Hi Hamdan
DLP is usually not ideal to verify the absence of information, in your case the absence of keywords. So what you need to do is a match policy that catches "too much" and uses the keywords as an exception, e.g. ignore all files that contain the correct keywords. That is what I meant with a "negative" policy, e.g. a policy that actually checks for the absence of some information, e.g. a keyword.
Like
- FIND *.docx
- IGNORE KEYWORD "dlpignore"
This way all docs without "dlpignore" are a match and can be blocked/justified/warned on the endpoint.
Replace those with the file types you need and the keywords that must be in the files.
You can do multiple policies/rules to manage more specific combinations.
You can also add additional detect conditions to create things like:
- MATCH *.docx AND CONTAINS EDM-PII
- IGNORE "CONFIDENTIAL"
- BLOCK "Action-X"
This would match all files containing sensitive PII that are not correctly classified with "CONFIDENTIAL". This would be my approach.
In case your use case is just to block based on something like:
this is for several reasons not an optimal idea:
- Difficulties to address the right people for incident management, because you lack context
- As you already realized, removing such a keyword is not difficult for users. You would need good protection of such keywords. That can only be realized with RMS or with a keyword/classification system that blocks the downgrading/removal of a tag.
- Symantec's DLP is most advanced for content-driven DLP policies like the bespoke EDM or, as Fernando mentioned, IDM etc.
- It is more complex to protect data based on information content instead of classification (keyword labels), but it is much safer.
After all, violators are interested in the information and not the keyword.
If your list of keywords is more complex, like a list of "secret protect IDs" to protect more specific MCIAs, adding more content detection is probably a good idea. There is a reason for your keywords in those files. Add content matching rules that address this reason. Users might remove the keywords, but removing the information will not be done by the violators ;-)
Rgds
Thomas
Original Message:
Sent: Aug 31, 2024 02:38 PM
From: hamdan shakeel
Subject: Modification / Deletion of Keywords Restriction
@Thomas Fuerling Thank you for sharing the detailed information. Below is our use case and the problem we're facing, and we need a solution to fix this issue.
We have policies with the rule "Content Matches Keywords" and we're blocking the copy/paste or transfer of files, but now we can see that some users are removing / modifying the keywords that match the rule and transfer the files, basically bypassing the block rule. Is there any way to mitigate this issue?
Original Message:
Sent: Aug 31, 2024 08:36 AM
From: Thomas Fuerling
Subject: Modification / Deletion of Keywords Restriction
Hi Hamdan
You cannot restrict it, but with what we call a "negative" policy, you might check it. Here is what you have to do; that might solve your use case:
- Create a detection policy for the office file types. Tune 1 to restrict detection further.
- Use an exception keyword rule with your keywords. Tune 2 to handle special combinations of office types and special fields.
- Ensure your endpoint configuration covers save to local and network drives.
This policy should trigger if a file (1) is stored without the keywords (2). Hopefully this solves your use case.
In case you want to check classification, try to write the classification on save. This would provide automatic classification. Use integration endpoint flex of the classification vendors.
rgds Thomas
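To make the "negative" policy logic from this reply and from the FIND/IGNORE and MATCH/IGNORE/BLOCK rules in Thomas's later reply at the top of the thread concrete, here is an added, stand-alone illustration. It is not Symantec DLP policy syntax or product code: it models a policy as broad MATCH conditions (file type globs and content patterns, all of which must hold) minus IGNORE exceptions (keywords whose presence suppresses the incident), then evaluates three policies against constructed sample files. The regex standing in for an EDM/PII profile, the policy names and the documents are all assumptions made for the example.

```python
"""Toy evaluator for the "negative" DLP policy pattern discussed in this thread.

Added illustration, not Symantec DLP policy syntax or product code. A policy is
modelled as MATCH (file type globs + content patterns, ANDed) minus IGNORE
(exception keywords). The sample documents and the PII regex that stands in
for an EDM profile are constructed for this example.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    file_globs: list[str]                                     # MATCH *.docx
    match_patterns: list[str] = field(default_factory=list)   # AND CONTAINS ...
    ignore_keywords: list[str] = field(default_factory=list)  # IGNORE "..."
    action: str = "BLOCK"

    def evaluate(self, filename: str, content: str) -> str | None:
        """Return the action if (filename, content) is an incident, else None."""
        # File type condition: at least one glob must match the name.
        if not any(fnmatch.fnmatch(filename.lower(), g) for g in self.file_globs):
            return None
        # Content conditions are ANDed, like stacked detect conditions in a rule.
        if not all(re.search(p, content) for p in self.match_patterns):
            return None
        # Exception: a file that still carries a required keyword is NOT an incident.
        if any(kw in content for kw in self.ignore_keywords):
            return None
        return self.action


# Stand-in for an EDM/PII profile (constructed): a US-SSN-shaped number.
PII_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"

POLICIES = [
    # The approach from the original question: block whenever the keyword is present.
    Policy("keyword-only", ["*"], match_patterns=[r"CONFIDENTIAL"]),
    # "Negative" policy: every .docx is a match unless it carries the keyword.
    Policy("negative-docx", ["*.docx"], ignore_keywords=["CONFIDENTIAL"]),
    # Content-driven variant: PII present AND classification keyword missing.
    Policy("pii-unclassified", ["*.docx", "*.xlsx"],
           match_patterns=[PII_PATTERN], ignore_keywords=["CONFIDENTIAL"]),
]

# Constructed sample files: name -> content.
DOCUMENTS = {
    "hr_report.docx": "CONFIDENTIAL\nEmployee 123-45-6789 salary review",
    "hr_report_stripped.docx": "Employee 123-45-6789 salary review",  # label removed
    "meeting_notes.docx": "Agenda: cafeteria menu for next week",
    "readme.txt": "CONFIDENTIAL build notes, no personal data",
}


def run_policies(policies: list[Policy],
                 documents: dict[str, str]) -> dict[str, dict[str, str | None]]:
    """Evaluate every policy against every document; None means no incident."""
    return {
        p.name: {name: p.evaluate(name, body) for name, body in documents.items()}
        for p in policies
    }


if __name__ == "__main__":
    for policy_name, results in run_policies(POLICIES, DOCUMENTS).items():
        print(policy_name)
        for fname, action in results.items():
            print(f"  {fname:26s} -> {action or 'allow'}")
```

Running it shows the trade-off the thread describes: the keyword-only policy stops firing as soon as the label is stripped from `hr_report_stripped.docx`, the negative policy still blocks that file (and, as a "catches too much" policy, also blocks the harmless meeting notes, which is what the tuning and additional detect conditions are for), and the content-driven policy blocks only the file that both contains PII and lacks the classification keyword.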
Original Message:
Sent: Aug 28, 2024 04:47 AM
From: hamdan shakeel
Subject: Modification / Deletion of Keywords Restriction
Can we restrict End Users not to Modify / delete sensitive keywords in Word documents / Excel with Symantec DLP?