Protect sensitive meetings

Digital meetings have only increased recently. We save time and increase collaboration with the right type of skills in meetings regardless of where the participants are located.

When it comes to sensitive topics, there are still some meetings that are conducted physically solely to reduce the risk of sensitive information being leaked. We do have a lot of news within Microsoft Purview Information Protection that helps us to protect sensitive meetings.

This includes for instance protection of Outlook meeting invites where we can protect the invite itself and make sure that the invite and any attachments are protected. For instance, a sensitive internal meeting can be protected and restricted for only internal access that blocks the meeting invite as well as any content/attachments of being forwarded or shared externally.
image

For a sensitive project we can make sure that these meetings invite are restricted only to the project’s members regardless of internal or external members.

Let’s take an example with a use case.

Business Case Project Delta
This is Project Delta with sensitive information restricted only the project members. We need to make sure that all information and access are restricted only to the project members. The project leader is also Team owner and can control access by adding/removing users to the team.
With the sensitivity label encryption configuration based on the same Microsoft 365 group as the team project. The members get automatically:

  • Access to the Team site
  • Access to protected project information (regardless of where these files are stored)
  • and now also the meetings invite

image

When the project leader wants to invite to a confidential meeting regarding the project he applies the sensitivity label for the project and send this to both external and internal members.
image
Sensitive Project meetings are classified (Labeled and Protected) either manually or automatically based on sensitive project information.

The invite and any attachment will be protected only to project members. The company’s internal members are restricted by Exchange Data Loss Prevention (DLP) to send the invites to anyone outside of the project.
If someone within the company by mistake adds a non-project member to the invite the sender is noticed and blocked:
image

The exchange DLP rule looks for both classified/labeled Project Delta emails and invites as well content of the email with detection of sensitive project information based on a sensitive information type. If this is sent to anyone that is not a member of the project this email/invite is blocked and the sender is notified by the following configuration:

image

With the sensitivity label we encrypt the information and define/restrict permissions like print, copy or forwarding. In this use case forwarding is allowed. But we still only allow access to the content for project members.

If the project leader sends this invite to an external project member, the external member has permission to forward the invite to another coworker. With help of the protection the coworker (or anyone outside of the project) can´t open the invite or any attachments that may have been downloaded from the invite.

But lets say that this coworker should be part of the project as well as the planned meeting.
The only thing the project leader needs to do, is to add this member to the project Team.
This user can now open the meeting invite that has been sent to him earlier (as well as any project files that has been shared and stored).

Control Teams meeting settings.
Based on the sensitivity we can also define settings for the meeting. For instance, require end-to-end encryption or prevent copying of chat content for sensitive meetings:

imageSensitivity label settings for Teams meetings and chats

Define meetings settings based on the sensitivity for the Team or channel.

We can predefine what meeting sensitivity that should be set by the sensitivity of the Team or Channel.
In this case we have configure that meetings created from Secret Internal teams and channels get classified as secret with internal restrictions

image

image

For the Project Delta we can configure that meetings created within this team automatically get classified Confidential and labeled for Project Delta with correct permissions.

Notice that enhanced protection settings for Teams require additional license that are explained here

Publicerat i Microsoft Purview Information Protection | Lämna en kommentar

Adaptive protection within Data Loss Prevention

Microsoft has just announced a public preview of adaptive protection within Data Loss Prevention (DLP).

What is this and why is this something important?
The main purpose of DLP is to increase awareness and prevent end-user mistakes. I would definitely not recommend to start a DLP journey by blocking users. The risk of preventing action on our business is not only angry/frustrated users but also that it can result in them finding other ways to do their work. Where so-called shadow IT results in company information being created, stored, and shared outside the companies IT environments.

The question is in what scenarios do we actually want to prevent and stop any possibility of leaking company information?

One example would be an insider risk where an internal user tries to leak internal secrets. Microsoft Purview Insider Risk Management is a great tool to identify these insider risks.

