6 Replies Latest reply on May 20, 2014 10:37 PM by bphang

    Severity based on match frequency in Host DLP


      Hi everyone.



      I am trying to do a Vontu displacement with MFE DLP.

      One of the item that stumbles me is as above.


      In Vontu, one can define action based on severity of the incident .

      And the severity is determined based on the pattern match frequency.


      ie. if a document contain

      11-100 CCN it will trigger a Low Sev incident - which will just Monitor the traffic

      101-500 CCN it will trigger a Med Sev incident - which will notify the user

      501+ CCN it will trigger a High Sev incident which will then block the document from being sent


      Is there any way for MFE to do this ?


      I tried workaround it by creating the CCN pattern to trigger if it reach 100 match threshold.

      However it will only trigger Medium and not High.


      Any way to do this using McAfee DLPe ?

      We will be using DLPe 9.3 patch 2 + EPO 5.1


      Thank you.

        • 2. Re: Severity based on match frequency in Host DLP

          No luck sorry.  I've tried this before, and the closest I got was using combinations of tags to assist.    You could do 'not matches' (such as, content catagory include 10 but not 20, though you have to work backwards in counts since the product doesn't stop counting at the desired reporting threshold)  but that results in redundant scanning and counting, and you still won't get what it seems you want.   


          Vontu has McAfee beat hands down for ease of use, and reporting.   Though I'd argue that McAfee has Vontu/Symantec beat in terms of technical proficiency with their respective products.   It will be 2015 before the HDLP 9.5 is released, with some of the newer capabilities we all want.

          1 of 1 people found this helpful
          • 3. Re: Severity based on match frequency in Host DLP

            Why does the customer even need three different thresholds? Did they conduct a Risk / Impact Assessment to determine these thresholds?

            Even from a User Behavior Shaping perspective there is not a need to use more than 2 different sets of thresholds.


            You can do it. Create 3 Text Patterns with 3 different Content Categories (LowT, MedT and HighT).

            Text Pattern 1: Threshold is set to 11 (Low Threshold, LowT)

            Text Pattern 2: Threshold is set to 100 (Medium Threshold, MedT)

            Text Pattern 3: Threshold is set to 500 (High Threshold, HighT)


            Create 3 different Rules

            Rule 1 has LowT Included. MedT and HighT are Excluded.

            Rule 2 has MedT Included and HighT Excluded.

            Rule 3 has HighT Included and no Exclusions.


            Message was edited by: vimalnavis on 5/14/14 10:30:52 PM CDT
            1 of 1 people found this helpful
            • 4. Re: Severity based on match frequency in Host DLP

              Hi Vimal.


              Unfortunately the text pattern threshold max value is 100 [per my 9.3 p2 test]

              My industry is finance industry and based on the Vontu rollout 6 years ago, that was the best design to do.


              I tried changing that, but lets see.


              @keithdrone : I agree. Both has their strength and weaknesses. Looks like Vontu is geared more towards business and McAfee DLP is more for techies. One day hopefully some balance will be striked

              • 5. Re: Severity based on match frequency in Host DLP

                You are correct. The current version of DLPe does not support a threshold of more than 100.

                You could still use my logic, but instead like this: LowT - 11, MedT - 50 and HighT - 100

                1 of 1 people found this helpful
                • 6. Re: Severity based on match frequency in Host DLP

                  Thanks Vimal.


                  So atm it cant be done. I will try to find some way to do the enforcement then .


                  Per HB, this will be in 9.4 . Lets hope it will arrive soon