Cisco Email Security Appliance C160 User Manual

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 11      Data Loss Prevention
Note
For policies that do not have a classifier, the scanning engine always returns a risk factor value of “75”
when a message violates the policy. You may want to adjust the severity scale for such policies,
depending on the type of DLP violations that may occur. See  for more information.
Classifier Detection Rules
Classifiers require rules for detecting DLP violations in a message or document. Classifiers can use one 
or more of the following detection rules:
  • Words or Phrases. A list of words and phrases for which the classifier should look. Separate
    multiple entries with a comma or line break.
  • Regular Expression. A regular expression to define a search pattern for a message or attachment.
    You can also define a pattern to exclude from matching to prevent false positives. See
     for more information.
  • Dictionary. A dictionary of related words and phrases. RSA Email DLP comes with dictionaries
    created by RSA, but you can create your own. See th
     for more information.
  • Entity. Similar to smart identifiers in previous versions of AsyncOS, an entity identifies patterns in
    data, such as ABA routing numbers, credit card numbers, addresses, and social security numbers.
Classifiers assign a numeric value to the detection rule matches found in a message and calculate a score 
for the message. The risk factor used to determine the severity of a message’s DLP violation is a 0 - 100 
version of the classifier’s final score. Classifiers use the following values to detect patterns and calculate 
the risk factor:
  • Proximity. How close the rule matches must occur in the message or attachment to count as valid.
    For example, if a numeric pattern similar to a social security number appears near the top of a long
    message and an address appears in the sender’s signature at the bottom, they are probably not related
    and the classifier does not count them as a match.
  • Minimum Total Score. The minimum score required for the classifier to return a result. If the score
    of a message’s matches does not meet the minimum total score, its data is not considered sensitive.
  • Weight. For each rule, you specify a “weight” to indicate the importance of the rule. The classifier
    scores the message by multiplying the number of detection rule matches by the weight of the rule.
    Two instances of a rule with a weight of 10 result in a score of 20. If one rule is more important for
    the classifier than the others, it should be assigned a greater weight.
  • Maximum Score. A rule’s maximum score prevents a large number of matches for a low-weight
    rule from skewing the final score of the scan.
To calculate the risk factor, the classifier multiplies the number of matches for a detection rule by the 
weight of the rule. If this value exceeds the detection rule’s maximum score, the classifier uses the 
maximum score value. If the classifier has more than one detection rule, it adds the scores for all of its 
detection rules into a single value. The classifier maps the detection rules score (10 - 10000) on a scale
of 10 - 100 using the logarithmic scale shown in  to create the risk factor.
Table 11-1    Logarithmic Scale for Calculating the Risk Factor

Rule Scores    Risk Factor
10             10
20             20
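
The scoring steps described above, as an added Python example that is not from the Cisco guide or the RSA engine: each rule's matches are multiplied by its weight, capped at the rule's maximum score, summed, and compared with the minimum total score. The rule names, patterns, weights and sample messages are constructed for illustration; proximity and the mapping to a 0 - 100 risk factor are left out.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    """One detection rule of a hypothetical classifier (names are assumptions)."""
    name: str
    pattern: str       # regular expression that defines a match
    weight: int        # importance of a single match
    max_score: int     # cap so many low-value matches cannot skew the total
    exclude: str = ""  # optional pattern excluded to prevent false positives

    def count(self, text):
        hits = [m.group(0) for m in re.finditer(self.pattern, text, re.I)]
        if self.exclude:
            hits = [h for h in hits if not re.fullmatch(self.exclude, h, re.I)]
        return len(hits)

    def score(self, text):
        # matches x weight, limited to the rule's maximum score
        return min(self.count(text) * self.weight, self.max_score)

def classify(rules, min_total_score, text):
    """Return (per-rule scores, total score, whether the data counts as sensitive)."""
    per_rule = {r.name: r.score(text) for r in rules}
    total = sum(per_rule.values())
    return per_rule, total, total >= min_total_score

# Constructed rules: a high-weight numeric pattern and a low-weight keyword list.
RULES = [
    Rule("ssn_pattern", r"\b\d{3}-\d{2}-\d{4}\b", weight=10, max_score=50,
         exclude=r"000-00-0000"),
    Rule("keywords", r"\b(?:confidential|ssn)\b", weight=1, max_score=5),
]
MIN_TOTAL_SCORE = 20

# Constructed messages: one with two real-looking numbers plus a template
# placeholder and heavy keyword repetition, one with a single keyword.
SENSITIVE = ("Confidential payroll export. SSN 123-45-6789, SSN 987-65-4321. "
             "Template placeholder: 000-00-0000. " + "confidential " * 8)
BENIGN = "Please keep this confidential."

if __name__ == "__main__":
    for label, msg in (("sensitive", SENSITIVE), ("benign", BENIGN)):
        print(label, classify(RULES, MIN_TOTAL_SCORE, msg))
```

In the first message the keyword rule matches eleven times but contributes only its cap of 5, while the two pattern matches contribute 20, so the total of 25 clears the minimum total score on the strength of the higher-weight rule.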