Data Loss Prevention


  • 1.  EDM Matching on Multiple Lines

    Posted Aug 05, 2025 11:43 AM

    Hi DLP Community,

    We are facing the following problem:

    We have an EDM that is structured the following way (simplified):

    Account Number | Authorized Recipient | Company

    72482 |  Person1@mail.com | Company XY

    72482 | Person2@mail.com | Company XY

    Important to note here is that the same account ID can have multiple authorized recipients, as shown above. We have an EDM prevention policy that checks the content of the message for the account number but allows it if the recipient is the authorized person. From our observations, Symantec cannot handle the case where there are multiple lines in the EDM for the same account number.

    So based on the example above:

    Symantec detects 72482 in the message, checks the recipient, identifies Person1@mail.com and allows the message. But if it proceeds with checking the second line, it detects 72482 again, and since the recipient is still Person1, it creates a false positive incident, because for the ignore rule it would expect Person2, although both recipients are allowed for this specific account number.

    We have been searching for a solution to this for a while now but were not able to find one. Do we just have to accept this as a technical limitation based on how Symantec performs EDM scans, or did someone else face this issue and find an acceptable solution? Changing the EDM/database structure would require a lot of effort and is not a preferred solution.

    Many thanks in advance,

    Armando



    -------------------------------------------


  • 2.  RE: EDM Matching on Multiple Lines

    Broadcom Employee
    Posted Aug 08, 2025 02:44 PM
    Edited by Stephen Heider Aug 08, 2025 02:46 PM

    Hi Armando,

    This one is slightly tricky - because among the best practices for EDMs one should avoid the following: blank cells, and cells or rows with duplicate data:

    Remove Blank Columns and Duplicate Rows from the Data Source File

    Thus, the trick for you is to try a method whereby the Source Data File (aka the original CSV from which the EDM is indexed) doesn't include that type of data. I realize this is not straightforward, because the "Account Number" as such seems to be the key identifier for an account, so if some accounts (but not all) can have multiple email addresses associated, it would not necessarily be better to try a different column/row format:

    e.g., having each Account Number in ONE ROW only, but having multiple columns for "extra" email addresses - because for accounts with only one contact, the extra email columns would be blank.

    What I wonder is whether EDM is fully the best method for doing this. What about authoring a policy that has your EDM data which is unique:

    Account Number, Company

    And pairing that with a condition using a Reusable Recipient Pattern - that includes ALL recipient emails?

    I know that isn't as fully accurate, because the EDM data might create False Positives when detected alongside a recipient in the list but from a different company, but that might be less common than the issue you are reporting now.

    Hope this proves helpful - again, it might take some other permutations of what you are after to get best results.

    Thanks,



    ------------------------------
    Stephen Heider

    DLP Sr Prn Info Writer | Symantec Enterprise Division | DLP Support
    Broadcom

    stephen.heider@broadcom.com | broadcom.com
    ------------------------------



  • 3.  RE: EDM Matching on Multiple Lines

    Posted Aug 09, 2025 05:51 AM
    Edited by Thomas Fuerling Aug 09, 2025 05:53 AM

    Hi Armando

    Since detection works per record, either one of the EDM lines will match. This is the nature of Symantec DLP and of all other solutions.
    Stephen's approach with a recipient list won't do the job either, because very granular whitelisting must be possible. One would have to do an EDM index per customer and a recipient whitelist for every customer as well. That is not feasible.

    So we have to accept that policies and detection cannot handle that granular whitelisting.

    Therefore this must be handled in incident management, where all data found creates a match and then a special function checks the granular acceptable "whitelists". e3 has implemented such a function (it can be purchased as an extension to Symantec DLP). This function, "WAIVER", handles exactly this. When all matches are "allowed", waiver will release the soft-blocked action.
    However, there is a catch. If it must be handled in incident management in a post-detection method, only asynchronous channels like Mail and Storage can profit from this. Web and Endpoint are by nature synchronous channels; waiver will only work for remediation but cannot release a blocked action anymore. Endpoint Storage might be possible soon.

    Anyone having the same challenge, please contact me for more details.

    Rgds

    Thomas Fürling   |   www.e3ag.com

    -------------------------------------------
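The two behaviours discussed in this thread, per-record EDM matching (post 1) and a post-detection check that releases an incident only when every match is allowed (post 3), can be modelled in a few lines. The script below is an added illustration and is not code from Symantec DLP or from e3's WAIVER product; the records, the five-digit account-number pattern and the rule "every message recipient must be authorized for every account found" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of the EDM described in the thread
# (account number, authorized recipient, company). All values are made up.
EDM_RECORDS = [
    ("72482", "person1@mail.com", "Company XY"),
    ("72482", "person2@mail.com", "Company XY"),
    ("55010", "person3@mail.com", "Company Z"),
]

# Assumption for the example: account numbers are exactly five digits.
ACCOUNT_RE = re.compile(r"\b\d{5}\b")


def per_record_matches(message_text, recipients):
    """Model of per-record EDM detection: every indexed row whose account
    number appears in the message is a match, and a row is 'ignored' only
    if that row's own authorized recipient is among the message recipients."""
    found = set(ACCOUNT_RE.findall(message_text))
    recips = {r.lower() for r in recipients}
    results = []
    for account, authorized, _company in EDM_RECORDS:
        if account in found:
            results.append({
                "account": account,
                "authorized": authorized,
                "ignored": authorized.lower() in recips,
            })
    return results


def per_record_incident(message_text, recipients):
    """Policy-level outcome: an incident is raised as soon as one matching
    row is not ignored. With two rows for the same account and a single
    recipient, one row can never be ignored, which is the false positive
    described in the original post."""
    return any(not m["ignored"] for m in per_record_matches(message_text, recipients))


def authorized_by_account():
    """Collapse the multi-row EDM into account -> set of authorized recipients."""
    table = defaultdict(set)
    for account, authorized, _company in EDM_RECORDS:
        table[account].add(authorized.lower())
    return table


def post_detection_release(message_text, recipients):
    """Post-detection (incident-management) check in the spirit of post 3:
    group the matched rows by account and release the message only if every
    recipient is authorized for every account found in it. A message with no
    matches is released as well."""
    matches = per_record_matches(message_text, recipients)
    if not matches:
        return True
    table = authorized_by_account()
    recips = {r.lower() for r in recipients}
    accounts = {m["account"] for m in matches}
    return all(recips <= table[acct] for acct in accounts)


if __name__ == "__main__":
    msg = "Please find the statement for account 72482 attached."
    print("per-record incident:", per_record_incident(msg, ["Person1@mail.com"]))
    print("post-detection release:", post_detection_release(msg, ["Person1@mail.com"]))
    print("release with outsider:", post_detection_release(msg, ["person1@mail.com", "someone@other.example"]))
```

Note that the post-detection rule is stricter than "any row matched an allowed recipient": a message that reaches one authorized recipient and one unauthorized one is still held, which is the granular whitelisting the thread is about. Internal recipients or distribution lists would need to be excluded from `recipients` before the check, which this example does not do.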