Data Loss Prevention (DLP) scenarios for the Australian Government

This article provides an overview on the use of Microsoft Purview Data Loss Prevention (DLP) for the marking and protection of Australian Government information. Its purpose is to help government organizations to increase their security and compliance maturity while adhering with requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).

DLP scenarios for Australian Government

Within the context of Australian Government requirements, Microsoft Purview DLP can be used to:

DLP deployment strategy

In this guide, we cover approaches for protecting both security classified and otherwise sensitive information. Approaches for protecting classified items are largely context-based: they key off an applied sensitivity label or protective marking. Approaches for detecting sensitive information are content-based: they inspect what an item contains, using either Sensitive Information Types (SITs) or Trainable Classifiers. By deploying policies that cover both approaches (context and content), you achieve a more robust DLP configuration than either method of content identification provides alone; a mislabelled or unlabelled item is still caught by the content rule, and a labelled item is still caught when its content matches no SIT.

Australian Government organizations are complex and the policies included in the following guide sections won't address all required scenarios. Nuances that affect the DLP strategy include:

  • Organizational specific legislative instruments.
  • Type of Australian Government Body and associated legislative requirements.
  • Other frequently contacted organizations.
  • The organization's tenants and maximum level of security for each tenant.
  • Non-Australian Public Servant (APS), guest, and contractor requirements.

Organizations should treat the label-based DLP policies discussed in Protecting classified information and the content-based DLP policies discussed in Protecting sensitive information as a starting point. These policies should be overlaid with extra policies that provide for any organization-specific requirements.

Tip

Well-configured DLP policies won't trigger on Business as Usual (BAU) processes, and this should be factored into DLP configuration. If, for example, a particular business unit regularly needs to transmit sensitive information to a particular external party, that flow should be factored into the DLP design (for example, as a rule exception) to prevent unnecessary noise. Such exceptions aren't included in the policy examples provided in this guide. Policies need to be tuned, ideally in test mode first, to reduce false positive alerting.

DLP deployment considerations

The following subjects are relevant to the approach taken across all Microsoft Purview DLP configurations. Government organizations, and in particular their data security teams, should discuss and decide on a strategy for each of them.

Decisions regarding user feedback for DLP policy violation

Provided that organizations align with the guidance in this guide, when a user attempts to send information, there are four reasons why a DLP policy is triggered:

  1. The user has the wrong recipient for their email (accidental).
  2. The configuration is incorrect, and another domain needs to be added to the exception list.
  3. The external organization in question could be appropriate for receiving the information but the business process to establish formal agreements and associated configuration is yet to be completed.
  4. The user is attempting to exfiltrate classified or otherwise sensitive information (malicious).

When a DLP policy is triggered by an action that aligns with one of the first three scenarios, feedback to the user is valuable. Feedback allows the user to correct their mistake, your organization to fix the configuration, or the required business process to be enacted. If the policy is triggered by malicious activity, user feedback instead alerts the user that their action was noticed, which may prompt them to try another channel. Organizations need to weigh the risk of tipping off a malicious user against the benefit to the other three scenarios and decide on the best approach for their situation.

DLP policy tips ahead of violation

If opting to provide user feedback, policy tips are a great way of helping users, because they appear directly in Outlook clients. They alert users to issues before the email is sent and a policy violation is recorded, potentially avoiding discipline or an embarrassing situation. Policy tips are configured via the policy tips option in DLP rule configuration. When applied to email scenarios, the end-user experience is a warning tip at the top of the email that they're drafting:

Example of a policy tip applying to a protected email sent to an unauthorized domain.

When users ignore the policy tip, other DLP policy actions trigger, such as a block action. A range of notification options are also available, including notifications that display in real-time, advising the user that their email was blocked.

The effect of policy tips on DLP event management workload should also be considered. Because users correct many issues before sending, the number of DLP alerts can be reduced via the use of policy tips. This benefits security teams, who then have fewer incidents to manage.

For more information about DLP notifications and policy tips, see send email notifications and show policy tips for DLP policies.
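The following Security & Compliance PowerShell script is an added example, not configuration from this article or the sibling guide sections. It ties together the points above: one context rule (a sensitivity label condition) and one content rule (a built-in SIT) in a single policy, a policy tip shown while the user drafts the email, a block action with a notification when the tip is ignored, and a recipient-domain exception list for organizations with which a formal agreement exists. The policy name, rule names, the "PROTECTED" label name and the approved domain names are illustrative placeholders; the policy is created in test mode so it can be tuned against BAU traffic before enforcement.

```powershell
# Added example (not the article's own configuration). Assumes the
# ExchangeOnlineManagement module is installed and the operator holds a
# Purview role that can manage DLP policies. Placeholder values: the policy
# and rule names, the "PROTECTED" label name and the approved domain list.

# Connect to Security & Compliance PowerShell.
Connect-IPPSSession

$policyName = 'AU-GOV-Protected-Email'

# Recipient domains covered by a formal information-sharing agreement
# (constructed placeholder list; maintain it under change control).
$approvedDomains = @('partneragency.gov.au', 'approvedcontractor.com.au')

# Create the policy in test mode with notifications: users see policy tips,
# but nothing is blocked until the mode is changed to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Stops PROTECTED and otherwise sensitive content leaving the organization' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule 1 (context): email carrying the PROTECTED sensitivity label, addressed
# outside the organization, is blocked unless every recipient domain is approved.
New-DlpComplianceRule -Name "$policyName-Label" -Policy $policyName `
    -ContentContainsSensitiveInformation @{
        operator = 'And'
        groups   = @(@{
            operator = 'Or'
            name     = 'Default'
            labels   = @(@{ name = 'PROTECTED'; type = 'Sensitivity' })
        })
    } `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $approvedDomains `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This email carries a PROTECTED marking and can only be sent to approved external domains. Remove the external recipient or contact the security team.' `
    -NotifyEmailCustomText 'Your email was blocked because it contains PROTECTED information addressed to a domain that is not approved to receive it.' `
    -BlockAccess $true `
    -BlockAccessScope All `
    -GenerateAlert SiteAdmin `
    -ReportSeverityLevel High

# Rule 2 (content): the same treatment for items, labelled or not, that contain
# an Australian Tax File Number, detected by the built-in SIT.
New-DlpComplianceRule -Name "$policyName-TFN" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Australia Tax File Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $approvedDomains `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This email appears to contain Tax File Numbers and cannot be sent to external recipients.' `
    -NotifyEmailCustomText 'Your email was blocked because it appears to contain Tax File Numbers addressed to an external recipient.' `
    -BlockAccess $true `
    -BlockAccessScope All `
    -GenerateAlert SiteAdmin `
    -ReportSeverityLevel Medium

# Review the rules that were created before switching the policy to Enable.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, BlockAccessScope, ExceptIfRecipientDomainIs
```

Keep the policy in TestWithNotifications mode until the alert volume from BAU traffic is understood, then move it to Enable with Set-DlpCompliancePolicy. The two rules share the same exception list on purpose: when a new partner completes the agreement process (scenario 3 above), the domain is added in one place and both the context and content rules honour it.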

DLP event management

Organizations implementing DLP should consider their approach to the management of DLP events, including:

  • What tool to use for the management of DLP events?
  • What DLP event severities warrant administrator action and what is the desired time to resolution?
  • Which team is responsible for the management of DLP events (for example, security, data, or privacy teams)?
  • What resourcing is required?

There are four Microsoft solutions available to assist with the monitoring and management of DLP events:

  • Microsoft Defender XDR
  • DLP alerts dashboard
  • Activity explorer
  • Microsoft Sentinel

Microsoft Defender XDR

Microsoft Defender XDR is a comprehensive security solution that provides cross-domain threat protection and response across endpoints, email, identities, cloud apps, and infrastructure. It offers simplified and efficient defense against advanced attacks by providing security teams with a complete view of the threat landscape, enabling more effective investigations and automated remediation. Microsoft Defender XDR is the recommended method for DLP incident management within Microsoft 365.

For more information on DLP incident management with Microsoft Defender XDR, see investigate data loss prevention alerts with Microsoft Defender XDR.

DLP alerts dashboard

The Microsoft Purview alerts dashboard is visible from within the Microsoft Purview portal. While not as detailed as the Defender XDR option, the alerts dashboard provides administrators with visibility of alerts and includes alert management capabilities. The alerts dashboard is typically used by organizations that deploy Purview DLP solutions but lack Defender XDR licensing.

For more information on the DLP alert management dashboard, see getting started with DLP alerts dashboard.

Activity explorer

Activity Explorer is a dashboard available from within the Microsoft Purview portal that offers a different view into DLP events. It is intended not for the management of DLP events but for giving administrators deeper insight into Purview usage and behavior over time. Activity Explorer also provides insight into labeling activity, including label application and removal, and offers many filters that can be used to target specific users or event categories.

For more information on Activity Explorer, see Activity Explorer.

Microsoft Sentinel

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Connectors can be configured to import DLP incident information from Microsoft Defender XDR into Microsoft Sentinel. Establishing this connectivity allows for Microsoft Sentinel's more advanced investigation and automation capabilities to be utilized for DLP incident management.

For more information on using Microsoft Sentinel for DLP event management, see investigate data loss prevention alerts with Microsoft Sentinel.