Version: 25.08

Protection Policies

A policy provides the framework for controlling the movement of your data by linking specific datasets to defined rules. When data matches a linked dataset, Cyberhaven automatically applies the corresponding policy to the event.

Policies are enforced at the data destination. This means that whenever a user performs an action—such as copy-pasting, uploading, downloading, attaching files to emails, or transferring data to cloud storage or removable media—the relevant policy is triggered.

For instance, if your organization stores critical business data in SharePoint, you can configure a policy to enforce your security guidelines. This policy can alert or educate users when they attempt to move data to unauthorized locations.

You can create a new policy either by using the “Search by destination” live search feature or by selecting the “New Policy” option. Based on the conditions specified in the “Search by destination” field or on the policy you define, Cyberhaven can respond to events in real time, taking actions that align with your policy settings.

Creating a Policy

You can create a policy on the Risks Overview page of the Cyberhaven UI in one of the following ways.

Using the New Policy option.

1. Click New Policy in the Search By Destination panel on the right.

2. In the Policy Libraries and Templates pop-up window, select the libraries or template you want to include in your policy. You can define a new policy, select from the list of policy templates, or import an existing policy file.

NOTE

You can only import policy files that are exported from the Cyberhaven UI.

3. After you select the policy library, the right panel provides you the option to specify additional search criteria. You can select various fields under Location, User, Event, and Content to define your policy based on context, content, and tags. Depending on the field you select, you can select from a list of attributes or provide text inputs.

4. Under Policy Settings, specify a name for your policy and select the datasets you want to apply.

5. Then follow the detailed instructions to set the values for each field under Policy Settings and click Save. See Policy Settings.

Using live search.

1. Click Search By Destination in the right panel and specify the search criteria. You can select various fields under Location, User, Event, and Content to define your policy based on context, content, and tags. Depending on the field you select, you can select from a list of attributes or provide text inputs.

2. Click Convert to Policy to save the search criteria as a policy.

3. Under Policy Settings, specify a name for your policy and select the datasets you want to apply.

4. Then follow the detailed instructions to set the values for each field under Policy Settings and click Save. See Policy Settings.

You can change the policy search conditions and their associated names at any time.

Policy Settings

Cyberhaven Sensors provide real-time response capabilities to warn or block users from carrying out particular actions on data.

When you configure a new policy, the "Create an incident" option is enabled by default, as shown below. An incident will be created for all response actions.

The "Create an incident" option can only be disabled for the "Monitor" response action. If you select the "Warn" or "Block" actions, then the "Create an incident" option is enabled.

When choosing to warn or block, you can also customize a response message specific to the policy. The message will be presented on the endpoint, educating end users on exactly what action they performed that violated the policy. Feedback from the user can also be captured at the endpoint at the time of the violation.

Severity

When setting up a policy, you can set the severity depending on the criticality and impact of the policy violation. Each severity rating has an associated value, which is used to calculate the risk score for user risk analysis.

Severity Rating    Value
Critical           8
High               4
Medium             2
Low                1
Informational      0

Response Actions

When Monitor is selected, you cannot set up a response message. The user will be allowed to proceed with their actions. You can choose to create an incident, record screenshots, and receive email notifications for a policy match.

Selecting the Warn action as the Response allows a user to carry out the action but be warned of the violation. Selecting the Block action prevents data movement to the destination. If you wish to allow a user to directly override a blocking action, you can configure that option under the "Setup response message" settings. See Response Message.

Blocking-related messages presented to the end-user device are throttled to once per 5 seconds (by default). Subsequent violations that occur within this window will still be captured in the Cyberhaven console and will be displayed with a "Response skipped: throttled" status in the User Reaction column on the Incidents page.

If a user creates a self-service exception, it is applied to the dataset, policy, username, event type, and sensor that triggered the block. Policy violations outside of this scope will continue to generate incidents and be responded to as defined by the policy. By default, the override duration is one minute (60 seconds).
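The following Python model is an added example, not Cyberhaven code, that applies the default 5-second message throttle and the 60-second, five-attribute override scope described above to a timeline of Block-policy matches, which helps when reading the User Reaction column during triage. It assumes the throttle is counted per endpoint from the last displayed message and that a match covered by an active override is let through; the dataset, policy, user, and event names are constructed.

```python
from dataclasses import dataclass
THROTTLE_SECONDS = 5    # default message throttle stated on the page
OVERRIDE_SECONDS = 60   # default self-service override duration stated on the page

@dataclass(frozen=True)
class BlockEvent:
    t: float                      # seconds on a constructed timeline for one endpoint
    dataset: str
    policy: str
    username: str
    event_type: str
    sensor: str
    user_overrides: bool = False  # user picks the override when the message is shown

    def scope(self):
        # The five attributes the page lists as the scope of a self-service exception.
        return (self.dataset, self.policy, self.username, self.event_type, self.sensor)

def classify(events):
    """Label each Block-policy match in time order (a model, not Sensor code)."""
    last_message_at = None   # when a block message was last displayed
    overrides = {}           # exception scope -> expiry time
    outcomes = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.t < overrides.get(ev.scope(), float("-inf")):
            outcomes.append("override active")              # assumption: let through
        elif last_message_at is not None and ev.t - last_message_at < THROTTLE_SECONDS:
            outcomes.append("Response skipped: throttled")  # status text from the page
        else:
            last_message_at = ev.t
            if ev.user_overrides:
                overrides[ev.scope()] = ev.t + OVERRIDE_SECONDS
            outcomes.append("blocked, override granted" if ev.user_overrides
                            else "blocked, message shown")
    return outcomes

# Constructed sample: dataset, policy, user and event names are made up.
usb = dict(dataset="Source Code", policy="Block USB", username="alice",
           event_type="copy_to_usb", sensor="endpoint")
SAMPLE = [
    BlockEvent(t=0, **usb),
    BlockEvent(t=2, **usb),                        # inside the 5 s throttle window
    BlockEvent(t=6, **usb, user_overrides=True),   # message shown again, user overrides
    BlockEvent(t=20, **usb),                       # same scope, within 60 s of override
    BlockEvent(t=21, **{**usb, "event_type": "upload"}),  # different event type
    BlockEvent(t=70, **usb),                       # override expired at t=66
]

print(*zip((e.t for e in SAMPLE), classify(SAMPLE)), sep="\n")
```

The match at t=21 is blocked even though an override is active, because its event type differs from the one the exception was granted for.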

Record Screenshots (EA)

This feature is available for Windows and macOS Endpoint Sensors. For macOS Sensors, this feature is in Early Access (EA).

NOTE

Screenshot recording functionality comes pre-enabled on Windows; however, on macOS, Cyberhaven Support needs to enable this feature through a remote configuration setting.

The Record screenshots option relies on Cyberhaven's Content Capture feature. These combined capabilities aid you in the investigation and prevention of incidents related to data loss by a specific user or user group. When enabled, policies can be configured to retain information on user actions.

Applying screenshot recording in a policy

For example, you can create a single policy to monitor the traffic of an Active Directory user group of departing users that has access to cloud apps, printers, USB devices, cloud storage, etc., and can use these channels to access, copy, move, or delete data.

The "Record screenshots" option is available for warning and blocking policy response actions.

If the user has configured multiple monitors on their host machine, then the Endpoint Sensor takes a screenshot of each monitor. The screenshots are captured in 1080p resolution and stored in .jpeg format. You can reduce the image resolution to save storage space. Customizations can only be made through the backend. Contact support@cyberhaven.io to customize your screenshot settings.

Screenshot recording on Windows devices

When you enable Record screenshots in a policy, the Windows Endpoint Sensor continuously captures screenshots of the user's screen at a specific time interval. The time interval to take a screenshot is customizable. By default, the Sensor takes one screenshot per monitor per second.

If the policy is violated, an incident is created on the Incidents page and screenshots from the last 30 seconds are attached to the incident details. The Sensor only retains screenshots captured during the last 30 seconds in memory and discards all screenshots that are older than 30 seconds.

Screenshot recording on macOS devices

This feature is disabled by default on macOS devices. Due to Apple's restrictions, system admins cannot remotely enable screenshot recording on macOS devices. Therefore, it is the responsibility of the end users to grant permission to Cyberhaven for screen recording.

The Sensor is set to silent by default, which means screenshots are not recorded. The macOS Endpoint Sensor requires permission from the user to record screenshots. To enable screenshot recording, the Endpoint configuration for this feature must be set to ask_user by Cyberhaven Customer Support.

Note

Cyberhaven recommends that you enable this feature on a limited set of endpoints to test it. Cyberhaven Customer Support can enable this feature on a specific endpoint group for testing.

When this setting is enabled, a pop-up message is displayed on the user's screen.