiality notification in the header and/or footer. Metadata detection can be useful for finding documents with particular titles, by particular authors, containing particular search keywords, and so on.

When creating or editing a described-content blade, you have the option of choosing whether the blade should detect sensitive content in any or all of the elements of a document:

132 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

When displaying an incident in Enterprise Manager, the Incident Manager and Event Manager identify matched content with location tags, like this:

The above example shows a match to the word “sensitive” in the keywords metadata field, and a match to “Confidential—Internal Use Only” in the footer.

See “Supported File Formats (for Text Extraction)” on page 355 for a list of the document formats for which analysis of header, footer, and metadata text is supported.

Content-Blade Design Considerations

When creating a described-content blade that will detect sensitive content in non-body portions of a document, keep these considerations in mind: • The content blade will analyze only the document elements for which it was configured. Therefore, if "header" alone was selected when the blade was created, any "must occur", "may occur", and "should not occur" detection rules will apply only to document headers. • The proximity setting in a content blade applies only to the body. If "header" and/ or "footer" and/or "metadata" are the only elements selected for the blade, proximity is ignored; if "body" is also selected, the proximity value will apply only to body text.

Detection in HTML Form Data and URLs

You can configure DLP Network to detect sensitive data in HTML form data being transmitted in HTTP POST and GET messages. Form data in POST messages is by default detectable; to detect sensitive form data in GET messages requires setting an Enterprise Manager preference.

To achieve the best results in detecting sensitive form data in either type of message, RSA recommends that you use a specialized content blade.

If your organization needs to specifically detect and report on this kind of text in its content analysis, take the following steps: 1. Set the DLP preference that enables detection of content in URLs if you want to analyze GET messages (which pass form data in their URLs). See “Setting Preferences” on page 291. Enabling that preference causes GET messages, including their URLs, to be analyzed and tagged as form data.

Chapter 6: Defining Sensitive Content 133 RSA DLP 9.6 Network User Guide

Even if you do not set this preference, POST messages are tagged as form data and their HTML form data is analyzed. 2. Create or enable a described-content blade that is designed to detect only HTML form data. As shipped, DLP Network includes three expert content blades that are designed to locate content in HTML forms: – SSN Formatted in HTML forms – SSN Unformatted in HTML forms – Credit Card Number in HTML forms 3. Apply the content blade to an active policy and enable the policy for DLP Network.

Note: If any of your enabled policies already use the Credit Card Number or US Social Security Number content blade group, you can just enable the HTML form-specific blade from within that group, and it will automatically be added to the policy.

Note that the form-specific content blades are shipped in the disabled state. You must explicitly enable them in the Content Blade Manager to use them.

Consequences of Enabling HTML Form-Specific Content Blades

How message text gets processed by the content analyzer depends on whether URL detection is enabled, and whether one or more form-specific content blades is enabled: • If URL detection is disabled, HTML form data in GET-message URLs is not analyzed. • The form-specific content blades are designed differently from normal content blades that scan general body text. The form-specific blades analyze only the text extracted from form data, so they require less corroborative evidence than might be available in a larger sample of body text. • Form-specific content blades apply to HTML form data only (they do not search other types of messages). Because they are tuned for high recall on small samples, they would likely produce higher false positives if they were used in typical body text. • Non-form-specific content blades apply to all types of messages, so they can be used on HTML form data. In some cases, such a blade might find the same sensitive content that a form-specific content blade finds. So if your policy includes two content blades searching for the same information—one form-specific and the other non-form-specific—an instance of that information in HTML form data might cause both blades to match, inflating the match count for that event. (In messages that are not HTML form data, only the non-form-specific blade will ever be matched.)

134 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Creating a Custom HTML Form-Specific Content Blade

It is possible to create your own custom described-content blade that will detect sensitive information in HTML form data. The detection needs to be based on a regular expression that detects tag pairs, which the DLP text-extraction process places around every message that includes HTML form data.

Your blade’s regular expression should be of the following form: (?i)()[^<]*(\b)(sensitiveExpression)(\b)[^<]*()

where sensitiveExpression is the sensitive text to be found (or a regular expression that defines that text). It is not possible to use dictionaries or entities to perform the detection in this kind of content blade.

You may want to limit or eliminate rules that look for supporting evidence in the form data, since an HTML form entry might include the sensitive text itself (such as credit card number) but very little supporting evidence (such as card issuer or expiration date).

About Fingerprinted-Content Blades

Fingerprinting is a content-detection technique for identifying documents and transmissions that match all or parts of known sensitive content stored in your enterprise. Using RSA DLP, you can create fingerprinted-content blades to register and protect this content.

Fingerprinting is ideal to use to protect sensitive content when you know what that sensitive content is and where it is stored. For example, you can use fingerprinting to detect: • Source code and ISO images for proprietary software developed and maintained by your company. This sensitive content is often stored in a few well-secured repositories within a company. You may want to carefully monitor movements of this content and prevent it from being stored, copied, or emailed. • Sensitive information stored in databases used by your company. Specific database columns may include known sensitive information such as credit card numbers or Social Security Numbers that must by law be protected. The databases are usually stored in a few well-secured locations. You may want to carefully monitor this information as it moves into documents or emails within and possibly outside of your company. • Confidential information developed within your company. Marketing campaign materials and product specifications created before a product release are examples of this type of sensitive content. You may want to monitor the flow of these types of sensitive information within your organization and prevent it from being sent or copied outside of a department or the company.

Chapter 6: Defining Sensitive Content 135 RSA DLP 9.6 Network User Guide

Fingerprinted-Content Blade Structure

A fingerprinted-content blade is fundamentally an encapsulated set of fingerprints— hash values that uniquely identify all and parts of text content in a file, a complete file copy, or database cell content. All RSA DLP products can use policies containing fingerprinted-content blades to detect sensitive content.

Fingerprints are created by running a hash function against each complete file, or parts or all of the text in files, or database columns that you specify. The resulting fingerprints or hash values are unique numeric representations of files or text content that are much smaller than the original content.

Matches to fingerprints are determined by creating hash values of a scanned document or transmission and comparing those hash values to existing fingerprints. If one of the hash values matches a fingerprint, then the scanned entity is identical to or contains content identical to fingerprinted content and is flagged as a match.

Each fingerprint will match only an exact copy of the content from which it was derived. A content copy that is modified in any way, or content that is similar only in meaning, will not match the fingerprint and so will not be detected as sensitive content.

You cannot reconstruct the original file or database content from its fingerprints. The hash values that are the fingerprints are mathematical derivatives of the original content and cannot be manipulated to reconstruct that content.

You can create two types of fingerprinted-content blades. File fingerprinted-content blades detect all and parts of the text content in a file, or a complete file copy. Database fingerprinted-content blades detect a specific set of content from columns in a database row.

All fingerprinted-content blades are considered custom content blades because you must define the set of files or database rows and columns to be fingerprinted.

File Fingerprinted-Content Blades

A file fingerprinted-content blade is the encapsulated set of fingerprints (hash values) that can detect complete copies of a file or copies of sections of content from a file.

You can create two types of file fingerprints. Full and partial text fingerprints are intended to detect a match to all or part of the text in a fingerprinted file. Full binary fingerprints are intended to detect a complete file copy.

Full and Partial Text Fingerprinting

With full and partial text fingerprinting, fingerprints (hash values) are created for all and sections of the text in each file in file shares or directories you specify, and all of these fingerprints are encapsulated into a single fingerprinted-content blade.

136 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

This feature is intended for fingerprinting text-centric files—plain-text files, source code, and formatted-text files like Microsoft Word and Adobe PDF documents. By design, you cannot create text fingerprints of files with no readable text—compiled programs, ISO images, or graphics. Full-text fingerprints match complete file copies, while partial-text fingerprints match copies of a section of file content.

Partial-text fingerprints are designed to match an exact copy of about one-half of a page of text. More precisely, these fingerprints will match a scanned document or transmission if it contains 720 or more contiguous characters identical to contiguous characters in the fingerprinted file. If a fingerprinted file contains fewer than 325 contiguous characters, a complete duplicate of the file must be found to produce a match.

A policy using this type of file fingerprinted-content blade will compare the full-text and partial-text fingerprints to hash values of the text content of scanned documents and transmissions, and will detect exact copies of the complete fingerprinted file as well as exact copies of sections of each file. Scanned content that is not an exact copy of the file or file content will not match the fingerprints.

For example, suppose a company is preparing a marketing campaign for a new product and wants to detect and protect related marketing materials. A file share exists in a known location that contains all of the written marketing materials.

The company can create full and partial text file fingerprints of these marketing documents, and use the fingerprints to detect and prevent unauthorized copying and transmission of the documents and document content.

Figure 6 and Figure 7 illustrate how hash values are created for full-text and partial-text file fingerprints.

Figure 6 Full-text file fingerprinting

Chapter 6: Defining Sensitive Content 137 RSA DLP 9.6 Network User Guide

Figure 7 Partial-text file fingerprinting

The policy that uses this file fingerprinted-content blade will match scanned documents and transmissions that include all or part of the text content of the fingerprinted marketing documents.

Full Binary Fingerprinting

With full binary fingerprinting, fingerprints (hash values) are created based on the binary content of each file in file shares or directories you specify, and all of these fingerprints are encapsulated into a single fingerprinted-content blade

This feature is intended for fingerprinting whole text-based and non-text files. You must use it to create fingerprints of files that include no readable text such as compiled programs, ISO images, graphics, and photos. Full binary fingerprints match only complete file copies.

A policy using this type of file fingerprinted-content blade will compare its fingerprints to hash values of whole documents and transmissions, and will match complete exact copies of each fingerprinted file. It will not match image and graphic copies modified by operations such as resizing or color enhancement.

For example, suppose a company wants to protect compiled source code that is stored as ISO images. A file share exists in a known location that contains all of the ISO images.

The company can create full binary file fingerprints for all of the stored ISO images, and use the fingerprints to detect and prevent unauthorized copying and transmission of the images. (Note that if the file share includes text-based readme files or release notes or graphical image files, binary fingerprints are also created for them).

138 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Figure 8 illustrates how hash values are created for full-binary file fingerprints.

Figure 8 Full binary file fingerprinting

The policy that uses this file fingerprinted-content blade will detect scanned documents and transmissions that exactly match the fingerprinted files.

Database Fingerprinted-Content Blades

A database fingerprinted-content blade is the encapsulated set of fingerprints, or row-related hash values, that can be used to detect a content match to a specified combination of column content stored in a database row. The hash values are created by running a hash function against the content of all or selected columns of table rows in a database.

Fingerprint matches to a database fingerprinted-content blade are determined by comparing its row-related fingerprints to hash values derived from the text content of scanned documents and transmissions. A document or transmission that contains the required combination of column content from any single fingerprinted database row will be flagged as a match.

For example, suppose a hospital wants to detect and protect the personal data of its patients. A patient database exists in a known location and contains each patient name, Social Security Number, and other information in a single table row. Figure 9 illustrates the database.

Figure 9 Example table for database fingerprint creation

The company can create fingerprints for only the content of columns containing the patient name and Social Security Number, or for these required columns and optional columns that may provide more precise match criteria.

Chapter 6: Defining Sensitive Content 139 RSA DLP 9.6 Network User Guide

The policy that uses this fingerprinted-content blade will match scanned documents and transmissions that include the content of all required and optionally-required columns from any single database row. In the example of Figure 9, if the first three fingerprinted columns were required for a match to occur, content analysis of the following three lines would yield the results shown.

In this way, the sensitive information about each individual patient can be detected and protected from unauthorized copying and transmission.

Fingerprint Crawlers

To create a fingerprinted-content blade, you configure and run a fingerprint crawler.

A successful run of a fingerprint crawler: • Creates fingerprints of (hash values that uniquely identify) document or database content it finds in the location you specify, using the fingerprint-type parameters for file or database column content that you specify. • Sends the fingerprints to Enterprise Manager. • Enables a fingerprinted-content blade that includes the fingerprints.

Note: By default, a fingerprinted-content blade is created in a disabled state when its associated fingerprint crawler is created, and is automatically enabled after a successful run of the fingerprint crawler. You cannot manually disable or enable it.

There is a one-to-one correlation between a fingerprint crawler, the set of fingerprints it produces, and the fingerprinted-content blade created automatically using the fingerprints. Each successful run of a fingerprint crawler produces one set of fingerprint hash values that is included in one fingerprinted-content blade.

Types of Fingerprint Crawlers

RSA DLP supports two types of fingerprint crawlers.

File crawlers create fingerprints of all and parts of files stored in file shares and directories that you specify. You should create separate file crawlers to fingerprint different types of sensitive content. For example, for a software product under development, you may create one file crawler to fingerprint source code, another to fingerprint product design documents, and another to fingerprint marketing materials for the product.

140 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Database crawlers create fingerprints of table column content in databases stored by Microsoft SQL Server, Oracle, and IBM DB2 for Linux, UNIX and Windows. They can also fingerprint data stored in uniformly-organized data files such as csv (comma-separated-value) files. To connect to and get data from csv files, a database crawler uses Microsoft ADO (ActiveX Data Object) features.

You should configure one database crawler to fingerprint the content of each database you want to fingerprint. Each database crawler can define one query or one stored procedure to find content to fingerprint in the specified database. You should create separate queries, and therefore separate crawlers, for each potential data combination you want to detect in documents and transmissions.

Requirements for Crawler Configuration

When configuring a crawler, use the following guidelines: • Setup of RSA DLP Datacenter, including configuration of an Enterprise Coordinator and Site Coordinator, is a prerequisite to using crawler functionality. • The Enterprise Manager, Enterprise Coordinator, and Site Coordinator must have network connectivity and must be able to communicate with each other to send and receive fingerprint crawl requests, crawl statuses, and crawl results. • The Site Coordinator, which is the host that runs the crawler, must be able to access the data sources you want to fingerprint. • The Enterprise Coordinator and the Site Coordinator that hosts a database crawler must have the appropriate Microsoft SQL Server, Oracle, or IBM DB2 client software installed to access the database sources. See the installation chapter of RSA DLP Datacenter Deployment Guide for instructions. • The user ID used by the crawler to access the data sources on their host machine must have at least read permission to the source files or database.

Managing the Total Size of Fingerprints

One of two default limits applies to the maximum size of all fingerprints that can be deployed to DLP components: •20MB: Maximum that can be deployed to endpoint agents used by DLP Endpoint or discovery agents used by DLP Datacenter. •2GB: Maximum that can be deployed to DLP Datacenter grid workers or DLP Network.

Enterprise Manager tracks the total fingerprint size as you add and update fingerprinted-content blades by running and re-running fingerprint crawlers. New or updated fingerprints for a content blade will or will not be deployed depending on (1) how the size of fingerprints in the blade will affect the total fingerprint size and (2) the DLP components to which the fingerprints will be deployed.

Chapter 6: Defining Sensitive Content 141 RSA DLP 9.6 Network User Guide

If the new fingerprints for a content blade intended for deployment to DLP Endpoint endpoint agents or DLP Datacenter discovery agents will increase the total fingerprint size beyond the defined maximum (20MB by default), the Content Blade Manager will display a warning message and: • For DLP Endpoint: No new or updated fingerprints will be deployed to the endpoint agents. Fingerprint analysis continues but only with previously-deployed fingerprints. • For DLP Datacenter: No new or updated fingerprints will be deployed to the discovery agents when the next agent scan is initiated.

If the new fingerprints for a content blade intended for use by DLP Datacenter grid workers or DLP Network will increase the total fingerprint size beyond the defined maximum (2GB by default), the Content Blade Manager will display a warning message and: • For DLP Network: The new fingerprints will be deployed to the Network devices and fingerprint analysis will continue. However, performance may be affected because the maximum supported fingerprint size is exceeded. • For DLP Datacenter: No fingerprints will be deployed to the grid workers when the next grid scan is initiated. Fingerprint analysis will produce no matches, because there will be no fingerprints to match.

To avoid exceeding the size limits, fingerprint the smallest amount of critical data possible to get the fingerprints you need to match and protect sensitive content.

To correct fingerprint deployment problems and remove warnings after the size limits are exceeded, reduce the total fingerprint size below the maximum by deleting fingerprinted-content blades, which deletes the fingerprints associated with the blades.

Updating Fingerprinted-Content Blades Automatically

You can schedule periodic runs of fingerprint crawlers to automatically update fingerprints for sensitive file and database content. Periodic crawls automatically update the associated fingerprinted-content blade.

Setting up a regular crawler schedule is critical for keeping associated fingerprints up-to-date in situations where the files or database content you want to protect will be updated over time.

For how to set up a crawler schedule, see “E. Schedule file crawls” on page 167 for file crawlers and “F. Schedule database crawls” on page 172 for database crawlers.

142 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

About Whitelisting for Fingerprinted-Content Blades

Whitelisting is a technique that enables you to exclude all or parts of data from being identified or matched when you run a data scan that uses a fingerprinted content blade created to identify sensitive content stored in your enterprise. However, whitelisting can be configured only with file crawlers, and cannot be configured with database crawlers.

Using RSA DLP, you can configure the fingerprinted-content blades to detect whitelisted content and exclude it from creating violation. For example, your organization is working on the next release of a highly-competitive product. And, you want to ensure that the internal assets such as confidential documents and presentations related to the new release are not compromised. So, the organization decides to fingerprint these documents so that the a violation is created in the event of a security breach. However, you might have certain standard company information such as disclaimer information that you want to exclude from creating violations. In such an instance, you can whitelist the company disclaimer content so that it is removed from the fingerprinted content and is not matched during file scans.

A whitelist is a set of plain text snippets that is removed from sensitive files that you want to fingerprint. This is done prior to hashing the sensitive files at the time of the crawl. The sensitive files themselves are not modified in this process. The resulting fingerprints or hash values are unique numeric representations of files or text content that already excludes the content that you want to whitelist. This allows organizations to identify trusted and secure information and exclude the whitelisted content from creating events or incidents when someone tries to store, copy, or email.

Each whitelist matches only an exact copy of the content from which it is derived. The whitelisted text must exactly match the content in the sensitive files (other than capitalization and whitespace), else the whitelisted text is not be recognized and removed from the sensitive content. This can lead to false positives.

After configuring a whitelist, you must run the fingerprint crawler. This enables the whitelist with the fingerprinted-content blades.

For instructions to configure whitelist for file crawlers, see “Configuring Whitelist for File Crawlers” on page 173.

Working With Content Blades

You can use Enterprise Manager to enable/disable, view, edit, or delete an existing blade, and you can also create two different types of content blade.

Chapter 6: Defining Sensitive Content 143 RSA DLP 9.6 Network User Guide

Managing Existing Content Blades

You can use the Content Blade Manager to view, edit, or create both described-content blades and fingerprinted-content blades. To access the Content Blade Manager, click the Policies tab and then select Content Blade Manager from the Content Blades menu near the top of the page. The Content Blade Manager page (Figure 10) appears.

Figure 10 Content Blade Manager Page

Custom, Fingerprinted, Expert, and Template Blades

The page includes four lists: • Custom Content Blades lists the described-content blades ( ) that your organization has created, either from scratch or by customizing a content-blade template.

• Fingerprinted Content Blades lists the file fingerprinted-content blades ( ) and database fingerprinted-content blades ( ) that your organization has created. • Template Content Blades lists special editable described-content blades that RSA provides with RSA DLP. You can customize a template blade to detect organization-specific or industry-specific terms, then save it as the same template or else rename it and save it as a custom content blade. Note that you can re-sort the list of template blades to be displayed by industry, region, or name (or leave them un-grouped). • Expert Content Blades lists the described-content blades created by RSA Knowledge Engineering. Expert content blades typically target specific kinds of sensitive content (such as PCI or PII), and are grouped into specified categories.

144 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

You can add these content blades to policies that you create or customize, but you cannot view or customize their details. Note that, within their categories (such as Banking & Financial Services), the expert content blades are further collected into groups (such as Credit Card Number by Issuer). In such a case, click the underlined group title or the expand/ collapse icon ( ) beside it to reveal the individual blades:

Note: For more information on each of the expert content blades provided with RSA DLP, see RSA DLP Policy Guide.

You add content blades to a policy when you are creating or editing the policy; see “Creating or Editing a Policy” on page 197.

To enable or disable a content blade 1. Display the name of the individual content blade on the Content Blade Manager page: a. For a custom content blade or template content blade, simply click the Enabled or Disabled link in that blade’s row:

b. For an expert content blade, first open its group, then click the Enabled or Disabled link in the desired blade’s row:

Chapter 6: Defining Sensitive Content 145 RSA DLP 9.6 Network User Guide

A drop-down list appears:

2. Select the desired state from the drop-down list.

Note: You cannot enable or disable a fingerprinted-content blade. By default, a fingerprinted-content blade is created in a disabled state when its associated fingerprint crawler is created, and is automatically enabled after a successful run of the fingerprint crawler.

You can also enable or disable a custom content blade from its details page; see “To view a custom or template content blade” on page 147.

An enabled content blade must be explicitly added to a policy before it can be used by the policy (see “Specify content blades” on page 198).

Important: Exercise caution when disabling a blade, because this action disables its use in all policies, including active policies in which you expect it to function.

To delete a content blade • Custom blade. You can delete any of the custom content blades that you have created,. On the Content Blade Manager page, click the Delete icon ( ) in that blade’s row.

Important: You cannot delete a content blade that is currently in use by an active policy. You must first either delete the policy or edit it to remove the content blade, and then delete the content blade.

• Template blade. You can also delete template content blades. click the Delete icon ( ) in that blade’s row. Note that, if you delete a template content blade when the blades are displayed in categories (for example, by Industry), the blade that you delete will be removed from all categories that it is part of, not just the one from which you deleted it. • Fingerprinted blade. To permanently delete a fingerprinted-content blade, you must also either delete the blade’s associated fingerprint crawler (see “To delete a fingerprint crawler” on page 162) or stop future runs of the crawler (see “E. Schedule file crawls” on page 167 for file crawlers or “F. Schedule database crawls” on page 172 for database crawlers). • Expert blade. You cannot delete an expert content blade.

146 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

To view a custom or template content blade

You can view the details of any template described-content blade or any of the custom described-content blades that you have created. 1. In the Custom Content Blades or Template Content Blades lists on the Content Blade Manager page, click the name of the content blade that you want to view. The View Described-Content Blade page appears:

2. Note the content blade’s name, description, and rule sets. 3. To enable or disable the blade, select the Enabled or Disabled button.

Important: Exercise caution when disabling a blade, because this action disables its use in all policies, including in active policies in which you expect it to function.

An enabled content blade must be explicitly added to a policy before it can be used by the policy (see “Specify content blades” on page 198). 4. To edit the content blade, click Edit. The New / Edit Described Content Blade page appears. 5. Edit the content blade’s fields in the same manner as when creating a new content blade; see “Creating or Editing a Described-Content Blade” on page 150.

To view information about a fingerprinted-content blade 1. In the lower part of the Custom Content Blades list on the Content Blade Manager page, note the name of the fingerprinted-content blade that you want to view:

2. Note that none of this information is editable, and there is no link to view the blade, as there is for a described-content blade. To edit the blade name or

Chapter 6: Defining Sensitive Content 147 RSA DLP 9.6 Network User Guide

description, you must edit the fingerprint crawler that created the blade. Follow instructions in “Managing Existing Fingerprint Crawlers” on page 159. 3. Note that Enabled and Disabled selections are not available. You cannot enable or disable a fingerprinted-content blade. By default, a fingerprinted-content blade is created in a disabled state when its associated fingerprint crawler is created, and is automatically enabled after a successful run of the fingerprint crawler. 4. Note the total size of all fingerprinted-content blades 5. Click more info to see basic history and configuration information about the fingerprinted-content blade:

– Last Successful Run. The last time this fingerprint blade’s crawler was run. –Match Type. The kind of fingerprint blade this is (File or Database). – Fingerprint size. The total size of the fingerprints in this fingerprint blade.

To create a new content blade

To create a new described-content blade: 1. Take either of these steps: a. Near the top of the Content Blade Manager page, click New Described Content Blade. The New / Edit Described Content Blade page appears. b. Double-click the name of a template content blade, then click Edit on the View Described Content Blade page. The New / Edit Described Content Blade page appears 2. Fill in the information as described under “Creating or Editing a Described-Content Blade” (next).

To create a new fingerprinted-content blade:

A fingerprinted-content blade is created automatically by a successful run of its associated fingerprint crawler.

To create a fingerprinted-content blade, navigate to Admin > Settings > Fingerprint Crawler Manager and follow instructions described in “Creating or Editing a File Crawler” on page 163 or “Creating or Editing a Database Crawler” on page 168.

After you have created and run a fingerprint crawler, its associated content blade appears in the Content Blade Manager as a custom content blade.

148 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

To disable exact match counting for a content blade

By default, every countable match to an active content blade is counted during the content analysis of a file or transmission, in an unlimited fashion. If the file or transmission contains many matches, counting all of them may impact performance.

To avoid performance impact, if you are not required to find and count every match, you can disable exact match counting for all or individual active content blades: 1. Navigate to Policies > Content Blades > Content Blade Advanced Settings. The Content Blade Advanced Settings page appears:

2. Click Edit. The page changes to allow editing. 3. To disable exact match counting for all active content blades: Select Disabled, then click Save. Exact match counting is disabled completely, for all content blades, regardless of the settings for individual blades. 4. To disable exact match counting for one or several active content blades: a. Ensure that Enabled is selected, so that the blades you do not disable remain enabled.

Chapter 6: Defining Sensitive Content 149 RSA DLP 9.6 Network User Guide

b. Click List Content Blades. The page changes to list the content blades that support exact match counting. A check alongside a blade name indicates that exact match counting is enabled for the blade.

c. Unselect the content blades that you want to disable for exact match counting. d. Click Save. Exact match counting is disabled for the unselected content blades, and enabled only for the selected content blades.

Creating or Editing a Described-Content Blade

A described-content blade uses words and pattern-matching to identify sensitive content. For an overview, see “About Sensitive Content and Content Blades” on page 125.

You use the New / Edit Described Content Blade page to create a new described-content blade or edit an existing one. You reach this page by • clicking New Described Content Blade on the Content Blade Manager page (Figure 10 on page 144). • clicking New Described Content Blade in the content blades and severity-scale section of the New / Edit Policy page (see “Specify content blades” on page 198). (In this case, the page opens in a separate window.)

150 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

• clicking the Edit button when viewing an existing custom content blade (see “To view a custom or template content blade” on page 147).

Take the following steps to create or edit the described-content blade.

A. Fill in the summary

1. (Required) Enter a name for the blade in the Blade Name field. The name can contain letters (including accented letters), numbers, spaces, and underscores. It cannot include any of the following special characters: !@#$%^&*()+=-[]\';,./{}|\":<>? 2. (Optional) Describe the purpose or features of the blade in the Description field. 3. For This blade is, select a button to specify the state of this blade: – Enabled. The content blade is available for use in a policy. (You must still explicitly add it to the policy for it to be used; see “Specify content blades” on page 198). –Disabled. The content blade is not available for use in any policy.

Important: Exercise caution when disabling a content blade. Disabling a blade that is in use by a policy effectively removes that blade from the policy and can render the policy useless.

4. Select one or more of the checkboxes to specify which document or email parts you want this content blade to analyze for sensitive content: –Body. For a document, examine the body text. For an email message, examine the body text and the text in the From, To, Cc, Bcc, Date and Subject email headers. (By default, only this box is checked.) –Header. Examine page headers (for documents that have headers). –Footer. Examine page footers (for documents that have footers). – Metadata. Examine document metadata (such as author, title, keywords; for documents that have metadata fields). Note that configuring DLP to analyze parts of a document other than the body text can be complex. See “Detection in Document Headers, Footers, and Metadata” on page 132 for additional background.

Chapter 6: Defining Sensitive Content 151 RSA DLP 9.6 Network User Guide

B. Create a required rule set

In this area, you define one or more detection rules that must be matched in a document or transmission for its content to be considered sensitive. 1. In the Type and associated Value field, specify the detection technique to use in this rule. Depending on the rule type you choose, you either enter or select the value(s) that you want: – Words and Phrases. Enter a comma-separated list of individual words or phrases to look for in the content being analyzed. For example, in a content blade that detects confidential company product information, the keyword list might include project code names, version numbers, or trademark names. This field can hold up to 2000 characters. –Entity. Choose from the list of available entities (RSA-created software routines that algorithmically identify sensitive content), such as Social Security number or credit card number. Entities are more sophisticated and accurate at identifying certain classes of sensitive content than are regular expressions. – Expression from Library. Choose a regular expression provided by RSA or one that you created and stored in the Regular Expression Manager (see “Using the Regular Expression Manager” on page 183). Regular expressions are highly flexible in detecting content (such as account numbers or employee IDs) that follows a pattern. – New Regular Expression. Enter a regular expression directly into the Value field. If you want to test the expression first, click the Test Regular Expression link at the bottom of this page (see “D. Specify other settings” on page 155). –Dictionary. Choose a dictionary (a saved list of keywords) to use for detection. You can use an RSA-supplied dictionary or one that you have earlier created and saved; see “Managing Dictionaries” on page 174. 2. If the Type you just selected is either a regular expression or an entity, the Add Exclusion link appears beside the rule.

a. Click the link if you want to specify a particular value that should be excluded from content analysis. For example, if this rule uses a regular expression to detect a ten-digit account-number, you might enter 000-000-0000 as an

152 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

exception, if that value is commonly used as a test or dummy account value. Using this feature can help you avoid false-positive matches

Note: This value can be a regular expression.

b. Click the Add Exclusion link again if you want to add another exclusion. c. Click the Delete icon ( ) beside the Exclude field if you want to remove an exclusion. 3. In the Weight field, enter a value that specifies how heavily this rule should be counted compared to other rules in this rule set or other rule sets. The weight contributes to the final risk factor of a document or transmission being analyzed; see “Weight, Score, Count, and Risk Factor” on page 128. 4. In the Max Score field, enter a value for the maximum contribution to a document’s score that this rule is allowed to produce. A rule’s score equals its weight times the number of matches that occur in a document: if the weight is five and the maximum score is 1000, 200 matches to that rule in a given document will yield a score of 1000, and 201 or more matches will still yield a score of 1000. Defining a reasonable value for maximum score prevents one document with an extremely high score from depressing the apparent risk of other sensitive documents. See “Weight, Score, Count, and Risk Factor” on page 128.

Note: The maximum permitted value for Max Score is 10,000.

5. Select the Count item checkbox if you want this rule’s risk factor to be based solely on the number of matches that occur in a document, instead of on a calculated score (which involves weight and maximum score as well as number of matches). See “Weight, Score, Count, and Risk Factor” on page 128.

Note: Normally, you would use only one count-based rule per content blade, unless you have two rules that describe the same general kind of item (such as separate rules for formatted and unformatted versions of an account number, for example).

6. Click the Delete icon ( ) on the right if you want to remove this rule from the blade. (If this is the only rule in the required rule set, deleting it means that the blade must include at least one rule in the optional rule set.)

7. Click the Add button ( ) if you want to add another rule to the Must Occur rule set:

Chapter 6: Defining Sensitive Content 153 RSA DLP 9.6 Network User Guide

8. Fill out each additional required rule with the same process you used for the first.

Note: Each additional rule is logically an AND, which means that all the required rules must be matched for the overall rule set to be matched.

C. Create an optional rule set

In this area, you create a “May Occur” rule set—you define one or more detection rules that, if matched, can contribute to the overall score during content analysis of a document or transmission, but are not individually required to be matched. 1. In the Minimum required field, enter a number from 0 to the number of rules you define for this rule set. (You may need to define your rules before you know what number to enter here.) This field exists because, although no individual rule that you define in this rule set is required to be matched, you can require that some minimum number of them must be matched for any matches to count. 2. Fill in the Type, Value, Add Exclusion, Weight, and Max Score fields exactly as you do for the required rule set (see “B. Create a required rule set” on page 152).

3. Click the Add button ( ). to add another optional rule:

4. Fill out each additional optional rule with the same process you used for the first.

Note: Each additional rule in the “May Occur” rule set is logically an OR, which means that any optional rule that is matched will count toward the document score (as long as the required minimum number of rules are matched).

154 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

D. Specify other settings

This area includes fields that are global to the “Must Occur” and “May Occur” rule sets, plus links that allow you to add additional rule sets or test regular expressions. 1. In the Proximity field, enter a value (in characters) that describes a window within which all rule matches must occur if they are to be considered valid matches. If, for example, you enter a value of 500 and two rules in your required rule set are matched but the matches occur in locations separated by 600 characters, no match is considered to have occurred. See “Proximity” on page 130. 2. Minimum Score. Enter a number that represents the minimum document score (sum of all weighted matches for all rules) that must occur during content analysis for this content blade to be considered to have been matched. See “Weight, Score, Count, and Risk Factor” on page 128 for further explanation. 3. Test/Save Regular Expression. If you are creating a regular expression to enter as the value of a rule (see “B. Create a required rule set” on page 152), you can optionally test it by clicking the Test Regular Expression link. The Test/Save Regular Expression dialog box opens:

a. In the Enter Regular Expression field, enter the expression that you intend to use in a rule in this content blade. b. Optionally click Validate to verify that what you entered is a valid regular expression. You will receive an error message if it is not.

Chapter 6: Defining Sensitive Content 155 RSA DLP 9.6 Network User Guide

c. In the To test the expression above... field, enter or paste in some test text that includes the kind of content that your regular expression is meant to detect. d. Click Test to apply your regular expression to the test text. Portions of the text that the expression matches are highlighted. If you want to save this expression to the Regular Expression Manager (see “Using the Regular Expression Manager” on page 183), so that you can later apply it to other rules or content blades, do the following: a. Enter a name for the expression into the Name field. b. Optionally describe its purpose in the Description field. c. Click Save to save the expression to the Regular Expression Manager and close the dialog box. (Click Cancel to close the The Test/Save Regular Expression dialog box without saving your expression.) 4. Click the Advanced Options link to add more rule sets to your content blade.(Note that these options are not commonly used.) The two following links appear: Add Rule Set: May Occur a. Click this link to add a second optional rule set to the content blade:

Creating an additional optional rule set allows you to specify different weights, maximum scores, minimum required values, and so on, for different optional rules. b. Fill in the fields of this rule set exactly as you do for the first optional rule set (see “C. Create an optional rule set” on page 154). (Click the Delete Set link if you want to delete the added rule set.) c. If desired, click Add Rule Set: May Occur again to create another optional rule set.

156 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Add Rule Set: Should Not Occur a. Click this link to add a “negative-match” rule set to this content blade:

Matches to this rule set count against the document score generated by the other rule sets. If the document score based on this rule set is greater than the document score based on the other (positive) rule sets, the document is not matched. See “Weight, Score, Count, and Risk Factor” on page 128.

Note: If you create a Should Not Occur rule set, the content blade must also contain at least one Must Occur or May Occur rule set.

b. Fill in the Minimum required, Type, Value, Weight, and Max Score fields just as you would for a May Occur rule set (see “C. Create an optional rule set” on page 154), except remember that you are describing content that should not appear. c. Fill in the Proximity and Minimum Score fields just as you do for the blade as a whole (see “D. Specify other settings” on page 155). (In this sense, the negative-match rule set functions as an entire content blade, to be weighed against the “positive” portions of the blade.)

d. Click the Add button ( ) to add another Should Not Occur rule. Note that each additional rule is logically an OR, which means that any rule that is matched will count toward the “negative” document score (as long as the required minimum number of rules are matched). (Click the Delete icon ( ) beside an individual rule if you want to remove it.) e. Click the Delete Set link if you want to delete the entire Should Not Occur rule set. f. If desired, click Add Rule Set: Should Not Occur again to create another Should Not Occur rule set.

Chapter 6: Defining Sensitive Content 157 RSA DLP 9.6 Network User Guide

E. Save the content blade

1. In either the top or bottom toolbar, click Save to save the new described-content blade. (A new content blade does not exist until you click the Save button.) The blade now appears in the Content Blades list on the Content Blade Manager page (Figure 10 on page 144).

Note: You can click the Save button at any time. If the content blade is incomplete, it is nonetheless saved and you can later complete it by editing it; see “To view a custom or template content blade” on page 147. (Be sure to disable a partially completed blade when you save it.)

2. Click Save As to save this described-content blade under another name. (Click Cancel to stop creating or editing this content blade.)

Creating or Editing a Fingerprinted-Content Blade

A fingerprinted-content blade is created automatically by its associated fingerprint crawler. To create or modify a fingerprinted-content blade, you must create or edit and then run its fingerprint crawler: 1. Navigate to Admin > Settings > Fingerprint Crawler Manager. 2. Near the top or bottom of the Fingerprint Crawler Manager page, select New Crawler and then New File Crawler or New Database Crawler. The appropriate new crawler page appears. 3. Fill in the information as described under “Creating or Editing a File Crawler” on page 163 or “Creating or Editing a Database Crawler” on page 168. 4. Run the fingerprint crawler as explained in “G. Run the file crawler” on page 167 or “H. Run the database crawler” on page 173.

After you create a fingerprint crawler, its associated content blade appears in the Content Blade Manager as a custom content blade, initially in a disabled state. A successful run of the fingerprint crawler is required to enable the blade.

158 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Working With Fingerprint Crawlers

A successful run of a fingerprint crawler automatically creates or updates its associated fingerprinted-content blade. Therefore, to create or modify a fingerprinted-content blade, you create or edit and then run its fingerprint crawler.

You use Enterprise Manager to create, view, edit, run, or delete a fingerprint crawler.

Managing Existing Fingerprint Crawlers

You can use the Fingerprint Crawler Manager to view, edit, run, or delete an existing fingerprint crawler. To access the Fingerprint Crawler Manager, click the Admin tab and then select Fingerprint Crawler Manager from the Settings menu near the top of the page. The Fingerprint Crawler Manager page (Figure 11) appears.

Figure 11 Fingerprint Crawler Manager

Features of the Fingerprint Crawler Manager page

The page provides information about each existing fingerprint crawler: • Crawler Name. The name of the fingerprint crawler. •Type. Icons indicate the type of fingerprints created by the fingerprint crawler:

– File. The crawler creates full and partial text fingerprints of plain-text and formatted-text files, or full binary fingerprints of complete files, or both

– Database. The crawler creates fingerprints of all or specified parts of the content of a database • Description. An explanation of the features or purpose of the fingerprint crawler.

Chapter 6: Defining Sensitive Content 159 RSA DLP 9.6 Network User Guide

•Last Run. The date and time of the last crawl done by the fingerprint crawler. • Status. The current status of the crawler or a crawl:

Crawler Status Explanation

Completed A crawl has finished without problems, but may or may not have generated fingerprints.

Configuring The crawler is being configured, either because it is new or was edited.

Failed Configuration of the crawler has failed.

Failed Run The crawler encountered an unexpected error.

Ready The crawler is ready to run.

Running The crawler is actively running.

Waiting The crawler is in the process of being run by the Enterprise Coordinator (a pre-cursor to the Running state).

• more info. Opens a pop-up providing detailed information about the most recent run of the file or database fingerprint crawler:

Status Detail Explanation

Crawler Status The current status of the crawler. See the Status section above for a list of statuses and their explanations.

Last Run Start Time The date and time of the most recent start and completion of a run of Last Run End Time this crawler.

Elapsed Time Duration of the crawler run, from start to completion.

Crawler Type File or Database; the type of fingerprints created by the crawler. See the Type section above for more information.

160 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Status Detail Explanation

Files Filtered from For a file crawler, the number of files excluded from fingerprinting, Fingerprint based on criteria specified in the crawler definition. For more information, see “D. Specify content subsets to include and exclude” on page 165.

Directories Filtered For a file crawler, the number of directories excluded from from Fingerprint fingerprinting based on criteria specified in the crawler definition. For more information, see “D. Specify content subsets to include and exclude” on page 165.

Inaccessible Paths For a file crawler, the number of paths specified for fingerprinting that the crawler could not access. The files in these paths were not fingerprinted.

Number of Fingerprint For a file crawler, the number of errors encountered during the Generation Errors crawl. Errors such as these are counted: Unable to open a file, unable to open a password-protected file, and file type is unsupported for fingerprinting.

Rows Fingerprinted For a database crawler, the total number of rows fingerprinted in the specified database table.

Rows Unable to For a database crawler, the number of rows that should have been Fingerprint but were not fingerprinted. Errors such as these are counted: Binary data encountered (only text data in a database can be fingerprinted), connection to the database was lost.

• Run Now. Click to manually start a run of the crawler. •Stop. Click to manually stop a running crawl. The option is selectable only while a crawl is running. •Delete. Delete the fingerprint crawler. Deleting a fingerprint crawler deletes only the crawler, and does not delete its associated fingerprinted-content blade. The content blade can continue to be used in policies until you delete it.

To view a fingerprint crawler 1. You can view the details of any fingerprint crawler that you created. On the Fingerprint Crawler Manager page, click the name of the fingerprint crawler that you want to view. The Crawler Configuration - New/Edit page appears (see “Creating or Editing a File Crawler” on page 163 or “Creating or Editing a Database Crawler” on page 168). 2. To edit the fingerprint crawler, click Edit. Edit the fingerprint crawler’s fields in the same manner as when creating a new fingerprint crawler; see “Creating or Editing a File Crawler” on page 163 or “Creating or Editing a Database Crawler” on page 168.

Note: You cannot edit the name of a crawler once it has been created.

Chapter 6: Defining Sensitive Content 161 RSA DLP 9.6 Network User Guide

3. To run the crawler manually, click Run Crawler Now. The Status column for the crawler on the Fingerprint Crawler Manager page is updated to show that the crawler is running. 4. Click Cancel to close the Crawler Confirmation - New/Edit page.

To run a fingerprint crawler • On the Fingerprint Crawler Manager page, click Run Now in that crawler’s row. The Status column for the crawler is updated to show that it is running.

You can also start a run of a fingerprint crawler from its details page; see “Managing Existing Fingerprint Crawlers” on page 159.

Note: A successful run of a fingerprint crawler automatically creates or updates its associated fingerprinted-content blade. The blade appears in the Content Blade Manager as a fingerprinted content blade.

