Microsoft 365 Compliance Master Class
Day 4 – Discover & Respond
Leon Butler
June 17th 2020

Discover & Respond

eDiscovery

Data is created, stored, and shared everywhere
[Diagram labels: Private cloud; Remote; Structured; Platforms; Digital transformation; Emails; Documents; Corporate Records; Vendors; SMS; Unstructured; SaaS; Public]

Discovering data efficiently is top of mind for many organizations
• $10B was spent on eDiscovery in 2018
• 57% of corporate counsel plan to increase their total eDiscovery spend next year
• 63% expect their company to conduct more investigations over the next three years

Poll: “Which eDiscovery platforms do you and your customers use?”

Poll: “Do I need another tool to query non-Office 365 content?”

eDiscovery in Microsoft 365
Quickly find what’s relevant and reduce risk with intelligent eDiscovery in Microsoft 365
• Create a case: Create a case, add stakeholders and manage case execution
• Put holds on users and content: Identify relevant content locations and users and place on hold
• Search for content in place: Search by keyword, date range, users, labels and more criteria to get a handle on relevant data

Electronic Discovery Reference Model (EDRM) workflow
[Diagram labels: Information Protection and Governance in Microsoft 365; eDiscovery in Microsoft 365; Processing; Preservation; Information governance; Identification; Review; Production; Presentation; Collection; Analysis; VOLUME; RELEVANCE]

Demo: Core eDiscovery

Poll: “Who, in your experience, typically conducts data gathering for eDiscovery cases?”

Challenges to “collect and export”

Advanced eDiscovery design principles
• Collect and discover data where it is
• Manage end-to-end workflows in one solution
• Find relevant data and insights intelligently

Cost reduction
• Lower cost per custodian average
• Review relevant Office 365 and non-Office 365 content faster
Do more, in-place eDiscovery in Microsoft 365
Efficiency
• Reduce collection activities
• Export matter-relevant content
Security
• Logging and auditing from one place

Include data outside of Microsoft 365
hundreds of other file types supported

Electronic Discovery Reference Model (EDRM) workflow
[Diagram labels: Information Protection and Governance in Microsoft 365; Advanced eDiscovery in Microsoft 365; eDiscovery in Microsoft 365; Processing; Preservation; Information governance; Identification; Review; Production; Presentation; Collection; Analysis; VOLUME; RELEVANCE]

Advanced eDiscovery supporting EDRM workflow
• Identify data
• Preserve data & hold notices
• Collect content that might be relevant
• Process data
• Review data
• Analyze data
• Export data
[Diagram labels: Risk & cost; M365, Vendor 1, Vendor 2, Vendor 3, Vendor 4, Vendor 5 OR All Microsoft 365]

Reduce cost per custodian
Microsoft’s legal team found 85% reduction in cost/custodian
[Chart: Cost/Custodian % over Years, with series Outsourcing, Core eDiscovery and Advanced eDiscovery]

Advanced eDiscovery for Microsoft 365
• Custodian management & communications
• Deep crawling & indexing
• Review & manage case data
• Analyze & cull your data intelligently with ML

Custodian management and communications
Manage holds, data sources & notification workflows
• Manage custodians and legal holds: Add and remove custodians, and apply legal holds
• Custodian notifications: Manage legally required workflows around notifications to custodians and their acknowledgments
• Custodian activity: Identify shared data that custodians had access to or were active on and likely custodians based on criteria

Deep crawling and indexing
Search for and collect content from Office 365
• Pre-collection analytics: Scope content for collection, and tune queries to minimize volumes
• Deep processing: Deep processing (e.g.
higher size limits, file types, …) to extract and index text & metadata
• Increased transparency: Static working sets, transparency (e.g. error reporting, item level auditing, …) and additional controls (e.g. error remediation, …)

Review and manage case data
Manage static sets of documents that can be analyzed, queried, viewed, tagged and exported
• View content in review set: Content is also displayed in several viewers, e.g. native, text, annotate.
• Conversation reconstruction: Teams chats are reconstructed and threaded for more context
• Visualize data in dashboard: Create custom widgets to make analyzing and reporting on your review set intuitive
• Load non-Office 365 data: Collect non-Office 365 data into a review set; supported files also enabled for OCR, viewable in native view and annotate viewer

