You have sensitive data in your environment that you need to keep secure. The framework in this content pack provides easy-to-view metrics that offer a quick status check of the locations where sensitive data resides. It also surfaces indicators of possible data exfiltration and includes a logical workflow for reviewing user interactions with sensitive information: who is viewing it, what is being viewed, and to whom the information is being sent. Finally, it provides rapid insight into the specific users and activity behind a possible insider threat so that the exfiltration can be stopped immediately.
Content Pack Components
Alarms
Focused on specific file or data events that interact with resources containing sensitive data.
- Exfiltration – Possible Exfiltration
Reports
Useful for providing regular summary data to interested parties.
- Exfiltration – Data Leakage Analysis
- Exfiltration – Insider Threat Analysis
Variables
- FTP_SERVERS
Views
Show activity on the network that involves sensitive data locations, as well as user-centric events and zone-specific scenarios.
- Exfiltration – High-Value Host Activity
- Exfiltration – Potential Insider Threat Activity
- Exfiltration – DLP Device Activity
- Exfiltration – Zone Exfiltration Summary
Correlation Rules
Focused on data-related events that involve the high-value hosts; the rules track these events and determine which users trigger them.
- Exfiltration – Abnormal Communication and Exfiltration from High-Value Host – Events and Flows
- Exfiltration – FTP Traffic with High-Value Host
- Exfiltration – High Number of File Status Events on High-Value Hosts
- Exfiltration – IM Client File Transfers with High-Value Hosts
- Exfiltration – P2P Activity with High-Value Hosts
Watchlists
Keep track of resources on the network that contain sensitive information, and of the specific users that have interacted with those resources.
- High Value Hosts
- Exfiltration – Possible User Threats
- Exfiltration – User Whitelist
Required Products
- McAfee Enterprise Security Manager (ESM) 11.x, 10.x
- McAfee Advanced Correlation Engine (ACE) 11.x, 10.x
Download Content Pack
Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.