Data Loss Prevention (DLP) - How it works
SphereShield’s DLP ensures that users can’t send sensitive or critical information outside the corporate network.
From the main Admin Portal menu, select “DLP Rules”. This page contains 10 common predefined rules and can also be used to create your own DLP rules. A rule is not active until you press its [EDIT] button and enable it.
For each rule, the Action type field can be one of three choices:
Monitor - logs the message, but does not block or alter it
Block - blocks the entire message
Replace - replaces the text found with a specified alternate text
For each rule, the Admin notification type field can be one of three choices:
Log - log incident as defined in the Log4Net configuration: to a log file, Windows Event Log, or database
Log and mail - logged as above and sent by email to recipient(s) specified in DLP setting
Log, mail and IM - same as above, but also notified in the UC channel
Predefined Rules
IBAN code
The default trigger for this rule is defined by the following regex:
\b[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}\b
US Social Security Number
Agat DLP Provider (default): searches for a Social Security Number in the message by matching a number in the xxx-xx-xxxx format and verifying its validity using: https://www.ssn-check.org/verify
If you use an external provider, the validation it performs should be explained in that provider's documentation.
Google’s GCP:
Search for the “US_SOCIAL_SECURITY_NUMBER” rule at the following link:
https://cloud.google.com/dlp/docs/infotypes-reference
In our testing, the GCP provider matches Social Security Numbers written with hyphens, with spaces, or without any special characters. For example, the GCP provider should block the following Social Security Numbers:
111-55-1348
111 55 1348
111551348
Symantec:
Go to “US Social Security Number” on page 1550 in the following PDF file: https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.5_Admin_Guide.pdf
Credit Card
The default trigger for this rule is defined by the following regex:
\b(?:\d[ -]*?){13,16}\b
Anti-harassment and Workplace Safety - badwords
The trigger for this rule is defined by a regex, which you may modify to match your corporate policy.
Anti-harassment and Workplace Safety - inappropriate emojis
The default trigger for this rule is defined by the following regex:
((kiss)|(swear)|:]|<3|(u)|(hug)|;)|(grin)|(devil)|(headbang)|*|)
Block URL
The default trigger for this rule is defined by the following regex:
(\b(http|ftp|https):(//|\\)[\w-]+(.[\w-]+)+([\w-.,@?^=%&:/~+#]*[\w-@?^=%&/~+#])?|\bwww.[^\s])
Patient Record Number
The default trigger for this rule is defined by the following regex:
\b[1-9]{3}-[1-9]{1}-[1-9]{5}\b
Dollars and cents amounts
The default trigger for this rule is defined by the following regex:
\B$(?=.*\d)\d{0,6}(.\d{1,2})?
Dates
The default trigger for this rule is defined by the following regex:
\b(([0][1-9]|[2][0-9]|[3][0-1]|[1-9]|[1][0-9])/([0][1-9]|[1][0-2]|[1-9])/([1-2][0-9][0-9][0-9]|[0-9][0-9]))\b
United Kingdom National Insurance Number
The default trigger for this rule is defined by the following regex:
\b^\s*[a-zA-Z]{2}(?:\s*\d\s*){6}[a-zA-Z]?\s*
Custom Rules
You may define your own rules by pressing the [ADD] button.
Note: Changing DLP rules requires an IIS reset and a CASB Adapter service reset.
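Added example (not SphereShield code): a small Python harness that applies three of the default regexes above under each Action type to constructed sample messages, to show what a rule triggers on before it is enabled. The `apply_rule` helper, the incident dictionary and the sample messages are assumptions for illustration, and Python's `re` module stands in for the product's regex engine.

```python
import re

# Default triggers copied verbatim from the predefined rules on this page.
RULES = {
    "IBAN code": r"\b[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}\b",
    "Credit Card": r"\b(?:\d[ -]*?){13,16}\b",
    "Patient Record Number": r"\b[1-9]{3}-[1-9]{1}-[1-9]{5}\b",
}


def apply_rule(rule, action, message, replacement="[REDACTED]"):
    """Hypothetical helper: return (delivered_text, incident) for one rule.

    delivered_text is None when the message is blocked; incident is None
    when the rule did not trigger.
    """
    pattern = re.compile(RULES[rule])
    hits = sum(1 for _ in pattern.finditer(message))
    if hits == 0:
        return message, None
    incident = {"rule": rule, "action": action, "hits": hits}
    if action == "Monitor":   # log only, deliver the message unchanged
        return message, incident
    if action == "Block":     # drop the entire message
        return None, incident
    if action == "Replace":   # substitute only the matched text
        return pattern.sub(replacement, message), incident
    raise ValueError(f"unknown action type: {action}")


# Constructed sample messages (not real account or patient data).
SAMPLES = [
    ("Credit Card", "Replace", "Card 4111 1111 1111 1111 exp 12/25"),
    ("Credit Card", "Monitor", "Ticket 2024-0001-0002-77 closed"),
    ("IBAN code", "Block", "Pay to GB82WEST12345698765432 today"),
    ("Patient Record Number", "Block", "PRN 123-4-56789 admitted"),
    ("Patient Record Number", "Block", "PRN 120-4-56789 admitted"),
]

if __name__ == "__main__":
    for rule, action, msg in SAMPLES:
        delivered, incident = apply_rule(rule, action, msg)
        print(f"{rule:22} {action:8} {msg!r} -> {delivered!r} {incident}")
```

The second sample is a ticket number, not a card: the Credit Card pattern triggers on any run of 13 to 16 digits. The fifth sample shows that the Patient Record Number pattern does not trigger when a digit is 0, so run a rule in Monitor against representative data before switching it to Block.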