Data Loss Prevention

  • 1.  Prioritizing DLP Incidents

    Posted Aug 26, 2013 08:52 AM

    I am interested in knowing if anyone has a good idea about how to prioritize DLP incidents. For all incidents received from other tools (such as SIEM) we have created a calculator that asks 5 simple questions that result in a score which translates into a severity (Critical, High, Medium, etc).

    Given the unique nature of DLP incidents, the above-mentioned questionnaire will not work effectively. Does anybody have a good, generic mechanism with which to prioritize DLP incidents?



  • 2.  RE: Prioritizing DLP Incidents

    Posted Aug 26, 2013 01:25 PM

    Good question.  This is something that I feel has been challenging within DLP for a long time.  The "built in" feature for assigning a severity of High, Medium, Low, or Info based only on match count is somewhat limiting, in my opinion. 

    I dealt with this a while back by creating a more complex "risk model" for DLP based on weighting attributes of an incident differently.  I created weighting based on several attributes:

    • Policy
    • Protocol
    • Match Count
    • Custom Attributes (i.e. "Department")
    • Correlations (to other incidents, for instance)
    • Recipient attributes (number of recipients, number of recipient domains, etc).

    In this way, I was able to assign a total risk score for an incident (on a 1 to 100 scale), which would enable you to focus review and remediation efforts based on the overall risk score.  A PCI incident over email from Accounts Payable, for instance, might get a lower ranking than a PCI incident to a removable storage device from the Customer Service department, though the match count is the same.

    With my model defined, I was then able to create code which I integrated into DLP as a custom plugin so that all incidents would get evaluated against this and assigned a risk score as a custom attribute.  Actually, I built this all into an Excel spreadsheet that would create the code based on the answers in my model, so I could adjust it "on the fly" if I wanted to make changes.

    To answer your question, a "generic" model would be just to base severity on match count, such as you already have available to you within DLP.  Anything beyond that is really going to depend on your company's requirements, for which I recommend setting up a weighting algorithm such as I have described above.

    Hope that's helpful to you.

    Regards,

    ~Keith



  • 3.  RE: Prioritizing DLP Incidents

    Trusted Advisor
    Posted Aug 27, 2013 02:09 AM

    Hi

    I dealt with that specifically for network incidents a few months ago. And you can also add some end user behaviour in your risk score, like date/time when the incident happens // sent or copied to a personal mailbox/USB key // attempt to bypass DLP (attachment filename extension modified, "suspicious" email subject, ....) // ...

    End user behaviour is really efficient for that, but it also depends on the type of population your DLP solution is covering (technical, commercial, R&D, ....) and the country they live in (because people's culture is definitely different, and the way they "feel" data protection too (not sure "feel" is the right term for that, but I hope you understand what I mean)).

    Regards.


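A worked illustration of the weighted risk model Keith describes in reply 2, extended with the end-user behaviour signals from reply 3. This is added example code, not the poster's model or any DLP product's plugin API; every attribute value, weight, threshold and sample incident below is an assumed placeholder, since the thread only names the attribute categories.

```python
"""Weighted DLP incident risk score on a 1..100 scale (constructed example)."""
from dataclasses import dataclass, field

# Assumed points per attribute value; values not listed contribute 0.
POLICY_WEIGHT = {"PCI": 30, "PII": 25, "Source Code": 20, "Acceptable Use": 5}
PROTOCOL_WEIGHT = {"Removable Storage": 25, "HTTP": 20, "SMTP": 15, "Print": 10}
DEPARTMENT_WEIGHT = {"Accounts Payable": 5, "Customer Service": 15, "Engineering": 10}
# Behaviour signals from reply 3: off-hours activity, personal mailbox/USB key,
# attempts to bypass DLP such as a modified attachment extension.
BEHAVIOUR_WEIGHT = {"off_hours": 10, "personal_destination": 15, "extension_mismatch": 20}


@dataclass
class Incident:
    policy: str
    protocol: str
    match_count: int
    department: str = ""          # custom attribute, as in Keith's list
    correlated_incidents: int = 0  # correlations to other incidents
    recipients: int = 1
    recipient_domains: int = 1
    behaviours: list = field(default_factory=list)


def score_incident(inc: Incident) -> int:
    """Sum the weighted attributes and clamp to the 1..100 scale from the thread."""
    score = POLICY_WEIGHT.get(inc.policy, 0)
    score += PROTOCOL_WEIGHT.get(inc.protocol, 0)
    score += DEPARTMENT_WEIGHT.get(inc.department, 0)
    # Match count is capped so a huge count cannot swamp the other attributes.
    score += min(inc.match_count // 10, 15)
    score += min(inc.correlated_incidents * 5, 15)
    score += min((inc.recipients - 1) * 2, 10)
    score += min((inc.recipient_domains - 1) * 5, 10)
    score += sum(BEHAVIOUR_WEIGHT.get(b, 0) for b in inc.behaviours)
    return max(1, min(score, 100))


def severity(score: int) -> str:
    """Map a numeric score to the labels used in the original question."""
    if score >= 75:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


def rank_incidents(incidents: list) -> list:
    """Order a review queue by descending risk score instead of raw match count."""
    return sorted(incidents, key=score_incident, reverse=True)
```

With these weights Keith's own comparison comes out as he describes: a PCI incident over SMTP from Accounts Payable with 50 matches scores 55 (High), while the same 50 matches going to removable storage from Customer Service score 75 (Critical).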


  • 4.  RE: Prioritizing DLP Incidents

    Posted Aug 27, 2013 01:26 PM

    Keith,


    Would you be able to share that model? We are facing the same issues and also understand that a priority model based on match counts only is pretty limited. The weighted model is something that I always liked about RSA DLP and wondered why SYMC never introduced it into their tool.


    Thank you,



  • 5.  RE: Prioritizing DLP Incidents

    Posted Aug 27, 2013 02:37 PM

    Tim -

    I suppose that part of the answer to why it has never been introduced into the tool is that there are options with regards to building and integrating modules to do this type of thing, as I described in my post.  Biggest limiting factor of this approach, in my opinion, is the fact that you can't base remediation (via response rules) on the outcome of the weighting.

    With regards to sharing the model, it's actually a product/service offering I can provide if you would like to engage with us in a project. Would be happy to scope that out with you, just PM me in here with your contact details and we can discuss.

    Regards,

    ~Keith