McAfee数据泄漏保护技术解决方案

合集下载

McAfee DLP数据防泄密产品资料

2. 系统代理程序
安装在所有的企业终端中，用于监控和预防数据丢失
3. 漫游用户
通过全面的强制实施，即使是移动便携式计算机上的数据也会受到保护
4. DLP 报告服务器
位于企业网络中，用于从各代理处收集数据
5. 数据指纹服务器/数据库
会对机密数据进行指纹加密，然后将指纹发布给 SIG DLP 设备
法规遵从得到简化
您是否已被法规遵从的分析和核查工作弄得焦头烂额？现在，您可以通过 McAfee DLP 全面的突发事件报告和监控工具，轻松收集重要数据，例如发送人、接收人、时间戳和数据证明。
回报
McAfee DLP 使您完全控制和监视从终端发出的数据，防止数据丢失，同时还避免您的企业成为负面报道的头条。
借助于 McAfee DLP，您可以：简单快捷地监控实时活动；采用集中管理的安全策略来规范和限制员工使用和传输敏感性数据的方式；生成详细的取证报告。而这一切都不会影响您的日常业务活动。McAfee DLP 可以预防通过内部渠道（如电子邮件、IM、CD 刻录、通过 USB 复制以及活动打印）所造成的数据丢失威胁；此外，您还可以避免由木马、蠕虫病毒或文件共享应用程序导致的数据丢失，它们会在员工不知情的情况下窃取其身份凭据，从而恶意获取敏感信息。
全面的保护，业务不受任何影响
即使数据被修改、复制、粘贴、压缩或加密，也能防止数据丢失或泄漏，而合法的业务活动不会受到影响。这款产品可保护 390 多种数据文件。独特的指纹算法和内容标记选项（位置、应用程序、文件类型、正则表达式、关键字及其他内容）加强了数据保护的广度和深度，真正确保了企业数据的安全。
如果能够轻松有效地防止数据丢失，您会不会倍感欣慰？如果同时还能让您确保始终遵从业界和政府法规，这是否更加振奋人心？现在，一切尽在您的掌握之中！

McAfee终端安全技术方案ToPsforSecureBusinessv

McAfee终端安全ToPs for Secure Business 技术解决方案McAfee(中国)公司Tel:2019年9月14日目录1方案概述................................................................................................. 错误！未定义书签。

2***客户信息安全现状及需求分析....................................................... 错误！未定义书签。

2.1网络现状......................................................................................... 错误！未定义书签。

2.2面临的安全威胁............................................................................. 错误！未定义书签。

2.3需求分析......................................................................................... 错误！未定义书签。

3McAfee SRM整体解决方案 ................................................................ 错误！未定义书签。

3.1McAfee SRM安全风险管理解决方案 ......................................... 错误！未定义书签。

3.1.1什么是安全风险............................................................. 错误！未定义书签。

McAfee DLP终端数据防泄密详细介绍_1.2

McAfee终端数据丢失防护解决方案功能介绍版本历史目录一、前言 (3)二、方案介绍 (3)2.1、数据泄漏的渠道广泛 (3)2.2、McAfee的数据防泄漏（DLP）解决方案 (3)三、保护策略介绍 (5)3.1、ePolicy Orchestrator 4.5 控制台中的Host DLP 策略管理器 (5)3.2、定义保护目标 (6)●外接设备控制 (6)●基于位置的保护 (7)●基于应用程序的保护 (8)●基于内容的保护 (8)●基于注册文档指纹的保护 (9)3.3、保护行为定义及举例 (10)●外设控制 (10)●可移动存储保护规则 (11)●WEB发布保护规则 (12)●打印保护规则 (13)●电子邮件发送保护规则 (14)●PDF/图像转换器保护规则 (15)●屏幕捕捉保护规则 (15)●剪贴板保护规则 (16)●文件系统保护规则 (16)●网络通信保护规则 (17)3.4、策略分配 (18)●基于用户分配 (18)●基于计算机分配 (18)3.5、审计报告过滤 (19)一、前言为了让您更好的认识企业数据保护的重要性，以及如何保护企业核心数据，避免数据泄漏事件的发生，本文档将对McAfee终端数据防泄密解决方案进行举例介绍，希望可以借助本文档让您借助McAfee寻找到适合于您企业的数据保护方法。

二、方案介绍2.1、数据泄漏的渠道广泛无论是黑客攻击，还是内部人员故意泄漏，数据泄漏的途径由以下三个途径组成：1、物理途径——从桌面计算机、便携式计算机和服务器拷贝数据到USB，光驱和移动硬盘等移动存储介质上；通过打印机打印带出公司或者通过传真机外发。

功能介绍2、网络途径——通过局域网、无限网络、FTP、HTTP发送数据，这种方式可以是黑客攻击“穿透”计算机造成，也可能是内部员工有意或无意从计算机上外发，造成泄密。

