Express setup

In order to set up DLP for simple keyword filtering, use the following steps. In these steps a filtering pattern will be created and assigned to the global settings, so all domains of the gateway will use the pattern.

Open the “DLP Policy Patterns” page by clicking DLP from the main menu.
To create a new DLP pattern, click Create pattern.
The first field is the name of the pattern. Type “My first pattern”, or any pattern name you find appropriate.
Under “Description” type a description of your pattern, or leave empty.
Under “Regular expression” type the following: confidential|secret or any sequence of words, separated by a vertical bar. The vertical bar is important, it separates the keywords. If you omit the bars, the words will be used as a sentence to filter for.
Set “Validator” to empty value.
Set “Threshold” to 1.
Under “Action”, select “Must Encrypt”. This means that if the pattern matches, the message must be encrypted. The other options will be explained later.
Leave “Delay evaluation” disabled.
Under “Match filter”, select nothing.
Now click Add. What you now have is new entry in the list of patterns, named “My first pattern’’. The red cross indicates that you can delete the pattern. As soon as the pattern is in use, you cannot delete it without first removing all users, domains and patterns that use this pattern.
Now, open the “Global settings” page by clicking Settings from the main menu, click DLP and then click DLP patterns. On the “Patterns for global preferences” page, click Add patterns, select the pattern that you just created (“My first pattern”) and click the Add patterns button.

With the “My first pattern” enabled, if an outgoing email contains the keyword “confidential” or “secret”, the email is flagged as “must encrypt”. If the email cannot be encrypted, the email is not sent and the sender will be notified.

Patterns

In order to filter email, you need to specify what you want to filter on. Typically, there are a number of things you filter on. First, most companies don’t want outgoing email messages to contain credit card numbers, collections of email addresses, bank account numbers, collections of addresses, and information in some other well defined format.

A list of existing patterns can be viewed by clicking DLP from the main menu.

Important

The existence of a DLP pattern in the “DLP Policy Patterns” list does not imply that the DLP pattern is actually used. The “DLP Policy Patterns” contains a list of defined patterns. To actually use a pattern, the pattern has to be assigned to the global settings, a domain or a user.

Pattern

A new pattern can be added by clicking Create pattern from the “DLP Policy Patterns” page. A pattern has the following field:

Name: The name of the pattern. The name is required, should be unique and can only contain the following characters [letters, numbers, spaces and the following characters @._-]

Description: The description should explain in brief terms what this pattern actually does, i.e., what it scans for and what the action is.

Regular expression: The regular expression that will be matched against the content of the email. This should be a valid regular expression. As explained later, the text from the email is converted to lowercase before scanning. The regular expression should therefore only contain lower case characters.

Example

The following regular expression will match if the email contains the word confidential:

confidential

Example

The following regular expression will match if the email contains the word confidential or secret:

confidential|secret

Example

The following regular expression will match if the email contains a master card CC in 4-4-4-4, 4 4 4 4 or 16 format:

\b5[1-5]\d{2}\s?-?\s?(?:\d{4}\s?-?\s?){3}\b

Important

For performance reasons, some words will be removed from the email before scanning (see “skip list”). If a pattern should match a complete sentence, make sure that the pattern does not contain words from the “skip list”.

Validator: Some identifiers contain additional structure which cannot be matched with regular expressions. For example most credit card numbers can be validated using the “Luhn algorithm”. A validator makes it less likely that a regular expression match results in a false positive because the matched pattern is validated against the configured “validator”.

Note

Using a validator will make it less likely to get false positives because the validator can do additional checks which cannot be done using a regular expression alone.

The following validators are supported:

BSN
Checks whether the matched part is a valid “Burgerservicenummer” (see https://nl.wikipedia.org/wiki/Burgerservicenummer for more information about BSN).

DEA
Checks whether the matched part is a DEA Registration Number (see https://en.wikipedia.org/wiki/DEA_number for more information about DEA number).

Luhn
Checks whether the matched part validates against the Luhn checksum (see https://en.wikipedia.org/wiki/Luhn_algorithm for more information about the Luhn algorithm).

NPI
Checks whether the matched part validates against a National Provider Identifier (see https://en.wikipedia.org/wiki/National_Provider_Identifier for more information about NPI).