Analyze and cull your data intelligently with ML
Quickly explore and analyze unstructured data to identify what’s relevant
• Near duplication: Use near duplicate detection to organize
• Email threading: Reconstruct email conversations
• ML based content classification: Use the system to identify potential high value content such as attorney client privilege or offensive language

Advanced eDiscovery supporting EDRM workflow
• Custodian Sources
• Hold Management
• Search O365
• Enhanced Processing (OCR, PST, Media)
• Rich meta-data and full text search
• Near dups
• Export natives
• Case Management
• Custodian activity
• Hold Notifications
• Collect non-O365 data
• Defensibility Reports/Tools
• Native, text, and Persistent chat viewer
• Threads
• Export with annotations
• Auditing
• In place hold
• Collection into document working sets / document review sets
• Deep crawling & indexing
• Document coding
and culling
• Conceptual clustering
• Load file generation
• Security & Permissions
• Annotations and Redactions
• Predictive Coding
• Data visualization to support ECA
• ML based content-based classification
• Pre-collection analytics
• Tenant level reporting
[Legend: In Product Now]

Poll: “Can eDiscovery query encrypted content in Office 365?”

[Diagram: Current vs. Legacy workflow. Labels in page order:]
• Current
• Legacy
• Multiple environments
• 3rd party Processing Tool
• O365 Security & Compliance Center
• Collect from myriad sources
• Import and process data
• Search O365 sources in place with deep indexing, add to working set
• 3rd party Review tool
• Import
• Remediate exceptions: Decrypt, Crack Passwords, OCR
• Run analytics
• Batch & review
• Redact & log
• Produce
• Overlay remediated files
• Collect and import non-O365 data to working set
• Remediate exceptions and overlay remediated files in O365 case
• Search, tag, analyze, review, redact in O365 case with outside counsel collaboration
• Export processed, redacted dataset
• Search, report, iterate
• Export
• 3rd party tool (as required)
• Import
• Batched review
• Redact/log
• Produce

[Diagram: Legal hold workflow, Legacy vs. Past vs. Current. Labels in page order:]
• Legacy
• 3rd party Legal Hold Tool
• Create case
• Past
• O365 Security & Compliance Center
• Create SCC Case
• Current
• 3rd Party Legal Hold Tool
• O365 Security & Compliance Center
• Create case
• PowerShell Automation
• M365 Compliance Portal
• Create Advanced eDiscovery case
• Create SCC Case hold policy
• Add appropriate individuals
• Issue hold notice
• Generate hold activity report
• Create SCC case hold policy
• Add appropriate individuals
• Look up custodian sources
• Issue hold notice
• Add sources to case hold policy
• Generate hold activity report
• Look up custodian sources
• Add sources to case hold policy
• Add custodians
• Confirm policy sync status
• Report daily activity
• Issue hold notice and apply hold policy

Demo: Advanced eDiscovery

Compliance boundaries for eDiscovery investigations

Compliance boundaries in Office 365
• Search permissions filters control access to agencies
• Admin role groups control access to eDiscovery cases
[Diagram labels: Contoso LTD (Office 365 org); eDiscovery Managers; Fourth Coffee
(Agency); Coho Winery (Agency); Investigators; eDiscovery Managers; Investigators

DSAR solution spotlight

The challenge: “Give me everything you have on me!”
With less than seven days’ notice, we were tasked to review and categorize all internal communications referencing a particular data subject.

The solution: O365 Advanced eDiscovery
• 2,611 parent-level items
• After extraction, the 2,611 items expanded to a total of 9,202 individual reviewable items
• Review attorney can review 400 items per 8-hour day, so this would have taken 23 days for linear review
• After threading and deduplication, there were 1,340 unique items to manage
• Reduction of 89%

How did we do this?
• AED themes were used to group similar documents based on content.
• We had the system distill the top 20 themes, so we could review a sample of each thematic category and provide a simplified description of the types of content represented.
• The export list spreadsheet was the only review organization tool necessary to manage the actual review work for the case.

Poll: “Which of the following services are NOT discoverable in Office 365?”