To create a new fingerprint crawler 1. Near the top of the Fingerprint Crawler Manager page, select New Crawler and then New File Crawler or New Database Crawler. The appropriate new crawler page appears. 2. Fill in the information as described under “Creating or Editing a File Crawler” (next) or “Creating or Editing a Database Crawler” on page 168.

To delete a fingerprint crawler • You can delete any of the fingerprint crawlers that you have created. On the Fingerprint Crawler Manager page, click the Delete icon ( ) in that crawler’s row.

Note: This operation deletes the fingerprint crawler only, and does not delete its associated fingerprinted-content blade. The content blade can continue to be used in policies until you delete it.

To configure crawlers globally with the Advanced tab

162 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

An alternative method for configuring fingerprint crawlers is to paste a complete, properly formatted XML configuration into the Advanced tab of the Global Crawler Settings popup.

Important: Use the Advanced tab only under instructions from RSA Technical Support or Professional Services.

1. Near the top of the Fingerprint Crawler Manager page, select Global Crawler Settings to make the Global Crawler Settings popup and its Advanced tab visible. 2. Paste the XML data into the tab field. 3. Click Save to save the XML data. 4. Re-run any existing fingerprint crawlers to update the blades that use the global crawler configuration settings. See “G. Run the file crawler” on page 167 and “H. Run the database crawler” on page 173.

Note that if you paste an XML configuration into the Advanced tab, that configuration overrides all other configuration settings that you have made for fingerprint crawlers.

Creating or Editing a File Crawler

A file crawler scans known sensitive content stored in file shares, directories, and files that you specify, and generates full and partial text fingerprints of file content, or a binary fingerprint of each entire file, or both. The fingerprints are sent to Enterprise Manager and encapsulated into a file fingerprinted-content blade that can be added to a policy to detect sensitive content. For an overview, see “About Fingerprinted-Content Blades” on page 135.

You use the Crawler Configuration - New/Edit page to create a new file crawler or edit an existing one. You reach this page by • selecting New Crawler and then New File Crawler on the Fingerprint Crawler Manager page • clicking the Edit button when viewing an existing file crawler on the Crawler Configuration - New/Edit page

Take the following steps to create or edit a file crawler.

A. Fill in the summary

Chapter 6: Defining Sensitive Content 163 RSA DLP 9.6 Network User Guide

1. (Required) In the Crawler Name field, enter a name for the file crawler. 2. (Required) In the Resulting Content Blade Name field, enter a name for the content blade that this file crawler will create. The name can be the same as or different from the name of the file crawler, and must not match the name of any existing custom content blade. The name can contain only unaccented letters (A–Z, a–z), numbers (0–9), and spaces. 3. (Optional) In the Description field, describe the purpose or features of this file crawler and its associated content blade.

B. Specify Site Coordinator and run-as credential

1. From the Run at Site drop-down list, select the Datacenter Site Coordinator that must be used to run the crawler. To create a user credential, click Admin > Users & Groups > Credentials. For more information, see “Creating or Editing a User Credential” on page 243. 2. From the Run as this user drop-down list, select the user credential that the crawler will use. This user must be a valid domain user in Site Coordinator domain. The user must have minimum full read permissions on all directories and files that you want the crawler to fingerprint. 3. (Optional) Click Validate User to verify that you entered a valid user name. (Note that this validation may not work if the user you entered is in a different domain from the Enterprise Coordinator).

C. Specify fingerprint types to create and paths to crawl

Specify the types of file fingerprints you want the crawler to create and complete UNC paths to the sensitive content you want to fingerprint. 1. For File Content Match, select one or both fingerprint types: – Full and Partial Text. The crawler will create fingerprints of all and parts of the text in text-centric files in the locations you specify in UNC Path fields (below). This option is intended to fingerprint text content in plain-text files, source code, and formatted-text files like Microsoft Word and Adobe PDF

164 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

documents. The associated content blade will detect exact text copies of all and parts of the fingerprinted files. – Full Binary. The crawler will create fingerprints of whole files in the locations you specify in Full UNC Path fields (below), based on their binary content and not their text content. This option fingerprints all files, both text and non-text, but must be used to create fingerprints of files that include no discernible text such as compiled programs, ISO images, and graphics or photos. The associated content blade will detect exact complete copies of the fingerprinted files. 2. (Optional) From the Default Credential drop-down list, select the default credential that the crawler will use to access all the specified UNC paths. The user must have full read privileges (specifically, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions) for the specified UNC paths. If you specify this default credential, you need not specify user credentials for individual paths (except those that the default user cannot access). For more information about how to create this user credential, see “Creating or Editing a User Credential” on page 243. 3. In the Full UNC Path field, enter one complete UNC path to a file share, directory, or file that you want to fingerprint. The crawler will create fingerprints for all files in the specified location for which it can create the type of fingerprints (Full and Partial Text, Full Binary, or both) you selected in the first step. 4. (Optional) From the Credential drop-down list, select the credential that the crawler will use for accessing the UNC path. These credentials will be used for this path instead of those of the default user (see the Default Credential field, above).

5. Click the Add button ( ) to add another UNC path with content to fingerprint (and optionally credentials). (Click the Delete icon ( ) beside a path to remove it and any entered credentials.)

D. Specify content subsets to include and exclude

Under Advanced Options, you specify the subdirectories and files to include in or exclude from fingerprinting, subordinate to the UNC Path field entries. If you specify nothing here, all content in the UNC paths you specified is fingerprinted. When multiple Advanced Options are used, the directory-based filters, Trailing Directory Name, and Full UNC Path take precedence over file-based filters, File Name, and File Extension, and the directory-based filter is executed first.

Chapter 6: Defining Sensitive Content 165 RSA DLP 9.6 Network User Guide

1. Select Include to include or Exclude to exclude subdirectories or files that match the other criteria you specify in the line.

Important: Specifying only Include lines limits fingerprinting to only the content that matches the include criteria. Specifying only Exclude lines reduces fingerprinting by the content subset that matches the exclude criteria. Specifying both Include and Exclude lines limits fingerprinting to the Include subset and then further reduces that subset by removing all Exclude matches from fingerprinting.

2. Under Type, select the item that describes the inclusion or exclusion you want to enable with this line: – File Extension. Include or exclude from fingerprinting all files with the file extension entered in the Value field. – File Name. Include or exclude from fingerprinting all files with the name entered in the Value field. – Trailing Directory Name. Include or exclude from fingerprinting all files in subdirectories with the name entered in the Value field. All directories and files in that subdirectory will be recursively included in or excluded from fingerprinting.

Important: To exclude a subdirectory when one of its higher level directories is included by a Trailing Directory Name line, you must exclude the subdirectory by its fully qualified name using a Full UNC Path line (next).

– Full UNC Path. Exclude from fingerprinting all files stored in the subdirectory defined in the Value field.

Note: This option automatically selects Exclude and disables the Include selection. To include additional UNC paths for fingerprinting, see “C. Specify fingerprint types to create and paths to crawl” on page 164.

3. Select RegEx if you want to enter a regular expression in the Value field. Use this option in combination with a Type selection to include or exclude all files and subdirectories with names or parts of names that match the regular expression. 4. In the Value field, depending on your other selections, enter a file extension (with no leading period), a file name, a subdirectory name, a full UNC path, or a regular expression to use as the match to trigger inclusion or exclusion of subdirectories or files.

5. Optionally click the Add button ( ) if you want to define other subdirectories or files to include in or exclude from fingerprinting.

166 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

E. Schedule file crawls

In this area, you optionally set up a schedule for runs of this crawler.

Important: You should set up a run schedule for a crawler if you expect new or modified content to be added over time to the sensitive content you want to fingerprint. Periodic crawls keep the crawler’s associated content blade up-to-date with the latest state of your sensitive content repository and ensure that your most recent sensitive content is fingerprinted and protected.

1. Click Schedule Crawler. The Schedule Crawler dialog box opens. 2. Specify the general frequency scale for the schedule (Daily, Weekly, Monthly, or Not Scheduled). 3. Depending on your selection, additional controls appear on the screen. Choose the specific subintervals or frequencies within the selected scale. 4. Specify the time of day at which to start each run of the crawler.

F. Save the file crawler

Click Save to save the crawler configuration.

G. Run the file crawler

Use one of these options to run the file crawler: • At the top or bottom of the Crawler Configuration - New/Edit page, click Run Crawler Now to run the file crawler. The button appears on the page after the crawler is created. • If Run Crawler Now does not appear on the page, return to the Fingerprint Crawler Manager page (select Admin > Settings > Fingerprint Crawler Manager), find the new file crawler in the list, wait for its status to change to Ready, and then click Run Crawler Now.

Important: To create or update a fingerprinted-content blade, you must successfully run its fingerprint crawler. After a successful crawl, the blade is created or updated automatically and appears in the Custom Content Blades section of the Content Blade Manager page (Figure 10 on page 144).

Chapter 6: Defining Sensitive Content 167 RSA DLP 9.6 Network User Guide

Creating or Editing a Database Crawler

A database crawler scans known sensitive content in a database and generates fingerprints of all or specified parts of the database. The fingerprints are sent to Enterprise Manager and encapsulated into a database fingerprinted-content blade that can be added to a policy to detect sensitive content. For an overview, see “About Fingerprinted-Content Blades” on page 135.

Note: RSA recommends that you install relevant operating system language packs if you are planning to fingerprint a database with data in non-English language.

You use the Crawler Configuration - New/Edit page to create a new database crawler or edit an existing one. You reach this page by • selecting New Crawler and then New Database Crawler on the Fingerprint Crawler Manager page • clicking the Edit button when viewing an existing database crawler on the Crawler Configuration - New/Edit page

Take the following steps to create or edit the database crawler.

A. Fill in the summary

1. (Required) In the Crawler Name field, enter a name for the database crawler. 2. (Required) In the Resulting Content Blade Name field, enter a name for the content blade that this database crawler will create. The name can be the same as or different from the name of the database crawler, and must not match the name of any existing custom content blade. The name can contain only unaccented letters (A–Z, a–z), numbers (0–9), and spaces. 3. (Optional) In the Description field, describe the purpose or features of this database crawler and its associated content blade.

168 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

B. Specify Site Coordinator and credentials

1. In the Run at Site field, select the Datacenter Site Coordinator to use to run the crawler. To create a user credential, click Admin > Users & Groups > Credentials. For more information, see “Creating or Editing a User Credential” on page 243. 2. From the Run as this user drop-down list, select the user credential that the crawler must use. This user must be a valid domain user in the Site Coordinator domain and must have minimum read permissions on all directories at the Datacenter site. 3. (Optional) Click Validate User to verify that you entered a valid user name. (Note that this validation may not work if the user you entered is in a different domain from the Enterprise Coordinator).

C. Specify database connection information

In this area, you specify the information required for the database crawler to connect to the database.

Note: This database crawler will not be able to connect to a database until the Microsoft SQL Server, Oracle, or IBM DB2 client software is installed on the Enterprise Coordinator machine and on the Site Coordinator machine that hosts the crawler. See the installation chapter of RSA DLP Datacenter Deployment Guide for instructions.

1. In the Database Connection String field, enter a database connection string to connect the Site Coordinator to the database. For valid string formats that connect

Chapter 6: Defining Sensitive Content 169 RSA DLP 9.6 Network User Guide

to Microsoft SQL Server, Oracle, and IBM DB2 databases, see “Database Connection Strings” on page 383.

Note: For security reasons, it is recommended that you do not include the credentials of the database user in the connection string. Because the connection string is stored as plain text, any password in the string is also stored as plain text. However, if you want to include credentials in the connection string you must provide a valid database username and password, and cannot mention a credential name that you have created on the Credentials page.

2. Specify the database user (must have at least read permission for the database): – Select Use “Run as user” credentials... if this scan group’s run-as user (specified in “B. Specify Site Coordinator and credentials” on page 169) is also the database user. – Select Select credentials to connect to database to specify a separate database user. And, from the Credential drop-down list, select the credential that must be used to connect to the database. (These credentials are encrypted and stored.)

Important: RSA recommends that the database administrator create a special database user for this purpose. The user should have read permission, but no higher privileges, on the database.

3. Click Validate Connection String to confirm that the database connection string and user credentials enable access to the database. This step is required before you can specify the database tables to fingerprint (see next). The validate operation returns a confirmation message if successful, and a message explaining the error cause if unsuccessful.

D. Specify database tables and columns to fingerprint

In this area, you enter the SQL database query or stored procedure that describes the table and columns to fingerprint in the specified database. 1. In the SQL Query (or stored procedure) field, enter a SQL query or specify a stored procedure for the database crawler to use to locate the database content you want to fingerprint. For example: – select * from CC_SSN_2007 instructs the crawler to fingerprint the content of all columns in the CC_SSN_2007 table in the database.

170 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Note: If you have a special character in the table name that you want to provide, you must provide the table name within square parentheses, [ ]. For example, if the table name is CCN-SSN, you must provide the SQL query as select * from [CCN-SSN].

– exec findImportantData instructs the crawler to run the findImportantData procedure stored with the database to find and then and fingerprint the content of all columns matched by the procedure. 2. Optionally, click Validate Query to confirm that the SQL query or stored procedure can access the specified database table and columns of data. The operation returns a confirmation message if successful, and a message explaining the error cause if unsuccessful.

Note: The database crawler has a cell-size limit of 64K. Any table cells with content over the 64K limit may produce unreliable results during the database crawl.

E. Specify column match criteria for content blade use

In this area, you specify how the fingerprinted-content blade created by the database crawler will determine if scanned document content is a match to the database fingerprints. • To require that the content of all fingerprinted columns in a database row be found in a document for the document to be a match, select Option 1. Note that if you entered a select * from statement in the SQL Query (or stored procedure) box to fingerprint the content of all columns in the specified database table, the content of all columns in a row must be found in a scanned document for that document to be a match. • To require that only a subset of the content of fingerprinted columns in a database row be found in a scanned document for the document to be a match, select Option 2, and then complete the fields that appear after the selection:

Chapter 6: Defining Sensitive Content 171 RSA DLP 9.6 Network User Guide

– Must Occur Columns (required). Enter a comma-separated list, with no spaces, of headers of fingerprinted columns that contain content that must be matched. The content of all of these required columns in the database row must occur in a document for the document to be a match. The list is case-insensitive. – May Occur Columns (optional). Cannot be modified. By default, all fingerprinted columns other than those specified as Must Occur Columns are classified as optional when determining a document match to fingerprints. When the content blade finds matches to optional columns, it increases the match weight assigned to the document. – Optional Columns Required. Enter the minimum number of optional fingerprinted columns with content that must be matched for a document to be considered a match. The content of at least this number of optional columns must be matched for a document to be a match to the content blade.

F. Schedule database crawls

In this area, you optionally set up a schedule for runs of this crawler.

G. Save the database crawler • Click Save to save the crawler configuration. (Click Cancel to close the Crawler Configuration - New/Edit page without creating the crawler or saving changes.

172 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

H. Run the database crawler

Use one of these options to run the database crawler: • At the top or bottom of the Crawler Configuration - New/Edit page, click Run Crawler Now to run the database crawler. The button appears on the page after the crawler is created. • If Run Crawler Now does not appear on the page, return to the Fingerprint Crawler Manager page (select Admin > Settings > Fingerprint Crawler Manager), find the new database crawler in the list, wait for its status to change to Ready, and then click Run Crawler Now.

Note: RSA recommends that you install relevant operating system language packs if you are planning to fingerprint a database with data in non-English language.

Configuring Whitelist for File Crawlers

A whitelisted file crawler prevents the whitelisted content from being considered as a match and generate a violation from known sensitive content stored in file shares, directories, and files that you specify while creating the file crawler. The fingerprinted-content blade that is created after whitelisting is sent to Enterprise Manager and Enterprise Coordinator. And, these fingerprinted content blade can be added to a policy. For an overview, see “About Whitelisting for Fingerprinted-Content Blades” on page 143.

Before you begin to configure whitelist, ensure the following: • The content that you want to whitelist must be saved as UTF 8 encoded text file. • All the files to be whitelisted must reside in the same directory. The fingerprint crawler does not traverse any subdirectories within the path mentioned in the configuration XML. • The UNC path that you specify in the whitelist configuration must be on the same domain and accessible from the Site Coordinator. • The maximum threshold of the content that you want to whitelist must be 128x20 KB. • The content that you want to whitelist must be an exact match to the content defined in a fingerprinted-content blade. Partial matches are not supported and will not be whitelisted.

Chapter 6: Defining Sensitive Content 173 RSA DLP 9.6 Network User Guide

To configure whitelisting for fingerprinted crawlers: 1. Near the top of the Fingerprint Crawler Manager page, select Global Crawler Settings. The Global Crawler Settings dialog box is displayed.

2. In the Advanced tab, provide the following XML data: file path where file path is the UNC path to the whitelist text file. 3. Click Save to save the XML data. 4. Re-run the existing fingerprint crawlers to produce updated blades that use the global crawler configuration settings. To re-run the file crawler, click the Run Now option of the updated file crawler when its status changes to Ready.

Managing Dictionaries

You can use the Dictionary Manager to create and modify dictionaries for use in described-content blades.

174 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

About Dictionaries

In RSA DLP, a dictionary is a stored list of terms and phrases. Dictionaries are used in content blades in place of, or in addition to, individual terms as identifiers of sensitive content. (See “Weight, Score, Count, and Risk Factor” on page 128.)

Dictionaries are a convenience in creating content blades, allowing you to enter a large number of terms without having to manually type them into the form. Dictionaries are a further convenience in that you can use an individual dictionary in multiple content blades. Subsequent edits of that dictionary automatically update all content blades that use it.

Viewing the List of Dictionaries

Use the Dictionary Manager page to view a list of your current dictionaries, from which you can view or edit an existing dictionary or create a new one. 1. With the Policy tab active (see, for example, Figure 10), click the Content Blades menu near the top of the page and select Dictionary Manager from the drop-down list. The Dictionary Manager page appears.

Figure 12 Dictionary Manager

The page contains two lists: • Custom Dictionaries are dictionaries created by or for your organization. Custom dictionaries might consist of organization-specific or industry-specific terms, used by a custom content blade and policy to detect the presence, transmission, or improper use of sensitive documents related to your organization or industry. Custom Dictionaries come in two types:

Chapter 6: Defining Sensitive Content 175 RSA DLP 9.6 Network User Guide

– A custom dictionary is created from within Enterprise Manager by a DLP customer or by an RSA professional, using the Dictionary Manager’s New/ Edit Dictionary page. You can use the Dictionary Manager to view or edit the content of a custom dictionary. – A reference dictionary is created outside of Enterprise Manager by an RSA professional, and then imported into Enterprise Manager using the Dictionary Manager’s New/Edit Reference Dictionary page. You can use the Dictionary Manager to view or edit basic information about a reference dictionary, and you can modify its content by uploading a replacement file. Reference dictionaries are in general created for use with custom entities (see “Managing Entities” on page 179), but you can add either type of dictionary to content blades that you create or customize. • Expert Dictionaries are dictionaries prepared by RSA Knowledge Engineering. They typically consist of industry-specific terms. For descriptions of the expert dictionaries provided with RSA DLP, see “Expert Dictionaries” in RSA DLP Policy Guide. You can add these dictionaries to content blades that you create or customize, but you cannot view or edit their content.

You add dictionaries to a content blade when you are creating or editing it; see “Creating or Editing a Described-Content Blade” on page 150.

You can take these actions on the Dictionary Manager page: • To delete any of the custom dictionaries that you have created, click the Delete icon ( ) in that dictionary’s row. • To view the contents of a custom dictionary, click its name; see “Viewing a Custom Dictionary” (next). • To create a new custom dictionary, click New Dictionary and follow instructions under “Creating or Editing a Custom Dictionary” on page 177. • To import a new reference dictionary, click (Upload) and follow instructions under “Creating or Editing a Custom Dictionary” on page 177.

176 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

Viewing a Custom Dictionary 1. On the Dictionary Manager page, click the name of the custom dictionary that you want to view. The View Dictionary page appears:

2. Note the dictionary name, description, and list of terms. 3. To edit the dictionary, click Edit and follow the instructions in “Creating or Editing a Custom Dictionary” (next).

Creating or Editing a Custom Dictionary

You use the New/Edit Dictionary page to create a new custom dictionary or edit an existing one. You reach this page by either of these methods: • Clicking New Dictionary on the Dictionary Manager page. • Clicking Edit when viewing a dictionary on the View Dictionary page.

Chapter 6: Defining Sensitive Content 177 RSA DLP 9.6 Network User Guide

Take these steps: 1. Enter (or revise) the dictionary’s display name. The name can contain letters (including accented letters), numbers, spaces, and underscores. It cannot include any of the following special characters: !@#$%^&*()+=-[]\';,./{}|\":<>? 2. Optionally add (or modify) a description of the dictionary. 3. Add (or delete or alter) dictionary words or phrases. Separate the words or phrases with commas or newlines. – The maximum number of characters you can use to specify dictionary words and phrases is 152,000. You can click the Character count button at any time to see a running count of how many characters you have used.

4. Click Save to save the new (or updated) dictionary.

Viewing a Reference Dictionary 1. On the Dictionary Manager page, click the name of the reference dictionary that you want to view. The View Reference Dictionary page appears:

2. Note the dictionary name, description, and uploaded-file name. 3. To edit the dictionary, click Edit and follow the instructions in “Importing or Editing a Reference Dictionary” (next).

Importing or Editing a Reference Dictionary

You use the New/Edit Reference Dictionary page to import a new reference dictionary or to edit an existing one. You reach this page by either of these methods: • Clicking (Upload) on the Dictionary Manager page.

178 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

• Clicking Edit when viewing a dictionary on the View Reference Dictionary page.

Take these steps: 1. Provide (or optionally edit) the display name of the reference dictionary. The name can include non-Roman characters, but cannot have any of these special characters: !@#$%^&*()+=-[]\';,./{}|":<>? 2. Optionally enter (or modify) its description. 3. If you are importing a new reference dictionary (or if you want to replace the existing dictionary file with a new one), specify the location (local or mapped on the machine from which you are accessing Enterprise Manager) of the dictionary file.

Note: Only a valid dictionary file will be uploaded. For instructions on creating reference dictionaries, contact RSA Customer Support or Professional Services.

4. Click Save to perform the upload and save the new values in the Name and Description fields.

The new (or edited) reference dictionary is now available for use in custom described-content blades, as explained in, for example, “B. Create a required rule set,” under “Creating or Editing a Described-Content Blade” on page 150.

Managing Entities

You can use the Entity Manager to create and modify entities for use in described-content blades.

Chapter 6: Defining Sensitive Content 179 RSA DLP 9.6 Network User Guide

About Entities

An entity is a generally small piece of executable code that is designed to detect a specific kind of sensitive content, such as a credit card number or government ID. Entities are more powerful than regular expressions because they can contain software algorithms that perform more than just pattern-matching.

Enterprise Manager allows you to use both built-in (expert) entities and custom entities (developed for your organization) in the content blades that you create.

Viewing the List of Entities

Use the Entity Manager page to view a list of your current entities, from which you can view or edit an existing entity or create a new one. 1. With the Policy tab active (see, for example, Figure 10 on page 144), click the Content Blades menu near the top of the page, and select Entity Manager from the drop-down list:

The Entity Manager page appears.

Figure 13 Entity Manager

180 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

The page contains two lists: • Custom Entities are entities created specifically for your organization. Custom entities are typically designed to detect organization-specific or industry-specific sensitive content. You can use Enterprise Manager to add custom entities to any content blades that you create or customize. An RSA representative can use the Entity Manager and other tools to view or edit the content of custom entities, or to create new ones. You also can use a custom entity to replace an expert entity. If you do so, the name of the replaced entity appears in the Overrides column of the custom entity description. • Expert Entities are entities created by RSA. They are typically designed to detect sensitive content in general categories, such as credit-card numbers or governmental ID numbers. See “Expert Entities” in RSA DLP Policy Guide for more detailed descriptions of all expert entities. You can use Enterprise Manager to add these entities to content blades that you create or customize, but you cannot use it to view or edit their content.

You add entities to a content blade when you are creating or editing the blade; see “Creating or Editing a Described-Content Blade” on page 150.

You can take these actions on the Entity Manager page: • To remove a custom entity that has been added to the custom-entity list, click the Delete icon ( ) in that entity’s row. • To view information about a custom entity, click the entity’s name; see “Viewing a Custom Entity” (next). • To add a new entity to the list of custom entities, or to edit a custom entity’s information, click New Entity and follow the instructions in “Importing or Editing a Custom Entity” on page 182.

Viewing a Custom Entity

You view information about a custom entity by clicking its name in the custom entity list on the Entity Manager page. The View Entity page appears:

Chapter 6: Defining Sensitive Content 181 RSA DLP 9.6 Network User Guide

The information available is the name of the entity, the name of the uploaded entity-definition file, and the name of the expert entity (if any) that this entity overrides.

To edit this information, or to re-import the compiled entity file, click Edit and follow instructions under “Importing or Editing a Custom Entity” (next).

Importing or Editing a Custom Entity

When you choose to add a new custom entity to Enterprise Manager, the New Entity page appears. When you choose to edit an existing custom entity, the Edit Entity page appears.

The pages have identical fields and controls, and nearly identical labels. 1. Provide (or optionally edit) the name of the entity. The name can include non-Roman characters, but cannot have any of these special characters: !@#$%^&*()+=-[]\';,./{}|":<>? 2. Optionally enter (or modify) its description. 3. If you are importing a new entity (or if you want to replace the existing entity file with a new one), specify the location (local or mapped on the machine from which you are accessing Enterprise Manager) of the compiled custom entity file.

Note: Only a valid, compiled entity will be uploaded. For instructions on creating custom entity files, contact RSA Customer Support or Professional Services.

182 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

4. If you want this entity to replace an existing expert entity, select an entity from the Override Expert Entity drop-down list:

The uploaded entity will replace the expert entity in all existing and future content blades that use the expert entity. On the Entity Manager page, the entry for the custom entity will note which expert entity it is overriding. 5. To remove an override, select None from the drop-down list. The custom entity is still available for use, but it no longer overrides any expert entity. 6. Click Save to perform the upload and save any new values in the Name, Description, and Override Expert Entity fields. The new (or edited) custom entity is now available for use in custom described-content blades, as explained in, for example, “B. Create a required rule set,” under “Creating or Editing a Described-Content Blade” on page 150.

Using the Regular Expression Manager

Regular expressions are powerful pattern-matching strings that you can use in a described-content blade to identify sensitive content. The Regular Expression Manager in Enterprise Manager exists to provide a storage location for regular expressions either provided by RSA or created by users in your organization.

When you create a rule for a content blade (see, for example, “B. Create a required rule set” on page 152), you can insert an existing regular expression from the Regular Expression Manager or you can create a new one. If you create a new expression, you can optionally save it into the Regular Expression Manager for later re-use in other content blades (see “D. Specify other settings” on page 155). You can also create and save an expression from the Regular Expression Manager page itself, as explained in this section.

Using the Regular Expression Manager

To view the Regular Expression Manager • With the Policy tab active, click the Content Blades menu near the top of the page and select Regular Expression Manager from the drop-down list. The Regular Expression Manager page (Figure 14) appears.

Chapter 6: Defining Sensitive Content 183 RSA DLP 9.6 Network User Guide

Figure 14 Regular Expression Manager

The regular expressions in the Regular Expression Manager are grouped into two lists: • Custom Regular Expressions. These expressions have been created by or for your organization. You can view or edit the content of these expressions, and you can add them to content blades that you create or customize. • Expert Regular Expressions. These expressions were created by RSA Knowledge Engineering. You can add them to content blades that you create or customize, but you cannot view or edit their content. You add regular expressions to a content blade when you are creating or editing it; see “Creating or Editing a Described-Content Blade” on page 150.

To delete a custom regular expression

• On the Regular Expression Manager page, click the Delete icon ( ) in that expression’s row. (Note that you are not able to delete expert regular expressions.)

To view or edit a custom regular expression 1. On the Regular Expression Manager page, click the name of the custom regular expression that you want to view.

184 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

The View Regular Expression page appears, displaying the name, description, and content of the expression.

2. To edit the expression, click Edit. The New / Edit Regular Expression page (see Figure 15 on page 186) appears. 3. Edit the expression’s fields in the same manner as when creating a new expression.

To create a new regular expression 1. On the Regular Expression Manager page, click New Regular Expression. The New / Edit Regular Expression page (Figure 15) appears. 2. Edit the expression’s fields as described in “Creating or Editing a Regular Expression” (next).

Note: You can also create a regular expression while you are creating or editing a described-content blade; see “B. Create a required rule set” on page 152 and “D. Specify other settings” on page 155.

Creating or Editing a Regular Expression

Use this page to create or edit a custom regular expression. You reach this page by clicking New Regular Expression on the Regular Expression Manager page (see Figure 14 on page 184).

Chapter 6: Defining Sensitive Content 185 RSA DLP 9.6 Network User Guide

Figure 15 New / Edit Regular Expression page

1. Enter a name (required) and a description (optional) for the expression. The name can contain letters (including accented letters), numbers, spaces, and underscores. It cannot include any of the following special characters: !@#$%^&*()+=-[]\';,./{}|\":<>? 2. Under Enter Regular Expression, type in the text of the regular expression.

Note: For help on understanding and creating regular expressions, see “Creating Regular Expressions” in RSA DLP Policy Guide.

3. To verify that the expression you have entered is syntactically valid, click Validate. An error message appears if your expression is invalid. 4. To test the expression’s capability, enter or paste into the To test the expression... field some sample text that includes text that should be matched by the expression, then click Test. Portions of the sample text that the expression matches are highlighted in yellow. 5. If necessary, revise and re-validate the expression, then re-test it until you are satisfied. 6. Click Save to save the expression to the Regular Expression Manager. (Click Cancel to close the new Regular Expression Page without saving the expression.)

186 Chapter 6: Defining Sensitive Content RSA DLP 9.6 Network User Guide

7 Setting Policies

This chapter explains how to use Enterprise Manager to set up and manage policies.

Topics: • Understanding Policies • Managing Existing Policies • Viewing a Policy • Creating or Editing a Policy • Activating or Customizing a Policy From a Template

Understanding Policies

In RSA DLP, a policy is a software reflection of your company’s regulations for protecting sensitive content. Policies capture your data security rules and the actions that should be taken when the rules are violated.

RSA provides an extensive list of pre-built templates for defining policies that meet your company’s security requirements.

Policy Structure

Structurally, a policy uses rules that locate or define sensitive documents or transmissions, defines actions that occur when the rules are violated, and specifies the notification, remediation, and escalation workflows that occur when events (policy violations) lead to incidents. Figure 16 summarizes how the parts of a policy fit into the workflow.

Chapter 7: Setting Policies 187 RSA DLP 9.6 Network User Guide

Figure 16 Policy rules and incident workflow

• The detection rules are implemented as content blades (see “About Sensitive Content and Content Blades” on page 125) attached to the policy. A content blade consists of either search criteria or fingerprints of individual sensitive documents. • The attribute rules allow for non-content-based triggering of events (policy violations)—based on, for example, transmission source or destination, file owner, or file type. • In the Endpoint product, a user’s desktop actions (such as copy and print) work in conjunction with either detection rules or attribute rules to trigger events. • The policy actions are automatically performed by a DLP product when an event occurs. They can include responses such as block, justify, and quarantine. • Incident rules define how one or more related events (depending on which DLP product is involved) can generate an incident, a higher-level issue that requires manual remediation by a security specialist. (See “Managing Incidents” on page 27). • Notification rules specify the individuals or groups to be notified when an incident is created based on the policy’s rules. • Escalation rules specify the individuals or groups that are to be notified and other actions that are to occur when an incident remains open beyond a certain amount of time.

188 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

Content Blades

The content-detection rules in a policy come from one or more content blades that the policy uses. Content blades are described in the previous chapter (see “Defining Sensitive Content” on page 125).

Content-Blade Types

RSA DLP supports two types of content blades: • Described-content blades. These content blades use keywords (terms), patterns (regular expressions), entities (software algorithms), or dictionaries (lists of terms) to find sensitive content in the text of any document. You can create your own described-content blades or obtain customized expert blades from RSA. See “Creating or Editing a Described-Content Blade” on page 150. • Fingerprinted-content blades. These content blades are unique digital digests of specific documents (or portions thereof) that your organization considers to be sensitive. You specify which documents are to be fingerprinted, and you can also specify whether to fingerprint database information as well as files. See “Creating or Editing a Fingerprinted-Content Blade” on page 158. When you create a policy, you choose which content blades to include in the policy, based on the kind of sensitive content that the policy addresses. An individual policy can include both kinds of blade.

Combining Content Blades in a Policy

The Content Blade Manager allows you to add multiple content blades to a single policy, and lets you specify how the blades are to be used, alone or in conjunction with the other blades in the policy.

Logical operators Each individual blade has an AND, OR, or NOT logical operator assigned to it. The operators have the following meanings: • AND. In general, the content detected by this blade and the previous blade in the list must be found for an event to occur. (An exception is an AND on the first blade in the list. In that position the operator is not evaluated.) •OR. In general, either the content detected by this blade or the previous blade in the list is sufficient to trigger an event. (An exception is an OR on the first blade in the list. In that position the operator is not evaluated.) •NOT. The content detected by this blade must not be found for an event to occur.

Chapter 7: Setting Policies 189 RSA DLP 9.6 Network User Guide

This is the evaluation logic used in interpreting the blade list: • The NOT operator assigned to a blade is unary; it applies only to the blade to which it is assigned. • AND and OR operators are binary, and relate their assigned blade (or logical set of blades that it is part of) to the immediately previous (higher in the list) blade or set of blades. • To determine the order of the operations, OR sets have the highest precedence and are evaluated first, followed by ANDs. NOTs have the lowest precedence, are evaluated last, and always function as AND NOT. Note that these precedence rules mean that it is possible to have OR expressions nested within ANDs, but it is not possible to have AND expressions nested within ORs.

Examples • Given the above rules, creating a blade list like this: OR Credit Card OR Social Security AND Company Confidential OR Contracts NOT EU IBAN is equivalent to writing the following logical expression:

((Credit Card OR Social Security) AND (Company Confidential OR Contracts)) AND (NOT EU IBAN)

• Changing the position of one of the blades, like this (for Company Confidential): OR Credit Card AND Company Confidential OR Social Security OR Contracts NOT EU IBAN makes it equivalent to a slightly different expression:

(Credit Card AND (Company Confidential OR Social Security OR Contracts)) AND (NOT EU IBAN) (Note that the operator on the first blade in a list is ignored, unless it is a NOT.)

• Changing one OR to an AND, like this (for Contracts): OR Credit Card AND Company Confidential OR Social Security AND Contracts NOT EU IBAN makes it equivalent to yet a different expression:

(Credit Card AND (Company Confidential OR Social Security) AND Contracts) AND (NOT EU IBAN)

190 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

• Changing the position of a NOT blade, like this (for EU IBANK): OR Credit Card AND Company Confidential NOT EU IBAN OR Social Security AND Contracts makes no change to the equivalent expression. All NOTs are evaluated as if they were at the end of the expression.

Product-Specific Attributes and Incident Rules

If a policy is used by more than one DLP product, portions of it (such as the attribute rules and incident rules) are different for each product that it applies to. For example: • For the Network product, the attribute rules include transmission characteristics such as network protocol, and one event (every event) leads to the creation of one incident. • For the Endpoint product, the attribute rules include user actions such as Copy to USB drive, and a minimum number of events must occur within a specified period of time for an incident to be created. • For the Datacenter product, there are file-date attribute rules, and either all events on a single computer are considered an incident, or all events belonging to a single user are considered an incident.

Detecting Encrypted Files

You can configure a DLP policy to create an event whenever an encrypted message or file is encountered. The encrypted message or file is detected and reported, but it is not decrypted, and its content cannot be extracted or analyzed. Content blades in the policy have no effect because no content analysis can be done on encrypted content.

Password-protected files are also detected and classified as encrypted. An exception to this behavior occurs with password-protected PST files that are not also encrypted. Password-protected PST files that are not encrypted are analyzed for sensitive content just like unprotected PST files.

To enable this detection, you select File is encrypted in the File Attributes dialog box on the Network, Endpoint, or Datacenter tab of the New/Edit Policy page.

Chapter 7: Setting Policies 191 RSA DLP 9.6 Network User Guide

RSA DLP supports detection of the encrypted and password-protected file types listed in Table 1. Files of these types encountered during a scan are reported on and counted as not scanned if a scan group’s Log Files Not Scanned checkbox is selected.

Table 1 Detectable encrypted and password-protected file types

Encrypted Password-protected

EFS (NTFS) encrypted files PST Note: Supported by DLP Datacenter only. (Microsoft Outlook Personal Folders files)

AES encrypted files: Microsoft Access AES Multiplus Comm

PGP encrypted files: Microsoft Word ASCII-armored PGP encoded ASCII-armored PGP signed Microsoft Excel ASCII-armored PGP Public Keyring Open PGP (new format packets) Microsoft PowerPoint 2007 PGP Compressed Data PGP Encrypted Data Zip PGP Public Keyring PGP Secret Keyring PGP Signature Certificate PGP Signed and Encrypted Data PGP Signed Data

192 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

Managing Existing Policies

If you have the “Manage Policies” privilege, you can create and administer policies. To do that, you need to access the Policy Manager page.

To use the Policy Manager page

In Enterprise Manager, click the Policy tab. The Policy Manager page appears.

Links

Policy list

Policy name Policy types Enabled/disabled Delete and description (Network, Endpoint, Datacenter) state of policy policy

The page lists the current policies and includes links to view or change the state of the policies. The pages also includes links to create policies or content blades.

You can manipulate the policy list itself or create new policies or content blades, as described in this section.

To view the contents of individual policies, see “Viewing a Policy” on page 196.

Note: The order in which policies appear on this page is important. In use, each document or transmission is analyzed for each policy in order (from the top of the list). The policy reported as being violated is the first policy that matched, regardless of whether other policies also matched. Put your most important policies highest in the list; see “To re-order the list of policies”.

Chapter 7: Setting Policies 193 RSA DLP 9.6 Network User Guide

If there are any problems with a policy, a warning icon ( ) appears next to the policy name, and a corresponding warning message appears at the top of the list. For example, a warning appears if one of your current policies has one or more disabled Content Blades associated with it. In this case, go to the Content Blade Manager and enable the Content Blade(s). See “To enable or disable a content blade” on page 145.

To re-order the list of policies 1. Click in the row of the policy that you want to move, then drag the policy to a position just above (if you are dragging upward) or below (if you are dragging downward) the policy whose position you want it to replace. As soon as you have made any position changes, an alert and the Save Policy Order button appear at the top of the list. 2. When you have finished re-ordering, click Save Policy Order to commit your changes. If you do not click Save Policy Order, your re-ordering will be lost when you leave the Policy Manager page.

To enable or disable a policy

To change the enabled/disabled state of a policy, do one of the following: • Change the enabled/disabled state from the Policy Manager: a. On the Policy Manager page, click the Enabled/Disabled link of the policy whose state you want to change. A dropdown menu appears.

b. Click the state you want the policy to be in, either Enabled of Disabled. • Change the enabled/disabled state from the policy page: a. Click the underlined policy name to view the policy. b. On the Policy page, click Edit to make the policy fields editable. c. Change the state of the policy, as described in “Access the Policy page” on page 197. d. Save the changed policy, as described in “Save the Policy” on page 215.

194 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

To delete a policy

1. Click the Delete icon ( ) in the policy’s row. A confirmation dialog appears. 2. If you click OK, the policy is removed from the policy list and can no longer be used in any content analysis.

Note: If you delete a policy that was activated from the Policy Template Library, only your activated instance is deleted. The original policy remains in the library, available for re-activation. If you delete a policy that has triggered any current events or incidents, those events and incidents are removed from the Enterprise Manager and will not appear in any reports or the results of any searches. The incidents and events are however, not removed from the enterprise database. For removing incidents and events from the database, see “Purging Events and Incidents” on page 266.

To view or edit a policy

In the policy list, click the name of the policy that you want to view or edit. The Policy page appears; see “Viewing a Policy” on page 196.

To activate a policy from the Policy Template Library 1. Click or hover over New Policy at the top of the policy list (or Policies at the very top of the Policy Manager page). 2. Select Use Policy Template (or Policy Template Library) from the drop-down menu. The Policy Template Library appears; see “Activating or Customizing a Policy From a Template” on page 215.

To create a new policy from a blank form 1. Click or hover over New Policy at the top of the policy list (or Policies at the very top of the Policy Manager page). 2. Select New blank policy (or New Policy) from the drop-down menu. The New / Edit Policy page appears; see “Creating or Editing a Policy” on page 197.

To create or manage content blades

Do one of the following: • Click Content Blades at the very top of the Policy Manager page (or hover over Content Blades and select Content Blade Manager from the drop-down menu). The Content Blade Manager page appears; see “Managing Existing Content Blades” on page 144. • Hover over Content Blades at the very top of the Policy Manager page and select New Described Content Blade from the drop-down menu. The New / Edit Described Content page appears; see “Creating or Editing a Described-Content Blade” on page 150.

Chapter 7: Setting Policies 195 RSA DLP 9.6 Network User Guide

To create or edit a regular expression

Hover over Content Blades at the very top of the Policy Manager page and select Regular Expression Manager from the drop-down menu. The Regular Expression Manager appears; see “Using the Regular Expression Manager” on page 183.

To create or edit a dictionary

Hover over Content Blades at the very top of the Policy Manager page and select Dictionary Manager from the drop-down menu. The Dictionary Manager appears; see “Managing Dictionaries” on page 174.

Viewing a Policy

If you click the name of a policy in the policy list on the Policy Manager page, the Policy page appears, allowing you to view or edit that policy’s settings.

1. Note the policy’s name, description, content blades, and rule sets. If desired, click the Network, Endpoint, or Datacenter tab to view product-specific settings. 2. To quickly enable/disable the policy, click the toggle button ( ) on the top menu. This is functionally equivalent to making the policy editable (see “Creating or Editing a Policy”, next), then setting the enable state. 3. To edit the policy, click Edit. The New / Edit Policy page appears, displaying the same information but with editable fields and active controls. 4. Edit the policy’s fields as described in “Creating or Editing a Policy”.