3、应用途径——通过电子邮件、IM即时、屏幕拷贝，P2P应用或者“间谍程序”窃取信息。

企业DLP数据安全保护解决方案

• Educate users in real time
• Prevent confidential data loss
• Enforce policies anywhere
• Framework for policy authoring and tuning
MANAGE
• Detect content accurately
Minimum 256 MB RAM
18
Performance Statistics
• Network Monitor: 1Gb/sec (using an Endace card for >350 Mbps on Windows or >650 Mbps on Linux)
• Network Prevent (Email): 20 emails/sec
企业DLP数据安全保护解决方案
1
Agenda
为什么需要DLP？什么是DLP？赛门铁克是怎么做的？
2
为什么需要DLP？
内部员工或合作伙伴带来合规要求
的威胁
• 法律法规可能带来的罚款
• 引起了大多数数据泄漏事件
• 名誉损失
• 68% 的事件是由于员工的疏忽大 • HIPAA, PCI, SOX, Gramm-Leach-
Recommended: 500GB,
Recommended: 140 GB Ultra-fast SCSI
Recommended: 140 GB Ultra-fast SCSI
Recommended: 1.5 GB Available disk space
Microsoft Windows Server 2008 Standard and Enterprise Microsoft Windows Server 2012 Standard, Enterprise, and Data Center Red Hat Enterprise Linux 5.8, 5.9, 5.10, 5.11, 6.4, 6.5, 6.6 VMware ESX 4.x and later (not supported for DLP Network Monitor)

McAfee终端加密技术方案CDB 2020

XXXX加密技术解决方案目录1项目概述 (4)1.1项目背景 (4)1.2全硬盘加密建设需求 (4)2McAfee 加密组件介绍 (5)2.1McAfee公司简介 (5)2.2McAfee Drive Encryption产品介绍 (5)3测试环境 (7)3.1系统要求 (7)3.2加密硬件兼容性以及支持硬盘模式 (8)3.3测试拓扑 (8)4测试场景展现 (10)4.2ePO服务器 (10)4.2.1集中管理 (10)4.2.2群集说明 (11)4.3更改登入Logo (11)4.4Windows域用户实现单点登录 (12)4.5Windows非域用户单点登录 (14)4.6取消McAfee认证界面 (14)4.7Mac系统的全盘加密 (15)4.8系统恢复 (17)4.8.1Windows加密系统恢复 (17)4.8.2Mac加密系统恢复 (18)4.9USB存储加密 (19)5McAfee加密系统性能 (22)6代理部署场景 (23)6.1Windows代理部署 (23)6.2Mac OS X代理部署 (23)6.3部署方式对比 (24)7加密流程解析 (25)8项目实施培训 (26)9.1实施人员 (26)9.2实施阶段 (27)9.2服务方案 (28)9.2.1 McAfee服务等级介绍 (28)1 项目概述1.1项目背景XXXX公司目前大部分员工都配有笔记本电脑,出差频繁,存在笔记本电脑丢失的风险。

并且笔记本电脑存有大量公司机密文件，一旦丢失的笔记本电脑被外部人员破解，机密文件被他人获取会造成公司巨大损失。

员工携带笔记本电脑外出为正常业务需求，笔记本电脑由于自身的便携性，丢失的风险不可避免。

为防止丢失的笔记本电脑里的数据遭到他人获取，需要使用技术手段保证未经授权的访问不可读取存储在笔记本电脑中的数据。

全磁盘加密技术从磁盘底层进行加密，保证在未解密的情况下，任何未经授权的访问都不可读取磁盘内的信息。

McAfee数据保护---端点加密解决方案

McAfee端点加密
全硬盘加密（Device Encryption）
.DOC
.XLS
.APPS
1
Lorem ipsum dolor sit amet Lorem ipsum dolor sit amet
文件/应用程序
1
对于被授权的用户和应用程序，文件是全文本格式并且具有完全的可见性
2
操作系统
2
文件被转换成为扇区格式
SafeBoot® practically runs on any computer that runs Windows!
Well diversified enterprise customer base 36% of the world's top 50 companies are SafeBoot’s customers*
Microsoft PKI Entrust PKI Active Directory Novell NDS LDAP
SafeBoot® Admini Recovery
How do I get my Password back? • Secure offline Challenge/Response Password Recovery
SafeBoot® CE – The Document is Encrypted
Minimum System Requirements
SafeBoot® Server:
•
Operating System: WinXP, Win2003 Server, Windows Vista
• Memory: 512MB • Disk-Space: 200MB
Synchronizing local machine with database database = SafeBoot Server checking for machine configuration updates checking for Windows logon updates checking for screen saver updates checking for user updates checking for file updates checking for hash updates transferring audit information finished synchronization Shutting down SafeBoot Configuration Manager

