Planning a phased approach

Before you begin

As part of the planning process, consider the tactics that can be employed in protecting data, configuring policies, managing incidents, and controlling access.

To assess how to protect data from compromise, Forcepoint recommends a multi-phased approach. One possible approach is outlined here.

Phase 1: Monitoring

Start by monitoring data (auditing without blocking):

Steps

  1. Enable regulatory compliance, regional, and industry-related predefined policies in order to:
    • Deploy a solid, first-stage DLP baseline.
    • Get a good picture of what information is being sent out, by whom, to where, and via which methods.
  2. If the organization has unique data identification needs that are not covered by a predefined policy, request custom policies from Forcepoint.
    • Data types requiring a custom policy might be items like coupons or catalog numbers.
    • To request a policy, contact Forcepoint Technical Support. They will escalate the request and engage a research team. The usual turnaround is approximately 3 weeks. (The research team can typically provide an estimated time to completion within 3 days of reviewing the request).
  3. Fingerprint data (this can also be part of Phase 2):
    • Data fingerprinting allows accurate and efficient data identification.
    • Database fingerprinting (PreciseID database technology) allows accurate and efficient detection of fingerprinted records coming from database tables, database views, and CSV files.
    • Content policies can be flexibly defined for data sources, with detection rules based on combinations of columns and thresholds based on number of matches.
    • Database fingerprinting can be used in conjunction with PreciseID patterns. While patterns identify a full range of data (for example, all credit cards), database fingerprinting can narrow down the detection only to credit cards belonging to the organization’s customers.
    • Files, directory, and SharePoint fingerprinting (PreciseID files technology) allow identification of unstructured data (free text).
      • Data can be identified in different formats (e.g., after PDF conversion), different contexts (excerpt of fingerprinted confidential document), and so on.
      • Advanced and efficient algorithms allow detecting fingerprints even on endpoints that have limited resources.
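The following is an added illustration of the database-fingerprinting idea described in step 3 (it is not Forcepoint's PreciseID code or algorithm, and the secret, the customer table and the outbound message are constructed): cells of the chosen columns are stored only as keyed hashes, outgoing text is scanned with a generic card pattern, and an incident is raised only when enough fingerprinted records match on the required combination of columns.

```python
import hashlib
import hmac
import re

# Constructed values for this illustration; a real product keeps its own scheme.
SECRET = b"constructed-demo-salt"
CUSTOMERS = [  # constructed sample of a customer table to be fingerprinted
    {"name": "Ada Lovelace", "card": "4111 1111 1111 1111", "email": "ada@example.com"},
    {"name": "Alan Turing", "card": "5500 0000 0000 0004", "email": "alan@example.com"},
    {"name": "Grace Hopper", "card": "3400 0000 0000 009", "email": "grace@example.com"},
]
# Generic "looks like a card" pattern: 13-16 digits with optional spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def normalize(value):
    # Ignore spacing, dashes and case so "4111 1111..." and "4111-1111..." match.
    return re.sub(r"[\s-]", "", value).lower()

def fingerprint(value):
    # Keyed hash: the index holds no clear-text customer data.
    return hmac.new(SECRET, normalize(value).encode(), hashlib.sha256).hexdigest()

def build_index(rows, columns):
    """Map fingerprint -> set of (row id, column) for the chosen columns."""
    index = {}
    for rid, row in enumerate(rows):
        for col in columns:
            index.setdefault(fingerprint(row[col]), set()).add((rid, col))
    return index

def candidates(text):
    """Tokens worth looking up: card-shaped numbers, e-mail addresses, name pairs."""
    found = {m.group(0) for m in CARD_PATTERN.finditer(text)}
    found |= set(re.findall(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b", text))
    found |= set(re.findall(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b", text))
    return found

def evaluate(text, index, required_columns, threshold):
    """Return (pattern hits, fingerprinted row ids, incident?) for one message."""
    matched = {}
    for token in candidates(text):
        for rid, col in index.get(fingerprint(token), ()):
            matched.setdefault(rid, set()).add(col)
    rows = sorted(r for r, cols in matched.items() if set(required_columns) <= cols)
    return len(CARD_PATTERN.findall(text)), rows, len(rows) >= threshold

INDEX = build_index(CUSTOMERS, ["name", "card", "email"])
OUTBOUND = ("Please charge Ada Lovelace on card 4111-1111-1111-1111 and Alan Turing "
            "on 5500 0000 0000 0004. Test card 4012888888881881 is not a customer.")

def scan_sample():
    # Rule: name AND card of the same record, at least 2 records -> incident.
    return evaluate(OUTBOUND, INDEX, ["name", "card"], 2)
```

The generic pattern fires three times, but only the two records that belong to the fingerprinted table count toward the threshold, which is the narrowing described above.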

Next steps

Phase 2: Monitoring with notifications

In the second stage, enable email notifications to relevant members of the organization when a policy breach is discovered. The options are:

  • Global security administrator
  • Data owners (specified for each policy)
  • Senders (the people who actually leak the information)—some enterprises prefer this option to educate users and then watch the expected decrease in the number of incidents over time in the Trends report.
  • Managers—the direct managers of the people who leak information (based on data in the directory server).

Phase 3: Policy tuning

In this phase, tune policies to keep the incident volume manageable and to ensure that only relevant incidents are reported.

This phase can operate in parallel to Phases 1 and 2.

  • Disable policies that are not showing value.
  • Make sure the channels selected for policy application are relevant.
  • Identify incidents that are authorized transactions and make appropriate changes in the authorization for specific policies (e.g., allowing sending specific information from certain sources to certain destinations).
  • Change thresholds to avoid too many incidents from some policies.

Also use Phase 3 to make sure that proper incident managers are assigned for various types of incidents. Create policy category groups in the Data Security module of the Security Manager and assign them to relevant incident managers.

Phase 4: Enforcing

Begin this phase after all policies have been successfully tuned and business owners, data owners, and incident managers are trained and ready to handle the incidents.

  • Start with one channel (for example, SMTP), then gradually add enforcement for other channels (like HTTP).
  • Continue monitoring incidents to identify whether certain policies should be moved back to auditing only. For example, if all quarantined email is released, it might be better to simply monitor the transactions.
  • It may be desirable to integrate with encryption gateways as part of SMTP enforcement. Forcepoint DLP can automatically route certain email transactions to be encrypted based on email content and/or policy definitions (actions).
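An added example, not part of the original guide, that applies the Phase 3 and Phase 4 tuning criteria to a batch of incident records: a policy whose quarantined mail is always released is flagged for a return to audit-only, and a policy generating too many incidents is flagged for a higher threshold or an authorization change. The incident records, policy names and limits are constructed.

```python
from collections import defaultdict

# Constructed incident records: policy, channel, action taken, and whether a
# quarantined message was later released by its incident manager.
INCIDENTS = [
    {"policy": "PCI", "channel": "SMTP", "action": "quarantine", "released": True},
    {"policy": "PCI", "channel": "SMTP", "action": "quarantine", "released": True},
    {"policy": "PCI", "channel": "SMTP", "action": "quarantine", "released": True},
    {"policy": "HIPAA", "channel": "SMTP", "action": "quarantine", "released": False},
    {"policy": "HIPAA", "channel": "HTTP", "action": "audit", "released": None},
] + [{"policy": "Coupons", "channel": "HTTP", "action": "audit", "released": None}] * 61

def summarize(incidents):
    """Per-policy counts: total incidents, quarantined, and quarantined-then-released."""
    stats = defaultdict(lambda: {"total": 0, "quarantined": 0, "released": 0})
    for inc in incidents:
        s = stats[inc["policy"]]
        s["total"] += 1
        if inc["action"] == "quarantine":
            s["quarantined"] += 1
            if inc["released"]:
                s["released"] += 1
    return dict(stats)

def recommend(incidents, max_per_policy=50, min_quarantined=3):
    """Map each policy to a tuning action; 'keep' when nothing stands out."""
    out = {}
    for policy, s in summarize(incidents).items():
        if s["quarantined"] >= min_quarantined and s["released"] == s["quarantined"]:
            # Every block was overridden: enforcement adds work but no protection.
            out[policy] = "move back to audit-only"
        elif s["total"] > max_per_policy:
            # Noisy policy: raise the threshold or authorize the legitimate flows.
            out[policy] = "raise threshold or add authorized sources"
        else:
            out[policy] = "keep"
    return out
```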

Phase 5: Discovery

This phase can start earlier, in parallel with other phases.

Establish discovery tasks on sensitive corporate servers, databases, Exchange servers, and SharePoint sites that are widely accessed. This ensures that administrators know where sensitive information is located, and who is allowed to access it.

Phase 6: Endpoint deployments

This phase can also be instituted earlier in the security process.

Deploy Forcepoint DLP Endpoint to control data in use (removable media, clipboard operations, file access):

  • The endpoint software can control data in use, even when users are disconnected from the network.
  • The endpoint software can optionally be installed in stealth (invisible) mode.

Local discovery investigates the drives on a local machine, like a laptop, which can be disconnected from the network. This can help to uncover sensitive files that network discovery doesn’t reach.