Contents

Introduction

This document list all the features related to Synergy.

Configuration Import Mode

The user can upload an existing configuration from local files using this mode. Please note that only JSON format is accepted. A validity check will be done, and an error message is shown in case the file does not have valid JSON content. This mode is usually used by the GV as a part of their personalized services.

Expert Mode

This mode is useful when the user wants to manually edit the agent configuration at his own risk. Like the previous mode, if the content is no more a valid JSON or no more represents the valid agent configuration structure, a list of errors will be displayed to the user.

Configuration Wizard Mode

This mode is the easiest to use and is as simple as installing a software in the system. When the user chooses this mode, he will be guided through a few steps to set agent configuration fields one by one.

MS Office Plugins

This functionality will allow the user to select which MS Office application the configuration will be applicable to. The various options are:

• Word

• Excel

• PowerPoint

• Outlook

• Windows Explorer Integration

MS Office Policies & Visual Tagging

This functionality will allow the user to set various polies that the user would like to enforce on documents in MS Office applications.The polies that we can set are as below:

Header

This will add a Header to the document. User can leave it empty or customize it as needed

Footer

This will add a Footer to the document. User can leave it empty or customize it as needed

Watermark

This will add a Watermark to the document. User can leave it empty or customize it as needed

TagBeforePrint

Using this option you can Force, Warn or Log & Ignore the user to classify any document before printing.

TagDirtyBufferOnSave

Using this option you can Force, Warn or Log & Ignore the user to classify any document before saving

AllowDescalation

This option allows the user to lower classification level of a classified document.

PowerPointSubtitle

This will add a Subtitle to the PowerPoint. User can leave it empty or customize it as needed

PowerPointTitle

This will add a Subtitle to the PowerPoint. User can leave it empty or customize it as needed.

Auto (default) classification

This optional feature allows to automatically classify with a default label all newly created docs in Word, Excel and Powerpoint. It is possible to individually set the default label for each plugin individually.

Outlook Plugins

This functionality will allow the user to select Outlook application to set the configuration

Outlook Policies & Visual Tagging

This functionality will allow the user to set various polies that the user would like to enforce on documents when using Outlook. The polies that we can set are as below:

Header

This will add a Header to the email. User can leave it empty or customize it as needed

Footer

This will add a Footer to the email. User can leave it empty or customize it as needed

TagOnPrint

Using this option you can Force, Warn or Log & Ignore the user to classify any modified email before printing.

TagOnSend

Using this option you can Force, Warn or Log & Ignore the user to classify any modified email before sending

AllowUnclassifiedAttachments

Using this option you can Block, Warn or Log & Allow the user to send unclassified attachments in email.

MinAttachmentsTag

This option will allow the user to Inherit minimal classification from classified attachment to the email.

AllowDescalation

This option allows the user to lower classification level of a classified email.

WordTextForwardingActive

This option allows to control if we scrape the text from MS Word that is sent for the classification. The options are true or false.

ExcelTextForwardingActive

This option allows to control if we scrape the text from MS Excel that is sent for the classification. The options are true or false.

PowerpointTextForwardingActive

This option allows to control if we scrape the text from MS Powerpoint that is sent for the classification. The options are true or false.

AutoClassifyReplyForwardEmails

This option allows the user to inherit the classification when replying or forwarding an email.

Auto (default) classification

This optional feature allows to automatically classify with a default label all newly created emails in Outlook.

Configure Emails

This feature allows the user to configure the email policy as per requirement. The polies that we can set are as below:

Classification

Here the user can select which type of email he wants to configure. The options are Public/Internal/Confidential/Highly Confidential

DefaultEmailPolicy

Here the user can set if the requirement is to Block/Allow/Warn about the email.

BlockList

The agent gives the option to create a blocklist of specific recipients. User will just have to add the email id of recipient in the list.

WarnList

The agent gives the option to create a warnlist of specific recipients. User will just have to add the email id of recipient in the list.

AllowList

The agent gives the option to create an allowlist of specific recipients. User will just have to add the email id of recipient in the list.

