Data loss prevention (DLP) contain a set of policies to enable company to protect sensitive data of the organization. By monitoring email traffic, web protocols, digital media, network traffic, printer, cloud traffic, company can detect, investigate, and block suspicious data leakage either caused by insider threat or external threat.

Due to the complexity of IT environment and the challenges of managing DLP rules, companies may receive hundreds and thousands of DLP alerts per day especially for large organizations. It is very common to see security analyst spending hours triaging and analyzing those alerts. Any DLP alerts that are not properly triaged and responded could cause potential loss to the companies. Here are a few common steps for security analysts to once receiving DLP alerts:

  • Send email to relevant accounts for confirmation
  • Once confirmed, fine-tune DLP policies

Here is an example of a sample confirmation email.

Hi __, 

The DLP team routinely monitors our environment for possible risk of unwanted data loss. During this process, we noticed sensitive data was sent from your account to external parties via email. Would you please let us know if it was sent for business purposes or briefly explain what the purpose is.  

Thanks,

Once the account is confirmed, the security analyst will record the feedback and update the ever-growing DLP policies. Typically, you do want to communicate with the manager first before sending it to the account directly.  

The investigation of DLP alerts become challenging when security analysts are facing hundreds of alerts per day. It took time and cost to investigate each one and it poses a higher risk to miss the important ones.   

Solution:  More intelligence to prioritize, correlate, and more automation to standardize the investigation and response process.  

Developed by security analyst for a security analyst, DTonomy provides an AI-based solution to help you better analyze and respond to DLP alerts:  

  1. Consolidate DLP alerts:

Clients are using different tools for DLP tools such as Symantec or McAfee for endpoint/cloud DLP monitoring and Mimecast for email DLP monitoring or built-in DLP solutions provided by Google or Microsoft for cloud monitoring. The information scattered in different places made it hard to triage DLP alerts. Consolidating them in one place to enable analysts to manage insights across the board saves you time navigating across the different dashboards. 

McAfee, Symantec, mimecast

 

2. Correlate DLP alerts:

Once consolidated, it discovers patterns among alerts to reveal the relationship between different entities. For example, you do not want to send your employees emails 10 times separately regarding similar DLP alerts but arriving at different times from different monitoring systems. Moreover, the pattern helps you build the context for communication.  

DLP Alerts Pattern

 

3. Leverage historical investigation to optimize your security operation process:

Peers’ insights and historical investigation results are great resources for you to optimize your response process. 

DTonomy provides an adaptive risk score that incorporates the historical investigations to dynamically adjust the risk score so that you can focus on important DLP alerts with more accurate risk scores. The ones that we have never seen before will likely have a larger risk score.  

DTonomy adds augmented intelligence such as is this the first time you see this type of alert, how prevalent is this type of threat is. This type of intelligence saves your time conducting an investigation and enables faster conclusions on threat investigation. 

Start measuring the false-positive rates of your DLP alerts and evaluate the common false positives and use that to tune your detection logic. DTonomy brings augmented intelligence to discover patterns in your false positives alerts and suggest how to optimize your detection logic. 

 

4. More automation:

Automations are added along the line of the investigation and response process.  For example, you want to enrich your DLP with information of IP, machine from assets management platform; you want automation to send notifications to users in an automated way, etc. 

One important part of automation is the communication to the right person with the right content.  For example: 

  • If it is PHI, mention to them PHI is in compliance.
  • If it looks like a false positive, send an email to confirm.
  • If you see a trend in the DLP alerts, find the managers and communicate if it is a global issue.

All these communications should be done automatically. 

When you are ready, here are three ways we can help:

  1. Schedule a free consultation here, we can find the best solutions for you
  2. Leverage DTonomy’s AIR platform to manage DLP alerts and start automating today (sign up here)
  3. Too many DLP issues? Manage DLP investigation and response for you with DTonomy’s managed service here

 

DTonomy’s AIR platform

DTonomy’s AIR platform, with built-in automation and AI, enables the security team to handle DLP alerts with best industry practices. To see it in action, check out our demo videos or sign up here for free. Start resolving your DLP alerts 10X faster from today!

We are pleased to announce that DTonomy is now part of Stellar Cyber. The integrated solution will enhance cyber threat detection and response automation!

X