Cisco Email Security Appliance C160 User Manual

Chapter 11      Data Loss Prevention
11-376
Cisco IronPort AsyncOS 7.1 for Email Configuration Guide
OL-22158-02
Classifier Detection Rules
Classifiers require rules for detecting DLP violations in a message or document. 
Classifiers can use one or more of the following detection rules:
- Words or Phrases. A list of words and phrases that the classifier should look
  for. Separate multiple entries with a comma or line break.
- Regular Expression. A regular expression to define a search pattern for a
  message or attachment. You can also define a pattern to exclude from
  matching to prevent false positives. See
  for more information.
- Dictionary. A dictionary of related words and phrases. RSA Email DLP
  comes with dictionaries created by RSA, but you can create your own. See the
  for more information.
- Entity. Similar to smart identifiers, entities identify patterns in data, such as
  ABA routing numbers, credit card numbers, addresses, and social security
  numbers.
Classifiers assign a numeric value to the detection rule matches found in a 
message and calculate a score for the message. The risk factor used to determine 
the severity of a message’s DLP violation is a 0 - 100 version of the classifier’s 
final score. Classifiers use the following values to detect patterns and calculate the 
risk factor:
- Proximity. Defines how close the rule matches must occur in the message or
  attachment to count as valid. For example, if a numeric pattern similar to a
  social security number appears near the top of a long message and an address
  appears in the sender’s signature at the bottom, they are probably not related
  and the classifier does not count them as a match.
- Minimum Total Score. The minimum score required for the classifier to
  return a result. If the score of a message’s matches does not meet the
  minimum total score, its data is not considered sensitive.
- Weight. For each rule, you specify a “weight” to indicate the importance of
  the rule. The classifier scores the message by multiplying the number of
  detection rule matches by the weight of the rule. Two instances of a rule with
  a weight of 10 result in a score of 20. If one rule is more important for the
  classifier than the others, it should be assigned a greater weight.
- Maximum Score. A rule’s maximum score prevents a large number of
  matches for a low-weight rule from skewing the final score of the scan.
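
The scoring described above, worked through as an added example (not code from the guide or from the product). The rule names, the address pattern, the sample messages, treating proximity as a character distance between matches of different rules, and clamping the score to get the 0 - 100 risk factor are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    pattern: str    # regular expression detection rule
    weight: int     # score contributed by each counted match
    max_score: int  # cap on this rule's total contribution

def classify(rules, text, proximity, min_total_score):
    """Score text with weight, maximum score, proximity and minimum total score.

    Assumptions (not from the guide): proximity is a character distance, a match
    counts only if a match of a different rule lies within that distance, and
    the risk factor is the final score clamped to 0-100.
    """
    hits = sorted((m.start(), r.name) for r in rules
                  for m in re.finditer(r.pattern, text))
    counts = {r.name: 0 for r in rules}
    for pos, name in hits:
        if any(n != name and abs(pos - p) <= proximity for p, n in hits):
            counts[name] += 1
    # Per rule: matches x weight, limited by the rule's maximum score.
    score = sum(min(counts[r.name] * r.weight, r.max_score) for r in rules)
    sensitive = score >= min_total_score
    return {"counts": counts, "score": score, "sensitive": sensitive,
            "risk_factor": min(score, 100) if sensitive else 0}

# Constructed rules and messages (fake numbers, hypothetical address pattern).
RULES = [
    Rule("ssn_like", r"\b\d{3}-\d{2}-\d{4}\b", weight=10, max_score=30),
    Rule("street_address", r"\b\d{1,5} [A-Z][a-z]+ (?:Street|Avenue|Road)\b",
         weight=5, max_score=10),
]
NEAR = "Applicant 123-45-6789 lives at 42 Example Street. Co-signer 000-12-3456."
FAR = ("Case 123-45-6789 opened.\n" + "Ordinary status text.\n" * 20
       + "Regards, J. Doe, 42 Example Street")
MANY = "123-45-6789 " + "42 Example Street, " * 6

if __name__ == "__main__":
    for label, text, prox in (("near", NEAR, 40), ("far", FAR, 40),
                              ("many", MANY, 120)):
        print(label, classify(RULES, text, prox, min_total_score=20))
```

In the FAR message the number and the signature address are too far apart to count, so the score stays below the minimum total score. In the MANY message the six address matches are capped at the rule's maximum score instead of dominating the result.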