Note

Additional validators can be added to the system. For example validators that match certain company specific values. Please contact us if additional validators are needed.

Threshold: The “Threshold” will determine how many times the pattern should match before the action is executed. For example if a pattern is added which checks whether there are email addresses in the email, and you want the action to only be executed if more than 5 email addresses are detected, set “Threshold” to 5.

Note

Using a pattern that detects email addresses (?:\b|")[\"a-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}@[a-z0-9.-]{1,64}\.[a-z]{2,4}\b with a “Threshold” of 10 and a “block” rule, you can prevent the gateway from sending email in case the sender used the Cc field instead of the Bcc field (prevent email address leakage).

Action

If the pattern was matched (and the threshold was reached), the configured action is executed. The following actions are supported:

Warn: The Warn action will send an email containing a warning. Depending on the DLP settings, the warning email will be sent to the sender of the email and/or to the DLP managers.
Must Encrypt: The Must Encrypt action will flag the email to mandatory encryption. When flagged, If the email cannot be encrypted, the email will not be sent and the sender will be notified.
Quarantine: The Quarantine action will put the email into quarantine. Depending on the DLP settings, the sender of the email and/or to the DLP managers will be notified.
Block: The Quarantine action will drop the email, i.e., the email will not be delivered. The sender of the email will be notified.

Delay evaluation

If “Delay evaluation” is enabled, the action will only be executed if the email could not be encrypted.

For example a company policy might dictate that if an email cannot be encrypted, the email should be put into quarantine so a DLP manager can check whether the email can be sent without encryption. But because DLP checking is done before the email is encrypted, a quarantine DLP rule will be executed before the gateway had the opportunity to encrypt the email. By enabling “Delay evaluation”, the quarantine action will only be executed if the email cannot be encrypted.

Match Filter: If a message is blocked or quarantined, the user will receive a notification containing the part that matched the pattern. If the matched part contains sensitive information, for example a credit card number, the matched part can be filtered out using a “Match filter”. Currently only the “Mask” filter is enabled. The “Mask” filter will replace the characters of the matched part with “*” characters.

Notes: This is a free form field to which additional notes about the DLP pattern can be added.

Groups

A pattern group is a named selection of existing patterns. For example you can create an IBAN group containing all the patterns for matching all country specific IBAN numbers. Using a group, it’s easier to assign multiple patterns to the global settings, a domain or a user.

A new group can be added by clicking Create group from the “DLP Policy Patterns” page.

Name: The name of the group. The name is required, should be unique and can only contain the following characters [letters, numbers, spaces and the following characters @._-]

Patterns can be added to the group by clicking Add patterns. Then select the patterns to add and click Add selected patterns.

Import

Patterns can be imported from XML. To import a pattern, click on Import patterns from the left-hand side menu and select the XML file containing the patterns.

Export

Patterns can be exported to XML. From the “DLP Policy Patterns” page, select the patterns that need to be exported and click Export selected.

Text normalization

To make writing patterns easier and improve scanning time, all extracted text is normalized using the following procedure:

All carriage returns and line feeds are replaced with spaces.
Consecutive spaces are trimmed to one space.
All characters are converted to lowercase.
The text is Unicode normalized (NFC).
Words from the skip list are removed.

Note

Because all text is converted to lowercase, any literal text used in one of the patters should be written in lowercase. For example, if the text to match is this is converted to LOWERCASE, the pattern matching the word lowercase should be written in lowercase capitals.

Skip list

To improve scanning time, certain words are removed from the extracted text before scanning. The list of words that are removed can be edited by clicking Skip list from the left-hand side menu. The default skip list is a list of the top 100 mostly used English words. If no word should ever be skipped, set the skip list to an empty value.

Selecting patterns

Existing DPL patterns are not automatically used. Patterns are only used if they are explicitly assigned to the global settings or to a domain or to a user.

Patterns can be inherited just like any other setting. Domains inherit from the global settings and users inherit from the domain settings. A DLP pattern can be assigned by clicking the settings (global or domain or user) and clicking DLP from the settings page`. Then on the “DLP settings for…” page, click DLP patterns. To assign new patterns, click Add patterns, then select the patterns to add and then click Add patterns.

DLP settings

The DLP settings can be configured for the global, domain or user settings.

