I am implementing EMDI for Endpoint Prevent for a customer. While creating the required Data Identifiers and testing them against my EMDI indexes I realized a "feature" I was not really aware of, and which in my opinion is actually a rather strange implementation of EMDI, not to say a bug:
It looks like the policy is testing the key only against the Data Identifier and NOT against the index column plus the number of additional optional columns defined in the rule, where it does an exact match.
Index contains CustomerNr (Optional) 12345678 and IBAN (Key) LI123456789012345678901 (neglecting here in the example that the mentioned IBAN is not a valid one and would not pass MOD-97).
My Data Identifier checks for a valid LI IBAN, so prefix LI and 19 digits (I have not added any validators on purpose, as I was expecting the value to be checked against the EMDI index!).
The policy will now create an incident if a key is found for LI123456789012345678901 (true positive) BUT also for LI123456789012345678909 (which is a false positive!), as it is NOT a valid index ROW.
I just wanted to make sure that this is really the way EMDI is implemented? I repeat, IMHO, that's rather a BUG than a feature; in Exact Match the engine should always test a row EXACTLY, which even with the most accurate Data Identifier is not possible and will always lead to false positives in such an implementation. I can make sure that the Identifier in this case checks for MOD-97 and maybe other validators, but still it is not 100% accurate and never will be, as the actual check against the index row would be.
I cannot, however, do this in another case, where I want to test an e-mail address column as key, which I also implement for this customer. There the string validation of the e-mail address is not accurate at all, and the only option I was thinking of to make EMDI run was to check for a simple pattern match, i.e. more or less just check if the string contains an @ and let the exact match do the rest (as I thought that the row was additionally tested against the index row). Also for those tests I got false positives, which have proven that my assumption of the key being tested against the DI only is right.
Has anyone in the community implemented EMDI already and come up with the same result?
Thanks,
René Guido
e3 Cyber Security Brasil
Do you have any update for this problem?