Video: Office Hours | Forcepoint DLP: Getting Started (EMEA/APAC) | Duration: 3628s | Summary: Office Hours | Forcepoint DLP: Getting Started (EMEA/APAC) | Chapters: Introduction to DLP (11.175s), Forcepoint Vision Overview (287.48s), DLP License Types (452.16s), DLP Implementation Details (866.77s), DLP System Architecture (1137.925s), DLP Configuration Details (1570.975s), Common DLP Blockers (2171.13s), Conclusion and Recap (3478.495s)
Transcript for "Office Hours | Forcepoint DLP: Getting Started (EMEA/APAC)": Hello there, everybody. Thank you very much for joining today's Forcepoint DLP office hours. So this is call one of two. This call is, as you can see, it's focused on setting you up for success from day one. Now that doesn't mean any of you who are past day one won't get value from this session because we'll also be looking at those best practices with regards to after you've implemented the product. Okay? Right. So this so even if you're at that stage, then so something you haven't done yet that you can get value out of. And then we also will have a second call next week, which I would encourage you to sign up for, and that'll look more at advanced policy tuning and integrations with other products. So before we get started. So the presentation, that'll be available under the docs section. You'll see that in your top right. Beside that, you'll also see there is a q and a box. So if you have any questions throughout the session. I think, Dinesh, is there I think there might be audio coming. If you're able to mute yourself, that would be ideal. Thanks. So, yeah. There's the q and a box there for asking any questions. There will be a brief survey about fifteen minutes before the end. So if you could complete that, we would be very grateful because it really does help us. In addition to that, there'll actually be two polls. There'll be one I'll send out just in a few minutes now at the start of the session and the same poll again at the end just to get a judge of how well we're doing in regards to giving you good helpful information. So once again, if you could fill that out, we'll be very grateful. And then tomorrow, you'll receive an email that will have a link to watch the playback. So let's meet your presenters. Well, first of all, I'm your host. My name is Niall Connell. I'm the manager of strategic programs here in Forcepoint's customer success operations division. 
Your first presenter will be Richard Smith. He is one of our principal customer success architects, he'll be taking you through some of the initial content in this presentation. Next up, Emma Boyle will take you through some of those best practices I talked about that we really think would be helpful. It's getting good information from field tested folk about the best way to approach some of the key capabilities of our product. And then, Dinesh from our technical support team, senior technical support engineer, he'll walk through some of the blockers. So because he has a good overview of that being from tech support. Some of those common things, those pitfalls that people fall into that can slow them down with regards to getting implemented and getting the best out of the product. And so he'll walk through them. Right. So what's on the agenda for today? So one thing to note. So we're looking to give you the key information. So we won't delve into every single aspect of the product. We have one hour here. The goal here is we have people here who are field tested. They know the key information about this product. So they'll give you the key info. So DLP at a glance. So that'll be a quick overview of what DLP does, how it protects sensitive data, and the key capabilities you'll begin using immediately. Then we'll have a look at the deployment components. So that'll be a walk through of the core architecture, what needs to be deployed, where it lives, how some of these components work together. And then the day one install. So that will be guidance on the initial installation tasks required to get your DLP environment up and running. Then we'll move on to policy management. So it'll be an intro to how do DLP policies work, how to configure some of the most important ones, and what baseline protection should be enabled first. And then we'll move on to Emmett. As mentioned, he'll walk through some of the best practices. 
So they're practical recommendations for achieving quick, meaningful progress by focusing on a minimal set of high impact use cases. So we wanna keep it simple for you and get you key information with regards to how to get the best out of the product. As I said, common blockers, Dinesh will take care of them. And then, DSE, that'll be more of a focus in the next call, but Richard will just give you a quick idea of where DLP sits in our DSE environment. That's data security everywhere. Okay. Alright. Okay. So, Richard, I can hand it on over to you to kick off the presentation. Yeah. Sure. Do you wanna start the poll? Should. Absolutely. Go. Okay. So probably give it, like, about thirty seconds to a minute just to say, look at the poll. And, again, we appreciate your feedback. Obviously, today's call is more about the not very comfortable, somewhat comfortable, and should just expand on there. So I think do you see the numbers going up now? No. I don't see any numbers going up, actually. So please feel free. Everybody out there, don't hesitate to vote. We just need one just to start, to let everyone follow. Okay. We'll just get a second. Just give another thirty seconds, and then we'll move on. Yeah. I think that's a good idea. Okay. I think if you wanna move on to next slide. Okay. Thank you. And thank you everyone for joining. We really appreciate your time today. So my name is Richard Smith. I've been at the company over twenty one years. So I've kind of been there from the early days, and then I'd say it just the technology has advanced so much. Obviously, today's call is on prem DLP. But what was in the next slide? We do we just kinda wanna give you all the Forcepoint vision for the next year. It is an exciting story, so that there's a lot I can go into it. 