Adaptive protection is a new capability in Microsoft purview that uses AI and machine learning to dynamically protect data. Adaptive protection leverages machine learning analysis in insider risk management to detect risky user actions that may result in a data security incident. It automatically adds that user to a stricter data security policy such as a data loss prevention policy to block specific activity. This is great because the protection policies are adaptive based on user context ensuring that low risk users can maintain productivity and high-risk users have appropriate protection in place. Overall, this will help relieve part of the heavy burden of protecting data in a hybrid and rapidly changing environment.

If we start looking at the end-user experience. Here we see that an internal user attaches company information into a private email account. Be default we notice the user about this kind of action, but the user can proceed and allow the action.
But if there is an identified insider risk with the user, the exact same action is being blocked without any way for the user to proceed.

adaptive protection

How is this done?

If we start looking at Insider Risk Management we have a new menu for Adaptive Protection. Here we can fine tune different risk levels, configure DLP policies and monitor this service.

imageimage

If we look at our DLP rules we see that we now have a new condition that can be added to our DLP rules. User risk level affect today DLP policies for EndPoint and Exchange.



To achieve this scenario, we simple have two different DLP rules. The first one notify and recommend the end user if company information is extracted with Block with override.

image

The second rule include the same conditions and the User Elevated Risk level that simply block all actions.
image

This shows that Adaptive protection in Microsoft purview combines the content centric controls from data loss prevention along with the people centric context from insider risk manager. This helps organizations balance data protection and productivity. Adaptive protection leverages machine learning to gain user context and insights about risky activities that may result in security incidents. It automatically tailors the controls based on risk detected so that organizations can enforce the most effective controls on the highest risk users, while everyone else works as usual.

Adaptive protection enables you to create more proactive and risk adaptive DLP policies so that organizations can contain exfiltration impact. Lastly it helps SecOps teams reduce alerts fatigue and the constant triage to identify the true risk. They can now protect more with less by leveraging the ongoing prioritization adaptive protection provides and it drives both effectiveness and efficiency.

Important: integrity within Insider Risk Management (IRM)

To maintain referential integrity, anonymization of usernames (if turned) isn’t preserved for users from Adaptive Protection who have alerts or activity appear outside insider risk management. Actual usernames will appear in related DLP alerts and the activity explorer.

Protect against external threats
Other actions that we normally use for our own playbooks is to combine DLP alerts with device or user behavior risks from Defender and AAD Identity Protection that isolate devices or block users. This is most common for external threats and in the same way preventing information leakage. In that case the compromised device is isolated, and nothing can be extracted from the device. A hijacked account is blocked, and nothing could be accessed (or shared) from that account.

Publicerat i Microsoft Purview Information Protection | Märkt , , | Lämna en kommentar

Security summary for Microsoft Teams

We live in a new age around how we work. Even though we see that the Covid pandemic is finally starting to decrease we have created a new way of working. Microsoft Teams have become an increasingly critical service for storage, communication, collaboration both internally and externally. We can see how the utilization rate is increasing more and more by all types of organizations around the world.

During 2022 Microsoft Teams have reached 270 million users worldwide and over one million organizations use Microsoft Teams as the default messaging platform.

This also means that the threats increase at the same rate (just as with other services / platforms that take over the market). If there are large numbers of users and sensitive information, the interest of criminal organizations is increased.

With this article I want to enlighten you what services should be used to face this threat.

The Control panel

The Microsoft Purview Compliance portal can be seen like a control panel for the Teams platform. With the help of classifications set by sensitivity labels we can design the different Teams and its channels based on the purpose and sensitivity. Controlling everything from guest access, file access, file sharing, to requirements of what users and devices can access and download information.

The key is to make Teams easy to use and understand. After all, the greatest risk of information leakage is our end users. Make it easy to do the right thing and reduce the risk of user mistakes.

image

Microsoft Purview compliance portal – Microsoft Purview (compliance) | Microsoft Learn

Access and authentication

No one has missed that the identity is the new perimeter and that Zero Trust is an important part of designing access. Based on the Teams design we can and should control access with Azure Active directory Conditional access.

