Security Engines - SmartDLP

Avanan's SmartDLP is a Data Loss Prevention, or Data Leak Prevention, (DLP) engine. SmartDLP helps Avanan's customers protect their organization's data from data breaches and data exfiltration.

SmartDLP scans emails and text messages posted on collaboration platforms and detects data patterns that should not be shared with unauthorized persons or destinations. The engine can also extract text from images. More than 3000 file types are supported.

The DLP enables you to create universal policies across multiple cloud applications to control how files are shared amongst internal and external users. DLP identifies and marks files containing confidential, financial, and personally identifiable information, including credit card numbers, social security numbers, bank routing numbers, and data protected under HIPAA.

Benefits

  • Scan emails and files for sensitive information with ease by using a common solution for all platforms.
  • Stop data leakage by using automated actions.
  • Generate actionable alerts.
  • Use a single integrated solution for DLP and for other threats, such as phishing and malware.
  • Built-in DLP detection rules and categories. See DLP Built-in Rules and Categories.

Enforcing the DLP Definitions

The "Configuring SmartDLP" section below describes the definitions of the DLP engine. After the DLP engine is configured, a DLP policy must be defined for these definitions to be enforced.

For more details, see Data Loss Prevention.

Configuring SmartDLP

To configure SmartDLP follow these steps:

  1. Navigate to Configuration > Security Engines.
  2. Choose SmartDLP and click Configure.
    The Configure SmartDLP screen appears.

  3. Configure the different configuration options as described below and click Save.

Configuring DLP Categories

You can configure the DLP policy with DLP categories as the matching criteria. Each DLP category contains several DLP rules.

For example, the PII DLP category includes the Passport Number DLP rule.

To add or remove DLP Rules from DLP Categories:

  1. Navigate to Configuration > Security Engines.
  2. Click Configure for DLP.
  3. Scroll down to Detection Types and find the relevant DLP category.
  4. Edit the list of DLP Rules under the category.
    Note - To exclude Universal Air Travel Plan (UATP) card numbers from being detected as credit card numbers, under the PCI detection type, enable the Exclude UATP cards from the Credit Card data types checkbox.
  5. Click Save.

For more information about the default DLP rules and their DLP categories, see DLP Built-in Rules and Categories.

Storage of Detected Strings

When the DLP engine matches strings to a DLP rule, Avanan stores these strings and displays them to administrators with sufficient permissions when they investigate the security events. Since these strings are considered sensitive and private end-user data, you can select how they are stored and presented in the system with the Detected Text Storage Mode setting.

To update Detected Text Storage Mode:

  1. Navigate to Configuration > Security Engines.
  2. Click Configure for DLP.
  3. Scroll down to Detected Text Storage Mode and select one of these options.
    • Store detected text strings (default): The detected data is saved and displayed on the security events for the forensic process.
    • Obfuscate detected text prior to storage: Detected data is saved and displayed on the security events obfuscated. The original data is discarded and cannot be accessed.
    • Do not store detected text: No detected data is stored or displayed on the security events.
  4. Click Save.

Minimal Likelihood

DLP detection results are categorized based on how likely they are to represent a match. The likelihood is determined by the number of matching elements a result contains. The likelihood representation is intended to indicate how likely it is that a piece of data matches a given type of information (info type).

Likelihood scale:

  • Very Unlikely: it is very unlikely that the data matches the given Info type.
  • Unlikely: it is unlikely that the data matches the given Info type.
  • Possible: it is possible that the data matches the given Info type.
  • Likely: it is likely that the data matches the given Info type. Also depends on context.
  • Very Likely: it is very likely that the data matches the given Info type. Also depends on context.

Context: SmartDLP checks for additional attributes and the presence of relevant data within the scanned document, depending on the configured level of likelihood. For example, when a Social Security Number (SSN) is discovered, the engine can also check for the presence of relevant strings close to the discovered pattern, such as "SSN" or "Social Security".

DLP Subject Regular Expression (Regex)

You can add a subject regular expression as the matching criteria to every DLP policy. If an email subject contains a string that matches this regular expression, the policy rule will be matched, regardless of the data types detected in it.

For more details, see Data Loss Prevention Policy.

Example: The security team sets the pattern as [SECURE] while configuring the DLP Engine. All emails users send with this pattern in the subject are automatically encrypted, even if no data type is detected in the email. If the DLP Engine detects a violation and the subject doesn't contain the pattern, it means the user unknowingly sent sensitive information. This helps the security team act on these cases to educate the users.

Notes:

  • It is recommended to use simple regex control characters, such as ".*", to keep the pattern simple.
  • By default, this feature is turned off. To enable this feature, open a support ticket or contact Avanan Support.
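To make the subject-regex behaviour above concrete, here is an added Python example; it is not Avanan's code and the engine's real matching logic is not public on this page. The sample messages, the category names in the hypothetical policy and the classify function are constructed for illustration. It also shows a check worth making before saving the pattern: the literal tag [SECURE] from the example is a character class in regex syntax, so the brackets must be escaped.

```python
import re

# Constructed sample messages (not from the original page). "dlp_categories_hit"
# stands in for the DLP categories the engine detected in the body.
SAMPLE_EMAILS = [
    {"subject": "[SECURE] Q3 payroll export", "dlp_categories_hit": []},
    {"subject": "[SECURE] Re: patient list", "dlp_categories_hit": ["HIPAA"]},
    {"subject": "Re: patient list", "dlp_categories_hit": ["HIPAA"]},
    {"subject": "Lunch on Friday?", "dlp_categories_hit": []},
]

# The tag from the page's example. Unescaped, "[SECURE]" is a character class
# matching any single S, E, C, U or R, so the brackets must be escaped; the
# ".*" on either side is the simple control-character usage the page recommends.
SUBJECT_REGEX = re.compile(r".*\[SECURE\].*")

# Categories the hypothetical policy is configured to act on.
POLICY_CATEGORIES = ("HIPAA", "PCI", "PII")


def classify(email, subject_regex=SUBJECT_REGEX, policy_categories=POLICY_CATEGORIES):
    """Return (policy_matched, reason) for one message.

    A subject match wins regardless of detected data types; a category hit
    without the tag is the "user sent sensitive data unknowingly" case.
    """
    subject_hit = subject_regex.search(email["subject"]) is not None
    category_hit = any(c in policy_categories for c in email["dlp_categories_hit"])
    if subject_hit:
        return True, "subject-tag"
    if category_hit:
        return True, "untagged-violation"
    return False, "clean"


def untagged_violations(emails):
    """Subjects the security team would follow up on for user education."""
    return [e["subject"] for e in emails if classify(e)[1] == "untagged-violation"]


def naive_pattern_matches(subject):
    """Show the escaping mistake: the unescaped tag matches any capital S, E, C, U or R."""
    return re.search("[SECURE]", subject) is not None


if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        print(e["subject"], "->", classify(e))
    print("naive [SECURE] on 'Re: patient list':", naive_pattern_matches("Re: patient list"))
```

Run as a script, the block prints the verdict for each sample and shows that the unescaped pattern would "match" a subject that merely contains a capital R, which would wrongly treat an untagged message as deliberately tagged.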

Customizing DLP Rule Parameters

To refine the definitions of a DLP category or to handle cases of false-positive detections, you can control how to match a DLP rule in an email/file/message.

Match Hit Count Settings

By default, a DLP rule's hit count increases every time a string in the email/file/message matches the DLP rule's definitions. If the same matched string appears multiple times in the email/file/message, the hit count increases accordingly.

To configure Avanan to ignore duplications of the same string when calculating the hit count, check the Unique detections only box in the Configure DLP window.

Occurrence Threshold

By default, if a DLP rule is matched X times, the hit count of the DLP Category containing this DLP rule increases by X.

Setting the occurrence threshold for the DLP rule to Y means that:

  • If the DLP rule matches < Y times, the hit count of the containing DLP Category will not be increased at all.
  • If the DLP rule matches >= Y times, the hit count of the containing DLP Category will be increased by the total number of matches.

To configure Occurrence Threshold, open a support ticket or contact Avanan Support.

Likelihood Adjustment

By default, the DLP engine assigns a DLP Category a specific likelihood level (its Minimal Likelihood).

You can configure a Likelihood Adjustment value, positive or negative, for every DLP Rule. When that DLP Rule is matched, the likelihood is automatically increased or decreased accordingly.

To configure Likelihood Adjustment, open a support ticket or contact Avanan Support.
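The Match Hit Count, Occurrence Threshold and Likelihood Adjustment settings above interact, so here is one added Python example that models all three together. It is illustrative code, not Avanan's, and it assumes simplified regex stand-ins for the Credit Card and Routing Number data types plus made-up sample values; the assumption that only a rule which passes its occurrence threshold applies its likelihood adjustment is mine, not something the page states.

```python
import re
from dataclasses import dataclass

# The page's likelihood scale, lowest to highest.
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Likely", "Very Likely"]


@dataclass
class DlpRule:
    name: str
    pattern: re.Pattern
    occurrence_threshold: int = 1    # "Y": fewer matches than this contribute nothing
    likelihood_adjustment: int = 0   # steps up (+) or down (-) the scale when the rule hits


@dataclass
class DlpCategory:
    name: str
    rules: list
    minimal_likelihood: str = "Possible"


def rule_hits(rule, text, unique_only=False):
    """Number of matches a rule contributes to its category's hit count.

    unique_only mirrors the "Unique detections only" box: repeats of the same
    string count once. The occurrence threshold is applied after that, so a
    rule matching fewer than Y times adds 0 and Y or more adds all of them.
    """
    matches = [m.group(0) for m in rule.pattern.finditer(text)]
    n = len(set(matches)) if unique_only else len(matches)
    return n if n >= rule.occurrence_threshold else 0


def category_hits(category, text, unique_only=False):
    return sum(rule_hits(r, text, unique_only) for r in category.rules)


def category_likelihood(category, text, unique_only=False):
    """Start from the category's Minimal Likelihood and apply each hitting rule's
    adjustment (assumption: only rules that pass their threshold adjust it)."""
    idx = LIKELIHOOD.index(category.minimal_likelihood)
    for r in category.rules:
        if rule_hits(r, text, unique_only) > 0:
            idx += r.likelihood_adjustment
    return LIKELIHOOD[max(0, min(len(LIKELIHOOD) - 1, idx))]


# Constructed rules and sample text: simplified stand-in patterns, not Avanan's
# real detectors, and made-up test numbers.
CREDIT_CARD = DlpRule("Credit Card", re.compile(r"\b(?:\d{4}-){3}\d{4}\b"), likelihood_adjustment=1)
ROUTING = DlpRule("Routing Number", re.compile(r"\b\d{9}\b"), occurrence_threshold=2)
PCI = DlpCategory("PCI", [CREDIT_CARD, ROUTING], minimal_likelihood="Possible")

SAMPLE_TEXT = (
    "Invoice paid with card 4111-1111-1111-1111; receipt also lists 4111-1111-1111-1111. "
    "Wire to ABA 123456789."
)

if __name__ == "__main__":
    print("hits (all):   ", category_hits(PCI, SAMPLE_TEXT))
    print("hits (unique):", category_hits(PCI, SAMPLE_TEXT, unique_only=True))
    print("likelihood:   ", category_likelihood(PCI, SAMPLE_TEXT))
```

With the sample text, the card number repeats, so the PCI hit count is 2 by default and 1 with unique detections only; the single routing number is below its threshold of 2 and adds nothing, which is the false-positive control the threshold exists for. The card rule's +1 adjustment lifts the category from Possible to Likely.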

Hot/Cold Words

Every DLP Rule is searched across the entire email/file/message by default.

Administrators can define the scope of the search so that it happens only in the vicinity of certain words (hot words) and/or not in the vicinity of others (cold words).

To configure Hot/Cold Words, open a support ticket or contact Avanan Support.
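The context check described under Minimal Likelihood and the Hot/Cold Words scope above are both proximity rules, so here is one added Python example serving both passages. It is not Avanan's code: the SSN pattern, the window of 30 characters and the sample text with made-up numbers are all my assumptions, and the page does not specify how far "in the vicinity" reaches.

```python
import re

# Constructed sample; the SSN-shaped values are made-up test data.
SAMPLE = (
    "Applicant SSN: 123-45-6789 on file. "
    "Ticket ref 987-65-4321 assigned to the helpdesk queue. "
    "Social Security number 111-22-3333 listed as a test fixture, ignore."
)

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_with_context(text, pattern, hot_words=(), cold_words=(), window=30):
    """Matches of `pattern` whose surrounding `window` characters satisfy the scope:
    at least one hot word present (when hot words are configured) and no cold word.
    The window size is an assumption; the page does not specify a distance."""
    hits = []
    for m in pattern.finditer(text):
        start = max(0, m.start() - window)
        end = min(len(text), m.end() + window)
        context = text[start:end].lower()
        if hot_words and not any(w.lower() in context for w in hot_words):
            continue  # no corroborating label nearby: treat as a bare number
        if any(w.lower() in context for w in cold_words):
            continue  # explicitly excluded context
        hits.append(m.group(0))
    return hits


def scan_unscoped(text=SAMPLE):
    """Default behaviour: the rule is searched across the entire text."""
    return find_with_context(text, SSN_PATTERN)


def scan_hot(text=SAMPLE):
    """Context check: keep SSN-shaped strings only near "SSN" or "Social Security"."""
    return find_with_context(text, SSN_PATTERN, hot_words=("SSN", "Social Security"))


def scan_hot_cold(text=SAMPLE):
    """Hot words plus a cold word that suppresses matches near "test fixture"."""
    return find_with_context(
        text, SSN_PATTERN,
        hot_words=("SSN", "Social Security"),
        cold_words=("test fixture",),
    )


if __name__ == "__main__":
    print("unscoped:  ", scan_unscoped())
    print("hot only:  ", scan_hot())
    print("hot + cold:", scan_hot_cold())
```

The unscoped scan reports all three nine-digit strings, including the ticket reference that merely looks like an SSN; the hot-word scope drops it, and the cold word additionally drops the value the document itself labels as a test fixture.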

Creating Custom DLP Rules

At times, administrators would like to create DLP Rules specific to their organization.

Regular Expression

Avanan allows you to define a custom DLP Rule based on a Regular Expression.

To add a regular expression:

  1. Navigate to Configuration > Security Engines.
  2. Click Configure for SmartDLP.
  3. Under Custom regex 1, add the regular expression.
  4. Add Custom regex 1 to one of the DLP Categories so that it can be used in the DLP policy rules. For more details, see Configuring DLP Categories.
  5. Click Save.

Note - If you need more than one custom Regular Expression DLP rule, open a support ticket or contact Avanan Support.

Compound DLP Rules

Compound DLP Rules are parent DLP rules that contain other child DLP rules, divided into two groups:

  • Triggers – DLP rules that must match; otherwise, the parent DLP rule will not match.
  • Children – DLP rules that may match and add to the parent DLP rule's hit count.

In addition, each Compound DLP Rule has a Minimum Match Type Count of its own so that the number of matches across all contained data types must be above it for the parent DLP Rule to match.

For example, you can create a compound DLP Rule named MyCompany Internal Documents the following way:

  1. Triggers
    1. A string “MyCompany”
    2. A string “Confidential”
  2. Children
    1. Source Code
    2. Bank Swift routing numbers
  3. Minimum Match Type Count = 4

Example scenarios:

The Findings columns give the number of matches for each contained data type.

  Scenario               MyCompany  Confidential  Source Code  Bank SWIFT Routing Numbers  Match?  Reason
  Only Triggers          2          3             0            0                           Yes     All triggers plus match count above the threshold
  Some Triggers          3          0             2            2                           No      One of the triggers not matched
  Not enough matches     1          1             1            0                           No      Match count below the threshold
  Triggers and Children  1          1             2            2                           Yes     All triggers plus match count above the threshold
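The compound-rule logic and the scenario table above are easy to get subtly wrong (a trigger that hits zero times must veto regardless of how many children hit), so here is an added Python example that evaluates the MyCompany Internal Documents rule. It is illustrative code, not Avanan's: the regexes are simplified stand-ins for the Source Code and SWIFT detectors, the sample document is constructed, and treating the Minimum Match Type Count as an inclusive minimum is an assumption the page's table does not settle (none of its rows has exactly four matches).

```python
import re

# Simplified stand-ins for the data types in the page's example (constructed;
# not Avanan's real Source Code or SWIFT detectors).
DATA_TYPES = {
    "MyCompany": re.compile(r"\bMyCompany\b"),
    "Confidential": re.compile(r"\bConfidential\b", re.IGNORECASE),
    "Source Code": re.compile(r"\b(?:def|class|import)\s+\w+"),
    "Bank SWIFT Routing Numbers": re.compile(r"\b[A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b"),
}

# The compound rule from the page: two triggers, two children, threshold 4.
RULE = {
    "triggers": ("MyCompany", "Confidential"),
    "children": ("Source Code", "Bank SWIFT Routing Numbers"),
    "min_match_type_count": 4,
}


def count_matches(text):
    """Findings for one document: hit count per data type."""
    return {name: len(p.findall(text)) for name, p in DATA_TYPES.items()}


def compound_rule_matches(findings, triggers, children, min_match_type_count):
    """Every trigger must hit at least once; then the total across triggers and
    children must reach the Minimum Match Type Count (inclusive, by assumption)."""
    if any(findings.get(t, 0) == 0 for t in triggers):
        return False, "One of the triggers not matched"
    total = sum(findings.get(t, 0) for t in (*triggers, *children))
    if total < min_match_type_count:
        return False, "Match count below the threshold"
    return True, "All triggers plus match count above the threshold"


# The four rows of the page's scenario table.
SCENARIOS = {
    "Only Triggers":         {"MyCompany": 2, "Confidential": 3, "Source Code": 0, "Bank SWIFT Routing Numbers": 0},
    "Some Triggers":         {"MyCompany": 3, "Confidential": 0, "Source Code": 2, "Bank SWIFT Routing Numbers": 2},
    "Not enough matches":    {"MyCompany": 1, "Confidential": 1, "Source Code": 1, "Bank SWIFT Routing Numbers": 0},
    "Triggers and Children": {"MyCompany": 1, "Confidential": 1, "Source Code": 2, "Bank SWIFT Routing Numbers": 2},
}


def evaluate_scenarios():
    """Match verdict per scenario; should reproduce the table's Match? column."""
    return {name: compound_rule_matches(f, **RULE)[0] for name, f in SCENARIOS.items()}


# Constructed document that exercises the detectors end to end (made-up BIC).
SAMPLE_DOC = """MyCompany Confidential - build notes
import os
class Deployer:
    pass
Settlement account BIC: TESTGB2L
"""


def evaluate_document(text=SAMPLE_DOC):
    return compound_rule_matches(count_matches(text), **RULE)


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:22s} -> {verdict}")
    print("sample document:", count_matches(SAMPLE_DOC), evaluate_document())
```

Note the order of the two checks: the trigger veto runs first, so the "Some Triggers" row fails even though its total of 7 is well above the threshold, exactly as the table shows.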

Creating a Compound DLP Rule

Avanan allows you to define a custom Compound DLP Rule.

To create a compound DLP rule:

  1. Navigate to Configuration > Security Engines.
  2. Click Configure for SmartDLP.
  3. Scroll down and find Patient Information below Compound Info Types.
  4. Edit the Triggers, Children, and Minimum Match Type Count.
  5. Add Patient Information to one of the DLP Categories so that it can be used in the DLP policy rules. For more details, see DLP Built-in Rules and Categories.
  6. Click Save.

Note - If you need more than one custom Compound DLP Rule, open a support ticket or contact Avanan Support.

Other Types of Custom DLP Rules

If you need a different custom data type, open a support ticket or contact Avanan Support.

Custom DLP Data Types

Avanan allows you to create custom DLP Data Types. These data types give organizations the flexibility to add any DLP data type to each of the DLP categories.

Using the DLP Data Types screen, you can view, search, and filter the predefined and custom DLP Data Types.

To create a custom DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.
  2. Click Create Data Type.
    The Create Custom DLP Data Type section appears.
  3. Enter the required Name and Description for the Data Type.
  4. Under Match type, select one of these:
    • Dictionary and add the required keywords.
      • To add a keyword to the dictionary, enter the required keyword and click Add Keyword.
      • To import keywords to the dictionary from a CSV file:
        1. Click Import dictionary.
        2. Under Upload Dictionary File, select the required CSV file.
        3. To override the existing keywords, enable the Override all existing words checkbox.
        Note - To export the keywords in the dictionary to a CSV file, click Export dictionary.
    • Regular Expression and enter the required regular expressions.
  5. Click Save.

Note - You must add the custom DLP Data Type to a DLP category before it is enforced. To add the custom DLP Data Type to a DLP category, see Configuring DLP Categories.

To edit a custom DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.
  2. Select a custom DLP Data Type.
  3. Click the vertical ellipsis icon (in the top right corner of the selected custom DLP Data Type), and then select Edit.
  4. Make the required changes to the DLP Data Type and click Save.

To clone a custom DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.
  2. Select a custom DLP Data Type.
  3. Click the vertical ellipsis icon (in the top right corner of the selected custom DLP Data Type), and then select Clone.
  4. Make the required changes to the DLP Data Type and click Save.

Note - You must add the custom DLP Data Type to a DLP category before it is enforced. To add the custom DLP Data Type to a DLP category, see Configuring DLP Categories.

To delete a custom DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.
  2. Select a custom DLP Data Type.
  3. Click the vertical ellipsis icon (in the top right corner of the selected custom DLP Data Type), and then select Delete.
  4. Click OK.

DLP Allow-List

The SmartDLP engine supports defining Allow-Lists by File MD5 or Strings.

The DLP engine stops scanning emails, messages, and files that match an Allow-List rule. The DLP verdict for allow-listed items is automatically clean.

Note - Emails, messages, and files in the DLP Allow-List are evaluated by other security engines, such as Anti-Malware and Anti-Phishing.

Adding DLP Allow-List

You can add a DLP Allow-List rule from either of these places:

  • From the DLP Allow-List
    1. Navigate to Configuration > DLP Allow-List.
    2. Click Create Allow-List.
    3. Select the Allow-List Type (File MD5 or String).
    4. Enter the required File MD5 or Strings.
      Note - When you add multiple strings, each string will be added as a separate exception. Allow-listed Strings will not be flagged as a DLP violation.
    5. If required, enter a comment for the Allow-List rule and click OK.
      Administrators can use the commented text to filter and find the Allow-Lists with a specific text from their comments.
    6. Click OK.
  • From the Entity Profile page
    1. Open the required email profile, message, or file from the Security Events.
    2. Under Security Stack, select Create Allow-List.
    3. Select the Allow-List Type (File MD5 or String).
      The File MD5 or file's detected strings will be displayed automatically.
    4. If required, enter the required strings.
      Note - When you add multiple strings, each string will be added as a separate exception.
      Allow-listed Strings will not be flagged as a DLP violation.
    5. If required, enter a comment for the Allow-List rule and click OK.
      Administrators can use the commented text to filter and find the Allow-Lists with a specific text from their comments.
    6. Click OK.

Forensics

DLP detections are recorded as events for forensic and auditing purposes. The events include what type of sensitive information was potentially leaked (PII, HIPAA, etc.).

The events can be viewed in the “Events” screen.
