L1 Data Security Monitoring - DLP

This package detects data security issues (information leaks and policy changes) reported by Data Loss Prevention (DLP) products.

Authors:

– Ashwin Aruldas

– Geneva Capos

– Oswaldo Dimas

– Francisco Leto Mera

– Kris Machnicki

– Dat Ngyuen

Main Use Cases

Use Case 1 - DLP Exfiltration

File and Confidential Information Printing

Confidential File Transferred on Suspicious Network Port

Information and Confidential Information Sent over Email

Information and Confidential Information Copy/Paste

Information and Confidential Information over the Network

Information and Confidential Information transferred to Web Services

Information and Confidential Information transferred to Removable devices

Information and Confidential Information Screenshot

Large Information Transfer

Removable Device Block Tracking

DLP Incident from a Watched User

DLP Statistics - DLP Events per User in the last 48 hours

DLP Statistics - DLP Events per User in the last 7 days

DLP Statistics - DLP Events per Event Type in the last 48 hours

Use Case 2 - DLP Modification

Policy Modification on DLP Software

Supported Log Sources (not for Product Packages)

Here are the log source types available in the marketplace:

| Vendor | Product | Version(s) | Comments |
| McAfee | Endpoint DLP | | |

Download Instructions

The latest package can be downloaded from the ArcSight Marketplace.

Prerequisites

Ensure the following is complete:
  • Activate Base Package 2.5.0.0 (minimum) has been installed

Package Installation Procedure

Follow the next steps to import the L1 Data Security DLP - Indicators and Warnings package:

1. Copy the L1DataSecurityDLPIndicatorsAndWarnings1001.bat file and the L1-Data_Security_DLP_-_Indicators_and_Warnings.arb file to the current directory under the ArcSight Console installation path, e.g. c:\arcsight\console\current\
2. Execute the L1DataSecurityDLPIndicatorsAndWarnings1001.bat file.
3. Provide the ESM host and port, as well as the user name and password.
4. The installation imports and installs the contained packages.

Imported and Installed packages:

L1-Data Security DLP - Indicators and Warnings

L1-Data Security DLP - Indicators and Warnings - Active Lists

L1-Data Security DLP - Indicators and Warnings - Customizations


Package Configuration

After the L1 Data Security - DLP Indicators and Warnings package has been installed, the Active Lists may need to be populated according to corporate requirements:

1. In the Navigator panel, select "Lists" from the drop-down list and go to /All Active Lists/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention to configure the L1 Active Lists.
2. If specific confidential files are to be tracked, add them to the Confidential Files active list. This active list is used by every "Confidential" L1 Data Security DLP rule.
3. If data classification is in use and information is tagged with it, add the specific data classifications to the Data Classification active list. This active list is used by every "Confidential" L1 Data Security DLP rule. By default the deviceCustomString5 event field is used to carry this value; if you build a FlexConnector, map the classification to that field. Two data classifications are added by default.
4. If DLP incident activity for specific users is to be tracked, add those users to the User Watched List active list. Users must be entered in the exact case and format in which they appear in DLP events. The TTL for this list is 30 days by default.

Content Hooks for Product Packages

The filters below need to be configured for the L1-Data Security DLP - Indicators and Warnings rules to trigger. Product Package filters must be hooked into these filters for the L1 (and L2) content to trigger.
| Filter | URI in L1 Data Security DLP | Description |
| All Data Loss Prevention Events | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/All Data Loss Prevention Events | Tracks every event coming from the Data Loss Prevention device. This filter includes both security and operations events. |
| DLP Information Leak Events | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/DLP Information Leak Events | Tracks every Data Loss Prevention information leak event. This filter must include only security Information Leak events, such as information copy-paste, printing, and information sent over email, the network, etc. |
| DLP Policy Modification | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/DLP Policy Modification | Tracks DLP policy modifications on the DLP server. |
| Information Copy-Paste | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Information Copy-Paste | Tracks local clipboard copy/paste activity. |
| Information Printing | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Information Printing | Tracks information printing actions. |
| Information Screenshot | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Information Screenshot | Tracks information screenshot actions. |
| Information Sent over Email | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Information Sent over Email | Tracks information sent over email. |
| Information Transfer over the Network | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Information Transfer over the Network | Tracks information sent over the network. |
| Information Transfer to Removable Device | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Information Transfer to Removable Device | Tracks any information transfer to a removable storage device. |
| Information Transfer to Web Services | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Information Transfer to Web Services | Tracks information transfer to web sites. |
| Removable Storage Device Blocked | /All Filters/ArcSight Activate/Solutions/Data Security/Indicators and Warnings/Data Loss Prevention/Removable Storage Device Blocked | Tracks any removable storage device being blocked. |
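To make the active-list semantics from the Package Configuration section and the hook mapping from the Content Hooks table concrete, the following Python models both: a product-side category is hooked into an L1 filter, and the "Confidential" and "Watched User" rules are evaluated against the lists. This is an added example, not ArcSight content and not code from this package. The product category strings, file names, classification values and user names are constructed placeholders; the default classification entries are not named on the page, so the two used here are assumptions; and the wiring of rules to filters is inferred from the use-case names above rather than taken from the package's rule definitions.

```python
"""Model of the L1 DLP active lists and content hooks (added example, not
ArcSight content). Every event, list entry and product category string
below is constructed for illustration."""
from datetime import datetime, timedelta

# --- Active lists (Package Configuration) ------------------------------------
CONFIDENTIAL_FILES = {"Q3_forecast.xlsx", "customer_master.csv"}   # constructed
# The page says two classifications exist by default but does not name them;
# these two values are assumptions.
DATA_CLASSIFICATIONS = {"Confidential", "Restricted"}
WATCH_LIST_TTL = timedelta(days=30)                                 # page default
# User Watched List: user name exactly as it appears in DLP events -> time added
USER_WATCH_LIST = {"jdoe": datetime(2018, 5, 1), "ASmith": datetime(2018, 3, 1)}

# --- Content hook (Content Hooks for Product Packages) -----------------------
# A product package filter decides which L1 filter an event belongs to. The keys
# are constructed stand-ins for that product-side categorisation; the values are
# the L1 filter names from the table above.
PRODUCT_HOOK = {
    "clipboard": "Information Copy-Paste",
    "print": "Information Printing",
    "screenshot": "Information Screenshot",
    "email": "Information Sent over Email",
    "network": "Information Transfer over the Network",
    "removable": "Information Transfer to Removable Device",
    "web": "Information Transfer to Web Services",
    "removable_blocked": "Removable Storage Device Blocked",
    "policy_change": "DLP Policy Modification",
}
# Only the security leak filters feed "DLP Information Leak Events".
LEAK_FILTERS = {
    "Information Copy-Paste", "Information Printing", "Information Screenshot",
    "Information Sent over Email", "Information Transfer over the Network",
    "Information Transfer to Removable Device", "Information Transfer to Web Services",
}


def l1_filters(event):
    """Return the set of L1 filter names an event matches."""
    matched = {"All Data Loss Prevention Events"}   # every event from the DLP device
    hooked = PRODUCT_HOOK.get(event.get("category"))
    if hooked:
        matched.add(hooked)
        if hooked in LEAK_FILTERS:
            matched.add("DLP Information Leak Events")
    return matched


def is_confidential(event):
    """A "Confidential" rule fires when the file is in the Confidential Files list
    or the classification carried in deviceCustomString5 is in the Data
    Classification list."""
    return (event.get("fileName") in CONFIDENTIAL_FILES
            or event.get("deviceCustomString5") in DATA_CLASSIFICATIONS)


def is_watched_user(user, now):
    """Exact-case lookup; an entry older than the TTL has expired from the list."""
    added = USER_WATCH_LIST.get(user)
    return added is not None and now - added <= WATCH_LIST_TTL


def evaluate(event, now):
    """Return the rule names an event would trigger, given the active lists."""
    filters = l1_filters(event)
    fired = []
    leak = filters & LEAK_FILTERS          # at most one hooked leak filter
    if leak:
        channel = leak.pop()
        prefix = "Confidential Information" if is_confidential(event) else "Information"
        fired.append(f"{prefix} via {channel}")
    if "DLP Policy Modification" in filters:
        fired.append("Policy Modification on DLP Software")
    if "Removable Storage Device Blocked" in filters:
        fired.append("Removable Device Block Tracking")
    # The watched-user rule applies to any incident that matched a hooked filter.
    if len(filters) > 1 and is_watched_user(event.get("sourceUserName"), now):
        fired.append("DLP Incident from a Watched User")
    return fired


# Constructed sample events, shaped after the fields the page names.
NOW = datetime(2018, 5, 16)
SAMPLE_EVENTS = [
    {"category": "clipboard", "fileName": "Q3_forecast.xlsx", "sourceUserName": "jdoe"},
    {"category": "email", "fileName": "notes.txt", "deviceCustomString5": "Restricted",
     "sourceUserName": "asmith"},           # wrong case: does not match "ASmith"
    {"category": "policy_change", "sourceUserName": "dlpadmin"},
    {"category": "heartbeat", "sourceUserName": "jdoe"},   # operations event, no hook
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.get("category"), "->", evaluate(ev, NOW))
```

The second sample event shows why step 4 of the configuration insists on exact case: "asmith" never matches the "ASmith" entry, and even a correctly cased "ASmith" lookup fails here because its entry is older than the 30-day TTL. The "heartbeat" event matches only the all-events filter, so no rule fires, which is the intended split between the all-events and information-leak filters.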

Test Plan

L1DataSecurityMonitoringDLPTestPlan provides methodology for testing this package.

Resources

The link below contains a table of all resources included in this package:
Topic revision: r10 - 16 May 2018, EstebanHerrera