  • We can define requirements for devices, for example that only company managed devices can get full access to upload/download information.
  • We can and should require a strong authentication such as multifactor authentication that has different flavors. We can for example make it easier for the end users with Windows Hello for business or other passwordless solutions.
  • Most important of all within true Zero trust, we should always verify the risk of the sign-in, the user and the device. There is no trusted user, device, or network!
    With help of the signals from Azure AD Identity Protection and M365 Defender we get both behaviors and reputation -based control. We should regardless of user, device, and network block risky sign-ins both externally and internally.

image

One example is to require an internal user to change password directly when it seems to be used by someone else. This automation reduces the time of the breach or completely stops a hijacked account from accessing our information.

Another example is to combine Conditional Access session control with Microsoft Defender for Cloud Apps to monitor and restrict access for non-managed devices. Then we can still allow these devices but prevent sensitive information from being downloaded.


image

What is Conditional Access in Azure Active Directory? – Microsoft Entra | Microsoft Learn
What is Azure Active Directory Identity Protection? – Microsoft Entra | Microsoft Learn

Files and links

In addition to stolen identities, malicious files and links are still the most common attack route for criminal organizations to get in control of our environments. As our communication paths move from email to Teams, we also see the increase in malicious links and files coming this way.
Microsoft Defender for Office 365 and the built-in virus protection in SharePoint Online provides

  • Safe Links protection. URL scanning with rewriting of links and time-of-click verification for URLs within Teams conversations and files. The URL scanning is based on reputation and/or detonation asynchronously in the background. This increases protection against both existing and newly arrived malicious links.
  • Virus scanning of uploaded files and virus control during downloading is done by SharePoint Online (that stores all files for MS Teams). Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Microsoft Defender for Office 365 provides an additional layer of protection for files that have already been scanned. Safe Attachments for Microsoft Teams help detect and block existing files that are identified as malicious in team sites and document libraries.

image

The files in OneDrive for Business with one detected as malicious

Complete Safe Links overview for Microsoft Defender for Office 365 – Office 365 | Microsoft Learn
Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams – Office 365 | Microsoft Learn

Information Protection

A potential data breach isn’t the only risk companies face when it comes to unstructured data. Noncompliance with regulations can lead to civil or criminal prosecution for business owners or leaders who are found to be negligent or improperly handling sensitive information.

With help of Microsoft Purview Information, we can

  • detect sensitive information
  • classify information with purpose for example to define if its public data meant to be spread or sensitive data that should be limited to authorized users.
  • restrict sharing and access based on the classification/sensitivity
  • encrypt sensitive information. Protection that follows the lifecycle of the information even if it’s allowed to be shared and downloaded. For example, will protected information be monitored even if it´s externally shared and stored outside of Teams and access to the file can be revoked when needed.

image

With the help of Data Loss Prevention and Communication compliance we can increase awareness within chat and conversations. Restrict sharing of sensitive information, harassing/threatening language and sharing of adult content that could cause serious damage to our business.

Another example of DLP is to use EndPoint DLP to control what kind of information is allowed to be uploaded to Teams (and other cloud storage solutions).

Microsoft Purview Information Protection – Microsoft Purview (compliance) | Microsoft Learn
Learn about data loss prevention – Microsoft Purview (compliance) | Microsoft Learn
Learn about communication compliance – Microsoft Purview (compliance) | Microsoft Learn

Insider risks

Not only do we have external threats. We can also have internal threats that we need to protect ourselves against. This could be everything from internal users sending sensitive information to their private email with good intent, to someone exfiltrating data with the purpose of leaking trade secrets using an internal user account. Microsoft Purview Insider Risk Management uses the full breadth of service and 3rd-party indicators to help you quickly identify, triage, and act on potentially risky activity. Insider risk management allows you to define specific policies to identify risk indicators. After identifying the risks, you can take action to mitigate these risks, and if necessary open investigation cases and take appropriate legal action.