OutlookTextForwardingActive

This option allows to control if we scrape the text from MS Outlook that is sent for the classification. The options are true or false.

WriteMetadataTags

This property will capture the details about the agent in office applications. The location to find these details in the properties section for the application like shown below:

SelectableByWhitelist

Based on the distribution list, the email addressed in this list will be the once that the outlook plugin will allow sending emails to.

AllowInternalToExternal

This property allows the user to change the distribution list from internal to external.

MaxNumberOfRecipients

This property allows to set the maximum number of people the user wants to send the email to.

SuggestionOptions

This tag will allow the user to configure the options user want to show while showing the suggestion box on Ms office or Outlook.

AgentDialogConfiguration

This tag will allow the user to customize the options user want to show while show like compliance, classification etc.

DistributionTags

Additional feature to classify the documents/emails. Few examples are: Internal/Restricted/ External/Limited

Image Classification

By right clicking on the image file, user can now classify an image file as well. After classification the meta data will be saved and based on the outlook policy the classified image file will be attached in email. The supported formats are: ".gif", ".jpg", ".jpeg", ".png", ".tiff", ".tif"

Video Classification

By right clicking on the video file, user can now classify an image file as well. After classification the meta data will be saved and based on the outlook policy the classified video file will be attached in email. The supported formats are: ".avi", ".mp4", ".m4p", ".m4v"

Audio Classification

By right clicking on the audio file, user can now classify an image file as well. After classification the meta data will be saved and based on the outlook policy the classified audio file will be attached in email. The supported formats are: ".wav"

Other Right-Click Classifications

By right clicking on certain files, user can now classify those files. After classification the meta data will be saved. The supported formats are:.pdf, docx, docm, dotm, dotx, xlsx, xlsm, xlst, pptx, potm, potx, ppsm, pptm, ppsx, vsdm, vsdx, vstx, vss, vssm,vst, vstm,vssx, odt, ott, oth, odm, ods, ots, odp, odg, otp, dwg, dxf, zip

Autoupdate

This feature makes sure that the end user does not have to worry about the version of the latest Synergy Agent. This feature will make sure that the latest version is always present on the system.

Additional Properties:

• “blockServerAddressEdit”: true :- This property when set to true will make sure that the user is not allowed to edit the server address in configuration

• “disableConfigurationMenu”: true :- This property when set to true will make disable the configuration option.

• "excelConfiguration": {
  "defaultClassificationValue": "",
  "applyContentFromSheetNo": 1,
  "applyContentToSheetNo": 2
  }, : This property when set to can be used when the user want to apply the visual labels only to any particular sheet in excel file and not the whole workbook. you have to add the property inside excel configuration.

• "autoClassifyUnclassifiedAttachments": true :- This property when set to true will automatically classify attachments attached to as per email classification. It also works when forwarding a set of attachments.

• "prefixClassificationTagForSubject":true: This property when set to true will apply classification tag as prefix on the Subject of email.

• "suffixClassificationTagForSubject":true: This property when set to true will apply classification tag as suffix on the Subject of email.

Contents

Document Details

Overview

With state-of-the-art machine learning algorithms, Getvisibility combines natural language processing with neural networks. This allows us to classify unstructured data across organisations with unparalleled accuracy and speed.

Using machine learning rather than traditional pattern matching (regular expressions) and dictionary lookup methods allows Getvisibility to understand the context of a document, thereby increasing accuracy. As the neural network does most of the work, organisations no longer must embark on the laborious and expensive task of creating rules and regex hits per department and document type. Getvisibility’s customisable tag set enables users to apply company-specific classification to their unstructured data, which the neural network learns with increasing accuracy. Training of the neural network can be done through our user-friendly interface, eliminating the need for the highly qualified engineers and data scientists associated with traditional methods.

The Getvisibility classification tool is built on sophisticated machine learning algorithms to enable organizations to discover, classify and secure their most sensitive data. The Getvisibility platform combines smart agent technology and machine learning to provide a uniquely powerful solution for data classification and tagging. This is the first solution to enable automated, historical and manual classification with one deployment. This is unique but it also has a very significant value dramatically improving the quality of the manual classification process by leveraging the advanced AI model and understanding of historically created data.