McAfee信息安全技术解决方案

McAfee信息安全技术解决方案录1方案概述62安全需求分析82、1存在的安全风险82、1、1系统终端面临的安全威胁82、1、2网络上存在的安全威胁92、1、3现有安全产品的不足92、1、4安全管理问题102、2需求分析102、2、1在系统层面102、2、2 在网络层面112、2、3整体解决方案113McAfee SRM整体解决方案123、1方案设计原则123、2McAfee SRM安全风险管理解决方案123、2、1什么是安全风险123、2、2McAfee SRM安全风险管理133、2、3安全风险管理体系的实现163、3McAfee SRM 的实现 183、3、1 McAfee SRM 部署步骤 183、3、2McAfeeSRM 部署的产品194McAfee TOPS 及MNAC 的部署204. IMeAfee TOPS的部署204、1、lePO的部署204、1、2防病毒客户端VSE8、5i 及Anti-Spyware8、5的部署224、1、3McAfee HIPS7、0的部署234、1、4SiteAdvisor 的部署 244、1、5部署架构图244、2MNAC的部署254、3部署后的维护建议284、3、1制定严格的病毒防治规范294、3、2建立快速、有效的病毒应急体系304、3、3加强计算机安全培训304、3、4建立动态的系统风险评估措施314、3、5建立病毒事故分析制度314、3、6确保恢复，减少损失314、3、7加强技术防范措施315McAfee IntruShield的部署335、1、1 McAfee IntruShield 系统功能 335、1、2方正证券IntruShield部署方案355、1、3IntruShield产品系列376方案优势386、1TOPS产品特点386、k 1TOPS集中管理服务器ePO386、1、2McAfee VirusScan Enterprise8、5i406、1、3主机入侵防护HIPS7、0446、1、4MNAC (McAfee Network Access Control) 476、2IntruShield 产品优势 486、2、1检测及防御功能496、2、1、1网络攻击特征检测496、2、1、2 异常检测506、2、1、3DoS/DDoS 攻击防御506、2、1、4 入侵防护功能516、2、2实时过滤蠕虫病毒和Spyware间谍程序536、2、3 虚拟IPS536、2、4灵活的部署方式546、2、5具备风险识别的入侵防御566、2、6內置Web安全保护576、2、7永远在线的管理平台576、2、8SSL加密攻击检测586、2、9领先的虚拟內部防火墻586、2, lOMcAfee IntruShield所获最新国际奖项597华东地区金融证券典型案例607、1上海交通银行607、2上海浦发银行647、3上海证券交易所667、4最新案例上海银联681方案概述McAfee作为全球最大的专业安全厂商，为全球100多个国家提供业界领先的基于动态安全风险管理的安全整体解决方案，其最大的特点是：以安全风险的控制为基础，实时地了解安全风险变化的原因，并且结合先进的系统防御和网络防御解决方案，帮助客户及时消除各类安全威胁，建设主动的防御体系和完善的风险管理流程。

信息安全数据泄露的预防与应对措施

信息安全数据泄露的预防与应对措施在当今这个信息化高度发展的时代，信息安全问题日益凸显，尤其是数据泄露事件频发，给企业和个人的利益带来了极大损失。

为了保护企业和个人的信息安全，本文将从专业角度分析信息安全数据泄露的预防与应对措施。

一、数据泄露的常见途径数据泄露的途径多种多样，主要包括：内部人员泄露、外部攻击、设备损坏、非法访问等。

针对这些途径，我们需要采取相应的预防措施。

二、预防数据泄露的措施1.加强内部人员管理：对内部人员进行信息安全培训，提高他们的安全意识，防止因操作失误或恶意行为导致数据泄露。

2.完善信息安全制度：建立健全信息安全制度，对数据的访问、传输、存储等环节进行严格控制，确保数据安全。

3.加强网络安全防护：采用防火墙、入侵检测系统等安全设备和技术，防止外部攻击者入侵企业网络。

4.加密敏感数据：对敏感数据进行加密处理，即使数据泄露，也能保证数据的安全性。

5.定期备份数据：定期对重要数据进行备份，防止数据因设备损坏等原因丢失。

6.限制数据访问权限：根据员工的工作职责，合理分配数据访问权限，避免无关人员接触到敏感数据。

7.加强设备管理：对企业的计算机、移动存储设备等进行管理，防止非法携带敏感数据外出。

三、应对数据泄露的措施1.及时发现泄露：建立数据监控系统，实时监控企业数据流动，一旦发现异常，立即采取措施。

2.立即采取应急措施：在发现数据泄露后，立即启动应急预案，对泄露的数据进行封堵、清理。

3.评估泄露影响：分析数据泄露的范围和影响，评估可能的损失，制定相应的补救措施。

4.通知相关方：及时通知涉及数据泄露的企业和个人，告知他们采取措施保护自身信息安全。

5.加强信息安全防护：在应对数据泄露的过程中，总结经验教训，加强企业的信息安全防护能力。

6.依法追责：对于恶意泄露数据的行为，依法予以追究，严惩泄露者。

通过上述预防措施和应对措施的实施，可以有效降低数据泄露的风险，保障企业和个人的信息安全。

然而，信息安全是一个长期、动态的过程，需要企业和个人时刻关注信息安全动态，不断调整和优化安全策略，才能确保信息安全。

McAfee数据保护---端点加密解决方案

Simple Architecture
SafeBoot Client SafeBoot Client
Dynamic IP address Listening Port: 5556 (configurable)
Dynamic IP address Listening Port: 5556 (configurable)
Financial Services / Insurance Technology Manufacturing Telecoms / Utilities Business Services and Consulting Retail Healthcare
Note: * Based on Forbes Global Top 2000 list as of 2007
Windows Boot Up
SafeBoot Client Agent starts
Load User Profile
SB Client tries contacting the SafeBoot Server
SafeBoot® on the PC/Laptop