Insider risk management – Microsoft Purview (compliance) | Microsoft Learn

Data lifecycle management

Microsoft Purview Data lifecycle management is used to comply with laws and regulations. Making sure that irrelevant, out-of-date information is deleted, and that business-critical information is preserved. For example, we can retain or delete certain information based on identified content or the location of the file.
We can also use retention policies and/or a group expiration policy to clean up unused inactive teams/channels and make things cleaner. This makes life easier for our end users and makes it easier for us to protect.

Learn about Microsoft Purview Data Lifecycle Management – Microsoft Purview (compliance) | Microsoft Learn

Microsoft 365 group expiration policy | Microsoft Learn

Last words…

Keep in mind that completely blocking external sharing and guests into your organization often leads to increased risk of information leakage. Basically, because sensitive information will be sent by email instead of being stored and shared from your organization. Shadow IT will increase where employees find their own way of cooperation and sharing of information.

Use Microsoft Teams, in a secure and smarter way!

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

New data protection for Windows

Microsoft just announced that they will release another layer of data encryption within the Windows operating system. This is called Personal Data Encryption (PDE) and will be available from Windows 11 22H2. PDE is an extra layer over the BitLocker disk encryption. The purpose of this it to protect personal data to be accessed either remotely (RDP, File share etc) or locally by another user on the same device.

Personal data locations will be able to be customized later on but is normally “My Documents, desktop and pictures folders.

The encryption is like EFS with a randomized unique 256 bits AES key per file that is protected with Windows Hello for business (instead of certificate-based protection that uses for EFS). To be able to decrypt any file the end user needs to sign in with Windows Hello for Business. This means that the data at rest will be protected before the user login into Windows and as soon as the user lock the machine. Personal Data Encrypted data will only be available when the user signs in with Windows Hello For Business.

image

The encryption is not a replacement for BitLocker, it should be used in a combination with PDE to fully protect the device and all data. It can’t be combined with standard EFS or Windows Information Protection (WIP).
I personally recommend organizations that using WIP or EFS to replace this with Microsoft Purview Information Protection to be able to identify, classify and protect sensitive content during the entire data life cycle.

For more information and how to test this out follow these links:

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-personal-data-encryption-securing-user-data-before/ba-p/3691185?WT.mc_id=EM-MVP-4030782

https://learn.microsoft.com/en-us/windows/security/information-protection/personal-data-encryption/overview-pde?WT.mc_id=EM-MVP-4030782

Publicerat i Microsoft Information Protection | Märkt , | Lämna en kommentar

AIP Client: To be or not to be

A lot of new things have been released during Microsoft Ignite and we have several news within the Office products around information security.

Microsoft Purview Information Protection continues to give more insights and abilities to detect sensitive information. All the news within Microsoft Office is integrated within the product and can’t be combined with the classic AIPC Client. This article is meant to explain and show the difference between the AIP client add-in and Office native.

One of the most requested features that the AIP Client add-in have given in Office is the ribbon that provide more visibility and make it easier to choose the correct information classification. Basically, the user doesn’t need to click on the Sensitivity button to know what information classes that are available and choose the correct sensitivity label. This function with a visible ribbon is planned to be integrated in future Office releases but is not jet here.

image

However, we have several functions that maybe make us want to disable AIP client Add-in already now. One example is when sensitive information has been detected, with the AIP Client it notices the end-user about it, but it doesn’t show exactly what and where the information is detected in the document.

When sensitive information is detected with Office version 2208 and above, Word notifies the user where the content is in the document as well as what type of content it is. It’s a big improvement in alerting the user to exactly what information was identified and where in the document. This makes it easier for the user to both discover incorrectly identified information but above all to be able to remove sensitive information that may not be approved in the specific document.

image

Custom Permissions

With the AIP Client and the add-on we have had the possibility to protect information with user defined custom permissions. Here we have the possibility to define what permission (View, Edit, Full Control) to defined users, groups or organizations by their mail domains. Without the add-in (or if we had enabled coauthoring for RMS protected content in the specific tenant) it falls back to the classic RMS function “restrict permissions” that didn’t have the possibility to restrict access to an whole organization.