Getvisibility Products

Getvisibility Synergy Pro & Synergy

The Getvisibility Synergy Pro and Synergy are designed to help your organisation classify and project your data in use, new data and data in motion. The solution works for in-cloud an on-prem applications.

Focus (Not yet part of Forcepoint OEM)

Getvisibility Focus enables automated, accurate and timely legacy data discover and classification of both new and legacy data. Getvisibility discover solution gives organisations an overview of all their data, tailored to how they want that data to be displayed and monitored.

Getvisibility offers contextual classification, empowering the data with appropriate metadata and enhancing the usage of that data throughout the organisation.

Lab Topology

This LAB is intended to provide a quick overview and hands-on experience of Get Visibility (GV) platform, and it covers some of the common use cases associated with GV. You will get access to a preconfigured GV tenant in Go4labs environment.

Lab Components:

a. GV server: This is GV management server based on Arch Linux OS,

b. FSM (Forcepoint Security Manager): Management Server for Forcepoint Email and DLP components.

c. SQL: DB used for Forcepoint Email and DLP components.

d. ESG DLP Network: Network DLP appliance used for MTA.

e. Webmail Server: Webmail server and client.

f. GetVisibility-Agent: End user machine that we will be using for this lab.

LAB Credentials

GV server:

IP address: 192.168.122.168

URL: https://192.168.122.30:9999/ui/#/login

Username / Password: admin/admin123

FSM (Forcepoint Security Manager): Management Server for Forcepoint Web/Email and DLP components.

IP address: 192.168.122.21

URL: https://192.168.122.21:9443/

Username / Password: admin/Forcepoint1!

RDP Username/ Password: administrator/Forcepoint1

DLP Protector: Network DLP appliance used for MTA

IP address: 192.168.122.23 (C) and 192.168.122.24 (P1 Outbound email)

SSH Username / Password: admin/Forcepoint1!

Webmail Server: Webmail server and client.

URL: https://192.168.122.1:5006

Username / Password: any/any

Admin: https://192.168.122.1:5006/?admin

Username / Password: admin/Forcepoint1

Client Machine: End user machine

IP address: dhcp

RDP Username/ Password: student/Forcepoint1

Lab preparations

1.How to access the lab

Your lab will be provisioned and assigned to your Go4labs account, in case you don’t see the lab in our account please reach out to one of the CSEs or Go4labs team during the training

2.Login to console, ensuring everyone has access.

On accessing the above lab (either via RDP or Web access) you should be able to reach the landing machine.

Open browser and go to https://192.168.122.30:9999/ui/#/login

2. Use below admin credentials

a. Username: admin

b. Password: admin123

You should be able to see landing page like below

This ensures that you have access to admin portal of Get Visibility admin GUI

4. Open a new tab and go to http://192.168.122.30:8500/ui/customer/services

Please note: You don’t need any username and password to access this page.

This will give you access to Consul dashboard where you can see status of all services w.r.t your GV deployment.

Ensure all services are up and running before moving to other tasks in this lab.

Login to Client machine and ensure both GV agent and FP agent are installed.

a. Open GNS3 (Double-click shortcut of GNS3 present on desktop of landing machine)

b. Double-click Client Machine (Or alternatively right click “Client Machine” and click “Console”) & You should be able to auto login to Client-Machine

c. Please ensure you see GVClient msi installer on Desktop

d. Right click the msi package and Install

e. Check “I accept the terms in the License Agreement” and click Install

f. Click Finish and best to reboot the machine.

Please note, in some cases, after agent installation, it might also prompt you to install additional Microsoft add-ons (if not already present on the system), please continue and install those add-ons as well and then reboot the machine.

g. Once you login back, please ensure you see GV agent and Forcepoint DLP agent in system tray.

3. Configuring Basic Settings

a. Open browser on the landing machine and go to https://192.168.122.30:9999/ui/#/login

b. Use below admin credentials

. Username: admin

Password: admin123

You should be able to see below landing page

c. Click on Configuration Wizard

d. Configure Compliance screen with the required Compliance standards:

Getvisibility comes with out of the box compliance standards shown in the agent.

