Effective DLP Strategies: Best Practices and Deployment Tips
School
K J Somaiya College of Engineering**We aren't endorsed by this school
Course
COMP 12
Subject
Information Systems
Date
Dec 10, 2024
Pages
71
Uploaded by BarristerFreedom15554
2022 © Netskope Confidential. All rights reserved. Netskope Data Loss Prevention (DLP)Best Practice and Deployment consideration
2022 © Netskope Confidential. All rights reserved. Agenda•Approach and Methodology•Program Considerations•Industry Verticals•Policy Best Practices and Tuning •DLP Technical Overview•DLP Caveats•Documentation and Resources2
2021 © Netskope Confidential. All rights reserved. Netskope Data Loss Prevention (DLP)DLP - Approach and Methodology
2022 © Netskope Confidential. All rights reserved. Key DLP Concepts4The following DLP Concepts are often overlooked•DLP programs are mainlyconcerned with Egress activities•Risk is onlyreduced via a Block policy (Alert/User Alerts do not reduce risk)•DLP Policies need to be underpinned with corporate policies (mapping)•Executive Sponsorship and enforcement is key to any DLP program•Blocking equates to a bad user experience IF dlp rules result in too many false positives. DLP bock policies ideally equate to a 90+% true positive rate prior to blocking.•The goal of a DLP program is policy enforcement and blocking
2022 © Netskope Confidential. All rights reserved. DLPvs SWG - Concept Differences5A DLP program is different than the SWG due to the handling and visibility of sensitive data.Category and activity level SWG activities (control policies) do not generally capture or deal with sensitive data. Therefore, those policies rarely have to be triaged for breaches and regulatory reporting.DLP incidents typically require Incident Management Team review - for validation, potential breach reporting, and user/business unit coaching. This equates to ensuring (via phased approach) that incidents triggered by a DLP toolset do not exceed the capacity for daily review.Tech Note:A forensics profile must be in place in order to view the sensitive data that triggered a DLP policy as part of incident management.
2022 © Netskope Confidential. All rights reserved. Reduce Surface Area Before Enabling DLPBlock Malware and AUP ContentSaaS InlineWebSaaS APIIaaSREDUCE SURFACE AREABlock the risky cloud activities and/or appsBlock uploads to cloud apps not managed by ITBlock uploads to unmanaged app instancesRestrict sharing activities to certain domainsApply restrictions based on additional context such as user groupEmailGranular ControlsInline Email
2022 © Netskope Confidential. All rights reserved. DLP Program Maturity Lifecycle75OptimizationContinuous Improvement.User security awarenessAutomated ResponseAudit Reporting3Defined ProgramDefined policies and processBusiness Unit participation HR Sanctioned Employee EducationManaged Incident TriageContinuous Policy False Positive reduction1DiscoveryDiscovery / Risk ExposureInitial Policy / Audit PrioritiesManual Triage / Limited or no automationIncomplete channel coverage4Managed Risk ReductionAdvanced Blocking PoliciesDocumented Roles & ResponsibilitiesDepartment Risk ReportingDemonstrated Risk Reduction2ImplementationEstablish Initial ProcessesEmployee CommunicationUser Alerting / Blocking / EducationCompany Policy Enforcement
2022 © Netskope Confidential. All rights reserved. DLP Program Maturity Examples8Audit / DiscoveryDiscovery review & planningNotification & Implementation[risk reduction]Protection Maturity[risk reduction]Discover and understand sanctioned versus unsanctioned exfiltration of company dataMatch DLP controls with company policiesChannel assessmentIdentify sanctioned versus unsanctioned activitiesGain DLP blocking approval for policies matching corporate policiesWork with business units to test policies blocking unsanctioned transmissionsCreate employee communication planCreate Compliance trainingBusiness Unit risk report baselineDLP Incident Triage planning / constraintsEmployee notifications (corporate)Policy notification & blockingProtection against broken business practicesExecute Compliance Training where neededTriage and policy adjustments (triage feedback loop)Measure Risk Reduction against baselineProgram coverage expansionContinued Triage and policy adjustments (triage feedback loop)Policy blocking expansion Audit compliance review
