A look at dynamic data protection
details from that talk in my thoughts below.
The partnership between the CIO, CISO, General Counsel and chief human resources officer is paramount and became the foundation for this programme. Once we had organisational buy-in, we made sure to openly communicate the changes to our user would help inform decision making.
For example, for our removable media policy, we can leverage risk-adaptive action plans based on the user risk score, with enforcement options ranging from Audit, to Audit/Encrypt, to Encrypt/Notify, to Block.
At this point we will have established our programme and started to create the policies we want to enforce. The next step is to establish the baseline – to ensure that the system best understands the users’ “normal” behaviour, so it can appropriately identify the anomalies. To do this, we are running the system in audit mode, allowing the analytics engine to learn for 30 days to ensure we minimise false positives and that appropriate calibration is performed.
Then we will increase the notification for when any of these new risk policies is invoked. We want to do a deeper inspection to verify that the triggers behave the way we intended. We know we will end up needing to tweak a few of the thresholds to get the results we are expecting. In some cases, this will involve increasing or decreasing the strictness of enforcement.
Often, the role of the security team dealing with alerts is to find the needle in the haystack. What we learnt is that there are two ways to achieve this goal. The first is to build a better needle-finding algorithm, while the second is to just get rid of the hay. After implementing Dynamic Data Protection, we can do both.
The aggregate number of alerts that hit my analysts has gone down, because of the flexibility afforded by the automated policy enforcement.
My user community is now more productive, because I’ve relaxed some of the more rigid data loss prevention policies that were impacting the ease of doing business. We’re still pretty early on in our deployment, but indicators show that we’re scratching the surface of unlocking the potential of this capability.
Our plan is to stay in lock-step with our HR and legal teams and roll out Dynamic Data Protection on a country-by-country basis following the privacy restrictions imposed by each of the countries in which we do business. Our goal with this programme is to remove the security friction without losing security control, to stop the bad and free the good.