Data Loss Prevention

  • 1.  Only Fire Incident When Matching Multiple Rules in Policy?

    Posted Apr 04, 2013 06:40 AM

    Hi,

    I have a policy that contains a number of detection rules. This is working fine, but we would really like it to trigger an incident only if more than one of the rules is matched (for example, in a single email).

    Is there a way to do this? My rules list inside the policy shows "or" in between each rule, and I can see no way to change this.

    Ideally, we would set it to trigger an incident only if two or more of the six rules inside the policy are matched.

    Thanks for any advice!



  • 2.  RE: Only Fire Incident When Matching Multiple Rules in Policy?

    Trusted Advisor
    Posted Apr 04, 2013 09:42 AM

    Hi

    It depends on the detection type used in your rules, but you can try to use the number of matches to define a response rule which will set a specific status under a certain number of matches, and exclude this status from being seen by the incident response team.



  • 3.  RE: Only Fire Incident When Matching Multiple Rules in Policy?

    Posted Apr 09, 2013 03:37 PM

    You can use your rules to set up compound rules.  For example, we have a rule that matches SSNs and certain keywords alongside a rule that matches other personal information with a set of keywords.  This can be done using a data identifier, or by adding additional matching parameters from the "Also match" dropdown at the bottom of the policy.



  • 4.  RE: Only Fire Incident When Matching Multiple Rules in Policy?

    Posted Apr 10, 2013 04:40 AM

    Thanks, Guys - I'll give these suggestions a try today and come back with the results.



  • 5.  RE: Only Fire Incident When Matching Multiple Rules in Policy?

    Posted Apr 10, 2013 05:51 AM

    Thanks again for these suggestions. I've been going through this, but it looks like the only way I could do it would be by following Jsneed's suggestion to put the combination logic in separate rules.

    For example, inside the policy I would need a separate rule for each combination of data I want to match (one rule to match passport number and driver's licence in one email, another rule to match passport number and SS number, and so on). This seems quite arduous considering the number of combinations you would need to detect significant PII leakage.

    I looked into creating a special data identifier but I couldn't see where I could put the logic in for either/or matches.

    Stephane - Sorry, I got a bit lost when looking into your suggestion. I wonder if you could elaborate? 

    The main problem I have is that the individual rules are triggering hundreds of real matches (i.e. people sending passport numbers to travel brokers), and I have no remit to tell them not to. Therefore, I'm mainly interested in detecting major leakage such as combinations of PII to start with.   
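    To make the two options discussed above concrete, here is an added worked example; it is not from any of the posts and does not use the product's own policy engine or data identifiers. Six constructed, deliberately simplified regular expressions (hypothetical stand-ins, not validated PII formats) play the part of the six rules in the policy, and a message is evaluated three ways: the current OR-of-rules behaviour, the wanted "2 of 6 distinct rules" threshold, and that same threshold expanded into one compound AND rule per pair, as the post above describes. It also counts how many compound rules that expansion needs, and shows why a raw match count (as in the response-rule suggestion earlier in the thread) is not the same thing as a count of distinct rules. The sample messages are constructed.

```python
import math
import re
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Six hypothetical detection rules standing in for the six rules in the
# policy discussed above. The patterns are constructed, simplified
# stand-ins (not the product's data identifiers and not validated PII
# formats); they exist only to exercise the policy logic.
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "passport": re.compile(r"(?i)passport.{0,20}?\b\d{9}\b"),
    "driving_licence": re.compile(r"\b[A-Z]{5}\d{6}[A-Z]{2}\d[A-Z]{2}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b"),
    "bank_account": re.compile(r"\b\d{2}-\d{2}-\d{2}\b\s*\d{8}\b"),
}


def match_counts(message: str) -> Dict[str, int]:
    """Hits per rule, which is what a per-rule match count would see."""
    return {name: len(pattern.findall(message)) for name, pattern in RULES.items()}


def matched_rules(message: str) -> Set[str]:
    """Distinct rules that fire at least once on this message."""
    return {name for name, n in match_counts(message).items() if n > 0}


def total_matches(message: str) -> int:
    """Raw number of hits across all rules (NOT the number of distinct rules)."""
    return sum(match_counts(message).values())


def fires_any(message: str) -> bool:
    """What the policy does today: rules are OR'ed, one hit is an incident."""
    return bool(matched_rules(message))


def fires_threshold(message: str, k: int = 2) -> bool:
    """Wanted behaviour: at least k DISTINCT rules match the same message."""
    return len(matched_rules(message)) >= k


def compound_rules(names: Iterable[str], k: int = 2) -> List[Tuple[str, ...]]:
    """The workaround spelled out: one AND-rule per k-combination of rules."""
    return list(combinations(sorted(names), k))


def fires_via_compound_rules(message: str, k: int = 2) -> bool:
    """Same decision as fires_threshold, reached through the expanded
    compound rules, to show the two formulations are equivalent."""
    matched = matched_rules(message)
    return any(set(rule) <= matched for rule in compound_rules(RULES, k))


def compound_rule_count(n_rules: int, k: int = 2) -> int:
    """How many compound rules the workaround needs: C(n, k)."""
    return math.comb(n_rules, k)


# Constructed sample messages (not real data, not from the thread).
TRAVEL_EMAIL = "Hi, booking for next week. My passport number is 123456789, name as per ticket. Thanks!"
HR_EMAIL = ("New starter details: SSN 123-45-6789, DOB 12/05/1985, "
            "passport 987654321, driving licence MORGA657054SM9IJ.")
TWO_SSNS = "Payroll fix: please update 123-45-6789 and 987-65-4321 before Friday."
CLEAN = "Lunch at 12:30 on Friday? Bring the Q3 slides."

if __name__ == "__main__":
    samples = [("travel", TRAVEL_EMAIL), ("hr", HR_EMAIL), ("two_ssns", TWO_SSNS), ("clean", CLEAN)]
    for label, msg in samples:
        print(f"{label:9s} any={fires_any(msg)!s:5s} two_of_six={fires_threshold(msg)!s:5s} "
              f"distinct={sorted(matched_rules(msg))} total_hits={total_matches(msg)}")
    print("compound rules needed for 2 of 6:", compound_rule_count(6, 2))
    print("compound rules needed for 3 of 6:", compound_rule_count(6, 3))
```

    Two things fall out of running it. The travel-broker style message trips one rule only, so it is an incident under the current OR policy but not under the "2 of 6" threshold, which is exactly the separation wanted above. The payroll message contains two SSNs: a response rule keyed on the raw match count would see 2 and treat it like the HR message, while a count of distinct rules sees 1, so any match-count based approach has to count rules, not hits. The expansion into compound rules gives the same answers as the threshold for every message and every k, but needs C(6,2) = 15 rules for "2 of 6" and C(6,3) = 20 for "3 of 6", which is the arduousness described in the post.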




  • 6.  RE: Only Fire Incident When Matching Multiple Rules in Policy?

    Posted May 13, 2013 06:32 AM

    See, if the individual rules are triggering many real matches then you will have to apply some more conditions to reduce the number of matches you get. Here you will have to keep trying n number of times, considering different conditions each time, until you are satisfied with the result.


  • 7.  RE: Only Fire Incident When Matching Multiple Rules in Policy?

    Posted May 14, 2013 12:49 PM

    Please check your policy rule and detection parameters.