False positives. A new technique for catching two birds with one stone. Part 2



    In the first part of the article we talked about catching two birds with one stone, i.e. building a filter with 100% accuracy and 100% completeness (precision and recall, in the usual terminology). That is possible only in a "vacuum": for a finite number of states of the sought objects and of the conditions under which they are transferred. As soon as we leave this "vacuum", both indicators deteriorate sharply.

    [Figure: the distribution of valuable information and garbage, and the ideal condition in a "vacuum" that separates them]



    But what if we fight for accuracy and completeness not simultaneously but in turn? For example, first pass the message through a policy of increased accuracy and then through a rule of increased completeness, labelling the message accordingly: "rule of increased accuracy" and "rule of increased completeness". Naturally, if the first rule fires for a message, the second is ignored for that message. As theory and practice show, with a sufficient level of maturity in using DLP systems this approach gives better results.

    Thus, messages pass through two stages of filtering. After the first stage, which we will call the stage of high accuracy, we immediately obtain a certain number of high-criticality events that correspond to real incidents. In practice this amounts to roughly 10 to 20 high-criticality events per day per security officer. These incidents are dealt with first.

    This is followed by the so-called stage of high completeness, during which the part of the traffic labelled under the rules of the high-completeness policy is processed in monitoring mode, using techniques that we will partly touch on below.
    NB. When using single-level filtering, we recommend a compromise between completeness and accuracy with priority to the first: the Neyman-Pearson criterion, which has proven itself well. Briefly, this criterion fixes an acceptable false-positive rate and, within that limit, demands the highest possible completeness of the search.
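    The Neyman-Pearson criterion mentioned in the note, stated formally (added here for reference; it is not part of the original text). Among all decision rules $\delta$ whose false-positive rate on garbage does not exceed a chosen level $\alpha$,

    $$P(\delta(x) = 1 \mid \text{garbage}) \le \alpha,$$

    the rule that maximizes completeness, $P(\delta(x) = 1 \mid \text{incident})$, is the likelihood-ratio test

    $$\delta(x) = 1 \iff \Lambda(x) = \frac{p(x \mid \text{incident})}{p(x \mid \text{garbage})} \ge \eta,$$

    where the threshold $\eta$ is chosen so that the false-positive rate equals $\alpha$ (for discrete scores, randomization at the boundary may be needed to hit $\alpha$ exactly). In DLP terms: decide how much garbage the security officer can tolerate per day, then set the rule threshold so that completeness is as high as that budget allows.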


    The first level of filtering. Work with increased accuracy.


    Recall that each security policy in a DLP system defines a condition imposed on the information and the reaction of the system and of the security officer when that condition is met. We illustrate this rule and the features of precise filtering with a common, simple example: the leak of commercial offers.

    Let us represent this situation as the basic chain "object - subject - action". In our case the object is a "commercial offer", the subjects are persons from the "Sales Department" group, and the action is the transfer of two or more commercial offers by outgoing mail. The corresponding policy conditions in the DLP system are:

    • A description of the commercial offer built with text-analysis tools.
    • The sender of the message belongs to the Sales Department.
    • The message is sent through the outgoing mail channel.

    The DLP system's reaction to such a message is the creation of a high-criticality information security event. These conditions and reactions make up the basic filtering policy. Now we modify it into a precise-filtering policy.

    Precise filtering should tighten each of these conditions and, of course, the reaction to their fulfilment. For example, case sensitivity, the order of the keywords and their number in the document are added to the description of the text template for the offer. To the condition on the "Sales Department" group you can add a condition that the sender has exceeded the DLP system's trust level, or that the sender belongs to a special risk group such as "Probationary period" or "Under suspicion". The communication channel condition can be narrowed to webmail, and the recipient domains can be restricted to a list of competitor domains. Obviously, with such a detailed set of conditions, far less so-called "garbage" ends up in the output.

    As for the reaction to the tightened conditions, it can be the creation of a critical-level event together with blocking or a notification to the security officer.

    Thus, filtering rules of increased accuracy usually involve a prompt response to events. The most severe is blocking the transmitted message or the movement of information (for example, prohibiting printing or copying to removable media). The less stringent action, sending a notification, is also widely used. Notifications are usually sent to the security officer or, in the case of the transfer of business information, to the heads of the relevant departments and even to the user himself (this is usually determined by the company's information security strategy). A non-trivial but effective means of responding to events is reconstruction of the message.

    This example demonstrates the principle of precise filtering, the first of the two stages of our proposed double-filtering method: tightening the conditions for all risk factors and raising the level of response.

    The second level of filtering. Work with increased completeness.


    Let us return to the commercial offer example and set up filtering for the second "bird", completeness. As mentioned earlier, a message is filtered for increased completeness after it has been filtered for increased accuracy.

    Now we relax the filtering conditions for events related to the leak of commercial offers. In particular, we drop the condition that the sender belongs to the Sales Department group and remove the restriction to the outgoing mail channel. We respond to such messages by creating low-criticality events. Thus, when working with increased completeness, immediate response actions (blocking, sending notifications, creating high-criticality events, etc.) are not used.

    After such filtering we get significantly more events, now of low criticality and without blocking or notifications. Of course, there is far more garbage among them. But thanks to dynamic filtering of events by attributes and threat types, by combining different sets of events we can find among them those that do not meet the strict "high accuracy" conditions yet indicate a violation, sometimes one that is still being planned.

    What is garbage from the point of view of one policy rule can be a real incident when several types of events are combined. Suppose that, in our case, the security policy on commercial offers is supplemented with a rule that detects Microsoft Word documents containing unaccepted tracked changes. The combination of these two rules can reveal a conflict of interest: the unaccepted changes in the offer may carry signs of collusion or disclosure of trade secrets, even if the offer arrived as a single copy by incoming mail.
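    The two-stage scheme described in "The first level of filtering" (tightened conditions, strong reaction) and in this section (relaxed conditions, low-criticality events, then combination of event types per person) can be sketched as a small rule engine. The code below is an added illustration, not Solar Dozor's engine or the authors' code; the message fields, the regular expressions standing in for the text template, the competitor-domain list and the `docx:tracked-changes` attachment marker are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Message:
    sender: str
    group: str                   # department the sender belongs to
    risk_group: Optional[str]    # "Probationary period", "Under suspicion" or None
    channel: str                 # "mail-out", "mail-in", "webmail", "usb", ...
    peer_domain: str             # recipient domain (or sender domain for inbound mail)
    text: str
    attachments: tuple = ()      # constructed markers such as "docx:tracked-changes"

@dataclass
class Event:
    msg: Message
    rule: str
    criticality: str             # "high" or "low"
    reaction: str                # "block+notify" or "monitor"

COMPETITOR_DOMAINS = frozenset({"competitor.example", "rival.example"})   # assumed list
RISK_GROUPS = frozenset({"Probationary period", "Under suspicion"})

# Precise text template: case-sensitive, keywords in a fixed order ("Commercial Offer"
# before "Total price"). The precise rule additionally demands two or more such offers.
OFFER_PRECISE = re.compile(r"Commercial Offer\b.*?\bTotal price\b", re.S)
# Relaxed template: any mention of a commercial offer, case-insensitive.
OFFER_RELAXED = re.compile(r"commercial offer", re.I)

def precise_rule(m):
    """Stage 1 (increased accuracy): every condition tightened, strong reaction."""
    if len(OFFER_PRECISE.findall(m.text)) < 2:
        return None
    if m.group != "Sales Department" or m.risk_group not in RISK_GROUPS:
        return None
    if m.channel != "webmail" or m.peer_domain not in COMPETITOR_DOMAINS:
        return None
    return Event(m, "offer/precise", "high", "block+notify")

def relaxed_rule(m):
    """Stage 2 (increased completeness): sender-group and channel conditions dropped."""
    if not OFFER_RELAXED.search(m.text):
        return None
    return Event(m, "offer/relaxed", "low", "monitor")

def tracked_changes_rule(m):
    """Companion stage-2 rule: Word documents with unaccepted tracked changes."""
    if "docx:tracked-changes" not in m.attachments:
        return None
    return Event(m, "docx/tracked-changes", "low", "monitor")

STAGE2_RULES = (relaxed_rule, tracked_changes_rule)

def two_stage_filter(messages):
    """Run the precise rule first; only messages it does not catch reach stage 2."""
    events = []
    for m in messages:
        ev = precise_rule(m)
        if ev is not None:
            events.append(ev)        # stage 1 fired: stage 2 is skipped for this message
            continue
        for rule in STAGE2_RULES:
            ev = rule(m)
            if ev is not None:
                events.append(ev)
    return events

def combine_by_person(events, required):
    """Dossier-style view: persons whose low-criticality events cover every rule in `required`."""
    per_person = {}
    for ev in events:
        if ev.criticality == "low":
            per_person.setdefault(ev.msg.sender, set()).add(ev.rule)
    return sorted(p for p, rules in per_person.items() if set(required) <= rules)

# Constructed sample traffic (not real messages).
SAMPLE_MESSAGES = [
    Message("alice", "Sales Department", "Probationary period", "webmail", "competitor.example",
            "Commercial Offer No. 17 for Acme Ltd. Total price: 120 000.\n"
            "Commercial Offer No. 18 for Acme Ltd. Total price: 95 000."),
    Message("bob", "Legal", None, "mail-in", "partner.example",
            "Returning your commercial offer with my edits, see the total price.",
            ("docx:tracked-changes",)),
    Message("carol", "Sales Department", None, "mail-out", "customer.example",
            "Please find attached the Commercial Offer No. 19. Total price: 40 000."),
    Message("dave", "Marketing", None, "mail-out", "printer.example",
            "Draft of the new brochure attached."),
]

if __name__ == "__main__":
    evs = two_stage_filter(SAMPLE_MESSAGES)
    for ev in evs:
        print(f"{ev.criticality:4} {ev.reaction:13} {ev.rule:22} {ev.msg.sender}")
    print("combined (offer + tracked changes):",
          combine_by_person(evs, {"offer/relaxed", "docx/tracked-changes"}))
```

    On the sample traffic, alice produces a single high-criticality event from the precise rule and is not re-evaluated by the relaxed rules; carol's outgoing single offer becomes low-criticality "garbage" on its own; and bob, who is not in sales and only received one offer by incoming mail, is surfaced only when the two low-criticality events are combined per person, which is the point of the second stage.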

    When working with the results of increased-completeness filtering, the security officer, armed with the analytical tools of the DLP system, takes an active part in detecting incidents. These are primarily tools for working with multiple samples of increased-completeness events:

    • Advanced search by types of threats and triggered rules.
    • Dossier per person.
    • Dynamic filtering by combinations of events of different types, sources, channels.
    • Statistical slices.

    To summarize


    The two-level filtering technique described here improves the efficiency of working with DLP. But, as usual, higher quality comes with additional requirements.

    First, the cost of developing filtering policies rises. Although policy setup is an infrequent activity, the increased cost of this task still has to be budgeted for.

    Second, because the number of filtering rules doubles, timely processing of traffic requires more resources than single-level filtering.

    Third, the proposed approach assumes a good command of the tools of a modern DLP system, especially filtering policies and advanced search.

    However, there is nothing unattainable in this; as the saying goes, it is not the gods who fire the pots. In the end the security officer gets not a promise of "zero false positives" but a transparent and understandable working method that improves the efficiency of DLP, both in the completeness of incident handling and in the speed of response.

    Authors:
    Maxim Buzinov, Senior Mathematician, Solar Security.
    Galina Ryabova, Head of Solar Dozor, Solar Security.
