Protecting your business-critical data is of the utmost importance in today’s digital landscape. Within the last 12 months, 74% of organizations have had business data exposed during a data security incident, 65% saw operational data compromised, and 58% experienced personal data being made vulnerable [1]. However, protecting that data can seem like a daunting charter for many security teams. Between the boundless volumes of data created and transformed daily by modern organizations and the difficulty of scaling legacy data loss prevention (DLP) strategies, proper prevention, investigation, and remediation of data security incidents can be an uphill climb. Simultaneously, the breakneck adoption of Generative AI is not only an exponential multiplier of organizational data, but also a new frontier of risk that we must learn to secure. Now is the time for organizations to take a comprehensive approach to data security that supports the pace of work today and adapts as your business transforms for the future.
Microsoft Purview Data Loss Prevention (Microsoft Purview DLP) provides a unified and cloud-native DLP that prevents sensitive data loss with minimal impact to business continuity. As part of our commitment to helping security teams build resilient and adaptable data security, we are excited to announce several new Microsoft Purview DLP capabilities that enable:
As the volume of data created, processed, and transmitted by modern business proliferates, so do the risks. In 2023, organizations experienced an average of 59 data security incidents over the previous 12 months [2]. With data security incidents growing more frequent and costly, it's critical to contain these incidents as quickly as they arise, mitigating downstream financial and infrastructural impact.
One way Microsoft Purview DLP is streamlining investigations for admins is by enriching email alerts with more robust metadata. These email alerts will inform the admin when a policy has been violated and provide more actionable context and evidence, including severity level, user, policy details, device details, and more. This insight enables you to understand and take appropriate action on a potential incident as soon as it occurs — from both your inbox and the Microsoft Purview Portal. This capability is now in general availability.
Figure 1: New context-rich email alerts for Microsoft Purview DLP admins.
Microsoft Purview DLP admins can now also leverage customizable email templates to notify users or teams of DLP policy matches. These custom emails, available in public preview, can be added as an action when configuring policy rules. For example, your organization may consider automating emails to notify managers of policy violations, or to kick off remediation workflows from a DLP alert. When creating policy rules, you can add a new custom template or choose from existing custom templates.
Figure 2: Create and manage custom email templates for DLP policy actions in Settings.
In addition to enriched email alerts and custom policy actions, we’re enhancing the DLP alert investigation experience within Microsoft Defender XDR. We previously added the capability to filter the DLP alerts queue in Microsoft Defender XDR by File Name or File Path for more efficient and flexible triage. We are now extending this public preview capability to filter by alerts stemming from external user risk. Learn more here.
This filter can be particularly useful in aiding investigations of threats external to your organization that may be attempting to exfiltrate company data. From Microsoft Defender XDR, you can easily visualize how a DLP policy violation was connected to an attack story associated with such external user activity. In the example below, you can see how a DLP alert tagged with “External user risk” in Microsoft Defender XDR indicates the transmission of sensitive company data to a user outside of the organization.
Figure 3: DLP alerts filtered by the External user risk tag in Microsoft Defender XDR.
Figure 4: Visualization of a DLP alert tagged with External user risk in a Microsoft Defender XDR attack story.
You may also notice that DLP alerts in Microsoft Defender XDR can now be further contextualized with insider risk summaries from Microsoft Purview Insider Risk Management. From the Incidents view, SOC analysts with the required customer-determined permissions can understand and make informed decisions on user exfiltration activities that may be connected to a larger data security incident. Learn more about this feature, now in public preview, here.
In addition to introducing the above new capabilities to improve your day-to-day triage and investigation, we are also announcing the general availability of:
When it comes to securing modern business, every second and every device counts. That’s why we’re continuing to invest in comprehensive protection for all of your users and assets, minus the business disruption, tedious troubleshooting, or finicky fine tuning.
One step we’re taking to minimize disruption to business as usual is the new pause and resume capability, in public preview. Previously, users who could override policy tips would have to repeat the action that originally triggered a DLP policy, such as printing a document with sensitive information. With pause and resume, a user can provide business justification to override a policy, and the task will resume automatically without requiring the user to resubmit the print job. This same principle can be applied to functions such as copy and paste and copy to storage. Automatic pause and resume minimizes end user disruption while ensuring proper policy enforcement.
Figure 5: Following a policy tip override, user activity such as printing and copying to storage will now be automatically paused and resumed on Windows devices.
We’ve also improved the Devices onboarding dashboard in the Purview Portal. The Devices onboarding page has been enhanced to help you quickly understand the status of onboarded endpoint devices and easily troubleshoot common onboarding issues. You can dive into detail on any of your devices and see relevant remediation guidance if issues are detected. The following capabilities are now available through the Devices onboarding page:
Figure 6: The improved Devices onboarding dashboard provides rich device metadata and helps troubleshoot common issues.
Lastly, we’re happy to announce the addition of application allowlists in Microsoft Purview DLP in public preview. Application allowlists enable exceptions to DLP rules for specified business apps, helping admins both enforce sufficient security controls and accommodate normal, expected business activity. For example, you may choose to add applications used by the Finance team to an allowlist, knowing the frequency with which they work with sensitive financial data, and adjust how policies are enforced accordingly.
Shown below, you can see how admins can now tailor DLP rules and actions for restricted app groups and allowed app groups.
Figure 7: DLP policies can now be configured with unique rules and actions for specified business applications.
We understand that today’s businesses rely on a diverse range of technologies and workloads, all of which require sufficient data protection measures. That is why we’re also excited to share the expansion of several Microsoft Purview DLP capabilities to macOS devices:
Not to mention, Microsoft Purview DLP is now generally available for the increasing volume of Windows endpoints running on ARM (ARM64) chipsets. Learn more here.
Get started today with Microsoft Purview DLP by turning on endpoint DLP as it is built into Windows 10 and 11 and does not require an on-premises infrastructure setup or agents on endpoint devices. Learn more about endpoint DLP here. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial!
And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Data Loss Prevention. An active NDA is required. Click here to join.
We look forward to your feedback.
Thank you,
The Microsoft Purview Data Loss Prevention Team