fingerprint

Created: 21 Aug 2013 | 5 comments
R@mj0's picture

Hi all,

Please advise regarding this.

Fingerprinting Feature


- They want to have a fingerprint feature enabled so that they will not create many policies for just one document that they want to protect.

- Or is it possible to have a storage (repository of their documents) so that the created policies will just check the fingerprinted documents from the storage?


thank you,

marj

5 Comments

S_A_M's picture

 

Hello Marj,

You may achieve this through Indexed Document Matching (IDM). This helps to create a hash of your documents, and then this index will be loaded in the physical memory. The documents will be analyzed as per the exposure, i.e. the % of data matched with the indexed data.

You may also use EDM (Exact Document Match) for structured data.

Please read the DLP Admin guide for more information on the same.
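
An added illustration of the idea in the reply above (index hashes of protected documents, then score outbound content by the percentage that matches). This is not part of the original post and not Symantec's code or algorithm: it uses hashed five-word shingles as a simplified stand-in, and every name, sample text, and the 30% threshold is an assumption made for the example.

```python
import hashlib
import re

SHINGLE_WORDS = 5  # assumed window size for this illustration


def shingles(text, k=SHINGLE_WORDS):
    """Return the set of hashed k-word windows of the normalized text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        windows = [" ".join(words)] if words else []
    else:
        windows = [" ".join(words[i:i + k]) for i in range(len(words) - k + 1)]
    return {hashlib.sha256(w.encode()).hexdigest()[:16] for w in windows}


def build_index(documents):
    """Map document name -> fingerprint set; only hashes are kept, not text."""
    return {name: shingles(body) for name, body in documents.items()}


def exposure(index, outbound_text):
    """Percent of each indexed document's fingerprints present in outbound_text."""
    seen = shingles(outbound_text)
    return {name: round(100.0 * len(fp & seen) / len(fp), 1) if fp else 0.0
            for name, fp in index.items()}


def violations(index, outbound_text, threshold_pct=30.0):
    """Names of indexed documents whose exposure meets the policy threshold."""
    scores = exposure(index, outbound_text)
    return sorted(name for name, pct in scores.items() if pct >= threshold_pct)


# Constructed sample data: two "protected" documents and one outbound message.
PROTECTED = {
    "merger_plan.txt": "The board approved the acquisition of Northwind for forty "
                       "million dollars payable in two tranches before March",
    "price_list.txt": "Wholesale unit price for model X200 is nine hundred euros "
                      "effective next quarter",
}
OUTBOUND = ("FYI the acquisition of Northwind for forty million dollars "
            "payable in two tranches is confidential")

INDEX = build_index(PROTECTED)

if __name__ == "__main__":
    print(exposure(INDEX, OUTBOUND))    # partial copy of one document
    print(violations(INDEX, OUTBOUND))  # one rule covers every indexed document
```

A single threshold rule evaluated against the index covers every indexed document, which is why one policy is enough for the whole set.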

stephane.fichet's picture

hello

If you don't need to use this policy for detection on the endpoint, you can use IDM.

You can't have a repository which is checked live by DLP, but you can define a shared drive where people can put very sensitive documents (of course this one needs to be secured so that not all people have access to it; you can also create more than one). Then you can regularly create a zip file (or do this automatically) and index it in DLP (or do this regularly using the internal DLP scheduler to update your index). Just be sure that the people who are allowed to add documents are aware that if they add a very common one, this can lead to a lot of DLP incidents.

 regards

R@mj0's picture

Hi all,

Thank you for all the advice.

I'm just wondering why it can't take no action. I mean, creating a response rule does not recognize.

Please give me an example of how to detect and have an incident.


thank you

S_A_M's picture

Hello Marj,

I believe you are talking about EDM\IDM for endpoint where there cannot be any Blocking\User cancel response rule.

For DLP, using EDM\IDM is a two-tier detection system, i.e. the EDM\IDM policies get loaded on the Endpoint Server instead of the agent system.

When we detect some data in motion (trying to transfer some information through Mail\USB etc.) or at rest (performing an Endpoint Discover scan), a copy of the reported file gets transferred to the "Endpoint Server". As we cannot wait for the action taken by the Endpoint Server and then block the transfer at the agent level, we cannot have a blocking feature. Also, many times the agent is not connected to the Endpoint Server, so in that case also this is not a feasible function.

Please let me know if you need any further clarification. The provided explanation is only associated with the endpoint part of DLP. EDM\IDM should block in case of other detections.