Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring the Web Data Loss Prevention Policy > Configuring Web attributes
Configuring Web attributes
Administrator Help | TRITON AP-DATA | Version 8.3.x
Related topics:
*
Configuring the Web Data Loss Prevention Policy
*
Selecting Web destinations
*
Defining policy owners
Select one or more Web attributes to include in the policy. For each, highlight the attribute and click Enabled in the right pane. Define properties for each attribute in the right pane as well.
When the system detects a match for an attribute, it triggers the policy.
If you want to send notifications when there is a violation of a particular attribute setting, select the Send the following notification check box. You can configure who receives the notifications by clicking the name of the notification, "Web policy violation." Click this option to define the mail server, email subject, and message body, as well as other required properties. Policy owners receive notifications by default. See Configuring the Web Data Loss Prevention Policy for instructions.
For each attribute, indicate how severe a breach would be (low, medium, or high severity), and what action should be taken if a breach is detected. The default severity levels and available actions are shown below for each attribute.
Field
Description
Post size
Disabled by default.
Select the size of Web posts to monitor. For example, choose 100 KB if you want the system to analyze posts equal to or exceeding 100 KB and enforce the policy, but you're not concerned about posts smaller than 100 KB, even if there is a match. The default is 10 KB.
Default severity: low.
Available actions: block (default), permit.
Regulatory & compliance
Enabled by default.
Select the regulatory and compliance rules you need to enforce. These are applied to the regions you selected with the regulatory & compliance option.
*
Personally Identifiable Information (PII)
*
Protected Health Information (PHI)
*
Payment Card Industry (PCI DSS)
If you have not selected regions, an error pops up. Click Select regions to fix this.
Once you've selected a category, click its name to view or edit the specific policies to enforce.
Applying only the policies you need improves performance and reduces resource consumption.
Select a sensitivity for each policy.
*
Wide is highly sensitive and errs on the restrictive side; it detects more data than the other levels. It is more likely to produce a false positive (unintended match) than a false negative (content that is not detected).
*
Default balances the number of false positives and false negatives and is recommended for most customers.
*
Narrow is the least restrictive. It is more likely to let content through than to produce an unintended match. For best practice, use this level when you first start using the block action. You might also use it if the system is detecting too many false positives.
Default severity: high.
Available actions: block (default), permit.
Data theft
Disabled by default.
The system protects against content being posted to the Web after your computer is infected. This complements the TRITON AP-WEB module which protects against infected content downloaded from the Web.
Select the type of data to search for in outbound transactions. When sent outside your network, this data can indicate a serious vulnerability.
*
Suspected malware communication - Identifies transactions that are suspected to be malicious, based on analysis of traffic of known infected machines. This includes traffic thought to be malware phoning home or attempting to steal data. To use this feature, you must have TRITON AP-WEB installed and the Linking Service enabled. Because Linking Service is required, malware is not detected on endpoints.
*
Encrypted files - unknown format - Searches for outbound files that were encrypted using unknown encryption formats, based on advanced pattern and statistical analysis of the data.
*
Encrypted files - known format - Searches for outbound transactions comprising common encrypted file formats, such as password-protected Microsoft Word files.
*
Password files - Searches for password files, such as a SAM database and UNIX/Linux password files.
*
Common password information - Searches for password information in plain text by looking for common password patterns and using various heuristics.
*
IT asset information - Searches for electronic data containing suspicious content, such as network data, software license keys, and database files.
*
Suspicious behavior over time - Searches for activity considered to be potentially malicious, such as numerous posts in a designated period or numerous transactions containing encrypted data.
Select a sensitivity for each policy.
*
Wide is highly sensitive and errs on the restrictive side; it detects more data than the other levels. It is more likely to produce a false positive (unintended match) than a false negative (content that is not detected).
*
Default balances the number of false positives and false negatives and is recommended for most customers.
*
Narrow is the least restrictive. It is more likely to let content through than to produce an unintended match. For best practice, use this level when you first start using the block action. You might also use it if the system is detecting too many false positives.
Note:
The number of policies and sensitivity you select affects performance.
Default severity: high.
Available actions: block (default), permit.
Name of uploaded file
Disabled by default.
One by one, enter the names of the exact files that should be monitored when they're posted or uploaded to the Web. Include the filename and extension. Click Add after each entry.
For example, add the file named confidential.docx. When that file is being posted, the system will detect it and either permit or block the post.
The system can detect files even when they've been compressed into an archive, such as a .zip file.
Default severity: low.
Available actions: block (default), permit.
Type of uploaded file
Disabled by default.
Click Add to specify the types of files that should be monitored when posted or uploaded to the Web, for example Microsoft Excel files.
From the resulting dialog box, select the type or types of files to monitor. If there are more file types than can appear on the page, you can sort columns or enter search criteria for find the type of file you want.
If the file type does not exist, specify exact files of this type using the Name of uploaded file attribute instead.
Default severity: low.
Available actions: block (default), permit.
Patterns & phrases
Enabled by default.
Click Add to define key phrases or regular expression (RegEx) patterns that should be monitored.
On the resulting dialog box, enter the precise phrase (for example "Internal Only") or RegEx pattern (for example ~ m/H.?e/) to include.
Select how many phrase matches must be made for the policy to trigger. The default number of matches is 1.
Default severity: medium.
Available actions: block (default), permit.
Note:
Although you do not define whether to search only for unique strings, the system will use the following defaults:
Key phrase: non-unique - all matches will be reported.
Regular expression: unique - only unique matches will be reported as triggered values.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring the Web Data Loss Prevention Policy > Configuring Web attributes
Copyright 2016 Forcepoint LLC. All rights reserved.