Client Boot Sequence
SafeBoot PreBoot Screen
Username: Jiexin256 Password: *******
Authentication takes place
SafeBoot Key loaded
SafeBoot loads Original MBR
Microsoft PKI Entrust PKI Active Directory Novell NDS LDAP
SafeBoot® Administration

McAfee HDLP数据防泄漏方案

虫和文件共享应用程序等导致的机密数据丢失，这
类威胁会在员工不知情的情况下窃取员工的数据。
系统要求
功能
对终端设备提供的多层保护
McAfee ePO 服务器操作系统 • Microsoft Server 2003 SP1、
Microsoft Server 2003 R2
无与伦比的保护 • 控制用户通过网络、应用程序和存储设备发
McAfee DLP Endpoint 只是全面数据保护解决方案的一部分。McAfee Total Protection™ for Data 将 McAfee DLP Endpoint 和 McAfee Endpoint Encryption 相结合，提供了一套更加全面的数据保护解决方案。
等。同时，该解决方案还能帮助您预防木马、蠕
送、访问和打印敏感数据的方式。保护电子邮
• 通过监控并防范针对企业最敏感数据的高风险用户行为，基于主机的防护可以防止数据通过企业的终端设备泄漏出去
桌面机和笔记本电脑终端操作系统
• Microsoft Windows XP • Professional SP1 或更高版本 • Microsoft Windows 2000 SP4 或更高版本
• 全面监控 - 向审计人员、高级管理人员和其他利益相关者证明遵从了内部安全策略和相关法规
打印等常见渠道可能成为数据丢失的途径，不管是无意还是恶意都可能会给您带来
0 数以百万计的成本损失。
451 防止数据丢失应做到防患于未然
全面的保护，业务不受任何影
60 每天都会有与您企业类似的公司因信息被恶意或借助该解决方案，即使数据被修改、复制、粘贴、
借助于 McAfee DLP Endpoint，您可以：简单快成为负面新闻报道的主角。

赛门铁克平板电脑的数据泄露防护解决方案

赛门铁克平板电脑的数据泄露防护解决方案
佚名
【期刊名称】《个人电脑》
【年(卷),期】2011(17)12
【摘要】赛门铁克公司宣布，计划推出针对平板电脑的全新数据泄露防护解决方案（Symantec Data Loss Preventionfor Tablet），这是业界首个专门用于监控和保护平板电脑中敏感信息的全面数据泄露防护（DLP）解决方案。

【总页数】1页(P81-81)
【正文语种】中文
【中图分类】TP393.08
【相关文献】
1.赛门铁克推出全新的入侵检测与防护解决方案 [J],
2.赛门铁克为LotusNotes／Domino数据库推出病毒防护综合解决方案 [J],
3.赛门铁克证券行业数据防泄露案例 [J],
4.数据丢失防护:无法回避的信息安全问题——访赛门铁克公司DLP解决方案全球高级主管Ken Kim [J], 李勇
5.赛门铁克推出数据丢失防护全新解决方案DLPv.10 [J], 陈冬雨
因版权原因，仅展示原文概要，查看原文内容请购买。

数据库防火墙：维护数据安全的坚实堡垒

数据库防火墙：维护数据安全的坚实堡垒作者：安华金和“CSDN泄密事件”、“小米用户账号信息曝光”、“Facebook数据泄”和“12306网站用户泄密事件”，“携程网数据库数据恶意删除”……触目惊心的数据泄漏事件一件接一件层出不穷。

由数据库安全原因爆发的安全问题越来越多，引起政企事业单位和社会的极大关注与反思。

当前信息化安全时代，以数据库为基础的信息系统在金融、保险、医疗、通讯等领域的基础设施建设中都得到了非常广泛的应用。

在这一新的网络环境下，因为信息的易获取性，包含在数据库系统中的关乎商业机密、个人隐私等涉密信息将面临更多的安全威胁。

想要保证信息系统的安全，就应该先防御信息系统的服务器漏洞、操作系统漏洞和网络传输入侵数据库。

其中，对于网络非法入侵数据库，就可以通过数据库防火墙来防御。

数据库防火墙作为信息系统安全体系的基础和核心控制设备，贯穿于受控网络通信主干线，它对通过受控干线的任何通信行为进行安全处理，同时也承担着繁重的通信任务。

由于传统边界防御安全产品和解决方案采用的都是被动防御的技术，不能够从根本上解决数据库数据所面临的安全威胁和风险，解决数据库安全需要专用的数据库安全设备从根本上解决数据安全问题。

所以，目前很多企业在选择安全产品的时候，首选的也是数据库防火墙。

一. 数据库防火墙与传统安全防护产品的区别1.1 传统防护模式IDS/IPS的局限IDS和IPS都是基于IP的防护手段。

IDS核心功能在于发现异常行为，而IPS与之对应是阻断异常行为。

无论是IDS还是IPS，核心的部分在于识别入侵。

主流IDS/IPS产品识别的依据通常是特征库。

一些IDS/IPS厂商试图在其产品中增加数据库攻击特征指纹，并声称能保护数据库。

但是事实上这些通用的IDS/IPS无法为数据库提供真正的保护。

主要原因在于数据库服务器与其他类型服务器不同，是高度复杂的服务器，采用丰富的交互式语言和复杂协议。

IDS/IPS如果试图采用同样机制将传统的处理方法照搬到数据库，显然是行不通的。

McAfee Total Protection for Small Business解决方案

McAfee Total Protection for Small Business 解决方案为您的企业提供不间断的、及时更新的单一防护解决方案新的威胁每天层出不穷。

垃圾邮件、网络钓鱼诈骗、病毒和黑客能够窃取您的宝贵数据并破坏您的网络。

如果不持续更新，您的病毒防护和安全软件将形同虚设。

要保持您的中小型企业安全防护不断更新，就需要能够防范所有已知和未知威胁的总体防护方法。

总体防护意味着不间断、随时可用和及时更新的全面安全解决方案-不仅在办公室是这样、在远程状况下也同样如此。

McAfee 为中小型企业提供了业界首次推出的真正的集成系统安全解决方案，这些价格合理的解决方案可由单一控制台进行管理。

McAfee Total Protection for Small Business 和Total Protection for Small Business - Advanced 是作为 McAfee托管的单一解决方案提供的。

可以防范各类威胁，从病毒、间谍软件和垃圾邮件到黑客和身份信息盗用等。

成熟的技术借助成熟的技术，McAfee的这两套解决方案可以轻松简化您的安全管理：→通过单一易用、基于Web的管理和报告控制台 - McAfee SecurityCenter 来实现集中管理→除了 Outlook 应用程序提供的基本电子邮件保护功能以外，集成的桌面机和文件服务器病毒防护和反间谍软件功能也可自动保护您的系统免受已知威胁和潜在的恶意程序的侵扰→桌面机防火墙在您的重要数据和恶意入侵之间建立了一道即时的屏障→先进的电子邮件垃圾邮件防护和病毒防护服务可以提供及时的电子邮件防护更新，以提高可用性并确保业务连续性→借助病毒防护和内容过滤功能，先进的电子邮件服务器防护通过一套解决方案实现出色的安全防护Total Protection for Small Business 或Total Protection for Small Business - Advanced是单一的、集成的软件服务。

迈克菲公司推出新一代数据丢失防护(DLP)解决方案

，（
迈克菲数据丢失防护技
、
平台为所有组件
数据库检索和简化工作的支持
，
流提供
一
个通用策略
并提高针对微软活动目录
，
。
凭借盘
、
独特的数据分析技术
迈克菲数据丢失防护技术能够提供全面的数据保护
■
术通过提供行业领先的数据保护能力
，
改变了这种局面
现在
、
，
企业的数据安全需求能
。
同时无须花费巨额成本进行无休止的咨询
测试和错误调试
‘
发布圣天诺的软件安全授权
月
日
，
实现虚拟环境下
正式发布其新
。
涵盖
防火墙及其它多种设备
要企业数据的曰益重视够得到充分满足
不断出合的政府和行业规范
，
，
以及企业对保护产品计划
、
财务记录和知识产权等重
。
使得数据丢失防护
，
市场发展迅速
。
迈克菲数据丢失防护技
綱户在雌
通过对
序列号和虚拟机网卡的双重绑可以为用户提供在虚
。
定
况
，
软件开发商可以有效控制应用程序在虚拟环境下的使用情

