Introduction

Security systems can generate a large number of alerts, but only a small number represent a genuine risk to the organization. Broken business processes, false positives, and minor breaches create noise that makes identifying data theft activity challenging and increases operational costs.

To solve this security challenge, Forcepoint has developed an integrated analytics system that:
  1. Correlates related incidents and alerts into meaningful DLP cases
  2. Applies various statistical methods to assess baselines and identify anomalies
  3. Utilizes artificial intelligence to recommend a data loss classification (e.g., data theft, broken business process, and unintentional leak) and provides the business context for each case (who, what, why, and when)
  4. Assigns a data loss risk score to each case

The score represents the actual data loss risk and is designed to enable the security operations team to initiate an appropriate investigative response. The risk score is evaluated by algorithms that combine knowledge about the content, baseline information, and various observables and indicators regarding the data, the source, and the destination. These indicators are fused together using a framework called Bayesian Belief Networks that ultimately allows the system to accurately assess the likelihood of data theft and other data loss classes.
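To make the fusion step concrete, here is an added illustration (not Forcepoint's model or code) of how a Bayesian Belief Network turns a handful of indicators into a posterior over the three data loss classes named above and a 0-100 risk score. The network structure, node names (off_hours, bulk_volume, personal_destination, content_sensitive), and every probability in the conditional probability tables are constructed assumptions chosen for the example; a production system would learn them from baselines and labelled cases. Inference is exact enumeration over the joint, so indicators that are not observed are marginalized out rather than treated as absent.

```python
from itertools import product

# Constructed example: a tiny discrete Bayesian belief network that fuses DLP
# indicators into a posterior over data-loss classes. Node names, values and
# probabilities are hypothetical and are NOT Forcepoint's model.

CLASSES = ("data_theft", "broken_process", "unintentional_leak")

# Each node maps to (parents, CPT). CPT keys are tuples of parent values (in
# parent order); each value is a dict of node value -> probability.
NETWORK = {
    # Prior over the data-loss class of a case (assumed base rates).
    "loss_class": ((), {(): {"data_theft": 0.05, "broken_process": 0.60,
                             "unintentional_leak": 0.35}}),
    # P(transfer happened outside the user's baseline working hours | class)
    "off_hours": (("loss_class",), {
        ("data_theft",): {True: 0.6, False: 0.4},
        ("broken_process",): {True: 0.1, False: 0.9},
        ("unintentional_leak",): {True: 0.2, False: 0.8},
    }),
    # P(volume is far above the user's baseline | class)
    "bulk_volume": (("loss_class",), {
        ("data_theft",): {True: 0.7, False: 0.3},
        ("broken_process",): {True: 0.5, False: 0.5},
        ("unintentional_leak",): {True: 0.1, False: 0.9},
    }),
    # P(destination is a personal / non-corporate endpoint | class)
    "personal_destination": (("loss_class",), {
        ("data_theft",): {True: 0.8, False: 0.2},
        ("broken_process",): {True: 0.05, False: 0.95},
        ("unintentional_leak",): {True: 0.3, False: 0.7},
    }),
    # P(content classified as sensitive | class, bulk_volume): two parents,
    # which is what distinguishes a belief network from a naive Bayes model.
    "content_sensitive": (("loss_class", "bulk_volume"), {
        ("data_theft", True): {True: 0.9, False: 0.1},
        ("data_theft", False): {True: 0.7, False: 0.3},
        ("broken_process", True): {True: 0.5, False: 0.5},
        ("broken_process", False): {True: 0.4, False: 0.6},
        ("unintentional_leak", True): {True: 0.6, False: 0.4},
        ("unintentional_leak", False): {True: 0.5, False: 0.5},
    }),
}


def values_of(node):
    """Return the possible values of a node, read from its CPT."""
    _, cpt = NETWORK[node]
    return tuple(next(iter(cpt.values())).keys())


def joint_probability(assignment):
    """P(full assignment) = product over nodes of P(node | parents)."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        key = tuple(assignment[par] for par in parents)
        p *= cpt[key][assignment[node]]
    return p


def posterior(evidence, query="loss_class"):
    """Exact inference by enumeration: P(query | evidence), with every
    unobserved indicator summed out."""
    hidden = [n for n in NETWORK if n not in evidence and n != query]
    scores = {}
    for qval in values_of(query):
        total = 0.0
        for combo in product(*(values_of(h) for h in hidden)):
            assignment = dict(evidence)
            assignment[query] = qval
            assignment.update(zip(hidden, combo))
            total += joint_probability(assignment)
        scores[qval] = total
    z = sum(scores.values())
    return {k: v / z for k, v in scores.items()}


def classify(evidence):
    """Recommended data-loss class: the maximum-posterior class."""
    post = posterior(evidence)
    return max(post, key=post.get)


def risk_score(evidence):
    """0-100 data-theft risk score: the posterior probability of theft."""
    return round(100 * posterior(evidence)["data_theft"])


if __name__ == "__main__":
    # Constructed case: off-hours bulk transfer of sensitive data to a
    # personal destination.
    case = {"off_hours": True, "bulk_volume": True,
            "personal_destination": True, "content_sensitive": True}
    print(classify(case), risk_score(case))
```

Note how the same evidence that scores high when all four indicators fire is dominated by the broken_process prior when the transfer happens during business hours to a corporate destination, and how a case with a single observed indicator still yields a usable (lower-confidence) score because the other nodes are marginalized rather than ignored.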

This integrated security analytics feature provides capabilities that enable Forcepoint DLP customers to gain much better visibility and facilitate fast triage of DLP incidents. It also offers automated identification of broken business processes.

Future releases will build on these capabilities and address additional use cases such as allocating a lower risk score to personal communications and supporting automated policy efficacy tuning.

This paper discusses some of the analytical and statistical techniques used to deliver the security analytics capability within Forcepoint DLP.