The Skyhigh Security DLP/Skyhigh CASB integration has two parts. Skyhigh Security DLP synchronizes classification definitions with Skyhigh CASB. This operation takes place automatically when a Skyhigh Security DLP classification definition is added or changed if synchronization is enabled in the DLP Settings. Users working in the cloud can use the Skyhigh Security DLP classifications to manually classify Microsoft Office 365 documents.
Cloud-based files with classifications that trigger incidents due to Skyhigh CASB protection rules are pulled into the Trellix ePO database with a regularly scheduled server task and appear in DLP Incident Manager.
The incidents can be used for analysis and reporting in DLP Incident Manager and can be assigned to cases. However, they can only be resolved or updated in Skyhigh CASB.
1. Customers A and B create classification definitions and synchronize them with the Skyhigh CASB server.
2. Skyhigh CASB applies the classifications to protection rules and applies them to content for users working in the cloud.
3. Incidents are synchronized with Trellix ePO and displayed in DLP Incident Manager.
Configure Skyhigh CASB
Before you begin: Enable the Skyhigh CASB integration feature by configuring the Skyhigh CASB Server page in DLP Settings and enabling the Connect to Skyhigh CASB service handler.
To configure Skyhigh CASB in ePO:
Skyhigh Security DLP can synchronize classification definitions with Skyhigh CASB, and can synchronize incidents from the cloud with DLP Incident Manager. The two functions can be enabled separately.
1. From the Trellix ePO menu, select Data Protection > DLP Settings.
2. On the Skyhigh CASB Server tab, do the following:
   - Select the Connect to Skyhigh CASB service checkbox.
   - Enter the server path, user name, and password. Click Test Connectivity. The Connection status indicator displays success or failure.
   - To synchronize McAfee DLP classifications and policy, activate Push DLP policy to the Skyhigh CASB and select the DLP policy name.
   - To enable reporting Skyhigh CASB incidents in DLP Incident Manager, select the Pull incidents from Skyhigh CASB checkbox. Incidents are only pulled when the server task is enabled (steps 3 and 4).
   - Click Save.
3. From the Trellix ePO menu, select Automation > Server Tasks.
4. Locate the task DLP Import Skyhigh CASB Events and click Edit.
   - On the Description page, in the Schedule status section, select Enabled.
   - On the Actions page, verify that the checkbox is selected.
   - On the Schedule page, accept the default settings or edit as needed.
   - On the Summary page, verify the settings, then click Save.
5. Go to Data Protection > DLP Policy Manager > Policy Assignment. Click Actions > Apply Selected Policies, and select the DLP policy name.
6. Go to Data Protection > DLP Settings.
7. On the Skyhigh CASB Server tab, the Status section displays information on the synchronization. The synchronization time and number of classifications are updated.
Create a Policy in Skyhigh CASB
Once you've enabled Trellix ePO-Skyhigh CASB integration within Trellix ePO, and allowed classifications to be synced with the cloud, a new option called Skyhigh Security Classification appears under Classification selection in the Rules section. You can select an option from the list of Classifications when creating or updating a DLP policy.
To create a Classifications DLP Policy in Skyhigh CASB:
- Choose Policy > DLP Policies.
- Click Actions > Sanctioned Policy > Create New Policy.
- Enter a name for the policy, and an optional description.
- Select the 'Content Type' as 'Unified Cloud Edge'.
- Under Rules, click Classification, and then Service > McAfee Classification.
- For Classification, choose the Classification you'd like to include in the policy.
- Choose the rest of the settings in the policy, and then click Save.
Disable the Skyhigh CASB and Trellix ePO Integration
If you need to disable the Skyhigh CASB and ePO integration:
- Log in to Trellix ePO.
- Go to the Skyhigh CASB Server tab.
- Deselect the checkbox Connect to Skyhigh CASB.
- Click Save.
This will remove the integration.
NOTE: If the UI still shows a red status, it is safe to ignore it. Trellix ePO does not push any new classifications. It disables all existing policies.