mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,149 @@
|
||||
---
|
||||
name: implementing-endpoint-dlp-controls
|
||||
description: >
|
||||
Implements endpoint Data Loss Prevention (DLP) controls to detect and prevent sensitive data
|
||||
exfiltration through email, USB, cloud storage, and printing. Use when deploying DLP agents,
|
||||
creating content inspection policies, or preventing unauthorized data movement from endpoints.
|
||||
Activates for requests involving DLP, data exfiltration prevention, content inspection, or
|
||||
sensitive data protection on endpoints.
|
||||
domain: cybersecurity
|
||||
subdomain: endpoint-security
|
||||
tags: [endpoint, DLP, data-loss-prevention, data-protection, content-inspection]
|
||||
version: 1.0.0
|
||||
author: mahipal
|
||||
license: MIT
|
||||
---
|
||||
# Implementing Endpoint DLP Controls
|
||||
|
||||
## When to Use
|
||||
|
||||
Use this skill when:
|
||||
- Deploying endpoint DLP to prevent sensitive data (PII, PHI, PCI) from leaving the organization
|
||||
- Configuring content inspection rules for email attachments, USB transfers, and cloud uploads
|
||||
- Implementing Microsoft Purview DLP or Symantec DLP endpoint policies
|
||||
- Meeting compliance requirements for data protection (GDPR, HIPAA, PCI DSS)
|
||||
|
||||
**Do not use** for network DLP (inline proxy-based) or cloud-only DLP (CASB).
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Microsoft 365 E5 or standalone Microsoft Purview DLP license
|
||||
- Microsoft Purview compliance portal access (compliance.microsoft.com)
|
||||
- Sensitive Information Types (SITs) defined for organization data
|
||||
- Endpoint onboarded to Microsoft Purview (via Intune or SCCM)
|
||||
|
||||
## Workflow
|
||||
|
||||
### Step 1: Define Sensitive Information Types
|
||||
|
||||
```
|
||||
Microsoft Purview → Data Classification → Sensitive info types
|
||||
|
||||
Built-in SITs for common data:
|
||||
- Credit card number (PCI)
|
||||
- Social Security Number (PII)
|
||||
- Health records (HIPAA)
|
||||
- Passport number
|
||||
- Bank account number
|
||||
|
||||
Custom SIT example (Employee ID):
|
||||
Pattern: EMP-[0-9]{6}
|
||||
Confidence: High
|
||||
Keywords: "employee id", "emp id", "staff number"
|
||||
```
|
||||
|
||||
### Step 2: Create DLP Policy
|
||||
|
||||
```
|
||||
Microsoft Purview → Data loss prevention → Policies → Create policy
|
||||
|
||||
Policy Configuration:
|
||||
1. Template: Financial / Medical / PII (or custom)
|
||||
2. Locations: Devices (endpoint DLP)
|
||||
3. Conditions:
|
||||
- Content contains: Credit card numbers (min 5 instances)
|
||||
- OR Content contains: SSN (min 1 instance)
|
||||
4. Actions:
|
||||
- Block: Prevent copy to USB, cloud, email
|
||||
- Audit: Log but allow (for initial deployment)
|
||||
- Notify: Show user notification with policy tip
|
||||
5. User notifications:
|
||||
- "This file contains sensitive data and cannot be copied to this location"
|
||||
- Allow override with business justification (optional)
|
||||
```
|
||||
|
||||
### Step 3: Configure Endpoint DLP Activities
|
||||
|
||||
```
|
||||
Monitored endpoint activities:
|
||||
- Upload to cloud service (OneDrive, Dropbox, Google Drive)
|
||||
- Copy to removable media (USB drives)
|
||||
- Copy to network share
|
||||
- Print document
|
||||
- Copy to clipboard