2022 © Netskope Confidential. All rights reserved. 9Visibility into Web Traffic & Usage PatternsVisibility into Web Traffic & Usage PatternsVisibility into Cloud Traffic & Usage Visibility into Cloud Traffic & Usage Visibility into Private AccessVisibility into Private AccessVisibility into Managed App Exposure (API)Visibility into Managed App Exposure (API)Visibility into Cloud App Activities (OPLP)Visibility into Cloud App Activities (OPLP)Vendor AssessmentVendor AssessmentInline Controls for Web (Monitor)Inline Controls for Web (Monitor)Inline Controls for Cloud Apps (Monitor)Inline Controls for Cloud Apps (Monitor)Controls for Private Access (monitor)Controls for Private Access (monitor)Controls for Managed App Activities (Monitor)Controls for Managed App Activities (Monitor)Identify IaaS MisconfigurationsIdentify IaaS MisconfigurationsCompliance & ReportingCompliance & ReportingInline Controls for Web Inline Controls for Web Inline Controls for Cloud AppsInline Controls for Cloud AppsControls for Private AccessControls for Private AccessControls for Managed App Activities (API)Controls for Managed App Activities (API)Remediate IaaS MisconfigurationsRemediate IaaS MisconfigurationsSOC Process Integration (SIEM)SOC Process Integration (SIEM)Advanced DLP/TPAdvanced DLP/TPAdvanced Threat ProtectionAdvanced Threat ProtectionControl Unmanaged DevicesControl Unmanaged DevicesA DLP Program Plugs Into the VRP at each levelCLOUD CONNECTIONSINTEGRATION & BASIC CONTROLSVISIBILITYMONITORCONTROLSADVANCED CONTROLSADOPTION & OPERATIONALIZATIONACTIVATIONCLOUD PROTECTION LEVELFOUNDATION** Integrations may include AD, SSO, IdP, SIEM, Forensics, TP, MDM, RMSPredefined Web PoliciesPredefined Web PoliciesTraffic SteeringTraffic SteeringPredefined DLP PoliciesPredefined DLP PoliciesThreat ProtectionThreat ProtectionIntegrations **Integrations **Iterative Steering / Bypass TrainingIterative Steering / Bypass TrainingNot LicensedNot LicensedNot StartedNot StartedIn ProgressIn ProgressCompletedCompletedIn POCIn POCNextGen Secure Web GatewayNextGen Secure Web GatewayReal-time Protection (CASB)Real-time Protection (CASB)Private AccessPrivate AccessRisk InsightsRisk InsightsAPI-enabled ProtectionAPI-enabled ProtectionIaaS Security AssessmentIaaS Security AssessmentNetskope Advanced AnalyticsNetskope Advanced Analytics
2022 © Netskope Confidential. All rights reserved. DLP Policy Structure 10ThreatBlockScanAllowUtilityCASBCategory Level PoliciesWebRBIDLP (as needed)
2022 © Netskope Confidential. All rights reserved. Real-time DLP Policies - Workflow111.Create a new Real-time Protection “DLP” Policy2.Define the Source (User, Group, OU) including any additional criteria e.g. Access Method if applicable.3.Specify Destination Criteria e.g. Application, Category, App instance (Ex: Box, Cloud Storage, etc.)4.Select Activities of interest e.g. Upload, Download, Post, and/or formPost, etc.5.Select additional constraints such as file type, and/or file size if applicable. Note: A file profile can also be included in the DLP profile allowing exclusions or inclusions based on name, size, hash, etc.6.Add one or more DLP Profile(s). Set Global action for all DLP profiles or local action for each of the DLP profiles.7.Choose an action such as Alert or Block with a default or custom block template where appropriate8.Configure Email Notifications if desired (not recommended due to possibly large number of notifications)9.Give the policy a name (and optional description), Save, Apply.
2021 © Netskope Confidential. All rights reserved. Netskope Data Loss Prevention (DLP)DLP Program Considerations
2022 © Netskope Confidential. All rights reserved. Program Considerations(what/where/who)13●Determine Data Protection Objectives●What are the goals of the program? ●What is being protected? –Intellectual Property–Restricted data over unsanctioned channels●Regulatory Compliance & Audit enforcement●What applications or groups are sanctioned for data handling?●What are the sanctioned methods of sharing sensitive information.
2022 © Netskope Confidential. All rights reserved. Program Considerations(what/where/who)14●Where is the risk?●Where is sensitive data stored externally?●Where is sensitive data egressing or exchanged?●Who has access to (and utilizes) sensitive data?●What applications or groups are sanctioned for data handling?●Which users and groups are currency exchanging sensitive data?●Who is the data exchanged with?