But, obviously, if you you might have that story already or if you kinda do wanna understand it, obviously, reach out to your account team. And so I work closely with the customer success account managers. I'd say my role is the technical side of the kind of post sales. I work closely with CSAMs. So as I say, our vision this year is data security everywhere. Now if you just go on to the next slide. Yeah. Thank you. Yeah. So this is just, again, an overview and that this is a lot of it doesn't touch on what we're talking about today. We just wanted to give you that the visuals are, like, kind of the data security everywhere, most multiple channel policies in one UI. So that covers, obviously, on prem DLP, cloud DLP, CASB as a wrap risk risk adaptive. And then, obviously, that's controlled with kinda, like, the endpoints, with the proxies, the email gateways. But like I say, this is just our story, and I say we don't wanna spend too much time today. But like I say, I just wanna kinda give you that information. Okay. Next slide. Okay. So as I say, in my role, as I I've been on the company a long time. In the last couple of years, I was originally a technical account manager. So if you've ever worked with that position, but they kind of changed it to a CSA. And let's say, again, it's where we're kind of technical, helping the CSAMs, say, with their customers understand the product. And what one of the deliverables we do is called the maturity assessment. So it's designed for customers that have been a kind of a customer for over a year, two years, and where they want to understand the product, what they purchased, what features enabled, what features aren't enabled, and how it applies to them as a business use case. So what we've kind of done from that is, like, reverse engineered it a little bit and kind of gone through what details are important to onboarding customers. 
So, obviously, hopefully, the information today, it makes sense and, obviously, just set you up for success. I'd say in a year, two years, obviously, if you want a maturity assessment, we reach out to the CSAM. They can get it scheduled. And, obviously, myself or my team, obviously, will meet with you. But let's say, I just want to kind of explain where we come from and what we're trying to achieve today. So what's important kind of the first step is what you have purchased. So, obviously, you've gone through hopefully, you've gone through a lot with sales, with the CSAM. Well, I say sometimes it's just good to do a refresher. So at the highest level, there will be two type of core license types. There will be the IP protection, which is kinda covers everything, and then the compliance. And what that's doing is the compliance is really the same features as IP protection, but you won't have advanced features like structured, unstructured data fingerprinting, or machine learning and then classifiers that go with that. So, really, I'd say, like, as we go through each slide, I will talk about kind of, I say, some of the concepts at a higher level, and then later on, we'll go a little bit more detail. So if you do have questions, maybe we'll get to a little bit later. But like I say, the just wanted to talk about the two license types. And also it's important, I do see if we got some q and a. So Dinesh is gonna be working on it in the background. Obviously, it's a two way street. We want you to kind of have value from this session. So if you do have questions, please ask away. We would like we would ask that the questions are kind of kept on topic. So it's a basic understanding of DLP. If you do have advanced questions, yeah, please ask. But we might kind of pass them over or pass it over to your CSAM. 
We we say we do wanna get them answered, but we just don't wanna confuse the the wider audience. So, yeah, before we start, there's do see q and a. Is there anything good, Dinesh, you might want to? Yep. There is a questions from the, one of the slides you presented. That's, PureCloud DLP. So I answered. So there is no more new questions. I think we can go with the next slide. Okay. Okay. And I think now now a few of them, I think, unable to click, maybe that's into the poll. We'll have to look at that for later. And just as I think someone so, obviously, today is on prem DLP is where you the way you have the physical hardware, software. It's it's on your premise. Cloud DLP is where we it's a new service within the last year where, obviously, we we have everything within the cloud. But as I again, the the focus is isn't there today. Okay. Just moving back to, I say, the the the difference in licenses. So with the IP protection compliance, just to say, the high level. And then the the next level is kind of the important parts, the the kind of what you're allowed to do, the the enablement parts, and this is kind of where what you hear about endpoint, web proxy, email gateway, protector. So there's three three licenses, DLP network. So what that does is that allows you to to inspect data in use on the I'm sorry, data in motion on the network. So that would be as a part of that license you have is the protector. The protector is installed either on a VM or on an older version on, I'd say, hardware appliance. So that there are a couple of different types of protectors, and what we go into a little bit more detail on on later. And then the the other two options are the web security gateway and the email security gateway. So they are kind of the hygiene products. So you've got the the web categorization, doing URL, doing RBI, email, obviously email hygiene for spam, antiviruses. 
But you could also with that, the DLP network license is the actual DLP integration with with those components. So obviously, like, network, it's looking at data that is in in, say, motion on the the network channels. Then you also have the DLP discover. So this DLP discover is for on on prem repositories. So kinda if you wanna set up the discovery to locate what data. So like I mentioned before, our vision this year is data security everywhere. So if you asked if you if you had a conversation with your team, do you know well where your data sits? What type of data is? Probably the answer will be will be no. So obviously, with with DLP Discover, you can actually set up this task to actually go find that data based on the classifiers that you set up. So that that is on the network. And then the the final license is the DLP endpoint. So this is the one that majority probably customers have. So the endpoint is a client that you install on your own your user machines. Obviously, we also do support Citrix, VDI's, and that endpoint will pretty much will see all the traffic that is that that kind of data leakage that's leaving leaving the machine. The additional thing is that you can also do the with the endpoint license is the endpoint discovery. So instead of where DLP discover is network shares and, like, SMBs set set kind of in data and SQL databases, the endpoint is what what does this user have installed on their machine. And then, again, you can also see kind of, yeah, date data in use. We we have the clipboard monitor, the browser monitoring. So, obviously, manifest version three is the the the big topic that was in 2025, and then, say, additional things with fingerprinting. So before we move on, just wanna confirm any questions about licenses that we we might have. Dinesh, has there anything come up? You are on mute, Dinesh. Yeah. I'm answering the q and a. So just in case anything, like I say, we don't have to add go through everything. 