In Review…
eDiscovery is in-place – built-in vs.
bolt-on
No continuous transfers of data out of Office 365 to a third party hosted eDiscovery service
• Reduced risk: Data stays in-place, protected by Office 365’s stringent security
• Reduced time to produce eDiscovery results: Data indexed in-place, no time spent collecting, exporting, and transferring it to a third party
• Intelligent: Integrated analytics reduce the challenges of sorting through data quickly to find what is relevant
• Reduced costs: Advanced eDiscovery reduces the data sent to review, reducing org eDiscovery costs by 85%

Microsoft 365 eDiscovery features by plan
Columns: E-discovery feature; E3; E5/E5 Compliance/eDiscovery and Audit SKU
• In-Place Preservation ✓ ✓
• Custodian management ✓
• Case Management ✓ ✓
• Custodian communication ✓
• Search ✓ ✓
• Deep indexing ✓
• Export ✓ ✓
• Review set ✓
• RMS Decryption ✓ ✓
• Review, tag and annotate ✓
• Native Export ✓ ✓
• Conversation reconstruction ✓
• Non-Office 365 ingestion ✓ ✓
• Dashboard ✓
• Advanced Processing ✓
• Tenant level reports (Preview) ✓
• Email Threading ✓
• Smart tags (Preview) ✓
• Near Duplicate Identification ✓
• Themes ✓
• Predictive Coding ✓
• Processed Export with Load File ✓

Audit

Enterprise-scale audit is essential to modern organizations
• 60M: User activity searches per day against Microsoft 365
• 15B: Records processed per day
• 1500+: Unique event types

Audit in Microsoft 365: comprehensive and unified logs
• Comprehensive coverage across Microsoft 365 services
• Consistent audit log search experience
• Seamless integration to power investigations and compliance obligations

Audit in Microsoft 365: Beyond compliance reporting
Comprehensive set of features with unique intelligence across critical end points

CUSTOMER NEEDS
Enterprise-Level Identity Protection: Implement and manage cloud identity and access. Audit and mitigate use of cloud apps.
• Need to know who accessed what, when & how across M365 services
Control and Protect Information: Assess and classify customer data. Implement and manage information policies and procedures.
• Get visibility into changes to policies, groups & sensitive information across M365
Proactive Attack Detection and Prevention: Perform security assessment and analysis, migrate and deploy security solutions and provide managed security services.
• Need investigation capability around breaches and identified threats
Regulatory Compliance: Help customers with increased demands of regulators and legal authorities in every country in which they operate.
• Help organizations prepare for audit evidence and compliance reporting

Audit in the context of investigations
• User: e.g. what did this person do?
• Documents: e.g. who read this confidential document?
• Folders: e.g. who had access to this private folder?
• Devices: e.g. what was accessed on this device?

Common questions that need answers
• Tell me all the users that had membership changes
• Which users had failed logins
• Which users had mailbox permissions changes
• What delegate activities did said user carry out on mailboxes
• What delegate activities happened on said mailbox
• Which users forwarded mails to external domains
• What other searches did user do on SharePoint sites in the org
• What other search patterns or terms did user go after
• Tell me bulk download activities from given location
• All users that received emails with said high value attachments?
• All users that replied/forwarded said high value emails
• Tell me who attempted bulk exfiltration
• How many times was a said email read, by whom and which clients
• Give me all logins from external IP and different clients
• Which users shared confidential documents internally/externally
• Which users participated in said Teams meetings
• Which documents were bulk downloaded to USB or file shares
• … etc.

Customer pain points
What prevents them from performing effective investigations?
Missing events
• Search terms
• Teams chat or call participation and sharing
• Mail reads
Manual Insights and correlations
• Correlations of audit logs across users and content
• Correlations of activities across workloads
Short lived signals
• Time to detect breach: ~200 days
• Audit log retention: 90 days
• Typical investigations: 6 months to 1 year

Introducing Advanced Audit in Microsoft 365: Power fast and effective forensic and investigations
• High value events to power quicker investigations
• Processed insights to show context and key patterns
• Longer-term retention to meet investigation and compliance requirements
• Near real-time access to data to enable fast access to audit events

