Security Engines - DLP (SmartDLP)

Avanan's SmartDLP is a Data Loss Prevention or Data Leak Prevention (DLP) engine. SmartDLP helps Avanan's customers protect their organization's data from potential data breaches or data exfiltration transmissions.

The DLP engine (SmartDLP) can scan emails and text messages posted on collaboration platforms, and detect data patterns that should not be shared with unauthorized persons or targets. The engine can also extract text from images. More than 3000 file types are supported.

The DLP enables you to create universal policies across multiple cloud applications to control how files are shared amongst internal and external users. DLP identifies and marks files containing confidential, financial, and personally identifiable information, such as credit card numbers, social security numbers, bank routing numbers, and data protected under HIPAA.

DLP Policies

This chapter discusses defining the DLP categories, Data Types, and other DLP security engine settings.

To enforce your organization’s DLP standards, you need to define DLP policies for different protected SaaS applications.

To configure the DLP policy, see the relevant SaaS application:

  • Email Data Loss Prevention (DLP) Policy
  • File Storage SaaS applications
  • Messaging SaaS applications

DLP Categories

DLP categories are containers of multiple data types. They are used in different DLP policies to describe the kind of data sharing that is considered a DLP violation and should trigger a DLP workflow.

For example, the PII DLP category includes the Passport Number DLP Data Type.

Managing DLP Categories

You can configure all the available DLP categories and manage them under Configuration > Security Engines > SmartDLP > Configure.

Editing DLP Categories

To edit the list of DLP Data Types each category contains:

  1. Navigate to Configuration > Security Engines.
  2. Click Configure for DLP.
  3. Scroll down to Detection Types and find the relevant DLP category.
  4. Add or remove data types from the category.
    Note - To exclude Universal Air Travel Plan (UATP) card numbers from detecting as credit card numbers, under PCI detection type, enable the Exclude UATP cards from the Credit Card data types checkbox.
  5. Click Save.

For more information about the default DLP Data Types and their DLP categories, see DLP Built-in Data Types and Categories.

DLP Data Types

DLP Data Types describe the content the DLP engine tries to detect. Every time the engine detects a data type, it adds 1 to the hit count of every DLP category containing this data type.

Managing DLP Data Types

To view and manage the available Data Types, go to Configuration > DLP Data Types.

Custom DLP Data Types

Avanan allows you to create custom DLP Data Types. These Data Types provide organizations the flexibility to add any DLP data type to each of the DLP categories.

Note - You must add the custom DLP Data Type to a DLP category before it is enforced. To add the custom DLP Data Type to a DLP category, see .

Creating Custom DLP Data Types

Regular Expression DLP Data Types

Regular expression Data Types add a hit to their parent category every time a string in the inspected email/file/message matches the defined regular expression.

To create a regular expression Data Type:

  1. Navigate to Configuration > DLP Data Types.
  2. Click Create Data Type.
    The Create Custom DLP Data Type section appears.
  3. Enter the required Name and Description for the Data Type.
  4. Under Match type, select Regular Expression and enter the required regular expressions.
  5. Click Save.

Dictionary DLP Data Types

A dictionary is a list of custom strings. These Data Types add a hit count to their parent category every time a string in the inspected email/file/message matches one of the strings in the dictionary.

To create a Dictionary DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.
  2. Click Create Data Type.
    The Create Custom DLP Data Type section appears.
  3. Enter the required Name and Description for the Data Type.
  4. Under Match type, select Dictionary and add the required keywords:
    • To add a keyword to the dictionary, enter the required keyword and click Add Keyword.
    • To import keywords to the dictionary from a CSV file:
      1. Click Import dictionary.
      2. Under Upload Dictionary File, select the required CSV file.
      3. To override the existing keywords, enable the Override all existing words checkbox.
      Note - To export the keywords in the dictionary to a CSV file, click Export dictionary.
  5. Click Save.

Compound DLP Rules

Compound DLP Rules are parent DLP rules that contain other child DLP rules, divided into two groups:

  • Triggers – DLP rules that must all match; otherwise, the parent DLP rule does not match.
  • Children – DLP rules that may match and, when they do, add to the parent DLP rule's hit count.

In addition, each Compound DLP Rule has its own Minimum Match Type Count: the total number of matches across all the data types it contains (triggers and children) must be above this count for the parent DLP Rule to match.

For example, you can create a compound DLP Rule named MyCompany Internal Documents the following way:

  1. Triggers
    1. A string “MyCompany”
    2. A string “Confidential”
  2. Children
    1. Source Code
    2. Bank Swift routing numbers
  3. Minimum Match Type Count = 4

Example scenarios:

  Scenario               Findings: "MyCompany"  "Confidential"  Source Code  Bank SWIFT Routing Numbers  Match?  Reason
  Only Triggers          2            3               0            0                           Yes     All triggers matched, match count above the threshold
  Some Triggers          3            0               2            2                           No      One of the triggers not matched
  Not enough matches     1            1               1            0                           No      Match count below the threshold
  Triggers and Children  1            1               2            2                           Yes     All triggers matched, match count above the threshold
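The compound-rule logic described above, worked through for the MyCompany Internal Documents rule and the four scenarios in the table. This is an added example, not Avanan's code; it assumes the Minimum Match Type Count is inclusive (a total equal to the count matches), which the page's scenarios do not distinguish.

```python
from dataclasses import dataclass


@dataclass
class CompoundRule:
    """Parent DLP rule: trigger rules that must all match, child rules that may add hits,
    and a Minimum Match Type Count the total must reach (assumed inclusive)."""
    name: str
    triggers: list[str]
    children: list[str]
    minimum_match_count: int

    def evaluate(self, findings: dict[str, int]) -> tuple[bool, str]:
        """findings maps each contained rule name to its hit count in the scanned item."""
        missing = [t for t in self.triggers if findings.get(t, 0) == 0]
        if missing:
            return False, f"trigger not matched: {', '.join(missing)}"
        total = sum(findings.get(r, 0) for r in self.triggers + self.children)
        if total < self.minimum_match_count:
            return False, f"match count {total} below threshold {self.minimum_match_count}"
        return True, f"all triggers matched; match count {total} meets threshold"


# The rule from the page: two trigger strings, two child data types, threshold 4.
INTERNAL_DOCUMENTS = CompoundRule(
    name="MyCompany Internal Documents",
    triggers=["MyCompany", "Confidential"],
    children=["Source Code", "Bank SWIFT Routing Numbers"],
    minimum_match_count=4,
)

# The page's example scenarios as (MyCompany, Confidential, Source Code, SWIFT) hit counts.
SCENARIOS = {
    "Only Triggers": (2, 3, 0, 0),
    "Some Triggers": (3, 0, 2, 2),
    "Not enough matches": (1, 1, 1, 0),
    "Triggers and Children": (1, 1, 2, 2),
}


def run_scenarios(rule: CompoundRule = INTERNAL_DOCUMENTS) -> dict[str, bool]:
    """Evaluate every scenario against the rule; returns scenario name -> matched."""
    names = rule.triggers + rule.children
    results = {}
    for scenario, counts in SCENARIOS.items():
        matched, reason = rule.evaluate(dict(zip(names, counts)))
        print(f"{scenario:<22} {'Yes' if matched else 'No':<4} {reason}")
        results[scenario] = matched
    return results


if __name__ == "__main__":
    run_scenarios()
```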


Creating a Compound DLP Rule

Avanan allows you to define a custom Compound DLP Rule.

To create a compound DLP rule:

  1. Navigate to Configuration > Security Engines.
  2. Click Configure for SmartDLP.
  3. Scroll down and find Patient Information below Compound Info Types.
  4. Edit the Triggers, Children, and Minimum Match Type Count.
  5. Add Patient Information to one of the DLP Categories so that it can be used in the DLP policy rules. For more details, see DLP Built-in DLP Rules and Categories.
  6. Click Save.

Note - If you need more than one custom Compound DLP Rule, open a support ticket or contact Avanan Support.

Other Custom DLP Data Types

If you need a different custom data type, open a support ticket or contact Avanan Support.

Edit, Clone, or Delete Custom DLP Data Types

To edit a custom DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.

  2. Select a custom DLP Data Type.

  3. Click on the vertical ellipses icon (in the top right corner of the selected custom DLP Data Type), and then select Edit.

  4. Make the required changes to the DLP Data Type and click Save.

To clone a custom DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.

  2. Select a custom DLP Data Type.

  3. Click on the vertical ellipses icon (in the top right corner of the selected custom DLP Data Type), and then select Clone.

  4. Make the required changes to the DLP Data Type and click Save.

To delete a custom DLP Data Type:

  1. Navigate to Configuration > DLP Data Types.

  2. Select a custom DLP Data Type.

  3. Click on the vertical ellipses icon (in the top right corner of the selected custom DLP Data Type), and then select Delete.

  4. Click OK.

Configuring Advanced Data Type Parameters

To refine the definitions of a DLP category or to handle cases of false-positive detections, you can control how to match a DLP Data Type in an email/file/message.

Match Hit Count Settings

By default, a DLP rule's hit count increases every time a string in the email/file/message matches with the DLP rule’s definitions. If the same matched string appears multiple times in the email/file/message, the hit count increases accordingly.

To configure Avanan to ignore duplications of the same string when calculating the hit count, check the Unique detections only box in the Configure DLP window.

Occurrence Threshold

By default, if a DLP rule is matched X times, the hit count of the DLP Category containing this DLP rule increases by X.

Setting the occurrence threshold for the DLP rule to Y means that:

  • If the DLP rule matches < Y times, the hit count of the containing DLP Category will not be increased at all.
  • If the DLP rule matches >= Y times, the hit count of the containing DLP Category will be increased by the total number of matches (not only by the matches beyond Y).
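How regular expression and dictionary Data Types feed a category's hit count, with the Unique detections only setting and the Occurrence Threshold (Y) from the two sections above applied. This is an added example, not Avanan's engine; the data types, account-number pattern and message are constructed, and it assumes duplicate removal happens before the threshold is compared.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataType:
    """A custom DLP Data Type: either a regular expression or a dictionary of keywords.
    occurrence_threshold is the page's Occurrence Threshold (Y); 1 means no threshold."""
    name: str
    pattern: Optional[re.Pattern] = None
    dictionary: tuple[str, ...] = ()
    occurrence_threshold: int = 1

    def matches(self, text: str) -> list[str]:
        """Every matched string, duplicates included (the default hit-count behaviour)."""
        if self.pattern is not None:
            return [m.group(0) for m in self.pattern.finditer(text)]
        hits = []
        for keyword in self.dictionary:
            hits += [m.group(0) for m in re.finditer(re.escape(keyword), text, re.IGNORECASE)]
        return hits


def category_hit_count(category: list[DataType], text: str, unique_only: bool) -> int:
    """Hit count one email/file/message contributes to a DLP category.
    unique_only models 'Unique detections only' (assumed to apply before the threshold)."""
    total = 0
    for data_type in category:
        hits = data_type.matches(text)
        if unique_only:
            hits = list(dict.fromkeys(h.lower() for h in hits))  # drop repeats of one string
        if len(hits) >= data_type.occurrence_threshold:  # below Y: contributes nothing at all
            total += len(hits)
    return total


# Constructed data types and message (not Avanan's built-in types).
ACCOUNT_NUMBER = DataType("Account Number", pattern=re.compile(r"\b\d{4}-\d{4}-\d{4}\b"))
STRICT_ACCOUNT = DataType("Account Number (Y=2)", pattern=ACCOUNT_NUMBER.pattern, occurrence_threshold=2)
PROJECT_NAME = DataType("Project Codename", dictionary=("Project Falcon",))
SAMPLE_MESSAGE = (
    "Project Falcon budget: charge account 1234-5678-9012 today and again "
    "to account 1234-5678-9012 on Friday. Project Falcon notes attached."
)

if __name__ == "__main__":
    for unique in (False, True):
        default = category_hit_count([ACCOUNT_NUMBER, PROJECT_NAME], SAMPLE_MESSAGE, unique)
        strict = category_hit_count([STRICT_ACCOUNT, PROJECT_NAME], SAMPLE_MESSAGE, unique)
        print(f"unique_only={unique}: hit count {default}, with Y=2 on account numbers {strict}")
```

With the same account number repeated twice, Unique detections only halves the count, and a threshold of 2 on the deduplicated type removes its contribution entirely.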

To configure Occurrence Threshold, open a support ticket or contact Avanan Support.

Likelihood Adjustment

By default, the DLP engine returns a specific likelihood level (Minimal Likelihood) to a DLP Category.

You can configure a Likelihood Adjustment value for every DLP Rule so that, when that rule is matched, the likelihood is automatically increased (positive value) or decreased (negative value) accordingly.

To configure Likelihood Adjustment, open a support ticket or contact Avanan Support.

Hot/Cold Words

Every DLP Rule is searched across the entire email/file/message by default.

Administrators can define the scope of the search so that it happens in the vicinity of certain words and/or not in the vicinity of others.

To configure Hot/Cold Words, open a support ticket or contact Avanan Support.

Configuring SmartDLP Engine Settings

To configure SmartDLP, follow these steps:

  1. Navigate to Configuration > Security Engines.
  2. Choose SmartDLP and click Configure.
    The Configure SmartDLP screen appears.

  3. Configure the different configuration options and click Save.

Storage of Detected Strings

When the DLP engine matches strings to a DLP rule, Avanan stores these strings and displays them to administrators with sufficient permissions when they investigate the security events. Since these strings are considered sensitive and private end-user data, you can select how they are stored and presented in the system using the Detected Text Storage Mode setting.

To update Detected Text Storage Mode:

  1. Navigate to Configuration > Security Engines.
  2. Click Configure for DLP.
  3. Scroll down to Detected Text Storage Mode and select one of these options.
    • Store detected text strings (default): Detected data is saved and displayed on the security events for the forensic process.
    • Obfuscate detected text prior to storage: Detected data is saved and displayed on the security events obfuscated. The original data is discarded and cannot be accessed.
    • Do not store detected text: No detected data is stored or displayed on the security events.
  4. Click Save.

Minimal Likelihood

DLP detection results are categorized based on how likely they are to represent a match. The likelihood is determined by the number of matching elements a result contains. The likelihood representation is intended to indicate how likely it is that a piece of data matches a given type of information (info type).

Likelihood scale:

  • Very Unlikely: it is very unlikely that the data matches the given Info type.
  • Unlikely: it is unlikely that the data matches the given Info type.
  • Possible: it is possible that the data matches the given Info type.
  • Likely: it is likely that the data matches the given Info type. Depends also on context.
  • Very Likely: it is very likely that the data matches the given Info type. Depends also on context.

Context: SmartDLP checks for additional attributes and the presence of relevant data within the scanned document, depending on the configured level of likelihood. For example, when a Social Security Number (SSN) is discovered, the engine can also check for the presence of relevant strings close to the discovered pattern, e.g. "SSN" or "Social Security".
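A vicinity check of the kind described for Hot/Cold Words and for likelihood context, as an added example that is not Avanan's implementation. The SSN-shaped pattern, the hot and cold word lists, the 30-character window, the one-step likelihood increase for a nearby hot word and the sample message are all constructed assumptions.

```python
import re

LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Likely", "Very Likely"]

# Constructed settings (not Avanan's): words whose vicinity raises likelihood (hot)
# or takes the hit out of the search scope (cold), and the vicinity size in characters.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
HOT_WORDS = ("ssn", "social security")
COLD_WORDS = ("order", "invoice")
WINDOW = 30


def vicinity(text: str, start: int, end: int, window: int = WINDOW) -> str:
    """Lower-cased text surrounding a match, `window` characters on each side."""
    return text[max(0, start - window):end + window].lower()


def scored_matches(text: str, base_level: str = "Possible") -> list[tuple[str, str]]:
    """Return (matched string, likelihood) for each pattern hit that stays in scope.
    A cold word nearby drops the hit; a hot word nearby raises likelihood one step."""
    results = []
    for m in SSN_PATTERN.finditer(text):
        context = vicinity(text, m.start(), m.end())
        if any(cold in context for cold in COLD_WORDS):
            continue  # outside the configured search scope: not reported
        level = LIKELIHOOD.index(base_level)
        if any(hot in context for hot in HOT_WORDS):
            level = min(level + 1, len(LIKELIHOOD) - 1)
        results.append((m.group(0), LIKELIHOOD[level]))
    return results


# Constructed message: the first number sits next to "SSN", the second next to "order",
# the third has no context either way.
SAMPLE_TEXT = (
    "Employee SSN: 123-45-6789 is now on file with HR. "
    "Please quote order 987-65-4321 when calling support. "
    "The reference 555-12-3456 appears in the notes."
)

if __name__ == "__main__":
    for value, likelihood in scored_matches(SAMPLE_TEXT):
        print(value, likelihood)
```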

DLP Allow-List

The SmartDLP engine supports defining Allow-Lists by File MD5 or Strings.

The DLP engine stops scanning emails, messages, and files that match an Allow-List rule. The DLP verdict for anything matching an Allow-List rule is automatically clean.

Note - Emails, messages, and files in the DLP Allow-List are evaluated by other security engines, such as Anti-Malware and Anti-Phishing.

Adding DLP Allow-List

You can add a DLP Allow-List rule from either of these places:

  • From the DLP Allow-List
    1. Navigate to Configuration > DLP Allow-List.
    2. Click Create Allow-List.
    3. Select the Allow-List Type (File MD5 or String).
    4. Enter the required File MD5 or Strings.
      Note - When you add multiple strings, each string will be added as a separate exception. Allow-listed Strings will not be flagged as a DLP violation.
    5. If required, enter a comment for the Allow-List rule and click OK.
      Administrators can use the commented text to filter and find the Allow-Lists with a specific text from their comments.
    6. Click OK.
  • From the Entity Profile page
    1. Open the required email profile, message, or file from the Security Events.
    2. Under Security Stack, select Create Allow-List.
    3. Select the Allow-List Type (File MD5 or String).
      The File MD5 or file's detected strings will be displayed automatically.
    4. If required, enter the required strings.
      Note - When you add multiple strings, each string will be added as a separate exception.
      Allow-listed Strings will not be flagged as a DLP violation.
    5. If required, enter a comment for the Allow-List rule and click OK.
      Administrators can use the commented text to filter and find the Allow-Lists with a specific text from their comments.
    6. Click OK.

Forensics

DLP detections are recorded as events for forensic and auditing purposes. The events include what type of sensitive information was potentially leaked (PII, HIPAA, etc.).

The events can be viewed in the “Events” screen.