And, again, at that at the end, we can review. But just anything that that comes up that could be a good question that will help the wider audience. Yeah. Yes, Richard. Yeah. So sorry. I was in, handing that q and a. Yeah. Please please go on. So I have nothing. to think. that. I did see one question. Someone was asking about incognito mode. So, obviously, there's there's two kind of answers to this. If you have the DLP network and that traffic is being seen by the protector or it's being seen by the the web content gateway, and I say the web content gateway and the email gateway is additional licenses because it's the the hygiene piece, and I say runs even on hardware software. But with the DLP integration, yes, I can see it. On the endpoint, it it can work. We can detect it, but, unfortunately, it it's a setting that the end users can disable. That is currently a safer for the in q two of this year for on prem DLP. We are updating the the endpoints of what we're calling the the DSE. So that is something that will be coming in the future. Okay. Okay. Next slide, Neil. Okay. So let's say that this slide kinda just goes a little bit more detail of of those kind of those three three separate licenses. So let's say DLP network, I think the thing that is built in, and you don't have to have that additional web content gateway or email con content gateway is the protector, and there is two flavors to that. So there's the SMTP. So where where where we're actually monitoring the email, obviously, looking for sensitive data, and then we can actually block it. And then on the the website of things, there there are two two items that you have to consider. There is one where we can just monitor. So kind of if you've got it connected to to a port span, we we can just monitor that data, and obviously, that's for auditing if if you need that from clients. 
And then if you integrate with ICAP, and so there are certain kind of proxy firewalls that can do ICAP, then you can actually set that up so it monitors and also blocks the transaction. Obviously yes. So we're so moving forward with 10 dot four, we do support the protectors on either Red Hat or Oracle. Obviously, they are VMs that you have to set up, and then you actually install the DLP protector. And then the other two, like I mentioned the web security gateway and the email security gateway. And this concept is integration. DLP discover, data at rest, so like we mentioned, discovery focus on finding data stored on the network, files, databases, SharePoint, and cloud storage. We do obviously have a new product called data security posture management that kind of is the higher advanced level of recovery, but those who do classification, prioritization, and then with DLP, does detect. Obviously, if you do want more information about DSPM, you're we'll be able to help you. And then, like I say, the DLP endpoint. So, currently, it is called the Forcepoint One Endpoint. You might also say, hey, Forcepoint DLP endpoint. Well, say, you might hear, say, the different term what you have installed because if you also have the web product like the d set, p set, you can definitely have a couple of items on that point. It's for Windows and Mac OS. We always do recommend being on the latest version if possible. Let's say the latest one available is twenty six zero two. Obviously, that explains the latest bug fixes and also the, say, manifest version three, which we talked about, which is a Google API and how we integrate with the browser so we can actually detect on the web channel. And then also you do have the endpoint discovery which focuses on the data stored on the user's device. I think it's just checking in, Dinesh. Would you mind muting again there? Thanks. Okay. Next slide. Okay. 
Getting started on day one. Obviously, this is important. So like I mentioned before, when I do maturity assessments and customers already kind of they've been a customer for over a year, two years, and obviously, they've got it installed. But let's say it's designed to help with features that maybe not aware of. But let's say, if you kinda get day one and the resulting onboarding, if you're successful, it goes a long way. So you understand the product, you understand what you purchased, and actually having plans set up, it does go a long way. So getting started on day one, we talk about once you sign the contract and you have the capability to get the license, to download the product, what we think is kind of good starting points and seeing that kind of return on investment and protecting your data. Next slide. Okay. So let's say, once the contract's been signed, what you need to do is we do have the Forcepoint hub. So the Forcepoint hub has a lot of kind of items that will help. So knowledge base articles, download links to get all the packages. But what's important is here is if you follow kind of step one to four, this is where you can actually download your XML file. So for on prem DLP, it does utilize an XML file that you import into the actual software. I don't think, unfortunately, we don't have a screenshot showing the actual import, but it's on the general and then subscription. And I say that XML will contain all kind of start date, end date, what licenses are you, IP protection, compliance, and then which, if you have all of them or which ones were ground discovery, endpoints, or network. And then let's say, once you're kind of on the Forcepoint hub, that's why, like I say, you go down the DLP installation. 
And like I say, that the installation does contain a couple of things, and then also you can get the additional ones like the protector, the endpoint as well. So it's important that you get the endpoint package. You get to say, okay, kinda install it, create the package, and then that's when you can either push out manually or let's say, use a GPO, or Jamf, say, on your Mac. So but as I this is for the first step once you kind of sign that contract. Okay. Next slide. Okay. So once you've kinda let's say, you've the installation package that there are, say, a number of things you kinda have to consider and think about. So the first one is the management server. So you might hear us call that Forcepoint Security Manager or FSM for short. Much that is the brains of the operation. That is the kind of the GUI where you configure where you set up all the configuration, you set up the policies, you have all the integrations with the protectors, the content gateways. So yeah. So that is obviously the first step, the important one. You install it, you import the XML, and then that gives you all the features, components that you can set up. So yeah. So the FSM is the brains, and then you have what we call DLP supplemental server. So it's the same installation, but what that supplemental server is allows you to install on a separate VM or a machine where you can actually install the endpoint manager. So the endpoint manager is where your endpoint managers can communicate, get the latest profile updates. It will send its log information like the incident data, and then those endpoint managers will communicate with the FSM. And then you also have where you can actually configure the crawlers. So crawlers is what the discovery and the fingerprinting actually allow you to do. 