Advanced Audit in Microsoft 365: High value events
High value events to power quicker investigations
• New high value events such as Mail reads and Search teams
• New events across key workloads
• Public preview by end of year

Advanced Audit in Microsoft 365: Processed insights
Processed insights to show context and key patterns
• Correlations and prebuilt queries on top of logs
• Ready answers to key questions
• Public preview by end of year

Advanced Audit in Microsoft 365: Longer-term retention
Longer-term retention to meet investigation and compliance requirements
• Retention option up to 365 days
• Ability to customize by events or users
• Public preview ready at Ignite

Advanced Audit in Microsoft 365: Near real-time access to data
Near real-time access to data to enable fast access to audit events
• Limits at tenant level with higher bandwidth for advanced tenants
• Dynamic bandwidth proportional to size of org
• Public preview ready at Ignite

Customer Story
• Highly confidential document leaked
• Data officer identifies documents of interest
• Iteratively searches document audit logs to identify access and sharing patterns
• Identifies Jane as person of interest
• Iteratively searches user activity audit logs to identify usage pattern and potential leak

Investigating user activity and content
Advanced Audit
Advanced eDiscovery
Advanced Audit: Power faster and more effective forensic and compliance investigations
• Access to crucial events (activities)
• Longer-term retention
• Increased bandwidth to management activity API
Advanced eDiscovery: Reduce risk and cost with eDiscovery in Microsoft 365
• End-to-end solution built-in Microsoft 365
• eDiscovery for collaboration workspaces (e.g. Teams and Yammer)
• Custodian management

Communications Compliance

Ensuring a safe work environment
Employees suspended after making inappropriate comments in an email
In June of 2019, two employees of a major finance institution were suspended for violating company policy for the writing and forwarding of an email that harassed one of their co-workers.
• Email identified, and two employees suspended. One for writing the email, and another for forwarding it.
• Sr. executive sends email to team with an inappropriate, named reference regarding one of their colleagues.

[Slide labels: Data spillage; Confidentiality violations; IP theft; Fraud; Workplace violence; Insider trading; Policy violations; Leaks of sensitive data; Conflicts of interest; Data spillage; Workplace harassment; Regulatory Compliance Violations]

ORGANIZATION NEEDS
Identifying violations across company communications
• Corporate Policies: Employees must comply with ethical and other corporate standards
• Risk Management: Identify and manage legal and corporate risk
• Regulatory Compliance: SEC, FINRA require communications oversight

Typical workflow and customers pain points
• INCREASED REGULATORY ENFORCEMENT
• INCREASING DATA
• DIFFICULT TO FIND SUBJECT MATTER EXPERTS TO REVIEW
RESULT: Violations slip through

• Intelligent customizable playbooks: Leverage machine learning to detect violations across Teams, Exchange and 3rd party content
• Flexible remediation workflows: Remediation workflows to quickly act on violations
• Actionable insights: Interactive dashboard with policy violations, actions and trends

Intelligent customizable playbooks
• Leverage machine learning to intelligently reduce false positives
• Customizable pre-configured templates to address common communications risks
• Build your own machine learning model to detect violations unique to your organization

Flexible remediation workflows
• Conversation threading, keyword highlighting, exact & near duplicates, filters for efficient review
• Built-in remediation workflows to quickly act on violations
• Historical user context on past violations and remediation actions

Actionable insights
• Proactive intelligent alerts on policy violations requiring immediate attention
• Interactive dashboard showing violations, actions and trends by policy
• Full audit of review activities and tracking of policy implementation

CONFIGURE: Create & tune policies
• Playbooks
• Custom policy creation
Monitor
• Alerts
• Productivity reports
• Audit
INVESTIGATE: Identify violations
• Tag and comment
• Document review
• User history
REMEDIATE: Resolve violations
• Resolve
• Notify
• Escalate
• Compliance solution handoff

[Slide labels: Human Resources; INFORMATION TECH/SECURITY; Risk/Compliance; Legal]
• Corporate Policies: Comply with ethical and other corporate standards
• Risk Management: Identify and manage legal and corporate risk
• Regulatory Compliance: SEC, FINRA require communications oversight

Demo: Communications Compliance

Thank You.

Live Q&A