2022 © Netskope Confidential. All rights reserved. Program Considerations(Activities and/or Gaps)15●Sharing & Storage - Activities & Gaps●Discovery of Sanctioned Sensitive Data Sharing ●Utilizing DLP to discover and enforce only sanctioned methods of sensitive data transfer ●Utilizing DLP to discover any Regulatory Compliance & Audit policy gaps●Utilizing DLP to discover user/group access to sensitive data●What are the gaps?–Utilizing DLP to detect when business units share sensitive data over unsanctioned methods due to gaps in security toolsets? –Utilizing DLP to detect the unique sharing & security needs of various business units
2022 © Netskope Confidential. All rights reserved. Program Considerations(Activities and/or Gaps)16●Addressing discovered risk●Utilizing DLP discovery to move or remove sensitive data located within unsanctioned locations●Utilizing DLP to coach users utilizing unsanctioned methods of sharing●Utilizing DLP to detect when unshared data becomes shared
2022 © Netskope Confidential. All rights reserved. Program Considerations (Stakeholders)17●Identify Stakeholders and buy-ins●Is there an approved DLP program with an allocated budget?●Who are the parties with vested interest?●CISO, CFO, CEO, Legal, Privacy, Compliance, etc.●What are their requirements or pain points?●Define Roles and Responsibilities●Individuals and/or Teams●Role-based rights and duties to provide checks and balances throughout the program●Who reviews incidents and remediates?●Who authorizes special needs and use cases?
2022 © Netskope Confidential. All rights reserved. Program Considerations18●Clearly define Quick Wins●Set phased and measurable objectives●Short and Long terms goals•Audit & policy enforcement capabilities•Integration & Visibility (steering)•Determine risk priority via DLP discovery●DLP is a program, not a project/product●Document your processes●Share key metrics and reports with stakeholders●Review and adjust processes as neededControlled RiskManagedRiskDiscovery
2022 © Netskope Confidential. All rights reserved. DLP High Level Program Progression19PhaseCompany Risk StatusAudit / DiscoveryDiscoveryLittle to no risk reductionDiscovery review & planningDiscovery / Business Unit Alignment / CommunicationLittle to no risk reductionNotification & ImplementationUser Alert / Blocking / RefinementInitial Risk ReductionProtection MaturityExtended Protection BlockingExtended Risk ReductionTriage Review for False PositivesContinuous Triage Review for False PositivesContinuous Triage Review for False PositivesTriage Review for False PositivesTriagePolicy FeedbackLoopTriagePolicy FeedbackLoopTriagePolicy FeedbackLoop
2021 © Netskope Confidential. All rights reserved. Netskope Data Loss Prevention (DLP)DLP Best Practices - Industry Verticals
2022 © Netskope Confidential. All rights reserved. Data Protection & Industry VerticalGeneral Data Protection policies apply to most companies regardless of industryHowever, industry verticals often implement additional DLP policies focused on that industry.Since DLP programs and policies can differ per industry, the following slides reflect the typical DLP protection best practices related to the industry shown.Data Protection Policies Common to most companies:●Employee Data Protection (HR)●Customer Data Protection (PCI, PII)●M&A / Legal ●Data Classification Enforcement ●Phishing21
2022 © Netskope Confidential. All rights reserved. HealthcareWith the increasing adoption of cloud and web services by medical professionals, researchers, and administrators, you have less visibility and control over sensitive data such as patient health records, clinical trials research data, and even non-public financials or business plans. To protect healthcare information such as protected health information (PHI) and ensure electronic health records (EHRs) remain secure, you need tools to secure your sensitive data in case of a healthcare data breach, enforce access controls, and restrict risky cloud activities.Healthcare verticals typically have additional focus in the following areas:●Health Insurance Portability and Accountability Act (HIPAA)●Health Information Technology for Economic and Clinical Health (HITECH) regulations●Authorized recipients of Patient and Insurance information●Authorized transmissions of sensitive data between specialty units●Aging stored sensitive data22
