Data Loss Prevention Incident Response - Washington Release

Import · Jul 19, 2024 · video

Hi, my name is Pete KY and I am a senior outbound product manager with ServiceNow, and today I'm going to talk to you about our Data Loss Prevention Incident Response product for SecOps.

Organizations struggle to keep up with data loss prevention incidents that they must manually manage and rectify. Disparate products across an organization's infrastructure make managing these incidents difficult to track in a timely fashion, and can be even more frustrating for end users and their managers. Data Loss Prevention Incident Response, otherwise known as DLP IR, is part of ServiceNow Security Operations, which gives your organization the power to integrate with data loss prevention products to import incidents from multiple sources, including endpoint, network, email and cloud, into a single platform. Then, using a remediation workflow, we can automatically assign incidents to end users, managers and DLP analyst team members, with automated incident assignment and escalation, all using intuitive, easy-to-use workspaces designed specifically to make managing and reporting this work easy.

First, by enabling the API integration with third-party solutions like Symantec DLP or Microsoft Purview, ServiceNow can import incidents for endpoint, network, cloud and email into the platform and then invoke DLP assignment and remediation workflows involving end users (or employees), managers and analysts. DLP Incident Response also allows administrators the ability to define and filter which DLP incidents will be imported into the ServiceNow instance, based upon the requirements of the organization. DLP administrators can also configure email templates for coaching and communication with end users, and provide comprehensive reporting on incident trends. They can also change what data is visible to end users in their DLP incidents, so exposure to sensitive data can be controlled and limited where needed, and also to the appropriate scope and when it's needed. Incidents can be escalated up the chain of command; DLP administrators can define the escalation criteria for different types of incidents, such as by criticality or by the amount of time passed without the DLP incident being actioned by the user. Furthermore, analysts can also log into their own workspace to view the state of DLP across their enterprise and respond to the different incidents directly when needed.

Finally, DLP Incident Response reduces the burden on the DLP analyst: essentially, many DLP incidents are generated due to error on the end user's part, and now those incidents can be assigned directly to the end users, and email templates can be used either as a weekly digest or whenever the incidents are discovered, with why the incident was generated and how to resolve it. Analysts can also attach assessments to be answered by end users, so the analyst has a more granular and knowledgeable view of why the end user took the actions that they did, and to rectify those actions that need to be accepted by organizational policies.

Let's start with the DLP analyst workspace first, and then we can see what the end user workspace looks like afterwards. The DLP analyst workspace is designed to give the people responsible for managing incidents a holistic view of data loss incidents in their environment. It shows DLP analysts a wealth of information, including open incidents by severity, top DLP offenders, open incidents by DLP policy, scan source and more. We can even drill into these reports to see additional details. For example, let's look at critical open incidents. This filtered list shows us information about all the critical open incidents, including the policy name, state, severity and more. Let's look at one of the incidents in specific. This shows the specific details about the incident, including the scan source type, what triggered it and who it's assigned to. This particular incident was assigned to the end user Danny Watson based on assignment rules the DLP admin had set up. Let's go take a look at those assignment rules now.

Here you can see the assignment rules for end users that the DLP administrator has set up. The administrator has decided that low severity DLP incidents should go directly to the end users for action, as they're easier to answer and typically have a high rate of valid use. But we don't want to make that assumption for every incident, so the administrator uses these automated assignment rules to assign low severity incidents immediately to the end user to action. Conditions allow your organization to build out the assignment rules per the policies that your organization has set, by creating conditions to direct DLP incidents to go to the right parties, be it your end user, managers or even a user group.

The administrator might also want to limit what the end user can see about these files, as they've decided it's not necessary for the end user to have all those details. Let's look at those field restrictions. Administrators know that the data that is captured by third-party DLP software is much more holistic and comprehensive than an end user typically needs to see. That data is vital for their analysts to be able to make informed decisions and ensure that DLP policies are being followed, but would make things far more complicated for end users who may not interact with their DLP workspace daily. Here are the field restrictions that have been set up for this environment. We can see that the administrator has decided to limit these fields to be visible to end users specifically, so these end users can only see these fields when they reply to a DLP incident.

But sometimes we need more information from our end users, and that's where assessments can be helpful. Assessments are completely optional, but if your organization chooses to use them, they can be a powerful tool to get insights from your end users on why they chose to send data out of your controlled environments, as well as ensuring that they are following organizational policies when it comes to acceptable reasons for data being sent outside. Assessments can be built and configured using our assessment builder, and your organization can tailor them however they see fit, be it a general assessment that you might always want an end user to reply to as part of the incident process or, if needed, specialized assessments that are only relevant to specific incidents, such as being based upon the criticality of a DLP incident. These are powerful tools that can help your organizational needs for audits and other policies that your organization wants more granular detail on. We'll want to see how these assessments work later on, so we're going to assign an assessment to Danny Watson here, so we can see what it looks like from his end later on.

Let's make sure we're not letting anything else slip through the cracks as an administrator, and look at response due dates next. DLP administrators and managers of end users want to make sure that if there are any DLP incidents that are pending action by end users, they don't get forgotten in the mix of the myriad of daily activities that end users have. Here we see a rule that will escalate DLP incidents that aren't actioned within 7 days of the end user being notified. Rules like these ensure that, if there are delays in tasks assigned to end users, managers, via this tool and its ability to define rules around dates and conditions as you can see here, make sure that end users don't ignore DLP incidents that could harm the organization.

But enough of the administrative side of things; let's see what the end user experience is like in DLP. We're now logged in as the end user Danny Watson. As Danny, we can see we have a few important details when I log into the end user workspace: we have a list of all the incidents that are due in the next 7 days, what are critical incidents, and also what pending assessments or newest incidents I have this week. In these tabs we have a lot of very useful information, things like policy name and, for each incident, the contextual-based severity assigned to them and the scan source. They can also show a file location, if applicable.

Let's look at the same DLP incident that we saw as the analyst. Note that the end user view is different from the analyst view, because the DLP administrator set up field restrictions for end users, limiting the amount of content that they can see. Remember, giving an end user all the information that an analyst has access to about a DLP incident isn't necessarily needed, and curating the information space can help end users reply quicker, with more speed and accuracy. We can add attachments by clicking this attachment button, so in this case, maybe Danny had an exception from management; he could attach that email here. We also spoke about the need for analysts to gather more information from end users by using assessments. We can see here that an assessment has been attached earlier, that we did as the administrator, to this incident. These assessments are completely customizable: you can do it by choice, by date or list or attachment, and a bevy of other options that are available when these are set up. These assessments allow organizations to tailor them, meeting auditing requirements that might be placed upon them by internal or external bodies with oversight.

Lastly, there are these quick response buttons that we see up here. These quick response buttons are customized by the DLP administrator, and Danny could tell the DLP analyst that the incident was a false positive or a wrong owner, as seen here. Once the proper selection is made, we can enter detailed notes, and that submission will be recorded by the system and replied back to the analyst.

This was a brief overview of Data Loss Prevention Incident Response for ServiceNow Security Operations. You can see how DLP IR can help optimize and speed up your response to data loss incidents by improving employee response and knowledge, managing escalated events, tracking down repeat offenders, controlling restricted data, and more.
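To make the three controls the demo walks through concrete (severity-based assignment rules, end-user field restrictions, and the 7-day response-due-date escalation), here is an added illustrative model in Python. It is not ServiceNow code and does not come from the video; every field name, rule condition, party name and sample value in it is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the three controls shown in the demo (assignment
# rules, end-user field restrictions, response-due-date escalation).
# Illustrative code, not ServiceNow's implementation: all field names,
# rule conditions, party names and sample values are assumptions.

@dataclass
class Incident:
    number: str
    policy: str
    severity: str          # "low", "medium", "high" or "critical"
    scan_source: str       # "endpoint", "network", "email" or "cloud"
    file_location: str
    matched_content: str   # sensitive detail analysts see but end users should not
    notified_at: datetime  # when the assignee was notified
    actioned: bool = False
    assigned_to: str = "dlp_analysts"

# Ordered assignment rules: the first condition that matches wins.
# The demo's policy: low severity goes straight to the end user.
ASSIGNMENT_RULES = [
    (lambda i: i.severity == "low", "end_user"),
    (lambda i: i.severity == "medium" and i.scan_source == "email", "manager"),
]

def assign(incident: Incident) -> str:
    """Route the incident to the first matching party, else to the analyst group."""
    for condition, target in ASSIGNMENT_RULES:
        if condition(incident):
            incident.assigned_to = target
            return target
    incident.assigned_to = "dlp_analysts"
    return incident.assigned_to

# Field restrictions: the only fields an end user may see on their incident.
END_USER_VISIBLE_FIELDS = {"number", "policy", "severity", "scan_source", "file_location"}

def end_user_view(incident: Incident) -> dict:
    """Project the incident onto the end-user-visible fields only."""
    return {k: v for k, v in vars(incident).items() if k in END_USER_VISIBLE_FIELDS}

def needs_escalation(incident: Incident, now: datetime, sla_days: int = 7) -> bool:
    """Escalate end-user incidents left unactioned for more than sla_days after notification."""
    return (incident.assigned_to == "end_user"
            and not incident.actioned
            and now - incident.notified_at > timedelta(days=sla_days))
```

The point of `end_user_view` is that the analyst-only field (`matched_content`) never reaches the end user's workspace, while `needs_escalation` only fires for incidents that are still sitting with the end user.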

Original source: https://www.youtube.com/watch?v=UyzaszW0XxY