McAfee的DLP数据防泄漏最佳实践

McAfee Host Data Loss Prevention Best Practices:Protecting against data loss from external devicesCOPYRIGHTCopyright©2009McAfee,Inc.All Rights Reserved.No part of this publication may be reproduced,transmitted,transcribed,stored in a retrieval system,or translated into any language in any form or by any means without the written permission of McAfee,Inc.,or its suppliers or affiliate companies.TRADEMARK ATTRIBUTIONSAVERT,EPO,EPOLICY ORCHESTRATOR,FLASHBOX,FOUNDSTONE,GROUPSHIELD,HERCULES,INTRUSHIELD,INTRUSION INTELLIGENCE, LINUXSHIELD,MANAGED MAIL PROTECTION,MAX(MCAFEE SECURITYALLIANCE EXCHANGE),MCAFEE,,NETSHIELD, PORTALSHIELD,PREVENTSYS,PROTECTION-IN-DEPTH STRATEGY,PROTECTIONPILOT,SECURE MESSAGING SERVICE,SECURITYALLIANCE, SITEADVISOR,THREATSCAN,TOTAL PROTECTION,VIREX,VIRUSSCAN,WEBSHIELD are registered trademarks or trademarks of McAfee,Inc. and/or its affiliates in the US and/or other countries.McAfee Red in connection with security is distinctive of McAfee brand products.All other registered and unregistered trademarks herein are the sole property of their respective owners.LICENSE INFORMATIONLicense AgreementNOTICE TO ALL USERS:CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE.IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED,PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE(AS A BOOKLET, A FILE ON THE PRODUCT CD,OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE).IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT,DO NOT INSTALL THE SOFTWARE.IF APPLICABLE,YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.License AttributionsRefer to the product Release Notes.ContentsProtecting against data loss from removable devices and file systems (4)Device control (4)Content protection rules (6)Examples (8)Use case:Blocking wireless communication (8)Use case:Making all USB removable storage read-only except authorized devices (10)Use case:Blocking files containing personal identity information (11)Use case:Blocking files created by a GIS application (13)Use case:Disabling all CD/DVD burners from writing (14)Protecting against data loss from removable devices and file systemsThe purpose of this document is to provide a brief overview of ways to protect against dataloss and to walk you through several use cases and best practices for data loss protection.ContentsDevice controlContent protection rulesExamplesDevice controlMcAfee Host Data Loss Prevention software protects enterprises from the risk associated withunauthorized transfer of data from within or outside the organization.Data loss is defined asconfidential or private information leaving the enterprise as a result of unauthorizedcommunication through channels such as applications,physical devices,or network protocols.Memory sticks are the smallest,easiest,cheapest,and least-traceable method of downloadinglarge amounts of data,which is why they are often considered the"weapon of choice"forunauthorized data transfer.McAfee Device Control allows monitoring and controlling externaldevice behavior based on the device attributes rather than the content being ingMcAfee Device Control,devices attached to enterprise computers,such as smart phones,removable storage devices,Bluetooth devices,MP3players,or Plug and Play devices,can bemonitored,blocked,or configured to be read-only.There are two types of device control rules available in McAfee Device Control:•Plug and Play device rules•Removable storage device rulesPlug and Play device rulesPlug and Play device rules work on the device driver level,and can be used to block and monitordevices.Whenever a new device is plugged into the computer,McAfee Device Control will matchthe new device attributes against the device attributes defined in the Plug and Play device rule.If a match is found,McAfee Device Control will perform the action(block/monitor/notify user)defined by the device rule.Plug and Play device rules are used to restrict the use of peripheraldevices such as Bluetooth adapters and modems.Although Plug and Play device rules can alsobe applied to removable storage devices,McAfee does not recommend using them for suchdevices.Pros and cons of Plug and Play device rulesPros:Device control•Allow for blocking any type of device.•Block devices at a very low level,before the driver has a chance to load.•Allow for easy blocking of entire device classes and bus types(such as"block all USB"). Cons:•The device blocking is based only on the device attributes and does not inspect content.•Can only block or monitor.Cannot make a device read only.Recommended use cases:•Block all Bluetooth adapters and modemsThe enterprise wants to restrict end users from using Bluetooth and modem communication to transfer data.•Block all Wireless communicationThe enterprise wants to restrict end users from using wireless communication while connected to the corporate network.See Use case:Blocking wireless communication.Removable storage device rulesRemovable storage device rules are used for blocking and monitoring removable storage devices such as flash drives,MP3players,and external hard drives.They can block,monitor,or configure the removable storage to read-only.Whenever a new removable storage device is plugged into the computer,McAfee Device Control will match the new device attributes against the device attributes defined in the removable storage device rule.If a match is found McAfee Device Control will perform the action defined by the device rule.Removable storage device rules work on the file system level,and allow for more flexibility than Plug and Play device rules.For example,the removable storage device rule can match a device based on its file system type(NTFS,FAT32)or file system volume label.In addition,they provide more accurate device names.For example an iPod is recognized by the Plug and Play mechanism as USB mass storage device,whereas the removable storage rule recognizes it as Apple iPod, which is more meaningful.(This description fits older iPods.The iPod Touch is recognized as a Windows Image Acquisition device.)McAfee recommends using removable storage device rules,rather than Plug and Play device rules,to control all devices that provide removable storage,such as USB mass storage devices, Flash Drives("Disk on Key"),and CD\DVD.NOTE:Since Plug and Play device rules are applied on the device driver level,they are applied before removable storage device rules.The implication is that if a removable storage device is blocked by both types of rule,the removable storage device rule will not be applied.Pros and cons of removable storage device rulesPros:•Allow read-only mode for removable storage devices.