Adding Data Types to Rules

The data types are the building blocks of the Data Loss Prevention rule base, and the basis of the DLP policy that you install on DLP gateways - the basis of DLP functionality. Each data type defines a data asset that you want to protect.

Data Owners should be aware of the types of data that are under their responsibility and be able to tell you what type of data must be able to move outside of the organization and what data must be protected.

For example, a team leader of a programming team should know that lines of code should not be allowed to move outside the organization, and require that it be protected. A hospital administrator should have an example of a court order releasing patient records to authorized domains.

Focusing on Data

• Focus on the Data Types, not on the full rules. Enable and customize Data Types to recognize data to match.
• Start with the obvious - with the data that you know by experience should be kept inside the organization - lines of code, employee contact information, passwords, price lists, and so on.
• Then create more complex Data Types according to the organization confidentiality and integrity procedures, after communicating with Data Owners.
• After you have a Data Type, add it to a rule, and install the policy rule base on the DLP Gateways.

The Compliance Data Category

In the Data Loss Prevention Data Types window, data types are sorted according to category. An important category is the compliance category. The Data Types window lets you create data types that enforce compliance in accordance with regulatory standards.

The compliance category contains built-in data types that represent accepted standards and regulatory requirements. For example, according to Payment Card Industry (PCI) compliance standards, credit card numbers of customers must not be sent to outside sources in clear text.

The Data Loss Prevention Overview window > DLP Featured Data types toolbox lists the data types for:

• Compliance

  Clicking the Compliance button shows the data types in this category and how many are activated.

• Business information
• Personally identifiable information
• Best Practice
• Intellectual Property.
• Human Resources
• Financial

In the Featured Data Types area of the toolbox, two actions are available:

Action	Use
View rule	Click View rule to see how the compliance data type is used in the DLP policy.
Add to policy	Click Add to policy to add the compliance data type to the DLP policy.

Clicking Compliance on the tool bar in the Data Types window filters out those data types which do not belong to the Compliance category. Check Point regularly adds to the number of built-in data types, but if none of the types is applicable to your needs - you can create a new data type and add it to the compliance category.

Built-in data types exist for:

• EU Data Protection Directive
• FERPA - Confidential Educational Records
• GLBA - Personal Financial Information
• HIPAA - Protected Health Information
• ITAR - International Traffic in Arms Regulations
• PCI DSS - Cardholder Data
• PCI - Credit Card Numbers
• PCI - Sensitive Authentication Data
• U.S. State Laws - Personally Identifiable Information
• UK Data Protection Act

To add a new data type to the compliance category

1. In the Data Loss Prevention Data Types window, click New.

   The Data Type Wizard opens.

2. Select criteria such as keywords or a corporate template
3. On the last page of the wizard open, select Configure additional Data Type properties after clicking Finish.
4. Click Finish.
5. The data type properties window opens on the General Properties page.
6. Set the category to Compliance.

   Note - You cannot change the category of a built-in data type, only add new data types to one of the pre-existing categories.

Editing Data Types

After you define Data Types with the Data Type Wizard, you can fine-tune them if necessary.

Each Data Type in the General Properties window shows only its applicable fields. You only see the options that apply to the currently selected data type.

