About Enterprise DLP
Enterprise Data Loss Prevention (E-DLP) is a set of tools and processes to protect sensitive information from exfiltration.
Enterprise Data Loss Prevention (E-DLP) is a set of tools and processes that allow you to protect sensitive information against unauthorized access, misuse, extraction, or sharing.
Enterprise DLP is a cloud-based service that uses supervised machine learning algorithms to sort sensitive documents into Financial, Legal, Healthcare, and other categories for document classification to guard against exposures, data loss, and data exfiltration. These patterns can identify the sensitive information in traffic flowing through your network and protect it from exposure.
Enterprise DLP allows you to protect sensitive data in the following ways:
- Prevent file uploads and non-file based traffic from leaking to unsanctioned web applications—Discover and conditionally stop sensitive data from being leaked to untrusted web applications.
- Monitor uploads to sanctioned web applications—Discover and monitor sensitive data when it’s uploaded to sanctioned corporate applications.
To help you inspect content and analyze the data in the correct context so that you can accurately identify sensitive data and secure it to prevent incidents, Enterprise DLP is enabled through a cloud service.
Enterprise DLP supports over 1,000 predefined data patterns and 20 predefined data profiles.
Enterprise DLP is designed to automatically make new patterns and profiles available to you for use in Security policy rules as soon as they’re added to the cloud service.
Use the following tools to configure
- Data Patterns—Help you detect sensitive content and how that content is being shared or accessed on your network. Predefined data patterns and built-in settings make it easy for you to protect data that contain certain properties (such as document title or author), credit card numbers, regulated information from different countries (such as driver’s license numbers), and third-party DLP labels. To improve detection rates for sensitive data in your organization, you can supplement predefined data patterns by creating custom data patterns that are specific to your content inspection and data protection requirements. In a custom data pattern, you can also define regular expressions and data properties to look for metadata or attributes in the file’s custom or extended properties and use it in a data profile.
- Data Profiles—Power the data classification and monitoring capabilities available on your managed firewalls to prevent data loss and mitigate business risk. Data profiles are a collection of data patterns that are grouped together to scan for a specific object or type of content. To perform content analysis, the predefined data filtering profiles have data patterns that include industry-standard data identifiers, keywords, and built-in logic in the form of machine learning, regular expressions, and checksums for legal and financial data patterns. When you use the data profile in a Security policy rule, the firewall can inspect the traffic for a match and take action. After you use the data patterns (either predefined or custom), you manage the data profiles from the Panorama™ management server or Strata Cloud Manager. You can use a predefined data profile, or create a new profile, and add data patterns to it. You then create security policies and apply the profiles you added to the policy rules you create. For example, if a user uploads a file and data in the file matches the criteria in the policy rules, the managed firewall either creates an alert notification or blocks the file upload.
When traffic matches a data profile that a security rule is using, a data filtering log is generated. The log entry contains detailed information about the traffic that matches one or more data patterns in the data profile. The log details enable forensics by allowing you to verify when matched data generated an alert notification or was blocked.
You view the snippets in the data filtering logs. By default, data masking partially masks the snippets to prevent the sensitive data from being exposed. You can completely mask the sensitive information, unmask snippets, or disable snippet extraction and viewing.
To improve detection accuracy and reduce false positives, you can also specify:
- Proximity keywords—An asset is assigned a higher accuracy probability when a keyword is within a 200-character distance of the expression. If a document has a 16-digit number immediately followed by Visa, that's more likely to be a credit card number. But if Visa is the title of the text and the 16-digit number is on the last page of the 22-page document, that's less likely to be a credit card number. Proximity keywords aren’t case-sensitive. Multiple proximity keywords for a single data pattern are supported.
- Confidence levels—The confidence level reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines confidence level by inspecting the distance of regular expressions to proximity keywords.
  Additionally, custom data patterns that don't include any proximity keywords to identify a match always have both Low and High confidence level detections.
  - Low—The proximity keyword included in the custom or predefined regex data pattern isn’t found within 200 characters of the regular expression match, or a proximity keyword is included but isn’t present in the inspected traffic. When the match criteria specify a Low confidence level, Enterprise DLP still inspects for up to 3 matches with a High confidence level.
  - High—The proximity keyword included in the custom or predefined regex data pattern is within 200 characters of the regular expression match. When the match criteria specify a High confidence level, Enterprise DLP still inspects for up to 3 matches with a Low confidence level.
- Basic and weighted regular expressions—A regular expression (regex for short) describes how to search for a specific text pattern and then display the match occurrences when a pattern match is found. There are two types of regular expressions—basic and weighted.
  - A basic regular expression searches for a specific text pattern. When a pattern match is found, the service displays the match occurrences.
  - A weighted regular expression assigns a score to a text entry. When the score threshold is exceeded, the service returns a match for the pattern. To reduce false positives and maximize the search performance of your regular expressions, you can assign scores using the weighted regular expression builder when you create data patterns to find and calculate scores for the information that is important to you. Scoring applies a match threshold, and when a score threshold is exceeded, such as when enough expressions from a pattern match an asset, the asset is indicated as a match for the pattern. For more information, including a use case and best practices, see Configure Regular Expressions.
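
The proximity keyword and confidence level rules above, sketched in Python as an added illustration; this is not code from the product or its documentation. The function name, the sample pattern and text, and the way distance is measured (gap between the nearest edges of the regex match and the keyword) are assumptions.

```python
import re

WINDOW = 200  # characters, from the proximity rule described above


def classify(text, pattern, keywords):
    """Return (matched_text, confidence_levels) for each regex match in text.

    Assumption: distance is the gap between the nearest edge of the regex
    match and the nearest edge of a keyword occurrence.
    """
    kw_spans = [
        m.span()
        for kw in keywords
        # Proximity keywords aren't case-sensitive.
        for m in re.finditer(re.escape(kw), text, re.IGNORECASE)
    ]
    results = []
    for m in re.finditer(pattern, text):
        if not keywords:
            # A pattern with no proximity keywords yields both levels.
            levels = {"Low", "High"}
        else:
            near = any(
                max(ks - m.end(), m.start() - ke, 0) <= WINDOW
                for ks, ke in kw_spans
            )
            # Keyword defined but absent or too far away falls back to Low.
            levels = {"High"} if near else {"Low"}
        results.append((m.group(), levels))
    return results


# Constructed sample: one 16-digit number right after "visa", another one
# more than 500 characters away from any keyword.
CARD = r"\b(?:\d{4}[ -]?){3}\d{4}\b"
SAMPLE = (
    "Payment by visa 4111 1111 1111 1111 was approved. "
    + "Lorem ipsum filler text. " * 20
    + "Tracking reference 1234567812345678 shipped."
)

if __name__ == "__main__":
    for value, levels in classify(SAMPLE, CARD, ["Visa", "credit card"]):
        print(value, sorted(levels))
```
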
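
The difference between a basic and a weighted regular expression, as an added Python illustration that is not the service's own scoring code. The expressions, weights, threshold and sample documents are constructed, and two assumptions are made: every occurrence adds its expression's weight, and "exceeded" means strictly greater than the threshold.

```python
import re


def basic_match(text, expression):
    """Basic regex: any occurrence of the pattern is reported as a match."""
    return re.findall(expression, text, re.IGNORECASE)


def weighted_match(text, weighted_expressions, threshold):
    """Weighted regex: sum weight * occurrences and compare to a threshold.

    Assumptions: each occurrence adds the expression's weight, and the
    pattern matches only when the total is strictly above the threshold.
    """
    hits = {}
    for expression, weight in weighted_expressions:
        count = len(re.findall(expression, text, re.IGNORECASE))
        if count:
            hits[expression] = count * weight
    score = sum(hits.values())
    return score > threshold, score, hits


# Constructed pattern: four expressions with hypothetical weights.
EXPRESSIONS = [
    (r"\bconfidential\b", 5),
    (r"\bterm sheet\b", 4),
    (r"\bmerger\b", 3),
    (r"\bacquisition\b", 3),
]
THRESHOLD = 10

# Constructed documents: DOC_A combines several indicators, DOC_B has one.
DOC_A = "CONFIDENTIAL: draft term sheet for the merger and acquisition talks."
DOC_B = "The word merger appears once in this public newsletter."

if __name__ == "__main__":
    # A basic expression fires on both documents.
    print(basic_match(DOC_A, r"\bmerger\b"), basic_match(DOC_B, r"\bmerger\b"))
    # The weighted pattern only reports DOC_A (score 15 against threshold 10).
    print(weighted_match(DOC_A, EXPRESSIONS, THRESHOLD))
    print(weighted_match(DOC_B, EXPRESSIONS, THRESHOLD))
```
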