Best Practices – Using Data Loss Prevention Filters
As a general rule, when using Data Loss Prevention (DLP) tools we suggest creating several smaller individual filters rather than one large one. In other words, instead of creating a single filter that looks for SSN and Date of Birth and Drivers License and Credit Card and . . . , best practice is to have one filter looking for SSN, another one looking for Credit Cards, another for Birth Dates, and so on. This makes it much easier to identify which filter is triggering and to make any necessary modifications.
In addition, when possible we suggest using Smart Identifier Scans in conjunction with the associated Dictionary Scan – so instead of just looking for Driver License numbers, best practice is looking for emails that contain Driver License numbers AND Drivers License terms. That type of filter is going to be much less likely to trigger an invoice number or telephone number that just happens to match the driver’s license numbers used Alabama, for example.
Note – Smart Identifier scans, the SSN filter can be prone to false positives. You should use the restrictive SSN filter instead.
Implementation and Testing
Implementing DLP should be viewed similarly to the implementation of DMARC (protection against fraudulent spoofing of your domain). Both require monitoring and tuning.
Here’s an example of how one might set up DLP
1 – Soft Implementation
2 – Monitor
3 – Adjust
4 – Monitor
5 – Hard Implementation
6 – Monitor
7 – Adjust
8 – Repeat 6-7
A soft implementation for DLP might be a rule of “alert” rather than “encrypt”.
Note – It is important to keep the filtering rule with a lower priority than the manual triggers. If an employee manually triggers the encryption (ie. plugin, subject line tag) then you can have the action be Encrypt from the get-go.
A soft implementation for DMARC would be a p=none policy
In both cases, the intent would be to monitor the potential impact.
Then adjust the policies as needed.
Adjustments for DLP could mean adding exclusions to the policy in the filtering rule.
Adjustments for DMARC might mean updating your SPF record.
Once ready you can move to a stricter policy.
For DLP that would be flipping to an “encrypt” policy.
For DMARC that would be flipping to a p=quarantine or eventually p=reject
As you can see, though DLP and DMARC are very different – the implementation methodology is actually quite similar.