Data Loss Prevention – Human error, insider threats and the in-between

Published Jan 29 2019 06:00 AM

Do you remember the first or last time you found a user had shared sensitive information with the wrong people?


Companies dedicate large amounts of resources and money towards establishing an airtight DLP policy to detect and protect company data and prevent it from getting into the wrong hands, whether deliberately or by mistake. But no matter how good the technology, or how vigilant the security team, there is always a wildcard – end users.


“A company can often detect or control when an outsider (non-employee) tries to access company data either physically or electronically, and can mitigate the threat of an outsider stealing company property. However, the thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access. That insider may steal solely for personal gain, or that insider may be a “spy”—someone who is stealing company information or products in order to benefit another organization or country.”

                -Introductory guide to identifying malicious insiders, U.S. Federal Bureau of Investigation (FBI)



Figure 1: Statistics from the Insider Threat 2018 Report


From the above data we can see that insider threats are becoming a real concern for most organizations, and that active steps are being taken to mitigate the risk inherent in these threats.


In this post we’ll discuss how regular users can expose sensitive data by wrongly classifying documents, how malicious users can take advantage of the encryption to exfiltrate data, and how Microsoft Cloud App Security’s new capability of scanning content in encrypted files, as well as the wider Microsoft Information Protection offering, can help organizations mitigate these risks.


The innocent mistake

While employees in the modern workplace are getting increasingly technologically savvy, and are finding new tools to improve their productivity, they aren’t always aware of the security implications of their actions.


Many of our customers are leveraging Microsoft Information Protection solutions to classify, label and protect their data. To minimize the impact on end users and their ability to be productive, these organizations often choose to empower their users to label documents themselves, by providing automatic suggestions but not auto-labeling or -protecting documents.


A user can inadvertently label a document containing highly confidential information with a low sensitivity label that applies minimal access restrictions. Since the file is already encrypted, it will not be scanned by the DLP solution, but might still be accessible to unauthorized people.


The malicious insider

A bigger threat, with a much higher potential for damage, is the malicious insider: someone who is actively working on exfiltrating sensitive information from the organization, whether for personal gain, corporate espionage or other reasons.


This malicious user might exploit the ability to encrypt files to purposefully classify a file as low sensitivity while inserting highly sensitive data, and then share it externally. As in the “mistake” scenario, this will allow the file to pass the scanning of the DLP solution.


How does Microsoft Cloud App Security handle these risks?

Microsoft Cloud App Security has a wide set of tools targeted at handling insider threats. These include user behavior anomaly detections, cloud discovery anomaly detections, and the newly released ability to scan content of encrypted documents.


User anomaly detection

Microsoft Cloud App Security comes with a wide set of out-of-the-box anomaly detection policies that are activated by default as soon as the product is enabled. These detections look at the activities performed by users in sanctioned apps and define a usage baseline, leveraging UEBA capabilities to automatically identify any anomalous behaviors going forward.


An example of these types of detections, aimed at insider threats, is “Unusual file download activity by user”. This detection will create an alert whenever a user performs file downloads that differ from their usual pattern – a potential indicator of a data exfiltration attempt.


Cloud anomaly detection

In addition to the user anomaly detections for sanctioned apps, Cloud App Security also offers detections aimed at identifying suspicious behavior of users in unsanctioned applications. These detections are based on the data we get and analyze as part of our Cloud Discovery capabilities.


An example for such a detection is “Data exfiltration to unsanctioned apps”, which looks at the amount of data being uploaded by users to unsanctioned applications – one of the most common scenarios of insider threat data exfiltration.
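To make the two detections above concrete, here is an added example (not MCAS code) that runs simplified versions of “Unusual file download activity by user” and “Data exfiltration to unsanctioned apps” over a constructed activity log. The record layout, thresholds and app names are assumptions; the real detections use the product's own UEBA baselines and Cloud Discovery data.

```python
"""Toy versions of two Cloud App Security style detections, run over
constructed activity records. Not MCAS code; all records are made up."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed activity log: (user, day, action, app, sanctioned, bytes)
ACTIVITY = [
    # alice: a steady 3 downloads per day for a week, then a burst on day 8
    *[("alice", d, "download", "SharePoint", True, 1_000_000)
      for d in range(1, 8) for _ in range(3)],
    *[("alice", 8, "download", "SharePoint", True, 1_000_000) for _ in range(40)],
    # bob: a normal upload to a sanctioned app, plus 600 MB to an unsanctioned share
    ("bob", 8, "upload", "OneDrive", True, 5_000_000),
    ("bob", 8, "upload", "unsanctioned-share.example", False, 600_000_000),
    # carol: first day of activity, so no baseline exists yet
    ("carol", 8, "download", "SharePoint", True, 3_000_000),
]

def unusual_downloads(records, day, min_history=5, z=3.0):
    """Flag users whose download count on `day` exceeds their own baseline
    (mean + z * stddev over earlier days, with a floor of 1 on the stddev so a
    perfectly regular user does not alert on a single extra download).
    Users with fewer than `min_history` days of history are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, d, action, *_ in records:
        if action == "download":
            counts[user][d] += 1
    alerts = {}
    for user, per_day in counts.items():
        history = [c for d, c in per_day.items() if d < day]
        if len(history) < min_history:
            continue
        today = per_day.get(day, 0)
        threshold = mean(history) + z * max(pstdev(history), 1.0)
        if today > threshold:
            alerts[user] = (today, round(threshold, 1))
    return alerts

def unsanctioned_upload_volume(records, day, limit_bytes=100_000_000):
    """Sum bytes uploaded to unsanctioned apps per user on `day` and report
    users over the limit, the core of the unsanctioned-app exfiltration check."""
    totals = defaultdict(int)
    for user, d, action, app, sanctioned, size in records:
        if d == day and action == "upload" and not sanctioned:
            totals[user] += size
    return {u: b for u, b in totals.items() if b > limit_bytes}

if __name__ == "__main__":
    print("unusual downloads:", unusual_downloads(ACTIVITY, 8))
    print("unsanctioned uploads:", unsanctioned_upload_volume(ACTIVITY, 8))
```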


Content inspection of encrypted files

We have recently released the ability for an admin to allow MCAS to scan the content of files that are protected by Azure Information Protection. After enabling this functionality, the admin can define MCAS file policies to inspect the content of encrypted files, and generate an alert, or take an action based on the match.


This functionality ensures that files are handled according to their actual content, even if they are labeled incorrectly, thus preventing sensitive data from leaving the organization – both by mistake and by design.
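The following added example (not MCAS or AIP code) shows the policy logic this section describes: the decision is driven by the file's actual content, which the page says is inspected in memory after decryption, rather than by the label the user chose. The label names, file contents and the “quarantine” action are constructed assumptions; the detector uses payment card numbers with a Luhn check as a stand-in for a sensitive information type.

```python
"""Toy file policy: alert when decrypted content contains payment card numbers
but the file's label ranks below the required one. Added example, not MCAS code."""
import re

# Constructed label hierarchy; real label names are tenant-specific
LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def find_card_numbers(text):
    """Return digit strings that look like card numbers and pass the Luhn check."""
    candidates = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in candidates if luhn_ok(d)]

def evaluate_file_policy(files, required_label="Highly Confidential"):
    """files: list of (name, label, decrypted_text). The content is inspected
    regardless of label; a file is flagged only when it carries card numbers
    AND its label is weaker than required_label (i.e. it is mislabeled)."""
    alerts = []
    for name, label, text in files:
        hits = find_card_numbers(text)
        if hits and LABEL_RANK.get(label, -1) < LABEL_RANK[required_label]:
            alerts.append({"file": name, "label": label,
                           "matches": len(hits), "action": "quarantine"})
    return alerts

# Constructed sample: one mislabeled file, one correctly labeled file,
# and one digit run that fails Luhn (order reference, not a card)
FILES = [
    ("q3-notes.docx", "General", "Client paid with card 4111 1111 1111 1111 today."),
    ("customers.xlsx", "Highly Confidential", "card 4111-1111-1111-1111"),
    ("memo.docx", "General", "Order reference 1234 5678 9012 3456 shipped."),
]

if __name__ == "__main__":
    for alert in evaluate_file_policy(FILES):
        print(alert)
```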



Figure 2: Policy setting to allow Microsoft Cloud App Security to scan files protected with AIP


Human error and malicious intent will forever be a part of organizational lifecycles. While we cannot eliminate them completely, it’s our goal to enable IT and Security admins to minimize this risk. With our advanced capabilities and unique set of insights, Microsoft Cloud App Security and the wider Microsoft Information Protection offering help organizations to protect their sensitive information – wherever it lives or travels.


More info and feedback

Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!


As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.


Learn more about Microsoft Information Protection.

Occasional Contributor

@Niv Goldenberg That's a good addition to the product. Nice. Does it apply to Office 365 Cloud App Security as well, or just MCAS? You could say MCAS only, since AIP protection was the condition (and thus an EMS or Microsoft 365 play). Or you could say OCAS as well, since SC&C Sensitivity Labels can apply encryption, making it an Office 365 play as well.

Occasional Contributor

This sounds very interesting. Is the encrypted data decrypted for inspection? Could you give any insights in the process how you scan data that is encrypted?

Occasional Contributor

Good question to ask @Jens Stolle. The details are important. I just assumed it was using something like the decrypt-analyze-reencrypt approach in Exchange Online for encrypted emails.


@Michael Sampson This is for MCAS only, as O365 CAS isn't used for DLP / file scanning in general.


@Jens Stolle When enabling the feature you give MCAS permissions to decrypt the file. When a file matches a policy it's downloaded, decrypted and scanned in memory. At no point is the file saved to storage, and there is no need to re-encrypt since everything is performed on a copy of the file.

Last update: May 11 2021 02:04 PM