McAfee Host Data Loss Prevention Best Practices: Protecting against data loss from external devices

McAfee DLPe Device Control Best Practices


COPYRIGHT

    Copyright 2009 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

    TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    LICENSE INFORMATION

    License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    License Attributions

    Refer to the product Release Notes.

    McAfee Host Data Loss Prevention software2

Contents

Protecting against data loss from removable devices and file systems

    Device control

    Content protection rules

    Examples

        Use case: Blocking wireless communication

        Use case: Making all USB removable storage read-only except authorized devices

        Use case: Blocking files containing personal identity information

        Use case: Blocking files created by a GIS application

        Use case: Disabling all CD/DVD burners from writing


Protecting against data loss from removable devices and file systems

The purpose of this document is to provide a brief overview of ways to protect against data loss and to walk you through several use cases and best practices for data loss protection.

    Contents

    Device control

    Content protection rules

    Examples

Device control

McAfee Host Data Loss Prevention software protects enterprises from the risk associated with unauthorized transfer of data from within or outside the organization. Data loss is defined as confidential or private information leaving the enterprise as a result of unauthorized communication through channels such as applications, physical devices, or network protocols.

Memory sticks are the smallest, easiest, cheapest, and least-traceable method of copying out large amounts of data, which is why they are often considered the "weapon of choice" for unauthorized data transfer. McAfee Device Control allows monitoring and controlling external device behavior based on the device attributes rather than the content being copied. Using McAfee Device Control, devices attached to enterprise computers, such as smart phones, removable storage devices, Bluetooth devices, MP3 players, or Plug and Play devices, can be monitored, blocked, or configured to be read-only.

    There are two types of device control rules available in McAfee Device Control:

    Plug and Play device rules

    Removable storage device rules

    Plug and Play device rules

Plug and Play device rules work on the device driver level, and can be used to block and monitor devices. Whenever a new device is plugged into the computer, McAfee Device Control will match the new device attributes against the device attributes defined in the Plug and Play device rule. If a match is found, McAfee Device Control will perform the action (block/monitor/notify user) defined by the device rule. Plug and Play device rules are used to restrict the use of peripheral devices such as Bluetooth adapters and modems. Although Plug and Play device rules can also be applied to removable storage devices, McAfee does not recommend using them for such devices.

    Pros and cons of Plug and Play device rules

    Pros:


Allow for blocking any type of device.

    Block devices at a very low level, before the driver has a chance to load.

    Allow for easy blocking of entire device classes and bus types (such as "block all USB").

    Cons:

    The device blocking is based only on the device attributes and does not inspect content.

    Can only block or monitor. Cannot make a device read only.

    Recommended use cases:

    Block all Bluetooth adapters and modems

The enterprise wants to restrict end users from using Bluetooth and modem communication to transfer data.

    Block all Wireless communication

The enterprise wants to restrict end users from using wireless communication while connected to the corporate network. See Use case: Blocking wireless communication.

    Removable storage device rules

Removable storage device rules are used for blocking and monitoring removable storage devices such as flash drives, MP3 players, and external hard drives. They can block, monitor, or configure the removable storage to read-only. Whenever a new removable storage device is plugged into the computer, McAfee Device Control will match the new device attributes against the device attributes defined in the removable storage device rule. If a match is found, McAfee Device Control will perform the action defined by the device rule.

Removable storage device rules work on the file system level, and allow for more flexibility than Plug and Play device rules. For example, the removable storage device rule can match a device based on its file system type (NTFS, FAT32) or file system volume label. In addition, they provide more accurate device names. For example, an iPod is recognized by the Plug and Play mechanism as a USB mass storage device, whereas the removable storage rule recognizes it as Apple iPod, which is more meaningful. (This description fits older iPods. The iPod Touch is recognized as a Windows Image Acquisition device.)

McAfee recommends using removable storage device rules, rather than Plug and Play device rules, to control all devices that provide removable storage, such as USB mass storage devices, Flash Drives ("Disk on Key"), and CD\DVD.

NOTE: Because Plug and Play device rules are applied at the device driver level, they are evaluated before removable storage device rules. If a removable storage device matches both types of rule, the Plug and Play rule takes effect and the removable storage device rule is not applied, so a read-only action defined in the removable storage device rule never takes effect for that device.

    Pros and cons of removable storage device rules

    Pros:

    Allow read-only mode for removable storage devices.

    Allow for greater flexibility for device matching (file system type, volume label).

    Cons:

    The device blocking is based only on the device attributes and does not inspect content.

    Recommended use cases:

    Make all USB removable storage read-only except authorized devices.

An enterprise has purchased a specific brand of encrypted flash drive and would like to restrict the use of any other flash drive. See Use case: Making all USB removable storage read-only except authorized devices.


Disable all CD/DVD burners from writing.

The enterprise wants to restrict engineering end users from using CD/DVD burners to write CDs. McAfee Device Control is not able to analyze the content written to CD/DVD, therefore removable storage device rules should be used. See Use case: Disabling all CD/DVD burners from writing.

Content protection rules

Unlike device control functionality, which blocks the entire device, content protection rules protect individual files based on their content. When a file is copied to a network shared folder or a removable storage device, McAfee Host Data Loss Prevention performs deep content analysis to classify the content, and performs one (or more) of the following actions:

Block: Moves the file to the local quarantine folder and deletes its content from the removable storage. This action is not available for network shared folders.

Monitor: Sends an incident event to the Host DLP database (in version 3.0, the ePolicy Orchestrator database) for monitoring and case management.

Store Evidence: Stores the original file that was copied so it can be viewed in the Host DLP Monitor.

Notify user: Shows a popup to the end user as notification of the action that was performed.

Encrypt: Encrypts the file using McAfee Endpoint Encryption. This action is available in McAfee Host Data Loss Prevention software version 3.0.

    Removable storage protection rules

Removable storage protection rules allow for blocking and monitoring of individual files being written to removable devices according to file attributes and their content classification. When a file is copied to a removable storage device, the Host DLP Agent inspects, analyzes, and classifies the file content, and if the file classification matches one or more of the removable storage protection rules, the agent will apply the action defined in the rule.

    Host DLP provides several content classification techniques, including:

    Regular expression matching

    Keyword

    Application that created or edited the file

    Current storage location

    Where the file is being copied to.

McAfee recommends using removable storage protection rules whenever an enterprise allows use of removable storage devices, but wants to restrict (or monitor) the data that is written to them.

    Pros and cons of removable storage protection rules

    Pros:

Allow blocking individual files according to their content and attributes, rather than blocking the entire device.

    Cons:

McAfee Host Data Loss Prevention software uses CPU resources to analyze every file copied to removable media.


Recommended use cases:

    Block copying of files containing personal identity information (PII).

There are many forms of PII: Social Security Number (SSN), driver's license number, National Identification Number, and so on. McAfee Host Data Loss Prevention contains pre-defined regular expression patterns (Secured Text Patterns) that can be used to create these rules. See Use case: Blocking files containing personal identity information.

NOTE: McAfee Host Data Loss Prevention software version 3.0 introduces regular expression validators to reduce false positives.
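The following is an added example, written for this page rather than taken from McAfee's Secured Text Pattern library, of what a validator adds on top of a plain pattern. The regular expression, the validity checks (modeled on the publicly documented SSA rule that area 000, 666 and 900-999, group 00 and serial 0000 are never assigned) and the sample text are all assumptions; the product's actual patterns and validators are not published here.

```python
import re
from typing import List, Optional

# Assumed SSN-shaped pattern: 3-2-4 digits with optional '-' or ' ' separators.
# On its own it also matches placeholders such as 000-00-0000 in test fixtures.
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def ssn_is_valid(area: str, group: str, serial: str) -> bool:
    """Validator step: reject values the SSA has never issued.

    Area 000, 666 and 900-999 are never assigned; neither are group 00
    or serial 0000. These are the values that dominate false positives
    in sample data, documentation and unit-test fixtures.
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str, validate: bool = True) -> List[str]:
    """Return SSN-shaped strings in text.

    validate=False is the pattern-only behaviour; validate=True keeps only
    the hits that pass the validator, which is what reduces false positives.
    """
    hits = []
    for m in SSN_PATTERN.finditer(text):
        if not validate or ssn_is_valid(*m.groups()):
            hits.append(m.group(0))
    return hits


def classify(text: str) -> Optional[str]:
    """Content classification step of a content-based tagging rule: return
    the tag name a removable storage protection rule would act on, or None."""
    return "SSN Tag" if find_ssns(text) else None


if __name__ == "__main__":
    # Constructed sample file contents, not real records.
    hr_export = "Employee 4711, SSN 123-45-6789, start date 2009-03-01"
    test_fixture = "fake ids: 000-12-3456, 666-12-3456, 987-65-4321"
    for doc in (hr_export, test_fixture):
        print(f"tag={classify(doc)} pattern-only={len(find_ssns(doc, validate=False))}"
              f" validated={find_ssns(doc)}")
```

The pattern-only run tags both documents; the validated run tags only the HR export. In a production rule, the validator is the difference between a quarantined file and a nuisance popup every time a developer copies a test fixture to a flash drive.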

Blocking copying of files created by a Geographic Information System (GIS) application to removable storage.

Certain applications create files that contain binary information that cannot be content inspected. McAfee Host Data Loss Prevention software provides a unique technology to classify content based on the application that creates or edits the file. See Use case: Blocking files created by a GIS application.

By creating application-based tagging rules, the Host DLP Agent can tag any file that is created by a GIS application. This tag can then be used in removable storage protection rules to block or monitor copying of GIS files to removable storage.

    Network file system protection rules

Network file system protection rules are very similar to removable storage protection rules, but they apply to the Windows network file system (shared folders) rather than to devices. They support monitoring files copied to a defined Windows share, but they do not support blocking the copy operation.

McAfee Host Data Loss Prevention software version 3.0 introduces the ability to encrypt files that are copied to the network, to enforce compartmentalization policies, using McAfee Endpoint Encryption.

    Recommended use cases:

    Monitor all files containing credit card numbers being copied to public folders on a file server.

Many organizations provide public folders for file sharing on the network. Reckless users can copy sensitive files to these folders. Using McAfee Host Data Loss Prevention you can create a network file system protection rule to Monitor, Notify User, and Store Evidence for every file that contains sensitive information, such as credit card numbers, when copied to the public folder on the network. Ideally, such files should also be encrypted.

Compartmentalization (available in McAfee Host Data Loss Prevention software version 3.0 using McAfee Endpoint Encryption integration)

Assume your organization has an engineering group, a finance group, and a sales group. You can use the McAfee Host Data Loss Prevention software version 3.0 and McAfee Endpoint Encryption integration to generate three encryption keys, FINANCE_KEY, ENGINEERING_KEY and SALES_KEY. Each key is available only to members of that group to unlock files. Using these keys in network file system protection rules can ensure that every sensitive file that is copied to a network shared folder will be properly encrypted, and visible only to authorized users.


Examples

The following examples demonstrate the techniques discussed in the text.

    Examples

    Use case: Blocking wireless communication

    Use case: Making all USB removable storage read-only except authorized devices

    Use case: Blocking files containing personal identity information

    Use case: Blocking files created by a GIS application

    Use case: Disabling all CD/DVD burners from writing

Use case: Blocking wireless communication

Assume an organization wants to restrict end users from using wireless communication while connected to the corporate network. With McAfee Device Control it is possible to define a policy that differentiates between users who are online (connected to the corporate network) and those who are offline. The following example shows how to block wireless adapters while a user is connected to the corporate network.

    Example

    1 In the Navigation Bar under Device Management, select Device Definitions.

2 Right-click in the device definitions panel, and click Add New | Plug and Play Device Definition. Type Wireless Network Adapters to rename, and press Enter.

3 Double-click the device definition to edit it. Select Device Class, then select Network Adapters and click OK.

    4 Select Device Name. The definition parameter edit dialog box appears.

    5 Click Add New and type wireless into the text box. Select the Allow Partial Match option.

    6 Click Add New and type wlan into the text box. Select the Allow Partial Match option.


7 Click Add New and type 802.11 into the text box. Select the Allow Partial Match option. Click OK twice to complete the definition.

    8 In the Navigation Bar under Device Management, select Device Rules.

9 Right-click in the device rules panel, and click Add New | Plug and Play Device Rule. Type Block wireless network adapters when online to rename, and press Enter.

10 Double-click to edit the rule. Select Wireless Network Adapters in the Include column. Click Next.

    11 Select Block, Monitor, and Notify User.


12 For each action, deselect the Offline option. Click Finish.

Use case: Making all USB removable storage read-only except authorized devices

Assume an organization has purchased a specific brand of encrypted flash drives and would like to restrict the use of all other flash drives.

    Example

    1 In the Navigation Bar under Device Management, select Device Definitions.

2 Right-click in the device definitions panel, and click Add New | Removable Storage Device Definition. Type USB Removable Storage to rename, and press Enter.

    3 Double-click the device definition to edit it. Select Bus Type, select USB and click OK.

4 Right-click in the device definitions panel again, and click Add New | Removable Storage Device Definition. Type McAfee Encrypted USB Devices to rename, and press Enter.

5 Double-click the device definition to edit it. Select USB Vendor ID/Product ID and click Add New. The definition parameter edit dialog box appears.

    6 Click Add New to add each of the following devices:

    Description                                  Vendor ID   Product ID
    McAfee Standard Encrypted USB                1A4B        022A
    McAfee Standard Driverless Encrypted USB     1A4B        3220
    McAfee Zero-Footprint Bio                    1A4B        3200
    McAfee Zero-Footprint Non-Bio                1A4B        3500
    McAfee Encrypted USB Hard Disk               1A4B        3400

    TIP: Use the mouse to select the Product ID and Description text boxes.

    7 In the Navigation Bar under Device Management, select Device Rules.

8 Right-click in the device rules panel, and click Add New | Removable Storage Device Rule. Type Block all USB except McAfee to rename, and press Enter.

9 Double-click to edit the rule. Select USB Removable Storage in the Include column, and select McAfee Encrypted USB Devices in the Exclude column. Click Next.

    10 Select Monitor, Notify User and Read Only. Click Finish.
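To make the matching and ordering semantics of the two device rule use cases concrete, here is an added example written for this page. It is not McAfee code and does not reflect the agent's internal implementation; it models the wireless Plug and Play rule (Network Adapters class, partial name matches, online only) and the removable storage rule above (include USB bus, exclude the five McAfee Vendor ID/Product ID pairs), and applies Plug and Play rules first as the NOTE in the Device control section states. The device record layout, the Windows-style instance IDs and the generic flash drive's 1234:5678 identifiers are assumptions and constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumption: devices are identified the way Windows Device Manager shows them,
# by a PnP instance ID such as USB\VID_1A4B&PID_022A\0123456789.
VID_PID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)


@dataclass(frozen=True)
class Device:
    instance_id: str
    device_class: str       # e.g. "Net", "DiskDrive"
    name: str               # friendly name reported by the driver
    bus: str                # "USB", "PCI", ...
    removable_storage: bool


@dataclass(frozen=True)
class PnPRule:
    """Driver-level rule: Block/Monitor/Notify only, cannot make a device read-only."""
    name: str
    device_class: str
    name_contains: Tuple[str, ...]   # Allow Partial Match, case-insensitive
    actions: Tuple[str, ...]
    offline: bool = True             # False: actions apply only while online


@dataclass(frozen=True)
class RemovableStorageRule:
    """File-system-level rule: include by bus, exclude by VID/PID, may set Read Only."""
    name: str
    include_bus: str
    exclude_vid_pid: FrozenSet[Tuple[str, str]]
    actions: Tuple[str, ...]


def vid_pid(instance_id: str) -> Optional[Tuple[str, str]]:
    """Extract (Vendor ID, Product ID) from a USB instance ID, upper-cased."""
    m = VID_PID_RE.search(instance_id)
    return (m.group(1).upper(), m.group(2).upper()) if m else None


def pnp_matches(rule: PnPRule, dev: Device) -> bool:
    return (dev.device_class == rule.device_class
            and any(s.lower() in dev.name.lower() for s in rule.name_contains))


def rs_matches(rule: RemovableStorageRule, dev: Device) -> bool:
    return (dev.removable_storage and dev.bus == rule.include_bus
            and vid_pid(dev.instance_id) not in rule.exclude_vid_pid)


def evaluate(dev, pnp_rules, rs_rules, online=True):
    """Return (rule name, actions) for the first rule that fires, else None.

    Plug and Play rules run first, at the driver level; a device they act on
    is never evaluated against the removable storage rules.
    """
    for rule in pnp_rules:
        if pnp_matches(rule, dev) and (online or rule.offline):
            return rule.name, rule.actions
    for rule in rs_rules:
        if rs_matches(rule, dev):
            return rule.name, rule.actions
    return None


# The rules from the two use cases above.
WIRELESS = PnPRule("Block wireless network adapters when online", "Net",
                   ("wireless", "wlan", "802.11"),
                   ("Block", "Monitor", "Notify User"), offline=False)
MCAFEE_USB = frozenset({("1A4B", "022A"), ("1A4B", "3220"), ("1A4B", "3200"),
                        ("1A4B", "3500"), ("1A4B", "3400")})
USB_EXCEPT_MCAFEE = RemovableStorageRule("Block all USB except McAfee", "USB",
                                         MCAFEE_USB,
                                         ("Monitor", "Notify User", "Read Only"))

# Constructed sample devices; 1234:5678 is a placeholder, not a real vendor.
ENCRYPTED_DRIVE = Device(r"USB\VID_1A4B&PID_022A\0123456789", "DiskDrive",
                         "McAfee Encrypted USB", "USB", True)
GENERIC_DRIVE = Device(r"USB\VID_1234&PID_5678\4C530001", "DiskDrive",
                       "USB Flash Drive", "USB", True)
WLAN_ADAPTER = Device(r"PCI\VEN_8086&DEV_2526\0", "Net",
                      "Intel(R) Wireless-AC 9260", "PCI", False)
WIRED_ADAPTER = Device(r"PCI\VEN_8086&DEV_15B7\0", "Net",
                       "Intel(R) Ethernet Connection I219-LM", "PCI", False)


def verdict(dev: Device, online: bool = True) -> Tuple[str, ...]:
    """Actions the agent would apply to dev, or ("Allow",) if no rule fires."""
    result = evaluate(dev, [WIRELESS], [USB_EXCEPT_MCAFEE], online)
    return result[1] if result else ("Allow",)


if __name__ == "__main__":
    for d in (ENCRYPTED_DRIVE, GENERIC_DRIVE, WLAN_ADAPTER, WIRED_ADAPTER):
        print(f"{d.name:40} online={verdict(d)} offline={verdict(d, online=False)}")
```

The encrypted drive is allowed by the exclusion, the generic drive is made read-only, and the wireless adapter is blocked only while online. The ordering in evaluate() is also why McAfee steers you away from Plug and Play rules for storage: add a Plug and Play "block all USB" rule to pnp_rules and the read-only rule never runs for any flash drive, the encrypted ones included.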

Use case: Blocking files containing personal identity information

The following example shows how to create a content-based tagging rule that will tag any file containing a social security number, and how to create a removable storage protection rule that will prevent copying these files to removable storage.

    Example

1 In the Navigation Bar under Rules, select Tagging Rules. Right-click in the tagging rules panel, click Add New | Content Based Tagging Rule, and type SSN Tagging Rule to rename the rule.


2 Double-click the rule to edit it. From the pre-defined list of secured text patterns, check Social Security Number. Click Next.


3 On the tags page, click Add New, type SSN Tag in the Name text box, click OK, then Finish.

4 In the Navigation Bar under Rules, select Reaction Rules. Right-click in the panel, click Add New | Removable Storage Protection Rule, and rename it Block PII copied to removable storage.

    5 Double-click the rule to open the wizard. You can skip all of the steps except the following:

a On the tags page, select the SSN Tag created in step 3.

    b On the actions page, select Block, Monitor, Notify User, and Store Evidence.

Use case: Blocking files created by a GIS application

The following example shows how to create an application-based tagging rule that will tag any file that is created or edited by a Geographic Information System (GIS) application, and how to create a removable storage protection rule that will prevent copying GIS files to removable storage.

    Example

    1 In the Navigation Bar under Applications, select Enterprise Applications List.

2 Right-click in the application list panel, and click Add. Browse to the GIS application executable, then click Open. Note the exact executable name. You will need it in the next step. Click Add, then Close.

3 In the Navigation Bar under Applications, select Application Groups. Right-click in the panel, and click Add New | Application Group. Type GIS Applications in the Name text box and press Enter.


4 Double-click the GIS Applications group. Browse to the name of the vendor and select it. Click the plus sign next to the name to view the details. If there are other products by the same vendor you don't want to include in the rule, deselect them.

5 In the Navigation Bar under Rules, select Tagging Rules. Right-click in the tagging rules panel, click Add New | Application Based Tagging Rule, and type GIS Tagging Rule to rename the rule.

    6 Double-click the rule, select GIS Applications, then click Next.

7 (Optional) Click Select from list, select Graphic files, then click Next three times to reach the Tags page.

    8 Click Add New, name the tag GIS Tag, click OK, then Finish.

9 In the Navigation Bar under Rules, select Reaction Rules. Right-click in the panel, click Add New | Removable Storage Protection Rule, and rename it Block GIS files copied to removable storage.

    10 Double-click the rule to open the wizard. You can skip all of the steps except the following:

a On the tags page, select the GIS Tag created in step 8.

    b On the actions page, select Block, Monitor, Notify User, and Store Evidence.

Use case: Disabling all CD/DVD burners from writing

Assume an organization wants to restrict engineering end users from using CD/DVD burners to write CDs. McAfee Host Data Loss Prevention is not able to analyze the content written to CD/DVD, therefore removable storage device rules should be used.

Limitation: The following CD/DVD burning applications are not protected in McAfee Host Data Loss Prevention v2.2:


Alcohol 120%

    Iomega Hotburn

    Example

    1 In the Navigation Bar under Device Management, select Device Definitions.

2 Right-click in the device definitions panel, and click Add New | Removable Storage Device Definition. Type CD/DVD Devices to rename, and press Enter.

3 Double-click the device definition to edit it. Select CD/DVD Drives and click OK to close the definition dialog.

    4 In the Navigation Bar under Device Management, select Device Rules.

5 Right-click in the device rules panel, and click Add New | Removable Storage Device Rule. Type Block all CD-R burning to rename, and press Enter.

    6 Double-click to edit the rule. Select CD/DVD Devices in the Include column. Click Next.

    7 Select Notify User and Read Only. Click Finish.
