How to apply Data Filtering effectively


L2 Linker

It seems obvious to me that you can't simply apply the built in CC and SS filters in a Security Profile with an "any any". In my testing it really fouls up general web surfing.

Why is there no detailed documentation (at least any I can find in KnowledgePoint or elsewhere) about how to craft an effective data filtering profile? Should it be applied to applications like hotmail or ftp, or file types like .doc or .xls? Should it be on upload only, since we are trying to prevent outbound data leakage? When I tried crafting regular expressions and saving them I was knocked out of the GUI and had to literally reboot Panorama - instead of it just rejecting them with an error message.

I need better guidance on this important feature.

9 Replies

L4 Transporter

It seems obvious to me that you can't simply apply the built in CC and SS filters in a Security Profile with an "any any". In my testing it really fouls up general web surfing.

Correct, applying any filter to an "Any, Any....." rule is a bad idea!

Why is there no detailed documentation (at least any I can find in KnowledgePoint or elsewhere) about how to craft an effective data filtering profile. Should it be applied to applications like hotmail or ftp or file types like .doc or .xls? Should it be on upload only since we are trying to prevent outbound data leakage?

The greater majority of content on the KB is a result of a question or request; we are in most cases responding to threads. Though we have tried to be proactive, clearly we haven't covered every possible need. That said, we are forever working to improve our offering.

When I tried crafting regular expressions and saving them I was knocked out of the GUI and had literally reboot Panorama  - instead of just rejecting them with an error message.

There is nothing that should cause this. If you are able to reproduce it, please contact support immediately and provide details so that it can be fixed in a future version.

I need better guidance on this important feature.

Please see the attached document

Hi, the attached guidance is quite short and incomplete; I would prefer better documentation.

For example, Checkpoint has a quite long list of best practices, examples and data patterns implemented in the default configuration, and it would be interesting to see Palo Alto's thoughts and tips.

I have been testing data filtering functionality and meeting with mixed results. Using some of the (limited) documentation I've found here I have been able to get SSN and a custom credit card pattern to work, but blocking by file type is failing.

I've attached a file with the filter/policy w/ my results. Can anyone tell if I'm doing something wrong? I really need this to work. Thanks in advance!!!

Message was edited by: cwillms@tcfbank.com

Crickets

Hi,

I'm doing the same tests using IBAN codes and your results are similar to mine. I've also had a case open for 2 months, but no real solution was found for DLP.

In my opinion DLP lacks some capabilities:

  • The 7-bytes error doesn't permit having short & composite patterns. Without the keyword it's impossible to verify the real information (e.g. the pure IBAN number in its various variants)
  • There is a limit on pattern length, and beyond that the commit phase can't be completed (no response from the engine)

I've tried also with the new 4.0.3 but nothing changed.

I hope for future improvement. Other vendors' DLP is better.

Just found this thread as I was considering turning on data filtering for SSNs and CCs and maybe a specific record number we use at my company.

Have you guys gotten any further? Still stuck?

To be honest, this feature is a bust in my opinion. We were primarily interested in applying it to web-based e-mail, both in the body and for attachments. Using documentation from this forum I created a custom regex pattern for Credit Cards - such as - .*((Credit Card)|(VISA card)|(Visa card)|(Debit Card)).*([0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9].[0-9][0-9][0-9][0-9]) then applied it to my rule that allowed web-based e-mail, and it sort-of, kind-of worked. It worked for attachments for some applications but not others - I never got it to work for FTP at all.

Be warned: we have since completely removed the Custom Pattern above when it blew up our upgrade from 3.x to 4.x. The escalation engineer said it was crap and that we should not use a Custom Filter like that (remember, I found it in this forum.)

We never expected it to be DLP, but we were really counting on it for policing web-based e-mail - so we've had to block web-based e-mail for 99% of our employees.

Craig W

Searching around can get you the inside scoop on how these numbers are constructed which will help cut down on false positives. A couple of sample credit card regexes:

Regular Expression Library

Finding or Verifying Credit Card Numbers
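As an added example (not from this thread, Palo Alto or the linked regex library), the structural checks the post above alludes to: the Luhn checksum that every real card number satisfies, and the ISO 13616 mod-97 check for IBANs that the earlier IBAN post found hard to express in a pattern alone. The regexes and sample text are constructed for the example; the IBAN regex is a deliberately loose shape and does not enforce per-country lengths.

```python
import re

# Constructed sample text (not from the thread): a Luhn-valid test card
# number, a one-digit look-alike, and the widely used example IBAN.
SAMPLE_TEXT = """Credit Card 4111 1111 1111 1111 for the booking.
Order ref 4111-1111-1111-1112 is not a card.
IBAN GB82 WEST 1234 5698 7654 32 for the wire."""

# Tighter than the thread's ".*(Credit Card|...).*(dddd.dddd.dddd.dddd)":
# exactly four groups of four digits, one optional space or hyphen between
# groups, anchored on word boundaries so longer digit runs are not split.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

# IBAN shape only: country code, two check digits, then 4-char groups and an
# optional short tail (hypothetical regex; country-specific lengths not enforced).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four chars to the end, map letters to
    10..35, and the resulting integer must be congruent to 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def find_candidates(text: str) -> dict:
    """The regex finds the shape; the checksum rejects look-alikes before alerting."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    ibans = [m.group() for m in IBAN_RE.finditer(text) if iban_ok(m.group())]
    return {"cards": cards, "ibans": ibans}


if __name__ == "__main__":
    print(find_candidates(SAMPLE_TEXT))
```

The second line of the sample text matches the card regex but fails Luhn, so it is not reported; that is the false-positive reduction a pattern-only filter cannot give.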

If you're looking for DLP, get Vontu....... DLP "lite" is what you have here, similar to Checkpoint...... if you like being flooded with false positives, by all means.....

I do have a question though on file content.... I am writing some ArcSight use cases and tracking which file names are transferred over which application protocol by user. I do not seem to be able to find a document which outlines the signature matches for the various documents (such as File microsoft MSOFFICE(52033) or File Microsoft Office 2007 xls document 52024) etc. etc.....

I built some nice use cases with FireEye to pick up on the .jar files coming in, but since this client doesn't have a DLP solution (yet) I do want to give an idea of what type of file names are leaving the perimeter, to give them a little "boost" in acquiring DLP capability.

Thanks