196 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

Creating or Editing a Policy

Use the New Policy page to create a policy from a blank form or use the Policy Manage page to edit an existing policy.

Task Reference

1. Access the Policy page. “Access the Policy page” on page 197

2. Fill in policy summary. “Fill in the policy summary” on page 197

3. Specify content blades. “Specify content blades” on page 198

4. Set the severity levels. “Set the severity scale” on page 200

5. Create product-specific rules. “Create Network-specific rules” on page 201

6. Save the policy. “Save the Policy” on page 215

Access the Policy page

Type of policy Action

New Select Policies > Policies > New Policy

Existing Select Policies > Policies > Policy Manager

Fill in the policy summary 1. Enter or edit the policy’s name. The name displays in the Policy List. 2. (Optional) Provide a text description of the policy. The description displays in the Policy List. 3. Set the state of the policy in the This policy is area. – Enabled (default). When you click Save, the policy is immediately enabled for use in all content analysis. –Disabled. When you click Save, the policy appears in the Policy list but is not used in content analysis until enabled.

Note: This setting applies to the policy as a whole; you must separately enable/disable the Endpoint/Network/Datacenter portions of it. A small icon displays for each product for which the policy is enabled.

Chapter 7: Setting Policies 197 RSA DLP 9.6 Network User Guide

= Network = Endpoint = Datacenter

4. Optional—Select the checkbox Log access to matched content (by default it is unchecked) to track the viewing of sensitive data by users of Enterprise Manager as they perform tasks while using the program. Log Access to Matched Content Enterprise Manager can log information when a user views matched content for a specific policy on the Incidents or Events page, downloads a file from the Event List page, or accesses a Quarantine Self Release page. You can download the logs from the Audit Records page.

Specify content blades

The Content Blades table (initially empty) lists the content blades that this policy uses for content analysis.

Before You Start

Enable the blade groups you want to use. See “To enable or disable a content blade” on page 145.

198 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

To add or modify content blades used: 1. Click Select blades to display Content Blades dialog box.

2. Select one or more tasks from the following table. Task Action

Include the blade in the Select the blade group’s checkbox. policy.

Remove the blade groups Unselect their checkboxes. from the policy.

Create a new content blade. Click New Described Content Blade and follow the instructions in “Creating or Editing a Described-Content Blade” on page 150”

3. Click Save. 4. Specify how each blade should be logically applied:

– Click the link beside each blade and select its logical type from the drop-down list:

Chapter 7: Setting Policies 199 RSA DLP 9.6 Network User Guide

• and—must be matched • or—one of a group that must have a match • not—must not be matched. – Click-drag any blades up or down to change their positions in the list. This action changes how the logical grouping occurs.

Set the severity scale

Use the Event Severity Scale to adjust the severity of events and incidents based on this policy.

Event Severity Scale provides five severity levels—Ignore, Low, Medium, High, Critical.

Depending on your requirements, do one of the following: • Click and drag the sliders left or right. The four sliders divide the colored bar into five severities, related to two scales: – The Risk Factor scale (0-100) defines severity ranges in terms of risk factor. – The Count scale (0-1000+) define severity ranges in terms of number of matches. • Enter the match count values in the severity text boxes.

For more information about risk factor and match count, see “Weight, Score, Count, and Risk Factor” on page 128.

To restore the slider settings to their original values, click Reset to Default.

200 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

Create Network-specific rules

Task Reference

Access the network tab. “1. Access the Network tab” on page 201

Set the enabled state. “2. Set the policy state” on page 201

Set up policy-violation “3. Set up policy-violation rules” on page 202 rules.

Specify incident-handling “4. Specify incident-handling rules” on page 211 rules.

Specify notification and “5. Specify notification and escalation rules” on page 212 escalation rules. 1. Access the Network tab

Procedure

Select Policies > Policies > Policy Manager > New Policy [existing policy] > Network: •RSA DLP to open a DLP policy that works with the RSA DLP Network product. • Partner, where Partner is the name of a partner device, to open a DLP policy intended to work with the partner device.

Note: You use the Partner option when Enterprise Manager controls the DLP features on a partner device. For more information, see “Managing DLP Policies for a Partner Device” on page 347.

2. Set the policy state

Procedure

Select the desired state of the Network version of this policy: – Enabled. When you click Save, the Network portion of this policy will be immediately enabled and will be used in all content analysis for DLP Network.

Note: You must also enable the Policy as a whole enabled.

–Disabled. When you click Save, this policy will appear in the Policy list, but will not be used in content analysis for DLP Network.

Chapter 7: Setting Policies 201 RSA DLP 9.6 Network User Guide

Important: If you want this policy to apply only to the Network product, be sure that the portions that apply to the other DLP products are disabled. Otherwise, the policy will be enabled for those products, using whatever default values are defined.

3. Set up policy-violation rules

Procedure

Task Reference

1. Specify the “Specify the transmission sender” on transmission sender. page 202

2. Create detection rules. “Create the detection rules” on page 204

3. Specify policy action. “Specify the policy action” on page 210

Specify the transmission sender You can set up rules that apply to transmission senders, users whose actions this policy examines. These rules apply to senders (email FROM field) only.

To set up transmission rules: 1. Click All Users.

202 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

The Select from Directory dialog box displays.

2. Use either the Browse tab or Search tab to select the users or groups. –Browse tab • Use the checkboxes to select the users or groups to whom you want this rule to apply.

• Click the right-arrow button ( ) to move your selection into the Include box.

• Use the left-arrow button ( ) to remove selected groups from the Include box.) –Search tab

a. In the Filter field, enter a query in standard LDAP search filter format. See “Save the Policy” on page 215.

b. In the Server field, select one of the following: • All to include all LDAP server configurations defined in Enterprise Manager • the configuration of the individual LDAP server that you want to search.

Chapter 7: Setting Policies 203 RSA DLP 9.6 Network User Guide

c. Click Search. The groups that meet your criteria are displayed. 3. Click Save.

Create the detection rules

Detection rules restrict what DLP Network considers an event, a violation, of this policy. These rules help you narrow the scope of violations you want to detect to make your policy most effective with the least amount of intrusion. 1. Configure the Protocol detection rule.

Note: The protocol detection rule cannot be deleted.

a. Click the link (by default Any Protocol) to specify what protocols are monitored. The Protocols Monitored dialog box appears. b. Select the subset of all supported transmission protocols that your company wants to monitor.

c. Click Save.

2. Optional—Click the Add button ( ) below the detection rule if you want to add another detection rule.

204 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

You can create one each of the following three types of rules: File Attributes, Transmission, and Device: – File Attributes Use this option to specify the attributes of files on which you want DLP Network to take action. i. From the drop-down box, select File Attributes. ii. Click the link (by default Any File Attribute). The Files Attributes dialog box opens. iii. Select the attributes you want to flag for your policy. See Table 2 on page 206 for file attribute field descriptions.

Note: Multiple file attributes are combined. For example, if you specify the following attributes: Document Type = Word Processor, File Extension = .bak, True File Type = .doc, DLP Network would consider as violations of policy all word processor documents with extensions of .bak but that are actually Microsoft Word documents.

iv. Click Save.

Chapter 7: Setting Policies 205 RSA DLP 9.6 Network User Guide

Table 2 File Attributes Descriptions and References

File Attributes Field Description Reference

Document type is The type of document that DLP See “Categorized File Formats (for Network will consider a violation. Policy Rules)” on page 368 for a complete list of supported document types for each category. Examples of document types are animation, database, word processor.

File extension is A comma-separated list of file See “Supported File Formats (for Text extensions. Only files with these Extraction)” on page 355 for listings extensions can be considered of all supported file extensions. violations.

True file type is A comma-separated list of file See “Supported File Formats (for Text extensions that represent a file’s Extraction)” on page 355 for listings underlying file type. of all supported file extensions. You can consider the true file type to be the extension a file “should have” as determined by the text extraction process. For example, if a user deliberately changes the extension of a Microsoft Excel file to anything other than .xls, a policy that monitors for files with a true file type of .xls will catch the altered file. Also, the true file type can cover closely related files—for example, a file with actual extension .bak (a Microsoft Word backup file) will be caught by a policy that monitors for files with a true file type of .doc.

Include files without Files that have no extensions. extensions

File size is  Files that are larger than or equal to the size specified.

File is encrypted Encrypted files. See “Detecting Encrypted Files” on page 191. – Transmission Attributes To specify that only messages with specific transmission attributes can be violations: i. From the drop-down box, select Transmission Attributes ii. Click the link (by default Any Transmission Attribute). The Transmission Attributes dialog box opens.

206 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

iii. Select the type of transmission attribute you want. See Table 3 for a description of the transmission Attributes fields. Example: If you specify [email protected] in the From Sender field and select is, a violation can occur if [email protected] is the sender of a monitored message. If you instead select is not, a violation can occur only if the sender is not [email protected].

Note: The ActiveSync feature that monitors mobile device traffic works only with the From IP/To IP, URL, and To Device Type/ From Device Type transmission attributes and only on downloads to the monitored mobile device.

iv. Optional—Use a comma-separated list to add more than one entry for each attribute.

Note: Each of these fields has a maximum 3000 characters limit.

v. Click Save.

Chapter 7: Setting Policies 207 RSA DLP 9.6 Network User Guide

Table 3 Transmission Attributes

Transmission Attributes Description

From Sender/To Recipient Exact email address or a partial email address with wildcard characters to monitor anything coming from this sender or going to this recipient. For example: [email protected], *@acme.com

To Group Click Select Group(s) from Directory to display the LDAP Group selector window. This option allows you to set policies for groups of recipients. If you select is and select one or more groups from the LDAP directory, a violation can occur if a member of the group or groups is a recipient. See “Understanding How Policies are Applied to Groups of Senders and Recipients” in the Guide to RSA DLP for Internal E-mail for more information.

From IP/To IP Exact IP address or a range of IP addresses (separated by a forward slash) to monitor anything coming from or going to this IP address or anything downloaded from the IP address to a mobile device monitored with the ActiveSync feature. Enter the IP address in either IPv4 or IPv6 format. For example: IPv4: 10.5.195.18/24,10.5.195.50 IPv6: 2001:0DB8:0000:0001:0008:0800:200C:417A

208 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

Table 3 Transmission Attributes

Transmission Attributes Description

From Host/To Host Enter an exact or partial host name with wildcard characters to monitor anything coming from or going to a specific domain. For example: www.rsa.com, *@rsa.com, www.rsa.com.*

URL Enter an exact URL or a partial URL with wildcard characters to monitor anything going to a specific URL or directory, or anything downloaded from the URL or directory to a mobile device monitored with the ActiveSync feature.

To Device Type/ From Allows you to monitor incoming and outgoing Device Type HTTP traffic or outgoing ActiveSync traffic. • Select From to monitor sensitive content from a device in the organization to outside the organization. • Select To to monitor sensitive content leaving the organization to a device.

Note: The To selection applies to the ICAP server operating in RESPONSE MOD mode for Outlook Web Access, SharePoint, and ActiveSync, and to the Sensor with GET HTTP Response turned on.

Enter a device type, such as iPad, iPhone. Examples: • Select From and enter Mobile:* to monitor all HTTP traffic coming from mobile devices. • Select From and enter *iPad* or Mobile:*iPad to monitor all HTTP traffic coming from an iPad. • Select To and enter *iPad* or Mobile:*iPad* to monitor all ActiveSync traffic going to a iPad. • Select From and enter Desktop*linux* to monitor all HTTP traffic coming from an Linux Desktop.

Important: If you want to monitor mobile traffic, you should put Mobile:* as a prefix to avoid false positives.

Chapter 7: Setting Policies 209 RSA DLP 9.6 Network User Guide

–Device Use option to specify that only messages detected by any NW managed device, such as a named sensor, can be violations. For example, one sensor may be configured to monitor incoming mail, another to monitor outgoing mail, and you can write different policy for each sensor. To specify that only messages detected by certain devices are violations: i. Select Device from the drop-down box. ii. Click the link (by default Any Device). The Devices selection box appears with a list of the configured network devices:

iii. Select the network devices that you want to detect violations. iv. Click Save to save your selections.

Specify the policy action Specify one or more policy actions (automatic remediations) to take if the set of detection rules just defined is matched (and any of this policy’s content blades also match), and therefore an event occurs. You can specify different actions for different event severities.

To specify the policy action: 1. Select Any (the default), Low, Medium, High, or Critical. If the event severity is at or above the severity you have chosen, the action that you specify next will occur. 2. Use the drop-down list to choose an action – Allow – Audit Only – Encrypt & Audit – Quarantine & Audit – Block & Audit.

3. Optional—Click the Add button ( ) below the severity level if you want to specify that a different action for a different severity level.

210 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

4. Optional—Repeat step 3 as necessary. Create as many Severity-Action rules as needed. You might, for example, want to have a rule whereby Action is Audit Only if Severity = Medium or greater, but Action is Quarantine & Audit if Severity = High or greater:

5. Click New Rule and repeat steps 1-4 to create an additional policy-violation rule.

4. Specify incident-handling rules

In this section, you specify rules that define how incidents are generated from events and how those incidents are managed.

Note: In the Network product, each incident is based on a single event, and every event leads to the creation of an incident.

Chapter 7: Setting Policies 211 RSA DLP 9.6 Network User Guide

Table 4 Incident-Handling Rules

Field Description

Assign incident to Indicates whether an individual user or a group should be given ownership of incidents created as a result of violations of this policy. Choose the specific user or group from the drop-down list. If you want to choose a user from the LDAP directory, select Select User from directory.

Notify assignee(s) Checkbox if you want the owner to be notified by email when the incident is created.

Set incident severity to Specify a single severity level that all incidents created from violations of this policy are to have— or select the use event severity box to specify that the incident severity is to be equal to the severity of the event on which the incident is based.

Close incident if severity Select the checkbox and choose a threshold severity is from the drop-down list. (Default = Any.) If you do this, any incident whose severity is at or below your specified level will be created in an already-closed state. This will save analysts the effort of manually closing low-severity incidents.

5. Specify notification and escalation rules

These rules specify who gets notified when an incident occurs and how escalation of unresolved incidents happens. To specify notification rules: 1. Select a severity level from the if incident severity  link (default value = Any).

2. Select the user(s) and/or group that should be notified when an incident based on this policy is created. – Notify sender (if known). The sender of the message that contained the violations. If the message uses a protocol where the sender’s email address is unknown (FTP, IM, HTTP, and so on), DLP Network attempts to retrieve a valid user email from LDAP. – Notify sender’s manager (if known). The immediate manager of the sender of the message that contained the violations.

212 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

Note: The sender and the sender’s manager’s email addresses can only be retrieved from LDAP if the DLP Network IP Mapper service is installed. See the RSA DLP Network Deployment Guide for details.

– Notify this person and/or this group. A DLP user, a specific user selected from LDAP, or a DLP group. i. Click select next to Notify person and/or group. The Notify Person and/or Group dialog box is displayed.

ii. Select either User or DLP Group. If you select User, select between a DLP user or a user selected from the LDAP directory. iii. Click Save.

3. Optional. Click the Add button ( ) to create additional notification rules to apply other severities or to notify other people or groups.

4. Select one or more of the following checkboxes: – Enable self release of quarantined emails. Leave this enabled if you want senders of emails that were discovered to be in violation of this policy to acknowledge that they approve the content of the email, and either release or discard it. In either case, an incident is created. If the system has been configured to allow self-release of quarantined emails by the sender, this option is selected by default (see “Setting Preferences” on page 291 for details). To disable it specifically for this policy, uncheck this box. – Notify the sender immediately if the email is quarantined or blocked. Select this if the sender should be notified immediately whenever a message is quarantined or blocked because of a violation of this policy.

Chapter 7: Setting Policies 213 RSA DLP 9.6 Network User Guide

– Notify the sender if the email remains quarantined after. Select this and enter a time in hours or days, after which—if a message has been quarantined—the sender is notified.

– Quarantined emails expire after. Use these boxes to specify the number of hours or days after which quarantined emails will expire. – Upon expiration, notify sender and. Use this field to specify how quarantined emails should be expired: select either Release (sent to the intended recipient) or Discard. When the expiration occurs, the sender of the expired email is notified. 5. For If incident is open for, enter a time in hours or days, after which—if the incident is not yet closed —another notification is sent out.

6. Select any of the following recipients to be notified or actions to be taken when the specified time elapses: – Notify assignee. The incident owner. – Notify assignee’s manager. The immediate manager of the incident owner. – Notify this person and/or this group. A DLP user, a specific user selected from LDAP, or a DLP group. i. Click select next to Notify person and/or group. The Notify Person and/or Group dialog box is displayed.

214 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

ii. Select either User or DLP Group. If you select User, select between a DLP user or a user selected from the LDAP directory. For more information about selecting user from the LDAP directory, see “Selecting Users and Machines from an LDAP Directory for DLP Operations” on page 379. iii. Click Save. – Increase severity. Increase the severity of the incident by one step. 7. (Optional) Enter a name, and click Save Notification rule. Saves the notification/escalation rule set for later retrieval from the pre-defined notification rule set drop-down menu, enter a name, and click Save notification rule.

Save the Policy Click Save in the top or bottom toolbar.

The new or edited policy appears in the policy list on the Policy Manager page.

Activating or Customizing a Policy From a Template

Instead of creating a new policy from a blank form, you may be able to save time and effort by simply activating a policy template, or by customizing it to fit your organization’s content-security requirements. RSA DLP provides you with dozens of policy templates available for activation or customization.

A policy template is a fully implemented DLP policy with content blades and policy rules in place. In many cases you can activate it and use it as it is, or you can customize any of its information or rules, just as if it were a policy that you created from scratch.

Note: Some policy templates, such as those that address organization-specific intellectual property or confidential documents, cannot be activated until you have customized them to meet your security needs.

To view the Policy Template Library 1. In Enterprise Manager, click the Policy tab if necessary to bring it to the front. 2. Do one of the following: – Click or hover over Policies near the top of the page, then select Policy Template Library from the drop-down menu. – If the Policy Manager page is displayed, click or hover over New Policy, then select Use policy template from the drop-down menu.

Chapter 7: Setting Policies 215 RSA DLP 9.6 Network User Guide

The Policy Template Library page appears.

The library is a list of groups or categories of templates. Note that you can change the grouping by clicking any of the buttons along the top of the list. 3. To view information about individual policies, click the group name. The display changes to list the policy templates in that group.

For each policy template, you can view • Its name and description.

• Icons for each DLP product ( = Network, = Endpoint, = Datacenter) that a policy created from this template could support. • A control for activating the policy from the template. • A control for customizing the policy.

Note: For more detailed information on any of the policy templates, see “Expert Policies” in RSA DLP Policy Guide.

216 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

To activate a policy template:

When you activate a policy template, you are creating a policy, visible on the Policy Manager page, that is a copy of the template. Do the following: 1. Display the desired template in the Policy Template Library. 2. Click Activate. A pop-up appears that allows you to choose which products to enable the policy for:

3. Use the checkboxes to select the product(s), then click Activate Now. A copy of the template is created and added to the policy list on the Policy Manager page. From there you can view, disable, or edit the policy.

Note: The original template remains unchanged and available in the Policy Template Library.

To customize a policy template 1. Display the desired template in the Policy Template Library. See “To view the Policy Template Library” on page 215. 2. Click Customize or click the name of the policy. The New Policy / Edit Policy page appears, with the information for the selected template displayed in editable fields.

Chapter 7: Setting Policies 217 RSA DLP 9.6 Network User Guide

3. Optionally give the policy a new name, and edit any of its fields as if you were creating the policy without using a template. For more information, see “Creating or Editing a Policy” on page 197. 4. When you are ready to save your customized policy, click Save. The policy is created and added to the policy list on the Policy Manager page. From that page, you can view, disable, or further edit the policy. The original template remains unchanged in the Policy Template Library.

218 Chapter 7: Setting Policies RSA DLP 9.6 Network User Guide

8 Administering Your DLP Installation

You can use Enterprise Manager’s Admin tab to manage roles, groups, and user accounts, to set up incident notifications, view system information and status, and various other administrative functions.

Topics: • Viewing DLP Status Overviews • Managing Roles and Permissions • Setting Up Groups and Users • Managing User Credentials • Configuring LDAP Integration • Configuring SIEM Integration • System Alerts Configuration • Managing Notifications and Messages • Advanced Administrative Options

Chapter 8: Administering Your DLP Installation 219 RSA DLP 9.6 Network User Guide

Viewing DLP Status Overviews

When you click the Admin tab in Enterprise Manager, RSA Data Loss Prevention - Device Status page appears displaying the overview information about RSA DLP products that are active in your organization. This is the default Admin tab view page. If you navigate away from this page, you can return to it by selecting Status Overview under the Admin tab.

Network Status Overview

This section of the Status Overview page displays status information about the Network Controller and other managed devices in your DLP Network deployment.

For DLP Network, the DLP Status Overview page shows the following information: • Device Name. A list of all Network devices (Network Controller plus all managed devices) by name or IP address. You can click on the name or IP address of any device to open the configuration page of that device. See Chapter 9, “Administering DLP Network” on page 295 for details. • Device Type. The type of the device: Controller, Sensor, ICAP server, or Interceptor. • Status. The status of each device. The status can be:

220 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

–Up ( ). This device is up and running. –Down ( ). This device is not running. – Warning ( ). This device is running, but one or more of its processes has stopped running. – Details: Click this link to view details about the status of this device on the Device Status Details page. See “Viewing Network Device Status Details” on page 299 for a description of that page. • Up Since. The date and time this device was last started. •Up Time. The time that has passed since the device was last down. • Software Version. The RSA DLP software version running on this device. • Statistics. Click the View Statistics link to view statistical data about this device. Statistics are available for all managed devices, but not for the Network Controller. See “Viewing Network Statistics” on page 320 for details. •Logs. In the Network Controller row, click the Logs link to download a zip file (NetworkLogs.zip) of the DLP Network logs to your machine. The logs in the zip file include the Network Controller log files (messages-IDNumber.log), possibly a backup-service log file (backup.log), and XML configuration files for the managed devices.

Enterprise Manager

For Enterprise Manager, the DLP Status page includes links to the following log files:

• Application Log. This file (em.log) records messages from the Enterprise Manager application. To view the file, click the Application Log link and choose to either directly view the log or to save the file to your machine. • System Alerts Log. This file (alert.log) records all system alerts sent by Enterprise Manager (see “System Alerts Configuration” on page 254). To view the file, click the System Alerts Log link and choose to either directly view the log or save the log file to your machine. See “DLP System Alerts” on page 373 for a list of common system alert messages.

Managing Roles and Permissions

Every user of Enterprise Manager is assigned, through group membership, one or more roles. A role is a collection of permissions that define what parts of Enterprise Manager the user can see and what DLP tasks the user can perform.

Example Roles

Enterprise Manager comes with one default role—Admin Role—already defined. That role has full permissions to access all areas of Enterprise Manager and manage all aspects of all DLP products. Admin Role cannot be altered or deleted.

Chapter 8: Administering Your DLP Installation 221 RSA DLP 9.6 Network User Guide

If your own role includes sufficient privileges, you can create additional roles and thereby implement categories of DLP users. For example, you might create roles such as the following: • Executive. This role might include permissions to view the Dashboard, generate reports, and view (but not act on) incidents, for the purpose of assessing overall corporate risk and tracking trends in the risk level across the organization. • Incident Reviewer. This role might be filled by a number of people across the organization. An incident reviewer might be a domain expert or department manager who is in a position to understand the context of an incident involving transmissions, user actions, or documents related to his or her department or technical area. Incident reviewers see and remediate incidents of those policies for which they have incident permissions. • Security Specialist. This role might include permissions to view and modify incidents, view events, and generate reports, for the purpose of evaluating data-security risk and investigating incidents of policy violation. This role might also include permissions to use or view user credentials that are created for Datacenter. Security Specialists are the first responders in monitoring and remediating DLP incidents. A security specialist can see and review all incidents that come in, and might personally handle a given incident or assign it to an Incident Reviewer. You might create product-specific versions of this role to allow certain users to remediate only Network incidents or only Endpoint incidents, for example. • Compliance Manager. This role is similar to Security Specialist, but with increased capabilities and responsibilities. In practice, a Compliance Officer might direct the work of one or more Security Specialists. The Compliance Officer role adds the permission to view matched (sensitive) content in incidents and events. Restricting this permission to Compliance Officers (and Policy Managers) minimizes the number of people that have direct access to sensitive data. Also, a Compliance Officer can view the audit history of the DLP installation. • Policy Designer. This role might include full permissions to view, create, and delete content blades and policies. A policy designer creates and tests policies before they are enabled, and thus has permissions to view complete information, including matched content, on the events and incidents generated from those policies during testing. Once a policy is enabled in production, the Policy Designer will no longer have access to its content or to the events and incidents generated from it. However, if the policy subsequently needs revision or debugging, the DLP Administrator may temporarily give the Policy Designer full access to that policy and its incidents. • Policy Manager. This role is similar to Policy Designer, but with increased capabilities and responsibilities. In practice, a Policy Manager might direct the work of one or more Policy Designers. This role adds permissions to enable or disable all policies, to read the content of all incidents and events (and matched content), and to create policy-related reports.

222 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

• ProductName Administrator.These roles (one per DLP product) might include permissions to add, configure, and delete devices (such as Network Sensors) or software controllers (such as Datacenter Site Coordinators), to view product status, and to modify notification templates. The ProductName Administrator can start and stop monitoring activities, generate reports related to the product, and read the policy list and incident list. Additionally, the Datacenter administrator might include permissions to create, update, and delete the user credentials that are used to configure Datacenter components. To give one user administrative privileges over all DLP products, you could assign all three ProductName Administrator roles to that person. •DLP Administrator. This role might include permissions to perform all DLP activities that are not specific to any one product or related to policies. A DLP Administrator can create roles, users, and groups, create LDAP configurations, modify notification templates, configure the email server, delete imported reports, bulk-delete incidents, and read product status, and view the policy list and incident list. By default, this role has permissions to create, use, or delete user credentials used for Datacenter.

Your organization might have reasons for devising different roles from these. Also, depending on the size and needs of your organization, individual users might— through membership in more than one group—have more than one role. For instance (using the above example roles), someone with a Compliance Officer role might also be a Policy Manager. Or, a Compliance Officer might function without need for any Security Specialists, and a Policy Manager might function without need for any Policy Designers.

See Table 5 on page 231 for details of permission assignments for these example roles.

Viewing the List of Roles 1. With the Enterprise Manager Admin tab active, click Users & Groups > Roles & Permissions. The Roles page appears. The left side of the page is a list of all currently-defined roles. The right side of the page displays details of the role that is highlighted on the left. By default the right side of the page displays the details of the Admin Role.

Chapter 8: Administering Your DLP Installation 223 RSA DLP 9.6 Network User Guide

Note: The only role that is defined by default is Admin Role.

2. To view the details of a particular role, click its name in the list on the left, see “Viewing a Role” (next). 3. To delete a role that you have defined, click its name in the list on the left, then click Delete ( ) in the View Role panel on the right.

Note: You cannot delete the predefined Admin Role.

4. To create a new role, click New Role above the list of roles; The New/Edit Role page appears; see “Creating or Editing a Role” on page 225.

Viewing a Role 1. Open the View Role panel in one of the following ways: – Clicking the name of a role on the left side of the Roles page. – Clicking the name of a role when viewing the role assignments of a group in the DLP Group panel.

224 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

The View Role panel appears.

2. Note the Role Name and Description. Permissions are expressed through sets of checkboxes displayed on the tabs. All checkboxes are grayed because this view is not editable. 3. To change any of the settings (and if your permissions allow it), click Edit (). The checkboxes of the role become editable; select or clear any of them and save your changes as described in “Creating or Editing a Role” (next).

4. To delete the role, click Delete ( ). Note that you cannot delete the predefined Admin Role.

Creating or Editing a Role

You can create any number of roles to be adopted by the groups and users of your installation of RSA DLP. To create a new role or edit an existing one, take the following steps:

A. Fill in the role summary

1. Enter a name for the role in the Role Name field. 2. Optionally enter a description of the role.

Chapter 8: Administering Your DLP Installation 225 RSA DLP 9.6 Network User Guide

Completing the rest of the New/Edit Role form involves selecting or clearing various permissions checkboxes. Note that Enterprise Manager allows you to check or uncheck any combination of boxes, even though some combinations of permissions might be illogical.

B. Specify system permissions

These permissions are global across all policies and across all DLP products. 1. If necessary, click the System tab to make the system permissions visible.

226 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

2. Use the checkboxes to select the system permissions that you want to assign to this role. – For the upper set of permissions, you can separately enable Read and, in most cases, Update, Create, and Delete permissions. You can also use the All checkbox in each row to enable all available permissions for that row. – For the lower set of permissions, select a checkbox to enable the permission in that row. – At the top, select the All System Permissions checkbox if you want to select all the checkboxes in both sets of system permissions. (Clearing the All System Permissions checkbox clears all checkboxes in both sets of system permissions.)

Note: If you are assigning Create or Update permissions to Datacenter Configuration, Fingerprint Crawler, and Define Secure File Shares, make sure that you provide Use permission to this role on the Credentials tab.

The order of precedence for the Datacenter credential management permissions is Link to Role, Create, and List All. These permissions are also associated to the permissions specified in the Credentials tab. The following are the tasks associated with the permissions: • Link to Role. Allows the user to link roles to credentials. Additionally, the user will have permission to create, update, read, list, and use credentials. •Create. Allows the user to create Datacenter credentials. Additionally, the user will have permission to read, list, and user credentials. •List All. Allows the user to view all the credentials on the Credentials page. For more information on the permissions that can be set on the Credentials tab, see “E. Specify Datacenter credential permissions” on page 229.

Note: All permissions apply to all DLP products, except for the ProductName Configuration settings in the upper area and the ProductName - View Status permissions in the lower area. The System Maintenance permission enables license-key entry, product-log download, and bulk delete of incidents and events.

For examples of system permissions that you might assign to specific roles, see Column 2 in Table 5 on page 231.

Chapter 8: Administering Your DLP Installation 227 RSA DLP 9.6 Network User Guide

C. Specify policy permissions 1. Click the Policy tab to make the policy-related permissions visible:

2. Use the checkboxes to select the policy permissions that you want to assign to this role. a. Under Active Policies, select the checkbox for each active policy that you want this role to have access to. Select All Policies (current and future) to make sure that the role has access to all active policies at all times.

Note: All activated policies appear in this list, whether enabled or not. As policies in your installation are activated or deactivated, the content of this list changes.

b. Under Permission Area..., select the checkbox for each policy-related permission that you want this role to have. Select All Policy Permissions to check all the boxes in this area. (Clear All Policy Permissions to clear all the boxes in this area.)

Note that a role cannot have different permissions for different policies; the same set of enabled permissions applies to all policies enabled for that the role. If you need different permission sets for different policies, you can create separate roles for that purpose.

For examples of policy permissions that you might assign to specific roles, see Column 3 in Table 5 on page 231.

228 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

D. Specify report-viewing permissions

This table lists all currently defined reports. For each report, you can select whether this role can view the report.

For examples of report-viewing permissions that you might assign to specific roles, see Column 4 in Table 5 on page 231.

E. Specify Datacenter credential permissions

This tab is used to specify the permissions this role has on individual Datacenter user credentials that are created on the Credentials page.

Chapter 8: Administering Your DLP Installation 229 RSA DLP 9.6 Network User Guide

1. Click the Credentials tab to make the Datacenter credential-related permissions visible. All of the user credentials that are created for Datacenter are listed. 2. Select the checkboxes to specify the credential permissions that you want to assign to this role. The following are the permissions, in the order of precedence: –Use. Provides permission to use this credential while configuring Datacenter components. – Update. Provides permission to Update, Read, List All, and Use the credentials. –Delete. Provides permission to Delete, Read, List All, and Use the credentials. –Read. Provides permission to List All and Use the credentials. If you want to set permissions for all of the Datacenter credentials, select All Credentials (current and future).

Note: You can also assign Use permission to a role while creating a user credential for Datacenter. For more information, see “Creating or Editing a User Credential” on page 243. However, if you want to provide finer control (Read, Update, or Delete) to manage the credentials you must set those using the Credentials tab.

3. Click Save.

F. Save the role

Click Save to save the new or changed role.

Example Roles and Permissions

Table 5 lists a suggested assignment of permissions to the example roles described earlier. It represents only one of many possible ways of organizing DLP roles in your organization.

230 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Table 5 Permission assignments for sample DLP roles

System Policy Report Role permissions1 permissions permissions

Executive Reports - create Policy - Read (all policies) Read Assesses corporate risk Policies - Incidents - Read (all policies) (all reports) levels and trends. View audit history

Incident Reviewer (none) For one or more policies: (none) Sees and remediates Policy - Read incidents of those Incidents - Read all content policies for which he Incidents - Read sender/user/owner or she has incident Incidents - Update workflow permissions. Incident - Remediation: NW and/or DC2 Events - Read all content Events - Read sender/user/owner

Security Specialist Content Blades (R) For all policies: Read First responder for Policy - Read (all reports) incidents; may Incidents - Read remediate or assign Incidents - Read all content them to incident Incidents - Read sender/user/owner reviewers. Incidents - Update workflow Incident - Remediation: NW and DC2 Events - Read Events - Read all content Events - Read sender/user/owner

Compliance Officer Policies - Reorder For all policies: Read Manages security Policies - View Audit Policy - Read (all reports) specialists; can view History Incidents - Read incidents and events Reports - create Incidents - Read all content (including matched Network - View Incidents - Read sender/user/owner content), can Status Incidents - Matched content remediate; has access Endpoint - View Incidents - Update workflow to audit logs and Status Incident - Remediation: NW and DC2 reporting. Datacenter - View Incidents - Delete Status Events - Read Events - Read all content Events - Read sender/user/owner Events - matched content

Chapter 8: Administering Your DLP Installation 231 RSA DLP 9.6 Network User Guide

Table 5 Permission assignments for sample DLP roles (continued)

System Policy Report Role permissions1 permissions permissions

Policy Designer Content Blades (All) For policies under development: Read Creates and tests Policies - Create Policy - Read (policy-related policies and content Policies - Reorder Policy - Update reports) blades; evaluates Policy - Enable/Disable false-positive incidents Policy - Delete Incidents - Read Incidents - Read All Content Incidents - Matched Content Events - Read Events - Read All Content Events - Matched Content

Policy Manager Content Blades (All) For all policies: Read Manages policy Policies - Create Policy - Read (policy-related designer; responsible Policies - Reorder Policy - Update reports) for putting policies into Policies - View Audit Policy - Enable/Disable production. Can History Policy - Delete enable/disable policies. Reports - Create Incidents - Read Network - View Incidents - Read All Content Status Incidents - Matched Content Endpoint - View Events - Read Status Events - Read All Content Datacenter - View Events - Matched Content Status

DLP Network Notification For all policies: Read Administrator Templates (all) Policy - Read (all reports) Configures DLP Email Server Config Incidents - Read Network, can start or (R) stop controller and Network devices Configuration (all) Reports - Create Network - View Status Endpoint - View Status Datacenter - View Status

232 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Table 5 Permission assignments for sample DLP roles (continued)

System Policy Report Role permissions1 permissions permissions

DLP Endpoint Notification For all policies: Read Administrator Templates (all) Policy - Read (all reports) Configures DLP Email Server Config Incidents - Read Endpoint can start or (R) stop controller Endpoint Config (all) Reports - Create Network - View Status Endpoint - View Status Datacenter - View Status

Chapter 8: Administering Your DLP Installation 233 RSA DLP 9.6 Network User Guide

Table 5 Permission assignments for sample DLP roles (continued)

System Policy Report Role permissions1 permissions permissions

DLP Datacenter Notification For all policies: Read Administrator Templates (all) Policy - Read (all reports) Configures DLP Email Server Config Incidents - Read Datacenter, can create (R) sites and scan groups, Datacenter Config start and stop scans (all) Reports - Create Network - View Status Endpoint - View Status Datacenter - View Status

DLP Administrator Notification For all policies: Read Performs all templates (all) Policy - Read (all reports) non-product-specific User, Groups, Roles Incidents - Read configuration and (all) Incidents - Delete administrative tasks. Email Server Config Events - Read (all) LDAP Config (all) Policies - View Audit History Imported reports - Delete Network - View Status Endpoint - View Status Datacenter - View Status Datacenter - Read, Update, Use, and Delete Credentials Bulk Incident Delete System Maintenance

Admin Role (all) (all) (all)

1R = Read; U = Update; C = Create; D = Delete; All = all actions 2NW = DLP Network; DC = DLP Datacenter; EP = DLP Endpoint

For further descriptions of these example roles, see “Managing Roles and Permissions” on page 221

234 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Setting Up Groups and Users

Enterprise Manager allows you to define users and groups in two ways: you can create them directly in Enterprise Manager, or you can import them from your organization’s LDAP directory.

DLP users must belong to one or more groups, because users are assigned roles through the groups that they belong to. When you create a group, you must assign at least one role to it. When you create a user, you must assign that user to at least one group.

Viewing the List of Groups and Users

With the Enterprise Manager Admin tab active, click Users & Groups.

The Users and Groups page appears. The left side of the page is an expanding/ collapsing tree view of all defined groups and their users. The right side of the page displays details of the item (group or user) highlighted on the left.

To create a new DLP group 1. At the top of the left side of the Users and Groups page, click New Group. The New/Edit Group panel appears on the right side of the page. 2. Fill in the fields as described in “Creating or Editing a DLP Group” on page 237.

To create a new DLP user 1. At the top of the left side of the Users and Groups page, click New User. The New/Edit User panel appears on the right side of the page. 2. Fill in the fields as described in “Creating or Editing a DLP User” on page 239.

Chapter 8: Administering Your DLP Installation 235 RSA DLP 9.6 Network User Guide

To view a DLP group 1. On the left side of the Users and Groups page, click the name of the group whose details you want to view or change. The selected group’s details are displayed in the DLP Group panel, on the right side of the page. Alternatively, you can view the Group panel by clicking the name of a group when viewing the group memberships of a user in the DLP User panel.

2. Note the group name and description, plus these categories of information: – DLP User Members. Lists DLP users that are members of this group. – LDAP Group Association. Lists groups defined in your organization’s LDAP server that are defined as subgroups of this group. – Roles that apply to this group. The roles that members of this group can carry out.

To revise the group information (and if your permissions allow it), click Edit (). The fields of the group become editable; change any of the information as described in “Creating or Editing a DLP Group” on page 237. To remove the group from the system, click Delete ().

Note: The one default group is Admin Group. That group includes the default Admin Role and cannot be deleted.

236 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

To view a DLP user 1. On the left side of the Users and Groups page, click the name of the user whose details you want to view or change. Expand a group name if necessary to reveal the user’s name. The selected user’s details are displayed in the DLP User panel, on the right side of the page. Alternatively, you can view the User panel by clicking the name of a user when viewing the members of a group in the DLP Group panel.

2. Note the user name, email address and preferences, group memberships, and roles. If you want to revise the user information (and if your permissions allow it), click Edit ( ). The fields of the user become editable; change any of the information and save your changes in the same manner as when creating a new user; see “Creating or Editing a DLP User” on page 239. To remove the user from the system, click Delete ().

Note: The one default user is admin. That user belongs to the default Admin Group and includes the default Admin Role. You can edit certain properties of the admin user, but you cannot delete the user.

Creating or Editing a DLP Group

You can reach the New/Edit DLP Group panel in these ways: • By clicking New Group on the left side of the Users and Groups page.

Chapter 8: Administering Your DLP Installation 237 RSA DLP 9.6 Network User Guide

• By clicking Edit when viewing group details on the DLP Group panel.

In either case, the New/Edit DLP Group panel appears. Fill in the information as described below.

A. Fill in the group summary

1. Enter a name for the group in the Group Name field. 2. Optionally enter a description of the Group.

B. Assign users and groups to this group

The DLP User Members and LDAP Group Association tables show the DLP users and LDAP groups that are currently members of this group. If you are creating a new group, these lists are empty. 1. Beside DLP User Members, click Select DLP Users to bring up a dialog box from which you can select DLP users to add to the group.

2. Select the users and click Save. 3. Back in the Group panel, you can delete any of the current users by clicking Remove ( ) in that user’s row.

238 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

4. Select the group from the LDAP directory. Click Select a Group from LDAP. The Select from Directory pop-up window appears. Select the groups from the LDAP directory. For more information, see “Selecting Users and Machines from an LDAP Directory for DLP Operations” on page 379. Once you have created a DLP group that includes an LDAP group, all members of that LDAP group are automatically members of the DLP group and can log into Enterprise Manager with whatever permissions that group provides. There is no need to explicitly re-create them as DLP users. See “Giving LDAP Users Access to Enterprise Manager” on page 241 for details.

Note: Only the immediate members of an LDAP group are included as members of the DLP group it is mapped to. LDAP users in any other group, including subgroups of the selected LDAP group, are not included as members of the DLP group.

C. Assign roles to the group

Under Roles, select the checkboxes for the roles that members of this group are to be assigned.

D. Save the group

Click Save to save the new group.

If you are editing an existing group, you can also click Delete ( ) if you want to delete the group entirely.

Creating or Editing a DLP User

You can reach the Create/Edit User panel in these ways: • By clicking New User on the left side of the Users and Groups page. • By clicking Edit when viewing user details on the DLP User panel.

Chapter 8: Administering Your DLP Installation 239 RSA DLP 9.6 Network User Guide

The New/Edit User panel appears.

1. Enter values for the following fields: – Username. The user’s network ID. – First Name. The user’s given name. –Last name. The user’s surname. –Password. Enter the user’s default password. Your entry will be masked with asterisks. – Re-enter Password. Enter the password again, for verification. – Email Address. The user’s email address. – Send email as. (Optional) Choose HTML or Text as the user’s preferred email format. 2. Under Groups, select the checkboxes for the groups that this user is to be a member of. Beside each group, the roles assigned to that group are listed. 3. Click Save to save the new user. If you are editing an existing user, you can also click Delete ( ) if you want to delete the user entirely.

Note: For the default user admin, you can edit only the fields First Name, Last name, Password, Email Address, and Send email as. You cannot delete the user.

