Deep dive into Microsoft Purview Data Loss Prevention
365EduCon Chicago – 2023

Drew Madelung
Associate Director – M365 Cloud Applications
Email: drew.madelung@protiviti.com
Twitter: @dmadelung
Website: drewmadelung.com

What is Microsoft Purview
• Understand & govern your data
• Safeguarding your data
• Improve risk and compliance

Data usage is evolving and complex, moving outside of the traditional borders of business
Organizations lack visibility into their data
• Year over year, the amount of data available doubles
• 93% of data within an organization is dark
The landscape is fragmented, creating risks
• We live in a hybrid technology environment
• 90% of organizations are multi-cloud
• 80% find it hard to manage fragmented compliance and risk related solutions
• 80% of decision makers have purchased multiple products to meet compliance and data protection needs

Microsoft Purview
Microsoft Purview is a comprehensive set of solutions which help organizations govern and protect data across their multi-cloud, multi-platform data environment, while meeting the compliance requirements they are subject to.
Purview brings together solutions
Purview branding simplification (old name → new name)
• Azure Purview portal → Microsoft Purview Governance Portal
• Azure Purview Data Map → Microsoft Purview Data Map
• Azure Purview Data Catalog → Microsoft Purview Data Catalog
• Azure Purview Data Insights → Microsoft Purview Data Estate Insights
• Microsoft 365 compliance center → Microsoft Purview Compliance Portal
• Microsoft Information Governance → Microsoft Purview Data Lifecycle Management
• Records Management in Microsoft 365 → Microsoft Purview Records Management
• Microsoft Information Protection → Microsoft Purview Information Protection
• Office 365 Data Loss Prevention → Microsoft Purview Data Loss Prevention
• Insider Risk Management → Microsoft Purview Insider Risk Management
• Communication Compliance → Microsoft Purview Communication Compliance
• Compliance Manager → Microsoft Purview Compliance Manager
• Core eDiscovery in Microsoft 365 → Microsoft Purview eDiscovery (Standard)
• Advanced eDiscovery in Microsoft 365 → Microsoft Purview eDiscovery (Premium)
• Basic Audit in Microsoft 365 → Microsoft Purview Audit (Standard)
• Advanced Audit in Microsoft 365 → Microsoft Purview Audit (Premium)

Microsoft Purview
• Understand & govern data: manage visibility and governance of data assets across your environment
• Safeguard data, wherever it lives: protect sensitive data across clouds, apps, and devices
• Improve risk & compliance posture: identify data risks and manage regulatory compliance requirements
Microsoft ecosystem | Support for multi-cloud, hybrid, SaaS data | Third-party/partner ecosystem

Safeguarding your data with DLP

Purview Data Loss Prevention
• Cloud native, with built-in protection in Microsoft 365 apps, services, and Windows endpoints; no on-premises infrastructure or agents needed
• Balance protection and productivity with granular policy controls, and manage DLP policies for all workloads from a single location
• Leverage classification and user activity insights to better inform DLP policies, and benefit from an integrated incident management

What if you don't?
• Loss of intellectual property
• Data breaches
• Financial loss
• Reputation damage
• Employee errors & insider threats
• Loss of customer data & trust
• Regulatory non-compliance
Implementing effective DLP measures is crucial to safeguard sensitive data and mitigate these risks.

Do you have a strategy?
• Do you know where your business critical and sensitive data resides and what is being done with it?
• Do you have control of this data as it travels inside and outside of your organization?
• Are you using multiple solutions to classify, label, and protect this data?

Top data security risks
• Data security incidents are widespread: 83% of organizations experience more than one data breach in their lifetime (1)
• Malicious insiders account for 20% of data breaches, adding to costs: $4.18M average cost of a data breach with a malicious insider (2)
• Organizations are struggling with a fragmented solution landscape: 80% of decision makers purchased multiple products to meet compliance and data protection needs (3)

Demo

DLP lifecycle
• Plan: WHY, what tech, culture
• Build: services, policies, actions
• Deploy: test mode, metrics, update
• Tune: logs, false positives, false negatives
• Enable: communicate, deploy, validate
• Monitor: alerts, responses, refine

Planning DLP
• Identify stakeholders: determine who within the organization needs to be involved, including IT, legal, compliance, and business representatives.
• Define objectives: clearly outline the goals and objectives of the Purview DLP deployment, including what types of data you need to protect and WHY.
• Regulatory compliance: identify and understand relevant data protection regulations and compliance requirements for your organization or industry.
• Data classification: develop a data classification scheme to categorize data by sensitivity that can be used within DLP policies to identify and protect your most sensitive data.
• Budget and resources: allocate the necessary budget and resources for the Purview DLP deployment.
• Implementation plan: map starting state to end state, and how to test, train, deploy, and operationalize.
• Policy framework: begin outlining the DLP policy framework, including key scenarios such as financial data exfiltration, which will be developed further in the next phases.

Planning DLP Policies
A good practice is to describe a policy with intent in words:
"We're a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPAA that are stored in OneDrive/SharePoint, to protect against that information being shared in Teams chat and channel messages, and to restrict everyone from sharing them with unauthorized third parties."
• What: Office documents
• Who: everyone
• Where: OneDrive, SharePoint, Teams
• Conditions: HIPAA template
• Actions: restrict access and trigger alert

Planning DLP Policies
What sensitive items are most important to start your first policy?
• PII/PHI
• PCI
• GDPR
Where are your sensitive items and what business process are they in?
• Exchange email
• SharePoint sites
• OneDrive accounts
• Teams chat and channel messages
• Windows 10, 11 and macOS devices
• Microsoft Defender for Cloud Apps
• On-premises repositories
Location is a KEY driver for constructing your policy.

Building DLP Policies
Location support (supports admin units / include-exclude scope / data state / additional prerequisites):

Exchange
  Supports admin units: Yes
  Include/exclude scope: distribution groups, security groups, non-mail enabled security groups, dynamic distribution lists, Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-motion
  Additional prerequisites: No

SharePoint
  Supports admin units: No
  Include/exclude scope: sites
  Data state: data-at-rest, data-in-use
  Additional prerequisites: No

OneDrive
  Supports admin units: Yes
  Include/exclude scope: distribution groups, security groups, non-mail enabled security groups, Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-at-rest, data-in-use
  Additional prerequisites: No

Teams chat and channel messages
  Supports admin units: Yes
  Include/exclude scope: distribution groups, security groups, non-mail enabled security groups, Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-motion, data-in-use
  Additional prerequisites: No

Microsoft Defender for Cloud Apps
  Supports admin units: No
  Include/exclude scope: cloud app instance
  Data state: data-at-rest
  Additional prerequisites: Yes

Devices
  Supports admin units: Yes
  Include/exclude scope: distribution groups, security groups, non-mail enabled security groups, Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-use, data-in-motion
  Additional prerequisites: Yes

On-premises repositories (file shares and SharePoint)
  Supports admin units: No
  Include/exclude scope: repository
  Data state: data-at-rest
  Additional prerequisites: Yes

Power BI
  Supports admin units: No
  Include/exclude scope: workspaces
  Data state: data-in-use
  Additional prerequisites: No

Building DLP Policies
Rules are the key to DLP policies. A policy contains one or more rules. Rules are executed sequentially, starting with the highest-priority rule in each policy.
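As an added example (not from the deck, and not Microsoft's own sample), the following Security & Compliance PowerShell script builds the HIPAA intent statement from the planning slide as one policy with two priority-ordered rules: an external-sharing rule that blocks, shows a policy tip using the %%AppliedActions%% variable, allows an override with justification, and raises a high-severity incident report, and a lower-priority internal rule that only educates. The policy starts in test mode without policy tips, matching the deployment guidance later in the deck. It assumes the ExchangeOnlineManagement module, an account permitted to manage DLP in the compliance portal, the built-in sensitive information type names shown, and the policy and rule names, which are constructed for this example.

```powershell
# Added example, not from the deck or Microsoft. Assumes the ExchangeOnlineManagement
# module and an account with rights to manage DLP in the Purview compliance portal.
# Policy and rule names are constructed; SIT names are the built-in ones.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Name by service and purpose: a policy cannot be renamed after it is created.
$PolicyName = 'SPO-OD-Teams-HIPAA-PHI'

# Intent: detect PHI in OneDrive/SharePoint items and stop it being shared in Teams
# or with unauthorized third parties. Start in test mode without policy tips.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Detect HIPAA PHI at rest in SPO/OD and in motion in Teams' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithoutNotifications

# Condition: an identifier AND a medical term, combined with AND/OR groups.
$PhiCondition = @{
    operator = 'And'
    groups   = @(
        @{ operator = 'Or'; name = 'PHI identifiers';
           sensitivetypes = @(
               @{ name = 'U.S. Social Security Number (SSN)'; mincount = '1' },
               @{ name = 'Drug Enforcement Agency (DEA) Number'; mincount = '1' }) },
        @{ operator = 'Or'; name = 'Medical terms';
           sensitivetypes = @(
               @{ name = 'International Classification of Diseases (ICD-10-CM)'; mincount = '1' }) }
    )
}

# Rule 1 (priority 0, evaluated first): shared outside the organization -> block everyone,
# policy tip with the %%AppliedActions%% variable, override with justification or
# false-positive report (both logged for audit), high-severity incident report to the
# site admin, and stop processing further rules once this one matches.
New-DlpComplianceRule -Name "$PolicyName-External-Block" -Policy $PolicyName -Priority 0 `
    -ContentContainsSensitiveInformation $PhiCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains protected health information. Action taken: %%AppliedActions%%' `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High `
    -StopPolicyProcessing $true

# Rule 2 (priority 1): shared only inside the organization -> educate, do not block.
New-DlpComplianceRule -Name "$PolicyName-Internal-Notify" -Policy $PolicyName -Priority 1 `
    -ContentContainsSensitiveInformation $PhiCondition `
    -AccessScope InOrganization `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'Reminder: this item contains protected health information.' `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Low

# Later lifecycle stages, run one at a time after the previous stage has been reviewed:
# pilot with policy tips for a pilot group, then enable for everyone.
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode TestWithNotifications
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

Because rules run in priority order and the external rule sets StopPolicyProcessing, an externally shared item gets the blocking tip rather than both tips, which is the "highest priority, most restrictive rule wins" behaviour the notifications slide describes.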
A rule consists of:
• Conditions that, when matched, trigger the policy
• Actions to take when the policy is triggered
• User notifications to inform your users when they're doing something that triggers a policy, and to help educate them
• User overrides that, when configured by an admin, allow users to selectively override a blocking action
• Incident reports that notify admins and other key stakeholders when a rule match occurs
• Additional options which define the priority for rule evaluation and can stop further rule and policy processing

Building DLP Policies
DLP rule conditions: conditions are where you define what you want the rule to look for and the context in which those items are being used.
• Content contains
  • SITs, labels, trainable classifiers
• Big differences between locations
  • Email supports the most
  • OD/SPO similar
  • Teams limited
  • Device includes service domains
• Combine conditions with AND/OR
DLP rule actions: actions occur after conditions are met and depend on the locations that have been selected.
• EXO/OD/SPO/Teams
  • Restrict access or encrypt the content in Microsoft 365 locations
  • Block everyone or only external
  • Just email supports more (e.g. encryption)
• Audit/Block actions on devices (e.g. print)
• Power BI limited to alerts/notifications

Building DLP Policies
DLP user notifications through emails and in-context policy tips; dependent on location again:
• Emails can only be sent to individuals
• Can show up in Outlook, Office clients, M365 services
• Notifications can use parameters like %%AppliedActions%%, and emails can be HTML based
• Only the policy tip from the highest priority, most restrictive rule will show
• Not all SITs support policy tips

Building DLP Policies
User overrides allow users to bypass, with justification, so they can continue their work:
• Set per rule
• Requires block to be set in the policy
• Good when initially rolling out, for false positive identification
• Require business justification: the justification is logged for audit
• Report false positive: also logged for audit

Demo

Deploying DLP Policies
A rushed deployment can negatively impact business processes.
• All activity is available in activity explorer as long as it's not turned off
• Start in test mode without policy tips
• Move to test with policy tips for a pilot group
• Admin tracks activities and views alerts
• Update policies/rules/user notifications based on what was found in the initial deployment

Tuning DLP Policies
Initial tuning is crucial to ensure you really are identifying and protecting sensitive data.
• Utilize the activity explorer to investigate rule matches per policy
• Use the CloudAppEvents table if using Sentinel
• Talk to your pilot users and ensure you use real documents with sensitive data to test

Enabling DLP Policies
Enablement is the pushing of policies to all users/devices requiring the policy.
• Send any communications identified, notifying users
• Ensure your policy documentation is updated, and update the "Learn more" URL to point to it (EXO)
• Implement a plan to operationalize incident management
• RACI & permissions
• Ensure you monitor activity initially after enablement to validate successful conditions

Monitoring DLP Policies
DLP policies are never complete!
• Continue to use activity explorer and the audit log, or the CloudAppEvents table
• Custom SITs with regex or EDM can take a lot of monitoring and adjustments
• Build knowledge articles for the service desk for when users see DLP actions/tips
• Have a plan for exception management with an approval process in place
• Set up metrics or workbooks to show successes, overrides, etc. by user/location
• Microsoft Purview Advanced Rich Reports (MPARR)

Demo

Endpoint DLP Deeper Dive
Available for Windows 10/11 and macOS once onboarded into Purview. Onboarding can be done via Defender, script, GPO, Intune, or SCCM; onboarded devices start returning data in activity explorer.

Endpoint DLP settings
Just-in-time protection: a candidate policy blocks all egress until policy evaluation completes successfully, for new files or stale files. Available in audit mode.
• Advanced classification
• File path exclusions for Windows/Mac
• Set up evidence collection
• Restricted apps and app groups
• Unallowed Bluetooth apps
• Browser and domain restrictions
• Printer groups
• Removable USB and network share groups

Demo

Adaptive protection
Automatically change DLP policy actions.
• Utilizes IRM to determine the risk of a user, e.g. an admin account downloading excess info for a week = high
• Continuously maintained
• Lock down high-risk users while still allowing regular business
• Allow PII to be sent because we NEED to, but block if the user is at risk

Investigating alerts & incidents
• DLP alerts are currently in BOTH the Defender and Purview portals, but Defender is recommended
• Utilize counts to prevent flood detection
• KQL is your friend with advanced hunting
• Grant minimal access – IP Analyst or View Only DLP Compliance Management

Demo

Other DLP stuff
• 3rd party DLP includes Box/Dropbox/Salesforce/GSuite/Citrix, utilizing MDCA
• There is a Symantec DLP to Purview DLP converter
• EXO and Purview DLP policies work together, but EXO takes precedence, including policy tips
• New DLP analytics are in preview to help with insights for improvement
• On-premises DLP requires MIP scanner deployment
• Sensitivity labels can be used across services for DLP
• New Test-DlpPolicies cmdlet to see specific files per site that would trigger Purview DLP

Lessons from the field
• Chrome & Firefox Purview extension = good
• Build and name policies by service; they can't be renamed - KISS
• Utilize Information Protection roles for RBAC
• MDEClientAnalyzer is… awesome for debugging
• Understand / vs /* for exclusions
• Exact Data Match (EDM) works!
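The tuning and monitoring slides rely on rule-match, override and false-positive data. As an added example (not from the deck or Microsoft), this script pulls the last week of SharePoint/OneDrive and Exchange/Teams DLP records from the unified audit log and summarises them per policy, rule and workload, which is the view a pilot owner needs to decide what to adjust. It assumes the ExchangeOnlineManagement module, an account with audit log search rights, and the documented shape of DLP audit records (a PolicyDetails array of rules, and ExceptionInfo carrying the override or false-positive reason); endpoint device events use a different schema and are not handled here.

```powershell
# Added example, not from the deck or Microsoft. Summarises DLP rule matches, user overrides
# and false-positive reports from the unified audit log for tuning a policy pilot.
# Assumes the ExchangeOnlineManagement module, audit log search rights, and the documented
# DLP audit record shape (PolicyDetails[].Rules[], ExceptionInfo). Endpoint records are
# a different schema and are intentionally not queried.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# One call per record type; ResultSize caps at 5000, so busy tenants should page with
# -SessionCommand ReturnLargeSet instead of a single call.
$Records = foreach ($Type in 'ComplianceDLPSharePoint', 'ComplianceDLPExchange') {
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType $Type -ResultSize 5000
}

# Flatten each record into one row per matched rule.
$Rows = foreach ($R in $Records) {
    $Data = $R.AuditData | ConvertFrom-Json
    foreach ($Policy in $Data.PolicyDetails) {
        foreach ($Rule in $Policy.Rules) {
            [pscustomobject]@{
                Time          = $R.CreationDate
                Operation     = $Data.Operation        # DlpRuleMatch, DlpRuleUndo, ...
                Workload      = $Data.Workload         # SharePoint, OneDrive, Exchange, MicrosoftTeams
                User          = $Data.UserId
                Policy        = $Policy.PolicyName
                Rule          = $Rule.RuleName
                Actions       = ($Rule.Actions -join ', ')
                # ExceptionInfo.Reason is Override or FalsePositive when a user undid the action.
                Exception     = $Data.ExceptionInfo.Reason
                Justification = $Data.ExceptionInfo.Justification
            }
        }
    }
}

# Tuning view: matches, overrides and false-positive reports per policy/rule/workload.
$Summary = $Rows | Group-Object Policy, Rule, Workload | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.Group[0].Policy
        Rule           = $_.Group[0].Rule
        Workload       = $_.Group[0].Workload
        Matches        = @($_.Group | Where-Object Operation -eq 'DlpRuleMatch').Count
        Overrides      = @($_.Group | Where-Object Exception -eq 'Override').Count
        FalsePositives = @($_.Group | Where-Object Exception -eq 'FalsePositive').Count
        DistinctUsers  = @($_.Group.User | Sort-Object -Unique).Count
    }
} | Sort-Object Matches -Descending

$Summary | Format-Table -AutoSize

# Flood check: one user producing a large share of a rule's matches usually points to a
# business process or a custom SIT regex to fix, not a reason to move the rule to block.
$Rows | Where-Object Operation -eq 'DlpRuleMatch' |
    Group-Object Rule, User | Where-Object Count -ge 50 |
    Select-Object Name, Count | Sort-Object Count -Descending
```

A rule whose false-positive count approaches its match count is a candidate for a higher instance count or an added keyword condition; a rule with many overrides but few false-positive reports is more likely a legitimate business process that needs an exception path rather than a policy change.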
• Policy tips are COMPLICATED between web/client
• Use variables like %%AppliedActions%%
• Ensure URLs open if using Endpoint DLP

Safeguarding data examples
• Block an email or document from being shared externally: utilize Exchange, SharePoint, and OneDrive DLP policies
• Stop sensitive data sharing in Teams internally and externally: utilize Teams DLP policies, sensitivity labels for containers, and sensitivity labels with encryption for files
• Prevent a file from being copied from an endpoint to a non-approved location: utilize Endpoint DLP for Windows and macOS
It's all integrated.

Utilizing a crawl-walk-run strategy
• Allows you to start without having it all figured out
• Allows for incremental improvements
• Eases information workers into the world of protection and retention
• Some protection and retention is better than nothing

Where and how to start
• Learn about the technical capabilities within Purview DLP
• Identify REAL scenarios or challenges that Purview DLP can solve
• Assign Purview ownership by solution and get permissions set up
• Identify competing DLP solutions with a solution rationalization
• Build a Purview DLP roadmap aligned to your overall product, M365, or security roadmap

Questions?
Email: drew.madelung@protiviti.com
Twitter: @dmadelung
Website: drewmadelung.com
Slides: http://bit.ly/DrewSlides