Wading Through the DLP Incident Swamp
Any company that has toiled through an extensive data loss prevention (DLP) technology implementation will find that the real work is just starting.
Not long after deployment and the configuration of initial policies, solutions often start throwing off more events than the designated handlers can reasonably manage. When this happens, DLP vendors point to the need for policy tweaking to “tune out” (or at least tune down) the chatter. While policy adjustment is a requirement across many security tools, DLP included, fine-tuning is easier said than done.
Until recently, the only options were to engage in a serious and extended policy tuning exercise – or learn to live with incident overload. One company is hoping to change that. The Data Exfiltration Intelligence application from Securonix is designed to take DLP incident logs (among data from other solutions) and automatically uncover and rank the most critical incidents. From a recent press release:
The Securonix solution mines DLP events, proxy logs, printer logs and performs automated analytics on them including identity correlation, recipient analysis, sentiment analysis, behavior analysis, peer group analysis and other techniques to identify data exfiltration threats tied to specific or multiple events. The application automatically monitors for users that show flight risk behavior, high privileged access, and any sensitive data access. Each DLP event is dynamically risk ranked as Securonix continuously updates the user-centric threat model based on new user activity or changes in their identity and access risk profiles.
We can’t comment on the effectiveness of the solution; however, it’s an interesting proposition. Our preferred approach would be a well-planned, phased policy creation process that addresses key sensitive data, piece by piece. Still, even after successfully creating well-tuned and accurate policies, the Securonix solution may prove beneficial.
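To make the idea of user-centric risk ranking concrete, here is an added toy example (our own illustration, not Securonix code and not a description of how their product scores events). It assumes a small constructed identity directory (department, privileged flag, flight-risk flag), a constructed set of DLP events across email, USB and print channels, and three of the analytics the press release names: recipient analysis, identity correlation and peer-group analysis. Each event gets a combined score, the events are ranked, and a change to a user's identity profile re-ranks them, which is the "dynamic" part.

```python
"""Toy user-centric risk ranking of DLP events (constructed example, not vendor code)."""
from statistics import median

# Constructed identity directory: account -> attributes an identity correlation
# step would normally pull from HR and IAM systems. Names and flags are made up.
IDENTITIES = {
    "jdoe":   {"dept": "finance", "privileged": False, "flight_risk": False},
    "asmith": {"dept": "finance", "privileged": False, "flight_risk": True},   # resignation on file
    "rlee":   {"dept": "finance", "privileged": True,  "flight_risk": False},
    "mkhan":  {"dept": "eng",     "privileged": False, "flight_risk": False},
}

INTERNAL_DOMAINS = {"example.com"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}

# Constructed DLP events (email, removable media, print); not real log data.
EVENTS = [
    {"id": 1, "user": "jdoe",   "channel": "email", "recipient": "audit@example.com",   "data_class": "pii",       "bytes": 20_000},
    {"id": 2, "user": "asmith", "channel": "email", "recipient": "asmith99@gmail.com",  "data_class": "financial", "bytes": 5_000_000},
    {"id": 3, "user": "rlee",   "channel": "usb",   "recipient": None,                  "data_class": "financial", "bytes": 800_000},
    {"id": 4, "user": "mkhan",  "channel": "print", "recipient": None,                  "data_class": "internal",  "bytes": 50_000},
    {"id": 5, "user": "jdoe",   "channel": "email", "recipient": "payroll@example.com", "data_class": "pii",       "bytes": 15_000},
]

# Weight of the DLP policy's data classification; unknown classes get 1.
DATA_CLASS_WEIGHT = {"internal": 0, "pii": 2, "financial": 3}


def recipient_score(event):
    """Recipient analysis: where is the data going?"""
    if event["recipient"] is None:
        # No addressee: removable media is harder to audit than a print job.
        return 2 if event["channel"] == "usb" else 1
    domain = event["recipient"].rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return 0
    if domain in PERSONAL_WEBMAIL:
        return 3
    return 2  # some other external domain


def identity_score(user, identities):
    """Identity correlation: flight risk and privileged access raise the stakes."""
    ident = identities.get(user)
    if ident is None:
        return 3  # account not in the directory: cannot be correlated, treat as high risk
    return (2 if ident["flight_risk"] else 0) + (1 if ident["privileged"] else 0)


def peer_group_score(event, events, identities):
    """Peer-group analysis: event volume relative to the department's median volume."""
    dept = identities.get(event["user"], {}).get("dept")
    peer_bytes = [e["bytes"] for e in events
                  if identities.get(e["user"], {}).get("dept") == dept]
    if dept is None or len(peer_bytes) < 2:
        return 0  # no usable baseline for this user
    baseline = median(peer_bytes)
    if baseline == 0:
        return 0
    ratio = event["bytes"] / baseline
    if ratio >= 10:
        return 3
    if ratio >= 3:
        return 2
    return 0


def score_event(event, events, identities=IDENTITIES):
    """Combine the partial scores into a single risk score for one event."""
    return (recipient_score(event)
            + DATA_CLASS_WEIGHT.get(event["data_class"], 1)
            + identity_score(event["user"], identities)
            + peer_group_score(event, events, identities))


def rank_events(events, identities=IDENTITIES):
    """Return event ids ordered from most to least risky (ties broken by id)."""
    scored = [(score_event(e, events, identities), e["id"]) for e in events]
    return [eid for _, eid in sorted(scored, key=lambda s: (-s[0], s[1]))]


def rerank_after_identity_change(events, identities, user, **changes):
    """Re-rank the same events after the user's identity profile changes
    (for example, HR records a resignation); the original directory is not modified."""
    updated = {u: dict(attrs) for u, attrs in identities.items()}
    updated[user].update(changes)
    return rank_events(events, updated)


if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], e["user"], e["channel"], score_event(e, EVENTS))
    print("ranked:", rank_events(EVENTS))
    print("after mkhan gives notice:",
          rerank_after_identity_change(EVENTS, IDENTITIES, "mkhan", flight_risk=True))
```

The point of the exercise is not the weights, which are arbitrary here, but the shape of the pipeline: the same DLP event (a finance user emailing a large financial file) lands at the top or the bottom of the queue depending on context the DLP policy itself never sees, such as the recipient domain, the user's departure notice, or how far the volume sits from the department baseline. Handlers still need well-tuned policies underneath; the ranking only decides which of the resulting incidents are looked at first.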