This has now been resolved in new Office versions (2208) that also include the ability to assign different rights to different users and organizations.

Custom Permission native

Custom Permission with AIP Client

image

clip_image004

Outlook

imageWhen it comes to protect emails to user defined recipients with sensitive labels that uses the rather new “Encrypt-Only” restrictions we had never had this possibility with the AIP add-in enabled in outlook.

Outlook native

Outlook with the AIP add-in

clip_image002

clip_image004

What we still miss in the native Outlook client is the AIP add-in Outlook pop-ups that for instance can be configured to notify and/or block the end-user to send internally protected emails externally.

image

Non-office files

We still need the AIP client to be able to protect non-office files and/or to protect several files/folders at a time from Windows Explorer. This mean that we don’t want to uninstall the AIP Client app, instead we can disable the add-in for per Office apps

Microsoft is planning to disable the AIP add-in by default in office starting with version 2213, read more here around this (and how to prevent it if there is a need for that):

Migrate the Azure Information Protection (AIP) add-in to Microsoft Purview Information Protection built-in labeling for Office apps – Microsoft Purview (compliance) | Microsoft Learn

Activities that should be planned

For organizations that currently have AIP client’s and its add-in enable, it is time to take a decision when and if changes should be done. Many will wait until the bar is available in native office. I recommend that you create communication plans and review whether user instructions need to be updated when the decision have been made. Service desk and other operational departments should of course be informed.

Also make sure that organization-specific (custom) Information Types/Trainable Classifiers are named and described in a good way because they will now be visible to end users.

Publicerat i Microsoft Information Protection | Märkt , | Lämna en kommentar

Kontrollerad datalagring för svenska myndigheter

Flera av våra svenska myndigheter och offentliga verksamheter står idag och vacklar över om de kan spara data i vissa molntjänster. Trots detta ökar konstant behovet att kunna använda Microsoft Teams för att kunna kommunicera med övriga parter med både möten och samarbete. En stor utmaning handlar även om att kunna förvalta en Windowsplattform som idag bygger på molntjänster för att erhålla hög säkerhet med alla dess tjänster. Att idag hantera en Microsoft-infrastruktur utan dessa molntjänster är extremt tidskrävande och kostsam med ett konstant arbete att hänga med i utvecklingen och stänga av de tjänster som har molnkoppling.

Men den här artikeln kommer jag beskriva hur vi kan förhindra datalagring i Microsoft 365 som standard, men även ge möjlighet på ett kontrollerat sätt att lagra viss information i molnet.

Vi kommer tekniskt lösa detta med tjänster inom Microsoft Purview Information Protection och med hjälp av informationsklassificering. image
Vi har precis fått nya funktioner som öppnat helt nya dörrar.

Ett sätt att höja våra användares medveten och stoppa viss typ av information för datalagring i allt ifrån molntjänster, USB minnen och andra lagringsytor är med tekniker inom Data Loss Prevention (DLP). Här kan vi både övervaka, informera och blockera användare när viss typ av information flyttas/lagras utanför organisationens väggar.

I de flesta fallen handlar det här om viss känslig information som har hårdare krav som innebär kryptering och/eller förhindrande av lagring i osanktionerade (moln)tjänster. Det här löser vi tekniskt genom att identifiera viss typ av information baserat på filernas innehåll eller informationsklassificering (sensitivity labels).

För flera av våra myndigheter är behovet något helt annat. Allt ska som standard blockeras, inget får lagras men det finns undantag för viss information godkänd för datalagring. Detta har varit en teknisk utmaning tidigare, men vi har nu fått teknik som fyller det här syftet.

