DLP rules - Tips to reduce false positives and false negatives

Monday, July 9th, 2012

For those who are already conversant and comfortable with DLP, the following are some tips to avoid false positives and false negatives:

a. For new rules you create, apply a ‘Deep data’ strategy: most specific to least specific. For example, the keyword ‘Company specific’ or ‘Company confidential’ alone is not enough. Research some more and add more data. Try the rule with a small team and have them send out some emails that summarize confidential-type information. See if it is caught by DLP.

b. Default rules are recommendations only. Customize them to your environment, again following the ‘MSLS’ (‘most specific to least specific’) rule. Do not leave the default rules in the system and expect them to work: they might work, but they may also generate false positives or false negatives.

c. ‘False positives / negatives’ are not a waste of time. Use them to focus on what has worked and what has not, and fine-tune.

d. ‘Comprehensive overview of the risks’ or ‘leak areas’ - Always keep in mind what the potential leak areas are, apply the MSLS rule to these areas first, and slowly work through the rest. Also, some rules may overlap multiple leak areas; treat them with even more care, because the risk of data aggregation is higher for such rules.
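To make tips (a) through (c) concrete, here is an added example (not part of the original post) that scores a keyword-only rule against an MSLS-ordered rule set using a small labelled pilot batch. The rule names, patterns, the "Project Falcon" project name and the sample messages are all constructed for illustration and do not come from any DLP product.

```python
import re

# Constructed pilot messages: (text, should_be_blocked) as labelled by the test team.
SAMPLES = [
    ("Attached is the Q3 roadmap. Company confidential - Project Falcon pricing sheet.", True),
    ("Project Falcon unit cost is 41.20 per seat, do not forward.", True),
    ("Reminder: all slides carry the 'Company confidential' footer template.", False),
    ("Lunch menu for Friday is attached.", False),
]

# A rule is (name, [patterns]); it fires only when ALL of its patterns match.
# BROAD is the weak "keyword is enough" rule from tip (a).
BROAD = [("keyword-only", [r"company confidential"])]

# MSLS ordering: most specific rule first, least specific last (hypothetical rules).
MSLS = [
    ("falcon-pricing", [r"project falcon", r"(pricing|unit cost)"]),
    ("confidential+project", [r"company confidential", r"project \w+"]),
]

def first_match(rules, text):
    """Return the name of the first rule whose patterns all match, else None."""
    for name, patterns in rules:
        if all(re.search(p, text, re.IGNORECASE) for p in patterns):
            return name
    return None

def score(rules, samples):
    """Count false positives and false negatives for a rule set on labelled samples."""
    fp = sum(1 for text, label in samples if first_match(rules, text) and not label)
    fn = sum(1 for text, label in samples if not first_match(rules, text) and label)
    return {"false_positives": fp, "false_negatives": fn}

if __name__ == "__main__":
    for title, rules in (("broad keyword", BROAD), ("MSLS", MSLS)):
        print(title, score(rules, SAMPLES))
        for text, label in SAMPLES:
            print("   ", first_match(rules, text), "| expected block:", label)
```

The misses and false hits from the keyword-only run are exactly the inputs tip (c) says to tune from: each one points to a missing specific pattern or an over-broad keyword.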

Hope this helps!