Trustwave DLP Discover 6.6 Getting Started Guide - December 7, 2017

Legal Notice

Copyright © 2017 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this book, they make no representation or warranties with respect to the accuracy or completeness of the contents of this manual and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

The most current version of this document may be obtained by contacting:

Trustwave Technical Support:

Phone: +1.800.363.1621

Email: [email protected]

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used,

copied, or disseminated in any manner without the prior written permission of Trustwave.


Revision History

VERSION | DATE | CHANGES
1.4 | October 2010 | Original version
2.0 | August 2011 | Updated for version 2.0
2.4 | May 2012 | Guide for version 2.4
2.5.1 | November 2012 | Guide for version 2.5.1
3.0 | December 2012 | Guide for the 3.0 limit release
3.1 | May 2013 | Guide renamed for the 3.1 release
4.0 | February 2014 | Rebranded and updated for DLP Discover 4.0
4.1 | June 2014 | Guide for 4.1 release
5.0 | May 2015 | Guide for 5.0 release. Includes features from DLP Discover 4.2, 4.3, and 5.0.
6.0 | December 2015 | Guide for 6.0 release. Updated screen shots and added Validate Protection functionality.
6.1 | April 2016 | Rebranded and updated guide for 6.1 release. Updated screen shots and added directions for Linux in the remediation example.
6.2 | July 2016 | Guide for the 6.2 release. Updated instructions for new user interface. Combined the previous two Getting Started Guides into one.
6.3 | September 2016 | Guide for the 6.3 release. Updated instructions for user interface changes.
6.4 | March 2017 | Guide for the 6.4 release. Updated instructions and screenshots for user interface changes.
6.6 | December 2017 | Guide for the 6.6 release. Updated instructions and screenshots for user interface changes.


DLP Discover vs. DLP Discover for SME

Trustwave DLP Discover for SME is designed to help small and medium enterprises identify cardholder data within their environments by providing a subset of DLP Discover’s functionality. DLP Discover for SME operates with the following restrictions:

• Scanning for only two cardholder data (CHD) risk categories: PCI-DSS and Credit Card Number Only.

• Scans target only local drives, network drives, and databases.

• Risk categories cannot be customized.

• Scan policies cannot be created.

• No remediation is available for content risks.

• Scans are limited to fifteen (15) per year. Thus, a two-year term license permits up to 30 scans.

Customers can upgrade to the full version of DLP Discover to access additional content categories, unlimited scanning, and remediation functionality.

Organizational functionality is not available for Discover for SME.


Chapter Descriptions

This book is the Trustwave DLP Discover 6.6 Getting Started Guide. It leads the reader through a series of exercises that introduce the basic functionality of DLP Discover and its organizational capabilities. This book is broken into two sections that contain the following chapters.

Chapter 1: Getting Started
This chapter introduces Trustwave DLP Discover. It describes how to use DLP Discover and how to set up an example environment to learn DLP Discover’s functionality. This chapter also introduces the organizational functionality of Trustwave DLP Discover. It describes the components and roles involved and provides an overview of how to set up an organization in DLP Discover.

Section 1: Basic Functions

Chapter 2: Content Risks and Scan Targets
This chapter introduces the concepts of Content Risks and Scan Targets. The chapter demonstrates how to create a scan policy, configure scan targets, and run a scan.

Chapter 3: Review and Remediation
Readers learn how to remediate local and remote files for risks. This chapter also describes options for how to handle risky files.

Chapter 4: Protecting Sensitive Data
Readers learn how to create protection policies to remediate risks on agents.

Chapter 5: Scan Reporting
This chapter describes how to display the results of a DLP Discover scan, to access and save generated reports, and to view details.

Section 2: DLP Discover in an Organization

Chapter 6: Setup
The chapter describes how to install a small organizational deployment of DLP Discover consisting of a collector with console and one agent. It also provides instructions for deploying mock data that you will use.

Chapter 7: Scan Policies for Data Across An Organization
Readers learn basic concepts and how to create global scan policies on their collector with console.

Chapter 8: Scan Policies for Data in an Organizational Group
Readers learn to build an organizational hierarchy and how to create scan policies specific to parts of that hierarchy in anticipation of future reports.

Chapter 9: Scheduling Scans
Readers schedule the global and group scan policies to scan.

Chapter 10: Viewing Organizational Scan Results
Readers learn how to use the Dashboard and the Event Explorer in an organizational context.


Chapter 11: Creating Reports
Readers generate reports based on the organizational hierarchy and scans provided by agents.

Appendix A: Additional Requirements for Organizational Deployments
DLP Discover’s organizational features require more from hardware than a stand-alone deployment. These additional requirements are listed in appendix A for readers who intend to follow instructions in both sections of this guide.

Related Documentation

DLP Discover’s documentation is available to all DLP Discover users through links on the Applications tab of the Setting tab. An internet connection is required to view these documents. The following documentation is available:

• Trustwave DLP Discover 6.6 Getting Started Guide

• Trustwave DLP Discover 6.6 User Guide for Organizations

• Trustwave DLP Discover 6.6 User Guide for Stand-Alone Installations

• Trustwave DLP Discover 6.6 Release Notes

• Trustwave DLP Discover Integration Guide for Dropbox Business

• Trustwave DLP Discover Integration Guide for Google G Suite™

• Trustwave DLP Discover Integration Guide for Microsoft Exchange and Azure®

• Trustwave DLP Discover Integration Guide for Microsoft SharePoint®

Other important information can be obtained from Trustwave Support.


Formatting Conventions

This manual uses the following formatting conventions to denote specific information.

Table 1: Formatting Conventions

FORMAT AND SYMBOLS | MEANING
Blue Underline | A blue underline indicates a Web site or e-mail address.
Bold | Bold text denotes UI control and names such as commands, menu items, tab and field names, button and check box names, window and dialog box names, and areas of windows or dialog boxes.
Code | Text in this format indicates computer code or information at a command line.
Italics | Italics denotes the name of a published work, the current document, name of another document, text emphasis, or to introduce a new term.
[Square brackets] | Square brackets indicate a placeholder for values and expressions.
Note: | This symbol indicates information that applies to the task at hand.
Tip: | This symbol denotes a suggestion for a better or more productive way to use the product.
Caution: | This symbol highlights a warning against using the software in an unintended manner.


Table of Contents

Legal Notice
Revision History
DLP Discover vs. DLP Discover for SME
Chapter Descriptions
Formatting Conventions
Table of Contents
    List of Tables
    List of Figures
1 Getting Started
Section 1 Basic Functions
2 Content Risks and Scan Targets
    2.1 Creating a Scan Policy
    2.2 Configure Content Risks
    2.3 Configure Scan Targets
    2.4 Scanning Local Folders Ad Hoc
    2.5 Scanning Local Folders on a Schedule
3 Review and Remediation
    3.1 Viewing Scan Results
    3.2 Remediating Events
4 Protecting Sensitive Data
5 Scan Reporting
Section 2 DLP Discover in an Organization
    Components and Roles
    How to Use This Section
6 Setup
    6.1 Configuring a Collector with Console
    6.2 Configuring the Agent Installer
    6.3 Unpacking the Example Data


7 Scan Policies for Data Across An Organization
8 Scan Policies for Data in an Organizational Group
    8.1 Creating an Organizational Hierarchy
    8.2 Linking People and Groups
    8.3 Create a Group Scan Policy
9 Scheduling Scans
    9.1 Schedule the Global Scan Policy
    9.2 Schedule the Group Scan Policy
10 Viewing Organizational Scan Results
    10.1 Viewing Results in the Dashboard
    10.2 Viewing Results in the Event Explorer
    10.3 Viewing Scan Results by Organizational Group or Member
11 Creating Reports
    11.1 Adding Default Information to Reports
    11.2 Reporting Based on Group and Member
    11.3 Reporting Based on Relationships
    11.4 Printing and Exporting Reports
Appendix A Additional Requirements for Organizational Deployments


List of Tables

Table 1: Formatting Conventions
Table 2: Standard Content Risks
Table 3: Scan Start Types
Table 4: Scan End Types
Table 5: Remediation Actions
Table 6: Possible Types of Entity Nodes in an Organization’s Hierarchy


List of Figures

Figure 1: A Trustwave DLP Discover Stand-Alone Installation Ready to Scan
Figure 2: A Large Organizational Deployment
Figure 3: A Small Organizational Deployment


1 Getting Started

DLP Discover utilizes a suite of content analysis technologies that detect confidential information inside documents stored on desktops, laptops, servers, document repositories, and records in databases. By detecting stored sensitive information, you can prevent security breaches, compliance violations, and violations of corporate data governance policies that can result from misuse and improper storage of controlled content. Trustwave DLP Discover provides you with the tools to properly manage and protect sensitive or controlled content throughout your organization.

Trustwave DLP Discover can be deployed in a stand-alone configuration on a single machine that is independent of other DLP Discover installations. DLP Discover can also be deployed in an organizational configuration where several machines are networked to support and enhance their function in your organization.

This Getting Started Guide teaches you the basics of scanning data, remediating risks, and generating reports for both stand-alone and organizational deployments. In the first section, you learn DLP Discover’s fundamental concepts and functions in a stand-alone setting. The second section expands on that knowledge by adding organizational features. In each section, you work through scenarios that imitate real-world situations.

Whether you want to use the stand-alone or the organizational features of DLP Discover, start with Section 1 Basic Functions. Section 2 DLP Discover in an Organization builds on what you learn in Section 1.

Figure 1: A Trustwave DLP Discover Stand-Alone Installation Ready to Scan


Section 1 Basic Functions

This section guides you through the basic functions of DLP Discover. You will learn how to create and run a scan along with essential concepts and tips for using DLP Discover again and again. In this section, you need one server to act as a scanner with console, which is DLP Discover’s term for a stand-alone configuration.

Start by installing DLP Discover and configuring its role as a scanner with console. See chapter 2 of the Trustwave DLP Discover User Manual for Stand-Alone Installations for installation instructions and system requirements. If you plan to go on to Section 2, see Appendix A before installing DLP Discover.

Run DLP Discover as an administrator. In Microsoft Windows, right-click the DLP Discover icon and choose Properties. On the Properties window’s Compatibility tab, mark Run this program as an administrator and click OK.

The console, collector with console, and collectors must run DLP Discover as an administrator to successfully initialize their local REST API server.

Next you will need test data to detect during the scan. You can find such data in DLP Discover’s installation directories. Go to the directory C:\Program Files\Trustwave\Discover\Sensitive Content. Then unzip the file called Sensitive Content.zip to a directory called C:\Customer Data.

You are now ready to start the exercises in this section. The general sequence you will try is:

1. Create a scan policy, which is a set of scan configuration settings. It contains scanning configuration information such as what to scan for and where.

2. Specify the categories of sensitive content for which you want to scan.

3. Specify the target folders you want to scan.

4. Schedule the scan to run on a regular basis.

5. Run the scan.

6. Review the scan results.

7. Remediate the risks revealed by the scan.

8. Create reports about the scan.

This might seem complicated at first, but after you create your first scan policy, you will realize how easy it is to set up different policies to search for a variety of risks in several locations. Also, because DLP Discover is designed to run scans several times over, you will know that, once set up, DLP Discover will continue to scan your system for threats no matter what comes in.

Let’s get started.


2 Content Risks and Scan Targets

DLP Discover is based on a few simple concepts. The first is the scan policy. A scan policy is a named scan configuration. By using policies, you can create, manage, and recall a multitude of DLP Discover configurations. Policies make it easy for you to build DLP Discover configurations for specific purposes such as satisfying a PCI-DSS audit or conducting an E-Discovery search.

Next are content risks, which are categories of sensitive information, such as personal data or Social Security Numbers. Trustwave DLP Discover offers several out-of-the-box content risk categories that apply to most organizations and businesses.

Scan targets are file shares located on desktops, laptops, and servers that are targeted by scans. In general, a scan target is any file share that can be mounted by the machine’s operating system. A scan target may also be a connection to a database or document repository. DLP Discover can scan hundreds of standard file types such as PDF, XML, Microsoft Office formats, and HTML files, to name a few. DLP Discover also supports scanning compound document types such as PST, ZIP, RAR, 7z, and others, and reports on the sub file where the sensitive information is detected. For Personal Storage Table (PST) files, DLP Discover can report on the email body or attachments.

The Policy Management | Organization tab is where you create scan policies with content risks and scan targets to scan.

In the following sections and procedures you will create a simple scan policy, configure what risk content categories to search for, and configure what targets to scan. Then you will run a scan using the policy you just created and schedule it to run later. Remediation of any discovered risky content and scan scheduling are covered in a later section.

2.1 Creating a Scan Policy

The Customer Data policy will create scans that search for PCI DSS data and credit card numbers in the C:\Customer Data folder. The results of this policy can be used to generate reports in support of a PCI DSS audit or to verify that customer credit card data is never stored unencrypted.

Policies are created on the Policy Management | Organization tab.

To create the Customer Data policy:


1. On the Policy Management tab, open the Organization tab.

2. Expand the hierarchy.

3. Right-click Audit Policies and choose Add New Audit Policy.

The tabs that create a new scan policy appear. A variety of buttons also appear on the ribbon. You can ignore those for now.


4. Enter the name of your new policy on the Policy Settings tab. For this example, type the name Customer Data in the Name: text box.

5. Leave the Settings drop down list alone so that this simple policy can use the default settings.

Select a unique name for your new policy. The name should reflect the purpose for the policy or the assets the policy addresses (e.g. "Boston Server Farm PCI Scan" or "Denver Office FISMA Audit"). DLP Discover notifies you if the name is not unique.

2.2 Configure Content Risks

Now you will specify what content risks to scan for. The Content Risks tab offers one or more standard content risk categories to be used in a scan. See Table 2 for descriptions of the standard content risks.

Table 2: Standard Content Risks

CONTENT RISK CATEGORY | DESCRIPTION
Credit Card Number Only | Detects any numerical string that appears to be a credit card number. This category is best used for scanning databases.
Social Security Number Only | Detects any numerical string that appears to be a social security number. This category is best used for scanning databases.
PCI-DSS | Detects numerical strings that could be credit card numbers while also collecting contextual information and other cardholder data. This category searches for information covered by the Payment Card Industry Data Security Standard (PCI DSS), which applies to any organization that stores, processes, or transmits cardholder data.
Personal Information | Detects identification information such as names, addresses, account numbers, dates of birth, Social Security Number and other information that may be regulated by US state and federal privacy laws like California SB-1386 or the Gramm-Leach-Bliley Act of 1999. Use this category to identify information that could be used to commit fraud or other crimes of identity theft.
FERPA | Detects personal and education-related information as defined by the US Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), which protects the privacy of student education records. This category is designed to help schools that receive funds under programs subject to FERPA.
Finance | Detects documents that contain sensitive financial and accounting data such as balance sheets, tax returns, general ledgers and cash flow statements.
Protected Health Information | Detects protected health information (PHI) governed by the Health Insurance Portability and Accountability Act of 1996. This category searches for information about health status, provision of health care, and payment for health care that can be linked to an individual.
Proprietary Information | Detects confidential files that may be deemed proprietary based on language or topic. These files may contain secret or sensitive communications on a wide range of matters, including the leaking or selling of sensitive or proprietary information, M&A negotiations or covert communications with competitors.

To configure the Customer Data policy content risks:

1. Click on the Content Risks tab. This is where you select the content risk categories for your policy.

2. Select Credit Card Number Only and PCI-DSS.

2.3 Configure Scan Targets

Policies contain scan targets, which allow you to create a group of targets based on specific organizational structures or operational objectives. It is often useful to build a policy dedicated to scanning a group of assets (servers, databases, drives, repositories) based on the sensitive data those assets may contain or on the compliance regulations to which they are subject. For example, a policy named “PCI-DSS Audit: Point of Sale Terminal Servers” might scan the servers related to a point of sale environment; these devices and their associated network servers are subject to PCI-DSS regulation and auditing. (PCI DSS is a set of regulations for handling payment cardholder data.)

To add a local scan target:

1. Click on the Scan Targets tab. This is where you add scan targets for your policy.

2. Click Add Local Folder.

See the Trustwave DLP Discover User Guide for Stand-Alone Installations for how to create all types of scan targets.


3. On the Select Directories dialog, browse to the C:\Customer Data folder and mark its check box. This is the directory that you created earlier on your local drive and populated with the test data provided.

4. Optionally, mark the Skip Without Error check box and click OK.

5. On the Scan Targets tab, notice that the C:\Customer Data folder is listed there.

Folders appear when you browse local folders. If you were entering a folder on a remote machine, no folders would be listed in this dialog. You would then need to type the path to the folder you want in the Folder text box.


6. Click OK to save your scan policy.

The Customer Data policy appears in the Organization hierarchy.

2.4 Scanning Local Folders Ad Hoc

Scans can be run ad hoc or on a schedule. For an ad hoc scan, you have the choice of running a quick scan or a full scan. A quick scan is faster than a full scan because it is optimized for time, scanning the first 3 megabytes of the file. In contrast, a full scan is more comprehensive and uses advanced scoring logic. Full scans scan the first 10 megabytes. So think carefully when choosing a quick or full scan.

You can run a quick scan in two ways:

1. On the Scan tab:

a. Expand the hierarchy.


b. Select Customer Data. It is under Agents and Scanners and the name of your computer.

c. On the ribbon, mark the Quick Scan check box.


d. Click the Start Scan button.

As the scan runs, the progress bar indicates the percentage of scan completed. When the scan is finished, Done! will appear in the progress bar.

e. Click on the Edit Policy button to return to the Policy Management tab with the policy pre-loaded.

2. Alternatively, on the Event Explorer tab, click the policy you want in the hierarchy and click on the Start Scan button.

A scan starts using its default scan settings: Quick Scan and Scan all.

During a scan, DLP Discover connects to the scan target and then opens every file in the directory path, starting in the directory indicated by the scan target name. DLP Discover then recursively descends into every directory in the hierarchy looking for files to open and scan. Each file it encounters is transferred over the network (if the file share is remote) or opened locally and subject to content analysis based on the risk categories that have been selected for the scan.
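Taking the per-file limits above at face value, content past the first 3 MB (quick scan) or 10 MB (full scan) of a file falls outside the analyzed window. The following added example is not Trustwave code: it walks a folder recursively as described and reports which card-like numbers sit outside each window. The regex-plus-Luhn detector, the function names, and the sample files are assumptions constructed for illustration.

```python
import mmap
import os
import re

MB = 1024 * 1024
# Per-file limits stated in this guide: quick scan 3 MB, full scan 10 MB.
SCAN_WINDOW = {"quick": 3 * MB, "full": 10 * MB}

# Assumed stand-in detector: 13-19 digits with optional single space/dash separators.
CARD_RE = re.compile(rb"\d(?:[ -]?\d){12,18}(?!\d)")
CARD_LINE = b"card 4111 1111 1111 1111\n"   # constructed sample (well-known test number)
DECOY_LINE = b"ref 1234 5678 9012 3456\n"   # constructed sample that fails the Luhn check


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                          # ASCII digit -> int
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_spans(buf):
    """Return (start, end) offsets of Luhn-valid card-like numbers in a bytes-like buffer."""
    spans = []
    for m in CARD_RE.finditer(buf):
        start = m.start()
        if start and 48 <= buf[start - 1] <= 57:
            continue                         # tail of a longer digit run
        if luhn_ok(re.sub(rb"\D", b"", bytes(m.group()))):
            spans.append((start, m.end()))
    return spans


def audit_file(path: str, window: int) -> dict:
    """Classify detections by whether they end inside the first `window` bytes."""
    size = os.path.getsize(path)
    spans = []
    if size:                                 # mmap cannot map an empty file
        with open(path, "rb") as fh, \
                mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            spans = card_spans(mm)
    seen = sum(1 for _start, end in spans if end <= window)
    # A number cut in two by the window boundary counts as missed.
    return {"in_window": seen, "missed": len(spans) - seen,
            "unscanned_bytes": max(0, size - window)}


def audit_coverage(root: str, mode: str) -> dict:
    """Walk `root` recursively and report per-file coverage for 'quick' or 'full'."""
    window = SCAN_WINDOW[mode]
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            report[rel] = audit_file(path, window)
    return report


def build_sample_tree(root: str) -> None:
    """Write constructed test files whose card number sits at different depths."""
    os.makedirs(os.path.join(root, "sub"))
    layout = {
        "small.txt": 0,                      # number at the start of the file
        "sub/straddle.bin": 3 * MB - 10,     # number crosses the 3 MB boundary
        "sub/big.log": 4 * MB,               # past the quick window, inside the full one
        "sub/huge.dat": 11 * MB,             # past both windows
    }
    for rel, pad in layout.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"x" * pad + CARD_LINE + DECOY_LINE)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for mode in ("quick", "full"):
            for rel, row in sorted(audit_coverage(tmp, mode).items()):
                print(f"{mode:5} {rel:18} {row}")
```

Files that report a non-zero `unscanned_bytes` value are candidates for a full scan or for separate review, since a clean result for them covers only the start of the file.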

2.5 Scanning Local Folders on a Schedule

Good guards do not look for danger once and give up. They keep a constant vigil, checking again and again for new risks. Likewise, DLP Discover scan policies are not designed to be run once but rather periodically on a regular basis. You can automate your scans to run at regular intervals to check for risks as new data comes into a scan target.

DLP Discover provides a calendar where you can schedule series of scans that run on a daily, weekly, monthly, or yearly basis. Each scan policy can have a unique schedule. Of course, the DLP Discover application must be running on the intended machine in order for the scheduled scan to take place.

The schedule calendar offers you many ways to view and schedule scans: by day, week, work week, month, as a time line, by policy, or by date. Every scheduled instance of a scan is called a “policy scan period”. These periods are color coded to indicate how the period starts and stops. They are also labeled for easy identification. The Start type is indicated by a side bar on the Day and Work Week views. The End type is denoted by the color of the policy scan period on all calendar views.

Scheduled scans can take up to a minute to start and cannot overlap, not even if the second scan is for the same scan policy.

Table 3: Scan Start Types (columns: Scan Start Type, Side Bar Color, Description)

Run or Resume Scan: For scanners, the scheduled scan period will initiate a new scan OR will resume the scan if the previous scan for the same policy has been suspended. For agents, the scheduled scan period will initiate a new scan.

Resume Previous Scan: The scheduled scan period will only resume the previous scan if the previous scan was suspended. Not available for agents.

Disabled: The scheduled scan period will not initiate. Not available for agents.

Table 4: Scan End Types (columns: Scan End Type, Box Color, Description)

Run to Completion: The scheduled scan period will run to completion regardless of scan end time.

Suspend Scan: The scheduled scan period will be suspended at the scheduled scan end time. The scan may take several minutes to suspend itself. Not available for agents.

To schedule your scan policy:


1. Open the Policy Management | Schedule tab.

2. Click the Go to Today button.

3. Select the Work Week View button.

The calendar displays the Work Week View.


4. Double click on a period 15 minutes from now.

The Policy Scan Period window opens.

a. In the Select a policy drop down list, double click Customer Data.

b. Select Start or Resume Scan from the Start drop down list.

c. Select Run to Completion from the End drop down list.

d. In both of the Scan Settings, choose Use policy default.

e. Choose Recurrence.

The Scan Period Recurrence window opens.


5. In the Scan Period Recurrence window:

a. In the Period times section, confirm and if necessary adjust the Start and End times.

b. Set the Duration drop down list to 30 minutes.

The other field may adjust.

c. In the Recurrence pattern section, select the Daily radio button.

d. Select Every weekday to make the scan run on only work days.

e. In the Range of recurrence area, set the Start field to today.

f. Choose No end date.

g. Click OK.

The Scan Period Recurrence window closes.

Recurring scans have a range of recurrence which is the span of time over which they can occur. You must specify the date when the scans can begin to occur. After that, you choose whether the scan will reoccur forever, until a specified date, or until it has occurred a set number of times.

When the End type is Run To Completion, this time duration will be ignored.


6. Click OK.

The Policy Scan Period window closes. The new scan schedule appears on the calendar.

Notice that the scan period is labelled with the name of your policy.

7. Wait about 15 minutes and you will see the scan run.

A percentage appears in the scan period label.


3 Review and Remediation

After a scan, you can review results in the Event Explorer. The Event Explorer allows you to analyze results to identify issues and create reports. The Event Explorer also allows you to remediate any risks that DLP Discover finds during a scan.

3.1 Viewing Scan Results

1. Open the Event Explorer tab.

A hierarchy on the left shows both scans that you ran. Notice that each scan lists the number of risk sources found.

2. Double click on the most recent scan in the Scans hierarchy.

The scan’s information appears on the Scan Summary tab in the middle of the Event Explorer. If it does not, right click in the Scans pane and choose Refresh.

If you want to see the results from multiple scans, wait until after the Customer Data policy has completed its first scheduled scan before you continue.


Much of the same information that appeared on the Scan tab also appears on the Scan Summary tab. You can view the results in multiple ways: in a grid, as a tree map, or as a chart. You can also organize the results by category, target, or severity.

a. Click through the Show Tree Map, Show Bar Chart, and Show Pie Chart buttons to see the different ways DLP Discover displays trends in the information.

b. Select one view and then click through the By Category, By Target, and By Severity buttons to see the different ways DLP Discover organizes the information.

c. Click Show Pie Chart and By Severity when you are ready to continue.


d. Click the dark red slice of the pie chart to drill down into the data.

DLP Discover opens the Events tab. The Events tab displays a list of targets that DLP Discover determined to contain risky content. The icon to the right of each file name represents the severity of its risk.

e. Note the filter overlay on the label of the Events tab. This indicates that the events listed are filtered. In this particular case, what you see is the event represented by the dark slice on the pie chart.

3. Click View Scan Events to remove the filter and view all of the events in the scan.

All of the events appear in the tab.


4. Click Settings.

The Event Explorer Settings window opens. This shows the default settings. Any change updates the Settings button icon and its mouse-over tool tip to indicate that a change from default is in effect.

5. Enable Show Matches and click OK.

The window closes while the Event Explorer displays the matches directly below each file.

6. Notice that a check mark appears on the Settings icon. Hover the mouse over the icon to see a quick preview of which settings are enabled.

7. Open the Event Explorer Settings window and disable Show Matches.

8. Click each result in the Events tab.

A preview pane below the events list shows a partial set of highlighted matches found in this file target. The panel on the far right displays additional information including the number of content risks detected, which risk content category, and the file's properties. Click on the down arrows to view more. Snippets of actual extracted data at risk appear in the lower panel of the tab. (You can adjust the panel height to see more.)

DLP Discover displays in red the extracted text that it determined to be significant during the content analysis process.

Some highlighted snippets may appear more than once. This happens when multiple risk categories identify that same data as at risk; for example, Credit Card Number only and PCI-DSS both detect credit card numbers. When this occurs, the data in question can appear multiple times.


9. On the Events tab, right click the first file to display a popup menu offering the following options:

• Open File: Opens the selected file in the native application associated with its extension. You can also double click on the file name to open the file.

• Open Target Directory: Opens the directory containing the file selected in the scan result source list.

• File Properties: Opens the Windows file properties dialog for the selected file.

• Show Detailed Match Information: Rescans the selected file using the Policy’s currently configured content risks and settings and then displays the detailed match information window. See below for more information on the detailed match information.

• Show Remediation History: Opens the Remediation History dialog displaying remediation actions taken on the selected file. This also shows any reviewer notes that were created for this file.

• Show Item Scan Report: Generates a detailed scan report for the selected item. This item can be a database or file source. The detailed scan report includes all information associated with this file, such as risks detected and how many (if any) protection or remediation actions were taken, file access control information, file properties, sample sensitive content matches, and scan histories on this file.

• Add Reviewer Note: Opens the Reviewer Note dialog so the user can create a note associated with the selected file. This note will persist across policies and future scans.

• Zip File and Item Scan Report: Allows the user to create a password protected zip file that includes the selected file along with its detailed item scan report. There is an option to delete the selected source file when this protected zip file is created.

If the policy's configuration changed since this last scan, the rescan will use the current policy configuration. Therefore the results may be different.

The detailed match information window displays multiple tabs. Each tab displays different highlighted data.

• The Match Summary tab shows all extracted snippet data at risk, which includes results from all decoded data formats.

• The Fully Normalized View tab displays the full document text that has been processed through our decoder to remove formatting, case, and other binary characters that do not provide any useful data as part of its full normalization.

• The Partially Normalized View tab also displays the full document text that has been processed through our decoder but only to remove some formatting and binary characters that do not provide any useful data as part of its partial normalization.

Sensitive information in both of these views will be highlighted in-line. You may see text highlighted in the fully normalized view that is not marked in the partially normalized view, or vice versa. This is because DLP Discover's content risk categories were designed with unique logic and rules specifically for each type of normalization.

Any actions you make in the Event Explorer are only applied to the results that you selected and filtered.

3.2 Remediating Events

When you select a scan result in the Events tab, DLP Discover offers you several remediation actions in the tab’s ribbon that you can apply to the file.

You can even apply the same action to multiple files by selecting all of the files at once. To do this, hold down the Control key when you click on each file or use the Shift key to select files sequentially.

Table 5: Remediation Actions

ACTION BUTTON DESCRIPTION

Copy: Copy the selected file(s) to a target directory that you specify.

Delete: Delete the selected file(s). Choosing this option permanently erases the file from disk; the item is not placed in the Recycle Bin.

Ignore: Ignore the selected file(s) during subsequent DLP Discover scans.

Move: Move the selected file(s) to a target directory that you specify.

Protect: Applies protection policies to selected files. If a policy includes email notifications, it will not send any email because the policy is manually applied. This icon only appears when protection policies exist.

Quarantine: Move the selected file(s) to an encrypted zip file placed under Quarantine. Files inside quarantine can be reinstated using the DLP Discover Quarantine manager.

Validate Protection: Determines the state of the selected files if the protection policies were applied, then compares that to the current state of the files, and notifies you of any differences.

As an example, the following procedure demonstrates how to take an action with a file that has been identified as containing risky content. In this scenario you will move a file to a target directory.

1. On the Events tab, mark the check box in the header row of the list.

All items in the list are selected.

2. Click Move.

You will be prompted to confirm the move.


3. To move the files to a location other than the default location:

a. For Windows, click Browse to select a destination folder or enter the full path name to the new location in the On Windows to: field.

b. For Linux, enter the full path name to the new location in the on Linux to: field.

4. To replace the risky file(s) with a Windows file shortcut that points to the file’s new location, check Create Shortcut.

5. To maintain the original source file’s directory structure in the destination folder, select Maintain File Structure. If this option is not selected, the files are placed in the destination folder without any directory structure.

6. Click OK.

When the file move operation is complete, you will be prompted to acknowledge the move.

7. Click Close.

The items are moved even though they still appear in the list. The item's name cell is highlighted yellow to indicate that the file does not exist in this location.

The Linux path only applies to DLP Discover agents that are installed on a Linux system in an organization deployment.

Right-click any remediated item and use the context menu to view its remediation history.


4 Protecting Sensitive Data

DLP Discover allows you to create rules to automatically remediate events that DLP Discover finds during a scan. These rules are called protection policies. With protection policies, you can automatically remediate your sensitive data and make your organization compliant with internal policies and external standards, which enhances both your organization’s security and reputation.

DLP Discover applies all protection policies that you create to the results of every scan. Protection policies can copy, move, encrypt, or quarantine files. They can also configure the file's Access Control List (ACL), gather file properties and ACL information, and/or send an email notification. In this scenario, you create a simple protection policy that automatically encrypts files with sensitive data and gives you full access to those files.

To create a simple protection policy:

1. On the Policy Management tab, open the Protection Policy tab.

DLP Discover applies protection policies to all scans except for scans from scan policies that have their own remediation settings. To learn more about scan policies’ remediation settings, see the Trustwave DLP Discover User Guide for Stand-Alone Installations.

Protection policies can slow down scans that target encrypted files. DLP Discover uses Windows' Encrypting File System (EFS) as its encryption solution. To improve scan performance, you can set DLP Discover to not scan encrypted files. See the Trustwave DLP Discover User Guide for Stand-Alone Installations for more information.


2. Click the Rule Wizard button.

The Policy Wizard dialog displays in a separate window. This is a simple interface for convenient, easy creation of policy rules.

3. On the Select Risks page:

a. Enter Example Protection Policy in the Title field.

b. Check all of the category risks.

c. Leave the Require All To Match checkbox unmarked.

d. Check Apply Automatically. This option applies this rule automatically during the scan.

e. Click Next.

4. On the Select Permission Type dialog, select Domain User and Group and click Next. This allows the rule to configure domain users as opposed to Windows’ pre-configured users and groups.

The domain users are loaded.

5. Select yourself and click Next.

6. On the Set Permission dialog, select FullControl. This is the permission you will receive when a file containing sensitive data is remediated.


7. Mark Encrypt File and click Next.

8. On the final dialog, click Finish to apply this rule definition.


After the policy rule is defined, it appears in the Protection Policy editor. The rule has two child nodes: conditions and actions. The conditions node, Any of, lists the category risks that this rule can match. The actions node lists what happens when a condition is matched.

9. Click Save to save all rule definitions and generate the protection policy.

DLP Discover evaluates all rules before applying their actions so that redundant, duplicate, or contradicting actions can be consolidated. For example, if you create two rules with contradicting actions, such as setting permissions for the same group where the permission for one rule is ReadWrite and the other rule is ReadOnly, the most restrictive action (ReadOnly) is applied. Similarly, if one rule has an action to copy a file and another rule has an action to move the same file, the move action takes precedence.


5 Scan Reporting

Open the Event Explorer. The last scan you remediated is still displayed. Click the Reports | Summary tab to display a report for that scan. This tab displays system information, risk scan details, and a remediation summary.

The Saved Reports tab contains a list of shortcuts to scan reports, which are created if a scan report path is configured in the Settings | Reports tab. You can double click on any report name to open the report.

The Advanced Reports tab provides a menu containing groups of reports by type. When selected, a report will be generated and displayed in the current report viewer. The display size can be customized using the percentage drop down options. The displayed report can be sent to a printer or saved in one of three file formats: Excel, Word, or PDF. See the Trustwave DLP Discover User Guide for Stand-Alone Installations for more information.

If you want to create a typical tabular scan report, click Save Scan XLS Report on the tab’s ribbon. This will save the data as a Microsoft Excel®-compatible spreadsheet. The data shown on the Summary tab, a list of event items, and any system messages will be present in the spreadsheet.


You can configure DLP Discover to automatically generate a scan summary report at the completion of each scan in the Settings | Reports tab. You can also configure DLP Discover to email the scan summary report to one or more recipients. See the Trustwave DLP Discover User Guide for Stand-Alone Installations for details.

For a simpler comma-delimited list of events with details, click Save Scan CSV Report on the tab's ribbon.


Section 2 DLP Discover in an Organization

You can deploy multiple installations of DLP Discover to work together to scan and report data from throughout your organization. In such a deployment, each installation takes on a role which determines what that installation can do. Agents and scanners scan machines for events. They are registered to a console, which administers DLP Discover. Collectors collect and aggregate scans from scanners and agents. A DLP Discover user monitors scans on the console and constructs organization-level reports based on the aggregated data.

Organizational deployments are scalable and so can easily grow with your organization. At a minimum you must install a console, a collector, and a scanner or agent. For small organizations, the collector and console can be combined onto one machine. In larger organizations, you will want a dedicated machine for each of those roles.

Figure 2: A Large Organizational Deployment

Figure 3: A Small Organizational Deployment

This section guides you through a mock organizational deployment. It teaches you how to configure a

collector with console and install an agent. You will deploy fake data and build a simple organizational

hierarchy. You will then create two scan policies designed to scan in an organization. After running the

scans, you will learn a new way to read the results. Finally this section teaches you how to consolidate

scan results into a variety of reports. By following the instructions in this section, you will learn how to use

Trustwave DLP Discover’s powerful organizational tool to root out and protect the sensitive data in your

organization.

Before you start, it helps to know a little more about the different components and roles used in an

organizational deployment.

Components and Roles

Trustwave DLP Discover's architecture is based on the idea that each installation (called a node) has a

role in your overall DLP Discover system. Nodes are assigned roles during their installation which

determine their functionality. Some roles can be combined with others. The larger the deployment, the

more important it is for each node to have a single role.

The most common role in DLP Discover is the scanner. Scanners can scan all possible targets. They also

have a user interface that shows what policies and scans they have run. Use this role where you scan

databases or any other targets that an agent cannot scan. Scanners are only available on supported

versions of Microsoft Windows.

An agent is a lightweight type of node that can be deployed on both Microsoft Windows and Linux

operating systems. Agents are managed through the console. They are more limited in what they can scan

and which settings their policies support. For instance, agents can only scan local and removable drives

that are attached to their machine. Agents are intended to be silently deployed through specialized installers

to remote machines across a network. They are configured via and registered with the console before

being left to operate as instructed. Agent scan results are stored locally before being uploaded to a

collector. Use agents to scan Linux or Windows machines that do not require a user interface for DLP

Discover.

A collector aggregates scan results from scanners and agents. When a scanner or agent finishes a scan,

the node uploads its event and summary data in a ZIP file to its collector. The collector reads the data and

sends it to a central database, TrustwaveDiscoverEvents, to store the aggregated events. In a large

organization, you can install a load balancer in front of a set of collectors for better performance. In a small

deployment, a collector can be combined with the console. Collectors are only available on supported

versions of Microsoft Windows.

A console is where you configure the scan policies that run on scanners and agents, view the results from

those scans, and create reports based on those results. While you control a DLP Discover deployment

through the console, a console cannot scan anything by itself. Only configure one node as the console in

any deployment of DLP Discover. A console is only available on supported versions of Microsoft Windows.

The console role can be combined with either the scanner or collector role. In each case, the console

expands the scanner or collector's user interface so that you can configure and control your DLP Discover

system on that installation. Combining roles can conserve hardware and reduce the number of DLP

Discover nodes that you must install. However, combining roles also has consequences. A scanner with

console creates a single, stand-alone instance of DLP Discover which cannot be used in an organizational

deployment. A collector with console is ideal for a small organizational deployment but it limits how large

you can scale your deployment.

For more information about each role and what it can do, see the Trustwave DLP Discover 6.6 User Guide

for Organizations.

How to Use This Section

This section expands on what you learned in section 1. It guides you through an extended scenario that will

teach you the essential organizational features of DLP Discover. After working through the scenario in this

section, you will know DLP Discover’s workflow and how to realize DLP Discover’s full potential in your

organization.

For this scenario, you must have two servers: one to act as the collector with console and the other to act

as an agent. Use the installation from section 1 to be the collector with console.

1. Prepare the installation from section 1 to be a collector with console and install an agent on the second

server. See chapter 6.

2. Create a global scan policy to search for and protect data across your organization. See chapter 7.

3. Create a simple group in DLP Discover’s organizational hierarchy in anticipation of reporting. See

chapter 8.

4. Create a group scan policy to search for sensitive data across that group. See section 8.3.

5. Schedule and run scans for both policies. See chapter 9.

6. View scan results. See chapter 10.

7. Create reports on those results. See chapter 11.

Only configure one node of DLP Discover with console abilities in any deployment of DLP Discover.

At this point in an organizational deployment, you normally create protection policies. In this scenario, you are going to use the protection policy that you created in section 1.

After this scenario and before you deploy DLP Discover to your organization, take time to identify specific content risk categories to scan for, where to scan, what target files to scan, and what to do with the sensitive data that you will discover. Once you identify this information along with any variations that occur within different parts of your organization, you will be able to use DLP Discover’s organizational functionality to your greatest benefit.

6 Setup

In organizational deployments, scanners and agents gather data by scanning file systems and uploading

their results to their collector. To perform the exercises in this section, you must configure the DLP

Discover installation from section 1 to be a collector with console, then configure and install an agent on a

different machine, and install sample data on each machine.

To set up your DLP Discover system:

• Configure the collector with console. See section 6.1.

• Configure the agent installer. See section 6.2.

• Install the agent on the second server. See chapter 4, sections 2 or 3 of Trustwave DLP Discover 6.6

User Guide for Organizations for installation instructions, depending on the operating system of your

second server.

• Unpack the example sample data. See section 6.3.

6.1 Configuring a Collector with Console

Since DLP Discover is already installed, all you have to do is configure it to be a collector with console on

the Settings | Role tab. To ensure proper communication between the collector with console and its agent,

you must also ensure that both machines have identical port information, SSL enablement, and

credentials.

To configure the collector with console:

1. Open the Settings | Role tab.

2. Select Collector with Console.

3. Ignore the Load Balancer text box.

4. In the Receiving Port field, enter the communication port that will be used to send and receive

messages to the collector with console.

5. Ignore the Enable SSL check box. This option adds a secure socket layer (encryption) while

transmitting between the collector with console and the scanners and agents.

Load balancers are only used when an organizational deployment has more than one collector.

You may need to ask your IT administrator to add or update the network switch firewall rule to allow this port access.

The communication message payload is always encrypted regardless of the SSL option. The SSL option requires a certificate installed on the console.

6. Enter authentication credentials for the console with collector. These credentials should be the same

across your deployment.

a. In the Username field, enter the username needed to access the console and all collectors.

b. In the Password field, enter the password needed to access the console and all collectors.

c. In the Confirm Password field, re-enter the password needed to access the console and all

collectors.

7. Click Save.

8. Create a local firewall rule on this installation and other DLP Discover collector installations (for large

organizational deployments) to allow incoming communication traffic to flow to them from other DLP

Discover installations, such as scanners and agents.

a. Open the Windows Start menu and search for Windows Firewall with Advanced Security.

b. Click on Inbound Rules.

c. When the rules appear, right-click on Inbound Rules and select New Rule...

The New Inbound Rule Wizard opens.

i. On the Rule Type page, select Port and click Next.

ii. On the Protocol and Ports page, select TCP.

iii. In the Specific local ports text box, enter the communication port specified above and click

Next.

iv. On the Action page, select Allow the connection and click Next.

v. On the Profile page, select the appropriate domain or network location and click Next.

vi. On the Name page, enter a name for this rule, for example TW DLP Discover, and click Finish.

The rule appears in the Inbound Rules list.

These credentials are determined by what you enter now on this collector with console. All other installations must use the same credentials for registration and other communications. For agent installation, these credentials are included in their installation packages. See the agent Readme file for more details.

To see what you typed, click and hold the buttons at the end of the Password and Confirm Password fields.

Did you notice a new Dashboard tab along the top? Do not worry about it for now. It will be discussed in a later chapter.

The console, collector with console, and collectors must run DLP Discover as an administrator to successfully initialize their local Rest API server.
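
A scripted equivalent of the inbound rule from step 8, added here as an example and not taken from the Trustwave documentation. The $ReceivingPort value, the $RemoteAddress scoping, and the listener check are assumptions: the guide does not state a port number, and it does not say that the collector listens on the Receiving Port once the role is saved.

```powershell
#Requires -RunAsAdministrator
# Added example (not Trustwave code): create the step 8 inbound rule from an
# elevated PowerShell session, then report what was actually applied.
param(
    # Assumption: the value typed into the Receiving Port field in step 4.
    [Parameter(Mandatory)]
    [ValidateRange(1, 65535)]
    [int]$ReceivingPort,

    # Rule name suggested by the guide on the wizard's Name page.
    [string]$RuleName = 'TW DLP Discover',

    # Same choice as the wizard's Profile page.
    [ValidateSet('Domain', 'Private', 'Public', 'Any')]
    [string]$NetworkProfile = 'Domain',

    # Assumption: 'Any' reproduces the wizard's result. Passing the subnets
    # that hold your scanners and agents narrows who can reach the port.
    [string[]]$RemoteAddress = @('Any')
)

$settings = @{
    Direction     = 'Inbound'
    Protocol      = 'TCP'
    LocalPort     = $ReceivingPort
    Action        = 'Allow'
    Profile       = $NetworkProfile
    RemoteAddress = $RemoteAddress
    Enabled       = 'True'
}

# Re-running the script updates the existing rule instead of stacking duplicates.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Set-NetFirewallRule @settings
} else {
    New-NetFirewallRule -DisplayName $RuleName @settings | Out-Null
}

# Read the rule back from the firewall store rather than trusting the input.
$report = foreach ($rule in Get-NetFirewallRule -DisplayName $RuleName) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        Profile       = $rule.Profile
        Protocol      = $portFilter.Protocol
        LocalPort     = $portFilter.LocalPort -join ','
        RemoteAddress = $addrFilter.RemoteAddress -join ','
    }
}
$report | Format-List

if ($RemoteAddress -contains 'Any') {
    Write-Warning "Rule '$RuleName' accepts connections from any source address on the '$NetworkProfile' profile."
}

# Assumption: after Save on the Settings | Role tab, the collector listens on
# the Receiving Port. An open port with no listener usually means the role was
# not saved or DLP Discover is not running as an administrator.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $ReceivingPort -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($listener in $listeners) {
        $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("Listening on {0}:{1} (process: {2})" -f $listener.LocalAddress, $listener.LocalPort, $proc.ProcessName)
    }
} else {
    Write-Warning "Nothing is listening on TCP port $ReceivingPort yet."
}
```

Saved under a hypothetical name such as New-DiscoverInboundRule.ps1, it is run on each collector with -ReceivingPort set to the port entered in step 4.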

6.2 Configuring the Agent Installer

In organizational deployments, agents gather data by scanning file systems and uploading their results to

their collectors. For this scenario, you configure a DLP Discover agent installer before installing it on the

second server to become an agent to the collector with console you already created.

To configure an agent installer:

1. On the Settings | Role tab of your collector with console, click Download Agent Installers.

A ZIP file that contains all of the unconfigured installers downloads to your computer.

2. When the download is complete, extract the installers.

3. In DLP Discover, click the Create Agent Installation Package button.

a. In the Select Discover Agent Installer window, select the installer type that you want for this

installation zip package. Look for:

• discover-agent-[version number]_x64.exe for 64-bit Windows systems

• discover-agent-[version number]_x86.exe for 32-bit Windows systems

• discover-agent-[version number and OS version].x86_64.rpmz for 64-bit Linux systems

• discover-agent-[version number and OS version].i686.rpmz for 32-bit Linux systems

4. Click Open.

The Select Discover Agent Installer window closes as a Browse For Folder window opens.

5. In the Browse For Folder window, select where you want to save the installer zip package and click OK.

The Browse For Folder window closes, while the Installer Settings window opens.

6. In the Installer Settings window, confirm the parameters and click OK.

A confirmation opens that states where the file was saved. The installer zip package includes a

win-agent-readme.txt file for the Windows installer or linux-agent-readme.txt for the Linux installer. The

win-agent-readme.txt file describes how to use the installer on Windows systems and

linux-agent-readme.txt describes how to use the installer on Linux systems.

7. Click OK.

8. Install the agent on the second server. See chapter 4, sections 2 or 3 of Trustwave DLP Discover 6.6

User Guide for Organizations for installation instructions, depending on the operating system of your

second server.

6.3 Unpacking the Example Data

To continue with this scenario, you must once more unpack the set of fake data that you unpacked at the

beginning of section 1. This time the data will be detected by two different scan policies. To use the data,

you need to extract it to specific directories on both servers. Use the following procedure to set up the

example data.

1. On the local hard drives of both the collector with console and the agent, create two directories:

C:\Customer Data2 and C:\Sensitive Content\

2. Extract the contents from the sample Sensitive Content.zip file located in

%Program Files%\Trustwave\DLP Discover\sensitive content to each of the directories you created.

7 Scan Policies for Data Across An Organization

In a stand-alone deployment, all scan policies are applied to your one instance of DLP Discover. In an

organizational deployment where there are many instances of DLP Discover, scan policies can be applied

to every DLP Discover scanner and agent. These policies are called global scan policies.

Global scan policies are a powerful tool. In the simplest organizational deployment of DLP Discover, you

(or some other central administrator) install a collector with console and agents. You then create global

scan policies which are sent to all agents and scanners in your organization. After the policies scan their

targets, you view and report on the scans’ findings without ever touching an agent. This is how global scan

policies can give you consistent and thorough information across an organization.

Global scan policies appear on agents and scanners as local instances of that policy. These instances are

linked to the global policy through something called inheritance. Inheritance means that any change made

to the global policy is applied to the local instance.

Now you will create a global scan policy called Example Global Policy. It will search for all types of DLP

Discover-defined risks in the C:\Customer Data2 folder that you unpacked in the last chapter and in your My

Documents folder. Later you will schedule this policy to run and will generate a report from its scan results.

To create a global policy:

1. On the Policy Management tab, open the Organization tab.

The Organization editor opens.

There are also scan policies that are applied to only some scanners and agents. Those are discussed in the next chapter.

When new scanners or agents join, they inherit all global scan policies.

2. In the Organization editor, expand the hierarchy. Notice that the Customer Data policy from section 1 is

still under the local scanner on your collector with console. It is a local scan policy.

a. Right click on Customer Data and select Disable.

The policy’s icon changes to indicate that it is disabled.

b. Click Commit Changes to apply the changes.

3. Right click on Global Audit Policy and choose Add New Audit Policy from the context menu.

The Edit Policy- New - Global panel opens.

4. On the Policy Settings tab:

a. Enter Example Global Policy in the Name: text box.

A policy’s name cannot be changed once it is created.

b. In the Settings drop down list, choose Use Override.

The policy’s settings are inherited from the Organization’s settings. Now you can modify any of

these settings.

c. Under Scheduled Scan Control, choose Scan modified since last scan.

This option speeds up scans after a policy runs its first scan.

Each scan policy scans all of its targets in the same way. Scans can be quick or full. A quick scan is faster because it is optimized for time. A full scan is more comprehensive and uses advanced scoring logic. A quick scan scans the first 3 megabytes of each target file, while a full scan scans the first 10 megabytes.

Scan policies are intended to scan the same targets multiple times. Typically, the first scan scans every target. You can speed up subsequent scans by only scanning file targets that have been modified since the last scan or since a particular date.

5. On the Content Risks tab, click the checkbox in the title bar above the content risks to select all.

6. Add scan targets:

a. Click the Add Local Folder button.

The Select Directories window opens. Notice that no folder hierarchy appears.

Policies contain scan targets, allowing you to create a group of scan targets based on specific organizational structures or operational objectives. It is useful to build a policy dedicated to scanning a group of assets (servers, databases, drives) based on the sensitive data the assets may contain or based on the compliance regulations to which they are subject.

i. In the Folder: text box enter C:\Customer Data2

ii. Click OK.

iii. Go to the Scan Targets tab to see that Customer Data2 has been added as a scan target.

b. Click the Add Dynamic Targets button.

The Add Dynamic Scan Targets window opens.

i. Choose both Dynamic: Folder - My Documents folders.

ii. Click OK.

As the Add Dynamic Scan Targets window closes, your selections appear in the Scan Targets

tab.

7. On the Remediation tab, click Auto Remediation Enable.

Depending on the operating system version, one folder applies to Windows 7 and older while the other folder applies to Windows 8 and newer.

a. Under File Action, click Copy.

b. Under Copy/Move Paths:

i. Enter C:\For Review in the Windows: field.

ii. Enter /etc/users/quarantine in the Linux: field.

8. Click OK.

The policy appears under the Global Audit Policies node.

All policies under the root Global Audit Policies node are global policies that are applied to all scanners and agents.

9. Click Commit Changes.

The policy is transmitted to all agents and scanners on their next contact with the collector with

console.

This chapter briefly described how to create a global scan policy. For more information on global scan

policies, see the Trustwave DLP Discover 6.6 User Guide for Organizations.

8 Scan Policies for Data in an Organizational Group

DLP Discover understands that organizations are made of groups. They can be functional groups (such as

Legal or Accounting), regional groups (such as the Midwest), offices (such as one in Boston), or some

other type of division. Each group has data that is specific to itself. To scan these groups and their unique

collection of data, DLP Discover offers group scan policies, policies that scan and report on specific groups

within your organization.

To create a scan policy for a group, you must first create the group in DLP Discover or rather a

representation of your organization. You do this by building a virtual hierarchy of your organization in the

Organization Editor. This hierarchy must map out the groups, employees, and agents that you want to scan

and report on.

While that sounds like a lot of work, it is not. DLP Discover has already started the hierarchy for you.

Expand the Organization hierarchy on the Policy Management | Organization tab. (If the picture below does

not match what you see, click Refresh and expand the hierarchy.)

Notice that DLP Discover has automatically added the two installations of DLP Discover that you installed,

along with their local instances of the global scan policies. DLP Discover does this for all of its scanners

and agents. What you need to do is add the people and groups that use those machines.

DLP Discover provides two ways to add people and groups to its Organization hierarchy. They can be

imported from Active Directory or added manually. In the upcoming scenario, you are going to add a group

manually. (See the Trustwave DLP Discover 6.6 User Guide for Organizations for how to import from

Active Directory.)

The Organization Editor is available on the console, collector with console, scanner with console, and on

the scanner; but the editor is disabled on the scanner. You can only view the audit policies on the scanner.

Also, agents do not have a user interface.

8.1 Creating an Organizational Hierarchy

Objects and people in the Organization Editor are represented as nodes in the hierarchy. Each node is

either an organization entity (people, agents, scan histories, or scan policies) or a linking node (relationship

or area of responsibility). Linking nodes must be added manually to the hierarchy. You will learn about

linking nodes in section 8.2.

You can add groups, people, and scan policies to the hierarchy. Groups can be organizational units,

regions, offices or more. DLP Discover adds scanners and agents as they come online. Scan policies are

added as they are created.

The following instructions teach you how to add a group and people to the Organization hierarchy.

DLP Discover uses the term “node” to describe both objects in the Organization hierarchy and as a generic term for installations of DLP Discover.

Table 6: Possible Types of Entity Nodes in an Organization’s Hierarchy

TYPE OF NODE: DESCRIPTION

Agent: A DLP Discover agent. Hover over an agent to see its details. Agents are automatically added to the hierarchy. These nodes exist in a separate branch of the hierarchy under Agents and Scanners but can be associated to other branches through linking nodes.

Agents and Scanners: Parent node for agents and scanners in the hierarchy.

Group: A collection of people, agents, audit policies, and/or other groups. A group has a name and often some sort of defining characteristic. This type of entity can be reported upon.

Members: Parent node under a group for person nodes.

Organization: Top node for the organization hierarchy. Its name and icon can be customized to your organization.

Person: A person in the organization. This entity can have an email address, role, title and/or location. This type of entity can be reported upon and can have linking nodes.

Scanner: A DLP Discover scanner. Hover over the scanner to see its details. Scanners are automatically added to the hierarchy. These nodes exist in a separate branch of the hierarchy under Agents and Scanners but can be associated to other branches through linking nodes.

Optionally, you can import your current Active Directory's group and user information.

1. On the Policy Management | Organization tab of the collector with console, add a group:

a. Right click on the Organization node and select Add New Group from the context menu.

The Edit Group form opens to the right.

b. In the Name field, enter Accounting.

c. Mark the Enable Reporting check box if it isn’t already.

d. Choose OK.

The Accounting group is added to the hierarchy.

2. Add a person to the Accounting group:

a. Right click on the Accounting node and select Add New Person from the context menu.

The Edit Person form opens to the right.

b. In the Name field, enter Maddox.

c. In the Role field, enter Manager.

d. Mark the Enable Reporting check box, if it is not already.

e. Choose OK.

Maddox appears under Members within the Accounting group.

3. Add Aubrey the Auditor and Jackie the Accountant to the group. Both should be enabled for reporting.

8.2 Linking People and Groups

Organizations are built on relationships and responsibilities. You can represent those relationships and

areas of responsibilities in the Organization Editor by linking people, agents, groups, and policies to other

persons or groups. These connections appear in the Organization hierarchy as nodes called linking nodes.

They specify whether a person or group is the owner, manager, principal, auditor, or interested party of

another entity in the organization.

Linking nodes appear as child nodes under the person or group’s node that they are attached to. They are

separate and independent of the entities they represent. Thus each person, group, etc. can have several

linking nodes and be represented by several other linking nodes. Imagine a middle manager who has a

team of people reporting to her and who is audited regularly. In DLP Discover, this person’s node would

have a linking node under it for each person on her team, while she herself would be represented by

linking nodes under both her auditor and her manager.

Linking nodes enable you to run organizational reports which you will learn about in chapter 11. For now,

you will create several linking nodes in preparation of those reports.


To add relationships and responsibilities to a hierarchy:

1. On the Policy Management | Organization tab in the Organization Editor, drag and drop Accounting onto Maddox. If necessary, open Maddox’s node.

A linking node for Accounting appears under Maddox. Note that the original Accounting node has not moved. Maddox is now the manager of the Accounting group.

2. Drag and drop Jackie onto Aubrey.

A linking node for Jackie appears.


3. Right click on Jackie’s linking node and choose Set as Auditor.

Aubrey is now Jackie’s auditor.

4. Drag and drop the Audit Policy Example Global Policy onto Jackie.

A linking node for the policy appears under Jackie.

5. Set Aubrey to be Maddox’s auditor too.


6. Open the Agents and Scanners node.

7. Drag and drop an online agent or scanner onto Accounting. That is, choose an agent or scanner with a green square.

The agent is now part of the Accounting group.


8.3 Create a Group Scan Policy

Now that you have people and groups in your hierarchy, you can create a scan policy specifically for that group. DLP Discover applies group scan policies to every agent and scanner within the group, just as global scan policies are applied to all agents and scanners in an organization. Group scan policies appear as linked local instances on the group’s agents and scanners. In this state, changes to the group policy are automatically inherited by the local instances.

For this scenario, you will create a simple group scan policy that inherits its settings from the collector with console’s global settings.

To create a group policy:

1. On the Organization tab of the Policy Management tab, open the Accounting group in the Organization editor.

2. Right click on Accounting’s Group Audit Policies branch.


3. Choose Add New Audit Policy from the context menu.

The Edit Policy- New - Group panel opens.

4. On the Policy Settings tab, enter Example Group Policy in the Name: text box.

5. On the Policy Settings tab, choose Use Inherited from the Settings drop down list.

A policy’s name cannot be changed once it is created.


6. On the Content Risks tab, select Credit Card Number Only.

7. Open the Scan Targets tab.


8. Click the Add Local Folder button.

The Select Directories window opens.

a. Enter C:\Sensitive Content2\ into the Folder: field.

b. Mark the Skip Without Error check box for that target. This feature silences and conceals “directory missing” errors during scans if the target is not present.


c. Click OK.

As the Select Directories window closes, your selections appear in the Scan Targets tab.

9. Click OK.

The policy appears under the Group Audit Policies node.


10. Click Commit Changes.

The policy is transmitted to all agents on their next contact with the collector with console.


9 Scheduling Scans

Scheduling in an organizational deployment is very similar to scheduling in a stand-alone deployment. Each policy has its own schedule complete with recurrence settings. The one difference is that you can choose whether a scan will run on a specific agent or scanner, on all agents and scanners, or only on agents and scanners that belong to a specific group.

You schedule global and group policy scans on the collector with console. When an agent or scanner downloads its updated policies, it also receives DLP Discover’s entire schedule, custom categories, and protection policies.

Scheduled scans can take up to a minute to initiate. Scan schedules may not overlap on any given agent or scanner, even if the second scan is for the same scan policy. Scans on different agents and scanners can overlap.

For this scenario, you will schedule the global and group policies you just made.

9.1 Schedule the Global Scan Policy

1. On the Policy Management | Schedule tab, click the Work Week View button.

The calendar displays the Work Week View. It also has the disabled Customer Data policy.


2. Double click on a period 15 minutes from now.

The Policy Scan Period window opens.

a. In the Select a policy list, double click on Example Global Policy under Global Audit Policies.

b. Select Start or Resume Scan from the Start drop down list.

c. Select Run to Completion from the End drop down list.

d. In both of the Scan Settings, choose Use policy default.


e. Choose Recurrence.

The Scan Period Recurrence window opens.

3. In the Scan Period Recurrence window:

a. In the Period times section, confirm and, if necessary, adjust the Start and End times.

b. Set the Duration drop down list to 30 minutes.

The other field may adjust.

c. In the Recurrence pattern section, select the Daily radio button.

d. Select Every weekday to make the scan run on only work days.

e. In the Range of recurrence area, set the Start field to today.

f. Choose End after and enter 3 for the number of occurrences.

g. Click OK.

The Scan Period Recurrence window closes.

Recurring scans have a range of recurrence, which is the span of time over which they can occur. You must specify the date when the scans can begin to occur. After that, you choose whether the scan will recur forever, until a specified date, or until it has occurred a set number of times.

When the End type is Run To Completion, this time duration will be ignored.


4. Click OK.

The Policy Scan Period window closes. The new scan schedule appears on the calendar.

Notice that the scan period is labelled with Global Audit Policies/ and the name of the policy. You can also hover the cursor over the scheduled period to see the full description.


9.2 Schedule the Group Scan Policy

1. On the Policy Management | Schedule tab, click the New Scan Period icon on the far left of the ribbon.

The Policy Scan Period window opens.

a. In the Select a policy list, double click on Example Group Policy under Accounting | Group Audit Policies.

b. Select Start or Resume Scan from the Start drop down list.

c. Select Run to Completion from the End drop down list.

d. In both of the Scan Settings, choose Use policy default.


e. Choose Recurrence.

The Scan Period Recurrence window opens.

2. In the Scan Period Recurrence window:

a. In the Period times section, set the Start time to 35 minutes from now.

b. Set the Duration drop down list to 1 hour.

The other field may adjust.

c. In the Recurrence pattern section, select the Weekly radio button.

d. Set Recur every to 1 and select today and one other weekday.

e. Choose End after and enter 3 for the number of occurrences.

f. Click OK.

The Scan Period Recurrence window closes.


3. Click OK.

The Policy Scan Period window closes. The new scan schedule appears on the calendar.

Notice that the new scan period is labelled with the group’s and group policy’s name.

4. Click the Org button on the far left of the ribbon and then click Commit Changes.

The calendar is transmitted to all agents on their next contact with the collector with console.

Now that both your policies are scheduled and downloaded to all agents, take a break to let their scans run. Alternatively, you can return to the Organization editor, right click on each of the scan policies in the hierarchy and choose Start scan on all agents/scanners. Just remember that you have to let one scan complete before you start the next one.
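A pre-flight check for the no-overlap rule in chapter 9, run against the two schedules entered in sections 9.1 and 9.2. This is an added example, not part of the guide or of DLP Discover; the agent names, the Monday start date, the choice of Wednesday as the other weekday, and the use of Duration as a runtime estimate (the product ignores it under Run to Completion) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from itertools import combinations


@dataclass(frozen=True)
class ScanPeriod:
    policy: str
    agents: frozenset     # agents/scanners the policy is applied to
    start: time           # Period times: Start
    runtime: timedelta    # planning estimate of how long the scan runs
    first_day: date       # Range of recurrence: Start
    weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    occurrences: int      # "End after" N occurrences


def expand(period):
    """Return the (begin, end) datetimes of every occurrence of a scan period."""
    if not period.weekdays:
        raise ValueError("recurrence pattern selects no weekday")
    runs, day = [], period.first_day
    while len(runs) < period.occurrences:
        if day.weekday() in period.weekdays:
            begin = datetime.combine(day, period.start)
            runs.append((begin, begin + period.runtime))
        day += timedelta(days=1)
    return runs


def find_overlaps(periods):
    """List (agent, earlier policy, later policy, later start) for every pair of
    runs that overlap on the same agent. Runs on different agents never conflict,
    and two runs of the same policy on one agent are checked like any other pair."""
    per_agent = {}
    for period in periods:
        for begin, end in expand(period):
            for agent in period.agents:
                per_agent.setdefault(agent, []).append((begin, end, period.policy))
    conflicts = []
    for agent in sorted(per_agent):
        runs = sorted(per_agent[agent])          # ordered by start time
        for (_, e1, p1), (b2, _, p2) in combinations(runs, 2):
            if b2 < e1:                          # later run starts before earlier one ends
                conflicts.append((agent, p1, p2, b2))
    return conflicts


EVERY_WEEKDAY = frozenset(range(5))
MON, WED = 0, 2


def walkthrough(global_runtime):
    """The schedules from 9.1 and 9.2 with a constructed clock and agent list."""
    now = datetime(2017, 12, 4, 9, 0)                   # constructed: a Monday, 09:00
    all_agents = frozenset({"AGENT-01", "AGENT-02"})    # constructed agent names
    accounting = frozenset({"AGENT-01"})                # the agent dropped onto Accounting
    global_scan = ScanPeriod("Example Global Policy", all_agents,
                             (now + timedelta(minutes=15)).time(), global_runtime,
                             now.date(), EVERY_WEEKDAY, 3)
    group_scan = ScanPeriod("Example Group Policy", accounting,
                            (now + timedelta(minutes=35)).time(), timedelta(hours=1),
                            now.date(), frozenset({MON, WED}), 3)
    return find_overlaps([global_scan, group_scan])


if __name__ == "__main__":
    for minutes in (30, 10):
        print(f"global scan estimated at {minutes} min:")
        for agent, first, second, when in walkthrough(timedelta(minutes=minutes)):
            print(f"  {agent}: {second} starts {when} while {first} is still running")
```

If the global scan needs the full 30 minutes, the Accounting agent is still busy when the group scan is due on the two days both policies run; with a 10 minute estimate nothing collides.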


10 Viewing Organizational Scan Results

After scanning files and databases, you can review results in the Dashboard and Event Explorer. The Dashboard is an organizational tool that presents a heatmap-style view of scan results for a ten-day period. You can easily identify problematic nodes and groups (hotspots) before opening the Event Explorer for a more detailed analysis. Use these tools in conjunction to identify issues, analyze results, and create reports.

In this chapter, you will view scan results in the Dashboard and filter them on a single scan. You will then examine those results in the Event Explorer and view them based on a group and a person. Along the way you will see how the protection policy remediated the scan results.

10.1 Viewing Results in the Dashboard

Click the Dashboard tab to open it. If you do not see your results, check the End Date and click Refresh.

The Dashboard presents results in the same organizational hierarchy that is created in the Organization Editor. Agents and scanners list their results in rows with each column representing a single day. The cells display the total number of events from all of the scans run on an individual node on that specific day. If multiple scans are run for the same scan policy, only the results of the final scan are shown. If no scans were run on a DLP Discover node on that day, a “no data” symbol appears. The Dashboard is only available on machines with the console only or collector with console roles because they have access to scan results from all agents and scanners.

Do not proceed until after Example Global Policy and Example Group Policy have completed at least one scan. If one of these policies has not yet done so, either wait for the scan to complete or go to the Organization editor, right click on the policy that has not run and choose Start scan on all agents/scanners. Let the scan finish before you continue.

This display is highly configurable. You can filter the data for specific risk categories or scan policies, groups, nodes and values. You can also modify colors and scale of the heatmap to suit your organization’s needs.

1. Click on End Date and choose today.

2. Click the Policy/Category Filter button.

The Policy and Category Filter opens.

3. Under Policies, unmark All.


4. Select Example Global Policy.

5. Click OK.

The Dashboard adjusts to display only the results from that scan policy. If all of the scan results come from Example Global Policy, the Dashboard appears the same as before.

6. Hover your mouse over the Policy/Category Filter button.

A tool tip opens that lists which filters are active.

7. Click on the results from today.

DLP Discover opens the Event Explorer and displays those scan results.

10.2 Viewing Results in the Event Explorer

In an organizational deployment, the Event Explorer’s abilities on a console are extended to display results from any agent or scanner in the organization so long as those results are stored in the console or collector with console. You can view scans individually, grouped by agent, or grouped by policy through the standard Scans hierarchy. There is also an Organization hierarchy that allows you to view results by organizational groups and members. As in a stand-alone deployment, you can still review multiple scans, remediate some risks, and generate reports.


You can re-run a scan from the Scans hierarchy. The Scans hierarchy displays scans organized by agent or scanner and by policy. Scans are listed by date and time and include the number of risk sources found. Only scans that are stored in the collector with console are available.

1. On the Event Explorer tab, select both Example Global Policy scans in the Scans hierarchy and choose View Scans.

Scan results appear on the center tabs of the Event Explorer.

2. Click Show Grid and By Category too.


3. Open the Events tab.


4. Click Settings.

The Event Explorer Settings dialog opens.

5. Mark Show Protected and Validate Protection for Scans by this Machine and choose OK.

6. Click View Scans.

When the scan results appear, you may need to scroll down a bit in the Events tab. Any events which are protected (for example by a protection policy) have a lock icon. Events that are not protected have a warning icon.

7. Hold your mouse over a specific event to see on which agent the event occurred.

On the collector with console, you can see the remediation history and Item Scan Report for events on agents and scanners. You can also add a reviewer’s note to the events on all agents and scanners.


8. Right click on an event with a warning icon and choose Show Remediation History.

A window opens that lists all remediation actions that have occurred on that file, in other words, that the file was copied to the folder C:\For Review.

9. Click Cancel.

10.3 Viewing Scan Results by Organizational Group or Member

You can use the organizational structure to view scan results according to groups and people. You can also filter according to members’ roles. In this scenario, you use the organizational hierarchy that you built in chapter 8.

To view and filter scan results according to the organizational structure:

1. Open the Organization hierarchy.

2. Click the By Group button on the Event Explorer tab’s ribbon to view the scan results that belong to groups.

The hierarchy displays only groups in the organization.

3. Select Accounting in the hierarchy on the left.


4. Click View Organization Events.

The events appear in the center tabs.


5. Click the By Member button on the Event Explorer tab’s ribbon to view the results of scans assigned to individual members.

The hierarchy displays groups and members in the organization.

6. In the Filter by Relationship drop down list, choose Owner.

Only members who own policies appear in the hierarchy.


7. Select Jackie in the hierarchy and click View Organization Events.

The events appear in the center tabs.


11 Creating Reports

You can create reports that span your entire organization on the console or collector with console. These reports are similar to single scan reports that are available on a stand-alone deployment. DLP Discover also provides organizational reports that depend on the organization hierarchy you create in the Organization Editor. You can craft organizational reports around groups, individuals, regions, policies, managers and violations. However, if an organizational report’s corresponding structure does not exist, the report cannot be run.

In this chapter, you create boilerplate information that goes at the top of each report and then work through two examples of how to report information from a group policy. These exercises demonstrate what a few of the reports look like and how they can be used in an organization.

11.1 Adding Default Information to Reports

You can create boilerplate text that appears at the top of each organizational report. This text may include a reviewer’s name, department, and instructions. Creating these defaults saves you time when you create several reports at once. Each default piece of information can be added, removed, or changed independently of other information. All text is automatically saved as it is entered.

1. On the Settings tab, open the Reviewer tab.


2. In the Reviewer Full Name text field, enter Hannah.

Hannah will be automatically populated in the Analyst and Reviewer fields in the organizational reports.

3. In the Organization Name field, enter Acme Financial.

Acme Financial replaces the label Organization in the Organization Editor. It also appears on every organizational report.

4. In the Department text field, enter Audits.

5. In the Instructions field, enter Remediate the violations listed below.

These instructions appear on the Violations Report by Organization Member when it is generated.

All of the information is automatically saved for future use.

11.2 Reporting Based on Group and Member

The Summary Report by Organization Group and Member provides a summary of violations for each group selected. Each table row details the number of violations by category and scan of an individual group member. A time frame and total number of violations appear for each group.

1. In the Event Explorer tab, open the Scans hierarchy.

To use this report, each selected group must have at least one member and the member must be linked to at least one scan policy.


2. Mark the two top nodes in the Scans hierarchy.

3. Choose View Scans.

Scan results for all scans in your organization appear on the center tabs of the Event Explorer.

4. Open the Reports | Advanced Reports tab.

The Advanced Reports tab provides a menu containing groups of reports by type. When selected, a report will be generated and displayed in the current report viewer. The displayed report can be sent to a printer or saved in one of three file formats: Excel, Word, or PDF.


5. Select Choose and Run Report | Organizational Reports | Summary Report by Organizational Group and Member.

6. In the hierarchy, select Acme Financial to create a report that contains all groups. Note that the Analyst field is already populated.


7. Choose OK.

A report is generated that describes violations that occur in the Accounting group.

11.3 Reporting Based on Relationships

The Summary Report for Managers by Organization Member provides a table of violations for each person in the specified relationship to the person selected, for example everyone that the selected person audits. Table rows are divided by assets associated with the person in question and detail the number of violations by category and scan found.

1. In the Advanced Reports tab, select Choose and Run Report | Organizational Reports | Summary Report for Manager by Organizational Member.

To use this report, the person selected must be in the specified relationship with at least one person or group and those entities must be linked to at least one scan policy each, either directly or through subunits.


2. In the Relationship drop down list, choose Auditor.

The hierarchy updates to display all auditors or, in this case, Aubrey.

3. Highlight Aubrey.

4. Choose OK.

A report is generated that shows what type of violations are occurring for each person Aubrey audits.
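The linking-node structure from section 8.2 and the prerequisite for this report, as an added sketch built from the walkthrough's own people and policies. It is not Trustwave code or a DLP Discover data format: `Organization`, `Node` and `report_ready` are hypothetical names, "through subunits" is assumed to mean following linking nodes downward, and the policy dropped onto Jackie is assumed to be held as Owner.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str                                            # "person", "group" or "policy"
    links: list = field(default_factory=list)            # linking nodes: (target, relationship)
    group_policies: list = field(default_factory=list)   # a group's own Group Audit Policies


class Organization:
    def __init__(self):
        self.nodes = {}

    def add(self, name, kind, group_policies=()):
        self.nodes[name] = Node(name, kind, group_policies=list(group_policies))

    def link(self, holder, target, relationship):
        """Drop `target` onto `holder`: a linking node for `target` appears under
        `holder`, making `holder` the `relationship` of `target`. The original
        `target` node does not move."""
        if target not in self.nodes:
            raise KeyError(target)
        self.nodes[holder].links.append((target, relationship))

    def related(self, holder, relationship):
        """Entities that `holder` has a linking node for in the given relationship."""
        return [t for t, r in self.nodes[holder].links if r == relationship]

    def represented_by(self, target):
        """Every (holder, relationship) whose linking node points at `target`."""
        return sorted((n.name, r) for n in self.nodes.values()
                      for t, r in n.links if t == target)

    def reaches_policy(self, name, seen=None):
        """True if `name` is linked to a scan policy directly or through the
        entities it holds linking nodes for. `seen` stops link cycles."""
        seen = set() if seen is None else seen
        if name in seen:
            return False
        seen.add(name)
        node = self.nodes[name]
        if node.kind == "policy" or node.group_policies:
            return True
        return any(self.reaches_policy(t, seen) for t, _ in node.links)

    def report_ready(self, person, relationship):
        """Check the report prerequisite. Returns (ok, blocking names); an empty
        blocking list with ok False means the person has no such relationship."""
        targets = self.related(person, relationship)
        if not targets:
            return False, []
        blocked = [t for t in targets if not self.reaches_policy(t)]
        return not blocked, blocked


def build_walkthrough():
    """The hierarchy built in chapter 8 of the guide."""
    org = Organization()
    org.add("Accounting", "group", group_policies=["Example Group Policy"])
    for person in ("Maddox", "Aubrey", "Jackie"):
        org.add(person, "person")
    org.add("Example Global Policy", "policy")
    org.link("Maddox", "Accounting", "manager")
    org.link("Aubrey", "Jackie", "auditor")
    org.link("Jackie", "Example Global Policy", "owner")   # relationship assumed
    org.link("Aubrey", "Maddox", "auditor")
    return org


if __name__ == "__main__":
    org = build_walkthrough()
    print("Aubrey as Auditor:", org.report_ready("Aubrey", "auditor"))
    org.add("Sam", "person")                 # constructed person with no policy link
    org.link("Aubrey", "Sam", "auditor")
    print("after adding Sam:", org.report_ready("Aubrey", "auditor"))
```

With the chapter 8 hierarchy the check passes for Aubrey as Auditor; adding an audited person who is linked to no scan policy makes it fail and names that person.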


11.4 Printing and Exporting Reports

You can print each report directly from the console by clicking the printer button. Organizational reports can also be exported directly into Microsoft Excel, Microsoft Word, and Adobe PDF. Just click the Export button and select a format.

Use the Print Preview button to customize the report's print format and other settings.


A Additional Requirements for Organizational Deployments

If you plan to try the scenario in section 2, then you must install DLP Discover on a machine that meets the system requirements for an organizational deployment. Organizational deployments require their collectors to execute and store hundreds or more scans per month on a consistent basis. Trustwave recommends that the collector system have the following configuration in addition to the requirements for a stand-alone deployment:

• 2.6 GHz or higher processor clock speed; Intel® Xeon™ CPU (8 cores) or compatible processor

• 16 GB of RAM or higher

• 100 GB or more of available hard disk space

• Licensed Microsoft® SQL Server 2012


About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.