Vi kan nu låta installera både Microsoft Teams applikationen och OneDrive klienten på våra Windows-enheter inom organisationen. Med hjälp av inbyggt DLP teknik i Windows styr vi så inga filer kan flyttas eller skapas i dessa tjänster. Där emot kan användaren göra ett aktivt val att klassificera en fil manuellt med en viss informationsklassificering som är tillåten att lagras i Microsoft 365. Där efter kan filen flyttas och sparas både i Teams och/eller OneDrive för att synkas till respektive molntjänst.

Tekniskt används ett nytt krav i DLP som handlar om att identifiera om Office filen saknar en sensitivity label. På det sättet kan vi blockera oklassificerade Office filer och övriga klassificerad data som inte är tillåten för molnlagring. Med hjälp av samma DLP-teknik blockerar vi andra filtyper som kan innehålla information för att säkerställa att inte denna lagras i molnet.

Några exempel på hur det här kan se ut.

Användaren försöker skapa ett Word dokument i OneDrive, vilket blockas av EndPoint DLP i Windows. Användaren tar istället en excel-fil som är klassificerad (med en definierad label) som är godkänd för datalagring som kopieras till OneDrive (och synkas till molnet).

DLPUnlabeled

I nästa exempel visar vi hur ett publikt dokument kan flyttas till Teams medans ett dokument utan klassificering (sensitivity label) blir blockerat för uppladdning.

DLPUnlabeledTeams

Blockera enheter som saknar DLP stöd

Med hjälp av Conditional Access säkerställer vi att det enbart är managerade klienter med denna DLP teknik som når M365 tjänster. Med hjälp av Defender for Cloud Apps kan vi ge en begränsad behörighet att enbart använda webb access för övriga enheter där vi blockerar upp/nedladdning baserat på likvärdigt regelverk.

MDADLPUnlabeled1

Befintlig data

Finns det redan data lagrad i molnet som kan innefattas av dessa eller nya krav kan vi få logik i EndPoint DLP som helt enkelt flyttar information och lagrar den lokalt. Filen byts då ut av en text fil där vi kan/bör förklara VARFÖR den har flyttats och var användaren nu kan hitta informationen.

Som med all DLP funktionalitet bör det här användas med försiktighet. Blockerar vi våra användare/verksamheter utan att motivera varför och ger dom ett fungerande alternativ att utföra sina arbetsuppgifter ökar risken att de nyttjar helt andra tjänster att utföra sitt arbete och vi tappar kontrollen helt.

Rikets/Sveriges Säkerhet

Flera av våra myndigheter har information som innefattas av informationsklassificeringen ”Rikets säkerhet”. Det här är information som hanteras i helt slutna system (eller i pappersform) utan någon form av internetanslutning. Den här typen av information ska/kan inte klassificeras med hjälp av sensitivity labels. Där emot är det viktigt att ha någon form av detektering OM den skulle förekomma i verksamhetens molntjänster.

Här finns det möjligheter att definiera upp standarder som används i dessa slutna system. Med hjälp av något som är identifierbart kan den här informationen detekteras och på samma sätt både förhindra att den laddas upp till molntjänster, flyttas till lokal lagring och larma om den identifieras på internetanslutna enheter.

Publicerat i Microsoft Information Protection | Märkt , | Lämna en kommentar

Problem sending or receiving protected emails externally?

Last week was the tenth time I helped an organization that couldn’t send protected emails externally.

In other words, it’s worth a blog article.

It’s all about a very common misconfiguration of Conditional Access.

The scenario is that (RMS) protected emails can be opened internally but if they are either sent or received externally, they can’t be opened in Outlook.

image

In all cases the issue have been that the sender’s organization has required MFA for all users to all cloud apps.

Multifactor Authentication (MFA) is in most cases what we want to enforce to increase the security but in this case it simply doesn’t work.

Let me start to explain how to solve this issue.

If your MFA Conditional Access rule looks like the following you simply need to exclude the app Microsoft Azure Information Protection from the specific rule.

