How to configure DLP and not to overlook a leak
30.08.2021
How efficient are DLP systems with preset configurations? Can a system be configured once and for good? Why does a system see violations where there are none? Here we'll tell you how to teach your DLP to discover security threats with a minimum of errors.
DLP monitors all user actions at their workstations, and that is a huge amount of data. To recognise an incident in such a data flow, the system has to be guided by configured information security policies. But those who have just begun working with the system aren't fully aware of its every setting.
Let’s try to figure out what to do step by step.
Rely on a vendor
Any DLP has a number of preset policies covering the most ubiquitous threats. They allow the system to be launched immediately, as an out-of-the-box solution. A standard set of policies includes rules that scan data for signs of common violations, for example, kickbacks, spying for a competitor, copying of confidential documents. There are also policies that discover users posing a bigger risk to a company than others might: these can be employees with addictions or debts, or propagators of extremism.
Vendors develop separate sets of policies for companies in various industries. It is convenient and to a certain extent reliable: experienced developers have accumulated sufficient expertise, they learn something new from every client they work with and know what problems are the most pressing ones.
For example, security policies for banks will exert more control over the circulation of financial documents and customer account data. For retailers - information about product “leftovers”, commercial offers, suppliers. For production workers - technical documentation.
The SearchInform solution has over 300 preset security policies suitable for different companies. And if a business needs protection against a specific threat, our experts will create a policy cut to fit, tailoring it free of charge for a customer with an individual request.
If not tailored to suit a customer’s needs, the preset policies do not take into account the specifics of a particular company. Therefore, the system can give a false alarm.
For example: a standard policy for finding gambling addicts would consider it an incident every time someone uses the word "bet". This will work great, for example, in metallurgy: there is no such word in the working slang, so whoever discusses bets is more likely a regular at a bookmaker's. But for a betting website, where this term is part of the job, the policy will obviously give too many false alerts.
To prevent this from happening, standard policies need to be adjusted taking into account the intricacies of your company's business processes. Here's what you need to do:
- for policies controlling correspondence with external recipients – add the domain address of corporate email in the exceptions (whitelist it), so that the internal correspondence between employees doesn’t trigger security policies. By default, "@company.com" appears in the settings instead.
- for policies controlling communication with competitors – blacklist domain addresses of corporate email belonging to unwanted organisations. Then the system will automatically notify about all incoming and outgoing emails with these addresses.
- for policies searching for documents with confidentiality stamps – specify the words and abbreviations that are used in the company to denote confidential documents. By default, there is such a list in the system, but you need to make sure that all the tags used in the company are present there.
- for policies controlling forwarding of a client/employee database – load the lists that will serve as a base for detecting attempts to leak databases fully or in parts. In the settings of such policies, there are sections where you need to add this data, but by default they are empty. Policies won't work without them.
- for policies monitoring user loyalty, discussion of top management – add the names and nicknames of the management.
- for policies controlling visits to sites/use of programs and applications – set exceptions for different groups of employees. For example, if an employee searches for vacancies on the Internet, the system will consider this an incident. But for HR professionals, visiting job search sites is one of their tasks. In order not to receive a pile of false alarms, you need to whitelist the HR department.
- for policies searching for correspondence touching upon a certain subject – correct the dictionaries of "red flag" words to exclude coincidence with professional terms and slang.
Policies that you don't need can be disabled or removed.
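The adjustments in the checklist above are, in the end, attribute conditions and exception lists attached to each preset policy. The following is an added illustration, not code from the page or from the SearchInform product: four of the presets are modelled as small rule functions over constructed events, with the corporate domain, competitor domains, stamp words, job-site hosts and the HR exemption all being assumed values. The `false_positives_without_whitelist` function shows the effect of skipping the very first step (whitelisting the corporate mail domain).

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real data); names, domains and departments are assumptions.
@dataclass
class Event:
    user: str
    department: str
    channel: str            # "email" or "web"
    sender: str = ""
    recipients: tuple = ()
    subject: str = ""
    url: str = ""

CORPORATE_DOMAIN = "example-corp.com"                            # assumed corporate mail domain
COMPETITOR_DOMAINS = {"rival-inc.example", "other-co.example"}  # assumed blacklist
STAMP_WORDS = {"confidential", "trade secret", "internal only"}  # assumed stamp vocabulary
JOB_SITES = {"jobs.example", "careers.example"}                  # assumed job-search hosts
JOB_SITE_EXEMPT = {"HR"}                                         # departments whitelisted for job sites

def mail_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].lower()

def external_correspondence(e, whitelist=(CORPORATE_DOMAIN,)):
    """Mail to any recipient outside the whitelisted domains. With an empty whitelist,
    every internal message fires the policy, which is the false-positive flood the text describes."""
    return e.channel == "email" and any(mail_domain(r) not in whitelist for r in e.recipients)

def competitor_contact(e):
    """Any mail where the sender or a recipient belongs to a blacklisted organisation."""
    return e.channel == "email" and any(mail_domain(p) in COMPETITOR_DOMAINS
                                        for p in (e.sender, *e.recipients))

def confidential_stamp(e, stamps=STAMP_WORDS):
    """Subject line carries one of the company's confidentiality markings."""
    return e.channel == "email" and any(s in e.subject.lower() for s in stamps)

def job_site_visit(e, exempt=JOB_SITE_EXEMPT):
    """Visit to a job-search site, ignoring departments whose job it is to visit them."""
    return e.channel == "web" and e.department not in exempt and host_of(e.url) in JOB_SITES

POLICIES = {
    "external_correspondence": external_correspondence,
    "competitor_contact": competitor_contact,
    "confidential_stamp": confidential_stamp,
    "job_site_visit": job_site_visit,
}

def run(events, policies=POLICIES):
    """Return {policy name: [user, ...]} for every policy that fired."""
    hits = {}
    for e in events:
        for name, rule in policies.items():
            if rule(e):
                hits.setdefault(name, []).append(e.user)
    return hits

EVENTS = [
    Event("alice", "Finance", "email", "alice@example-corp.com",
          ("bob@example-corp.com",), "Q3 budget draft"),
    Event("bob", "Sales", "email", "bob@example-corp.com",
          ("partner@rival-inc.example",), "Price list - Strictly confidential"),
    Event("carol", "HR", "web", url="https://jobs.example/candidates"),
    Event("dave", "Sales", "web", url="https://jobs.example/vacancies?q=sales"),
]

def false_positives_without_whitelist(events=EVENTS):
    """Internal mail flagged as external when the corporate domain is not whitelisted."""
    return sum(1 for e in events
               if external_correspondence(e, whitelist=()) and not external_correspondence(e))

if __name__ == "__main__":
    for name, users in run(EVENTS).items():
        print(f"{name}: {', '.join(users)}")
    print("internal mails flagged without the whitelist:", false_positives_without_whitelist())
```

Alice's internal message is the one that only fires when the whitelist is empty; Carol's visit to the job site is silent because HR is exempt, while Dave's identical visit is reported. Every list here (`STAMP_WORDS`, `JOB_SITES`, `JOB_SITE_EXEMPT`) is the kind of company-specific data the checklist says the preset cannot know on its own.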
Finally, you need to set up a schedule for running security policy checks and configure the alerts. Critical policies should be reviewed frequently to ensure that no incident is overlooked.
Get rid of false positives and blind spots
After the initial configuration, observe how the policy works: how effectively it discovers incidents and what the percentage of false alarms is. If the result is not satisfactory, it's worth adjusting the policy criteria or creating new rules for finding violations.
To narrow down the scope of work for security policies, you need to register additional conditions and ways to search for incidents in their settings. The criteria should answer the questions of what, where and how to look for a potential violation. For example, we are looking for commercial offers in the personal email of employees through "search by similar".
Search methods are chosen depending on what you need to find:
• Search by phrase – allows you to search for both individual words and phrases. And not only by an exact match, but also taking into account the morphology and the distance between words within the phrase.
• Search by dictionary – allows you to search for documents and correspondence with a mention of a specific subject. It takes into account not only the searched word, but also its synonyms within a given topic. You can use preset dictionaries or create your own.
• Search by attribute – searches for information by parameters such as account name, computer name, IP address of the document/message author, file format, recipient or sender name, etc., depending on the channel through which this information is transferred.
• Search by regular expression – allows you to search for information that is always written in accordance with certain rules. Such a tool is useful when looking for personal data, phone numbers, credit card numbers, etc. Combined regular expression search allows you to find complex datasets such as customer databases or employee lists. To do this, you need to set several regular expressions, for example, full name + phone number + email.
• Search by similar – allows you to find documents that are similar to the original, not only in format, but also in meaning. It is taken into account that the text may have been changed, some words have been replaced, and some are spelled differently. When searching, you need to set a "standard" – a document with which all others will be compared, and a percentage of similarity (relevance), which will filter the results.
To make your security policy more precise, create a complex query. The system will analyse the detected information based on several conditions at once. For example, in the SearchInform solution it looks like this:
The information security department or a specialist looks for documents similar to a shareholder's questionnaire (search by similar) in attachments in all email except corporate email, in Skype, instant messengers and social networks, as well as among documents larger than 3 pages that are sent to print (6 different searches by attribute). Query logic is specified using the "and", "or", "not" operators.
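To make the search methods and the complex query concrete, here is an added example, not code from the page or from the SearchInform product. It implements two of the search methods described above (the combined regular expression "full name + phone number + email" for catching database rows, and a word-trigram Jaccard similarity standing in for "search by similar" with a relevance threshold), then composes the shareholder-questionnaire query above with `and`, `or`, `not` combinators over channel and page-count attributes. The channel names, the questionnaire "standard" and the sample events are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real data). "channel" names are assumptions.
@dataclass
class Event:
    channel: str        # "corporate_email", "personal_email", "skype", "messenger", "social", "print"
    text: str           # text extracted from the message or attachment
    pages: int = 1      # page count, meaningful for the "print" channel

# --- Search by regular expression: a combined pattern (full name + phone + email) on one record ---
NAME = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def customer_db_rows(text):
    """Count lines that carry all three fields, i.e. look like rows of a contact database."""
    return sum(1 for line in text.splitlines()
               if NAME.search(line) and PHONE.search(line) and EMAIL.search(line))

# --- Search by similar: word-trigram Jaccard similarity against a "standard" document ---
def shingles(text, k=3):
    words = re.findall(r"\w+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(text, standard):
    a, b = shingles(text), shingles(standard)
    return len(a & b) / len(a | b) if a and b else 0.0

# --- Query combinators: the "and", "or", "not" operators over attribute and content conditions ---
def channel_in(*names): return lambda e: e.channel in names
def pages_over(n): return lambda e: e.pages > n
def similar_to(standard, relevance): return lambda e: similarity(e.text, standard) >= relevance
def has_db_rows(min_rows): return lambda e: customer_db_rows(e.text) >= min_rows
def all_of(*conds): return lambda e: all(c(e) for c in conds)
def any_of(*conds): return lambda e: any(c(e) for c in conds)
def not_(cond): return lambda e: not cond(e)

# Constructed "standard": a shareholder questionnaire template used as the reference document.
STANDARD = ("Shareholder questionnaire. Full name of shareholder. Number of shares held. "
            "Registered address of shareholder. Bank account for dividend payments.")

POLICIES = {
    # similar to the questionnaire, sent through any channel except corporate email,
    # or sent to print as a document longer than 3 pages
    "shareholder_questionnaire": all_of(
        similar_to(STANDARD, relevance=0.5),
        any_of(
            all_of(channel_in("personal_email", "skype", "messenger", "social"),
                   not_(channel_in("corporate_email"))),
            all_of(channel_in("print"), pages_over(3)),
        ),
    ),
    # a contact database (at least two name+phone+email rows) leaving through a non-corporate channel
    "customer_db_leak": all_of(has_db_rows(2), not_(channel_in("corporate_email"))),
}

def evaluate(events, policies=POLICIES):
    """Return the list of (policy name, event index) pairs that were triggered."""
    return [(name, i) for i, e in enumerate(events) for name, rule in policies.items() if rule(e)]

EVENTS = [
    Event("personal_email", STANDARD.replace("held", "owned")),   # edited copy, external channel
    Event("corporate_email", STANDARD),                            # same document, internal mail
    Event("print", STANDARD, pages=5),                             # long print job
    Event("print", STANDARD, pages=2),                             # short print job, not covered
    Event("personal_email", "Ivan Petrov, +7 495 123-45-67, ivan.petrov@example.com\n"
                            "Anna Sidorova, +7 495 765-43-21, anna.sidorova@example.org\n"),
    Event("messenger", "Lunch menu for Friday: soup, salad and pasta."),
]

if __name__ == "__main__":
    for name, i in evaluate(EVENTS):
        print(f"{name}: event {i} ({EVENTS[i].channel})")
```

The edited questionnaire still scores 0.7 against the standard, so the relevance threshold of 0.5 tolerates the replaced word, exactly the "some words have been replaced" case the search-by-similar description mentions; the same document through corporate email, or printed at two pages, is filtered out by the attribute conditions rather than by content. Commercial DLP similarity engines are more elaborate than a trigram Jaccard, but the threshold-plus-standard interface is the same.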
The more subtleties a policy takes into account, the "narrower" its focus is: the number of false positives will tend towards zero, but the filter can become too selective and start missing real incidents. Therefore, it is important not to overdo it.
For example: at a factory which supplies parts to the defense industry, DLP was configured to control the forwarding of documents. The drawings were top secret, so we looked for all cases when .dwg files were sent to personal email boxes. With these parameters, the security policy became more accurate and detected all corresponding incidents without any problems. But leaks could still happen as soon as employees saved drawings as .pdf – the system did not "see" them.
At the same time, it is clear that there are many .pdf documents in the company, and only a few drawings among them. If the security policy were configured to detect .pdf, an information security specialist would be drowning in notifications. Instead, the security department decided to accept the risk and continued to use "narrow" policies. If a low number of false alarms is the priority, then it's the right choice.
Only those security policies which look for unambiguous incidents are free of false positives. For example, a policy controlling copying to removable media will always give a clear result: a user either copied the files to a flash drive or didn't. When policies look for indirect indicators of a violation, mistakes are possible: both an employee accepting kickbacks and a respectable employee who simply has a birthday can discuss gifts on social media.
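The factory example is a trade-off that can be measured. Below is an added illustration (not the factory's configuration and not the product's code) that scores three candidate rules over a constructed, labelled set of transfers: the "narrow" rule the factory used (.dwg by extension to personal mail), the "broad" rule it rejected (.dwg or .pdf), and a content-based rule that decides by file signature and by title-block words in the extracted text. The personal-mail domains and the title-block marker words are assumptions; the DWG "AC10xx" and PDF "%PDF-" signatures are the real file headers.

```python
from dataclasses import dataclass

# Constructed sample transfers (not real files); domains and title-block words are assumptions.
@dataclass
class Transfer:
    filename: str
    head: bytes           # first bytes of the file as intercepted
    text: str             # text the DLP extracted from the file ("" for binary formats)
    destination: str      # recipient mail domain
    leak: bool            # ground-truth label used only for scoring the rules

PERSONAL_MAIL = {"gmail.com", "outlook.com"}          # assumed personal mailbox domains
TITLE_BLOCK_MARKERS = ("drawing no", "scale", "rev")  # assumed words from an exported drawing's title block

def to_personal_mail(t):
    return t.destination.lower() in PERSONAL_MAIL

def is_dwg_by_content(head):
    # DWG files start with an "AC10xx" version string, whatever the file is called
    return head[:4] == b"AC10"

def looks_like_drawing_pdf(t):
    # a PDF (by signature) whose extracted text carries at least two title-block markers
    return t.head.startswith(b"%PDF-") and sum(m in t.text.lower() for m in TITLE_BLOCK_MARKERS) >= 2

def narrow_rule(t):   # what the factory ran: .dwg by extension only
    return t.filename.lower().endswith(".dwg") and to_personal_mail(t)

def broad_rule(t):    # the alternative it rejected: every .dwg and every .pdf
    return t.filename.lower().endswith((".dwg", ".pdf")) and to_personal_mail(t)

def content_rule(t):  # a middle path: decide by content, not by extension
    return (is_dwg_by_content(t.head) or looks_like_drawing_pdf(t)) and to_personal_mail(t)

def score(rule, transfers):
    """Return (detected leaks, false positives, missed leaks) for a rule over labelled transfers."""
    tp = sum(1 for t in transfers if rule(t) and t.leak)
    fp = sum(1 for t in transfers if rule(t) and not t.leak)
    missed = sum(1 for t in transfers if t.leak and not rule(t))
    return tp, fp, missed

TRANSFERS = [
    Transfer("gear.dwg", b"AC1032\x00\x00", "", "gmail.com", True),
    Transfer("gear_export.pdf", b"%PDF-1.7\n", "DRAWING NO 42-A  SCALE 1:2  REV B", "gmail.com", True),
    Transfer("notes.txt", b"AC1027\x00\x00", "", "outlook.com", True),        # renamed drawing
    Transfer("invoice.pdf", b"%PDF-1.4\n", "Invoice 1001, total due 250.00", "gmail.com", False),
    Transfer("report.pdf", b"%PDF-1.7\n", "Quarterly report, revenue by region", "gmail.com", False),
    Transfer("gear.dwg", b"AC1032\x00\x00", "", "example-corp.com", False),   # internal transfer
]

if __name__ == "__main__":
    for name, rule in (("narrow", narrow_rule), ("broad", broad_rule), ("content", content_rule)):
        tp, fp, missed = score(rule, TRANSFERS)
        print(f"{name:8} detected={tp} false_positives={fp} missed={missed}")
```

On this sample the narrow rule misses the PDF export and the renamed drawing, the broad rule catches the export but flags every ordinary PDF, and the content rule catches all three without noise. The content rule is itself a knob to tune: requiring only one marker would flag `report.pdf` because "rev" occurs inside "revenue", which is the dictionary-versus-slang problem from the first section in a different guise.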
Analyse the results
Even when you achieve a level of false positives that you are comfortable with, it would be a mistake never to check and reconfigure the system again. The information security agenda is constantly changing: new fraud schemes and new channels of information leaks may appear. Finally, employees can find workarounds: for example, they will realise that security specialists can even view deleted Skype messages with the help of DLP, and switch to another messenger. Therefore, you will have to keep your finger on the pulse – adapting existing security policies and creating new ones.
For example: the security department manually reviewed DLP reports on emails sent by employees. It was discovered that one of the managers had sent himself an email with confidential documents. At the same time, he had access to corporate email from a mobile phone. That is, at any time outside the office, he could access the email with confidential attachments - and this is a potentially dangerous situation. To control such risks, the security department decided to create a special "emails to myself" policy.
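The "emails to myself" policy found by manual review can be expressed as a rule over mail attributes. The following is an added example, not the security department's actual policy or the product's code: a corporate sender, at least one attachment, and an external recipient that either appears in a (assumed, constructed) list of personal addresses the employee has declared, or whose mailbox name contains a fragment of the sender's name. The directory, domain and messages are constructed.

```python
import re
from dataclasses import dataclass

CORPORATE_DOMAIN = "example-corp.com"   # assumed corporate mail domain

# Constructed directory (not real data): corporate mailbox -> display name and any personal
# addresses the employee has declared (an assumed data source; many companies have none).
DIRECTORY = {
    "ivan.petrov@example-corp.com": {"name": "Ivan Petrov", "personal": {"ipetrov@example.net"}},
    "olga.sullivan@example-corp.com": {"name": "Olga Sullivan", "personal": set()},
}

@dataclass
class Mail:
    sender: str
    recipients: tuple
    attachments: tuple = ()

def mail_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def name_tokens(name):
    # name fragments long enough to be meaningful inside a mailbox name
    return {t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 3}

def looks_like_own_mailbox(sender, recipient):
    """True when an external recipient is plausibly the sender's own private mailbox."""
    if mail_domain(recipient) == CORPORATE_DOMAIN:
        return False
    entry = DIRECTORY.get(sender.lower())
    if entry is None:
        return False
    if recipient.lower() in entry["personal"]:
        return True
    local_part = recipient.split("@", 1)[0].lower()
    return any(token in local_part for token in name_tokens(entry["name"]))

def emails_to_myself(mail):
    """The 'emails to myself' policy: corporate sender, attachment present,
    and at least one recipient that looks like the sender's private mailbox."""
    return (mail_domain(mail.sender) == CORPORATE_DOMAIN
            and bool(mail.attachments)
            and any(looks_like_own_mailbox(mail.sender, r) for r in mail.recipients))

MAILS = [
    Mail("ivan.petrov@example-corp.com", ("ipetrov@example.net",), ("contract.docx",)),       # declared address
    Mail("ivan.petrov@example-corp.com", ("i.petrov1985@gmail.com",), ("board_minutes.pdf",)), # name fragment
    Mail("ivan.petrov@example-corp.com", ("i.petrov1985@gmail.com",)),                          # no attachment
    Mail("ivan.petrov@example-corp.com", ("anna.sidorova@example-corp.com",), ("plan.xlsx",)),  # internal
    Mail("olga.sullivan@example-corp.com", ("sullivan.family@example.org",), ("photo.jpg",)),   # name fragment
    Mail("ivan.petrov@example-corp.com", ("sullivan@example.org",), ("memo.docx",)),            # false positive
]

def flagged(mails=MAILS):
    return [emails_to_myself(m) for m in mails]

if __name__ == "__main__":
    for m, hit in zip(MAILS, flagged()):
        print(("FLAG " if hit else "ok   ") + f"{m.sender} -> {', '.join(m.recipients)}")
```

The last message shows the caveat: "ivan" is a substring of "sullivan", so the name-fragment heuristic fires on a colleague's relative. The declared-address list is the precise path and the substring match is the noisy one; in the terms of the previous section, the second is where a false-alarm budget gets spent, and it is the part to revisit after watching the policy run for a while.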
Unfortunately, it is impossible to eliminate false alarms completely or to make a DLP system fully autonomous, because threats are constantly changing. At the same time, you can reach an optimal level that gives full control over the situation in the organisation.