DLP rant, the alert is rarely the problem. The lack of context is.
Posted by Thr04w4yFinance@reddit | sysadmin | 16 comments
I swear, people love hating on DLP, but the real nightmare is the lack of context. Sensitive data moved could be totally normal or a legit problem and there’s no way to tell without digging. You either go full block mode and everyone hates you or ignore it because nobody can keep up. For anyone stuck managing DLP/email/security tooling, what info would actually make these alerts not completely useless? File owner, type, workflow, user history, destination?
Curious_Morning_9609@reddit
A recurring issue in complex environments is that operational systems often detect events without understanding the organizational context surrounding them.
As complexity grows, teams end up compensating manually for that missing context through investigation, meetings, tribal knowledge and exception handling.
The alert itself is usually visible.
The operational meaning behind it often is not.
frAgileIT@reddit
The alert needs context and it needs explanation by the sender. Automation should attach the sent email in its entirety to the alert and automation should ping the user to let them know that an alert has been generated and that they need to explain what they sent, why, and why they think it’s not a policy violation.
Also, there needs to be some tuning capability where the SOC can create alerting exceptions so that when a few people in finance have to send something that looks like a bank account number, it doesn’t trigger an alert.
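As an added illustration of the tuning point above (example code, not from the thread or any vendor product): a tiny triage step that first checks whether an IBAN-shaped match even passes the ISO 13616 mod-97 checksum before it is allowed to page anyone, and then applies SOC-created suppressions that are scoped to a detector, a sender group and a destination domain and that expire. The alert records, group names, domains and ticket reference are constructed for the example; the mod-97 rule is the real IBAN check.

```python
import re
from dataclasses import dataclass
from datetime import date

# Detector pattern for IBAN-shaped tokens (country code, two check digits, BBAN).
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97: move the first four chars to the end, map A..Z to 10..35,
    and the resulting integer must be congruent to 1 modulo 97."""
    token = candidate.replace(" ", "").upper()
    if not IBAN_RE.match(token):
        return False
    rearranged = token[4:] + token[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


@dataclass(frozen=True)
class Suppression:
    """A scoped, expiring exception created by the SOC (constructed for the example)."""
    detector: str
    sender_group: str
    recipient_domain: str
    expires: date
    ticket: str  # hypothetical change-ticket reference so the exception is auditable


@dataclass(frozen=True)
class Alert:
    detector: str
    sender: str
    sender_group: str
    recipient_domain: str
    matched: str
    day: date


def triage(alert: Alert, suppressions: list[Suppression]) -> tuple[str, str]:
    """Return (action, reason). Actions: drop (false positive), suppress, alert."""
    if alert.detector == "iban" and not iban_checksum_ok(alert.matched):
        return "drop", f"{alert.matched!r} fails the IBAN mod-97 check; not a real account number"
    for s in suppressions:
        same_scope = (s.detector, s.sender_group, s.recipient_domain) == (
            alert.detector, alert.sender_group, alert.recipient_domain)
        if not same_scope:
            continue
        if alert.day <= s.expires:
            return "suppress", f"covered by {s.ticket} until {s.expires}"
        return "alert", f"suppression {s.ticket} expired on {s.expires}; needs review"
    return "alert", (f"{alert.detector} match sent by {alert.sender} ({alert.sender_group}) "
                     f"to {alert.recipient_domain}")


# Constructed sample data: one finance exception to a payroll vendor, four alerts.
SUPPRESSIONS = [
    Suppression("iban", "finance", "payroll-vendor.example", date(2025, 12, 31), "CHG-0042"),
]
VALID_IBAN = "GB82WEST12345698765432"    # well-known valid test IBAN
BROKEN_IBAN = "GB82WEST12345698765433"   # last digit changed, checksum fails
ALERTS = [
    Alert("iban", "alice@corp.example", "finance", "payroll-vendor.example", VALID_IBAN, date(2025, 6, 1)),
    Alert("iban", "bob@corp.example", "sales", "gmail.com", VALID_IBAN, date(2025, 6, 1)),
    Alert("iban", "carol@corp.example", "finance", "payroll-vendor.example", BROKEN_IBAN, date(2025, 6, 1)),
    Alert("iban", "alice@corp.example", "finance", "payroll-vendor.example", VALID_IBAN, date(2026, 1, 15)),
]


def run_sample() -> list[str]:
    """Triage the constructed alerts and return the action for each, in order."""
    return [triage(a, SUPPRESSIONS)[0] for a in ALERTS]


if __name__ == "__main__":
    for a in ALERTS:
        action, reason = triage(a, SUPPRESSIONS)
        print(f"{action:8s} {a.sender:20s} {reason}")
```

Scoping the exception to a destination domain matters: an allowlist that only keys on "finance" would also silence a finance user mailing the same pattern to a personal address. The expiry forces the SOC to re-confirm the workflow still exists rather than carrying the exception forever.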
zed0K@reddit
I hate DLP because it slows down endpoints. Specifically client side DLP.
-Me, an Endpoint Engineer.
ScoobyGDSTi@reddit
What DLP tools are you using? As our policies inspect the document type and size, document markings and sensitivity labels, OCR, regex, file origins, and a couple more things. So false alerts weren't exactly that common.
derango@reddit
They’re using whatever tool they’re trying to sell you in the next post.
PAXICHEN@reddit
I rot13 everything. When I’m feeling paranoid…I double-ROT13 it!
QuesoMagician@reddit
I pipe alerts into an agentic SOAR and the agent has tool calls to the SIEM / other tools to automate investigations and is able to provide almost all necessary context. It helps cut down on a lot of noise. It’s not 100% perfect but saves a lot of time on investigations and tuning.
Some tool calls require human in the loop approval.
TheCyberThor@reddit
We use incident informed rules. Start with no rules, create rules as incidents occur.
An example is when we had an attempted theft of data from a terminated user; we now have a rule to monitor exfiltration for people who resigned. We monitor things leading up to it, and during their notice period.
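One way to implement the leaver rule described in that comment, as an added example rather than the commenter's own tooling: take an HR feed of resignation and last-day dates, build a watch window that also covers a lookback before notice was given (the "things leading up to it"), and flag egress events from watched users inside that window. The HR records, egress events, destinations and the 14-day lookback are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LOOKBACK_DAYS = 14   # assumption: also review the two weeks before notice was given
THRESHOLD_MB = 50    # assumption: ignore small transfers so the rule is not noisy


@dataclass(frozen=True)
class HrEvent:
    """Resignation record from the HR feed (constructed for the example)."""
    user: str
    resigned_on: date
    last_day: date


@dataclass(frozen=True)
class EgressEvent:
    """One outbound transfer as a DLP/proxy tool might log it (constructed)."""
    user: str
    day: date
    destination: str
    mbytes: int


def watch_window(hr: HrEvent) -> tuple[date, date]:
    """Lookback before notice through the last working day, inclusive."""
    return hr.resigned_on - timedelta(days=LOOKBACK_DAYS), hr.last_day


def review_leavers(hr_events: list[HrEvent], egress: list[EgressEvent],
                   threshold_mb: int = THRESHOLD_MB) -> list[str]:
    """Return one finding per qualifying egress event, with the phase it fell in."""
    watched = {h.user: h for h in hr_events}
    findings = []
    for e in egress:
        hr = watched.get(e.user)
        if hr is None:
            continue                      # not a leaver; normal DLP policy applies
        start, end = watch_window(hr)
        if not (start <= e.day <= end):
            continue                      # outside the window, e.g. months before
        if e.mbytes < threshold_mb:
            continue
        phase = "before notice" if e.day < hr.resigned_on else "during notice period"
        findings.append(f"{e.user}: {e.mbytes} MB to {e.destination} on {e.day} "
                        f"({phase}; last day {hr.last_day})")
    return findings


# Constructed sample data: dave resigned on 3 March with a last day of 31 March.
HR = [HrEvent("dave", date(2025, 3, 3), date(2025, 3, 31))]
EGRESS = [
    EgressEvent("dave", date(2025, 2, 1), "dropbox.com", 900),           # before lookback
    EgressEvent("dave", date(2025, 2, 25), "dropbox.com", 800),          # lookback, flagged
    EgressEvent("dave", date(2025, 3, 10), "removable-media", 2000),     # notice period, flagged
    EgressEvent("dave", date(2025, 3, 10), "sharepoint.corp.example", 5),  # below threshold
    EgressEvent("erin", date(2025, 3, 10), "dropbox.com", 900),          # not a leaver
]

if __name__ == "__main__":
    for line in review_leavers(HR, EGRESS):
        print(line)
```

The lookback is what makes the rule retroactive: the day HR enters a resignation, the previous two weeks of that user's transfers get re-evaluated, which is where the original incident in the comment would have surfaced.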
_-pablo-_@reddit
A good insider risk tool would have this detection out of the box - other than that DLP should be informed by a company’s risk threshold.
Do we care enough about sensitive data leaving that we’d undergo the effort to have labels exist to first tag that data?
Then, do we care enough to add restrictions to what users can do with that sensitive data? Based on the restrictions on the label?
Thereafter, DLP exists to sort out the possible exfil of sensitive info that can’t hold a label or can’t be scanned etc.
OneSeaworthiness7768@reddit
This isn’t a rant so much as market research.
fdeyso@reddit
It is always the context with everything; DLP and even just generic security alerts. Just because a DC that has the DNS role resolved a malicious DNS name, it doesn’t mean that the DC is compromised…
GraybeardDevOps@reddit
Tbh you have to actually look at what’s normal for the user. Is Bob in sales always exporting lead lists on Fridays, or is this the first time he’s touching that database? And where is the data even going: a legit partner or some random free email account?
You also need to know who else has poked at it recently. Most tools just scream keyword alert and call it a day which is why everyone ignores them. The smarter move is risk based policies that actually get context. Cyera does that automatically by mapping flows and user behavior over time. Way fewer false alerts than static rules that just spam you for no reason.
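The per-user baseline, destination classification and "who else touched it" checks in that comment, written out as an added example (not from the thread and not any vendor's implementation): each export is scored against that user's own history for the same dataset and the destination type, and every point of score comes with a sentence of reason, so the output reads "this is risky because X" rather than "please investigate". The history, datasets, domains and weights are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev

# Assumed destination knowledge: vetted partner domains and common personal webmail.
PARTNERS = {"partner-crm.example"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
RISKY_AT = 4  # assumption: scores at or above this are worth an analyst's time


@dataclass(frozen=True)
class Export:
    """One data export/send event (constructed for the example)."""
    user: str
    day: date
    dataset: str
    rows: int
    destination: str


def classify_destination(domain: str) -> tuple[str, int]:
    if domain in PARTNERS:
        return "vetted partner", 0
    if domain in FREE_MAIL:
        return "personal webmail", 3
    return "unknown external", 2


def explain(history: list[Export], event: Export) -> tuple[int, list[str]]:
    """Score one export against the user's prior exports; return (score, reasons)."""
    score, reasons = 0, []
    same = [h for h in history if h.user == event.user and h.dataset == event.dataset]
    if not same:
        score += 2
        reasons.append(f"first time {event.user} has exported {event.dataset}")
    else:
        sizes = [h.rows for h in same]
        mu, sigma = mean(sizes), pstdev(sizes) or 1.0   # avoid zero sigma on one sample
        if event.rows > mu + 3 * sigma:
            score += 2
            reasons.append(f"{event.rows} rows vs usual ~{int(mu)} (+/-{int(sigma)})")
        if event.day.weekday() not in {h.day.weekday() for h in same}:
            score += 1
            reasons.append(f"never previously seen on a {event.day.strftime('%A')}")
    kind, points = classify_destination(event.destination)
    score += points
    if points:
        reasons.append(f"destination {event.destination} is {kind}")
    # Context only, no score: who else pulled this dataset in the preceding week.
    others = sorted({h.user for h in history
                     if h.dataset == event.dataset and h.user != event.user
                     and 0 <= (event.day - h.day).days <= 7})
    if others:
        reasons.append(f"also exported this week by {', '.join(others)}")
    return score, reasons


def verdict(history: list[Export], event: Export) -> str:
    score, reasons = explain(history, event)
    label = "RISKY" if score >= RISKY_AT else "expected"
    detail = "; ".join(reasons) if reasons else "matches this user's baseline"
    return f"{label} ({score}): {event.user} -> {event.dataset} -> {event.destination}: {detail}"


# Constructed history: Bob exports ~1000 lead rows to the CRM partner every Friday.
HISTORY = [
    Export("bob", date(2025, 5, 2), "lead_list", 980, "partner-crm.example"),
    Export("bob", date(2025, 5, 9), "lead_list", 1010, "partner-crm.example"),
    Export("bob", date(2025, 5, 16), "lead_list", 1000, "partner-crm.example"),
    Export("bob", date(2025, 5, 23), "lead_list", 1030, "partner-crm.example"),
    Export("carol", date(2025, 6, 2), "lead_list", 200, "partner-crm.example"),
]
NORMAL = Export("bob", date(2025, 5, 30), "lead_list", 1020, "partner-crm.example")
ANOMALOUS = Export("bob", date(2025, 6, 3), "lead_list", 25000, "gmail.com")
FIRST_TIME = Export("bob", date(2025, 6, 3), "payroll", 50, "unknown.example")

if __name__ == "__main__":
    for ev in (NORMAL, ANOMALOUS, FIRST_TIME):
        print(verdict(HISTORY, ev))
```

The baseline here is deliberately per user and per dataset: a single global threshold would either flag Bob's routine Friday export or miss the 25,000-row pull to webmail, which is exactly the keyword-alert failure the comment complains about.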
Thr04w4yFinance@reddit (OP)
This is exactly what I have been banging my head against. Most DLP setups just spam alerts with no context and expect you to magically know what is legit. Seeing the user history and knowing where the data is going changes everything.
Opposite-Lion-5176@reddit
The dream is fewer “please investigate” alerts and more “this specific thing is risky for this specific reason.”
Thr04w4yFinance@reddit (OP)
Exactly. If one alert actually explained why something is risky, I wouldn’t be this close to throwing my laptop out the window.
smartyladyphd@reddit
DLP only becomes actionable when the alert includes enough business context to answer “was this expected behavior for this user, workflow, and destination?” in under 30 seconds.