
Microsoft 365 Data Loss Prevention (DLP): Capabilities, Limitations & Solution

Organizations today hold sensitive information such as financial data, proprietary data, trade secrets, credit card numbers, customer information, employee data and protected health information (PHI). That data is constantly at risk from threats such as phishing, ransomware and other malware, human error, malicious insiders, and configuration and sync errors. A recent IDC survey shows that a staggering 79% of companies have experienced at least one cloud data breach in the past 18 months. And the Code42 2021 Data Exposure Report reveals that employees today are 85% more likely to leak files than they were pre-pandemic.

The consequences of failing to protect confidential data can be catastrophic to your business. Therefore, having a comprehensive data protection strategy, such as for data loss prevention (DLP), is crucial to guard your company’s sensitive information against loss, theft, misuse and exposure.


What Is Data Loss Prevention (DLP)?

Data loss prevention, also known as data leak prevention, is a program that combines technologies, strategies and processes to keep an organization's sensitive information from being exposed to people who should not have it. The term also refers to the tools and techniques that let administrators monitor and control data as it is stored, used and transmitted, so that confidential content is not sent outside the organization, whether by accident or on purpose. DLP technologies help protect your data while it is in use, in motion and at rest.

SaaS apps like Microsoft 365 allow you to create, test and apply DLP policies to help protect your sensitive information and reduce the risk of intentional or accidental data disclosure.

Is DLP Included in Microsoft 365?

Microsoft 365 DLP is one of the Microsoft 365 Compliance tools that helps protect your sensitive information in use, in motion and at rest. Microsoft 365 Compliance includes Microsoft Information Protection (MIP) capabilities and tools that help you to know your data, protect your data and prevent data loss.

Know Your Data: Leverage MIP capabilities like sensitive information types, trainable classifiers and data classification to learn about your data landscape and discover critical data across your environment.

Protect Your Data: MIP capabilities like sensitivity labels, double key encryption, Office 365 Message Encryption (OME), service encryption with Customer Key, SharePoint Information Rights Management (IRM), Microsoft Cloud App Security, etc., allow you to apply protection measures including encryption, access restrictions and visual markings.

Prevent Data Loss: Use MIP capabilities, like data loss prevention, endpoint data loss prevention, Microsoft Compliance Extension and Microsoft 365 data loss prevention on-premises scanner (preview), to prevent accidental dissemination of sensitive information.

How Does Microsoft 365 DLP Work?

Microsoft 365 DLP policies are built from conditions and actions. Conditions describe the content to look for, most often by matching one of the many built-in sensitive information types (credit card numbers, passport numbers, health records and so on) or custom types you define for information specific to your business, optionally combined with context such as whether the item is being shared outside the organization. Actions describe what happens when a condition matches: depending on the rule, Microsoft 365 can show the user a policy tip, send a notification or incident report, or block the sharing or access attempt outright. This lets you protect your data from malicious actors and accidental dissemination, and helps you comply with industry regulations.

What Are Microsoft 365 DLP Policies?

Microsoft 365 DLP policies are preconfigured or customized sets of rules that monitor user activity involving sensitive information and take the protective actions your organization has chosen. The goal of these policies is to prevent inadvertent sharing of critical files and the data loss that follows.

Microsoft 365 DLP allows you to:

  • Warn users by displaying a pop-up policy tip when they try to share sensitive information inappropriately
  • Block users from sharing sensitive items but allow them to override the block, optionally requiring a business justification that is recorded with the override
  • Block sharing outright, with no override option
  • Lock and move sensitive items (for data at rest) to a secure isolated location
  • Hide sensitive information (for Teams chat)
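The policy tip, block and block-with-override behaviours above can be configured in the compliance center UI, but they map directly onto Security & Compliance PowerShell. The following is an added example, not code from the original post or from Microsoft: it creates a policy in test mode with two rules on the built-in Credit Card Number sensitive information type (a low-volume rule that blocks external sharing but lets the user override with a recorded justification, and a high-volume rule that blocks with no override), then switches the policy to enforcement once the test-mode matches have been reviewed. The policy, rule and tip text names are assumptions chosen for the example; the cmdlets and parameters are the documented ones from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original post): build a Microsoft 365 DLP policy with
# Security & Compliance PowerShell, start it in test mode, then enforce it.
# Requires the ExchangeOnlineManagement module and a compliance-admin account.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession          # interactive sign-in to Security & Compliance PowerShell

$policyName = 'PCI-CardData-Outbound'     # assumed name for this example

# 1. Policy: where it applies. TestWithNotifications shows policy tips and records
#    matches in the audit log and reports, but does not block anything yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect payment card numbers leaving the organization' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 2a. Low-volume rule (1-9 card numbers shared outside the org): policy tip, block,
#     but the user may override with a business justification that is recorded.
New-DlpComplianceRule -Name 'CardData-Low-ExternalShare' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1'; maxCount = '9' } `
    -AccessScope NotInOrganization `
    -NotifyUser 'Owner', 'LastModifier' `
    -NotifyPolicyTipCustomText 'This item contains payment card numbers. Remove them before sharing externally.' `
    -BlockAccess $true `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent 'Title', 'DocumentAuthor', 'Detections', 'Severity', 'Service' `
    -ReportSeverityLevel Medium `
    -Priority 1

# 2b. High-volume rule (10 or more card numbers): hard block, no override, high severity.
#     Priority 0 is evaluated before the low-volume rule.
New-DlpComplianceRule -Name 'CardData-High-ExternalShare' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '10' } `
    -AccessScope NotInOrganization `
    -NotifyUser 'Owner', 'LastModifier' `
    -BlockAccess $true `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent 'Title', 'DocumentAuthor', 'Detections', 'Severity', 'Service' `
    -ReportSeverityLevel High `
    -Priority 0

# 3. Confirm the policy and rules deployed (DistributionStatus becomes Success once
#    the workloads have picked the policy up; this can take some time).
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Workload, DistributionStatus
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Priority, BlockAccess, NotifyAllowOverride

# 4. After reviewing test-mode matches, false positives and overrides in the DLP
#    reports, turn enforcement on.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running a new policy in test mode first matters more than it looks: a blocking rule that fires on a legitimate business process (for example a finance mailbox that routinely exchanges card data with a payment processor) will stop work and train users to override everything. The override justifications and false-positive reports collected during the test period are the input for tightening the rule conditions before step 4.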

What Can Microsoft 365 DLP Policies Be Applied To?

With Microsoft 365 DLP, you can access several built-in templates to detect sensitive items like credit card numbers, social security numbers, bank account information, health records, passport numbers and other personally identifiable information (PII). It also allows you to customize conditions and rules to identify and detect information that you deem sensitive, thereby protecting that information.

Microsoft 365 DLP policies allow you to identify, monitor and protect critical data across:

  • Microsoft 365 services such as Teams, Exchange, SharePoint and OneDrive
  • Office applications such as Microsoft Word, Excel and PowerPoint
  • Windows 10 endpoints
  • Non-Microsoft cloud apps
  • On-premises file shares and on-premises SharePoint

Where Are the Microsoft 365 DLP Reporting Tools?

As DLP policies monitor content, match rules, apply protective actions and record user activity, they generate a large volume of event data. You can use that data to refine your policies and to decide which actions are appropriate for particular kinds of sensitive items. The events are first written to the Microsoft 365 Compliance center audit log; after processing they flow into several reporting tools, each with a different purpose.

Microsoft DLP Alerts Dashboard

When a DLP policy takes protective action on a sensitive item, it can raise a configurable alert. Rather than letting these alerts pile up in a mailbox, the Microsoft 365 Compliance center collects them in the DLP Alerts Management Dashboard, where you can configure alerts, review and triage them, and track each alert through to resolution.

An example of alerts generated by policy matches and user activities is shown below.

A Microsoft DLP alert screen for a policy match.

Source: Microsoft

Microsoft DLP Alerts dashboard also allows you to view details of the associated event with rich metadata. An example is shown below.

Event details in the Microsoft DLP alert dashboard.

Source: Microsoft

Microsoft DLP Reports

Once you have defined and created DLP policies, you must make sure they work as expected. The DLP reports in the Security & Compliance Center allow you to view:

  • DLP Policy Matches: This report shows the number of policy matches over time. You can filter the report by date range, location, policy or action. With this report, you can fine-tune your DLP policies, view the specific rule that matched the content, identify business processes that violate your organization’s DLP policies and more.
  • DLP Incidents: Similar to DLP Policy Matches, this report also shows policy matches over time, but at an item level. The DLP Incidents report is ideal for detecting specific pieces of content that violate your DLP policies.
  • DLP False Positives and Overrides: This report shows a count of instances where your DLP policy allowed users to override it or report a false positive. You can filter the report by date, location or policy. You can use this report to refine your DLP policies, view user justifications and identify where your DLP policies conflict with valid business processes.

Microsoft DLP Activity Explorer

The Microsoft DLP Activity Explorer provides a historical view of the actions taken on your labeled content (items carrying sensitivity labels or retention labels). The activity information is collected from the Microsoft 365 unified audit log and covers up to 30 days' worth of data. Activity Explorer also gathers DLP policy match events from Exchange Online, SharePoint Online, OneDrive, Teams chat, on-premises SharePoint folders and libraries, on-premises file shares and Windows 10 devices via Endpoint DLP.

You can sort the report using more than 30 different filters including date range, activity type, location, user, sensitivity label, DLP policy, etc. Understanding the actions that have been taken on your labeled content helps to verify if the controls you have applied are effective.
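Both the reporting tools described above and Activity Explorer are fed from the unified audit log, so the same events can be pulled directly when you need them in a SIEM, a ticket, or a weekly review that the built-in views do not cover. The following is an added example, not code from the original post or from Microsoft: it pages through a week of DlpRuleMatch and DlpRuleUndo (user override) events with Search-UnifiedAuditLog, flattens the nested PolicyDetails/Rules structure of the audit record into one row per rule match, and summarizes matches per policy and rule and overrides per user. The session name and output file are assumptions; the property names inside AuditData follow the DLP audit schema but should be checked against a record from your own tenant, since some fields (such as the file name or subject) are only present for the workload that produced the event.

```powershell
# Added example (not from the original post): export and summarize DLP rule matches
# from the unified audit log. Requires the ExchangeOnlineManagement module;
# Search-UnifiedAuditLog is an Exchange Online cmdlet, hence Connect-ExchangeOnline.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# A single call returns at most 5,000 records, so page with a session ID until a
# page comes back short. The session ID is an arbitrary string (assumed here).
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations 'DlpRuleMatch', 'DlpRuleUndo' `
        -SessionId 'dlp-weekly-review' -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON blob. For DLP events it nests PolicyDetails -> Rules ->
# ConditionsMatched, so one record can describe several rule matches.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    foreach ($p in $d.PolicyDetails) {
        foreach ($rule in $p.Rules) {
            # SensitiveType is the GUID of the sensitive information type;
            # map it to a display name with Get-DlpSensitiveInformationType if needed.
            $sits = $rule.ConditionsMatched.SensitiveInformation |
                ForEach-Object { '{0}:{1}' -f $_.SensitiveType, $_.Count }
            [pscustomobject]@{
                Time      = $r.CreationDate
                Operation = $r.Operations         # DlpRuleMatch or DlpRuleUndo
                Workload  = $d.Workload           # Exchange, SharePoint, OneDrive, Teams...
                User      = $r.UserIds
                Policy    = $p.PolicyName
                Rule      = $rule.RuleName
                Severity  = $rule.Severity
                Actions   = ($rule.Actions -join ',')
                SITs      = ($sits -join ';')
                Item      = if ($d.SharePointMetaData) { $d.SharePointMetaData.FileName }
                            else { $d.ExchangeMetaData.Subject }
            }
        }
    }
}

# Matches per policy and rule: rules that fire far more than expected usually mean
# a condition is too broad (for example a count threshold that is too low).
$rows | Where-Object Operation -eq 'DlpRuleMatch' |
    Group-Object Policy, Rule | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Overrides per user: repeated overrides by the same people point at a business
# process the policy conflicts with, or at a user who needs a closer look.
$rows | Where-Object Operation -eq 'DlpRuleUndo' |
    Group-Object User | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Keep the flattened rows for the incident record or for ingestion elsewhere.
$rows | Export-Csv -Path '.\dlp-matches-last7d.csv' -NoTypeInformation
```

The 30-day window mentioned for Activity Explorer applies to that view; the audit log itself retains records for the period set by your licensing and retention policies, so for anything you want to keep longer than that, schedule an export like this one rather than relying on the dashboards.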

Limitations of Microsoft 365 DLP

Implementing Microsoft 365 data loss prevention is a good first step towards minimizing the risk of accidental information disclosure. However, DLP policies only act on content that matches the conditions you have defined. They cannot protect you from accidental deletion, from the sharing of information that is not classified as sensitive, or from malicious behavior, viruses, malware and ransomware attacks, phishing and misconfiguration.

If you are operating with a limited budget or without qualified personnel on staff, an enterprise DLP solution may not be accessible. In such situations, Microsoft 365 DLP can provide some level of DLP coverage, which can reduce the probability of data loss and help maintain compliance to a certain extent. To get the most out of it, you must invest time to customize and appropriately configure policies, test them for accuracy and effectiveness, refine them until they produce the desired results, and rehearse your response to a simulated DLP incident.

Complete Microsoft 365 Data Protection With Spanning Backup

Microsoft takes extensive measures to reduce the risk of data loss within Microsoft 365 and has safeguards in place to protect your data from faults on its side. However, it cannot protect you from the actions of your own users, or from threats outside its control, and these account for the majority of data loss events.

Spanning Backup for Microsoft 365 helps prevent data loss by providing reliable backup and recovery for Exchange Online, SharePoint Online, OneDrive and Microsoft Teams. Spanning keeps your Microsoft 365 data safe and secure with industry-leading privacy, security and compliance. With unlimited storage space and an unrestricted retention policy guarantee, you can rest easy knowing that your valuable Microsoft 365 data is fully backed up and recoverable at all times.


*** This is a Security Bloggers Network syndicated blog from Spanning authored by Matt McDermott. Read the original post at: https://spanning.com/blog/microsoft-365-data-loss-prevention-dlp/