Definition
Described Content Matching (DCM) is the most basic DLP detection technique: pattern-based matching using regular expressions, keyword dictionaries, and structured-format rules. DCM catches credit card numbers (with Luhn validation), SSN-formatted strings, IBANs, and fixed-format identifiers. It's fast to deploy and useful for compliance check-box requirements. The downside is precision: any 9-digit number looks like an SSN, any 16-digit number formatted with spaces looks like a credit card. False-positive rates of 70-95% are typical for DCM-only deployments. The full value of Symantec DLP comes from layering DCM with EDM (exact data matching) and IDM (indexed document matching) to reduce false positives by an order of magnitude.
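A minimal sketch of the DCM approach described above, added here as an illustration and not Symantec DLP's rule syntax or code: regular expressions find candidates, a Luhn check separates card numbers from arbitrary 16-digit strings, and a same-line keyword is the only extra signal for SSN-shaped strings, which carry no checksum. The patterns, keyword list, confidence labels and sample text are constructed assumptions.

```python
import re

# Constructed patterns for illustration; not Symantec DLP's rule syntax.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # NNN-NN-NNNN
KEYWORDS = ("ssn", "social security")            # constructed keyword dictionary


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[tuple[str, str, str]]:
    """Return (rule, matched_text, confidence) for each pattern hit."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        conf = "high" if luhn_ok(digits) else "pattern-only"
        hits.append(("card", m.group(), conf))
    for m in SSN_RE.finditer(text):
        # No checksum exists for SSNs, so look for a keyword earlier on the line.
        line_start = text.rfind("\n", 0, m.start()) + 1
        context = text[line_start:m.start()].lower()
        conf = "high" if any(k in context for k in KEYWORDS) else "pattern-only"
        hits.append(("ssn", m.group(), conf))
    return hits


# Constructed sample content: a test card number, an order ID, SSN-shaped strings.
SAMPLE = (
    "Payment card 4111 1111 1111 1111 on file.\n"
    "Order tracking 1234 5678 9012 3456 shipped.\n"
    "Employee SSN: 078-05-1120\n"
    "Part number 123-45-6789 is back in stock.\n"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

All four strings match their pattern, but only two are supported by a checksum or keyword; a pattern-only policy would raise an incident on the order ID and the part number as well.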
Symantec products that implement this
- Symantec Data Loss Prevention - Discover, monitor, and protect sensitive data across endpoints, network, storage, cloud, and email - the most comprehensive enterprise DLP platform on the market.
Related terms
- DLP (Data Loss Prevention) - Security capability that discovers, monitors, and protects sensitive data across endpoints, networks, storage, cloud, and email.
- EDM (Exact Data Matching) - DLP detection technique that fingerprints structured data sources (databases, CSV exports) and detects exact matches in outbound content.
- IDM (Indexed Document Matching) - DLP detection technique that fingerprints unstructured documents and detects when copies or substantial portions appear elsewhere.
Deep-dives on DCM
- Symantec DLP deployment checklist: 14 things to do before you turn it on - The deployment-readiness checklist nobody publishes - what to settle before the first policy fires. Detection engines, fingerprinting, incid…
- Implementing EDM and IDM in Symantec DLP: fingerprinting that actually works - EDM and IDM are what separate Symantec DLP from cheaper alternatives - and the most under-budgeted parts of every DLP project we see. A prac…