Data Loss Prevention

  • 1.  Exact Data Match with Vontu

    Posted Aug 18, 2010 07:46 PM

    Hi,

    I am trying to find answers to the following questions around Exact Data Match with Vontu. Can someone help?

    What is the objective for any corporate to run Exact Data Match for sensitive data in his/her organization?

    What problem does it solve?

    How do we know that it's successful?

    Will this decrease false positives? If yes - how?

    Will this improve automation? If yes - how?

    Will this increase catches of data loss?

    Your help and guidance will be appreciated.

    Thanks,
    Chirag Shah



  • 2.  RE: Exact Data Match with Vontu

    Posted Aug 19, 2010 01:27 AM
    Well, here are some answers to your questions:

    1) EDM (also known as Exact Data Matching) is a type of data. EDM refers to any type of data that is created in tabular form, for example: Oracle, MSSQL, Excel, Microsoft Access and more.
    EDM exposure would be serious most of the time. Most organizations keep their most valuable information in tables, for example: list of employees and salaries, list of customers, list of credit cards and many more. The risk of exposure is major. It could be that any cell exposed means trouble. You are able to define which cells are important to the organization, and in which order. For example: first name, last name and credit card are forbidden, but first name and last name is fine.

    2) I don't know how you define successful, but like any other type of data, if and when it is blocked you will receive an incident on the Enforce that suggests what triggered the incident.

    3) EDM will certainly decrease your false positive level. EDM is the best way to operate since it's black/white: in order for an incident to trigger you would have to fit exactly to the data that was in the DB you scanned. I can't and won't say there are no false positives in EDM, but for sure it is the best and most efficient way to detect data leakage.

    4) EDM could improve automation. Because an EDM incident is 99% true and not a false positive, you will be able to block the data transfer and phase in the EDM technology faster than other data types (DCM/IDM).

    5) It will increase data loss catches, and most of the time when you catch a data loss with EDM, it is for real!

    If you would like some further reading on the data types and their usage, you could read this article:


    Chapter 2 - The Concept of DLP - Monitoring and Blocking Confidential Data

    Kind Regards,
    Naor Penso


  • 3.  RE: Exact Data Match with Vontu

    Posted Aug 19, 2010 09:17 AM
    Following up on what Naor posted, one of the ways I have used an EDM in the past is taking a casino's player card information and creating a policy based on the information on the list. As he mentions, it is very, very accurate. And in the case of the casino, if someone had high roller information this could seriously damage the reputation of the casino.

    Another example is a hospital where we took the patient numbers through an EDM and created a policy based around Last Name and ID# matching. Since the ID# is not the SSN there is no canned template. So by using the EDM we matched off Last Name + ID# to generate an incident. Last name would only show the customer was at the hospital, and ID# was unique to that institution, so if that got out it wasn't as big of a deal, but last name + ID = ability to get information about the patient.

    What do you define as being successful?  Data not leaving?  Tracking exactly what is going out?  Would need more information to answer that question better.

    If you want, feel free to drop me a note and we can chat about your DLP questions.
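
A simplified sketch of the column-combination matching described in the two replies above (first name + last name + credit card; Last Name + ID#), added here as an illustration. It is not part of the thread and is not how Vontu implements EDM; the sample rows, key and function names are constructed for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: index holds keyed hashes, not cleartext

# Constructed sample rows standing in for the protected source table.
ROWS = [
    {"last_name": "Okafor", "patient_id": "H-204417"},
    {"last_name": "Lindqvist", "patient_id": "H-318802"},
]
# An incident fires only when every listed column matches within the same row.
REQUIRED = ("last_name", "patient_id")


def fingerprint(value):
    """Keyed hash of a normalized (trimmed, lower-cased) cell value."""
    data = value.strip().lower().encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def build_index(rows):
    """Map fingerprint -> set of (row number, column) the value came from."""
    index = defaultdict(set)
    for row_no, row in enumerate(rows):
        for column, value in row.items():
            index[fingerprint(value)].add((row_no, column))
    return index


def scan(text, index, required=REQUIRED):
    """Return the row numbers whose required columns all appear in the text."""
    seen = defaultdict(set)  # row number -> columns matched in this message
    for token in re.findall(r"[A-Za-z0-9-]+", text):
        for row_no, column in index.get(fingerprint(token), ()):
            seen[row_no].add(column)
    return sorted(r for r, cols in seen.items() if set(required) <= cols)


INDEX = build_index(ROWS)
```

A last name or an ID on its own returns no rows, and so does a last name from one row paired with an ID from another; only both values from the same row produce an incident, which is where the low false-positive rate comes from.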


  • 4.  RE: Exact Data Match with Vontu

    Posted Aug 19, 2010 01:29 PM

    I have Symantec Antivirus version 10.0.0.359. I can't install it on Windows 7. Please help me. Thanks for an answer.


  • 5.  RE: Exact Data Match with Vontu

    Posted Aug 19, 2010 05:38 PM
    Not that it's relevant to the DLP Forum, but SAV (Symantec Anti-Virus) version 10.x does not support Windows 7.
    You will need to install Symantec Endpoint Protection version RU5 at least.

    Kind Regards,
    Naor Penso


  • 6.  RE: Exact Data Match with Vontu

    Posted Sep 08, 2010 09:41 AM
    Just adding to Jonathan's comment of using EDM with player card information in a casino. This is exactly what we did at a casino. It was very effective. Player card information contains all kinds of valuable information with regards to clients and their spending habits. It's definitely information that is "valuable".

    We sought to protect player card information by using a rule based on EDM. We used keywords and DCM to fine tune the policy. Can we qualify this as a success? You have to qualify what success means to your organization. It is based on the scope of your DLP project. For example, does success mean reducing the flow of confidential data via one protocol or several? I used the term "effective" in my statement because it gave the client visibility on data loss in a way that they did not have any metrics on before. The reports that were generated as a result of the incidents provided the client with an opportunity to remediate broken business practices or resolve security issues with regards to the movement of this data.

    Either way, EDM is a good start and plays a very healthy role in most DLP policy setup.

    Cherian Thomas,
    Info. Security Risk Consultant


  • 7.  RE: Exact Data Match with Vontu

    Posted Oct 15, 2010 02:36 PM

    We're beginning to use EDM and have found issues with detection in files larger than 2MB.  We were advised to increase the size of "Lexer.MaximumNumberOfTokens" but not given a recommendation.  What do others set this value to?