Data Loss Prevention

  • 1.  Incident handling of DLP alerts

    Posted Mar 04, 2018 04:30 AM

    Hello all,

    I'm looking for a procedure on how to handle incidents reported by DLP.

    For example, to whom should I report the alert, and when should HR and legal be informed?

    Does the event analyst have the right to see the content of the alert (body of the email, data of the file)?


    Best regards,




  • 2.  RE: Incident handling of DLP alerts
    Best Answer

    Trusted Advisor
    Posted Mar 04, 2018 08:18 PM

    Nadia,

    There is no easy answer.. 

    This is where you need to develop the Incident Review process. It generally will not be the same for everyone, because there are different people who need to review each different policy.

    In many cases there is a First Reviewer that does not see who or the actual body, but just the matched data, and they change the status for the next person to review. Then the next person can see the whole incident, because they are the data owner or the manager of the person (all depends on what a company wants).

    Then if the incident is a severe one and validated as real, then they may get HR or legal involved... though only when it comes to severe events that have a huge impact. If the event was small and did not contain a lot of data or was not a violation of a certain data type, it may only require a discussion with the violator or by their manager.. Again this all depends on what the company wants.

    For example :

    If there are 100 SSNs in an email sent to a personal email account

    OR

    An email that sent a lot of Source Code to their personal account

    Each one has a different severity and could be handled differently. The SSN policy is a regulatory violation and has fines, while the Source Code one is more of a corporate issue and may have less of an issue.

    In either case each policy will need to be handled differently and you will need to ask the data owner as well as the department heads.


    Good Luck

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE



  • 3.  RE: Incident handling of DLP alerts

    Posted Mar 07, 2018 10:01 AM

    Thank you so much for your message, it's very helpful.

    But I have a question about the First Reviewer: why does he not have the right to view the body of the email or the content of the document? Don't you think that it's his responsibility to do the triage and decide if the alert is a false positive or an incident?



  • 4.  RE: Incident handling of DLP alerts

    Posted Mar 07, 2018 10:24 AM

    Hello Nadia,

    Ronak was merely suggesting *ONE* method to perform initial triage of the event; you can certainly set it up in a manner that suits your business' needs.

    From an event workflow perspective, there are a couple of other ways you can implement an effective program. The method that Ronak suggests is similar to a "fan out" method, where an initial First Responder triages the event, and then escalates to the various elevated Business Groups for remediation/Incident Response. If you have dedicated analysts who already triage events from other tools, such as email gateways, web proxies, SIEM, IPS/IDS, etc., these analysts could potentially also triage DLP. Many larger organizations have a Security Operations Center (SOC) with analysts for initial triage, who can establish initial validity (True Positive vs. False Positive), context, and severity. Based on the initial triage, the event, which will turn into an actual Incident, can be escalated to next-level remediation teams, such as Incident Response. The Incident Response team can establish the best way to remediate, which could include contact with the sender, contact with the sender's leadership, HR, or other.

    Another method that can be effective is the "Fan In" method, but this method does require a somewhat mature DLP program. Fan In works by having the data element owners (i.e., the Businesses) perform initial triage and establish validity, context, and severity. If the event needs escalation as an Incident to other groups, these Businesses then will funnel the escalations to an established team like Incident Response.

    You do not need to have all these different levels. Smaller programs can be successful by having the First Responder and Incident Response personnel as the same people/group. You simply lose a bit of the "separation of duties" aspect.

    I hope this helps. Good luck!

    Nick
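One way to encode the staged ("fan out") review that Ronak and Nick describe, where the first reviewer sees only the matched data and the data owner sees the whole incident and sets severity, as an added example that is not from the thread or from any DLP product. The policy table, personal-domain list, thresholds and status names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    FIRST_REVIEWER = "first_reviewer"  # sees matched data only, never sender or body
    DATA_OWNER = "data_owner"          # sees the whole incident after first triage

class Status(Enum):
    NEW = "new"
    FALSE_POSITIVE = "false_positive"
    NEEDS_OWNER_REVIEW = "needs_owner_review"
    ESCALATE_HR_LEGAL = "escalate_hr_legal"    # severe regulatory violation
    MANAGER_DISCUSSION = "manager_discussion"  # corporate issue or low volume

# Hypothetical policy table (assumed, not from the thread): whether a policy is a
# regulatory one, and how many matches sent to a personal account count as severe.
POLICIES = {"SSN": (True, 50), "SOURCE_CODE": (False, 500)}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}  # constructed sample list

@dataclass
class Incident:
    policy: str
    sender: str
    recipient: str
    matches: list          # the matched data items the DLP engine extracted
    body: str
    status: Status = Status.NEW

def view_for(incident, role):
    # Separation of duties: the first reviewer gets policy and matched data only.
    view = {"policy": incident.policy, "matches": incident.matches}
    if role is Role.DATA_OWNER:
        view.update(sender=incident.sender, recipient=incident.recipient,
                    body=incident.body)
    return view

def first_review(incident, is_true_positive):
    # First stage only rules out false positives or hands the case on; it never
    # closes a validated incident by itself.
    incident.status = (Status.NEEDS_OWNER_REVIEW if is_true_positive
                       else Status.FALSE_POSITIVE)
    return incident.status

def owner_review(incident):
    # Second stage sets severity from policy type, volume and destination,
    # and refuses to run before first-level triage has happened.
    if incident.status is not Status.NEEDS_OWNER_REVIEW:
        raise PermissionError("owner review requires prior first-level triage")
    regulatory, severe_at = POLICIES[incident.policy]
    to_personal = incident.recipient.rsplit("@", 1)[-1] in PERSONAL_DOMAINS
    severe = regulatory and to_personal and len(incident.matches) >= severe_at
    incident.status = Status.ESCALATE_HR_LEGAL if severe else Status.MANAGER_DISCUSSION
    return incident.status
```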



  • 5.  RE: Incident handling of DLP alerts

    Trusted Advisor
    Posted Mar 07, 2018 11:08 AM

    Nadia,

    As Nick has mentioned there is no "RIGHT" way to do this .. you can have the 1st responder do the triage.. it is all up to what the company wants to do and is capable of doing.

    Good Luck

    Ronak

    PLEASE MARK SOLVED WHEN POSSIBLE