
Securing Your Cloud Transformation

DLP configuration for Source Code

©2020 Zscaler, Inc. All rights reserved.



1.1 Currently configured DLP
2 Suggested DLP dictionaries/engines configuration at Zscaler
2.1 Java Source Code
2.1.1 Dictionary 1
2.1.2 Dictionary 2
2.1.3 DLP engine configuration
2.2 VB source code
2.3 C Source code
2.4 Perl Source Code
2.4.1 DLP dictionaries configuration
2.4.2 DLP engine configuration
2.4.3 Possible change once Zscaler supports special characters as a base token
2.5 Source Code Extension
3 DLP policy configuration


1.1 Currently configured DLP

Source Code dictionaries of interest

Language: Regular Expression

PERL Source Code: perl AND [#][!] AND \$[a-zA-Z_]\w+

Java Source Code: import\s(\w+\.)+(\w+|\*); AND (public|protected|private)?\s*(class|static|boolean|interface)\s\w+(\s(implements|extends)\s(\w+,\s?)?\w+)*(\s\{)?

Source Code Extensions (not a regexp, but Attachment/FileName): *.bat,*.cxx,*.asm,*.asp,*.java,*.cpp,*.c,*.h,*.c++,*.pl,*.cob,*.cbl,*.for,*.bas,*.cls,*.frm,*.vbp,*.vb,*.sql

C Source Code: #include\s+(<|")[\w.]+(>|")

VB Source Code: Attribute\sVB_Name

2 Suggested DLP dictionaries/engines configuration at Zscaler
2.1 Java Source Code

Because Zscaler does not support nested repeats, the currently used regex needs to be
changed and divided into two dictionaries (in order to apply AND logic). The tables below show the
suggested configuration on the Zscaler portal to match Java source code.

2.1.1 Dictionary 1

Pattern
import\s\w[\w.]*[\w\*];


The “number of violation threshold” value should be set to 0 and all patterns should use the
“trigger” action.
Because it is not possible to use a nested repeat (like “(\w+\.)+”), the regex has been slightly
changed. The configuration on the portal should look like the screenshot below.

2.1.2 Dictionary 2

Pattern
public\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?
protected\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?
private\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?\s?\w*(,\s)?\w*(\s\{)?\{?

The “number of violation threshold” value should be set to 0 and all patterns should use the
“trigger” action.
Because the patterns cannot start with a subexpression, the original regex needs to be split
into three sub-patterns. The example configuration on the portal is shown below.


2.1.3 DLP engine configuration


In order to use the “AND” logic between the two defined dictionaries, both need to
be a part of a single engine as shown below.
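
The following added example (not part of the original document) compares the section 1.1 Java regex with the two rewritten dictionaries on constructed samples, to show where the rewrite changes what is matched. It assumes Python's re module approximates the portal's matching and that a dictionary with threshold 0 fires on its first match; the function names and samples are hypothetical.

```python
import re

# Section 1.1 regex, split at its AND. Python's re accepts the nested repeat.
ORIG_IMPORT = r"import\s(\w+\.)+(\w+|\*);"
ORIG_DECL = (r"(public|protected|private)?\s*(class|static|boolean|interface)"
             r"\s\w+(\s(implements|extends)\s(\w+,\s?)?\w+)*(\s\{)?")

# Sections 2.1.1 and 2.1.2: the patterns as rewritten for the portal.
DICT1 = [r"import\s\w[\w.]*[\w\*];"]
TAIL = (r"\s*(class|static|boolean|interface)\s\w+(\s(implements|extends))?"
        r"\s?\w*(,\s)?\w*(\s\{)?\{?")
DICT2 = [modifier + TAIL for modifier in ("public", "protected", "private")]


def hits(patterns, text):
    """Number of matches a dictionary produces over the whole content."""
    return sum(1 for p in patterns for _ in re.finditer(p, text))


def original_engine(text):
    return bool(re.search(ORIG_IMPORT, text) and re.search(ORIG_DECL, text))


def rewritten_engine(text):
    # Assumption: threshold 0 with "trigger" means one match is enough;
    # the engine ANDs the two dictionaries (section 2.1.3).
    return hits(DICT1, text) > 0 and hits(DICT2, text) > 0


# Constructed samples, not taken from the original document.
SAMPLES = {
    # Typical Java file: both configurations match.
    "java_public": "import java.util.List;\n\npublic class Foo implements Bar, Baz {\n}\n",
    # No access modifier: Dictionary 2 requires one, the original does not.
    "java_package_private": "import java.util.*;\n\nclass Foo extends Bar {\n}\n",
    # Dictionary 1 no longer requires a dotted name, so plain text can match.
    "english_prose": "We import goods; the public interface is documented.\n",
}


def compare():
    """Map sample name -> (original result, rewritten result)."""
    return {name: (original_engine(t), rewritten_engine(t))
            for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, new) in compare().items():
        print(f"{name:22} original={orig!s:5} rewritten={new!s:5}")
```

Running a comparison like this over a larger corpus of real files before enabling a block action gives a measure of the false positives and false negatives the rewrite introduces.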


2.2 VB source code

The regex used for the VB source code is relatively simple and can be copied to the Zscaler
portal without any changes. It requires a single dictionary with one pattern and a single engine.

Pattern
Attribute\sVB_Name

The action should be configured as “trigger” and the threshold should be set to 0.
The below screenshots present the sample dictionary and engine configuration.


2.3 C Source code


Zscaler DLP patterns cannot start with a special character (like #), so the # character needs
to be omitted from the configuration. Additionally, the current pattern can cause false positives
such as #include "mylib.h>, so it is worth splitting the pattern into two sub-patterns.

Pattern
include\s+"[\w.]+"
include\s+<[\w.]+>

Both patterns should have the action configured as “trigger” and should be part of the same
DLP engine, as shown on the screenshots below.


2.4 Perl Source Code


Zscaler DLP does not support having ‘#’, ‘!’ or ‘$’ configured as a base token. Because of that,
it is not possible to configure a pattern or phrase on the Zscaler side that matches Perl source code
in the same way as the current setup (using only [a-zA-Z_]\w+ would cause a lot of false positives). To
achieve similar functionality, a few patterns can be used in two dictionaries added
to a single engine. The suggested configuration requires Zscaler cloud version 6.0 (which adds
the Boolean logic inside the dictionaries) in order to avoid false positives.

2.4.1 DLP dictionaries configuration

There are two separate dictionaries required, each dictionary with a single pattern. Both
dictionaries are described in the table below.

Dictionary: Perl Source Code
Patterns:
usr(usr|bin|local|\/)*\/perl\W
bin(usr|bin|local|\/)*\/perl\W
local(usr|bin|local|\/)*\/perl\W

Dictionary: not-perl
Patterns:
usr(usr|bin|local|\/)*\/perl\S
bin(usr|bin|local|\/)*\/perl\S
local(usr|bin|local|\/)*\/perl\S

The dictionaries above do not check whether there is #! at the beginning of the stream, as
this is currently not a supported configuration on the Zscaler side (such features will most probably
be available in summer 2020). However, in most cases the path to the “perl” file uses common
keywords like “usr”, “bin” or “local”. The “perl” keyword should be the last part of the line. The
following examples of this line in Perl source code will be matched by the dictionaries above:
- #!/bin/perl
- #!/perl
- #!/usr/local/bin/perl
- #!/usr/perl
- #!/usr/local/perl
- #!/usr/bin/perl
The configuration of both dictionaries is presented on the screenshots below.


2.4.2 DLP engine configuration

In order to avoid false positives, the two previously configured dictionaries should use a specific
Boolean logic inside the engine. The line of the Perl source code which the configured
dictionaries should match is usually the first line in the code (or one of the first lines) and
there is nothing else in this specific line (except the “new line” character at the end). In order
to match such lines only if they end with the “new line” character, the following logic should be
configured in the engine:
((perl source code > 0) AND ( NOT ( (not-perl > 0) ) ) ).
The screenshot below shows how this configuration should look on the portal.

In order to configure a DLP engine in this way, add the “perl source code” dictionary
at the beginning of the expression, then add a subexpression with the “not-perl” dictionary and
change its logic to “exclude”.
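
The following added example (not part of the original document) evaluates the engine expression above against constructed sample content to show how the \W and \S endings interact. It assumes Python's re module approximates the portal's matching and that both dictionaries are counted over the entire scanned content; the function names and samples are hypothetical.

```python
import re

BODY = r"(usr|bin|local|\/)*\/perl"
PREFIXES = ("usr", "bin", "local")
# Section 2.4.1 dictionaries: same path pattern, different final character class.
PERL_SOURCE_CODE = [p + BODY + r"\W" for p in PREFIXES]  # followed by a non-word char
NOT_PERL = [p + BODY + r"\S" for p in PREFIXES]          # followed by a non-space char


def hits(patterns, text):
    """Number of matches a dictionary produces over the whole content."""
    return sum(1 for p in patterns for _ in re.finditer(p, text))


def engine(text):
    """((perl source code > 0) AND (NOT (not-perl > 0)))"""
    return hits(PERL_SOURCE_CODE, text) > 0 and hits(NOT_PERL, text) == 0


# Constructed samples, not taken from the original document.
SAMPLES = {
    # Path followed by newline: \W matches, \S does not -> engine fires.
    "shebang_newline": "#!/usr/bin/perl\nuse strict;\n",
    # A space is also \W and not \S, so interpreter flags still fire.
    "shebang_with_flag": "#!/usr/bin/perl -w\nuse strict;\n",
    # Punctuation is both \W and \S: not-perl cancels the hit.
    "path_then_comma": "Install it as /usr/bin/perl, then retry.\n",
    # Any whitespace counts, so a path inside a sentence fires too.
    "path_then_space": "Install it as /usr/bin/perl and retry.\n",
    # NOT applies to the whole content: one later path suppresses the shebang.
    "shebang_plus_lib_path": "#!/usr/bin/perl\nuse lib '/usr/local/perl/lib';\n",
    # The path must end in /perl; the env form is not covered.
    "env_shebang": "#!/usr/bin/env perl\nuse strict;\n",
}


def evaluate():
    """Map sample name -> engine verdict."""
    return {name: engine(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:24} {'MATCH' if verdict else 'no match'}")
```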


2.4.3 Possible change once Zscaler supports special characters as a base token
The suggested Perl source code DLP configuration should match most Perl source
code; however, it will not work in exactly the same way as the currently configured DLP. This is
due to the current lack of support for special characters configured as a base token. Once
such support is available, a new dictionary can be configured with the currently configured
pattern, which starts with the dollar sign. The new dictionary can then use the following pattern:
\$[a-zA-Z_]\w+
It should then be added to the engine with “AND” logic, as presented on the screenshot
below.

Adding the dictionary will make the engine more specific and help avoid false positives.


2.5 Source Code Extension


At the time this document was created, Zscaler does not offer functionality to check the
file name (either with DLP or with any other ZIA feature). Currently Zscaler can check the real file
extension based on the magic bytes, MIME or HTTP content delivery header. This functionality is
available under the file type control policy; however, of the required file extensions, only “BAT”
files are listed under the file type control.
There is a plan to support more file extensions under the file type control, which might help in
configuring this policy. The two enhancement requests which will add more supported
file types are ER-6479 and ER-6194.


3 DLP policy configuration


As per the requirements, there should be just a single DLP policy used for all source code.
Because the DLP policy on the Zscaler side uses “OR” logic between the engines, it is possible
to configure a single “block” policy with all the engines described above. The screenshot below
shows the sample configuration.
