Click 'Settings' > 'Data Loss Prevention'
- Data loss prevention (DLP) rules let you scan Windows devices for files that contain sensitive information.
- For example, the scan finds card numbers, social security numbers, bank account numbers, bank routing numbers, and more.
- You can review all files which contain sensitive data from the 'Logs' interface. You can then take action to secure that data where required.
- You first create a discovery scan rule at 'Settings' > 'Data Loss Prevention' > 'Discovery Rules'.
- The rules let you specify the areas you want to scan, and the types of information you want to search for.
- You can also run discovery scans from 'General Tasks' > 'Data Loss Prevention Scan'
- Results – you can view scan results at 'Logs' > 'Data Loss Prevention Events'.
Create a DLP scan rule
- Click 'Settings' > 'Data Loss Prevention' > ‘Discovery Rules’
These rules tell the scanner exactly what type of data to search for. You will define the following items:
- Location - The folders or drives that you want to scan
- File types - The file extensions you want to inspect. For example, .doc, .xls, .txt.
- Search pattern - The type of data you want to search for. For example, card numbers, bank account numbers, social security numbers, dates-of-birth, etc.
You can then run the scan on the device from 'General Tasks' > 'Data Loss Prevention' > 'DLP Discovery Scan'.
- Click 'Settings' > 'Data Loss Prevention' > 'Discovery Rules'
- Click ‘Add’ at the top
- Rule Name - Enter a label for the rule.
Complete the following steps to create a DLP discovery rule:
Step 1 - Add scan targets
Targets are the folders or drives that you want to scan.
- Click the ‘Targets’ tab if not already open
- 'C:\Users' is included by default.
- Click ‘Add’
- File - Browse to the file location, select it and click ‘Open’
- Folder - Browse to the folder location, select it and click ‘OK’. You can also select a drive if required.
- Repeat the process to add more targets
Step 2 - Add Exclusions (optional)
You can exclude specific locations and/or file types from your discovery scan.
- Click ‘Exclusions’ then ‘Add’
File Groups - Exclude specific file types.
- Filegroups make it easy to exclude an entire class of files – for example, ‘Windows startup files’ or ‘Metro files’.
- CCS ships with a range of preset groups. You can edit these groups or create your own.
- Click 'Settings' > 'File Rating' > ‘File Groups’ for help with this.
- See this help page if you want help with managing file groups.
File – Exclude a particular file
Folder – Exclude a particular folder
- Repeat the process to add more exclusions.
Step 3 - Search patterns
Patterns let you tell the scanner what kind of sensitive information you want to find. For example, credit card numbers, social security numbers, bank routing numbers, etc.
- A pattern is a format used by the type of data that you want to find. Each pattern is a combination of an ‘information format’ and a ‘keyword group’.
- For example, the ‘Name with SSN’ pattern consists of:
- Keyword group = ‘Names’ keyword group.
- Information format = 9 digit number arranged in 3-2-4 formation, like '123-45-6789'.
- CCS ships with a number of patterns that you can use to search for sensitive data.
- Click the 'Patterns' tab then 'Add':
- Choose the type of information that you want to search for in scanned locations. For example, credit card numbers, social security numbers, bank routing numbers, etc.
Note – You MUST add keywords to the keyword group or the search will not work. For example, you must add some names to the ‘Names’ group.
The following list shows the information formats and keyword groups contained in each pattern:
- Name with 5-8 Digit Account Number - Consists of Keyword Group 'Names' and a bank account number
- Name with 9 Digit Account Number - Consists of Keyword Group 'Names' and 9 digit bank account number
- Name with 10 Digit Account Number - Consists of Keyword Group 'Names' and 10 digit bank account number
- Name with SSN - Consists of Social Security Number and Keyword Group 'Names'
- ABA Routing number - Consists of American Bankers Association (ABA) routing number. This is the nine digit bank code printed on negotiable instruments in the US.
- Date of birth - Consists of Birth Date
- Credit Card Number - Consists of Credit Card Number
- Consists of IPv4 and IPv6 IP Addresses
- Consists of URLs, and domain names
- Bank account number in International Bank Account Number (IBAN) format.
- Searches for MAC addresses, the unique identifier assigned to network cards.
The pattern is added to the rule:
- Threshold – Specify the number of times that data matching the pattern must be found in a document. For example, if you set a threshold of 2 then the scan must find 2 instances of the pattern in a document before it flags the document.
- Repeat the process to add more patterns
- Click the 'X' icon on the right if you want to remove a pattern from the rule
This tab lets you choose which file extensions you want the scan to inspect. For example, if you select ‘.doc’, then the scan will check ALL .doc files in the target locations.
- Click the 'Document Types' tab
- Use the switches in the status column to choose which types of files you want to scan.
- Click 'OK' to save your settings.
- Repeat the process to add more rules.
You can now run a DLP scan with the rule. If your pattern contains the ‘Names’ group, please make sure you have added keywords to the group.
Add keywords to keyword groups
Click 'Settings' > 'Data Loss Prevention' > 'Keywords Groups'
- Keyword groups are used by DLP rules to identify sensitive data. They are a list of specific items that the scan searches for. For example, the 'Names' group is a list of common first names and surnames.
- Keyword groups are paired with an ‘information format’ to form a 'pattern'.
- An information format is a notation used by the type of data you want to find. For example, the information format of a social security number is a nine digit number in 3-2-4 formation, like '123-45-6789'.
- So a search for the SSN ‘pattern’ will identify all instances of ‘Name + SSN’ in target documents.
- You MUST add some names to the ‘Names’ group or the search will not work. Patterns that have an empty keyword group will not produce any results.
Add names to the ‘Names’ keyword group
- Click 'Settings' > 'Data Loss Prevention' > 'Keywords Groups'
By default, there are two keyword groups – 'Network Terms' and 'Names'. These groups cannot be removed.
- Network Terms – This keyword group is under development. It will be available in a future release.
- Names – Add the names that you want to search for. The names group is paired with a variety of information formats to form many of the patterns used in DLP rules. For example, the names group + nine digit number is used for the social security number pattern.
- The scan searches for an exact match on the keywords you add.
- Because of this, we advise you to add only surnames to the ‘Names’ group at first. This will detect the most variants of the subject’s name.
- For example, the keyword ‘Bowman’ will catch the following variants in an SSN pattern search:
Robert T Bowman 123-45-6789
Rob Bowman 123-45-6789
Robert Bowman 123-45-6789
R. Bowman 123-45-6789
Bowman Robert 123-45-6789
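The following added example (not CCS code, and not from the original page) models the 'Name with SSN' pattern as described above: keyword group plus information format, the threshold, and the empty-group case. It assumes the keyword and the number must appear on the same line and that keyword matching is case-sensitive and whole-word; the function names and the sample text are constructed for illustration.

```python
import re

# Information format from the page: nine digits in 3-2-4 formation.
SSN_FORMAT = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample document: the five variants listed above plus one
# line that has the number format but no keyword.
SAMPLE = """\
Robert T Bowman 123-45-6789
Rob Bowman 123-45-6789
Robert Bowman 123-45-6789
R. Bowman 123-45-6789
Bowman Robert 123-45-6789
Invoice ref 987-65-4321
"""

def count_matches(text, keywords, info_format=SSN_FORMAT):
    """Count format hits on lines that also contain an exact keyword.

    Assumption: keyword and number must share a line. The page does not
    document how close the two must be in a real scan.
    """
    if not keywords:
        return 0  # empty keyword group: the pattern produces no results
    kw = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, keywords)))
    hits = 0
    for line in text.splitlines():
        if kw.search(line):
            hits += len(info_format.findall(line))
    return hits

def flag_document(text, keywords, threshold=1):
    """Flag the document once the match count reaches the threshold."""
    return count_matches(text, keywords) >= threshold

if __name__ == "__main__":
    # Surname only, first name only, and an empty 'Names' group.
    for group in (["Bowman"], ["Robert"], []):
        print(group, count_matches(SAMPLE, group),
              flag_document(SAMPLE, group, threshold=2))
```

With the surname as keyword all five variants are counted, while the first name 'Robert' misses 'Rob Bowman' and 'R. Bowman', which is why surnames are the better starting point.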
Add keywords to a group
There are two ways to add keywords:
Manually add keywords to a group
- Select a group then click ‘Add’:
- Add Keyword – Enter the keyword (e.g. name) you want to search for. Click ‘OK’
- Repeat the process to add more keywords to the group
- Click ‘OK’ then ‘OK’ again
Import keywords to a group
You can import keywords from a text file to a group. Each keyword should be on a separate line.
- Select a group and click ‘Import’ above
- Navigate to the file, select it and click ‘Open’
- The keywords are imported into the group
Manually run a DLP scan
You can run DLP scans on-demand from the 'General Tasks' interface:
- Click 'Tasks' on the CCS home screen
- Click 'General Tasks' > 'Data Loss Prevention Scan'
The scan interface shows all the rules you added in the DLP section.
- Start button - Run a scan with all rules at once
- Use the start buttons on the left to run a scan with a specific rule.
View scan results
The ‘Logs’ screen lets you view all files in which sensitive data was found:
- Click ‘Logs’ at the top of the CCS home screen
- Click ‘Tasks’ > ‘Advanced Tasks’ > ‘View Logs’
- Select ‘Data Loss Prevention Events’ from the first drop-down:
Each event is an instance where sensitive data was found:
- Date Time - Date and time the file was discovered.
- Path - The location of the document.
- Rule - The name of the DLP rule that discovered the file.
- Action - How the DLP event was handled by CCS. The only action available at the moment is ‘Ignore’. We will add file operations in future versions, but for now, you must manually review target files.
- Details - The specifics of the items found. See 'View file details' for more info.
You can use the filter options at the top to search the logs by time, location of the file, rule or action.
View file details
- Click the ‘Show details’ link in a DLP log row:
- The screen shows the name of the file and the rule/pattern which discovered sensitive data in the file.
- Click ‘Jump to Folder’ to view the document itself.