Cisco Email Security Appliance C160 User Manual

Chapter 11      Data Loss Prevention
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Understanding How RSA Email DLP Works
The RSA Email DLP feature uses a three-level policy structure to define your 
organization’s data loss prevention rules and the actions that the Cisco IronPort 
appliance takes when a message violates those rules:
Detection Rules. At the lowest level, DLP content scanning consists of 
detection rules used to scan for particular patterns in a block of text. These 
detection rules include regular expressions, words and phrases, dictionaries, 
and entities, which are similar to smart identifiers.
Content Matching Classifier. The next level is the content matching 
classifier, which scans an outgoing message and its attachments and headers 
for sensitive information, such as credit card data or other personal 
information. A classifier contains a number of detection rules along with 
context rules that impose additional requirements. As an example, consider 
the Credit Card Number classifier developed by RSA. This classifier requires 
not only that the message contains a text string that matches a credit card 
number pattern, but also that it contains supporting information such as an 
expiration date, a credit card company name (Visa, AMEX, etc.), or the name 
and address of a person. Requiring this additional information results in more 
accurate verdicts of a message’s content, leading to fewer false positives. A 
DLP violation occurs when a classifier detects sensitive information in a 
message.
DLP Policy. At the highest level is a DLP policy, which consists of a set of 
conditions and a set of actions. The conditions include classifiers for a 
message’s content, as well as tests for message data like the sender, recipient, 
or attachment file type. The actions specify both the overall action to take on 
messages (deliver, drop, or quarantine) and secondary actions such as 
encrypting the message, altering its header, and sending notifications to 
someone in your organization.
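The three levels described above can be sketched in a few lines of Python. This is an added illustration, not RSA's or Cisco's classifier code: the regular expressions, the Luhn checksum, the policy dictionary layout, and all function names and addresses are assumptions made for the example, and the name-and-address context rule is left out.

```python
import re

# Level 1 - detection rules: patterns scanned for in a block of text.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # card-like digit run
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}(?:\d{2})?\b")  # MM/YY(YY)
ISSUER_RE = re.compile(r"\b(?:visa|amex|american express|mastercard)\b", re.I)

def luhn_ok(digits):
    """Checksum test (an assumption here) that discards random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Level 2 - classifier: a detection rule plus a context rule.
def credit_card_classifier(text):
    numbers = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    has_number = any(luhn_ok(n) for n in numbers)
    has_context = bool(EXPIRY_RE.search(text) or ISSUER_RE.search(text))
    return has_number and has_context

# Level 3 - policy: conditions (classifier + message-data tests) and actions.
POLICY = {
    "classifier": credit_card_classifier,
    "exempt_senders": {"billing@example.com"},  # constructed value
    "action": "quarantine",                     # deliver, drop, or quarantine
    "secondary": ["notify:dlp-admin@example.com"],
}

def apply_policy(message, policy=POLICY):
    """Return (overall action, secondary actions) for one outgoing message."""
    if message["sender"] in policy["exempt_senders"]:
        return "deliver", []
    # Scan subject, body and attachment text (assumed already extracted).
    text = "\n".join([message["subject"], message["body"], *message["attachments"]])
    if policy["classifier"](text):
        return policy["action"], policy["secondary"]
    return "deliver", []

# Constructed sample messages.
HIT = {"sender": "a@example.com", "subject": "card", "attachments": [],
       "body": "Visa 4111 1111 1111 1111 exp 09/27"}
NO_CONTEXT = dict(HIT, body="Order ref 4111111111111111 shipped")
BAD_SUM = dict(HIT, body="Visa 4111 1111 1111 1112 exp 09/27")
```

Only HIT is quarantined: NO_CONTEXT carries a valid number with no supporting information, and BAD_SUM has context but a digit run that fails the checksum, which is how the context requirement cuts false positives.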
You define your organization’s DLP policies in the DLP Policy Manager and then 
enable the policies in your outgoing mail policies. The appliance scans outgoing 
messages for DLP policy violations after the Outbreak Filters stage of the “work