
Skyhigh Security

About ML-driven Potential False Positives

Limited Availability: ML-driven Potential False Positives (an advanced DLP capability) is a Limited Availability feature that requires additional entitlement. Contact Skyhigh Support or your account manager for assistance.

False positives in DLP occur when legitimate actions are mistakenly identified as potential data leaks. This leads to unnecessary alerts and disruptions. As a result, security teams often spend excessive time investigating these false alarms instead of concentrating on real incidents, which can cause inefficiencies. To reduce false alerts, Skyhigh Security provides an advanced capability in DLP called ML-driven Potential False Positives. This capability leverages advanced Artificial Intelligence (AI) and Machine Learning (ML) algorithms to reduce false positives in Data Loss Prevention (DLP) incidents. Intelligently distinguishing between legitimate and non-legitimate violations improves detection accuracy and enhances the overall effectiveness of DLP policies. It minimizes alert fatigue, allowing security teams to focus on critical risks and streamline remediation efforts.

With this capability you can identify incidents that are likely to be false positives, enabling your organization to improve its incident management processes and focus on genuine threats. It simplifies the identification and categorization of incidents as potential false positives, significantly reducing administrators' manual review effort. You can streamline the incident remediation process and refine your Data Loss Prevention (DLP) policies, ensuring fewer disruptions caused by irrelevant alerts.

IMPORTANT: Skyhigh Security does not use your confidential data to train its AI-ML models for false positive detection and only uses incident metadata. For further details, refer to the Skyhigh SSE Privacy Data Sheet document.

Advantages of ML-driven Potential False Positives
  • AI-ML Powered Automatic Incident Categorization. Automatically discovers and categorizes incidents with recurring patterns based on rule, service, severity, file type, username, and activity as potential false positives using AI and ML models.
  • Streamlined DLP Administration. Streamlines DLP management by minimizing fatigue, investigation time, and costs in SOC operations.
  • Confidence. Improves confidence to mark incidents as false positives, including those marked as false positives manually.
  • Rapid Incident Response. Quicker response time to resolve potential false positive incidents.
  • Reduced Noise. Minimizes the volume of false positive incidents in the incident list.
  • Enhanced User Experience. Provides insights into the number of potential false positives generated over the past 30 days and highlights the increase or decrease in such incidents compared to the previous 30-day period.
  • Trends and Analytics. Includes visualizations of potential false positive incidents to monitor trends or patterns over time.

How ML Model Detects Potential False Positives

ML-driven Potential False Positives uses a machine learning-based statistical model. This means that the model learns from data, specifically from labeled examples of false positives. Some of the techniques used to identify potential false positives are:

  • Pattern Detection and Historical Data Analysis. The ML model identifies patterns and characteristics from historical data on false positive incidents managed by Security Operations Center (SOC) analysts. 
  • Incident Categorization. When new policy incidents arise, the ML model assesses them against the learned patterns. If an incident closely resembles previously identified false positives, it is categorized as a potential false positive.

The detected and categorized policy incidents are displayed with detailed insights and statistics on the Policy Incidents page. You can view and validate these incidents for further investigation to improve your organization's incident management process. For details, see ML-driven Potential False Positive Detection.
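To make the two techniques above concrete, here is an added illustration (not Skyhigh's model, whose internals the page does not describe) of a nearest-neighbour classifier over the six incident metadata fields the page lists; the incident records, the field-agreement similarity, and the k and threshold values are all constructed assumptions.

```python
# Illustrative nearest-neighbour categorization of DLP incidents as potential
# false positives. Constructed example; not Skyhigh's implementation.
FIELDS = ("rule", "service", "severity", "file_type", "user", "activity")

def incident(rule, service, severity, file_type, user, activity, fp=None):
    """Build an incident-metadata record; fp is the analyst's verdict (None for new incidents)."""
    return dict(zip(FIELDS, (rule, service, severity, file_type, user, activity)), fp=fp)

# Constructed history of incidents already triaged by SOC analysts (fp=True means
# the analyst marked it as a false positive). Only metadata is stored, no content.
HISTORY = [
    incident("PCI-CardNumbers", "Box", "Low", "xlsx", "finance-bot", "Upload", fp=True),
    incident("PCI-CardNumbers", "Box", "Low", "xlsx", "finance-bot", "Upload", fp=True),
    incident("PCI-CardNumbers", "Box", "Medium", "csv", "finance-bot", "Upload", fp=True),
    incident("PII-SSN", "Gmail", "High", "pdf", "jdoe", "Send", fp=False),
    incident("PII-SSN", "Gmail", "High", "docx", "asmith", "Send", fp=False),
    incident("PCI-CardNumbers", "SharePoint", "Low", "xlsx", "finance-bot", "Share", fp=True),
]

def similarity(a, b):
    """Fraction of metadata fields on which two incidents agree (assumed metric)."""
    return sum(a[f] == b[f] for f in FIELDS) / len(FIELDS)

def score_incident(new, history=HISTORY, k=3):
    """Share of the k most similar triaged incidents that analysts marked as false positives.

    Returns 0.0 when there is no history to learn from, so nothing is flagged
    before analysts have produced labeled examples."""
    if not history:
        return 0.0
    k = min(k, len(history))
    neighbours = sorted(history, key=lambda h: similarity(new, h), reverse=True)[:k]
    return sum(h["fp"] for h in neighbours) / k

def is_potential_false_positive(new, history=HISTORY, k=3, threshold=0.67):
    """Categorize as a potential false positive when most near neighbours were false positives."""
    return score_incident(new, history, k) >= threshold

if __name__ == "__main__":
    recurring = incident("PCI-CardNumbers", "Box", "Low", "xlsx", "finance-bot", "Upload")
    novel = incident("PII-SSN", "Gmail", "High", "pdf", "jdoe", "Send")
    print("recurring pattern:", score_incident(recurring), is_potential_false_positive(recurring))
    print("novel incident:   ", score_incident(novel), is_potential_false_positive(novel))
```

The flagged incident still lands in the analyst's queue for validation; the score only prioritizes review, it does not close the incident.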

Example: Basic DLP False Positive Behaviour vs. ML-driven Potential False Positive Behaviour

A financial institution uses a DLP system to monitor sensitive data transfers. If an employee attempts to share a sensitive customer document via cloud storage, the system triggers an alert due to the potential risk of violating data protection policies. Let's compare how Basic and Advanced DLP systems would respond to this scenario.

Basic DLP: False Positive Behaviour

The DLP system identifies the employee's action as a potential violation and generates an alert for the Security Operations Center (SOC) team to investigate. The SOC team must then manually assess the incident to determine whether it is a false positive. This verification process can be time-consuming, diverting their focus from more critical security tasks and potentially resulting in alert fatigue.

Advanced DLP: ML-driven Potential False Positive Behaviour

An Advanced DLP system leverages machine learning to analyze past incidents and identify patterns. It can automatically categorize similar actions as potential false positives based on historical data, reducing the need for manual intervention and allowing the SOC team to prioritize their investigations more effectively and focus on real security risks.