|
||||
- Access by unallowed browser (non-managed browser)
|
||||
- Access by unallowed app
|
||||
- Copy to Remote Desktop session
|
||||
|
||||
For each activity, configure:
|
||||
- Audit only (log the action)
|
||||
- Block with override (user can justify and proceed)
|
||||
- Block (prevent action entirely)
|
||||
```
|
||||
|
||||
### Step 4: Deploy in Audit Mode
|
||||
|
||||
```
|
||||
Deploy DLP policy in "Test mode with notifications" first:
|
||||
1. Policy runs in audit mode for 2-4 weeks
|
||||
2. Review DLP alerts in Activity Explorer
|
||||
3. Identify false positives
|
||||
4. Tune SIT patterns and conditions
|
||||
5. Add exclusions for legitimate workflows
|
||||
6. Switch to "Turn on the policy" (enforcement)
|
||||
```
|
||||
|
||||
### Step 5: Monitor and Respond
|
||||
|
||||
```
|
||||
Purview → Data loss prevention → Activity explorer
|
||||
|
||||
Key metrics:
|
||||
- DLP policy matches per day/week
|
||||
- Top matched sensitive info types
|
||||
- Top users triggering DLP
|
||||
- Top activities blocked (USB, cloud, email)
|
||||
- Override rate (percentage of blocks overridden)
|
||||
|
||||
DLP incident response:
|
||||
1. Review DLP alert with matched content
|
||||
2. Verify sensitivity of detected data
|
||||
3. Assess intent (accidental vs. intentional)
|
||||
4. If intentional exfiltration → escalate to security incident
|
||||
5. If accidental → educate user, refine policy
|
||||
```
|
||||
|
||||
## Key Concepts
|
||||
|
||||
| Term | Definition |
|
||||
|------|-----------|
|
||||
| **DLP** | Data Loss Prevention; technology that detects and prevents unauthorized transmission of sensitive data |
|
||||
| **SIT** | Sensitive Information Type; pattern matching rules for identifying sensitive data (regex, keywords, ML classifiers) |
|
||||
| **Policy Tip** | User-facing notification explaining why an action was blocked and how to request an override |
|
||||
| **Content Inspection** | Deep inspection of file contents to identify sensitive data patterns |
|
||||
| **Exact Data Match (EDM)** | DLP matching against a specific database of known sensitive values (exact SSNs, employee records) |
|
||||
|
||||
## Tools & Systems
|
||||
|
||||
- **Microsoft Purview DLP**: Cloud-managed endpoint DLP included in M365 E5
|
||||
- **Symantec DLP (Broadcom)**: Enterprise DLP with endpoint, network, and cloud modules
|
||||
- **Digital Guardian**: Endpoint DLP with data classification and protection
|
||||
- **Forcepoint DLP**: Unified DLP platform with endpoint agent
|
||||
- **Code42 Incydr**: Insider risk detection with file exfiltration monitoring
|
||||
|
||||
## Common Pitfalls
|
||||
|
||||
- **Over-blocking in enforcement mode**: Deploy DLP in audit mode first. Blocking common workflows without warning causes productivity loss.
|
||||
- **Too many SIT false positives**: Phone numbers, dates, and random number sequences can match PCI/SSN patterns. Tune confidence levels and require corroborating keywords.
|
||||
- **Ignoring user education**: DLP is most effective when users understand why data is protected. Policy tips should explain the restriction and provide approved alternatives.
|
||||
- **Not monitoring overrides**: If users frequently override DLP blocks, the policy is either too restrictive or users are ignoring data protection requirements. Review override reasons.