240 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Giving LDAP Users Access to Enterprise Manager

You can allow any of your organization’s users to access Enterprise Manager without using the Enterprise Manager interface to explicitly create them as DLP users. Do the following: 1. Create an LDAP configuration. See “Configuring LDAP Integration” on page 245. 2. Create a DLP group, and add an LDAP group to it that includes the user(s) that should be able to access Enterprise Manager. See “Creating or Editing a DLP Group” on page 237. 3. Assign to the DLP group one or more roles whose permissions are appropriate for the users of the LDAP group.

Any users of that LDAP group can now log into Enterprise Manager and will have the role(s) that you have assigned to the DLP group. The login ID for such a user will be the value of that user’s userPrincipalName or mail field in LDAP, depending on what is specified in your LDAP configuration’s Search Filter field. See “B. Specify LDAP parameters” on page 247 for more information.

Managing User Credentials

Note: For DLP Network, the user credentials are required only for creating fingerprinted-content blades.

DLP Datacenter requires authentication credentials while performing different operations. Because it is a distributed application that executes on multiple hosts and potentially across multiple domains, DLP Datacenter requires different sets of credentials at various stages of execution.

As the DLP administrator, you may need to supply explicit credentials when: • Configuring scan groups, worker sets, or Datacenter policies. • Creating or editing Enterprise Manager users. • Manually remediating Datacenter events or incidents.

Each set of credentials must represent a valid user with the appropriate permissions to perform the required task. The following table lists the various Datacenter operations and the respective credentials that are required to perform these operations. If you have not created these credentials, make sure that you create these credentials before performing the listed Datacenter operations.

Chapter 8: Administering Your DLP Installation 241 RSA DLP 9.6 Network User Guide

For more information, see “Creating or Editing a User Credential” on page 243.

DLP Operations Credentials

Configure File Fingerprint • File path credentials Crawler • Run as this user

Configure Database • Database connection credentials Fingerprint Crawler • Run as this user

Automatic Remediation The file path access credentials (Move to Secure)

Manual Remediation The file path access credentials

Define Secure File Shares The file path access credentials

Configure Site Coordinator Administrator

Commission Grid Worker • Run as this user • Deployment credentials • Remediation user

Create Grid Worker Set • Run as this user • Grid worker bootstrap • Remediation user

Configure Grid Group • Run as this user • Path credentials • Default user • Optional Settings - Credentials

Configure Database Scan • Run as this user Group • Database connection credentials

Configure Lotus Notes • Run as this user • Default user • Path credentials

Configure Repository Scan • Run as this user Groups • Path credentials (SharePoint, Exchange, • Default user Documentum, Livelink, and Filenet)

Configure Agent Group • Deploy as this user • Scan as this user • Optional Settings - Credentials

242 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Viewing User Credentials

With the Enterprise Manager Admin tab active, click Users & Groups > Credentials.

The Credentials page appears.

The Credentials page displays a list of user credentials that are created for administering DLP Datacenter.

Note: If a credential is in use for any of the component configurations, the delete icon for this credential is disabled.

You can perform the following tasks on this page: • Add a credential by clicking Add Credential.

• Delete a credential by clicking Delete beside the credential.

Creating or Editing a User Credential

You can access the Edit or Add Credential page by clicking: • A credential name on the Credentials page. The Edit Credential page appears. • Add Credential on the Credentials page.

Chapter 8: Administering Your DLP Installation 243 RSA DLP 9.6 Network User Guide

The Add Credential page appears.

1. Enter a name for the user credential in the Name field. This name will be listed in the Datacenter configuration pages while creating the infrastructure components of RSA DLP Datacenter—the Enterprise Coordinator and Site Coordinators, and the scan groups. 2. (Optional) Enter a description for the user credential that you want to create in the Description field. 3. In the Credential Configuration section, enter the following: – User Name. The user name for the user credential that you want to create. You must include the domain name along with the user name. For example, domain_name\administrator. Make sure that the user name is a valid domain user in the domain that you have specified, and the domain that you specify must be in the same domain as the Datacenter component that uses this credential. –Password. The password to authenticate the credential that you want to create. –Confirm Password. The password again, for verification. 4. (Optional) Click Check Password to verify that you have entered a valid Windows login credential.

Important: Any other credentials created such as File path credentials, Database connection credentials, File path access credentials, Deployment credentials, Remediation user, Grid worker bootstrap, Path credentials, Default user, Optional Settings - Credentials, and Database connection credentials cannot be validated using Check Password.

244 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

5. In the Set Permission section, select the roles that can use this credential for configuring the various Datacenter components.

Note: If you want to provide specific permissions, such as read, update, or delete, to manage the credential, see “Managing Roles and Permissions” on page 221.

6. Click Save.

Configuring LDAP Integration

You will need to provide LDAP settings so that Enterprise Manager knows how to communicate with the LDAP server (or servers) that hold your organization’s user and group information.

Your organization may have different LDAP servers for different domains. You can create and save a different LDAP configuration for each server.

Viewing LDAP Settings 1. With the Enterprise Manager Admin tab active, click Settings > LDAP Configuration. 2. The LDAP Configuration page appears. The left side of the page is a tree view listing all of the LDAP configurations that have been created. The right side of the page displays details of the LDAP configuration that is highlighted on the left.

To view or edit an existing LDAP configuration 1. On the LDAP Configuration page, click the name of the LDAP configuration whose details you want to view or change. Those configuration settings are displayed on the right side of the page. 2. If you want to revise the configuration settings, click Edit ( ). The LDAP settings become editable.

Chapter 8: Administering Your DLP Installation 245 RSA DLP 9.6 Network User Guide

3. Change any of the information and save your changes in the same manner as when creating a new LDAP configuration. See “Creating or Editing an LDAP Configuration” on page 246. 4. To remove this LDAP configuration from the system, click Delete ( ).

To create a new LDAP configuration

1. On the LDAP Configuration page, click New LDAP ( ) at the top of the left side of the page. A new LDAP configuration form appears on the right side. 2. Enter information into the fields and save your configuration as described in “Creating or Editing an LDAP Configuration” (next).

Creating or Editing an LDAP Configuration

To create or edit the LDAP configuration: A. Fill in the summary B. Specify LDAP parameters C. Map LDAP attributes D. Save the configuration

A. Fill in the summary

1. Enter a name for the LDAP configuration in the LDAP Name field. 2. Optional—Enter a description for this individual configuration.

246 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

B. Specify LDAP parameters

Specify values for the following LDAP parameters:

Field Name Field Description

Note: All parameters are required unless otherwise noted.

Username Enter the name used to log onto the LDAP Server. This LDAP user must have the correct permissions to access the LDAP server.

Password Enter the password for the user entered in the Username field.

Confirm Password Re-enter the password for confirmation. Once you have created and saved your LDAP configuration, DLP no longer displays this field.

Chapter 8: Administering Your DLP Installation 247 RSA DLP 9.6 Network User Guide

Field Name Field Description

Host Enter the FQDN or the IP address of the LDAP server.

Note: To use secure LDAP communication, you must enter the FQDN of the LDAP server.

Port Specify the port number used by the LDAP server. (Default = 389.)

Encrypted Optional—Select this checkbox if you want communication with the LDAP server to be encrypted.

Version Optional—From the drop-down menu, select the version number of your LDAP server.

Root DN Enter a root user (Distinguished Name) for the LDAP server. This DN will be the root for all access to the server.

Search Base Enter the schema base point that defines the part of the LDAP server that you want to be searched for users. For example, on an active directory LDAP, you can use dc=abc,dc=com, and on a SunOne LDAP, you can use dc=sunoneldap,dc=com.

Search Filter From the drop-down menu, select a search filter for locating user names. This limits the search of the LDAP tree to a subset of users, based either on userPrincipalName (user name) or mail (email address). In the second field, optionally enter a wildcard expression to further filter the searches. The expression can be either an asterisk (*), which returns all results, or a string followed by an asterisk (such as ACME*), which returns only those results that start with the given prefix.

Note: Whichever search attribute you select (userPrincipalName or mail), only users for whom that attribute is defined can be returned by a search. For example, if you select mail, users that do not have defined email addresses will not be found.

Search Order Optional—Enter an integer as a search-priority number. If you have created more than one LDAP configuration, Enterprise Manager will search the defined LDAP servers in ascending order, based on the number in this field.

248 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Field Name Field Description

Filter Attributes Optional—In a comma-separated list, enter the LDAP attributes that you want to be displayed in the dialog boxes that Enterprise Manager provides for selecting users or groups. Default value = cn, ou, uid.

DN Suffix Optional—Suffix to remove from DNS, to simplify display. For example, if all DNS include the suffix ou=Acme.com, enter ou=Acme.com to avoid displaying that portion of the DN.

Email Suffix Optional—Suffix to remove from email addresses to simplify display. For example, if all email addresses include the suffix acme.com, enter acme.com to avoid displaying that portion of an address.

Refresh Interval Optional—DLP Network only. Use the drop-down menu to select the interval at which DLP Network accesses the LDAP server to update its internal cache of user information. Specify either Per Hour, Per Day, or Per Week.

Refresh Start Time Optional—DLP Network only. Enter a date and time (format: 09/06/2007, 12:00 AM) or click the calendar icon to select a date (default time of 12:20 AM) on which the first LDAP update is to occur.

Paging Enabled Optional—This parameter is used for directory services support paged searches. Windows Active Directory supports paging and it is recommended to enable this field for Windows Active Directory. If the result set from an LDAP query contains more than 1000 items, enabling this option allows queries to retrieve all the items. Without paging, searches performed to Active Directory are limited to retrieve only a maximum of the first 1000 records.

Send Password to Optional—DLP Endpoint only. Select to send the Endpoint Agents LDAP password to the Endpoint agents. The Endpoint agents use this password to query the LDAP and get the details of the logged on user, for example, the LDAP group the user belongs to.

Test LDAP Parameters Click to validate the entries you have just made. Otherwise, errors will become evident only on attempting to access the LDAP server during operations.

Chapter 8: Administering Your DLP Installation 249 RSA DLP 9.6 Network User Guide

C. Map LDAP attributes

In this section, you specify the LDAP attributes that correspond to each of the user attributes used by Enterprise Manager. For each of the required fields listed here, you need to know what attribute your organization’s LDAP server uses to define it.

Note: Unless otherwise noted, all parameters are required.

Field Name Field Description

Email Address The LDAP attribute, for example, mail, that your LDAP server uses to specify an e-mail address.

Employee ID Optional—Enter the LDAP attribute that your LDAP server uses to specify an employee ID.

First Name Enter the LDAP attribute (for example, givenName) that your LDAP server uses to specify an employee’s first name.

Last Name Enter the LDAP attribute (for example, sn) that your LDAP server uses to specify an employee’s last name.

250 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Field Name Field Description

Display Name Enter the LDAP attribute (for example, displayName) that your LDAP server uses to specify an employee’s display name.

Phone Number. Optional—Enter the LDAP attribute (for example, phone) that your LDAP server uses to specify a telephone number.

Manager’s Name Optional—Enter the LDAP attribute that your LDAP server uses to specify an employee’s manager’s name.

Organization Optional—Enter the LDAP attribute (for example, org) that your LDAP server uses to specify an employee’s organization.

Department Optional—Enter the LDAP attribute (for example, dept) that your LDAP server uses to specify a department name.

SID Optional—Enter the LDAP attribute that your LDAP server uses to specify a Microsoft security identifier.

User Enter the LDAP attribute (for example, sAMAccountName) that your LDAP server uses to specify a user ID.

Group List Enter the LDAP attribute (for example, memberOf or nsrole) that your LDAP server uses to specify a list of groups associated with a given user.

Users login to domain as. Enter the LDAP attribute (for example, userPrincipalName or mail) that users use to login into the domain

ActiveSync Device ID Enter the LDAP attribute that your LDAP server uses to identify the active sync device, such as msExchDeviceID.

ActiveSync Device Type Enter the LDAP attribute that you LDAP Server users to identify the active sync device type, such as msExchDeviceType.

D. Save the configuration

Click Save to save this configuration.

If you are editing an existing LDAP configuration, you can also click Delete () if you want to remove the configuration entirely.

Chapter 8: Administering Your DLP Installation 251 RSA DLP 9.6 Network User Guide

Configuring SIEM Integration

Security Incident and Event Management (SIEM) applications enable gathering, analyzing, and using log data for compliance and security purposes.

If you have a SIEM application such as the RSA enVision Platform, installed and configured for integration with RSA DLP, you can then configure Enterprise Manager to export DLP events to that application. Once you complete this configuration, DLP data is exported automatically to the SIEM application.

Note: Your SIEM application must be already configured up to receive events generated by RSA DLP before you start this procedure. See http:// www.emc.com/security/rsa-envision.htm for more information about the RSA enVision Platform.

Viewing the SIEM Configuration 1. With the Enterprise Manager Admin tab active, click Settings > SIEM Configuration. 2. The SIEM Configuration page appears. This page displays the current (if any) SIEM configuration.

– To create a new SIEM configuration, click New. The configuration page appears with editable fields. Fill in the configuration fields as described in “Creating or Editing a SIEM Configuration” on page 253.

252 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

– To edit an existing SIEM configuration, click Edit. The configuration page appears displaying the same information but with editable fields. Edit the configuration fields as described in “Creating or Editing a SIEM Configuration” on page 253.

Creating or Editing a SIEM Configuration 1. On the SIEM Configuration page, either click Edit ( ) to edit an existing SIEM configuration; or New to create a new SIEM configuration. If your permissions allow it, the SIEM configuration settings become editable.

Either add new values for a new SIEM configuration, or change the values to edit an existing configuration, as follows: 2. Where necessary, enter the following summary information: – SIEM Application Name. The name of the SIEM application where DLP events will be exported. For example, enVision. – Description. An optional description about this configuration. 3. Enter the Syslog Settings. Syslog is the Transport Mechanism used to export data to the RSA enVision platform. The name and port number where the syslog server is running are needed to accept the data exported from DLP to enVision. – Syslog Hostname/IP Address. The Hostname or IP address of the machine where the syslog server is running. 4. Enter the Export Settings: – Enable Event Export.

Chapter 8: Administering Your DLP Installation 253 RSA DLP 9.6 Network User Guide

– Directory Data to Export. Select the type of directory data that will be added to the exported data. This is optional. You can select one, both, or neither checkboxes. By default, all checkboxes are cleared.

Note: Directory data can only be retrieved if your Enterprise Manager includes a valid LDAP configuration (see “Configuring LDAP Integration” on page 245).

• Department. Departmental data are added to the exported data. • Organization. Organizational data are added to the exported data. • Email Address. Email information are added to the exported data. • Send matched content logs to SIEM. Enterprise Manager exports matched content audit logs to the SIEM application. These logs track the viewing of sensitive data that happens while using Enterprise Manager. The default for this checkbox is clear.

Important: You must also have the Log access to matched content checkbox, located on the Policy page, selected for this to work. See step 4 under “Creating or Editing a Policy” on page 197.

– Transport Mechanism. Syslog. The export mechanism to use when exporting data to the SIEM application. This field is automatically populated and not editable. – Export Format. enVision. The format of the exported data. This must be a format that is understood by the SIEM application. This field is automatically populated and not editable. 5. (Optional) Click the green arrow to expand the Advanced Settings section then enter the Number of RSA enVision Bootstrap Messages. 6. Click Save to save the SIEM configuration.

System Alerts Configuration

Enterprise Manager, DLP Network, and DLP Datacenter can be configured to send alerts for the most common error scenarios to a Syslog daemon so that they can be managed by a full SIEM system such as RSA enVision, or to a centralized email address.

DLP Endpoint is configured by default to send alerts for the most common error scenarios to the local system’s Event Viewer

You can configure DLP Datacenter to send notifications on completion of scans.

Alerts can only be configured to be sent to a Syslog server if one has already been configured as part of a SIEM configuration (see “Configuring SIEM Integration” on page 252).

254 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Alerts can only be configured to be an email server if one has already been configured (see “Configuring the Notification Email Server” on page 264).

Appendix B, “DLP System Alerts”provides a list and descriptions of all DLP system alerts.

Viewing System Alerts Settings 1. With the Enterprise Manager Admin tab active, click Settings > System Alerts Configuration. 2. The System Alerts Configuration page appears. 3. If you want to revise the configuration settings, (and if your permissions allow it), click Edit ( ). The settings become editable. 4. Change any of the information and save your changes in the same manner as when creating a new System Alerts configuration; see “Creating or Editing System Alerts Configuration”.

Creating or Editing System Alerts Configuration 1. On the System Alerts configuration page, specify the Alerting Method for each product, as follows: – Enterprise Manager. • Syslog. Check this if you want alerts to be sent to a pre-configured Syslog server.

Chapter 8: Administering Your DLP Installation 255 RSA DLP 9.6 Network User Guide

• Email. Check this if you want alerts to be sent to an email address. If you select this, you also have to specify one or more email addresses (see below). – Network. • Syslog. Check this if you want alerts to be sent to a pre-configured Syslog server. • Email. Check this if you want alerts to be sent to an email address. If you select this, you also have to specify an email address (see below). 2. If you have selected an Email Alerting Method for any of the products, you must also specify an Alert Recipient. Enter one or more valid email addresses in the To Email Address field. For multiple addresses, use a comma or semicolon-separated list. All product email alerts will be sent to this address.

Note: The To Email Address field will only be enabled if you have already configured an email server. For more information, see “Configuring the Notification Email Server” on page 264.

3. Click Save to save your configuration settings.

Managing Notifications and Messages

Enterprise Manager sends automatic notifications to selected users or groups when an incident or in some cases an event (policy violation) occurs, when an incident’s severity is escalated, or when a scheduled report is run. The rules for when these notifications are sent out, and to whom, are determined by the policy that was violated.

You can also manually send a one-time email notification to one or more email addresses directly from the Incident Details page. See “Sending an E-mail Notification about this Incident” on page 54 for more details about sending this type of manual notification. You can use a default manual notification template to send this one-time notification, or you can create and use any number of custom manual notification templates.

DLP Network additionally displays messages in lieu of blocked or discarded web transmissions and sends emails when a transmission’s quarantine status changes.

Automatic notification templates are the standard formats used to send notifications and messages. Enterprise Manager provides notification templates for each type of message or notification you can send out. If you have the appropriate administrative permissions, you can set up and edit these templates to customize notifications and messages for your enterprise. For more information, see “Managing Roles and Permissions” on page 221.

256 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Viewing the Automatic Notification Templates List

With the Enterprise Manager Admin tab active, click Notifications > Automatic Templates.

The Notification and Message Templates list appears. The notification and template list allows you to view and customize any of the notifications and messages that Enterprise Manager sends out.

Enterprise Manager provides the following categories of automatic templates: • Email Notifications ( ). (All DLP products.) Notifications emailed to designated recipients. See “Automatic Email Notifications” for a list of these templates. • Network Messages ( ). Notifications sent in replacement of blocked or discarded transmissions, and messages that appear in the browser of the source of a blocked or discarded transmission of webmail and HTTP Posts. See “Automatic Network Messages (DLP Network)” for a list of these templates.

To view or edit an automatic notification template 1. Click the notification or message template you want to view or customize. The corresponding template appears. 2. To customize the message or notification, see “Viewing or Customizing an Email Notification Template” on page 259 “Viewing or Customizing a Network Message” on page 261.

Automatic Email Notifications

Enterprise Manager includes these email notification templates:

Incident Generation Notifications • Network Incident Generation - Notify Assignee. Email message sent to the assignee of a Network incident upon incident generation. • Network Incident Generation - Notify Sender. Email message sent to the originator of the transmission that is in violation of policy. • Network Incident Generation - Notify Sender’s Manager. Email message sent to the manager of the sender or originator of the transmission that is in violation of policy. • Network Incident Generation - Notify Others. Email message sent to a policy-defined list of email addresses upon Network incident generation.

Incident Escalation Notifications • Network Incident Escalation - Notify Assignee. Email message sent to the assignee of a Network incident upon incident escalation.

Chapter 8: Administering Your DLP Installation 257 RSA DLP 9.6 Network User Guide

• Network Incident Escalation - Notify Others. Email message sent to a policy-defined list of email addresses upon Network incident escalation. • Network Incident Escalation - Notify Assignee’s Manager. Email message sent to the manager of the assignee of a Network incident upon incident escalation. • Incident Escalation - Notify File Owner. Email message sent to the file owner upon incident escalation. • Incident Escalation - Notify File Owner’s Manager. Email message sent to the file owner’s manager upon incident escalation.

Quarantined/Blocked Email Notifications (DLP Network) • Quarantined/Blocked Email - Notify Sender. Email message sent to the sender or originator of an email that is quarantined or blocked as a result of being in violation of policy. • Quarantined Email - Time Delay. Email message sent after a policy-defined period of time to the sender of an email that is quarantined or blocked as a result of being in violation of policy. • Quarantined Email - Time Delay Administrator. Email message sent to the administrator when an email remains quarantined for a policy-defined period of time. • Quarantined Email - Expiration. Email message sent to the sender of an email when its quarantine period expires. • Quarantine Self-Release Sender Notification. Email message sent to the sender of an email that has been quarantined, but the user has been given self-release privileges (see “Setting Preferences” on page 291). This email notifies the user of the quarantine, and also provides a link to a page where they can either release or discard the quarantined email. • Quarantined email - Time Delay (Self-Release). Email message sent after a policy-defined period of time to the sender of an email that is quarantined as a result of being in violation of policy. This email notifies the user of the quarantine, and also provides a link to a page where they can either release or discard the quarantined email. This is only sent when email self-release has been enabled (see “Setting Preferences” on page 291 for information about globally enabling email self-release).

Other Email Notifications • RMS Template Deleted. This is the email that is sent when an RMS template is deleted from the AD RMS server. The address this email is sent to is the one specified as the Email Contact in the RMS Configuration page. • Scheduled Report. This is the email that is sent to a policy-defined list of email addresses when a scheduled report has been generated. • Email Report. Sent when a user clicks Email Report.

258 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Automatic Network Messages (DLP Network)

DLP Network includes these message templates: • Network ICAP Replace Message Template. The message sent by the DLP Network product as a replacement for the original email. • Network ICAP Discard Message Template. The message sent by the DLP Network product when the original email is discarded.

Viewing or Customizing an Email Notification Template 1. From the Automatic Notification List, click the email notification template you want to view or customize. The corresponding notification template appears.

2. To customize this template, click Edit.

Chapter 8: Administering Your DLP Installation 259 RSA DLP 9.6 Network User Guide

The notification template opens in a text editor.

Now the email notification template is editable, you can customize most of the fields. 3. Optionally enter one or more valid email addresses, separated by semi-colons, for both the cc (copy to) and bcc (blind copy to) fields. You can also click the directory icon ( ) to select users from your enterprise’s LDAP database. 4. (Optional) Edit the subject line of the notification. 5. Edit the message body of notification template using the standard text editor tools that are available from the top menu of the message body. Note that you can insert images such as company logos, and can insert links such as company website URLs. You can include the following variables for dynamic elements: – %incident_id% - Incident ID. – %date% - Date the incident occurred. – %policy_name% - Name of primary policy violated. – %severity% - Incident Severity. 6. Select View Source if you want to edit or view the message in standard HTML.

260 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

7. Click Save to save your edits or Cancel to return to the previous window.

Viewing or Customizing a Network Message 1. From the Notification List, click the Network message template you want to view or customize. The corresponding message template appears.

2. To customize this template, click Edit. The message template opens in a text editor.

Now the notification message template is editable, you can customize most of the fields. 3. Edit the notification template using the standard text editor tools that are available from the top menu of the message body.

Chapter 8: Administering Your DLP Installation 261 RSA DLP 9.6 Network User Guide

Note that you can insert images such as company logos, and can insert links such as company website URLs. You can include the following variables for dynamic elements: – %FILENAME% - Name of the file that was found to contain sensitive content. – %CLASSIFICATIONS% - Classifications. need more info – %POLICY% - Name of primary policy violated. 4. Select View Source if you want to edit or view the message in standard HTML. 5. Click Save to save your edits or Cancel to return to the previous window.

Viewing the Custom Manual Notification Templates List

With the Enterprise Manager Admin tab active, click Notifications > Manual Templates.

The Custom Manual Notification Templates list appears. The Custom Manual Notification Templates lists the names and descriptions of any custom manual notification templates you have created. From this page you can view or customize a manual notification template, delete it, or create a new template which will be added to this list.

To create a new Manual Notification Template

With the Manual Notification Templates list open, click New Notification Template above the list. A New Manual Template page appears. Fill in the fields as described in “Creating or Editing a Manual Notification Template” on page 263.

To delete a Manual Notification Template

1. With the Manual Notification Templates list open, click the ( )Delete link that corresponds to the template you want to delete. 2. A dialog appears asking you to confirm the deletion. 3. Click Yes to delete that template, Cancel to return to the Manual Notification Templates list.

To view a Manual Notification Template 1. With the Manual Notifications Template list open, click the name of the manual notification template whose details you want to view or change. The corresponding template appears. 2. Note the template name and description, the recipients of the notification, and the contents (Message Body) of the notification. 3. To edit the notification (if your permissions allow it), click Edit. Most of the fields of this message become editable; change any of the information as described in “Creating or Editing a Manual Notification Template” on page 263 for details.

262 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Creating or Editing a Manual Notification Template

You can reach the editable Incident Notification page in these ways: • By clicking New Notification Template at the top of the Manual Notification Templates list. • By clicking the name of the template you want to edit in the Manual Incident Notification Templates list. The Incident and Policy Notification page appears. Fill in the information as described below:

A. Fill in the notification summary 1. Enter a name for the notification template in the Template Name field. 2. Optionally enter a description of this template.

B. Add email details 1. Optionally enter one or more valid email addresses, separated by semi-colons, for both the cc (copy to) and bcc (blind copy to) fields. You can also click the directory icon ( ) to select users from your enterprise’s LDAP database.

Note: The main recipient of this manual notification is system-generated and displayed in the To field.

2. Enter an email subject line heading for this notification.

Chapter 8: Administering Your DLP Installation 263 RSA DLP 9.6 Network User Guide

C. Enter the notification contents 1. Edit the content you want in this manual notification template using the standard text editor tools that are available from the top menu of the message body. Note that you can insert images such as company logos, and can insert links such as company website URLs. You can include the following variables for dynamic elements about the incident to which this notification refers: – %incident_id% - ID of the incident. – %incident_link% - A link to the incident details. – %policy_name% - Name of primary policy violated. – %severity% - The severity of the incident. – %date% - The date on which this incident was generated. 2. Select View Source if you want to edit or view the message in standard HTML.

D. Save the notification

Click Save to save the notification.

Configuring the Notification Email Server

In order to email notification messages, you need to setup a SMTP mail server and specify whether or not it requires authentication.

To view email server settings:

With the Enterprise Manager Admin tab active, click Notifications > Email Server Config.

The Mail Server Configuration page appears. If a mail server has already been configured, its settings are displayed.

264 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

To create or edit a mail-server configuration: 1. With the Mail Server Configuration page open, click Edit. An editable version of the Mail Server Config page appears.

2. Required. Enter a valid SMTP hostname. For example, newton.acme.com 3. Required. Enter a valid SMTP Port number. Default: 25. 4. Required. Enter a From Email Address. This appears in the From field of messages that are automatically generated. This must be a valid email address. 5. If the SMTP mail server requires authentication for access, select the Server requires authentication checkbox and fill in the following fields: – Username. The user name under which Enterprise Manager will access the mail server. –Password and Re-enter Password. The password that Enterprise Manager will use for authentication on the server. 6. Click Save to implement the changes or Cancel to return to the previous window without saving the server configuration settings.

Chapter 8: Administering Your DLP Installation 265 RSA DLP 9.6 Network User Guide

Advanced Administrative Options

The tasks described in this section include application-support functions (accessed through the Support menu under the Admin tab) and a database-management function (accessed through the Settings menu under the Admin tab).

These are the available advanced options: • Purging Events and Incidents • Viewing Audit Records • Viewing and Entering License Keys • Exporting and Importing Configuration Files • Upgrading Downstream Components and Configurations • Importing Reports • Setting Preferences

Purging Events and Incidents

The amount of event and incident information collected and stored by your DLP deployment accumulates over time. Also when your DLP product detects a match to sensitive content, it sends Enterprise Manager an event and the extracted content of the file in which the content match was found. The files can consume a lot of storage over time on the Enterprise Manager machine.

At some point, you may want to free storage space on the Enterprise Manager machine, which stores the associated matched document content and on the Enterprise Manager database machine, which stores incident and event information. You may also want to purge incident and event data that are false positives.

Important: Keep the following in mind: • Create a backup of your database before you purge incidents or events. • A purge cannot be undone. Perform it with extreme caution.

You can perform the following using the Purge Events & Incidents page: • Purge Incidents. Purging incidents also purges associated events and matched content. • Purge Events. Purging events also purges associated matched content. • Purge Unmapped Events. Purging unmapped events also purges associated matched content.

266 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Purge Incidents

You can purge incidents that are not needed.

Note: You cannot start a new purge until the previously started purge is complete.

Before You Begin

You must have appropriate permissions to perform this task.

To purge incidents: 1. In Enterprise Manager, click Admin > Settings > Purge Events & Incidents. The Purge Events & Incidents page appears. 2. Ensure that Incidents is selected. 3. Specify the date range. Select one of the following: – Before this date – Between –All You can either use the calendar icon to select the dates from a pop-up calendar or type in the dates in the mmm dd, yyyy format. For example, Aug 21, 2012.

Note: You cannot purge incidents without selecting a date range.

4. Narrow down the list of incidents to be purged by specifying one or more of the filter options.

Note: If you select multiple filters, only the incidents matching all the selected filters are purged.

To purge incidents – With specific severity levels: Select Severity—Allows you to select one or more of the severity levels such as ignore, low, medium, high, and critical. – Created in specific DLP products: Select Products—Allows you to select one or more of the products you are licensed for, such as Network, Endpoint, and Datacenter.

Note: The partner incidents are part of the network events.

– With a specific status: Select Incident Staus—Allows you to select one or more incident statuses such as open and in progress. – With a specific validity: Select Validity—Allows you to select one or more incident validities such as real issue, non issue, and false positive.

Chapter 8: Administering Your DLP Installation 267 RSA DLP 9.6 Network User Guide

– Created as a result of violating specific policies: Select Policies Matched— Allows you to select one or more policies from the list. – Created by content blade associated with a policy match. Select Content Blades Matched—Allows you to select one or more content blades from the list. – Created by a specific user’s organization: Select Associated User’s Organization—Allows you to select the organization of the user associated with the incidents. – That includes a specific match count range: Select Match Count Range— Allows you to specify the range of match count. 5. Click Start Purge. The purge confirmation dialog appears. 6. Review the confirmation message and click Purge incidents. The incidents are purged permanently.

Purge Events

You can purge events that are not needed.

Note: You cannot start a new purge until the previously started purge is complete. If all the events associated with an incident are purged, the incident is purged automatically.

Before You Begin

You must have appropriate permissions to perform this task.

To purge events: 1. In Enterprise Manager, click Admin > Settings > Purge Events & Incidents. The Purge Events & Incidents page appears. 2. Select Events. Additional purge options are displayed. 3. Ensure that All Events is selected. 4. Ensure that Mapped Events is selected. 5. Specify the date range. Select one of the following: – Before this date – Between –All

268 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

You can either use the calendar icon to select the dates from a pop-up calendar or type in the dates in the mmm dd, yyyy format. For example, Aug 21, 2012.

Note: You cannot purge events without selecting a date range.

6. Narrow down the list of events to be purged by specifying one or more of the filter options.

Note: If you select multiple filters, only the events matching all the selected filters are purged.

To purge events – With specific severity levels: Select Severity—Allows you to select one or more of the severity levels such as ignore, low, medium, high, and critical. – Created in specific DLP products: Select Products—Allows you to select one or more of the products you are licensed for, such as Network, Endpoint, and Datacenter. – Created as a result of violating specific policies: Select Policies Matched— Allows you to select one or more policies from the list. – Created by content blade associated with a policy match. Select Content Blades Matched—Allows you to select one or more content blades from the list. – Created by a specific user’s organization: Select Associated User’s Organization—Allows you to select the organization of the user associated with the events. – That includes a specific match count range: Select Match Count Range— Allows you to specify the range of match count. 7. Click Start Purge. The purge confirmation dialog appears. 8. Review the confirmation message and click Purge mapped events. The events are purged permanently.

Purge Unmapped Events

Unmapped events are events that are not mapped to any incident. Unmapped events are created when a scan fails to complete, for example when a scan is aborted.

You can purge all events that are not mapped to incidents.

Note: You cannot start a new purge until the previously started purge is complete.

Chapter 8: Administering Your DLP Installation 269 RSA DLP 9.6 Network User Guide

Important: Events generated by scans in progress are not yet mapped to incidents. These events are also purged when you purge unmapped events. Therefore, you must purge unmapped events when scans are not in progress.

Before You Begin

You must have appropriate permissions to perform this task.

To purge all unmapped events: 1. In Enterprise Manager, click Admin > Settings > Purge Events & Incidents. The Purge Events & Incidents page appears. 2. Select Events. Additional purge options are displayed. 3. Ensure that All Events is selected. 4. Select Unmapped Events.

Important: This option may delete unmapped events generated by ongoing Datacenter scans, Network, or Endpoint. If you do not want to lose the unmapped events, make sure that no Datacenter scans are running and current date is not included in the filter criteria.

5. Specify the date range. Select one of the following: – Before this date – Between –All You can either use the calendar icon to select the dates from a pop-up calendar or type in the dates in the mmm dd, yyyy format. For example, Aug 21, 2012.

Note: You cannot purge unmapped events without selecting a date range.

6. (Optional) Narrow down the list of unmapped events to be purged by specifying one or more of the filter options.

Note: If you select multiple filters, only the unmapped events matching all the selected filters are purged.

To purge unmapped events – With specific severity levels: Select Severity—Allows you to select one or more of the severity levels such as ignore, low, medium, high, and critical. – Created in specific DLP products: Select Products—Allows you to select one or more of the products you are licensed for, such as Network, Endpoint, and Datacenter.

270 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

– Created as a result of violating specific policies: Select Policies Matched— Allows you to select one or more policies from the list. – Created by content blade associated with a policy match. Select Content Blades Matched—Allows you to select one or more content blades from the list. – Created by a specific user’s organization: Select Associated User’s Organization—Allows you to select the organization of the user associated with the events. – That includes a specific match count range: Select Match Count Range— Allows you to specify the range of match count. 7. Click Start Purge. The purge confirmation dialog appears. 8. Review the confirmation message and click Purge unmapped events. The unmapped events are purged permanently.

Viewing Audit Records

For auditing purposes, Enterprise Manager records change activity in several categories of DLP administration. If you select Admin > Support > Audit Records, you can track the changes that have been made to any of the categories listed below.

Select a category from the Change View drop-down list. The audit log for that category is displayed.

Matched Content Access Logs

At the top of the Audit Records page, the matched content access logs are available for download. The logs track sensitive data viewed by users of Enterprise Manager as they perform tasks while using the program and are available if you select the option (Log access to matched content) during individual policy creation. See “Creating or Editing a Policy” on page 197.

If you select the option during policy set up, Enterprise Manager creates and stores log files available for download. To download the logs, click Download Log. You can save the SensitiveDataAccessLogs.zip file as needed.The logs contain user names, timestamps, and event IDs from when Enterprise Manager users view matched content on incident or event pages, download files from event and incident details pages, or access Quarantine Self Release pages.

Chapter 8: Administering Your DLP Installation 271 RSA DLP 9.6 Network User Guide

Note: The audit categories shown at the bottom of the Audit Records page are a separate function from the Matched Content Access audit logs. However, for the Policy Audit Logs (see “Policy” on page 274), Enterprise Manager records when you select or clear the Log access to match content checkbox for a specific policy on the Policy page. See step 4 under “Creating or Editing a Policy” on page 197.

Additionally, you can export the matched content access information to SIEM. See step 4 under “Creating or Editing a SIEM Configuration” on page 253

Users

This page displays audit records of the creation, deletion, and updating of DLP users.

The following information, in reverse chronological order, is displayed for each update to a DLP user. • The Date on which the user update occurred. • The User that performed the update. • The type of Action that was performed (update, create, or delete) • The Entity that the action was applied to; in this case, the DLP user. • The Enterprise Manager database ID of the DLP user acted upon.

Groups

This page displays audit records of the creation, deletion, and updating of DLP groups.

The following information, in reverse chronological order, is displayed for each update to a DLP group. • The Date on which the group update occurred. • The User that performed the update.

272 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

• The type of Action that was performed (update, create, or delete) • The Entity that the action was applied to; in this case, the DLP group. • The Enterprise Manager database ID of the DLP group acted upon.

Roles

This page displays the audit records of the creation, deletion, and updating of DLP user roles.

The following information, in reverse chronological order, is displayed for each update to a DLP user role. • The Date on which the user role update occurred. • The User that performed the update. • The type of Action that was performed (update, create, or delete) • The Entity that the action was applied to; in this case, the DLP user role. • The Enterprise Manager database ID of the DLP user role acted upon.

Network Controller

This page displays audit records of changes to the configuration of DLP Network devices, including creating, deleting, or modifying the configuration of the Network Controller or any of its managed devices.

The following information, in reverse chronological order, is displayed for each change to the Network Controller or other device’s configuration. • The Date on which the configuration update occurred. • The User that performed the configuration update. • The type of Action that was performed (update, create, or delete) • The Entity that the action was applied to; in this case, the DLP Network device (Controller or managed device). • The Enterprise Manager database ID of the Network device acted upon.

Chapter 8: Administering Your DLP Installation 273 RSA DLP 9.6 Network User Guide

This page displays audit records of all logins to, and logouts from, Enterprise Manager. This also records failed logins.

The following information, in reverse chronological order, is displayed for each change to the Datacenter component’s configuration. • The Date on which the login/logout occurred. • The User that attempted to login/logout. • The type of Action that was performed (login or logout) • The Entity that the action was applied to; in this case, the DLP user that was logged in or out. • The Enterprise Manager database ID of the user that was logging in or out.

Policy

This page displays the audit records of the creation, deletion, and updating of DLP policies as well as audit records of the selection and clearing of the Log access to match content checkbox located on the Policy page. See step 4 under “Creating or Editing a Policy” on page 197.

The following information, in reverse chronological order, is displayed for each modification of a DLP policy. • The Date on which the policy was modified. • The User that modified the policy.

274 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

• The type of Action that was performed (update, create, delete, enable, disable). • The Entity that the action was applied to; in this case, the name of the DLP policy. • The Enterprise Manager database ID of the policy.

Note: For the tracking of the selection and clearing of the Log access to match content checkbox, the message “Disabled log access to match content” or “Enabled log access to matched content” appears in the Action column.

Event

This page displays the audit records of the deletion of DLP events.

The following information, in reverse chronological order, is displayed for each DLP event that is deleted. • The Date on which the configuration update occurred. • The User that performed the configuration update. • The type of Action that was performed—delete or purge. • The Entity that the action was applied to. • The Enterprise Manager database ID of the DLP component acted upon.

Chapter 8: Administering Your DLP Installation 275 RSA DLP 9.6 Network User Guide

Incident

This page displays the audit records of the deletion of DLP incidents.

The following information, in reverse chronological order, is displayed for each DLP incident that is deleted. • The Date on which the configuration update occurred. • The User that performed the configuration update. • The type of Action that was performed—delete or purge. • The Entity that the action was applied to. • The Enterprise Manager database ID of the DLP component acted upon.

Incident Status

This page displays the audit records of the creation, deletion, and updating of the incident statuses.

The following information, in reverse chronological order, is displayed for each modification of the incident statuses. • The Date on which the incident status was modified. • The User that modified the incident status. • The type of Action that was performed (update, create, delete).

276 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

• The Entity that the action was applied to; in this case, the name of the incident status. • The Enterprise Manager database ID of the incident status.

Remediation

This page displays audit records of successful manual remediations.

The following information, in reverse chronological order, is displayed for each DLP incident that is deleted. • The Date on which the remediation occurred. • The User who performed the remediation. • The type of Action (remediation) that was performed. • The Entity that the remediation was applied to, in this case, the name and location of the file that was acted upon. • The Enterprise Manager database ID of the file acted upon.

RMS Template

This page displays audit records of updates to RMS templates.

The following information, in reverse chronological order, is displayed for each RMS Template that is created/activated or deactivated.

Chapter 8: Administering Your DLP Installation 277 RSA DLP 9.6 Network User Guide

• The Date on which the update to the RMS template occurred. • The User that performed the update. • The type of Action that was performed (activate, deactivate, or create) • The Entity that the action applied to. In this case, the name of the RMS template. • The Enterprise Manager database ID of the RMS template.

RMS Server

This page displays audit records of updates to the RMS server.

The following information, in reverse chronological order, is displayed for each update to the RMS server configuration. • The Date on which the configuration update occurred. • The User that performed the configuration update. • The type of Action that was performed (update, or create) • The Entity that the action was applied to; in this case, the URL to the RMS server. • The Enterprise Manager database ID of the RMS server.

Partner Device

This page displays audit records for updates to the partner device configuration in Enterprise Manager.

The following information, in reverse chronological order, is displayed for each update to the partner device configuration. • The Date on which the update occurred. • The User that performed the update. • The type of Action that was performed (create, update, decommission, commission). • The Enterprise Manager database ID of the record.

278 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

• The Entity that the action was applied to; in this case, the partner device name and port.

Partner Device Policy—Change Notification

This page displays audit records of changes to the e-mail addresses set up to receive notification of DLP policy changes for partner devices.

The following information, in reverse chronological order, is displayed for each change to the e-mail notification configuration. • The Date on which the update occurred. • The User that performed the update. • The type of Action that was performed (add, delete). • The Enterprise Manager database ID of the record. • The Entity that the action was applied to; in this case, the name of the partner DLP policy.

Credential

This page displays audit records for the changes to user credentials in DLP.

The following information is displayed in reverse chronological order: • The Date on which the update occurred. • The User that performed the update. • The type of Action that was performed—create, update or delete. • The Enterprise Manager database ID of the record. • The Entity that the action was applied to.

