Cisco Cisco Firepower Management Center 4000
28-19
FireSIGHT System User Guide
Chapter 28 Detecting Specific Threats
Detecting Sensitive Data
Detecting Sensitive Data
License:
Protection
Sensitive data such as Social Security numbers, credit card numbers, driver’s license numbers, and so on
may be leaked onto the Internet, intentionally or accidentally. The system provides a sensitive data
preprocessor that can detect and generate events on sensitive data in ASCII text, which can be
particularly useful in detecting accidental data leaks.
may be leaked onto the Internet, intentionally or accidentally. The system provides a sensitive data
preprocessor that can detect and generate events on sensitive data in ASCII text, which can be
particularly useful in detecting accidental data leaks.
The system does not detect encrypted or obfuscated sensitive data, or sensitive data in a compressed or
encoded format such as a Base64-encoded email attachment. For example, the system would detect the
phone number (555)123-4567, but not an obfuscated version where each number is separated by spaces,
as in (5 5 5) 1 2 3 - 4 5 6 7, or by intervening HTML code, such as <b>(555)</b>-<i>123-4567</i>.
However, the system would detect, for example, the HTML coded number <b>(555)-123-4567</b>
where no intervening codes interrupt the numbering pattern.
encoded format such as a Base64-encoded email attachment. For example, the system would detect the
phone number (555)123-4567, but not an obfuscated version where each number is separated by spaces,
as in (5 5 5) 1 2 3 - 4 5 6 7, or by intervening HTML code, such as <b>(555)</b>-<i>123-4567</i>.
However, the system would detect, for example, the HTML coded number <b>(555)-123-4567</b>
where no intervening codes interrupt the numbering pattern.
Tip
The sensitive data preprocessor can detect sensitive data in unencrypted Microsoft Word files that are
uploaded and downloaded using FTP or HTTP; this is possible because of the way Word files group
ASCII text and formatting commands separately.
uploaded and downloaded using FTP or HTTP; this is possible because of the way Word files group
ASCII text and formatting commands separately.
The system detects sensitive data per TCP session by matching individual data types against traffic. You
can modify the default settings for each data type and for global options that apply to all data types in
your intrusion policy. Cisco provides predefined, commonly used data types. You can also create custom
data types.
can modify the default settings for each data type and for global options that apply to all data types in
your intrusion policy. Cisco provides predefined, commonly used data types. You can also create custom
data types.
A sensitive data preprocessor rule is associated with each data type. You enable sensitive data detection
and event generation for each data type by enabling the corresponding preprocessor rule for the data
type. A link on the configuration page takes you to a filtered view of sensitive data rules on the Rules
page, where you can enable and disable rules and configure other rule attributes. When you save changes
to your intrusion policy, you are given the option to automatically enable the sensitive data preprocessor
if the rule associated with a data type is enabled and sensitive data detection is disabled. See
and event generation for each data type by enabling the corresponding preprocessor rule for the data
type. A link on the configuration page takes you to a filtered view of sensitive data rules on the Rules
page, where you can enable and disable rules and configure other rule attributes. When you save changes
to your intrusion policy, you are given the option to automatically enable the sensitive data preprocessor
if the rule associated with a data type is enabled and sensitive data detection is disabled. See
for more information.
Because the system uses TCP stream preprocessing to establish monitored sessions, TCP stream
preprocessing must be enabled to use sensitive data detection in your policy. When you save changes to
your policy, you are given the option to automatically enable TCP stream preprocessing if sensitive data
detection is enabled and TCP stream preprocessing is disabled. See
preprocessing must be enabled to use sensitive data detection in your policy. When you save changes to
your policy, you are given the option to automatically enable TCP stream preprocessing if sensitive data
detection is enabled and TCP stream preprocessing is disabled. See
for more information.
See the following sections for more information:
•
•
•
•
•
•
•
•