What Is It?
Data is the gold rush of this century, and it represents a tremendous amount of value to those that have it and those that want it. Data can be anything from personally identifiable information to intellectual property to a strategic advantage to information about vulnerabilities in systems. In the right hands, it represents incredible strength and advantages. In the wrong hands, it causes significant harm and disadvantage. It makes sense to take reasonable steps in safeguarding your data.
We have a heavily skewed view on preventing the loss of our data by implementing virtual fortresses around our information, focused on “keeping the bad guys out”. What if the “bad guys” were already inside your network, and these “bad guys” were not bad at all, but well-intentioned people doing bad things without realising it? A simplistic approach, I know, but bad things can and do happen to good people, accidental or otherwise. To some degree, it’s not always other people, but ourselves as well.
Sometimes we email private data with the best of intentions and without thinking about the consequences. We copy sensitive information onto portable media, keep the only copy of records on our local, unsynchronised storage, and upload data to complete online forms without fully understanding where it’s going, who has access to it, and where it could end up. We keep personally identifiable information such as credit card numbers, pictures of our licences, and passport details stored in easily accessible folders, and we neglect to back up relevant data.
The long and the short of it is that while we are very good at using, storing, and sending data, we are quite lax when securing it. I’m surprised that, for the value Data Loss Prevention (DLP) delivers, it’s only rated by the Australian Cyber Security Centre as “very good” in its Strategies to Mitigate Cyber Security Incidents. Whether you think of it as a nanny-state mentality or genuinely a valuable solution, DLP at least warrants consideration.
Thankfully, for those of us in the Microsoft ecosystem, we have access to a native DLP service available with specific subscriptions, most notably the E3 and E5 offerings, which also give access to a wealth of other valuable security tools. If the majority of your data resides in the Microsoft cloud, either in storage or in applications, then using the Microsoft 365 DLP offering makes good sense.
Where Do I Start?
I’m not saying that we’re trying to prevent the use of the data; just the loss of it. We must consider any channel that represents outbound data flow, and the two most prominent pathways are web and email. We all interact on websites, and we all send and receive emails. We must make sure we’re not accidentally exposing data, storing it insecurely, or transmitting it unsecured. DLP in your organisation can save you a lot of headaches. If you’re not sure where to begin, don’t be afraid to call in the experts.
Once you understand the type of data you have, where you keep it, and how you use it, it’s time to put together a plan. Consider how that data may leave your premises: uploaded to websites, sent by email, copied onto a USB drive, shared into cloud storage, printed out in hard copy, cut and pasted into documents, or any other way in which it leaves the boundaries of secure storage and communications.
One time when performing a vulnerability assessment at a large company, I picked a random page off a printer that had photocopies of driver’s licenses and passports along with names, addresses, phone numbers, dates of birth, and credit card details with expiry and CVV numbers! On my way to the manager’s office, I found an unoccupied cubicle with a logged-in laptop with the same information on the screen. Frightening how this could have gone!
How Do I Make It Work?
With a rough understanding of your data, it’s time to start putting your Microsoft 365 DLP solution to work, and you have several ways to approach this. I’d suggest starting with a current-state analysis: run a complete and absolute scan of your entire network, including every storage area, server, and workstation, to figure out where the data is. You will be surprised at the places it pops up and how many different copies there are. If you’re looking for an excellent tool for this job, then I would suggest Microsoft eDiscovery.
Next, now that you have identified the data, decide how you plan to be alerted about it and what to do about it. Do you want to be notified when data is about to be “lost” and, to take it a step further, have the system intervene to keep it from happening? When we say lost, we mean letting sensitive data leave your control by any of several means.
For example, this includes credit card details contained in a message such as an email, pasted into an uncontrolled document, or even printed without authorisation. We can also consider data copied to a USB stick, uploaded to personal cloud storage, or uploaded to a website. When a selected action occurs, DLP can detect it, notify you, and prevent it. Note it, report it, and save it. It’s your data…protect it!
As for Microsoft 365 DLP, we create and manage DLP policies on the “Data Loss Prevention” page in the Office 365 Security & Compliance Centre. DLP is applied through policies, and each policy is scoped to one or more Locations (Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams). Within a policy we then create Rules, each consisting of conditions and actions. Conditions match the content (such as a credit card number or passport number) and must be met before the rule is enforced. Actions define what happens when a condition is met (block, notify, etc.).
Let’s say I was worried about someone emailing my customer’s bank account numbers. I would go into the Security & Compliance Centre and define a policy consisting of a location (Exchange). Next, I set a rule with a condition based on Australia Bank Account Number (there are many to choose from, and you can create your own), and an action to block this and notify my management team. I could define multiple locations (say Teams to prevent someone from messaging it) and numerous rules (send an alert to my Azure Sentinel SIEM).
A feature I like in Microsoft 365 DLP is the Notification/Override setting. Call it a “hold up, wait a minute” policy. Use this setting when you want to notify and educate people about what they’re doing without unduly hindering their work. This way, you can let them know that what they’re doing is questioned (instead of slamming on the brakes and having the manager show up in their cubicle). You can also allow them to override the stoppage if they have a valid reason to do so. For example, if HR is sending an employee’s bank account number to payroll and it gets flagged, they can record their justification and continue.
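The bank-account scenario above, with the Notification/Override behaviour, expressed in Security & Compliance PowerShell as an added example (this is not code from the original post or from Microsoft’s documentation). It assumes the ExchangeOnlineManagement module is installed and that the account signing in holds a compliance administration role; the policy and rule names, the policy-tip wording, and the dlp-alerts@example.com address are placeholders. It goes a little beyond the text by creating the policy in test mode first, which is how you avoid the “productivity prevention” problem before switching it to enforcement.

```powershell
# Added example: the "Australia Bank Account Number" policy from the text,
# scoped to Exchange Online and Microsoft Teams, built with the Security &
# Compliance PowerShell cmdlets. Names and addresses are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'Block-AU-Bank-Account-Exfil'   # constructed name, not from the post

# Location: Exchange Online (email) plus Microsoft Teams (chat and channel messages).
# Mode TestWithNotifications shows users the policy tip and produces reports and
# alerts, but blocks nothing. Switch -Mode to Enable once the false positives
# (for example, legitimate HR-to-payroll traffic) have been reviewed.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect Australian bank account numbers leaving via email or Teams' `
    -ExchangeLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: Condition = content contains the built-in "Australia Bank Account Number"
# sensitive information type (at least one match) and is shared outside the org.
# Actions = block, notify the sender with a policy tip, allow override with a
# justification (the "hold up, wait a minute" behaviour), and raise an alert
# and incident report to the placeholder security mailbox.
New-DlpComplianceRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Australia Bank Account Number'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'This item appears to contain a bank account number. Confirm the recipient is authorised before sending.' `
    -NotifyAllowOverride 'WithJustification' `
    -GenerateAlert 'dlp-alerts@example.com' `
    -GenerateIncidentReport 'dlp-alerts@example.com' `
    -IncidentReportContent 'Title','Sender','Recipients','Severity','DetectionDetails' `
    -ReportSeverityLevel 'Medium'

# Check what was created and confirm the policy is still in test mode
# before anyone promotes it to Enable.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, ExchangeLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, BlockAccess, NotifyAllowOverride, ReportSeverityLevel
```

The same two cmdlets take -SharePointLocation and -OneDriveLocation if the policy should also cover documents at rest, and a second New-DlpComplianceRule call against the same policy is how you add the “numerous rules” mentioned above, such as a separate rule with a higher severity when many account numbers appear in one item.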
There is a lot more to DLP than I can discuss here, but I would encourage you to get in touch with us to understand how it can benefit your organisation. I see heavy use of DLP now that we’re all suddenly working remotely. Some schools have been deploying it to prevent sensitive information about staff, students, and parents from leaking as online classes become more commonplace, especially given the scale of Microsoft Teams deployments.
Interestingly, Microsoft Teams added DLP capabilities recently (chat and channel messages). This addition applies to the subscriptions “Office 365 Advanced Compliance”, “Office 365 E5”, and “Microsoft 365 E5 Compliance”. Right now, many organisations are adopting Teams as a work-from-home solution, so it is yet another channel through which data can leave your control. It was a timely addition by Microsoft if you ask me. As for Office 365 Advanced Compliance, it is included in those plans but is also available as a standalone solution.
Getting too over-exuberant with DLP can cause a few headaches and may deliver productivity prevention rather than data loss prevention. Be mindful of how the data is used and ensure that remains possible. The more roadblocks you throw up for someone, the more likely they are to find ways around them. People are very creative when they want to get their work done but can’t.
Make DLP an integral part of your security policy, so it is at least enforceable in the event you need to take it to the next level. Skilled defence lawyers have significant experience in finding loopholes in the way organisations run when it comes to wrongful dismissal or litigation proceedings if you mishandle someone’s data.
Ghosts in the Machine?
I once spoke with a vendor that demonstrated what he called the best DLP solution on the market. Without speaking, I pulled out my phone and took a picture of the “sensitive” data on the screen before him. The reaction was priceless, but so was the lesson learned: DLP is not absolute. Situational awareness and safe computing habits no machine can manage are paramount. Be aware always when handling critical data.
DLP is only a small cog in the bigger machine of your overall security strategy. While I disagree with the “Very Good” rating and think it should be “Excellent”, be sure that all your other layers in your defence-in-depth approach are solid. Thankfully, many of the vendors you use for the different layers also produce DLP solutions, so while you’re talking about the other systems, ask about DLP.
No doubt you have heavily invested in the Microsoft space already. While many of the industry-leading vendors offer compatible products that work exceptionally well, the Microsoft 365 DLP solution may benefit you by being a fully-integrated solution within the Microsoft ecosystem. As part of its suite of Information Protection offerings, the simplicity of integration and ease of operations may allow you to realise the full power of a DLP solution through your existing investments.
One more thing: DLP systems also provide some excellent intelligence for your Security Information and Event Management (SIEM) solution, and I have seen the reports used to drive end-user education. I’ve seen some organisations using Microsoft Azure Sentinel as their SIEM to this end and leveraging the robust Security Orchestration, Automation and Response (SOAR) capabilities Sentinel offers.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; do not rely on it as such. Obtain appropriate legal advice in actual situations. All images, unless otherwise credited, are licensed through Shutterstock.