EM CA Certificate

This page displays the audit records for the creation and renewal of the Enterprise Manager CA certificate.

The following information is displayed in reverse chronological order: • The Date on which the update occurred. • The User that performed the update. This field is empty if the action performed is Create. • The type of Action that was performed—create or renew.

Chapter 8: Administering Your DLP Installation 279 RSA DLP 9.6 Network User Guide

• The Enterprise Manager database ID of the record. • The Entity that the action was applied to.

EM Client Certificate

This page displays the audit records for the creation and renewal of the Enterprise Manager client certificate.

Viewing and Entering License Keys

You receive a separate license key for each DLP product that you purchase. You must enter the license keys into Enterprise Manager to make use of the full functionality of RSA DLP.

Note: You can configure DLP components and perform other actions without license information, however you cannot deploy policies until you have entered valid licenses.

To view license information 1. In Enterprise Manager, click the Admin tab. Select Support > Product Licenses from the drop-down menu. The RSA DLP Licenses page appears.

This page displays any current or expired license keys. For each DLP product, you can view this information: –Key Status. Either unlicensed, valid, or expired. – Expiration Date. Either a specific calendar date, unlimited, or 30 day trial.

280 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

–License Key. The license key itself. 2. If you want to submit updated keys, click Enter Keys ( ) in the top or bottom bar. See “To enter license key information,”.

To enter license key information

You may need to enter product key information when you first purchase a DLP product, or when you upgrade to a newer version.

Once you have clicked the Enter Keys ( )icon, the Licenses page opens in an editable format.

1. Enter your Company Name. 2. Enter the new license key in the appropriate text field. 3. In either the top or bottom menu, click Save to save your license key information. The Key Status and Expiration Date fields will automatically update to reflect the license your company has purchased.

Exporting and Importing Configuration Files

Important: Use the export/import features only to move customizations between Enterprise Manager machines running the same DLP release. Exporting and importing between different DLP releases is not supported.

You may need to export and import the configuration files for policy components for various reasons. For example: • For migrating tested customizations. You may want to customize and test policy components on a non-production Enterprise Manager machine and, after the customizations function as you intend, export and then import them onto a production Enterprise Manager machine. • For customer support diagnosis. RSA Customer Support may request that you send them your exported policies that they subsequently import for diagnostic purposes.

You can export the following policy components one at a time:

Chapter 8: Administering Your DLP Installation 281 RSA DLP 9.6 Network User Guide

• Policies. You can choose to export individual policies or all available policies. You can specify that all the components associated with each selected policy (content blades, regular expressions, and dictionaries) are also exported. • Content Blades. You can choose to export individual contents blades or all available content blades. You can specify that all the components associated with each selected custom content blade (regular expressions and dictionaries) are also exported. If you are exporting expert content blades, associated regular expressions and dictionaries are exported by default, but are proprietary and therefore encrypted. • Regular Expressions. You can choose to export individual custom and expert regular expressions or all available regular expressions. • Dictionaries. You can choose to export individual custom and expert dictionaries or all available dictionaries.

To export configuration files

Depending on the type of configuration files that you want to export, do one of the following: • Export Policies • Export Content Blades • Export Regular Expressions • Export Dictionaries

Export Policies 1. In Enterprise Manager, click the Admin > Support > Import/Export Configuration Files. The Import/Export page appears. 2. Click Export Policies. 3. Select the policies that you want to export. Select All Policies or All to select all policies. Select Export all associated components to export all the content blades, regular expressions, and dictionaries associated with the policies you have selected to export. 4. Click Export File. A browser-specific export dialog box appears allowing you to open or save the ZIP file containing the configuration files.

Export Content Blades 1. In Enterprise Manager, click the Admin > Support > Import/Export Configuration Files. The Import/Export page appears.

282 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

2. Click Export Content Blades. 3. Select the custom and expert content blades that you want to export. Select All Content Blades to select all custom and expert content blades. 4. Click Export File. A browser-specific export dialog box appears allowing you to open or save the ZIP file containing the configuration files.

Export Regular Expressions

1. In Enterprise Manager, click the Admin > Support > Import/Export Configuration Files. The Import/Export page appears. 2. Click Export Regular Expressions From Library. 3. Select the custom and expert regular expressions that you want to export. Select All Regular Expressions to select all custom and expert regular expressions. 4. Click Export File. A browser-specific export dialog box appears allowing you to open or save the ZIP file containing the configuration files.

Export Dictionaries 1. In Enterprise Manager, click the Admin > Support > Import/Export Configuration Files. The Import/Export page appears. 2. Click Export Dictionaries. 3. Select the custom and expert dictionaries that you want to export. Select All Dictionaries to select all custom and expert dictionaries. 4. Click Export File. A browser-specific export dialog box appears allowing you to open or save the ZIP file containing the configuration files.

To import configuration files

If you have configuration files you have previously exported, or that have been provided to you by Customer Support, you can import them as follows: 1. In Enterprise Manager, click Admin > Support > Import/Export Config Files. The Import/Export page appears. 2. Click Import Zip File. The Import Configuration File pop-up message appears.

Chapter 8: Administering Your DLP Installation 283 RSA DLP 9.6 Network User Guide

Note: This is only active if the user performing the Import action has the appropriate permissions (at minimum the Create Policy, Create Content Blade, and System Maintenance permissions, see “Managing Roles and Permissions” on page 221 for more details).

3. Click Browse and locate the zip file you want to import. 4. Click Import.

Upgrading Downstream Components and Configurations

Upgrading RSA DLP products to a new release involves software installations and configuration updates. Component software should be upgraded as soon as is practical after you manually upgrade the three primary components of RSA DLP software— Enterprise Manager, Enterprise Coordinator, and Network Controller. Component configurations must be updated after their upgrades are done, and can be done at other times.

You use the Upgrade Manager in Enterprise Manager to perform these tasks. For detailed information about upgrading DLP components, and when and why to use the Upgrade Manager during an upgrade, see the RSA DLP Upgrade Guide.

To upgrade component software

Note: This feature does not appear in Enterprise Manager if Automatically Upgrade Components is selected on the Enterprise Coordinator page. In this case, components are automatically upgraded after an Enterprise Coordinator upgrade. For more information, see “Viewing or Editing the Enterprise Coordinator Configuration” on page 548.

To finish upgrades of DLP Datacenter deployments, you must upgrade the downstream component software after performing an upgrade installation of the Enterprise Coordinator.

284 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

To start deploying the upgraded software:

1. In Enterprise Manager, click the Admin tab, then select Support > Upgrade Manager. The Upgrade Manager appears.

2. In the top of the page, select Datacenter. The Datacenter checkbox does not appear if downstream components of DLP Datacenter are already upgraded to the latest version. 3. Click Request Upgrade. A dialog appears, explaining that the downstream component upgrades will take place over time.

Chapter 8: Administering Your DLP Installation 285 RSA DLP 9.6 Network User Guide

4. Click OK to continue. The Upgrade Requests section displays information about the upgrades.

Important: The appearance of this information means only that the downstream component upgrades have started. It does not mean that the upgrades are complete.

DLP Datacenter components are upgraded when a scan that requires them starts. To verify that the software upgrades are complete after a scan finishes: – Agent-scan groups: Select Admin > Datacenter, click items on the left to display the Agent Groups list, click an agent-scan group name on the left and then its History tab on the right, then click a computer name in the Computer column. The component upgrade is either queued for the next scan or complete when its Last Reported Version column shows the latest software version. – Grid-scan and repository groups: Select Admin > Datacenter, click items on the left to display the Grid Groups or Repository Groups list, click a group name on the left and then its History tab on the right, then click Detail in the Worker Status column in the row with the most recent scan end date and time. The component upgrade is complete when the Last Reported Version column shows the latest software version.

To update component configurations

After you upgrade the software of your downstream components, you must update their configurations to match the configuration of the upgraded Enterprise Manager.

To start deploying updated configuration information from Enterprise Manager to all other DLP components:

1. In Enterprise Manager, click the Admin tab, then select Support > Upgrade Manager. The Upgrade Manager appears. 2. In the middle of the page, select the product configurations to update by selecting Network, Datacenter, or both. Selections displayed depend on the DLP products you have installed.

Note: A message like “Datacenter must be upgraded first” indicates that you must first upgrade the downstream component software of that DLP product before you can update the configurations. For details, see “To upgrade component software” on page 284.

3. Click Publish Configuration. A dialog appears, explaining that the operation will take place over time.

286 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

4. Click OK to continue. The Update Status section displays a status and the date and time when Enterprise Manager started deploying updated configuration information to other components.

Important: A Successfully Updated message in the Status column means only that configuration updates were sent from Enterprise Manager to other components. It does not mean that the updates were completed successfully on the other components.

Wait several minutes before performing additional operations in Enterprise Manager—in particular, avoid changing the configuration and starting scans. This should allow time for configurations to be updated and avoid possible conflicts and problems that may be caused by mismatched configuration information.

Importing Reports

Enterprise Manager includes a set of pre-defined reports; “Working With Reports” on page 81 discusses how to use and edit these reports. The Import Report function allows you to import new RSA DLP report templates as they become available.

Important: This functionality should only be used by RSA DLP support personnel who are familiar with BIRT-designed reports.

RSA DLP reports consist of a SQL statement that accumulates the data that will be displayed on the report, and a BIRT script (.rptdesign file) that is used to generate the report. Both of these are provided by RSA DLP support personnel.

Chapter 8: Administering Your DLP Installation 287 RSA DLP 9.6 Network User Guide

To import a report 1. In Enterprise Manager, click the Admin tab. Select Support > Import Report from the drop-down menu. The Import Report page appears.

2. Fill in the summary information as you would for any other report (you can find more information about these fields in “Editing Reports” on page 111): –Report Name. A name for the report. This must be a unique name that doesn’t already exist. This name appears on the Report List page. – Description. An optional description of the report. – Report Category. Use the pull-down menu to select the report this report belongs in. This is the category in which the report is displayed on the Report List page. 3. File to Import. Enter the name and path to the BIRT report file (.rptdesign) you want to import, or click Browse to navigate to the correct location. This is the BIRT script file that is used to generate the report. 4. SQL Statement. Enter the SQL Statement Name and SQL Statement query that will generate the data to include in the report. For examples of SQL statements, see “SQL Statement Examples” on page 289

288 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

5. Report Data Filters. – Select a Report Type, one of:

Note: An icon corresponding to the report type you select here will be displayed next to this report in the Report Manager. Selecting a report type here does not affect the actual format of the report.

• Pie • Bar • List • Line/Trend. – Select a Date Range, either: • Select a pre-defined date range from the first drop-down menu. All (the default), Today, Yesterday, Last 7 Days, Last 30 Days, Last 3 Months, Last 6 Months, or Last Year. • Type or use the calendars to specify a start date and end date for the range. If you type the date, it should be in the following format: Mon DD, YYYY. For example, May 2, 2007. – Use the checkboxes to select the further filter information that will be displayed in the imported report. For example you can choose to display information based on the SQL statement but further filter that information based on incident status. • Organization. (only available if you have a LDAP server configured). • Product. Filter by DLP product. • Policy. Filter by Policy name. • Severity. Filter by incident severity. • Incident Status. Filter by incident status. See “SQL Statement Examples” on page 289 for examples of how these filters work in conjunction with the SQL statement. 6. Click Save.

SQL Statement Examples

Example 1: select view_event.organization, count(*) from view_incident, view_policy, view_event where view_incident.deleted=’false’ and view_incident.policy_id=view_policy.policy_id and view_event.incident_id=view_incident.incident_id [and date:incident_creation_date], [and string:organization] In this example, the organization filter will look for [and string:organization] in sql. At the runtime this will get replaced with “and view_event.organization=’Marketing’”

Chapter 8: Administering Your DLP Installation 289 RSA DLP 9.6 Network User Guide

and [and date:incident_creation_date] will get replaced with “and view_incident.incident_creation_date=’March 1, 2009’”

Example 2: select view_policy.name, count(*)from view_incident, view_policy, view_event where view_incident.deleted=’false’ and view_incident.policy_id=view_policy.policy_id and view_event.incident_id=view_incident.incident_id [and date:incident_creation_date], [and string:policy] In this example, the policy filter will look for [and string:policy] in sql. At the runtime this will get replaced with “and view_policy.name=’SSN’”

Example 3: select view_incident.type, count(*) from view_incident, view_policy, view_event where view_incident.deleted=’false’ and view_incident.policy_id=view_policy.policy_id and view_event.incident_id=view_incident.incident_id [and date:incident_creation_date], [and string:product] In this example, the product filter will look for [and string:product] in sql. At the runtime this will get replaced with “and view_incident.type=’NETWORK’”

Example 4 select view_incident.status, count(*) from view_incident, view_policy, view_event where view_incident.deleted=’false’ and view_incident.policy_id=view_policy.policy_id and view_event.incident_id=view_incident.incident_id [and date:incident_creation_date], [and string:status] In this example the status filter will look for [and string:status] in sql. At the runtime this will get replaced with “and view_incident.status=’OPEN’”

Example 5 select view_incident.severity, count(*) from view_incident, view_policy, view_event where view_incident.deleted=’false’ and view_incident.policy_id=view_policy.policy_id and view_event.incident_id=view_incident.incident_id [and date:incident_creation_date], [and string:severity] In this example the severity filter will look for [and string:severity] in sql. At the runtime this will get replaced with “and view_incident.severity=’HIGH’”

290 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Setting Preferences

The Preferences page allows you to view and edit global, and DLP product-specific preference settings.

To view preferences

In Enterprise Manager, click the Admin > Settings > Preferences.

The RSA DLP preferences page appears.

To Edit Preferences 1. In Enterprise Manager, click Admin > Settings > Preferences.

Chapter 8: Administering Your DLP Installation 291 RSA DLP 9.6 Network User Guide

The RSA DLP preferences page appears.

2. Enter new values for the following Global Preferences: Policy Content Detection Settings: – Total Fingerprint size limit for Grid groups and Network. The default limit on the total size of fingerprint data that can be downloaded for content analysis from Enterprise Manager to the individual grid-worker machines in a Datacenter grid group or to the Network Controller. The default value is 2000 MB. – Total Fingerprint size limit for Endpoint groups. The default limit on the total size of fingerprint data that can be downloaded for content analysis from Enterprise Manager to the individual endpoint machines in an Endpoint group. The default value is 20 MB. – Total Fingerprint size limit for Datacenter Agent groups. The default limit on the total size of fingerprint data that can be downloaded for content analysis from Enterprise Manager to the individual agent machines in a Datacenter agent group. The default value is 20 MB.

292 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

Note: For DLP Datacenter and DLP Endpoint, you can override these default limits on fingerprint size on the Agent Settings tab of a Datacenter scan group configuration and on the Automatic Content Analysis settings of an Endpoint group respectively.

3. Edit new values for the following Network Preferences: – URL Content Detection Settings: • Detect Content in URLs. Enabling this preference causes HTTP POST (and GET, if a Network sensor has been configured to analyze HTTP GET traffic) transactions including their URLs, to be analyzed and tagged as form data.

Note: To achieve the best results in detecting sensitive form data, RSA recommends that you use a specialized content blade. See “Detection in HTML Form Data and URLs” on page 133 in Chapter 6, “Defining Sensitive Content”.

– Quarantined Email Settings. These settings cover the ability to release emails from quarantine by the senders of those emails. • Enable Quarantined Email Self Release. Enable this option to allow senders of emails that have been quarantined to take action by releasing or discarding the email. Enabling this option automatically enables self release for all DLP Network policies; it can be disabled on a per-policy basis. • Quarantine Expiration. The number of days after which the URL for self release expires. When a user who has self release privileges is notified that one of their messages has been quarantined, they are sent a notification that contains a link to a URL where they can choose the disposition of the message. This URL expires after the number of days selected here.

Note: You can modify the notification that is sent to users who have messages that have been quarantined, see “Managing Notifications and Messages” on page 256 for more details. When this Preferences page is not in edit mode (see “To view preferences” on page 291); there is a link in this Quarantined Emails Settings section that will re-direct you to the Notification List from where you can modify the notification that is sent out.

4. Edit new values for the following Datacenter Preferences: Remediation Settings. Users and Groups are assigned specific remediation rights and permissions (see “Setting Up Groups and Users” on page 235), this preference setting limits what remediation actions are permitted to all users of this instance of DLP Datacenter. – Delete File Options Allowed. This preference setting specifies what kind of delete file action users of this instance of DLP Datacenter can perform. One of:

Chapter 8: Administering Your DLP Installation 293 RSA DLP 9.6 Network User Guide

• Delete - Normal (able to be undone) • Delete - Secure (file cannot be recovered) • Both (the default). 5. Edit the Username Format Preference. Use the dropdown menu to select your preferred format for displaying user names, select one of: • Display Name. • Domain\sAMAccountName (the default). • User Principal Name. • Email Address. 6. Once you have finished editing your preferences, click Save.

294 Chapter 8: Administering Your DLP Installation RSA DLP 9.6 Network User Guide

9 Administering DLP Network

This chapter provides detailed instructions for using Enterprise Manager to administer RSA DLP Network. For a general summary of DLP Network, see “Introduction to DLP Network” on page 22. For an administrative overview, see “Introduction to Administering DLP Network” on page 121.

Topics: • Using the DLP Network Administration Page • Administering the Network Controller • Administering Managed Devices • Viewing Network Statistics • IM Chat Protocol Behavior

Using the DLP Network Administration Page

The DLP Network administration page is the focus for all DLP Network administration using Enterprise Manager. To access the administration page: 1. In Enterprise Manager, click the Admin tab. The Administration Status Overview page appears. 2. Beneath the Admin tab, click Network. The Network administration page (Figure 17) appears.

Chapter 9: Administering DLP Network 295 RSA DLP 9.6 Network User Guide

Figure 17 Network administration page

Network Controller Managed devices

Deployment Tree

The left side of the page is a tree view of the DLP Network deployment—The Network Controller and any managed devices that have been deployed and configured. The Network Controller can be collapsed or expanded to reveal the managed devices it communicates with. The type of device can be identified by its icon: Network Controller: , ICAP Server: , Interceptor: , and Sensor: .

The panel on the right side displays details about the item on the left side that is currently highlighted.

Note: DLP Network components are distributed as pre-loaded appliances, and must be initially configured at the appliance before configuring them in Enterprise Manager. For instructions on how to physically deploy and initially configure Network components, see the RSA DLP Network Deployment Guide.

Viewing Component Information

From the Network administration page, you can view or configure the following Network components:

To view summary Network status

1. Click the Network Controller in the deployment tree. The Network Controller panel appears. 2. Click the Status tab to view Network status. See also “Viewing Network Controller Status” on page 298.

296 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

To view or edit a Network Controller 1. Click the Network Controller in the deployment tree. That Network Controller panel appears. 2. Click the Config tab to view or edit the configuration; see “Viewing or Editing the Network Controller Configuration” on page 300.

To view or edit a managed device

1. If necessary, expand the Network Controller in the deployment tree to display the managed devices it is communicating with.

Note: You can also access a managed device’s page by clicking on its name in its Controller’s status panel. See “Viewing Network Controller Status” on page 298.

2. Click the name of a managed device in the deployment tree. The configuration page for that managed device appears. 3. View or edit the managed device, as described in: – “Administering Sensors” on page 303 – “Administering Interceptors” on page 308 – “Administering ICAP Servers” on page 316

Creating Network Components

To create a new Network Controller 1. Above the deployment tree, click New Network Device, then select New Controller from the drop-down menu. The Network Controller panel appears on the right. 2. Fill in the fields of the panel as described in “Configuring the Network Controller” on page 301.

To create a new Network managed device 1. Above the deployment tree, click New Network Device, then select the appropriate option from the drop-down menu; either New Sensor, New Interceptor, or New ICAP Server. The Configuration panel for that type of device appears on the right. 2. Fill in the fields of the panel as described in: – “Administering Sensors” on page 303 – “Administering Interceptors” on page 308 – “Administering ICAP Servers” on page 316

Chapter 9: Administering DLP Network 297 RSA DLP 9.6 Network User Guide

Administering the Network Controller

You can use the Network Controller panel of the Network administration page to view the overall Network status, to initially configure the Network Controller, and to modify its configuration settings.

Viewing Network Controller Status

When you first access the Network administration page (Figure 17), or if you click the name of the Network Controller in the tree view on the Network administration page and then click the Status tab in the Network Controller panel, the Network status information appears:

Figure 18 Network Controller Status tab

Note: See “Using the DLP Network Administration Page” on page 295 for an explanation of the left side of the Network administration page.

This tab displays summary status information for the Network Controller and all managed devices that have been configured to communicate with it.

For each Network device (Controller and managed devices), you can view the following information: – Device Name. A list of all Network devices (Network Controller plus all managed devices) by name/IP address. You can click on the name or IP address of any device to open the configuration page of that device. – Device Type. The type of the device, either Controller, Sensor, ICAP server, or Interceptor. – Status. The status of each device. The status can be: • Up ( ). This device is up and running.

298 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

• Down ( ). This device is not running. • Warning ( ). This device is running, but one or more of its processes has stopped running. • Details: Click this link to view more details about the status of this device on the Device Status Details page. See “Viewing Network Device Status Details” on page 299 for more details. – Up Since. The date and time this device was last started. –Up Time. The time that has passed since the device was last down. – Software Version. The RSA DLP software version running on this device. – Statistics. Click the View Statistics link to view statistical data about this device. Statistics available for all managed devices, but not the Network Controller. See “Viewing Network Statistics” on page 320 for more details. –Logs. In the Network device row, click the Logs link to download a zip file (NetworkLogs.zip) of the DLP Network logs to your machine. The logs in the zip file include the Network Controller log files (messages-IDNumber.log), possibly a backup-service log file (backup.log), and XML configuration files for the managed devices.

Viewing Network Device Status Details

The Network status page (see “Viewing Network Controller Status” on page 298) provides a high-level status overview of your Network Controller and all managed devices. To find out more details about any item in the list, click on a device name. The Device Status Details page appears.

Note: You can also access this page from the main DLP Status Overview page. See “Viewing DLP Status Overviews” on page 220 for more details.

Chapter 9: Administering DLP Network 299 RSA DLP 9.6 Network User Guide

The Device Status Details page displays the following information: – Process Name. The name of the process. –PID. The process ID. – Status. The status of this process. Either: • Active ( ). This process is running. • Inactive ( ). This process is idle. • Starting. This process is starting up, but not yet active. – Run Level. –CPU %. The percentage of the CPU being used by this process. –Memory (MB). The amount of memory, in MB, that this process is using. – Allocation (MB). The maximum amount of memory, in MB, that this process has been estimated to need. If the actual memory being used exceeds this amount, there may be a problem with this process. –Retry Count. The number of times this process attempted, unsuccessfully, to start. –Start Time. The time and date this process started. • The data on this page is automatically refreshed every ten seconds. • Click the << Back to Previous Page link at the top right of the page to return to the page from where it was launched; either the Network Status Overview (“Viewing Network Controller Status” on page 298) page, or the Administrative Status Overview (“Viewing DLP Status Overviews” on page 220) page.

Viewing or Editing the Network Controller Configuration

Use the Config tab of the Network Controller panel to view or edit the Network Controller Configuration settings, or to configure a new Network Controller.

300 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

Editing the Current Network Controller

From the Network administration page (Figure 17 on page 296), if you click the name of the Network Controller in the tree view, then click the Config tab (the default view) in the Network Controller page, the configuration settings for the Network Controller appear:

1. Note the summary fields (not editable). 2. To delete the Network Controller, click the Delete button at the top or bottom of the panel.

Note: You can only delete a Network Controller if there are no managed devices configured to communicate with it.

3. To edit the configuration settings, click the Edit button, then fill in the fields as described in Configuring the Network Controller, next.

Configuring the Network Controller

You can access the editable state of the Network Controller panel in these ways: • For a new Network Controller: Above the deployment tree on the left side of the Network administration page (Figure 17 on page 296) use the New Network Device drop down menu, and select New Controller. The Network Controller panel appears, with all configuration fields editable. • For an existing Network Controller: Click on the name of the Network Controller in deployment tree on the left side of the Network administration page (Figure 17 on page 296). The configuration panel for the Controller appears. On this panel

Chapter 9: Administering DLP Network 301 RSA DLP 9.6 Network User Guide

with the Config tab active (the default view), if you click the Edit button, the configuration fields become editable.

Note: Only one Network Controller can be configured per instance of Enterprise Manager.

You can enter or change the following settings:

A. Fill in the Summary

If you need to enter or change the Controller name/IP Address, enter the values in these fields: • (Required.) Enter a name or an IP address for the Network Controller in the Controller Name field. The system validates this value. Note that only host names that follow the DNS standard (contain only unaccented letters, digits, and hyphens) are accepted. If necessary, you can create a DNS alias (CNAME) for the host and enter that name here. • (Optional.) Enter a description of the Network Controller in the Description field.

B. Add an override configuration

Network Controller configuration settings are stored in an XML file. You can override any default settings by inserting appropriately formatted, valid XML into the Override Configuration text field under the Config tab.

Important: Use an Override Configuration only under instructions from RSA Technical Support or Professional Services.

302 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

C. Save the Controller settings

• In either the top or bottom toolbar, click Save to save the Network Controller configuration settings. • Click Cancel to return to the (view-only) Network Controller page without saving the changes you have made.

Administering Managed Devices

If you have deployed a new managed device to your network, you need to add it to the Network Controller and Enterprise Manager before you can use it. Follow the instructions in this section.

For instructions on how to physically deploy and initially configure a managed device, see the RSA DLP Network Deployment Guide.

You can use the managed device panels of the Network administration page to view or edit the configuration of Network Sensors, Interceptors, and ICAP Servers.

Administering Sensors

A Sensor is a high-speed network monitor, plus an analysis engine that looks at the network traffic for DLP policy violations.

Before you configure a Sensor you need know if there are any restrictions you want to define, for example, if you want to limit the monitoring of traffic to certain networks. You also need to know if your enterprise uses certain ports for specific protocols.

If you enable system alerts, you need the name or IP address of a downstream SMTP host and one or more email addresses to send alert messages, and an email address where all undeliverable emails can be sent.

Viewing a Sensor

You can view Sensor configuration information in these ways: • Click the Sensor name in the Device Status pane (see “Viewing Network Controller Status” on page 298). • Click the Sensor name in the Deployment Tree (see “Using the DLP Network Administration Page” on page 295). The selected Sensor’s configuration information appears.

Chapter 9: Administering DLP Network 303 RSA DLP 9.6 Network User Guide

From this page you can: – Click Edit to open the configuration form in editable format. Edit the configuration settings in the same manner as when you add a Sensor, see “Configuring a Sensor”, below. – Click Delete. A confirmation dialog appears. Click OK to confirm the deletion, the Sensor is deleted from the Deployment Tree.

Configuring a Sensor

You can access the editable state of the Sensor Configuration page in these ways: • Above the deployment tree on the left side of the Network administration page (Figure 17 on page 296), if you use the drop-down New Network Device menu to create a New Sensor, the Sensor Configuration page appears with all configuration fields editable. • If you are viewing an existing Sensor Configuration page (see “Viewing a Sensor”, previous), click Edit to open the configuration form in an editable format.

You can enter or change the following settings:

A. Fill in the Summary

1. Enter the name or IP address of the Sensor in the Sensor Name or IP field. Required. 2. (Optional) Enter a description for the Sensor in the Description field.

304 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

B. Fill in general settings

1. Choose any of the following restrictions for the Sensor: – Ignore Local Traffic. Ignore the monitoring of traffic between originating networks. – Include HTTP Get Response. Analyze the response of HTTP GET operations. By design, this option enables analysis of response content. URL information is not available in the response, so it is not included in the event information. (Selecting this option will degrade Sensor performance.) 2. In the Origination Networks field, enter list of addresses for the originating networks. Outgoing traffic from these networks is monitored. Enter IP/mask addresses in the format of IPv4: 10.0.0.0/8 or IPv6: 2001:0DB8:0000:0001:0008:0800:200C:417A. Enter lists of addresses separated by commas, semi-colons or new lines. 3. In the Destination Networks field, enter a list of addresses for the destination networks. Destination networks can be left blank; that means traffic going

Chapter 9: Administering DLP Network 305 RSA DLP 9.6 Network User Guide

everywhere except to the origination networks is monitored. See Origination Networks (above) for accepted formats. 4. In the Excludes Networks field, enter one or more address ranges to exclude from monitoring that are sub-networks of defined origination and destination networks. Traffic going to these sub-networks is not monitored. For example, assume that an origination network is 10.0 and that two exclusion sub-networks are defined, 10.8.0 and 10.78.0. All connections from 10.0 are monitored except those from 10.8.0 and 10.78.0. 5. Select Files to Include in the Network Event Details. Select one of the following options to indicate which files to include in the Network Event Details file:

Note: Entries display on the Enterprise Manager Event Details and the Incident Details pages. Each entry is represented by a row in the Component Detail section of the Event and Incident Details pages. Network event entries are not necessarily items that violated any policy, but are files that were transmitted over the network.

– Include all files. All files monitored by the Network sensor are transmitted to the Enterprise Manager. All entries are also included. – Include all individual files and compound files, but only policy-violating subfiles. All individual files and compound files are transmitted to the Enterprise Manager. Only policy-violating subfiles are transmitted. Entries for all individual files and compound files, as well as policy-violating subfiles, are included. This option is the default value. – Include only policy-violating individual files and subfiles. All policy-violating individual files and subfiles are transmitted. Entries for all individual files and compound files, as well as policy-violating subfiles, are included. – None. This option excludes all files containing sensitive content from the Network event file. No sensitive data discovered by the Network sensor while monitoring network traffic that is leaving the network or crossing network boundaries is transmitted to the Enterprise Manager. However, DLP Network does transmit entries for individual files, compound files, and policy-violating subfiles.

Note: You might use this option if the Enterprise Manager and the Network Sensor are located in different countries and your company has policies preventing sensitive content from leaving a country.

6. Use Custom BPF (BSD Packet Filter): DLP Network uses BPF to configure how sensors monitor network traffic. If your sensor definition is complex, and cannot

306 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

be represented using the standard options available in the user interface, check this box to define your own custom BPF. If you check this box, a Custom BPF text box expands where you can enter your custom BPF.

Important: Using a custom BPF overrides any of the General Settings (above) and should be used with caution.

C. Enter protocols 1. Click the Protocols tab. DLP Network monitors the listed ports here for their associated protocols. It attempts to determine the appropriate protocol from the format of the data.

2. Specify the following default protocol behavior: – Monitor All Ports. Check this if you want all ports to be monitored. In most cases this is not necessary because most facilities already limit exposed ports. Using this option may have a detrimental effect on performance.

Note: Selecting Monitor All Ports does not mean that any protocols are monitored. You must specify the protocols to be monitored in the next section of the screen.

–Disable IPSec. Uncheck this box if you want monitoring of IPSec protocols enabled. When disabled (the default), traffic using IPSec protocols is ignored. Enabling this feature may have a detrimental effect on performance.

Note: Monitoring of IPSec protocols only occurs with IPSec unencrypted traffic using IPSec AH protocol or IPSec ESP protocol with NULL encryption.

Chapter 9: Administering DLP Network 307 RSA DLP 9.6 Network User Guide

3. Select the protocols you want to be monitored, and on which ports: If you regularly use a different port than the default ports, such as 8080 for a web server, then use this section of the screen to edit the port and protocol. – Include/Protocol. Select each protocol you want the Sensor to monitor. For each protocol you select, enter the following: • Ports. Enter the port(s) you want the Sensor to monitor for the selected protocol. Ports can be comma separated lists or ranges. Ranges are hyphen separated. You can use an asterisk (*) to specify any port greater or equal to 1024 and can use any to specify any port less than 1024.

Note: If you have previously selected Monitor All Ports (above), all ports are monitored, regardless of the specific port numbers entered here.

• Hard Quota. Optional. Specify a unit measure (KB, MB, or GB) from the drop down menu, and size. If the total amount of data queued in memory for this protocol exceeds this hard quota, then any new session data will be deleted. If no hard quota is specified, and large amounts of data accumulates in memory, system performance can be adversely affect. • Soft Quota. Optional. Specify a unit measure (KB, MB, or GB) from the drop down menu, and size. If the total amount of data queued in memory for this protocol is between the size specified here, and the hard quota number, then intermittent session data is deleted.

D. Save the Sensor

• In either the top or bottom toolbar, click Save to save the Sensor. Your new Sensor is now in the list of devices on the Status page. See “Viewing Network Controller Status” on page 298 for details. (Click Cancel to close the page without saving the Sensor.)

Administering Interceptors

An Interceptor is an in-line content monitoring and blocking component of DLP Network which is installed in line with your email delivery system.

Before you configure an Interceptor you need the names or IP addresses of the email hosts or the domains that are allowed to send email to this Interceptor.

An Interceptor can be configured to be the final delivery system for email to the internet for your enterprise. If this Interceptor is not the final delivery system, then you need the name or IP address of the SMTP smart host to which this Interceptor will deliver the email upon releasing an email for final delivery.

308 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

If you are using policies that call for email encryption, you need the name or IP address of an encryption host, if it is different from the SMTP smart host.

You need an email address where all undeliverable email and delivery error email messages can be sent by Interceptor.

Make sure your downstream MTA (SMTP smart host) and encryption host are configured to accept connections from this Interceptor.

Viewing an Interceptor

You can view Interceptor configuration information in these ways: • Click the Interceptor name in the Device Status pane (see “Viewing Network Controller Status” on page 298). • Click the Interceptor name in the Deployment Tree (see “Using the DLP Network Administration Page” on page 295). The selected Interceptor Configuration page appears.

From this page you can: • Click Edit to open the configuration form in editable format. Edit the configuration settings in the same manner as when you add an Interceptor, see “Configuring an Interceptor”, below. • Click Delete. A confirmation dialog appears. Click OK to confirm the deletion, the Interceptor is deleted from the Deployment Tree.

Configuring an Interceptor

You can access the editable state of the Interceptor Configuration page in these ways: • Above the deployment tree on the left side of the Network administration page (Figure 17 on page 296), if you use the drop-down New Network Device menu to create a New Interceptor, the Interceptor Configuration page appears with all configuration fields editable. • If you are viewing an existing Interceptor Configuration page (see “Viewing an Interceptor”, previous), click Edit to open the configuration form in an editable format.

Chapter 9: Administering DLP Network 309 RSA DLP 9.6 Network User Guide

You can enter or change the following settings:

A. Fill in the Summary

1. Enter the name or the IP address of the Interceptor in the Interceptor Name or IP field. Required. 2. (Optional) Enter a description of the Interceptor in the Description field. 3. Select a Mode. –Active. Select this mode if you plan to actively block or quarantine emails. In this mode, the Interceptor will enforce the policy actions when a violation is detected. – Scan and Tag. In this mode, the Interceptor adds RSA x-headers to all outgoing emails to indicate if DLP Network has inspected the email, what sensitive content the email contains, and what policy action (based on DLP Network policy definition) should be performed. If an encryption gateway is configured and the policy action is determined to be audit and encrypt, the x-header information is added to the outgoing emails and they are then forwarded to the encryption gateway. If an encryption gateway was not configured, or if the policy action is either quarantine or block, information about the intended policy action is added to the x-header and the email is released with the expectation that a downstream server read and act on that x-header information.

Important: If you want to use Scan and Tag mode, you must also enable one or more x-header settings (see “C. Add RSA X-Headers to Outgoing Emails” on page 313). If you do not enable these settings, no x-header information is added to outgoing emails.

• Scan and Tag Mode Settings. Generate DLP Incidents. Select this option if you want DLP Network to generate incidents when this Interceptor detects emails containing sensitive data as defined by DLP policies. DLP Network incidents are not generated in Scan and Tag mode unless this option is selected. With default state Open or Closed. If you have chosen to generate DLP incidents (above), select whether the incidents should be initially Open or Closed (the default).

310 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

B. Fill in General Settings

1. Enter the following information: – Smart Host. If this Interceptor is not the final email delivery system to the internet, specify the SMTP host to which this Interceptor should forward emails. This option is required unless you have selected that emails be delivered Directly to Internet, in which case it is grayed out. – Deliver directly to Internet. Check this if this Interceptor is the endpoint in your email delivery system that must deliver outbound emails to the Internet. If you do not select this, you have to specify a SMTP host to which the Interceptor will send emails. –Relay Domain. Required. Enter a space-separated list of hosts and domains that this Interceptor can relay mails to. For example: rsa.com rsa1.org 10.11.0

Note: This Interceptor will only accept emails these relay domains.

– Admin Alias. Required. Enter a valid email address for a DLP administrator or administrator group to receive messages about the status and state of the Interceptor and DLP Network operations. – Encryption Gateway. Enter the name or IP address of encryption host to which this Interceptor should forward the emails for encryption (if encryption host is different from Smart SMTP Host). This is required if policies have been defined with encryption actions.

Chapter 9: Administering DLP Network 311 RSA DLP 9.6 Network User Guide

–Use TLS. Check this box to enable TLS (Transport Layer Security). When TLS is enabled, the interceptor transmits mail as an encrypted string. (TLS encrypts the transmission, not the email itself.)

Note: Transport Layer Security is a protocol that guarantees privacy and data integrity between client/server applications communicating over the Internet.

– Maximum sizes for message queues. Specify a maximum number of messages allowed in the following queues. Once the maximum is reached, the Interceptor stops accepting new messages and the Administrator is automatically notified via email. • Input queue max size. Default 2000 messages. • Output queue max size. Default 2000 messages. Not valid when the Interceptor sends directly to the internet. • Encrypt queue max size. Default 2000 messages. • Quarantine queue max size. Default 2000 messages. – Queue thresholds. Specify warning and port close and reopen thresholds for automatic actions based on the percentage of the current queue size related to its specified maximum size. • Queue Warning Threshold. When this queue size is reached (85% by default), the Interceptor sends a Warning alert to configured alerting destinations. It sends an Info alert when the queue size falls back below the threshold. • Queue Port Shutdown Threshold. When this queue size is reached (95% by default), the Interceptor shuts down port 25 and sends a Critical alert about the shutdown to configured alerting destinations. • Queue Port Reopen Threshold. When the queue size falls back below this size (80% by default), the Interceptor reopens port 25 and sends an Info alert about the reopen to configured alerting destinations. 2. Select Files to Include in the Network Event Details. Select one of the following options to indicate which files to include in the Network Event Details file:

– Include all files. All files monitored by the Interceptor are transmitted to the Enterprise Manager. All entries are also included.

312 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

– Include all individual files and compound files, but only policy-violating subfiles. All individual files and compound files are transmitted to the Enterprise Manager. Only policy-violating subfiles are transmitted. Entries for all individual files and compound files, as well as policy-violating subfiles, are included. (This option is the default value.) – Include only policy-violating individual files and subfiles. All policy-violating individual files and subfiles are transmitted. Entries for all individual files and compound files, as well as policy-violating subfiles, are included. – None. This option excludes all files containing sensitive content from the Network event file. No sensitive data discovered by the Interceptor while monitoring network traffic that is leaving the network or crossing network boundaries is transmitted to the Enterprise Manager. However, DLP Network does transmit entries for individual files, compound files, and policy-violating subfiles.

Note: You might use this option if the Enterprise Manager and the Interceptor are located in different countries and your company has policies preventing sensitive content from leaving a country.

C. Add RSA X-Headers to Outgoing Emails

In Scan and Tag mode (see “A. Fill in the Summary” on page 310), the Interceptor adds RSA x-headers to all outgoing emails to indicate if DLP Network has inspected the email, the type of sensitive content the email contains, and the policy action that should be performed on the email.

X-header settings are disabled by default. If you specify that the Interceptor operate in Scan and Tag mode, you must also enable one or more of these x-header settings to define the DLP x-headers to add to outgoing emails.

• X-Header Settings. Specify one or more RSA x-headers to insert in message headers to provide details about message processing done on the Interceptor by DLP Network. – Inspected? Select to insert an x-header to indicate whether DLP Network has inspected the email. For example: X-RSA-Inspected: yes – Content Blade. Select to insert an x-header with the name of the content blade that matched sensitive content in the email, as defined by the matched DLP Network policy. For example: X-RSA-Classifications: US Social Security Number (the name of the matched content blade indicates that US Social Security numbers are the matched sensitive content).

Chapter 9: Administering DLP Network 313 RSA DLP 9.6 Network User Guide

– Action Taken. Select to insert an x-header with the policy action that should be performed on the message, as defined by the matched DLP Network policy. For example: X-RSA-Action: encrypt

D. Add Custom X-Headers to Content Analysis

By default, the From, To, Cc, Bcc, Date and Subject email headers are included in content analysis of an email message body. In the Custom X-Headers section, you can specify custom x-headers defined in your email system for the Interceptor to detect.

For example, assume that your existing email system adds a custom x-header to emails to flag and route them to an encryption server using tools outside of DLP Network. You can set up the Interceptor to detect this x-header and perform specific actions based on its detection, such as prevent the creation of a DLP event for a sensitive email that you know will be encrypted, create an event to help you monitor email encryption use, or block a sensitive email that was auto-forwarded.

•Custom X-Headers. Specify up to 10 custom x-headers that are already defined in your email system:

a. Click to add a new blank x-header line. b. Enter the name of the custom x-header that you want to detect. For example: Sensitivity

Set Up a Content Blade to Detect Custom X-Headers

As a separate task after you add custom x-headers to content analysis, you must set up a content blade to match the custom x-headers.

314 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

Add these settings to a content blade to enable detection of custom x-headers: • Search for sensitive data in—Select Body to include email headers in content analysis. • Rule Set: Must Occur—Add a detection rule to match each custom x-header: –Type: Select New Regular Expression. –Value: Enter a regular expression with word boundaries that matches the exact full text string of the x-header and the x-header value you want to detect. (To see how the x-header and the value appear, look at the header of an email that has the flag set and includes the x-header.) For example, to match the custom x-header “Sensitivity” with a value of “company-confidential”: Sensitive: company-confidential You enter this regular expression to match the exact full phrase with word boundaries: \bSensitivity: company-confidential\b

Note: Do not enter a regular expression that simply detects the words such as “Sensitivity” or “company-confidential”, because this may produce many false positives.

