Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Fine Tuning DLP - Is this possible?

Created: 03 Sep 2013 | 2 comments

Hello

Id like to look into fine tuning our DLP (11.1) discover policy to reduce false positives.

What Id like to acheive seems simple, apply the Luhn algorithm to number strings greater than 13 digits, just to rule out phone numbers and most case #s. 

Currently I am using the CCN data identifier with Medium settings: Exclude exaxt match/Luhn Check/Number Delimiter.

I read AR Sharmas post for beginners and he says (loose quote) we can add an "expression for digits". What kind of expression would limit the discovery to numeric strings greater than x? Would it just be \d(>13)? Or an IF statement? Im no programmer but a hint would help me a lot. 

Looking at the easiest options I could add an "Exclude Prefix" validator for area codes that dont conflict with a BIN #. But I see there is also a custom Script option, would that be where I could limit the # of digits?

Thanks in advance

Rob

Operating Systems:

Comments 2 CommentsJump to latest comment

stephane.fichet's picture

Hi

 can we remind us (at least me) what are the valdiators available by default in CCN data identifier ? In 11.6.2 there is a validator named "number delimiter" (never tested it but sounds to do exactly what you need).

 You can try to update all patterns adding a \b (dont know if it works for data identifier as it is not exactly regexp) at the beginning and at the end in order to specify that you want to have word delimiter before and after. so like that you will only detect string of exact number of digits.

 regards.

DLPscanner's picture

Hello and thanks Stephanie

Here are the validators available to me under Credit card:

Checksum
No Validation
Australian Tax File validation check
Burgerservicenummer Check
China ID checksum validator
Codice Fiscale Control Key Check
Cusip Validation
DNI control key check
Exclude exact match
Exclude beginning characters
Exclude ending characters
Hong Kong ID
INSEE Control Key
Exclude prefix
Exclude suffix
IP Basic Check
IP Octet Check
IP Reserved Range Check
Mod 97 Validator
Advanced KRRN Validation
Luhn Check
Singapore NRIC
Number Delimiter
Require beginning characters
Exact Match
Duplicate digits
Advanced SSN
Basic SSN
SSN Area-Group number
Require ending characters
Swiss AHV
Taiwan ID
UK Drivers License
UK NHS
Find keywords
Custom Script

The description for Number Delimiter is "Validates a match by checking the surrounding characters"

This sounds like what I would use for my area code option (pr prefix) but even better would be to add the expression do not scan unless over 13 digits. Im going to take a look at the custom script option this weekend and if I find anything that works I'll report back.