
False Positives -> Policy Modification

Created: 13 Jun 2011 | 5 comments
TLH

Do you know of a way to have policies ignore events that have already been reviewed and marked as false positive?

Here is my situation:

1. DLP is configured to look for something. PCI is the best example. It does great at finding a credit card number, then telling me it found it. If it matters, let us just say we are using the DISCOVER agent.

2. I log in and nod my head that, yes, in fact DLP found a number that looks like a credit card. In some cases I validate that it IS actually a credit card and in other cases I tell it, NO, that is a false positive. In our environment we have files that could contain a number that looks like a credit card and contains other data like dates, so I'm having a hard time reducing the false positives to make the policy worthwhile.

3. The next time the DISCOVER agent rolls along it finds the same file again and tells me, again, that it found a credit card number.

I want to mark the event as a false positive and have DLP check the database and not alert me the next time it finds the same false positive. 


xlloyd

Does this happen for both Network and Endpoint Discover? I can see why this would happen with endpoint as it does all the scanning on the actual computer and since it would have to store a hash of every file ever scanned, the program would start sucking up a LOT more space and memory.

I'd be surprised if that's how Network Discover worked. I don't have extensive experience with any of the storage products though so I really can't comment.

What would be cool is if the Endpoint server could automatically mark them as false positive rather than having the agent do it. That'd take the memory and processing off the endpoint itself and onto the endpoint server (which doesn't do nearly as much processing as any of the other servers come to think of it).

If this post has helped you, please vote up or mark as solution
yang_zhang

In your scenario, if there are 100 credit card incidents found, and you found out that there are 10 false positives among these 100 incidents, then you want to add these 10 as exceptions.

But I don't think the DLP can do this until now. Maybe you can try to modify the policy.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
Lippi

The best you can do right now is just tune the policy.

The credit card default policy has various settings to restrict the detection; maybe this helps you.

Tim Deese

In your DLP policy, if you set an exclusion that triggers a match at detection time, detection will stop for that policy on that item (file/email/etc.). Other policies will still be evaluated, and the policy with that exclusion will still be evaluated on future detections, but it won't trigger an Incident for that detection.

So, for example, if you wrote a simple keyword policy looking for 'abc' and then added a keyword exclusion looking for 'def', that policy would not trigger an incident on a file with 'abc def' in the contents.

Tim Deese

Principal Business Critical Engineer

Data Loss Prevention

Bill.Hayes

If a bad guy knows that you use exclusions for things like false positives for credit card numbers, and he or she knows the exclusions, then they can exploit the policy to send out valid credit card numbers in a list containing both the valid CCNs and the exclusions.
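The exclusion semantics Tim Deese describes and the caveat Bill.Hayes raises, modelled side by side in a small script added here (it is not Symantec DLP code, and the detector, exclusion keyword and sample items are all constructed; the card numbers are public test numbers, not real accounts). It contrasts a keyword exclusion with the per-item "reviewed false positive" suppression the question asks for.

```python
import hashlib
import re

# Constructed sample items (card numbers are public test numbers, not real accounts).
REPORT = "Part serial 4111111111111111 inspected 2011-06-13"  # reviewed false positive
EXFIL = "inspected: 5555555555554444"                           # real card plus exclusion word

CANDIDATE_RE = re.compile(r"\b\d{13,16}\b")


def luhn_ok(number: str) -> bool:
    """Luhn check-digit validation, the usual filter for card-number lookalikes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Detection rule: 13-16 digit runs that pass the Luhn check."""
    return [m for m in CANDIDATE_RE.findall(text) if luhn_ok(m)]


def evaluate_with_exclusion(text: str, exclusion_keyword: str) -> list[str]:
    """Exception as described in the thread: if the exclusion matches, detection
    stops for this policy on this item, so no incident is raised for it."""
    if exclusion_keyword.lower() in text.lower():
        return []
    return find_cards(text)


def content_fingerprint(text: str) -> str:
    """Hypothetical reviewed-item key: SHA-256 of the item's exact content."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def evaluate_with_reviewed_set(text: str, reviewed: set[str]) -> list[str]:
    """What the question asks for: suppress only items whose exact content
    was already reviewed and marked as a false positive."""
    if content_fingerprint(text) in reviewed:
        return []
    return find_cards(text)


REVIEWED = {content_fingerprint(REPORT)}

if __name__ == "__main__":
    print("exclusion:", evaluate_with_exclusion(REPORT, "inspected"), evaluate_with_exclusion(EXFIL, "inspected"))
    print("reviewed :", evaluate_with_reviewed_set(REPORT, REVIEWED), evaluate_with_reviewed_set(EXFIL, REVIEWED))
```

The keyword exclusion silences both items, including the one carrying a valid card, while the fingerprint set silences only the item that was actually reviewed.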