Data Loss Prevention

  • 1.  DLP Policy to detect First/Last name

    Posted Feb 13, 2014 04:30 PM
    Hi Everyone, 
     
    I have the following requirement:
     
    To implement a DLP policy to monitor and trigger an incident for the following:
    " First or Last name + Phone Number OR Email address OR Postal Code " 
     
    Unfortunately, there is no database or structured data available for indexing via EDM. These contacts could be exported via Outlook or Salesforce etc. by users and then sent out via email or webmail...
    The challenge is that there is no real pattern for detecting First/Last name...
     
    What is the best practice to implement a DLP policy in this situation to avoid many false positives?
    Creating IDM or DCM (Regular Expressions)? Is there anything built-in within the Symantec DLP solution that can tackle the problem of detecting First/Last name?
     
    Thanks in advance. 


  • 2.  RE: DLP Policy to detect First/Last name

    Trusted Advisor
    Posted Feb 13, 2014 05:00 PM

    Ravish,

    In this situation you might be SOL without using an EDM.

    There is no way to detect first name or last name, unless you just search for the terms "First Name" and "Last Name", with the hope that those terms are in the spreadsheet as a column heading.

    Though you will probably get a ton of False positives.

    As far as email addresses go, you can create a regex to look for the email format. Though it will trigger on email addresses that are in the body of a message, especially when it comes to email conversations that have replies and a ton of email addresses in them.

    In order to reduce the false positive rate of email matching you will need to set the match count pretty high (25+), and you will still get some false positives.

    Overall, in order to do this you will need an EDM extract to be imported (First, Last, Email, Zip, Phone). Get the extract from Salesforce and use that, or an AD extract. Then when you create the EDM policy, match it on 3 of the 5 fields, with a match count of 3 or more.

    This will give you the best accuracy and least amount of false positives.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak



  • 3.  RE: DLP Policy to detect First/Last name
    Best Answer

    Posted Feb 18, 2014 02:37 PM

    In your first name/last name situation you could look for the phone number as a set of regex expressions and then two words that are capitalized next to each other. It won't be perfect, but it would get you something.

    So something like this:

     

    [A-Z]\w* [A-Z]\w*

    Would match:

    Bob Smith
    George Todd
    etc.

     

    You would likely have some false positives to deal with, but it may be workable in your environment.

     

     

     



  • 4.  RE: DLP Policy to detect First/Last name

    Trusted Advisor
    Posted Feb 18, 2014 05:22 PM

    If you do anything like this, make sure to use proximity matching, otherwise it will pick up a ton of capitalized words.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak
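
Added example, not part of the thread and not Symantec DLP's matching engine: a Python sketch of the logic suggested in posts 3 and 4 (a capitalized word pair within a character window of a phone, email or postal-code match), combined with a minimum count of distinct names in the spirit of the match count from post 2. The identifier patterns, the 30-character window, the threshold of 3 and both sample texts are assumptions constructed for illustration.

```python
import re

# Name heuristic from the thread: two adjacent capitalized words.
NAME = re.compile(r"\b[A-Z]\w* [A-Z]\w*\b")
# Identifier patterns are assumptions for this sketch (US-style formats).
IDENTIFIERS = [
    re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),                      # email
    re.compile(r"(?<!\d)(?:\(\d{3}\) ?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"),  # phone
    re.compile(r"(?<![\d-])\d{5}(?:-\d{4})?(?![\d-])"),                    # ZIP
]

def names_near_identifier(text, window=30):
    """Distinct name candidates with an identifier at most `window` chars away."""
    spans = [m.span() for rx in IDENTIFIERS for m in rx.finditer(text)]
    found = set()
    for n in NAME.finditer(text):
        for start, end in spans:
            # Characters between the two matches; negative means they overlap.
            gap = max(start - n.end(), n.start() - end)
            if 0 <= gap <= window:
                found.add(n.group())
                break
    return sorted(found)

def is_incident(text, window=30, min_count=3):
    """Flag only when enough distinct names sit next to an identifier."""
    return len(names_near_identifier(text, window)) >= min_count

# Constructed sample data: a contact export and an ordinary business e-mail.
EXPORT = (
    "Bob Smith, 555-867-5309, bob.smith@example.com, 30301\n"
    "George Todd, (555) 201-4477, gtodd@example.org, 94105\n"
    "Maria Lopez, 555.310.2288, mlopez@example.net, 10001\n"
)
MEMO = (
    "The Quarterly Review for Acme Corp moves to Tuesday. "
    "Read the Project Plan first, then call the help desk "
    "at 555-010-2000 if the Conference Room is locked."
)

if __name__ == "__main__":
    for label, text in (("export", EXPORT), ("memo", MEMO)):
        print(label, "proximity:", names_near_identifier(text),
              "incident:", is_incident(text))
        print(label, "no proximity:", names_near_identifier(text, len(text)))
```

On the constructed memo, the proximity window leaves only "Conference Room" as a candidate, so the threshold is not reached; without the window, four capitalized pairs count and the memo would be flagged.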



  • 5.  RE: DLP Policy to detect First/Last name

    Posted Feb 28, 2014 06:09 PM

    Thanks.