Organisations can customize the classification options which appear on the end-user agent to align with internal policies or already implemented data loss prevention solutions. This is an optional feature, if you do not wish to show compliance standards in the agent, simply tick the ‘Disable Compliance’ option

For this LAB purpose will select GDPR/PII and HIPAA/PHI compliance standard and click NEXT

e. Classification TAGS: Which classification tags will the end user be able to view & select?

For this LAB purpose will select Default Classification option and click NEXT

f. Which Plugins will be active for the end-user?

For this LAB purpose (And usually) will select all available plugin options and click NEXT

g. Enforcement rule related to MS WORD, MS EXCEL, and MS POWERPOINT

Enforcement rules determine the necessity for end-users to classify a document before saving or printing. The enforcement options available are:

1. Enforce (or Force)

2. Warn

3. Log & Ignore

Please review all available options in dropdown (like Force, Warn and Log & Ignore),

However, for this LAB purpose will select Force option for both given settings and click NEXT

Keep the checkbox of “User lowers classification level of a classified document” un-checked - This will not allow end-user to later lower the classification of the document after saving.

h. Visual Tagging and Labelling for MS WORD, MS POWERPOINT and MS EXCEL

Visual labelling refers to the visual changes made to a document once classified. This includes customised:

1. Headers (You can change the text to Forcepoint {classification})

2. Footers: (You can change the text to Forcepoint {classification})

3. Watermarking: (You can change the text to (<span>Forcepoint {classification}</span>))

i. Outlook Policies

The Getvisibility Synergy Pro will sit within the ribbon of your Microsoft Outlook application. Organisations can configure how they want this agent to work within their application, customising enforcement rules and visual markings. You will also notice an option ‘Inherit minimal classification from classified attachment’. This means for example, that if an attached document is classified as Internal, the end-user may classify the email as Internal or Confidential but not as Public.

Same like above for MS Word, Excel and Powerpoint, we follow Enforcement and Visual tagging rule for MS Outlook now

Enforcement Rules

Enforcement rules determine the necessity for end-users to classify an email before sending or printing. The enforcement options available are:

1. Enforce

2. Warn

3. Log & Ignore

For this LAB purpose will select Force & Block option for given settings as shown below, Will also uncheck “Users lowers classification level of a classified email”, and click NEXT

j. Outlook Visual Tagging

Visual labelling refers to the visual changes made to an email once classified. This includes customised:

1. Headers: (You can change the text to Forcepoint {classification} or anything of your choice)

2. Footers: (You can change the text to Forcepoint {classification} or anything of your choice)

k. Sharing restrictions: Configure PUBLIC emails

Sharing restrictions can be configured through the wizard and enforced through Outlook. Sharing rules are configured depending on the classification level of the email.

This enforces sharing rules for end-users, depending on the classification level of the email. These options are

1. Allow

2. Warn

3. Block

Exceptions

This is an optional feature which allows administrators to create a whitelist of email addresses, that will be exempt from the sharing restrictions enforced above. This is a useful feature in ensuring restrictions do not negatively impact daily operations, while still maintaining a least privileges approach to data sharing.

For this LAB purpose will select ALLOW option for given settings as shown below and click NEXT

l. Configure INTERNAL Emails

For this LAB purpose will select BLOCK option and create exception for internal domain under “Allowed” emails. You can add any internal domain like “forcepoint.com” or “forcegv.com”

m. Configure CONFIDENTIAL email

For this LAB purpose will select WARN option and create exception for Internal domains under “Allowed” emails and for non-trusted domain (like gmail.com) under blocked emails

You can add “forcepoint.com” and “forcegv.com” under allowed emails list

You can add “gmail.com” under blocked email list

The expected behaviour for this rule would be

Always “WARN” user when a CONFIDENTIAL classified email is sent out,

except allow when CONFIDENTIAL email is sent to Forcepont.com

& Block when CONFIDENTIAL classified email is sent to “Gmail.com”

n. Click NEXT and FINISH

o. Click RESTART

YOU ARE DONE WITH THE BASIC CONFIGURATION. !! 😊

NOW IT IS TIME TO TEST THE RULES/ POLICIES.