All users All Cloud apps Require MFA
image image

image

image

If you have other Conditional Access rules that require MFA against the app Microsoft Azure Information Protection, you need to exclude this for external users.

As soon as the exclusion has been done, protected emails will be able to be opened (decrypted) in Outlook.

CA-MFA-Outlook-Error-1

Let me explain why

Outlook as an App supports MFA. For example, if MFA is required internally, you can sign-in to Outlook to your own organization with MFA. The problem comes when you need to decrypt a rights protected message (rpmsg). One of the best things with RMS encryption is that is works seamless with Office files both internally and externally. During decryption, the authentication of your signed-in account in Office is used to verify your permissions against the organization that encrypted the content, both internally and externally (without any additional password/certificate that most 3-party solutions use).
The problem when you need to authenticate to decrypt a protected message that comes from an external organization is that Outlook uses the signed in account and its token to authenticate to the sender’s tenant. If MFA is required Outlook doesn’t support  re-authenticating to the sender’s organization with MFA against this tenant.

Publicerat i Conditional Access, Microsoft Information Protection | Märkt , , | Lämna en kommentar

Protect your environment by reviewing your applications!

To be able to protect our organization as well as preventing information leakage we not only need to secure our own environment we also need to identify what kind of apps and services that are in use by our users.

Microsoft Defender for Cloud Apps, formerly known as MCAS is a great tool to both get to know what kind of apps that are in use, get more knowledge about the apps as well as blocking unwanted application.

There is two different kind of apps that we can identify with Microsoft Defender for Cloud Apps.

  • Cloud Apps used from our network (based on FW/proxy logs) and/or devices (via Defender for Endpoint).
  • OAuth apps that integrate with our Azure AD, for instance, to sign in a user and/or access a user’s Microsoft 365 information such as calendar, email, and files.

There are a lot of news coming around OAuth apps, lets save that for a coming blog post and focus on the other type of apps, discovered cloud apps.

image

The risk of not knowing what 3-party apps that are being used is everything from information leakage to identity theft.

It’s called Shadow IT when users start using unsanctioned services to perform their work. With this tool we can easily identify if this is the case either by identify that large number of users accessing the same unsanctioned app or that a lot of data are transferred to a specific unknown app.

Another security risk that it common is that users reuse their work email adress as well as their password for 3-party solutions. We have seen several cases where a web service has been hacked and credentials stolen from this application have been used to get access to the company.

Microsoft Defender for Cloud Apps have built in alerts that reports both new apps that are being identified for high usage as well as new breaches with apps that are in use by our business. We can also create our own alerts and use Power Automate to get the alert into any destination we want and even take automatic actions.

image

A major challenge with Microsoft Defender for Cloud Apps is to identify ownership within the organization because this is such a broad product.

If we identify Shadow IT, we need to involve several parts of the organization to review what actions we need to take.

Examples include:

  • Make sure that we provide our business with the services they need to do their job.
  • Inform and educate how to use sanctioned apps and services
  • Once we have identified and informed about a sanctioned solution, we can block the unsanctioned solution.

However, it can be more critical in some cases where we need to act as quickly as possible to prevent information leakage. This assumes that we have a playbook with actions for this type of alerts.

For example, an alarm occurs that large amount of data are uploaded to an unsanctioned cloud app with a low score that turns out to be a service for anonymously sharing information.

A first step that our security operation can take is to start monitoring the service. This results in users being informed that their activities are being logged. If it turns out to be something that is approved by the business, the user can still move on.

image

MonitorFreenet

A prerequisite to be able to monitor and block the app is that Microsoft Defender for Endpoint is running on the device.

How to get started

If you are working in IT and don’t have the business and its management involved, start by giving them information that Microsoft Defender for Cloud Apps has identified.

