Test the Scan

Objective: Put Your DLP Policies to the Test

So far, we’ve created data classifications using regular expressions, created DLP policies, and configured an on-demand scan. Next, we will run this scan against the data in your S3 bucket and see if we can find the stolen data.

Tasks

Start Your On-Demand Scan

  1. From the main menu bar, select Policy then On-Demand Scan.
  2. Click the (…) symbol to the right of the scan you created, and select Start.
  3. You’ll be asked whether you want to run an estimate before starting the scan. The estimate tells you how much data will be scanned and roughly how long the scan will take, which is particularly useful when you are applying a filter based on file size, date, etc. (it shows how effective your filter is). We have a small amount of data in our lab, so for our purposes, click Run Anyway followed by Start.

Take a Quick Break

Your DLP scan will typically take between 3 and 5 minutes to complete. Take a moment to stretch or grab a coffee - you’ll have your scan results shortly!

Examine the Results

  1. Once your Last Scan Status changes to the Completed state, click the corresponding number under the Last Scan Incidents column. Because each lab environment’s data is randomly generated and unique, the number of incidents will vary, but it will typically be between 100 and 150.

  2. You’ll be taken to a list of all the incidents triggered by your on-demand scan (ODS) against the 100 files in your S3 bucket. Scroll through the list of incidents, keeping in mind that:

    • A DLP policy raises at most one incident per file scanned, although that single incident may contain several matches.
    • Multiple DLP policies can trigger on the same file, each raising its own incident.
    • If you have 100 files and 3 DLP policies, the maximum number of incidents is therefore 300 (100 × 3).
    • In our dataset, there is only one true positive incident; the rest are false positives.
  3. Select any incident at random and you’ll be presented with a slider that provides a quick view of the incident’s details. Clicking the expand icon within the panel opens a window where you can view the details of the match(es) that triggered the incident (on the Content Matches tab). Hint: You can get a closer look at the data by clicking the filename(s) in the Content / Matched Items area of the incident.

  4. You could inspect every incident in the list to find the true positive, but this would take a long time (and surely much longer in a real environment).
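To make the incident rules in the bullets above concrete (one incident per file per policy, several matches inside one incident, the files × policies ceiling) and to show why opening incidents one at a time is the slow path, here is an added Python model written for this guide. It is not the product's code and does not call its API. The policy names, regexes, file names and file contents are all constructed for the example, and the Luhn check applied to card-number hits is an added refinement that goes beyond the lab's plain regex classifications; it is there to show one way the false-positive count can be cut before triage.

```python
import re

# Hypothetical DLP policies built from regex classifications, as the lab does.
# The patterns are deliberately loose so that they over-match like the lab's.
POLICIES = {
    "Credit Card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed stand-in for the objects in the S3 bucket (not real lab data).
# Only exfil_dump.txt is the intended true positive; the 16-digit number in
# invoice_2021.txt is an order reference that merely looks like a card number.
FILES = {
    "readme.txt": "Nothing sensitive here.\n",
    "invoice_2021.txt": "Order 1234 5678 9012 3456 shipped. Contact ops@example.com\n",
    "hr_export.csv": "name,ssn,email\nCarol,123-45-6789,carol@example.com\n",
    "exfil_dump.txt": "Dave,4111 1111 1111 1111,987-65-4321,dave@example.com\n",
}


def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(files, policies, validate=True):
    """Model the lab's incident rules: for each file, each policy raises at
    most ONE incident, and that incident carries all of the policy's matches.
    Returns {filename: {policy: [matches]}}; files with no hits are absent.
    With validate=True, Credit Card hits that fail Luhn are discarded (an
    added refinement, not something the lab's regex classifications do)."""
    incidents = {}
    for name, content in files.items():
        for policy, pattern in policies.items():
            matches = pattern.findall(content)
            if validate and policy == "Credit Card":
                matches = [m for m in matches if luhn_ok(m)]
            if matches:
                incidents.setdefault(name, {})[policy] = matches
    return incidents


def count_incidents(incidents):
    """Total incidents = number of (file, policy) pairs that fired."""
    return sum(len(by_policy) for by_policy in incidents.values())


def max_incidents(files, policies):
    """Upper bound from the lab: files x policies (100 files, 3 policies = 300)."""
    return len(files) * len(policies)


def rank(incidents):
    """Triage order: files that tripped the most policies first, then the most
    matches. A file hit by every policy at once is the strongest candidate for
    the single true positive, so it floats to the top instead of being found
    by opening each incident in turn."""
    return sorted(
        incidents,
        key=lambda f: (
            -len(incidents[f]),
            -sum(len(m) for m in incidents[f].values()),
            f,
        ),
    )


if __name__ == "__main__":
    found = scan(FILES, POLICIES)
    print(f"incidents: {count_incidents(found)} of at most "
          f"{max_incidents(FILES, POLICIES)}")
    for name in rank(found):
        print(name, {p: len(m) for p, m in found[name].items()})
```

Run as-is it reports 6 incidents out of a possible 12 and lists exfil_dump.txt first, because it is the only file that trips all three policies; with validate=False the order-number false positive in invoice_2021.txt comes back and the count rises to 7. The same idea (rank files by how many independent policies fired, and tighten classifications with a checksum where one exists) is what you would reach for in a real environment where scrolling through every incident is not an option.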