Data Loss Prevention

  • 1.  What's a Technical Match?

    Posted May 04, 2017 03:28 PM

    Can someone kindly offer a definition of a Technical Match, with examples?

    Also, we are considering adding the incident status of both "Blocked" and "Quarantined". Is there a need to distinguish between the two, or are they the same?

    Thank you for your help/advice.



  • 2.  RE: What's a Technical Match?

    Posted May 05, 2017 02:04 PM

    Maybe I'm missing something, but the term "Technical Match" doesn't ring any bell for me.

    On Quarantine & Blocked, yes they're different depending on your Architecture.

    - Like for SMTP: Blocked is 'dropped' and lost, vs. Quarantined is 'held for review', which could later be released at will or dropped (blocked) post analysis.

    For other channels, like

    - Endpoint, Web: you have the ability to Block only, but not Quarantine

    - Discover, on the other hand: you have the ability to Quarantine only, but not Block



  • 3.  RE: What's a Technical Match?

    Posted May 10, 2017 11:07 AM

    I believe the Technical Match is one in which the match is accomplished as the policy/rule was configured, but the matched data element is not the one intended. For instance, if the policy/rule is configured to match on customer account (bank acct, debit, routing number, etc.) but the match was made in an invoice#. So technically the match was successful, but the data elements may not constitute sensitive info.

    Or maybe there is another term for this.
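
The routing-number-versus-invoice-number case from the reply above, as an added example that is not part of the original thread and is not any vendor's DLP configuration. It assumes a pattern-only rule (any 9-digit number) and shows how the ABA routing checksum plus a same-line keyword (the keyword list is hypothetical) separates a likely real hit from a technical match; the sample lines are constructed.

```python
import re

# Pattern-only rule: any standalone 9-digit number.
NINE_DIGITS = re.compile(r"\b\d{9}\b")
# Hypothetical context keywords suggesting the number is banking data.
CONTEXT = re.compile(r"\b(routing|aba|rtn|account)\b", re.IGNORECASE)


def aba_checksum_ok(number: str) -> bool:
    """ABA check: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    d = [int(c) for c in number]
    total = (3 * (d[0] + d[3] + d[6])
             + 7 * (d[1] + d[4] + d[7])
             + (d[2] + d[5] + d[8]))
    return total % 10 == 0


def classify(text: str):
    """Label every pattern hit as 'likely sensitive' or 'technical match'."""
    results = []
    for line in text.splitlines():
        has_context = bool(CONTEXT.search(line))
        for m in NINE_DIGITS.finditer(line):
            # The pattern matched as configured; the extra checks decide
            # whether the matched element is plausibly the intended data.
            if has_context and aba_checksum_ok(m.group()):
                label = "likely sensitive"
            else:
                label = "technical match"
            results.append((m.group(), label))
    return results


# Constructed sample content (not real customer data).
SAMPLE = "\n".join([
    "Invoice# 202300417 is due on receipt.",
    "Wire details: routing number 123456780, reference attached.",
    "Account review ticket 555000111 closed.",
])

if __name__ == "__main__":
    for value, label in classify(SAMPLE):
        print(value, "->", label)
```

All three numbers trigger the pattern-only rule; only the second also passes the checksum and keyword checks, and the third shows that a keyword alone is not enough.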

     



  • 4.  RE: What's a Technical Match?

    Trusted Advisor
    Posted May 11, 2017 01:48 AM

    I used to call this kind of incident "false positive"....

    From my point of view, technical match could be more like radio/TV streaming network flow that will hit your policy because of a keyword or pattern in it; this will raise a lot of incidents in a very short time.