Certain DLP policies are likely to generate a large number of False Positives. The approach described below is helpful for implementing such policies. It is structured in three phases:
Define a policy for Monitoring
The initially created policy may be used for monitoring purposes (e.g. “<Policy name>-Monitor”). The incidents generated by this policy may be analyzed to identify two keyword sets: ‘False Positive’ keywords (terms found in incidents that turned out to be benign) and ‘False Negative’ keywords (terms found in sensitive content the policy did not catch).
The identified keyword sets may then be added to the exception list of the “-Monitor” policy.
Validate the keyword sets
The keyword sets identified in the Monitor phase may be used to create a Validation policy (e.g. “<Policy name>-Validate”) with two rules:
- “<Policy name>-False Positive Keywords rule”
- “<Policy name>-False Negative Keywords rule”
The incidents generated by these rules may be analyzed to validate the keywords, i.e.:
- “<Policy name>-False Positive Keywords rule” must generate False Positives
- “<Policy name>-False Negative Keywords rule” must generate False Negatives
Note: The Validation policies may be deleted at a later stage, along with their associated incidents.
Implement the Validated keyword sets
Once validated, the ‘False Negative’ keyword sets may be used as rules when creating the final policy (in Prevent mode).
The ‘False Positive’ keyword sets may be used as exceptions, if required.
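The three phases above as an added worked example (not part of the original article): a toy keyword-based DLP policy engine in Python with Monitor and Prevent modes, where the Monitor-phase policy is measured against analyst-labelled incidents, and the final Prevent-mode policy carries the validated False Negative keywords as a rule and the validated False Positive keywords as an exception. All keyword sets, sample messages and their labels are constructed for illustration.

```python
# Added example, not from the original article. Toy DLP policy engine modelling
# the Monitor -> Validate -> Implement loop. All keyword sets, sample messages
# and their "is sensitive" labels are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    mode: str                 # "monitor": log matches only; "prevent": block
    rules: dict               # rule name -> set of detection keywords
    exceptions: set = field(default_factory=set)  # keywords suppressing a match

    def evaluate(self, text: str) -> dict:
        words = set(text.lower().split())
        hits = {r: sorted(words & kw) for r, kw in self.rules.items() if words & kw}
        excepted = sorted(words & self.exceptions)
        matched = bool(hits) and not excepted      # any exception wins over rules
        action = "none"
        if matched:
            action = "block" if self.mode == "prevent" else "log"
        return {"policy": self.name, "matched": matched, "action": action,
                "rules": hits, "exceptions": excepted}

def validate(policy: Policy, labelled: list) -> dict:
    # Validate phase: a match on a non-sensitive item is a False Positive,
    # a miss on a sensitive item is a False Negative.
    fp = fn = 0
    for text, sensitive in labelled:
        matched = policy.evaluate(text)["matched"]
        fp += int(matched and not sensitive)
        fn += int(not matched and sensitive)
    return {"false_positives": fp, "false_negatives": fn}

# Constructed incidents as an analyst would label them during the Monitor phase.
SAMPLES = [
    ("quarterly salary report attached", True),
    ("salary survey from public job site", False),  # "survey": False Positive keyword
    ("payroll export for all staff", True),         # "payroll": False Negative keyword
    ("team lunch menu", False),
]
# Phase 1: initial policy in Monitor mode with one broad rule.
MONITOR_POLICY = Policy("HR-Monitor", "monitor", {"Salary rule": {"salary"}})
# Phase 3: final policy in Prevent mode; validated FN keywords become a rule,
# validated FP keywords become an exception.
FINAL_POLICY = Policy("HR", "prevent",
                      {"Salary rule": {"salary"},
                       "HR-False Negative Keywords rule": {"payroll"}},
                      exceptions={"survey"})

if __name__ == "__main__":
    print(validate(MONITOR_POLICY, SAMPLES))  # {'false_positives': 1, 'false_negatives': 1}
    print(validate(FINAL_POLICY, SAMPLES))    # {'false_positives': 0, 'false_negatives': 0}
```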