Section	Description
General Properties	Name - Name of the data type representation. Comment - Optional comments and notes. Categories - Optional assigned category tags, for grouping data types. Flag - Optional custom flag to help management of a large Data Types list. Follow Up - Use this flag as a reminder to check the tracking logs SmartView Tracker and analysis in SmartEvent to see if your changes are catching the expected incidents and otherwise to follow up on maintenance and fine-tuning. Improve Accuracy - After enabling a built-in data type, use this flag as a reminder to replace placeholder data types with real dictionary files or lists or to otherwise make built-in data types more relevant to your organization. After replacing the file with real data, remember to set this flag to Follow Up, to monitor its related incidents, or to No Flag. Description - For built-in data types, the description explains the purpose of this type of data representation. For custom-made data types, you can use this field to provide more details.
Custom CPcode	Add - Click to add CPcode scripts. The default file type is cpc. See the R77 versions CPcode DLP Reference Guide. View - Click to view a CPcode script in a text editor. Remove - Click to remove CPcode scripts.
Compound	Each one of these data types must be matched - All items in this list must be matched in the data, for the compound data type to match. None of these data types must be matched - If the data matches any item in this list, the compound data type does not match. Add items to a list. Edit selected item. (Changes made from here affect all compound data types and rules that use the edited data type). Remove items from a list.
Dictionary	Replace - Click to browse to a different file. View- Click to view the file. Note that any changes you make here do not affect the file that is used by the data type. Save a Copy- Click to save the file under another name. This data will be matched only if it contains at least - Set the threshold to an integer between 1 and the number of entries in the dictionary. Traffic that contains at least this many names from the dictionary will be matched. Note - If the items in the dictionary are in a language other than English, use a Word document as the dictionary file. Any text file must be in UTF-8 format.
Documents Based on a Corporate Template	Replace - Click to browse to a different file. View- Click to view the file. Note that any changes you make here do not affect the file that is used by the data type. Save a Copy- Click to save the file under another name. Match empty templates - Select this option if you want DLP to match the data type on an empty template. An empty template is a template that is identical to the uploaded corporate template. If the option is not selected, an empty template is detected but the data type is not matched. The template is not considered confidential until it contains inserted private data. Note the rule is bypassed for this document, but the document may still be matched by another DLP rule in the policy. Consider templates images - Incorporates a template's graphic images into the matching process. Including template images increases the similarity score calculated between the template and the examined document. The higher the score, the more accurate the match. Select this option if the graphic images used in a template document suggest that the document is confidential. Similarity - Move the slider to determine how closely a document must match the given template or form to be recognized as matching the data type. This will match header and footer content, as well as boiler-plate text.
File	Select the conditions that should be checked on files in data transmissions (including zipped email attachments, as well as other transmissions). A transmitted file must match all selected conditions for the File data type to be matched. The file belongs to one of these file groups - Click +, and select a files type from the list. The file name contains - Enter a string or regular expression to match against file names. The file size is larger than - Enter the threshold size in KB.
Group Members	Add - Add data types to the group. If any of the members are matched, the data is recognized as matching the group data type. In the list that opens, you can click New to create a new data type. Edit - Open the properties window of the selected data type. When you click OK or Cancel, the Data Type Group window is still open. Remove - Remove the selected data type from the group. The data type is not deleted.
Keywords or Phrases	Specify keywords or phrases to search for - Enter the words to match data content. Add - Click to add the keywords to the data type. Search List - Keywords in the data type. Edit - Modify the selected word or phrase in the list. Remove - Remove the selected word or phrase from the list. All keywords and phrases must appear - Select to match data only if all the items in the Search List are found. At least number words must appear - Enter an integer to indicate number of items in Search List to match the Keyword data type.
Pattern	Type a pattern (regular expression) - Enter the regular expression to match data content. Add - Click to add the regular expression to the data type. Pattern List - Regular expressions in the data type. Edit - Modify the selected regular expression in the list. Remove - Remove the selected regular expression from the list. Number of occurrences - Enter an integer to set how many matches between any of the patterns and the data are needed to recognize the data as matching the data type.
Similarity	Similarity - Move the slider to determine how closely a document must match the given template or form to be recognized as matching the data type. This will match header and footer content, as well as boiler-plate text.
Threshold (dictionary)	This data will be matched only if it contains at least - Enter an integer to set how many matches in the data are needed to recognize the data as matching the data type.
Threshold (occurrences)	Number of occurrences - Enter an integer to set how many matches in the data are needed to recognize the data as matching the data type.
Threshold (keywords)	This data will be matched only if it contains: All keywords and phrases - Select to match data only if all the items in the Search List are found. At least number keywords or phrases - Enter an integer to indicate number of items in Search List to match the Keyword data type.
Threshold (recipients)	This data will be matched only if the email contains: At least number internal recipients - Enter the minimum number of email addresses that are defined inside of My Organization that, along with external addresses, should cause the email to be regarded as suspicious of containing confidential information. and no more than number external recipients - If an email is sent to a large distribution list, even if it contains numerous internal recipients, it should be recognized as an email meant for people outside the organization. In this field, enter maximum number of email addresses external to My Organization, that if more external recipients are included, the email will match a rule.
Threshold (External BCC)	This data will be matched only if the email contains at least: Internal recipients - Enter the minimum number of email addresses that are defined inside of My Organization that, along with external addresses, should cause the email to be regarded as suspicious of containing confidential information. External recipients - Enter the minimum number of email addresses external to My Organization, that would cause such an email to be suspicious.
Weighted Keywords or Phrases	Keyword Text - List of current keywords or regular expressions in the list of weighted keywords. To add more, click New. To change the selected keyword or regular expression, click Edit. The Edit Word window opens. Weight - The number that represents the importance of this item in recognizing a transmission that should be matched. The higher the number, the more weight/importance the item has. Max. Weight - The number that represents the ceiling for this item. If content of a transmission matches the item (by keyword or by regular expression) to a total of this weight, no more counts of the item are added to the total weight of the transmission. (Zero means there is no maximum weight.) RegEx? - Whether the item is a regular expression. Threshold - When the weights of all items in the list are added together, if they pass this threshold, the transmission is matched.