•Allow for greater flexibility for device matching(file system type,volume label).Cons:•The device blocking is based only on the device attributes and does not inspect content. Recommended use cases:•Make all USB removable storage read-only except authorized devices.An enterprise has purchased a specific brand of encrypted flash drive and would like to restrict the use of any other flash drive.See Use case:Making all USB removable storage read-only except authorized devices.•Disable all CD/DVD burners from writing.The enterprise wants to restrict engineering end users from using CD/DVD burners to writeCDs.McAfee Device Control is not able to analyze the content written to CD/DVD thereforeremovable storage device rules should be used.See Use case:Disabling all CD/DVD burnersfrom writing.Content protection rulesUnlike device control functionality that blocks the entire device,content protection rules protectindividual files based on their content.When a file is copied to a network shared folder or aremovable storage device McAfee Host Data Loss Prevention performs deep content analysisto classify the content,and performs one(or more)of the following actions:•Block—Moves the file to the local quarantine folder and deletes its content from the removable storage.This action is not available for network shared folders.•Monitor—Sends an incident event to the Host DLP(in version3.0,the ePolicy Orchestrator) database for monitoring and case management.•Store Evidence—Stores the original file that was copied so it can be viewed in the Host DLP Monitor.•Notify user—Shows a popup to the end-user as notification of the action that was performed.•Encrypt—Encrypts the file using McAfee Endpoint Encryption.This action is available in McAfee Host Data Loss Prevention software version3.0.Removable storage protection rulesRemovable storage protection rules allow for blocking and monitoring of individual files beingwritten to removable devices according to file attributes and their content classification.Whena file is copied to a removable storage device,the Host DLP Agent inspects,analyzes,andclassifies the file content,and if the file classification matches one or more of the removablestorage protection rules,the agent will apply the action defined in the rule.Host DLP provides several content classification techniques,including:•Regular expression matching•Keyword•Application that created or edited the file•Current storage location•Where the file is being copied to.McAfee recommends using removable storage protection rules whenever an enterprise allowsuse of removable storage devices,but wants to restrict(or monitor)the data that is written tothem.Pros and cons of removable storage protection rulesPros:•Allow blocking individual files according to their content and attributes,rather than block the entire device.Cons:•McAfee Host Data Loss Prevention software uses CPU resources to analyze every file copied to removable media.Recommended use cases:•Block copying of files containing personal identity information(PII).There are many forms of PII:Social Security Number(SSN),driver's license number,National Identification Number,and so on.McAfee Host Data Loss Prevention contains pre-defined regular expression patterns(Secured Text Patterns)that can be used to create these rules.See Use case:Blocking files containing personal identity information.NOTE:McAfee Host Data Loss Prevention software version3.0introduces regular expression validators to reduce false positives.•Blocking copying of files created by a Geographic Information System(GIS)application to removable storage.Certain applications create files that contain binary information that cannot be content inspected.McAfee Host Data Loss Prevention software provides a unique technology to classify content based on the application that creates or edits the file.See Use case:Blocking files created by a GIS application.By creating application-based tagging rules the Host DLP Agent can tag any file that is created by a GIS application.This tag can then be used in removable storage protection rules to block or monitor copying of GIS files to removable storage.Network file system protection rulesNetwork file system protection rules are very similar to removable storage protection rules,but they apply to the Windows network file system(shared folders)rather than devices.They support monitoring files copied to a defined Windows share,but it do not support blocking the copy operation.McAfee Host Data Loss Prevention software version3.0introduces the ability to encrypt files that are copied to the network,to enforce compartmentalization policies,using McAfee Endpoint Encryption.Recommended use cases:•Monitor all files containing credit card numbers being copied to public folders on a file server.Many organizations provide public folders for file sharing on the network.Reckless users can copy sensitive files to these ing McAfee Host Data Loss Prevention you can create a network file system protection rule to Monitor,Notify User,and Store Evidence for every file that contains sensitive information,such as credit card numbers,when copied to the public folder on the network.Ideally,such files should also be encrypted.•Compartmentalization(available in McAfee Host Data Loss Prevention software version3.0 using McAfee Endpoint Encryption integration)Assume your organization has an engineering group,a finance group,and a sales group.You can use the McAfee Host Data Loss Prevention software version3.0and McAfee Endpoint Encryption integration to generate three encryption keys—FINANCE_KEY,ENGINEERING_KEY and SALES_KEY.Each key is available only to members of that group to unlock ing these keys in network file system protection rules can ensure that every sensitive file that is copied to a network shared folder will be properly encrypted,and visible only to authorized users.ExamplesThe following examples demonstrate the techniques discussed in the text.ExamplesUse case:Blocking wireless communicationUse case:Making all USB removable storage read-only except authorized devicesUse case:Blocking files containing personal identity informationUse case:Blocking files created by a GIS applicationUse case:Disabling all CD/DVD burners from writingUse case:Blocking wireless communicationAssume an organization wants to restrict end users from using wireless communication whileconnected to the corporate network.With McAfee Device Control it is possible to define a policythat differentiates between users who are online(connected to the corporate network)andthose who are offline.The following example shows how to block wireless adapters while auser is connected to the corporate network.Example1In the Navigation Bar under Device Management,select Device Definitions.2Right-click in the device definitions panel,and click Add New|Plug