Data Loss Prevention
Overview
With Data Loss Prevention (DLP), you can search files for sensitive information and block them from being disclosed to the outside world. To find text content in files, create filters with search patterns (lexical expressions). The patterns can consist of strings or numbers, but also of complex regular expressions. Filters are assigned to users or computers.
DLP is divided into two modules; each module requires a license.
- Data in Use (DIU) for real-time scanning of external storage media (user-based)
- Data at Rest (DAR) for the scheduled scanning of hard drives and network folders (computer-based)
Module | Scanned devices | Scan start | Measures |
---|---|---|---|
DIU | Internal and external storage of the computer, network shares, cloud storage, hard disks (if they are controlled like external storage media) | When accessing a storage medium | Audited events are displayed under User management/Computer management \| DLP \| Audit (DIU) tab. |
DAR | Internal and external storage of the computer, network shares, hard disks (if they are controlled like external storage media) | At the specified time according to the scheduler (once or weekly) | |
Preparing DLP: installation and settings
First of all, install the DLP Policy Server and specify common settings for it.
Installing or updating DLP
- Go to Product settings | DLP | Installation settings.
- Click ... in the Policy Server 32-bit/64-bit installation file area depending on the operating system (32-/64-bit).
- Select the location of the DLPPolicyServer (32-/64-bit) MSI file.
- Go to Computer management | DLP.
- In the Computer management – DLP area, select an online computer. To select multiple computers, hold down the Ctrl key.
- Right-click a computer and select Install/Update from the context menu.
- The installation starts. The current installation status is displayed in the Product status column.
DLP settings: error behavior, metadata analysis, scan timeout, quarantine
- Go to Product settings | DLP | Settings.
- In the Error behavior area, select whether access to files is allowed or denied if the DLP server does not respond due to errors.
- In the Metadata analysis area, check the Enable metadata analysis box to additionally scan the document properties of Microsoft Office files.
- To avoid DLP getting stuck when scanning very large files, set a timeout for scanning one file in the Scan timeout area for the DLP - Data in Use and DLP - Data at Rest products.
- To leave a bread crumb file instead of a quarantined file,
- enable the Leave bread crumb file check box in the Quarantined files area.
- In the text box, enter the user information to include in the bread crumb file.
- Once a file that matches the filter criteria is found and moved to quarantine, the original file name changes from, for example, “License codes.txt” to “License codes.txt.moved”. Once a user opens the file, the message defined by the administrator is displayed.
- Click Save.
Writing log files for DAR scans
- To write detailed log files for scheduled computer scans with DAR, go to Administration | Clients | Log files.
- On the Log file settings by product tab, enable the Write log file for DLP DAR scans check box.
- Once the scan finishes on the client computer, its log file is saved under ProgramData\EgoSecure\EgoSecureAgent\Log. It contains all search parameters and all search results of the scan.
Specifying controlled storage types for Data in Use
By default, the DLP – Data in Use product scans only external storage media. Additionally, it can scan the following storage types:
Storage type | Additional configuration required |
---|---|
Network shares | Enable the Allow network shares control option under Computer management \| Settings \| Client settings. |
Cloud storage | Define which cloud types to control under User management \| Settings \| Cloud storage tab. |
Hard disks | Enable the Control hard disks like external media option under Computer management \| Settings \| Client settings. |
Creating and assigning DLP filters
Create filters to assign them to users (DIU) or to use them for computer scans (DAR). You can add any number of lexical expressions to a filter. The conditions of a filter are met when the specified Threshold value of the filter is reached.
Threshold
The Threshold value is calculated from the weighting of the individual expressions and the number of findings.
For every expression, a weighting from 1 to 10 can be defined. The values of the found expressions are added up across the whole scanned file. With the Multiple occurrence option, an expression is counted each time it is found in the file rather than only once. You can also specify for an expression that the threshold is reached immediately with a single finding (without weighting).
Example: personal data
This filter is created to block files that contain a certain amount of personal data. The threshold value is 20; multiple occurrence is not enabled.
Expression | Weight | Findings | Value |
---|---|---|---|
Date of birth | 5 | 1 | 5 |
Social security number | 5 | 1 | 5 |
Plan number | 5 | 0 | 0 |
Address | 5 | 2 | 5 |
The scanned file contained the following expressions: date of birth, social security number and address. The last one was found twice, but since multiple occurrence is not enabled it counts only once. The expression plan number was not found. The total is 15.
The threshold of 20 is not reached. DLP doesn’t block the file.
Example: list of bank data
This filter is created to block files that contain lists of bank data such as IBANs or credit card numbers. Files that only contain individual IBANs or credit card numbers should not be blocked. Therefore, multiple occurrence is enabled and the threshold is set to 100.
Expression | Weight | Findings | Value |
---|---|---|---|
.PATTERN=Credit Card. | 5 | 13 | 65 |
IBAN | 5 | 9 | 45 |
Bank | 2 | 3 | 6 |
The scanned file contained the expression .PATTERN=Credit Card. 13 times. This expression is a predefined regular expression contained in DLP; each occurrence corresponds to one credit card number. In addition, the IBAN expression appeared 9 times and the Bank expression 3 times in the file. Since multiple occurrence is enabled, the weighting of every finding is counted. This results in a total score of 116, which meets the filter conditions.
- The threshold of 100 is reached. DLP blocks the file.
Example: sensitive information
The purpose of this filter is to check whether a file contains sensitive information. A threshold of 20 was set; Multiple occurrence is not enabled.
Expression | Weight | Findings | Value |
---|---|---|---|
Confidential information | 10 | 1 | 10 |
Do not disclose | 5 | 2 | 5 |
For employees only | 5 | 0 | 0 |
Highly confidential | detected | 1 | detected |
The scanned file contained the expression confidential information once and the expression do not disclose twice; the filter does not take multiple occurrences of an expression into account. Together, these expressions would reach a value of 15, which would not meet the conditions of the filter. However, the file also contains the expression highly confidential, which has the detected weighting and meets the condition of the filter with a single occurrence.
- The threshold is reached because of the detected value. DLP blocks the file.
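The three threshold examples above, together with the simple-expression matching rule from the syntax section (other characters may surround the string, but no letters), reimplemented in Python as an added example; this is not the product's own code. The credit card regex is an assumed stand-in for the predefined .PATTERN=Credit Card. expression, and the three sample files are constructed to reproduce the findings in the tables.

```python
import re
from dataclasses import dataclass, field

# Marker for the editor's "Instant" weighting: a single finding reaches the threshold.
INSTANT = "instant"

@dataclass
class Expression:
    pattern: str                 # simple string, or a regex when is_regex is True
    weight: object               # 1..10, or INSTANT
    is_regex: bool = False
    case_sensitive: bool = False

@dataclass
class Filter:
    name: str
    threshold: int
    multiple_occurrence: bool
    expressions: list = field(default_factory=list)

def count_findings(expr: Expression, text: str) -> int:
    """Count how often one expression occurs in the scanned text."""
    flags = 0 if expr.case_sensitive else re.IGNORECASE
    if expr.is_regex:
        pattern = expr.pattern
    else:
        # Simple expression: any characters may surround the string, but no letter
        # directly before or after it ("Credit!" matches, "Creditcard" does not).
        letter = r"[^\W\d_]"
        pattern = rf"(?<!{letter}){re.escape(expr.pattern)}(?!{letter})"
    return len(re.findall(pattern, text, flags))

def evaluate(flt: Filter, text: str) -> tuple:
    """Return (blocked, weighted score, instant_hit) for one scanned file."""
    score, instant_hit = 0, False
    for expr in flt.expressions:
        findings = count_findings(expr, text)
        if findings == 0:
            continue
        if expr.weight == INSTANT:
            instant_hit = True               # no weighting: one finding is enough
            continue
        counted = findings if flt.multiple_occurrence else 1
        score += expr.weight * counted
    return (instant_hit or score >= flt.threshold), score, instant_hit

# Assumed stand-in for the predefined .PATTERN=Credit Card. expression (not the
# product's real definition): 16 digits in groups of four.
CARD_RE = r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"

PERSONAL_DATA = Filter("personal data", 20, False, [
    Expression("Date of birth", 5), Expression("Social security number", 5),
    Expression("Plan number", 5), Expression("Address", 5)])
BANK_DATA = Filter("list of bank data", 100, True, [
    Expression(CARD_RE, 5, is_regex=True), Expression("IBAN", 5), Expression("Bank", 2)])
SENSITIVE = Filter("sensitive information", 20, False, [
    Expression("Confidential information", 10), Expression("Do not disclose", 5),
    Expression("For employees only", 5), Expression("Highly confidential", INSTANT)])

# Constructed sample files that reproduce the findings in the three tables above.
PERSONAL_TEXT = ("Date of birth: 01.01.1980. Social security number: 000-00-0000. "
                 "Address: Main St 1. Address: Main St 1.")
BANK_TEXT = "\n".join([
    " ".join(f"4000 1234 5678 {i:04d}" for i in range(13)),     # 13 card numbers
    " ".join("IBAN DE00123456780000000000" for _ in range(9)),  # 9 times "IBAN"
    " ".join("Bank" for _ in range(3)),                          # 3 times "Bank"
])
SENSITIVE_TEXT = ("Confidential information. Do not disclose. Do not disclose. "
                  "Highly confidential.")

if __name__ == "__main__":
    for flt, text in [(PERSONAL_DATA, PERSONAL_TEXT), (BANK_DATA, BANK_TEXT),
                      (SENSITIVE, SENSITIVE_TEXT)]:
        blocked, score, instant = evaluate(flt, text)
        print(f"{flt.name}: score={score} instant={instant} blocked={blocked}")
```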
Creating filters with lexical expressions
- Go to Product settings | DLP | Lexical expressions definition.
- In the Lexical expressions definition area, the list of predefined expressions is displayed.
- Click Add on the toolbar.
- A new entry appears in the list.
- Specify a filter name in the Name column.
- Double-click in the Threshold column to define the total score that must be reached so that a match occurs.
- If the weighting of an expression found multiple times in one file should be counted as separate items, enable the Multiple occurrence check box.
- In the Lexical expressions – <filter name> area, create a lexical expression for the filter to search for specific strings. For details, see: Creating a lexical expression
- Click Save.
The filter can now be assigned to user (DIU) or used for computer scanning (DAR).
Creating a lexical expression
- Select a filter in the Lexical expressions definition area.
- In the Lexical expressions – <filter name> area, click Add.
- The Expression editor dialog appears.
- In the If matched drop-down menu, select a weighting for the expression. To reach the threshold with the first finding, select Instant.
- In the Expression field, enter a search pattern. You have the following options:
- Selection of a predefined search pattern in the right column.
- Selection of a user-defined search pattern in the right column. For details, see: User-defined entities
- Manual input: simple or regular expressions. For details, see Appendix: DLP – lexical expression syntax
- Enable the Case-sensitive box if the searched text is case sensitive.
- Click Save.
- The Expression editor dialog closes and the expression is added.
- In the Lexical expressions definition area, click Save.
Assigning DLP filters to directory objects (DIU)
- Under User management | DLP, select a user from the list.
- In the lower area, select the tab with a storage type: External storage, Network shares, Cloud storage. Make sure to additionally configure controlled storage types.
- Enable the Activate individual settings check box to assign only individual filters to the selected user. Clear the check box to assign individual filters in addition to the filters inherited from groups or from default rights.
- Click in the Access column to select which access type is under control:
- Read (only read operations)
- Write (only write operations)
- Read/write (read and write operations)
- In the Action column, select which action is performed with the selected access type:
- No action (audit only) to perform NO action if a user accesses a file that matches the filter criteria and only report the access in the Audit (DIU) tab.
- Deny access to deny access to a file that matches the filter criteria and report the access in the Audit (DIU) tab.
- Allow and redact to hide sensitive information behind *** in the file while access to the file is not restricted, and report the access in the Audit (DIU) tab. This action does not apply to files in RAR archives. This option is listed in the context menu only if the Data redaction parameter is enabled for the filter under Product settings | DLP | Lexical expressions definition.
- Allow and ask for reason to show a pop-up on the user’s side once the user accesses a file that matches the filter criteria. The user must select a reason from the list or write their own explanation. Access to the file is blocked until the user gives the reason and clicks Submit. If the user ignores the pop-up or clicks Cancel, access remains denied. The action together with the access reason is displayed in the Audit (DIU) tab; if the user only tries to open the file but clicks Cancel or ignores the pop-up, the administrator is not informed in the audit, because NO file content is accessed.
- Click Save.
- The filter is enabled for a user.
User-defined entities
Custom entities are expressions that you save as a template. You can mark findings of such expressions as sensitive information. Sensitive information is not shown in plain text in the audit data but hidden behind ***.
Creating a user-defined entity
- Go to Product settings | DLP | Lexical expressions definition.
- Click the User-defined entities button.
- The User-defined entities dialog appears.
- Click Add.
- A new entry appears in the list.
- To edit the entity, select it from the list.
- In the Name field, define a name for the entity.
- In the Expression field, enter a search pattern.
- Enable the Case sensitive box if the searched text is case sensitive.
- To mark the expression as sensitive information and display it hidden in the audit data, enable the Sensitive information check box.
- Click Save.
- Add other entities if needed and click Save.
- The created user-defined entities appear in the User-defined tab of the expression editor. You can now use them in lexical expressions. For details, see: Creating a lexical expression
Scheduling scan tasks for computers
Setting up DAR for computers
- Go to Product settings | DLP | Scheduler.
- In the Scheduler area, click Add.
- A new entry appears.
- In the Settings area, enter a name for the action in the Name field.
- In the DLP filters drop-down, select one or several filters. For details, see: Creating filters
- In the Scan mode drop-down, select which scan to perform:
- Full scan: Thorough scan of the entire device except network shares.
- My documents scan: Scans the My documents folder. A user must be logged in to the system to perform this type of scan.
- Custom: Scans selected files, folders or system folders locally on computers or network shares.
- In the Scan performance drop-down, select how DLP scan influences the computer performance:
- Low: the scan takes a long time but requires fewer resources.
- Medium: balanced use of time and resources during the scan.
- High: the scan takes less time but requires more resources.
- If you are going to add network shares, files or folders to the list of scanned objects, enter the credentials of a user with sufficient rights to access the added network directories in the Username and Password fields.
- In the Objects to exclude from scan area, add files, folders or file extensions, which must be excluded from scanning.
- If the Custom scan mode has been selected, in the Objects to scan area, add files, folders or file extensions, which must be scanned locally on computers or on the network shares.
- Define the date and time when to perform the scan.
- Click Save.
- The planned scan can now be assigned to a computer.
Enabling a planned scan for computer
- Go to Computer management | DLP and select a computer.
- If you select Default rights (computer) under Default policies, the action is inherited by all computers with DLP and inheritance activated.
- In the lower area, in the Data at Rest tab, select one or more actions.
- To disable inherited actions, enable the Activate individual settings check box.
- Disable the Activate individual settings check box to assign other actions in addition to the inherited ones.
- In the Action column, select what to do if a match occurs:
- No action (audit only) to only write the fact of finding to the Audit (DAR) tab.
- Delete to permanently delete files from their original location and write this event to the Audit (DAR) tab.
- Move to quarantine to move files to the hidden Quarantine folder locally and reformat them so that the user cannot open them.
- Click Save.
- Once a scan starts, its progress appears in the Scans tab. The scan results appear in the Audit (DAR) tab.
Analyzing findings
The Audit (DIU) tab for Data in Use and the Audit (DAR) tab for Data at Rest show the audit data of the scans in table form. Every finding is audited. You can configure the display and filter the entries. The Secure Audit product is NOT required to view the logs of DLP events.
Showing findings
- Go to User management/Computer management | DLP | Audit (DIU) and Audit (DAR).
- Configure data displaying and filter the data records, if needed.
- Click in the Matched text column to show findings that do not fit the table column in a separate window.
- A maximum of 4000 characters is displayed. You can see the complete list of findings in the DAR log file (enable the Write log file for DLP DAR scans option under Administration | Clients | Log files).
Processing quarantined files
- Under Computer management | DLP, select a computer.
- In the lower section, click on the Quarantine tab.
- All files quarantined during a computer scan are listed.
- Right-click an entry and select an action:
- Restore: Restores a file to its original location and removes it from the quarantine.
- Download: Saves a file in a defined location.
- Delete: Deletes a file on the scanned computer and removes the entry from the quarantine. The file will be deleted permanently.
Syntax of lexical expressions
You can use simple expressions as well as predefined and user-defined regular expressions to define search patterns in DLP. These expressions can be connected to each other by operators.
- Simple expressions: A simple expression searches for exactly the entered string. Any number of other characters may appear before or after the string, but no letters; otherwise the expression no longer matches. For example, the simple expression Credit is found or not found in the following strings:
String | "Credit" will be found? |
---|---|
Credit xy | Yes |
Credit! | Yes |
Credit, | Yes |
Creditcard | No |
Creditcardnumber | No |
- User-defined expressions: User-defined expressions are regular expressions that you create in the editor and save for later use. The following sections describe the syntax for defining regular expressions.
Syntax for regular expressions
Use the .PERL. expression operator with a keyword or phrase to indicate a regular expression:
.PERL.regular_expression
Operators
You can insert operators in the Expression editor using the buttons, so you don’t have to enter them manually. With operators, you can link several strings together, e.g.:
.PERL.regular_Expression1.AND.regular_Expression2
.PERL.regular_Expression1.OR.regular_Expression2
The following operators are available:
Operator | Description |
---|---|
AND | Both keywords or phrases must be present. |
OR | One or both keywords or phrases must be present. |
XOR | One or the other keyword or phrase must be present, but not both. |
BEFORE | Both keywords or phrases must be present, and the keyword or phrase that precedes the operator must occur before the one that follows it. |
AFTER | Both keywords or phrases must be present, and the keyword or phrase that precedes the operator must occur after the one that follows it. |
FOLLOWEDBY | Both keywords or phrases must be present, and the keyword or phrase that follows the operator must be within x words of the one that precedes it. |
NEAR | Both keywords or phrases must be present and within ten words of one another. The expressions may occur in either order. |
ANDNOT | The keyword or phrase that precedes the operator must be present, and the one that follows it must not be present. |
Symbols
With certain placeholders, you can define any single character or combine several characters into sub-expressions within a character string:
Character | Description | Example |
---|---|---|
. | Any single character except line breaks. | .name. matches “1name!” |
() | Subexpression, substring. | (ab)+ matches ab, abab, … |
\| | Or operator. Matches either the expression preceding or the expression following the operator. | a\|b matches either “a” or “b”. |
Anchor characters
Anchor characters specify that a character or string must appear at the beginning or end of the search string:
Character | Description | Example |
---|---|---|
^ | Matches the start of a line. Returns all strings that start with the expression following ^. | ^Beginning finds all strings where the line starts with "Beginning" |
$ | Matches the end of a line. | End$ finds all strings that end with “End” |
Character sets
A set of characters specifies a predefined selection of characters and is enclosed in square brackets. To negate a set, insert the ^ character before the string.
Character | Description | Example |
---|---|---|
[ac] | a or c | 1[ac] finds 1a or 1c, but not 1b |
[a-c] | a, b or c | 1[a-c] finds 1a, 1b or 1c |
[14] | 1 or 4 | [14]a finds 1a or 4a, but not 2a or 3a |
[1-4] | 1, 2, 3 or 4 | [1-4]a finds 1a, 2a, 3a or 4a |
[^1-4] | not 1, 2, 3 or 4 | [^1-4]a finds 5a, 6a, …, but not 1a, 2a, 3a or 4a |
[a-zA-Z] | All upper- and lowercase letters from A to Z | 1[a-zA-Z] finds 1a, 1b, 1c, … and also 1A, 1B, 1C, … |
Character classes
Character classes define the type of characters that are searched for (digits, letters, special characters or spaces).
Character class | Description | Example |
---|---|---|
\d | Finds only digits. | 0, 1, … 9 |
\D | Finds all characters except digits. | A, B, … Z, @, €, … |
\l | Finds all lowercase letters in case-sensitive expressions. When used in a case-insensitive expression, this class also matches uppercase letters. | a, b, … z |
\L | Finds all characters that are not lowercase letters in case-sensitive expressions. | A, B, … Z, 0, 1, … 9, @, €, … |
\s | Finds only whitespace characters (spaces, tabs, line breaks). | space, tab, line break |
\S | Finds all characters that are not whitespace. | A, B, … Z, 0, 1, … 9, @, €, … |
\u | Finds all uppercase letters in case-sensitive expressions. | A, B, … Z |
\U | Finds all characters that are not uppercase letters in case-sensitive expressions. | a, b, … z, 0, 1, … 9, @, €, … |
\w | Finds only digits or letters. | A, B, … Z, 0, 1, … 9 |
\W | Finds all characters except digits or letters. | @, €, … |
Quantifiers
Quantifiers indicate how often certain characters occur in a string. Digits are placed in curly brackets after an atom or expression.
Quantifier | Description | Example |
---|---|---|
* | Zero or more occurrences of the preceding atom | Zo* finds Z, Zo, Zoo, … |
+ | One or more occurrences of the preceding atom | Zo+ finds Zo, Zoo, … |
? | Zero or one occurrence of the preceding atom | Zo? finds Z and Zo |
Quantifiers can also specify precisely how many times a character or a string may appear:
Quantifier | Description | Example |
---|---|---|
X{n} | Bounded repeat. Matches exactly n occurrences of the preceding atom. | A{5} finds AAAAA |
X{n,m} | Matches between n and m (inclusive) occurrences of the preceding atom. | A{1,5} finds A, AA, AAA, AAAA, AAAAA |
X{n,} | Matches n or more occurrences of the preceding atom. | A{5,} finds AAAAA, AAAAAA, … |
Usually quantifiers are greedy, which means they try to match as many characters as possible. This behavior changes from greedy to hesitant when a question mark follows the quantifier.
- The greedy quantifier searches the string from left to right and stops only at the first character where the condition of the search pattern is no longer satisfied. It consumes as long as the pattern matches and returns a maximal result.
- The hesitant quantifier searches the string from left to right and stops at the first character where the condition of the search pattern is met. It consumes as little as the pattern allows and returns a minimal result.
Which quantifier to use depends on the result to be achieved. Quantifiers can also specify how often a character or string may occur.
Example 1: The regular expression in the first row starts with the characters A, B or C, which can appear 1 to n times, followed by 0 to n arbitrary characters. The characters A, B or C are to be output (the content of the round brackets in the regular expression). The second row applies the same pattern to digits.
Text | Regular expression with greedy quantifier | Result with greedy quantifier | Regular expression with hesitant quantifier | Result with hesitant quantifier |
---|---|---|---|---|
ACBAXXACA | ([A-C]+).* | ACBA | ([A-C]+?).* | A |
015A63 | ([0-9]+).* | 015 | ([0-9]+?).* | 0 |
Example 2: The use of multiple quantifiers in an expression can sometimes lead to incorrect results. In the following example, the first numeric value after the M is to be read out of the character string M 14x52:
String | Regular expression with greedy quantifier | Result with greedy quantifier | Regular expression with hesitant quantifier | Result with hesitant quantifier |
---|---|---|---|---|
M 14x52 | .*([0-9]+)x.* | 4 | .*?([0-9]+)x.* | 14 |
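The two quantifier tables above reproduced with Python's re module, which uses the same Perl-style syntax, as an added example (not the product's own code). The multi-line sample and the anchored pattern are assumptions added to show that anchoring on the literal M, instead of a leading .*, makes the result independent of greedy or hesitant backtracking.

```python
import re
from typing import Optional

def first_capture(pattern: str, text: str) -> Optional[str]:
    """Return group 1 of the first match of a .PERL.-style pattern, or None."""
    match = re.search(pattern, text)
    return match.group(1) if match else None

def all_captures(pattern: str, text: str) -> list:
    """Return group 1 of every non-overlapping match in the text."""
    return [m.group(1) for m in re.finditer(pattern, text)]

# Example 1: a run of A, B or C (or of digits) at the start, greedy versus hesitant.
EXAMPLE_1 = [
    ("ACBAXXACA", r"([A-C]+).*", r"([A-C]+?).*"),
    ("015A63", r"([0-9]+).*", r"([0-9]+?).*"),
]
# Example 2: the leading .* decides how much is left for the capture group.
EXAMPLE_2 = [("M 14x52", r".*([0-9]+)x.*", r".*?([0-9]+)x.*")]

# Constructed multi-line sample (assumed): . does not match line breaks, so each
# line is matched on its own. Anchoring on the literal M instead of a leading .*
# makes the result independent of greedy or hesitant backtracking.
MULTI_LINE = "M 14x52\nM 8x10"
ANCHORED = r"M\s*([0-9]+)x"

def run_examples() -> dict:
    """Map each sample text to (greedy result, hesitant result)."""
    return {text: (first_capture(greedy, text), first_capture(hesitant, text))
            for text, greedy, hesitant in EXAMPLE_1 + EXAMPLE_2}

if __name__ == "__main__":
    for text, (greedy, hesitant) in run_examples().items():
        print(f"{text!r}: greedy -> {greedy!r}, hesitant -> {hesitant!r}")
    print("greedy per line:  ", all_captures(r".*([0-9]+)x.*", MULTI_LINE))
    print("anchored per line:", all_captures(ANCHORED, MULTI_LINE))
```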
Masks
Predefined characters, such as brackets, are recognized as normal characters if a backslash is placed before them. The backslash \ turns a predefined character into a normal character and a normal character into a special character (e.g. \s searches for a whitespace character). For details, see Character classes.
To search for a character that represents a predefined character within regular expressions, add a backslash before the character:
String | Searches for |
---|---|
\\ | Backslash \ |
\t | Tabulator |
\{ | An opening curly brace { |