4. Testing MS Office (Word) classification

a. Double-Click Folder named “Forcepoint” (Located on Client Machine’s C:\ drive)

b. Create 3 (three) new “Microsoft Word Document” Insider this folder and name them

· Forcepoint Confidential

· Forcepoint Internal

· Forcepoint Public

c. Open “Forcepoint Public Document” and write exactly the command as shown below in the word document (without quotes)

“=rand(10)”

This should auto populate random text in the word file.

Notice in the ribbon bar “Classification option” shown as “Not set”

As you can see the Getvisibility Agent is represented in the application's ribbon by the thumbprint logo. As this is a new document, the classification has not yet been set. Clicking on this icon will allow you to classify this document. HOWEVER, DON’T CLICK ON THIS ICON YET (If YOU DID, you can simply DISMISS for now)

a. First, we will try Printing this document without classification (File Print Print)

You should be seeing an alert as below

Here you can see that without classification, as per the rules configured in the configuration wizard, printing is blocked. To successfully print this document, the end-user will need to click ok and then classify the document.

(CLICK ON DISMISS at this point)

b. Now we will try SAVING this document without classification (File SAVE)

You should be seeing an alert as below

Here you can see that without classification, as per the rules configured in the configuration wizard, saving is blocked. To successfully save this document, the end-user will need to click OK and then classify the document.

On Clicking OK, you should see below Getvisibility pop-up screen –

You can get the same pop-up by clicking on the Classification option in ribbon bar –

As this is a PUBLIC Document, DON’T SELECT anything under Compliance option.

You might or might not see SUGGESTIONS option in the pop-up. This option is related to ML/AI auto suggestion model. In above example, we are seeing “FALSE” match to PII information, which suggests that GV system has around 66% confidence of the document content not being PII information.

Select Classification as “PUBLIC” and click on “SET”

Please check the “Header/Footer and Watermark” added to the document.

c. Checking metadata properties

Go to FILE Properties Advanced Properties

Click on “Custom” tab and review the classification metadata information

Once reviewed, save and close the document.

d. Open Forcepoint Internal document you created before and copy paste content from PII.txt (Text file already existing in the same folder).

Please note that the suggestions (AI/ML models) are now showing more confidence on the document content being PII,

Please select “USE SUGGESTED” option.

You will note that GDPR compliance and Internal Classification is already selected.

Click “SET”, review the “Header/Footer and Watermark and metadata properties of the document as done in previous exercise.

Save and close the document.

e. Downgrading document Classification

Re-open Forcepoint Internal Document and try to downgrade Classification to “PUBLIC”

You will note that this action is not allowed. Infact PUBLIC classification option is Greyed out.

This behaviour was as per the policy configured before which doesn’t allow users to downgrade classification.

f. Confidential document

Open Forcepoint Confidential.docx document and type “Factorytestkeyword”

Copy and pastes this keyword to appear in the document for more than 5-10 times.

Click Classification option in ribbon bar

Select Classification as “CONFIDENTIAL” and click on “SET”

Please verify the “Header/Footer and Watermark” and metadata added to the document.

g. Applying classification for non-office files (for example PDF)

Please go to C:\Forcepoint and find “Installation.pdf”

To Classify non-office files (like PDF), you can simply right click the document and use GV Classification option to Classify.

Select Confidential Classification and click “SET”

5. Testing MS Outlook classification

1. BASIC TEST

i. Open Outlook

ii. Click on New Email and try to send a test email to any email ID (let’s say websense100@gmail.com) , You can use any subject and any text in body of the email.

You can try using command =rand(10) in the body of email to generate random text for body of the email.

iii. Click Send

iv. Please note: You should be seeing below block message stating “Classification not set”

v. Click OK on the error message and set the classification as PUBLIC (You don’t have to select anything on the compliance option) and click SET

vi. Review the Header/Footer and after review, SEND the email

vii. GO to Sent Items and Open the email you just sent.

viii. Go to FILES Properties

ix. Check in the section “Internet headers”, classification: Public tag

2. Sending Internal classified document / emails via outlook

2.1 Click on New Email and attach “Forcepoint Internal.docx” document.

2.2 Click the classification of email to “INTERNAL”

2.3 Try to send a test email to any “GMAIL.com” email ID (let’s say websense100@gmail.com) , You can use any subject and any text in body of the email.

