Data Loss Prevention


Policy Tuning for the SMTP Gateway (Email Prevent a.k.a. Network Prevent for Email) via excluding System & Group IDs 

Apr 05, 2016 11:33 AM

Consultants are hired in the DLP space for several reasons, and improving the detection rate while reducing false positives is one of the most sought-after. For the SMTP gateway, an improved detection rate brings several benefits:

 

(1) Effort saved by the incident management teams

(2) Database space savings (fewer incidents written to the database)

(3) A smaller database means better TTB (time to backup) and TTR (time to restore)

(4) Improved performance of Enforce reporting

 

Overall, in my experience and that of a few long-time consultants in the DLP space, the rate of valid data breach/violation detections on the SMTP gateway is between 3-7% in most environments. Most of the remaining 93-97% unwanted incidents turn out to come from system and group IDs. In other words, how often have you sorted your incidents by top senders, or run the "top 10 or 20 violators" report, and found that group or system IDs top the list? Examples: retirals_documents@anycompany.com, systemadmin_alert@anycompany.com, or even something like vendorname_helpdesk@anycompany.com. More often than not these make up more than 5-% of the false detections, which are then dismissed after the first review by the incident response teams.

 

Group ID (as I use the term) = an email address with sending rights that is shared and used by two or more members of a team to send email

System ID (as I use the term) = an email address configured directly into tools and systems, which send preconfigured alerts, traps and texts on a schedule or trigger

 

Knowing this gives us several options. The approach below will vary with the sensitivity of the data involved, but it describes an average case:

 

(1) List all SMTP incidents in the database grouped by sender, sort by the total column and export to Excel

(2) Remove all senders whose total is less than 100 (a starting threshold; adjust it to the volume of your environment)

(3) Keep only System and Group IDs such as Administrator@abc.com, helpdesk_1@abc.com, etc., and remove all individual users such as scott.tiger@abc.com, tom.best@abc.com

 

The result is our candidate list of System and Group IDs. It needs further filtering before it is finalised; keep a sender on the list only if:

 

(1) No valid violation has previously been detected from this sender

(2) For a Group ID: the supervisor, lead or team manager is also a member of the group

(3) For a System ID: email is sent only by the tool or system itself, and its password is not shared with anyone other than the custodian/owner
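As an added worked example (not part of the original post, and not a Symantec DLP tool), the following Python script carries out both filtering passes above on an exported incident list: it aggregates incidents per sender, drops senders below the volume threshold, drops addresses that look like individual users, and drops any sender that has ever produced a valid detection. The constructed sample rows, the "Dismissed"/"Confirmed Violation" status labels, and the firstname.lastname heuristic for individual mailboxes are assumptions; adapt them to the columns and status values of your own Enforce export. The remaining criteria (supervisor membership of a Group ID, password custody of a System ID) cannot be read from incident data, so they are printed as a manual checklist against each candidate.

```python
import re
from collections import defaultdict

# Heuristic for a personal mailbox (scott.tiger@, tom-best@): an assumption about
# the naming convention, not something the DLP product knows.
INDIVIDUAL_RE = re.compile(r"^[a-z]+(?:[.-][a-z]+)+@", re.IGNORECASE)

# Incident statuses that count as a valid detection. Assumed labels: match them
# to the status values your Enforce export actually contains.
VALID_STATUSES = {"Escalated", "Confirmed Violation"}


def is_individual(sender):
    """True when the address looks like an individual user rather than a System/Group ID."""
    return INDIVIDUAL_RE.match(sender) is not None


def aggregate(rows):
    """Collapse (sender, status) incident rows into per-sender totals, the
    equivalent of the 'group by sender, sort by total' step in the Enforce UI."""
    stats = defaultdict(lambda: {"total": 0, "valid": 0})
    for sender, status in rows:
        key = sender.strip().lower()
        stats[key]["total"] += 1
        if status in VALID_STATUSES:
            stats[key]["valid"] += 1
    return dict(stats)


def candidate_exceptions(rows, min_total=100):
    """Return [(sender, total), ...] for senders that survive all three automated
    filters: volume >= min_total, not an individual user, never a valid detection."""
    survivors = []
    for sender, s in aggregate(rows).items():
        if s["total"] < min_total:       # step 2: too few incidents to matter
            continue
        if is_individual(sender):        # step 3: individual users are never excluded
            continue
        if s["valid"] > 0:               # final-list criterion 1: real violations seen
            continue
        survivors.append((sender, s["total"]))
    survivors.sort(key=lambda t: (-t[1], t[0]))
    return survivors


def _incidents(sender, total, valid=0):
    """Constructed sample data: `total` incidents for `sender`, `valid` of them confirmed."""
    rows = [(sender, "Confirmed Violation")] * valid
    rows += [(sender, "Dismissed")] * (total - valid)
    return rows


# Constructed export standing in for a real Enforce incident report.
SAMPLE_EXPORT = (
    _incidents("systemadmin_alert@anycompany.com", 240)
    + _incidents("retirals_documents@anycompany.com", 180)
    + _incidents("vendorname_helpdesk@anycompany.com", 150, valid=2)  # has had real hits
    + _incidents("payroll_team@anycompany.com", 60)                   # under the threshold
    + _incidents("scott.tiger@anycompany.com", 130)                   # individual user
    + _incidents("tom.best@anycompany.com", 45)
)

# Criteria that need a human: they are not visible in incident data.
MANUAL_CHECKS = (
    "Group ID: supervisor/lead/team manager is a member of the group",
    "System ID: mail is sent only by the tool itself; password known only to the custodian/owner",
    "Policy scope: do not add the exception to IP or PCI policies",
)

if __name__ == "__main__":
    for sender, total in candidate_exceptions(SAMPLE_EXPORT):
        print(f"{sender}: {total} incidents, 0 valid -> candidate for Sender Pattern exception")
        for check in MANUAL_CHECKS:
            print(f"    [ ] {check}")
```

On the constructed data only systemadmin_alert@ and retirals_documents@ survive: vendorname_helpdesk@ is dropped because it has produced confirmed violations, payroll_team@ is under the threshold, and the two individual mailboxes are never candidates regardless of volume. In practice, point `aggregate()` at the rows of your real export and keep the printed checklist with the change request for each exception.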

 

Once the final list is available, we can create Sender/Recipient Patterns (available from v12 onwards) and add them as exceptions to policies. Which policies receive the exception depends on the trustworthiness of the custodian or owner, the outcome of the filtering above, and the overall severity of the data detected and controlled by the policy. For example, do not add such exceptions to a policy that protects intellectual property or PCI data. Remember that every exception is a blind spot: keep the list short, record the owner of each entry, and re-validate it periodically, in particular when the custodian or the password of a System ID changes.

 

Let me know what you think about this, whether you like it or you don’t. Thank you for reading. Happy Data Protection!!!
