6.14 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet

Information

Create a secure Data Filtering profile and apply it to all security policies permitting traffic to or from the Internet. The Data Filtering profile may be applied to security policies directly or through a profile group.

Rationale:

A Data Filtering profile helps prevent certain types of sensitive information from traversing an organization's Internet connection, especially in clear text. Detecting and blocking known sensitive information is a basic protection against a data breach or data loss. Not implementing these defenses can lead to loss of regulatory accreditation (such as PCI or HIPAA) or to legal action from injured parties or regulatory bodies.

Before starting, be very aware that Data Filtering will often block data that you didn't anticipate; false positives will definitely occur. Even the prebuilt filters will frequently match on unintended data in files or websites. Work very closely with your user community to ensure that required data is blocked or alerted on while false positive blocks are kept to a minimum. As false positives occur, ensure that your user community has a clear and timely procedure to get the configuration updated.

Solution

Navigate to Objects > Custom Objects > Data Patterns. Add patterns to match the various data that you wish to monitor or make blocking decisions on.
Navigate to Objects > Security Profiles > Data Filtering.
Add a Filtering Profile that matches the data you wish to monitor, with appropriate values for Alert Threshold (typically 20), Block Threshold (typically 0) and Log Severity.
Finally, apply the Filtering Profile to a Security Profile.
Navigate to Policies > Security. Edit all appropriate policies and, for each policy, choose the Actions tab and add the appropriate Data Filtering Policy (either as an individual Profile or as part of a Group Profile).
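
To verify the result of the steps above, the following added example (not part of the benchmark or of any Palo Alto tooling) lists enabled allow rules that touch an Internet-facing zone but carry no Data Filtering profile, either directly or through a profile group. It assumes the element layout of an exported PAN-OS configuration file and an Internet zone named "untrust"; the sample configuration and all rule, zone and profile names in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names assume an exported PAN-OS configuration.
SAMPLE_CONFIG = """<config><devices><entry name="fw"><vsys><entry name="vsys1">
<profile-group>
 <entry name="pg-strict"><data-filtering><member>df-strict</member></data-filtering></entry>
 <entry name="pg-av-only"><virus><member>default</member></virus></entry>
</profile-group>
<rulebase><security><rules>
 <entry name="web-out"><from><member>trust</member></from><to><member>untrust</member></to>
  <action>allow</action><profile-setting><profiles>
   <data-filtering><member>df-strict</member></data-filtering></profiles></profile-setting></entry>
 <entry name="mail-out"><from><member>dmz</member></from><to><member>untrust</member></to>
  <action>allow</action><profile-setting><group><member>pg-strict</member></group></profile-setting></entry>
 <entry name="dns-out"><from><member>trust</member></from><to><member>untrust</member></to>
  <action>allow</action><profile-setting><group><member>pg-av-only</member></group></profile-setting></entry>
 <entry name="vpn-in"><from><member>untrust</member></from><to><member>dmz</member></to>
  <action>allow</action></entry>
 <entry name="lan-to-dmz"><from><member>trust</member></from><to><member>dmz</member></to>
  <action>allow</action></entry>
 <entry name="deny-in"><from><member>untrust</member></from><to><member>any</member></to>
  <action>deny</action></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

def members(node, path):
    """Text of every <member> under `path`, relative to `node`."""
    return {m.text for m in node.findall(path + "/member")}

def rules_missing_data_filtering(config_xml, internet_zones=frozenset({"untrust"})):
    """Enabled allow rules touching an Internet zone that lack a Data Filtering profile."""
    root = ET.fromstring(config_xml)
    # Profile groups that include a Data Filtering profile.
    groups_with_df = {g.get("name") for g in root.findall(".//profile-group/entry")
                      if members(g, "data-filtering")}
    missing = []
    for rule in root.findall(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow" or rule.findtext("disabled") == "yes":
            continue
        zones = members(rule, "from") | members(rule, "to")
        if not zones & (internet_zones | {"any"}):  # "any" also covers the Internet zone
            continue
        direct = members(rule, "profile-setting/profiles/data-filtering")
        via_group = members(rule, "profile-setting/group") & groups_with_df
        if not direct and not via_group:
            missing.append(rule.get("name"))
    return missing

if __name__ == "__main__":
    print(rules_missing_data_filtering(SAMPLE_CONFIG))
```

The check only confirms that a profile is attached; whether the attached profile's patterns and thresholds are adequate still has to be reviewed separately.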

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/17915

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|13.3

Plugin: Palo_Alto

Control ID: b6c10121466b54b4bf533ae15dd07d37c9025370e84edf933d74f5f5fcf0c735