DLP and SSNs

I can't figure out what I'm doing wrong, but our DLP is enabled on our incoming and outgoing SMTP proxies, and the DLP sensors have Social Security Numbers enabled. Yet SSNs (the fake ones I try with the format xxx-xx-xxxx) are getting out. I don't know what I'm missing or what I should be looking for.

Thanks!

Comments

  • James_Carson Moderator, WatchGuard Representative

    Hi @BrandonH75

    The SSN sensors in DLP require a hit count of 10 in order to trigger that rule.

    (Security Portal - Data Loss Prevention)
    https://www.watchguard.com/wgrd-support/security-portal/dlp-rules
    [the two most commonly used ones are 83 and 84]

    Since SSN is just a random 9-digit number (since 2011), this sensor picks up a lot of false positives. If you're looking for a lower number to trigger, I'd suggest searching for one of the filters that have qualifying terms along with them.

    For most of the sensors, you'll need at least 10 instances of an SSN in a test like you're doing in order for DLP to trigger.

    -James Carson
    WatchGuard Customer Support
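
The threshold behaviour described in the reply above, as an added example that is not part of the original thread and is not WatchGuard's code: a small Python model of a pattern-only rule (10 hits) beside a rule that also needs a qualifying term, useful for checking whether a DLP test message should trigger before sending it. The regex, the term list, the 40-character window, the qualified threshold of 1 and all function names are assumptions made for illustration.

```python
import re

# Assumption: the sensor matches the dashed xxx-xx-xxxx layout used in the test above.
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
# Hypothetical qualifying terms; the real rule's term list is not on this page.
QUALIFYING_TERMS = ("ssn", "social security")
WINDOW = 40  # characters either side of a match searched for a term (assumed)

def count_hits(text):
    """Return (bare_hits, qualified_hits) for SSN-shaped strings in text."""
    lowered = text.lower()
    bare = qualified = 0
    for m in SSN_RE.finditer(text):
        bare += 1
        context = lowered[max(0, m.start() - WINDOW): m.end() + WINDOW]
        if any(term in context for term in QUALIFYING_TERMS):
            qualified += 1
    return bare, qualified

def evaluate(text, bare_threshold=10, qualified_threshold=1):
    """Model the two rule styles: pattern only (10 hits) vs. pattern plus term."""
    bare, qualified = count_hits(text)
    return {
        "bare_hits": bare,
        "qualified_hits": qualified,
        "pattern_only_rule": bare >= bare_threshold,
        "qualified_rule": qualified >= qualified_threshold,
    }

def build_test_body(n):
    """Constructed sample data: n fake SSN-shaped values, one per line."""
    return "\n".join(
        f"{100 + i:03d}-{10 + i % 90:02d}-{1000 + i:04d}" for i in range(n)
    )

if __name__ == "__main__":
    samples = [
        ("1 value", build_test_body(1)),
        ("9 values", build_test_body(9)),
        ("10 values", build_test_body(10)),
        ("1 value + term", "Employee SSN: 123-45-6789"),  # constructed
    ]
    for label, body in samples:
        print(f"{label:15} {evaluate(body)}")
```

A test message with a single fake SSN stays under the pattern-only threshold in this model, which matches the behaviour reported in the question.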

  • Gotcha. Thanks for the explanation!