E. Fill in Email Subject Line Settings

– Enabled. Check this box if you want to modify the subject lines of intercepted emails. – Replacement position. Specify whether you want text added before (Add prefix) or after (Add suffix) the original subject line. – Policy Action/Added Text. Specify the text (Added Text) you want added for each policy action: • Audit Only. The text you want added for this policy action. For example [AUDIT]. • Encrypt & Audit. The text you want added for this policy action. For example [ENCRYPT]. • Quarantine & Audit. The text you want added for this policy action. For example [QUARANTINE].

Chapter 9: Administering DLP Network 315 RSA DLP 9.6 Network User Guide

F. Save the Interceptor

1. In either the top or bottom toolbar, click Save to save the Interceptor. Your new Interceptor is now in the list of devices on the Status page. See “Viewing Network Controller Status” on page 298 for details. (Click Cancel to close the page without saving the Interceptor.)

Administering ICAP Servers

The ICAP Server monitors and blocks transmissions, preventing sensitive data from leaving the enterprise by way of the HTTP, HTTPS, FTP, protocols. In addition, ICAP can also audit ActiveSync transmissions.

You can also use the ICAP Server in conjunction with your company’s Microsoft Exchange Server to monitor sensitive internal emails.

Note: DLP enforces only audit action for ActiveSync protocol, even if the policy action is set to block, encrypt, or quarantine.

Viewing an ICAP Server

You can view ICAP Server configuration information in these ways: • Click the ICAP Server name in the Device Status pane (see “Viewing Network Controller Status” on page 298). • Click the ICAP Server name in the Deployment Tree (see “Using the DLP Network Administration Page” on page 295).

316 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

The selected ICAP Server Configuration page appears.

From this page you can: • Click Edit to the configuration settings. in the same manner as when you configure an ICAP Server, see “Configuring an ICAP Server”, below. • Click Delete to delete the ICAP Server from the Deployment Tree.

Configuring an ICAP Server

To edit the ICAP server configuration fields:

Use one of the following methods: • To create a new ICAP Server: – Go to Admin > Network > New Network Device > New ICAP Server. The ICAP Server Configuration page appears with all configuration fields available for editing. • To edit an exiting ICAP Server: a. Go to Admin > Network. b. Click the ICAP Server in the Deployment Tree.

Chapter 9: Administering DLP Network 317 RSA DLP 9.6 Network User Guide

c. Click Edit. The ICAP Server Configuration page appears with all configuration fields available for editing. You can enter or change the following settings:

Enter summary information

1. Enter a name or an IP address for the ICAP Server in the ICAP Server Name or IP field. 2. Optional—Enter a description of the ICAP server in the Description field.

Fill in ICAP general settings

1. Enter the amount of time in seconds after which the server is deemed to have timed out in the Server Timeout in Seconds field. 2. Select one of the following as a response Upon Server Timeout: – Fail Open. Select this option if you want to allow transmission after a server timeout. – Fail Closed. Select this option if you want to block transmission after a server timeout. 3. Select the HTTPS Encrypt Policy Action. This is how DLP Network should treat a HTTPS transmission that was in violation of a policy and when the action

318 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

for the policy is Encrypt, as this is not a true violation since it is HTTPS (not HTTP). Select one of the following: – Allow. Let the transmission through without generating any incidents. – Audit. Let the transmission through but generate an incident for monitoring purposes. –Discard. Block the transmission even if it was over HTTPS. 4. Optional. Enable the Transport Layer Security (TLS). This option enables encryption between your company’s Exchange Server, or a web proxy, and the ICAP server. You must perform additional manual steps on the ICAP Server. See the Guide to RSA DLP for Internal E-mail. 5. Optional. Enables exchange server scanning of internal e-mails. This option enables Exchange Server scanning of internal e-mail. You must perform additional manual steps on the ICAP server. See the Guide to RSA DLP for Internal E-mail.

Note: You must select this option if you want to enable Exchange Server scanning of internal e-mail.

6. Select Files to Include in the Network Event Details. Select one of the following options to indicate which files to include in the Network Event Details file:

Note: Entries display on the Enterprise Manager Event Details and the Incident Details pages. Each entry is represented by a row in the Component Detail section of the Event and Incident Detail pages. Network event entries are not necessarily items that violated any policy, but indicates the files were transmitted over the network.

– Include all files. All files monitored by the Network sensor are transmitted to the Enterprise Manager. All entries are included as well. – Include all individual files and compound files, but only policy-violating subfiles. All individual files and compound files are transmitted to the Enterprise Manager. Only policy-violating subfiles are transmitted. Entries for all individual files and compound files, as well as policy-violating subfiles, are included. This option is the default value. – Include only policy-violating individual files and subfiles. All policy-violating individual files and subfiles are transmitted. Entries for all individual files and compound files, as well as policy-violating subfiles, are included. – None.

Chapter 9: Administering DLP Network 319 RSA DLP 9.6 Network User Guide

This option excludes all files containing sensitive content from the Network event file. No sensitive data discovered by the Network sensor while monitoring network traffic that is leaving the network or crossing network boundaries is transmitted to the Enterprise Manager. However, DLP Network does transmit entries for individual files, compound files, and policy-violating subfiles.

Note: You might use this option if the Enterprise Manager and the Network Sensor are located in different countries and your company has policies preventing sensitive content from leaving a country.

7. Username Pattern (Regular Expression): The proxy server passes the username information to the ICAP server in a special header. Each proxy server sends this information in their own format. The regular expression helps ICAP server in understanding the username information that the proxy server provides. The default regular expression would work in most of the setups but you can customize the regular expression based on your requirements.

Note: To ensure that correct Regular Expression is created, consult RSA Technical Support or Professional Services.

8. Base64 Encoded Proxy Auth Info: The value conveys to the ICAP server that whether the username received by it is base64 encoded or not. The default value set is Yes. 9. Domain Mappings: This option helps to translate the username received from the proxy server to a form which can used to search the LDAP username. For example, corp\user is translated to [email protected]. This is necessary because the authentication information received by the ICAP server from the proxy server most of the times does not contain FQDN.

Save the ICAP Server

• In either the top or bottom toolbar, click Save to save the ICAP server. Your new server is now in the list of devices on the Status page. See “Viewing Network Controller Status” on page 298 for details.

Viewing Network Statistics

Enterprise Manager produces graphical representations of statistical information for all DLP Network devices except the Network Controller. These statistics can be used to understand and monitor the flow of traffic through each managed device to determine whether the devices are properly configured and are receiving traffic as expected.

320 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

Once a device has been determined to be properly configured and a baseline of activity has been established, the DLP administrator can use the statistics on performance, traffic, and other factors to adjust the system configuration for optimum performance.

Network device statistics can be accessed from either the Status Overview (see “Viewing DLP Status Overviews” on page 220) page or from the Network Controller Status (see “Viewing Network Controller Status” on page 298) page.

Viewing Network ICAP Server Statistics

To view Network ICAP Server device statistics go to the DLP Status Overview page (see “Viewing DLP Status Overviews” on page 220) or the Network Controller Status page (see “Viewing Network Controller Status” on page 298) and click the View Statistics link adjacent to the ICAP Server device in which you are interested. The Network Device Statistics page for that ICAP Server appears.

Working with the ICAP Server Statistics Page

The upper portion of the Network Device Statistics page displays the following information: • Device Name. The name of the device. Click the name to open the configuration page for that device (see “Administering Managed Devices” on page 303 for more details). • Device Type. The type of managed device, either ICAP server, Interceptor, or Sensor. •Last Refresh. The Device Statistics page does not refresh automatically. The Last Refresh time displays the last time the user refreshed the browser window or changed the Time Range causing the page to reload. • << Back to Status Home Click this link to close the statistics page and return to the DLP Status Overview page.

Additionally, you can perform the following tasks from this page:

Changing the Time Range • Use the dropdown menu to select a different time range, the options are:

Chapter 9: Administering DLP Network 321 RSA DLP 9.6 Network User Guide

Last hour (default), Last 24 hours, Last 7 days, Last 30 days, Last 1 year The graphs for this device update to reflect statistics for the new time range.

Clearing Statistics 1. Click the Clear Device Statistics ( ) button at the top of the page. A confirmation dialog appears. 2. Click OK to clear this device’s statistics; Cancel to cancel the operation. All statistical data for this device is cleared.

Exporting Statistical Data • Click the Export as XML ( ) button at the top of the page to export this device’s statistical data in XML format. A browser-specific export dialog appears allowing you to specify where to save this .xml file.

Viewing the Sessions (by Protocol) Chart

This bar chart displays the total number of HTTP, HTTPS, FTP, or DLP for Exchange ActiveSync sessions per second that were processed by this ICAP server over the time range specified.

Note: Each data point in the chart reflects the average value received over a five minute period.

The following units of measure are used in this chart. • G (Giga), K (Kilo), M (Mega), m (milli), u (micro), NaN (no value available)

322 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

Note: A zero value is a valid value that was received from the device, a NaN value means that no value was available.

Any gaps in between bars in the chart indicate that either no data was being received, or that this device was reset during that time period.

The table below the chart provides summary information about the statistics per protocol, and in total. These Min/Max/Average and Current numbers are in relation to the time range of the chart, for example, the average session per second over the selected time range.

Viewing Network Sensor Statistics

To view Network Sensor device statistics, go to either the DLP Status Overview page (see “Viewing DLP Status Overviews” on page 220) or the Network Controller Status page (see “Viewing Network Controller Status” on page 298) and click the View Statistics link adjacent to the Sensor device in which you are interested. The Network Device Statistics page for that sensor appears.

Working with the Sensor Statistics Page

The upper portion of the Network Device Statistics page displays the following information: • Device Name. The name of the device. Click the name to open the configuration page for that device (see“Administering Managed Devices” on page 303 for more details). • Device Type. The type of managed device, either ICAP server, Interceptor, or Sensor. •Last Refresh. The Device Statistics page does not refresh automatically. The Last Refresh time displays the last time the user refreshed the browser window or changed the Time Range causing the page to reload. • << Back to Status Home Click this link to close the statistics page and return to the DLP Status Overview page.

Additionally, you can perform the following tasks from this page:

Chapter 9: Administering DLP Network 323 RSA DLP 9.6 Network User Guide

Changing the Time Range • Use the dropdown menu to select a different time range, the options are: Last hour (default), Last 24 hours, Last 7 days, Last 30 days, Last 1 year The graphs for this device update to reflect statistics for the new time range.

Viewing the Sensor Traffic Chart

This bar chart displays the total number bits per second that are being processed through this sensor over the time range specified.

Note: Each data point in the chart reflects the average value received over a five minute period.

The following units of measure are used in this chart. • G (Giga), K (Kilo), M (Mega), m (milli), u (micro), NaN (no value available)

324 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

Note: A zero value is a valid value that was received from the device, a NaN value means that no value was available.

The bandwidth data is displayed as either: •Throughput. Data displayed in green represents all traffic being monitored by this sensor. • Sampling Mode On. Data displayed in yellow indicates that Sampling Mode is enabled. When a sensor is dealing with very heavy loads of traffic it goes into sampling mode where, for performance purposes, it only monitors representative portions of network traffic.

Any gaps in between bars in the chart indicate that either no data was being received, or that this device was reset during that time period.

The table below the chart provides summary information about the bits per second flow. These Min/Max/Average and Current numbers are in relation to the time range of the chart, for example, the average session per second over the selected time range.

Viewing the Sensor Sessions (by Protocol) Chart

This bar chart displays the total number of sessions per second, categorized by protocol, that are being processed through this sensor over the time range specified.

Note: Each data point in the chart reflects the average value received over a five minute period.

Chapter 9: Administering DLP Network 325 RSA DLP 9.6 Network User Guide

The following units of measure are used in this chart. • G (Giga), K (Kilo), M (Mega), m (milli), u (micro), NaN (no value available)

Note: A zero value is a valid value that was received from the device, a NaN value means that no value was available.

Any gaps in between bars in the chart indicate that either no data was being received, or that this device was reset during that time period.

The table below the chart provides summary information about the sessions per protocol being processed by this sensor. These Min/Max/Average and Current numbers are in relation to the time range of the chart, for example, the average session per second over the selected time range.

Viewing the Unprocessed Queue Size (by Protocol) Chart

This bar chart displays the number of inbound sessions waiting to be processed by this sensor, by protocol, over the time range specified.

Note: Each data point in the chart reflects the average value received over a five minute period.

The following units of measure are used in this chart. • G (Giga), K (Kilo), M (Mega), m (milli), u (micro), NaN (no value available)

326 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

Note: A zero value is a valid value that was received from the device, a NaN value means that no value was available.

Any gaps in between bars in the chart indicate that either no data was being received, or that this device was reset during that time period.

Viewing Network Interceptor Statistics

To view Network Interceptor device statistics, either the DLP Status Overview page (see “Viewing DLP Status Overviews” on page 220) or the Network Controller Status page (see “Viewing Network Controller Status” on page 298) and click the View Statistics link adjacent to the Interceptor device in which you are interested. The Network Device Statistics page for that Interceptor appears.

Working with the Interceptor Statistics Page

The upper portion of the Network Device Statistics page displays the following information: • Device Name. The name of the device. Click the name to open the configuration page for that device (see“Administering Managed Devices” on page 303 for more details). • Device Type. The type of managed device, either ICAP server, Interceptor, or Sensor. •Last Refresh. The Device Statistics page does not refresh automatically. The Last Refresh time displays the last time the user refreshed the browser window or changed the Time Range causing the page to reload. • << Back to Status Home Click this link to close the statistics page and return to the DLP Status Overview page.

Additionally, you can perform the following tasks from this page:

Chapter 9: Administering DLP Network 327 RSA DLP 9.6 Network User Guide

Viewing the Interceptor Message Processing Chart

This bar chart displays how many emails have been processed by this interceptor over the specified time range. The information is categorized as follows: • The total number of emails that have been sent to this interceptor. • The total number of emails that have been sent from this interceptor. (These are shown on the negative axis.) • The total number of emails that have been blocked by this interceptor. • The total number of emails that have been encrypted by this interceptor.

328 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

• The total number of emails that have been quarantined by this interceptor.

Note: Each data point in the chart reflects the average value received over a five minute period.

The following units of measure are used in this chart. • G (Giga), K (Kilo), M (Mega), m (milli), u (micro), NaN (no value available)

Note: A zero value is a valid value that was received from the device, a NaN value means that no value was available.

Any gaps in between bars in the chart indicate that either no data was being received, or that this device was reset during that time period.

Viewing the Interceptor Mail Queues Chart

This bar chart displays the following information about this interceptor over the specified time range: • The total number of emails in this interceptor’s in-queue. • The total number of emails in this inteceptor’s out-queue. • The total number of emails in this inteceptor’s quarantine-queue. • The total number of emails in this inteceptor’s encryption-queue.

Chapter 9: Administering DLP Network 329 RSA DLP 9.6 Network User Guide

Note: Each data point in the chart reflects the actual size of each individual mail queue on the interceptor at a given point in time.

The following units of measure are used in this chart. • G (Giga), K (Kilo), M (Mega), m (milli), u (micro), NaN (no value available)

Note: A zero value is a valid value that was received from the device, a NaN value means that no value was available.

Any gaps in between bars in the chart indicate that either no data was being received, or that this device was reset during that time period.

Blank Statistics Pages

There are some circumstances when you will see a blank statistics page:

Examples of when this blank statistics page is displayed are: • When you are trying to see statistics for a non-supported device. If a device is running DLP Network version earlier than 7.6, Enterprise Manager displays a Not Supported message in the Status Overview page. However, if the device is down, Enterprise Manager is unable to confirm what software version that device is running, and therefore displays the View Statistics link. Clicking that link in this circumstance will launch a blank statistics page.

330 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

• When you attempting to view statistics immediately after configuring a device. The frequency with which Enterprise Manager receives statistics is five minutes, so attempting to view statistics within five minutes of configuring a device result in blank statistics page. • Attempting to view statistics immediately after clearing statistics for a device. The frequency with which Enterprise Manager receives statistics is five minutes, so attempting to view statistics within five minutes of clearing statistics will result in a blank statistics page.

Secure Communication Among DLP Network Devices

Certificates control secure SSL communication among Enterprise Manager, the Network Controller, and Network appliances—Sensors, Interceptors, and ICAP Servers.

During initial DLP Network setup and after some changes to the machine configuration of a Network component host, certificates are automatically generated or regenerated and shared among the DLP host machines. Over time and in some situations, the certificates expire or become invalid and must be regenerated.

These changes to the machine configuration of a Network component host require no manual certificate regeneration: • IP address or hostname change • Network configuration change from static IP to DHCP or from DHCP to static IP A Network host machine must be removed from the DLP Network configuration in Enterprise Manager before a machine configuration change, and then re-added to the configuration in Enterprise Manager after the change. The remove and add operations automatically regenerate and share a new certificate for the changed Network host.

These changes on a Network host machine invalidate an existing certificate and require certificate regeneration on the changed machine: • Certificate expiration • Resetting the time on the machine

For instructions on how to regenerate certificates on DLP Network host machines, see the RSA DLP Maintenance Guide.

IM Chat Protocol Behavior

This section lists differences in the behavior of different chat protocols that you may need to take into consideration when DLP Network is auditing chat protocol traffic.

Chapter 9: Administering DLP Network 331 RSA DLP 9.6 Network User Guide

Note: DLP Network cannot audit chat protocols that use TLS encryption such as Google Talk (post beta versions) and AOL Instant Messaging (AIM) 6.8.

MSN Windows Messenger

Table 6 MSN Windows Messenger protocol

Chat room Behavior Chat (user to user) FTP (file transfer) (multiple users)

Incident Generated 1. When first user closes When the file transfer is 1. When first user closes their chat window. complete. their chat window. 2. After 5 minutes of 2. After 5 minutes of inactivity between inactivity between users. users.

Testing Considerations Users on the same Transfers between local See notes for Chat (user to network may generate users may go peer-to-peer user). two separate incidents, which means this traffic one for each side of the would not be analyzed by conversation. DLP Network.

Peer-to-peer or All chat room messages May go peer-to-peer All chat room messages proxy-based? go through MSN server. when the two nodes are in go through MSN server. the same network where no firewall is between them to prevent the peer-to-peer connection.

Session Behavior Each user-to-user session File transfer is done in See notes for Chat (user to is an aggregation of many one TCP session. user). small TCP sessions.

Third Party Clients No special considerations No special considerations No special considerations (Trillian or Pidgin) for MSN with 3rd party for MSN with 3rd party for MSN with 3rd party clients. clients. clients.

Web Based Chat Not supported. Not supported. Not supported.

332 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

Yahoo! Instant Messaging

Note: RSA DLP Network supports the Conference feature of Yahoo Messenger, but does not support Yahoo Messenger public chat rooms.

Table 7 Yahoo! Instant Messaging protocol

Conference Behavior Chat (user to user) FTP (file transfer) (multiple users)

Incident Generated When first user signs off. As soon as the file After all users have transfer is complete. signed off.

Testing Considerations Local Sessions may go Transfers between local See notes for Chat (user peer-to-peer. For Proxied users may go peer-to-peer to user). sessions, DLP Network which means this traffic analyzes the session after would not be analyzed by the first user has signed DLP Network. off. If both users remained signed on for an extended amount of time such as hours or days, the session analysis will not happen until one user signs off.

Peer-to-peer or The chat messages may The file transfer message The conference message proxy-based? try to go peer to peer first. may try to go peer to peer always go through Yahoo If the peer-to-peer first. If the peer-to-peer proxy server. connection fails it will go connection fails it will go through the Yahoo! proxy through the Yahoo proxy server. server.

Session Behavior Chat sessions between File transfers are done in See note for Chat (user to users take place in one one TCP Session. user) long TCP session. In some cases the first chat message and all of the following chat messages are spread in two different TCP sessions.

Third Party Clients No special considerations No special considerations No special considerations (Trillian or Pidgin) for Yahoo IM with 3rd for Yahoo IM with 3rd for Yahoo IM with 3rd party clients. party clients. party clients.

Web Based Chat Not supported. Not supported. Not supported.

Chapter 9: Administering DLP Network 333 RSA DLP 9.6 Network User Guide

334 Chapter 9: Administering DLP Network RSA DLP 9.6 Network User Guide

10 Monitoring Sensitive Content in Webmail

• Overview • Monitoring Webmail • Email Notification • Configure Sender Email Notification • Replacement Templates • Webmail Sender Notification-Supported Email Clients • Browsers Supported

The DLP Network ICAP Server allows your company to monitor sensitive content sent in webmail.

Overview

To monitor sensitive content in webmail with RSA DLP Network, you need to install the ICAP Server.

The DLP Network ICAP Server is one of the devices available as part of the DLP Network configuration. The ICAP Server allows the monitoring and blocking of transmissions, preventing sensitive data from leaving the enterprise by way of requests, and responses to HTTP, HTTPS, or FTP protocols.

If webmail containing sensitive content is sent and the policy action is set to block or audit, DLP sends automatic notification to the email sender to provide DLP policy violation information.

Chapter 10: Monitoring Sensitive Content in Webmail 335 RSA DLP 9.6 Network User Guide

Monitoring Webmail

To monitor webmail and set up automatic notification, perform the following tasks: 1. Install and setup the ICAP Server. See the RSA DLP 9.6 Network Deployment Guide for instructions. 2. Configure Sender Email Notification. 3. Configure Replacement Templates.

See Also • Email Notification • Webmail Sender Notification-Supported Email Clients • Browsers Supported

Email Notification

In DLP, both the sender and the receiver of an email containing sensitive content can be notified that the email was transmitted.

DLP Network displays messages in lieu of blocked or discarded webmail transmissions and sends email when a transmission’s quarantine status changes.

If webmail containing sensitive content is sent and the policy action is set to block and audit, the sensitive content in the body, subject, and attachments is replaced by a modified email sent from DLP.

336 Chapter 10: Monitoring Sensitive Content in Webmail RSA DLP 9.6 Network User Guide

Configure Sender Email Notification

You can configure the notification to send email to the sender’s webmail address, when possible, and the corporate email address when it is configured with LDAP and IP Mapper or BlueCoat/Squid-authenticated user setup.

Corporate Email

Enable notification to be sent to the sender’s email corporate email address.

Procedure 1. Access the Enterprise Manager console. 2. Select Policy > specific Policy > Notification Rules. 3. Select the Notify sender (if known) checkbox.

Webmail Email

Enable notification to be sent to the sender’s webmail address.

Procedure 1. Log on to the Enterprise Manager machine. 2. Navigate to Policies > Network 3. Under Network tab, scroll to Notfication Rules section. 4. Check the Notify sender by email at: checkbox. 5. Select Webmail address from the Notify sender by email at: drop down list. 6. Check the Notify sender’s manager check box, if you want to notify sender’s manager.

Chapter 10: Monitoring Sensitive Content in Webmail 337 RSA DLP 9.6 Network User Guide

Replacement Templates

You can configure the replacement templates that replace sensitive content for the email recipient and sender.

Email Recipient

The email recipient receives notification based on a default replacement template set in the nwsystemconfig.xml file. You can change the template by modifying the file located on the ICAP Server. • the subjectreplacetemplate is used to replace the subject. The default replacement for webmail subject lines that contain sensitive content is: ***Email Blocked - Contained Sensitive Information*** • the filereplacetemplate is used to replace the filename of the attachment containing sensitive content The default file replacement template is: _BLOCKED_BY_RSA.html To change the replacement template used for the body or attachment, use the Network ICAP Replace Message Template accessed from Enterprise Manager.

Modify the Recipient Subject or Attachment Filename Template

Change the default replacementsubject template or filereplacement template from the ICAP Server.

Procedure 1. Access the ICAP Server. 2. Change directory to /opt/tablus/config/ 3. Open the nwsystemconfig.xml file. 4. Search for or . 5. Make your edits. 6. Save the file. 7. Restart the ICAP Server using the following command: moncmd restart icapserver

338 Chapter 10: Monitoring Sensitive Content in Webmail RSA DLP 9.6 Network User Guide

Modify the Email Body or Attachment Replacement Template

See Viewing or Customizing a Network Message.

Email Sender

The email sender receives notification based on the Network Incident Generation - Notify Sender template. You can modify this template using Enterprise Manager.

See Also Viewing or Customizing an Email Notification Template

Webmail Sender Notification-Supported Email Clients

Sender notification is supported in the following ways for the listed webmail clients.

Sensitive Data in Body Sensitive Data in Sensitive Data in Body Webmail Content Attachment and Attachment

AOL v1 Supported Supported Supported

AOL v2 Supported Supported Supported

Gmail v1 Supported when chat is Supported when chat is Supported when chat is enabled. enabled. enabled.

Gmail v2 Supported when chat is Supported when chat is Supported when chat is enabled. enabled. enabled.

Yahoo v2 Supported Not supported Supported

Livemail Supported Not supported Supported

Browsers Supported

Automatic notification is supported for webmail accessed on Chrome, Firefox, and Internet Explorer browsers including Microsoft Silverlight and Adobe Flash plugins.

Chapter 10: Monitoring Sensitive Content in Webmail 339 RSA DLP 9.6 Network User Guide

340 Chapter 10: Monitoring Sensitive Content in Webmail RSA DLP 9.6 Network User Guide

11 Managing RSA DLP on Partner Devices

Partners can use the RSA DLP SDK toolkit to add RSA DLP features to a device. Interoperability components of the toolkit allow the device to connect to and turn over DLP control to Enterprise Manager.

This chapter describes how Enterprise Manager works with a partner device that implements Interoperability components of the RSA DLP SDK toolkit. For information about setting up Enterprise Manager to manage DLP for a partner device, see the technical note Managing Partner Device DLP with Enterprise Manager.

Topics: • Managing Partner Devices in Enterprise Manager • Managing DLP Policies for a Partner Device • Managing Events and Incidents for a Partner Device

Managing Partner Devices in Enterprise Manager

A partner device is a third-party product that includes built-in RSA DLP features. A device that incorporates Interoperability components of the RSA DLP SDK toolkit can turn over control of its DLP features to Enterprise Manager. Administrators and users may then use Enterprise Manager to control DLP policies used by and events and incidents detected by the device.

To transfer DLP feature control from a partner device to Enterprise Manager, you define the location of the device to Enterprise Manager and import and enable existing DLP policies on the device in Enterprise Manager. These actions provide the foundation for Enterprise Manager to take control of DLP features for the device.

After a device comes under Enterprise Manager control, most of the operations that Enterprise Manager can perform are applicable to the device. Because the device sends its detected events and incidents to Enterprise Manager, you can view and work with them in the same ways that you work with events and incidents detected by the RSA DLP products. You can also use any RSA DLP policy template available in Enterprise Manager to create DLP policies for the device.

Chapter 11: Managing RSA DLP on Partner Devices 341 RSA DLP 9.6 Network User Guide

Managing Existing Partner Devices

You use the Partner Devices page to view, edit, and add information about a partner device for DLP feature management.

To access the Partner Devices page

To access the Partner Devices page, click the Admin tab, and then select Partners in the menu near the top of the page. The page (Figure 19) appears with a list of all defined partner devices.

Figure 19 Partner Devices Page

342 Chapter 11: Managing RSA DLP on Partner Devices RSA DLP 9.6 Network User Guide

To view detailed information about a partner device

You can view detailed information for any partner device listed on the Partner Devices page. • On the Partner Devices page, click the name of the device that you want to view. The Edit Device page appears.

The page shows the device’s location—its host name or IP address and associated port—and other details provided to Enterprise Manager by the device.

To edit partner device details

Important: You can edit device details through Enterprise Manager only if allowed by the partner device implementation.

You can change the location of a partner device (its host name or IP address and port), its name, and its description in Enterprise Manager.

For detailed instructions, see “Editing Partner Device Details” on page 346.

Chapter 11: Managing RSA DLP on Partner Devices 343 RSA DLP 9.6 Network User Guide

To add a partner device to Enterprise Manager

You must add a partner device to Enterprise Manager before you set up Enterprise Manager to control DLP features for the device.

For detailed instructions, see “Adding a Partner Device to Enterprise Manager” on page 345.

To decommission a partner device

You decommission a partner device to stop communication between it and Enterprise Manager. The device continues to detect events, but does not send them to Enterprise Manager and does not receive new or updated policies from Enterprise Manager.

To decommission a partner device: 1. On the Partner Devices page, check the box near the name of the device that you want to decommission.

2. Near the top of the page, click Decommission Selected Devices. 3. Click OK to confirm that you want the selected devices decommissioned.

To commission a partner device

You commission a partner device to start or restart communication between it and Enterprise Manager. The device resumes sending events to Enterprise Manager and receiving new and updated policies from Enterprise Manager.

To commission a partner device: 1. On the Partner Devices page, find the device that you want to commission.

2. On the device line, click the Decommissioned status, and select Commission from the drop-down list.

344 Chapter 11: Managing RSA DLP on Partner Devices RSA DLP 9.6 Network User Guide

Adding a Partner Device to Enterprise Manager

Note: Some partner devices do not support this operation. Instead, they contact Enterprise Manager and are added automatically to the list of partner devices. To determine if a device adds itself in this way to Enterprise Manager, see the partner device documentation.

When you add a partner device to Enterprise Manager, you define its location, name, and description. By default, the device is added in a decommissioned state. You must commission the device in Enterprise Manager to start communication between it and Enterprise Manager.

To add a partner device to Enterprise Manager: 1. Near the top of the Partner Devices page, click Add Device. The Add Device page appears.

2. Enter the location of the device—its host name or IP address and a port number for Enterprise Manager to use to communicate with the device. 3. Click Verify to confirm that Enterprise Manager can contact the device. A successful connection returns information that the partner device is configured to send to Enterprise Manager and displays it on the bottom of the page.

Note: Depending on its SDK implementation, a device may send any of these details to Enterprise Manager: Product and vendor name, SDK version, status interval, last time the device was reachable, and event queue size.

4. Enter a name and optional description for the device. 5. Click Save. The Partner Devices page appears and the device list includes the newly added device.

Chapter 11: Managing RSA DLP on Partner Devices 345 RSA DLP 9.6 Network User Guide

Editing Partner Device Details

You edit the definition of a partner device in Enterprise Manager to change its location if the device moves to a different machine, and to change its name or description.

Note: You can edit additional device details through Enterprise Manager only if allowed by the partner device implementation. More editable fields appear on the page if more details can be changed.

To modify the location or description of a partner device in Enterprise Manager: 1. On the Partner Devices page, click the name of the device that you want to modify. The Edit Device page appears.

2. To modify the device location, change its host name or IP address and the port number on the device to use for Enterprise Manager contact. 3. Click Verify to confirm that Enterprise Manager can contact the device at the new location. If not, correct the location information. 4. To modify the description, change the text description as desired. 5. Click Save.

346 Chapter 11: Managing RSA DLP on Partner Devices RSA DLP 9.6 Network User Guide

Managing DLP Policies for a Partner Device

If DLP policies are already in use on a partner device, you can import the partner DLP policies into Enterprise Manager to transfer their management to Enterprise Manager. To complete the management transfer to Enterprise Manager, each imported policy must be mapped to an RSA DLP policy that is enabled in Enterprise Manager.

Importing Existing DLP Policies from a Partner Device

You import existing DLP policies from a partner device to Enterprise Manager to allow Enterprise Manager to take over DLP policy management for the device.

Note: Before importing policies, you export them from the partner device console and move the exported policies to a location accessible by Enterprise Manager. For how to export DLP policies from the partner console, see the partner documentation.

1. Navigate to Policies > Policies > Import Partner Policy. The Import Partner Policy page appears.

2. Click Browse, and find and select the zip file containing the DLP policies to import. 3. Click Import Configuration. 4. If any names of partner DLP policies to be imported are the same as DLP policies in use in Enterprise Manager, Enterprise Manager suspends the import operation and asks how to resolve the name conflicts.

Chapter 11: Managing RSA DLP on Partner Devices 347 RSA DLP 9.6 Network User Guide

5. Select one of these options to resolve policy name conflicts: – To resolve all name conflicts in the same way, click Rename All, Overwrite All, or Skip All to perform the selected action. – To resolve name conflicts individually, select one resolution for each listed conflict: • Rename this policy (“Imported” will be suffixed) — Import the policy and append the string _Importedcurrent_date_time to its name. • Overwrite the existing policy — Import the policy and overwrite the existing policy and its dependencies. • Skip importing this policy — Do not import the policy. 6. Click Continue Import.

The import process unbundles the partner DLP policies into Enterprise Manager. Any partner DLP policy that matches an RSA DLP policy (as calculated by hash values) is automatically mapped to the RSA DLP policy. The import process also adds all imported policies to the Policy Manager page in a disabled state—you must manually enable the imported policies.

Enabling an Imported Policy for a Partner Device

Imported policies are available to enable in Enterprise Manager only if their associated partner device is in a Commissioned state. For information on how to commission a partner device, see “To commission a partner device” on page 344.

An imported partner DLP policy that matches an existing RSA DLP policy in Enterprise Manager is automatically mapped to the RSA DLP policy during the import process. To active an automatically mapped policy, you need only enable the policy in Enterprise Manager.

If the imported partner policy had no match and was not mapped, you must manually map the imported partner policy to an RSA DLP policy, select at least one remediation action for the policy, and enable the mapped RSA DLP policy in Enterprise Manager.

Note: Any policy template available in Enterprise Manager can be used as the starting point for an RSA DLP policy to map to an imported partner policy.

348 Chapter 11: Managing RSA DLP on Partner Devices RSA DLP 9.6 Network User Guide

Enable an Automatically Mapped Imported Policy

To enable a partner policy that was automatically mapped during import: 1. Navigate to Policies > Policies. The Policy Manager page appears. 2. On the Policy Manager page, find the imported policy name, click Disabled, and select Enabled.

Enable an Unmapped Imported Policy

To enable a partner policy that was not automatically mapped during import: 1. Navigate to Policies > Policies. The Policy Manager page appears. 2. On the Policy Manager page, select an active or create a new RSA DLP policy to which you will map the imported partner policy by doing one of the following: – Click the name of an active DLP policy to select it, click Partner (where Partner is the name of the partner device, such as IronPort ESA) on the Network tab, and select Edit to modify the policy. – Select New Policy, name the new DLP policy, and click Partner (where Partner is the name of the partner device, such as IronPort ESA) on the Network tab. 3. In the first policy violation rule, map the partner policy to the RSA DLP policy: a. Click Select Policies and select a partner policy from the list. Selecting All Policies maps all of the partner policies to the RSA DLP policy. b. Optionally, add at most one detection rule for file and transmission attributes that you want the device to detect. For information on how to add detection rules for file and transmission attributes, see “Create the detection rules” on page 204.

Note: The file and transmission attributes that you can select are only those defined for and detectable by the partner device.

c. Select at least one severity level to act on and an associated remediation action: Click Any and select a severity level, then click Select Action and select an action.

Note: The actions that you can select are only those defined for the partner device.

4. Select users and groups to automatically notify when the policy changes: a. At the bottom of the Notification Rules section, select If policy is changed, email. b. Click Select user from directory to select the users and groups to notify. 5. Select Enabled to specify that RSA DLP policy be enabled when you save it. 6. Optionally, define additional policy violation rules, incident handling rules, notification rules, and escalation rules for the policy. You define these rules in the

Chapter 11: Managing RSA DLP on Partner Devices 349 RSA DLP 9.6 Network User Guide

same way that you define them for any other RSA DLP policy. For information on how to define these rules in a policy, see “Creating or Editing a Policy” on page 197. 7. Click Save. The Policy Manager page appears with the DLP policy in the Enabled state.

Enterprise Manager sends the policy to the partner device and takes control of DLP management on the device. Future changes to the policy in Enterprise Manager are automatically sent to the partner device.

Creating a DLP Policy for a Partner Device

You create a DLP policy for use by a partner device in the same way that you create any other DLP policy. You can use any policy template as a starting point, and the policy can include any content blades and any number of rules to include or exclude content. For information about policy creation, see “Creating or Editing a Policy” on page 197.

These differences apply when you create a DLP policy for use by a partner device: • A partner DLP policy that can be mapped to the RSA DLP policy in Enterprise Manager must already be defined on the partner device and known to Enterprise Manager. Partner policies become known to Enterprise Manager in two ways: – After you explicitly import the DLP policies from a partner device into Enterprise Manager. – After you set up communication between a partner device and Enterprise Manager and commission the device in Enterprise Manager. Commissioning a device triggers transmission of existing DLP policies from the device to Enterprise Manager. While the device is commissioned, any DLP policy added on the device is automatically transmitted to Enterprise Manager. • You can select any policy template available in Enterprise Manager as the starting point to create the RSA DLP policy to map to the imported partner policy. • You use a New Policy page specific to the device to create the policy. For example, to create a policy for the Cisco IronPort ESA device, you use the IronPort ESA page that appears when you select IronPort ESA on the New Policy > Network tab. • The first policy violation rule in the RSA DLP policy must define the partner device policy to which it maps. • The policy violation rule that defines the partner device policy must include at least one remediation action supported by the partner device. By default, action selections are limited to actions supported by the partner device. • Each policy violation rule can optionally contain at most one detection rule for file or transmission attributes.

These differences also influence how an imported partner policy is enabled in Enterprise Manager. For information on importing partner policies, see “Enabling an Imported Policy for a Partner Device” on page 348.

350 Chapter 11: Managing RSA DLP on Partner Devices RSA DLP 9.6 Network User Guide

Viewing DLP Policy Status for a Partner Device

You can see the status of all policies, including those enabled for partner devices, on the Policy Manager page. To open the Policy Manager page, select the Policies tab in Enterprise Manager.

If a policy is disabled by the partner device, you see a policy status of “disabled for device”, where device is the name of the partner device that disabled the policy. For instructions on disabling a DLP policy from a partner device, see the partner product documentation.

Managing Events and Incidents for a Partner Device

You manage events and incidents from a partner device in the same way that you manage other DLP events and incidents. For information about event management, see “Viewing Events” on page 61. For information about incident management, see “Managing Incidents” on page 27.

Viewing Device-Specific Events and Incidents

You can view device-specific events and incidents using both Quick Search and Advanced Search on the event and incident list pages.

To view only device-specific events and incidents in the event or incident list: 1. Select Incidents > Events to open the event list or Incidents > Incidents to open the incident list. 2. Do one of the following: – In the Quick Search field, enter the device or vendor name, then click Go. – Click Advanced Search, enter the device or vendor name in the Add Keywords field, then click Search.

The list refreshes to show only events or incidents that include the specified device or vendor name.

Chapter 11: Managing RSA DLP on Partner Devices 351 RSA DLP 9.6 Network User Guide

352 Chapter 11: Managing RSA DLP on Partner Devices RSA DLP 9.6 Network User Guide

APPENDIXES

• Appendix A: File Formats Supported by RSA DLP • Appendix B: DLP System Alerts • Appendix C: Using Enterprise Manager Pop-ups • Appendix D: Database Connection Strings

353 RSA DLP 9.6 Network User Guide

354 RSA DLP 9.6 Network User Guide

A File Formats Supported by RSA DLP

This appendix lists those file formats that RSA DLP can detect or extract text content or metadata from.

Topics: • Supported File Formats (for Text Extraction) • Supported File Formats (for Detection Only) • Categorized File Formats (for Policy Rules)

Supported File Formats (for Text Extraction)

The table for each category of file types provides the following information: • Application/Format. The software application and file format associated with the extension. The formats are ordered alphabetically in each table. • Versions. The software versions of the file format that are supported for analysis. • Extensions. The customary file extensions for the file type. •Text? Whether body text can be extracted for analysis: Y = Yes; N = No. • Metadata? Whether file metadata (title, author, keywords, and so on) or headers and footers can be extracted for analysis: Y = Yes; N = No; P = partial (some non-standard metadata fields not extracted).

Categories: • Archive Formats • Computer-Aided Design Formats • Database Formats • Display Formats • Graphic Formats • Interoperability Standards Formats • Mail Formats • Multimedia Formats • Presentation Formats

Appendix A: File Formats Supported by RSA DLP 355 RSA DLP 9.6 Network User Guide

• Spreadsheet Formats • Text and Markup Formats • Word Processing Formats

Archive Formats

DLP can analyze the following archive file formats.

Application/Format Versions Extensions Text? Metadata?

7-Zip 4.57 7Z Y N

BinHex N/A HQX Y N bzip2 N/A bz2 Y N

Expert Witness (EnCase) N/A E01, l01 etc. Compression Format

GZIP 2 GZ Y N

ISO-9660 CD Disc Image Format N/A ISO Y N

Java Archive N/A JAR Y N

Legato EMailXtender Archive N/A EMX Y N

MacBinary N/A BIN Y N

Mac Disk copy Disk Image N/A DMG Y N

Microsoft Backup File N/A BKF Y N

Microsoft Cabinet Format 1.3 CAB Y N

Microsoft Compressed Folder N/A • LZH YN • LHA

Microsoft Entourage N/A ? Y N

Microsoft Outlook Express N/A DBX Y N

Microsoft Outlook Personal Store 2007 PST Y N

356 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

Application/Format Versions Extensions Text? Metadata?

OASIS Open Document Format N/A • ODS YN • SXC • STC • ODT • SXW • STW

Open eBook Publication Structure N/A EPUB Y N

PKZIP through 9.0 ZIP Y N

RAR archive 2.0 through 3.5 RAR Y N

Shell Scrap Object File N/A SHS Y N

Tape Archive N/A TAR Y N

UNIX Compress N/A Z Y N

UUEncoding all UUE Y N

WinZip through 10 ZIP Y N

Computer-Aided Design Formats

DLP can analyze the following Computer-Aided Design file formats.

Application/Format Versions Extensions Text? Metadata?

AutoCAD Drawing R13, R14, 2000 DWG Y Y (R15), 2004 (R18), 2007 (R21)

AutoCAD Drawing Exchange R13, R14, 2000 DXF Y Y (R15), 2004 (R18), 2007 (R21)

CATIA formats 5 CAT1 Y Y

Microsoft Visio 5, 2000, 2002, 2003, VSD Y Y 2007

MicroStation 7, 8 DGN Y N

Omni Graffle NA GRAFFLE Y Y

1.All CAT file extensions; for example, CATDrawing, CATProduct, CATPart, and so on.

