Are you protecting your data at rest and in transit?
In this session we will go through all the different types of DLP in Microsoft Purview including endpoint, Exchange, Teams, SharePoint, OneDrive, and more. We will discuss the configuration options, why it is important, and the best practices to get started while going through a collection of demos.
You will leave this session with a deeper understanding of the technology and how it can impact your employees' experience.
4. What is Microsoft Purview
Deep dive into Microsoft Purview Data Loss Prevention
365EduCon Chicago 2023 #365EduCon
• Understand & govern your data
• Safeguarding your data
• Improve risk and compliance
• Demos on Demos
5. Data usage is evolving and complex, moving outside of the traditional borders of business
6. 93% of data within an organization is dark
Year over year, the amount of data available doubles
Organizations lack visibility into their data
8. We live in a hybrid technology environment
90% of organizations are multi-cloud
80% find it hard to manage fragmented compliance and risk related solutions
80% of decision makers have purchased multiple products to meet compliance and data-protection needs
9. Microsoft Purview
Microsoft Purview is a comprehensive set of solutions which help organizations govern and protect data across their multi-cloud, multi-platform data environment, while meeting the compliance requirements they are subject to.
11. Purview branding simplification (old name -> new name)
Azure Purview portal -> Microsoft Purview Governance Portal
Azure Purview Data Map -> Microsoft Purview Data Map
Azure Purview Data Catalog -> Microsoft Purview Data Catalog
Azure Purview Data Insights -> Microsoft Purview Data Estate Insights
Microsoft 365 compliance center -> Microsoft Purview Compliance Portal
Microsoft Information Governance -> Microsoft Purview Data Lifecycle Management
Records Management in Microsoft 365 -> Microsoft Purview Records Management
Microsoft Information Protection -> Microsoft Purview Information Protection
Office 365 Data Loss Prevention -> Microsoft Purview Data Loss Prevention
Insider Risk Management -> Microsoft Purview Insider Risk Management
Communication Compliance -> Microsoft Purview Communication Compliance
Compliance Manager -> Microsoft Purview Compliance Manager
Core eDiscovery in Microsoft 365 -> Microsoft Purview eDiscovery (Standard)
Advanced eDiscovery in Microsoft 365 -> Microsoft Purview eDiscovery (Premium)
Basic Audit in Microsoft 365 -> Microsoft Purview Audit (Standard)
Advanced Audit in Microsoft 365 -> Microsoft Purview Audit (Premium)
12. Microsoft Purview
Understand & govern data: manage visibility and governance of data assets across your environment
Safeguard data, wherever it lives: protect sensitive data across clouds, apps, and devices
Improve risk & compliance posture: identify data risks and manage regulatory compliance requirements
Microsoft ecosystem: support for multi-cloud, hybrid, SaaS data | Third-party/partner ecosystem
14. Purview Data Loss Prevention
• Cloud native with built-in protection in Microsoft 365 apps, services, and Windows endpoints - no on-premises infrastructure or agents needed
• Balance protection and productivity with granular policy controls and manage DLP policies for all workloads from a single location
• Leverage classification and user activity insights to better inform DLP policies and benefit from integrated incident management
15. What if you don't?
• Data Breaches
• Financial loss
• Reputation Damage
• Regulatory Non-Compliance
• Loss of Intellectual Property
• Employee Errors & Insider Threats
• Loss of Customer Data & Trust
Implementing effective DLP measures is crucial to safeguard sensitive data and mitigate these risks.
16. Do you have a strategy?
Do you know where your business critical and sensitive data resides and what is being done with it?
Do you have control of this data as it travels inside and outside of your organization?
Are you using multiple solutions to classify, label, and protect this data?
17. Top data security risks
Data security incidents are widespread: 83% of organizations experience more than one data breach in their lifetime [1]
Malicious insiders account for 20% of data breaches, adding to costs: $4.18M average cost of a data breach with a malicious insider [2]
Organizations are struggling with a fragmented solution landscape: 80% of decision makers purchased multiple products to meet compliance and data protection needs [3]
20. Planning DLP Plan
Identify Stakeholders: Determine who within the organization needs to be involved, including IT, legal, compliance, and business representatives.
Define Objectives: Clearly outline the goals and objectives of the Purview DLP deployment, including what types of data you need to protect and WHY.
Regulatory Compliance: Identify and understand relevant data protection regulations and compliance requirements for your organization or industry.
Data Classification: Develop a data classification scheme to categorize data by sensitivity that can be used within DLP policies to identify and protect your most sensitive data.
Budget and Resources: Allocate the necessary budget and resources for the Purview DLP deployment.
Implementation Plan: Map starting state to end state and how to test, train, deploy, and operationalize.
Policy Framework: Begin outlining the DLP policy framework including key scenarios, such as financial data exfiltration, which will be developed further in the next phases.
21. Planning DLP Policies
• What: Office documents
• Who: Everyone
• Where: OneDrive, SharePoint, Teams
• Conditions: HIPAA template
• Actions: Restrict access and trigger alert
A good practice is to describe a policy with intent in words:
"We're a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPAA that are stored in OneDrive/SharePoint and to protect against that information being shared in Teams chat and channel messages and restrict everyone from sharing them with unauthorized third parties."
Plan
22. Planning DLP Policies
What sensitive items are most important to start your first policy?
• PII/PHI
• PCI
• GDPR
Where are your sensitive items and what business process are they in?
• Exchange email
• SharePoint sites
• OneDrive accounts
• Teams chat and channel messages
• Windows 10, 11 and macOS devices
• Microsoft Defender for Cloud Apps
• On-premises repositories
Location is a KEY driver for constructing your policy
Plan
23. Building DLP Policies
Per location: whether admin units are supported, what the include/exclude scope is, which data state is covered, and whether additional prerequisites apply.

Exchange
  Supports admin units: Yes
  Include/exclude scope: Distribution groups; Security groups; Non-mail enabled security groups; Dynamic distribution lists; Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-motion
  Additional prerequisites: No

SharePoint
  Supports admin units: No
  Include/exclude scope: Sites
  Data state: data-at-rest, data-in-use
  Additional prerequisites: No

OneDrive
  Supports admin units: Yes
  Include/exclude scope: Distribution groups; Security groups; Non-mail enabled security groups; Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-at-rest, data-in-use
  Additional prerequisites: No

Teams chat and channel messages
  Supports admin units: Yes
  Include/exclude scope: Distribution groups; Security groups; Non-mail enabled security groups; Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-motion, data-in-use
  Additional prerequisites: No

Microsoft Defender for Cloud Apps
  Supports admin units: No
  Include/exclude scope: Cloud app instance
  Data state: data-at-rest
  Additional prerequisites: Yes

Devices
  Supports admin units: Yes
  Include/exclude scope: Distribution groups; Security groups; Non-mail enabled security groups; Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-use, data-in-motion
  Additional prerequisites: Yes

On-premises repositories (file shares and SharePoint)
  Supports admin units: No
  Include/exclude scope: Repository
  Data state: data-at-rest
  Additional prerequisites: Yes

Power BI
  Supports admin units: No
  Include/exclude scope: Workspaces
  Data state: data-in-use
  Additional prerequisites: No
Build
24. Building DLP Policies
Rules are the key to DLP policies. A policy contains one or more rules. Rules are executed sequentially, starting with the highest-priority rule in each policy. A rule consists of:
• Conditions that, when matched, trigger the policy
• Actions to take when the policy is triggered
• User notifications to inform your users when they're doing something that triggers a policy and help educate them
• User overrides which, when configured by an admin, allow users to selectively override a blocking action
• Incident reports that notify admins and other key stakeholders when a rule match occurs
• Additional options which define the priority for rule evaluation and can stop further rule and policy processing
Build
25. Building DLP Policies
DLP Rule Conditions: conditions are where you define what you want the rule to look for and the context in which those items are being used.
• Content contains
  • SITs, labels, trainable classifiers
• Big differences between locations
  • Email supports the most
  • OD/SPO similar
  • Teams limited
  • Device includes service domains
• Combine conditions with AND/OR
DLP Rule Actions: actions occur after conditions are met and depend on the locations that have been selected.
• EXO/OD/SPO/Teams
  • Restrict access or encrypt the content in Microsoft 365 locations
  • Block everyone or only external users
  • Only email supports more (e.g. encryption)
• Audit/Block actions on devices (e.g. print)
• Power BI limited to alerts/notifications
Build
26. Building DLP Policies
DLP user notifications through emails and in-context policy tips (dependent on location again):
• Emails can only be sent to individuals
• Can show up in Outlook, Office clients, and M365 services
• Notifications can use parameters like %%AppliedActions%% and emails can be HTML based
• Only the policy tip from the highest priority, most restrictive rule will show
• Not all SITs support policy tips
Build
27. Building DLP Policies
User overrides allow users to bypass a block, with justification, so they can continue their work
• Set per rule
• Requires a block action to be set in the policy
• Good when initially rolling out, for false positive identification
• Require business justification: the justification is logged for audit
• Report false positive: the report is also logged for audit
Build
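The slide-21 intent statement, built as code the way slides 24 to 27 describe (two prioritized rules, policy tips with %%AppliedActions%%, an override with justification, test mode first). This is an added example, not from the 365EduCon deck or from Microsoft; it uses the Security & Compliance PowerShell cmdlets and assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a compliance-admin role. The policy and rule names, counts, confidence levels and the incident-report mailbox are made up.

```powershell
# Added example, not from the 365EduCon deck or from Microsoft: the slide-21
# intent statement turned into a policy with the Security & Compliance
# PowerShell cmdlets. Assumptions: the ExchangeOnlineManagement module is
# installed, the signed-in account holds a Compliance Administrator role,
# and every name, count, threshold and email address below is made up.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # interactive sign-in to Security & Compliance PowerShell

# Name by service; a policy cannot be renamed afterwards (slide 40).
$policyName = 'DLP-HIPAA-SPO-OD-Teams'

# Where + Who: all SharePoint sites, OneDrive accounts and Teams messages.
# Start in test mode without policy tips (slide 29).
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect PHI in Office documents in SharePoint/OneDrive and stop sharing with unauthorized third parties, incl. Teams' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithoutNotifications

# What: built-in sensitive information types that the HIPAA template also uses.
# Counts and confidence levels are illustrative choices, not recommended values.
$phiLow = @(
    @{ Name = 'U.S. Social Security Number (SSN)';    minCount = '1';  minConfidence = '85' },
    @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = '1';  minConfidence = '85' }
)
$phiHigh = @(
    @{ Name = 'U.S. Social Security Number (SSN)';    minCount = '10'; minConfidence = '85' }
)

# Shared policy-tip text; %%AppliedActions%% is expanded by DLP (slides 26, 40).
$tip = 'This item contains protected health information. Action taken: %%AppliedActions%%'

# Rule 1, priority 0 (evaluated first): high volume shared outside the org ->
# block everyone, raise a high-severity alert, and stop processing further rules.
New-DlpComplianceRule -Name "$policyName-HighVolume-External" -Policy $policyName `
    -Priority 0 `
    -ContentContainsSensitiveInformation $phiHigh `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText $tip `
    -GenerateAlert $true -ReportSeverityLevel High `
    -GenerateIncidentReport 'dlp-incidents@contoso.example' -IncidentReportContent Default `
    -StopPolicyProcessing $true

# Rule 2, priority 1: any PHI shared outside the org -> block, but let the user
# override with a business justification or report a false positive (slide 27);
# both choices are written to the audit log.
New-DlpComplianceRule -Name "$policyName-LowVolume-External" -Policy $policyName `
    -Priority 1 `
    -ContentContainsSensitiveInformation $phiLow `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText $tip `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -GenerateAlert $true -ReportSeverityLevel Medium

# Review what was created, in evaluation order.
Get-DlpComplianceRule -Policy $policyName | Sort-Object Priority |
    Format-Table Name, Priority, BlockAccess -AutoSize
```

Once the pilot group has confirmed the matches are real (slide 30), the policy moves along the deck's Deploy/Enable path with `Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications` and finally `-Mode Enable`; the rules themselves do not change between the phases, only the policy mode does.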
29. Deploying DLP Policies
• All activity is available in activity explorer as long as the policy is not turned off
• Start in test mode without policy tips
• Move to test mode with policy tips for a pilot group
• Admin tracks activities and views alerts
• Update policies/rules/user notifications based on what was found in the initial deployment
A rushed deployment can negatively impact business processes
Deploy
30. Tuning DLP policies Tune
Initial tuning is crucial to ensure you really are identifying and protecting sensitive data
• Utilize the activity explorer to investigate rule matches per policy
• Use CloudAppEvents table if using Sentinel
• Talk to your pilot users and ensure you use real documents with sensitive data to test
31. Enabling DLP Policies Enable
• Send any communications identified, notifying users
• Ensure your policy documentation is updated and update the "Learn more" URL to point to it (EXO)
• Implement a plan to operationalize incident management
• RACI & permissions
• Monitor activity initially after enablement to validate that conditions match as expected
Enablement is the pushing of policies to all users/devices that require the policy
32. Monitoring DLP Policies Monitor
• Continue to use activity explorer and the audit log or the CloudAppEvents table
• Custom SITs with regex or EDM can take a lot of monitoring and adjustment
• Build knowledge articles for the service desk for when users see DLP actions/tips
• Have a plan for exception management with an approval process in place
• Set up metrics or workbooks to show successes, overrides, etc. by user/location
• Microsoft Purview Advanced Rich Reports (MPARR)
DLP policies are never complete!
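A starting point for the metrics slide 32 asks for (matches versus overrides per user and location), pulled from the unified audit log that slide 32 names as a monitoring source. This is an added example, not from the 365EduCon deck or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, the signed-in account can search the audit log, and that the DLP record types, operation names and AuditData properties used below are as the author of this example knows them. The seven-day window and the CSV file name are made up.

```powershell
# Added example, not from the 365EduCon deck or from Microsoft: a weekly
# matches-vs-overrides summary per user and workload from the unified audit log.
# Assumptions: ExchangeOnlineManagement is installed, the account can search the
# audit log, and the record types / operation names / AuditData property names
# below are those of DLP audit events as this example's author knows them.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline     # Search-UnifiedAuditLog is an Exchange Online cmdlet

$end   = Get-Date
$start = $end.AddDays(-7)

# DLP record types: Exchange, SharePoint/OneDrive and Endpoint DLP (assumed
# names). Search-UnifiedAuditLog filters on one record type per call, so loop.
$recordTypes = 'ComplianceDLPExchange', 'ComplianceDLPSharePoint', 'DLPEndpoint'

$events = foreach ($rt in $recordTypes) {
    # ReturnLargeSet pages through the result set for a given session id.
    $sessionId = "dlp-metrics-$rt-$([guid]::NewGuid())"
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -RecordType $rt -ResultSize 5000 `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet)
        $page
    } while ($page.Count -eq 5000)
}

# Flatten the JSON payload to the handful of fields the metrics need.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        User      = $d.UserId
        Workload  = $d.Workload      # e.g. Exchange, SharePoint, OneDrive, Endpoint (assumed values)
        Operation = $d.Operation     # DlpRuleMatch, DlpRuleUndo (override / false-positive report), DlpInfo, endpoint activities
        # PolicyDetails is the Exchange/SharePoint DLP schema (assumption); endpoint records may lack it.
        Policy    = if ($d.PolicyDetails) { ($d.PolicyDetails.PolicyName | Select-Object -Unique) -join ';' } else { '' }
    }
}

# One line per user and workload: how often DLP fired and how often the user overrode it.
$summary = $rows | Group-Object User, Workload | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        User        = $g[0].User
        Workload    = $g[0].Workload
        Matches     = @($g | Where-Object Operation -eq 'DlpRuleMatch').Count
        Overrides   = @($g | Where-Object Operation -eq 'DlpRuleUndo').Count
        OtherEvents = @($g | Where-Object { $_.Operation -notin 'DlpRuleMatch', 'DlpRuleUndo' }).Count
        Policies    = ($g.Policy | Where-Object { $_ } | Select-Object -Unique) -join ';'
    }
}

# Users with many overrides relative to matches are the first place to look for
# a noisy rule (slide 30) or for an exception that needs the approval process (slide 32).
$summary | Sort-Object Overrides, Matches -Descending | Format-Table -AutoSize

# The same table feeds a workbook or the service-desk knowledge base.
$summary | Export-Csv -Path ".\dlp-metrics-$($end.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

The unified audit log has to be turned on for the tenant for this to return anything, and audit records arrive with a delay, so the window should end a little before "now" when the numbers are used for reporting rather than exploration.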
34. Endpoint DLP Deeper Dive
Available for Windows 10/11 and macOS once devices are onboarded into Purview. Onboarding can be done via Defender, script, GPO, Intune, or SCCM, after which the devices start to return data in activity explorer.
Just-in-time protection: a candidate policy blocks all egress until policy evaluation completes successfully; this applies to new files as well as stale files. Available in audit mode.
Endpoint DLP settings:
• Advanced classification
• File path exclusions for Windows/Mac
• Set up evidence collection
• Restricted apps and app groups
• Unallowed Bluetooth apps
• Browser and domain restrictions
• Printer groups
• Removable USB and network share groups
36. Adaptive protection
• Utilizes IRM (Insider Risk Management) to determine the risk level of a user, e.g. an admin account that downloads excessive information for a week = high risk
• Continuously maintained
• Lock down high-risk users while still allowing regular business
• Allow PII to be sent because we NEED to, but block it if the user is at risk
Automatically changes DLP policy actions based on that risk level
37. Investigating alerts & incidents
• DLP alerts are currently in BOTH the Defender and Purview portals, but Defender is recommended
• Utilize counts to prevent alert flooding
• KQL is your friend with advanced hunting
• Grant minimal access – IP Analyst or View Only DLP Compliance Management
39. Other DLP stuff
• Third-party DLP includes Box/Dropbox/Salesforce/GSuite/Citrix, utilizing MDCA (Microsoft Defender for Cloud Apps)
• There is a Symantec DLP to Purview DLP converter
• EXO/Purview DLP policies work together, but EXO takes precedence, including policy tips
• New DLP analytics are in preview to help with insights for improvement
• On-premises DLP requires MIP scanner deployment
• Sensitivity labels can be used across services for DLP
• New Test-DlpPolicies cmdlet to see which specific files per site would trigger a policy
40. Purview DLP Lessons from the field
• Chrome & Firefox Purview extension = good
• Build and name policies by service, as they can't be renamed - KISS
• Utilize Information Protection roles for RBAC
• MDEClientAnalyzer is… awesome for debugging
• Understand / vs /* for exclusions
• Exact Data Match (EDM) works!
• Policy tips are COMPLICATED between web/client
• Use variables like %%AppliedActions%%
• Ensure URLs open if using Endpoint DLP
41. Safeguarding data examples
• Block an email or document from being shared externally: utilize Exchange, SharePoint, and OneDrive DLP policies
• Stopping sensitive data sharing in Teams internally and externally: utilize Teams DLP policies, sensitivity labels for containers, and sensitivity labels with encryption for files
• Prevent a file from being copied from an endpoint to a non-approved location: utilize Endpoint DLP for Windows and macOS
43. Utilizing a crawl-walk-run strategy
• Allows you to start without having it all figured out
• Allows for incremental improvements
• Eases information workers into the world of protection and retention
• Some protection and retention is better than nothing
44. Where and how to start
• Learn about the technical capabilities within Purview DLP
• Identify REAL scenarios or challenges that Purview DLP can solve
• Assign Purview ownership by solution and get permissions set up
• Identify competing DLP solutions with a solution rationalization
• Build a Purview DLP roadmap aligned to your overall product, M365, or security roadmap