Data Loss Prevention Part 2: Working with DLP

00:00

Welcome back to the M s. 3. 65 Security Administration. Course.

00:05

I'm your instructor, Jim Danes.

00:07

We're a module for industry 65 3rd protection less than three. Data loss prevention,

00:14

part two. Working with deal t

00:18

This lesson. We're going to go over how deal? P integrates with the foul classification and thanks F c I.

00:24

We're gonna look more at deal P policy creation, configuration and customization.

00:29

And how does Cindy lp alert Stewed administrators

00:33

in this 3 65 can use a deal p policy to identify, monitor and protect sensitive information.

00:40

The deal P policy can be created in Mystery 65 that recognizes properties that Windows server FC I has applied the documents.

00:50

Oh, wait.

00:52

This kind of blurs on prim and in the clown, doesn't it? Yes, it does

00:59

deal P policies or not retroactive.

01:02

When you create a policy doesn't automatically go out and do everything.

01:06

Only new content edit. The content will be detected automatically after policies enabled.

01:11

A manual re index is needed to detect existing content.

01:18

If you create a new deal P policy and you have 1000 documents sitting on your file server

01:23

isn't me like OK, well, I don't care about this.

01:26

However,

01:27

if a new documents created after the policies created is gonna check it out

01:33

to get those 1000 documents that pretty existed that policy,

01:36

you have to do a manual re index. Then that policy will go through those 1000 documents.

01:42

That's an important key to remember

01:47

before Policy can be enforced

01:49

course as to be created.

01:51

So let's look at creating the policy from a building policy template.

01:57

We go into the security compliance center, go to data loss prevention, got a policy

02:00

creative policy

02:02

for this one must do financial and US financial data. So US financial data is one of the built in pre defined, sensitive information types.

02:14

We're gonna name it US financial data

02:16

and choose locations.

02:19

You can have it unified, which is the first radio button toe where you protect content in exchange teams.

02:25

One drop in SharePoint

02:28

or, if you want, you have a deal P policy for one specific service. If you just want for exchange, for example,

02:36

if you go into customized of locations,

02:38

it was just like a content search. Like it, he discovered search

02:43

so you can go then exclude accounts

02:46

there's tons of capabilities. If you want a policy that just applies to starting members within the department, you could do that

02:53

if you want to just applies to

02:55

three SharePoint sites. Yeah, you can do that. It's very granular and very flexible.

03:01

So now since we define the location, we're gonna look at

03:07

customization settings.

03:09

We're going to detect the content when it's shared. You can do people outside

03:15

or only on the inside.

03:16

If something's shared externally, you can have a different policy than if something shared internally.

03:23

So here's some of the advanced settings we can do. We could have multiple rules in the same policies. You can have your internal and external sharing

03:31

within the same policy.

03:34

Do you detect your volume

03:36

if it's a low volume with high volume, so you can go say at there's five

03:43

financial records within undocumented triggers. What there's 10 with was one was theirs, too.

03:47

If all these different thresholds that you can set

03:53

next, we're going to choose what happens when the policy triggers this is the action

03:59

because some policy tips and you know notifications can be set up here

04:02

for restrictions and encryption. Weaken block the content from being shared. Or we can force encryption and exchange FX a email message.

04:12

We can

04:13

test out the policy

04:15

or turn it on right away.

04:18

You can even restrict the scope of your testing

04:20

if you choose the locations

04:24

and do your test base from that,

04:27

the policy is ready to go off. Then you can go back,

04:30

open the scope up,

04:31

widens, go

04:33

and enable it.

04:35

That's always best practice.

04:38

Usually, we test things in I T.

04:40

Or his financial made will be test and auto department purchasing.

04:44

H or for P I.

04:46

You can never just go down, even to a couple of users.

04:49

Test them, see how it works.

04:51

Make sure everything's correct. Feedback is good. Expanded Tesco.

04:57

The back is good, then expanded out to your whole organization.

05:00

Remember, you don't have to turn it one for everybody. All lost testing is a good thing.

05:05

Helps eliminate user frustration, which increases adoption.

05:11

Once everything was good. We just review our settings and click on create

05:17

to edit an existing DLP policy.

05:20

We sign in the n 3 65 admin and go to the security compliance. Seven.

05:25

Get a policy that most prevention policy then we select the policy we want to edit.

05:30

We pull it up and we got at it.

05:33

This is a

05:34

closer view of the volume thresholds

05:39

within those policies, and within those rules,

05:42

accuracy tweaking can help decrease false positives.

05:46

Always tweet during testing.

05:48

Testing is your time to determine efficacy

05:51

and determined false positives

05:54

that match your policies. Risk

06:00

instance. Count one to any there's could be customized accuracy. Men Max. There's going to customize as well.

06:08

Additional rule settings conclude user over US Exceptions Actions User notification incident Report Options.

06:15

You can require a user to provide a business justification to overrun,

06:20

or you can Voronin automatically if they reported as a false positives.

06:26

Incident Reports admits. Configure inaction to generate incident reports f an event occurs.

06:32

Here's an example of the incident report

06:35

to where the service was exchanged.

06:38

It goes through

06:40

all of these different informations person sharing to from severity. If it's a false positive or over Ron that the user did those that we just saw in the previous frame that will be long as well.

06:54

It will tell you how it mass

06:55

the rule that amassed

06:57

the action Taken one. It's a very good

07:00

mechanism when you start to develop the LP policies,

07:06

quis the quickest way to start using Deal P policies is to create a new policy from any existing template. True or false.

07:15

Of course, the answer to that is true.

07:17

Same place where, therefore, reason the template makes something harder.

07:21

It shouldn't be a template

07:26

to create a custom DLP policy. The first couple steps you upload a document with the need of property into industry. 65.

07:32

You create a manage property insert 0.1 on

07:38

this

07:39

crawls the property within industry. 65.

07:44

Step three. We created the LP policy. It's a condition document. Contains Values are not available in the U on. We gotta east ourselves

07:53

ourselves to the rescue.

07:54

We have new set. Get those with the verbs.

07:58

National Command

07:59

GOP Compliance policy

08:01

So new GOP compliance policy said

08:05

deal. Be compliance policy. Get DLP components policy

08:11

to recap The lesson. A deal P policy can be created in Mystery. 65 recognizes properties that Windows Server FC I has applied the documents

08:20

before Deal P can be enforced. A GOP policy isn't heated.

08:26

Administrators can configure inaction to generate incident reports

08:30

F A DLP event occurs.

08:33

Thank you for joining me on this lesson. All about GOP.