Configuring your RiskVision data profile

System Management | TRITON RiskVision | 02-June-2016

Use the System > Data Profile tab in the Local Manager to configure RiskVision to perform data analysis on monitored files.

Data analysis is performed for outbound HTTP and SMTP traffic, and can be used for both data loss and data theft detection.

Data loss detection looks for data that represents specific types of compliance violations For example, an email message containing credit card numbers would violate Payment Card Industry (PCI) rules.

Data theft detection identifies data transfers consistent with malicious third-party attempts to steal sensitive information (such as a collection of network passwords).

You can configure data analysis to focus on specific types of violations, as explained below.

Enable data analysis

Use the toggle at the top of the page to determine whether or not to Analyze data file content (enabled by default).

When data analysis is enabled, you can enable the data loss and data theft protection policies most useful to your organization.

When data analysis finds data loss or data theft violations, the information is added to incident records on the Incidents page. See Working with Incidents for more information.

Select data loss detection policies

Data analysis can use a set of preconfigured policies to detect specific types of information in data sent via monitored traffic.

To enable data loss detection policies:

Specify a Geographical region to ensure that specific types of content are identified correctly.

Select one or more policies to enforce:

A Personally Identifiable Information (PII) policy is used to detect private information, like drivers license or passport numbers.

A Protected Health Information (PHI) policy is used to detect health-related information, like DNA profiles and sensitive drug or disease names.

A Payment Card Industry (PCI) policy is used to detect credit card numbers and magnetic strip data.

A complete list of the characteristics (content classifiers) that make up each regional policy is available in RiskVision Data Analysis Policies.

In most cases, the Sensitivity setting should remain at Default. This setting is most likely to avoid both false positives (matches that do not represent actual data loss) and false negatives (data loss that is not detected).

If you find that you are receiving too many false positives or false negatives, adjust the sensitivity setting in response:

Wide is highly sensitive and detects more potential data loss incidents than the other levels. It is more likely to produce a false positive (creating an incident for a benign transaction).

Narrow is less sensitive. While it may help avoid false positives, it is also more likely that data loss events will not be detected, and therefore not be flagged as incidents.

Configure data theft detection

To enable data theft detection:

Mark the check box next to each type of information that you want data analysis to identify in monitored traffic.

Select Common password information to identify passwords in outbound plain text communication.

Select Encrypted file - known format to identify outbound transactions that use common encrypted file formats.

Select Encrypted file - unknown format to identify outbound files that were encrypted using unknown encryption formats.

Select IT asset information to identify outbound transactions that contain suspicious information, such as information about the network, software license keys, and database files.

Select Malware communication to identify "phone home" traffic based on analysis of traffic patterns from machines known to be infected.

Select Password files to identify outbound password files, including SAM database information and Linux password files.

In most cases, the Sensitivity setting should remain at Default. This setting is most likely to avoid both false positives (matches that do not represent actual data theft) and false negatives (data theft that is not detected).

If you find that you are receiving too many false positives or false negatives, adjust the sensitivity setting in response:

Wide is highly sensitive and detects more potential data theft incidents than the other levels. It is more likely to produce a false positive (creating an incident for a benign transaction).

Narrow is less sensitive. While it may help avoid false positives, it is also more likely that data theft events will not be detected, and therefore not be flagged as incidents.