Trend Micro, TrendLabs, and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Copyright© 2010 Trend Micro Incorporated. All rights reserved. Document Part No.: LPEM54473/100607
Release Date: November 2010
Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at the Trend Micro website. Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:
Contents

Preface
  Data Loss Prevention Documentation ... viii
  Audience ... viii
  Document Conventions ... ix

Chapter 1: Welcome
  What Is Data Loss Prevention ... 1-2
  Data Loss Prevention Endpoint 5.5 ... 1-2
  Data Loss Prevention Network Monitor 2.0 ... 1-2
  Content-Aware Mechanisms ... 1-3
  DLP Endpoint Features ... 1-4
  DLP Network Monitor Features ... 1-5
  What’s New in this Release ... 1-6
  Overall Infrastructure ... 1-7
  About this Guide ... 1-9
  Browser Prerequisites ... 1-9
  Internet Explorer Security Settings ... 1-10
  Mozilla Firefox Security Settings ... 1-11
  Key Terminology ... 1-11
  About Trend Micro ... 1-12
  TrendLabs ... 1-13

Chapter 2: Summary
  Accessing the Web Console ... 2-2
  Navigating the Web Console ... 2-3
  Navigating the Summary Tabs ... 2-6
  Executive Summary Tab ... 2-6
  Violations Tab ... 2-8
  Printing Summary Reports ... 2-10
  Refreshing Summary Data ... 2-10

Chapter 3: Data Protection
  Data Protection ... 3-2
  Getting Started Workflow ... 3-3
  Digital Assets ... 3-4
  Fingerprints ... 3-4
  Scheduling an Acquisition ... 3-11
  Deleting Fingerprints ... 3-14
  Patterns ... 3-15
  DLP Pattern Validation Methods ... 3-20
  Deleting Patterns ... 3-23
  Keywords ... 3-24
  Importing Sub-keywords ... 3-28
  Deleting Keywords ... 3-32
  File Attributes ... 3-33
  Deleting File Attributes ... 3-36
  Compliance Templates ... 3-37
  Deleting Compliance Templates ... 3-42
  Company Policies ... 3-43
  Adding Endpoint Agent Policies ... 3-44
  Adding Network Agent Policies ... 3-56
  Data Discovery ... 3-65
  Scheduling Data Discovery Scans ... 3-73
  Device Control ... 3-76

Chapter 4: Reports
  Generating Reports ... 4-2
  Viewing Archived Reports ... 4-6

Chapter 5: Logs
  Querying Logs ... 5-2
  Cleaning Up Logs ... 5-4
  Restoring Logs ... 5-6

Chapter 6:
  Configuring Active Updates ... 6-8
  Configuring Silent Reboot ... 6-9

Chapter 7: Administration
  Server Configuration ... 7-3
  Fingerprint Settings ... 7-3
  Application Settings ... 7-6
  Agent Configuration ... 7-7
  Agent Settings ... 7-7
  Advanced Settings ... 7-10
  Global Exceptions ... 7-15
  Managing the Remote Crawler ... 7-17
  Installing the Remote Crawler ... 7-18
  Deleting a Remote Crawler ... 7-27
  Data Management ... 7-29
  Agent Management ... 7-32
  Managing Agents ... 7-32
  Managing Agent Groups ... 7-34
  Changing Web Console Password ... 7-36
  Management Console ... 7-37
  Managing User Accounts ... 7-37
  Managing Roles ... 7-39
  Configuring LDAP ... 7-41
  Product License ... 7-43
  About Licenses ... 7-43
  Activating DLP Products ... 7-45
  System Monitoring ... 7-47

Chapter 8: Command Line Interface Commands
  DLP Endpoint CLI Command Overview ... 8-2
  Accessing the Privileged CLI Mode ... 8-3
  Accessing the OS Shell ... 8-4
  DLP Endpoint CLI Commands ... 8-5
  DLP Network Monitor CLI Commands ... 8-16

Index
Preface
Welcome to the Trend Micro™ Data Loss Prevention Administrator’s Guide. This guide contains information about product settings and service levels.
This preface discusses the following topics:
• Data Loss Prevention Documentation on page viii
• Audience on page viii
Data Loss Prevention Documentation
The Data Loss Prevention (DLP) documentation consists of the following:
Trend Micro™ Data Loss Prevention Administrator’s Guide: Helps you plan for deployment and configure all product settings.
Online Help: Helps you configure all features through the user interface. You can access the online Help by opening the Web console and then clicking the Help icon.
Installation Guide: Helps you plan for deployment and configure product settings.
Quick Start Guide: Helps you plan for deployment and configure all product settings.
Readme File: Contains late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history.
The readme is available at:
http://www.trendmicro.com/download
TrendEdge: The TrendEdge program works with Trend Micro employees, partners, and other interested parties to provide information on unsupported innovative techniques, tools, and best practices for Trend Micro products.
TrendEdge is available at:
http://trendedge.trendmicro.com
Audience
This document is intended for new users of the DLP Server Administrator Console, including system administrators, operators, sensitive content contributors, information security staff, executives, and other users with specific roles.
Document Conventions
To help you locate and interpret information easily, the DLP documentation uses the following conventions.
CONVENTION: DESCRIPTION
ALL CAPITALS: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold: Menus and menu commands, command buttons, tabs, options, and ScanMail tasks
Italics: References to other documentation
Monospace: Examples, sample command lines, program code, Web URL, file name, and program output
Note: Configuration notes
Tip: Recommendations
WARNING! Reminders on actions or configurations that should be avoided
Welcome
Trend Micro™ Data Loss Prevention is an enterprise-class information loss prevention solution. Depending on your implementation, Trend Micro Data Loss Prevention includes Data Loss Prevention Endpoint and Data Loss Prevention Network Monitor. This chapter discusses the following topics:
• What Is Data Loss Prevention on page 1-2
• DLP Endpoint Features on page 1-4
• DLP Network Monitor Features on page 1-5
• What’s New in this Release on page 1-6
• Overall Infrastructure on page 1-7
• Browser Prerequisites on page 1-9
• About this Guide on page 1-9
• Key Terminology on page 1-11
• About Trend Micro on page 1-12
• TrendLabs on page 1-13
What Is Data Loss Prevention
Data Loss Prevention Endpoint 5.5
Trend Micro™ Data Loss Prevention (DLP) Endpoint is a comprehensive software solution that helps organizations protect sensitive information from accidental disclosure and intentional theft. DLP Endpoint prevents sensitive data loss with a unique approach that combines endpoint-based enforcement with highly accurate fingerprinting and content matching technology. DLP Endpoint detects digital assets and automatically takes actions specified in your company policies, from blocking and logging to encrypting and alerting.
Data Loss Prevention Network Monitor 2.0
Trend Micro Data Loss Prevention Network Monitor is a network-based, data loss monitoring solution that monitors network traffic across the following threat vectors:
• Sensitive data
• IP address
• Regulatory compliance
• Data stealing malware
DLP Network Monitor integrates with the DLP management server for management purposes. DLP Network Monitor leverages the DLP web console to define and deploy network agent policies, download patterns, perform upgrades, and view and generate reports. However, DLP Network Monitor is purchased separately.
Note: DLP Network Monitor must be registered with the DLP management server before DLP Network Monitor can monitor network traffic.
Content-Aware Mechanisms
Trend Micro Data Loss Prevention uses five content-aware mechanisms to discover sensitive content on laptops, desktops, servers, and (with Network Monitor) in network traffic.
TABLE 1-1. DLP Content-Aware Mechanisms
Fingerprint matching: Fingerprint matching works best with unstructured intellectual content. DLP extracts and stores fingerprints from sensitive documents that you register with the DLP server. Later, if someone transfers a file, DLP extracts fingerprints from the transferring file and compares those fingerprints with the stored fingerprints. If both files (the transferring file and the sensitive document) have prints in common, DLP counts how many fingerprints the two documents share.
Depending on the number of fingerprints that the files have in common, DLP assigns a matching level of high, medium, or low. The more fingerprints in common, the higher the matching level. If the matching level is the same as the level you set in the compliance template, DLP confirms that the transferring file is indeed sensitive.
DLP extracts fingerprints by first converting a document format (such as Microsoft™ Word and PDF) to plain text with UTF-8 encoding. DLP uses an algorithm to create multiple fingerprints from the plain text document. The number of fingerprints that DLP stores for a registered document depends on the size of the document. This way, DLP can detect sensitive documents even if they have undergone moderate change.
Pattern matching: DLP detects sensitive content by user-defined patterns, such as a credit card pattern of “nnnn-nnnn-nnnn-nnnn”. Pattern matching is best used with structured content, such as credit card numbers, national ID numbers or phone numbers. DLP enables you to define patterns using regular expressions.
Keyword matching: DLP identifies sensitive content by category-based keywords.
File attribute matching: DLP detects sensitive content by file attributes, such as file type and file size. DLP performs true file type detection to detect the correct file type even if the extension is altered.
Compliance template matching: DLP tags and detects sensitive content by a set combination of digital assets (fingerprint, pattern, keyword, file attribute). Compliance templates combine digital assets with Boolean operators (such as AND and OR) in match rules that serve as IF condition statements. If conditions are met, DLP takes actions based on your company policy. DLP contains out-of-the-box templates for regulatory compliance initiatives, such as GLBA, PCI-DSS, SB-1386, US PII, and HIPAA. Or, you can create your own templates.
DLP Endpoint Features
• Easy, intuitive setup with push-button compliance templates for regulatory compliance, such as GLBA, PCI-DSS, SB-1386, and US PII
• Active Directory integration and delegated administration
• End user device access control, including USB, CD/DVD, COM, and LPT ports, removable disks, floppy, infrared and imaging devices, print screen, modems, and PCMCIA
• Expanded privacy protection that includes filters for Skype, P2P, Windows™ File Share, ActiveSync, clipboard, and local/network printers
• Multiple policy enforcement actions, such as block, allow, alert, encrypt, justify, and log
• Multiple matching engines to detect structured and unstructured sensitive content
• Continuous data monitoring
• File type recognition including 300+ file types, such as Microsoft™ Office files, Outlook™ email, Lotus™ 1-2-3, OpenOffice, RTF, WordPad, and text
• Graphic file recognition, such as Visio, Postscript, PDF, and TIFF
• Software engineering file recognition, such as C/C++, JAVA, and AutoCAD
• Archived/compressed file recognition and decompression, such as WinZip, RAR, TAR, ARJ, 7-Zip, RPM, CPIO, GZIP, BZIP2, and Unix/Linux ZIP
• Web-based management console for policy configuration and deployment, consolidated endpoint reporting, fingerprint extraction from content sources, and updates
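As an added illustration of the fingerprint matching mechanism described in Table 1-1 (example code written for this guide, not Trend Micro's implementation), the following Python script converts documents to normalized plain text, derives many fingerprints per document from overlapping five-word windows, counts the fingerprints a transferring file shares with a registered document, and maps that count to a high, medium or low matching level that a compliance template can require. The shingling method, the window size, the level thresholds, and the "at or above the required level" confirmation rule are assumptions chosen for the illustration; the product's own algorithm is not published on this page. The sample documents are constructed.

```python
import hashlib
import re

WINDOW = 5  # words per fingerprint window (assumed value for this illustration)

# Matching level thresholds as a share of the registered document's fingerprints
# (assumed values; the product's real thresholds are not documented here).
LEVELS = (("high", 0.75), ("medium", 0.40), ("low", 0.10))
LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def normalize(text):
    """Stand-in for DLP's conversion to plain UTF-8 text: collapse whitespace, lower-case."""
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprints(text):
    """Derive a set of fingerprints from one document.

    Each fingerprint is a truncated SHA-1 of one overlapping WINDOW-word span (k-gram
    shingling, an assumed stand-in for the product's algorithm). A longer document yields
    more fingerprints, and editing a word disturbs only the few windows containing it,
    which is what lets a moderately changed copy still match."""
    words = normalize(text).split(" ")
    prints = set()
    for i in range(len(words) - WINDOW + 1):
        span = " ".join(words[i:i + WINDOW]).encode("utf-8")
        prints.add(hashlib.sha1(span).hexdigest()[:16])
    return prints


def matching_level(registered, candidate):
    """Compare a transferring file's fingerprints with a registered document's.

    Returns (level, common_count) where level is 'high', 'medium', 'low' or 'none'."""
    if not registered:
        return "none", 0
    common = len(registered & candidate)
    share = common / len(registered)
    for level, threshold in LEVELS:
        if share >= threshold:
            return level, common
    return "none", common


def template_confirms(level, required):
    """A compliance template names the matching level it needs; the file is confirmed
    sensitive when the observed level reaches it (assumed: at or above, not only equal)."""
    return LEVEL_RANK[level] >= LEVEL_RANK[required]


# Constructed sample documents: a registered original, a lightly edited copy,
# an excerpt of one sentence, and an unrelated text.
REGISTERED = ("Project Falcon quarterly revenue forecast. Expected revenue for the fourth "
              "quarter is twelve million dollars, driven mainly by enterprise licensing "
              "renewals in the EMEA region and new managed service contracts in North "
              "America. Margins are expected to improve as support costs fall.")
EDITED = REGISTERED.replace("twelve", "thirteen") + " Figures are preliminary."
EXCERPT = ("Expected revenue for the fourth quarter is twelve million dollars, driven mainly "
           "by enterprise licensing renewals in the EMEA region and new managed service "
           "contracts in North America.")
UNRELATED = ("Preheat the oven to two hundred degrees and bake the bread for forty minutes "
             "until the crust is golden brown.")


def demo(required="medium"):
    """Return {name: (level, common_count, confirmed)} for each candidate against REGISTERED."""
    stored = fingerprints(REGISTERED)
    results = {}
    for name, text in (("edited copy", EDITED), ("excerpt", EXCERPT), ("unrelated", UNRELATED)):
        level, common = matching_level(stored, fingerprints(text))
        results[name] = (level, common, template_confirms(level, required))
    return results


if __name__ == "__main__":
    for name, (level, common, confirmed) in demo().items():
        print(f"{name:12s} level={level:6s} common={common:2d} confirmed={confirmed}")
```

Running the script shows the behaviour the table describes: the edited copy keeps most of the 38 stored fingerprints and matches at the high level, the one-sentence excerpt matches at medium, and the unrelated text shares none. Because levels are a share of the registered document's fingerprints, a short excerpt pasted into a long e-mail still matches, while a large document that merely quotes a few words does not reach the threshold.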
DLP Network Monitor Features
Note: DLP Network Monitor is sold separately. DLP Network Monitor features are not included with DLP Endpoint-only implementations.
• Fast, easy deployment with software appliance-based delivery on Dell R710 and no third-party applications
• Little to no load or performance impact on the network device to which it is attached
• Monitors and detects sensitive content in network traffic, including:
  • Content whose loss might violate compliance regulations
  • Company confidential information or intellectual property
  • Data stealing malware (DSM)
• Easy, regular updates for detecting new malware
• Data filtering across the most common protocols for internal to external network data transfer: SMTP, HTTP, FTP, IM (AIM/AOL, MSN, Yahoo Messenger), and Webmail (Hotmail, Gmail, Yahoo)
• Data filtering across the most common protocol for transmitting inter-departmental traffic: Server Message Block (SMB)
• Centrally managed from the DLP management server with a simple command line interface (CLI) console for basic network configuration and troubleshooting
What’s New in this Release
DLP Endpoint 5.5
• Data Loss Prevention Network Monitor integration for management purposes and fingerprint enabling
Note: DLP Network Monitor is purchased separately.
• Crawler enhancement:
  • Support for 64-bit Windows OS for remote crawler
  • Support for SAMBA/SMB file system for remote crawler
  • More flexible and granular filter criteria for crawler fingerprint acquisition
  • More comprehensive error messaging
• New dashboard and report support
• Enhanced policy-based approved and blocked list support
• Enhanced data discovery
• Advanced log management
• Data Stealing Malware (DSM)/botnet detection by customized Network Content Correlation Pattern (NCCP)
• Encryption / forensic data encryption
Overall Infrastructure
Data Loss Prevention Endpoint
The complete Data Loss Prevention Endpoint solution is a client-server architecture with a software agent, server appliance, remote crawler, and central web console.
[Infrastructure diagram: DLP Remote Crawler and online DLP Agents (Online Policy) reached over the WAN; an offline DLP Agent (Offline Policy); the DLP Management Server with the DLP Local Crawler; File Server; MS iShare Server; DLP Network Monitor; MS AD/LDAP; and the Trend AU/PR Server over the WAN.]
TABLE 1-2. Data Loss Prevention Endpoint Components
DLP Agent: Nonintrusive, powerful monitoring and enforcement software for the endpoint. The agent communicates with the DLP management server to receive policy and fingerprint updates and to send back violation details.
DLP Server: An appliance that provides a central point for visibility, policy configuration, updates, and fingerprint extraction from content sources.
Remote Crawler: Scans for confidential data stored on desktops and laptops even if users are not connected to the company network. The Remote Crawler can acquire fingerprints for files stored on systems other than the DLP server and forwards generated fingerprints to the DLP server. This protects files stored locally (on computers where the Remote Crawler is installed) or in a SharePoint server environment that the DLP server may or may not have access to.
Web console: Supports an administrative workflow for defining digital assets, creating confidential rules, deploying policies to agents, performing data discovery scans, monitoring, and reporting.
DLP Network Monitor 2.0
Trend Micro™ DLP Network Monitor is an optional component delivered in appliance mode on a Dell R710 for fast and easy implementation. It serves as a new type of DLP agent, configured and managed from the DLP Endpoint web console. Network Monitor captures network traffic and matches the intercepted content to fingerprint data and DLP security policies.
About this Guide
The DLP Administrator’s Web Console (hereafter referred to as the DLP web console) provides an easy and intuitive interface into the various Data Loss Prevention systems. The purpose of this document is to introduce DLP administrators to the major features presented by the DLP web console and enough information to get started.
Browser Prerequisites
Note: In order to access all features provided by the UI, cookie support is required.
The supported browsers for the DLP web console are:
• Microsoft Internet Explorer™ 6 SP2/SP3
• Microsoft Internet Explorer™ 7
• Microsoft Internet Explorer™ 8
• Mozilla Firefox™ 3.0
• Mozilla Firefox™ 3.6
Note: The DLP Server Administrator console does not support multiple sessions on a single machine at any given time.
Internet Explorer Security Settings
Configure the browser to work with the DLP web console. To configure Internet Explorer:
1. On Internet Explorer, select Tools > Internet Options > Security. The Internet Options Security tab appears.
FIGURE 1-2. Internet Options screen
2. Set the zone security level to Medium-low.
3. Click the Privacy tab and set privacy settings to Medium.
4. Click Apply and click OK.
Mozilla Firefox Security Settings
Configure the Firefox browser to work with the DLP web console. To configure Mozilla Firefox:
1. On the Tools > Options > Content screen, select Enable JavaScript.
2. On the Tools > Options > Privacy screen, select Firefox will: Remember history.
Key Terminology
• Acquisition: Acquisition refers to the process of creating and storing document fingerprints. An acquisition is an execution instance that the Remote Crawler or the DLP Management server invokes to acquire fingerprints.
• Compliance Template: Sensitive data classification and detection templates. Compliance templates combine digital assets (fingerprints, keywords, attributes, patterns) with Boolean operators in an IF condition statement. If the conditions are met, the information is tagged as sensitive. Preconfigured templates include regulatory compliance templates such as PCI, GLBA, SB-1386, and HIPAA.
• Company Policy: A set of rules that define what actions Data Loss Prevention should take after detecting sensitive data.
• Data Discovery: An automated scan that locates sensitive data on laptops, desktops, and servers.
• Digital Assets: Fingerprints, keywords, file attributes, and patterns are classes of objects that help define sensitive data. These definitions are building blocks for templates. They are matched against existing data to determine if it is sensitive data that requires action.
• DSM: Data stealing malware.
• File Attribute: File metadata, such as file size and file type.
• Fingerprint: DLP-generated document pattern that can survive a moderate content change. Data Loss Prevention uses a mathematical algorithm to generate multiple fingerprints per document. Then DLP analyzes documents for fingerprints to detect potential sensitive information leaks.
• Keyword: Word or phrase that can identify sensitive data sets.
• LDAP: Lightweight Directory Access Protocol.
• NCCE: Network Content Correlation Engine that analyzes network packets for threat/malware-related network traffic.
• NCCP: Network Content Correlation Pattern that works with NCCE.
• Pattern: Any sensitive data unit that can be presented by a regular expression, such as social security numbers (SSNs), credit card numbers, bank routing numbers, and national ID numbers.
• Remote Crawler: Software module that fetches and generates document fingerprints from document repositories.
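To show how the digital assets defined above combine into a compliance template and then into a company-policy action, here is an added Python example (written for this guide, not Trend Micro's code). Pattern, keyword and file attribute assets each answer one yes/no question about a file; a Rule object joins them with AND, OR or NOT into the IF condition; and the template result selects the policy action. True file type detection is modelled with a three-entry magic-byte table, so a PDF or PNG renamed to .txt is still classified by its content. The card-number regular expression, keyword list, size limit, operator names and sample files are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Document:
    """A file as seen at the moment of transfer: its name and raw bytes (constructed)."""
    name: str
    data: bytes

    @property
    def text(self) -> str:
        return self.data.decode("utf-8", errors="replace")


# Constructed magic-byte table for true file type detection; the extension is ignored.
MAGIC = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"\x89PNG\r\n\x1a\n", "png")]


def true_file_type(data: bytes) -> str:
    """Classify a file by its leading bytes; decodable UTF-8 content counts as 'text'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


# Digital assets: each answers one yes/no question about a document.
class PatternAsset:
    """Regular-expression asset; matches at or above `min_hits` occurrences."""
    def __init__(self, regex: str, min_hits: int = 1):
        self.regex, self.min_hits = re.compile(regex), min_hits

    def matches(self, doc: Document) -> bool:
        return len(self.regex.findall(doc.text)) >= self.min_hits


class KeywordAsset:
    """Keyword asset; matches when any listed word or phrase appears (case-insensitive)."""
    def __init__(self, keywords):
        self.keywords = [k.lower() for k in keywords]

    def matches(self, doc: Document) -> bool:
        text = doc.text.lower()
        return any(k in text for k in self.keywords)


class FileAttributeAsset:
    """File attribute asset on true file type and size."""
    def __init__(self, types, max_size: int):
        self.types, self.max_size = set(types), max_size

    def matches(self, doc: Document) -> bool:
        return true_file_type(doc.data) in self.types and len(doc.data) <= self.max_size


# Compliance template: assets joined by Boolean operators into an IF condition.
class Rule:
    def __init__(self, op: str, *operands):
        if op not in ("AND", "OR", "NOT"):
            raise ValueError(f"unknown operator {op}")
        self.op, self.operands = op, operands

    def matches(self, doc: Document) -> bool:
        if self.op == "NOT":
            return not self.operands[0].matches(doc)
        results = (o.matches(doc) for o in self.operands)
        return all(results) if self.op == "AND" else any(results)


def policy_action(template: Rule, doc: Document, action: str = "block") -> str:
    """Company policy: take `action` when the template condition is met, else allow."""
    return action if template.matches(doc) else "allow"


# Constructed PCI-style template: sensitive if (two nnnn-nnnn-nnnn-nnnn card numbers OR a
# cardholder-data keyword) AND the file is a text or PDF document under 1 MB.
CARD_NUMBERS = PatternAsset(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b", min_hits=2)
PCI_KEYWORDS = KeywordAsset(["cardholder", "card number"])
INSPECTABLE = FileAttributeAsset({"text", "pdf"}, max_size=1_000_000)
PCI_TEMPLATE = Rule("AND", Rule("OR", CARD_NUMBERS, PCI_KEYWORDS), INSPECTABLE)

SAMPLES = [  # constructed sample files
    Document("customers.txt", b"Cardholder list:\n4111-1111-1111-1111\n5500-0000-0000-0004\n"),
    Document("lunch.txt", b"Lunch order for Friday: two sandwiches and a salad."),
    # A PDF renamed to .txt: the extension is wrong, the magic bytes are not.
    Document("report.txt", b"%PDF-1.4\nCard number 4111-1111-1111-1111, expiry 12/27\n"),
    # A PNG renamed to .txt that contains a keyword: not an inspectable document type.
    Document("photo.txt", b"\x89PNG\r\n\x1a\n\x00cardholder\x00"),
]


def demo():
    """Return {file name: policy action} for every sample against PCI_TEMPLATE."""
    return {doc.name: policy_action(PCI_TEMPLATE, doc) for doc in SAMPLES}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:15s} -> {action}")
```

The two disguised files show why the file attribute asset is evaluated from content rather than from the name: report.txt is blocked because it is really a PDF containing a cardholder keyword, while photo.txt is allowed because a PNG is outside the template's inspectable types even though the keyword bytes appear in it. Swapping the outer AND for OR would change that last verdict, which is the kind of consequence to check when editing a template's match rules.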
About Trend Micro
Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customer needs, stops new threats faster, and protects data in physical, virtualized, and cloud environments. Powered by the Trend Micro Smart Protection Network infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe.
Trend Micro is headquartered in Tokyo, Japan, with business units in North and South America, Europe, Asia, and Australia. Trend Micro is a global organization with more than 3,000 employees in 25 countries. For more information, or to download evaluation copies of Trend Micro products, visit our award-winning website:
TrendLabs
TrendLabs is Trend Micro’s global infrastructure of antivirus research and product support centers that provide up-to-the minute security information to Trend Micro customers.
TrendLabs monitors potential security risks around the world to ensure that Trend Micro products remain secure against emerging threats. The daily culmination of these efforts is shared with customers through frequent virus pattern file updates and scan engine refinements.
TrendLabs is staffed by a team of several hundred engineers and certified support personnel that provide a wide range of product and technical support services.
Dedicated service centers and rapid-response teams are located in Tokyo, Manila, Taipei, Munich, Paris, and Lake Forest, CA, to mitigate virus outbreaks and provide urgent support 24x7.
TrendLabs’ modern headquarters, in a major Metro Manila IT park, earned ISO 9002 certification for its quality management procedures in 2000, one of the first antivirus research and support facilities to be so accredited. Trend Micro believes TrendLabs is the leading service and support team in the antivirus industry.
Summary
The Trend Micro™ Data Loss Prevention Summary screen is a robust dashboard for viewing executive summaries of violation and Data Loss Prevention system reports. This chapter discusses the following topics:
• Accessing the Web Console on page 2-2
• Navigating the Web Console on page 2-3
• Navigating the Summary Tabs on page 2-6
Accessing the Web Console
Access the DLP web console at: http://{serverMachineName}:8080/dsc/
Note: Set {serverMachineName} to the machine name or IP address of the machine running the DLP Server.
FIGURE 2-1. DLP Logon screen
These are the default users:
• admin
• root, enable, dgate (for Linux command usage)
If you installed the DLP Virtual Application (VA), use the password that you set up during installation. If the DLP server came pre-installed, use the default password. Be sure to change the default password after logging on.
Tip: It is strongly recommended that you log off the system when you are not using it. An idle user session automatically times out after 30 minutes.
Navigating the Web Console
Data Loss Prevention displays a Welcome screen after log on. Clicking the arrow button provides a quick tour for setting up a policy.
The DLP web console defaults to the Summary screen.
The left navigation bar accesses six functional areas:
TABLE 2-1. Navigation Bar Options
Summary: Displays summaries of security violations over a range of time (seven days by default) plus system statuses.
Data Protection: Enables you to define digital assets, compliance templates, company policies, data discovery scans, and device control.
Reports: Enables you to define and generate reports.
Logs: Enables you to query and view various logs for specific dates or a range of dates.
Updates: Enables you to test and deploy new versions of patches, plug-ins and fingerprints.
Administration: Enables you to configure and/or manage the server configuration, agents, crawlers, data, endpoints, user accounts and roles.
Navigating the Summary Tabs
The Executive Summary and Violations tabs display customized UIs based on your role and account permissions. Report data is pulled from logs uploaded from agents to the DLP management server. DLP summarizes data in near real-time (10 minutes by default) on the Executive Summary tab and in real-time on the Violations tab.
Note: If an agent is disconnected from the network, such as a laptop working offline, agents continue to monitor and protect the disconnected machine. After the machine reconnects, the agent uploads violation logs of offline events to the DLP management server. Offline events are then counted in the Violations summary charts and reports. If an offline agent log uploads after a Summary report runs, you can go to Reports > Generate Reports to run a one-time report for the latest information.
Executive Summary Tab
Executive summary charts display the number of violations per channel. Channels are color-coded for easy viewing. DLP summarizes data in near real-time (10 minutes by default).
Note: “This Week” on the x-axis of the executive summary charts refers to data gathered since Monday of the current week.
An account with full permissions displays the following executive summary charts:
TABLE 2-2. Executive Summary Charts
Violation Summary Trend by Channel: Includes data from this week and the previous seven weeks. This week starts on Monday.
Violation Distribution by policy, channel, compliance template and department: Includes data from Monday of the current week.
Top 5 Department Violations: Includes data for the last 4 weeks plus this week.
Top 5 Policy Violations: Includes data for the last 4 weeks up to the current week. The current week starts on Monday.
Top 5 High Risk Users: Includes data from last week and the current week. The current week starts on Monday. Note: High risk users have more violations occurring than other users.
Top 5 Users infected by Data Stealing Malware: Includes data from Monday to the current week. The current week starts on Monday.
Top 5 IPs infected by Data Stealing Malware: Includes data from Monday of the current week. The current week starts on Monday.
Top 5 Email Account Violations: Includes data from Monday of the current week.
Violations Tab
The Violations tab summarizes violations over time, by channel and agent. The time span is seven days by default. Unlike the Executive Summary tab, the Violations tab summarizes data in real-time instead of near real-time. If your implementation includes DLP Network Monitor, you can view summaries on both network agents and endpoint agents. Otherwise, DLP sets network agent values to zero (0).
TABLE 2-3. Violations Tab Charts
Top Agents and Violations Summary:
• For the Endpoint Agents tab, the Top Agents and Violations Summary report displays the top 5 endpoints with the most violation logs reported in the past 90 days. The report is color-coded by online/offline violations.
• For the Network Agents tab, the Top Agents and Violations Summary report displays the top 5 IP sources with the most violation logs reported in the past 90 days.
Security Violations Over Time: This chart is color-coded by agent type: Endpoint Agent and Network Agent. If you are not running DLP Network Monitor, only one line displays. You can select to view this chart by 1 week or 1 month.
Security Events: This table displays information about the last 10 violations.
Security Violations: This table displays the total number of security violations by channel over the last 90 days. “Total” is the total number of violations found by both endpoint and network agents (if your implementation includes DLP Network Monitor).
Agent Status: This table displays the number of agents that are disconnected or online.
Top Violators: This table displays information about the top 5 violators over the last 90 days.
Printing Summary Reports
You can click Print on the Summary screen to print the Summary reports. However, the Summary print function directly calls the browser print function. Therefore, to maintain the web page formatting style, you must set up the print background and layout settings in your browser.
To set Mozilla Firefox™ for printing:
1. Open your browser and click File > Page Setup.
2. Select Print Background (color & images).
3. Select Shrink to Fit Page Width.
To set Microsoft Internet Explorer™ for printing:
1. Open your browser and click Tools > Internet Options > Advanced.
2. Scroll down to Printing and select Print background colors and images.
Note: If you are using Microsoft Internet Explorer™ 6, select Landscape in File > Page Setup > Orientation.
Refreshing Summary Data
Click Refresh on the Summary screen to update report data. See the Executive Summary Charts table to view the time periods for the reports.
Note: Summary report data is pulled from agent logs. If agents upload logs to the server while you are on the Summary page, there may be a 10-minute delay before they are counted in the Executive Summary tab.
Data Protection
This chapter describes how to define sensitive digital assets, compliance templates and company policies. It also describes how to configure data discovery and device controls. This chapter discusses the following topics:
• Data Protection on page 3-2
• Getting Started Workflow on page 3-3
• Digital Assets on page 3-4
• Fingerprints on page 3-4
• Patterns on page 3-15
• Keywords on page 3-24
• File Attributes on page 3-33
• Compliance Templates on page 3-37
• Company Policies on page 3-43
• Data Discovery on page 3-65
• Device Control on page 3-76
Data Protection
Before you can monitor sensitive data for potential loss, you must be able to answer the following questions:
• What data needs protection from unauthorized users?
• Where does the sensitive data reside?
• How is the sensitive data transmitted?
• What users are authorized to access or transmit the sensitive data?
• What action should be taken if a security violation occurs?
This important audit typically involves multiple departments and personnel familiar with the sensitive information in your organization.
If you already defined your sensitive information and security policies, you can begin to define digital assets and company policies in the Data Loss Prevention (DLP) system.
Note: For assistance in performing a sensitive data assessment, contact your Trend Micro
Getting Started Workflow
Clicking Data Protection from the web console left navigation bar displays the Getting Started workflow diagram. Follow the workflow to understand how to create digital asset definitions, compliance templates, and company policies. Use the links to quickly access the associated topics.
Digital Assets
Digital assets are sensitive content definitions. Data Loss Prevention uses these definitions to detect sensitive content. Digital assets combine with enforcement actions in company policies. Based on the company policy, asset detection triggers DLP actions, such as block, log, encrypt, justify, and notify.
Digital asset definitions are fingerprints, keywords, patterns, file attributes, or any combination of asset types.
Note: You can define or modify any type of digital asset at any time. However, new or modified asset definitions do not take effect until you manually deploy them through the company policy screen.
Fingerprints
Use the Fingerprints screen to register sensitive content for fingerprinting, acquire fingerprints, or schedule fingerprint acquisitions. Fingerprints can be acquired by both the local crawler and the remote crawler.
Fingerprint definitions specify the location and types of sensitive information for DLP to fingerprint. After you register and schedule sensitive content for document fingerprinting, DLP uses a mathematical algorithm to extract multiple fingerprint patterns per document. Fingerprints help identify the document later even if the document is partially altered. Fingerprinting works best with unstructured content, such as reports, email, and articles. For a description of fingerprint matching, see
Access the Fingerprints screen at Data Protection > Digital Assets > Fingerprints.
FIGURE 3-2. Fingerprints Source List
Fingerprinting documents is a two-step process:
1. Create a fingerprint definition.
2. Acquire the fingerprints.
To create a fingerprint definition:
1. On the left navigation bar, click Data Protection > Digital Assets > Fingerprints.
A list of fingerprint definitions appears. These definitions specify the locations of the source content to fingerprint.
2. On the Fingerprints toolbar, click Add. The Adding Fingerprints screen appears.
FIGURE 3-3. Adding Fingerprints screen
3. Enter the Source information. The source information describes the content to fingerprint and tells the system where to locate the content.
TABLE 3-1. Source Information Fields and Options
FIELD/OPTION DESCRIPTION
Name: Accepts up to 100 alphanumeric characters. Special characters are not allowed.
Description: Accepts up to 256 alphanumeric characters. Special characters are not allowed.
Repository Type, Local or NFS: Local is the local file system on the DLP server. If the repository is part of the local file system or a mounted file system on the DLP server, you must set the Path (for example, /home/dgate/tmp). Host is not required when the files to be acquired are located in the local file directory on the DLP server.
NFS: If the repository is part of an exported directory on an NFS server, you must set the following parameters:
• Host
• Path
The Local/NFS folder must have execute permission; otherwise, the DLP server cannot acquire fingerprints for files in the folder. Linux requires execute permission on a directory in order to list the files in it, and the DLP server must list the files to acquire their fingerprints.
Repository Type, Windows™ Share: If the repository is a shared drive or directory on a remote machine that is running Windows™, you must set the following parameters:
• Host (for example, myHostName or myHostIP)
• Path (for example, /path1/path2)
• UserID
• Password
Repository Type, SharePoint: If the repository is Microsoft SharePoint™, you must set the following parameters:
• Repository Type: SharePoint
• Host (for example, http://ishare.example.com/eng/dlp/)
• Path (for example, shared documents/path)
• UserId
• Password
Note: DLP Endpoint supports SharePoint™ 2003 and 2007.
Repository Type, Remote Crawler: If the repository type is Remote Crawler, a drop-down list field appears so that you can select the Host (the remote crawler registered to the DLP server). The names of the machines where your remote crawlers are installed can be viewed at Administration > Crawler Management.
Tip: Using the Remote Crawler for “Windows™ Share” and “SharePoint” sources is preferred because it is more dependable and private. DLP does not need a password to access a source configured on the remote crawler, but the remote crawler requires a separate download and configuration. See the Managing the Remote Crawler procedure.
4. Click Test Connection to ensure that DLP can access the repository.
Note: If you selected a Remote Crawler repository type, skip step 4 since DLP hides
5. Enter Filter criteria to apply limits to the content being fingerprinted. This prevents unnecessary acquisitions that could affect crawler performance or cause you to exceed the fingerprint storage limit of 2GB.
TABLE 3-2. Filter Criteria Description
FILTER CRITERIA DESCRIPTION
Include: Includes specific files or file extensions in the fingerprint acquisition. For example, you could specify one file or multiple files.
• DLP does not support folders here, because you specify the path/folder in the Path field.
• Separate multiple entries with a comma, but do not place a space after the comma.
• You can use up to 200 characters. Example: example.doc,*.docx
Exclude: Excludes specific folders, files, or file types during the acquisition.
• You can use up to 200 characters.
• Separate multiple entries with a comma, but do not place a space after the comma.
Date Restriction: Restricts the acquisition to files whose last modified date falls within the specified date range.
Source File Size: Specifies that fingerprints should only be acquired for files within a file size range (in bytes, KB or MB). By default, the minimum file size is 61 bytes and the maximum file size is as follows:
• Binary file: 32M
• Archive file: 32M
• Document: 75M, but only the first 6MB of extracted text is fingerprinted
You can reconfigure the default minimum and maximum fingerprint settings at Administration > Server Configuration > Fingerprint Settings.
Note: The maximum file size can be up to 512 MB depending on your configuration. See Fingerprint Settings on page 7-3.
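The Python script below is an added illustration of how the Include, Exclude, Date Restriction and Source File Size criteria in Table 3-2 narrow a file listing before acquisition; it is not part of the DLP product or of this guide. The file listing, the function names, the shell-style wildcard matching of Include/Exclude entries, and treating every file as a binary file for the size limit are assumptions made for the example.

```python
"""Added example (not Trend Micro code): applying the Table 3-2 filter
criteria to a constructed file listing before fingerprint acquisition."""
from datetime import date
from fnmatch import fnmatch

# Default Source File Size limits from Table 3-2: 61 bytes minimum and
# 32M maximum for binary and archive files (the example treats every file
# as a binary file; the separate 75M document limit is not modelled).
MIN_SIZE = 61
MAX_SIZE = 32 * 1024 * 1024


def parse_entries(spec):
    """Split a comma-separated Include/Exclude entry.

    The console rule is "separate entries with a comma but do not place a
    space after the comma", so an entry with stray whitespace is rejected
    rather than silently trimmed, and the 200-character limit is enforced.
    """
    if not spec:
        return []
    if len(spec) > 200:
        raise ValueError("Include/Exclude entry exceeds 200 characters")
    items = spec.split(",")
    if any(item == "" or item != item.strip() for item in items):
        raise ValueError("entries must be non-empty with no space after the comma")
    return items


def select_files(files, include="", exclude="", date_range=None,
                 size_range=(MIN_SIZE, MAX_SIZE)):
    """Return the paths that survive all four filter criteria.

    files: list of dicts with keys path, name, size (bytes) and modified (date).
    Include is matched against file names only (folders belong in the Path
    field); Exclude may also name folders, so it is matched against every
    path segment.  Wildcard matching (fnmatch) is an assumption of this example.
    """
    inc = parse_entries(include)
    exc = parse_entries(exclude)
    lo, hi = size_range
    chosen = []
    for f in files:
        name = f["name"]
        if inc and not any(fnmatch(name, pat) for pat in inc):
            continue
        segments = [s for s in f["path"].split("/") if s] + [name]
        if exc and any(fnmatch(seg, pat) for seg in segments for pat in exc):
            continue
        if date_range and not (date_range[0] <= f["modified"] <= date_range[1]):
            continue
        if not (lo <= f["size"] <= hi):
            continue
        chosen.append(f["path"].rstrip("/") + "/" + name)
    return chosen


# Constructed listing of a repository mounted on the DLP server.
SAMPLE_FILES = [
    {"path": "/home/dgate/tmp", "name": "report.docx", "size": 120_000, "modified": date(2010, 3, 1)},
    {"path": "/home/dgate/tmp", "name": "example.doc", "size": 50, "modified": date(2010, 3, 2)},
    {"path": "/home/dgate/tmp", "name": "notes.txt", "size": 500, "modified": date(2010, 3, 3)},
    {"path": "/home/dgate/tmp/old", "name": "draft.docx", "size": 4_000, "modified": date(2009, 1, 5)},
    {"path": "/home/dgate/tmp", "name": "archive.docx", "size": 40 * 1024 * 1024, "modified": date(2010, 3, 4)},
]

if __name__ == "__main__":
    # Only report.docx survives: example.doc is under 61 bytes, notes.txt is
    # not in the Include list, draft.docx sits in the excluded "old" folder
    # and archive.docx exceeds the 32M default.
    print(select_files(SAMPLE_FILES, include="example.doc,*.docx", exclude="old"))
```

Running the script with the Include entry from the table (`example.doc,*.docx`) and `old` as the Exclude entry leaves a single file; removing the Exclude entry brings `draft.docx` back because the Include list matches file names only.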
6. Click Save. Or, click Save & Acquire to immediately acquire the fingerprints. The fingerprint definition appears in the Fingerprints Source list along with the acquisition status.
FIGURE 3-4. Fingerprints Source List
Note: The Last Acquisition column displays the last date that DLP acquired fingerprints for the content defined in the fingerprint definition.
If you have not yet acquired the fingerprint, the next step is to schedule the fingerprint acquisition.
Scheduling an Acquisition
The procedure for scheduling a fingerprint acquisition differs slightly depending on whether or not the source for the fingerprint acquisition is the remote crawler.
To schedule a fingerprint acquisition (non-remote crawler source):
1. On the left navigation bar, click Data Protection > Digital Assets > Fingerprints.
The Fingerprints Source list appears.
2. Select the fingerprint and click Schedule Acquisition. The Scheduling Fingerprint Acquisition screen appears.
FIGURE 3-5. Scheduling Fingerprint Acquisition screen
3. Select the schedule for the fingerprint and click Save. The fingerprint is acquired at the scheduled time.
Note: To immediately acquire a fingerprint, select the fingerprint from the list and click
4. On the Fingerprints Source list, click the icon in the History column to view the acquisition status.
The Acquisition History Detail screen appears.
FIGURE 3-6. Acquisition History Detail
Besides the acquisition status, this screen shows the Failure Reason if the acquisition failed.
To schedule a fingerprint acquisition (remote crawler source):
1. On the left navigation bar, click Data Protection > Digital Assets > Fingerprints.
The Fingerprints Source list appears.
2. Select the fingerprint and click Schedule Acquisition. The Scheduling Fingerprint Acquisition screen appears.
FIGURE 3-7. Scheduling Fingerprint Acquisition screen
3. Select the schedule for the fingerprint.
4. Specify which repositories on the remote crawler to acquire, and click Save. The fingerprints are acquired at the scheduled time.
Deleting Fingerprints
Note: You cannot delete a digital asset definition that is associated with a compliance template or company policy. Remove the definition from the template or policy first before deleting the definition.
To delete a fingerprint definition:
1. On the left navigation bar, click Data Protection > Digital Assets > Fingerprints.
A list of fingerprint definitions appears.
2. Select the fingerprint definition from the list and click Delete (on the toolbar). The system asks if you are sure that you want to permanently delete the selected items.
Patterns
Use the Patterns screen to add, copy, or delete pattern definitions. DLP uses content patterns (defined using regular expressions) to detect sensitive data units in a document or data stream. Patterns are best used with structured content, such as social security numbers (SSN), credit card numbers (CCN) or phone numbers. For example, credit card numbers are typically 16 digits in the format, “nnnn-nnnn-nnnn-nnnn”, making them good candidates for pattern-based detection.
Access the Patterns screen at Data Protection > Digital Assets > Patterns.
To define a pattern:
Note: This procedure assumes that you are already familiar with regular expressions.
1. On the left navigation bar, click Data Protection > Digital Assets > Patterns. The Patterns screen appears.
2. On the Patterns toolbar, click Add. The Adding Patterns screen appears.
3. Type the Name for the pattern, up to 100 alphanumeric characters. Special characters are not allowed.
4. Type the Description for the pattern, up to 256 alphanumeric characters. Special characters are not allowed.
5. Select the pattern Type to guide the pattern matching engine to the type of pattern to search for. Different fields appear depending on your selection:
• Generic: enables you to type any regular expression information in the Pattern field. This is the recommended setting.
This is the Generic pattern for an American name:
• Pattern with small alphabet/char set: enables you to type the set of characters and the minimum and maximum character string length. This is the small alphabet/char set pattern for an ABA Routing Number:
• Pattern with fixed length suffix: enables you to type the set of characters for the suffix, the suffix length, and the minimum and maximum string length. This is a pattern for a California ID with a fixed length suffix:
• Pattern with single-char separator: enables you to type the separator, the minimum and maximum length of the left side of the separator, and the maximum length of the right side of the separator.
This is a pattern for an email address (a pattern with single-char separator):
WARNING! Pattern type is for performance tuning, and if not set correctly, could actually slow performance. Consequently, it is recommended that you select “Generic only” and set the regular expression in Pattern. Or, contact Trend Micro for assistance in correctly setting the pattern and pattern expression.
6. Type the Pattern. Pattern is the regular expression that represents the pattern to detect. DLP supports Perl Compatible Regular Expressions (PCRE) patterns. The pattern must contain at least one pair of parentheses (a capturing group) for it to be matched.
For example, this is a pattern for a credit card number:
[^\d-](\d{15,16}|\d{4}-\d{4}-\d{4}-\d{4}|\d{4}-\d{6}-\d{5})[^\d-]
The credit card regular expression tells the system to look for a 15 or 16-digit number, a 16-digit number with a pattern of nnnn-nnnn-nnnn-nnnn, or a 15-digit number with a pattern of nnnn-nnnnnn-nnnnn.
Note: For performance tuning, DLP limits the maximum matched string for one pattern to 89 characters.
To reduce false alarms, you can configure the hit count for the pattern when you define the compliance template. Also, when matching patterns, DLP groups all duplicated match strings and considers them as matched once. For example, suppose the pattern is an email pattern. If DLP detects three email addresses in the content and two of them are identical, DLP views this as two hits rather than three hits: the duplicated address is counted once.
7. Type the Pattern for display, such as nnnn-nnnn-nnnn-nnnn for a credit card mask.
8. Type some real world Examples of the sensitive content that your pattern defines. For example, U.S. dollar amounts include these examples: $1, $11.20, $4,123,345.67, $0.23.
9. Select a pattern validation method, if applicable. This field is not required. For a detailed explanation of pattern validators, see DLP Pattern Validation Methods on page 3-20.
10. Click Save.
After saving your pattern, you can add it to a compliance template that you can select in your company policy.
DLP Pattern Validation Methods
Data units, such as social security numbers (SSNs) and credit card numbers (CCNs), have their own internal semantic rules. Not every 9-digit number is a valid SSN and not every 15 or 16-digit number is a valid CCN. To reduce false positives, pattern validation methods verify (or validate) whether the extracted data units follow these rules.
Different types of data have different validation rules. There is no single generic rule for all. Currently, Trend Micro DLP supports 28 validation rules. Some rules are based on checksum algorithms, while others are more complex.
TABLE 3-3. DLP Pattern Validation Methods
VALIDATION RULE DESCRIPTION
LUHN Checksum: DLP verifies data based on the LUHN checksum algorithm. Many types of data units follow this rule, such as CCNs and Canadian Social Insurance Numbers.
Social Security Number Validation: DLP verifies whether a 9-digit number is a valid SSN by checking its area code and group number and matching it against invalid SSNs identified by the U.S. Social Security Administration (SSA).
Credit Card Number Validation: DLP checks the prefix and further verifies it with the LUHN checksum.
US Phone Number Validation: DLP checks the area code against a dictionary of collected area codes.
US Date Validation: DLP validates date presentation of Month-Day-Year. DLP checks the range of the month and day for the specified month. DLP ensures that the year is less than 2051.
PRC National ID Validation: DLP verifies the national ID card number used in the People’s Republic of China. DLP checks the birth date
Taiwan ID Number: DLP verifies the national ID card number used in Taiwan. DLP verifies the gender digit and the pattern’s own checksum.
ROK Registration Number: DLP verifies the registration number of a citizen of the Republic of Korea (South Korea). DLP verifies the birth date included in the data and the gender digit.
Canadian Social Insurance Number: DLP verifies the prefix and the LUHN checksum.
Norwegian Birth Number: DLP verifies the birth date and the 3-digit personal number embedded in the data. DLP also verifies the pattern’s two checksums.
American Name: DLP verifies names with two name dictionaries of first and last names from the US Census Bureau, up to the year 1990. These are not comprehensive name dictionaries that customers would be aware of.
ABA Routing Number: DLP verifies the first two digits of the data and the pattern’s own checksum.
UK Date: For date presentation of Day-Month-Year, DLP checks the range of month and day for a specified month. DLP also checks that the year is less than 2051.
UK NHS: DLP verifies the National Health Service number in the UK and the pattern’s own checksum.
German Tax ID: DLP verifies the German Tax ID (eTIN) by checking both the birth month and day defined in the eTIN. DLP also verifies the pattern’s checksum.
IBAN: DLP verifies the International Bank Account Number. It has several different formats depending on the country of origin. The first two letters define the country code. DLP verifies the format for the specific country code.
NPI: DLP verifies the National Provider Identifier (NPI). It has its own checksum based on the LUHN algorithm. DLP verifies the pattern’s checksum.
HIC: DLP verifies a valid Health Insurance Claim (HIC) suffix letter. The HIC number has one or two suffix letters.
ISO Date: For date presentation of Year-Month-Day, DLP checks the range of month and day for a specified month. DLP also checks that the year is less than 2051.
Swift BIC: DLP verifies the Society for Worldwide Interbank Financial Telecommunication (SWIFT) Bank Identifier Code (BIC). Swift-BIC is also known as the BIC code, SWIFT ID, or SWIFT code. Swift-BIC consists of a bank code, a country code, and a location code. DLP verifies the country code against a list of country codes that DLP believes are significant to the business. (Some country codes are not included in the list.)
France INSEE Code: DLP verifies the INSEE code, a numerical indexing code used by the French National Institute for Statistics and Economic Studies (INSEE). INSEE identifies various entities and is used as the National Identification Number given to people. DLP verifies the pattern’s own checksum.
Spanish NIF Code: DLP verifies the Spanish Fiscal Identification Number. DLP verifies the pattern’s own checksum.
Irish PPSN: DLP verifies the Irish Personal Public Service Number. DLP verifies its own checksum.
Polish ID: DLP verifies the PESEL, the national identification number used in Poland. DLP verifies the pattern’s own
Austria SSN: DLP verifies the social security number used in Austria and the pattern’s own checksum.
Danish Personal ID: DLP verifies the personal identification number used in Denmark and the pattern’s own checksum.
RAMQ, Quebec Healthcare Medical Number: DLP verifies the Quebec health insurance card number in Canada and the pattern’s own checksum.
Deleting Patterns
Note: You cannot delete a digital asset definition that is associated with a compliance template or company policy. Remove the definition from the template or policy first before deleting the definition.
To delete a pattern definition:
1. On the left navigation bar, click Data Protection > Digital Assets > Patterns. A list of pattern definitions appears.
2. Select the pattern definition from the list and click Delete (on the toolbar). The system asks if you are sure that you want to permanently delete the selected items.
3. Click OK.
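The Python script below is an added example, not code from this guide or from the DLP product. It applies the credit card pattern from step 6 of “To define a pattern” as a Python regular expression, de-duplicates the matched strings the way the Note in that step describes, and then applies the LUHN checksum named in the LUHN Checksum and Credit Card Number Validation rows of Table 3-3. The sample text and the function names are constructed; the prefix dictionary DLP consults is not published, so only the checksum half of the validator is shown. Because the bracketed boundary classes in the original pattern consume a character, two numbers separated by a single space would not both match; the example expresses the same boundaries as non-consuming lookarounds.

```python
"""Added example (not Trend Micro code): DLP-style pattern matching with
de-duplicated hits and LUHN checksum validation of credit card numbers."""
import re

# Credit card pattern from the guide, with the leading/trailing [^\d-]
# boundary classes written as non-consuming lookarounds so that adjacent
# numbers are each matched.  Group 1 is the data unit DLP reports.
CCN_PATTERN = re.compile(
    r"(?<![\d-])(\d{15,16}|\d{4}-\d{4}-\d{4}-\d{4}|\d{4}-\d{6}-\d{5})(?![\d-])"
)
MAX_MATCH_LEN = 89  # DLP caps the matched string for one pattern at 89 characters


def luhn_valid(number: str) -> bool:
    """LUHN checksum (Table 3-3): from the rightmost digit, double every
    second digit, subtract 9 from any product above 9, and require the
    sum of all digits to be a multiple of 10.  Separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if not digits:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_data_units(text: str, pattern=CCN_PATTERN) -> list:
    """Return the distinct strings captured by group 1, in order of first
    appearance.  Duplicated match strings count once, as DLP does when it
    computes hits; strings over MAX_MATCH_LEN are dropped."""
    units = []
    for m in pattern.finditer(text):
        unit = m.group(1)
        if len(unit) <= MAX_MATCH_LEN and unit not in units:
            units.append(unit)
    return units


def validated_units(text: str) -> list:
    """Data units that also pass the LUHN checksum; this is the step that
    turns a 16-digit order or phone number into a non-hit."""
    return [u for u in extract_data_units(text) if luhn_valid(u)]


def pattern_hits(text: str, validate: bool = True) -> int:
    """Hit count to compare against the Hits field of a compliance template."""
    return len(validated_units(text) if validate else extract_data_units(text))


# Constructed sample: 4111111111111111 and 378282246310005 are the usual
# card-network test numbers and pass LUHN; 1234567890123456 does not.
SAMPLE_TEXT = (
    "Cards on file: 4111111111111111, 4111111111111111 (repeat), "
    "4111-1111-1111-1111, 3782-822463-10005 and 1234567890123456. "
    "Order 5551234 is not a card."
)

if __name__ == "__main__":
    print(extract_data_units(SAMPLE_TEXT))  # 4 distinct units from 5 raw matches
    print(validated_units(SAMPLE_TEXT))     # 3 pass the checksum
    print(pattern_hits(SAMPLE_TEXT))        # 3
```

Note that the hyphenated and unhyphenated forms of the same card number are different match strings, so DLP's de-duplication rule, as described in the guide, treats them as separate hits; the checksum, which ignores separators, accepts both.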
Keywords
Use the Keywords screen to add, copy, or delete keywords. Keywords establish sensitive topic categories with which to filter and detect files. The keyword, “namespace,” could help identify source code. However, keywords alone may create false positives. Combine keywords with other digital assets in a compliance template to reduce false positives. Access the Keywords screen at Data Protection > Digital Assets > Keywords.
To define keywords manually:
1. On the left navigation bar, click Data Protection > Digital Assets > Keywords. The Keywords screen appears.
2. On the Keywords toolbar, click Add. The Adding Keyword screen appears.
FIGURE 3-11. Adding Keyword screen
3. Enter the following Keywords fields:
TABLE 3-4. Keyword Fields
FIELD / BUTTON DESCRIPTION
Name: Type the main keyword, from 3 to 100 alphanumeric characters. Special characters are not allowed.
Description: Type a description of the keyword, up to 256 alphanumeric characters. Special characters are not allowed.
Condition: Select the condition that must occur for DLP to consider the content sensitive. The condition is based on the sub-keywords that you set up in the Sub-keywords list. Different fields appear depending on your selection:
• Match any sub-keywords detects sensitive content if DLP detects any sub-keyword.
• Match all sub-keywords detects sensitive content only if DLP detects all sub-keywords.
• Match all sub-keywords with x number of characters detects sensitive content only if both of the following occur:
  • DLP detects all sub-keywords with the specified number of characters.
  • The distance from the first character of a matched sub-keyword to the first character of a second matched sub-keyword is equal to or less than the value you set for “x number of characters.”
  For example, you set two sub-keywords: “abc” and “test.” You set x number of characters to 5. When DLP matches the sub-keywords “abc” and “test” in the word “abcxxtest,” DLP counts 5 characters from “a” to find the second keyword “test.” If DLP finds the first letter of the second matched sub-keyword, DLP triggers a policy action. The order could be switched to “testxabc” and the content would still match, since there are 5 characters from the first letter of the first matched word, “test,” to the first letter of the second matched word, “abc.” However, “abcxxxtest” does not match, since there are 6 characters from “a” to “test.” In other words, the number of characters between a matched sub-keyword and the second sub-keyword cannot be greater than the x number of characters setting (which is 5 in the above example).
• Only when combined score exceeds threshold sets a threshold or weight to sub-keywords detected in content.
4. Enter the Sub-keyword fields:
TABLE 3-5. Sub-Keyword Fields
FIELD / BUTTON DESCRIPTION
Add / Update Sub-keywords: Select Add / Update Sub-keywords to add sub-keywords one at a time.
Name: Type the sub-keyword. For single-byte character sets, such as English letters and numbers, type 3 to 40 characters. For double-byte character sets, such as Japanese/Chinese characters and numbers, type 1 to 40 characters.
Case-sensitive: Select Case-sensitive if you want DLP to match the case of the sub-keyword.
Description: Type a description of the sub-keyword, if needed. This field is optional.
Score: If you selected Only when combined score exceeds threshold in the Condition field, type the Score.
5. Click Add.
DLP adds the sub-keyword to the Sub-keyword list below the form.
FIGURE 3-12. Sample C/C++ Source Code keyword definition
6. Repeat steps 4-5 until all sub-keywords are added.
7. Click Save.
The system adds the keyword definition to the Keywords screen.
To prepare the sub-keyword import file:
1. Prepare the import file.
Use the JavaScript Object Notation (JSON) format (note that the quotation marks must be plain ASCII double quotes for the file to be valid JSON):
[
  {"description":"description0","caseSensi":"1","name":"key0","score":1},
  {"description":"1:description","caseSensi":"0","name":"key1","score":2},
  {"description":"2:description","caseSensi":"1","name":"key2","score":3}
]
These are the corresponding fields on the Sub-keywords list:
• description is optional.
• caseSensi sets the case-sensitive indicators. Set 1 to indicate the sub-keyword is case-sensitive (for example, “caseSensi”:“1”). That is, content is sensitive only if the content matches the case of the specified sub-keyword. If case is not important, set caseSensi to 0.
• name is the sub-keyword. For single byte character sets, such as English letters and numbers, type 3 to 40 characters. For double byte character sets, such as Japanese/Chinese characters and numbers, type 1 to 40 characters.
• score is optional and can be a value from 1 to 10. It is used when the Condition is “Only when combined score exceeds threshold.”
To import sub-keywords:
1. On the DLP web console left navigation bar, click Data Protection > Digital Assets > Keywords.
The Keywords screen appears.
2. On the Keywords toolbar, click Add.
The Adding Keyword screen appears.
FIGURE 3-13. Adding Keyword screen
3. In the Name field, type the main keyword. This can be from 3 to 100 alphanumeric characters. Special characters are not allowed.
5. In the Condition field, select the condition that must occur for DLP to consider that the content is sensitive. The condition is based on the sub-keywords that you are importing.
• Match any sub-keyword
• Match all sub-keywords
• Match all sub-keywords with x number of characters
• Only when combined score exceeds threshold
Note: Only when combined score exceeds threshold sets a threshold or weight to sub-keywords detected in content. That is, if you specify that sub-keyword 1 has a score of 5, sub-keyword 2 has a score of 7, and the score threshold is 10, DLP would have to detect both keywords (with a combined score of 12) before determining that the content is sensitive.
6. Select Import sub-keywords. Browse to and select the sub-keyword file to import. DLP adds the sub-keywords from the import file to the Sub-keyword list below the form.
7. Click Save.
The keyword definition is added to the list on the Keywords screen.
Note: For performance tuning, when editing an existing Keyword definition (not a sub-keyword) in the Keyword screen, DLP saves the changes immediately even if you do not click Save. DLP also saves the changes immediately when you add or update a sub-keyword.
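The following Python script is an added example and not part of this guide or of the DLP product. It loads a sub-keyword import file in the JSON layout shown under “To prepare the sub-keyword import file”, checks the field rules listed there, and evaluates the four Condition settings from Table 3-4, including the “abc”/“test” distance example and the score example from the Note in step 5. The sample content, the function names, the strict “greater than” reading of “exceeds”, and the sliding-window generalization of the x-characters rule to more than two sub-keywords are assumptions of the example.

```python
"""Added example (not Trend Micro code): parsing a sub-keyword import file
and evaluating the Keyword Condition settings from Table 3-4."""
import json

# Constructed import file in the guide's JSON layout: "abc" is
# case-sensitive with score 5, "test" is case-insensitive with score 7.
IMPORT_FILE = json.dumps([
    {"description": "left sub-keyword", "caseSensi": "1", "name": "abc", "score": 5},
    {"description": "right sub-keyword", "caseSensi": "0", "name": "test", "score": 7},
])


def load_sub_keywords(text):
    """Parse the import file and enforce the field rules: caseSensi is "0"
    or "1", score (optional) is 1 to 10, name is 3 to 40 characters for
    single-byte sets and 1 to 40 for double-byte sets."""
    result = []
    for entry in json.loads(text):
        name = entry["name"]
        min_len = 3 if name.isascii() else 1
        if not min_len <= len(name) <= 40:
            raise ValueError(f"name length out of range: {name!r}")
        case = entry.get("caseSensi", "0")
        if case not in ("0", "1"):
            raise ValueError(f'caseSensi must be "0" or "1": {name!r}')
        score = int(entry.get("score", 1))
        if not 1 <= score <= 10:
            raise ValueError(f"score must be 1 to 10: {name!r}")
        result.append({"name": name, "case_sensitive": case == "1", "score": score})
    return result


def find_starts(content, kw):
    """Start offsets of every occurrence of a sub-keyword in the content,
    honouring its case-sensitivity flag."""
    hay, needle = content, kw["name"]
    if not kw["case_sensitive"]:
        hay, needle = hay.lower(), needle.lower()
    starts, pos = [], hay.find(needle)
    while pos != -1:
        starts.append(pos)
        pos = hay.find(needle, pos + 1)
    return starts


def keyword_matches(content, sub_keywords, condition, x_chars=None, threshold=None):
    """Apply one Condition setting ("any", "all", "all_within" or "score")."""
    found = {kw["name"]: find_starts(content, kw) for kw in sub_keywords}
    if condition == "any":
        return any(found.values())
    if condition == "all":
        return all(found.values())
    if condition == "all_within":
        # Every sub-keyword must occur, and the first characters of the
        # matched occurrences must lie no more than x_chars apart.  A sliding
        # window over the sorted start offsets handles any number of sub-keywords.
        if not all(found.values()):
            return False
        events = sorted((pos, name) for name, starts in found.items() for pos in starts)
        in_window, left = {}, 0
        for pos, name in events:
            in_window[name] = in_window.get(name, 0) + 1
            while pos - events[left][0] > x_chars:
                in_window[events[left][1]] -= 1
                left += 1
            if all(in_window.get(n, 0) > 0 for n in found):
                return True
        return False
    if condition == "score":
        # Sum the scores of the sub-keywords present; "exceeds" is read as
        # strictly greater than the threshold (an assumption).
        total = sum(kw["score"] for kw in sub_keywords if found[kw["name"]])
        return total > threshold
    raise ValueError(f"unknown condition {condition!r}")


if __name__ == "__main__":
    subs = load_sub_keywords(IMPORT_FILE)
    for sample in ("abcxxtest", "testxabc", "abcxxxtest"):
        print(sample, keyword_matches(sample, subs, "all_within", x_chars=5))
    print(keyword_matches("abc and TEST", subs, "score", threshold=10))    # 5 + 7 = 12 > 10
    print(keyword_matches("only TEST here", subs, "score", threshold=10))  # 7 alone is not enough
```

The three distance samples reproduce the guide's own outcomes (match, match, no match), and the score samples reproduce the 5 + 7 = 12 case from the Note; the validator rejects an import entry such as a two-character ASCII name before any matching is attempted.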
Deleting Keywords
Note: You cannot delete a digital asset definition that is associated with a compliance template or company policy. Remove the definition from the template or policy first before deleting the definition.
To delete a keyword definition:
1. On the left navigation bar, click Data Protection > Digital Assets > Keywords. A list of keyword definitions appears.
2. Select the keyword definition from the list and click Delete (on the toolbar). The system asks if you are sure that you want to permanently delete the selected items.
File Attributes
Use the File Attributes screen to add, copy, and delete file attribute definitions. File attribute definitions use file metadata, such as file type and file size, to match and detect sensitive data. By themselves, file attribute rules are too loose for most files and all activities. It is recommended that you combine file attributes with other digital assets in a compliance template.
Access the File Attributes screen at Data Protection > Digital Assets > File Attributes.
To create a file attributes definition:
1. On the left navigation bar, click Data Protection > Digital Assets > File Attributes.
The File Attributes screen appears with a list of file attributes definitions.
2. On the File Attributes toolbar, click Add.
The Adding File Attributes screen appears.
FIGURE 3-15. Adding File Attributes screen
3. Define the File Attribute Information:
• Name accepts up to 100 alphanumeric characters. Special characters are not allowed.
• Description accepts up to 256 alphanumeric characters. Special characters are not allowed.
4. Define the File Attributes: File type and / or File size.
TABLE 3-6. File Attributes
FILE ATTRIBUTE DESCRIPTION
File type: For File type, click Edit and select a Select option:
• Selected types detects sensitive content by matching the selected file types. This is the default.
• Not the selected types detects sensitive content by matching all file types except the selected file types.
Note: File type refers to true file type recognition rather than file extension. So if you select Document > Microsoft Word, DLP identifies any Microsoft™ Word file, even if the file extension was changed from *.doc to *.abc. Therefore, Trend Micro recommends selecting the file type from the list rather than defining a file type by its extension in the "Others" field.
Select one or more file types. Or, click the drop-down arrows to select or clear file types.
Others enables you to type file extensions that are not listed. Separate multiple types using a semicolon (;).
File size: Type the file size range, if applicable.
5. Click Save.
The file attributes definition appears in the File Attributes list.
Deleting File Attributes
Note: You cannot delete a digital asset definition that is associated with a compliance template or company policy. Remove the definition from the template or policy first before deleting the definition.
To delete a file attributes definition:
1. On the left navigation bar, click Data Protection > Digital Assets > File Attributes.
A list of file attribute definitions appears.
2. Select the file attribute definition from the list and click Delete (on the toolbar). The system asks if you are sure that you want to permanently delete the selected items.
3. Click OK.
Compliance Templates
Use compliance templates to tag and detect sensitive content by a set combination of digital asset definitions. A compliance template combines digital assets and operators (And, Or, Except) in condition statements. If the conditions are met, DLP triggers a policy action. For example, a file containing an American name keyword AND common medical terms triggers the HIPAA policy.
Use DLP out-of-the-box templates for regulatory compliance initiatives, such as GLBA, PCI-DSS, SB-1386, US PII, and HIPAA. Or, create your own compliance template. Access the Compliance Templates screen at Data Protection > Compliance Templates.
To define a compliance template:
1. On the left navigation bar, click Data Protection >Compliance Templates. A list of compliance templates appears.
2. On the Compliance Templates toolbar, click Add. The Add Compliance Templates screen appears.
4. For each match rule, define a Match Rule Building Block. You can add multiple match rules.
Select the type of digital asset for DLP to detect: fingerprint, pattern, keyword, or file attribute.
Select the object for the digital asset type. The object is the actual defined fingerprint, pattern, keyword, or file attribute that you want DLP to detect. If you selected a pattern or fingerprint-based match rule, additional fields appear.
TABLE 3-7. Additional Match Rule Building Block Fields
ASSET TYPE ADDITIONAL FIELD
Patterns: The Hits field displays if you select Patterns. Type how many times DLP must detect the pattern in the document before identifying the document as sensitive. Hit counts help prevent false alarms.
Fingerprints: A drop-down list with match levels displays if you select Fingerprints. Since DLP creates multiple fingerprints from both registered sensitive documents and documents being transferred, sensitive content can be determined by the number of fingerprints that match. In other words, DLP compares the fingerprints of registered documents (fingerprints stored in the fingerprint database) with the fingerprints of a transferred document. DLP counts the number of fingerprints that match and uses a formula to determine the match level. To confirm sensitive file detection, DLP then compares the match level with the value in this drop-down field.
• Low-level Match - If the number of matched fingerprints is > 0 and < 12.5%, the document is sensitive.
• Medium Match - If the number of matched fingerprints is >= 8 or >= 12.5%, the document is sensitive.
• High-Level Match - If the number of matched fingerprints is >= 20 or over 33.3%, the document is sensitive.
5. Click + to add building blocks if the match rule contains more than one condition. A new row is added.
6. Select the operator (AND, OR, or EXCEPT) to specify whether one or more match rule building blocks must be met to trigger a detection or specify an exception.
7. Repeat step 4 to add a second match rule building block.
Note: One compliance template can contain multiple match rules, which in turn each contain one or more building blocks. For example, for rule number 1 in the HIPAA match rule building block sample, DLP must detect two patterns (SSN AND credit card number) to trigger an action.
8. After defining the building blocks for the first match rule, click Add. The new match rule is displayed in the Match Rules list.
9. Click the drop-down list next to each match rule and select the operators.
Note: In the HIPAA example, each match rule uses the OR operator to indicate that if DLP finds any one of the match rules, DLP triggers the company policy action.
10. Click Save.
DLP adds the compliance template to the list. Mouse over the compliance template to view a snapshot of its match rules.
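The Python script below is an added example, not code from this guide or from the DLP product. It turns the match-level thresholds from the Fingerprints row of Table 3-7 into a function and evaluates a constructed HIPAA-style template made of match rules and building blocks joined by AND, OR and EXCEPT, as steps 4 to 9 describe. The object names, the hit counts and fingerprint counts observed in the sample documents, the left-to-right combination order, and the reading of EXCEPT as “matched so far and not this block” are assumptions of the example; the guide does not publish DLP's own match-level formula.

```python
"""Added example (not Trend Micro code): fingerprint match levels and
left-to-right evaluation of compliance-template match rules."""

LEVEL_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def match_level(matched, total):
    """Classify a transferred document by the number of its fingerprints that
    match registered content, using the thresholds listed in Table 3-7.
    Percentages are taken against `total`, the number of fingerprints DLP
    extracted from the transferred document; DLP's own formula is not
    published, so that basis is an assumption."""
    if total <= 0 or matched <= 0:
        return "none"
    pct = 100.0 * matched / total
    if matched >= 20 or pct > 33.3:
        return "high"
    if matched >= 8 or pct >= 12.5:
        return "medium"
    return "low"


def block_matches(asset_type, obj, param, observed):
    """One Match Rule Building Block against what was observed in a document.

    observed maps object names to: an integer hit count for patterns
    (already de-duplicated), a (matched, total) pair for fingerprints, or a
    bool for keywords and file attributes."""
    value = observed.get(obj)
    if value is None:
        return False
    if asset_type == "pattern":
        return value >= param            # param is the Hits field
    if asset_type == "fingerprint":
        matched, total = value           # param is the required match level
        return LEVEL_RANK[match_level(matched, total)] >= LEVEL_RANK[param]
    return bool(value)


def combine(acc, operator, value):
    """AND / OR / EXCEPT between two building blocks or two match rules."""
    if operator == "AND":
        return acc and value
    if operator == "OR":
        return acc or value
    if operator == "EXCEPT":
        return acc and not value
    raise ValueError(f"unknown operator {operator!r}")


def evaluate_rule(blocks, observed):
    """blocks: list of (operator, asset_type, object_name, param); the
    operator on the first block is ignored.  Blocks combine left to right."""
    result = None
    for operator, asset_type, obj, param in blocks:
        value = block_matches(asset_type, obj, param, observed)
        result = value if result is None else combine(result, operator, value)
    return bool(result)


def evaluate_template(rules, observed):
    """rules: list of (operator, blocks); the first operator is ignored."""
    result = None
    for operator, blocks in rules:
        value = evaluate_rule(blocks, observed)
        result = value if result is None else combine(result, operator, value)
    return bool(result)


# Constructed HIPAA-style template: rule 1 needs an SSN AND a credit card
# number; rule 2 needs a medium fingerprint match against registered patient
# records EXCEPT when a keyword marking public templates is present.
TEMPLATE = [
    ("OR", [("AND", "pattern", "US SSN", 1),
            ("AND", "pattern", "Credit Card Number", 1)]),
    ("OR", [("AND", "fingerprint", "Patient Records", "medium"),
            ("EXCEPT", "keyword", "Public Template", None)]),
]

if __name__ == "__main__":
    print(evaluate_template(TEMPLATE, {"US SSN": 2, "Credit Card Number": 1}))          # True
    print(evaluate_template(TEMPLATE, {"Patient Records": (9, 500)}))                   # True
    print(evaluate_template(TEMPLATE, {"Patient Records": (9, 500), "Public Template": True}))  # False
```

The second sample document illustrates the count-based branch of the Medium Match rule: 9 matching fingerprints out of 500 is under 2%, yet the absolute count of 8 or more makes the document sensitive.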
Deleting Compliance Templates
Note: You cannot delete a compliance template that is associated with a company policy. Remove the template from the policy first before deleting the definition.
To delete a compliance template:
1. On the left navigation bar, click Data Protection > Compliance Templates. A list of compliance templates appears.
2. Select the compliance template from the list and click Delete (on the toolbar). The system asks if you are sure that you want to permanently delete the selected items.