So it is so you have the supplemental server, you configure it as a crawler, and that is the kind of the home brain for discovery and fingerprinting. Smaller customers, you can obviously get away with one FSM. Obviously, it's not recommended. But let's say, it's as you become a large customer, so if you're over so our recommendation generally for endpoint managers is one endpoint manager per 10,000, 12,000 clients. And also what excuse me. What you can do is you control that with the endpoint profiles as well. So you can have as many endpoint managers as you need. There is no difference in license cost. But what that does is just splits up your, like, geography or your actual footprint so you can actually have communication, like, maybe one endpoint manager in APAC, one in EMEA, one in META, then and one in America, and kinda similar for crawlers as well. One point I would like to make here is just in case for customers if you've kind of recently installed 10 dot three, you might also have a supplemental server for the OCR, and I did see someone asking about OCR. So in 10 dot three, the OCR is done. I say you need a supplemental server. I say the protector and the WCG, ESG will communicate with that OCR server to actually do the optical character recognition. And right now, we don't have support for endpoint on OCR. What it is coming is part of the road map of 2026. But if you are on 10 dot four or looking to move to 10 dot four, I'd say the OCR has actually been moved into the policy engine on the actual protector on the WCG, ESG, and that's how we're actually getting it onto the endpoint this year. It's now part of the policy engine. So yeah. So I'd say that are kind of the primary management components. And then I'd say the deployment components that we talked about, you've got the protector for web, HTTP, HTTPS, and FTP. 
So you can either have it in monitoring or if you've got an ICAP integration, you can obviously do it on or you can block. And then also you've got the SMTP where we can actually do mail inspection. So web security, email security, we said we talked about that quite a few times. Let's say we're with a network license and the Forcepoint One Endpoint. And then the final component that you can actually do is the what's the analytics server. So this will go on additional VMs, so like Red Hat, and it's kind of based on user behavior analytics. So it's either analytics server or IR, you might hear it called. And what that'll do is it will give you into the Forcepoint security manager a dashboard of just your top 10, top 20 risky users. It just gives you a kind of a, say, risk score. So a lot of customers, when I'm doing these maturity assessments, do, like, use it. It's a good item to have, and it allows them to kinda see what risky user they have, and then they can kinda create like, investigate a little bit deeper, see what's happening, and then kinda base some of their policies rules on those users. Obviously, if you want a full blown user behavior analytic is we do have a sort of called DEP, data use protection. But that let's say that's full blown algorithms, kind of data science, and let's say it does integrate with DLP for, like, remediation. Before we move on, any Dinesh, anything that any quest any one question that is kind of on topic that might help someone? I'm trying to cover the all the questions posted on the q and a. Oh, no. No. Appreciate it. But, again, it's just let's say, if one question that, like, can help the wider audience, that'll be beneficial. So if you see something, that would be great. Yeah. Yeah. So I do see just one question about sizing. 
So sizing DLP, as they should have already really been done with the POC and kind of the the well, when you're kinda going through the product, we we don't touch on sizing today. Obviously, if that that's something that's important, you you're still a bit of confusion. You're not too sure. I'd say the the our support hub does have some very good articles that it gives you kind of I'll recommend or, like, minimum recommend minimum specifications, recommendations. So, obviously, if if you follow them, a very good starting point. Obviously, the the the important thing is yeah. I mentioned the FSM. If, like, in a test environment, like, you could just have one FSM. What's important, though, is that we do get asked by customers is can you use the same license that you have in production for your test environment? And one of them said yes. Obviously, we understand having a good test environment is yeah. You need it. Let's say that way, you're testing your rules, you're testing, like, the upgrade endpoints. And we we do get on to kind of best practices for the endpoint later on. But let's say, test environment, you could technically get away with just one FSM. But in production, let's say, the additional supplemental service, like, and then what you're doing with the crawlers, the endpoint managers, sizing is important. So, like, say, the the endpoint having no more than, like, say, 12,000 endpoints per endpoint manager is important. Okay. Think if we wanna move on. Okay. And then these are just a couple of screenshots. So let's say on on the left is let's say you you got the the FSM and then you got the data module. So if you wanna see the system modules, you would just go to deployment and system modules. And what we can see here is we can see the one FSM that has the crawler, has the say, policy engine is the brain. The policy engine is kind of what is it the the rules is based on. It it's got the classifiers. 
