Message 1 of 7

Severity based on match frequency in Host DLP

Hi everyone.

I am trying to do a Vontu displacement with MFE DLP.

One of the items that stumps me is as above.

In Vontu, one can define an action based on the severity of the incident.

And the severity is determined based on the pattern match frequency.

i.e., if a document contains

11-100 CCN it will trigger a Low Sev incident - which will just Monitor the traffic

101-500 CCN it will trigger a Med Sev incident - which will notify the user

501+ CCN it will trigger a High Sev incident which will then block the document from being sent

Is there any way for MFE to do this?

I tried to work around it by creating the CCN pattern to trigger if it reaches the 100-match threshold.

However, it will only trigger Medium and not High.

Any way to do this using McAfee DLPe?

We will be using DLPe 9.3 patch 2 + EPO 5.1

Thank you.

6 Replies
Message 2 of 7

Re: Severity based on match frequency in Host DLP

Anyone?


Re: Severity based on match frequency in Host DLP

No luck, sorry. I've tried this before, and the closest I got was using combinations of tags to assist. You could do 'not matches' (such as, content category includes 10 but not 20, though you have to work backwards in counts since the product doesn't stop counting at the desired reporting threshold) but that results in redundant scanning and counting, and you still won't get what it seems you want.

Vontu has McAfee beat hands down for ease of use and reporting. Though I'd argue that McAfee has Vontu/Symantec beat in terms of technical proficiency with their respective products. It will be 2015 before HDLP 9.5 is released, with some of the newer capabilities we all want.

Re: Severity based on match frequency in Host DLP

Why does the customer even need three different thresholds? Did they conduct a Risk / Impact Assessment to determine these thresholds?

Even from a User Behavior Shaping perspective there is not a need to use more than 2 different sets of thresholds.

You can do it. Create 3 Text Patterns with 3 different Content Categories (LowT, MedT and HighT).

Text Pattern 1: Threshold is set to 11 (Low Threshold, LowT)

Text Pattern 2: Threshold is set to 100 (Medium Threshold, MedT)

Text Pattern 3: Threshold is set to 500 (High Threshold, HighT)

Create 3 different Rules

Rule 1 has LowT Included. MedT and HighT are Excluded.

Rule 2 has MedT Included and HighT Excluded.

Rule 3 has HighT Included and no Exclusions.

Message was edited by: vimalnavis on 5/14/14 10:30:52 PM CDT
Message 5 of 7

Re: Severity based on match frequency in Host DLP

Hi Vimal.

Unfortunately the text pattern threshold max value is 100 [per my 9.3 p2 test]

My industry is the finance industry, and based on the Vontu rollout 6 years ago, that was the best design to do.

I tried changing that, but let's see.

@keithdrone: I agree. Both have their strengths and weaknesses. Looks like Vontu is geared more towards business and McAfee DLP is more for techies. One day hopefully some balance will be struck.


Re: Severity based on match frequency in Host DLP

You are correct. The current version of DLPe does not support a threshold of more than 100.

You could still use my logic, but instead like this: LowT - 11, MedT - 50 and HighT - 100
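
A small model of the include/exclude layering proposed in the two replies above, added here as an illustration and not taken from the thread or from McAfee. It assumes a content category matches whenever the match count is at or above its threshold; the `Rule`, `evaluate` and `bands` names are hypothetical.

```python
# Added illustration: a model of the include/exclude rule logic, not McAfee DLPe code.
from dataclasses import dataclass

MAX_THRESHOLD = 100  # per-pattern threshold cap reported in the thread for DLPe 9.3 p2

@dataclass(frozen=True)
class Rule:
    name: str
    include: str            # content category that must match
    exclude: tuple = ()     # content categories that must not match

def matched_categories(count, thresholds):
    """Assumption: a category matches once the count reaches its threshold
    and keeps matching above it (counting does not stop at the threshold)."""
    return {cat for cat, t in thresholds.items() if count >= t}

def evaluate(count, thresholds, rules):
    """Return the names of the rules that fire for a document with `count` matches."""
    for cat, t in thresholds.items():
        if t > MAX_THRESHOLD:
            raise ValueError(f"{cat}: threshold {t} exceeds cap {MAX_THRESHOLD}")
    hit = matched_categories(count, thresholds)
    return [r.name for r in rules
            if r.include in hit and not hit.intersection(r.exclude)]

RULES = [
    Rule("Rule 1", include="LowT", exclude=("MedT", "HighT")),
    Rule("Rule 2", include="MedT", exclude=("HighT",)),
    Rule("Rule 3", include="HighT"),
]
CAPPED = {"LowT": 11, "MedT": 50, "HighT": 100}      # thresholds from the follow-up reply
ORIGINAL = {"LowT": 11, "MedT": 100, "HighT": 500}   # first proposal, above the cap

def bands(thresholds, rules, upto=600):
    """Collapse per-count results into (first_count, last_count, rule names) bands."""
    out = []
    for n in range(upto + 1):
        fired = tuple(evaluate(n, thresholds, rules))
        if out and out[-1][2] == fired:
            out[-1] = (out[-1][0], n, fired)
        else:
            out.append((n, n, fired))
    return out

if __name__ == "__main__":
    for lo, hi, fired in bands(CAPPED, RULES):
        print(f"{lo:>3}-{hi:<3} {', '.join(fired) or 'no incident'}")
```

With the capped thresholds the exclusions give three non-overlapping bands (11-49, 50-99, 100 and up), so every count from 100 upward lands in Rule 3 and the 101-500 and 501+ tiers from the original question fall into the same band.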

Message 7 of 7

Re: Severity based on match frequency in Host DLP

Thanks Vimal.

So atm it can't be done. I will try to find some way to do the enforcement then.

Per HB, this will be in 9.4. Let's hope it will arrive soon.