2022 © Netskope Confidential. All rights reserved. Financial Services 23Providing financial management services can be a challenging task as business content moves to the cloud, often without IT’s knowledge or authorization. Without visibility and control of the cloud applications and web services, the information security teams may find it challenging to comply with audit requirement to ensure regulatory compliance. Financial Services verticals typically have additional focus in the following areas:●Payment Card Industry (PCI) & Data Security Standard (DSS) compliance●PII utilized to secure loans or open accounts (SSN, Geo-National Identifier)●Security and Exchange Commission Regulations●Application & Form Data Protection●Sanctioned Storage of sensitive data by various business units●Data Classification - Detection and Enforcement●Global requirements (GDPR, Data across borders, utilization of regional Privacy Officers and works councils)
2022 © Netskope Confidential. All rights reserved. Retail Merchant Service ProvidersAreas of concern include customers’ personal information, payment information, and inadvertent disclosure of non-public reports or business plans. Data security for the retail industry can become more challenging as the organization moves to the cloud. Without visibility and control across SaaS, IaaS, web and email, the organization can no longer govern usage to ensure PCI compliance and protect other sensitive data. Security professionals require visibility into what cloud services and websites are in use and how they are being used. The information is utilized to enforce access controls, protect sensitive data, and restrict risky cloud activities.Retail Merchant verticals typically have additional focus in the following areas:●Customer Personal Identifiable Information (PII) data protection●Payment Card Industry (PCI) & Data Security Standard (DSS) compliance●Customer history, personal preference, and payment data protection●Point of Sale (POS) system transmission security24
2022 © Netskope Confidential. All rights reserved. With focus in SaaS, software, and service offerings while representing a growing industry, almost all companies may become involved in software development by necessity or an acquisition. Software and solutions quickly equate to intellectual property. They often include sensitive authentication and internal resource data. Developers take advantage of open source software components to reduce development time and costs by sharing code snippets with other developers or storing them in Git repositories. An accidental or intentional storage of sensitive information might expose intellectual property to external parties, including bad actors. Software verticals typically have additional focus in the following areas:●Code protection as intellectual property●Proprietary software/code sharing protection●Inadvertent sharing of code snippets that contain tokens, secrets, passwords, or other internal information●Intentional code exfiltrationSoftware Development / R&D25
2022 © Netskope Confidential. All rights reserved. Data Protection Common Use CasesAccurateclassification of your IPReduce alert fatigue and protect confidential and sensitive corporate data using state-of-the-art ML data classification and fingerprinting technology.Broad coverage of regulationsComprehensive coverage for regulations for various industries and countries such as PCI-DSS, HIPAA & GDPR. Out-of-the-box reports for quick deployment.Proactive detection of bulk data exfiltrationContent inspection combined with Netskope’s threat intelligence and user behavior analytics to protect from insider threats exfiltrating sensitive data.Build context aware, fine-grained policies Allow personal OneDrive with restriction on corporate data. Allow unmanaged devices with restrictions on sensitive data.Cloud scale for today’s needsContent inspection for billions of transactions with PB of data in real time as well as retroactively scan cloud repositories and public cloud platforms.Intellectual PropertyPrivacy & ComplianceInsider ThreatEnable the BusinessUnlimited Scale
2021 © Netskope Confidential. All rights reserved. Netskope Data Loss Prevention (DLP)DLP Policy Best Practices & Tuning
2022 © Netskope Confidential. All rights reserved. Data transmissions can be very different (from a DLP perspective) from company to company. Therefore, it’s often difficult to apply the same DLP rule configuration across multiple companies. These ‘unique data pieces’ typically equate to necessary (and ongoing) DLP rule and policy tuning.Why Ongoing?Even DLP policies that have been tuned can start triggering undesired results as a result of new business unit interactions or new technology integrations. The following slides walks through some typical DLP policies and best practice configuration or tuning routines that are often utilized in their respected verticals.28Introduction