And then here, you can actually see the integration with a web content gateway and an email gateway. But this is where you actually see your full footprint, your additional endpoint managers, your, say, protectors, and let's say, like, each one you can configure it differently. So, like, for protectors is where you would go in and configure it. Is it SMTP? Is it web? Are you monitoring? Are you blocking? And then the the screenshot on the right is just a good example of what a full DLP license oh, sorry. No. This is actually version numbers. Apologies. So, yeah, as you can see on the on the right, this is if you go to on the actual FSM GUI on the top right, you have the question mark, and then it will be about security manager. And this will tell you the actual versions you have installed. So as you can see here, we've got 10 dot four. What yeah. 10 dot four web for web security is eight dot five. The DLP oh, sorry. Actually, take a step back. The security manager build is what we call the EIP. So the EIP is the interface, the infrastructure of, I say, like, DLP web email, the configuration. So gen generally, that is always gonna match what you have for DLP. Obviously, our recommendations always be at the latest version, which which is 10 dot four. And then, let's say, the the other aspect, which we just quickly mentioned, the web and the email, obviously, their versions are little bit different, but they are if you have the the the web appliance, the email appliance, and that hygiene license. Well, I say you you'll see that information there. Okay. Okay. I I'm just seeing a question. So if we use complete SWIG with DLP, we can make sure any bank transaction. So yes. So let's say again, the the web and the email is, say, obviously for those channels. But at the same time, the actual endpoint will also see that as well. So the endpoint does does multiple channels, so web, email, USB, printing, file uploads. So there's a that's quite quite a few channels. 
So, obviously, that's seeing what's happening on the user machine. The web content gateway and the email content gateway is so there's two sides you can look at it. It's one, it's looking after part of your network that you can't control with the endpoint. I say, like, a guest network or certain services or users that, say, don't have the endpoint. So that traffic that's going through there, you can do the DLP integration. And then the other one is, as I as a second backup. It's just covering maybe incognito mode, covering all the things that might not be seen by the endpoint. So hopefully that worked. Also, hopefully, that answered your question. Okay. Next slide. Okay. Actually, this one, I'm kind of not gonna go over details, but just wanted to give it. So, obviously, you can download the slides in the docs. But pretty much, this is just the setup of the DLP protector. The screenshot on the right is just to say showing kinda how it works. So, obviously, DLP protector, SMTP, or web, it is additional server. So Red Hat version a is a is a support now. So you configure that device and then you install our protector software. In older versions, we did have an ISO with that you can install on hardware appliance. In 10 dot four, we just say, please speak to your account manager. There is gonna be new information hopefully coming out within the next month or two. But, yeah, as mentioned, protected those HTTP, HTTPS, FTP on the website and then SMTP for the email. Okay. Just next one. As I am looking at time now, because I know what's important is the say, when we have AMA, the kind of the MVP and also the use cases, that'll be quite important. Perfect. Yeah. So, like I say, for Forcepoint One DLP, the old Forcepoint One Endpoint, I'd say it's installed on the end user machine. It's there for, like, the web, email, USB printing channel. 
And they say, well, what it does, obviously, detects, it will block, it will stop that data leakage actually happening, and then it will communicate with, obviously, the my endpoint manager, the FSM to send over the logs and the incident data. I'm just quickly looking to see if there's anything in these notes that jump out or might be of use. Okay. No. I think that now I said that I can do read over the this information. Okay. If you can move on. Okay. There is actually just seen a good question. What is the difference between Forcepoint DLP and for FP data security? There isn't. It's just terminology. So Forcepoint DLP, like, data leak prevention. Like I said, we got the on prem. Also, we got Cloud DLP. But it's, again, it's just Forcepoint offerings to protect, detect for data leakage. Okay. I think we've covered kind of the this web security, email security quite a lot. Like I said, we're gonna say additional appliance for hygiene or can do the integration with DLP. I think if you move on okay. Policy management. So the policies can be I'd say if you just move on to next slide. Policies can be advanced as you wanna make it. Obviously, the concern is, let's say, the more complex, the more incidents that'd be created. So for, say, the security, like, say, you if you kind of report on the incident data, it could be a lot of noise. So let's say rules can be quite advanced, and let's say you can have multiple classifiers. But we're not really gonna be touching on that today. That is gonna be the kind of session two next week. My colleague is gonna go a little bit more detail. But really, let's say, the whole point of this session is day one, getting the product set up and so you can actually see it working. So we do have, as I what's called default policies. So as you can see in the screenshot, we've got email, web, and then there is mobile. 
Just unfortunate when I took the screenshot, I didn't have that inspiration. So these are actually on the network channel. So if you've got the protector, the SG, the ESG, these are kind of default policies that you can quickly go in, settle, and looking at that, let's say, that channel, and then you can configure which classifiers you want, and then there is a screenshot that say next. But what is important here is, say, that we give you default policies, but majority of customers, based on compliance, regular items that is important to them, then you set up your own policies. And let's say you have that capability of, say, creating a policy, creating rules with exceptions. So, like I say, it's important that when you do create a policy, if you've got your test environment or even if doing it in production, don't make it too advanced straight away. I'd say build it out, and then I'd say initially, if you just kinda set it into monitor mode. So there's three options. You've got monitor, you've got kind of education confirm, and then you've also got block. So it's important that you kinda set up initially maybe monitor so you can actually see what data is detecting as a kind of improve it if you wanna reduce false positives. What is important is kind of once you're happy that it's doing what it should do, quickly change it since it's a block. And then say, Emmett does talk about that later on. But like I say, the default level, have email web policy for the network channels. Just kind of a quick overview. For endpoint, you do have to actually just create the rules manually, unfortunately. And when you actually go through when you create the rule, so you have, like, destination, you have what you're trying to detect, like, the classifiers, and then which channels. So, obviously, you will see, like, endpoint channel, web channel, and endpoint email channel.
