What we have seen is that organizations are often good at verifying permissions and access to their IT (security) systems, but what most organizations miss is restricting and protecting the data extracted from those systems, such as logs and reports. That information contains both system information and user data, which in the wrong hands can be used by criminals to map our IT environment and identify vulnerabilities, or can put us in violation of laws and regulations regarding sensitive user information.
We need to support our analysts and IT staff in identifying sensitive IT/system information and getting it correctly classified and protected. This has just become much easier! Since last week we have new built-in trainable classifiers, including one just for IT information. A trainable classifier helps us identify information by analyzing existing content and using AI to find similarities in new content. You can read more about how trainable classifiers work and how to create your own classifiers in this blog post
The trainable classifier IT refers to information technology and cybersecurity topics such as network settings, information security, and hardware and software issues. If we compare this trainable classifier with the sensitive info type “IP Address”, the latter only identifies IP addresses, while the classifier identifies the combination of network, hardware, software and user information.
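To make the difference between a single-pattern detector and a combination-based one concrete, here is an added example (not code from the original post, and not Microsoft's trainable classifier, which is machine-learning based). It uses a hand-written heuristic as a stand-in: each document is scanned for several categories of signals (IP addresses, hostnames, user identities, security vocabulary), and only a document where two or more categories co-occur is flagged as sensitive IT information. The three sample documents and all regular expressions are constructed for this example.

```python
import re

# Constructed sample documents (not from the original post).
SAMPLE_DOCS = {
    "incident_report": """Incident IR-0042 summary (constructed sample).
Exposed device srv-app01.corp.example.com at 10.20.30.41 is running an unpatched
build of the logging library; exploitation attempt observed from 198.51.100.23.
Affected account: CORP\\jdoe (jdoe@example.com). Remediation assigned to itsec@example.com.""",
    "newsletter": """Welcome to the spring newsletter (constructed sample).
Our new office opens on 12 May. Contact events@example.com to RSVP.
Parking is available at 10 Main Street.""",
    "ip_only": "Printer inventory (constructed sample): 10.0.0.5, 10.0.0.6, 10.0.0.7",
}

# One regex per signal category. A hostname must contain at least one letter
# and two dots so that dotted IPv4 addresses are not counted twice.
PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hostname": re.compile(
        r"\b(?=[a-z0-9.-]*[a-z])[a-z0-9-]+(?:\.[a-z0-9-]+){2,}\b", re.I
    ),
    # DOMAIN\user style accounts or e-mail style identities.
    "user_identity": re.compile(r"\b[A-Z]+\\[a-z.]+\b|\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "security_term": re.compile(
        r"\b(unpatched|exploit\w*|vulnerab\w*|incident|malware|forensic\w*)\b", re.I
    ),
}


def extract_signals(text):
    """Return {category: sorted unique matches} for every category present."""
    found = {}
    for category, pattern in PATTERNS.items():
        matches = sorted({m.group(0) for m in pattern.finditer(text)})
        if matches:
            found[category] = matches
    return found


def single_pattern_hit(text, category="ip_address"):
    """Mimics a single sensitive info type such as "IP Address": any hit counts."""
    return bool(PATTERNS[category].search(text))


def is_sensitive_it_information(text, min_categories=2):
    """Combination detector: flag only when several categories co-occur."""
    return len(extract_signals(text)) >= min_categories


def classify_documents(docs):
    """Compare both detectors over a mapping of document name -> text."""
    return {
        name: {
            "ip_only_detector": single_pattern_hit(text),
            "combination_detector": is_sensitive_it_information(text),
            "signals": sorted(extract_signals(text)),
        }
        for name, text in docs.items()
    }


if __name__ == "__main__":
    for name, result in classify_documents(SAMPLE_DOCS).items():
        print(f"{name}: {result}")
```

The printer inventory trips the IP-only detector but carries no other signal, while the incident report combines infrastructure, identity and security vocabulary and is the kind of document the combination approach is meant to surface.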
Here is a list of all the new predefined trainable classifiers that meet several common business needs.
Trainable Classifiers can be used in combination with several services such as
- Sensitivity Labels to detect, classify and protect information
- Retention Policies to determine whether information should be deleted or retained for a defined period
- Microsoft Defender for Cloud Apps (formerly known as MCAS), which can scan connected cloud services to identify and (for certain services such as M365) automatically classify/protect data at rest.
I have configured a sensitivity label to help the organization classify and restrict sensitive IT information such as incident reports and forensic reports. The label is set to automatically detect the information and recommend that the end user classify the file with this label.
For example, if someone downloads alert reports including sensitive security/compliance incidents from the Defender portals and opens them in M365 apps, the user will be prompted to use this label.
In this example I download threat analytics information about the Log4j exploitation, including exposed devices.
The limitation with recommended and automatic labeling is that CSV files are not supported; the reports/logs need to be in .xlsx or .docx format.
However, we can both identify and restrict the rights of these files.
Identify sensitive IT information at rest.
As I mentioned earlier, we can use Microsoft Defender for Cloud Apps (MCAS) to identify and act on information found by trainable classifiers.
By creating an information protection policy, we can use trainable classifiers as conditions. The result is that we identify all files located in SharePoint/Teams/OneDrive that contain this type of information. Here we can also identify data in other formats, such as CSV files.
Since we have support for using the trainable classifier with Microsoft Defender for Cloud Apps, we can also create session policies that define Conditional Access rules for this information. We can, for instance, block download or access from unmanaged devices. In this session policy I require MFA to be able to download files containing sensitive IT information.
The result looks like this: files containing sensitive IT data require stronger verification before they can be downloaded.