Detect Intrusions by combining Defender and Purview

Considering today’s increasingly sophisticated cyber threats, we need enhanced visibility to detect anomalies. We observe targeted attacks increasingly relying on infiltrating internal accounts and utilizing existing services to operate discreetly, evading security solutions. By leveraging Microsoft Defender’s various services, we can identify anomalies such as new login types and risky behaviors from devices, thereby increasing our ability to detect whether an account or device has been compromised and is being used by someone else. When it comes to early-stage detection of both data exfiltration by external actors and internal risks, we also need to identify anomalies in our information management. Similar to how Defender monitors logins, devices, and our services, Purview can offer equivalent functionality to identify anomalies in our information management.

Let me provide two examples:

  1. Utilizing Purview’s Information Protection suite, we can identify and safeguard sensitive information. Almost all sensitive information is normally protected by encryption accessible only to internal employees, ensuring that, regardless of where the file is stored, it is restricted and monitored for internal use only. In cases where this file needs to be shared with a partner, supplier, or customer, the employee needs to decrypt the file before sharing. This common practice, in itself, poses no risk.
  2. Purview’s Data Loss Prevention (DLP) primarily aims to support our users and raise awareness of the handling of sensitive data. Here, we can identify sensitive data and alert the user if this information is about to be stored on an unknown service, device, or shared externally. Again, in this scenario, the user might need to store or share certain sensitive information with an external partner or customer, which is a common practice.

Contrasting these two examples: if a user flagged as risky, or a sign-in that deviates from the norm, is followed by that same user decrypting files, we can detect abnormal behavior early that may indicate a compromised account or an internal user on the verge of leaking sensitive information.

Supplementing both these actions and DLP alerts with risky or malicious behavior on the client, such as the presence of malicious code or the use of scripts/PowerShell at the time information is decrypted or moved out of the organization (as detected by DLP), lets us identify attempts to exfiltrate data via malicious code or scripts. It also gives us a valuable opportunity to discern whether a compromised device is involved, where a script rather than the user is orchestrating the decryption and exfiltration.

While many organizations may not prioritize responding to low-risk alerts, such as a new type of login or abnormal behavior on an endpoint, and tend to focus on medium and high-risk alerts, we enhance our detection capabilities by combining various alerts and activities that identify different anomalies. This approach significantly boosts the likelihood of validating even low-risk alerts, enabling us to promptly identify both compromised accounts/devices (intrusions) and potential information leakage.

Techniques used to identify risky users/sign-ins come from Entra ID Protection and Defender for Identity, monitoring both Entra ID (Azure AD) and local Active Directory.

To identify malicious code or risky behavior on devices, Defender for Endpoint is used.

Activities for risky behavior, such as information decryption, come from Purview Information Protection.

Alerts for data exfiltration come from Purview Data Loss Prevention.

These alerts and activities are combined by connecting the services to Microsoft Sentinel through its various connectors and correlating them with KQL queries.

Here’s an example of how a KQL query can look to identify if a user has an identified risk within the last 24 hours and starts decrypting information:

[Image: the KQL query as shown in the original post]
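As an added example (not the query from the original post, which is only shown as an image), here is a Sentinel KQL query that joins Entra ID Protection risk detections from the last 24 hours with Purview Information Protection decryption activity by the same user. It assumes the AADUserRiskEvents table from the Entra ID Protection connector and the MicrosoftPurviewInformationProtection table from the Purview Information Protection connector, and the Operation values listed as decryption are assumed placeholders to verify against your own tenant's data.

```kql
// Added example (not the post's own query). Assumptions: AADUserRiskEvents is populated by
// the Entra ID Protection connector, MicrosoftPurviewInformationProtection by the Purview
// Information Protection connector, and decryptOps holds placeholder operation names to
// verify against the Operation values actually recorded in your tenant.
let lookback = 24h;
let decryptOps = dynamic(["Unprotect", "Decrypt", "SensitivityLabelRemoved"]);  // ASSUMED values
// Users with a risk detection in the last 24 hours. Low risk is kept on purpose:
// on its own it is noise, combined with decryption it becomes a signal.
let riskyUsers =
    AADUserRiskEvents
    | where TimeGenerated > ago(lookback)
    | where RiskState in ("atRisk", "confirmedCompromised")
    | where RiskLevel in ("low", "medium", "high")
    | summarize RiskTime   = min(TimeGenerated),
                RiskEvents = make_set(RiskEventType),
                RiskLevels = make_set(RiskLevel)
      by UserPrincipalName = tolower(UserPrincipalName);
// Decryption activity by the same users that started after the risk was raised.
MicrosoftPurviewInformationProtection
| where TimeGenerated > ago(lookback)
| where Operation in~ (decryptOps)
| extend UserPrincipalName = tolower(UserId)
| join kind=inner riskyUsers on UserPrincipalName
| where TimeGenerated > RiskTime
| summarize DecryptCount = count(),
            FirstDecrypt = min(TimeGenerated),
            LastDecrypt  = max(TimeGenerated),
            Files        = make_set(ObjectId, 25)
  by UserPrincipalName, RiskTime,
     RiskLevels = tostring(RiskLevels), RiskEvents = tostring(RiskEvents)
| order by DecryptCount desc
```

Scheduled as an analytics rule with UserPrincipalName mapped as the account entity, each row becomes one incident per risky user who decrypted files after the risk was detected.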

There are several unique use cases with higher sensitivity where we also want to take action automatically to prevent further exfiltration. Examples include disabling the user account so that the compromised account or insider cannot log into any service and continue exfiltrating, or isolating the device to prevent further information leakage.

In these cases, we can go a step further: if the document contains critical corporate information (detected through a custom Sensitive Information Type) or carries the sensitivity label for board materials or critical projects, we act automatically by disabling the account and/or isolating the device.

[Image: the automated response example as shown in the original post]
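As an added example (not code from the original post), this KQL query covers the label branch of the condition just described together with the script/PowerShell correlation from earlier in the post: decryption of documents carrying a critical label, with a script host running under the same user on a Defender for Endpoint device within ten minutes of the decryption. It outputs the account and device entities that a Sentinel playbook would need to disable the account and isolate the device. The label names, the decryptOps values, and the LabelName column are assumptions to verify against your tenant; DeviceProcessEvents is assumed to come from the Microsoft 365 Defender connector.

```kql
// Added example (not the post's own query). Assumptions: LabelName is the column holding the
// sensitivity label name, the label names and decryptOps values are placeholders, and
// DeviceProcessEvents is populated by the Microsoft 365 Defender connector.
let lookback = 24h;
let window = 10m;
let criticalLabels = dynamic(["Board Material", "Critical Project"]);            // PLACEHOLDER names
let decryptOps = dynamic(["Unprotect", "Decrypt", "SensitivityLabelRemoved"]);   // ASSUMED values
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"]);
// Decryption of the most sensitive documents only.
let criticalDecrypts =
    MicrosoftPurviewInformationProtection
    | where TimeGenerated > ago(lookback)
    | where Operation in~ (decryptOps)
    | extend LabelName = tostring(LabelName)                                     // ASSUMED column
    | where LabelName in~ (criticalLabels)
    | project DecryptTime = TimeGenerated, UserPrincipalName = tolower(UserId),
              ObjectId, Operation, LabelName;
// Script hosts started by the same user; the extra window covers events just outside lookback.
let scriptActivity =
    DeviceProcessEvents
    | where TimeGenerated > ago(lookback + window)
    | where FileName in~ (scriptHosts)
    | project ScriptTime = TimeGenerated, UserPrincipalName = tolower(AccountUpn),
              DeviceId, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName;
criticalDecrypts
| join kind=inner scriptActivity on UserPrincipalName
| where ScriptTime between ((DecryptTime - window) .. (DecryptTime + window))
| summarize ScriptRuns   = count(),
            CommandLines = make_set(ProcessCommandLine, 10),
            Documents    = make_set(ObjectId, 10)
  by UserPrincipalName, DeviceId, DeviceName, LabelName
// The two entities the automated response needs:
// UserPrincipalName -> disable the account, DeviceId -> isolate the device.
| extend SuggestedResponse = "disable account; isolate device"
```

Map UserPrincipalName to the account entity and DeviceId to the host entity in the analytics rule so the playbook attached to it receives both without further parsing.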

In the past, it was said not to put all your eggs in one basket with security products; today, it’s exactly the opposite. We need security features that communicate with each other and techniques that can be combined to have a fighting chance of identifying and stopping sophisticated attacks and exfiltration attempts.

Thank you, Microsoft!

This post was published in Microsoft Defender, Microsoft Purview Information Protection.
