Data Loss Prevention

  • 1.  Pictures?

    Posted Jun 02, 2014 11:53 AM

    Okay, I currently am trying to clean up a bit of our policies at my company. We currently monitor attachments through SMTP and flag multiple attachments that are large (to inspect for HIPAA, acceptable use violations, etc.) and I wanted to know if there is a good solution to being able to exclude known pictures that are used as company logos (at the bottom of their emails)? These images come through as a generic attachment it seems, so I'm lost at how to do this, and it is ineffective to use the file size as a method (or it appears so). Anyone have any ideas?



  • 2.  RE: Pictures?

    Broadcom Employee
    Posted Jun 02, 2014 12:27 PM

    Hi Lithium,

    You can use IDM to achieve your objective. You can put the common signature .jpeg in the set and then use it for exclusions. You can't use IDM for exclusions on Endpoint but you can use it for detection. This is from the Admin Guide:

    You use Indexed Document Matching (IDM) to protect confidential, proprietary,
    or sensitive content and information stored in documents and files. For example,
    you can use IDM to protect financial report data stored in Microsoft Office
    documents, or merger and acquisition information stored in PDF files, or source
    code stored in text-based files. You can also use IDM to protect binary files, such
    as JPEG images, CAD designs, and multimedia files. In addition, you can use IDM
    to detect partial or derived content, such as text that has been copy/pasted from
    one document to another.

    Best,

    Ryan



  • 3.  RE: Pictures?

    Posted Jun 02, 2014 01:44 PM

    What exactly will this do? I apologize, I'm still a bit confused. Each image that comes across has random names and file sizes (and sometimes too common of a name to exclude by name). Does this allow DLP to match the actual image to the one placed in the IDM?



  • 4.  RE: Pictures?

    Broadcom Employee
    Posted Jun 02, 2014 03:33 PM

    Lithium,

    An IDM will make a hash of each file, and then compare the incoming images to this hash. So if the image is the same, but has a different name, it will match. However, if the image is copied to another document, then the hash will not match. Also, if you have a 50% match rate, it will either match or not. For other content that we can actually do content extraction for, the match rate comes into play.

    I hope this helps.

    Best,

    Ryan



  • 5.  RE: Pictures?

    Trusted Advisor
    Posted Jun 03, 2014 03:45 AM

    Hello,

     It seems to me that IDM for images must match 100% only. DLP is not able to detect partial image matching with IDM.

     So if people are able to change the image logo size, you should try to exclude images from your monitoring. DLP is not able to analyze image content (there was some test with an OCR module on DLP but not sure it was conclusive).

     Regards.



  • 6.  RE: Pictures?

    Posted Jun 03, 2014 10:08 AM

    Thank you guys. I will be attempting to set that up. Does anyone have any resources which kind of describe how to go about setting this up? I know we have to monitor the attachments due to certain things being scanned and emailed that shouldn't be, so this should be perfect to help exclude known signatures of companies in their email comms.



  • 7.  RE: Pictures?
    Best Answer

    Broadcom Employee
    Posted Jun 03, 2014 11:53 AM

    The IDM technology is well documented in the Admin Guide. Also, the "Help" link in the top right of the Enforce UI is context aware and is directly from the Admin Guide. Much of DLP is about tuning and testing to get the results you are looking for. We don't have a Guide of Best Practices that discusses how to go about getting the results you are looking for. We do have Professional Services that can come out and perform an assessment of your environment and help to get you online and working as you expect.

    You will probably need to set up an IDM of your commonly used documents and signatures from your company. Once you generate an IDM from your documents, it gets indexed and sent out to your servers. Then you can use the IDM as an exclusion in any policy, except endpoint.

    I hope this helps.

    Best,

    Ryan
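
The exact-match behaviour described in replies 4 and 5, as an added example that is not part of the thread and is not Symantec DLP's implementation: known logo images are indexed by a hash of their bytes, and each attachment in a message is excluded from inspection only if its hash is in that index. SHA-256, the function names and the sample message are assumptions made for illustration.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

def fingerprint(data: bytes) -> str:
    """Exact-match fingerprint of the raw file bytes (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()

def build_index(known_files):
    """Index the approved logo/signature images by content hash only."""
    return {fingerprint(data) for data in known_files}

def attachments_to_inspect(raw_message: bytes, index):
    """Return (filename, size) for every file part whose bytes are NOT in the index."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    for part in msg.walk():
        # Skip containers and the unnamed text body; keep inline images too,
        # since signature logos are often sent inline rather than as attachments.
        if part.is_multipart() or (
            part.get_content_maintype() == "text" and not part.get_filename()
        ):
            continue
        data = part.get_payload(decode=True) or b""
        if fingerprint(data) not in index:
            flagged.append((part.get_filename(), len(data)))
    return flagged

# Constructed sample data: stand-ins for a logo, a resized copy and a scan.
LOGO = b"\x89PNG\r\n\x1a\n" + b"constructed-logo-bytes" * 40
RESIZED_LOGO = b"\x89PNG\r\n\x1a\n" + b"constructed-logo-bytes" * 20
SCAN = b"%PDF-1.4 constructed scanned document"

def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    # Same bytes as the indexed logo, but under a generic client-assigned name.
    msg.add_attachment(LOGO, maintype="image", subtype="png", filename="image001.png")
    msg.add_attachment(RESIZED_LOGO, maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(SCAN, maintype="application", subtype="pdf", filename="scan.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, size in attachments_to_inspect(build_sample_message(), build_index([LOGO])):
        print(f"inspect: {name} ({size} bytes)")
```

The renamed logo is excluded because only its bytes are compared, while the resized copy is still flagged, so every variant of a logo that is actually in circulation has to be added to the index.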