Data Loss Prevention (DLP) - How it works

SphereShield’s DLP ensures that users can’t send sensitive or critical information outside the corporate network.

From the main Admin Portal menu, select “DLP Rules”. This page lists 10 common predefined rules and can also be used to create your own DLP rules. A rule is not active until you press the [EDIT] button and enable it.

For each rule, the Action type field can be one of three choices:

  1. Monitor - logs the message, but does not block or alter it

  2. Block - blocks the entire message

  3. Replace - replaces the text found with a specified alternate text

For each rule, the Admin notification type field can be one of three choices:

  1. Log - logs the incident as configured in Log4Net: to a log file, the Windows Event Log, or a database

  2. Log and mail - logged as above and also sent by email to the recipient(s) specified in the DLP settings

  3. Log, mail and IM - as above, and additionally notified in the UC channel
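The following is an added illustration of how the action type and admin notification type combine when a message is evaluated. It is not SphereShield's code: the Rule and Verdict classes, the xxx-xx-xxxx SSN-style pattern and the sample message are constructed for the example.

```python
import logging
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

# Added illustration of the rule semantics described above (action type and admin
# notification type). Not SphereShield's code: the classes, the SSN-style pattern
# and the sample message are constructed for this example.

LOG = logging.getLogger("dlp")


class Action(Enum):
    MONITOR = "Monitor"   # log the message, deliver it unchanged
    BLOCK = "Block"       # drop the entire message
    REPLACE = "Replace"   # substitute the matched text, deliver the rest


class Notify(Enum):
    LOG = "Log"
    LOG_MAIL = "Log and mail"
    LOG_MAIL_IM = "Log, mail and IM"


@dataclass
class Rule:
    name: str
    pattern: str
    action: Action
    notify: Notify = Notify.LOG
    replacement: str = "[REDACTED]"
    enabled: bool = False          # predefined rules are off until edited and enabled
    regex: "re.Pattern" = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.regex = re.compile(self.pattern)


@dataclass
class Verdict:
    delivered: bool                 # False when a Block rule fired
    text: Optional[str]             # message as it would be sent (None if blocked)
    incidents: List[Tuple[str, str, List[str]]]  # (rule name, notification level, matches)


def evaluate(message: str, rules: List[Rule]) -> Verdict:
    """Apply enabled rules in order; record an incident for every rule that matches."""
    text = message
    incidents: List[Tuple[str, str, List[str]]] = []
    for rule in rules:
        if not rule.enabled:
            continue
        hits = [m.group(0) for m in rule.regex.finditer(text)]
        if not hits:
            continue
        incidents.append((rule.name, rule.notify.value, hits))
        # Every notification level at least logs; mail and IM fan-out would hang off notify.
        LOG.warning("DLP %s by rule '%s' (%s): %d match(es)",
                    rule.action.value, rule.name, rule.notify.value, len(hits))
        if rule.action is Action.BLOCK:
            return Verdict(delivered=False, text=None, incidents=incidents)
        if rule.action is Action.REPLACE:
            text = rule.regex.sub(rule.replacement, text)
    return Verdict(delivered=True, text=text, incidents=incidents)


# Constructed pattern for the xxx-xx-xxxx SSN form used by the default provider.
SSN_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"
SAMPLE_MESSAGE = "Here is my SSN 111-55-1348, please keep it private"  # constructed


def run_sample(action: Action, enabled: bool = True) -> Verdict:
    """Evaluate the sample message against a single SSN rule with the given action."""
    rule = Rule("US Social Security Number", SSN_PATTERN, action,
                Notify.LOG_MAIL, enabled=enabled)
    return evaluate(SAMPLE_MESSAGE, [rule])


if __name__ == "__main__":
    for action in Action:
        v = run_sample(action)
        print(f"{action.value:8} delivered={v.delivered} text={v.text!r}")
```

Monitor delivers the message untouched but still records the incident, Block stops evaluation and returns nothing to send, and Replace rewrites only the matched span; a disabled rule produces no incident at all, which is why the predefined rules must be enabled before they do anything.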


Applying DLP rules per group

DLP rules can be applied to specific groups or excluded for specific groups.

To enable this capability, turn on “Enable DLP Rules for Active Directory Groups” under the Advanced section of the DLP settings.

Once enabled, you can set the groups to apply to or to ignore in each DLP rule.

How often are group memberships updated?

When DLP retrieves a user's groups, it first checks the in-memory cache. The cache expiration time is set by “Active Directory Users Cache Time (minutes)” in the DLP settings of the portal (stored in the DB as “DlpAdExpirationTimeInMinutes”). By default it is 1 day (1440 min).

If the user is not found in the cache, the lookup depends on the solution:

For Skype for Business installed on the Edge, DLP makes an API call to the Admin Portal to retrieve the user's groups.

For Teams/Webex, DLP obtains the user's groups from the managed user groups table.

Managed user groups table
You can verify the content of the managed user groups table under Support and Maintenance \ User Group Membership and review the following section:

AdSync updates the managed user group table, and the frequency is set in the AD Sync web configuration. By default, it is set to 10 min.

Note:
If the customer has many groups, completing the operation might take more than 10 minutes.
For each group, ADSync sends an API call that typically takes around 2-3 seconds, so as a rough estimate 200 groups take around 10 min to sync.

The setting name is IntervalTimeRefreshEwPoliciesUsersGroups. The location is here: ${ADSyncPath}\Configuration\ApplicationSettings.config


How to perform an immediate change?

If you need a change in AD group membership to take effect immediately, restart the ISA to clear the in-memory cache. If updates are not reflected in the managed user groups table, restart ADSync.
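The following is an added illustration of the lookup order described in this section (in-memory cache first, then the managed user groups table), of why a membership change is not visible until the cache entry expires, and of what a service restart does to the cache. It is not SphereShield's code: the table contents, user and group names, the rule_applies scoping helper and the injectable clock are constructed; only the 1440-minute default comes from the page.

```python
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Added illustration of the lookup order described above: in-memory cache first, then
# the managed user groups table, with a service restart modelled as clear(). Not
# SphereShield's code; table contents, users, groups and the clock are constructed.
# The 1440-minute default is the page's value.

DEFAULT_CACHE_MINUTES = 1440   # "Active Directory Users Cache Time (minutes)"

# Constructed stand-in for the managed user groups table that ADSync refreshes.
MANAGED_USER_GROUPS: Dict[str, Set[str]] = {
    "alice@example.com": {"Finance", "AllStaff"},
    "bob@example.com": {"Engineering", "AllStaff"},
}


class GroupCache:
    """Per-user group lookup with a TTL, backed by the managed user groups table."""

    def __init__(self, table: Dict[str, Set[str]],
                 ttl_minutes: int = DEFAULT_CACHE_MINUTES,
                 clock: Callable[[], float] = time.time) -> None:
        self._table = table
        self._ttl = ttl_minutes * 60
        self._clock = clock
        self._entries: Dict[str, Tuple[Set[str], float]] = {}   # user -> (groups, expiry)
        self.table_reads = 0   # how often the lookup fell through to the table

    def groups_for(self, user: str) -> Set[str]:
        now = self._clock()
        cached = self._entries.get(user)
        if cached is not None and cached[1] > now:
            return cached[0]                      # cache hit, possibly stale vs. AD
        self.table_reads += 1
        groups = set(self._table.get(user, set()))
        self._entries[user] = (groups, now + self._ttl)
        return groups

    def clear(self) -> None:
        """What a service restart does to the in-memory cache."""
        self._entries.clear()


def rule_applies(user_groups: Set[str],
                 apply_groups: Optional[Set[str]] = None,
                 ignore_groups: Optional[Set[str]] = None) -> bool:
    """Constructed group scoping: members of an ignore group are exempt; if apply
    groups are set, the user must belong to at least one of them."""
    if ignore_groups and user_groups & ignore_groups:
        return False
    if apply_groups:
        return bool(user_groups & apply_groups)
    return True


class FakeClock:
    """Constructed clock so the TTL can be advanced without waiting a day."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def membership_timeline() -> Dict[str, Set[str]]:
    """Walk through a group change and record what DLP sees at each stage."""
    table = {u: set(g) for u, g in MANAGED_USER_GROUPS.items()}
    clock = FakeClock()
    cache = GroupCache(table, clock=clock)
    seen: Dict[str, Set[str]] = {}
    seen["initial"] = cache.groups_for("alice@example.com")
    # ADSync later rewrites the table: alice moves from Finance to Engineering.
    table["alice@example.com"] = {"Engineering", "AllStaff"}
    seen["after_table_update"] = cache.groups_for("alice@example.com")   # still cached
    clock.now += DEFAULT_CACHE_MINUTES * 60 + 1                          # TTL elapsed
    seen["after_ttl_expiry"] = cache.groups_for("alice@example.com")
    table["alice@example.com"] = {"AllStaff"}
    cache.clear()                                                        # service restart
    seen["after_restart"] = cache.groups_for("alice@example.com")
    return seen


if __name__ == "__main__":
    for stage, groups in membership_timeline().items():
        print(f"{stage:20} {sorted(groups)}")
```

The point to take from the timeline is that a rule scoped to the Finance group keeps applying to alice for up to a day after she has left it, unless the cache is cleared; the same lag works in the other direction for a user who is newly added to an ignore group.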

Predefined Rules

IBAN code

The default trigger for this rule is defined by the following regex:

\b[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}\b

US Social Security Number

Agat DLP Provider (default): searches the message for a Social Security Number by matching a number in the xxx-xx-xxxx format and verifying its validity using: https://www.ssn-check.org/verify

If you use an external provider, the check is described in that provider's documentation.

Google’s GCP:

Search for the “US_SOCIAL_SECURITY_NUMBER” infoType at the following link:

https://cloud.google.com/dlp/docs/infotypes-reference

In our testing, the GCP provider matches Social Security Numbers written with hyphens, with spaces, or without any separators. For example, the GCP provider should block the following Social Security Numbers:

111-55-1348

111 55 1348

111551348

Symantec:

Go to “US Social Security Number” on page 1550 of the following PDF file: https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.5_Admin_Guide.pdf

Credit Card

The default trigger for this rule is defined by the following regex:

\b(?:\d[ -]*?){13,16}\b

Anti-harassment and Workplace Safety - badwords

The trigger for this rule is defined by a regex, which you may modify to match your corporate policy.

Anti-harassment and Workplace Safety - inappropriate emojis

The default trigger for this rule is defined by the following regex:

((kiss)|(swear)|:]|<3|(u)|(hug)|;)|(grin)|(devil)|(headbang)|*|)

Note that the parentheses, ] and * in these emoticon shortcodes are regex metacharacters, so the rule must escape each of them with a backslash (for example \(kiss\), :\], ;\), \*) for the shortcode to be matched literally; unescaped, the pattern is not a valid regex.

Block URL

The default trigger for this rule is defined by the following regex:

(\b(http|ftp|https):(//|\\)[\w-]+(\.[\w-]+)+([\w-.,@?^=%&:/~+#]*[\w-@?^=%&/~+#])?|\bwww\.[^\s])

Patient Record Number

The default trigger for this rule is defined by the following regex:

\b[1-9]{3}-[1-9]{1}-[1-9]{5}\b

Dollars and cents amounts

The default trigger for this rule is defined by the following regex:

\B\$(?=.*\d)\d{0,6}(\.\d{1,2})?

Dates

The default trigger for this rule is defined by the following regex:

\b(([0][1-9]|[2][0-9]|[3][0-1]|[1-9]|[1][0-9])/([0][1-9]|[1][0-2]|[1-9])/([1-2][0-9][0-9][0-9]|[0-9][0-9]))\b

United Kingdom National Insurance Number

The default trigger for this rule is defined by the following regex:

\b^\s*[a-zA-Z]{2}(?:\s*\d\s*){6}[a-zA-Z]?\s*
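To see what the default triggers above actually catch, the following added example runs them over constructed sample messages. It is not SphereShield's code: the patterns are the page's defaults written as Python raw strings (the “Dollars and cents amounts” pattern is written with \$ and \. so the dollar sign and decimal point match literally), the messages are constructed, and the URL and emoji rules are left out.

```python
import re
from typing import Dict, List, Tuple

# Added check of the default trigger patterns listed above against constructed sample
# text. Not SphereShield's code: the patterns are the page's defaults as Python raw
# strings (the dollar pattern escapes $ and .); the sample messages are constructed.

DEFAULT_TRIGGERS: Dict[str, str] = {
    "IBAN code":
        r"\b[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}\b",
    "Credit Card":
        r"\b(?:\d[ -]*?){13,16}\b",
    "Patient Record Number":
        r"\b[1-9]{3}-[1-9]{1}-[1-9]{5}\b",
    "Dollars and cents amounts":
        r"\B\$(?=.*\d)\d{0,6}(\.\d{1,2})?",
    "Dates":
        r"\b(([0][1-9]|[2][0-9]|[3][0-1]|[1-9]|[1][0-9])/([0][1-9]|[1][0-2]|[1-9])"
        r"/([1-2][0-9][0-9][0-9]|[0-9][0-9]))\b",
    "United Kingdom National Insurance Number":
        r"\b^\s*[a-zA-Z]{2}(?:\s*\d\s*){6}[a-zA-Z]?\s*",
}

COMPILED = {name: re.compile(pattern) for name, pattern in DEFAULT_TRIGGERS.items()}


def find_matches(rule_name: str, text: str) -> List[str]:
    """Return the full text of every match of the named default trigger in text."""
    return [m.group(0) for m in COMPILED[rule_name].finditer(text)]


# Constructed messages; each shows one thing the pattern does or does not catch.
SAMPLES: List[Tuple[str, str]] = [
    ("IBAN code", "Pay to GB82WEST12345698765432 today"),       # shape only, no checksum
    ("Credit Card", "card 4111 1111 1111 1111 exp 12/26"),        # separators allowed
    ("Credit Card", "order 1234567890123456 ref"),                # any 16 digits, no Luhn check
    ("Credit Card", "ext 123456789012 end"),                      # 12 digits: too short
    ("Patient Record Number", "PRN 123-4-56789 admitted"),
    ("Patient Record Number", "PRN 120-4-56789 admitted"),        # a zero digit is rejected
    ("Dollars and cents amounts", "total $1200.50 due"),
    ("Dates", "meet on 31/12/2024 at noon"),                      # day/month/year order
    ("Dates", "meet on 12/31/2024 at noon"),                      # US month-first is not matched
    ("United Kingdom National Insurance Number", "QQ 12 34 56 C"),
    ("United Kingdom National Insurance Number", "my NI is QQ 12 34 56 C"),  # ^ anchors to start
]


def run_samples() -> List[Tuple[str, str, List[str]]]:
    """Evaluate every sample and return (rule, message, matches) triples."""
    return [(rule, text, find_matches(rule, text)) for rule, text in SAMPLES]


if __name__ == "__main__":
    for rule, text, hits in run_samples():
        print(f"{rule:42} {text!r:40} -> {hits}")
```

Four behaviours are worth knowing before relying on the defaults: the IBAN and credit-card patterns check shape only (no country-length or Luhn validation, so any 13 to 16 digit run, for example an order number, trips the credit-card rule); the patient record pattern rejects any zero digit; the date pattern expects day/month/year, so a US-style 12/31/2024 passes through; and the National Insurance pattern starts with ^, so it only fires when the number is at the very beginning of the message. Adjust the regex on the rule's edit page if your policy needs different behaviour.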

Custom Rules

You may define your own rules by pressing the [ADD] button.

Note: Changing DLP rules requires an IIS reset and a restart of the CASB Adapter service.