False alarms. New technique of catching two birds with one stone. Part 2

So, in the first part of the article we talked about catching two birds with one stone, i.e. It is possible to build filtering with 100% accuracy and completeness only in a “vacuum” - for a finite number of states of the objects being searched for and conditions for their transfer. When leaving this "vacuum" we will get a sharp deterioration in both indicators.

The distribution of valuable information and garbage and the ideal condition in the "vacuum" that separates them:



But what if you try to fight for accuracy and completeness not at the same time, but in turn? For example, first carry out a message with information through a policy of increased accuracy, and then through a rule of increased completeness with the appropriate marking of the message - “Increased accuracy rule” and “Increased completeness rule”. Naturally, if the first rule worked, the second one is automatically ignored. As theory and practice show, such an approach allows to get the best results with a sufficient level of maturity of the use of DLP systems.
')
Thus, the messages go through two stages of filtering. After the first stage, which we call the stage of high accuracy , we immediately get a number of high-critical events with real incidents. In practice, their number varies, based on a figure of 10–20 high-risk events per day per security officer. Accordingly, these incidents are dealt with first.

This is followed by a so-called. the high completeness stage , during which part of the traffic, marked up according to the high completeness policy rules, is processed in the monitoring mode — also with the use of techniques that we will touch upon in part.

Nb . When using single-level filtering, we recommend a compromise between completeness and accuracy with the first priority - the Neumann-Pearson criterion, which is well proven. In short, this criterion requires first of all a high search completeness.

The first level of filtering. Work with increased accuracy.

Recall that each security policy in the DLP determines a condition imposed on the information and the response of the system and the security officer to the fulfillment of this condition. We illustrate such a rule and features of accurate filtering on one common simple example - the leakage of commercial offers.

Imagine this situation as the basic chain “object - subject - action”. In our case, the object will be a “commercial offer”, the subjects will be persons from the “Sales Department” group, and actions will be the transfer of 2 or more commercial offers by outgoing mail. The relevant terms of the DLP system policy will be:

• Description of commercial proposals with the help of tools for working with texts.
• Ownership of the message source to persons from the sales department.
• Send a message through the outgoing mail channel.

The response of the DLP system to this kind of message will be the creation of an information event of a high level of criticality. Such conditions and reactions determine the basic filtering policy. We now turn to its modification to the state of exact filtering.

Accurate filtering should relate to each of these conditions and, of course, reactions to their implementation. For example, in the description of a text template of a quotation, conditions are added that take into account the register, the order of keywords and their number in the document. A condition for exceeding the system level of trust in the DLP, as well as the belonging of subjects to special risk groups, such as “Probation period” or “Under suspicion”, can be added to the condition on the “Sales Department” group. The condition for the communication channel can be narrowed down to webmail. Moreover, as a domain, you can specify a list of domains of competitors. Obviously, with such a detailed set of conditions, the output will fall significantly less than the so-called. "Trash".

As for the reaction to enhanced conditions, the creation of a critical event with an additional blocking or sending a notification to a security officer may be in her role.

Thus, filtering rules corresponding to increased accuracy usually imply prompt response to events. The most severe of them is blocking the message being transmitted or moving information (for example, prohibiting printing or copying to removable media). The less strict notification action is also actively used for filtering rules. Notifications are usually sent to the security officer, or in cases of business information transfer, to the heads of the relevant departments up to the user (usually, this is determined by the company's information security strategy). A reconstruction of the message may not be a trivial but effective means of responding to events.

So, this example demonstrates the principle of accurate filtering - the first of the two stages of our proposed double filtering method, which consists in enhancing conditions for all risk factors and increasing the level of response.

The second level of filtering. Work with increased fullness.

Let us return again to the example with commercial proposals and set up filtering for the second “hare” - completeness. As mentioned earlier, the message is filtered to increase completeness after filtering to increased accuracy.

Now we will weaken the conditions for filtering events related to the leakage of commercial offers. In particular, we will give up the condition that the message source belongs to the “Sales Department” group and remove the restriction on the transfer strictly through the outgoing mail channel. We will respond to such messages by creating events of low severity. Thus, when working with increased completeness, immediate response actions (blocking, sending notifications, creating high criticality events, etc.) are excluded.

At the exit after such filtering, we receive significantly more events of a low level of criticality and without blocking and sending notifications. Of course, among these events there will be much more rubbish. But thanks to the dynamic filtering of events by attributes and types of threats, we, by combining different sets of events, will be able to find among the set of events those that do not fall under the strict conditions of “high accuracy”, but indicate a violation - sometimes even the planned one.

What is garbage from the point of view of a single policy rule can be a real incident when combining several types of events. Suppose, in our case, the security policy for commercial offers is supplemented by a rule that detects Microsoft Word documents with non-applied patches. The combination of these two rules may reveal a conflict of interest, since non-applied commercial proposal corrections may contain signs of collusion or disclosure of trade secrets, even if it is received in one copy by incoming mail.

When working with enhanced completeness filtering results, a security officer is actively involved in identifying incidents, armed with analytical tools available in the DLP. First of all, these are tools for working with multiple samples of events of increased completeness:

• Advanced search by threat types and rules.
• Dossier per person.
• Dynamic filtering by combinations of events of different types, sources, channels.
• Statistical slices.

Let's sum up

The considered technique of two-level filtering of information traffic allows to increase the efficiency of working with DLP. But, as usual, high quality has additional requirements.

First, it is an increase in the cost of developing filtering policies. Although setting up policies is an infrequent measure, you still need to anticipate an increase in the cost of this task.

Secondly, due to the doubling of filtering rules, timely, quick processing of traffic will require more resources than single-layer filtering.

Third, the proposed approach implies a good level of proficiency in modern DLP tools. This is especially true of filtering and advanced search policy makers.

However, in all this there is nothing unattainable, and not the gods burn pots. But in the end, the security officer receives not assurances of a “zero number of false positives”, but a transparent and understandable method of work, which allows increasing the efficiency of using DLP - in terms of both completeness of incident handling and responsiveness to them.

The authors:
Maxim Buzinov, Senior Mathematician, Solar Security Company.
Galina Ryabova, Head of Solar Dozor, Solar Security.