Data security risk is dynamic in today's modern workplace with various constantly changing factors, including types of content, people who interact with data, and the activities around the data*, all of which make it more complex to manage. As 83% of organizations have had more than one data breach, the recurrence of data security incidents is rising and has become a critical vulnerability that organizations must prioritize. Meanwhile, a recent Microsoft study shows that 2 in 5 security leaders feel at extreme risk due to cybersecurity staff shortage**.
Often, attempting to find the sweet spot between data protection and productivity takes much of the security team's bandwidth. If a control is too strict, it could overload the security teams with an overwhelming number of alerts and block legitimate business activities. Most security teams may prefer a less restrictive control since it doesn't impede productivity, but the risk of data loss would increase. And fine-tuning broad and static policies can often become a never-ending project that overwhelms security teams.
Organizations need a more effective and efficient data protection solution that can automatically protect their data against the most critical risks.
Optimize data protection automatically with Adaptive Protection
To help organizations overcome these challenges and optimize their data protection, we are excited to announce the public preview of Adaptive Protection, a new capability of Microsoft Purview. Adaptive Protection leverages machine learning to identify and mitigate the most critical risks with the most effective protection controls dynamically, saving security teams valuable time while ensuring better data security. The capability is built into the Microsoft platform with no agents required so organizations can get started using this today.
Since risk is dynamic, your data protection solutions should adapt accordingly. Adaptive Protection dynamically assigns appropriate Data Loss Prevention policies to users based on the risk levels analyzed by the machine learning models in Insider Risk Management. With this new capability, static DLP policies become adaptive based on user context, ensuring that the most effective policy, such as blocking data sharing, is applied only to high-risk users while low-risk users can maintain productivity. The policy controls constantly adjust, so when a user’s risk level changes, an appropriate policy is dynamically applied to match the new risk level.
Figure 1 Adaptive Protection combines the breadth of intelligence in Insider Risk Management with the depth of protection in Data Loss Prevention
Identify the most critical risks with context-aware detection in Insider Risk Management
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
To enable Adaptive Protection, in Insider Risk Management, admins can configure the risk factors or activities for each risk level – minor, moderate, and elevated – based on the organization's needs. For example, you can define the elevated risk level as users who downloaded an unusual volume of highly sensitive information for more than 3 days and have privileged roles, such as Azure Active Directory admins, while the moderate risk level could be the same activity, but the users don’t have such elevated roles. The configuration helps Insider Risk Management learn an organization’s risk priorities so it can leverage the machine learning-driven models to understand user context of potential data security risks and assign risk levels accordingly.
The risk levels for Adaptive Protection update continuously and automatically based on the users’ risk factors, so when users’ data security risks increase or decrease, their risk levels will be adjusted accordingly. On the user scope page, admins can review anonymized users that have been detected at different risk levels.
Figure 2 Admins can configure the risk levels for Adaptive Protection in Insider Risk Management
Enforce the most effective controls dynamically with Data Loss Prevention
Based on the risk levels, DLP automatically applies the right level of preventative controls as configured by admins – such as block, block with override, or warning. At this time, admins can create more sophisticated and adaptive DLP policies across Exchange, Teams, and endpoints, with more to come in the future.
For example, with Adaptive Protection, DLP can allow users in the minor or medium risk level to receive policy tips and education on best practices of handling sensitive data, influencing positive behavior changes over time to reduce organizational data risks. For users in the elevated risk level, admins can use the strictest protection controls, such as blocking users from saving or sharing sensitive data, to minimize the impact of potential data incidents.
Figure 3 Risk levels configured and detected in Insider Risk Management can be used as a condition of DLP policies to enable Adaptive Protection
Mitigate insider risks automatically before full investigations take place
It takes 85 days on average to contain an insider risk incident***. Companies need tools to help accelerate time to action and contain potential data security incidents quickly. With Adaptive Protection, once high-risk users are detected, a strict DLP policy with strong data protection controls can be automatically enforced to reduce the impact of potential security incidents early on.
Get started with Adaptive Protection today
Many customers are already deeply invested in Microsoft Purview DLP policies, and now they can quickly get started with Adaptive Protection by simply adding a new condition, risk levels for Adaptive Protection, to existing DLP policies to make them adaptive. In addition, on the homepage of the Microsoft Purview compliance portal, admins can set up Adaptive Protection in one click, which creates policies in test mode based on the aggregated risk insights of your organization.
Figure 4 Admins can set up Adaptive Protection with one click on the homepage of the Microsoft Purview compliance portal
The public preview of Adaptive Protection will be rolled out to customer tenants this week. Adaptive Protection is part of the Microsoft Purview suite of solutions designed to help organizations manage, govern and protect their data. If you are an organization using Microsoft 365 E3 and would like to experience Adaptive Protection for yourself, check out our E5 Purview trial.
You can also learn more about Adaptive Protection in our technical documentation and watch the Mechanics video.
- Talhah Mir, Principal Product Manager, Microsoft Purview Insider Risk Management
- Maithili Dandige, Partner Group Product Manager, Microsoft Purview Information Protection
*Cost of a Data Breach Report 2022, IBM
**“Cyber Resilience”. May 2021, Microsoft Security Insider
***2022 Cost of Insider Threats: Global Report, Ponemon Institute