I am working with DLP V14.6. The program is reading emails leaving a workstation at the workstation (before Exchange). I am looking for a specific keyword that appears in the subject line of the email [encrypt]. This keyword, if it appears in the first subject line, will trigger rules to encrypt the email later in the email message path at the encryption appliance.
The second and third subject lines that contain the keyword would not be picked up by the encryption appliance.
If someone edits a reply and removes the keyword from the sending subject line, the message won't encrypt at the encryption appliance.
The goal is to detect email messages with SSN/CCN data and block them at the sender (before Exchange) unless the message is going to be encrypted.
Today we block at our encryption device, but it's not 100% accurate. We believe we will get better SSN/CCN detection at the workstation using DLP 14.6. DLP 14.6 can also check to see if the user is in an AD group allowing encryption.
Our goal is to block messages at the workstation before they get to Exchange or the encryption appliance. We have not deployed DLP E-mail prevent. We are trying to use the endpoint agent.
My current regular expression will still allow the message to be sent when [encrypt] appears in the second or third Subject line. It just has to appear in the email.
(?i)(Subject\:\s).*(\[|\{)encrypt(\]|\})
The (?i) makes it case insensitive.
For this to work, the [encrypt] can be anywhere in the first subject line and encryption will apply. We also allow for {encrypt}, or [encrypt].
The example below, if it contained SSN/CCN data, would leave the workstation and be passed to our Exchange and encryption appliance. Today the encryption appliance would block the message, but we want defense in depth.
We want to stop this message with a regular expression and rules at the endpoint. It has to read only the first subject line and look for the [encrypt].
I appreciate any feedback.
Below is sample text.
From: Doe.John
Sent: Friday, March 16, 2018 9:27 AM
To: 'john.doe@gmail.com'
Subject: TESTING
TESTING
[encrypt]
John Doe
Company
From: Doe.John
Sent: Friday, March 16, 2018 9:27 AM
To: 'john.doe@gmail.com'
Subject: re: [encrypt] TESTING [encrypt]
TESTING
John Doe
Company
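
Added example, not part of the original post: one way to restrict the match to the first Subject line is to anchor at the start of the text and refuse to skip past any line that begins with "Subject:". It assumes the DLP rule engine accepts `\A`, negative lookahead and inline flags, which the post does not confirm; Python's `re` is used only to show the behaviour, and the function names and sample messages are constructed for illustration.

```python
import re

# Unanchored pattern in the style of the post: it matches ANY Subject line,
# so a keyword that survives only in a quoted (older) header still matches.
UNANCHORED = re.compile(r"(?i)Subject:\s.*(?:\[|\{)encrypt(?:\]|\})")

# Anchored at the very start of the text (\A). The tempered token
# (?:(?!^Subject:).)* can only advance while no line starts with "Subject:",
# so it stops at the FIRST Subject line. [^\r\n] keeps the keyword search on
# that one line, and the brackets must pair up: [encrypt] or {encrypt}.
FIRST_SUBJECT = re.compile(
    r"(?ims)\A(?:(?!^Subject:).)*^Subject:[^\r\n]*?(?:\[encrypt\]|\{encrypt\})"
)

def any_subject_has_keyword(text: str) -> bool:
    return UNANCHORED.search(text) is not None

def first_subject_has_keyword(text: str) -> bool:
    return FIRST_SUBJECT.search(text) is not None

# Constructed sample modelled on the post: keyword removed from the sending
# subject, still present in the body and in the quoted header underneath.
KEYWORD_REMOVED = (
    "From: Doe.John\nSent: Friday, March 16, 2018 9:27 AM\n"
    "To: 'john.doe@gmail.com'\nSubject: TESTING\nTESTING\n[encrypt]\n"
    "From: Doe.John\nSent: Friday, March 16, 2018 9:27 AM\n"
    "To: 'john.doe@gmail.com'\nSubject: re: [encrypt] TESTING [encrypt]\n"
)

# Constructed sample: keyword present in the sending (first) subject line.
KEYWORD_PRESENT = (
    "From: Doe.John\nTo: 'john.doe@gmail.com'\n"
    "Subject: RE: testing {Encrypt}\nTESTING\n"
)

# Constructed edge case: empty first subject, keyword on the next line.
EMPTY_SUBJECT = "From: Doe.John\nSubject:\n[encrypt]\nSubject: [encrypt]\n"

if __name__ == "__main__":
    for name, msg in [("keyword removed", KEYWORD_REMOVED),
                      ("keyword present", KEYWORD_PRESENT),
                      ("empty subject", EMPTY_SUBJECT)]:
        print(name, any_subject_has_keyword(msg), first_subject_has_keyword(msg))
```

In a DLP policy, the anchored pattern would serve as the exception condition, so a message with SSN/CCN data is allowed out only when its sending subject line carries the keyword.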