Data Loss Prevention

  • 1.  how do we categorize blocking policy?

    Posted Jan 07, 2023 06:29 PM
    When the blocking policy in DLP blocks the incident, how do we categorize the incident? Should we change the status to false positive or something else? Please advise.


  • 2.  RE: how do we categorize blocking policy?

    Posted Jan 08, 2023 06:05 AM
    There are two block statuses:
    • A soft block can be released after incident management. Primarily for DiM-Mail events and in the case of some cloud events
    • A hard block takes the original permanently out of the game

    Soft block after blocking action - proposed status - "in remediation" or similar.
    In case it was a false positive after remediation, you can either release the original or make sure the same situation will not be blocked again. In this case "closed/false-positive" or similar is probably what you want.

    Hard block after blocking action - DLP activity is done - proposed status - "closed/true-positive" or similar.
    In case it was a false positive anyway, the status can be changed to "closed/false-positive" or similar. In this case policy tuning is required.

    In general you should create a "finite state machine". I hope this was the answer you were looking for.



  • 3.  RE: how do we categorize blocking policy?

    Posted Jan 20, 2023 09:05 AM
    We configure the response rule to set the Status to "Blocked". We also configure it to send an email to the user to let them know what happened, why, and their options. This assists with fine-tuning the policy if it should be a false positive.


  • 4.  RE: how do we categorize blocking policy?

    Posted Jan 20, 2023 09:21 AM
    Here is an example of a standard state model. "Blocked" describes the status of the original. It does not define whether it has been blocked correctly (true positive) or wrongly (false positive). So the next step is to find out whether the block was correct or not. If correct, any impact on the original is done (correctly blocked). If not correct, you want to release the mail.
    [Figure: DLP Status Finite State Machine]
    Try to keep the number of states as small as possible. More states => exponential complexity of your state machine.
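    The state model sketched in answers 2 and 4, written out as an added example (not code from any poster or from the DLP product): the status names, event names and the "soft vs. hard block" split are assumptions taken from those answers, and the only design rule enforced is that a released original is possible for a soft block but never for a hard block, while any false-positive closure flags the policy for tuning.

```python
from enum import Enum


class BlockType(Enum):
    SOFT = "soft"  # e.g. DiM-Mail or some cloud events: original can be released
    HARD = "hard"  # original is permanently gone; only the status can change


class Status(Enum):
    NEW = "new"
    BLOCKED = "blocked"
    IN_REMEDIATION = "in remediation"
    CLOSED_TP = "closed/true-positive"
    CLOSED_FP = "closed/false-positive"


# Allowed (current status, event) -> next status, per block type (assumed names).
# No transitions leave a closed state, so closed incidents are terminal.
TRANSITIONS = {
    BlockType.SOFT: {
        (Status.NEW, "block"): Status.BLOCKED,
        (Status.BLOCKED, "review"): Status.IN_REMEDIATION,
        (Status.IN_REMEDIATION, "confirm"): Status.CLOSED_TP,
        (Status.IN_REMEDIATION, "release"): Status.CLOSED_FP,
    },
    BlockType.HARD: {
        (Status.NEW, "block"): Status.BLOCKED,
        (Status.BLOCKED, "confirm"): Status.CLOSED_TP,
        (Status.BLOCKED, "tune_policy"): Status.CLOSED_FP,
    },
}


class Incident:
    def __init__(self, incident_id: str, block_type: BlockType):
        self.incident_id = incident_id
        self.block_type = block_type
        self.status = Status.NEW
        self.released = False               # original handed back to the user
        self.policy_tuning_required = False  # set on every false-positive closure

    def allowed_events(self):
        return sorted(e for (s, e) in TRANSITIONS[self.block_type] if s == self.status)

    def apply(self, event: str) -> Status:
        nxt = TRANSITIONS[self.block_type].get((self.status, event))
        if nxt is None:  # e.g. "release" on a hard block is rejected here
            raise ValueError(f"{self.incident_id}: {event!r} not allowed in "
                             f"{self.status.value!r} for a {self.block_type.value} block")
        self.released = self.released or event == "release"
        self.policy_tuning_required = self.policy_tuning_required or nxt is Status.CLOSED_FP
        self.status = nxt
        return nxt
```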