2.4 Click Send

2.5 Please note: You should be seeing a BLOCK notification (as per the policy set earlier which denies sending internal email to any domain other than forcepoint.com or forcegv.com)

2.6 Now try sending this email to internal domain used during initial configuration within GV wizard (i.e., any email ID on forcepoint.com domain or forcegv.com domain)

2.7 Please note: This time the email should go without any issues

3. Downgrading email classification from that off attachment

SELECTING lower classification of the email than that of the attachment.

3.1 Click on New Email and attach “Forcepoint Internal.docx” document.

3.2 Click the classification of email to “PUBLIC”

3.3 Now try sending this email to internal domain used during initial configuration within GV wizard (i.e., any email ID on forcepoint.com domain or forcegv.com domain)

3.4 Click Send

3.5 Please note: You should be seeing below notification that the attachment has more sensitive than the level you have selected for the email. You need to increase the level of classification to match the attachment.

3.6 Click OK and select the classification to INTERNAL and send the email.

3.7 Please note: You should be able to send the email now.

4. Inherit Classification of Email chain / Block downgrading of email classification

4.1 Go to Sent Items in outlook and open one of the last sent email which had the classification “INTERNAL”

4.2 Click “Forward” option

4.3 Note that the classification of this new email is already selected as “INTERNAL”

4.4 Try downgrading the classification to “PUBLIC”

4.5 You should see that option of “PUBLIC” classification is greyed out.

4.6 Click on DISMISS option and close the email.

5. Sending CONFIDENTIAL classified emails via outlook

5.1 Click on New Email and attach “Forcepoint Confidential.docx” document.

5.2 Click the classification of email to “CONFIDENTIAL”

5.3 Try to send a test email to any “GMAIL.com” email ID (let’s say websense100@gmail.com) , You can use any subject and any text in body of the email.

5.4 Click Send

5.5 You should be blocked with a message popup as below

This is as per the policy set during the initial configuration which BLOCKs confidential classified email to go to GMAIL.com

5.6 Change the recipient from (gmail.com) to any other domain (use any email other than gmail.com or forcegv.com OR forcepoint.com)

5.7 Click Send

5.8 You should still see the warning message,

On clicking Dismiss – the email will be sent

On Clicking OK – You shall get a pop-up to re-classify the message

6. Forcepoint Classification (Powered by GV) Integration with Forcepoint DLP

1. Integration to read Meta-Data Tags

1.1 Open Forcepoint DLP (FSM) console by going to

https://192.168.122.21:9443/

Username: admin

Password: Forcepoint1!

1.2 Go to Main Policy Management Content Classifiers File Labelling

1.3 Click “New”

1.4 Type below entries (Note: You can give any name of your choice)

Name: GV-Internal

Labeling system: Any Labeling System

Under Label type “Internal” and click Add

Click OK

Please note: By default, Classification Tags are not case-sensitive, but if you want to make them case-sensitive you can check the below option of “The detected labels are case-sensitive”

However, for this lab purpose will use the non-case-sensitive labels.

1.5 Click “Cancel” on below pop-up

1.6 Similarly add “Confidential”

Click New

Name: GV-Confidential

Labeling system: Any Labeling System

Under Label type “Confidential” and click Add

Click OK

1.7 Click “Cancel” on below pop-up

1.8 Similarly add “Confidential”

Click New

Name: GV-Public

Labeling system: Any Labeling System

Under Label type “Public” and click Add

Click OK

Click “Cancel” on below pop-up

1.10 Now Go to Policy Management DLP Policies Managed Policies

1.1 Click on Add Custom Policy

1.2 Enter below entries

Policy Name: Block GV-Confidential

(Give the same rule name and description)

