Data Loss Prevention

  • 1.  DLP Policy Workaround

    Posted May 06, 2014 10:12 AM

    Any suggestions as to how to configure DLP to create a workaround for the following item?  My DLP team seems to be taking an awfully long time to try to figure it out...

    We have the word “confidential” as a keyword/policy. We are getting a ton of false positives on this because the word confidential is present in the standard language of our email footers that are generated when we send an email. Any thoughts as to how to put some rules around this in the tool so that it doesn’t generate events as a result of the footer? The footer is below. Is there a way to put in an exclusion that says return the events that have the word "confidential," but don't return the events if they are present in the phrase below?

    This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information.

     



  • 2.  RE: DLP Policy Workaround

    Trusted Advisor
    Posted May 07, 2014 01:53 AM

     Hello,

     This is a common issue with DLP, as you cannot use an exclusion rule to do this, because exclusion rules exclude the whole document or the whole message from detection. I hope one day Symantec will add an operator in the rule definition so we will be able to strictly define "I want this keyword but not this one".

     Anyway, you can do what you want in a different way. From my point of view, the simplest one is to define your detection rule as a regexp which will look for "confidential" but not with "otherwise" in front or "information" after. I have done this sometimes when looking for customer email addresses, to exclude common internet email domains from the detection rule. Maybe you can use a data identifier too, looking for your pattern and excluding other patterns.

     Contact me via PM or email if you need more information.

     

     Regards.
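
The regular expression described in the reply above, sketched in Python as an added example (it is not code from either poster or from the DLP product). It assumes a regex engine with lookbehind and lookahead, which should be confirmed for the DLP version in use; `keyword_hits` and the sample messages are constructed for illustration, and the pattern reads the reply narrowly: a hit is suppressed only when "otherwise" precedes and "information" follows, so other uses of the keyword still raise events.

```python
import re

# Constructed sample: the footer sentence quoted in the first post.
FOOTER = ("This message is for the designated recipient only and may contain "
          "privileged, proprietary, or otherwise confidential information.")

# "confidential" counts as a hit unless it sits between "otherwise " and
# " information". Each alternative fires when one side of the footer phrase
# is missing, so only the exact footer wording is suppressed.
KEYWORD = re.compile(
    r"\b(?:(?<!otherwise )confidential|confidential(?! information\b))\b",
    re.IGNORECASE,
)


def keyword_hits(message: str) -> list[str]:
    """Return each remaining 'confidential' hit with a little context."""
    # Footers are often re-wrapped in transit, so collapse whitespace first;
    # the fixed-width lookbehind then only has to handle a single space.
    text = re.sub(r"\s+", " ", message)
    return [text[max(0, m.start() - 20): m.end() + 20]
            for m in KEYWORD.finditer(text)]


if __name__ == "__main__":
    # Constructed sample messages.
    samples = {
        "footer only": "Lunch at noon?\n\n" + FOOTER,
        "real hit plus footer": "Attached is the confidential pricing sheet.\n\n" + FOOTER,
        "partial footer wording": "This is otherwise confidential pricing.",
    }
    for name, body in samples.items():
        print(f"{name}: {keyword_hits(body)}")
```

Keeping the exclusion tied to the full footer wording matters: a looser pattern that drops every "confidential" followed by "information" would also drop real content.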