Appendix A: File Formats Supported by RSA DLP 357 RSA DLP 9.6 Network User Guide

Database Formats

DLP can analyze the following database file formats.

Application/Format Versions Extensions Text? Metadata?

Microsoft Access 95, 97, 2000, 2002, MDB Y N 2003, 2007, 2010

Microsoft Project 2000, 2002, 2003, MPP N Y 2007

Display Formats

DLP can analyze the following display file formats.

Application/Format Versions Extensions Text? Metadata?

Adobe PDF 1.1 to 1.7 PDF Y Y

Graphic Formats

DLP can analyze the following graphic file formats.

Application/Format Versions Extensions Text? Metadata?

Digital Imaging and N/A DCM N Y Communications in Medicine

Enhanced Metafile N/A EMF Y Y

Graphics Interchange Format N/A GIF N Y

Lotus Pic N/A PIC Y N

JPEG N/A JPEG N Y

Portable Network Graphics N/A PNG N Y

Tagged Image File through 6.01 TIFF N Y

Windows Bitmap N/A BMP N Y

Windows Metafile 3 WMF Y N

1.The following compression types are supported: no compression, CCITT Group 3 1-Dimensional Modified Huffman, CCITT Group 3 T4 1-Dimensional, CCITT Group 4 T6, LZW, JPEG (only Gray, RGB and CMYK color space are supported), and PackBits.

358 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

Interoperability Standards Formats

DLP can analyze the following interoperability standards file formats.

Application/Format Versions Extensions Text? Metadata?

Health Level 7 HL7 Y N

Mail Formats

DLP can analyze the following mail file formats.

Application/Format Versions Extensions Text? Metadata?

Domino XML Language1 N/A DXL N Y

Legato Extender N/A ONM N Y

Lotus Notes database 4, 5, 6.0, 6.5, 7.0, 8.0 NSF N Y

Mailbox2 Thunderbird 1.0, MBX N Y Eudora 6.2

Microsoft Outlook 97, 2000, 2002, 2003, MSG Y P 2007

Microsoft Outlook Express Windows 6, EML Y Y MacIntosh 5

Microsoft Outlook Personal Folder 97, 2000, 2002, 2003 PST N Y

Text Mail (MIME) N/A various Y Y

1.Only supports non-encrypted embedded files. 2.MBX files created by other common mail applications are typically supported for text extraction.

Multimedia Formats

DLP can analyze the following multimedia file formats.

Application/Format Versions Extensions Text? Metadata?

Advanced Streaming Format 1.2 • ASF N Y • WMA • WMV

Appendix A: File Formats Supported by RSA DLP 359 RSA DLP 9.6 Network User Guide

Application/Format Versions Extensions Text? Metadata?

Audio Interchange File Format N/A AIFF

MPEG-1 Audio layer 3 ID3 v1 and v2 MP3 N Y

Presentation Formats

DLP can analyze the following presentation file formats.

Application/Format Versions Extensions Text? Metadata?

Apple iWork Keynote 2, 3, ‘08, ‘09 GZ Y N

Applix Presents 4.0, 4.2, 4.3, 4.4 AG Y N

Corel Presentations 6, 7, 8, 9, 10, 11, 12, SHW Y N X3

Lotus Freelance Graphics 2 2 PRE Y N

Lotus Freelance Graphics 96, 97, 98, R9, 9.8 PRZ Y N

Macromedia Flash through 8.0 SWF Y N

Microsoft PowerPoint PC 4 PPT Y P

Microsoft PowerPoint Windows1 95, 97, 2000, 2002, • PPT Y P 2003 • PPS • POT

Microsoft PowerPoint Windows 2007 • PPTX2 Y Y XML • PPTM • POTX • POTM • PPSX • PPSM

Microsoft PowerPoint Macintosh 98 PPT Y N

2001, v.X, 2004 PPT Y P

OpenOffice Impress 1, 1.1 SXP Y Y

StarOffice Impress 6, 7 SXP Y Y

1.Extraction of text from header and footer of notes is not supported for PPT files. 2.Macro-enabled text can be extracted from PPTX files.

360 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

Spreadsheet Formats

DLP can analyze the following spreadsheet file formats.

Application/Format Versions Extensions Text? Metadata?

Apple iWork Numbers ‘08, 2009 GZ Y N

Applix Spreadsheets 4.2, 4.3, 4.4 AS Y N

Comma Separated Values N/A CSV Y N

Corel Quattro Pro 5, 6, 7, 8, X4 • WB2 Y P • WB3 • QPW

Data Interchange Format N/A DIF Y Y

Lotus 1-2-3 96, 97, R9, 9.8 123 Y P

2, 3, 4, 5 WK4 Y N

Lotus 1-2-3 Charts 2, 3, 4, 5 123 Y N

Microsoft Excel Windows 2.2 through 2003 • XLS Y Y • XLW • XLT • XLA

Microsoft Excel Windows XML 2007 • XLSX1 Y Y • XLTX • XLSM • XLTM • XLAM

Microsoft Excel Charts 2, 3, 4, 5, 6, 7 XLS Y N

Microsoft Excel Macintosh 98, 2001, v.X, 2004 XLS Y Y

Microsoft Office Excel Binary 2007 XLSB2 Y N Format

Microsoft Works Spreadsheet 2, 3, 4 S30 S40 Y N

Oasis Open Document Format 1,23 • ODS Y Y • SXC • STC

Appendix A: File Formats Supported by RSA DLP 361 RSA DLP 9.6 Network User Guide

Application/Format Versions Extensions Text? Metadata?

OpenOffice Calc 1, 1.1 • SXC Y Y • ODS • OTS

StarOffice Calc 6, 7 • SXC Y Y • ODS

1.Macro-enabled text can be extracted from XLSX files. 2.Macro-enabled text can be extracted from XLSB files. 3.Generated by OpenOffice Calc 2.0, StarOffice 8 Calc, and IBM Lotus Symphony Spreadsheet 3.0.

Text and Markup Formats

DLP can analyze the following text and markup file formats.

Application/Format Versions Extensions Text? Metadata?

ANSI N/A TXT Y N

ASCII N/A TXT Y N

Extensible Forms Description N/A • XFDL YN Language • XFD

HTML 3, 4 • HTM Y P • HTML

Microsoft Excel Windows XML 2003 XML Y Y

Microsoft Word Windows XML 2003 XML Y Y

Microsoft Visio XML 2003 VDX Y Y

MIME HTML N/A MHT Y Y

Rich Text Format 1 through 1.7 RTF Y P

Unicode Text 3, 4 TXT Y N

XHTML 1.0 • HTM Y Y • HTML

XML (generic) 1.0 XML Y Y

362 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

Word Processing Formats

DLP can analyze the following word processing file formats.

Application/Format Versions Extensions Text? Metadata?

Adobe FrameMaker Interchange 5, 5.5, 6, 7 MIF Y N Format

Apple iChat Log AV, AV 2, AV 2.1, LOG Y N AV 3

Apple iWork Pages ‘08, 2009 GZ Y N

Applix Words 3.11, 4, 4.1, 4.2, 4.3, AW Y N 4.4

Corel WordPerfect Linux 6.0, 8.1 WPS Y P

Corel WordPerfect Macintosh 1.02, 2, 2.1, 2.2, 3, 3.1 WPS Y N

Corel WordPerfect Windows 5, 5.1 WO Y P

6, 7, 8, 9, 10, 11, 12, WPD Y P X3

DisplayWrite 4 IP Y N

Folio Flat File 3.1 FFF Y Y

Founder Chinese E-paper Basic1 3.2.1 CEB Y N

Fujitsu Oasys 7 OA2 Y P

Haansoft Hangul 97, 2002, 2005, 2007 HWP Y N

IBM DCA/RFT (Revisable Form SC23-0758 -1 DC Y N Text)

JustSystems Ichitaro 8 through 2009 JTD Y P

Lotus AMI Pro 2, 3 SAM Y P

Lotus AMI Professional Write Plus 2.1 AMI Y N

Lotus Word Pro 96, 97, R9 LWP Y P

Lotus SmartMaster 96, 97 MWP Y N

Microsoft Word PC 4, 5, 5.5, 6 DOC Y N

Appendix A: File Formats Supported by RSA DLP 363 RSA DLP 9.6 Network User Guide

Application/Format Versions Extensions Text? Metadata?

Microsoft Word Windows 1.0 and 2.0 DOC Y N

6, 7, 8, 95, 97, 2000, DOC2 Y Y 2002, 2003

Microsoft Word Windows XML 2007, 2010 • DOCX YY • DOCM3 • DOTX • DOTM

Microsoft OneNote 2007, 2010 ONE Y Y

Microsoft Word Macintosh 4, 5, 6, 98, 2001, v.X, DOC Y Y 2004

Microsoft Works 2, 3, 4, 6, 2000 WPS Y N

Microsoft Windows Write 1, 2, 3 WRI Y N

Oasis Open Document Format 1, 24 • ODT Y Y • SXW • STW

OpenOffice Writer 1, 1.1 • SXW Y Y • ODT

Omni Outliner 3 • OPML YN • OO3 • OPML • OOUTLINE

Skype Log File NA DBB Y N

StarOffice Writer 6, 7 • SXW Y Y • ODT

WordPad through 2003 RTF Y P

XML Paper Specification N/A XPS Y N

XyWrite 4.12 XY4 Y N

1.On Windows 32-bit platforms only. 2.Macro-enabled text can be extracted from DOC files. 3.Macro-enabled text can be extracted from DOCM files. 4.Generated by OpenOffice Writer 2.0, StarOffice 8 Writer, and IBM Lotus Symphony Documents 3.0.

364 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

Supported File Formats (for Detection Only)

The following file formats can be detected but neither text nor metadata can be extracted from the files.

Ability Office (SS, DB, GR, AC3 Audio File Format ACT WP, COM)

Adobe FrameMaker Adobe FrameMaker Markup AES Multiplus Comm Language

Aldus Freehand (Macintosh) Aldus PageMaker (DOS) Aldus PageMaker (Macintosh)

Amiga IFF-8SVX sound Amiga MOD sound Apple Double

Apple Single Applix Alis Applix Asterix

Applix Graphics ARC/PAK Archive ASCII-armored PGP encoded

ASCII-armored PGP Public ASCII-armored PGP signed Audio Interchange File Format Keyring

AutoDesk Animator FLIC AutoDesk Animator Pro FLIC AutoDesk WHIP Animation Animation

AutoShade Rendering CADAM Drawing CADAM Drawing Overlay

CCITT Group 3 1-Dimensional COMET TOP Word Compactor/Compact Pro G31D) Archive

Computer Graphics Metafile Convergent Tech DEF Comm. Corel Draw CMX

CorelDRAW cpio Archive (UNIX/VAX/SUN) CPT Communication

Creative Voice (VOC) sound Curses Screen Image (UNIX/VAX/ Data Point VISTAWORD SUN) dBase Database DCX Fax DEC WPS PLUS

DECdx Desktop Color Separation (DCS) Device Independent file (DVI)

DG CEOwrite DG Common Data Stream (CDS) DIF Spreadsheet

Digital Document Interchange Digital Imaging and Disk Doubler Compression Format (DDIF) Communications in Medicine

EBCDIC Text ENABLE ENABLE Spreadsheet (SSF)

Encapsulated PostScript (raster) Envoy (EVY) Executable

Executable UNIX/VAX/SUN FileMaker (Macintosh) Framework

Appendix A: File Formats Supported by RSA DLP 365 RSA DLP 9.6 Network User Guide

Framework II FTP Session Data GEM Bit Image

GIF Graphics Environment Manager Harvard Graphics (GEM VDI)

Hewlett-Packard Honey Bull DSA101 HP Graphics Language (HP-GL)

HP Graphics Language HP Printer Control Language IBM 1403 Line Printer (Plotter) (PCL)

IBM DCA-FFT IBM DCF Script Informix SmartWare II

Informix SmartWare II Informix SmartWare II Database Informix SmartWare Communication File Spreadsheet

Interleaf JPEG File Interchange Format KW ODA G31D (G31) (JFIF)

KW ODA G4 (G4) KW ODA Internal G32D (G32) KW ODA Internal Raw Bitmap (RBM)

Lasergraphics Language Link Library Link Library UNIX/VAX/ SUN

Lotus AMIDraw Graphics Lotus Notes Bitmap Lotus Notes CDF

Lotus Screen Cam Lyrix MacBinary

Macintosh Raster MacPaint Macromedia Director

MacWrite MacWrite II MASS-11

Micrografx Designer Microsoft Access 2007 Microsoft Device Independent Bitmap

Microsoft Document Imaging Microsoft Excel 2007 Microsoft Excel 2007 (MDI) Macro-Enabled Spreadsheet Tmpl. Spreadsheet Template

Microsoft Office Drawing Microsoft Office Groove Microsoft Publisher

Microsoft Wave Sound Microsoft Windows Cursor (CUR) Microsoft Windows Group Graphics File

Microsoft Windows Help File Microsoft Windows Icon (ICO) Microsoft Windows OLE 2 Encapsulation

Microsoft Word (UNIX) Microsoft Works (Macintosh) Microsoft Works Communication (Macintosh)

Microsoft Works Microsoft Works Database Microsoft Works Database Communication (Windows) (Macintosh) (PC)

366 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

Microsoft Works Database Microsoft Works Spreadsheet MIDI (Windows) (Macintosh)

MORE Database Outliner MPEG-1 Video MPEG-2 Audio (Macintosh)

MS DOS Batch File format MS DOS Device Driver MultiMate 4.0

Multiplan Spreadsheet Navy DIF NBI Async Archive Format

NBI Net Archive Format Netscape Bookmark file NeWS font file (SUN)

NeXT/Sun Audio NIOS TOP Nota Bene

NURSTOR Drawing Object Module UNIX/VAX/SUN ODA/ODIF

ODA/ODIF (FOD 26) Office Writer OLE DIB object

OLIDIF Open PGP (new format packets) OS/2 PM Metafile Graphics

Paradox (PC) Database PC COM executable PC Library Module

PC Object Module PC PaintBrush PC True Type Font

PCD Image PeachCalc Spreadsheet Persuasion Presentation

PEX Binary Archive (SUN) PGP Compressed Data PGP Encrypted Data

PGP Public Keyring PGP Secret Keyring PGP Signature Certificate

PGP Signed and Encrypted PGP Signed Data Philips Script Data

Plan Perfect Portable Bitmap Utilities (PBM) Portable Greymap Utilities (PGM)

Portable Network Graphics Portable Pixmap Utilities (PPM) PostScript File

PRIMEWORD Program Information File Q & A for DOS

Q & A for Windows Quadratron Q-One (V1.93J) Quadratron Q-One (V2.0)

Quark Express (Macintosh) QuickDraw 3D Metafile (3DMF) QuickTime Movie

Real Audio Reflex Database RIFF Device Independent Bitmap

RIFF MIDI RIFF Multimedia Movie SAMNA Word IV

Serialized Object Format (SOF) SGI RGB Image SGML Encapsulation

Simple Vector Format (SVF) SMTP document Stuff It Archive (Macintosh)

Appendix A: File Formats Supported by RSA DLP 367 RSA DLP 9.6 Network User Guide

Sun Raster Image SUN vfont definition Supercalc Spreadsheet

SYLK Spreadsheet Symphony Spreadsheet Targon Word (V 2.0)

Transport Neutral Truevision Targa Ultracalc Spreadsheet Encapsulation Format

Uniplex (V6.01) Uniplex Ucalc Spreadsheet UNIX SHAR Encapsulation

Usenet format Volkswriter VRML

Wang Office GDL Header WANG PC Wang WITA Encapsulation

WANG WPS Comm. Windows Animated Cursor Windows Bitmap

Windows C++ Object Storage Windows Icon Cursor Windows Micrografx Draw (DRW)

Windows Palette Windows Video Word Connection

WordERA (V 1.0) WordMARC word processor WordPerfect General File

WordPerfect Graphics 1 WordPerfect Graphics 2 WordStar

WordStar 2000 WordStar 6.0 WriteNow

Writing Assistant word X Bitmap (XBM) X Image X Pixmap (XPM) processor

Xerox 860 Comm. Xerox Writer word processor

Categorized File Formats (for Policy Rules)

This section lists the supported file types in each of the categories available when using the File Attributes dialog box to select file categories to which a given DLP Network policy-detection rule is to apply.

It the table, file types in bold are formats for which DLP can analyze the text content for sensitive data. File types not in bold represent file formats that DLP can recognize but cannot extract text content from.

Category Supported file types

Unknown Any unrecognized file type.

AutoDesk Animator FLIC, AutoDesk Animator Pro FLIC, Lotus Screen Cam, Animation Macromedia Flash, Macromedia Director

368 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

Category Supported file types

bzip2, cpio archive (CRC Header), cpio archive (CHR Header), Expert Witness (EnCase) Compression Format, ISO-9660 CD Disc Image Format, SUN PEX Binary Compound Archive, OASIS Open Document Format, OLE Compound Document, LHA Archive, MacBinary, Mac Disk Copy Disk Image, PAK/ARC Archive, RAR, Self-extracting Archives, Shell Scrap Object File, StuffIt (MAC), TAR, ZIP Archive

Ability, Filemaker MAC, Microsoft Access 2007, dBase, Microsoft Access, Microsoft Access 95, Microsoft Access 97, Microsoft Access 2000, Paradox, Reflex, Microsoft Database Works for MAC, Microsoft Works for DOS, Microsoft Works for Windows, MIXED Framework, MIXED Framework II, Office Writer, SmartWare II

Desktop FrameMaker, Maker Markup Language, Microsoft Publisher, PageMaker for publishing Macintosh, PageMaker for Windows, Quark Xpress MAC

Ability, Microsoft Outlook, Microsoft Entourage, Microsoft Works for MAC, MIME, Email SMTP

Apple Double, Apple Single, ASCII-armored PGP encoded, ASCII-armored PGP Public Keyring, BinHex, Compactor / Compact Pro, Disk Doubler, GZ Compress, IBM Lotus Notes Database NSF/NTF, IBM Lotus Notes Representation of Domino Elements in XML, Legato EMailXtender Archive (EMX), Legato Extender (ONM), Java Archive (JAR), LHA Archive, MacBinary, Mac Disk Copy Disk Image File, Microsoft Backup File, Microsoft Cabinet Format (CAB), Microsoft Outlook, Encapsulation Microsoft Outlook PST, MIME, OLE Compound Document, Open PGP Message Format, PGP Compressed Data, PGP Encrypted Data, PGP Public Keyring, PGP Secret Keyring, PGP Signature Certificate, PGP Signed and Encrypted Data, PGP Signed Data, RAR, Serialized Object Format (SOF), 7-Zip, SHAR, SMTP, Transport Neutral Encapsulation Format, WANG Office GDL Header, PAK/ARC Archive, cpio archive (CHR Header), cpio archive (CRC Header), Sun PEX Binary archive, Stuff It (MAC), TAR, Unix Compress, UU encoded, ZIP Archive

ELF Executable, MS-DOS Batch File, MS-DOS Device Driver, MS-DOS/Windows Program, PC COM Executable, Unix Executable (3B20), Unix Executable (Basic-16), Executable Unix Executable (Bell 5.0), Unix Executable (iAPX 286), Unix Executable (MC680x0), Unix Executable (PDP-11/pre-System V VAX), Unix Executable (VAX), Unix Executable (WE32000), Unix Executable (x86)

FAX DCX FAX Format (PCX images)

Font NeWS bitmap font, SUN vfont Definition, TrueType Font

General purpose Advanced Streaming Format (ASF), Apple Binary Property List Format, FTP Session Data, Netscape Bookmark File, Program Information File (PIF), SmartWare II, (miscellaneous) Windows Group, Windows Help File, WordPerfect auxiliary file

HTML HTML

HTTP None

Library DOS/Windows Object Library, ELF Dynamic Library

Mixed Windows C++ Object Storage

Appendix A: File Formats Supported by RSA DLP 369 RSA DLP 9.6 Network User Guide

Category Supported file types

MPEG Movie, QuickTime Movie, RIFF Multimedia Movie, Video for Windows (AVI), Movie Windows Media Video Format (WMV)

DOS/Windows Object Module, ELF Relocatable, Unix Object Module (old MS 8086), Object module Unix Object Module (VAX Demand), Unix Object Module (Z8000)

Planning/outline MORE MAC

PostScript Encapsulated PostScript, PostScript

Apple iWork Keynote, Applix Graphics, Corel Presentations, Lotus Freelance 96, Harvard Graphics, Lotus Freelance 97, Lotus Freelance for DOS, Lotus Freelance for OS/2, Lotus Freelance for Windows, Microsoft PowerPoint 2000, Microsoft Presentation Visio, Oasis Open Document Format (ODP), Persuasion, Portable Document Format (PDF), PowerPoint 95, PowerPoint 97, PowerPoint MAC, PowerPoint PC, Microsoft PPT 2007 XML, Microsoft PPT Macro 2007 XML, StarOffice XML

Ability, CCITT G3 1D, Curses Screen Image, DICOM, FPX Format, GEM Bit Image, Graphics Interchange Format (GIF87a), Graphics Interchange Format (GIF89a), JPEG Interchange Format, Lotus Ami Pro Draw, Lotus Notes Bitmap, MacPaint, Microsoft Document Imaging Format, MS Windows Device Independent Bitmap, OLE DIB object, PC Paintbrush Graphics (PCX), PCD Format, Photoshop Document (.psd), Portable Bitmap Utilities ASCII Format, Portable Bitmap Utilities Binary Format, Raster Image Portable Greymap Utilities ASCII Format, Portable Greymap Utilities Binary Format, Portable Network Graphics (PNG), Portable Pixmap Utilities ASCII Format, Portable Pixmap Utilities Binary Format, RIFF Device Independent Bitmap, SGI Image, Sun Raster, Targa, TIFF, Windows Animated Cursor, Windows Bitmap, Windows Cursor, Windows Icon Format, Windows Metafile, Windows Metafile (no header), Windows Palette, WordPerfect Graphics, X Bitmap Format, X Pixmap

Scheduling/ Microsoft Project, Microsoft Project 4, Microsoft Project 4.1, Microsoft Project 98, Planning Microsoft Project 2000, Microsoft Project 2007, PlanPerfect

AC3 Audio File Format, Amiga IFF (8SVX) Sound, Amiga MOD, Audio Interchange File Format (AIFF), Creative Voice (VOC), Microsoft Wave, MIDI, MPEG Audio, Sound NeXT/Sun Audio Data, Real Audio, RealMedia Streaming Media, RIFF MIDI, Windows Media Audio Format (WMA)

Ability, Apple iWork Numbers, Applix Spreadsheets, CSV (Comma Separated Values), Data Interchange Format (DIF), Enable Spreadsheet, Lotus 1-2-3, Lotus 1-2-3 97, Lotus 1-2-3 Formatting, Lotus 1-2-3 Release 9, Microsoft Excel, Microsoft Excel 2000, Microsoft Excel 2007 XML, Microsoft Excel 95, Microsoft Excel 97, Microsoft Excel Binary 2007, Microsoft Excel Macro 2007 XML, Microsoft Excel Spreadsheet XML, Microsoft Works for MAC, Microsoft Works for Windows, Microsoft Works for Windows, Multiplan (Mac), Multiplan (PC), OpenOffice Calc, ODF Spreadsheet, PeachCalc, Quattro Pro 9+ for Windows, Quattro Pro for DOS, Quattro Pro for Windows, SmartWare II, StarOffice XML, Supercalc, SYLK, Symphony, UltraCalc, Uniplex Ucalc

Text Text, Unicode

370 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

Category Supported file types

AutoCAD DXF, AutoCAD DXF, AutoDesk Drawing (DWG), AutoDesk WHIP, AutoShade Rendering, CADAM Drawing, CADAM Drawing Overlay, CATIA Formats (CAT*), Computer Graphics Metafile (CGM), Computer Graphics Metafile (CGM), Computer Graphics Metafile (CGM), Corel CMX, Corel Draw, DeVice Independent file (DVI), Enhanced Metafile, Freehand MAC, GEM VDI, Harvard Graphics Chart, Harvard Graphics Configuration File, Harvard Graphics Palette, Vector graphic Harvard Graphics Symbol File, HP Graphics Language, HP Graphics Language (Plotter), HP Printer Control Language, Intergraph Standard File Format (ISFF) V7 DGN (non-OLE), Lasergraphics Language, Lotus PIC, Micrografx Designer, Microsoft Office Drawing, Microsoft Visio, Microsoft Visio XML, MicroStation V8 DGN (OLE), NURSTOR Drawing, ODF Drawing, Omni Graffle (.graffle) XML File, OS/2 PM Metafile, QuickDraw 3D Metafile, QuickDraw Picture, Simple Vector Format (SVF), VRML, Windows Draw (Micrografx)

APPLIX ASTERIX, Ability, ACT, ALIS, Apple iChat format, Apple iWork Pages, AppleWorks File, Applix Words, CDA / DDIF, CEOwrite, COMET TOP, Convergent Technologies DEF Comm. Format, CPT, DCA-FFT (IBM Final Form), DCA-RFT (IBM Revisable Form), DCF Script, DCS, DECdx, DG Common Data Stream (CDS), Display Write, DSA101 (Honeywell Bull), EBCDIC Text, Enable Word Processing, Envoy, Folio Flat File, Founder Chinese E-paper Basic (ceb), Haansoft Hangul, HP Word PC, HWP(Arae-Ah Hangul), IBM 1403 Line Printer, IBM Writing Assistant, ICHITARO V4-10, Interleaf, JustSystems Ichitaro, Lotus Ami Pro, Lotus Ami Pro Style Sheet, Lotus Notes CDF, Lotus Word Pro 96, Lotus Word Pro 97, Lyrix Word Processing, MacWrite, MacWrite II, Maker Interchange Format (MIF), MASS-11, MHT format, Microsoft Office Groove Format, Microsoft Pocket Word, Microsoft Word 2000, Microsoft Word 2007 XML, Microsoft Word 95, Microsoft Word 97, Microsoft Word for Macintosh, Microsoft Word for PC, Microsoft Word for PC Driver, Microsoft Word for PC Glossary, Microsoft Word for PC Miscellaneous File, Microsoft Word for PC Style Sheet, Microsoft Word for Windows, Microsoft Word Macro 2007 XML, Microsoft Word UNIX, Microsoft Word XML, Microsoft Works for Word processor DOS, Microsoft Works for MAC, Microsoft Works for Windows, Microsoft XML Paper Specification(XPS), MultiMate, MultiMate Advantage, MultiMate Advantage Footnote File, MultiMate Advantage II, MultiMate Advantage II Footnote File, MultiMate Footnote File, Multiplus (AES), Navy DIF, NBI Async Archive Format, NBI Net Archive Format, NIOS TOP, Oasys format, ODA / ODIF, ODA / ODIF, ODA / ODIF, ODA / ODIF, ODF Text, Omni Outliner (.oo3) File, Omni Outliner (.opml) File, OOutliner (.ooutline) File, Philips Script, Portable Document Format, PRIMEWORD, Q & A for DOS, Q & A for Windows, Q-One V1.93J, Q-One V2.0, Rich Text Format (RTF), SAMNA Word, SGML, Skype Log File, SmartWare II, StarOffice Text XML, SWF, Targon Word, Uniplex, USENET, Vistaword, Volkswriter, WANG PC, WANG WITA, WANG WPS, Windows Write, Word Connection, WordERA, WordMARC, WordPerfect, WordPerfect Configuration File, WordPerfect Driver, WordPerfect Hyphenation Dictionary, WordPerfect MAC, WordPerfect Macro, WordPerfect Miscellaneous File, WordPerfect Resource File, WordPerfect Spelling Dictionary, WordPerfect Thesaurus, WordPerfect VAX, WordStar, WordStar 2000, WPS-PLUS, WriteNow MAC, Xerox 860, Xerox Writer, XHTML, XYWrite / Nota Bene, Yahoo Instant Messenger History

XML XML

Appendix A: File Formats Supported by RSA DLP 371 RSA DLP 9.6 Network User Guide

372 Appendix A: File Formats Supported by RSA DLP RSA DLP 9.6 Network User Guide

B DLP System Alerts

This appendix provides descriptions of the alerts and messages that are generated for the most common error scenarios for each DLP component.

The DLP components can be configured to send alerts to a Syslog daemon so that they can be managed by a full SIEM system such as RSA enVision, or to a centralized email address. For instructions on configuring your RSA DLP to do this, see “System Alerts Configuration” on page 254.

DLP Endpoint is configured by default to send alerts for the most common error scenarios to the local system’s Event Viewer.

Topics: • Enterprise Manager Alerts • DLP Network Alerts

Enterprise Manager Alerts

The table below provides descriptions of the alerts and messages that are generated for the most common error scenarios for Enterprise Manager.

Alert ID Message and Description

EM-000 Initializing RSA DLP Enterprise Manager Bootstrap Message. This message is sent when a SIEM configuration is created or updated.

EM-999 RSA DLP Enterprise Manager release number.build number Heartbeat Message. This message is sent every hour to indicate that Enterprise Manager is up and running.

EM-001 Low disk space on DLP partition This alert is sent if the disk space on system partition falls below a specified value. The system partition is the drive on which Enterprise Manager is installed; by default C:\Program Files\ RSA\Enterprise Manager The default value is 50MB.

Appendix B: DLP System Alerts 373 RSA DLP 9.6 Network User Guide

Alert ID Message and Description

EM-002 Low disk space on matched files partition This alert is sent if the disk space on the matched files partition falls below a specified value. The matched files partition is the drive where matched content data is stored; by default C:\rsa The default value is 50MB.

EM-003 Unable to communicate with the database This alert is sent if the Enterprise Manager cannot connect to the database.

EM-004 Unexpected error while indexing events/incidents This alert is sent if an exception is thrown while indexing events and incidents.

EM-005 Unable to communicate with Enterprise Coordinator This alert is sent when there is a loss of connectivity between Enterprise Manager and Enterprise Coordinator.

EM-006 Unable to communicate with Network Controller This alert is sent when there is a loss of connectivity between Enterprise Manager and Network Controller.

EM-007 Unable to communicate with Event Loader This alert is sent when there is a loss of connectivity between Enterprise Manager and the Event Loader.

EM-008 RSA DLP CA certificate aliased - {0} is going to expire on {1} This alert is sent when a certificate is about to expire in the DLP Endpoint infrastructure.

EM-009 Unable to communicate with Endpoint Coordinator This alert is sent when one or more the Endpoint Coordinators did not report the status for a specified duration.

EM-010 Unable to communicate with Endpoint Coordinator web server This alert is sent when the Enterprise Manager is unable to communicate with the web server that is used as the file store for the Root Endpoint Coordinator.

EM-011 Unable to communicate with Endpoint Coordinator message broker This alert is sent when the Enterprise Manager is unable to communicate with the Message Broker component on the Root Endpoint Coordinator. The Enterprise Manager cannot receive status messages from the Endpoint components until this problem is resolved.

EM-012 Unable to communicate with Endpoint Coordinator Certificate join service This alert is sent when the Enterprise Manager is unable to communicate with the Certificate Services component on the Root Endpoint Coordinator. The Enterprise Manager cannot renew or issue certificates to Endpoint Coordinators and Endpoint agents until this problem is resolved.

EM-013 Datacenter Grid Scan Finished This alert is sent when a grid scan is complete.

374 Appendix B: DLP System Alerts RSA DLP 9.6 Network User Guide

Alert ID Message and Description

EM-014 Datacenter Agent Scan Finished This alert is sent when an agent scan is complete.

EM-015 Exceeded total size of Endpoint Fingerprint This alert is sent when the total size of the Fingerprinted-Content Blades used by the Endpoint policies exceed a specified limit. The Enterprise Manager cannot send policy updates until problem is resolved.

EM-016 RSA DLP Endpoint infrastructure will switch to a new CA Certificate on New-CA-start-date. Agents must renew certificates by Existing-CA-Expiry-Date This alert is sent when the validity of the existing CA certificate is about to expire. The Endpoint agent certificates are renewed before the expiry of the existing CA certificate.

DLP Network Alerts

The table below provides descriptions of the alerts and messages that are generated for the most common error scenarios for DLP Network.

Alert ID Message and Description

NW_000 Initializing DLP Network DEVICETYPE: HOSTNAME This alert is sent when a Network device is rebooted and each time the configuration file is loaded. NOTE: Only sent for syslog alerting; not sent out as an email alert.

NW_999 DLP Network DEVICETYPE(VERSION), Uptime: UPTIME Heartbeat Message. This message is logged once every hour to inform that a Network device is up and also logs the latest uptime. NOTE: Only sent for syslog alerting; not sent out as an email alert.

NW_001 Low disk space. Disk space usage on '/' is at 95% This alert is sent when disk usage of the Network device exceeds the high percentage value. The default limit is 85% usage.

NW_002 Low inodes condition. Inode usage on '/' is at 4% This alert is sent when inode usage exceeds the high percentage value (an inode is a record in a filesystem that contains information about a file or directory such as its size, owner, and so on.). The default value is 95% usage.

NW_003 Controller flow control transition to OFF: Inadequate disk space to accept events from managed devices This alert is sent when the local disk space usage of the Network controller exceeds a specified limit and the Network Controller stops accepting audits from the Network managed devices. The default limit is 85%

Appendix B: DLP System Alerts 375 RSA DLP 9.6 Network User Guide

Alert ID Message and Description

NW_004 Controller flow control transition to ON: Accepting events from managed devices This alert is sent following a NW-003 alert (above), when the usage drops below a specified value and audits from Network managed devices are again accepted by the Network Controller The default limit is 95%

NW_005 DLP Managed Device (DEVICE: HOSTNAME) not connected to controller This alert is sent when the Network Controller is unable to connect with a configured managed device.

NW_006 DLP Network Controller unable to communicate with DEVICETYPE: DEVICE ADDRESS This message is generated when a configured managed device stops communicating with the Network Controller.

NW_007 Process failed: ProcessName This alert is sent when the Monitor program on a Network device (controller, interceptor, sensor, icap-server) experiences a sub-process fail. Monitor will attempt to restart a process three times; the alert is sent after the third failed try.

NW_008 Unable to start NW process: ProcessName This alert is sent when the Monitor program on a Network device (controller, interceptor, sensor, icap-server) is unable to start a Network process.

NW_009 Sensor queue too large: PROTOCOL_TYPE This alert is sent if the protocol dispatch queue on the sensor exceeds a specified size/time. The default size is 3000 items on a queue, the default time to be above this size is 60 minutes.

NW_010 Interceptor: PATH_TO_MAIL_QUEUE mail queue above 100% (size: nnnn), closing port 25 This Critical alert is sent when the size of the mail queue on the interceptor significantly exceeds the specified percentage threshold. The default is 85%, set on the interceptor configuration page of Enterprise Manager. The displayed size is the total size of the queue.

NW_011 Interceptor: All mail queues and disk space usage are below critical level, opening port 25 This Info alert is sent when the sizes of mail queues and percentages of space used by the queues decreases to equal to or less than 80% of the specified high values after the thresholds were exceeded (after a NW-010 Critical alert). You set the maximum sizes and percentages for each mail queue in the interceptor configuration page of Enterprise Manager.

NW_012 Interceptor: Mail relay mail.acme.com not responding on port 25 This alert is sent when the Network interceptor is unable to connect to the mail relay (encryption host or smart host) on port 25.

NW_013 ICAPServer is not listening on ICAP port 1344 This message is generated if ICAPServer.py (the main ICAP server process) is not operating correctly.

376 Appendix B: DLP System Alerts RSA DLP 9.6 Network User Guide

Alert ID Message and Description

NW_014 ICAPServer has not received any requests in 480 minutes, check network connectivity When the ICAP Server has not received any requests from the ICAP client (for example the BlueCoat proxy) for the specified time.

NW_015 DLP network appliance entering sample mode This alert indicates that tcpflow is currently in sampling mode.

NW_016 DLP network appliance exiting sample mode This alert indicates that tcpflow is currently not in sampling mode.

NW_017 DLP network appliance - no packets sampled in over 10 minutes, check network connectivity This alert is sent when no packets have been received by the sensor’s network interface (NIC) in the last 10 minutes. The network interface can be either a Xyratex card or a standard NIC card (installed in eth1).

NW_018 DLP NW Monitor program not responding A Network Monitor program periodically checks whether the Network Monitor process is running, and if it is running, it also checks and see if the Network Monitor process/ service can be connected from a Monitor client program. If the NW monitor is not running or if the Monitor process/ service can not be connected to, this alert is generated.

NW_023 Interceptor: PATH_TO_MAIL_QUEUE mail queue above nn% (size: nnnn) This Warning alert is sent when the size of a mail queue on the Interceptor exceeds the current threshold (nn% of the total queue size). The size is the number of messages in the queue. You set the threshold for the mail queue on the Interceptor configuration page in Enterprise Manager.

NW_024 Interceptor: PATH_TO_MAIL_QUEUE mail queue below warning level, nn% (size: nnnn) This Info alert is sent when the size of a mail queue on the Interceptor decreases to equal to or below the current threshold. The displayed percentage (nn%) is the percentage of size below the current threshold. The size is the number of messages in the queue.

Appendix B: DLP System Alerts 377 RSA DLP 9.6 Network User Guide

378 Appendix B: DLP System Alerts RSA DLP 9.6 Network User Guide

C Using Enterprise Manager Pop-ups

This chapter describes how to use various Enterprise Manager pop-ups.

Selecting Users and Machines from an LDAP Directory for DLP Operations

The Select from Directory pop-up window allows you to select users or machines from an LDAP integrated with DLP. You can use one of the following methods to select users or machines: • Select Users or Machines using the Browse Tab • Select Users or Machines using the Search Tab

Select Users or Machines using the Browse Tab

Before You Begin • An LDAP directory is configured in the Enterprise Manager. For more information, see “Configuring LDAP Integration” on page 245. • Verify that you have the appropriate permissions to perform this task. For more information, see “Managing Roles and Permissions” on page 221.

Appendix C: Using Enterprise Manager Pop-ups 379 RSA DLP 9.6 Network User Guide

To select users or machines using the Browse tab: 1. In the Select from Directory pop-up window, click the Browse tab.

2. Use the checkboxes to select the users or machines.

3. Click to move the selected entries into the Selected Users/Machines box. 4. Click Save.

Select Users or Machines using the Search Tab

380 Appendix C: Using Enterprise Manager Pop-ups RSA DLP 9.6 Network User Guide

To select users or machines using the Search tab: 1. In the Select from Directory pop-up window, click the Search tab.

2. In the Filter field, enter an LDAP search filter. For more information, see “LDAP Search Filters” on page 381. 3. From the Server drop-down list, select the configured LDAP server to search for entries. 4. Click Search. 5. From the search results, select the entries that you want to include. You can select multiple entries by pressing and holding down the CTRL key, and clicking the entries.

6. Click to move the selected entries into Selected Users/Machines box. 7. Click Save.

LDAP Search Filters

An LDAP search filter must be constructed as defined in RFC 2254: String Representation of LDAP Search Filters.

The LDAP search filter is defined by the following rules: filter = “(“ filtercomp ”)” filtercomp = and / or / not / item and = “&” filterlist or = “|” filterlist not = “!” filter

Appendix C: Using Enterprise Manager Pop-ups 381 RSA DLP 9.6 Network User Guide

filterlist = 1*filter item = simple / present / substring / extensible simple = attr filtertype value filtertype = equal / approx / greater / less equal = “=” approx = “~=” greater = “>=” less = “<=”

Each search filter consists of parentheses-enclosed attribute-value pairs, used to build operator-prefixed expressions that are also enclosed in parentheses. The following table shows examples of the format.

Query Result

(cn=*gem*) Returns entries with gem somewhere in the common name.

(ou=engineering) Returns entries with engineering as the organizational unit.

(|(ou=qa)(ou=quality*)) Returns entries whose organizational unit is either qa or starts with quality.

(&(objectClass=user)(|(cn=smit*)(cn=garc*)(cn=kris*))) Returns entries of users whose common names begin with smit, garc, or kris.

382 Appendix C: Using Enterprise Manager Pop-ups RSA DLP 9.6 Network User Guide

D Database Connection Strings

This appendix presents examples of database connection strings for DLP. You can use any of these strings to • Allow a scan group’s grid workers to connect to a database for scanning. You provide the string as described in “C. Specify database connection information” on page 723. • Allow the Site Coordinator that hosts the crawler to connect to a database for fingerprinting. You provide the string as described in “C. Specify database connection information” on page 169.

Note: For security reasons, do not include the credentials of the database user in the connection string. Because the connection string is stored as plain text, any password in the string is also stored as plain text.

Oracle Connection Strings

Using database name:

Provider=OraOLEDB.Oracle;Data Source=DBName;

Provider=OraOLEDB.Oracle;Data Source=DBName;OSAUTHENT=1;

where DBName is the name of the Oracle database to be scanned. Note that use of these connection strings requires that you first copy the file tnsnames.ora from your Oracle Server host into the Network\admin subdirectory (within the Oracle Client installation directory) on the Enterprise Coordinator and on each grid-worker. For example: C:\app\acme\product\11.1.0\client_1\Network\Admin\tnsnames.ora

Appendix D: Database Connection Strings 383 RSA DLP 9.6 Network User Guide

• Use the first string if you supply database-user credentials in the fields provided for that purpose. • Use the second string (which includes OSAUTHENT=1) if you are using the scan group’s run-as user as the database user. In this case, the Oracle database administrator must enable Windows OS authentication on the target database.

Using IP address of database host:

Provider=OraOLEDB.Oracle;Data Source=(DESCRIPTION=(CID=GTU_APP)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST =IPAddress)(PORT=PortNum)))(CONNECT_DATA=(SID=DBName)(SERVER=DEDICATED)));

Provider=OraOLEDB.Oracle;Data Source=(DESCRIPTION=(CID=GTU_APP)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST =IPAddress)(PORT=PortNum)))(CONNECT_DATA=(SID=DBName)(SERVER=DEDICATED))); OSAUTHENT=1;

where IPAddress is the IP address of the Oracle Server host, PortNum is the port number that the server listens on, and DBName is the Oracle database name or database service name. (These connection strings do not require availability of the tnsnames.ora file.) • Use the first string if you supply database-user credentials in the fields provided for that purpose. • Use the second string (which includes OSAUTHENT=1) if you are using the scan group’s run-as user as the database user. In this case, the Oracle database administrator must enable Windows OS authentication on the target database.

