  • Alex Tray

    Microsoft DLP: Protecting Your Business After Recent Outage

    14 days ago

    The recent outage that brought down multiple digital infrastructures worldwide was a clear reminder that IT disasters can happen unexpectedly. In a statement to CBS News, Microsoft said that a “CrowdStrike update was responsible for bringing down critical systems.” CrowdStrike provides antivirus software for Windows devices, which means that the incident was caused by an unforeseen error in the supply chain.


    Some of the impacted Microsoft apps include OneDrive, OneNote, Outlook, Power BI, Microsoft Fabric, Microsoft Teams, Microsoft Purview, Viva Engage and Microsoft 365 Admin Center. Users experienced issues with synchronization, file access, functionality delays and registration problems.


    Like Microsoft, most organizations rely on complicated supply chains to collect, store, manage and use different forms of sensitive data, including financial information, health records and customer data. Such data is a prime target for ransomware and malware attacks, and it can be leaked through human error or malicious behavior. Vulnerabilities and update failures at third parties are nearly unavoidable because they are beyond the organization’s control.


    Private data loss or exposure can have a detrimental impact on your business. Luckily, you can implement Microsoft 365 Data Loss Prevention (DLP) to protect business-critical information from cyberthreats, data loss and misuse.


    This post details the capabilities of Microsoft DLP that allow you to prevent unauthorized access, deletion and sharing of privileged data. Read on to understand the different limitations of DLP and how you can overcome them. 

    What Is Data Loss Prevention?

    Data Loss Prevention is one of the Microsoft Purview security features designed to help organizations protect sensitive information from leakage or theft. The main purpose of DLP is to detect and prevent the intentional or unintentional disclosure of confidential data to unauthorized personnel.


    Administrators can define and apply DLP policies across the network to automatically identify, monitor and manage data at rest, in use or in transit. Using deep content analysis and machine learning algorithms, DLP discovers content that matches your policies and blocks the data from being sent through email, instant messaging, file sharing or cloud storage.

    Protective actions of DLP policies 

    Depending on the rules you set, DLP policies monitor the activity of users working with sensitive data and take protective actions according to the conditions you configured. When a user attempts to perform a prohibited action, Microsoft DLP can:

    • Display a pop-up policy tip to warn users that they are trying to inappropriately share confidential data
    • Block users from sharing the item and provide an option to override the block and add a justification
    • Block users from sharing the item without the override option
    • Lock and move data at rest to a secure and isolated location
    • Hide sensitive information in Teams chat

    While DLP policies minimize the risk of data deletion and unauthorized sharing, they do not offer robust protection against other threats. Ransomware attacks, phishing schemes or update failures, which caused the latest outage at CrowdStrike, can render your infrastructure and services, including DLP in Microsoft Purview, inoperable. The resulting downtime and data loss can lead to significant financial and reputational damage in addition to possible legal issues.

    The only way to guarantee the safety of your data is to install Office 365 backup and recovery. This solution allows you to recover your data in any scenario, providing comprehensive protection and peace of mind.

    Protected platforms and services

    Microsoft data loss prevention policies can be implemented across various locations and platforms, including:

    • Office 365 applications (Microsoft Word, Excel and PowerPoint)
    • Microsoft 365 services (Exchange Online, SharePoint Online, OneDrive and Teams)
    • Windows 10, Windows 11 and macOS (three latest versions) endpoints
    • Microsoft Defender for Cloud Apps
    • On-premises repositories and file shares
    • Power BI sites

    DLP Framework

    The DLP life cycle is characterized by two significant phases: planning and deployment. A clear understanding of each phase is necessary to create adequate DLP policies and efficiently protect your organization’s data.

    Plan for DLP

    Before you institute any protective measure, you need to make sure that it does not disrupt your workflow. You can minimize the impact of a DLP policy on your business processes and streamline its implementation by conducting the following:

    • Technology planning: The data you want to monitor and the actions you want to configure can differ based on the Microsoft service or application that you are planning on protecting. Identify the location of the data and whether it is at rest, in use or in motion.
    • Business process planning: Some business activities cannot be completed without accessing or using confidential data. This means that certain user behaviors that are typically blocked by DLP policies should be allowed in specific cases.
    • Organization culture planning: While DLP monitoring and protection capabilities are native to Microsoft applications, you might need to share data loss prevention best practices with users within your organization. Inform your employees in case a DLP policy is added or changed.

    Deploy your DLP policies

    Thorough planning allows you to create and deploy efficient DLP policies that are suitable for your organizational needs. The next step is to design the policy by setting your control objectives and defining how they apply across your workloads. Once done, you can implement the controls with a DLP policy in test mode. You can start with one workload and then apply the policy to all workloads to collect comprehensive results. Rest assured that actions that are assigned to a policy are not applied when you are using test mode.


    Based on the results you receive, you can fine-tune the policy to meet your objectives without affecting your workflow. Finally, turn the policy on and continue to monitor the results in case your objectives change and you need to edit the policy.
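
    The deployment sequence described above (test mode on one workload, then all workloads, then enforcement) can be scripted in Security & Compliance PowerShell. This is an added example, not part of the original article: the policy and rule names are hypothetical, the chosen sensitive information type and workloads are assumptions, and in practice each step is run separately after reviewing the results of the previous one.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and the
# account has permission to manage DLP policies. Names below are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                      # Security & Compliance PowerShell

$policy = 'Pilot - Payment card data'                # hypothetical policy name
$rule   = 'Pilot - Card numbers shared externally'   # hypothetical rule name

# 1. Create the policy in test mode on one workload (SharePoint Online).
#    Matches are recorded for reporting; the rule's actions are not enforced.
New-DlpCompliancePolicy -Name $policy `
    -Comment 'Pilot: test mode, single workload' `
    -SharePointLocation All `
    -Mode TestWithoutNotifications

# 2. Control objective: block items containing a credit card number when they
#    are shared outside the organization.
New-DlpComplianceRule -Name $rule -Policy $policy `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true

# 3. Widen the test to the remaining workloads and show policy tips to users,
#    still without enforcing the block.
Set-DlpCompliancePolicy -Identity $policy `
    -AddOneDriveLocation All `
    -AddExchangeLocation All `
    -Mode TestWithNotifications

# 4. After tuning against the test results, turn the policy on.
Set-DlpCompliancePolicy -Identity $policy -Mode Enable

# 5. Confirm the mode that is now in effect.
Get-DlpCompliancePolicy -Identity $policy | Format-List Name, Mode
```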

    Microsoft 365 DLP Reporting Tools

    The data loss prevention feature sends all the information it gathers from monitoring user activity, policy matches and actions to Microsoft Purview. You can rely on this data to enhance your own policies and customize the actions if necessary. The collected information is first processed in the Audit Logs and then sent to three different reporting tools.

    DLP Reports

    Using this tool, you can view broad trends over time and also receive insights on:

    • DLP policy matches: This report displays the number of policy matches over time. It allows you to find the specific rules that match the content and identify the violations that triggered the policy.
    • DLP incidents: Similar to DLP Policy Matches, this report focuses on the items rather than the policy rules.
    • DLP false positives and overrides: Here you can check the number of times the DLP policy allowed users to override it along with the justifications. You can also view the number of false positives to discover if your DLP policies are affecting your workflow.

    All of these reports allow you to fine-tune your policies to ultimately enhance data protection.

    DLP Alerts Dashboard

    Using the DLP Alerts Management Dashboard, you can configure alerts to get notified in case a DLP policy takes action on a sensitive item. The same dashboard also allows you to view all alerts and check the details of the associated events. In addition, you can edit the previously customized alerts and check if their incidents were resolved.

    DLP Activity Explorer

    All actions related to labeled content (sensitivity or retention labels) are collected and displayed in the Activity Explorer for up to 30 days. These actions include changing labels, modifying files or matching a rule. You can use this report to verify if the data loss prevention policies and controls you applied are effectively protecting your data.

    DLP Limitations

    DLP policies are great at reducing the risk of accidental sharing or deletion of sensitive data. However, they do not provide adequate protection when it comes to external threats such as ransomware attacks or phishing schemes. They also have other limitations, such as:

    • False positives and false negatives: The DLP tool may generate false positives or false negatives, leading to erroneous data authorization or blocking.
    • User resistance: DLP solutions can hinder the free flow of information and obstruct regular business activities which may decrease productivity and cause user resistance.
    • Complexity and overhead: Implementing Microsoft DLP without having a significant impact on the workflow and performance of an organization's systems can be complex.
    • Data leakages through new channels: DLP policies cannot detect and prevent data leakages through new or emerging communication channels. This means that you need to reconfigure existing policies or create new ones.

    Conclusion

    There is no doubt that the data loss prevention tool protects sensitive data and minimizes the risk of unauthorized data sharing. However, you need to understand the capabilities and limitations of Microsoft 365 DLP to properly set up and use this feature. DLP allows you to detect data leakages, enhance Office 365 security, and ensure compliance with regulations. You should keep in mind that you need a reliable data protection solution to guarantee the safety of your data against a larger pool of threats such as ransomware attacks or technical problems that can lead to another outage similar to that of CrowdStrike.

