Patch me if you can: Cyberattack Series
The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
This blog post is part of the Microsoft Intelligence Security Association (MISA) guest blog series. To learn more about MISA, visit the MISA webpage.
Many organizations are undergoing a rapid digital transformation that is challenging their traditional approach to data security. Organizations in highly regulated industries or who partner with organizations in regulated industries are often faced with accelerated timelines and requirements to protect sensitive data such as protected health information, personal identifiable information, and intellectual property. Failure to comply could have significant financial and brand consequences. Even organizations who aren’t yet impacted by regulatory compliance requirements find it imperative to protect their critical data in a changing digital landscape.
Organizations often engage their employees in the data labeling process by providing tools to enable safe data handling practices. This engagement empowers employees to take ownership in the process and reinforces ongoing awareness of how to properly handle sensitive data. This traditional approach can be quite effective. But what if you could enhance it? Humans will make mistakes—whether through neglect or by accident. Augmenting this approach with additional controls, such as automation, can provide greater capabilities and minimize the risk of human error.
That’s where Forcepoint Data Loss Prevention (DLP) and Microsoft Information Protection solutions can help. As a member of Microsoft Intelligent Security Association, Forcepoint has worked closely with Microsoft to develop an integrated solution that makes it easy to discover, classify, label, and protect critical business data.
Microsoft Information Protection simplifies the process by integrating sensitivity labeling capabilities into commonly used Microsoft applications. Users can utilize document and email labeling to properly identify the sensitivity of the data being accessed or created. But user-applied data labeling may not be enough.
For example, let’s assume a user is working on a document that contains sensitive information (perhaps it contains details about an upcoming acquisition that is intended for executive leadership eyes only) and the user labels the document as “Private” instead of “Restricted.” The user may not fully understand which labels designate what information is limited to executive leadership audiences versus all management audiences within the organization. It’s an honest mistake but could lead to sensitive data inadvertently being shared with unauthorized users within the organization.
Proper data protection requires the ability to detect and control how sensitive data moves in and out of an organization without disrupting a user’s ability to do their job. DLP solutions, such as Forcepoint DLP, empower organizations with enhanced visibility and control of their data across all channels where people work and collaborate across networks, endpoints, and the cloud. With single console policy management, organizations can define and deploy policies across their enterprise with ease to detect and respond when incidents of mislabeled documents arise—as described in the previous scenario. With a DLP solution in place, employee coaching (via pop-up windows) could provide addition guidance to users, educating them on what action was done in error and providing guidance on how to remediate the risk in real-time.
When Microsoft Information Protection is utilized with Forcepoint DLP, the combined data protection capabilities enable more accurate detection and protection of critical data. The integration enables three core capabilities: (1) Ability to import label schemas, (2) Ability to create custom classifiers, and (3) Ability to automate document labeling.*
With the Forcepoint Security Manager (FSM), practitioners can seamlessly import label schemas available in Microsoft Information Protection, leveraging pre-define labels to reduce the need for manual label creation. It ensures label taxonomy consistency between the Microsoft 365 Security & Compliance Center and those made available via FSM. Practitioners can apply those labels based on defined policies. For example, encryption of any document sent via email to an internal recipient that is labeled as “Highly confidential.” With FSM, practitioners can control and manage these policies across all channels—endpoints, network, web, email, and the cloud—from a single console, providing a single pane-of-glass view of everywhere users access data.
Practitioners have the flexibility to create user-defined classifiers for the labels appropriate to their business. These classifiers are used in policies to trigger an alert when detected by DLP. By enabling custom classifiers, an organization has the flexibility to create a classification or category for sensitive data that may be unique to their organization. For example, perhaps an organization uses an employee identifier such as an employee badge ID number with non-standard characters or passwords with abnormally long alphanumeric characters. Custom classifiers make it categorize and define which classifiers should be linked to policies that will trigger an alert when this data is detected. Fingerprinting capabilities in Forcepoint DLP would detect the sensitive data (based on the classifier) and would alert the practitioner when data exfiltration attempts are made.
This integration establishes the framework to automate the application of classification labels and validation of Microsoft Information Protection sensitivity labels and rights management at endpoints using Forcepoint DLP. This soon-to-be-released capability will reduce the risk of data exfiltration as a result of user error or neglect associated with document labeling.
So, what do these capabilities look like in a real-life scenario? Let’s assume a user copies partial content from a sensitive document labeled as “Highly confidential” and pastes that content to a new Microsoft Word document (a method commonly used to get around the security policies). They proceed to label that document as “Public” (accidently or intentionally). When the user attempts to save that file to a USB, advanced detection capabilities in Forcepoint DLP (such as fingerprinting) detect the sensitive data (such as keywords or classifications linked to highly confidential content), triggering a rule and alert.
Utilizing the Microsoft Information Protection API, the correct sensitivity label “Highly confidential” is retrieved and enforced on the DLP side via a policy that automatically applies the correct label to the document. The result is protection against data exfiltration and reduced risk of compromised IP or compliance violation.
We recognize one size does not fit all. Organizations want the flexibility to select their preferred data classification and rights management solutions while getting optimal protection from their DLP solution. This integration establishes the framework to enable flexibility for enhanced capabilities with Microsoft Information Protection, as well as other labeling and classification technologies. The result: solutions that keep your critical data protected while helping you gain data handling efficiencies and accuracy.
Regardless of where you are on your security maturity journey, data protection should enable you to reduce risk by giving you control and oversight of your data. Forcepoint solutions can help you get there. To learn more about how Forcepoint DLP can help you on your security maturity journey, visit www.forcepoint.com.
*Automated data labeling for Forcepoint DLP and Microsoft Information Protection will be available later this year.