News

Microsoft Previews Automatic Blocking of Sensitive Info Leak Attempts

• By Kurt Mackie
• 02/07/2023

Microsoft this week announced a preview of an automated way to block employees from spilling sensitive company information.

This new information-sharing blocking capability, available in preview, is called "Adaptive Protection." It's part of Microsoft Purview, Microsoft's data governance solution. It leverages the machine learning capabilities of the Microsoft Insider Risk Management service.

Adaptive Protection in Microsoft Purview will automatically adjust how employees can access and share data. It's based on a risk scoring system that checks the sensitivity of the data and compares it with an employee's past actions. The risk scores also are based on comparing an employee's past actions with the past actions of their peers. If the employee has done certain actions, like downgrading document classifications and sharing information, then Adaptive Protection could automatically take certain actions, such as blocking the ability of that employee to share the data.

Adaptive Protection will block data sharing when an employee is scored as being at "elevated risk." It'll block data sharing with an option to override the block for employees assessed at "moderate risk." There's also a "minor risk" category where employees aren't blocked, but they get "policy tips."

The use of Adaptive Protection will reduce the workloads of security teams concerned with data loss prevention (DLP), Microsoft contended. Security teams won't have to fiddle with policy changes.

"With Adaptive Protection, DLP policies become dynamic, ensuring that the most effective policy -- such as blocking data sharing -- is applied only to high-risk users, while low-risk users can maintain their productivity," the announcement stated.

Adaptive Protection works across Microsoft services and non-Microsoft services. "It [Adaptive Protection] assesses users' data activity across both Microsoft and non-Microsoft services in aggregate using built-in machine learning models from our Insider Risk Management solution in Microsoft Purview to parse through it at scale," Microsoft explained, in a Microsoft Mechanics video transcript.

Organizations can use their existing DLP policies with Adaptive Protection, which will make those policies "dynamic." The policies initially run in a "test mode," which allows administrators to fine tune them before going live with them in a production environment.

Employee names get anonymized for administrator views by using pseudonyms, which happens by default. However, "the system provides complete transparency so you know exactly how data security risk levels are calculated," Microsoft's video indicated.

Other Microsoft Purview News
In addition to the preview of Adaptive Protection, Microsoft this week offered other Microsoft Purview news.

For instance, Microsoft has released a preview that lets administrators simulate the effects of automated retention label classifications before implementing them in a production environment. A "public preview of simulation mode for Microsoft Purview auto-applied retention labels" is now starting to become available to commercial tenants, Microsoft announced.

Also, Microsoft announced a few previews for the Information Protection service of Microsoft Purview. There's a preview of an "enhanced trainable classifier for detecting source code," which supports more than 70 extensions and 23 programming languages. It's slated to replace "the existing source code classifier," which will happen automatically, Microsoft indicated. Microsoft also added previews of "13 new additional trainable classifiers" for identifying sensitive information. Additionally, "23 new purpose-built trainable classifiers" that previewed back in September for Exchange, SharePoint, OneDrive and Teams are now at the "general availability" commercial-release stage.

Insider Risk Management Additions
Microsoft shared some news this week about its Insider Risk Management service, noting that an update to the service now lets it work with "third-party cloud environments."

"With the update, admins can configure data leak or data theft policies to detect a series of connected user actions that start with downloading files from non-Microsoft domains," Microsoft's announcement explained regarding the Insider Risk Management service. For example, Microsoft's service can detect if users are downgrading the classifications of files downloaded from Dropbox.com.

Insider Risk Management users additionally are getting new charts that show user data exfiltration activities. There's also a new option for alerts, allowing administrators to filter out activities that have been reviewed previously. An option to reduce noisy alerts by specifying less impactful file types is getting extended to e-mail attachments, too.

FAQ on Endpoint Data Loss Prevention
Microsoft also this week published a "Frequently Asked Questions" guide on Microsoft Purview "Endpoint DLP." Endpoint DLP is described by Microsoft as extending activity monitoring to sensitive items "that are physically stored on Windows 10, Windows 11 and macOS" systems, per this Microsoft document description.

The new FAQ addresses licensing requirements (E5/A5), browser and operating system support, sync time for policies, and multiple other questions. It also includes tips for troubleshooting the setup of Endpoint DLP.