|
||||
@@ -0,0 +1,20 @@
|
||||
# Endpoint DLP Template
|
||||
|
||||
## Policy Summary
|
||||
| Policy Name | SITs | Action | Scope |
|
||||
|------------|------|--------|-------|
|
||||
| | | Audit / Block | Devices |
|
||||
|
||||
## Monitoring Metrics
|
||||
| Metric | Value |
|
||||
|--------|-------|
|
||||
| Policy matches (weekly) | |
|
||||
| Override rate | % |
|
||||
| Top triggered SIT | |
|
||||
| False positive rate | % |
|
||||
|
||||
## Sign-Off
|
||||
| Role | Name | Date |
|
||||
|------|------|------|
|
||||
| Data Protection Officer | | |
|
||||
| Security | | |
|
||||
@@ -0,0 +1,6 @@
|
||||
# Standards & References
|
||||
- **NIST SP 800-53 SC-7**: Boundary Protection - DLP enforces data boundaries
|
||||
- **PCI DSS 4.0 Req 3**: Protect stored account data
|
||||
- **GDPR Article 32**: Security of processing - preventing unauthorized data transfer
|
||||
- **HIPAA 164.312(e)(1)**: Transmission security for ePHI
|
||||
- **Microsoft Purview DLP**: https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
|
||||
@@ -0,0 +1,8 @@
|
||||
# Workflows
|
||||
## DLP Deployment
|
||||
```
|
||||
[Identify sensitive data types] → [Create SITs and policies]
|
||||
→ [Deploy in audit mode] → [Review Activity Explorer for 2-4 weeks]
|
||||
→ [Tune rules and exclusions] → [Enable enforcement]
|
||||
→ [Monitor alerts and override rates] → [Quarterly policy review]
|
||||
```
|
||||
@@ -0,0 +1,47 @@
|
||||
#!/usr/bin/env python3
|
||||
"""DLP Policy Analyzer - Analyzes DLP alert exports for policy tuning."""
|
||||
|
||||
import json, csv, sys, os
|
||||
from collections import Counter
|
||||
from datetime import datetime
|
||||
|
||||
|
||||
def parse_dlp_alerts(csv_path: str) -> list:
|
||||
alerts = []
|
||||
with open(csv_path, "r", encoding="utf-8-sig") as f:
|
||||
for row in csv.DictReader(f):
|
||||
alerts.append({
|
||||
"timestamp": row.get("Date", ""),
|
||||
"user": row.get("User", ""),
|
||||
"activity": row.get("Activity", ""),
|
||||
"policy": row.get("Policy", ""),
|
||||
"sit": row.get("Sensitive Info Type", ""),
|
||||
"action": row.get("Action", ""),
|
||||
"location": row.get("Location", ""),
|
||||
"overridden": row.get("Override", "").lower() == "true",
|
||||
})
|
||||
return alerts
|
||||
|
||||
|
||||
def analyze(alerts: list) -> dict:
|
||||
return {
|
||||
"total": len(alerts),
|
||||
"by_policy": dict(Counter(a["policy"] for a in alerts).most_common(20)),
|
||||
"by_user": dict(Counter(a["user"] for a in alerts).most_common(20)),
|
||||
"by_activity": dict(Counter(a["activity"] for a in alerts).most_common(10)),
|
||||
"by_sit": dict(Counter(a["sit"] for a in alerts).most_common(10)),
|
||||
"override_rate": round(sum(1 for a in alerts if a["overridden"]) / max(len(alerts), 1) * 100, 2),
|
||||
"blocked": sum(1 for a in alerts if "block" in a["action"].lower()),
|
||||
}
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
if len(sys.argv) < 2:
|
||||
print("Usage: python process.py <dlp_alerts.csv>")
|
||||
sys.exit(1)
|
||||
alerts = parse_dlp_alerts(sys.argv[1])
|
||||
result = analyze(alerts)
|
||||
out = os.path.join(os.path.dirname(sys.argv[1]) or ".", "dlp_analysis.json")
|
||||
with open(out, "w") as f:
|
||||
json.dump({"report_generated": datetime.utcnow().isoformat() + "Z", **result}, f, indent=2)
|
||||
print(f"Total: {result['total']} | Blocked: {result['blocked']} | Override rate: {result['override_rate']}%")
|
||||
Reference in New Issue
Block a user