Trustwave DLP Discover Integration Guide For Dropbox Business


  • Trustwave DLP Discover Integration Guide for Dropbox Business - January 25, 2018

    Legal Notice

    Copyright © 2018 Trustwave Holdings, Inc.

    All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    While the authors have used their best efforts in preparing this book, they make no representation or warranties with respect to the accuracy or completeness of the contents of this manual and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

    The most current version of this document may be obtained by contacting:

    Trustwave Technical Support:
    Phone: +1.800.363.1621
    Email: [email protected]

    Trademarks

    Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

    Revision History

    VERSION   DATE           CHANGES
    6.4       March 2017     Initial release of guide
    6.6       January 2018   Update for version 6.6


    Chapter Descriptions

    This book is the Trustwave DLP Discover Integration Guide for Dropbox Business. It contains all the information necessary for installation of DLP Discover to target a Dropbox Business repository. This manual is broken into the following chapters.

    Chapter 1: Introduction
    This chapter introduces Trustwave DLP Discover and how it works with repositories.

    Chapter 2: Dropbox Business Scan Targets
    DLP Discover can scan Dropbox Business repositories when it is targeted by a scan policy. This chapter explains how to configure a scan policy.

    Chapter 3: Remediation
    This chapter describes how to configure remediation and notification settings for repository targets.

    Related Documentation

    DLP Discover’s documentation is available to all DLP Discover users through links on the Application tab of the Setting tab. An internet connection is required to view these documents. The following documentation is available:

    • Trustwave DLP Discover 6.6 Getting Started Guide

    • Trustwave DLP Discover 6.6 User Guide for Organizations

    • Trustwave DLP Discover 6.6 User Guide for Stand-Alone Installations

    • Trustwave DLP Discover 6.6 Release Notes

    • Trustwave DLP Discover Integration Guide for Dropbox Business

    • Trustwave DLP Discover Integration Guide for Google G Suite™

    • Trustwave DLP Discover Integration Guide for Microsoft Exchange and Azure®

    • Trustwave DLP Discover Integration Guide for Microsoft SharePoint®

    Other important information can be obtained from Trustwave Support.


    Formatting Conventions

    This manual uses the following formatting conventions to denote specific information.

    Table 1: Formatting Conventions

    FORMAT AND SYMBOLS   MEANING

    Blue Underline       A blue underline indicates a Web site or e-mail address.

    Bold                 Bold text denotes UI control and names such as commands, menu items, tab and field names, button and check box names, window and dialog box names, and areas of windows or dialog boxes.

    Code                 Text in this format indicates computer code or information at a command line.

    Italics              Italics denotes the name of a published work, the current document, name of another document, text emphasis, or to introduce a new term.

    [Square brackets]    Square brackets indicate a placeholder for values and expressions.

    Note:                This symbol indicates information that applies to the task at hand.

    Tip:                 This symbol denotes a suggestion for a better or more productive way to use the product.

    Caution:             This symbol highlights a warning against using the software in an unintended manner.


    Table of Contents

    Legal Notice
    Revision History
    Chapter Descriptions
    Formatting Conventions
    Table of Contents
    List of Tables
    1 Introduction
        1.1 Repository Scan Targets
        1.2 Deployment Options
    2 Dropbox Business Scan Targets
    3 Remediation


    List of Tables

    Table 1: Formatting Conventions
    Table 2: Remediation Actions in Different Repository Types


    1 Introduction

    Trustwave DLP Discover™ is a Microsoft Windows®-based application that investigates data at rest to find and protect sensitive information using the Trustwave suite of detection and classification methods. In DLP Discover, users define policies, called scan policies, to scan files and databases for this information. When a scan is complete, users remediate the results before generating reports on the scan and its outcome.

    Scan policies define what type of sensitive data DLP Discover will search for. They also define where to search for the data: laptops or servers, databases, removable drives, and data repositories to name a few. DLP Discover supports scanning of document repositories in several on-site deployments including Dropbox for Business, Google Gmail™, and Microsoft SharePoint® servers. This guide describes how to target Dropbox Business API v2 in DLP Discover.

    1.1 Repository Scan Targets

    When a repository is targeted by a scan policy, that repository is called a scan target. When DLP Discover scans a repository, it makes a connection to the repository, looks for a specific portion of that repository, and scans specific files and folders within that portion based on the repository scan target’s configurations. Thus, when a repository scan target is created, it must specify where the scan will occur and what DLP Discover will scan.

    DLP Discover connects to each repository using a reusable set of configurations called a connection. When scanning a repository target, DLP Discover elevates its permission so that it can scan sensitive files and folders. This access is only available during scans in order to protect the information. As such, some event details may not be available after the scan.

    Most scan policy settings can be applied to a repository scan target. However, some Scan Settings are not supported for file-based repositories. For instance, DLP Discover does not record permissions and file properties for file-based repository files. Because these file attributes are unavailable, the Scan Since information for a file in a repository target is also unavailable. However, DLP Discover can record all skipped items and files without risks.

    Also, when scanning a repository target, DLP Discover does not count the number of items in the repository that it will scan or skip at the beginning of the scan, and it does not update the status bar on the Scan tab while scanning a repository. However, Items Scanned and Items Skipped still increment, and the number of items is their sum. With repositories, items describes the total number of items that were scanned or skipped during a scan.

    Scanners (the DLP Discover installations that run scans) create files in temporary directories while scanning attachments. These files are deleted after the scan. DLP Discover offers a secure way to delete the files, which is time intensive. If a scanner that contains the repository is secure, disable this feature to improve performance.

    Events found in repositories can be remediated automatically during or manually after the scan. You can configure DLP Discover to notify your repository user who owns the risky item when remediation occurs.

    This guide assumes you are familiar with DLP Discover. Review the Trustwave DLP Discover User Guide for Stand-Alone Installations for how to create and run a scan policy and for what to do with its scan results.


    For email-based repositories such as Microsoft Exchange or Google Gmail, you can also configure DLP Discover to notify your repository administrator when remediation occurs as well as warn the user before remediation.

    1.2 Deployment Options

    Trustwave DLP Discover offers two types of deployments: stand-alone or organizational. Stand-alone deployments feature very few (often one) instances of DLP Discover, while organizational deployments have installations of DLP Discover throughout an enterprise. In a stand-alone configuration, DLP Discover can target repositories in any of its scan policies. Organizational deployments only allow repository targets in local scan policies. See Trustwave DLP Discover User Guide for Organizations for more information about local scan policies.


    2 Dropbox Business Scan Targets

    DLP Discover can scan Dropbox Business accounts. It initiates each scan by logging in with the account credentials provided in the scan target's connection. It then scans the indicated target, provided it has permission to access the data that is there. DLP Discover assumes that the account it has will have permissions to the containers that DLP Discover should scan. If DLP Discover cannot access a file or container, DLP Discover assumes it should not scan that area and skips ahead without error.

    DLP Discover requires no special configurations to Dropbox Business except for credentials to a Dropbox Business team admin account that has permission to access the targeted app and the app’s Access Token.

    To target a Dropbox Business account for scanning:

    1. On the Policy Management tab, open the Organization tab.

    2. In the Organization editor, open [DLP Discover machine].

    Copies of any existing audit policies appear under this node.

    3. Create or edit an audit policy.

    4. On the Scan Targets tab, click Add Repository.

    The Select Repository Type dialog box opens.

    In an organizational deployment, select a scan policy under the Agents and Scanners node. Repository scan targets are not available to scan policies anywhere else in the hierarchy.


    5. Select Dropbox for business and click OK.

    The DropBox Target dialog box opens.


    6. If necessary, add a connection or select a connection from the Connection drop down list. Click the image below to watch a video on how to create a connection.

    7. Select a connection in the Connection drop down list.

    Each connection targets a specific app in Dropbox Business. Connections allow you to build targets in order to scan different items within the same app. For instance, you can have two scan policies: one that scans all users within the Dropbox app and another that only scans specific users in your Dropbox Business account. Both policies can use the same connection. When you create a repository scan target, you select a connection to use. The list of available connections that you may choose from is based on the connections you have already created. If you edit a connection, DLP Discover applies that change to all scan targets that use that connection.

    8. Enter a name for the target in the Name field. This name will appear on the scan policy's Scan Targets tab.

    9. Specify which users to scan:

    a. To scan all files, select Team Admin only from the Scan user from drop down list.

    The administrator account is the team admin account that you used in the connection. DLP Discover scans all files available to all team members unless you specify which files or directories to scan.

    b. To scan all files except those of specific users:

    i. From the Scan user from drop down list, select Dropbox Business user directory.

    ii. In the Exclude users field, enter the email addresses of the users whose accounts should not be scanned.

    c. To only scan files of specific users:

    i. From the Scan user from drop down list, select Included list.

    ii. Enter the users’ email addresses that you want to scan in the Includes field.

    iii. If there are duplicate files shared or common amongst those listed in the Includes field, you can prevent them from being scanned multiple times by enabling Prevent scanning of files more than once.

    10. To delete temporary files created while scanning in a way that the files cannot be recovered, select Secure delete temporary files. This is selected by default.

    11. To suppress errors if scan targets are not present or accessible, mark Skip without error.

    12. Continue setting the target in the next chapter.


    3 Remediation

    DLP Discover allows you to automatically and manually remediate events found in repositories. You can also configure DLP Discover to email notices and warnings when a risk is found.

    DLP Discover can automatically move risky events to a secure location, delete risks, quarantine events, or warn the user in whose account events exist. Exactly what these actions mean depends on the type of repository that DLP Discover is scanning:

    Table 2: Remediation Actions in Different Repository Types

    Move
        File-Based Repository: Move a risky file to a new location.
        Email-Based Repository: Forward the email with its attachments to the repository administrator and remove the email from the Sent folder.

    Copy
        File-Based Repository: Not supported
        Email-Based Repository: Not supported

    Delete
        File-Based Repository: Delete the file from the repository.
        Email-Based Repository: Purge the email with its attachments from the Delete and Sent folders.

    Quarantine
        File-Based Repository: Move the file to a new location.
        Email-Based Repository: Forward the email with its attachments to the repository administrator and remove the email from the Sent folder.

    Quarantining an event is the same as moving it. DLP Discover’s automatic remediation is available for both Scanner with Console in standalone deployments and Collector with Console and Scanners for organizational deployments. You must configure the repository target and the scan policy as described in steps 1 and 5 below.

    To manually remediate an event in a repository, you must first configure the repository target before the scan. After the scan, the manual remediation is identical to any other scan target. See step 1 below for how to configure the repository target. See the Trustwave DLP Discover User Guide for Stand-Alone Installations for how to perform manual remediation.

    DLP Discover also allows you to notify repository administrators and affected users over email when a remediation occurs. You may also configure DLP Discover to issue warning emails to affected users so that they can fix the situation themselves. Warning emails can be issued once or once a day up to a configurable number of days. Administrators and users are only notified once if a remediation occurs.

    To configure remediation and notifications for a repository target:


    1. On the Remediation tab of the DropBox Target:

    a. In the Remediation Email User field, enter the email address of the person who should be notified when a remediation occurs in this repository.

    b. In the Remediation Folder field, specify where remediated items should be moved for Move and Quarantine remediations.

    c. To allow manual remediation of this repository, mark these check boxes:

    • Allow manual move remediation: This permission allows you to manually move or quarantine a risk in the repository.

    • Allow manual delete remediation: This permission allows you to manually delete a risk in the repository.

    d. To perform automatic remediations, mark the check boxes that correspond to the actions you want to automatically perform in the repository:

    • Allow automatic move remediation: This permission allows DLP Discover to automatically move or quarantine any risks that are discovered in the repository during a scan.

    • Allow automatic delete remediation: This permission allows DLP Discover to automatically delete any files in the repository that are determined to be risks during a scan.

    You must grant one or more of these permissions to automatically remediate risks in the repository.

    e. In the Admin notify subject, enter the subject of the notification email.

    f. In the Admin notify body prefix, enter the text of the notification email. A sample text is provided.

    Right click the Admin notify subject and Admin notify body prefix fields to insert dynamic text such as:

    • %Discover.Item.Name%: Target name, policy name, and file name of item scanned

    • %Discover.Action%: Action taken on the item

    • %Discover.Item.Key%: Unique key that DLP Discover assigned to the item

    • %Discover.Item.WarningExpiration%: When the item’s warning emails will expire

    • %Dropbox.Administrator.Email%: Email address set in the connection

    • %DropBox.Remediation.Email%: Email of the Remediation Email User

    • %DropBox.Item.Subject%: Item’s file name

    • %DropBox.Item.Info%: Target name, policy name, and file name of item scanned along with the file size.

    2. To notify a user when a remediation occurs in their account:

    a. Open the User Notification tab.

    b. Mark the Notify user upon remediation check box.

    c. In the User notify subject, enter the subject of the notification email.


    d. In the User notify body, enter the text of the notification email. A sample text is provided.

    Right click the User notify subject and User notify body prefix fields to insert dynamic text such as:

    • %Discover.Item.Name%: Target name, policy name, and file name of item scanned

    • %Discover.Action%: Action taken on the item

    • %Discover.Item.Key%: Unique key that DLP Discover assigned to the item

    • %Discover.Item.WarningExpiration%: When the item’s warning emails will expire

    • %Dropbox.Administrator.Email%: Email address set in the connection

    • %DropBox.Remediation.Email%: Email of the Remediation Email User

    • %DropBox.Item.Subject%: Item’s file name

    • %DropBox.Item.Info%: Target name, policy name, and file name of item scanned along with the file size.

    3. To notify a user before a remediation occurs in their account:

    a. Open the User Warning tab.

    b. To warn the user once, select Warn Once from the User warning type drop down list.

    c. To warn the user multiple times:

    i. Select Warn with repeats from the User warning type drop down list.

    ii. In the Warning duration field, enter the number of days for which the user should receive a warning before remediation occurs. A warning will be sent out each day.


    d. In the User warning subject, enter the subject of the warning email.

    Right click the User warning subject field to insert dynamic text such as:

    • %Discover.Item.Name%: Target name, policy name, and file name of item scanned

    • %Discover.Action%: Action taken on the item

    • %Discover.Item.Key%: Unique key that DLP Discover assigned to the item

    • %Discover.Item.WarningExpiration%: When the item’s warning emails will expire

    • %Dropbox.Administrator.Email%: Email address set in the connection

    • %DropBox.Remediation.Email%: Email of the Remediation Email User

    • %DropBox.Item.Subject%: Item’s file name

    • %DropBox.Item.Info%: Target name, policy name, and file name of item scanned along with the file size.

    4. Click OK.

    5. To perform automatic remediation on the repository, when you return to the Edit Policy form in the Policy Management tab:

    a. Open the Remediation tab.

    b. Mark Auto Remediation Enable.

    c. Select a File Action.

    Copy is not supported for repository scan targets.

    d. If you choose Move, enter the Copy/Move Paths.

    These paths are required even though you already specified a path in the Remediation Folder field. These paths will be ignored for the repository targets.

    e. Finish configuring the scan policy and click OK.
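
A pre-deployment check for the notification and warning text entered in steps 1 to 3, as an added example (not Trustwave code): it flags dynamic-text placeholders whose spelling or casing differs from the list in this guide, which mixes "Dropbox" and "DropBox". It assumes placeholders are case-sensitive and written as dot-separated words between percent signs; the sample subject and body are constructed.

```python
"""Lint DLP Discover notification text for placeholder typos (added example)."""
import re
from difflib import get_close_matches

# Placeholders exactly as this guide spells them. The guide says "such as",
# so the product may accept more; anything else is reported as
# "undocumented" rather than as invalid.
DOCUMENTED = (
    "%Discover.Item.Name%",
    "%Discover.Action%",
    "%Discover.Item.Key%",
    "%Discover.Item.WarningExpiration%",
    "%Dropbox.Administrator.Email%",
    "%DropBox.Remediation.Email%",
    "%DropBox.Item.Subject%",
    "%DropBox.Item.Info%",
)
_BY_LOWER = {p.lower(): p for p in DOCUMENTED}

# Assumption: a placeholder is dot-separated words between percent signs.
TOKEN_RE = re.compile(r"%[A-Za-z]+(?:\.[A-Za-z]+)+%")
# Same shape without the closing percent sign (a truncated placeholder).
OPEN_RE = re.compile(r"%[A-Za-z]+(?:\.[A-Za-z]+)+")


def lint_template(text):
    """Return (token, problem, suggestion) tuples for one subject or body."""
    findings = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0)
        if token in DOCUMENTED:
            continue
        same_letters = _BY_LOWER.get(token.lower())
        if same_letters:
            # Right name, wrong casing: assumed not to expand (case-sensitive).
            findings.append((token, "case-mismatch", same_letters))
        else:
            near = get_close_matches(token, DOCUMENTED, n=1, cutoff=0.8)
            findings.append((token, "undocumented", near[0] if near else None))
    # Whatever still looks like a placeholder start after removing the
    # well-formed ones is missing its closing percent sign.
    leftover = TOKEN_RE.sub(" ", text)
    for match in OPEN_RE.finditer(leftover):
        findings.append((match.group(0), "unterminated", match.group(0) + "%"))
    return findings


# Constructed sample text, not taken from the product's sample text.
SAMPLE_SUBJECT = "DLP Discover: %Discover.Action% applied to %Discover.Item.Name%"
SAMPLE_BODY = (
    "File %Dropbox.Item.Subject% (key %Discover.Item.Key%) was remediated. "
    "Contact %DropBox.Administrator.Email%. "
    "Warnings stop on %Discover.Item.WarningExpiry%. "
    "Action taken: %Discover.Action"
)

if __name__ == "__main__":
    for name, text in (("subject", SAMPLE_SUBJECT), ("body", SAMPLE_BODY)):
        for token, problem, suggestion in lint_template(text):
            print(f"{name}: {token} [{problem}] -> {suggestion}")
```
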


    About Trustwave®

    Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.
