Safetica content detection of sensitive data
Posted by Štěpán Horký, Last modified by Štěpán Horký on 19 June 2019 02:50 PM

Safetica 9.1 brings a more flexible configuration of sensitive data detection, which allows more accurate results and a lower rate of false positive matches.

Starting with version 9.1 you can:

  • create detection rules with custom AND/OR conditions
  • set various detection thresholds for different detection rules

Detection rules

A detection rule is a set of conditions which, when they are met, evaluate the data as sensitive.

Detection example

The example configuration could be used to detect financial documents.

Detection rule #1 is matched when a credit card number AND the word "card" are found in a document within a range of 1,800 characters. Detection rule #2 is matched when the word "invoice" is found. Detection rule #3 is matched when the word "order" is found at least 5 times.

If detection rule #1 OR detection rule #2 OR detection rule #3 is matched anywhere in the file, the document will be evaluated as sensitive.

AND/OR conditions

If you specify several conditions within 1 detection rule, all of these must be matched. In other words, the relationship between conditions within 1 detection rule is "AND". For the example above, detection rule #1 is matched when both a credit card number AND the word "card" are found.

If you specify several detection rules within 1 data category, at least 1 of these must be matched. The relationship between several detection rules is "OR". For the example above, at least one of the three detection rules must be matched to detect the configured data category.

Detection range

The detection range increases the accuracy of results and lowers the number of false positive matches.

In practice, the detection range means that "AND" conditions must be matched within a range of 1,800 characters - roughly the amount of text which fits on a single A4 page. This range is applied to a plain text version of files and does not consider actual document pages.

Detection threshold

The threshold setting specifies the number of occurrences of the detection rule which must be reached to evaluate the data as sensitive.

Setting the threshold to "1" will detect every occurrence of the detection rule - this is suitable for covering all files which contain at least a single occurrence of se. Setting the threshold to "100" will only detect data where the detection rule is found 100 times in a single file. This offers flexibility: a threshold of "1" may generate more false positive results but detects every file which fulfills the condition. A threshold of "100", on the other hand, eliminates false positives and only detects files which contain a large amount of sensitive data.

The default threshold value is set to "5" to lower the number of false positive matches.
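The following sketch is an added example, not Safetica code, that evaluates the three example detection rules with the AND range, per-rule thresholds and OR between rules. The `CARD` pattern, the function names and the way occurrences of a multi-condition rule are counted are assumptions made for illustration.

```python
import re

RANGE = 1800  # detection range in characters of plain text, as stated on this page

# Assumed stand-in for the product's credit card detector: 16 digits in groups of 4.
CARD = r"\b(?:\d{4}[ -]?){3}\d{4}\b"

# (conditions, threshold) per detection rule; conditions inside one rule are ANDed.
RULES = {
    "rule #1": ([CARD, r"\bcard\b"], 1),
    "rule #2": ([r"\binvoice\b"], 1),
    "rule #3": ([r"\border\b"], 5),
}

def count_occurrences(text, conditions):
    """Count matches of the first condition that have every other condition
    within RANGE characters (assumed counting model, not Safetica's own)."""
    positions = [[m.start() for m in re.finditer(c, text, re.I)] for c in conditions]
    anchors, others = positions[0], positions[1:]
    return sum(
        all(any(abs(p - a) <= RANGE for p in pos) for pos in others)
        for a in anchors
    )

def evaluate(text, rules=RULES):
    """Return the names of matched rules; the data category is sensitive
    when at least one rule matches (OR between rules)."""
    return [name for name, (conds, threshold) in rules.items()
            if count_occurrences(text, conds) >= threshold]

# Constructed sample documents (test card number, not real data).
NEAR = "Payment by card 4111 1111 1111 1111 was accepted."
FAR = "Payment by card." + " x" * 1000 + " 4111 1111 1111 1111"
ORDERS_4 = "order " * 4
ORDERS_5 = "order " * 5

if __name__ == "__main__":
    samples = [("near", NEAR), ("far", FAR), ("4 orders", ORDERS_4), ("5 orders", ORDERS_5)]
    for label, doc in samples:
        matched = evaluate(doc)
        print(label, "->", "sensitive" if matched else "not sensitive", matched)
```

The `FAR` sample contains both conditions of rule #1 but more than 1,800 characters apart, so it is not flagged; this is the false-negative side of the range setting to keep in mind when testing a policy.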

Backward compatibility

After updating to version 9.1, existing sensitive content configurations will be converted to the new system. Previously, sensitive data detection only used OR conditions. To maintain this logic, existing configurations will be converted into individual detection rules.

| Version | Sensitive content configuration |
|---|---|
| Safetica 9.0 or older | credit card numbers OR "card" OR "invoice" OR "order" |
| Safetica 9.1+ | Detection rule #1: credit card numbers; Detection rule #2: "card"; Detection rule #3: "invoice" |

The new detection rules are backward compatible with older client versions to a certain degree:

  • older endpoint clients will only recognize detection rules with a single condition
  • if different thresholds are set for individual detection rules, older endpoint clients will apply the highest set threshold value

For example:

| Detection rule | Conditions | Threshold |
|---|---|---|
| Detection rule #1 | credit card numbers AND "card" | 1 |
| Detection rule #2 | "invoice" | 1 |
| Detection rule #3 | "order" | 5 |

On older endpoint clients, detection rule #1 is ignored because it includes multiple conditions. Detection rules #2 and #3 are both applied with a threshold of 5, since it is the highest set value. Consequently, this is the applied configuration:

| Conditions | Threshold |
|---|---|
| "invoice" OR "order" | 5 |