2022 © Netskope Confidential. All rights reserved. Company Source Code Protection29●Company / Vertical Typically Utilizing●Software Development / R&D●Purpose & Tuning Considerations:●Customers are generally interested in safeguarding proprietary code●The source code rules need to be augmented with additional detection criteria to decipher between company source code vs generic source code.Expected results if DLP rules are misconfigured:●Generic Code triggering the policy that is not related to a source code transmission●Generic Code triggering the policy that is unrelated to company specific code●Inability to utilize DLP ‘Block’ actions due to volume of false positive detection events●Volume of incidents too large for the DLP Triage team to review on a daily basis
2022 © Netskope Confidential. All rights reserved. Company Source Code Protection30●Recommended Policy Configuration●Rule Identifier 1 = Predefined source code detection●Rule Identifier 2 = company aws secrets, domains, unique authentication pieces, watermarks (unique to the company)●Rule Identifier 1 and 2 combined (AND) to require detection of both source code and unique company identifiers - Identifier 1AND Identifier 2●Review results and tune with the goal of 90+% accuracy ●Consider moving policy to ‘Block’ or ‘User Alert’ action when accuracy verified
2022 © Netskope Confidential. All rights reserved. Data Classification31●Company / Vertical Typically Utilizing●All Verticals●Purpose & Tuning Considerations:●Data classification is generally metadata tagging and can be limited to certain document types. ●Titus, Vera, or MS MIP are examples of enterprise data classification solutions. ●Companies can choose their own classification labels but examples may be Public, Classified, Internal, and Restricted. The below example blocks one classification but there may be a separate DLP block rule for each classification that should never be shared externally.Expected results if DLP rules are misconfigured:●Policy does not appear to trigger (Tag & Value mismatch)●Policy applied to file types that are not compatible with classification tagging●Documents misclassified by users and not validated by DLP sensitive data protection●Inability to utilize DLP ‘Block’ actions due to volume of false positive detection events●Volume of incidents too large for the DLP Triage team to review on a daily basis*Non-Proprietary Tags/Data (Clear Text)
2022 © Netskope Confidential. All rights reserved. Data Classification32●Recommended Policy ConfigurationExample DLP rule to block “ACME Classification: Internal”*●Identifier1 = Detect “ACME Classification:” Identifier2 = Detect “Internal” (Both within the metadata) ●Rule = Identifier 1 NEAR Identifier 2 (NEAR = 50)●Profile may match supported file types only + Rule●Policies to block unsanctioned egress or sharing activities using the related Profile.Example DLP rule to block “ACME Classification: Public”* with Sensitive Data Detected●Identifier1 = Detect “ACME Classification:” Identifier2 = Detect “Public” (Both within the metadata) ●Identifier 3 = SSN●Rule = Identifier 1 NEAR Identifier 2 (NEAR = 50) AND Identifier 3●Profile may match supported file types only + Rule with a suggested ‘Block’ action.●Review results and tune with the goal of 90+% accuracy ●Consider moving policy to ‘Block’ or ‘User Alert’ action when accuracy verified*Non-Proprietary Tags/Data (Clear Text)
2022 © Netskope Confidential. All rights reserved. Exact Data Match (EDM)33●What is EDM?●Advanced Hashing Technique to leverage already validated customer data●One-Way Hash●Architecture●Using a virtual appliance, provided by Netskope, hash and upload data while still in the private space●UI Data Upload/Hashing functionality available and supported for testing/POC●Supports for up to 25 unique data columns●Benefits and Considerations●Precise, Extremely Accurate - 100% Efficacy against pre-validated data●Quality of Data is of an extreme importance for best results●Tools available within the appliance to assess quality of data before hashing and uploading with improvement recommendations if any deemed necessary
2022 © Netskope Confidential. All rights reserved. The PII Challenge34●Netskope can find whateveris needed to be found●Generating thousands of incidentsin a day does not help●Unmanageable●Loss of Value●Understand what is “important” to the customer ●Review predefined PII profile •Is Name-Email_Address valuable information?–Yes? Identify bulk quantities = Define Thresholds–No? Remove the rule from the profile•Does Surname (Last_Name) matter?
2022 © Netskope Confidential. All rights reserved. The PII Challenge35●Understand what is “important” to the customer ●Review predefined PII profile •Does Surname (Last_Name) matter?–Words like Glass, April, May, orJune will be matched–Consider replacing Surname with Full_Name•Date of Birth–Consider replacing default entity with custom dictionary (see notes) eliminating matches like Month of Birth, Day of Birth, etc.•Use Proximity - the NEAR operator–Example: Keyword ‘Birthdate’ and a date are of little value if randomly found in a document/.
