Security Engines - SmartDLP

Avanan's SmartDLP is a Data Loss Prevention, or Data Leak Prevention (DLP), engine. SmartDLP helps Avanan's customers protect their organization's data from potential data breaches or data exfiltration.

SmartDLP can scan emails and text messages posted on collaboration platforms, and detect data patterns that should not be shared with unauthorized persons or targets. The engine can also extract text from images. More than 3000 file types are supported.

The DLP enables you to create universal policies across multiple cloud applications to control how files are
shared amongst internal and external users. DLP identifies and marks files containing confidential, financial,
and personally identifiable information, including: credit card numbers, social security numbers, bank
routing numbers, or data protected under HIPAA, etc.

Benefits

  • Scan emails and files for sensitive information with ease, by using a common solution for all
    platforms.
  • Stop data leakage by using automated actions.
  • Generate actionable alerts.
  • Use an integrated solution for DLP and other types of attacks, such as phishing and malware.
  • Built-in DLP detection rules for many verticals and countries.

Configuring SmartDLP

To configure SmartDLP, follow these steps:

  1. Navigate to Configuration > Security Engines.

  2. Choose SmartDLP and click Configure.
    The Configure SmartDLP screen appears.

  3. (Optional) Enter the Custom regex to be run at the Security tool (sectool) level. This regex is applied
    to both the subject and body of the email.
    Defining a regex here makes DLP Custom Regex available for configuration under the DLP policy. When
    DLP Custom Regex is then added to one of the DLP Rules (categories), a detection generates an event
    with the category it was added to.
    Note - To generate an event for the Custom regex defined here, you must both define the regex here
    in the DLP engine and add the Custom regex to one of the categories (PII, PCI, etc.) under the DLP
    policy.
  4. Select the required Detected Text Storage Mode. This option controls what scanned data will be
    saved and how.
    • Store detected text strings (default): This is the default option and the detected data is saved
      and displayed on the security events for the forensic process.
    • Obfuscate detected text prior to storage: Detected data is saved and displayed on the
      security events obfuscated. The original data is discarded and cannot be accessed.
    • Do not store detected text: No detected data is stored or displayed on the security events.
  5. Select the minimum level of detection required for Minimal Likelihood. See Match Likelihood.
  6. To ignore duplicate detections of the same violation, enable the Unique detections only checkbox.
  7. Select the Detection types required for each DLP category. For more details on the built-in detection
    types, see this article.
  8. Click Save.

Minimal Likelihood

DLP detection results are categorized based on how likely they are to represent a match. The likelihood is determined by the number of matching elements a result contains. The likelihood representation is intended to indicate how likely it is that a piece of data matches a given type of information (info type).

Likelihood scale:

  • Very Unlikely: it is very unlikely that the data matches the given Info type.

  • Unlikely: it is unlikely that the data matches the given Info type.

  • Possible: it is possible that the data matches the given Info type.

  • Likely: it is likely that the data matches the given Info type. Depends also on context.

  • Very Likely: it is very likely that the data matches the given Info type. Depends also on context.

Context: SmartDLP checks for additional attributes and the presence of relevant data within the scanned document, depending on the configured level of likelihood. For example, when a Social Security Number (SSN) is discovered the engine can also check for the presence of relevant strings close to the discovered pattern, i.e. "SSN" or "Social Security".
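The likelihood scale and context check described above, as an added illustration (not Avanan's code or scoring algorithm): it rates SSN-shaped strings, then applies a minimal likelihood, the Unique detections only option and the three storage modes. The scoring rules, the 40-character window, the masking format and all function names are assumptions.

```python
import re
from enum import IntEnum

class Likelihood(IntEnum):          # the page's five-step scale
    VERY_UNLIKELY = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    VERY_LIKELY = 5

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CONTEXT_RE = re.compile(r"\bSSN\b|social security", re.IGNORECASE)
WINDOW = 40  # assumed: characters searched on each side of a match

def score(text, m):
    """Assumed scoring: format match + issuable number + nearby context."""
    area, group, serial = m.groups()
    issuable = (area not in ("000", "666") and area[0] != "9"
                and group != "00" and serial != "0000")
    start, end = m.span()
    near = bool(CONTEXT_RE.search(text[max(0, start - WINDOW):end + WINDOW]))
    if not issuable:
        return Likelihood.UNLIKELY if near else Likelihood.VERY_UNLIKELY
    return Likelihood.VERY_LIKELY if near else Likelihood.POSSIBLE

def stored_text(value, mode):
    """Detected Text Storage Mode; the masking format is an assumption."""
    if mode == "store":
        return value
    if mode == "obfuscate":
        return "***-**-" + value[-4:]
    return None                     # "do not store"

def scan(text, minimal=Likelihood.POSSIBLE, unique_only=True, mode="store"):
    events, seen = [], set()
    for m in SSN_RE.finditer(text):
        level = score(text, m)
        if level < minimal or (unique_only and m.group(0) in seen):
            continue
        seen.add(m.group(0))
        events.append((level.name, stored_text(m.group(0), mode)))
    return events

# Constructed sample message, not real data.
SAMPLE = ("Payroll update: employee SSN 536-22-1234 on file. "
          "Ticket ref 000-12-3456 closed. "
          "Order number 212-45-6789 shipped last week, nothing else to report today. "
          "Reminder, Social Security number 536-22-1234 again.")
```

Raising `minimal` trades missed detections for fewer false positives: at `LIKELY`, the order number that merely looks like an SSN no longer produces an event.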

DLP Subject Regular Expression (Regex)

You can add a subject regular expression as the matching criteria to every DLP policy. If an email subject contains a string that matches this regular expression, the policy rule will be matched, regardless of the data
types detected in it.

For more details, see Data Loss Prevention Policy.

Example: The security team sets the pattern as [SECURE] while configuring the DLP Engine. All the emails
sent by the users with the pattern are automatically encrypted, even if no data type is detected in the email.
If the DLP Engine detects a violation, and the subject doesn't contain the pattern, it means the user
unknowingly sent sensitive information. This helps the security team to act on these cases to educate the
users.

Notes:

  • It is recommended to use simple regex control characters to simplify the pattern (".*").
  • By default, this feature is turned off. To enable this feature, open a support ticket or contact Avanan Support.
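An added example (not Avanan's code) of the [SECURE] workflow above, assuming the subject pattern is evaluated with standard regular-expression semantics as in Python's `re`; the page does not state the product's regex dialect. Under those semantics an unescaped `[SECURE]` is a character class, so the bracketed tag has to be escaped to match literally. The bucket names and the sample outbox are hypothetical.

```python
import re

UNESCAPED = r"[SECURE]"      # character class: any ONE of S, E, C, U, R
ESCAPED = r"\[SECURE\]"      # the literal tag, brackets included

def triage(subject, dlp_hits, pattern):
    """Return the handling bucket for one outgoing email."""
    if re.search(pattern, subject):
        return "encrypt"         # subject match applies regardless of data types
    if dlp_hits:
        return "educate-user"    # sensitive data sent without the tag
    return "deliver"

# Constructed sample: (subject, data types the DLP scan detected)
OUTBOX = [
    ("[SECURE] Q3 payroll export", ["SSN"]),
    ("Re: payroll question", ["SSN"]),
    ("Quarterly Update", []),
    ("[SECURE] contract draft", []),
]

def run(pattern):
    """Triage every message in the sample outbox with the given pattern."""
    return [triage(subject, hits, pattern) for subject, hits in OUTBOX]

def overmatches(pattern, untagged_subjects):
    """Subjects that do not carry the tag but still match the pattern."""
    return [s for s in untagged_subjects if re.search(pattern, s)]

if __name__ == "__main__":
    for name, pattern in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(name, run(pattern))
```

With the unescaped pattern every sample subject containing an uppercase S, E, C, U or R is treated as tagged, so the "user sent sensitive data without the tag" case never surfaces for the security team.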

Office 365 Footprint

Transport rules:

An additional transport rule is created when Inline DLP is enabled.

  • Rule name: Avanan - Protect Outgoing.

  • Verify similar to Avanan - Protect.

  • Rule:

    [Screenshot: DLP-three]

  • Rule description:

    [Screenshot: DLP-four]


Connectors

An additional connector, Avanan to O365, is added.

  • Connector:

    [Screenshot: DLP-five]

Forensics

DLP detections are recorded as events for forensic and auditing purposes. The events include what type of sensitive information was potentially leaked (PII, HIPAA, etc.).

The events can be viewed in the “Events” screen.

[Screenshot: DLP-eight]