This article contains information on using Fuzzy Hash and content reference dictionaries in Mimecast Content Examination definitions to detect and prevent sensitive information leakage, including configuration steps, hash types, match examples, and usage considerations for enhanced email security.
Below are examples of using Fuzzy Hashes as part of a Content Examination definition. This information should be utilized after reading the following pages:
Fuzzy Hashing can be used to limit the flow of sensitive information from leaving your organization by matching text content similarities between a Control Document and email attachments passing through your Mimecast service.
Activation score = 1
Fuzzy Hashes are generated via the Generate Fuzzy Hash button found on the Content Definitions page, and inserted using the Insert menu in Content Examination definitions.
There are two types of Fuzzy Hashes that can be used within Content Examination policies:
-
-
- SSDEEP: This hash type uses the binary information of the document to generate the hash.
- MFH: This hash type uses the text contained within the control file to generate the hash.
-
| Word / Phrase Match List | Email Content Required to Trigger Definition |
|---|---|
| 1 mfh 1.WBF37rr18toZBKcQ1nxmaM9wBWlAPVtUpWOTL5FLLT+cEmnKw.... | An email attachment containing similar content.
The content must at least be 75% similar for a match to be found. |
See the linked article for further information relating to the configuration and usage of Fuzzy Hashes.
Content Reference Dictionaries Match List Examples
Below are examples of using content reference dictionaries as part of a Content Examination definition.
Content reference dictionaries are added from the Insert menu inside a Content Examination Definition. See Using the Insert Menu and Reference Dictionaries.
| Word / Phrase Match List | Email Content Required to Trigger a Definition |
|---|---|
| #ref 545 Social Security Number #ref 276 Common Medical Terms |
Words and phrases contained in the ‘Social Security Number’ OR ‘Common Medical Terms’ reference dictionaries must be present so that their aggregate scores add up to 3 or more. Entries in the dictionaries are individually weighted or have a default weighting of 1.
These reference dictionaries must be pre-created. The word/phrase match list does not auto-populate the entire list of criteria in the dictionary. You have to refer to the original reference dictionary to examine its contents. Mimecast provides Managed Reference Dictionaries for only credit card numbers and profanity lists by default.
|
Ignoring Terms in a Custom Reference Dictionary
It's possible to use custom reference dictionaries with the ignore operator. This allows you to create a single list of terms that you do not want to find content matches for rather than entering each term separately. Here's an example syntax:
1 (detect Names) IGNORE (ref 879 Ignored Names)
Comments
Please sign in to leave a comment.