2022 © Netskope Confidential. All rights reserved. Reducing False Positives36●There is a difference between False Positive and an UndesiredTrue Positive!●Depending on the nature of the false positive, consider using:●Weighted Dictionaries•Example: Bank, -1Bank of America, 2•Pros–Can help improve overall quality of the matched data•Cons–RegEx-based dictionaries not supported–Require custom effort = challenging if not impossible (Netskope does not expose its IP)
2022 © Netskope Confidential. All rights reserved. Reducing False Positives37●Depending on the nature of the false positive, consider using:●Exact Data Match (EDM 1.0) Negative Matching functionality●Pros•Highly Effective - Exact Matching●Cons•Requires Identification and maintenance of the undesired data in need of being excluded
2021 © Netskope Confidential. All rights reserved. Netskope Data Loss Prevention (DLP)DLP Technical Overview
2022 © Netskope Confidential. All rights reserved. 39DLP Feature Highlights●3500+ predefined data identifiers●550+ supported true file types●Detects encrypted/password protected files●Container extraction (zip, tar, …) up to 8 levels by default●Embedded content detection (excel table in a word file)●Text and Metadata extraction (classification tags, watermarks, etc.)●Custom data identifiers based on Regular Expressions●Custom data identifiers based on Dictionary (Weighted / Unweighted)●Custom data identifiers based on Keywords / Phrases●Proximity Detection (Near Parameter)●EDM : Exact Data Match●Data Fingerprinting●ML : Machine Learning●OCR : Optical Character Recognition
2022 © Netskope Confidential. All rights reserved. DLP – Standard vs Advanced40Standard Data Protection (DLP)•Data-at-rest and in-motion DLP analysis for managed cloud services and apps, in-motion for all cloud apps •40+ regulatory compliance templates including GDPR, PII, PCI, PHI, source code, etc … •Includes 3,000+ data identifiers for 1,400+ file types, plus custom regex, patterns, and dictionaries •AI/ML standard document classifiers (i.e. source code + resumes) •Incident management and remediationAdvanced Data Protection (DLP)•Standard Data Protection capabilities included•File Fingerprinting with degree of similarity, Exact Data Matching and API mode Optical Character Recognition (OCR) •AI/ML classification for patent and M&A documents, tax forms, source code, plus imagesincluding desktop screenshots, passports, IDs, etc. New Data SheetApril28th
2022 © Netskope Confidential. All rights reserved. 41DLP - Rules & Profiles●A DLP Rule defines what data to look for●Many predefined rules exist in the system – 334●A DLP Profile is assigned to a policy (inline or introspection)●Can contain several DLP Rules (Logical OR)●37 predefined profiles in the systemPolicies > Profiles > DLP > Edit Rules
2022 © Netskope Confidential. All rights reserved. 42DLP - Predefined Identifiers●Create rules using the 3500+ predefined data identifiers●NumbersSSN, CCN, Driver License●NamesPerson, Banks, medical (Drugs, Conditions, ICD9/10),…●AddressesAcross different countries●Data validation●LUHN-10 for CCN●Prefix Check for SSNPolicies > Profiles > DLP > Edit Rules > DLP Rules > New Rule
2022 © Netskope Confidential. All rights reserved. 43DLP - Custom Data Identifiers - Regular Expressions●If you can’t find the identifier you need, construct your own custom data identifier●Using Regular Expression●Tip: Click “Learn More…” to gain insight into custom data identifiers. Regular expression examples are provided.●Add multiple identifiersPolicies > Profiles > DLP > Edit Rules > DLP Rules > New RuleExample: Bank of America a/c 8748384783
2022 © Netskope Confidential. All rights reserved. 44DLP - Dictionary Based Identifiers●Imported dictionary files can be used as identifiers ●Ideal for a long list of keyword termsPolicies > Profiles > DLP > Edit Rules > DLP Rules > New Rule
2022 © Netskope Confidential. All rights reserved. 45DLP - Dictionary Based Identifiers●Improve accuracy with Weighted Dictionaries●Improve True Positives while reducing false positives●Influence the rule to trigger when high confidence dictionary terms are found
2022 © Netskope Confidential. All rights reserved. 46Weighted Dictionaries - Reducing False Positives(P0) – Source Code (Any)(D0) – Public_DomainsDictionary – D0“GNU General Public License”, -1“Apache License”, -1“Confidential Code, Netskope Inc.”, 2Note: Spaces and Special Characters need to be encapsulated in double quotesNot company IP
2022 © Netskope Confidential. All rights reserved. 47Fingerprinting and Exact Data MatchOrganize sensitive data in a CSVGenerate an Exact Match hashFingerprintingExact Data Match (EDM)Identify sensitive documentsFingerprint the assetsApply Document fingerprintingApply Binary fingerprinting (MD5)Validate DLP Rule with Exact matchUse Auto dictionaries in DLP ruleBenefits:●Full coverage – Apply policies for data in motion or data-at-rest●Improved accuracy – Detect excerpts of the sensitive data with minimal misclassifications ●Easy policy enforcement – No policy tuning needed, use the original content to translate into the policy
2022 © Netskope Confidential. All rights reserved. 48Fingerprinting of Unstructured DataIntroduction●Netskope Noise Cancelling DLP can be trained by fingerprinting documents●Feed the system a document and it will be able to detect;●The Full document (MD5)●Fragments of that document●Variations of that document (Similarity)
2022 © Netskope Confidential. All rights reserved. 49DLP FingerprintingClassifications●The Netskope Virtual Appliance will download the newly created Fingerprinting Classifications●Link a file location to a Fingerprint Classification using CLI commandrequest dlpfingerprint generate classification <classification_name> path <file/directory_path>●The fingerprint process now generates the fingerprint(s) for the file(s) in the directory path and pushes it to the cloud instance. ●The Classifications content will be created/updated by the Virtual Appliance with the actual fingerprints●Classifications can be managed individually: Policies > Profiles > DLP > Edit Rules > Fingerprint Classification●Or created via the FC rules:●Create New●Select Existing
2022 © Netskope Confidential. All rights reserved. 5050DLP Fingerprinting – Similarity Thresholds
2022 © Netskope Confidential. All rights reserved. Virtual Appliance – DLP Exact MatchInternet1Virtual Appliance231.Copy the file to Netskope Virtual Appliance2.Run the DLP command to perform one-way non-reversible hash *3.Hash gets uploaded to NS Cloud in memory * Process can be automated by running a cronjob11HashOn-Prem FileHash
2022 © Netskope Confidential. All rights reserved. Exact Data Match – EDM 1.0●A company might have a customer and/or an employee database with sensitive information or PII. You would index this data and protect the unique combinations of the fields in each, unique row. ●This might be something like a person’s First Name, Last Name and SSN/CCN/MRN. To use Exact Match, you must first upload a data set to your On-Prem Virtual Appliance or the Netskope tenant UI.