For more information on valid connection-string formats, see your Oracle database product documentation.

SQL Server Connection Strings

Using database name:

Provider=sqloledb;Data Source=DBServer;Initial Catalog=DBName;

Provider=sqloledb;Data Source=DBServer;Initial Catalog=DBName; Integrated Security=SSPI;

where DBServer is the host name or IP address of the database server machine (optionally with port number following a comma at the end, like 127.0.0.1,1433), and DBName is the name of the database to be scanned. • Use the first string if you supply database-user credentials in the fields provided for that purpose. • Use the second string (which includes Integrated Security=SSPI) if you are using the scan group’s run-as user as the database user.

384 Appendix D: Database Connection Strings RSA DLP 9.6 Network User Guide

Using database instance name:

Provider=sqloledb;Data Source=DBServer\DBInstance;Initial Catalog=DBName;

Provider=sqloledb;Data Source=DBServer\DBInstance;Initial Catalog=DBName; Integrated Security=SSPI;

where DBServer\DBInstance is the host name (or IP address) of the database machine and the SQL Server instance name. • Use the first string if you supply database-user credentials in the fields provided for that purpose. • Use the second string (which includes Integrated Security=SSPI) if you are using the scan group’s run-as user as the database user.

For more information on valid connection-string formats, see your SQL Server database product documentation.

DB2 Connection Strings

Connection-string examples are included for both the IBM OLE DB provider (IBMDADB2) and the Microsoft OLEDB provider (DB2OLEDB).

For IBM OLE DB Provider for DB2 (IBMDADB2)

Specifying database network address:

Provider=IBMDADB2;Database=SalesDB;Network Address=10.31.252.127; Protocol=TCPIP;Port=50000;

Specifying database-host address:

Provider=IBMDADB2;Database= SalesDB;Hostname=10.31.252.127; Protocol=TCPIP;Port=50000;

Working with KERBEROS authentication: If the DB2 server is configured for KERBEROS authentication, the run-as user credentials and the user credentials supplied on the scan-group or crawler configuration page are not used and you need not provide any credential-related parameters in the connection string. Any of the above strings is usable.

For Microsoft OLEDB Provider for DB2 (DB2OLEDB)

Provider=DB2OLEDB;Network Transport Library=TCPIP; Network Address=10.31.252.127;Network Port=50000; Initial Catalog=SalesDB;Package Collection=DLP;Default Schema=DLP;

Appendix D: Database Connection Strings 385 RSA DLP 9.6 Network User Guide

where Initial Catalog is the name of the database, Package Collection is the the DRDA target collection for storing and binding DB2 packages (could be same as the Default Schema), and Default Schema is the SCHEMA name of the target collection of tables and views.

Working with KERBEROS authentication: If the DB2 server is configured for KERBEROS authentication, the run-as user credentials and the user credentials supplied on the scan-group or crawler configuration page are not used. Instead, you need to supply Integrated Security and Principal Name parameters in the connection string:

Provider=DB2OLEDB;Network Transport Library=TCPIP; Network Address=10.31.252.127;Network Port=50000;Initial Catalog=SalesDB; Package Collection=DLP;Default Schema=DLP;Integrated Security=SSPI; Principal Name=iim\db2admin;

where Integrated Security=SSPI specifies that Security Support Provider Interface is to be used for authentication, and Principal Name is the KERBEROS Principal name (here in domain\user format) for authenticating to the database.

For more information on valid connection-string formats, see your IBM DB2 database product documentation.

386 Appendix D: Database Connection Strings RSA DLP 9.6 Network User Guide

Glossary

action mode A monitoring mode in DLP Network (when an Interceptor is present) in which messages that violate policies can be quarantined or otherwise modified. Compare scan-and-tag mode.

action rule A policy rule that is a usage scenario with a set of usage restrictions, defined when creating the policy (for example, audit transmission of PII from anyone). Compare detection rule.

action taken An attribute of an incident. It notes the action that a DLP product performed on the message involved in the incident.

Active Directory A Windows LDAP directory service that unifies user management across multiple Windows applications. One way to choose users or computers to scan is to select them from an Active Directory list.

agent See discovery agent or endpoint agent.

Allow In DLP Network, to permit the transmission of content that violates a security policy without taking any action. Compare Audit, Discard, Quarantine, Encrypt.

appliance The deployment method for DLP Network. The components of DLP Network are pre-installed on one or more appliance machines, which are then deployed on the customer’s network.

attribute analysis Classification of a document based on external features (such as sender, recipient, IP address), physical attributes (such as file size, file extension, true file type), or detection of encrypted content. Some policy rules are based on attribute analysis.

Glossary 387 RSA DLP 9.6 Network User Guide

attribute rule In a policy, a detection rule that uses attribute analysis to determine whether a document or transmission is sensitive. Compare content-detection rule.

Audit In DLP Network, to permit the transmission of content that violates a security policy, while noting (and saving) the specifics of the violation. Compare Allow, Discard, Quarantine, Encrypt.

automatic remediation An action taken by DLP in immediate response to a policy violation. In addition to creating an event, the DLP product performs an action such as Quarantine, Move to Secure, or Encrypt. Compare manual remediation.

Block See Discard.

categorizer See content analyzer.

configuration file An XML file that holds configuration settings for an RSA DLP product or policy or content blade.

content analysis The process of evaluating the text content of a message or document to discover whether it violates a security policy. Compare text conversion.

content analyzer The component of a DLP product that performs content analysis. The content analyzer uses content blades to perform the analysis.

content blade A set of detection rules that describe a certain kind of sensitive content (for example, credit card number or corporate financial information). You can define a content blade by specifying terms, dictionaries, regular expressions, and entities, or create one by fingerprinting known sensitive content.

content-detection rule A content-blade component that includes a term list, a dictionary, a regular expression, or an entity. Content-detection rules are matched against document or message content to determine whether the content is sensitive.

Content Blade Manager The portion of Enterprise Manager that allows you to create and edit content blades.

388 Glossary RSA DLP 9.6 Network User Guide

crawler See fingerprint crawler.

credentials Authentication information (usually user name and password) used to log into an application, or to access a file or database.

Dashboard An interactive screen in Enterprise Manager that displays overviews of data-loss risk and recent DLP activity.

database 1. See Enterprise Manager database.

2. A structured-content object that is crawled (to create a fingerprinted-content blade) or scanned by DLP Datacenter (to detect sensitive content).

database crawler A type of fingerprint crawler that creates fingerprints of column content stored in databases and stored in or extracted into uniformly-organized data files such as .csv (comma-separated-value) files.

database fingerprint A hash value created by a database crawler to detect an exact copy of the content of one column in one database table row. Used in row-based combinations by a database fingerprinted-content blade to detect sensitive content.

database A type of fingerprinted-content blade that uses fingerprinted-content blade database fingerprints to detect sensitive content in documents and transmissions.

described content A kind of sensitive content, defined by the actual text it contains. Compare fingerprint.

described-content blade A content blade that describes (using terms, dictionaries, regular expressions, and/or entities) the kind of content that the blade is to detect. Compare fingerprinted-content blade.

detection rule A policy rule that specifies when a document or transmission is to be considered sensitive. Compare action rule. Detection rules include attribute rules and content-detection rules.

Glossary 389 RSA DLP 9.6 Network User Guide

Discard In DLP Network, to prevent (block) the transmission of content that violates a security policy. Compare Allow, Audit, Quarantine, Encrypt. (Requires use of an Interceptor.)

dictionary A saved set of terms to import into a content blade. In Enterprise Manager, the Dictionary Manager allows you to create and edit dictionaries.

Dictionary Manager The portion of Enterprise Manager that allows you to create and edit dictionaries.

discovery agent A small piece of software (application or service) that executes on a desktop, notebook, file-share server, or other computer to preserve information security. DLP Datacenter uses agents to scan for stored files whose contents or characteristics might constitute policy violations.

DLP Data-loss prevention (also called data-leak prevention or content-loss prevention). The prevention of loss or misuse of an organization’s sensitive or confidential data. RSA DLP provides comprehensive tools for data-loss prevention.

DLP content blade See content blade.

DLP Datacenter An RSA product that scans files on users’ computers, identifying any files containing content that violates a security policy and allowing an administrator to take appropriate action with them.

DLP Endpoint An RSA product that monitors actions (such as printing or copying) on users’ computers, and blocks or logs any such actions that violate a security policy.

DLP Enterprise Manager See Enterprise Manager.

DLP Network An RSA product that monitors activity on an organization’s network, and blocks, encrypts, or logs any transmissions whose content violates a security policy.

DLP policy See policy.

390 Glossary RSA DLP 9.6 Network User Guide

DNS name Fully qualified computer host name as specified by a Domain Name Server. In DLP Datacenter, you can use either DNS name or IP address to specify servers in a scan group. When installing DLP Network, you will need to provide DNS names or IP addresses of the appliance machines.

document score The raw risk level assigned to a document or message in relation to a given content blade. A document score is basically the sum of all rule scores (the number of rule matches times the weight of that rule). Document score is subject to limits and is further normalized to arrive at the document’s final risk factor.

email self-release See self-release.

endpoint agent A small piece of software (application or service) that executes on a desktop, notebook, file-share server, or other computer to preserve information security. DLP Endpoint uses agents to monitor actions of computer users that might constitute policy violations.

Enterprise Manager The common administrative and user interface for DLP Network, DLP Endpoint, and DLP Datacenter.

Enterprise Manager The database in which Enterprise Manager stores database incidents, events, fingerprints, and configuration information from all products in RSA DLP.

entity A proprietary C++ program that uses regular expressions and algorithms to identify sensitive data of a given kind (such as a credit card number or social security number). RSA provides a set of entities that you can use as detection rules in custom content blades—either alone or in conjunction with other information such as keyword terms and regular expressions—to accurately identify instances of your organization’s sensitive information.

enVision RSA enVision, a proprietary SIEM application.

Glossary 391 RSA DLP 9.6 Network User Guide

event An instance of detection of a policy violation (due to presence of sensitive content or some other triggering condition). One or more events occurring in some relation to each other may be required for an incident to occur.

Event List The portion of Enterprise Manager that a user accesses to review and take action on events.

expert A pre-built content blade, regular expression, or [blade, regular expression, dictionary developed by RSA Knowledge dictionary] Engineering. RSA makes a number of expert blades, regular expressions, and dictionaries available to RSA DLP customers.

expiration In DLP Network, the amount of time available to review a message after it has been quarantined. If the expiration time passes without review, the message is discarded.

false negative In content analysis, the erroneous classification of a sensitive document as non-sensitive. As false negatives increase, the recall of the analysis decreases.

Occurrence of false negatives means that sensitive content is being missed. Compare false positive.

false positive In content analysis, the erroneous classification of a non-sensitive document as sensitive. As false negatives increase, the precision of the analysis deceases.

Excessive false positives require costly manual effort to separate them from the truly sensitive documents. Compare false negative.

file converter See text converter.

file crawler A type of fingerprint crawler that creates fingerprints of all and parts of text-based and non-text files stored in file shares and directories.

file fingerprint A hash value created by a file crawler and used by a file fingerprinted-content blade to detect an exact copy of all or part of the text in a file, or an exact and complete binary copy of a text-based or non-text file.

392 Glossary RSA DLP 9.6 Network User Guide

file fingerprinted-content A type of fingerprinted-content blade that uses file blade fingerprints to detect sensitive content in documents and transmissions.

file type A document structure and format, typically identified by a filename extension (such as .doc or .txt). DLP Datacenter allows you to filter your scans by file type and summarizes the highest-risk documents by file type. When you set up a policy in DLP Network, you can specify the file types that it applies to.

fingerprint A hash value that uniquely identifies all and parts of the text content in a file, a complete exact copy of a file, or the content of a column in a database table row. See database fingerprint and file fingerprint. Compare described content.

fingerprint crawler A component of RSA DLP that locates and fingerprints known sensitive content on an organization’s network. See file crawler and database crawler.

fingerprint file A file containing the set of all fingerprints created by a run of a file crawler or a database crawler and sent to Enterprise Manager for encapsulation in a fingerprinted-content blade.

fingerprinted-content blade A content blade that uses fingerprints of known sensitive content to detect copies of that content in scanned documents and transmissions. See database fingerprinted-content blade and file fingerprinted-content blade. Compare described-content blade.

fingerprinting A content-detection technique for identifying documents and transmissions that match all or parts of known sensitive content stored in an enterprise. See fingerprint and fingerprinted-content blade.

footer See header/footer.

full binary fingerprint A hash value generated by a file crawler and used by a file fingerprinted-content blade to detect a complete and exact copy of a text-based or non-text file.

Glossary 393 RSA DLP 9.6 Network User Guide

full-text fingerprint A hash value generated by a file crawler and used by a file fingerprinted-content blade to detect a complete and exact copy of all of the text in a text-based file.

GLBA The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), Federal legislation that includes provisions requiring financial institutions to protect consumers’ personal financial information. RSA DLP can help customers achieve compliance with GLBA.

group A set of users with common privileges. You can set up user groups in Enterprise Manager.

header/footer In page-based documents, text that appears at the top and bottom of each page, but that is not considered part of the document content. RSA DLP can detect sensitive information in some documents’ headers and footers.

HIPAA The Health Insurance Portability and Accountability Act (Kennedy-Kassebaum bill), Federal legislation that— among other things— seeks to protect personal health information such as medical and insurance records. RSA DLP can help customers achieve compliance with HIPAA regulations.

host name See DNS name.

ICAP Server Internet Content Accessibility Protocol server. A component of DLP network that works with a proxy server (configured as an ICAP client) to monitor or block HTTP, HTTPS, or FTP traffic containing sensitive information.

incident One or more occurrences of an event (policy violation), considered to be severe enough to merit attention by an Enterprise Manager user (such as a compliance officer or security specialist). Each DLP policy defines how its events are converted into incidents.

Incident List The portion of Enterprise Manager that a user accesses to review and take action on incidents.

394 Glossary RSA DLP 9.6 Network User Guide

intellectual property Important, valuable, and possibly confidential information owned by an organization. RSA DLP products can help customers protect against loss or misuse of their intellectual property.

Interceptor In DLP Network, a managed device that intercepts email (SMTP) traffic and supports quarantining and/or rejecting messages that contain sensitive information.

listener In DLP Network, a process in the Sensor.

Lotus Notes ***

managed device In DLP Network, a Sensor, Interceptor, or ICAP Server.

manual remediation An action taken by an Enterprise Manager user (such as a compliance or security officer) in response to an incident. Depending on the DLP product, remediation can include actions such as Quarantine, Delete, Audit, or Encrypt. Compare automatic remediation.

match For a content blade, to detect the presence of sensitive content in a document or transmission being analyzed. If a content blade matches a portion of a document, the match may constitute a policy violation.

maximum [rule] score For a given content-detection rule, the maximum score (number of times the rule is matched in a document times the weight of the rule) that the rule is allowed to contribute to the document score. For a rule that might have a large number of matches in a given document, the rule score can be capped so that it doesn’t overwhelm the scores of other (perhaps more important) detection rules.

May Occur In a described-content blade, a detection rule (detection rule) that—if it is matched in a document—constitutes positive evidence that the document matches the content blade. (However, a match to the content blade could possibly occur even if this rule itself is not matched.) Compare Must Occur, Should Not Occur.

Glossary 395 RSA DLP 9.6 Network User Guide

metadata Data associated with a document but not part of its content—such as Author, Title, Subject, and Keywords. RSA DLP can detect sensitive information in some documents’ metadata.

minimum [document] score The minimum document score (weight times number of occurrences) for a given content blade that a document must have to be subject to a policy action (such as Audit or Quarantine). Compare maximum score.

minimum unique required In a content blade that contains more than one optional (or May Occur) or negative (Should Not Occur) content-detection rule, the minimum number of those rules that must be matched for the blade to be considered matched.

monitor In DLP Network, to track network transmissions for the purpose of detecting policy violations. DLP Network can monitor transmissions passively (with a Sensor) or actively (with an Interceptor).

Must Occur In a described-content blade, a detection rule that (detection rule) must be matched in a document for the document to be considered a match to the content blade. Compare May Occur, Should Not Occur.

Network Controller The component of DLP Network that manages the entire process of sensing or intercepting messages, analyzing them, and taking the appropriate action. The Network controller sends policy information and configuration settings to managed devices, receives events, and forwards results to Enterprise Manager.

network tap In DLP Network, a hardware device that splits or regenerates network traffic between any two network devices. It is the preferred method for installing a DLP Network Sensor on an existing network. Compare switch.

notification email An email automatically sent to an administrator when an incident (policy violation) has occurred.

notification template A customizable template used to generate notification emails.

396 Glossary RSA DLP 9.6 Network User Guide

partial-text fingerprint A hash value generated by a file crawler and used by a file fingerprinted-content blade to detect an exact copy of about one-half of a page of text from a text-based file.

PCI DSS Payment Card Industry (PCI) Data Security Standard, a compliance program designed to reduce loss or misuse of credit-card information. RSA DLP products can help customers achieve compliance with PCI DSS.

permission A capability to view or change some aspect of RSA DLP or its data. You use Enterprise Manager to assign permissions to roles, which can be assigned to individual groups and thence to users.

PII Personally Identifiable Information. Any information (such as Social Security number) that potentially can be used to uniquely identify, contact, or locate a single person. RSA DLP can help customers protect against loss or misuse of PII on their intranets.

policy A set of tests to apply to—and DLP actions to take on—scanned documents, network transmissions, or user actions, based on many factors that are encoded in the policy rules.

policy action An action taken by DLP in immediate response to a policy violation. Many policy actions are automatic remediations (such as quarantining or blocking) of the file or message that caused the violation.

policy definition The set of rules (policy rules) by which a policy is defined.

policy engine The component of a DLP product that performs content analysis on transmissions or documents to determine whether a policy violation has occurred.

Policy Template Library A set of policy templates provided with RSA DLP and available in Enterprise Manager.

Policy Manager A part of Enterprise Manager that allows users to create and administer policies.

policy module See policy.

Glossary 397 RSA DLP 9.6 Network User Guide

policy rule A rule defined when creating a policy. Policy rules consist of detection rules and action rules.

policy template A predefined policy that you can customize to fit your organization’s needs. In RSA DLP, the Policy Template Library includes a range of federal, state, and international regulatory templates, plus commonly used enterprise data-privacy templates.

precision A measure of the correctness of detection of sensitive data during a scan. If all reported detections are true instances of the targeted sensitive data (that is, if there are no false positives), precision is 100%. Compare recall.

preferences Settings that the Enterprise Manager administrator can change to alter how RSA DLP functions. For example, permissions control the maximum allowable total size of fingerprint data, how to handle quarantined email, and whether to use a secure delete (shred).

privilege See permission.

protocol A set of rules for transmission of information over a network. DLP Network can monitor transmissions that use several different protocols (such as HTTP and SMTP).

protocol handler The component of DLP Network that determines which protocol a network message is using and then routes it to the appropriate module that extracts the message content. Compare text converter.

proximity In a document, a window (in number of characters) within which a content blade’s separate detection rules must match for that document to be considered a match for the content blade. For example, if two different rules match in a document (and if two rule-matches are required), the document will not be considered matched if the rule matches are separated by more characters than the proximity value.

398 Glossary RSA DLP 9.6 Network User Guide

publish configuration An administrative function of Enterprise Manager that, following an upgrade installation of Enterprise Manager, distributes the upgraded configuration files from Enterprise Manager to the various DLP components.

Quarantine A DLP Network policy action—to temporarily hold content that violates a security policy, preventing its transmission until it has been reviewed by a designated owner or group. Compare Allow, Audit, Discard, Encrypt. (Requires use of an Interceptor.)

recall A measure of the completeness of detection of sensitive data during a scan. If all actual instances of the targeted sensitive data are detected, recall is 100%. Compare precision.

regex See regular expression.

regular expression A string pattern or template that matches (is a concise description of) a set of strings. Regular expressions are commonly used to find instances of particular substring sets within a larger string (such as a document). DLP content blades can use regular expressions to locate sensitive content.

Regular Expression The portion of Enterprise Manager that allows you Manager to create and edit regular expressions for use in custom content blades.

remediation An action taken in response to an incident or event. RSA DLP supports both automatic remediation and manual remediation.

report A graphical or tabular presentation of incident or event activity. Enterprise Manager includes reporting capabilities and also allows administrators to create custom reports.

Report Manager The component of Enterprise Manager that allows you to create and manage built-in and custom reports.

Glossary 399 RSA DLP 9.6 Network User Guide

risk factor A numeric indication of the level of security risk represented by a given document or network transmission. Risk factor is computed based on quantity and type of sensitive information.

Specifically, risk factor is a normalized (0–100) version of document score, the raw value obtained by applying a content blade’s detection rules to the document.

role A set of privileges or permissions that together describe a type of Enterprise Manager user—such as administrator, compliance officer, or executive. See also group, user.

RSA DLP Datacenter See DLP Datacenter.

RSA DLP Endpoint See DLP Endpoint.

RSA DLP Enterprise See Enterprise Manager. Manager

RSA DLP Network See DLP Network.

rule See policy rule, detection rule, content-detection rule, action rule.

rule score The contribution to document score (a document or message’s raw risk level) provided by a single content-detection rule. The rule score is basically the number of times the rule is matched in the document times the weight of the rule. Rule score is subject to a limit (maximum rule score) assigned by the rule’s creator.

scan-and-tag mode A monitoring mode in DLP Network (when an Interceptor is present) in which messages that violate policy are tagged and noted, but not blocked or otherwise altered. Compare action mode.

sensitive content Content in an organization that should be protected from loss or misuse. RSA DLP detects sensitive content in two ways—as described content (defined in described-content blades) and as fingerprints (defined in fingerprinted-content blades).

400 Glossary RSA DLP 9.6 Network User Guide

Sensor In DLP Network, a managed device that passively monitors traffic leaving the network or crossing network boundaries, supporting detection of messages that contain sensitive information.

severity level A user- or administrator-assigned indication of the seriousness (low, medium, high, critical) of an incident.

Should Not Occur In a described-content blade, a detection rule (detection rule) that—if it is matched in a document—constitutes evidence that the document does not match the content blade. Compare May Occur, Must Occur.

SIEM Security Incident and Event Management. SIEM applications such as enVision enable gathering, analyzing, and using log data for compliance and security purposes.

switch A hardware device that distributes network messages among multiple components (such as computers). It is possible to install a DLP Network Sensor on a switch in an existing network. Compare network tap.

term An individual word or a phrase used as part of the definition of a described-content blade. Dictionaries, regular expressions, and entities can also appear in the definition of a described-content blade.

text conversion The process of converting the file format of intercepted messages or scanned documents to plain text, so that the text content can be analyzed. Compare content analysis.

text converter The module that converts binary file data to text.

text extractor See text converter.

threshold See activity threshold, minimum score.

tracker The DLP Network process that performs content analysis and policy application.

user An individual with access to Enterprise Manager and the DLP products. You can set up users in Enterprise Manager. See also group.

Glossary 401 RSA DLP 9.6 Network User Guide

UNC Universal (or Uniform) Naming Convention, a specification for uniquely naming resources on Windows networks.

URL Universal Resource Locator, the unique HTTP address of a network resource. DLP Network can detect sensitive content in URLs that hold HTML form data.

violation See event.

weight A factor to apply to a detection rule in a content blade. You use weights to make some rules more important than others.

402 Glossary RSA DLP 9.6 Network User Guide

Index

A in DLP Network 19 accuracy in content detection 126 overview 19 activating a policy from the Policy Template precision 127 Library 195 recall 126 Active Policies report 101 risk factor 128, 129 ActiveSync protocol 316 rule score 128 Audit Only (remediation action) 210 score 128, 130 audit records 271 Content Blade Manager 144 automatic remediation 210 content blades 119, 125 Block & Audit 210 See also content analysis, described-content Encrypt & Audit 210 blades, fingerprinted-content blades Quarantine & Audit 210 Content Blade Manager 144 creating 195 B custom 136, 144 binary fingerprints 138, 165 database fingerprinted 139 BIRT reports, importing 287 deleting 146 Block & Audit (remediation action) 210 detection methods used 126 enabled requirement for policies 145, 147 C enabling or disabling 145, 147 CA SB-1386 17 exclusions in 152 chat protocols expert 144 MSN Windows Messenger 332 file fingerprinted 136 Yahoo! instant messaging 333 fingerprinted 135 compiled programs, fingerprinting 138 list of 144 Compliance Summary by Product report 106 list of, in a policy 189, 199 Compliance Summary report 106 logical combinations in a policy 189, 199 components match count 129, 149 upgrading software 284 overview of 125 configuration files policies and 125 importing 283 updating automatically 142 updating 286 Controller status (DLP Network) 298 configuring count the Network Controller 298 in a rule set 152 content analysis in content analysis 130 accuracy of detection 126 crawlers. See fingerprint crawlers count 130 creating document score 128 a content blade 195 false negatives 126 a custom dictionary 177 false positives 127 a database crawler 168 a described-content blade 148, 150, 198

Index 403 RSA DLP 9.6 Network User Guide

a dictionary 196 enabling 151 a file crawler 163 exclusions in 128 a fingerprint crawler 162 maximum rule score 129 a fingerprinted-content blade 148, 158 minimum document score 129 a policy (from a blank form) 195, 197 minimum unique matches 131 a policy (from a template) 217 policies and 198 a regular expression 185, 196 proximity value 130 custom content blades 144 rule sets 131 described 144 URL-specific 133 fingerprinted 136, 144 viewing 147 custom dictionaries 175 weights 128 customizing notifications 120 detect content in URLs (preference) 293 device status details (DLP Network) 299 D dictionaries 152, 174 Dashboard 20, 82, 118 about 175 customizing 88 as a rule type 127 filters 87 creating 196 list of reports 84 creating (custom dictionary) 177 quicklinks 84 custom 175 risk factor gauges 83 deleting 176, 181 updating 87 editing 177, 178, 196 database connection strings 169, 383 editing (custom dictionary) 177, 178 DB2 examples 385 expert 176 Oracle examples 383 importing (reference dictionary) 178 SQL Server examples 384 viewing 176, 177 database crawlers. See fingerprint crawlers viewing (reference dictionary) 178 database fingerprinted-content blades. See Dictionary Manager 175, 180 fingerprinted-content blades directory service. See LDAP database-scan groups disabling connection strings 383 a content blade 145, 147 data-loss prevention (DLP) 17 a policy 194, 197, 201 DB2 database connection strings 385 Discard (remediation action) 46 default role 221, 224 DLP Datacenter Delete File Options (preference) 293 overview (for users) 19 deleting DLP Endpoint a custom content blade 146 overview (for users) 18 a dictionary 176, 181 DLP Enterprise Manager. See Enterprise Manager a fingerprint crawler 162 DLP Network a fingerprinted-content blade 146 See also Network Controller, Sensors, a policy 195 Interceptors, ICAP Servers a regular expression 184 audit records for 272, 273, 274, 275, 276, 277, described content 19, 126 278 described-content blades 19, 126 components of 24 and graphic files 126 configuring 122, 123, 295 and headers/footers 126 content analysis in 19 and metadata 126 Controller status 298 creating 148, 150, 198 device status details 299 detection methods used 127 incidents and events 25 editing 147, 150 managed devices 24, 122

404 Index RSA DLP 9.6 Network User Guide

overview (for administrators) 121 events overview (for users) 18, 22 about 61 policies for 19, 124 audit records for 275 protocol support 23 bulk deleting 266 reports for 26 details 74, 76 status overview 220 purging 195 DLP users. See users searching for 84 document score 128 viewing 61 viewing for a partner device 351 E viewing summary information 74 editing workflow 62 a custom dictionary 177, 178 exact match count 129, 149 a database crawler 168 exchange server a described-content blade 147, 150 enable encryption with Network 319 a dictionary 177, 178, 196 exchange server scanning a file crawler 163 internal emails 319 a fingerprint crawler 161 exclusions (in content blades) 128, 152 a policy 195, 196, 197 expert content blades 144 a regular expression 185, 196 expert dictionaries 176 email notification 337 expert entities 181 email notifications 257 exporting editing a template 259 DLP Data to a SIEM application 253 viewing a template 259 incidents 56 email self-release 46, 293 reports 109 Enable Email Self-release (preference) 293 enabling F a content blade 145, 147 false negatives 126 a policy 194, 197, 201 false positives 127, 128 Encrypt & Audit (remediation action) 210 file attributes 201 Encrypt and Release (remediation action) 46 file crawlers. See fingerprint crawlers encrypted files, detecting 191 file fingerprinted-content blades. See exception for password-protected PST files 191 fingerprinted-content blades encryption file types enable between Network and exchange for event file attributes 205 server 319 list of all supported types 355 Enterprise Manager Fingerprint Crawler Manager 159 Dashboard 20, 118 fingerprint crawlers 140, 159 for administering DLP Network 122, 295 See also fingerprinting, fingerprinted-content for administering RSA DLP 219 blades logging into 20, 118 Advanced tab 162 managing DLP for a partner device 341 configuration requirements for 141 overview (for administrators) 117 creating 162 overview (for users) 20 creating a database crawler 168 session timeout 21, 118 creating a file crawler 163 entities 152 database connection strings 169, 383 as a rule type 128 database crawlers 141, 168 expert 181 deleting 161, 162 enVision 252 editing 161 Event List 63 editing a database crawler 168

Index 405 RSA DLP 9.6 Network User Guide

editing a file crawler 163 total fingerprint size limit 292 file crawlers 140, 163 types of fingerprints 136 Fingerprint Crawler Manager 159 footers. See headers/footers Global Crawler Settings 162 full-binary fingerprints 138, 165 global settings 162 full-text fingerprints 136, 137, 164 of csv files 141 of DB2 databases 141 G of Oracle databases 141 GLBA 17 of SQL Server databases 141 graphic images, fingerprinting 138 running 161, 162 group running a database crawler 173 LDAP group running a file crawler 167 set policy for groups of recipients 208 scheduling 142 groups 119, 235 scheduling a database crawler 172 audit records for 272 scheduling a file crawler 167 creating 237 status 160 editing 236, 237 status of last run 160 role requirement for 235 stopping 161 viewing 236 viewing 161 viewing list of 235 fingerprinted-content blades 19, 135, 136 See also fingerprinting, fingerprint crawlers H basic information for 147 hash values. See fingerprinting Content Blade Manager 144 headers/footers, detecting content in 126, 132, 151 creating 148, 158 HIPAA 17 deleting 146 HTML form data, detecting content in 133 of databases 139 HTTP protocol 122 of files 136 HTTPS protocol 122 policies and 198 structure 136 I types 136 ICAP Servers 24, 122 updating automatically 142 adding 316 viewing info for 147 timeout settings 318 fingerprinting 19, 135 IM chat protocols. See chat protocols See also fingerprint crawlers, importing fingerprinted-content blades a reference dictionary 178 database fingerprints 139 configuration files 283 file fingerprints 137, 139 reports 287 fingerprints (defined) 136 Incident List 28 full-binary fingerprints 136, 138, 165 Incident Management reports 99 full-text fingerprints 136, 137, 164 Incident Remediation Trend report 99 limits 141 Incident Resolution report 85 of compiled programs 138 Incident Status report 83 of databases 141 Incident Summary reports 94 of graphic images 138 Incident Trend - by Incident Type report 97 of ISO images 138 Incident Trend - by Organization report 97 of source code 137 Incident Trend - by Policy report 98 of text-based files 137 Incident Trend - by Severity report 98 partial-text fingerprints 136, 137, 164 Incident Trend - Total Opened report 87 size limits 141 Incident Trend reports 97

406 Index RSA DLP 9.6 Network User Guide

incident-handling rules 201 L incidents 27 LDAP 119, 245 acting on 40 creating a new configuration 246 actions 50 editing configuration settings 245 adding comments to 52 groups 236 and events 27 specify Group for which to apply policy 208 assigning new user 52 users, accessing Enterprise Manager 241 audit records for 276 viewing configuration settings 245 bulk deleting 266 license keys changing severity of 53 entering 281 changing status of 50 viewing 280 changing validity of 53 log access to matched content 198, 254 closing 56 log files deleting 56 audit records 271 details 39, 40 Network Controller 221, 299 exporting 56 system alerts 221 handling an incident 40 login page (Enterprise Manager) 20, 118 incident ID 27 logins, audit records for 274 purging 195 logs reopening 55 matched content searching for 31, 84 download 271 understanding 27 viewing for a partner device 351 M viewing matched content 49 managed devices 24, 122 viewing notifications 49 manual remediation viewing summary information 42 Audit Only 210 viewing workflow history 50 audit records for 277 workflow 28 Discard 46 Incidents by Content Blade report 95 Encrypt and Release 46 Incidents by Host report 104 Release 46 Incidents by Incident Type report 94 self-release 46 Incidents by Organization report 94 match count setting 129, 149 Incidents by Policy report 95 matched content Incidents by Product report 85 audit records for 271 Incidents by Protocol report 104 send to audit logs to SIEM application 254 Incidents by Severity report 85, 96 maximum [rule] score 129, 152 Incidents by Status report 96 May Occur (rule set) 131, 154 Incidents by Top 5 Content Blades report 86 metadata, detecting content in 126, 132, 151, 355 Incidents by Top 5 Policies report 85 minimum [document] score 129, 155 Incidents Trend - Newly Opened report 86 minimum unique matches 131, 154 Interceptors 24, 122 Most Frequent Policy Violations (NW) report 103 adding 308 MSN Windows Messenger 332 downstream MTA 309 Must Occur (rule set) 131, 152 interception modes 310 My Favorite Reports 84, 93 SMTP 309 internal email N exchange server scanning 319 Network Controller 24, 122 IP (intellectual property) 17, 125 audit records for 273 ISO images, fingerprinting 138 configuring 298

Index 407 RSA DLP 9.6 Network User Guide

log files, downloading 221, 299 viewing policy status for 351 Network Event Details password-protected files, handling 191 select files to transmit 306, 312, 319 passwords Network Exchange Scanning 208 for authenticating to email server 265 Network messages for DLP users 240 editing a template 261 for Enterprise Manager login 20, 118 viewing a template 261 PCI (Payment Card Industry Data Security Network. See DLP Network Standard) 17, 125 notification and escalation rules 201 permissions 119, 221, 225 notification email server, configuring 264 phrases (as a rule type) 127 notifications 120 PII (Personally Identifiable Information) 17, 125 about 256 policies 119 email notifications 257 activating from the Policy Template Library 195, email server configuration 264 217 Network messages 259 content blades in 198 templates for 256 content-blade list 189, 199 viewing list of 257 creating for a partner device 348, 350 notification-templates list 257 creating from a blank form 195, 197 NPI (Non-Public Personal Information) 17 creating from a template 217 deleting 195 O editing 195, 196, 197 Open Incidents by Assignee report 101 enabling and disabling 194, 197, 201 Open Incidents by Policy report 102 enabling for a partner device 348 Open Incidents by Severity report 102 importing from a partner device 347 Open Incidents report 101 incident-handling rules 201 operators for combining content blades in a list of 193 policy 189, 199 managing for a partner device 347 Oracle database connection strings 383 Network-specific settings for 19, 201 notification and escalation rules 201 P order (in the policy list) 193 partial-text fingerprints 136, 137, 164 overview of 19, 187 partner devices protocol support (DLP Network) 201 adding 344, 345 reordering (in the policy list) 194 commissioning 344 severity scale for 200 creating a DLP policy for 348, 350 viewing 195, 196 decommissioning 344 viewing status for a partner device 351 details of 343 policy actions 43, 210 DLP policy management 347 policy content detection settings (preferences) 292 editing details 343, 346 policy detection settings (preferences) 293 enabling a DLP policy for 348 policy list 193 Enterprise Manager control of DLP on 341 Policy Manager 193 event management 351 policy permissions 228 importing DLP policies from 347 Policy Violations by Severity (NW) report 103 incident management 351 ports 308 list of 342 precision 127 managing 342 preferences overview 341 delete file options 293 viewing events from 351 detect content in URLs 293 viewing incidents from 351 editing 291

408 Index RSA DLP 9.6 Network User Guide

enable quarantined email self-release 293 adding to My Favorites 91 fingerprint size limit 292 BIRT reports 287 policy content detection settings 292 Compliance Summary 106 policy detection settings 293 Compliance Summary by Product 106 Quarantine Expiration (preference) 293 Dashboard 84 quarantined email settings 293 data filters 112 remediation settings (Datacenter) 293 deleting 91 setting 291 editing 107, 111 viewing 291 emailing (non-scheduled) 108 protocol support (DLP Network) 23 exporting 109 specifying ports for 307 filtering 109 protocols supported filtering by date 110, 112 ActiveSync 316 generating 106 proximity (in content analysis) 130, 155 importing 287 purging incidents and events 195 Incident Management Reports 99 Incident Remediation Trend 99 Q Incident Resolution 85 Quarantine & Audit (remediation action) 210 Incident Status 83 quarantined email settings (preferences) 293 Incident Summary reports 94 quarantined emails Incident Trend - by Incident Type 97 enabling self-release 293 Incident Trend - by Organization 97 expiration 293 Incident Trend - by Policy 98 releasing and discarding 46 Incident Trend - by Severity 98 working with 45 Incident Trend - Total Opened 87 Quarantined Incidents report 102 Incident Trend Reports 97 quicklinks Incidents by Content Blade 95 Dashboard 84 Incidents by Host 104 event searches 84 Incidents by Incident Type 94 incident searches 84 Incidents by Organization 94 Incidents by Policy 95 R Incidents by Product 85 recall 126 Incidents by Protocol 104 Regular Expression Library 152, 183 Incidents by Severity 85, 96 viewing 183 Incidents by Status 96 regular expressions 152, 155, 183 Incidents by Top 5 Content Blades 86 as a rule type 128 Incidents by Top 5 Policies 85 creating 185, 196 Incidents Trend - Newly Opened 86 deleting 184 Most Frequent Policy Violations (NW) 103 editing 185, 196 My Favorite Reports 84, 93 viewing 184 Open Incidents 101 Release (remediation action) 46 Open Incidents by Assignee 101 remediation settings (preferences) 293 Open Incidents by Policy 102 replacement templates Open Incidents by Severity 102 replace sensitive content 338 Policy Violations by Severity (NW) 103 Report Manager 90 printing 109 using 90 Quarantined Incidents 102 report permissions 229 Report Manager 90 reports 81 Risk Trend - Incidents Newly Opened by Active Policies 101 Severity 86

Index 409 RSA DLP 9.6 Network User Guide

saving 108 a fingerprint crawler 161, 162 scheduling 109, 113 synchronizing event data 92 S Top 20 Offending Senders (NW) 104 scheduling Top Incidents by Content Blade 101 a database crawler 172 Top Incidents by Policy 100 a file crawler 167 Top Incidents by Severity 100 score (in content analysis) 128, 130 Top Offenders Network 102 searches Top Recipients 105 for events 84 Top Senders 105 for incidents 31, 84 viewing 106 quicklinks 84 risk factor 128, 129 Select Files to Include in the Network Event gauges 83 Details 306, 312 Risk Trend - Incidents Newly Opened by Severity self-release 46 report 86 enabling 293 RMS sensitive content 17, 125 RMS server, audit records for 278 See also content analysis, content blades RMS template, audit records for 277 sensitive data roles 119, 221, 236 tracking the viewing of 198 assigning to a group 239 Sensors 24, 122 audit records for 273 adding 303 creating 224, 225 BPF 306 default 221, 224 BSD packet filter 306 deleting 224, 225 restrictions on 305 editing 225 session timeout 21, 118 examples 222 severity scale (in a policy) 200 viewing 224 Should Not Occur (rule set) 131, 155 Roles page 223 SIEM application RSA DLP send matched content logs to 254 administering with Enterprise Manager 219 SIEM integration overview of data-loss prevention (DLP) 17 configuring 252 product overviews 18 viewing configuration 252 RSA enVision 252 Site Coordinators See also SIEM integration database crawler host 169 rsahtmlform tag 135 file crawler host 164 rule score 128 SMTP protocol 122 rule sets (in content blades) 131 source code, fingerprinting 137 May Occur 131 SQL Server database connection strings 384 Must Occur 131 status order of evaluation 131 Controller (DLP Network) 298 Should Not Occur 131 device details (DLP Network) 299 rule types overview for DLP 220 dictionaries 127 stopping entities 128 a fingerprint crawler 161 regular expressions 128 system alerts words and phrases 127 configuration 254 running list of 373 a database crawler 173 log file, downloading 221 a file crawler 167 system permissions 226

410 Index RSA DLP 9.6 Network User Guide

T webmail inbox 337 terms 152 weight (in content blades) 128, 152 terms (as a rule type) 127 Whitelisting 143 text fingerprints 136, 164 words (as a rule type) 127 TLS 319 Top 20 Offending Senders (NW) report 104 X Top Incidents by Content Blade report 101 x-headers Top Incidents by Policy report 100 content blade setup to detect 314 Top Incidents by Severity report 100 custom 314 Top Offenders - Network report 102 RSA 310, 313 Top Recipients report 105 Top Senders report 105 Y transmission attributes 201 Yahoo! instant messaging 333 transparent operation 23 Transport Layer Security 319

U updating configurations 286 upgrading components manually 284 URLs detecting content in 133, 293 user groups. See groups users 119, 235 See also run-as users, credentials adding to a group 238 audit records for 272 creating 239 editing 237, 239 LDAP, accessing Enterprise Manager 241 viewing 237 viewing list of 235

V viewing a described-content blade 147 a dictionary 176, 177 a fingerprint crawler 161 a fingerprinted-content blade 147 a policy 195, 196 a reference dictionary 178 a regular expression 184 Network event details 76 Network incident details 39 Regular Expression Library 183

W web notification corporate email 337

Index 411 RSA DLP 9.6 Network User Guide

412 Index