What is DLP? DLP investigation process & how it benefits an organization

 

DLP TOOL SOP INVESTIGATION

 

1. Introduction

Forcepoint DLP is a solution that enables organizations to encrypt information and block risky data flows, so that they can monitor and control the flow of data over their networks and meet regulatory compliance. The data visibility and controls provided by DLP network security enable policy-based protections that ensure sensitive information is transmitted to, or accessed by, approved recipients only. This helps prevent the organization's sensitive data from being lost, misused, or accessed by unauthorized users through endpoints (USB drives, endpoint printing, endpoint HTTP/HTTPS, etc.) and through the SMTP (network DLP email monitoring) channel.

2. Purpose and Scope of this document

This document broadly outlines the Company's present information security and data protection monitoring, and applies to all users of Mindtree infrastructure facilities and all recipients of Company confidential information and information asset(s).

This document is confidential to the Company and may be shared with Company customers under appropriate agreements such as an NDA and/or MCA. Company customers shall not share and/or publish this document.

3. Incident flowchart


 

 

4. Analyze incident details

After logging in to the DLP console, go to Reporting and select Incidents. Multiple options are available to filter the incidents. Click Table Properties to modify the filters/search options available for incident grouping.

1. Under Report Catalog, select 7 days Incidents as shown below.


 

 

2. For incident validation, select Forensics > Source to filter the incidents by source. The forensic files can also be downloaded for further investigation, as shown below.

 


 

 

5. Incident Response Workflow:

Analysts monitor the DLP dashboard 24/7; a DLP incident is raised when a user breaches the data protection policies defined by the organization.

1. Once the incident is created in the DLP console, the SOC analyst should assign the incident to their MID.

2. The analyst should change the incident status from New to In-Process.

3. Based on the incident criticality, the analyst will modify the severity of the incident before progressing further.

4. Validate the incident to determine whether further escalation is needed.

5. If the incident seems suspicious, it has to be escalated to the user's reporting manager to confirm the legitimacy of the event.

6. Based on the reporting manager's confirmation, if the transaction performed by the violating user is legitimate, the incident status is changed to False Positive.

7. If the manager confirms the transaction is suspicious, the incident is escalated to the next level, the Security PoC Delivery team, for further investigation.

8. The incident status should be changed to Escalated while waiting for the IG PoC's response for closure.

9. After the final confirmation from the CISO (Chief Information Security Officer) team, the incident is concluded as either False Positive or True Positive.

10. Refer to section 10 for incident escalation timelines.

The screenshot below filters the incident count based on status.

Note: Filters can be modified based on requirements as well.


 

 

 

6. DLP Monitoring Channels:

 

The SOC team monitors the SMTP and endpoint channels below as part of the incident response process.

1. Network Email: monitors outbound emails sent to specified destinations via the protector/email security gateway.

2. Web Endpoint HTTP/HTTPS: monitors endpoint devices such as laptops and protects them from posting sensitive data to the web. This traffic can be monitored even when endpoint machines are outside the network.

3. Endpoint Printing: monitors data sent from an endpoint machine to a local or network printer. The system supports drivers that print to a physical device, not those that print to file or PDF.

4. Endpoint Removable Media: monitors or prevents sensitive data from being transferred to removable media.

5. Endpoint Application: monitors and prevents sensitive data from being transferred over Bluetooth (fsquirt.exe).

 

7. Incident and Response Escalation Matrix:

For incident response validation, follow the vertical IRM PoC escalation process.

Level I - Data policy violated source/user - reporting manager

Level II - Reporting managers to managers

Level III - Security PoC Delivery team

Level IV - CISO officer

8. IRM Point of Contact Details - Security Delivery PoC

BFSI 

CMT

9. Severity

Severity    Response Time    Resolution Time

High        30 minutes       24 hours

Medium      30 minutes       48 hours

Low         30 minutes       72 hours

 

High - This breach is significant and may have a broad impact on the organization.

Medium - This breach is moderate and should be reviewed.

Low - This breach is insignificant.
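The status workflow from section 5 and the severity timelines from section 9 can be enforced in a small triage tracker. The example below is added here and is not part of the SOP or of the Forcepoint product; the status names, the analyst MID parameter and the ISO timestamps are assumptions, and the SLA values are the ones in the table above.

```python
from datetime import datetime, timedelta

# Severity SLAs from the Severity table: (response time, resolution time).
SLA = {
    "High":   (timedelta(minutes=30), timedelta(hours=24)),
    "Medium": (timedelta(minutes=30), timedelta(hours=48)),
    "Low":    (timedelta(minutes=30), timedelta(hours=72)),
}
# Allowed status transitions taken from the Incident Response Workflow steps (assumed names).
TRANSITIONS = {
    "New": {"In-Process"},
    "In-Process": {"False Positive", "Escalated"},    # after manager confirmation
    "Escalated": {"False Positive", "True Positive"},  # after CISO team conclusion
}
CLOSED = {"False Positive", "True Positive"}


class Incident:
    def __init__(self, incident_id: str, created_iso: str, severity: str):
        self.incident_id = incident_id
        self.created = datetime.fromisoformat(created_iso)
        self.severity = severity
        self.status = "New"
        self.assignee = None   # analyst MID (hypothetical field)

    def assign(self, analyst_mid: str) -> None:
        self.assignee = analyst_mid          # step 1: assign to the analyst's MID

    def reclassify(self, severity: str) -> None:
        if severity not in SLA:
            raise ValueError(f"unknown severity {severity!r}")
        self.severity = severity             # step 3: adjust severity by criticality

    def can_transition(self, new_status: str) -> bool:
        # An unassigned incident must not leave New (steps 1 and 2 are in order).
        return self.assignee is not None and new_status in TRANSITIONS.get(self.status, set())

    def set_status(self, new_status: str, at_iso: str) -> None:
        if not self.can_transition(new_status):
            raise ValueError(f"invalid transition {self.status} -> {new_status} at {at_iso}")
        self.status = new_status

    def sla_state(self, now_iso: str) -> dict:
        # Deadlines are measured from creation; a reclassified severity changes them.
        now = datetime.fromisoformat(now_iso)
        response, resolution = SLA[self.severity]
        return {
            "response_breached": self.status == "New" and now > self.created + response,
            "resolution_breached": self.status not in CLOSED and now > self.created + resolution,
        }
```

Running `sla_state` periodically over open incidents gives the analyst a list of items that have passed their 30-minute response window or their 24/48/72-hour resolution window.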

10. Sample Mail Template

Hi User,

I am John from the Cyber Security Team.

As part of security monitoring, we found that your reportee "User Name" (Company XXXXXXID) has copied the files below to an Endpoint/SMTP channel (removable media / email attachment / web upload / email).

Investigation details:

"The forensic details below are to be captured while sending the escalation to the user's manager"

Event Time: XXXXXYXXXXXXXXXXX

File Path: XXXXXXXXXXXXXXXX

Destination: *****

We request your intervention to check the criticality of the files that have been shared to the external device.

Please check the intent behind this act and kindly confirm so that we can proceed further.

Let me know if you need any clarification/assistance.