2022 © Netskope Confidential. All rights reserved. Exact Data Match – EDM 2.0To use Exact Match in EDM 2.0, you must first upload a data set followed by creating Column Groups for the uploaded data in the Netskope Tenant UI before creating rule(s).
2022 © Netskope Confidential. All rights reserved. Exact Data Match – EDM 2.0Create a rule utilizing previously created EDM groups and mapping custom or predefined identifiers to the EDM data.
2022 © Netskope Confidential. All rights reserved. DLP Advanced Options55●Support for Global Identifiers●An identifier that must occur once e.g. Table Header●Support for custom rule expressions●Point and Click●Operators: And, Or, Not, Near, ( )●Expression will be used in combination of the severity thresholdsPolicies > Profiles > DLP > Edit Rules > DLP Rules > New Rule
2022 © Netskope Confidential. All rights reserved. DLP Content & Metadata56●Netskope DLP will, by default, inspect Metadata & Content for all text extractable objects.●Optionally configure•Metadata or Content Scanning of an ObjectPolicies > Profiles > DLP > Edit Rules > DLP Rules > New Rule
2022 © Netskope Confidential. All rights reserved. DLP Severity ThresholdInstruct the DLP how often the Identifier / Expression should be matched to match a severity1.Select either Record or Aggregated Score.2.Enter a number of occurrences for each severity level, or simply keep the defaults.3.Change or keep the severity level that triggers a policy action from the dropdown list. Note: An alert will be createdwhen the severity level matches/exceeds the Low threshold while a policy action will be taken based on the threshold select for the policy action.Policies > Profiles > DLP > Edit Rules > DLP Rules > New Rule
2022 © Netskope Confidential. All rights reserved. DLP - File Profile58●File Profile may contain one or more of the following:●Name or Extension●File Type●File Hash●Object ID●File Size●Protected/Encrypted Content●File Profile can be added to a DLP Profile as an inclusion or exclusion with or without a DLP/ML/Fingerprint rule(s).
2022 © Netskope Confidential. All rights reserved. 59●Only available in API-enabled Data Protection●Advanced DLP Feature●Maximum file size support: 32 MB○Large File Support for up to 128 MB●OCR supports the following file types○png, jpeg, gif, bmp●Supported images embedded in PDF, MS Office, and Archives are extracted and scanned●No Explicit OCR Policy required. The OCR scanning is an automatic functionalityOptical Character Recognition - OCR
2022 © Netskope Confidential. All rights reserved. 60DLP – ML Image Classification●Detect and classify PII in images or documents with a higher degree of accuracy●Based on a 88-layer convolutional neural network (CNN) model. No need to extract text using OCR.●Highly Accurate Detection●26 Image and text ML Classifiers
2022 © Netskope Confidential. All rights reserved. 61●Machine Learning (ML) based classification for text and image documents●Currently available Classifiers include:●Financial:Bank Statement, Checks, Loan Agreement, Loan Application, Payment Card (Credit, Debit), Stock Purchase Agreement, and Tax Forms (US)●Legal:Consulting Agreement, Mergers and Acquisitions (M&A), NDA (English), Partner Agreement, and Patent●Personal Identifiers:Drivers License (All), Drivers License (US), Healthcare ID Card, Passport Book, Photo ID, Social Security Card (US)●Medical: Medical Form Medical Image, Medical Power of Attorney●HR:Offer Letter, Resume●Miscellaneous: Screenshot, Whiteboard●Source Code: Source Code (All)●We are working on additional classifiers such as RFPs, NDAs, etc.DLP – ML Document Classification
2022 © Netskope Confidential. All rights reserved. 62DLP – Machine Learning (ML) Classification●Create a DLP profile to include ML Classifiers with or without a DLP, File Profile, or Fingerprinting Rule(s).
