Data Loss Prevention (DLP) - How it works
SphereShield’s DLP ensures that users can’t send sensitive or critical information outside the corporate network.
From the main Admin Portal menu, select “DLP Rules”. This page lists 10 common predefined rules and also lets you create your own DLP rules. A rule is not active until you press the [EDIT] button and enable it.
For each rule, the Action type field can be one of three choices:
Monitor - logs the message, but does not block or alter it
Block - blocks the entire message
Replace - replaces the text found with a specified alternate text
For each rule, the Admin notification type field can be one of three choices:
Log - logs the incident as defined in the Log4Net configuration: to a log file, the Windows Event Log, or a database
Log and mail - logged as above and also sent by email to the recipient(s) specified in the DLP settings
Log, mail and IM - same as above, but the notification is also sent in the UC channel
Applying DLP rules per group
DLP rules can be applied to specific groups, or specific groups can be excluded from a rule.
To enable this capability, enable “Enable DLP Rules for Active Directory Groups” under the Advanced section of the DLP settings.
Once enabled, you will be able to set, in each DLP rule, the groups to apply it to or to ignore.
How often are group memberships updated?
When DLP retrieves a user's groups, it first checks the in-memory cache. The cache expiration time is set by the value of “Active Directory Users Cache Time (minutes)” in the DLP settings of the portal (saved in the DB as “DlpAdExpirationTimeInMinutes”). By default, it is set to 1 day (1440 min).
If the user is not found in the cache, the procedure differs depending on the solution:
For Skype for Business installed on the Edge server, an API call is made to the Admin Portal to retrieve the user's groups.
For Teams/Webex, the user's groups are read from the managed user groups table.
Managed user groups table
You can view the content of the managed user groups table under Support and Maintenance \ User Group Membership; the following section describes how it is kept up to date.
ADSync updates the managed user groups table; the update frequency is set in the AD Sync web configuration. By default, it is set to 10 min.
Note:
If the customer has many groups, completing the operation might take more than 10 minutes.
For each group, ADSync sends an API call that typically takes around 2-3 seconds, so as a rough estimate, 200 groups should take around 10 min to sync.
The setting name is IntervalTimeRefreshEwPoliciesUsersGroups. The location is here: ${ADSyncPath}\Configuration\ApplicationSettings.config
How to perform an immediate change?
If you need a change in AD group membership to take effect immediately, restart the ISA to clear the in-memory cache. If the updates are not reflected in the managed user groups table, restart ADSync.
Predefined Rules
IBAN code
The default trigger for this rule is defined by the following regex:
\b[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}\b
US Social Security Number
Agat DLP Provider (default): searches the message for a Social Security Number by matching a number in the xxx-xx-xxxx format and verifying its validity using: https://www.ssn-check.org/verify
If you use an external provider, the check performed should be explained in that provider's documentation.
Google’s GCP:
Search the “US_SOCIAL_SECURITY_NUMBER” rule in the following link:
https://cloud.google.com/dlp/docs/infotypes-reference
In our testing, the GCP provider matches Social Security Numbers written with hyphens, with spaces, or without any separator. For example, the GCP provider should block all of the following Social Security Numbers:
111-55-1348
111 55 1348
111551348
Symantec:
Go to “US Social Security Number” on page 1550 in the following PDF file: https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/information-security/data-loss-prevention/generated-pdfs/Symantec_DLP_15.5_Admin_Guide.pdf
Credit Card
The default trigger for this rule is defined by the following regex:
\b(?:\d[ -]*?){13,16}\b
Anti-harassment and Workplace Safety - badwords
The trigger for this rule is defined by a regex, which you may modify to match your corporate policy
Anti-harassment and Workplace Safety - inappropriate emojis
The default trigger for this rule is defined by the following regex:
(\(kiss\)|\(swear\)|:\]|<3|\(u\)|\(hug\)|;\)|\(grin\)|\(devil\)|\(headbang\)|\*)
Block URL
The default trigger for this rule is defined by the following regex:
(\b(http|ftp|https):(//|\\)[\w-]+(\.[\w-]+)+([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?|\bwww\.[^\s]+)
Patient Record Number
The default trigger for this rule is defined by the following regex:
\b[1-9]{3}-[1-9]{1}-[1-9]{5}\b
Dollars and cents amounts
The default trigger for this rule is defined by the following regex:
\B\$(?=.*\d)\d{0,6}(\.\d{1,2})?
Dates
The default trigger for this rule is defined by the following regex:
\b(([0][1-9]|[2][0-9]|[3][0-1]|[1-9]|[1][0-9])/([0][1-9]|[1][0-2]|[1-9])/([1-2][0-9][0-9][0-9]|[0-9][0-9]))\b
United Kingdom National Insurance Number
The default trigger for this rule is defined by the following regex:
\b^\s*[a-zA-Z]{2}(?:\s*\d\s*){6}[a-zA-Z]?\s*
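To show how the predefined triggers above combine with the Monitor / Block / Replace action types, here is an added example that is not part of SphereShield or this documentation. It assumes Python's re dialect (the product itself is .NET; the patterns used here rely only on syntax common to both), a hypothetical action assignment per rule, and an SSN pattern written to accept the hyphen, space and no-separator forms listed in the GCP section.

```python
import re

# Predefined rule triggers as listed on this page (with escaping applied),
# plus an SSN pattern (assumption) covering the three separator forms above.
RULES = {
    "IBAN code": r"\b[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}\b",
    "Credit Card": r"\b(?:\d[ -]*?){13,16}\b",
    "Patient Record Number": r"\b[1-9]{3}-[1-9]{1}-[1-9]{5}\b",
    "Dollars and cents amounts": r"\B\$(?=.*\d)\d{0,6}(\.\d{1,2})?",
    "US Social Security Number": r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b",  # 9 digits, any of the 3 forms
}

# Hypothetical per-rule actions, mirroring the portal's three action types.
ACTIONS = {
    "IBAN code": ("Block", None),
    "Credit Card": ("Replace", "[card number removed]"),
    "Patient Record Number": ("Monitor", None),
    "Dollars and cents amounts": ("Monitor", None),
    "US Social Security Number": ("Block", None),
}


def evaluate(message):
    """Apply every enabled rule to one message.

    Returns (verdict, delivered_text, incidents):
      - Monitor only records an incident and leaves the text untouched
      - Replace substitutes the matched text in the delivered copy
      - Block discards the whole message (wins over Replace)
    Each incident is (rule name, action, list of matched strings).
    """
    incidents = []
    delivered = message
    blocked = False
    for name, pattern in RULES.items():
        hits = [m.group(0) for m in re.finditer(pattern, message)]
        if not hits:
            continue
        action, replacement = ACTIONS[name]
        incidents.append((name, action, hits))
        if action == "Block":
            blocked = True
        elif action == "Replace":
            delivered = re.sub(pattern, replacement, delivered)
    if blocked:
        return "blocked", None, incidents
    return "delivered", delivered, incidents


if __name__ == "__main__":
    # Constructed sample messages (not real account data).
    print(evaluate("wire to GB82WEST12345698765432 today"))
    print(evaluate("charge card 4111 1111 1111 1111 for $1250.75"))
```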
Custom Rules
You may define your own rules by pressing the [ADD] button.
Note: Changing DLP rules requires an IIS reset and a CASB Adapter service restart.