1. Introduction to Data Loss Prevention
Data loss prevention is all about preventing data leaks and preventing information from being exfiltrated. Now, we’ve spent a lot of time talking about Azure Information Protection. What you’re going to find is that the two complement each other. AIP and DLP go together, OK? They work together to provide policies that look for sensitive information and then try to block that sensitive information from making its way to the outside world or getting into the hands of unauthorized people. Okay? This is what DLP is all about: stopping data exfiltration. It’s called “data exfiltration” if you’re not familiar with the term. It involves information that’s meant to stay inside somehow making its way to the outside world. So in today’s climate, as security professionals working in the cloud environment and for different organizations around the world, you may find yourself in a situation where you have a lot of compliance regulations that you have to follow. Whether you work in government, the military, medicine, or merchant services, you’re going to have PII, personally identifiable information, in just about every organization.
And that information is sensitive. If you’re in the medical world, you may have to deal with HIPAA compliance. If you work in the payment card industry, you deal with merchant services; you deal with PCI, the payment card industry standards, which include PCI DSS and everything else. There are just so many different standards. There’s so much legislation now that we have to think about. And Microsoft has put together a bunch of templates that are going to help us monitor for certain types of information and make sure that information doesn’t find its way to the outside world. Okay, so the number one goal of DLP is to stop data leakage. And working with AIP, Microsoft gives us some very, very powerful tools for doing all that. Here are some examples.
When I say sensitive information, I mean information that we don’t want making its way into the public domain. We have financial information, financial data, which includes credit card numbers, bank account numbers, and other fun stuff. And then we also have PII. This is personally identifiable information, and it’s very common. Just about every organization and every company under the sun collects forms of PII from their people. So anytime a customer comes in and purchases something, they might have to have an account if it’s online or fill in some information. Even simple details like your first name are PII. So of course, companies are collecting that information, and that information could be used to steal somebody’s identity.
So it’s very important that we have policies in place that are watching for that sort of thing and trying to prevent that sort of thing from making its way to the outside world. We also have PHI, which is protected health information. Again, if you work in the medical field, you may be dealing with that. Then there’s tax information. And then, of course, there are countless other types of sensitive information. Your company may collect certain pieces of sensitive information that may not pertain to my company or my organization, but you can set up your own policies for watching for that type of sensitive information yourself, so you can create custom policies. In fact, you’ve seen me do that. In one of our previous videos with AIP, we looked at how to do keywords and all that. So again, DLP works in conjunction with AIP. Here are its main policy goals. The first is to identify sensitive information: to figure out what is considered sensitive and try to identify it. It uses RegEx, keywords, and things like that to determine that. The other would be to prevent accidental sharing of sensitive information.
Again, somebody accidentally shares this with somebody outside our organization, or even shares it with someone who doesn’t quite have the right level of security to be opening that document, viewing the email, or whatever it is. And then, of course, DLP is also going to help us monitor and protect sensitive information even in our desktop apps. So this can even work in conjunction with downloadable versions of Office ProPlus like Word, Excel, PowerPoint, and all that stuff that’s installed locally on somebody’s machine. DLP, in conjunction with AIP, Azure Information Protection, can detect and protect things that way as well. Another reason for using this is to try to help your users be compliant and understand compliance; help them understand what they can and cannot do, what they’re allowed to do, and be alerted if they’re doing something that they shouldn’t. Again, it isn’t always that users are stupid; sometimes they’re just ignorant. They don’t know, they didn’t know they’re not supposed to do this, or they forgot. So DLP, in conjunction with AIP, is going to help us with that.
The last thing that DLP really brings to the table is the ability to generate reports, look at assessments, and determine what our environment has with regard to sensitive information. This is really helpful with auditing in certain industries. We periodically have to audit the types of sensitive information that we’re keeping on file, and being able to show that auditing information is very important. Here’s a quick look at DLP in Microsoft 365; we’ll dig deeper into this, but one thing I wanted to highlight is that you can see right away that they show DLP policy matches, if any exist. And then it also tries to look for false positives. So false positives are things that it matched but that turned out not to be actual violations of the rules. So there you have it, a couple of quick reports. Microsoft has this thing called the Graph API that works in conjunction with all aspects of the Microsoft 365 services. And this really helps us kind of nail down the things that are going on in the environment. Obviously, from here too, I could create a policy. But we’re going to take a deeper look at that in our next lecture.
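As an added example (not from the course, and not Microsoft’s implementation), here is a small PowerShell illustration of the kind of matching described above: a regex for the shape of a credit card number, a Luhn checksum to throw away random digit runs, and nearby keywords that raise confidence, which is how a sensitive information type combines a pattern with supporting evidence. The function names and the sample text are constructed for the demo.

```powershell
# Added example: a miniature "sensitive information type" in PowerShell.
# It is a simplification for teaching, not the logic Microsoft 365 DLP runs.

function Test-Luhn {
    # Returns $true when the digit string passes the Luhn checksum
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]$Digits[$i] - [int][char]'0'      # char code minus '0'
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CreditCardCandidates {
    # Scans text and emits one object per candidate that looks like a card
    # number AND passes Luhn; keywords within 300 chars raise the confidence.
    param([string]$Text)
    $pattern  = '\b(?:\d[ -]?){12,15}\d\b'          # 13-16 digits, optional separators
    $keywords = 'card number','credit card','visa','mastercard','amex','expiration','cvv'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if (-not (Test-Luhn $digits)) { continue }  # drop order numbers, IDs, etc.
        $start  = [Math]::Max(0, $m.Index - 300)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + 300)
        $window = $Text.Substring($start, $end - $start)
        $hasKeyword = $keywords | Where-Object { $window -match [regex]::Escape($_) }
        $confidence = if ($hasKeyword) { 'High' } else { 'Medium' }
        [pscustomobject]@{ Match = $m.Value; Confidence = $confidence }
    }
}

# Constructed sample: a well-known test card number with a keyword nearby,
# and a 16-digit order reference that fails the Luhn check.
$sample = @"
Please charge my credit card 4111 1111 1111 1111, expiration 12/30.
Order reference: 1234 5678 9012 3456 (not a card).
"@
Find-CreditCardCandidates -Text $sample | Format-Table
```

Only the first number is reported (with High confidence); the order reference has the right shape but fails the checksum, which is the same reason the built-in types use checksums and keywords rather than a bare pattern: it keeps the false-positive count in those reports down.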
2. Demonstration of implementing Data Loss Prevention
In this demonstration, I’ll dive into DLP, Data Loss Prevention, and show you how to configure a data loss prevention policy that adds support for specific legislation such as the US Patriot Act. So I’m going to click on “Show All.” We’re going to go to Security and Compliance by clicking Security here. And that was just to get started in the admin.microsoft.com portal. And then here we are in Security and Compliance, and we’re going to go to Data Loss Prevention.
So drop that down. We’re going to click Policy, and we can set our policies right here. As you can see, we have some different policies already in place. I’m going to click “Create a policy.” From there, we’ve got different categories of things we can select here, different templates that Microsoft has already configured, from financial data to medical information. You can sort of skim through the financial items; all of these financial-related items that we can scroll through and select. We’ve got medical and health information here that we could select. In our case, we’re going to go with Privacy and scroll down, and I’m going to go with the US Patriot Act. Okay? So that would be what I would select.
And again, if I were doing this as a hands-on activity that I was asked to do on the exam, I would select whichever one it was that they wanted. In my case, I am having you select the US Patriot Act. I’m going to select this one. And the other neat thing about this is that it tells you what information is going to be part of the US Patriot Act template. So it gives you a description here, and then you get the sensitive information types that are involved there. So this kind of combines these things together. Now keep in mind that you could create a custom one that did the same thing, but in our case, this has everything in it that we want. So we’re going to go ahead and choose Next.
We’d give it a name and a description. All right, I’m just going to name it “US Patriot Act for DLP” and then give it a description. Click Next. All right, from here, if I wanted to protect Exchange email, Teams chat messages, OneDrive and SharePoint, and all that, I could. If I wanted to choose a specific app, I’d select “Let me choose specific locations.” So I’m just going to do Exchange in this case because I’m just focusing on email here. So I’m going to click Next, and then at that point, here’s the information that I can choose from. It says, “Find content that contains this information.” So that’s fine. That’s exactly what we wanted. That’s what the US Patriot Act template is focused on. And then, with people outside my organization; I could switch that over to inside. But what I care about is that I don’t want this information going outside my organization. Now, a little bit later, I’m going to look at some of these advanced settings as well. But for now, this is going to meet exactly the criteria that I want.
So I’m going to click Next. We’ve seen some of this information before in one of my previous lessons. Show policy tips that pop up on the person’s screen. You can customize those policy tips if you want. Detect a specific amount of information: if I wanted to change this to one instance, I could. If that’s not something that’s been requested of me, I’m not going to change that. Okay. But I also could have an incident report email sent to somebody if I wanted to choose how that was going to play out; have an incident report email sent to a certain administrator, whoever is in charge of investigating all of that. And then I can choose to restrict access. Now I am going to want to choose Restrict Access because this is where I’m actually going to say “block.” So block people from sharing and restrict access to shared content. Obviously, I could also use encryption here if I wanted to encrypt the email messages. And I might do that. I might create another policy that would apply to people inside my organization.
And if I were going to do that, this would be a good solution for that. It would protect it all. Okay, so I’m going to click Next, and then from there, it says block these people from accessing SharePoint, OneDrive, and Teams content. I have the option of blocking everyone or only people outside my organization, which is what I’m going to do. Now I could also allow people to override this policy. In my case, I’m not going to do that. I might turn that on if asked to do so, perhaps in a test environment or something. But if I’m not asked to do it, I’m not going to turn that on. I’ve got a business justification override that allows the user to type a message on why they’re justifying that it’s okay to do this. You can also override the rule automatically if the user reports it as a false positive. So if this is not actually a legitimate threat, then it can be overridden automatically. In my case, I’m not turning that on for the same reason.
If I’m not asked to turn it on, it’s not something that’s requested of me, and I’m not going to turn it on. So I’m going to go ahead and click Next. From there, it asks, “Do you want to turn on the policy right away or test things?” So in the real world, I would test it out. If I were you, I’d say I’d like to test this out first. Okay. From an exam perspective, again, if I were taking the exam and this was a lab scenario I was asked to perform, then I would choose yes and turn it on right away. Okay. So I’m going to go ahead and do that, and I’m going to select Next. This gives you a chance to review everything and make sure you’re happy with everything. If you wanted to edit anything, you could. Keep in mind that you can always go back and edit later if you want. All right, so I’m going to go ahead and click Create.
And it’s going to go through the process of doing that. It can take a little while, especially if the cloud is really busy. But as you can see, I’ve now created my policy there. It’s all set up. Notice there’s an order to the policies, like a priority order. The lower the number, the higher the priority. So if there’s ever a conflict between policies, the policy with the lower number will have the higher priority. And as you can see, this is turned on right now. Okay, this is already ready to go. And sometimes these policies don’t take effect right away. It can take a while for them to take effect in the environment, just because Microsoft’s cloud is very large. They’ve got a lot of offices, a lot of data centres where replication occurs, and all that. So sometimes it does take a little while to take effect before it actually hits your organization. But as you can see, it’s now officially on. And I’ve now created my US Patriot Act policy for data loss prevention.
3. Stepping through the first hands-on tutorial for creating a DLP policy
I’m going to click Show All, then Security. This is going to take you into the Security and Compliance Center. We’re going to drop down Data Loss Prevention. We’re going to go to Policy and create the policy. OK. We’re going to choose Privacy. And this is where the US Patriot Act is going to show up. So we’re going to select the US Patriot Act. We’ll click Next, give it a name, and then click Next again. You can use the default name, which is what I did there. Alright? Now, if I’m only wanting to allow Exchange, I would need to select “Let me choose specific locations.” I’m going to choose that option. I’m going to click Next, and then I will turn off everything except Exchange.
I’m going to go ahead and click Next now. All right. From there, I don’t need to change anything here because it’s got everything in it that I want. So I’m going to choose Next. All right. I’m going to select “Restrict access or encrypt the content.” And of course, in our case, we’re going to be blocking. So we want to make sure that Block is selected. So, from there, we’ll select Next. All right. There is nothing here we need to do. I’m going to choose Next, and I’m going to go ahead and turn it on right away. So the policy is going to go ahead and be enabled. All right, we’re going to click Next, and this would be where you would verify everything. And then I’m going to click Create. And as you can see, it’s pretty straightforward. It’s definitely one that you’re going to want to practise a few times because there are a lot of little things that you can click on and do. You definitely want to familiarise yourself with the different options there and step through that a few times until you get it down.
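The same policy that sections 2 and 3 build by clicking through the portal, expressed with the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. This is an added example, not the course’s own steps: the policy and rule names, the placeholder admin account, and the two sensitive information types are assumptions for illustration (the portal’s US Patriot Act template bundles its own set of types), and the low/high split mirrors the two rules the template creates.

```powershell
# Added example: Exchange-only DLP policy that blocks external sharing.
# Requires: Install-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder account

$policyName = 'US Patriot Act for DLP'

# Scope to Exchange only, as in the demo; other locations are left unset.
# Mode Enable turns it on right away; TestWithNotifications pilots it first.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks Patriot Act-related data from leaving the organization' `
    -ExchangeLocation All `
    -Mode Enable

# High volume: 10 or more matches, block sharing with people outside the org.
# Lower Priority number is evaluated first, so the blocking rule goes first.
New-DlpComplianceRule -Name "$policyName - High volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '10' },
        @{ Name = 'Credit Card Number';                minCount = '10' }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -Priority 0

# Low volume: 1-9 matches, show a policy tip to the sender but do not block.
New-DlpComplianceRule -Name "$policyName - Low volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1'; maxCount = '9' },
        @{ Name = 'Credit Card Number';                minCount = '1'; maxCount = '9' }) `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This message appears to contain regulated personal data.' `
    -Priority 1

# Verify: policy mode and location, and rule priority order (lower number wins)
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, Priority, ExchangeLocation
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Priority, BlockAccess, AccessScope
```

Keeping the policy in a test mode before switching to `-Mode Enable` is the scripted equivalent of the “test it out first” choice in the wizard, and the final two cmdlets are the check you would run before telling an auditor the control is in place.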
4. Demonstration for editing an existing DLP Policy to apply an exception rule
You get quite a few options here for what you can do: except if the sender’s address matches a pattern, except if the document property is a specific property that matches, and so on. Again, in my case, I’m going to go with “Except if the recipient domain is.” So we’re creating an exception. If you remember what we had in our policy, people are not allowed to email out any piece of information that matches the US Patriot Act template, and it can’t go outside the organization. However, we’re going to pretend that we have partnered up with a company, and the company we have partnered up with is called Acme Corp. Perhaps Acme Corp. is a company that has partnered with us.
They’ve signed nondisclosure agreements, they’ve proven themselves trustworthy, etc. Although I don’t know if I would trust a company whose acronym means “American crap made everywhere,” or the other acronym, “a company that makes everything right.” So we’re going to go ahead and add that. Acmecorp.com has been added. Now that’s our exception. So that was one of the criteria that I wanted here. If I wanted to pursue this further, I could return to Actions. That’s going to auto-scroll. Here are some actions I can perform. You’ve seen some of these before: adding encryption, adding headers, all that. You have user notifications, if you want users to be notified: use notifications to inform and educate your users on proper use. So we talked about that previously and how one of the great things about DLP is that it can help educate your users on things and let them know what they should and shouldn’t do by having tool tips and things like that. Policy tips.
So, as you can see, you can do that down here. We’ve seen that before. Okay. From there, I can do user overrides if I want to allow overrides. So this is kind of interesting. You could possibly allow user overrides on the low-volume rule. Maybe because of the high volume, you don’t allow overrides there. So again, this is another reason why you would use different settings for the low volume of content versus the high volume of content. Then you have incident reports, which we’ll look at later on, that you can send out. Other options include halting the processing of additional DLP policies and rules. That means that, hey, if this particular rule matches, meaning somebody tries to send out US Patriot Act sensitive information, it’s going to immediately stop processing any other policies.
This one would have priority. Okay, we’re going to go ahead and hit Save. Now we’ve configured our rule the way we want. Again, if we wanted to go from there, we could go to the High rule. We can edit the High rule as well. Again, I would not do that unless asked to, but I’ll go through the process: I could do the same thing and add an exception for the same domain here. The recipient domain is entered as Acmecorp.com, and it will function in the same manner. Okay? I can specify whether I want to block or allow traffic and then send incident reports; I could do the same thing here if I wanted. So maybe I’m not going to allow user overrides for the high volume, but perhaps I will allow user overrides for the low volume. So, for example, I could change that to allow for user overrides while also requiring a business justification. We talked about that previously. So we’ll save and then save again. And we’ve now edited our US Patriot Act DLP policy rule. We’re almost done with that, and we’re done.
5. Stepping through the tutorial for editing an existing DLP Policy
Show All. Click on “Security,” which is going to take you to the Security and Compliance Center. Drop down Data Loss Prevention, go to Policy, and choose the US Patriot Act policy that we created. We’re going to edit that policy. Now, in this case, we’re going to do the low-volume content. Again, if I were asked to do the high-volume one, I would. Or if it didn’t say either, maybe I would do both. All right? It kind of depends on what was being requested of me.
Again, if I were taking the exam and I was asked to do this, if I was not told to choose one or the other, I would do both. However, if I were told to do low, I would undoubtedly do low. If I were told to do high, I would do high. So I’m going to do low. We’re going to edit the rule. We’re going to move on to exceptions, because the point is, we’re adding a domain name that’s going to be an exception. So we’ll drop that down. “Except if the recipient domain is”; we’re going to select that. We’re going to put in the name Acmecorp.com because that was the name that was asked to be put in there. And then we’re going to click “Add.” Okay? As you can see, the name has now been added. We’re now going to click “Save.” Click Save again, close, and we’re done. We’ve now officially finished the tutorial. Okay, so this is a nice little tutorial for you to go through and get some practise with.
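The recipient-domain exception from sections 4 and 5, plus the low-volume override and the “stop processing” option the demo mentions, done with `Set-DlpComplianceRule` instead of the rule editor. This is an added example, not the course’s own steps; the rule names assume the template-style naming used in the earlier example on this page (“… - Low volume” / “… - High volume”), the admin account is a placeholder, and the only partner domain is the one named in the lecture.

```powershell
# Added example: add a recipient-domain exception to every rule in the policy.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder account

$policyName     = 'US Patriot Act for DLP'
$partnerDomains = @('acmecorp.com')        # the partner named in the lecture

foreach ($rule in Get-DlpComplianceRule -Policy $policyName) {
    # Merge with whatever exceptions the rule already has; Set- replaces the
    # whole list, so overwriting would silently drop an earlier partner.
    $existing = @($rule.ExceptIfRecipientDomainIs)
    $merged   = @($existing + $partnerDomains | Sort-Object -Unique)
    Set-DlpComplianceRule -Identity $rule.Name -ExceptIfRecipientDomainIs $merged
}

# Low volume only: let the sender override, but require a business justification
Set-DlpComplianceRule -Identity "$policyName - Low volume" `
    -NotifyAllowOverride WithJustification

# High volume: once this rule fires, stop evaluating further DLP policies/rules
Set-DlpComplianceRule -Identity "$policyName - High volume" `
    -StopPolicyProcessing $true

# Verify the exception landed on both rules and overrides differ by volume
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ExceptIfRecipientDomainIs, NotifyAllowOverride, StopPolicyProcessing
```

The merge step matters operationally: a domain exception is a deliberate hole in the control, so the list should only ever grow through a reviewed change, and the verification output at the end is what you would keep with the change record.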
6. Demonstration of editing a DLP Policy to add incident report support for a user
I now want to walk you through our US Patriot Act DLP policy. This time, we’ll go through and set up an alert notification for incident reports for a specific user. We’re going to have a user named Aaron Jones who is going to receive an incident report. So we need to enable that and configure it on that policy. So that’s our next little exercise here. I’m on admin.microsoft.com. I’m going to click “Show All,” click Security, which will take us to Security and Compliance, and then select Data Loss Prevention. Click Policy.
Okay, we’re going to find our policy here, our Patriot Act policy, and we’re going to edit that policy. Click “Edit” again. We have low and high, with low being a low instance count of these items and high being a higher instance count: low being one to nine and then high being above nine, right? So we’re going to drop that down. We’re going to edit our existing rules here. We took a look at these different things before. We didn’t talk too much about incident reports. So we’re going to choose “Incident reports,” it’s going to auto-scroll us down, and then here we are. We can choose the severity level, low, medium, or high, for the admin alerts based on DLP findings.
In this case, though, we need to turn on “Send an alert to admins.” All right, so we’re going to check that little option there and turn it on. It’s going to send our administrator, the global administrator, an alert email here, and then we can add a user here. We can also say “Use email incident reports to notify you when a policy match occurs.” You can do both of these. In our case, we’re just wanting to send alerts to a particular person. In my case, I’ve got the admin here, but I’m also going to add Aaron Jones. So I could remove the people currently there (just the admins), but I’m going to click Add. Okay? What I’m going to do now is pick this Alex Jones. I think I might have been saying Aaron Jones when it’s actually Alex Jones.
So we’ll select Alex Jones. We’re going to now go ahead and click Add. And Alex Jones has now been added as the user who is going to receive these incident reports. We’re going to go ahead and have the admin receive incident reports as well. And we’re going to click “Done.” Okay? Again, if we wanted to, we could go through the process here. It says “Use email incident reports to notify you when a policy match occurs.” So we can do this one as well if we want. Same thing here; add another; add the person if you want. And away we go. So, as you can see down here too, it says that all incident reports include information about the item that was matched, where the match occurred, and the rule and policy that were triggered. So you’re going to get quite a bit of good information from what that little report says.
You can also include the following information in the report: the name of the person who last modified the content, the types of sensitive content that match the rule, the rule severity level, the content that matches the rule, including the surrounding text, and the item containing the content that matches the rule. So those are the different options that we have with regard to an incident report. So we go ahead and save that now, and we can do the same thing for High. We can edit the High rule, go in here, select Incident Reports, turn it on, select our users, our admins, and so on and so forth. So it’s basically the same process, just for the higher volume. At that point, we’d save the rule and the policy. And we’ve now officially edited our Patriot Act policy to set up the incident reports for that user.
7. Stepping through the tutorial for adding incident report support to a DLP Policy
Show All and go to Security, which is going to take us into the Security and Compliance Center. We’re going to drop down Data Loss Prevention, click Policy, and we’re going to edit our policy by clicking on it. Edit policy settings. You’ve got low and high. Again, you could do both.
It just depends on what you’re being asked to do. We’re going to edit the policy now. Click on Incident Reports at the top, turn it on, and then we’re going to add our user. So click Add, Add again, and select the user that you’re wanting to add here. In this case, Alex Jones. Click Add, and we’ve now officially added Alex Jones. We’re going to click “Done.” As you can see, it’s there. If I were not asked to do this right here, I would not do this: I would not turn on “Use email incident reports to notify you when a policy match occurs.”
If that’s not something I was asked to do, then I would not turn that on. Okay? In this case, I was not asked to turn this on. So I’m not going to turn it on. I’m only going to send an alert to the administrators when a rule match occurs. Okay? So I’m going to go ahead and click “Save now.” And if I wanted to do high volume, I would. I’ve already given you my thoughts on that in the previous lecture. I’m going to hit Save and then Close, and we’re done. We’ve now officially walked through the little hands-on tutorial. This will be something you can try out.
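The incident-report configuration from sections 6 and 7 as PowerShell, covering both the low and the high rule and the report content options the lecture lists (last modifier, detected types, severity, matched content, matched item). This is an added example, not the course’s own steps: the rule names follow the earlier example on this page, the recipient addresses are placeholders, and the “Send an alert to admins” toggle itself is left to the portal here; what the script sets is the severity reported for the alert and the email incident report.

```powershell
# Added example: severity level plus email incident reports for both rules.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder account

$policyName = 'US Patriot Act for DLP'
# Placeholder recipients: the named user from the lecture plus the admin
$recipients = @('alexjones@contoso.onmicrosoft.com', 'admin@contoso.onmicrosoft.com')

# Low volume (1-9 matches): low severity, report the fields the lecture lists
Set-DlpComplianceRule -Identity "$policyName - Low volume" `
    -ReportSeverityLevel Low `
    -GenerateIncidentReport $recipients `
    -IncidentReportContent Title, DocumentLastModifier, Detections, Severity, MatchedItem, RulesMatched

# High volume (10+ matches): same recipients, high severity, everything in the report
Set-DlpComplianceRule -Identity "$policyName - High volume" `
    -ReportSeverityLevel High `
    -GenerateIncidentReport $recipients `
    -IncidentReportContent All

# Verify who gets the report and what it will contain
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ReportSeverityLevel, GenerateIncidentReport, IncidentReportContent
```

One caveat when choosing `MatchedItem` or `All`: the report then carries the sensitive content itself, so the recipient mailbox is now a place that regulated data lands, and it should be protected (and retained) accordingly.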
8. Data Governance and Retention using Security and Compliance
I want to look now at the concept of retention as it’s managed through the Security and Compliance Center. So here I am in the Microsoft 365 Admin Center, admin.microsoft.com, also known as portal.microsoft.com. I’m going to drop down Show All, and I’m going to click on the Security blade here, and that’s going to bring me into the Security and Compliance Center. Okay? So when you get into the Security and Compliance Center, we’re going to take a look at information governance. So I’m going to drop down where it says Information Governance, and I’m going to click on Retention. Okay? This is going to bring me into retention. And the great thing about dealing with retention here in the Security and Compliance Center is that it manages it not just for Exchange but for things like SharePoint, Teams, and all that good stuff as well. So I’m going to click on “Create.” And then from there, I can give this policy a name. I’ll just call it test retention. Okay? And then I’ll click Next. And then from here it says, “Do you want to retain content?” I can say yes, I want to retain it. For how long? Seven days, you could say, or forever. Or, I’m sorry.
Seven years is the default. If I wanted to do seven days, I could, or seven months. And then it says to retain the content based on when it was created or last modified. So you can choose between when it was created and when it was last modified. Do you want us to delete it after this time? I could say yes or I could say no, and if I say no, this is going to change it from “yes, I want to retain it” to “no, just delete it.” Okay? So if I say yes, delete it after the time period, then it is going to get deleted after the seven years. Okay? From there, I can click Next, and this is where I can choose the specific locations I want: Exchange email, SharePoint, OneDrive, Office 365, Skype for Business, public folders, Teams, and so on. I’m going to add Exchange public folders to that also, okay? So I can select all of the things here that I want. This is what’s really nice, again, about the Security and Compliance Center with retention: you get to choose these different locations. At that point, I click Next, and I would then click to create the policy. And away we go. We’ve now created our test retention policy. It won’t just oversee Exchange; it will oversee Exchange, SharePoint, Teams, and everything else I chose.
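The retention policy from this section built with the `*-RetentionCompliance*` cmdlets. This is an added example, not the course’s own steps: the policy name is the one used in the lecture, the admin account is a placeholder, 7 years is written as 2555 days because the cmdlet takes days, and it assumes (from the cmdlet design, not from the lecture) that Teams chat and channel locations have to live in their own policy rather than alongside Exchange and SharePoint.

```powershell
# Added example: retain for 7 years from last modification, then delete,
# across Exchange, SharePoint, OneDrive and Exchange public folders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder account

$policyName = 'test retention'

# Locations picked in the wizard. Assumption: Teams locations would need a
# separate New-RetentionCompliancePolicy with -TeamsChatLocation/-TeamsChannelLocation.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -PublicFolderLocation All `
    -Enabled $true

# "Retain it, then delete it" = KeepAndDelete; the clock starts at last modification.
# Use CreationAgeInDays instead to count from when the item was created.
New-RetentionComplianceRule -Name "$policyName - 7 years" -Policy $policyName `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Verify locations and that distribution to the workloads has started
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation, OneDriveLocation, PublicFolderLocation
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionDuration, ExpirationDateOption, RetentionComplianceAction
```

The `-DistributionDetail` output is the scripted version of the “it can take a while to take effect” remark: until the status shows the policy has been distributed to each workload, the retention setting is not yet enforced there.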