
How to Investigate a DLP Alert

  • Jul 16, 2019
  • Pramod Borkar
  • 1 minute to read

    What is DLP

    Data loss prevention (DLP) is a set of tools and processes used to keep sensitive business information from being disclosed outside the organization. It classifies data, then attempts to prevent end users from moving sensitive or high-value information out of the corporate network. The term DLP is most commonly used in reference to the tools that allow a network administrator to monitor the data that end users access and share.

    DLP solutions monitor interactions with data and protect organizations against known threat patterns. However, malicious insiders and sophisticated attackers can act in ways that match no known pattern or that static DLP rules cannot express. A modern SIEM built on behavioral analytics, such as Exabeam Advanced Analytics, can surface data exfiltration attempts whether or not the technique is already known. It does this by building baselines of normal user and entity behavior, then flagging high-risk, anomalous activity that deviates from those baselines in the ways adversary techniques tend to produce (unusual volume, a destination the user has never sent data to, activity outside their usual hours).

    Step-by-step walkthrough

    In this video, we simulate a DLP alert investigation in a legacy SIEM using logs collected in Exabeam Data Lake, then compare it with a modern SIEM's approach by performing the same investigation in Exabeam Advanced Analytics. Key advantages of DLP investigation with Exabeam Advanced Analytics include:

    • Improved analyst productivity through prioritized DLP alerts, which surface first the alerts whose user or machine also shows a high degree of anomalous activity
    • Reduced time to investigate DLP alerts through Exabeam Smart Timelines, which automatically stitch both normal and abnormal behavior into machine-built incident timelines

    Watch the video below for a step-by-step walkthrough of a DLP incident investigation using a modern SIEM.
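The two ideas the page leans on, scoring a DLP alert by how far the user has drifted from their own baseline and stitching that user's normal and abnormal events into a single timeline, are shown in the added example below. This is illustration code written for this page, not code from the original post and not Exabeam's product logic: the log lines, users, hosts, destination domains, byte counts, score weights and the 50-point timeline threshold are all constructed. The legacy view is the list of every policy hit; the behavioral view re-ranks that same list so the one hit that is also anomalous for its user comes out on top, while a user whose routine work trips the same policy every day scores zero.

```python
"""Added example, not code from the page or from Exabeam: re-rank DLP alerts
by how far the triggering user deviates from their own baseline, then stitch
that user's normal and abnormal events into one timeline.  Every log line,
user, host, domain, byte count and score weight below is constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed upload/DLP log (not real product output), one event per line:
# <ISO timestamp> <user> <host> <destination> <bytes> <dlp_policy or ->
LOG = """\
2019-07-10T09:12:00 alice ws-101 sharepoint.corp 120000 -
2019-07-11T10:05:00 alice ws-101 sharepoint.corp 150000 -
2019-07-12T09:40:00 alice ws-101 sharepoint.corp 130000 -
2019-07-13T11:00:00 alice ws-101 sharepoint.corp 140000 -
2019-07-14T09:30:00 alice ws-101 sharepoint.corp 125000 -
2019-07-15T23:40:00 alice ws-101 mega.example 2600000 PII-SSN
2019-07-10T09:00:00 bob ws-202 crm.corp 1900000 PII-SSN
2019-07-11T09:10:00 bob ws-202 crm.corp 2100000 PII-SSN
2019-07-12T09:05:00 bob ws-202 crm.corp 2000000 PII-SSN
2019-07-13T09:20:00 bob ws-202 crm.corp 1950000 PII-SSN
2019-07-14T09:15:00 bob ws-202 crm.corp 2050000 PII-SSN
2019-07-15T09:30:00 bob ws-202 crm.corp 2000000 PII-SSN
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse_log(text):
    """Parse the constructed log into dicts, dropping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, user, host, dest, nbytes, policy = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "dest": dest, "bytes": int(nbytes),
                       "policy": None if policy == "-" else policy})
    return sorted(events, key=lambda e: e["ts"])

def baseline(events, user, day):
    """The user's own history from days strictly before `day` (the event's day)."""
    prior = [e for e in events if e["user"] == user and e["ts"].date() < day]
    daily = defaultdict(int)
    for e in prior:
        daily[e["ts"].date()] += e["bytes"]
    return {"daily": list(daily.values()),
            "dests": {e["dest"] for e in prior},
            "hours": {e["ts"].hour for e in prior}}

def anomaly_score(event, profile):
    """0 = consistent with the user's history; larger = further from it.
    Weights (40/30/20) are arbitrary constructed values for the example."""
    if not profile["dests"]:                 # cold start: nothing to compare against yet
        return 0, ["no baseline yet"]
    score, reasons = 0, []
    daily = profile["daily"]
    if len(daily) >= 2:                      # a z-score needs some spread to be meaningful
        mean, sd = statistics.mean(daily), statistics.pstdev(daily)
        z = (event["bytes"] - mean) / sd if sd else (float("inf") if event["bytes"] > mean else 0.0)
        if z > 3:
            score += 40; reasons.append(f"volume z={z:.1f}")
    if event["dest"] not in profile["dests"]:
        score += 30; reasons.append(f"first upload to {event['dest']}")
    lo, hi = min(profile["hours"]), max(profile["hours"])
    if event["ts"].hour < lo - 2 or event["ts"].hour > hi + 2:
        score += 20; reasons.append(f"outside usual hours ({lo:02d}-{hi:02d})")
    return score, reasons

def prioritize_dlp_alerts(events):
    """A legacy queue treats every policy hit alike; here each hit carries the
    user's anomaly score so the analyst opens the deviant one first."""
    ranked = []
    for e in events:
        if e["policy"] is None:
            continue
        score, reasons = anomaly_score(e, baseline(events, e["user"], e["ts"].date()))
        ranked.append({"ts": e["ts"], "user": e["user"], "policy": e["policy"],
                       "dest": e["dest"], "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

def timeline(events, user, threshold=50):
    """Stitch the user's normal and anomalous events into one ordered timeline."""
    rows = []
    for e in (x for x in events if x["user"] == user):
        score, reasons = anomaly_score(e, baseline(events, user, e["ts"].date()))
        tag = "ANOMALOUS" if score >= threshold else "normal"
        rows.append((e["ts"].isoformat(), tag, e["dest"], e["bytes"], e["policy"], reasons))
    return rows

if __name__ == "__main__":
    evs = parse_log(LOG)
    print("DLP alerts ranked by behavioral anomaly:")
    for r in prioritize_dlp_alerts(evs):
        print(f"  {r['score']:3d} {r['ts']} {r['user']:<6} {r['policy']} -> {r['dest']} {r['reasons']}")
    print("Timeline for alice:")
    for row in timeline(evs, "alice"):
        print(" ", row)
```

Two caveats a practitioner should keep in mind. First, the cold-start branch matters: with no history a user's first upload to any destination would otherwise look "new", so the score is withheld until a baseline exists, which is why a behavioral tool needs a learning period before its rankings are trustworthy. Second, the baseline is built from days strictly before the event, so an attacker who slowly inflates their own volume over weeks will also raise the mean they are measured against; the z-score check is therefore complemented by the destination and hours checks rather than used alone.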
