I am trying to do a Vontu displacement with MFE DLP.
One of the items that stumps me is as above.
In Vontu, one can define an action based on the severity of the incident.
And the severity is determined based on the pattern match frequency.
i.e. if a document contains:
11-100 CCN it will trigger a Low Sev incident - which will just Monitor the traffic
101-500 CCN it will trigger a Med Sev incident - which will notify the user
501+ CCN it will trigger a High Sev incident which will then block the document from being sent
Is there any way for MFE to do this?
I tried to work around it by creating the CCN pattern to trigger if it reaches the 100-match threshold.
However it will only trigger Medium and not High.
Any way to do this using McAfee DLPe?
We will be using DLPe 9.3 patch 2 + EPO 5.1
No luck, sorry. I've tried this before, and the closest I got was using combinations of tags to assist. You could do 'not matches' (such as, content category include 10 but not 20, though you have to work backwards in counts since the product doesn't stop counting at the desired reporting threshold) but that results in redundant scanning and counting, and you still won't get what it seems you want.
Vontu has McAfee beat hands down for ease of use, and reporting. Though I'd argue that McAfee has Vontu/Symantec beat in terms of technical proficiency with their respective products. It will be 2015 before the HDLP 9.5 is released, with some of the newer capabilities we all want.
Why does the customer even need three different thresholds? Did they conduct a Risk / Impact Assessment to determine these thresholds?
Even from a User Behavior Shaping perspective there is not a need to use more than 2 different sets of thresholds.
You can do it. Create 3 Text Patterns with 3 different Content Categories (LowT, MedT and HighT).
Text Pattern 1: Threshold is set to 11 (Low Threshold, LowT)
Text Pattern 2: Threshold is set to 100 (Medium Threshold, MedT)
Text Pattern 3: Threshold is set to 500 (High Threshold, HighT)
Create 3 different Rules
Rule 1 has LowT Included. MedT and HighT are Excluded.
Rule 2 has MedT Included and HighT Excluded.
Rule 3 has HighT Included and no Exclusions.
Message was edited by: vimalnavis on 5/14/14 10:30:52 PM CDT
Unfortunately the text pattern threshold max value is 100 [per my 9.3 p2 test]
My industry is the finance industry, and based on the Vontu rollout 6 years ago, that was the best design to do.
I tried changing that, but let's see.
@keithdrone: I agree. Both have their strengths and weaknesses. Looks like Vontu is geared more towards business and McAfee DLP is more for techies. One day hopefully some balance will be struck.
You are correct. The current version of DLPe does not support a threshold of more than 100.
You could still use my logic, but instead like this: LowT - 11, MedT - 50 and HighT - 100
So atm it can't be done. I will try to find some way to do the enforcement then.
Per HB, this will be in 9.4. Let's hope it will arrive soon.
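
The three-category include/exclude scheme proposed in the thread, modelled as an added Python example (not code from any poster and not McAfee DLPe code). The mapping of each rule to a monitor/notify/block reaction and all function names are assumptions made for illustration; it checks that the exclusions leave exactly one rule firing per match count and flags thresholds above the 100 limit reported for 9.3 p2.

```python
# Added illustration: a plain-Python model of the thread's rule logic.
# Nothing here calls or reproduces McAfee DLPe; names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # assumed reaction, taken from the Vontu severity tiers
    include: str         # content category that must match
    exclude: tuple = ()  # content categories that must NOT match

RULES = [
    Rule("Rule 1", "monitor", "LowT", ("MedT", "HighT")),
    Rule("Rule 2", "notify user", "MedT", ("HighT",)),
    Rule("Rule 3", "block", "HighT"),
]

PROPOSED = {"LowT": 11, "MedT": 100, "HighT": 500}  # first suggestion in the thread
CAPPED = {"LowT": 11, "MedT": 50, "HighT": 100}     # revised for the 100 limit
MAX_THRESHOLD = 100  # per-pattern limit reported in the thread for 9.3 p2

def matched_categories(count, thresholds):
    # Counting does not stop at a threshold, so every category whose
    # threshold has been reached matches at the same time.
    return {cat for cat, t in thresholds.items() if count >= t}

def fired_rules(count, thresholds, use_exclusions=True):
    cats = matched_categories(count, thresholds)
    return [r for r in RULES
            if r.include in cats
            and not (use_exclusions and cats.intersection(r.exclude))]

def action_for(count, thresholds):
    fired = fired_rules(count, thresholds)
    if len(fired) > 1:
        raise ValueError(f"{count} matches fire overlapping rules: {fired}")
    return fired[0].action if fired else None

def over_cap(thresholds, cap=MAX_THRESHOLD):
    # Categories whose threshold cannot be configured under the limit.
    return sorted(cat for cat, t in thresholds.items() if t > cap)

if __name__ == "__main__":
    print("not configurable with PROPOSED:", over_cap(PROPOSED))
    for n in (10, 11, 49, 50, 99, 100, 500):
        print(n, action_for(n, PROPOSED), action_for(n, CAPPED),
              [r.name for r in fired_rules(n, CAPPED, use_exclusions=False)])
```

The last column shows why the exclusions matter: without them, a document with 100 matches fires all three rules at once.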