and Play Device Definition.Type Wireless Network Adapters to rename,and press Enter.3Double-click the device definition to edit it.Select Device Class,then select Network Adapters and click OK.4Select Device Name.The definition parameter edit dialog box appears.5Click Add New and type wireless into the text box.Select the Allow Partial Match option.6Click Add New and type wlan into the text box.Select the Allow Partial Match option.7Click Add New and type802.11into the text box.Select the Allow Partial Match option.Click OK twice to complete the definition.8In the Navigation Bar under Device Management,select Device Rules.9Right-click in the device definitions panel,and click Add New|Plug and Play Device Rule.Type Block wireless network adapters when online to rename,and press Enter.10Double-click to edit the rule.Select Wireless Network Adapters in the Include column.Click Next.11Select Block,Monitor,and Notify User.12For each action,deselect the Offline option.Click Finish .Use case:Making all USB removable storage read-only except authorized devicesAssume an organization that purchased a specific brand of encrypted flash drives and wouldlike to restrict the use of all other flash drives.Example1In the Navigation Bar under Device Management ,select Device Definitions .2Right-click in the device definitions panel,and click Add New |Removable Storage Device Definition .Type USB Removable Storage to rename,and press Enter .3Double-click the device definition to edit it.Select Bus Type ,select USB and click OK .4Right-click in the device definitions panel again,and click Add New |Removable Storage Device Definition .Type McAfee Encrypted USB Devices to rename,and press Enter .5Double-click the device definition to edit it.Select Bus Type ,select USB Vendor ID/Product ID and click Add New .The definition paramete edit dialog box appears.6Click Add New to add each of the following devices:Description Product ID Vendor IDMcAfee Standard Encrypted USB 022A 1A4BMcAfee Standard Driverless Encrypted USB 32201A4BMcAfee Zero-Footprint Bio32001A4BDescriptionVendor IDProduct ID35001A4BMcAfee Zero-Footprint Non-Bio34001A4BMcAfee Encrypted USB Hard Disk TIP:Use the mouse to select the Product ID and Description text boxes.7In the Navigation Bar under Device Management,select Device Rules.8Right-click in the device definitions panel,and click Add New|Removable Storage Device Rule.Type Block all USB except McAfee to rename,and press Enter.9Double-click to edit the rule.Select USB Removable Storage in the Include column, and select McAfee Encrypted USB Devices in the Exclude column.Click Next.10Select Monitor,Notify User and Read Only.Click Finish.Use case:Blocking files containing personal identity informationThe following example shows how to create a content-based tagging rule that will tag any filecontaining a social security number,and how to create a removable storage protection rulethat will prevent copying these files to removable storage.Example1In the Navigation Bar under Rules,select Tagging Rules.Right-click in the tagging rules panel,click Add New|Content Based Tagging Rule,and type SSN Tagging Rule torename the rule.2Double-click the rule to edit it.From the pre-defined list of secured text patterns,check Social Security Number.Click Next.3On the tags page,click Add New,type SSN Tag in the Name text box,click OK,then Finish.4In the Navigation Bar under Rules,select Reaction Rules.Right-click in the panel,click Add New|Removable Storage Protection Rule,and rename it Block PII copied toremovable storage.5Double-click the rule to open the wizard.You can skip all of the steps except the following:a On the tags page,select the SSN tag created in step4.b On the actions page,select Block,Monitor,Notify User,and Store Evidence.Use case:Blocking files created by a GIS application The following example shows how to create an application-based tagging rule that will tag anyfile that is created or edited by a Geographic Information System(GIS)application,and howto create a removable storage protection rule that will prevent copying GIS files to removablestorage.Example1In the Navigation Bar under Applications,select Enterprise Applications List.2Right-click in the application list panel,and click Add.Browse to the GIS application executable,then click Open.Note the exact executable name.You will need it in the nextstep.Click Add,then Close.3In the Navigation Bar under Applications,select Application Groups.Right-click in the panel,and click Add New|Application Group.Type GIS Applications in the Name textbox and press Enter.4Double-click the GIS Applications group.Browse to the name of the vendor and select it.Click the plus sign next to the name to view the details.If there are other products bythe same vendor you don't want to include in the rule,deselect them.5In the Navigation Bar under Rules,select Tagging Rules.Right-click in the tagging rules panel,click Add New|Application Based Tagging Rule,and type GIS Tagging Rule torename the rule.6Double-click the rule,select GIS Applications,then click Next.7(Optional)Click Select from list,select Graphic files,then click Next three times to reach the Tags page.8Click Add New,name the tag GIS Tag,click OK,then Finish.9In the Navigation Bar under Rules,select Reaction Rules.Right-click in the panel,click Add New|Removable Storage Protection Rule,and rename it Block GIS files copiedto removable storage.10Double-click the rule to open the wizard.You can skip all of the steps except the following:a On the tags page,select the GIS Tag created in step6.b On the actions page,select Block,Monitor,Notify User,and Store Evidence.Use case:Disabling all CD/DVD burners from writing Assume an organization wants to restrict engineering end users from using CD/DVD burnersto write CDs.McAfee Host Data Loss Prevention is not able to analyze the content written toCD/DVD,therefore removable storage device rules should be used.Limitation:The following CD/DVD burners are not protected in McAfee Host Data LossPrevention v2.2:•Alcohol120%•Iomega HotburnExample1In the Navigation Bar under Device Management,select Device Definitions.2Right-click in the device definitions panel,and click Add New|Removable Storage Device Definition.Type CD/DVD Devices to rename,and press Enter.3Double-click the device definition to edit it.Select CD/DVD Drives and click OK to close the definition dialog.4In the Navigation Bar under Device Management,select Device Rules.5Right-click in the device definitions panel,and click Add New|Removable Storage Device Rule.Type Block all CD-R burning to rename,and press Enter.6Double-click to edit the rule.Select CD/DVD Devices in the Include column.Click Next. 7Select Notify User and Read Only.Click Finish.。