How to Investigate a DLP Alert [Video Series]
Conducting a successful DLP incident investigation depends on whether you are using a legacy SIEM or a modern SIEM. Our video shows you how a modern SIEM can help you protect the integrity of your data.
Data loss prevention (DLP) is a set of tools and processes used to protect the integrity of business information. It classifies data and then attempts to prevent end users from moving sensitive or high-value information out of the corporate network. The term DLP is most commonly used in reference to the tools that allow a network administrator to monitor data accessed and shared by end users.
DLP solutions monitor interaction with data and secure organizations against known threat patterns. However, malicious insiders and sophisticated attackers can act in ways that do not match any known pattern or cannot be captured by static DLP security rules. A modern SIEM tool built with behavioral analytics technology like Exabeam Advanced Analytics can detect data exfiltration attempts whether or not the attack matches a known pattern. This is accomplished by creating baselines for normal user and entity behavior, then identifying high-risk and anomalous activity that deviates from that baseline, since the techniques adversaries employ leave exactly such deviations behind.
In this video, we simulate a DLP alert investigation in a legacy SIEM tool using logs collected in Exabeam Data Lake and then compare it with a modern SIEM’s approach by using Exabeam Advanced Analytics to perform the same investigation. Key advantages of DLP investigation with Exabeam Advanced Analytics include:
- Improved analyst productivity using prioritized DLP alerts, which zero in on the alerts that also exhibit a high degree of anomalous user or machine activity
- Reduced time required to investigate DLP alerts using Exabeam Smart Timelines, which automatically stitch together both normal and abnormal behavior into machine-built incident timelines
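To make the baselining idea above concrete, here is an added toy example (not Exabeam's code or algorithm, and not from the video): it builds a per-user baseline from constructed upload telemetry, ranks two DLP alerts that fired on the same static rule by how anomalous each user's day was, and stitches one user's events for that day into a simple timeline. All users, hosts, byte counts and the rule name are made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real logs): one row per upload event.
# Fields: day index, user, destination host, bytes sent.
EVENTS = [
    (1, "alice", "sharepoint.corp", 40_000), (2, "alice", "sharepoint.corp", 55_000),
    (3, "alice", "sharepoint.corp", 45_000), (4, "alice", "sharepoint.corp", 50_000),
    (5, "alice", "sharepoint.corp", 48_000),
    (1, "bob", "sharepoint.corp", 300_000), (2, "bob", "mail.corp", 250_000),
    (3, "bob", "sharepoint.corp", 320_000), (4, "bob", "mail.corp", 280_000),
    # Day 6: both users trip the same DLP rule, but only alice's day is unusual.
    (6, "alice", "files.example-share.net", 900_000),
    (6, "bob", "sharepoint.corp", 310_000),
]
# Constructed DLP alerts raised by a static content rule on day 6: (user, day, rule).
ALERTS = [("bob", 6, "PII-in-upload"), ("alice", 6, "PII-in-upload")]

def daily_totals(events):
    """Sum bytes per (user, day) so the baseline compares whole days, not single events."""
    totals = defaultdict(int)
    for day, user, _dest, nbytes in events:
        totals[(user, day)] += nbytes
    return totals

def baseline(user, day, events):
    """Mean and stdev of the user's daily volume before `day`, plus the hosts seen so far."""
    totals = daily_totals(events)
    history = [v for (u, d), v in totals.items() if u == user and d < day]
    hosts = {dest for d, u, dest, _ in events if u == user and d < day}
    if not history:                      # no history yet: nothing to deviate from
        return 0.0, 0.0, hosts
    return mean(history), pstdev(history), hosts

def anomaly_score(user, day, events):
    """z-score of today's volume against the user's own past, +3 for a never-seen destination."""
    mu, sigma, known = baseline(user, day, events)
    today = daily_totals(events)[(user, day)]
    z = (today - mu) / sigma if sigma else 0.0
    new_dest = any(u == user and d == day and dest not in known for d, u, dest, _ in events)
    return round(z + (3.0 if new_dest else 0.0), 2)

def prioritize(alerts, events):
    """Rank DLP alerts so those backed by anomalous user activity come first."""
    scored = [(anomaly_score(u, d, events), u, d, rule) for u, d, rule in alerts]
    return sorted(scored, reverse=True)

def timeline(user, day, events):
    """Stitch the user's events for the day into one ordered list; True marks a new host."""
    _, _, known = baseline(user, day, events)
    return [(dest, nbytes, dest not in known)
            for d, u, dest, nbytes in events if u == user and d == day]
```

The two alerts are identical to the static rule; only the behavioral context separates alice's out-of-baseline day from bob's routine one.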
Watch the video below for a step-by-step walkthrough of a DLP incident investigation using a modern SIEM.