So there are additional options that you have. Okay. Next slide. Okay. And then this is just an additional, so I just use the email DLP default policy. So once you kinda go into it, you do have the attributes. So this is where you're kinda using classifiers. You can kinda base on message size and attachment types and patterns and phrases. So let's say we're at the regex. So like I said, you can see on the compliance screen, this is where I just selected a couple of information based on a region. I think I did it on EMEA. And then, obviously, then it gives you some options. Okay. What are compliance within that region? And then I chose PII. Okay. Okay. Next slide. Okay. And then this is just an example just expanding, like, say, once you select which region, and I say which classifier, and then it kinda gives you further options of what you're looking to. So, like I say, you can select multiple. And the same rules can be complex, can have multiple attributes, but this is just showing you the basic high level. Okay. I'm just moving up. Okay. I think that's it for me. I'll keep an eye on the questions as well. So I think onto you, Emmett, to kinda go through practice MVP. Cool. Thanks, Richard. Can you hear me? Yeah. We can hear you. Cool. Okay. So today, I'm gonna talk about the best practices for working with Forcepoint's DLP. Just bear in mind, our DLP is extremely powerful. It's got many, many features that have been built up over years. So today, I'm gonna keep it quite high level. And then in later sessions, I'd love to go a bit deeper on each one of the main parts of the product. So okay. So, just to introduce, I want to mention the life cycle of setting up a DLP project. And Richard talked a bit about this, but, basically, firstly, it's a phased approach.
So depending on your organization size and the data security requirements that you have, your policies are gonna grow over time, and you're gonna tune those policies, and get them really accurate. But when you start, you don't want to disrupt your workforce, so you want to keep it in monitor mode. So we suggest starting with a permissive approach and then gradually turning on blocking. Remember, it's multichannel. So it's across email, web, endpoint, cloud apps. So when you write a policy, that's across all channels, if you want it to be. But we suggest you start with a single channel. So just maybe pick email. Develop your policy for email, and remember it's a unified policy. So then that can be applied across all the channels. Where this is slightly different is it's a unified policy, but sometimes channels have different actions. So email can be handled differently from web. And lastly, the thing you have to remember is the process of building a quality DLP policy to make it accurate and efficient and with the least false positives, it's an iterative process. So you have to tune it and tweak it and you'll gradually build up your policies and grow your policies. So there's no solution out there that provides DLP that doesn't require tuning. Everyone requires tuning because every organization is different. Okay. Sorry. Now next slide. Okay. So as I was talking about permissive monitoring phase, so you don't want to disrupt your workforce. So you can see here in the policy where the arrow is pointing, it says audit only. And what you do is when you begin, you pick the policies that you want. So the ones that you're interested in, like GDPR, PCI, HIPAA, whatever are specific to your industry or your region, you can select these. You do not want to turn everything on. We have over 2,000 classifiers, so you don't want to turn them all on. You want to select the ones that are specific to your organization.
Start off in audit only mode. Then you come to incident analysis and refinement. So, basically, as you see the incidents coming in, you're in monitor mode, but it still creates an incident, but it doesn't block. So you're in monitor mode, and then you can look at the classifiers to start tuning them. So the first step in tuning is, for most classifiers, and you can see credit card there on the right, you've got credit card default, credit card extra wide, credit card narrow, credit card wide. No. I think we have about maybe 30 credit card classifiers, specifically for American Express, Visa, or there's general ones like this. But the default, wide and narrow mean that you can select the classifier and how you want to pinpoint the data. So for example, if you go wide, you might detect the classifier where each group of four digits is separated with the carriage return. But in narrow, it might not pick that up. So you have to experiment. You have to decide what accuracy and how broad you want it to be or how narrow you want it to be and you select the classifier. But for sure, we have a classifier that suits your exact needs. Then set the minimum volume of triggers before an incident gets generated. So you can see, to the left of that red arrow, you can select the number of incidents. So does it fire on, does it trigger on just one instance of a credit card, or do you want to detect five credit cards or 10 before you trigger that incident? Next, there's drip DLP. So what we find customers ask for is that they're worried that maybe, if they're only detecting groups of 10 or 20 or 100 credit card numbers being exfiltrated, they're worried that users may try and write some automated script that sends five credit card numbers every minute. And that's what DLP is for. DLP will watch the incidents come in, and it'll watch it over time.
So if this user sends x amount of credit card numbers over x amount of time, then generate an incident. And lastly, one thing that I want to call out is our customizable IDs classifier. So it's a really, really powerful classifier. So we have 2,000 classifiers, but sometimes organizations have their own special identifiers for things like SKUs or product codes. And, for this, you would use a customizable ID classifier. It's not just a regular expression. It's got about 20 or 30 more parameters that you can add on to it, like numbers or proximity and lots more parameters where you can narrow down not just a regular expression, but take different parts of that pattern and check those. Gradual enforcement. So you start with permissive monitoring, audit only, then you start looking at your policy and refining it and refining it. And then when you get it to a place where you're happy, you're not getting many false positives, then you turn it on. And you do this on a policy basis. Take each policy one by one, tune it, and then switch it to blocking mode. So instead of audit mode, switch it to blocking mode. And, again, I'm gonna say this two or three times, it's continuous. So you do it for that policy, and then you move to the next policy, and you repeat the process. Now when you're looking at policy, one thing that's very, very important in policies is the source and the destination. So you can see what we call a transaction. So it doesn't matter what channel. When we're looking at data in motion, we see a payload, a piece of data, and it's coming from somewhere and it's going to somewhere. And the source and destination are really, really important. And we apply the policy to everything. And you can see it in the screenshot there. You've got your condition. So the condition is what applies to the data. That's what you're looking for. That's where the classifier looks.
