This is a step-by-step guided walkthrough of the Microsoft Purview extended report experience and how it can help your organization understand its cyber security risks in a context that lets it achieve more. It does this by focusing on the information and organizational context, so that the real impact and value of cyber investments and incidents are reflected.
Prerequisites
Overview and vision
The vision for this package is that it allows faster and more integrated communication between leaders and the cyber operations teams, in a context that allows for effective collaboration. The structure can help present the positive result of attacks prevented, by measuring how close an attacker got to corporate secrets. It can also give a view of the impact of an incident by listing the sensitive systems and content the attackers accessed.
Based on this information you may also identify patterns showing where you need to improve your security posture around sensitive content and systems, which ties improvement projects more closely to company value. Cybersecurity is fast paced, so being able to understand the future is just as important as understanding the current state. With this data available you should be able to input details about future threats and project their impact. As part of this we are also creating Security Copilot skills to help identify future risks.
Step-by-step guided walkthrough
Principles for the dashboards
When you open the Power BI view, whether the web-based version or Power BI Desktop, you will find unique users and unique devices. These are user accounts and devices that have had at least one security incident flagged in the Microsoft Defender portal and have accessed sensitive information. Organizations may choose to filter these by incident flags, the type of incident and so on; how to do this is outlined in the implementation guide.
Let us have a look at the base elements in the CISO, CCO view.
The core rule for what is shown is that sensitive content has been touched by a compromised system or account. A compromised system or account that has not accessed any sensitive content will not be shown. The only exception is the Operational scope pages, described in more detail later.
Board level sample data.
The first version has four risk dimensions.
The KPI diagram should be updated with a target that makes sense for the core security projects the organization is running.
With Security Copilot you can get this type of detail as well; it helps with the contextual detail. Here is one example for a custom sensitive information type, where the sub-bullets are departments.
There is also a view included for the use of Sensitivity labels.
Let's use this sample to pair that usage with Copilot for Security. Say one of the object names is listall.json and you want all the information surrounding that file.
Or you may have an e-mail subject that you are concerned about.
The information shared here is intended to give you an idea of how to get started. Consider adding the actual monetized impact of events across the system, both those that were avoided and those that had a negative impact.
Improvement Project reporting
For data-driven feedback on the impact of improvement projects, we have a few sample dashboards to get you started. They are there to show the art of the possible. The rich data that is available from the system will in many cases allow you to build your own data-driven dashboards to show progress. The samples that are available are Document KPI, Oversharing SharePoint, Email KPI, Content upload, Operational Scope, and Operational scope classified content.
Below is a sample dashboard that displays the number of protected versus unprotected document operations across the organization, i.e. which ones are sensitivity labeled and which ones are not. Follow the technical guidance to set this up properly.
This example provides an overview of the suppliers being used to access sensitive content. It is based on processes; you may choose to do something similar based on IP tags and ranges and their access to sensitive content and systems.
This example contains details about how credential data is being processed across the organization. To capture All Credential Types you need to enable a policy for all workloads, including Endpoint.
Incident reporting and progress
The incident reporting and progress view provides insight into the analyst process: the overall efficiency metrics and measures used to gauge performance. It shows incident operations over time by different criteria, such as severity, mean time to triage, mean time to resolve, DLP policy and more. You should customize this view to match your practices.
The package also comes with optimization suggestions per workload: Exchange, SharePoint, OneDrive for Business, Endpoint, Teams, and OCR.
You may select to use Copilot to summarize your incidents and provide next steps. This is a sample of output from Copilot summarizing an incident. The steps for implementing and tuning Security Copilot can be found in the Guidance Playbook for Security Copilot.
Events
As part of the technical documentation, there is guidance on setting up additional event collection. If you are a decision-maker, consider whether you want alerts based on the views you have in Power BI; it is highly likely that a rule can be set up to trigger flows where you need to be involved. The Microsoft Defender XDR documentation covers this: Create and manage custom detection rules in Microsoft Defender XDR (Microsoft Learn).
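To make the core rule from the Principles section (sensitive content touched by a compromised account) concrete as an advanced hunting query that can be saved as a custom detection rule, here is an added example. It is not part of the report package or of the Microsoft documentation linked above. It assumes that "compromised" means the account appears as a User entity in a Medium or High severity alert in AlertEvidence, that sensitive content lives in two SharePoint sites whose names are listed in a constructed `SensitiveSites` list (replace these with your own sites or a sensitivity-label based filter), and that file operations are read from CloudAppEvents.

```kql
// Added example, not from the report package.
// Core rule: show a file operation only when the account performing it
// appears in a Defender alert within the lookback window.
let lookback = 7d;
// Constructed list of site names treated as "sensitive" for this example.
let SensitiveSites = dynamic(["BoardReports", "MergersAndAcquisitions"]);
// Accounts flagged in alerts, mirroring the dashboard's "incident flag" filter.
let CompromisedAccounts =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "User" and isnotempty(AccountObjectId)
    | where Severity in ("High", "Medium")      // tune to your incident flags
    | summarize FirstAlert = min(Timestamp),
                AlertCount = dcount(AlertId),
                AlertTitles = make_set(Title, 5)
              by AccountObjectId, AccountUpn;
CloudAppEvents
| where Timestamp > ago(lookback)
| where Application == "Microsoft SharePoint Online"
| where ActionType in ("FileAccessed", "FileDownloaded",
                       "FileSyncDownloadedFull", "FileCopied")
| where ObjectName has_any (SensitiveSites)      // distance to corporate secrets
| join kind=inner CompromisedAccounts on AccountObjectId
// Keep access from shortly before the first alert: the intrusion usually
// predates detection.
| where Timestamp >= FirstAlert - 1d
| project Timestamp, ReportId, AccountObjectId, AccountUpn, ActionType,
          ObjectName, IPAddress, IPTags, AlertCount, AlertTitles
```

Run it in Advanced hunting first to check the volume, then save it with "Create detection rule"; a custom detection needs `Timestamp`, `ReportId` and an identity column such as `AccountObjectId` in the output, which this projection keeps. The same query, minus the alert join, gives the "operational scope" style view of all sensitive-site activity, and the `IPTags` column is the hook for the supplier or IP-range variant mentioned under Improvement Project reporting.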
Copilot for Security can be used to draw conclusions from all relevant events associated with an incident and suggest next steps. This is a sample where it uses the corporate policy document from Microsoft Azure AI, as well as Microsoft Defender incidents, to suggest next steps. You can also use the upload feature (Upload a file, Microsoft Learn).
Here is another example where you may want to confirm if content has been touched by a compromised account.