
Visual Guide to Implementing Exact Match Data Identifier (EMDI)


Overview

Exact Match Data Identifier (EMDI) detection is a powerful exact matching detection technology that enables you to detect structured data, especially personally-identifiable information (PII), with a high degree of accuracy. You can use EMDI to exactly match indexed records across all Data Loss Prevention channels. Fast performing and secure, EMDI can help you reduce false positives when compared to data identifiers and regular expressions. EMDI provides better matching performance and greater memory efficiency than Exact Data Matching (EDM).

Source: https://support.symantec.com/en_US/article.DOC9261...

This guide will demonstrate visually how to get this feature working in your environment.

  • The Exact Match Data Identifier (EMDI) feature is new to Symantec DLP 15.5.
     
  • This finally brings EDM (...or close) to the Endpoint Agents!
     
  • You can run this detection technology on more than just the agents. 

Prerequisites: 

  • Your Enforce server, Endpoint Prevent server, and Endpoint Agent must ALL be 15.5 or later for this feature to work.
     
  • EMDI is disabled by default on the endpoint, so you must configure the Protect.Properties file on the Detection server:
    • Change EMDI.EnabledOnAgents=false to EMDI.EnabledOnAgents=true.

1. Prepare your data source file. Please follow all the recommendations from the admin guide for best practices and tips and tricks for preparing the data. For this guide, we'll use the example data source file below (example data comes from https://dlptest.com).

Note: your data source must have a minimum of two columns--one for the required data, and one for the optional data. 

2. Navigate to Manage->Data Profiles->Exact Data.

3. Click Add Exact Match Data Identifier Profile.

 

4. You will be brought to the general screen.

Upload your data source file to the server, and select to read the first row as column names.

Best practice says not to use commas as separators since commas frequently appear in the data values themselves. Use pipe delimiters instead. 

Click Next when complete. 
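
The data source advice in steps 1 and 4 (header row, at least two columns, pipe rather than comma delimiters) can be checked before upload. The following is an added example, not part of the original article or of Symantec's tooling; the function name, the constructed sample rows, and the simple SSN shape check are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample using the guide's column names (ssn, lname, fname); not real data.
SAMPLE_CSV = """ssn,lname,fname
123-45-6789,Smith,Robert
234-56-7890,"O'Neil, Jr.",Pat
345-67-8901,Ng|Lee,Sam
12-345-678,Short,Sue
"""

# Assumption: a plain shape check, not the data identifier's own validation.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def prepare_data_source(text, required="ssn", delimiter="|"):
    """Convert comma-separated text to a delimited data source and list rows to fix."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        raise ValueError("empty data source")
    header = [h.strip() for h in rows[0]]  # first row is read as column names
    if len(header) < 2:
        raise ValueError("need at least two columns: one required, one optional")
    if required not in header:
        raise ValueError(f"required column {required!r} not in header")
    req_idx = header.index(required)

    out_lines, problems = [delimiter.join(header)], []
    for line_no, row in enumerate(rows[1:], start=2):
        cells = [c.strip() for c in row]
        if len(cells) != len(header):
            problems.append((line_no, "wrong column count"))
        elif any(delimiter in c for c in cells):
            # A delimiter inside a value would shift columns at index time.
            problems.append((line_no, "value contains the delimiter"))
        elif not SSN_RE.match(cells[req_idx]):
            problems.append((line_no, "required value is not SSN-shaped"))
        else:
            out_lines.append(delimiter.join(cells))
    return "\n".join(out_lines) + "\n", problems


if __name__ == "__main__":
    converted, problems = prepare_data_source(SAMPLE_CSV)
    print(converted, end="")
    for line_no, reason in problems:
        print(f"line {line_no}: {reason}")
```

The row with a comma inside the last name survives conversion intact, which is the reason for preferring pipes; rows listed in `problems` are left out of the output so they can be corrected before indexing.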

5. You will be brought to the second portion of the general pane, where you'll specify which data source columns you wish to be optional and required.

In this example, we'll choose SSN to be required, and make lname and fname optional.

You'll also need to map your required value to a data identifier. In this example, we chose the Randomized US Social Security Number (SSN) data identifier.

6. Our new EMDI profile appears in the Exact Data window with a profile type of EMDI.

7. Now, we're ready to add this EMDI profile to a Data Identifier.

Navigate to Manage->Policies->Data Identifiers.

8. Select and open the Randomized US Social Security Number (SSN) Data Identifier.

Scroll down to the Validation Checks and select Exact Match Data Identifier Check (1). 

Select your desired profile from the left (2). 

Choose the number of columns you'd like to include matches against (3).

Click update validator (4).

Save the changes (5).

9. Now we're ready to put this Data Identifier to work in a policy. Navigate to Manage->Policies->Policy List (1) and then click +New to create a new policy (2).

10. For this example, we'll create a new blank policy.

11. Give the new blank policy a name, assign it to a policy group (we chose endpoint for this example), and create a new rule. 

12. Select Content Matches Data Identifier, and choose the Randomized US Social Security Number (SSN) data identifier. Click Next.

13. Give your rule a name, and then select a breadth. We chose narrow, since that's what we applied our EMDI validator against. 

Click OK to save your changes. 

14. We'll add a response rule of the Endpoint Notify condition, so that we can know when our policy creates incidents in our test. Click save when finished. 

15. We're now ready to test the policy (be sure to give your agents at least 5 minutes to get the new policy update).

Go to https://dlptest.com and click HTTP/HTTPS post (this test assumes you have enabled the HTTP/HTTPS Channels in your agent configuration).

Enter some data (1) from your EMDI profile. Remember, we chose narrow breadth, which also requires the presence of a social security related keyword ("SSN" in this case).

Click submit (2). 

An incident is generated since the EMDI and DI matched valid content. 

16. View the incident in Enforce by navigating to Incidents->Endpoint (it may take some time for the endpoint agent to push the incident up to the endpoint server, and then the Enforce server, so be patient).

In the incident snapshot, our EMDI data is matched, as well as the data identifier data. 

17. Web posts containing content not in our EMDI profile will not be detected as an incident. 