1.3 Click Next

1.4 Click “Add File Labeling” and select “GV-Confidential” and click “OK”

1.5 Click Next

1.6 Select “Block All” Action Plan and click Next

1.7 Click “Next” on Source tab

1.8 Click “Next” on Destination tab

1.9 Click Finish

1.10 Deploy Policy and Ensure policy is pushed to all components (green tick on all components)

2.1 Repeat the same steps for GV-Internal Policy

2.2 Go to Policy Management DLP Policies Managed Policies

Enter below entries

Policy Name: Block GV-Internal

(Give the same rule name and description)

2.3 Click Next

2.4 Click “Add File Labeling” and select “GV-Internal” and click “OK”

2.5 Click Next

2.6 Select “Block All” Action Plan and click Next

2.7 Click “Next” on Source tab

2.8 Click “Next” on Destination tab

2.9 Click Finish

2.10 Deploy Policy and Ensure policy is pushed to all components (green tick on all components)

2. Detection of GV tags using Forcepoint DLP Endpoint

2.1 Go to Client Machine

2.2 Update DLP endpoint agent

Find Forcepoint DLP agent in system tray, right click and click on “Open Forcepoint DLP endpoint”

Click on Update and OK

Close the dialog box.

2.3 Open outlook and draft a new email

2.4 Add recipient Websense100@yahoo.com

2.5 Attach “Forcepoint Confidential.docx” (file found in desktop folder Forcepoint)

2.6 Classify this email as “CONFIDENTIAL”

2.7 Write any subject and body

2.8 Click SEND

Note Forcepoint DLP Endpoint blocks this message from going out

2.9 Let’s look at the Incident detail in FSM

Go to FSM (https://192.168.122.21:9443)

Go to Reporting Data Loss Prevention Incident (last 3 days)

2.10 Look at the incident detail

7. Detection of GV tags using Forcepoint Network DLP (Protector)

7.1 Firstly, lets disable the above created policies to ensure emails are not blocked at the endpoint itself.

Go-to Policy Management DLP Policies Managed Policies

Select Policies one by one and click Edit

Un-check Enabled option and click OK

Click Deploy and save changes

Follow the same for other policies.

Update the agent on client machine to ensure it gets the new policy changes.

a. Right click Forcepoint agent on system tray

b. Click on “Open Forcepoint DLP endpoint”

c. Click Update and check the policy getting updated.

7.2 Now Go to client machine – open Outlook to check the X-header information inserted by Forcepoint Classification.

Go-to Client Machine

Open Outlook Go to Sent Items Open one of the last sent emails

Click on File Click on Properties

Copy the X-Header Tag to a text file, will use it later (name it Xheader.txt)

It should look like below line (note it can be different for different installations)

tagset_e16409a7_1700_4153_9090_3955bc2f0ae8_classification: Internal

7.3 Go back to FSM and

Go to Policy Management Content Classifier Patterns & Phrases

Click on New Key Phrases

Name: GV Internal – Header

Phrase to search: Internal

Click OK

Cancel the pop-up

Go to Policy Management DLP policies Managed Policies

Add custom Policies

Give below details

Name: GV Internal Network Email

Rule Name: GV Internal Network Email

Click Next

Click Add Patterns & Phrases

Search for “GV Internal – Header” and click OK

Once the Content Classifier is added, click on Threshold option under Properties

Scroll down and select “Other header (may be user-defined)” and click OK and click Next

Under “Severity & Action” select “Block All”

Under Source – keep it “All”

Under Destination – Select Network Email

Save and deploy the policy

7.4 Let’s test by sending an email to <any email id> let’s say seu2022@gmail.com and select classification “Internal”,

Please note the incident in DLP

Reporting Data Loss Prevention Incident (last 3 days)

You should see incident with channel “Network Email”

Note the incident trigger details

If you want to trigger alert only on X-header and not Header/Footer of email.

You can change the policy to only include specific X-header within the email.

Simply go back to the policy Edit go to Condition

Click on Threshold under “Properties”

Change the header to

“User-defined header” option and paste the header details copied from before (from Xheader.txt)

tagset_e16409a7_1700_4153_9090_3955bc2f0ae8_classification

Click OK and save and deploy the policy

Test by sending an email again (with classification set to Internal) and see the incident details.

