Risk-based automatic DLP policy adjustment with Adaptive Protection | Microsoft Purview
Published Feb 06 2023 12:48 PM

Adjust the strength of your data protection automatically based on the calculated data security risk levels of users. Stringent controls are applied to high risk users, while low risk users continue to work productively with the right controls in place — all done automatically. Alleviate your security team’s burden from manually fine tuning policies. Elevate your existing Data Loss Prevention controls for content.


[Image: Main pic Adaptive.png]


Talhah Mir, Principal PM for Insider Risk Solutions, shares how to use Adaptive Protection to address the most critical risks, while saving time. Balance data security and productivity with the Adaptive Protection capability in Microsoft Purview.


Notify to warn, override, or block.

[Image: 1- Risk Levels.png]

Get automated DLP policies adjustment based on data security risk levels with Adaptive Protection in...


Prevent data exfiltration and theft — one click.

[Image: 2- One click.png]

Assess insider risks and turn on Adaptive Protection in Microsoft Purview.


Take existing DLP policies from static to dynamic.


Address critical risks, save valuable time. See how to get Adaptive Protection in Microsoft Purview.


Watch our video.



00:45 — How Adaptive Protection works

01:57 — Cumulative Exfiltration Anomaly Detection Model

02:58 — Data Security Risk Level

04:17 — Admin views

05:09 — Enable Adaptive Protection

05:55 — Customization

06:59 — DLP Policies

07:56 — Wrap up


Link References:

More on Adaptive Protection at https://aka.ms/adaptiveprotection



Video Transcript:


-For example, let’s say we have two users in the same team that have access to the exact same information, scoped to the same user policy. Let’s see what happens when user one, Alex, goes to print this information. They hit print, and you can see they’ve been blocked with an override. User two, Megan, does the same thing but is blocked outright. So why did this happen? Behind the scenes, Adaptive Protection takes a privacy-first approach to analyze data activities across the users scoped to a policy.


-It assesses users’ data activity across both Microsoft and non-Microsoft services in aggregate using built-in machine learning models from our Insider Risk Management solution in Microsoft Purview to parse through it at scale. And it algorithmically reasons over activity signals to sequence anomalous activity patterns that accrue to user data security risk around three tiers with Elevated as the highest tier, followed by Moderate and Minor.


-Data security risk levels are then mapped to the appropriate level of content protection and DLP, with actions like notify to warn, override with optional business justifications, or outright restrict access by blocking and even encrypting the content. In fact, various machine learning models can be applied automatically based on your selections to tailor the right DLP protection from one user to the next. This takes significant burden off you and your security teams.


-In this case, let’s take a look at the risk factors that identified user two, Megan, that warranted an outright block without the option to override. First, the cumulative exfiltration anomaly detection model was able to assess their risk level by building a statistical baseline of their activity compared to the activity of their peers. In this case, user two recently shared a large volume of files externally. Second, she was identified as a potentially high impact user and the model also assessed a change in the pattern of how they interact with sensitive information. And by the way, these risk factors were unique to user two, and did not apply to user one.


-That said, this is Adaptive Protection. Because risk changes dynamically, your policies should also automatically adapt to changing risk. But what happens if user one changes their activity pattern? Well, each action will feed into a calculated data security risk level. For example, if we see them going to SharePoint sites, downgrading sensitivity labels on content, and then downloading an unusual volume of files, then their data security risk level will raise accordingly. And of course, if they submit their resignation, and then they attempt to share this information externally, they can be blocked outright.


-Conversely, if user two, on the other hand, modifies their activities, heeding data protection best practices, her data security risk level can reduce over time and DLP content protections will adapt accordingly. This is a huge time saver for you as security admin as it reduces the number of policies and scopes you need to build and manage manually to get the balance between security and productivity right for your organization. If you over-index on productivity, you can invite more data loss. Or conversely, if you over-index on data protection, you end up blocking people from getting their work done while overloading yourself with alerts.


-Adaptive Protection continuously balances the right controls for each user independently, according to their data security risk level, helping security teams do more with less by prioritizing mitigations on high risk users. And the system provides complete transparency so you know exactly how data security risk levels are calculated. The solution is built with privacy by design. In admin views, usernames are pseudonymized by default, and with the right permission, as an investigator or analyst, you have direct visibility into what went into determining a user’s specific data security risk level, as you can see here with the potential high impact user model. Or with the peer-aware cumulative exfiltration anomaly detection model, you can see a user’s activity over the last 30 days compared to the norms of their teammates.


-And these are just two of the dozens of models and detectors available in Insider Risk Management, including sequencing, all of which can contribute towards the user’s data security risk level. To take advantage of Adaptive Protection, in the Microsoft Purview compliance portal, all you need to do is enable it. We’ve made it super easy to get started with Adaptive Protection with one click. With the right permissions, this one click can start you on your Adaptive Protection journey. This runs an analytics scan on your organizational activities, like data exfiltration, events leading to potential data theft, and other top exfiltration activities that may lead to a data security incident. And then using that information, it defines the distinct conditions per risk level against which each user’s evaluated independently. So you don’t get too many or too few users detected in each risk level.


-The system also automatically sets up the DLP policies with the right risk level conditions to enable Adaptive Protection. These policies are set to run in test mode initially so you can fine-tune as needed. Speaking of which, you can also customize your entire setup. You may want to focus on specific risk factors or activities for each risk level, and you can do that as you can see here, using alert severity (high, medium or low), alert status (whether the alert has been confirmed or not), or the user’s activity.


-For activity, you can choose any of the detectors or indicators in the system used to identify the user’s daily activity and create a condition based on the severity or occurrence of that activity over a period of time defined by you. For example, you can choose to let the system detect a three state sequence of someone downloading, obfuscating by renaming, and then exfiltrating content as being part of a moderate risk level, or specifically define a condition under which more than three days of large volume downloading activity puts the user in the same moderate risk level.


-On the user’s page, you can review the anonymized users that have been identified at varying levels of risk, and you can even click into each user to see which policies are in scope for them. And you can also take your existing DLP policies and enlighten them to be dynamic. Let’s go to DLP policies. We’ll select the Project Copperfield policy and click on edit. I’ll go to the advanced DLP rules, click on Edit. In this policy, there are existing static conditions configured to look for certain sensitive information types and also a specified sender domain.


-Under add condition, we can see an option to add user’s risk level for Adaptive Protection is. Now we can select the risk level we want to add to this policy. I’ll choose Elevated and Moderate in this case, and just like that, we’ve made your existing static policy adaptive. This means that you can quickly and simply build on all the investment in DLP you’ve made over the years. The ideal use case here is to take any policies that may be noisy and add the adaptive condition to them, so you can focus on addressing the most critical risk while saving valuable time.


-So that was a quick overview of Adaptive Protection, which leverages the breadth of detections from Insider Risk Management and the depth of protection in DLP to efficiently balance between security and productivity. You can try it out today at aka.ms/PurviewTrial. And to learn more, check out aka.ms/adaptiveprotection. Of course, subscribe to Microsoft Mechanics for the latest in tech updates. And thank you for watching.
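The following is an added, illustrative simulation of the risk-tier logic the transcript describes. It is not Microsoft's code, and it does not reproduce Purview's models or any Purview API: the download threshold, the seven-day window for the download, rename, external-share sequence, the peer-median comparison standing in for the cumulative exfiltration anomaly detection model, and the tier-to-action mapping are all assumptions chosen for the example. The activity records for four users are constructed, not real telemetry. What it shows is how independent conditions each resolve to a tier, how the highest tier wins, and how an adaptive condition on an existing DLP rule (here scoped to Elevated and Moderate, as in the demo) turns one static rule into different outcomes per user.

```python
# Illustrative simulation of risk-tiered, adaptive DLP conditions.
# Constructed example: thresholds, window, peer comparison and actions are
# assumptions for the example, not Microsoft Purview's models or APIs.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    user: str
    day: date
    action: str      # "download", "rename", "external_share", "resign", "print"
    count: int = 1   # number of files involved


# Risk tiers, highest first, and the DLP action each tier maps to
ELEVATED, MODERATE, MINOR, NONE = "Elevated", "Moderate", "Minor", "None"
TIER_RANK = {NONE: 0, MINOR: 1, MODERATE: 2, ELEVATED: 3}
DLP_ACTION = {ELEVATED: "block", MODERATE: "block_with_override", MINOR: "notify", NONE: "allow"}

LARGE_DOWNLOAD = 50                   # assumed files/day that counts as "large volume"
DAYS_THRESHOLD = 3                    # condition fires on more than three such days
SEQUENCE_WINDOW = timedelta(days=7)   # assumed window for download -> rename -> share
PEER_FACTOR = 3.0                     # assumed multiple of the peer median that is anomalous


def large_download_days(events):
    """Number of days on which the user downloaded at least LARGE_DOWNLOAD files."""
    per_day = defaultdict(int)
    for e in events:
        if e.action == "download":
            per_day[e.day] += e.count
    return sum(1 for n in per_day.values() if n >= LARGE_DOWNLOAD)


def has_sequence(events, steps=("download", "rename", "external_share"), window=SEQUENCE_WINDOW):
    """True if the steps occur in order, all within `window` of the first step."""
    idx, start = 0, None
    for e in sorted(events, key=lambda ev: ev.day):
        if e.action == steps[0] and (start is None or e.day - start > window):
            idx, start = 1, e.day          # (re)start the sequence at this event
        elif start is not None and e.action == steps[idx] and e.day - start <= window:
            idx += 1
            if idx == len(steps):
                return True
    return False


def exfil_anomaly(user_events, peer_events_by_user, factor=PEER_FACTOR):
    """Peer-aware check (simplified): external sharing far above the peer median."""
    def shares(evs):
        return sum(e.count for e in evs if e.action == "external_share")
    peers = sorted(shares(evs) for evs in peer_events_by_user.values())
    if not peers:
        return False
    median = peers[len(peers) // 2]
    return shares(user_events) > max(1, median) * factor


def risk_level(user_events, peer_events_by_user):
    """Evaluate every condition; the highest tier any condition reaches wins."""
    level = NONE
    actions = {e.action for e in user_events}
    checks = [
        (ELEVATED, "resign" in actions and "external_share" in actions),
        (ELEVATED, exfil_anomaly(user_events, peer_events_by_user)),
        (MODERATE, has_sequence(user_events)),
        (MODERATE, large_download_days(user_events) > DAYS_THRESHOLD),
        (MINOR, "external_share" in actions),
    ]
    for tier, hit in checks:
        if hit and TIER_RANK[tier] > TIER_RANK[level]:
            level = tier
    return level


def evaluate(user, events_by_user, policy_levels=(ELEVATED, MODERATE)):
    """Risk tier for `user`, and what a DLP rule with an adaptive condition on `policy_levels` does."""
    peers = {u: evs for u, evs in events_by_user.items() if u != user}
    level = risk_level(events_by_user[user], peers)
    action = DLP_ACTION[level] if level in policy_levels else "allow"
    return level, action


def D(n):
    """Day n of February 2023; only used to build the constructed sample below."""
    return date(2023, 2, n)


# Constructed activity for one team (not real telemetry)
TEAM = {
    "Alex":   [Event("Alex", D(1), "download", 8), Event("Alex", D(2), "rename", 8),
               Event("Alex", D(3), "external_share", 1), Event("Alex", D(6), "print")],
    "Megan":  [Event("Megan", D(1), "download", 10), Event("Megan", D(3), "external_share", 40),
               Event("Megan", D(6), "print")],
    "Jordan": [Event("Jordan", D(2), "download", 5), Event("Jordan", D(4), "external_share", 1)],
    "Sam":    [Event("Sam", D(n), "download", 60) for n in (1, 2, 3, 4)]
              + [Event("Sam", D(5), "external_share", 2)],
}

if __name__ == "__main__":
    for user in TEAM:
        print(user, *evaluate(user, TEAM))
```

With this constructed data Alex trips the download-rename-share sequence and lands at Moderate (block with override), Megan's external sharing is far above her peers and lands at Elevated (outright block), Sam exceeds three days of large downloads (Moderate), and Jordan sits at Minor, which the rule scoped to Elevated and Moderate leaves alone. Scoping the same rule to all three tiers changes Jordan's outcome to a notification without touching anyone else's, which is the per-user adaptation the transcript describes.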
