Data Loss Prevention

  • 1.  DLP Exception\Exclusion

    Posted Jan 12, 2017 10:53 AM

    Hi all, 

    We have a really well-developed DLP rule: it blocks emails if there is a keyword ("foo") in the email or a special attachment. This rule works for a group of hundreds of users. 

    But sometimes we need to allow some users from this group to send emails with this keyword "foo". This means that we need to develop some exclusion\exception procedure where the user stays in the same group but, by some email manipulation (adding an additional keyword, modifying CC:\BCC:, etc.), bypasses the existing blocking rule. 

    I have an idea (see below) of how to realize it, but I already see a lot of disadvantages there. Do you have any ideas on how to implement a solution that allows some users to bypass the blocking rule? 

    See attached file: 

    Step#1:

    1. User sends an email with some sensitive data. 

    2. DLP scanner recognizes the content, blocks the email and raises a DLP incident. 

    3. A non-delivery report (mail backbone) is sent to the sender: "Your email is blocked. If you still want to send it, please provide in CC: (or BCC:) the following address: dlp_exception@org.com. bla-bla-bla"

    Step#2:

    4. User sends the same email to the same recipient, but provides the dlp_exception@org.com address in CC: (or BCC:). 

    5. This time the DLP scanner just raises a DLP incident but doesn't block the email. 

    6. The email is delivered to the recipient. 

     

    DISADVANTAGES: 

    1. Exception address misuse: the user provides the dlp_exception@org.com address from the beginning and bypasses the blocking rule. 

    2. Recipient confusion: if the CC: field is used, then the recipient needs to be informed what the dlp_exception address is about and why it is in copy. 

    3. I am not sure that this concept would work at all, since the user is still the same in both steps. 

     

    Do you have a more elegant and precise solution for this scenario? I am open to any solution (preferably simple and free). 



  • 2.  RE: DLP Exception\Exclusion

    Posted Jan 15, 2017 12:09 AM

    Do you not want any administrator approval involved at all?

    You're essentially talking about a form of quarantining (though I wouldn't call users releasing their own emails quarantining), which there are a number of ways to achieve depending on your environment.

    If you're using DLP Endpoint Agent to block these (or have it in addition to Network Prevent), you can use the User Cancel to block and notify, which allows them to 'send' if they provide a justification and click 'OK'. This does the same as your example, with the goal being essentially to make users accountable for their actions (if they send it, they're accepting this accountability and it's logged in the DLP console).

    If you're using Network Prevent for Email to do this and have an MTA that enables user-releasable quarantining, then you can tag via SMTP header and set a rule on the MTA to quarantine and notify the user of the process to release if required.

    If the above methods aren't viable, I'd use a unique subject tag [blah] and then use a rule on your MTA to remove it (after it's been processed by DLP).

    Users abusing it is a concern; however, if you make it known to them in the notification that they're accepting accountability for the DLP bypass (and have some kind of periodic review of emails that have bypassed it), then it shouldn't be a huge issue.
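The following is an added example, not code from the thread, from Symantec DLP or from any MTA product. It models both mechanisms discussed above in one small policy engine: the original post's two-step workflow (block on keyword "foo", then deliver-with-incident when dlp_exception@org.com is in CC:/BCC:) and the reply's variant (a [blah] subject tag that the MTA strips after DLP processing, plus a periodic review of every bypassed message). It also gives a concrete check for disadvantage 1 of the post: a bypass marker used on a first attempt, with no earlier blocked incident from the same sender and subject, is flagged for review. The `Message` and `DlpPolicy` classes, the `X-DLP-Bypass` audit header name and the sample addresses other than dlp_exception@org.com are assumptions made for the example; the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Values taken from the thread; everything else in this file is illustrative.
KEYWORDS = ("foo",)
EXCEPTION_ADDRESS = "dlp_exception@org.com"
SUBJECT_TAG = "[blah]"
AUDIT_HEADER = "X-DLP-Bypass"  # assumed header name for the MTA's audit trail


@dataclass
class Message:
    sender: str
    to: list
    subject: str
    body: str
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    headers: dict = field(default_factory=dict)


def strip_tag(subject):
    """Remove the bypass subject tag (case-insensitive) and trim whitespace."""
    return re.sub(re.escape(SUBJECT_TAG), "", subject, flags=re.IGNORECASE).strip()


class DlpPolicy:
    """'Block unless a bypass marker is present' policy with an incident log."""

    def __init__(self):
        self.incidents = []
        self._blocked = set()  # (sender, normalized subject) pairs blocked earlier

    def _keyword_hits(self, msg):
        text = f"{msg.subject}\n{msg.body}".lower()
        return [k for k in KEYWORDS if k.lower() in text]

    def _bypass_markers(self, msg):
        markers = []
        if EXCEPTION_ADDRESS in [a.lower() for a in msg.cc + msg.bcc]:
            markers.append("exception-address")   # original post's mechanism
        if SUBJECT_TAG.lower() in msg.subject.lower():
            markers.append("subject-tag")         # reply's mechanism
        return markers

    def evaluate(self, msg):
        hits = self._keyword_hits(msg)
        if not hits:
            return {"action": "deliver", "incident": None, "review_flags": []}
        key = (msg.sender.lower(), strip_tag(msg.subject).lower())
        markers = self._bypass_markers(msg)
        incident = {"sender": msg.sender, "to": list(msg.to), "keywords": hits,
                    "bypass": markers, "blocked": not markers, "review_flags": []}
        self.incidents.append(incident)
        if not markers:
            self._blocked.add(key)
            return {"action": "block", "incident": incident, "review_flags": []}
        if key not in self._blocked:
            # Disadvantage 1 from the post: marker supplied up front, no prior block.
            incident["review_flags"].append("bypass-without-prior-block")
        return {"action": "deliver-with-incident", "incident": incident,
                "review_flags": incident["review_flags"]}


def mta_post_process(msg, verdict):
    """Reply's suggestion: after DLP, the MTA strips the tag and the exception
    address so the real recipient never sees them, and records the bypass in a header."""
    if verdict["action"] != "deliver-with-incident":
        return msg
    msg.subject = strip_tag(msg.subject)
    msg.cc = [a for a in msg.cc if a.lower() != EXCEPTION_ADDRESS]
    msg.bcc = [a for a in msg.bcc if a.lower() != EXCEPTION_ADDRESS]
    msg.headers[AUDIT_HEADER] = ",".join(verdict["incident"]["bypass"])
    return msg


def review_report(policy):
    """Periodic review the reply recommends: every bypassed message, flagged ones first."""
    rows = [i for i in policy.incidents if not i["blocked"]]
    return sorted(rows, key=lambda i: (not i["review_flags"], i["sender"]))


def run_scenario():
    """Constructed scenario: the post's two steps, then a first-attempt bypass."""
    policy = DlpPolicy()
    first = Message("alice@org.com", ["bob@partner.com"], "Q1 numbers", "contains foo data")
    v1 = policy.evaluate(first)                       # step 1: blocked, NDR would go to alice
    second = Message("alice@org.com", ["bob@partner.com"], "Q1 numbers",
                     "contains foo data", cc=[EXCEPTION_ADDRESS])
    v2 = policy.evaluate(second)                      # step 2: delivered, incident logged
    delivered = mta_post_process(second, v2)
    third = Message("carol@org.com", ["dave@partner.com"], "[blah] contract foo", "draft")
    v3 = policy.evaluate(third)                       # no prior block: flagged for review
    return v1, v2, v3, delivered, policy


if __name__ == "__main__":
    v1, v2, v3, delivered, policy = run_scenario()
    print(v1["action"], v2["action"], v3["action"], v3["review_flags"])
    print(delivered.subject, delivered.cc, delivered.headers)
```

The bypass is keyed on the message (exception recipient or subject tag), not on the sender's group membership, which is why the user can stay in the same group in both steps; the accountability the reply describes is what the incident record and the review report capture, and the "bypass-without-prior-block" flag is what a reviewer would look at first.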