Cisco Email Security Appliance C160 User Manual

Chapter 11      Data Loss Prevention
Cisco IronPort AsyncOS 7.1 for Email Configuration Guide
OL-22158-02
Understanding How Email DLP Works
The RSA Email DLP feature uses a three-level policy structure to define your 
organization’s data loss prevention rules and the actions that the IronPort 
appliance takes when a message violates those rules:
Detection Rules. At the lowest level, DLP content scanning consists of 
detection rules used to scan for particular patterns in a block of text. These 
detection rules include regular expressions, words and phrases, dictionaries, 
and entities, which are similar to smart identifiers.
Content Matching Classifier. The next level is the content matching 
classifier, which scans an outgoing message and its attachments for sensitive 
information, such as credit card data or other personal information. A 
classifier contains a number of detection rules along with context rules that 
impose additional requirements. As an example, consider the Credit Card 
Number classifier developed by RSA. This classifier not only requires that the 
message contains a text string that matches a credit card number pattern, but 
that it also contains supporting information such as an expiration date, credit 
card company (Visa, AMEX, etc.), or name and address. Requiring this 
additional information results in more accurate verdicts of a message’s 
content, leading to fewer false positives. A DLP violation occurs when a 
classifier detects sensitive information in a message that violates your 
organization’s DLP rules.
DLP Policy. At the highest level is a DLP policy, which consists of a set of 
conditions and a set of actions. The conditions include classifiers for a 
message’s content and tests for message metadata, such as sender, recipient, 
or attachment file type. The actions specify both the overall action to take on 
messages (deliver, drop, or quarantine) and secondary actions such as 
encrypting the message, copying it, altering its header, and sending 
notifications.
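
The three levels, illustrated in Python. This is an added example, not Cisco or RSA code: the patterns, issuer word list, policy fields and sample messages are constructed assumptions and do not reflect the product's actual classifier.

```python
import re

# Level 1: detection rules (constructed patterns and word list, not RSA's).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")                # 13-16 digits
EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")  # MM/YY or MM/YYYY
ISSUER_WORDS = ("visa", "amex", "mastercard")

def classify_credit_card(text):
    """Level 2: classifier = detection rule plus a context rule.

    A card-like number alone is not a violation; the text must also carry
    supporting information (an expiration date or a card company name).
    """
    if not CARD_RE.search(text):
        return False
    lowered = text.lower()
    has_expiry = EXPIRY_RE.search(text) is not None
    has_issuer = any(re.search(rf"\b{w}\b", lowered) for w in ISSUER_WORDS)
    return has_expiry or has_issuer

def evaluate_policy(policy, message):
    """Level 3: policy = conditions (classifier + metadata test) and actions."""
    texts = [message["body"]] + message.get("attachments", [])
    if not any(policy["classifier"](t) for t in texts):
        return {"action": "deliver", "secondary": []}
    if message["sender"] in policy["exempt_senders"]:   # metadata condition
        return {"action": "deliver", "secondary": []}
    return {"action": policy["action"], "secondary": list(policy["secondary"])}

# Hypothetical policy: quarantine violations, then encrypt and notify.
POLICY = {
    "classifier": classify_credit_card,
    "exempt_senders": {"billing@example.com"},
    "action": "quarantine",
    "secondary": ["encrypt", "notify"],
}

# Constructed sample messages: a 16-digit order number versus real card context.
ORDER_MAIL = {"sender": "sales@example.com",
              "body": "Your order 4111111111111111 has shipped."}
CARD_MAIL = {"sender": "sales@example.com",
             "body": "Please charge Visa 4111 1111 1111 1111, exp 09/27."}

if __name__ == "__main__":
    for mail in (ORDER_MAIL, CARD_MAIL):
        print(mail["body"], "->", evaluate_policy(POLICY, mail))
```

The order-number message matches the digit pattern but is delivered because no context rule is satisfied, which is the false-positive reduction the classifier description refers to.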
You define your organization’s DLP policies in DLP Policy Manager and then 
enable the policies in your outgoing mail policies. The appliance scans outgoing 
messages for DLP policy violations after the virus outbreak filters stage of the