Endpoint data loss prevention comprises a set of cybersecurity strategies that aid in preventing the theft or disclosure of sensitive data contained within endpoint computers.
Within the endpoints, there will be large volumes of unfiltered information. Data classification is the process of containerizing corporate data in order to determine which information is sensitive and to gain a better understanding of what types of security measures need to be implemented.
Data rules are sets of criteria configured by the admin to find specific types of sensitive data. The data rules can be created using pre-defined templates or customizable templates that use mechanisms such as RegEx, fingerprinting, and keyword search. During the data discovery process, the agent will comb through the endpoint and find any sensitive data that matches the data rule deployed for that policy.
For common types of sensitive documents such as PII, Health, Finance, Source Code, etc., you can browse and select a template according to country.
To find sensitive documents specific to your organization or circumstance, you can use custom templates to determine the criteria that a document would have to match to be considered sensitive. Endpoint DLP supports custom rules using RegEx, keyword matching, document matching, fingerprinting, and file extensions.
When sensitive data can be detected by the presence of a specific pattern/string in a file, RegEx patterns are utilized. These patterns can be predicted and then searched for in order to identify a match.
Keyword search is used to search for specific keywords in a document that could make it sensitive and thus inappropriate for transfer outside the organization.
Fingerprinting is a preferred technique over RegEx in cases where sensitive data cannot be identified by an exact match but may be detected by identifying similar templates and analyzing their match percentage.
Boundary definition refers to restrictions that the admin can configure which dictate the boundaries within which a particular type of sensitive data can be processed. The boundaries include email, miscellaneous cloud web applications, peripheral devices, etc.
In a DLP solution, a false positive occurs when the solution indicates that a DLP policy has been violated even when it hasn't. A false positive can happen as a result of a data detection error or because the file's destination is not approved for sensitive file transfer.
End users may be required to send sensitive files outside the enterprise perimeter for official purposes. In such cases, they may be allowed to override the policy by citing a suitable justification and proceed to transfer the files.
Override refers to the ability to carry through a DLP action despite the occurrence of a false positive. Override permission should be granted to privileged users and users who frequently contact parties outside the organization.
Occurrence count in a RegEx rule refers to the minimum number of times a pattern has to occur for it to be considered sensitive. For example, if a pattern's occurrence count is 2, the file can be considered sensitive if the pattern appears two or more times.
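The occurrence-count threshold described above, as an added Python sketch (not Endpoint DLP Plus code or configuration). The `DataRule` class, the card-number pattern and the Luhn checksum validator are assumptions made for illustration, and the validator goes beyond what the page describes to show one way a data-detection false positive arises; the sample documents are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

def luhn_ok(candidate: str) -> bool:
    """Payment-card checksum; rejects arbitrary digit runs such as order IDs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

@dataclass
class DataRule:  # hypothetical structure, not the product's rule schema
    name: str
    pattern: str
    occurrence_count: int = 1   # minimum hits before a file is sensitive
    validator: Optional[Callable[[str], bool]] = None  # assumed extra check

    def hits(self, text: str) -> list:
        found = [m.group(0) for m in re.finditer(self.pattern, text)]
        if self.validator:
            found = [f for f in found if self.validator(f)]
        return found

    def is_sensitive(self, text: str) -> bool:
        return len(self.hits(text)) >= self.occurrence_count

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RULE = DataRule("card-number", r"\b\d(?:[ -]?\d){12,18}\b", 2, luhn_ok)

# Constructed sample documents (public test card numbers, not real data).
DOC_ONE_CARD = "Refund issued to 4111 1111 1111 1111 on request."
DOC_TWO_CARDS = "Cards on file: 4111-1111-1111-1111, 5555555555554444"
DOC_ORDER_IDS = "Orders 1234567890123456 and 9876543210987654 shipped."

def classify(text: str, rule: DataRule = CARD_RULE) -> str:
    n = len(rule.hits(text))
    return f"{rule.name}: {n} hit(s), sensitive={n >= rule.occurrence_count}"

if __name__ == "__main__":
    for doc in (DOC_ONE_CARD, DOC_TWO_CARDS, DOC_ORDER_IDS):
        print(classify(doc))
```

With an occurrence count of 2, the single-card document is not classified as sensitive while the two-card document is. The same pattern without the validator would flag the order-ID document.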
While keyword matching focuses on identifying specific keywords that are considered sensitive in the document, document matching compares the overall similarity of the provided document to the format that is considered sensitive.
The percentage of accuracy at which the submitted document can be considered comparable to the sensitive template is referred to as the match percentage in fingerprinting. Increasing the match percentage required to classify a document as sensitive can help improve detection accuracy and reduce false positives.
Endpoint DLP Plus focuses on preventing data loss from the source by identifying sensitive information and monitoring its transfer via cloud, email, and other sources, whereas Device Control focuses on regulating access to data present on endpoints, particularly via peripheral devices and other physical channels.
In "Audit mode", the sensitive files will be allowed to be transferred within and outside the corporate boundary. However, they will be audited and can be viewed in the "DLP Sensitive Events Report". The report will give you insights on how to add/remove entries to your DLP Policy without affecting productivity.