Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2837
Views
0
Helpful
4
Replies

IronPort DLP Policy Help

Wargot360
Level 1
Level 1

‎10-08-2010 05:54 AM

Hello Everyone.

I am after some advice, we are currently implementing the DLP Policy engine for all of our Outbound messages, and have had very good success with some of the policies, but there there is one that is not producing the results that we would have expected.

The Transmission of Contact Information policy based on the description "Identifies email transmissions that contain contact information, such as employee or customer names, addresses or email addresses."

However we are finding that it is not picking up customer data, it is just picking up email signatures.  We have made changes to which severities it blocks (Critical only) but it doesn't seem to make a difference.

We have it as the last Polciy to be applied, so it may be that other polcies are picking things up before this, but we can't turn it to block if it is going to stop emails based purly on the signature.

Has anyone esle out there had similar issues or advise for this?

Labels:
0 Helpful
4 Replies 4

Andreas Mueller
Level 4
Level 4

‎10-11-2010 06:07 AM

Hello Ben,

what surprises me a bit is that you write the classifier only matches on signatures, indeed the Contact Information classifier looks for data that appears to contain names, addresses, etc. But since many emails contain this information in the signature, the classifier requires *more than one* contact in the text before it triggers. Maybe in your case of positive matches those were messages replied back and forward and therefore containing multiple addresses? In any way, if you want to test that policy/classifier,  please use a message that contains at least three addresses. It does not matter if these addresses are valid or use national/international formatting, I have tested with addresses from US/UK/Germany/Australia/Russia etc. and they all were detected without problems.

Regards,

Andreas

0 Helpful

Wargot360
Level 1
Level 1
In response to Andreas Mueller

‎10-15-2010 04:32 AM

Thanks for that I will do some more testing.

On another note, we have configured the Contact Policy to only action on Critical Severities, all the other severities it does nothing with.

I just want to run thgouh a scenario, if I were to have the Contact policies as the 3rd policy and to only action on the Critical Severities.  One of our user's sends an email with enough contact details to trigger the medium severtieis and also some DVLA numbers.

As the message has already triggered the Contact Policy all be it that no action has been taken with the message, then would the message still be passed to the DLVA policy further down the list, or would the message be delivered?

Thanks

Ben

0 Helpful

Andreas Mueller
Level 4
Level 4
In response to Wargot360

‎10-21-2010 12:49 AM

Ben,

DLP will allways check all DLP policies that you have enabled for a certain mail policy  the sender/recipient hits. Reason behind that is that every DLP policy can be configured for a specific action, i.e. deliver,quarantine, or drop. Using "Deliver" can have multiple reasons, i.e. enabling Encryption of a message, redirecting to an alternate host,  sending a notification, etc...  However, delivery will not skip the other policies (unlike you know that from content filters), and if another match occurs on these other policies, the actions will be used accordingly. Also means if you have one policy set to deliver on a positive match, and all other policies to quarantine or drop, the most restrictive action will be used, so even if a positive match occurs on that policy where you deliver, a second match on the other policies would mean that the message gets quarantined or dropped.

Hope that helps,

Regards Andreas

0 Helpful

Wargot360
Level 1
Level 1
In response to Andreas Mueller

‎10-22-2010 04:00 AM

Andreas

Thanks for that, I was hoping this ewas the case.  However I am now confussed.

When we setup the DLP Policies originally, we want to ensure that emails that were being sent securly were excluded from any DLP scanning.  To that end we setup a content rule that inserts a Message Tag.

We then setup a DLP Rule called DLP Ignore that Filters Messages if the tag is present and looks for the message tag we added in the rule.  Based on what the support engineer was telling us this had to be the first rule as DLP works on a first match only.

Based on what you have told me I would therefore expect that if a messaeg contained a Credit Card number and relevent details and therefore triggers the PCI-DSS policy that then bounces the message, even if it was marked as being send securely and had the Message Tag added, then the message should be bounced as "Bounce" in more restrictive than "Deliver".

Unless of course the "Filter Message Tags" option does something that overrides the fact that the message should be scanned by the other policies.

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents