Skip to main content

Policy Tuning – A key step to a successful DLP implementation

January 19, 2012

DLP architecture has been finalized, network configurations have been made, firewall rules are in place, components are deployed, polices are enabled, and incidents have started to appear. Now if you think that your DLP tool has been successfully implemented, you are wrong!

Imagine getting bombarded with hundreds of incidents every day that your security team can’t keep up with. Well, that is usually the case of any DLP tool deployment without proper rules in your policies. Without implementing the right rules within your polices, a new DLP implementation will generate lots of incidents (false positives) that are not relevant to your organization. This is where the most important step in a DLP implementation comes into play – The Policy Tuning. 

Blog Policy

There are multiple ways a policy can be tuned. I will talk about three important items that you could factor in while tuning the polices:

1) Known and relevant factors

2) Multiple data type matches

3) Information from false positives

Known and relevant factors

When a policy is first created, the tendency for most administrators is to enable the policy with the default rules. Keep in mind that the default rules are set to only look for the content that the policy is built for. You might be wondering, what’s wrong it that? Well, a big step to eliminate false positives is to eliminate content matches that you are not interested in. This is where you need to add additional rules to eliminate content matches that are not relevant to your organization.

The most efficient way to start this process is to use information/data that is only relevant to your organization. For example, use fields like source and destination email addresses (* For keyword-based matching, rather than just using a keyword such as “confidential," use keywords that are relevant to your organization – such as project code names, company name, etc. This way, the incidents that are generated will most likely be true positives and will be relevant to your specific organization.

Multiple data type matches

Most of the time, matching on just one data type is far less valuable (and generates more false positives) then matching on a combination of data types. For example, matching on just a credit card number is less valuable or less critical than matching on data that contains credit card number along with first and last name, expiry date, etc. So when creating a policy, add rules that look for more than one data type within the policy scope.

Information from false positives

After going through the above two steps, you will most likely eliminate a significant number of false positives. However, no policy is perfect, and you will always see incidents that are false positives. But the good thing is we could use this information to further tune our policies so we don’t see similar incidents in the future.

Even though you can’t completely eliminate all false positives, by spending time tuning the polices and adding the necessary rules to find content that is relevant to your organization, you could prevent true data loss and simultaneously not mpact your organization’s normal business operations.

Related Blogs

November 04, 2016

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 14

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, and systems) according t...

See Details

June 07, 2016

Identity Defined Security Alliance: Making an Identity Centric Approach to Security a Reality

Today, the Identity Defined Security Alliance (IDSA), led by Ping Identity and Optiv, announced a giant step forward in making the next generation of ...

See Details

January 10, 2012

Old Meets New: Microsoft Windows SafeSEH Incompatibility

In recent years, Microsoft has made great strides to improve product security. This momentum can be seen clearly in their investments in security-focu...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.