Data Loss Prevention

We have a use case where we need to update set of keywords daily for a policy. Instead of updating policy want to have keywords added in a database table and update that table ?

Please share your thoughts and options other than manual updating keywords in a policy.

Thanks

Aadi

Hi Aadi,

Have you thought about using IDM? This copuld be the best way for you.

Thanks

EDM.  I think you mean EDM, Alan.

@ Aadi.  How many keywords do you think might be in play here?  Is it a two?  A dozen? Is the size of the list likely to grow over time?  Look into leveraging EDM.

Hi Will,

Yes I did mean EDM! I was looking at my IDM screen as I wrote the reply doh!!!

LOL.  I knew you were better than that!  :)

The use case of having keywords in a table/database is also valid in my environment.

If the use cases require you to block data from leaving the endpoints when detecting the keywords EDM isn't a valid solution (yet). EDM can only detect data when it has already left the endpoint and thus fails on the use cases. I've worked/evaluated both McAfee and Microsoft's solutions for DLP and they both allow the implementation of dictionaries with keywords which you can link to from your policies.

I don't know if Aadi has this same endpoint-like situation, but I do and I am currently having copies of keywords lists that I have to update well over 100 times if only 1 item in the keyword lists has to be changed.... Also every applicable copy of the same list of dictionaries is send over and loaded by the endpoint agent creating unnecessary overhead.

With the implementation of dictionaries my use cases and administration would just have been so much easier.

Some of my clients faced a similar issue, I think the only solution currently available is GTB DLP

Thanks for all your replies guys. EDM is not applicable for my use case too as we want to have a pop-up message (Allow/Cancel) show up each time a detection happened.

@Will regarding how many keywords in the play, We are taking about 25 keywords is the size and list might grow slightly. 

Thanks!

Aditya

Aditya,

Check out this old post. They leveraged a Powershell script to execute against a sender/recipient pattern list.

https://www.symantec.com/connect/forums/dlp-posh-scripting-invoke-webrequest-sample-code?cid=11832921#comment-11832921

While it isn't a keyword list, maybe you could look into seeing if this could work! Warning--this is a bit advanced, but it's the same as executing the command through the browser (more supported) than executing a database update query (not really recommended). Other than that, you're probably stuck adding the keywords daily as they change through a policy modification, as you've already identified that EDM isn't going to work for your endpoint use case. 

-Jake

How about a custom DI?

There's not much difference in editing a policy or editing a DI other than a DI is reusable across many policies.
Edit once, available everywhere.

Just a thought...