Allon Ram
Cisco Employee

This guide provides instructions on how to refine both Cisco Secure Access and Umbrella Data Loss Prevention (DLP) policies, specifically focusing on optimizing DLP policies that are based on built-in data classifications. Using the HIPAA classification as an example below, we demonstrate how to adjust these classifications to enhance data protection while reducing unnecessary alerts. These strategies can be applied to any built-in classification, allowing you to tailor your DLP settings for improved accuracy and effectiveness.


Understanding Built-In Classifications

Built-in classifications, such as HIPAA, are designed to be highly sensitive. They trigger alerts when any single type of sensitive data is detected, providing robust protection but sometimes leading to unnecessary alerts.


Goals and Process Overview

Stage 1: Customizing built-in classifications

Stage 2: Developing advanced DLP rules

* Proceed to Stage 2 if adjustments in Stage 1 still result in excessive unnecessary alerts.

 
Stage 1: Duplicate and Fine-Tune a Built-in Classification

Goal: Adjust the classification to reduce unnecessary alerts while maintaining effective protection.

  1. Review Current Identifiers:
    1. Examine the data types monitored under your chosen classification. For HIPAA, this includes a wide range of identifiers—some that combine multiple pieces of information (like a combination of drug name and social security number) and some that are single-point identifiers (like social security numbers or dates of birth).
    2. Use DLP Reports: Analyze DLP reports to identify which specific identifiers are causing the most unnecessary alerts. This will help you focus on the identifiers that need adjustment.
  2. Modify or Remove Noisy Identifiers:
    1. Duplicate the existing built-in classification (Built-in HIPAA, for example) so that you can customize it. You then use this custom classification as the criterion within the DLP rule.
    2. Retain identifiers that require multiple data points for alerts. This approach enhances detection accuracy by minimizing unnecessary alerts. For example, use "ICD Code and Person Name (US)" instead of just "ICD Code."
    3. Identify and remove data identifiers that cause alerts based solely on a single data point if they frequently lead to unnecessary alerts. For example, unselect “ICD code” to remove it from the custom classification you created.
      Alternatively, choose to increase the threshold for noisy identifiers instead of removing them altogether. This adjustment reduces the likelihood of unnecessary alerts by requiring a stronger match before triggering an alert.
  3. Evaluate and Decide:
    1. Test the adjusted classification for a period of time. If unnecessary alerts persist, continue with the suggestions above or proceed to Stage 2.
 
Stage 2: Develop Advanced DLP Rules

Goal: Create custom classifications using “AND” logical composition to enhance precision and reduce unnecessary alerts.

  1. Create Multiple Custom Classifications:
    • Develop several custom classifications according to your needs where each classification uses the “AND” logic between the selected data identifiers. This approach ensures that alerts are only triggered when multiple related pieces of information are detected, reducing unnecessary alerts.
  2. Set Up DLP Rules:
    • Create DLP rules that can match against any of the selected custom classifications. This flexibility allows for comprehensive monitoring while focusing on the combination of data points.
  3. Implement and Test:
    • Deploy the new classifications and rules in a test environment to evaluate their effectiveness. Monitor alert patterns and adjust the logic or identifiers as needed to achieve the desired balance between sensitivity and specificity.
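The following is an added illustration, not Cisco's DLP engine or configuration: a small Python model of how the Stage 1 tuning (raising a threshold on a noisy single-point identifier) and the Stage 2 design (AND-composed custom classifications that a rule ORs together) change which of three constructed sample documents raise an alert. The regex detectors and document texts are assumptions standing in for real data identifiers.

```python
import re
from dataclasses import dataclass

# Constructed sample documents (no real patient data).
DOCS = {
    "claim": "Record for Jane Doe: ICD J45.909, SSN 123-45-6789.",
    "newsletter": "Asthma awareness month: see ICD J45 guidance for clinicians.",
    "report": "Diagnosis codes this quarter: J45.909, E11.9, I10.",
}

# Toy detectors standing in for data identifiers; assumed patterns, not Cisco's.
IDENTIFIERS = {
    "ICD Code": re.compile(r"\b[A-Z]\d{2}(?:\.\d{1,3})?\b"),
    "SSN (US)": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Person Name (US)": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"),
}

@dataclass
class Classification:
    name: str
    identifiers: dict  # identifier name -> minimum match count (threshold)
    logic: str = "OR"  # built-in style: any identifier fires; Stage 2 uses "AND"

    def matches(self, text):
        hits = [len(IDENTIFIERS[i].findall(text)) >= t
                for i, t in self.identifiers.items()]
        return all(hits) if self.logic == "AND" else any(hits)

def alerts(classifications, docs=DOCS):
    """A DLP rule fires on a document if any of its classifications match."""
    return sorted(d for d, text in docs.items()
                  if any(c.matches(text) for c in classifications))

# Built-in style: every identifier is a single-point trigger.
BUILTIN = Classification("Built-in HIPAA (model)",
                         {"ICD Code": 1, "SSN (US)": 1, "Person Name (US)": 1})
# Stage 1: duplicate the classification and raise the threshold on the noisy ICD identifier.
STAGE1 = Classification("Custom HIPAA (ICD threshold 3)",
                        {"ICD Code": 3, "SSN (US)": 1})
# Stage 2: AND-composed custom classifications, OR-ed together by the DLP rule.
STAGE2 = [
    Classification("ICD Code AND Person Name", {"ICD Code": 1, "Person Name (US)": 1}, "AND"),
    Classification("ICD Code AND SSN", {"ICD Code": 1, "SSN (US)": 1}, "AND"),
]

if __name__ == "__main__":
    for label, rule in (("built-in", [BUILTIN]), ("stage 1", [STAGE1]), ("stage 2", STAGE2)):
        print(f"{label}: {alerts(rule)}")
```

The built-in model alerts on all three documents, the Stage 1 threshold drops the newsletter that mentions a single code, and the Stage 2 AND rules alert only on the document that pairs a code with an identity.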

 

Additional Tips

  • Periodically review classifications and rules to adapt to evolving threats and data practices.