One good example as a first introduction for the management is to generate a Cloud Discovery executive report.

image

Today this is done from the Microsoft Defender for Cloud Apps -portal and the Cloud Discovery part. In a few months this will integrated as a coherent part of the Microsoft 365 Defender portal. Stay tuned for more information around news within Microsoft Defender for Cloud Apps.

More information about Microsoft Defender for Cloud Apps

Publicerat i Microsoft Defender | Märkt | Lämna en kommentar

Restrict information sharing based on sensitivity

Both Teams and SharePoint are good solutions for sharing and collaborating with sensitive information internally as well as externally.

With help of Sensitivity labels, we can define rules and permissions for everything from allow/block external guests, sharing of files, as well as conditions for accessing different Teams and SharePoint sites.

In the most cases a certain team or project often includes different kinds of files with different sensitivity. Everything from public non-sensitive information to more confidential information that all have different rules and regulations.

All settings around “Groups & Sites” that we can define in Sensitivity Labels are based on existing Teams/SharePoint settings.

The biggest challenge is most often when we use Teams or restricted channels in Teams to restrict access to certain information. Even if we set a Team or a Teams channel as private, the default setting for sharing is that files can be shared to anyone within your organization.

image

In the most cases we have specific private Team and/or private channel to restrict access to only the members. But…

Regardless of the private setting of the team and channel that restrict access to the specific location, files within this team can be shared to users outside of the Team/Channel.

image

This is due to the following global setting in SharePoint

image

Within information security, it is of course most advantageous to change the global settings for Shares to ”Specific people”. This does not allow files to be shared to anyone other than those who have access to the Team or channel.

However, it is often difficult to change the global setting as there is uncertainty about the need for information sharing. After all, it is usually a small part of our information that is actually more sensitive.

This week we have got new functionality within Microsoft Information Protection that solves this challenge.

We can now, based on the sensitivity of both the team and specific documents, control just sharing settings. This applies both to who we can share files with, and to control whether we allow edit or view only access to the shared document.

Some examples, if we have Team sites including private channels where we need to restrict sharing to only members of the Team/Channel, we can define this setting on the sensitivity label of the site.

image image

If sensitive information is located in a nonrestrictive team we can restrict the sharing setting only on these files.

TeamShareBasedOnSensitity

For more information how to configure sensitivity labels with default sharing link type in SharePoint and OneDrive:

Use sensitivity labels to configure the default sharing link type for sites and documents in SharePoint and OneDrive – Microsoft 365 Compliance | Microsoft Docs

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar

Classify information based on Teams location

Information classification is used to separate information into different categories. Everything from legal cases to sensitive projects often includes different kinds of information. It could contain both public information meant to be spread/shared officially and more sensitive highly confidential information restricted to certain users.

However, a common business request is the ability to classify information based on a certain location such as Team sites or SharePoint sites. Today the classification/Sensitivity label of the site only control how information can be accessed and shared and doesn’t affect the sensitivity label of the files within the team.

Notice that this picture has been customized to visualize that sensitivity label of the Team and the files doesn’t reflect.
Notice that this picture has been customized to visualize that sensitivity label of the Team and the files doesn’t reflect.

Default label per SharePoint/Team site

What’s in roadmap and currently in private preview is that a default sensitivity label can be configured per site. A site with configured default sensitivity label will automatically apply this label to all documents created or uploaded to this site. The exception is documents that already have been manually or automatically classified with a sensitivity label.
Documents with another default label will be relabeled with the default label configured for the Team/SharePoint Site.

In this example two different files are uploaded to Confidential team for Project Beta.

· The excel file is already manually labeled as Public.

· The document is just created with a default label (Business).

Within 2 minutes Teams shows that the Excel file remains classified as Public while the document has been relabeled as Confidential \ Project Beta

DefaultLabelSPUpload

When a new document (excel workbook in this example) is created from this site it is labeled by default as Confidential \ Project Beta

DefaultSPCreate

If you want to try this out, the product owner at Microsoft have written an article with guidelines

Publicerat i Microsoft Information Protection | Märkt | Lämna en kommentar