It should trigger an alert just based on X-Header information.

8. Discovery task with remediation script

For this exercise we will use the default remediation script of moving “Confidential” tagged document to a quarantine location on Endpoint (via Endpoint DLP)

8.1. Login to Client Machine

8.2. Create a new folder in C:\ drive and name “MOVE”

8.3. Right click on this folder and click on Properties Sharing Share

8.4. Search Everyone in the dropdown and click on ADD

8.5. Change the Permission level for everyone to “Read/Write” and click Share

8.6. Note down the Network path

8.7. Now access (run) \\192.168.122.21\ForcepointSEU\GetVisibility - Remediation Script and find “MoveFilesnew.py”

8.8. Right-click “MoveFiles.py” and edit it using WordPad

8.9. Replace the path as shown below, save and close the file.

8.10 Now open FSM by going to https://192.168.122.21:9443

Goto Policy Management Resources Remediation script

Click New Endpoint Script

Name it “Auto Move”

Under Windows Executable and Additional Files Click Choose File

Select the file you had modified “MoveFilesnew.py”

Click OK, Save and Deploy

8.11 Now create Discovery Policy and Discovery Task

Go to Policy Management Discovery Policies Manage Policies

Add Custom Policy …

Set the Policy and rule name to GV Confidential and click Next

Under Condition tab, Click Add File Labeling Select “GV-Confidential” and click OK

Click Next

Under Action Plan, click on “New Icon”

Name the new Action Plan as “Auto Move”

Select Discovery Tab Check “Run Endpoint remediation script” checkbox under Endpoint Discovery and select the remediation script you created in above task “Auto Move”, Click OK and Click Next and Finish

Save and deploy the changes

Now let’s create Endpoint Discovery Task

Click New and Name: Auto Move and Click Next

Under Endpoint Hosts Keep it “All” and click Next

Under Scheduler Select “Continuously” from dropdown and change the Wait time to 1 min

Also uncheck “Scan only when computer is idle” and “Pause scanning while computer is running on batteries” options and CLICK NEXT

Select the Policy GV Confidential and Click next

Under File Filtering option, limit your discovery scope to Folder “C:\Forcepoint\*”

Click Next and Save the Task,

Save and deploy the changes

8.12 Now let’s test the discovery task and Move action on the Endpoint

Go to Client machine and go to C:\Forcepoint

Create a new document and classify it “Forcepoint Confidential”

Now Update your Forcepoint DLP agent (by right clicking the DLP agent Open Forcepoint DLP endpoint)

Click on Update and note the Next scan time under Discovery section,

Wait till that time and note the File under C:\Forcepoint you had created.

You should see below note

Now Go to the Folder \\DESKTOP-67UMBUF\Move to see if the file has been moved file.

Now Login to FSM Reporting Discovery Discovery Incidents (Last 7 days)

Look for Endpoint discovery incident and have a close look into the History tab to see the remediation script ran status

End of Document

Contents

Introduction

This document gives a high-level overview of how the license management process works.

License Management Process

The steps involved in the License management Process is as follows:

• Getvisibility(GV) will register its resellers in the customer management system.

• The success code of registration and URL will be sent to ForcePoint (FP)

• FP will use GV customer management API to register a new customer (Check the open API specification for more details)

  • New Customer Name

  • License Type

  • Region

  • Number of Users

  • Expiration Time

• Based on the information received GV will return via API response the registration command for the customer in the specific region like:

  • EMEA

  • US

  • India

• On the clusters GV will perform:

  • Deploy Essential Services

  • Deploy Monitoring Tools

  • Deploy GV Services

• After the basic deployment, GV tools are ready for use.

Hold/Revoke License

The steps involved in revoking the license are as follows:

• Using the Monitoring tools enabled, GV will receive various statistics related to user usage.

• The statistics are stored in the GV databases.

• As soon as the number of users exceeds the specified customer limit as per the license, a trigger is generated in GV.

• The FP sales engineer can make a decision to disable the UI and plugins.