To edit a Data Type:

1. On the SmartConsole, open the Data Loss Prevention tab.
2. Open Data Types, select a Data Type and click Edit.
3. In the General Properties window, edit/fill-in the fields that apply to the Data Type.
4. Click Finish.

Defining Data Type Groups

You can create a Data Type representation that is a group of existing Data Types.

To create a Data Type group:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Policy.
3. Click New > Data Type Group.

   The Group Data Type window opens.

4. Enter a Name for the group.
5. In the Group Members section, click Add.
6. Select the Data Types that are included in this Data Type group.
7. If necessary, add Data Owners to the group.
8. Click OK.
9. Click Save and then close SmartDashboard.
10. From SmartConsole, Install Policy.

Defining Advanced Matching for Keyword Data Types

You can add CPcode script files for more advanced match criteria to improve accuracy after a keyword, pattern, weighted keyword, or words from a dictionary are matched. If the CPcode script file has a corresponding value file (for constants values) or CSV file, add it here.

To add advanced matching Data Type CPcode script:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Data Types.
3. Select a Data Type and click Edit.

   The Data Type window opens.

4. Click the Advanced Matching node.
5. In Run these CPcode for each matched keyword to apply additional match criteria, add the CPcode scripts to run on each of the Data Type matches.
   • Add - Click to add CPcode scripts. The default file type is cpc. See the R77 versions CPcode DLP Reference Guide.
   • View - Click to view a CPcode script in a text editor.
   • Remove - Click to remove CPcode scripts.
6. Click OK.
7. Click Save and then close SmartDashboard.
8. From SmartConsole, Install Policy.

Defining Post Match CPcode for a Data Type

For all Data Type representations, you can add CPcode scripts that run after a data type is matched.

To add a post match Data Type CPcode script:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Data Types.
3. Select a Data Type and click Edit.

   The Data Type window opens.

4. Click the Advanced Matching node.
5. In Run these CPcode scripts after this Data Type is matched to apply additional match criteria, add the CPcode scripts to run on each of the Data Type matches.
   • Add - Click to add CPcode scripts. The default file type is CPC.
   • View - Click to view a CPcode script in a text editor.
   • Remove - Click to remove CPcode scripts.
6. Click OK.
7. Click Save and then close SmartDashboard.
8. From SmartConsole, Install Policy.

Recommendation - Testing Data Types

Before installing a policy that contains new Data Types, you can test them in a lab environment.

Recommendation for testing procedure:

1. Create a Data Type.
2. Create a user called Tester, with your email address.
3. Create a rule:
   • Data = this Data Type
   • Action = Detect
   • Source = Tester
   • Destination = Outside
4. Send an email (or other data transmission according to the protocols of the rule) that should be matched to the rule.
5. Open the Logs & Monitor Logs view and check that the incident was tracked with the Event Type value being the name of the Data Type.
   • If the transmission was not caught, change the parameters of the Data Type. For example, if the Data Type is Document by Template, move the slider to a lower match-value.
   • If the transmission was caught, change the parameters of the Data Type to be stricter, to ensure greater accuracy. For example, in a Document by Template Data Type, move the slider to a higher match-value.
6. After fine-tuning the parameters of the Data Type, re-send a data transmission that should be caught and check that it is.

   Important - If you change the action of the rule to Ask User, to test the notifications, you must change the subject of the email if you send it a second time. If Learning mode is active, DLP recognizes email threads. If a user answers an Ask User notification with Send, DLP will not ask again about any email in the same thread.

7. Send another transmission, as similar as possible, but that should be passed; check that it is passed.

   For example, for a Document by Template Data Type, try to send a document that is somewhat similar to the template but contains no sensitive data.

   If the acceptable transmission is not passed, adjust the Data Type parameters to increase accuracy.

Exporting Data Types

You can export to a file the Data Types that you have created or that are built-in. This allows you to share Data Types between DLP Gateways, when each is managed by a different Security Management Server.

To export a Data Type:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Data Types.
3. Select the Data Type to export.
4. Click Actions > Export.
5. Save it as a file with the dlp_dt extension.
6. Click Save and then close SmartDashboard.

Importing Data Types

You can share Data Types with another Security Management Server or recover a Data Type that was deleted but previously exported. You can also obtain new Data Types from your value-added reseller or from Check Point and use this procedure to add the new Data Types to your local system.

To import Data Types:

1. In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

   SmartDashboard opens and shows the DLP tab.

2. From the navigation tree, click Data Types.
3. Click Actions > Import.
4. Select the dlp_dt file holding the Data Type that you want.
5. Click Save and then close SmartDashboard.
6. From SmartConsole, Install Policy.