
Secure Access Service Edge: Monitor outbound file transfers to ensure data security

Last Updated: Nov 13, 2024

To prevent data leaks caused by sensitive files transferred outbound through multiple channels in the workplace, such as instant messaging and emails, we recommend that you use the data loss prevention (DLP) feature provided by Secure Access Service Edge (SASE) to monitor and manage files transferred outbound. This allows you to view the outbound transfer status of sensitive data, monitor data leak risks, and protect your business from major losses. This topic describes how to configure a policy to monitor outbound file transfers and how to collect statistics on outbound transfers.

Prerequisites

Configure a policy to monitor outbound file transfers

SASE supports the sensitive file monitoring feature. After you enable this feature, the system automatically identifies sensitive data elements in sensitive files and creates data templates based on the data elements, data type, and sensitivity level. Then, you can create monitoring policies based on conditions such as the data template and handling action to determine whether sensitive files are being transferred outbound.

SASE provides various built-in data templates that include common company data, customer data, and personal data. If built-in templates cannot meet your business requirements, you can create custom data templates based on new sensitive data elements.

Step 1: (Optional) Create a sensitive data element

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Data Loss Prevention > Detection Policy.

  3. On the Sensitive Data Definition tab, click Data Element. On the page that appears, click Create Data Element.

  4. In the Create Data Element panel, configure the parameters. The following table describes the parameters. Then, click OK.

    Parameter

    Description

    Element Name

    The name must be 2 to 32 characters in length and can contain letters, digits, hyphens (-), and underscores (_).

    Element Type

    • File Name or File Content

      If you specify File Name or File Content for the Element Type parameter, you must specify the Element Composition parameter. The following content describes the valid values of Element Composition:

      • Keyword: If you specify Keyword for the Element Composition parameter, the Custom Keyword parameter is required. You can specify that the element must meet all or one of your custom conditions.

        You can add up to 100 custom conditions.

      • Regular Expression: Specify a valid regular expression.

        For example, the regular expression ([A-Za-z0-9]+) matches any sequence of one or more letters or digits.

      You must also specify the Applicable File Type parameter. Valid values:

      • All Types

        All built-in file types supported by SASE.

      • Specified Type

        One or more built-in file types supported by SASE, such as Office and PDF files, images in the BPG format, and emails in the EML format.

      • Data Suffix

        One or more built-in file types supported by SASE, selected by file suffix, such as .tsv, .wpd, and .xps.

        If the built-in file types cannot meet your business requirements, you can click Add Custom Suffix to add a new file suffix.

    • File Attribute

      If you specify File Attribute for the Element Type parameter, you must specify the Element Composition parameter. The following content describes the valid values of Element Composition:

      • File Type

        Valid values include All Types, Specified Type, and Data Suffix. The values are described in the preceding content.

      • File Encryption

        If you specify File Encryption for the Element Composition parameter, you must configure Retain Encrypted File.

        Document applications provide built-in file encryption, which can be used to hide sensitive enterprise data from detection. SASE can retain encrypted files for enterprise audit.

      Specify the File Size parameter. Valid values: 0 KB to 30 MB.

Step 2: (Optional) Create a data template based on sensitive data elements

  1. On the Sensitive Data Definition tab, click Data Template. On the page that appears, click Create Template.

  2. In the Create Template panel, configure the parameters. The following table describes the parameters. Then, click OK.

    Parameter

    Description

    Template Name

    The name of the template. The name must be 2 to 32 characters in length and can contain letters, digits, hyphens (-), and underscores (_).

    Sensitivity Level

    The sensitivity level of the file. Valid values:

    • L4: confidential

      The following sensitive information is confidential: personal information of customers within the enterprise, macro feature data, forecast data, credit data, and other data aggregated from one or more departments, data related to legal liability, and communication records related to events such as major decision-making, investment, and financing. Discussing or distributing confidential information among non-related personnel is strictly prohibited. Unauthorized distribution of confidential data has major negative impacts on enterprise business and can even cause systematic failures.

    • L3: private

      Customer information generated from business operations and business data generated at the department level after aggregation and processing. Unauthorized distribution of private data has a direct or indirect negative impact on the enterprise, customers, or employees and can lead to financial or business losses, reputation damage, or legal liability.

    • L2: internal

      Internal data includes data that only employees or third-party personnel who signed a confidentiality agreement can access, and data that only specific groups of users can access. Unauthorized distribution of internal data has a minor or insignificant negative impact on customers, specific business, or specific employees.

    • L1: public

      Data that can be publicly accessed and does not incur security or legal issues.

    Data Type

    The type of data that you want to monitor. Valid values:

    • Enterprise Data

    • Business Data

    • Personal Data

    Data Elements

    Specify sensitive data elements to create monitoring rules.

    For example, if you specify "Phone number > 5", sensitive file monitoring is triggered when a phone number appears more than five times.

    We recommend that you configure multiple monitoring rules based on your business requirements to facilitate accurate and comprehensive file monitoring. You can use the AND or OR logical operator among multiple rule conditions.
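The following added example (illustrative code written for this page, not SASE's own code or API) models the concepts from Step 1 and Step 2: a data element defined by a regular expression, a data template whose hit-count rules are joined by AND or OR, and the policy action applied to a file that stays within the 30 MB scan limit. The element names, patterns and the sample file content are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed model of the SASE DLP concepts above: a data element (regular
# expression composition), a data template with hit-count rules joined by
# AND/OR, and the policy action. Not SASE's code; names are assumptions.
SCAN_LIMIT_MB = 30                  # files above this size are not content-scanned

@dataclass
class DataElement:
    name: str
    regex: str                      # "Regular Expression" element composition

    def hits(self, text: str) -> int:
        return len(re.findall(self.regex, text))

@dataclass
class Rule:
    element: DataElement
    min_hits: int                   # "Phone number > 5" means min_hits = 6

@dataclass
class DataTemplate:
    name: str
    level: str                      # sensitivity level, L1 (public) to L4 (confidential)
    rules: list
    logic: str = "AND"              # AND or OR across the rules

    def matches(self, text: str) -> bool:
        checks = [r.element.hits(text) >= r.min_hits for r in self.rules]
        return all(checks) if self.logic == "AND" else any(checks)

def evaluate(text: str, size_mb: float, templates, action: str = "Block Only"):
    """Return (action, matched template names): the configured action when a
    template matches, 'Allow' when none does, 'Unscanned' above the limit."""
    if size_mb > SCAN_LIMIT_MB:
        return "Unscanned", []
    matched = [t.name for t in templates if t.matches(text)]
    return (action if matched else "Allow"), matched

# Constructed elements: an 11-digit mobile number and an email address.
PHONE = DataElement("Phone number", r"\b1[3-9]\d{9}\b")
EMAIL = DataElement("Email address", r"\b[\w.]+@[\w.]+\.\w+\b")
CUSTOMER_CONTACTS = DataTemplate("Customer contacts", "L3",
                                 [Rule(PHONE, 6), Rule(EMAIL, 1)], "AND")

# Constructed file content: six phone numbers and one email address.
SAMPLE = ("Contacts: 13800000001 13800000002 13800000003 13800000004 "
          "13800000005 13800000006, reply to sales@example.com")
```

Calling evaluate(SAMPLE, 0.5, [CUSTOMER_CONTACTS]) returns the Block Only action with the matched template, while the same content with only three phone numbers is allowed under AND logic but matched under OR logic.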

Step 3: Create a monitoring policy and associate it with a data template

  1. On the Detection Policies tab, click Create Policy.

  2. In the Create Policy panel, configure parameters. The following table describes the parameters. Then, click OK.

    Parameter

    Description

    Policy Information

    Policy Name

    The name of the policy.

    Policy Description

    The supplementary description of the policy.

    Action

    The following options are supported:

    • Audit Only

    • Block and Notify

    • Block Only

    If you specify Block and Notify or Block Only, you must also select Block All or Intelligently Block.

    • Block All: The SASE client blocks all outbound file transfers in real time and audits the transfers.

    • Intelligently Block: The SASE client blocks outbound transfers of sensitive files that meet the conditions specified in data templates in real time. To make real-time blocking possible, the SASE client first scans the files on the terminal and marks their sensitivity levels. Until the scan is complete, the intelligent blocking policy cannot take effect, and the SASE client blocks all outbound transfers in the meantime. The scan and marking operations are performed only on terminals and are not reported.

    Source File Retention

    Specifies whether to retain the source file information.

    Status

    The status of the policy. Valid values:

    • If you turn on this switch, SASE monitors files based on the policy that you created.

    • If you turn off this switch, the policy does not take effect.

    Data Template Configuration

    Data Template

    The data template that you want to use.

    Transmission Channel

    The data transmission channel that you want to use. After you select a data transmission channel, the system automatically monitors sensitive files that are transmitted by using this channel. The following content describes the supported transmission channels. You can select a specific channel or all channels.

    • Instant Messaging

    • Email Channel

    • HTTP Channel

    • FTP Channel

    • Sharing Channel

    • Printer Channel

    • Burning Channel

    • Mobile Storage

    • Other Channels

    Effective Scope

    User Group

    The user group on which the policy takes effect.

    Approval Process Configuration

    If a file that an employee wants to send outbound is at risk, you can configure an approval workflow to allow the employee to submit an application.

    If you select Users can submit an application for approval, you must select an appropriate approval workflow. For more information, see Configure an approval workflow.

    Prompt Display Configuration

    The message that appears when an outbound file transfer is blocked. You can specify a message in Chinese or English.

View sensitive file monitoring statistics

After you enable the DLP feature and configure a monitoring policy, the system automatically monitors file transfers of employees and analyzes outbound sensitive file transfers and abnormal events within the last 30 days, 7 days, or 24 hours based on monitoring results.

  • You can use this feature to monitor sensitive files transferred outbound that are smaller than or equal to 30 MB, and to view the top 5 types of sensitive files and their percentages.

  • The system considers the following events abnormal: a file larger than 30 MB is transferred outbound from an employee, a file is copied to a peripheral, and more than 1 GB of files in total are transferred outbound from an employee. The system does not check the files for sensitive information. You can check the files after an abnormal event is reported. The following table describes the types of abnormal events.

    Type

    Description

    Outbound Transfer of Large File

    A file larger than 30 MB is transferred outbound online or offline from an employee.

    In this case, pay close attention to the employee who transfers such a file outbound offline to protect your business from major losses.

    Copy File with Peripheral

    A file smaller than or equal to 30 MB is copied to a peripheral online or offline.

    In this case, pay close attention to the employee who copies such a file to a peripheral offline to protect your business from major losses.

    Threshold for Outbound Transfer Exceeded

    More than 1 GB of files in total are transferred outbound offline from an employee.

    In this case, pay close attention to the employee to protect your business from major losses.

  1. In the left-side navigation pane, choose Data Loss Protection > Sensitive Behavior Detection.

  2. In the Sensitive Behavior Identification section, view the sensitive behavior of employees in the specified time range.


View the records of sensitive files transferred outbound

You can use SASE to check for sensitive information in files transferred outbound that are smaller than or equal to 30 MB and record the sensitive information. You can view the content of sensitive files transferred outbound based on these records.

  1. On the Sensitive Behavior Detection page, view the list of sensitive files transferred outbound by employees.


  2. Find the employee whose record you want to view and click Details in the Actions column. On the Outbound Transfers of Sensitive Files tab, you can view the statistics and list of sensitive files transferred by the specified employee.

    [Figure: Outbound Transfers of Sensitive Files tab, with the Time Period, Statistics, and Sensitive File List sections marked 1, 2, and 3]

    Section

    Description

    Time Period (marked 1 in the preceding figure)

    The query time range. You can specify a custom time range.

    Statistics (marked 2 in the preceding figure)

    Statistics such as the number of sensitive files transferred within the specified time range, transfer channel, and file size are displayed in this section.

    Sensitive File List (marked 3 in the preceding figure)

    Information about sensitive files such as the sensitivity level, data type, data template, and number of hits is displayed in this section. You can also specify query conditions to search for specific data.

    • Click Download in the Actions column to download the sensitive file to your PC.

    • Click Details in the Actions column to view details of the sensitive file in the Details panel. You can view information such as key information, sensitive file preview, screenshot evidence, hit policy, terminal, and outbound transfer channel.

View abnormal event records

SASE considers the following events abnormal: a file larger than 30 MB is transferred outbound from an employee, a file is copied to a peripheral, and more than 1 GB of files in total are transferred outbound from an employee. Pay close attention to the employee to protect your business from major losses. If a file is larger than 30 MB, the system does not check it for sensitive information. You can check the monitored files after an abnormal event is reported.

  1. On the Sensitive Behavior Detection page, view the abnormal event records.


  2. Find the employee whose record you want to view and click the value in the Abnormal Event column. On the Abnormal Events tab, view the abnormal event records of the specified employee.

    You can also click Details in the Actions column to view the records on the Abnormal Events tab.
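The following added example (illustrative code written for this page, not SASE's implementation) applies the three abnormal-event rules from the table in the preceding section to a constructed set of transfer records and reports, per employee, which event types fired and which files were never content-scanned. The record fields, the set of channels treated as peripherals, and the decision to count all transfers toward the 1 GB total (without distinguishing online from offline) are assumptions.

```python
from collections import defaultdict

# Constructed model of the abnormal-event rules in the table above: a file
# larger than 30 MB, a file copied to a peripheral, and more than 1 GB in
# total from one employee. Not SASE's code; the record fields, the set of
# peripheral channels and the online/offline simplification are assumptions.
LARGE_FILE_MB = 30          # files above this are reported but not content-scanned
TOTAL_LIMIT_MB = 1024       # more than 1 GB in total from one employee
PERIPHERAL_CHANNELS = {"Mobile Storage", "Burning Channel", "Printer Channel"}

def classify_events(records):
    """Return {employee: sorted abnormal-event types} over transfer records.
    Each record is {"employee", "size_mb", "channel"}; channel names follow
    the Transmission Channel options of the detection policy."""
    events = defaultdict(set)
    totals = defaultdict(float)
    for r in records:
        emp, size, channel = r["employee"], r["size_mb"], r["channel"]
        totals[emp] += size
        if size > LARGE_FILE_MB:
            events[emp].add("Outbound Transfer of Large File")
        elif channel in PERIPHERAL_CHANNELS:     # peripheral copies of <= 30 MB
            events[emp].add("Copy File with Peripheral")
        if totals[emp] > TOTAL_LIMIT_MB:         # cumulative across files
            events[emp].add("Threshold for Outbound Transfer Exceeded")
    return {emp: sorted(kinds) for emp, kinds in events.items()}

def unscanned_files(records):
    """Records that were not checked for sensitive content (over 30 MB)."""
    return [r for r in records if r["size_mb"] > LARGE_FILE_MB]

# Constructed transfer records for four employees: one large file, one copy
# to removable storage, one harmless transfer, and forty small shares that
# add up to more than 1 GB.
RECORDS = (
    [{"employee": "alice", "size_mb": 50, "channel": "HTTP Channel"},
     {"employee": "bob", "size_mb": 10, "channel": "Mobile Storage"},
     {"employee": "dave", "size_mb": 20, "channel": "Email Channel"}]
    + [{"employee": "carol", "size_mb": 28, "channel": "Sharing Channel"}
       for _ in range(40)]
)
```

Running classify_events(RECORDS) flags alice for a large file, bob for a peripheral copy, and carol for exceeding the outbound threshold, while dave does not appear; only alice's file is reported by unscanned_files.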


Configure the retention period of monitoring results

By default, SASE stores monitoring results for 7 days. If you have activated Simple Log Service, you can save your monitoring results for 30 days. For more information, see Billing overview.

Configure sensitive file storage

By default, SASE provides 1 GB of free storage for sensitive files.

  • If you require larger storage space, click Scale Up in the upper-right corner of the Sensitive Behavior Detection page. For more information, see Billing overview.

  • If you do not want to store sensitive files, turn off Storage Status in the upper-right corner of the Sensitive Behavior Detection page. If you turn off the switch, the system does not delete existing sensitive files or store new sensitive files.

  • If you want to clear existing sensitive files, click Clear in the upper-right corner of the Sensitive Behavior Detection page. In the dialog box that appears, specify Clear by Time Range or Clear All.