But you've also got your source and your destination. And it's really important that you look at who's sending the data and where the data is going to. And this will really cut down on false positives if you tune this correctly. So where do the sources come from? That's mostly provisioned from Microsoft AD. It's your users. It's your groups from AD or Entra AD. You can have custom users and custom groups. You can put them in the business units. You can have computer groups. That's the source, and that's really important to get that right. And additional to that, departmental data variations. What our customers find and when we look at policies that our customers set up, mature policies, most of it's based around departments. So this department works with this type of data and can send this type of data. This department can't. So it's a great way to get started. Look at the departments. When it comes to testing, so, there's a couple of ways that you can test. Structured pilot testing. Well, I suppose a lot of our customers would have a development environment and a production environment. So in the development environment, they can play around with the policies, test the policies, and we can give them new releases. They can test new releases of the FSM, and they can test new functionality. And we work with a lot of customers very, very closely, and we can give them early access to builds and say, what do you think of this feature? And they will give us feedback. But that always happens in the development environment. If you have a development environment, it's really good. And then, once you test them and get them working, you can move your policies from your development environment to your production environment using our export import functionality.
Other customers, if you don't have a development environment, when it comes to testing, what they would normally do is they would pick a small group of users and apply policy just to that group. So when you construct your policy, you would just have the source as those users or just have it applied to those users. I'm gonna say it again. It's an iterative approach. It's always, look at your policy, test it, learn from it, adapt the policy, and adjust it. And as your organization grows, as different types of data come into your organization, you're always gonna have to go back and adjust the policies for different types of users, different departments, different types of data. Multi channel validation. So when you're working across multiple channels, so when you create a policy, remember, the policy applies across all channels, but it's best to test each channel individually. So while the basic rule is a block, when you've got data in motion, usability can be very different across channels. Email is different from web, so the feedback is different. With email, if you get blocked, you get a bounce back email explaining what happened. With web, you don't get so much information. It might be a straight block. So the actions can be very different, and it's better that when you're testing your policy, you test across each one of the channels. Post deployment verification, and I haven't talked too much about this. I've talked mostly about policy, but what's very, very important is the incident workflow. So the policy triggers, it creates an incident, and you want to test what happens with that incident, who has access to that incident, who looks at the information, what's the process for it being handled, progressing through, moving from status new to in progress to actioned, whatever statuses that you define, and you can define as many statuses as you want. So, yeah.
That's always test the incident handling. Now just the last thing I want to talk about is, I've sort of gone over, very quickly, best practices. That gets you up and running with an MVP. It gets your policy up and running. You're tuning your policy. You're looking at your incidents. But there's much, much more that you can do to make the experience better. So for example, we've got policy levels. Quite often, so not all policy matches are equal. Quite often, if you have data that's not so sensitive, you can put it in monitor only mode. You can also add coaching. So, for example, if somebody tries to copy a sensitive document to a USB file, we have a customizable pop up that will say whatever text you want in there. You can't copy this because, and if you want more information, click on this link. So what you're trying to do is you're trying to educate your customers, your users, through that coaching dialogue. And then level three could be a straight block for your really, really sensitive data. There's no coaching involved. It's just block. Don't let this data out. And there's multiple policy levels that you can have. Talking about that very, very sensitive data, this is where you use fingerprinting. So Forcepoint provides fingerprinting, which is a way, so it scans your really most sensitive data, and that can be in the form of files or it can be in databases. And it'll take that data, and it'll fingerprint it. And it's not just fingerprinting I shouldn't have failed. It's actually fingerprinting the content so that if somebody tries to copy a paragraph out of that document and send it in an email, we'll detect it. So it'll detect partial exfiltration of a document. So fingerprinting is really, really important and really useful for your most sensitive data. RBAC, of course. So if you want to provision your admins from AD or Entra AD, set them up with customizable rules, we have a very, very powerful RBAC functionality.
And you can set permissions for all the different types of functionality for changing policy, for viewing policy, for viewing forensics, everything. Analytics engine. So Richard talked a bit about the analytics engine. The analytics engine uses AI to group together related incidents. So if you're getting a lot of incidents, maybe too many to handle, think about the analytics engine. So it'll use AI to go through your incidents and pull out groups of incidents that are similar, and then you can handle those with a bulk operation. So it might be recognized false positives or it might be per person. So here's all the incidents from this person in the last week, and then it makes it much easier to handle all those incidents when they're organized. Notifications. Always set up your notifications to tell the end user and tell the admins what's happening. Machine learning classifiers. We have machine learning classifiers so you can train your classifier on a set of data. For example, a CV. Give it 20 CVs. It now knows what a CV is and it can recognize it. MIP integration, we work very, very closely with Microsoft. Risk adaptive protection, dynamically adjusting a user's risk score, which will adjust the policy depending on their behavior. And lastly, some export incident policy and protector APIs. We have a lot of ways to integrate and automate. So I ran through it very, very fast there, but I want to leave some time at the end for questions. Thanks, Emmett. Yeah. We'll let Dinesh go through the common blockers. And just FYI, everybody, I'm gonna go ahead and launch the survey. As noted at the start, if you are able to fill that out, it would be really helpful for us. So, Dinesh, you can go ahead and run through the common blockers that we see. Yeah. I was just gonna say, sorry. Sorry, Dinesh. I think what we expect is at the hour that this session will just automatically end. So I do apologize.
