Forcepoint DLP

SYSTEM ENGINEER COURSE

DATA SHEET
Forcepoint DLP System Engineer Course
COURSE SPECIFICS

Intended audience
Sales Engineers: Forcepoint employees selling or demonstrating the product, providers of technical
support during or after the Forcepoint DLP deployment.
Channel Partners: External Sales Engineers, consultants, systems integrators and implementation
specialists as well as ATC (Authorized Training Center) instructors.

Format
Live classroom training with presentations, labs, classroom discussions.

Duration
5 days, 8 hours per day.

Pre-requisites
Forcepoint DLP Admin Course and basic understanding of other TRITON products (in particular Web
and Email Security, Cloud Web, AP-ENDPOINT). Some background of mathematics, computer science
and Windows and Linux OS administration.

Certification requirements
Completion of all course sessions.

Overview
During the five days, you will create and test an existing deployment (Session 1), integrate Forcepoint DLP
with 3rd party products (Session 2), build simple policies, rules and exceptions (Session 3), leverage script
classifiers and cumulative rules (Session 4), create and use fingerprint and ML classifiers (Session 5),
configure discovery tasks to crawl files (Session 6), set up and manage Data Endpoints (Session 7), use
Data Endpoints for application control, encryption and discovery (Session 8), manage incidents and run
reports (Session 9), deal with failovers, upgrades and some troubleshooting (Session 10).

Course objectives
Deploy Forcepoint DLP in various enterprise environments
Identify the main interactions between the components, the architecture and sizing of the product
Create and use custom classifiers, predefined classifiers, rules and policies
Plan and implement policies for regulatory compliance, the prevention of IP loss and data theft
Configure and use Data Endpoint for real-time and discovery events
Manipulate incidents and reports, configure incident workflows via TRITON GUI or email
Perform the maintenance activities, upgrade, handle failovers, backups, restores and upgrades

