WSC DLP En-Us

The document provides a comprehensive guide on configuring Data Loss Prevention (DLP Lite) within Forcepoint Web Security Cloud, detailing steps for creating content classifiers, setting policy configurations, and managing reporting permissions. It emphasizes the importance of monitoring sensitive data and offers instructions for utilizing various classification methods such as key phrases, regular expressions, and dictionaries. Additionally, it covers privacy settings and trusted domains to enhance data security measures.

Uploaded by

Blake Jimenez
Web Security Cloud

Data Loss Prevention in Forcepoint Web Security Cloud

Revision A
Forcepoint Web Security Cloud | Data Loss Prevention in Forcepoint Web Security Cloud

Contents

■ Introduction
■ Create content classifiers
■ Configure Data Security (DLP Lite) policy settings
■ Configure privacy settings
■ Configure reporting permissions
■ Configure block pages
■ View the dashboard
■ View reports
■ View the audit trail

Introduction
The Data Security (DLP Lite) feature in Forcepoint Web Security Cloud lets you monitor and prevent the loss of
sensitive data and intellectual property via the web, and easily assess your current level of risk exposure
via reporting. You can protect intellectual property, data that is protected by national legislation or industry
regulation, and data suspected to be stolen by malware or malicious activities. When DLP Lite is used for data
loss prevention, basic data protection is provided by the cloud proxy.

Note
Integration with Data Protection Service is also available for Web Security Cloud customers. With
this integration, enterprise data security is handled by the Data Protection Service. For further
information, please contact your account manager.

This document guides you through the steps required to get started with Data Security (DLP Lite) for your web
product using the Forcepoint Cloud Security Gateway Portal, also referred to as the cloud portal.

Note
DLP Lite is not supported with the Direct Connect endpoint or I Series appliances.

The following steps are required to configure data security for your account.

1) Create content classifiers

Content classifiers are rules you can define to identify sensitive information, using custom phrases,
dictionaries or regular expressions containing business specific terms or labels. This is helpful for monitoring
intellectual property.

2) Configure Data Security (DLP Lite) policy settings

Use the Data Security tab in your policies to define which types of data are protected, and the action to take
when data loss is detected.


3) Configure reporting permissions

This determines who can see data protection reports.

In addition, you can optionally:

■ Configure privacy settings
■ Configure block pages
■ View the dashboard
■ View reports
■ View the audit trail

Related concepts
Configure privacy settings
View the dashboard
View the audit trail

Related tasks
Create content classifiers
Configure Data Security (DLP Lite) policy settings
Configure reporting permissions
Configure block pages
View reports

Create content classifiers


Before you begin
Content classifiers can be used to identify intellectual property and data types that are not covered
by the default Personally Identifiable Information (PII), Payment Card Industry (PCI), and Protected
Health Information (PHI) rules. For example, a key phrase custom classifier can be created to identify a
document marker, such as “Acme Corp - Internal Confidential”.
The content classifiers that you create can then be used on the Data Security tab of your web policies.
If you are concerned only about data loss related to regulatory compliance, you can skip this step.


Steps
1) In the cloud portal, navigate to Web > Policy Management > Content Classifiers.

2) Click Add and select the type of classifier you want to create:
■ Key Phrase: a keyword or phrase that indicates sensitive or proprietary data (such as product code
names or patents).
■ Regular Expression: a pattern used to describe a set of search criteria based on syntax rules.
For example, the pattern “a\d+” detects all strings that start with the letter “a” and are followed by at least
one digit, where “\d” represents any digit and “+” represents “at least one.”
Regular expression patterns are detailed in the Forcepoint Web Security Cloud help: see Regular
expression content classifiers.
■ Dictionary: a container for words and expressions relating to your business.

3) Complete the fields as described in the appropriate section, and then click Save.
■ Key phrase content classifiers
■ Regular expression content classifiers
■ Dictionary content classifiers

4) Repeat steps 2-3 until you’ve added all the classifiers you require.

Related concepts
Regular expression content classifiers

Related tasks
Key phrase content classifiers
Dictionary content classifiers

Regular expression content classifiers

Regular expression (regex) patterns can be detected within content, such as the pattern of an internal account
number, or alphanumeric document code.
When extracted text from a transaction is scanned, the system searches for strings that match regular expression
patterns and may be indicative of confidential information.
To create a regular expression classifier:

1) Enter a unique Name for the pattern.

2) Enter a Description for the pattern.

3) Enter the Regular expression pattern (regex) that you want the system to search for, using Perl syntax.

For syntax and examples, click Help > Explain This Page within the cloud portal, or view the help page at
the following link: Regular expression content classifiers.

4) Use the Pattern Testing section of the page to test your regular expression.

Because regular expression patterns can be quite complex, it is important that you test the pattern before
saving it. If improperly written, a pattern can create false-positive incidents.


a) Create a .txt file (less than 1 MB) that contains values that match this regex pattern. The file must be in
plain text UTF-8 format.

b) Browse to the file and click Test to test the validity of your pattern syntax. If the pattern you entered is
invalid, you’re given an opportunity to fix it. You cannot proceed until the test succeeds.

You can have up to 100 regular expression classifiers.
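
An offline pre-check for step 4, added here as an example and not taken from the Forcepoint documentation: it applies the test-file rules above and also runs the pattern against values that should not match, since an improperly written pattern creates false-positive incidents. Python's re module stands in for the portal's Perl-syntax engine (an assumption that holds for the constructs used here); the account-number format and all sample values are constructed.

```python
import re

MAX_TEST_FILE_BYTES = 1024 * 1024  # the portal asks for a test file under 1 MB

# Constructed sample data: a hypothetical account-number format, "a" + 6 digits.
SAMPLE_TEST_FILE = b"a100234\na554201\na000017\n"
SHOULD_NOT_MATCH = [
    "sha256 checksum attached",
    "meeting moved to room a12",
    "data2024 export",
    "ba1234567",
]


def load_test_values(raw):
    """Enforce the test-file rules (under 1 MB, plain-text UTF-8); return its values."""
    if len(raw) >= MAX_TEST_FILE_BYTES:
        raise ValueError("test file must be smaller than 1 MB")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("test file is not valid UTF-8") from exc
    return [line.strip() for line in text.splitlines() if line.strip()]


def pretest_pattern(pattern, should_match, should_not_match):
    """Report syntax errors, missed values, and unintended matches for a pattern."""
    report = {"valid": True, "error": None, "missed": [], "false_positives": []}
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        report.update(valid=False, error=str(exc))
        return report
    report["missed"] = [v for v in should_match if not rx.search(v)]
    for value in should_not_match:
        hit = rx.search(value)
        if hit:
            # Keep the substring that matched so the cause is obvious.
            report["false_positives"].append((value, hit.group(0)))
    return report


if __name__ == "__main__":
    values = load_test_values(SAMPLE_TEST_FILE)
    # The page's example pattern, a bounded variant, and a syntactically broken one.
    for candidate in (r"a\d+", r"\ba\d{6}\b", r"(a\d+"):
        print(candidate, pretest_pattern(candidate, values, SHOULD_NOT_MATCH))
```

The page's own example pattern a\d+ matches inside ordinary words such as "sha256", while the word-bounded, fixed-length variant matches only the intended values.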

Key phrase content classifiers


Before you begin

The presence of a keyword or phrase (such as “Top Secret” or “Project X”) in a web post may indicate
that classified information is being exposed. You can learn about activity like this by defining a key
phrase classifier.

To create a key phrase classifier:

Steps
1) Enter a unique Name for the key phrase classifier.

2) Enter a Description for the key phrase.

3) Enter the key word or phrase that might indicate classified information, up to 255 characters. Key phrases
are case-insensitive.
Leading and trailing white spaces are ignored. If you need to use slashes, tabs, hyphens, underscores, or
carriage returns, define a regular expression classifier rather than a key word classifier.


Next steps
Key phrases also identify partial matches. For example, the key phrase “uri” reports a match for “security”. Note
that wildcards are not supported for key phrases.
You can have up to 100 key phrase classifiers.

Dictionary content classifiers


Before you begin

A dictionary is a container for words and expressions pertaining to your business.

To create a dictionary classifier:

Steps
1) Enter a unique Name for the dictionary classifier.

2) Enter a Description for the dictionary.


3) Dictionaries can have up to 100 phrases. To add content to the dictionary, click Add under Dictionary
content.

4) Complete the fields on the resulting dialog box as follows:


a) Phrase: Enter a word or phrase to include. This phrase, when found in the content, affects whether the
content is considered suspicious.

b) Weight: Select a weight, from -999 to 999 (excluding 0). When matched with a threshold, weight defines
how many instances of a phrase can be present, in relation to other phrases, before triggering a policy.

5) If you have many phrases to include, create a text file listing the phrases, then click Import and navigate to
the text file.

6) Mark The phrases in this dictionary are case-sensitive if you want the phrases that you entered to be
added to the dictionary with the same case you applied.

Next steps
You can have up to 100 dictionary classifiers. Each is limited to 100 phrases.
For examples and restrictions, click Help > Explain This Page.

Configure Data Security (DLP Lite) policy settings
To configure options for detecting and preventing data loss over web channels:

Steps
1) In the portal, navigate to Account > Data Protection Settings.

2) In the Web Defaults section, select Use DLP Lite. Save your changes.
When Use DLP Lite is selected, a Data Security tab is available for new policies.


3) Navigate to the Web > Policy Management > Policies page, then open the policy you want to configure.

4) Click the Data Security tab in the policy.

5) Complete the fields as described in the following sections:


■ Data security regulations
■ Data theft detection
■ Custom data security classifiers
■ Trusted domains

6) When you are finished, click Save.


The system will search for sensitive data that is being posted to HTTP and HTTPS sites, and report on it in
an incident report available from the Reporting > Report Catalog > Standard Reports > Data Security
page.
This report includes intellectual property, data that is protected by national legislation or industry regulation,
and data suspected to be stolen by malware or malicious activities.
To search for data over HTTPS, be sure SSL decryption is enabled by following the instructions provided on
the SSL Decryption tab.

Related concepts
Trusted domains

Related tasks
Custom data security classifiers

Related reference
Data security regulations
Data theft detection

Data security regulations


Most countries and certain industries have laws and regulations that protect customers, patients, or staff from the
loss of personal information such as credit card numbers, social security numbers, and health information.
To set up rules for the regulations that pertain to you:

1) Click No region selected.

2) Select the regions in which you operate.

3) Select the regulations of interest:

■ Personally Identifiable Information (PII): Detects Personally Identifiable Information. For
example, names, birth dates, driver license numbers, and identification numbers. This option is
tailored to specific countries.
■ Protected Health Information (PHI): Detects Protected Health Information. For example,
terms related to medical conditions and drugs, together with identifiable information.
■ Payment Card Industry (PCI DSS): Conforms to the Payment Card Industry (PCI) Data
Security Standard, a common industry standard that is accepted internationally by all major credit card
issuers. The standard is enforced on companies that accept credit card payments, as well as other
companies and organizations that process, store, or transmit cardholder data.

4) Select an action to take when matching data is detected. Select Block to prevent the data from being sent
through the web channel. Select Monitor to allow it. (Incidents are created either way.) You can filter by
action in the Data Security Incident Manager.

5) Select a sensitivity to indicate how narrowly or widely to conduct the search. Select Wide for the strictest
security. Wide has a looser set of detection criteria than Default or Narrow, so false positives may result and
performance may be affected. Select Narrow for tighter detection criteria. This can result in false negatives
or undetected matches. Default is a balance between the two. Severity is automatically calculated for these
regulations.

Data theft detection

Use this section to detect when data is being exposed due to malware or malicious transactions. When you select
these options, Forcepoint Web Security Cloud searches for and reports on outbound passwords, encrypted files,
network data, and other types of information that could be indicative of a malicious act.


To see if your organization is at risk for data theft:

1) Select the types of data to look for.

■ Common password information: Searches for outbound passwords in plain text.
■ Encrypted file - known format: Searches for outbound transactions comprising
common encrypted file formats.
■ Encrypted file - unknown format: Searches for outbound files that were encrypted
using unknown encryption formats.
■ IT asset information: Searches for suspicious outbound transactions,
such as those containing information about the network, software license keys, and database files.
■ Malware communication: Identifies traffic that is thought to be malware
“phoning home” or attempting to steal information. Detection is based on the analysis of traffic patterns
from known infected machines.
■ Password files: Searches for outbound password files, such as a
SAM database and UNIX/Linux password files.

2) Select an action to take when matching data is detected. Select Block to prevent the data from being sent
through the web channel. Select Monitor to allow it. (Incidents are created either way.) You can filter by
action in the Data Security Incident Manager.

3) Select a sensitivity to indicate how narrowly or widely to conduct the search. Select Wide for the strictest
security. Wide has a looser set of detection criteria than Default or Narrow, so false positives may result and
performance may be affected. Select Narrow for tighter detection criteria. This can result in false negatives
or undetected matches. Default is a balance between the two. Severity is automatically calculated for these
types.


Custom data security classifiers


Before you begin

Use this section if you want to detect intellectual property or sensitive data using custom phrases,
dictionaries, or regular expressions containing business-specific terms or data.

Steps
1) Select the classifiers that you want to enable for the policy. If you skipped the section Create content
classifiers, go there now to populate the list.

2) Select a severity for each classifier to indicate how severe a breach would be. Select High for the most
severe breaches. Severity is used for reporting purposes. It allows you to easily locate High, Medium, or Low
severity breaches when viewing reports.


3) Configure a threshold for each classifier.

a) Click the link in the Threshold column.

b) Indicate how many times this classifier should be matched to trigger an incident. You can indicate a
range if desired, such as between 3 and 10. By default, the threshold is 1.

c) Indicate whether you want the system to count each match, even if it is a duplicate, against the
threshold, or whether you’d prefer to only count unique matches.

d) Click OK.
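
A small model of how the threshold range and the duplicate-versus-unique choice in step 3 decide whether an incident is raised, together with the key phrase matching rules described earlier (case-insensitive, surrounding white space ignored, partial matches counted). This is an added example, not Forcepoint's implementation: the classifier rows, the sample text and the inclusive treatment of the range bounds are assumptions.

```python
import re

# Constructed sample of text extracted from an outbound web post.
POST_BODY = (
    "Security review notes: invoice for account a100234, "
    "please re-check a100234 and a100234 before Friday. "
    "Secondary account a554201 is unaffected."
)

# Hypothetical policy rows: classifier, severity, threshold range, counting mode.
CLASSIFIERS = [
    {"name": "Account number", "kind": "regex", "pattern": r"\ba\d{6}\b",
     "severity": "High", "min": 3, "max": 10, "unique": False},
    {"name": "Account number (unique)", "kind": "regex", "pattern": r"\ba\d{6}\b",
     "severity": "High", "min": 3, "max": 10, "unique": True},
    {"name": "Short key phrase", "kind": "key_phrase", "pattern": " URI ",
     "severity": "Low", "min": 1, "max": None, "unique": False},
    {"name": "Document marker", "kind": "key_phrase", "pattern": "Top Secret",
     "severity": "Medium", "min": 1, "max": None, "unique": False},
]


def find_matches(classifier, text):
    """Return every match of one classifier in the extracted text."""
    if classifier["kind"] == "key_phrase":
        # Per the page: case-insensitive, surrounding white space ignored,
        # and partial (substring) matches count.
        phrase = classifier["pattern"].strip()
        if not phrase:
            raise ValueError("key phrase is empty")
        found = re.finditer(re.escape(phrase), text, re.IGNORECASE)
        return [m.group(0).lower() for m in found]
    return [m.group(0) for m in re.finditer(classifier["pattern"], text)]


def count_against_threshold(matches, minimum=1, maximum=None, unique=False):
    """Count all matches or only distinct ones, then test the threshold range.

    Assumption: both bounds are inclusive and no upper bound means "at least".
    """
    count = len(set(matches)) if unique else len(matches)
    triggered = count >= minimum and (maximum is None or count <= maximum)
    return count, triggered


def evaluate_policy(classifiers, text):
    """Return (name, severity, count) for each classifier that would raise an incident."""
    incidents = []
    for c in classifiers:
        count, triggered = count_against_threshold(
            find_matches(c, text), c["min"], c["max"], c["unique"])
        if triggered:
            incidents.append((c["name"], c["severity"], count))
    return incidents


if __name__ == "__main__":
    for incident in evaluate_policy(CLASSIFIERS, POST_BODY):
        print(incident)
```

The same four account-number matches reach a threshold of 3 when duplicates count but not when only the two unique values count, and the three-letter key phrase fires on the word "Security".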

Related tasks
Create content classifiers

Trusted domains
Select Enable trusted domains if you do not want certain domains to be monitored, then enter URLs for the
trusted domains separated by commas.


The system does not analyze content passed between trusted domains. This means users can send them any
type of sensitive information via HTTP, HTTPS, or other web channels from your network.
The domains you enter apply only to data security and only to the current web policy.
Duplicate URLs are not permitted. Wildcards and ‘?’ are supported.

Configure privacy settings


Use the Account > Settings > Privacy Protection page to prevent end-user identifying information, data
security incident trigger values, or both from appearing in logs and web reports. If required, you can still collect
this information for security threats.

By default, incident data is not captured, stored, or displayed. Administrators with permission to view incident
data are able to see the number of matches in the report, but not the match values or context.
Select Store and display incident data under Data Security Incident Settings if you want the values that
triggered data security incidents to be captured, stored in the incident database, and displayed in reports.
Credit card numbers, social security numbers, and email addresses are masked when they are stored, as are
passwords in certain instances.
Changing this setting has no impact on incident data that has already been collected.


Configure reporting permissions


Before you begin
You can control which administrators can view data security reports (and potentially sensitive
information). This setting is assigned at the account level.
To give administrators these permissions:

Steps
1) Navigate to Account > Settings > Contacts.

2) Select the contact whose permissions you want to edit.

3) In Contact Details, click the user name (email address) to view the contact login details.

4) On the Login Details screen, click Edit.

5) Under Account Permissions, select View All Reports and Data Security Reports, and then click Save.

Next steps
This enables users to view data security reports, which may or may not contain incident forensics and trigger
data, depending on your privacy protection settings. It does not change their ability to manage data security
configuration settings.

Configure block pages


Before you begin
You have the option to customize the block pages that users receive when they request a web page
that is blocked by a Data Security policy. To do so:

Steps
1) Go to the Web > Policy Management > Block & Notification Pages page.

2) Expand General.


3) Click Data Security.

4) Click in the title or body to edit the default text. You can replace logos and other images as well.

5) When you’re finished, click OK.

View the dashboard


For a high-level view of activity in your organization, click Dashboard, and then click the Data Security tab. Data
Security charts include:
■ Incident Count Timeline shows a daily incident count for the designated period. With it, you can quickly
identify trends and make policy changes as required.
■ Incidents by Content Category / Total Incidents by Content Type shows the number of regulatory incidents,
data theft incidents, and custom classifier incidents in the designated period.
■ Top Sources shows the users, machines, or IP addresses most frequently instigating data security violations
as well as the severity of their incidents.
■ Top Destination Domains shows the Internet domains most frequently targeted with sensitive data.
■ Top Web Categories shows the website categories most frequently targeted with sensitive data. These can
be custom categories or the categories classified by the URL category database.


View reports
Before you begin
For a more granular view, access the data security reports.

Steps
1) Go to the Reporting > Report Catalog page.

2) Select Standard Reports > Data Security from the left navigation pane, and then select a report category:
Content Type, Incidents, or Sources & Destinations.

3) Select a report from the list. Each report is described below, grouped by report category.

Content Type
■ Compliance Summary: Details the compliance rules that are most often violated in your organization, and
provides a breakdown of the incident count for each policy or rule.
■ Custom Classifier Summary: Shows which custom classifiers triggered the most incidents during the
designated period.
■ Data Theft Summary: A list of data theft classifiers that triggered the most incidents during the
designated period.

Incidents
■ Incident List: A list or chart of all data loss incidents that were detected during the designated
period, along with incident details such as the destination, severity, and transaction size.

Sources & Destinations
■ Destination Summary: The destination URLs or IP addresses involved with the most violations, broken
down by severity.
■ Users Summary: The users, machines, or IP addresses most frequently violating data security
policies and the severity of their breaches.

4) After you select a report, select a time period (last 7 days by default) and any required attributes, then click
the Update Report button.

Tip
To view only incidents that meet a certain threshold (not every single match), filter the report
using the Top Matches attribute.
Top Matches indicates the number of matches on the incident's most violated rule. For example,
if rule A in MyPolicy has 2 matches, rule B has 5 matches, and rule C has 10 matches, top
match equals 10.
When you apply the filter, enter the threshold to include in the report, and then select the
operator to use: equal to, greater than, etc.

Refer to the Forcepoint Cloud Security Gateway Portal Help for details on adding attributes to a report.

View the audit trail


Navigate to Account > Settings > Audit Trail, and click View Results to see an audit trail of all policy
configuration changes.

You can search by user, action type, and date range.

© 2024 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
Published 08 August 2024