And we do have a lot of questions, and we've answered quite a lot. So appreciate it. So we will be able to kind of take these questions and say anything that we can try and get on a knowledge base, we will do. Well, keep on asking. Really appreciate it. But I think the main thing is if there's something that you're still not sure on or advanced, like I said, we do have the session two next week, what were your customer success account manager, CSAM? They'll either leave a note and help you, or they'll reach out to myself. I might say the team, or say if it's a bulk issue, then, like, Dinesh with technical support. So sorry, Dinesh. Just wanted to kinda get that in. Yeah. This is Dinesh here. I'm working as senior technical support engineer. So today, I'm going to cover some common blockers which we have seen on the customer environment. So probably this is going to be really helpful if you have seen those kind of issues. Yeah. Next slide, please. So, yeah, these are all the common blockers. Okay. So, although this is a very list, but we try to cover as much, the majority of one. So the first one is that the server and the SQL permission not fully in place. I hope you know that we need the syslog permissions at the time of the installations, the EAP Infranche DLP. So we need the syslog permission. So if you don't have the syslog permission for the SQL account, then probably you will not be able to pass that step. So it will just give that, data. So please make sure that the permission has been defined at the time of the upgrade or the installation of the AAP In front data security module. But once this has been installed, then you can remove that syslog permission. So if customer security policies demand that, then, yes, you can remove that syslog permissions. Second one is that, insufficient drive space provision. Okay.
So I have seen that. Okay. So, if customer has been installing that data applications and the SQL on the same servers, then probably this will occupy the space on the local drive. And even if they have managed with the different servers, I mean, DLP application on the server one and SQL on the server two. And if you're still handling that forensics repository and then archive storage on the server where you have installed the Forcepoint applications, and if the local drive has got full, then you will not be able to log into that Forcepoint applications. So it will be just keep loading and you'll not get a console response. At the same time, you lose that incident as well. So if that end user has been sending that incidents, so this will not be accepted by the service. So this will be got rejected by the service because there is no space in the local drive to accept by that applications. So as a best practice, please make sure that you're managing that forensics repository on the remote storage. And, if you have that archive storage, please manage it separately, also the DLP backup. So let's not save it, forensics repository, archive storage, and backup, I mean, that DLP backup, all in the same drive where you install the Forcepoint application. So this would be immediately full the size, and you will end up with the space occupied on the drive, then the console access has been totally lost, and your incident also, it will be get lost. So please manage with the separate drive on the same servers or manage with any network drives. And firewall rules. So, yes, we have that, what all the ports need to be enabled between these servers, and please make sure that ports has been enabled on the firewall into the IPS or SSL inspection.
Because the reason, because we are pushing that policy through that secure channel, okay, on that specific port, if there is that IPS or SSL inspection has been enabled, if the firewall has find that something is wrong with that database, then probably prevent the traffic. So in such cases, the configuration has not been completely deployed to that secondary service, and you might see that the end of the deployment issues, that configuration is not updated with the servers. So please make sure that you follow that port list and without any IPS or SSL inspection between the servers. So was AEP servers and email and all secondary servers. The endpoint build issues. Okay. So once you download the package from the support portal, so there is the steps we need to replace it. Replace that epi.msi file as well as that Websense package builder. But I have seen that people are just replacing that Websense package builder, but they are not replacing that epa file because in the epa file where we give the fits and it using the policy engine version. So please make sure that you are replacing that. You are following that KB article step and replacing that files accordingly on the client locations and then build that package so that it avoids that, having the policy engine versions on the latest build. So you'll always have that latest version of that policy engine in the latest builds. Thanks, So. And, oh, you know, I'm just thinking we have just over one minute left. So if you can go super high level on the rest of them just to make sure we get it in before the end because it did cut off. Yeah. Sure. So the next one is the antivirus exclusion. So we do have the KB article. So just follow the KB articles to make sure that the exclusion has been perfectly fine. So we don't want the soft scan as well. So if the exclusion in place, yes, it should not scan that data security directly perfectly.
So, I mean, we don't want the soft scan because if that AV has been trying to hold the file, it will cause that our service issues and service to stop not responding. Yeah. And then, yeah. So hardening. So if you are performing any hardening, please raise a case with us because we don't want to cause any issues with the service level. So if you're performing hardening, if the service has not been stopped, then, yes, you might end up with the service issues. And last one is that, ensure the service account has full permissions. Yes. So you need to have that top service which have that access to the install directory. It should have the full permissions. Otherwise, you'll end up with the issue with the deployment failure because the service cannot access any files and you will end up with the deployment issues. Please make sure that you'll have the full permissions for the data security directories. So I hope covered, I mean, soon. Yeah. Yeah. Any questions? We do have some questions. Yeah. I can jump in there, Dinesh? I think we're just coming up to the end. Nice job there getting it in just in the nick of time. I just wanna say thank you very much everybody for joining. Please do finish that survey if you can and we will answer any questions that were missed after the time. But thank you so much. Okay. Thank you, Ruth. Yeah. Thank you. Okay.