1
Session 1: Components and
Architecture
1. Plan a new Forcepoint DLP
deployment depending on the scale
(Demo, Single Datacenter, Multiple
Datacenters).
2. Identify components (PEI, PE, Crawler,
OCR, EP Servers, EP Agents) and
hardware items of Forcepoint DLP
3. Size HW and map software
components to HW
4. Integrate with pre-existing environment
5. Set up various protector modes
6. Use CLI tools and configure debugging
modes
1) Component and Sizing Demos
a) DLP Manager setup options
b) Initial Setup of V10000
c) Using Sizing Guide
2) Protector Demos
a) Protector as ICAP server (Squid
proxy)
b) Protector on the mirror port
c) Protector as MTA
d) Mobile Agent
3) Product Architecture Demos
a) Load Balancing
b) PE Logging
c) CLI tools to extract plaintext and test
policies
d) Limits of file sizes, ZIPs and
timeouts
e) Resource resolver and user
directories
Session 2: Advanced Deployments
1. Online SharePoint and Exchange,
OneDrive for Business
2. DLP in other cloud platforms
3. Integrations with TRITON Web
Security
4. Integrations with TRITON Email
Security
5. Risk Ranking feature; deployment and
use of the DLP Analytics Server
1) Cloud Demos
a) Crawl Online SharePoint
b) Crawl Online Exchange
c) Control file upload and sharing to
the Office365
2) Web and Email Security
Integration Demos
a) URL categories and geolocation
b) CG to authenticate for Protector
c) Action plans involving Email Security
(queues, quarantines, encryption)
3) Risk Ranking Demos
a) Creating test traffic
b) Inspecting the analytics
2
Session 3: Simple Classifiers
1. Keyphrases, dictionaries, regex w.r.t.
capitalization, word boundaries, space
normalization, Unicode.
2. Regex flags in Python, regex performance
3. Thresholds, duplicates, “all parts of the
transaction” vs. “each part of the
transaction”
4. Boolean logic and evaluation order;
exception precedence
5. Specifying Source and Destination, LDAP
Search Expressions
1) Keyphrase, Dictionary, Regex
Demos
a) Keywords and dictionaries in
borderline cases.
b) Regexes: syntax errors,
performance, backtracking.
2) Filetype, Filename, Filesize Demos
a) File classifiers in borderline cases
b) Handling archives and encrypted
filetypes
3) Boolean Logic and Exception
Demos
a) Exceptions for LDAP search results
(by name, location in directory,
group(s), manager)
b) Exception ranking; policy levels
c) Running regression test for an AUP
using PolicyEngineClient
Session 4: Scripts and Cumulative
Rules
1. Compare script classifier alternatives (e.g.
credit cards)
2. Predefined policies and their fine-tuning
3. Malware detection classifiers, HTTP GET vs
HTTP POST
4. Script performance and mega breaches
5. Cumulative rules (Drip DLP) – configuration
and testing
1) PRECISE_ID_NLP Classifier Demos
a) Many ways to identify Credit Cards
b) Unhiding “Customizable ID”
c) Simulating a mega-breach
2) Malware Detection Demos
a) Configure “Malware Detection” on a CG
proxy. Trigger as many rules as possible.
b) Data Theft using HTTP GET
3) Cumulative Rules
a) Cumulative Rule lab with two time windows
b) Source based and Destination based load
balancing, creating too many counters
3
Session 5: Fingerprinting and
Machine Learning
1. Recognize the modes of file
fingerprinting
2. Understand the implications of N-gram
(5-word sliding window) algorithm
3. Apply the best practices of file/DB
fingerprinting
4. Export, backup and restore fingerprint
repositories, including PreciseID and
FPNE
5. Understand the Support Vector
Machine (SVM) algorithm
6. Use Machine Learning for source
code and other data types
1) File Fingerprinting Demos
a) Fingerprinting with Ignore sections
b) Adjusting FPR sensitivity;
canonizer.xml
2) Database Fingerprinting Demos
a) DB Fingerprinting on a CSV
b) Lab: DB Fingerprinting with SQL and
ODBC.
3) Fingerprint Maintenance Demos
a) Running fingerprint export and
import.
b) Fingerprints in the backup
procedures. Manually restoring from
the backup.
4) Machine Learning Demos
a) ML with predefined negatives
(source code)
b) ML with custom negatives
Session 6: Discovery and OCR
1. Components used for discovery
(TRITON Manager vs. Supplementary
Server vs. Endpoint)
2. Endpoint in discovery-only mode,
inside and outside the corporate
network
3. Discovery policies, tasks, features;
access rights.
4. Integration with file classifiers,
document tags
5. Remediation scripts for discovery
6. OCR feature for crawlers and network
gateways.
1) Discovery Deployment
a) Lab: Server Discovery: Manual vs.
Scheduled, Incremental vs. Full
b) Endpoint Discovery: Company
network vs. outside the network
2) Discovery Integration
a) Discovery in SharePoint Online
b) Discovery in Exchange Online
c) Discovery in databases
3) Discovery Functionality
a) Remediation scripts and options;
what can be changed; what
permissions are needed.
b) Reporting on incidents and
discovery task execution, sending
notifications.
4) Crawlers and OCR Feature
a) Testing OCR via CG (or Email
Security); experimenting with OCR
Server/Client
b) Discovery OCR tasks with load
balancing.
4
Session 7: Endpoint Deployments
1. Deploy Endpoints manually, using
SCCM or GPO
2. Network throttle on EP Server
3. Configure and use Endpoints on
XenApp and XenDesktop
4. Locally manage Endpoints, inspect
their configuration and logs; also
stealth-mode endpoints
5. Centrally manage and upgrade
endpoints
6. Endpoint HTTP and Endpoint Email
incidents
1) Data Endpoint Setup Demos
a) Manual install, stop, uninstall
b) Endpoint minimum configuration;
disablement and profile setup
c) Endpoint auto-upgrade URL
2) Configuration Management Demos
a) GPO and SCCP deployments.
b) Stealth mode deployments
c) XenDesktop and XenApp
deployments
3) Endpoint Email, HTTP Channels
a) Email incidents in MS Outlook and
other clients.
b) Email incidents in browsers; AJAX
applications, manipulating registry
Session 8: Endpoint Functionality
1. Configure and run Endpoint Discovery
tasks
2. Understand Endpoint architecture w.r.t.
applications and file access
3. Emulated USB Removable Media and
Endpoint Encryption
1) Application Control
a) Lab: Modifying clipboard behavior for
Application Groups
b) Lab: Trusted Apps w.r.t. file saving and
copying to LAN
c) Lab: Unhooking applications
2) Endpoint Discovery
a) Lab: Simple EP scan (full vs.
incremental)
b) Lab: Remediation script for EP discovery
3) Endpoint Encryption
a) Lab: Encryption with User Password (on
ImDisk-mapped letter drive)
b) Lab: Encryption with Profile Key (on
ImDisk-mapped letter drive)
5
 Session 9: Incidents and Reports
1. Use Incident Workflows: TRITON-
based and Email-based
2. Configure manual remediation scripts
3. Understand the role of SIEM, integrate
Forcepoint DLP with some SIEM
product
4. Configure and use dashboards and
alerts
5. Generate reports of traffic and
incidents (including SQL-based)
1) Incident Management
a) Releasing, escalating, assigning,
tagging, deleting incidents.
b) Force-release feature
c) Email Notifications with action links.
d) Manual remediation scripts
2) Incident processing
a) Integration with Splunk
b) SQL dump for a large number of
incidents
c) Testing the alerts for HD overflow.
3) Reporting
a) Reports from the TRITON system
b) Reports from the incident dump
c) Scheduled and customized incident
reports
d) Configuring Delegated
Administrators; hiding forensics
(also src and dest). Looking up the
users from 6-digit IDs.
Session 10: Maintenance and
Troubleshooting
1. Configure health and service monitoring
tools and automated alerts
2. Schedule tasks for backups and
housekeeping
3. Plan and implement high availability
4. Run upgrades, restore policies, FPR
and other elements
5. Manipulate MS SQL database
1) Running Routine Backups
a) Run/schedule a backup and a restore on
another machine.
b) Scripts to backup old incident partitions
and forensics.
c) Run semi-automatic failover
2) Upgrade
a) Run a TRITON upgrade script (8.2 to 8.3
or 8.2.5 to 8.3).
b) Comparing the incident SQL schemas for
various versions of the product.

For more information about other Forcepoint training offerings, please visit our Customer or Partner training page.

Questions about Forcepoint training? Contact Forcepoint Technical Readiness and Training at salestraining@forcepoint.com