What is Enterprise DLP?

Provides more information about the tools you use with DLP on Prisma Access.
DLP on Prisma Access allows you to protect sensitive file data in the following ways:
  • Prevent file uploads from leaking to unsanctioned web applications
    —Discover and conditionally stop sensitive data from being leaked to untrusted web applications.
  • Monitor uploads to sanctioned web applications
    —Discover and monitor sensitive data when it is uploaded to sanctioned corporate apps.
To help you inspect content and analyze the data in the correct context so that you can accurately identify what is sensitive data and secure it to prevent incidents, Enterprise DLP is enabled through a cloud service. Enterprise DLP offers over 250 data patterns and many predefined data filtering profiles, and it is designed to automatically make new patterns and profiles available to you for use in Data Filtering policies, as soon as they are added to the cloud service. Use the following tools to configure DLP on Prisma Access:
  • Data Patterns—Help you detect sensitive content and how that content is being shared or accessed on your network.
    Predefined data patterns and built-in settings make it easy for you to protect files that contain certain file properties (such as a document title or author), credit card numbers, regulated information from different countries (such as driver’s license numbers), and third-party DLP labels. To improve detection rates for the sensitive data in your organization supplement the predefined data patterns, you can define custom data patterns that are specific to your content inspection and data protection requirements. In a custom data pattern, you can also define regular expressions and file properties to look for metadata or attributes in the file's custom or extended properties and use it in a data filtering profile.
  • Data Filtering Profiles—Power the data classification and monitoring capabilities available on Prisma Access to prevent data loss and mitigate business risk.
    Data filtering profiles are a collection of data patterns that are grouped together to scan for a specific object or type of content. To perform content analysis, the predefined data profiles have data patterns that include industry-standard data identifiers, keywords, and built-in logic in the form of machine learning, regular expressions, and checksums for legal and financial data patterns. When you use the data filtering profile in a Data Filtering policy rule, the firewall can inspect the content for a match and take action.
    After you utilize the data patterns (either predefined or custom), you manage data filtering profiles in Panorama. You can use a predefined data filtering profile, or create a new profile and add data patterns to it. You then create security policies and apply the profiles you added to the policies you create. If a user uploads a file, and data in that file matches the criteria in the policies, Prisma Access either creates an alert notification or blocks the file upload.
When you apply the profile to a policy, and a data pattern was matched that caused an alert or block notification for a file, Prisma Access extracts a snippet of the sensitive data that caused the alert or block notification. A snippets enables forensics by allowing you to verify why an uploaded file generated an alert notification or was blocked. You view the snippets in the Data Filtering logs. By default, Prisma Access uses data masking to partially mask the snippets to prevent the sensitive data from being exposed. You can configure Prisma Access to completely mask the sensitive information, unmask the snippets, or disable snippet extraction and viewing.
The data patterns and data filtering profiles are designed to work across Prisma SaaS and Prisma Access to provide consistent data security at all locations—either in the cloud or across various enforcement points in the SaaS applications, remote networks, and mobile users. When you create a new data pattern or data filtering profile on Prisma Access, it becomes available for enforcement on Prisma SaaS so that you can identify and protect data uniformly across connected applications.
To improve detection accuracy and reduce false positives, you can also specify:
  • Proximity keywords
    —An asset is assigned a higher accuracy probability when a keyword is within a 200-character distance of the expression. If a document has a 16-digit number immediately followed by
    Visa
    , that's more likely to be a credit card number. But if Visa is the title of the text and the 16-digit number is on the last page of the 22-page document, that's less likely to be a credit card number.
    You can also use more than one keyword in a keyword group and include or exclude keywords to find when occurrences of specific words appear or do not appear within 200 characters of the expression.
  • Confidence levels
    —Along with proximity keywords, confidence levels allow you to specify the probability of the occurrence of proximity keywords in a pattern match. With a
    Low
    confidence Prisma Access does not use proximity keywords to identify a match; with a
    High
    confidence Prisma Access looks for the proximity keywords within 200 characters of the regular expressions in the pattern before it considers the data pattern in a file to be a match.
  • Basic and weighted regular expressions
    —A regular expression (regex for short) describes how to search for a specific text pattern and then display the match occurrences when a pattern match is found. There are two types of regular expressions—
    basic
    and
    weighted
    .
    • A
      basic regular expression
      searches for a specific text pattern. When a pattern match is found, the service displays the match occurrences.
    • A
      weighted regular expression
      assigns a score to a text entry. When the score threshold is exceeded, the service returns a match for the pattern.
      To reduce false-positives and maximize the search performance of your regular expressions, you can assign scores using the weighted regular expression builder when you create data patterns to find and calculate scores for the information that is important to you. Scoring applies a match threshold, and when a score threshold is exceeded, such as enough expressions from a pattern match an asset, the asset will be indicated as a match for the pattern.
      For more information, including a use case and best practices, see Configure Regular Expressions in the Prisma SaaS Administrator’s Guide.

List of Predefined Data Filtering Profiles

The following table describes the predefined data filtering profiles provided with DLP on Prisma Access:
Predefined Data Filtering Profile
Scans For
Bulk CCN
Credit card numbers or Voyager Credit card numbers (more than 100).
CCPA
California Consumer Privacy Act compliance.
Corporate financial docs
Financial accounting and generic financial information.
Financial Information
Bank statements, bank routing numbers, credit card numbers (strict checking), bankruptcy filings.
GDPR
Driver's License numbers, Tax IDs, National IDs, Passport numbers.
Gramm-Leach-Bliley Act (GLBA)
Credit card numbers, Voyager credit card numbers, Magnetic stripe information, Tax Id-US (TIN), National ID-US, Social Security Number (SSN).
Healthcare
Clinical Laboratory Improvement Amendments (CLIA) numbers, Drug Enforcement Administration (DEA) numbers, and other healthcare documents.
Intellectual Property
Source code, AWS secret keys, access keys, company confidential.
There are two types of intellectual property. The
Intellectual Property - Basic
data filtering profile contains a subset of the data patterns that are included in the
Intellectual Property
data filtering profile.
Legal
Legal documents including lawsuits, M&A, standard business agreements, patents, bankruptcy filings.
Malware
All Microsoft Office documents, PDF, and portable executable files, and known threats against WildFire. The verdict is based on a hash, which is a unique fingerprint of a file.
Personally-Identifiable Information (PII)
Tax IDs, National IDs, Passport numbers, and Driver’s License numbers.
Profanity
Censored, personal, includes/excludes, homophobic, sexual.
Self Harm
Suicidal intentions.
Sensitive content
National ID, Bank information, AWS Secret keys or access keys, company confidential, CCN.
U.K. PIOCP
Tax IDs or National IDs.

Recommended For You