Introduction
File Content Sharing rules are a critical component of any comprehensive Data Loss Prevention (DLP) strategy. One of the most common and difficult-to-track methods of exfiltration is the physical transfer of data via removable media. Fortunately, Teramind has you covered!
Rule Walkthrough
This rule example demonstrates how to effectively monitor and control the flow of sensitive files, ensuring they cannot be written to or copied onto unauthorized external storage devices (such as USB drives).
Setting Up the Rule
General Settings
1. Assign a Rule Name. For example, “Block file transfer via USB drives”.
2. Select a Parent Policy. For example, “Admin Policy”.
3. Select “Content Sharing” for Rule Type.
4. Select “Files” under Select the type of contents.
Employees
5. Turn on the Inherit targets from Parent Policy option to use the policy’s default targets.
6. Alternatively, turn it off and manually select the employees, departments and/or computers for the rule's targets from the Assign to field.
7. Optionally, you can exclude targets in the Exclude from rule field.
Content
8. A default definition block, "Definition 1," should already be added to the rule. Configure the definition as follows:
Definition 1
9. Select "Predefined Classified Data" for Type of sensitive data.
10. Select "Financial Data" for Sensitive data category.
11. Select "Credit Card Number" for Sensitive data to detect.
12. Select "Loose" for Detection mode.
13. Enter "5" for Pattern frequency trigger.
Files
14. A default condition block, "Condition 1," should already be added to the rule. Configure the condition as follows:
Condition 1
15. Add the File Operation criterion by clicking the +Add button.
16. Select "Write" from the list of file operations.
17. Add the Drive criterion by clicking the +Add button.
18. Select "All external drives" from the list of drives.
Actions
19. Select the Notify action and then select the user(s) you want to notify about the incident. In this example, we selected "John Smith".
20. Select another action, Lock User.
21. Optionally, add a message. For example, “Your account is locked out. Please contact your admin for assistance.”
Rationale for the Rule
External and removable drives are one of the most effective vectors for both accidental and malicious data loss (exfiltration). This rule uses precise detection and enforcement conditions to block sensitive files from being copied to external drives, mitigating a major security risk.
This rule achieves its goal by leveraging three key areas:
Detection (Content): The rule uses a Predefined Classified Data definition (e.g., Financial Data) to ensure that only files containing classified, sensitive information trigger a violation.
Enforcement (Destination Conditions): The rule employs a dual-condition enforcement mechanism:
File Operation is set to "Write," ensuring the rule is only triggered by an attempt to save or copy data.
Drive is set to "All external drives," which explicitly targets removable media and blocks the write operation to that destination.
Action: The combined Lock User and Notify actions provide an immediate, preventative response. The user is instantly locked out of their system, stopping the transfer mid-attempt, and a notification is displayed, directing the user to contact their administrator.
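The three areas above combine as a logical AND. The following added example models that in Python; it is not Teramind's code, and the event shape, function names and regex are assumptions, with published test card numbers used as constructed sample data. The validate flag shows how pattern-only matching differs from checksum-validated matching; the page does not define what "Loose" does internally.

```python
import re
from dataclasses import dataclass

# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_cards(text: str, validate: bool = False) -> int:
    """Count candidates; validate=True also requires a valid checksum (assumed stricter mode)."""
    hits = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return sum(1 for h in hits if not validate or luhn_ok(h))

@dataclass
class FileEvent:        # hypothetical event shape, not Teramind's
    operation: str      # "Write", "Read", ...
    drive: str          # "external" or "local"
    content: str

def evaluate(event: FileEvent, frequency: int = 5) -> list[str]:
    """Return the actions to take; all three conditions must hold."""
    if event.operation != "Write" or event.drive != "external":
        return []                            # Condition 1 not met
    if count_cards(event.content) < frequency:
        return []                            # Definition 1 below the frequency trigger
    return ["Notify", "Lock User"]

# Constructed sample data built from published test card numbers.
TEST_CARDS = ["4111 1111 1111 1111", "5555-5555-5555-4444", "378282246310005",
              "6011111111111117", "4012888888881881"]
EXPORT = "\n".join(f"customer {i}: {c}" for i, c in enumerate(TEST_CARDS))
RECEIPT = "order 1001 paid with 4111 1111 1111 1111"
LOOKALIKE = "tracking id 1234 5678 9012 3456"  # 16 digits, fails the checksum

if __name__ == "__main__":
    for name, content in [("export", EXPORT), ("receipt", RECEIPT)]:
        print(name, evaluate(FileEvent("Write", "external", content)))
```

Files shaped like EXPORT and RECEIPT also make useful test fixtures for confirming the deployed rule fires at the configured frequency and stays quiet below it.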

