A standard DLP solution generates thousands of events per day, depending on how many policies are configured. That is too many for a small team to sift through to identify the riskiest events.
Modeling gives you the opportunity to use different DLP attributes, policies and context to determine whether there’s anomalous activity. This significantly reduces false positives.
DLP is a rules-based solution. You tell it to look for something and you tell it to do something, and it will. But there are false positives, and DLP solutions tend to generate thousands of alerts per day.
Our customers were constantly trying to sift through thousands of DLP alerts per day. When they started to model specific behavior, it gave them the ability to focus on what was most important. It greatly reduced the amount of time they were spending looking through incidents that may not be risky and gave them the opportunity to focus where they needed to – on risky behavior.
Top DLP Use Case: Departing Users
If users have a future termination date set in your HR system, you can monitor their activity more closely to determine whether they are exfiltrating data through email or web proxy. Additionally, you can look at interesting behavior patterns, such as emailing certain domains or interacting with domains that would be potentially concerning.
One of the cool things our customers do with Gurucul is identify a way to block certain emails from leaving the environment when a user's risk score is considerably high. It is a great example of model-driven security: action is taken on identified risks with no human intervention. So if a user's risk score goes up, that user can no longer send certain emails outside of the company.
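One way to express the departing-user model described above, as an added example that is not Gurucul's code or part of the original post. The weights, block threshold, notice window, field names and all domains and users are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed values for illustration; tune against your own incident history.
WATCHLIST = {"personal-mail.example", "fileshare.example"}  # constructed domains
INTERNAL_DOMAIN = "corp.example"
BLOCK_THRESHOLD = 70
NOTICE_WINDOW_DAYS = 30

@dataclass
class DlpEvent:
    user: str
    channel: str      # "email" or "web" (proxy)
    dest_domain: str
    policy_hits: int  # number of DLP policies the event matched

def score_users(events, termination_dates, today):
    """Combine raw DLP hits with HR context into a 0-100 risk score per user."""
    scores = {}
    for ev in events:
        points = 5 * ev.policy_hits
        if ev.dest_domain in WATCHLIST:
            points += 15
        term = termination_dates.get(ev.user)
        # A future termination date inside the notice window doubles the weight.
        if term is not None and 0 <= (term - today).days <= NOTICE_WINDOW_DAYS:
            points *= 2
        scores[ev.user] = min(100, scores.get(ev.user, 0) + points)
    return scores

def email_action(user, dest_domain, scores):
    """Automated response: block external mail once the score crosses the threshold."""
    external = dest_domain != INTERNAL_DOMAIN
    if external and scores.get(user, 0) >= BLOCK_THRESHOLD:
        return "block"
    return "allow"

# Constructed sample data: alice and bob trigger similar DLP rules,
# but only alice has a termination date on file in the HR feed.
TODAY = date(2024, 5, 1)
SAMPLE_HR = {"alice": date(2024, 5, 15)}
SAMPLE_EVENTS = [
    DlpEvent("alice", "email", "personal-mail.example", 2),
    DlpEvent("alice", "web", "fileshare.example", 1),
    DlpEvent("bob", "email", "personal-mail.example", 2),
    DlpEvent("bob", "email", "partner.example", 1),
]

if __name__ == "__main__":
    scores = score_users(SAMPLE_EVENTS, SAMPLE_HR, TODAY)
    for user in sorted(scores):
        print(user, scores[user], email_action(user, "personal-mail.example", scores))
```

Both users match the same rule on their first event, yet only the one with HR context crosses the threshold, which is how the model cuts the review queue without dropping the rule.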
Let us help you implement model-driven security in your environment. Contact us to get started.