Data Security tab (DLP Lite)

Click the Data Security tab in the policy to configure options for blocking or monitoring data loss over web channels.

This tab is available when adding a policy if Use DLP Lite is selected on the Web > Settings > Data Protection Settings page or if the Data Protection Service is not licensed.

To enable this tab for an existing policy, navigate to Web > Settings > Data Protection Settings and use the table at the bottom to reset the data security selection for the policy. See Data Protection Settings for details.


	Important Data security features are not compatible with the I Series appliance.

When data security features are enabled, the cloud service searches for sensitive data or files being posted to HTTP, HTTPS, and FTP sites, and reports on any incidents that it discovers. Sensitive data may include intellectual property, data that is protected by national legislation or industry regulation, and data suspected to be stolen by malware or malicious activities. You can configure whether such incidents are blocked or just monitored.

To search for data over HTTPS, be sure SSL decryption is enabled by following the instructions provided in Enabling SSL decryption.

When blocking is enabled for data security incidents, users receive a special block page. To configure this block page, do one of the following:

Click the Data Security block page link at the top of the Data Security tab in a policy.

Go to the Web > Policy Management > Block & Notification Pages page, expand the General section, and then select Data Security.

Regulations

Most countries and certain industries have laws and regulations that protect customers, patients, or staff from the loss of personal information such as credit card numbers, social security numbers, and health information.

To set up rules for the regulations that pertain to you:

Click No region selected. (To edit regions, click the link, "n regions selected.")

Select the regions in which you operate. Forcepoint Security Labs provides a set of predefined policies to cover regions all over the world and maintains those policies as regulations change.

Select the regulations of interest.


Regulation	Description
Personally Identifiable Information (PII)	Detects Personally Identifiable Information—for example, names, birth dates, driver license numbers, and identification numbers. This option is tailored to specific countries.
Protected Health Information (PHI)	Detects Protected Health Information—for example, terms related to medical conditions and drugs—together with identifiable information.
Payment Card Industry (PCI DSS)	Conforms to the Payment Card Industry (PCI) Data Security Standard, a common industry standard that is accepted internationally by all major credit card issuers. The standard is enforced on companies that accept credit card payments, as well as other companies and organization that process, store, or transmit cardholder data.

Select an action to take when matching data is detected. Select Block to prevent the data from being sent through the web channel. Select Monitor to allow it. (Incidents are created either way.)

The Action column now appears in the Incident Manager by default, showing whether each incident was monitored or blocked.

Select a sensitivity to indicate how narrowly or widely to conduct the search.

Select Wide for the strictest security. Wide has a looser set of detection criteria than Default or Narrow, so false positives may result. Select Narrow for tighter detection criteria. This can result in false negatives or undetected matches. Default is a balance between the two.

Severity is automatically calculated for these regulations.

For more information on the detection rules for these regulations, see Data Security Content Classifiers (DLP Lite only).

Data Theft

Use this section to detect when data is being leaked due to malware or malicious transactions. When you select these options, the cloud service searches for and reports on outbound passwords, encrypted files, network data, and other types of information that could be indicative of a malicious act.

To see if your organization is at risk for data theft:

Select the types of data to look for.


Information Type	Description
Common password information	Searches for outbound passwords in plain text
Encrypted files - known format	Searches for outbound transactions comprising common encrypted file formats
Encrypted files - unknown format	Searches for outbound files that were encrypted using unknown encryption formats
IT asset information	Searches for suspicious outbound transactions, such as those containing information about the network, software license keys, and database files.
Suspected malware communication	Identifies traffic that is thought to be malware "phoning home" or attempting to steal information. Detection is based on the analysis of traffic patterns from known infected machines.
Password files	Searches for outbound password files, such as a SAM database and UNIX / Linux passwords files

Select an action to take when matching data is detected. Select Block to prevent the data from being sent through the web channel. Select Monitor to allow it. (Incidents are created either way.) You can filter by action in the Data Security Incident Manager.

Select a sensitivity to indicate how narrowly or widely to conduct the search.

Select Wide for the strictest security. Wide has a looser set of detection criteria than Default or Narrow, so false positives may result and performance may be affected. Select Narrow for tighter detection criteria. This can result in false negatives or undetected matches. Default is a balance between the two.

Some data theft classifiers cannot be changed from their default setting.

Severity is automatically calculated for these types.

Custom

Use this section if you want to detect intellectual property or sensitive data using custom phrases, dictionaries, or regular expressions containing business-specific terms or data.

Define new classifiers on the Web > Policy Management > Content Classifiers page. See Configure Content Classifiers for Data Security (DLP Lite) for instructions.

On the Data Security tab, select the classifiers that you want to enable for the policy. If none are listed, none have been created yet.

Select a severity for each classifier to indicate how severe a breach would be. Select High for the most severe breaches. Severity is used for reporting purposes. It allows you to easily locate High, Medium, or Low severity breaches when viewing reports.

Where applicable, configure a threshold for each classifier. To do so, click a link in the Threshold column, and then indicate how many times this classifier should be matched to trigger an incident. You can indicate a range if desired, such as between 3 and 10. By default, the threshold is 1.

Also indicate if you want the system to count only unique matches when calculating the threshold or all matches, even duplicates. Example: your classifier has the key phrase "top secret" and a threshold of 5. If the key phrase is found 6 times in a single web post, the system would count that as one match if you select Count only unique matches or 6 matches if you select Count all matches even duplicates. In the first case, the threshold is not triggered. In the second case, it is.

Trusted Content

In Trusted domains, enter the domains you do not want to be monitored, one entry per line. For example:

forcepoint.com

cnn.com

The system does not analyze trusted domains. This means users can send them any type of sensitive information via HTTP, HTTPS, or other web channels from your network.

Duplicate domains are not permitted. Wildcards are supported.

You can add up to 100 trusted domains per policy. Each one can have up to 256 characters.

Click Select Categories to select website categories that do not require DLP analysis—for example, office collaboration sites.