3 Replies Latest reply on Jan 15, 2013 8:52 AM by Chris Boldiston

    Monitoring data leakage activity via email using ADM rules

      We are trying to develop an ADM rule to monitor user activity over email in order to detect leakage of confidential information. The rule should be triggered when:

      • A user sends an email to any external domain from his/her official email account and the email contains specific keywords in the email message body or in an attached document.

      OR

      • While inside the corporate network, a user sends an email from e.g. Yahoo, Hotmail etc. to any domain other than the official domain and the email contains specific keywords in the email message body or in an attached document.

       

      Has anyone written such types of rules for their environment, or can anyone point to existing ADM rules detecting similar activity?

       

      Regards,
      Nadeem

        • 1. Re: Monitoring data leakage activity via email using ADM rules
          Chris Boldiston

          Hi Nadeem

          The first scenario looks like it could be handled easily by using an ADM rule and referencing an ADM Dictionary. Note that there is detailed information in the Help for setting up a Dictionary, so I won't go into it here.

           

          The first step would be to create the dictionary with the specific keywords that you are interested in. Then in the Policy Editor create a new ADM rule. Then, using an AND Clause, create an Expression Component using ObjectType Internet Mail Message Header. Then another Expression Component with the Term Object Content referencing the Dictionary. Then another component with Domain != yourdomain.com.

           

          The finished rule would look something like this in the Description box underneath the saved rule:

           

          Signature: ((any objtype == [text/rfc822-headers]) && (any myDictionary[objcontent]) && (all smtp.domain != ["yourdomain.com"]))

           

          If you want to add components for a possible attachment to the email, you can add that too. For the second scenario you would still use the same ideas I have outlined for the first example. My recommendation with ADM and all rule development is to progress in steps from a simple one-line rule to more complex rules. This makes error checking and troubleshooting much easier. Also, you may want to check the current ADM rules for some ideas on how to construct your own rules.

          Chris

          • 2. Re: Monitoring data leakage activity via email using ADM rules

            Hi Chris,

             

            Thanks for the reply. I previously set up a rule with similar conditions, but we were getting many false positives due to the addition of spam messages. The same goes for the rule with the above conditions. Is there any setting where I can specifically mention a condition such as sender domain == our domain or receiver domain != our domain?

             

            Regards

            • 3. Re: Monitoring data leakage activity via email using ADM rules
              Chris Boldiston

              Hi Nadeem

              I don't see a way to define that type of condition. You might want to submit a PER at https://mcafee.acceptondemand.com/index.jsp so that feature can be added to the system.

              Regards

              Chris
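The logic of the rule described in reply 1 (message header present, dictionary keyword in body or attachment, a recipient domain other than the company's) and the direction-aware refinement asked for in reply 2 (sender domain == our domain) can be expressed outside ADM as a small Python check over RFC 822 messages. The script below is an added illustration, not code from the thread or from McAfee; the domain, the keyword dictionary and the two sample messages are constructed, and the last result shows why the direction check drops inbound spam that merely contains a dictionary word.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Hypothetical values standing in for the ADM Dictionary and the company domain.
OUR_DOMAIN = "yourdomain.com"
DICTIONARY = {"confidential", "internal only", "project phoenix"}


def address_domains(msg, header_names):
    """Lower-cased domains of every address found in the given headers."""
    raw = [v for h in header_names for v in msg.get_all(h, [])]
    pairs = getaddresses(raw)
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in pairs if "@" in addr}


def text_parts(msg):
    """Decoded text of the body and of any text/* attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def dictionary_hits(msg, dictionary):
    """Dictionary keywords present in the body or a text attachment."""
    hits = set()
    for text in text_parts(msg):
        low = text.lower()
        hits.update(k for k in dictionary if k in low)
    return hits


def evaluate(raw, our_domain=OUR_DOMAIN, dictionary=DICTIONARY):
    """Evaluate both rule variants against one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = address_domains(msg, ["From"])
    recipients = address_domains(msg, ["To", "Cc", "Bcc"])
    hits = dictionary_hits(msg, dictionary)
    external = {d for d in recipients if d != our_domain}
    outbound = our_domain in sender
    return {
        "outbound": outbound,
        "external_recipients": sorted(external),
        "hits": sorted(hits),
        # Reply 1 rule: keyword hit AND some recipient domain != ours.
        "adm_style_match": bool(hits) and bool(external),
        # Reply 2 refinement: additionally require our domain as the sender,
        # so inbound spam carrying a keyword no longer fires.
        "outbound_match": outbound and bool(hits) and bool(external),
    }


# Constructed sample: a staff member mails a keyword-bearing attachment outside.
OUTBOUND_LEAK = """\
From: alice@yourdomain.com
To: partner@example.org
Subject: numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: text/plain; name="q3.txt"
Content-Disposition: attachment; filename="q3.txt"

CONFIDENTIAL - Project Phoenix revenue forecast
--b1--
"""

# Constructed sample: external spam addressed to us and to another external
# party; it contains a keyword but did not originate from our domain.
INBOUND_SPAM = """\
From: promo@spam.example.net
To: alice@yourdomain.com
Cc: bob@otherdomain.example
Subject: offer
Content-Type: text/plain

Confidential: you have been selected for a prize.
"""

if __name__ == "__main__":
    for name, sample in (("leak", OUTBOUND_LEAK), ("spam", INBOUND_SPAM)):
        print(name, evaluate(sample))
```

Only the From/To/Cc/Bcc headers and text/* parts are inspected; binary attachments (Office documents, PDFs) would need their own text extraction before the dictionary check, which is the part ADM handles for you when the attachment component is added to the rule.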