Synergy Workshop_POC setup guide
Contents
- 1 Document Details
- 1.1 Overview
- 1.2 Getvisibility Products
- 1.3 Lab Topology
- 1.4 Lab Components:
- 1.5 LAB Credentials
- 1.6 Lab preparations
- 1.7 3. Configuring Basic Settings
- 1.8 4. Testing MS Office (Word) classification
- 1.9 5. Testing MS Outlook classification
- 1.10 6. Forcepoint Classification (Powered by GV) Integration with Forcepoint DLP
- 1.11 7. Detection of GV tags using Forcepoint Network DLP (Protector)
- 1.12 8. Discovery task with remediation script
Prepared By | Reviewed By | Date | Document Version |
Artem Kalaitan | Artem Kalaitan | 4-July-2022 | V 1 |
Overview
With state-of-the-art machine learning algorithms, Getvisibility combines natural language processing with neural networks. This allows us to classify unstructured data across organisations with unparalleled accuracy and speed.
Using machine learning rather than traditional pattern matching (regular expressions) and dictionary lookup methods allows Getvisibility to understand the context of a document, thereby increasing accuracy. As the neural network does most of the work, organisations no longer must embark on the laborious and expensive task of creating rules and regex hits per department and document type. Getvisibility’s customisable tag set enables users to apply company-specific classification to their unstructured data, which the neural network learns with increasing accuracy. Training of the neural network can be done through our user-friendly interface, eliminating the need for the highly qualified engineers and data scientists associated with traditional methods.
The Getvisibility classification tool is built on sophisticated machine learning algorithms to enable organizations to discover, classify and secure their most sensitive data. The Getvisibility platform combines smart agent technology and machine learning to provide a uniquely powerful solution for data classification and tagging. This is the first solution to enable automated, historical and manual classification with one deployment. This is unique but it also has a very significant value dramatically improving the quality of the manual classification process by leveraging the advanced AI model and understanding of historically created data.
Getvisibility Products
Getvisibility Synergy Pro & Synergy
The Getvisibility Synergy Pro and Synergy products are designed to help your organisation classify and protect data in use, new data and data in motion. The solution works for both cloud and on-prem applications.
Focus (Not yet part of Forcepoint OEM)
Getvisibility Focus enables automated, accurate and timely discovery and classification of both new and legacy data. The Getvisibility discovery solution gives organisations an overview of all their data, tailored to how they want that data to be displayed and monitored.
Getvisibility offers contextual classification, empowering the data with appropriate metadata and enhancing the usage of that data throughout the organisation.
Lab Topology
This lab is intended to provide a quick overview and hands-on experience of the Getvisibility (GV) platform, and it covers some of the common use cases associated with GV. You will get access to a preconfigured GV tenant in the Go4labs environment.
Lab Components:
a. GV server: the GV management server, based on Arch Linux.
b. FSM (Forcepoint Security Manager): Management Server for Forcepoint Email and DLP components.
c. SQL: DB used for Forcepoint Email and DLP components.
d. ESG DLP Network: Network DLP appliance used for MTA.
e. Webmail Server: Webmail server and client.
f. GetVisibility-Agent: End user machine that we will be using for this lab.
LAB Credentials
GV server:
IP address: 192.168.122.168
Username / Password: admin/admin123
FSM (Forcepoint Security Manager): Management Server for Forcepoint Web/Email and DLP components.
IP address: 192.168.122.21
Username / Password: admin/Forcepoint1!
RDP Username/ Password: administrator/Forcepoint1
DLP Protector: Network DLP appliance used for MTA
IP address: 192.168.122.23 (C) and 192.168.122.24 (P1 Outbound email)
SSH Username / Password: admin/Forcepoint1!
Webmail Server: Webmail server and client.
URL: https://192.168.122.1:5006
Username / Password: any/any
Username / Password: admin/Forcepoint1
Client Machine: End user machine
IP address: dhcp
RDP Username/ Password: student/Forcepoint1
Lab preparations
Your lab will be provisioned and assigned to your Go4labs account. If you don’t see the lab in your account, please reach out to one of the CSEs or the Go4labs team during the training.
On accessing the above lab (either via RDP or web access) you should be able to reach the landing machine.
1. Open a browser and go to https://192.168.122.30:9999/ui/#/login
2. Use the admin credentials below
a. Username: admin
b. Password: admin123
3. You should see a landing page like the one below.
This confirms that you have access to the Getvisibility admin portal.
4. Open a new tab and go to http://192.168.122.30:8500/ui/customer/services
Please note: You don’t need any username and password to access this page.
This gives you access to the Consul dashboard, where you can see the status of all services in your GV deployment.
Ensure all services are up and running before moving on to the other tasks in this lab.
5. Log in to the client machine and ensure both the GV agent and the Forcepoint (FP) DLP agent are installed.
a. Open GNS3 (Double-click shortcut of GNS3 present on desktop of landing machine)
b. Double-click Client Machine (or right-click “Client Machine” and click “Console”); you should be logged in to Client-Machine automatically.
c. Ensure the GVClient MSI installer is on the Desktop.
d. Right-click the MSI package and click Install.
e. Check “I accept the terms in the License Agreement” and click Install.
f. Click Finish; it is best to reboot the machine.
Please note: in some cases, after agent installation, you may also be prompted to install additional Microsoft add-ons (if not already present on the system). Continue and install those add-ons as well, then reboot the machine.
g. Once you log back in, ensure you see the GV agent and the Forcepoint DLP agent in the system tray.
3. Configuring Basic Settings
a. Open a browser on the landing machine and go to https://192.168.122.30:9999/ui/#/login
b. Use the admin credentials below
Username: admin
Password: admin123
You should see the landing page below
c. Click on Configuration Wizard
d. Configure the Compliance screen with the required compliance standards:
Getvisibility comes with the out-of-the-box compliance standards shown in the agent.
Organisations can customise the classification options which appear on the end-user agent to align with internal policies or already implemented data loss prevention solutions. This is an optional feature; if you do not wish to show compliance standards in the agent, simply tick the ‘Disable Compliance’ option.
For this lab we will select the GDPR/PII and HIPAA/PHI compliance standards and click NEXT.
e. Classification TAGS: which classification tags will the end user be able to view and select?
For this lab we will select the Default Classification option and click NEXT.
f. Which plugins will be active for the end user?
For this lab (and usually) we will select all available plugin options and click NEXT.
g. Enforcement rules for MS Word, MS Excel and MS PowerPoint
Enforcement rules determine whether end users must classify a document before saving or printing. The enforcement options available are:
1. Enforce (or Force)
2. Warn
3. Log & Ignore
Please review all available options in the dropdown (Force, Warn and Log & Ignore).
For this lab we will select the Force option for both settings and click NEXT.
Keep the “User lowers classification level of a classified document” checkbox unchecked. This prevents end users from lowering the classification of a document after it has been saved.
h. Visual tagging and labelling for MS Word, MS PowerPoint and MS Excel
Visual labelling refers to the visual changes made to a document once classified. This includes customised:
1. Headers (you can change the text to Forcepoint {classification})
2. Footers (you can change the text to Forcepoint {classification})
3. Watermarking (you can change the text to Forcepoint {classification})
i. Outlook Policies
The Getvisibility Synergy Pro will sit within the ribbon of your Microsoft Outlook application. Organisations can configure how they want this agent to work within their application, customising enforcement rules and visual markings. You will also notice an option ‘Inherit minimal classification from classified attachment’. This means for example, that if an attached document is classified as Internal, the end-user may classify the email as Internal or Confidential but not as Public.
As with MS Word, Excel and PowerPoint above, we now configure the enforcement and visual tagging rules for MS Outlook.
Enforcement Rules
Enforcement rules determine whether end users must classify an email before sending or printing. The enforcement options available are:
1. Enforce
2. Warn
3. Log & Ignore
For this lab we will select the Force & Block option for the given settings as shown below, uncheck “User lowers classification level of a classified email”, and click NEXT.
j. Outlook Visual Tagging
Visual labelling refers to the visual changes made to an email once classified. This includes customised:
1. Headers: (You can change the text to Forcepoint {classification} or anything of your choice)
2. Footers: (You can change the text to Forcepoint {classification} or anything of your choice)
k. Sharing restrictions: Configure PUBLIC emails
Sharing restrictions can be configured through the wizard and enforced through Outlook. Sharing rules are applied to end users depending on the classification level of the email. The options are:
1. Allow
2. Warn
3. Block
Exceptions
This is an optional feature which allows administrators to create a whitelist of email addresses that are exempt from the sharing restrictions enforced above. It is useful for ensuring that restrictions do not negatively impact daily operations while still maintaining a least-privilege approach to data sharing.
For this lab we will select the ALLOW option for the given settings as shown below and click NEXT.
l. Configure INTERNAL Emails
For this lab we will select the BLOCK option and create an exception for the internal domain under “Allowed” emails. You can add any internal domain, such as “forcepoint.com” or “forcegv.com”.
m. Configure CONFIDENTIAL email
For this lab we will select the WARN option and create exceptions for the internal domains under “Allowed” emails and for a non-trusted domain (such as gmail.com) under blocked emails.
You can add “forcepoint.com” and “forcegv.com” to the allowed emails list.
You can add “gmail.com” to the blocked emails list.
The expected behaviour for this rule is:
Always WARN the user when a CONFIDENTIAL classified email is sent out,
except ALLOW when a CONFIDENTIAL email is sent to forcepoint.com,
and BLOCK when a CONFIDENTIAL classified email is sent to gmail.com.
n. Click NEXT and FINISH
o. Click RESTART
YOU ARE DONE WITH THE BASIC CONFIGURATION!! 😊
NOW IT IS TIME TO TEST THE RULES / POLICIES.
4. Testing MS Office (Word) classification
a. Double-click the folder named “Forcepoint” (located on the Client Machine’s C:\ drive)
b. Create three new “Microsoft Word Document” files inside this folder and name them
· Forcepoint Confidential
· Forcepoint Internal
· Forcepoint Public
c. Open the “Forcepoint Public” document and type exactly the command shown below into the Word document (without quotes)
“=rand(10)”
This auto-populates the Word file with random text.
Notice that in the ribbon bar the “Classification” option is shown as “Not set”.
As you can see, the Getvisibility agent is represented in the application's ribbon by the thumbprint logo. As this is a new document, the classification has not yet been set. Clicking this icon will allow you to classify the document. HOWEVER, DON’T CLICK THIS ICON YET (if you did, simply click DISMISS for now).
a. First, we will try printing this document without classification (File > Print > Print)
You should see an alert like the one below
Here you can see that without classification, as per the rules configured in the configuration wizard, printing is blocked. To print this document successfully, the end user needs to click OK and then classify the document.
(CLICK DISMISS at this point)
b. Now we will try SAVING this document without classification (File > Save)
You should see an alert like the one below
Here you can see that without classification, as per the rules configured in the configuration wizard, saving is blocked. To save this document successfully, the end user needs to click OK and then classify the document.
On clicking OK, you should see the Getvisibility pop-up screen below:
You can get the same pop-up by clicking the Classification option in the ribbon bar:
You may or may not see the SUGGESTIONS option in the pop-up. This option is driven by the ML/AI auto-suggestion model. In the example above, we see a “FALSE” match for PII, meaning the GV system has around 66% confidence that the document content is not PII.
Select the classification “PUBLIC” and click SET.
Check the header, footer and watermark added to the document.
c. Checking metadata properties
Go to File > Properties > Advanced Properties
Click the “Custom” tab and review the classification metadata.
Once reviewed, save and close the document.
d. Open the Forcepoint Internal document you created before and copy and paste the content of PII.txt (a text file already in the same folder).
Note that the suggestions (AI/ML models) now show higher confidence that the document content is PII.
Select the “USE SUGGESTED” option.
You will note that GDPR compliance and the Internal classification are already selected.
Click SET and review the header, footer, watermark and metadata properties of the document as in the previous exercise.
Save and close the document.
e. Downgrading document Classification
Re-open the Forcepoint Internal document and try to downgrade its classification to “PUBLIC”.
You will note that this action is not allowed; in fact the PUBLIC classification option is greyed out.
This behaviour follows the policy configured earlier, which does not allow users to downgrade a classification.
f. Confidential document
Open the Forcepoint Confidential.docx document and type “Factorytestkeyword”.
Copy and paste this keyword so that it appears in the document more than 5-10 times.
Click the Classification option in the ribbon bar.
Select the classification “CONFIDENTIAL” and click SET.
Verify the header, footer, watermark and metadata added to the document.
g. Applying classification for non-office files (for example PDF)
Go to C:\Forcepoint and find “Installation.pdf”.
To classify non-Office files (such as PDFs), simply right-click the document and use the GV Classification option.
Select the Confidential classification and click SET.
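The classification metadata you review in the Custom tab in step c (and again in steps d and f) is stored in the docProps/custom.xml part inside the Office file, which is a ZIP container. The following Python script is an added example, not part of the lab or any Getvisibility or Forcepoint tool: it lists the custom properties of a Word, Excel or PowerPoint file so you can verify labels across many files without opening each one. The property name “Classification” and the sample values are assumptions constructed for the example; check the Custom tab to see the property name your agent actually writes and pass that name in.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/custom.xml in Office Open XML files.
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"


def read_custom_properties(office_bytes):
    """Return {name: value} for every custom property in a .docx/.xlsx/.pptx.

    The "Custom" tab under File > Properties > Advanced Properties is backed by
    the docProps/custom.xml part. A file with no custom properties has no such
    part at all, which this treats as an empty dictionary.
    """
    with zipfile.ZipFile(io.BytesIO(office_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        # Each property holds one typed child (vt:lpwstr, vt:i4, vt:bool, ...).
        child = next(iter(prop), None)
        props[prop.get("name")] = child.text if child is not None else None
    return props


def classification_of(office_bytes, property_name="Classification"):
    """Return the value of the classification property, or None if absent.

    The property NAME is compared case-insensitively here; the lab's note about
    case-sensitivity concerns the label VALUE matched by Forcepoint.
    property_name="Classification" is an assumption for this example.
    """
    for name, value in read_custom_properties(office_bytes).items():
        if name is not None and name.lower() == property_name.lower():
            return value
    return None


def build_sample_docx(custom_props):
    """Constructed sample: a minimal ZIP with just a docProps/custom.xml part.
    Real Office files contain many more parts; only custom.xml matters here."""
    entries = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" name="{name}">'
        f"<vt:lpwstr>{value}</vt:lpwstr></property>"
        for pid, (name, value) in enumerate(custom_props.items(), start=2)  # pids start at 2
    )
    xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">{entries}</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/custom.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx({"Classification": "Internal", "Compliance": "GDPR"})
    print(read_custom_properties(sample))
    print("classification:", classification_of(sample))
```

To run it against the lab's own files, read them with `open(path, "rb").read()` and pass the bytes to `classification_of`; a document that still reports `None` after you clicked SET is worth a second look in the Custom tab.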
5. Testing MS Outlook classification
1. BASIC TEST
i. Open Outlook
ii. Click New Email and try to send a test email to any email address (say websense100@gmail.com). You can use any subject and any text in the body of the email.
You can use the command =rand(10) in the body of the email to generate random body text.
iii. Click Send
iv. Please note: you should see the block message below stating “Classification not set”
v. Click OK on the error message, set the classification to PUBLIC (you don’t have to select anything under the compliance option) and click SET
vi. Review the header/footer and, after review, SEND the email
vii. Go to Sent Items and open the email you just sent.
viii. Go to File > Properties
ix. In the “Internet headers” section, check for the classification: Public tag
2. Sending Internal classified document / emails via outlook
2.1 Click on New Email and attach “Forcepoint Internal.docx” document.
2.2 Click the classification of email to “INTERNAL”
2.3 Try to send a test email to any “gmail.com” email address (say websense100@gmail.com). You can use any subject and any text in the body of the email.
2.4 Click Send
2.5 Please note: you should see a BLOCK notification (as per the policy set earlier, which denies sending Internal email to any domain other than forcepoint.com or forcegv.com)
2.6 Now try sending this email to internal domain used during initial configuration within GV wizard (i.e., any email ID on forcepoint.com domain or forcegv.com domain)
2.7 Please note: This time the email should go without any issues
3. Downgrading the email classification below that of the attachment
Selecting a lower classification for the email than that of the attachment.
3.1 Click on New Email and attach “Forcepoint Internal.docx” document.
3.2 Click the classification of email to “PUBLIC”
3.3 Now try sending this email to internal domain used during initial configuration within GV wizard (i.e., any email ID on forcepoint.com domain or forcegv.com domain)
3.4 Click Send
3.5 Please note: you should see the notification below that the attachment is more sensitive than the level you selected for the email. You need to raise the classification level of the email to match the attachment.
3.6 Click OK and select the classification to INTERNAL and send the email.
3.7 Please note: You should be able to send the email now.
4. Inherit Classification of Email chain / Block downgrading of email classification
4.1 Go to Sent Items in Outlook and open one of the last sent emails which had the classification “INTERNAL”
4.2 Click “Forward” option
4.3 Note that the classification of this new email is already selected as “INTERNAL”
4.4 Try downgrading the classification to “PUBLIC”
4.5 You should see that option of “PUBLIC” classification is greyed out.
4.6 Click on DISMISS option and close the email.
5. Sending CONFIDENTIAL classified emails via outlook
5.1 Click on New Email and attach “Forcepoint Confidential.docx” document.
5.2 Click the classification of email to “CONFIDENTIAL”
5.3 Try to send a test email to any “gmail.com” email address (say websense100@gmail.com). You can use any subject and any text in the body of the email.
5.4 Click Send
5.5 You should be blocked with a message popup as below
This is as per the policy set during the initial configuration, which BLOCKs Confidential-classified email to gmail.com
5.6 Change the recipient from gmail.com to any other domain (use any email address other than gmail.com, forcegv.com or forcepoint.com)
5.7 Click Send
5.8 You should still see the warning message:
On clicking Dismiss, the email is sent
On clicking OK, you get a pop-up to re-classify the message
6. Forcepoint Classification (Powered by GV) Integration with Forcepoint DLP
1. Integration to read metadata tags
1.1 Open the Forcepoint DLP (FSM) console and log in with
Username: admin
Password: Forcepoint1!
1.2 Go to Main > Policy Management > Content Classifiers > File Labelling
1.3 Click “New”
1.4 Enter the entries below (note: you can give any name of your choice)
Name: GV-Internal
Labeling system: Any Labeling System
Under Label type “Internal” and click Add
Click OK
Please note: by default, classification tags are not case-sensitive, but if you want to make them case-sensitive you can check the option “The detected labels are case-sensitive” shown below.
For this lab we will use non-case-sensitive labels.
1.5 Click “Cancel” on below pop-up
1.6 Similarly add “Confidential”
Click New
Name: GV-Confidential
Labeling system: Any Labeling System
Under Label type “Confidential” and click Add
Click OK
1.7 Click “Cancel” on below pop-up
1.8 Similarly add “Public”
Click New
Name: GV-Public
Labeling system: Any Labeling System
Under Label type “Public” and click Add
Click OK
1.9 Click “Cancel” on the pop-up below
1.10 Now go to Policy Management > DLP Policies > Managed Policies
1.11 Click Add Custom Policy
1.12 Enter the entries below
Policy Name: Block GV-Confidential
(Give the same rule name and description)
1.13 Click Next
1.14 Click “Add File Labeling”, select “GV-Confidential” and click “OK”
1.15 Click Next
1.16 Select the “Block All” action plan and click Next
1.17 Click “Next” on the Source tab
1.18 Click “Next” on the Destination tab
1.19 Click Finish
1.20 Deploy the policy and ensure it is pushed to all components (green tick on all components)
2.1 Repeat the same steps for GV-Internal Policy
2.2 Go to Policy Management > DLP Policies > Managed Policies
Enter below entries
Policy Name: Block GV-Internal
(Give the same rule name and description)
2.3 Click Next
2.4 Click “Add File Labeling” and select “GV-Internal” and click “OK”
2.5 Click Next
2.6 Select “Block All” Action Plan and click Next
2.7 Click “Next” on Source tab
2.8 Click “Next” on Destination tab
2.9 Click Finish
2.10 Deploy Policy and Ensure policy is pushed to all components (green tick on all components)
2. Detection of GV tags using Forcepoint DLP Endpoint
2.1 Go to Client Machine
2.2 Update DLP endpoint agent
Find the Forcepoint DLP agent in the system tray, right-click it and click “Open Forcepoint DLP endpoint”
Click on Update and OK
Close the dialog box.
2.3 Open outlook and draft a new email
2.4 Add recipient Websense100@yahoo.com
2.5 Attach “Forcepoint Confidential.docx” (file found in desktop folder Forcepoint)
2.6 Classify this email as “CONFIDENTIAL”
2.7 Write any subject and body
2.8 Click SEND
Note that Forcepoint DLP Endpoint blocks this message from going out
2.9 Let’s look at the incident detail in FSM
Go to FSM (https://192.168.122.21:9443)
Go to Reporting > Data Loss Prevention > Incident (last 3 days)
2.10 Look at the incident detail
7. Detection of GV tags using Forcepoint Network DLP (Protector)
7.1 First, let’s disable the policies created above to ensure emails are not blocked at the endpoint itself.
Go to Policy Management > DLP Policies > Managed Policies
Select the policies one by one and click Edit
Uncheck the Enabled option and click OK
Click Deploy and save the changes
Follow the same for the other policies.
Update the agent on the client machine to ensure it gets the new policy changes.
a. Right-click the Forcepoint agent in the system tray
b. Click “Open Forcepoint DLP endpoint”
c. Click Update and check that the policy gets updated.
7.2 Now go to the client machine and open Outlook to check the X-header information inserted by Forcepoint Classification.
Go to the Client Machine
Open Outlook > go to Sent Items > open one of the last sent emails
Click File > Properties
Copy the X-header tag to a text file; we will use it later (name it Xheader.txt)
It should look like the line below (note that it can differ between installations)
tagset_e16409a7_1700_4153_9090_3955bc2f0ae8_classification: Internal
7.3 Go back to FSM and go to Policy Management > Content Classifiers > Patterns & Phrases
Click on New Key Phrases
Name: GV Internal – Header
Phrase to search: Internal
Click OK
Cancel the pop-up
Go to Policy Management > DLP Policies > Managed Policies
Click Add Custom Policy
Enter the details below
Name: GV Internal Network Email
Rule Name: GV Internal Network Email
Click Next
Click Add Patterns & Phrases
Search for “GV Internal – Header” and click OK
Once the content classifier is added, click the Threshold option under Properties
Scroll down, select “Other header (may be user-defined)”, click OK and click Next
Under “Severity & Action” select “Block All”
Under Source, keep it “All”
Under Destination, select Network Email
Save and deploy the policy
7.4 Let’s test by sending an email to any email address, say seu2022@gmail.com, with the classification set to “Internal”.
Note the incident in DLP:
Reporting > Data Loss Prevention > Incident (last 3 days)
You should see an incident with channel “Network Email”
Note the incident trigger details
If you want to trigger an alert only on the X-header and not on the header/footer of the email, you can change the policy to only include the specific X-header within the email.
Simply go back to the policy > Edit > Condition
Click on Threshold under “Properties”
Change the header to the “User-defined header” option and paste the header name copied earlier (from Xheader.txt)
tagset_e16409a7_1700_4153_9090_3955bc2f0ae8_classification
Click OK and save and deploy the policy
Test by sending an email again (with classification set to Internal) and see the incident details.
It should trigger an alert just based on X-Header information.
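The two mechanisms this lab exercises in Outlook are the classification X-header written by the agent (steps 7.2 to 7.4 above) and the sharing restrictions configured in the wizard (Public: allow; Internal: block except forcepoint.com/forcegv.com; Confidential: warn, allow to the internal domains, block to gmail.com). The following Python script is an added example, not Getvisibility or Forcepoint code: it pulls the classification out of a raw message's headers the same way a header-based DLP rule does, then evaluates each recipient domain against the lab's sharing rules and reports the most restrictive outcome. The header name in the sample is the one shown in this guide; the sample messages and the rule encoding are constructed for the example, and the regular expression that matches the installation-specific tagset id is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# The GV X-header name embeds an installation-specific tagset id, so match its
# shape (tagset_<hex and underscores>_classification) rather than a fixed name.
# The exact pattern is an assumption for this example.
TAG_HEADER_RE = re.compile(r"^tagset_[0-9a-f_]+_classification$", re.IGNORECASE)

# Sharing rules as configured in the wizard in this lab; this encoding is the
# example's own, not a GV or Forcepoint API.
INTERNAL_DOMAINS = {"forcepoint.com", "forcegv.com"}
BLOCKED_DOMAINS = {"gmail.com"}


def classification_from_headers(raw_message):
    """Return the lower-cased classification from the GV X-header, or None."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        if TAG_HEADER_RE.match(name):
            return value.strip().lower()
    return None


def recipient_domains(raw_message):
    """Set of recipient domains across To, Cc and Bcc."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(fields) if "@" in addr}


def sharing_decision(classification, domain):
    """Decision for one recipient domain: allow, warn or block."""
    if classification is None:
        return "block"                       # Force & Block: classification not set
    if classification == "public":
        return "allow"                       # PUBLIC emails: allow
    if classification == "internal":         # INTERNAL: block, except internal domains
        return "allow" if domain in INTERNAL_DOMAINS else "block"
    if classification == "confidential":     # CONFIDENTIAL: warn, with exceptions
        if domain in INTERNAL_DOMAINS:
            return "allow"
        if domain in BLOCKED_DOMAINS:
            return "block"
        return "warn"
    return "block"                           # unknown label: fail closed


def evaluate_message(raw_message):
    """Apply the rules to every recipient and return (classification, outcome),
    where the outcome is the most restrictive decision (block > warn > allow)."""
    severity = {"allow": 0, "warn": 1, "block": 2}
    cls = classification_from_headers(raw_message)
    decisions = [sharing_decision(cls, d) for d in recipient_domains(raw_message)]
    outcome = max(decisions, key=severity.__getitem__) if decisions else "allow"
    return cls, outcome


# Constructed sample messages. The header name is the one shown in this guide.
SAMPLE_CONFIDENTIAL = """\
From: student@forcegv.com
To: someone@gmail.com, colleague@forcepoint.com
Subject: Q3 figures
tagset_e16409a7_1700_4153_9090_3955bc2f0ae8_classification: Confidential

Body text.
"""

SAMPLE_UNCLASSIFIED = "From: student@forcegv.com\nTo: peer@example.org\nSubject: hi\n\nBody.\n"

if __name__ == "__main__":
    print(evaluate_message(SAMPLE_CONFIDENTIAL))   # ('confidential', 'block')
    print(evaluate_message(SAMPLE_UNCLASSIFIED))   # (None, 'block')
```

The gmail.com recipient drives the first sample to "block" even though the forcepoint.com recipient on its own would be allowed; that is the same reason the lab's 5.5 test is blocked while the 5.6 test only warns. To run this against a real message, save it from Outlook as a .eml file and pass its text to `evaluate_message`.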
8. Discovery task with remediation script
For this exercise we will use the default remediation script, which moves “Confidential”-tagged documents to a quarantine location on the endpoint (via Endpoint DLP).
8.1. Log in to the Client Machine
8.2. Create a new folder in the C:\ drive and name it “MOVE”
8.3. Right-click this folder and click Properties > Sharing > Share
8.4. Search for Everyone in the dropdown and click ADD
8.5. Change the permission level for Everyone to “Read/Write” and click Share
8.6. Note down the network path
8.7. Now open \\192.168.122.21\ForcepointSEU\GetVisibility - Remediation Script and find “MoveFilesnew.py”
8.8. Right-click “MoveFilesnew.py” and edit it using WordPad
8.9. Replace the path as shown below, then save and close the file.
8.10 Now open FSM by going to https://192.168.122.21:9443
Go to Policy Management > Resources > Remediation Script
Click New Endpoint Script
Name it “Auto Move”
Under Windows Executable and Additional Files Click Choose File
Select the file you had modified “MoveFilesnew.py”
Click OK, Save and Deploy
8.11 Now create Discovery Policy and Discovery Task
Go to Policy Management > Discovery Policies > Manage Policies
Click Add Custom Policy
Set the Policy and rule name to GV Confidential and click Next
Under the Condition tab, click Add File Labeling, select “GV-Confidential” and click OK
Click Next
Under Action Plan, click the “New” icon
Name the new action plan “Auto Move”
Select the Discovery tab, check the “Run Endpoint remediation script” checkbox under Endpoint Discovery, select the remediation script you created in the task above (“Auto Move”), click OK, then click Next and Finish
Save and deploy the changes
Now let’s create Endpoint Discovery Task
Click New, name it “Auto Move” and click Next
Under Endpoint Hosts, keep it “All” and click Next
Under Scheduler, select “Continuously” from the dropdown and change the wait time to 1 min
Also uncheck the “Scan only when computer is idle” and “Pause scanning while computer is running on batteries” options and click NEXT
Select the policy GV Confidential and click Next
Under File Filtering, limit your discovery scope to the folder “C:\Forcepoint\*”
Click Next and save the task
Save and deploy the changes
8.12 Now let’s test the discovery task and the Move action on the endpoint
Go to the client machine and go to C:\Forcepoint
Create a new document and classify it “Forcepoint Confidential”
Now update your Forcepoint DLP agent (right-click the DLP agent > Open Forcepoint DLP endpoint)
Click Update and note the Next scan time under the Discovery section.
Wait until that time and check the file you created under C:\Forcepoint.
You should see the note below
Now go to the folder \\DESKTOP-67UMBUF\Move to see if the file has been moved.
Now log in to FSM > Reporting > Discovery > Discovery Incidents (Last 7 days)
Look for the endpoint discovery incident and take a close look at the History tab to see the remediation script’s run status.
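In steps 8.7 to 8.9 the lab's own MoveFilesnew.py is only edited, not shown. The following Python script is an added, independent illustration of what an endpoint remediation script of this kind has to do, not the lab's script: it moves a matched file into the quarantine share, never overwrites a file already quarantined under the same name, and appends a JSON-lines manifest entry so the move can be traced back from the discovery incident's History tab to the original location. The quarantine path \\DESKTOP-67UMBUF\Move is the share used in this lab; how Forcepoint invokes the script (here assumed to be the file path as the first argument) and the manifest file name are assumptions, and the demo runs in a temporary directory with constructed files rather than against the share.

```python
import json
import os
import shutil
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Quarantine share from this lab (steps 8.6 and 8.12); this is the value you
# would edit in step 8.9. MANIFEST is this example's own addition.
QUARANTINE_DIR = r"\\DESKTOP-67UMBUF\Move"
MANIFEST = "quarantine.jsonl"


def quarantine_file(src, quarantine_dir=QUARANTINE_DIR):
    """Move one file into the quarantine folder and record where it came from.

    - never overwrites: a clashing name gets " (1)", " (2)", ... appended
    - appends a JSON-lines manifest entry so the move can be reversed later
    Returns the path of the quarantined copy.
    """
    src = Path(src)
    if not src.is_file():
        raise FileNotFoundError(f"not a regular file: {src}")
    original = os.path.abspath(src)           # record before the move
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)

    dest = qdir / src.name
    counter = 1
    while dest.exists():                      # edge case: same name already quarantined
        dest = qdir / f"{src.stem} ({counter}){src.suffix}"
        counter += 1

    shutil.move(str(src), str(dest))
    record = {
        "moved_at": datetime.now(timezone.utc).isoformat(),
        "original_path": original,
        "quarantine_path": str(dest),
        "size": dest.stat().st_size,
    }
    with open(qdir / MANIFEST, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return dest


def run_demo():
    """Constructed offline check: quarantine two files that share a name and
    read back the manifest. Uses a temporary directory, not the lab share."""
    base = Path(tempfile.mkdtemp())
    qdir = base / "Move"
    names = []
    for content in (b"first copy", b"second copy"):
        f = base / "Forcepoint Confidential.docx"
        f.write_bytes(content)
        names.append(quarantine_file(f, qdir).name)
    lines = (qdir / MANIFEST).read_text(encoding="utf-8").splitlines()
    return {
        "names": names,
        "records": len(lines),
        "source_gone": not (base / "Forcepoint Confidential.docx").exists(),
    }


def main(argv):
    # Assumed calling convention (not documented in the lab guide): the DLP
    # endpoint passes the matched file's path as the first argument.
    if len(argv) < 2:
        print("usage: script.py <file> [quarantine_dir]", file=sys.stderr)
        return 2
    print(quarantine_file(argv[1], argv[2] if len(argv) > 2 else QUARANTINE_DIR))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The manifest is what turns a silent move into something an analyst can reconcile against the Discovery Incidents report; without it, a second "Forcepoint Confidential.docx" landing in the share would either overwrite the first or leave no record of which endpoint folder it came from.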
End of Document
Classified as Getvisibility - Partner/Customer Confidential