Fastest way to create Content-Aware Data Loss Prevention Policies
That moment when your company acknowledged the need for a Data Loss Prevention solution arrived. If you are a meticulous person, you tested at least two or three DLP solutions before you made your purchasing recommendation. So, you acquired Endpoint Protector DLP. Now, what? Again, if you are a perfectionist, you read the User Manual, but let’s face it; when you have 10 more solutions to manage, the audit is at your doorstep and your boss is waiting for fast reports, reading a manual is the last thing you want to do. We’re not saying you don’t have to read it, but when it comes to making your life easier, we really try to put ourselves in your shoes.
To make Endpoint Protector administration easier, we have put together some tips & tricks and we will start with the Content Aware Protection policies.
As you already know, the Content Aware Protection module can prevent accidental or intentional data loss of files containing confidential data, such as contracts’ details, personally identifiable information, and confidential financial data like IBAN numbers, bank account numbers, and credit card numbers. Let’s say your company is in the law sector.
What is the shortest, easiest way to setup your DLP policy?
1. Start with the predefined policies
As a law company, one of your obligations is to ensure the privacy of the client-attorney privileged communications. Also, your customers rely on your capability of securing their sensitive data like financial records, patent and copyright details, trade secrets, etc. You can start by using the predefined policies, in the Content Aware Policies section. They are divided by specific types of files, HIPAA policies, PCI DSS policies, in different combinations. For example, if you want to prevent the leakage of credit card numbers and social security numbers, you select the policy PCI DSS – Credit Cards and Social Security Numbers. If you want a dedicated policy just for credit card numbers, you select the PCI DSS – Credit Cards. You save the preferred policy and you can further edit it to fit your needs. By default, all destinations are selected: web browsers, e-mail clients, instant messaging applications, the clipboard, printers, etc. If that is too restrictive, you can choose only the ones that present the highest risk in your organization.
The predefined Content Filter Blacklist is also marked by default and besides that blacklist, you can add also the Custom Content Filter Blacklist and the File Type Blacklist. The Custom Content Filter Blacklist is based on keywords which can be added to several dictionaries. What happens is that once those keywords are detected in file transfers or copied, the transfer is blocked and reported or just reported. The File Type Blacklist is a more general one, protecting a wide range of file types, like Office files, graphic files, programming, etc. Make sure the action of the policy is Report only. This is the mode we advise to use for two or three months in order to gather insights and establish the restrictions based on users’ activity in the day to day work scenarios. Based on the changes you want to make to the predefined policies, you can duplicate them and save time instead of doing all the setup from the beginning.
Don’t forget to apply the predefined policy to the relevant departments, groups, computers or users.
2. Use whitelists to avoid interrupting the workflow
You may know from the start which are the exceptions you want to add in your policies, but in case you don’t, the Reports and Analysis section is the tool that will help you. File Tracing and Content Aware Report are the most accessed tabs of this section. They offer the Administrator detailed tracking of the file transfers and uploaded / copied sensitive data through the marked destinations. The frequency of a certain transferred file, as well as the destination and all the other associated data, are a great indicator either of a leakage / theft attempt or the real need of transfer due to the job role.
The real purpose of the transfer can be checked with the management and, in no case you should rely only on technology. That is a premise of any technology / software – it will always require the human intervention to make sure the real-life situations correspond with the software configuration /setup.
Depending on the information you discover in Reports & Analysis, you can create whitelists (add exceptions) based on file types, specific files uploaded to the server, file location, network share, e-mail domain and URL name. How does this work? For example, your colleagues from the accounting department want to send an email with a customer’s contract or bank account to their department manager, but the file is blocked with the Content Aware Protection policy. To assign permission of transfer from the accounting department’s members to the accounting department’s manager, add the manager’s address in the E-mail Domain Whitelist. This will limit the transfer only to authorized people.
An important detail that we notice is that the confusion of what URL whitelists are seldom appears. They do not control the access to a certain URL or web page. Instead, they allow the file upload which normally is blocked by the Content Aware Protection rules. I know you’re tempted to think at the first option because you’re used to the web-filtering solutions, but in a DLP solution, the rule is not applied the same way.
3. Avoid redundant scanning with the threshold
There are three types of thresholds, but the simplest to use is the file size threshold. If the size is a good indicator of a possible data breach in your organization, then set the maximum file size that is allowed and any upload or attachment that exceeds that limit is blocked.
Use the other types of threshold – regular and global when you will have gotten more knowledge concerning data movement – what data is being transferred, which transfers should be authorized and which should be blocked.
Content-Aware Data Loss Prevention policies from Endpoint Protector are very powerful and their effectiveness depends significantly on how they are built and optimized. Starting with the above tips, you can easily start protecting confidential data and preventing data security incidents. Many DLP solutions end up as shelfware due to highly complicated implementations. Endpoint Protector gives you all the premises for successful implementations and with “shortcuts” like the Predefined Policies, time and human resources are reduced.
Are you an Endpoint Protector 4 user? What other features would you like us to talk about?