I find that the IronPort DLP policies are a bit confusing, maybe even misleading. Many of them say in their description that they will classify emails with Social Security numbers or account numbers, but in fact they require more than just those specific matches to be considered part of the policy.
Many of the policies require something to match other than the specific term. Let's take the policies that match Social Security numbers, such as Gramm-Leach-Bliley. This requires not only the Social Security number, but also some identifying information, such as name and address. The rationale behind this is that a Social Security number without context is usually not very useful. If you think about it, a Social Security number can easily be derived by just putting 9 numbers together with a "-" between the third and fourth number and the sixth and seventh.
So, what if you want to use the vast array of dictionaries available to the DLP policy manager, but want to match and take action no matter what?
The easiest thing to do is create a custom policy. With this you can grab any of the dictionaries in the DLP engine, such as various nationalities' social security numbers or states' driver's license numbers. Put a policy together using just those things and have it hit. But leaving the policy like that is not good enough; you must also adjust the sliders at the bottom of the DLP policy page. Normally the ignore range is set to 0-9, meaning that a single Social Security number may not actually trigger an action even though it did match. My suggestion is to move those sliders so that low starts at 1 and set your actions accordingly.
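
A simplified model of the behaviour described above, as an added example (not Cisco's or the DLP engine's own code). The per-match weight, the band boundaries above "ignore", the context terms and all function names are assumptions made for illustration; only the 0-9 ignore range and the "low starts at 1" change come from the post.

```python
import re

# Pattern match only on the NNN-NN-NNNN layout; no validity checks.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed stand-in for the identifying information a stock policy also requires.
CONTEXT_RE = re.compile(r"\b(name|address|date of birth)\b", re.I)
MATCH_WEIGHT = 5  # assumed score contributed by each SSN match

# Severity scale as (label, lowest score in band).
# DEFAULT ignores 0-9 as in the post; ADJUSTED starts "low" at 1.
DEFAULT_BANDS = [("ignore", 0), ("low", 10), ("medium", 40),
                 ("high", 70), ("critical", 90)]
ADJUSTED_BANDS = [("ignore", 0), ("low", 1), ("medium", 40),
                  ("high", 70), ("critical", 90)]


def risk_score(text, require_context):
    """Return 0-100; 0 when the policy's match conditions are not met."""
    hits = len(SSN_RE.findall(text))
    if require_context and not CONTEXT_RE.search(text):
        return 0  # stock-style policy: a bare number is not a violation
    return min(100, hits * MATCH_WEIGHT)


def severity(score, bands):
    """Map a score to the highest band whose floor it reaches."""
    label = bands[0][0]
    for name, floor in bands:
        if score >= floor:
            label = name
    return label


def evaluate(text, require_context, bands):
    return severity(risk_score(text, require_context), bands)


# Constructed sample messages (the number is deliberately invalid).
BARE = "Ref 000-12-3456 attached."
WITH_CONTEXT = "Name: J. Doe, Address: 1 Main St, SSN 000-12-3456"

if __name__ == "__main__":
    for label, msg in (("bare", BARE), ("with context", WITH_CONTEXT)):
        print(label,
              "| stock:", evaluate(msg, True, DEFAULT_BANDS),
              "| custom, default sliders:", evaluate(msg, False, DEFAULT_BANDS),
              "| custom, low from 1:", evaluate(msg, False, ADJUSTED_BANDS))
```

In this model the custom pattern-only policy matches the bare number, but the message only leaves the "ignore" band once the low range starts at 1.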
Author: Alex Jerrold, Cisco CCIE Security
Posted at Geeknick