2022 © Netskope Confidential. All rights reserved. 63Entity Modifier - R91Use Case●Fine tune custom DLP entities for greater control in identifying dataCapabilities●Ability to create exceptions for DLP entities using: –Begins-with and does-not-begin-with construct.–Ends-with and does-not-end-with construct.–But-not construct.Value to the customer ●Customers will be able to to tweak predefined entities to easily extend the type of data that DLP can detect●This would also serve as an alternative to building complex look-around regular expressions.
2021 © Netskope Confidential. All rights reserved. Netskope Data Loss Prevention (DLP)DLP Caveats
2022 © Netskope Confidential. All rights reserved. ●DLP Timeouts–Default timeout value:10 Seconds–Proxy timeouts may occur when DLP engine takes longer resulting into slippage–Fix: Open support case to confirm timeouts within Sumo Logic and request engineering to increase timeout value up to 55 seconds●DLP File Size Limitations–Real-Time: 16 MB (Default)–API: 32 MB (Default)–Large File Support for up to 128 MB for Real-Time and API (URSA) –Files larger than the specified size are not scanned–Archives larger than the specified size are not scanned65Caveats
2022 © Netskope Confidential. All rights reserved. ●EDM Sync (MP → DP) Intervals/Time●When using tenant UI for EDM, it may take long time for the EDM data to be synchronized across all DPs●Problem Symptoms: Policy does not match for the EDM data●Test using RegEx only that matches the EDM data. If the DLP engine successfully matches data using RegEx, then the lack of matching of the EDM data is due to the sync delay. Engage support for help.●For larger customers using an on-premise virtual appliance for EDM, consult Engineering via DLP SME Team for the sync time estimation, which is typically 24 hours for a very large Tier-1 customer like Kaiser Permanente.66Caveats
2022 © Netskope Confidential. All rights reserved. ●Limited functionality for the ‘NOT’ rule operator●Does not function as expected. For example:•( P0 AND P1 ) AND NOT P2•The engine will scan for the entire expression for the entire document (not individual records) and not as was the intention to exclude data matching P2. End Results: False Negatives●Ability to use EDM to reduce false positives aka negative matching not available in EDM 2.0, alternative functionality being released in R90/91●RegEx: No support for Lookarounds, alternative functionality being release in R90/91 offering ways to negatively match●Zip Files: Scannable up to 8 levels67Caveats
2022 © Netskope Confidential. All rights reserved. ●The DLP Engine does NOT look back for matches●This can become an issue when unstructured data is oddly formatted●Example:●P0 = Social Security Number Numbers (us;all)●P1 = Social Security Number Terms (us)●P2 = Medical Conditions (english)●P3 = Full Names (us)●Rule = P0 AND P1 AND P2 AND P3●Expectation: ●The above rule will count all matches for each combination found. 68CaveatsThe Example to the right will result in a single detection. Why?Since the example data is oddly formatted, all identifiers iterated through the top and middle sections until finally reaching the full names and completing a rule trigger.Workaround Example: If we want to detect the example formatting with a more accurate record count result, we would consider a rule for P0 AND P1 with Global Identifier Detection set for P2 and P3
2021 © Netskope Confidential. All rights reserved. Netskope Data Loss Prevention (DLP)Documentation & Resources
2022 © Netskope Confidential. All rights reserved. ●The DLP Program approach and prioritizations may differ from company to company. The following is intended to facilitate the conversation of staffing and reflects some typical program members:○Program Manager/Coordinator (not always included)●Tracks Quarterly Program Progress and reporting●Tracks and coordinates Business Unit education and requirements○Integration Engineering●Initial tool integration and policy setup●Reviews remediated incidents for ‘false positives’ and tunes DLP policies accordingly○Incident Management team (incident review and workflow)○Cyber Security Forensics/Escalation (Escalated events and system of record)○Data Privacy Officer (by region)●Typically a remediation team escalation point●Provides guidance based on known company requirements○Business Unit Security Representatives●Represents their individual business unit needs/requirements○Works Council members (where needed)70DLPProgram Staffing
Thank You!71