Examine how data exfiltration moves data out of your tenant
Once attackers compromise an organization's network, they can use various techniques to move data out of the company's Microsoft 365 tenant. Data exfiltration is the unauthorized retrieval of data from a computer or service. Attackers can steal data in any number of ways. One of the most common methods is through a breach of an account that has access to the data. Another method is through system and infrastructure attacks that give the attacker local or system administrator privileges to computers that store the data outside of Microsoft 365.
Various goals motivate attackers, including:
- Theft of intellectual property.
- The intent to blackmail you.
- Selling your data on the black market.
- Using the data to further entrench themselves in your systems.
The basic fact that data comes in various forms complicates the task of protecting it. Email, documents, instant messaging conversations, Yammer threads, even identifying your directory information is useful to an attacker.
Preventing data exfiltration
An organization should pursue different strategies to prevent attackers from compromising its data. It should focus not only on the data itself, but also on the things needed to access the data, such as accounts. The first step an organization should take to protect its data is protecting its service from account breaches and elevation of privilege attacks.
There are many strategies an organization can pursue to protect its data, including:
- Access control lists. Establish standards to determine who can access specific kinds of data. Then create processes to monitor and maintain those access controls. For example, if you have sensitive financials data in a SharePoint Online site, ensure that:
- Only named individuals can access the site and document libraries.
- The named individuals have just the minimum privileges needed to access site and document libraries.
- You regularly review the access control list.
- External sharing policies. Prevent data leakage to external endpoints by configuring your tenant to restrict certain types of sharing. For example, an organization can prevent its users from sharing documents with external people by configuring its tenant accordingly. These types of policies can be restrictive, so you might need to strike a balance between risk and productivity.
- Least privilege. Users often grant permissions to documents and document libraries that exceed the necessary access. For example, View permission versus Edit permission. Only grant the required minimum privilege to the smallest group of users that you can.
- Data classification schemes. Another key strategy is to use data classification metadata. This strategy is important when organizations share data on SharePoint sites and OneDrive for Business. This process requires that you first determine a set of risk tiers (such as high business impact, medium business impact, low business impact). You must then require sites and documents to tag data in your systems with the appropriate classification. This strategy enables you to monitor sensitive data and use specific technologies to further protect high business impact data.
- Data loss prevention (DLP). A data classification scheme based on risk tiers (high business impact, medium business impact, low business impact) is most effective when used in combination with Microsoft Purview DLP. This technology enables you to configure rules about how to handle data moving in and out of your tenant. It can prevent users from emailing sensitive document content to external parties. It can also prevent users from sending personal information in email, such as credit card numbers, social security numbers, bank numbers, and so on.
Along with these recommendations, Microsoft 365 administrators can enable auditing, alerts, and Advanced Security Management to detect suspicious behaviors or activities in the tenant.