How to handle the false positives to effectively utilize your DLP policy?

False positives are incidents created when a file that the data classification technique has labeled sensitive is in fact non-sensitive, or when the file transfer is initiated on official grounds. When the user is shown a warning that they are accessing or transferring sensitive data, they can respond that the action is legitimate or that the file is non-sensitive; that response marks the incident as a false positive. Depending on the nature of the issue, such false positives are either resolved or not considered further.

If the incident is an event-based trigger (file upload, file transfer, email upload, file printing), the corresponding mediums (applications, devices or websites) should be added to the enterprise list. If it is based on data classification, the corresponding data rule(s) should be analyzed to further reduce false positives. In either case, the sysadmin decides whether the false positive qualifies for remediation or can be ignored altogether.

False positives can be remediated in two ways: by adjusting the enterprise perimeter (the mediums used for the transfer) or by adjusting the data classification rule that labeled the data as sensitive.

Handle false positives by following the steps explained below:

  • Step 1

    On the product console, navigate to the Policy Deployment section in the Policy tab and select Custom Group name.

  • Step 2

    Under False positives, select Enterprise Perimeter to tweak the medium used for sensitive data transfer/access.

  • Step 3

    Select the option Fine Tune if the false positive has to be remediated, and add the device/web domain to the organization's boundary. If the false positive request need not be considered, you can choose the option Ignore.

  • Step 4

    Under False Positives, select Data Classification to tweak the rule/criteria that has labeled the data as sensitive.

  • Step 5

    Select the option Fine tune if the false positive has to be remediated by increasing the occurrence count of the pattern, or you can opt for the Remove Rule option. If the false positive request is unjustified, you can choose the option Ignore.

    Note:

  • To fine tune a regex criterion, increase the occurrence count of the pattern.

  • To fine tune a document matching criterion, raise the match percentage.

  • To fine tune a keyword matching criterion, update the document with more relevant terms.

  • If frequent false positives are raised by a predefined criterion, report the issue to the Endpoint DLP Plus support team.
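The following Python is an added illustration of the three tuning knobs in the note above. It is not Endpoint DLP Plus code and does not show how the product implements its criteria; the rule classes, the sample files, the SSN-style pattern and the thresholds are all constructed. It classifies the same set of files once with loose thresholds and once with tuned ones, so you can see the benign memo and the lunch notice that tripped the loose rules drop out while the payroll file and the policy draft stay flagged.

```python
"""Constructed model of three DLP data-classification knobs: regex occurrence
count, keyword hits, and document match percentage (not product code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


def _shingles(text: str, k: int = 3) -> set[tuple[str, ...]]:
    """Word k-grams used here as a crude document fingerprint (assumption)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


@dataclass
class RegexRule:
    name: str
    pattern: str
    min_occurrences: int  # the "occurrence count" knob

    def matches(self, text: str) -> bool:
        return len(re.findall(self.pattern, text)) >= self.min_occurrences


@dataclass
class KeywordRule:
    name: str
    keywords: frozenset[str]  # terms taken from the keyword document
    min_distinct_hits: int

    def matches(self, text: str) -> bool:
        words = set(re.findall(r"[a-z]+", text.lower()))
        return len(self.keywords & words) >= self.min_distinct_hits


@dataclass
class DocumentMatchRule:
    name: str
    reference: str        # the registered sensitive document
    min_match_percent: float  # the "match percentage" knob

    def match_percent(self, text: str) -> float:
        ref = _shingles(self.reference)
        if not ref:
            return 0.0
        return 100.0 * len(ref & _shingles(text)) / len(ref)

    def matches(self, text: str) -> bool:
        return self.match_percent(text) >= self.min_match_percent


def classify(text: str, rules) -> list[str]:
    """Names of the rules that label this text as sensitive (in rule order)."""
    return [r.name for r in rules if r.matches(text)]


# Constructed sample pattern and files; the numbers are made up.
SSN = r"\b\d{3}-\d{2}-\d{4}\b"
PAYROLL = ("Employee records: 123-45-6789, 234-56-7890, 345-67-8901, "
           "salary and SSN data is confidential.")
BENIGN_MEMO = ("Please quote ticket 555-12-3456 when calling. "
               "Nothing confidential in this note.")
POLICY_REF = ("This acceptable use policy governs all company devices and "
              "accounts. Employees must keep credentials private and report "
              "any lost device to security within one business day.")
POLICY_DRAFT = POLICY_REF + " Revision 3 adds a section on travel."
BENIGN_WITH_HEADER = ("This acceptable use policy governs all company devices "
                      "and accounts. Lunch menu for Friday: soup and sandwiches.")

# Loose thresholds: one incidental match is enough to flag a file.
LOOSE_RULES = [
    RegexRule("ssn-regex", SSN, min_occurrences=1),
    KeywordRule("hr-keywords", frozenset({"confidential"}), min_distinct_hits=1),
    DocumentMatchRule("policy-doc", POLICY_REF, min_match_percent=20.0),
]
# Tuned thresholds: higher occurrence count, more relevant terms, higher match %.
TUNED_RULES = [
    RegexRule("ssn-regex", SSN, min_occurrences=3),
    KeywordRule("hr-keywords", frozenset({"confidential", "salary", "ssn"}),
                min_distinct_hits=2),
    DocumentMatchRule("policy-doc", POLICY_REF, min_match_percent=70.0),
]


def tuning_report() -> dict[str, tuple[list[str], list[str]]]:
    """For each sample file: (rules fired when loose, rules fired when tuned)."""
    samples = {"payroll": PAYROLL, "benign memo": BENIGN_MEMO,
               "policy draft": POLICY_DRAFT, "lunch notice": BENIGN_WITH_HEADER}
    return {k: (classify(v, LOOSE_RULES), classify(v, TUNED_RULES))
            for k, v in samples.items()}


if __name__ == "__main__":
    for name, (loose, tuned) in tuning_report().items():
        print(f"{name:14s} loose={loose} tuned={tuned}")
```

The lunch notice shares only its boilerplate header with the registered policy (8 of 24 word trigrams, about 33%), so a 20% match threshold flags it and a 70% threshold does not, while the policy draft still matches at 100%. The same pattern applies to the other two knobs: raise the threshold until the legitimate files still fire and the incidental ones stop.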