
Deep dive into Microsoft Purview Data Loss Prevention

365EduCon Chicago – 2023

Drew Madelung
Associate Director – M365 Cloud Applications
Email: drew.madelung@protiviti.com
Twitter: @dmadelung
Website: drewmadelung.com
Agenda

• What is Microsoft Purview
• Safeguarding your data
• Improve risk and compliance
• Understand & govern your data
• Demos on Demos

#365EduCon
Data usage is evolving and complex, moving outside of the traditional borders of business

Organizations lack visibility into their data
• Year over year, the amount of data available doubles
• 93% of data within an organization is dark

The landscape is fragmented, creating risks
• 80% of decision makers have purchased multiple products to meet compliance and data-protection needs
• 90% of organizations find it hard to manage fragmented compliance and risk related solutions

We live in a hybrid technology environment
• 80% are multi-cloud
Microsoft Purview

Microsoft Purview is a comprehensive set of solutions which help organizations govern and protect data across their multi-cloud, multi-platform data environment, while meeting the compliance requirements they are subject to.
Purview brings together solutions: Purview branding simplification

Previous name -> Microsoft Purview name
Azure Purview portal -> Microsoft Purview Governance Portal
Azure Purview Data Map -> Microsoft Purview Data Map
Azure Purview Data Catalog -> Microsoft Purview Data Catalog
Azure Purview Data Insights -> Microsoft Purview Data Estate Insights
Microsoft 365 compliance center -> Microsoft Purview Compliance Portal
Microsoft Information Governance -> Microsoft Purview Data Lifecycle Management
Records Management in Microsoft 365 -> Microsoft Purview Records Management
Microsoft Information Protection -> Microsoft Purview Information Protection
Office 365 Data Loss Prevention -> Microsoft Purview Data Loss Prevention
Insider Risk Management -> Microsoft Purview Insider Risk Management
Communication Compliance -> Microsoft Purview Communication Compliance
Compliance Manager -> Microsoft Purview Compliance Manager
Core eDiscovery in Microsoft 365 -> Microsoft Purview eDiscovery (Standard)
Advanced eDiscovery in Microsoft 365 -> Microsoft Purview eDiscovery (Premium)
Basic Audit in Microsoft 365 -> Microsoft Purview Audit (Standard)
Advanced Audit in Microsoft 365 -> Microsoft Purview Audit (Premium)
Microsoft Purview

• Safeguard data wherever it lives: Protect sensitive data across clouds, apps, and devices
• Improve risk & compliance posture: Identify data risks and manage regulatory compliance requirements
• Understand & govern data: Manage visibility and governance of data assets across your environment

Microsoft ecosystem | Support for multi-cloud, hybrid, SaaS data | Third-party/partner ecosystem
Safeguarding your data with DLP

Classification - General
Purview Data Loss Prevention

• Cloud native with built-in protection in Microsoft 365 apps, services, and Windows endpoints - no on-premises infrastructure or agents needed
• Balance protection and productivity with granular policy controls and manage DLP policies for all workloads from a single location
• Leverage classification and user activity insights to better inform DLP policies and benefit from integrated incident management
What if you don’t?

• Data Breaches
• Financial loss
• Reputation Damage
• Regulatory Non-Compliance
• Loss of Intellectual Property
• Employee Errors & Insider Threats
• Loss of Customer Data & Trust

Implementing effective DLP measures is crucial to safeguard sensitive data and mitigate these risks.
Do you have a strategy?

Do you know where your business critical and sensitive data resides and what is being done with it?

Do you have control of this data as it travels inside and outside of your organization?

Are you using multiple solutions to classify, label, and protect this data?
Top data security risks

Data security incidents are widespread
• 83% of organizations experience more than one data breach in their lifetime [1]

Malicious insiders adding to costs
• Malicious insiders account for 20% of data breaches
• $4.18M average cost of a data breach with a malicious insider [2]

Organizations are struggling with a fragmented solution landscape
• 80% of decision makers purchased multiple products to meet compliance and data protection needs [3]
Demo
DLP lifecycle

Plan: WHY • What tech • Culture
Build: Services • Policies • Actions
Deploy: Test mode • Metrics • Update
Tune: Logs • False Positives • False Negatives
Enable: Communicate • Deploy • Validate
Monitor: Alerts • Responses • Refine


Planning DLP (Plan)
Identify Stakeholders: Determine who within the organization needs to be involved, including IT, legal,
compliance, and business representatives.

Define Objectives: Clearly outline the goals and objectives of the Purview DLP deployment, including
what types of data you need to protect and WHY.

Regulatory Compliance: Identify and understand relevant data protection regulations and compliance
requirements for your organization or industry.

Data Classification: Develop a data classification scheme to categorize data by sensitivity that can be
used within DLP policies to identify and protect your most sensitive data.

Budget and Resources: Allocate the necessary budget and resources for the Purview DLP
deployment.

Implementation Plan: Map starting state to end state and how to test, train, deploy, and
operationalize.

Policy Framework: Begin outlining the DLP policy framework including key scenarios, such as financial
data exfiltration, which will be developed further in the next phases.
Planning DLP Policies (Plan)

A good practice is to describe a policy with intent in words.

"We're a U.S. based organization, and we need to detect Office documents that contain sensitive health care information covered by HIPAA that are stored in OneDrive/SharePoint and to protect against that information being shared in Teams chat and channel messages and restrict everyone from sharing them with unauthorized third parties".

• What: Office documents
• Who: Everyone
• Where: OneDrive, SharePoint, Teams
• Conditions: HIPAA template
• Actions: Restrict access and trigger alert
Planning DLP Policies (Plan)

What sensitive items are most important to start your first policy?
• PII/PHI
• PCI
• GDPR

Where are your sensitive items and what business process are they in?
• Exchange email
• SharePoint sites
• OneDrive accounts
• Teams chat and channel messages
• Windows 10, 11 and macOS devices
• Microsoft Defender for Cloud Apps
• On-premises repositories

Location is a KEY driver for constructing your policy
Building DLP Policies (Build)

Location: Exchange
  Supports Admin Units: Yes
  Include/Exclude scope: Distribution groups; Security groups; Non-mail enabled security groups; Dynamic distribution lists; Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-motion
  Additional prerequisites: No

Location: SharePoint
  Supports Admin Units: No
  Include/Exclude scope: Sites
  Data state: data-at-rest, data-in-use
  Additional prerequisites: No

Location: OneDrive
  Supports Admin Units: Yes
  Include/Exclude scope: Distribution groups; Security groups; Non-mail enabled security groups; Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-at-rest, data-in-use
  Additional prerequisites: No

Location: Teams chat and channel messages
  Supports Admin Units: Yes
  Include/Exclude scope: Distribution groups; Security groups; Non-mail enabled security groups; Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-motion, data-in-use
  Additional prerequisites: No

Location: Microsoft Defender for Cloud Apps
  Supports Admin Units: No
  Include/Exclude scope: Cloud app instance
  Data state: data-at-rest
  Additional prerequisites: Yes

Location: Devices
  Supports Admin Units: Yes
  Include/Exclude scope: Distribution groups; Security groups; Non-mail enabled security groups; Microsoft 365 groups (group members only, not the group as an entity)
  Data state: data-in-use, data-in-motion
  Additional prerequisites: Yes

Location: On-premises repositories (file shares and SharePoint)
  Supports Admin Units: No
  Include/Exclude scope: Repository
  Data state: data-at-rest
  Additional prerequisites: Yes

Location: Power BI
  Supports Admin Units: No
  Include/Exclude scope: Workspaces
  Data state: data-in-use
  Additional prerequisites: No
Building DLP Policies (Build)

Rules are the key to DLP policies. A policy contains one or more rules. Rules are executed sequentially, starting with the highest-priority rule in each policy.

A rule contains:
• Conditions that when matched, trigger the policy
• Actions to take when the policy is triggered
• User notifications to inform your users when they're doing something that triggers a policy and help educate
• User overrides which, when configured by an admin, allow users to selectively override a blocking action
• Incident reports that notify admins and other key stakeholders when a rule match occurs
• Additional options which define the priority for rule evaluation and can stop further rule and policy processing
Building DLP Policies (Build)

DLP Rule Conditions:
Conditions are where you define what you want the rule to look for and the context in which those items are being used.
• Content contains: SITs, Labels, Trainable Classifiers
• Big differences between locations: Email supports the most; OD/SPO similar; Teams limited; Device includes service domains
• Combine conditions with AND/OR

DLP Rule Actions:
Actions occur after conditions are met and depend on the locations that have been selected.
• EXO/OD/SPO/Teams: Restrict access or encrypt the content in Microsoft 365 locations; Block everyone or only external; Just email supports more (i.e. encryption)
• Audit/Block actions on devices (i.e. print)
• Power BI limited to alerts/notifications


Building DLP Policies (Build)

DLP user notifications through emails and in-context policy tips:
Dependent on location again

• Emails can only be sent to individuals
• Can show up in Outlook, Office clients, M365 services
• Notifications can use parameters like %%AppliedActions%% and emails can be HTML based
• Only the policy tip from the highest priority, most restrictive rule will show
• Not all SITs support policy tips


Building DLP Policies (Build)

User overrides
Allow users to bypass, with justification, so they can continue their work

• Set per rule
• Requires block to be set in policy
• Good when initially rolling out for false positive identification
• Require business justification is logged for audit
• Report false positive is also logged for audit
Demo
Deploying DLP Policies (Deploy)

A rushed deployment can negatively impact business processes

• All activity available in activity explorer as long as it’s not off
• Start in test mode without policy tips
• Move to test with policy tips for a pilot group
• Admin tracks activities and views alerts
• Update policies/rules/user notifications based on what was found in initial deployment
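To tie the build slides (rules, conditions, actions, notifications, overrides) to the deploy stages, here is an added example of my own, not code from the deck or from Microsoft, that creates the HIPAA policy described on the planning slide with Security & Compliance PowerShell and then walks it through the test modes. The policy and rule names, the policy-tip text and the two built-in SITs chosen to stand in for the HIPAA template are assumptions; the cmdlets and parameters are the ones the ExchangeOnlineManagement module exposes.

```powershell
# Added example, not from the deck: build the HIPAA policy from the planning slide with
# Security & Compliance PowerShell and move it through the deployment stages.
# Assumptions: the ExchangeOnlineManagement module is installed, the signed-in account
# holds DLP compliance management rights, and the names/tip text below are my own.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                     # interactive sign-in to Security & Compliance PowerShell

$policyName = 'HIPAA - Office docs in SPO OD Teams'   # assumed; policies cannot be renamed later

# Built-in SIT names standing in for the HIPAA template. Verify the exact names in your tenant:
#   Get-DlpSensitiveInformationType | Where-Object Name -like '*SSN*'
$phiSits = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'International Classification of Diseases (ICD-10-CM)'; minCount = '1' }
)

# WHERE: OneDrive, SharePoint, Teams. Start in test mode with no policy tips (deploy stage 1).
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect HIPAA-covered health information and stop external sharing' `
    -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

# WHAT / CONDITIONS / ACTIONS: one highest-priority rule that blocks sharing outside the
# organization, shows a policy tip with the %%AppliedActions%% variable, lets the user
# override with a justification or report a false positive (both logged for audit),
# and raises a high-severity incident report to the site admin.
New-DlpComplianceRule -Name "$policyName - block external" -Policy $policyName `
    -ContentContainsSensitiveInformation $phiSits `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains health information. Applied actions: %%AppliedActions%%' `
    -NotifyAllowOverride WithJustification, FalsePositive `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Service, Severity, RulesMatched, DetectionDetails `
    -ReportSeverityLevel High `
    -Priority 0 -StopPolicyProcessing $true

# Deploy stage 2: test with policy tips so the pilot group sees (and can report) matches.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications

# ... after reviewing activity explorer and alerts and tuning the rule, enable for real:
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode
```

The three `-Mode` values map directly onto the deploy slide: `TestWithoutNotifications` records matches in activity explorer without touching users, `TestWithNotifications` adds the policy tip, and `Enable` turns on the block. Keeping each switch as a separate step, with monitoring in between, is what prevents the rushed deployment the slide warns about.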
Tuning DLP Policies (Tune)

Initial tuning is crucial to ensure you really are identifying and protecting sensitive data

• Utilize the activity explorer to investigate rule matches per policy
• Use the CloudAppEvents table if using Sentinel
• Talk to your pilot users and ensure you use real documents with sensitive data to test
Enabling DLP Policies (Enable)

Enablement is the pushing of policies to all users/devices requiring the policy

• Send any communications identified notifying users
• Ensure your policy documentation is updated and update the “Learn more” URL to point to it (EXO)
• Implement plan to operationalize incident management
• RACI & Permissions
• Ensure you monitor activity initially after enablement to validate successful conditions
Monitoring DLP Policies (Monitor)

DLP policies are never complete!

• Continue to use activity explorer and the audit log or the CloudAppEvents table
• Custom SITs with Regex or EDM can take a lot of monitoring and adjustments
• Build knowledge articles for service desk when users see DLP actions/tips
• Have a plan for exception management with approval process in place
• Setup metrics or workbooks to show successes, overrides, etc by user/location
• Microsoft Purview Advanced Rich Reports (MPARR)
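The tuning and monitoring slides both lean on the audit log for rule matches and overrides. The following is an added example of mine, not from the deck, that pulls `DlpRuleMatch` and `DlpRuleUndo` events with `Search-UnifiedAuditLog` and summarises matches versus user overrides per user and workload, the kind of metric the monitoring slide asks for. The sample records are constructed for offline use; the field names (`Workload`, `UserId`, `Operation`, `PolicyDetails[].Rules[]`) follow the audit schema as I understand it and should be checked against real events before the summary is trusted.

```powershell
# Added example, not from the deck: summarise DLP matches and overrides per user/workload
# from unified audit log events. The sample JSON below is constructed, not tenant data.

function Get-DlpAuditEvents {
    # Live query; requires Connect-IPPSSession or Connect-ExchangeOnline first.
    param([datetime]$Start = (Get-Date).AddDays(-7), [datetime]$End = (Get-Date))
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -Operations DlpRuleMatch, DlpRuleUndo -ResultSize 5000 |
        ForEach-Object { $_.AuditData }          # AuditData is the JSON payload per event
}

function ConvertTo-DlpSummary {
    param([Parameter(Mandatory)][string[]]$AuditDataJson)
    # Flatten each event to one row per matched rule (assumed field names, see lead-in).
    $rows = foreach ($json in $AuditDataJson) {
        $e = $json | ConvertFrom-Json
        foreach ($p in $e.PolicyDetails) {
            foreach ($r in $p.Rules) {
                [pscustomobject]@{
                    User      = $e.UserId
                    Workload  = $e.Workload            # Exchange, SharePoint, OneDrive, Teams, Endpoint ...
                    Policy    = $p.PolicyName
                    Rule      = $r.RuleName
                    Operation = $e.Operation           # DlpRuleMatch = hit; DlpRuleUndo = override / false positive
                    Actions   = ($r.Actions -join ',')
                }
            }
        }
    }
    # Matches vs overrides by user and workload; a high override ratio flags a rule to tune.
    $rows | Group-Object User, Workload | ForEach-Object {
        $matches   = @($_.Group | Where-Object Operation -eq 'DlpRuleMatch').Count
        $overrides = @($_.Group | Where-Object Operation -eq 'DlpRuleUndo').Count
        [pscustomobject]@{
            User          = $_.Group[0].User
            Workload      = $_.Group[0].Workload
            Matches       = $matches
            Overrides     = $overrides
            OverrideRatio = if ($matches) { [math]::Round($overrides / $matches, 2) } else { 0 }
        }
    } | Sort-Object OverrideRatio, Matches -Descending
}

# Constructed sample events (not real tenant data); swap in (Get-DlpAuditEvents) for a live run.
$sample = @(
  '{"Workload":"SharePoint","Operation":"DlpRuleMatch","UserId":"alice@contoso.example","PolicyDetails":[{"PolicyName":"HIPAA - SPO OD Teams","Rules":[{"RuleName":"block external","Actions":["BlockAccess","NotifyUser"]}]}]}',
  '{"Workload":"SharePoint","Operation":"DlpRuleUndo","UserId":"alice@contoso.example","PolicyDetails":[{"PolicyName":"HIPAA - SPO OD Teams","Rules":[{"RuleName":"block external","Actions":["BlockAccess"]}]}]}',
  '{"Workload":"Exchange","Operation":"DlpRuleMatch","UserId":"bob@contoso.example","PolicyDetails":[{"PolicyName":"PCI - Exchange","Rules":[{"RuleName":"block external","Actions":["BlockAccess","GenerateIncidentReport"]}]}]}',
  '{"Workload":"Exchange","Operation":"DlpRuleMatch","UserId":"bob@contoso.example","PolicyDetails":[{"PolicyName":"PCI - Exchange","Rules":[{"RuleName":"block external","Actions":["BlockAccess"]}]}]}'
)

ConvertTo-DlpSummary -AuditDataJson $sample | Format-Table -AutoSize
```

On the sample data, alice shows one match and one override on SharePoint (ratio 1.0) while bob shows two matches and no overrides on Exchange; in a real tenant a user or workload with a persistently high override ratio is the first place to look when tuning a custom SIT or an over-broad rule.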
Demo
Endpoint DLP (Deeper Dive)

Available for Win 10/11 and macOS once onboarded into Purview. Onboarding can be done via Defender, script, GPO, Intune, or SCCM, after which devices start to return data in activity explorer.

Endpoint DLP settings
• Advanced classification
• File path exclusions for Windows/Mac
• Setup evidence collections
• Restricted apps and app groups
• Unallowed Bluetooth apps
• Browser and domain restrictions
• Printer groups
• Removable USB and Network share groups

Just-in-time protection
Candidate policy blocks all egress until policy evaluation completes successfully, which can be new files or stale files. Available in Audit mode.
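As an added example of mine (not from the deck), here is an endpoint DLP policy for onboarded Windows/macOS devices that audits, rather than blocks, the egress paths the settings list above covers (removable media, network shares, printing, cloud upload) for items holding a credit card number. The policy and rule names are assumptions, and the `Setting`/`Value` strings passed to `-EndpointDlpRestrictions` are the documented values as I recall them; check `Get-Help New-DlpComplianceRule -Detailed` in your tenant before relying on them.

```powershell
# Added example, not from the deck: endpoint DLP policy in audit mode for managed devices.
# Assumptions: devices are already onboarded, names are mine, and the restriction
# Setting/Value strings match the current documentation (verify with Get-Help).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Endpoint - PCI audit'        # assumed name

# Devices location only; TestWithoutNotifications = audit in activity explorer, no user impact.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Audit egress of payment card data from managed endpoints' `
    -EndpointDlpLocation All `
    -Mode TestWithoutNotifications

# Audit each egress channel separately so activity explorer shows which one carries the risk.
New-DlpComplianceRule -Name "$policyName - audit egress" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Audit' },
        @{ Setting = 'NetworkShare';   Value = 'Audit' },
        @{ Setting = 'Print';          Value = 'Audit' },
        @{ Setting = 'CloudEgress';    Value = 'Audit' }
    ) `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Low

# Confirm the rule landed as intended before moving any channel from Audit to Warn or Block.
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Disabled, Priority
```

Starting every restriction at `Audit` mirrors the just-in-time note above: you collect DlpRuleMatch activity from real endpoints first, tune exclusions (file paths, app groups, domains) against what shows up, and only then raise individual channels to `Warn` or `Block`.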
Demo
Adaptive protection

Automatically change DLP policy actions

• Utilizes IRM to determine risk of a user, i.e. admin account downloads excess info for a week = high
• Continuously maintained
• Lock down high-risk users while still allowing regular business
• Allow PII to be sent because we NEED to, but if you are at risk then block
Investigating alerts & incidents

• DLP alerts are currently in BOTH Defender and the Purview portal, but Defender is recommended
• Utilize counts to prevent flood detection
• KQL is your friend with advanced hunting
• Grant minimal access – IP Analyst or View Only DLP Compliance Management
Demo
Other DLP stuff

• 3rd party DLP includes Box/Dropbox/Salesforce/GSuite/Citrix utilizing MDCA
• There is a Symantec DLP to Purview DLP converter
• EXO/Purview DLP policies work together but EXO takes precedence including policy tips
• New DLP analytics are in preview to help with insights for improvement
• On-premises DLP requires MIP scanner deployment
• Sensitivity labels can be used across services for DLP
• New Test-DlpPolicies cmdlet to see specific files per site that would trigger
Purview DLP Lessons from the field

• Build and name policies by service and they can’t be renamed - KISS
• Chrome & Firefox Purview extension = good
• Utilize Information Protection roles for RBAC
• MDEClientAnalyzer is awesome for debugging
• Understand / vs /* for exclusions
• Exact Data Match (EDM) works!
• Policy tips are COMPLICATED between web/client
• Use variables like %%AppliedActions%%
• Ensure URLs open if using Endpoint DLP
Safeguarding data examples

• Block an email or document from being shared externally: Utilize Exchange, SharePoint, and OneDrive DLP policies
• Stopping sensitive data sharing in Teams internally and externally: Utilize Teams DLP policies, Sensitivity labels for containers, and for files with encryption
• Prevent a file from being copied from an endpoint to a non-approved location: Utilize Endpoint DLP for Windows and macOS

It’s all integrated
Utilizing a crawl-walk-run strategy

• Allows you to start without having it all figured out
• Allows for incremental improvements
• Eases information workers into the world of protection and retention
• Some protection and retention is better than nothing
Where and how to start

• Learn about the technical capabilities within the Purview DLP
• Identify REAL scenarios or challenges that Purview DLP can solve
• Assign Purview ownership by solution and get permissions setup
• Identify competing DLP solutions with a solution rationalization
• Build a Purview DLP roadmap aligned to your overall product, M365, or security roadmap
Questions?
Email: drew.madelung@protiviti.com

Twitter: @dmadelung

Website: drewmadelung.com

Slides: http://bit.ly/DrewSlides