The following DLP settings can be configured:

Enable pattern scanning 

If enabled, DLP checking is enabled for email sent to external domains.

Note

Enabling DLP checking only enables the DLP engine. By default no DLP rules are enabled. DLP rules should be added to make DLP scanning check the DLP rules.

Quarantine URL 

The URL for the quarantine service. If a DLP quarantine rule is activated, the email is placed in the DLP quarantine. The recipient, if “Quarantine to originator” is enabled and/or the DLP manager, if “Quarantine to DLP managers” is enabled, will receive a notification email containing a link to a page on which the quarantined email can be managed. The URL contained in the notification email will be set to the “Quarantine URL”.

Note

The default “Quarantine URL” is based on the portal “Base URL”. It is therefore advised to change the “Base URL” of the portal and not change the “Quarantine URL” unless there is a good reason to change it.

DLP managers

A comma separated list of email addresses for the DLP managers. Depending on certain settings, for example “Warning to DLP managers” and “Quarantine to DLP managers”, the DLP managers will receive notifications if DLP rules are violated.

Quarantine on failed encryption 

If enabled and and an email cannot be encrypted, the email will be quarantined.

Quarantine on error 

If the DLP scanning resulted in an error, for example because the email is not valid, the email will be be quarantined.

Warning to originator 

If enabled and a DLP warning rule was activated, a warning notification email will be sent back to the sender.

Warning to DLP managers 

If enabled and a DLP warning rule was activated, a warning notification email will be sent to the DLP managers.

Quarantine to originator 

If enabled and a DLP quarantine rule was activated, a quarantine notification email will be sent back to the sender.

Note

With “Quarantine to originator”, the quarantine becomes “self managed”. The sender of the message can check whether the detected violation is really a violation and not just a false positive. The sender can then select different actions (depending on whether those actions are allowed) like for example “release”, “delete” etc.

Quarantine to DLP managers 

If enabled and a DLP quarantine rule was activated, a quarantine notification email will be sent to the DLP managers.

Block to originator 

If enabled and a DLP block rule was activated, a block notification email will be sent back to the sender.

Block to DLP managers 

If enabled and a DLP block rule was activated, a block notification email will be sent to the DLP managers.

Error to originator 

If enabled and a DLP error occurred, an error notification email will be sent back to the sender.

Error to DLP managers 

If enabled and a DLP error occurred, an error notification email will be sent to the DLP managers.

Release to originator 

If enabled and a quarantined email was released from quarantine, a release from quarantine notification email will be sent back to the sender.

Release to DLP managers 

If enabled and a quarantined email was released from quarantine, a release from quarantine notification email will be sent to the DLP managers.

Delete to originator 

If enabled and a quarantined email was deleted from quarantine, a delete from quarantine notification email will be sent back to the sender.

Delete to DLP managers 

If enabled and a quarantined email was deleted from quarantine, a delete from quarantine notification email will be sent to the DLP managers.

Expire to originator 

If enabled and a quarantined email was expired, an expire notification email will be sent back to the sender.

Expire to DLP managers 

If enabled and a quarantined email was expired, an expire notification email will be sent to the DLP managers.

Allow download 

If enabled, a user is allowed to download the email from the quarantine self-service page.

Allow release 

If enabled, a user is allowed to release the email from the quarantine self-service page. If the email is released from quarantine, the email is handled in a normal way, i.e., it follows the default gateway rules for outgoing email.

Allow release encrypt 

If enabled, a user is allowed to release the email, with encryption set to mandatory, from the quarantine self-service page. The difference between “release” and “release encrypted” is that with “release encrypted” the email flagged for mandatory encryption.

Allow release as-is 

If enabled, a user is allowed to release the email without further processing. from the quarantine self-service page. With “release as-is”, the email will immediately be delivered as-is to the final recipient.

Allow delete 

If enabled, a user is allowed to delete the email from the quarantine self-service page.

Quarantine

If a quarantine DLP action rule is activated, the email is put into quarantine and a notification email will be sent to the sender of the email and/or the DLP managers. Depending on the DLP settings, the notification message can contain a link with which the quarantined email can be managed. For example the quarantined email can be deleted, released etc.

Example of quarantine “self manage” page

Expiration

If an email from quarantine is not deleted or released within 5 days, the message will expire and a notification will be sent.