Endpoint data loss prevention comprises a set of cybersecurity strategies that aid in preventing the theft or disclosure of sensitive data contained within endpoint computers.
Within the endpoints, there will be large volumes of unfiltered information. Data classification is the process of categorizing corporate data in order to determine which information is sensitive and to gain a better understanding of what type of security measures need to be implemented.
Data rules are a set of criteria configured by the admin to find specific types of sensitive data. Data rules can be created from pre-defined templates or from customizable templates using mechanisms such as RegEx, fingerprinting, and keyword search. During the data discovery process, the agent will comb through the endpoint and find any sensitive data that matches the data rules deployed for that policy.
For common types of sensitive documents such as PII, Health, Finance, Source Code, etc., you can browse and select a template according to country.
To find sensitive documents specific to your organization or circumstance, you can use custom templates to define the criteria that a document would have to match to be considered sensitive. Endpoint DLP supports custom rules using RegEx, keyword matching, document matching, fingerprinting and file extensions.
When sensitive data can be detected by the presence of a specific pattern/string in a file, RegEx patterns are used. These patterns can be defined in advance and then searched for in order to identify a match.
Keyword search is used to look for specific keywords in a document that could make it sensitive and thus inappropriate for transfer outside the organization.
Fingerprinting is preferred over RegEx in cases where sensitive data cannot be identified by an exact match but may be detected by identifying similar templates and analyzing their match percentage.
Boundary definition refers to restrictions that the admin can configure which dictate the boundaries within which a particular type of sensitive data can be processed. The boundaries include email, miscellaneous cloud web applications, peripheral devices etc.
In a DLP solution, a false positive occurs when the solution indicates that a DLP policy has been violated even when it hasn't. A false positive can happen as a result of a data detection error or because the file's destination is not approved for sensitive file transfer.
End users may be required to send sensitive files outside the enterprise perimeter for official purposes. In such cases, they may be allowed to override the policy, citing a suitable justification, and proceed to transfer the files.
Override refers to the ability to carry through a DLP action despite a false positive. Override permission should be granted to privileged users and to users who frequently communicate with parties outside the organization.
Occurrence count in a RegEx rule refers to the minimum number of times a pattern has to occur for it to be considered sensitive. For example, if a pattern's occurrence count is 2, the file can be considered sensitive if the pattern appears two or more times.
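A worked illustration of how an occurrence count gates a RegEx rule, added here as example code rather than the product's own implementation; the rule names, placeholder patterns and sample file contents are all constructed:

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class RegexRule:
    """A content-based data rule: a RegEx pattern and the minimum occurrence count."""
    name: str
    pattern: str
    occurrence_count: int = 1

def count_matches(rule: RegexRule, text: str) -> int:
    """Number of non-overlapping places where the pattern occurs in the file text."""
    return sum(1 for _ in re.finditer(rule.pattern, text))

def is_sensitive(rule: RegexRule, text: str) -> bool:
    """The file is sensitive only when the pattern occurs at least occurrence_count times."""
    return count_matches(rule, text) >= rule.occurrence_count

def fired_rules(rules: List[RegexRule], text: str) -> List[str]:
    """Names of the rules in a policy that classify this file as sensitive."""
    return [rule.name for rule in rules if is_sensitive(rule, text)]

# Constructed rules (placeholder patterns, not a real template): an NNN-NN-NNNN style
# identifier needs two hits before the file counts as sensitive, while a hypothetical
# internal project code is sensitive on a single hit.
POLICY = [
    RegexRule("national-id", r"\b\d{3}-\d{2}-\d{4}\b", occurrence_count=2),
    RegexRule("project-code", r"\bPRJ-\d{4}\b", occurrence_count=1),
]

# Constructed sample file contents (fictitious values).
ONE_HIT = "Reference: 123-45-6789 is the only identifier in this memo."
TWO_HITS = "Employees 123-45-6789 and 987-65-4321 appear in the payroll export."
CODE_ONLY = "Status update for PRJ-0042: testing is on schedule."

if __name__ == "__main__":
    for label, text in (("one_hit", ONE_HIT), ("two_hits", TWO_HITS), ("code_only", CODE_ONLY)):
        print(label, fired_rules(POLICY, text))
```

A single stray identifier in a memo does not trip the rule, but a bulk export with two or more does, which is the false-positive reduction the occurrence count is for.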
While keyword matching focuses on identifying specific keywords that are considered sensitive in the document, document matching compares the overall similarity of the provided document to the format that is considered sensitive.
The percentage of accuracy at which the submitted document can be considered comparable to the sensitive template is referred to as the match percentage in fingerprinting. Increasing the match percentage required to classify a document as sensitive can help improve detection accuracy and reduce false positives.
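An added example (not the product's code) contrasting keyword matching with document matching and showing how a match-percentage threshold behaves. It assumes a simplified fingerprint built from word 3-grams; the sensitive template, the filled-in form, the unrelated memo and the keyword list are constructed:

```python
import re
from typing import Iterable, Set, Tuple

Shingle = Tuple[str, ...]

def shingles(text: str, k: int = 3) -> Set[Shingle]:
    """Word k-gram fingerprint of a document (case- and punctuation-insensitive)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def match_percentage(template: str, document: str, k: int = 3) -> float:
    """How much of the sensitive template's fingerprint reappears in the document, 0-100."""
    t, d = shingles(template, k), shingles(document, k)
    return 100.0 * len(t & d) / len(t) if t else 0.0

def document_match(template: str, document: str, threshold: float = 70.0) -> bool:
    """Document matching: sensitive when the match percentage reaches the configured threshold."""
    return match_percentage(template, document) >= threshold

def keyword_match(keywords: Iterable[str], document: str) -> bool:
    """Keyword matching: sensitive as soon as any configured keyword appears as a whole word."""
    words = set(re.findall(r"[a-z0-9]+", document.lower()))
    return any(kw.lower() in words for kw in keywords)

# Constructed sensitive template; NAME and AMOUNT are the blanks a filled-in form replaces.
TEMPLATE = ("Confidential salary statement. This document contains personal payroll data "
            "and must not leave the company. Employee name: NAME. Annual salary: AMOUNT. "
            "Approved by the payroll department.")
# Constructed filled-in form (fictitious data) and an unrelated memo that merely uses the words.
FILLED = ("Confidential salary statement. This document contains personal payroll data "
          "and must not leave the company. Employee name: Jane Doe. Annual salary: 82000. "
          "Approved by the payroll department.")
UNRELATED = "The cafeteria menu for next week is attached. Payroll questions go to HR, not to the salary hotline."
KEYWORDS = ["payroll", "salary"]

if __name__ == "__main__":
    for label, doc in (("filled form", FILLED), ("unrelated memo", UNRELATED)):
        print(f"{label}: keyword={keyword_match(KEYWORDS, doc)} "
              f"match={match_percentage(TEMPLATE, doc):.1f}% document={document_match(TEMPLATE, doc)}")
```

The keyword rule flags both files, while document matching at 70% flags only the filled-in form (75% of the template's fingerprint) and ignores the memo (0%); raising the threshold to 80% would also stop flagging the filled-in form, which is the trade-off behind tuning the match percentage.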
Endpoint DLP Plus focuses on preventing data loss from the source by identifying sensitive information and monitoring its transfer via cloud, email, and other sources, whereas Device Control focuses on regulating access to data present on endpoints, particularly via peripheral devices and other physical channels.
In "Audit mode", the sensitive files will be allowed to be transferred within and outside the enterprise perimeter. The enterprise perimeter defines the restrictions that the admin can configure to dictate the boundaries within which the sensitive data can be processed. However, only the files transferred outside the enterprise perimeter will be audited and can be viewed in the "DLP Sensitive Events Report". The report will give you insights on how to add/remove entries to your DLP Policy without affecting productivity. This applies to the policies of File Access, Email Client, File Upload, Removable Storage Devices, and Printing.
Configuring data leakage prevention policies depends on the type of classification chosen to mark a file as sensitive: content-based or context-based classification.
Marking a file as sensitive when the file contents match a RegEx pattern or a keyword/document is content-based classification.
Context-based classification classifies a file as sensitive, based on the file properties (password-protected or file extension-based) and the nature of the file origin (a file downloaded from an enterprise-marked application).
Since content displayed on screen cannot be scanned, it cannot be classified as sensitive data.
As a result, the data handled by "Trusted Applications" will be classified as sensitive, and the "Block within Trusted Applications" option will restrict screen capture functionality within those applications.
The agent will scan embedded files within .docx, .xlsx, and .pptx formats for sensitive data.