Microsoft Data Security Updates - 9th May 2024


You may have noticed that there have been some big announcements this week across the Microsoft stack. I've picked out the ones that I found the most impactful from a Data Security standpoint, but I will cover the rest as we move through the next few weeks.

I also received some feedback suggesting that I highlight community initiatives and posts from those outside of Microsoft in the Data Security space, and I think it's a great idea!

If you are creating or know of someone creating great content in the Data Security space and want to be highlighted in this newsletter please let me know - the more the community comes together the better outcomes we all have!

So, for this week, let's kick off!

Product Updates and Announcements

AI Hub

Now this is something I have wanted to speak about for a long time - AI Hub is now in public preview - it helps organisations discover how AI applications such as Copilot for M365 and third-party AI apps are being used in their organization and provides ready-to-use policies to protect data.

It includes insights like sensitive data shared with AI apps (whether Copilot for M365 or third-party AI apps), total number of users interacting with AI apps and their associated risk level, pulled from Microsoft Purview Insider Risk Management, and can even surface unlabeled files and SharePoint sites referenced by Copilot, helping you prioritize your most critical data risks and prevent potential oversharing of sensitive data.

Another thing here being moved into public preview is the capability of non-compliant usage insights in the AI Hub to discover unethical use in AI interactions, such as regulatory collusion, money laundering, targeted harassment and more.

So much good stuff here, and I'll be writing up a dedicated article to it shortly!


Data Loss Prevention

For those that don't know, DLP integrates with Insider Risk and a few others to provide adaptive protection - think of this as dynamically assigning a policy based on a user's risk level. If I am a low-risk user, I may have a less stringent policy assigned to me, but if I move into a medium or even high-risk user scenario, the system will automatically place me into a stricter DLP policy, restricting additional actions - this feature has now moved into GA!

In March, we announced that this is now integrated with Conditional Access, so you can use your policies to automatically add users into policies based on their risk levels.

Now, the big news for this week - you can now integrate adaptive protection with Data Lifecycle Management! It helps you protect your organisation’s data by integrating dynamic insider risk levels, as determined by data-related activities, with various policy engines to automatically move users in and out of policies as their risk levels change over time.

Let's say you're a user and you've just reached an elevated risk level for any number of reasons. We can now have a policy configured so that we retain a copy of any files deleted by the user that are stored in SharePoint or OneDrive, or emails in Exchange for Microsoft 365. This helps us protect against data sabotage in the situation where someone may be maliciously attempting to delete data; we then have a full audit and investigation log, and can restore that data when we need to.

Keep in mind that as a user's risk level drops, the dynamically assigned policies will drop with them too - in this example, if the user moves to a low risk level over time, we will no longer retain a copy of that data. This is a massive step forward in Data Security and I am really happy to see it come into preview!

Insider Risk Management

We are releasing Insider Risk context into the Defender XDR user entity page, in public preview. With this update, SOC analysts with the required customer-determined permissions can access an insider risk summary of user exfiltration activities that may lead to potential data security incidents, as a part of the user entity investigation experience in Microsoft Defender.

This feature can help SOC analysts gain data security context for a specific user, prioritize incidents, and make more informed decisions on responses to potential incidents.

Insider Risk Management is also enhancing the existing email insight alerts to provide additional information for when business-sensitive data is potentially leaked from a work email account to a free public domain or personal email account, potentially leading to a data security incident. This feature will make the triaging experience easy by highlighting, for example, when an insider is sending an attachment to their personal email.

On top of all this, check out the Public Preview of Adaptive Scopes which allows admins to use adaptive scopes created within the Microsoft Purview compliance portal to scope Insider Risk Management policies, to dynamically define membership of users or groups based on Entra ID attributes, like location or department.

Other features that will soon be available:

  • Admins can now exclude specific users and groups from Insider Risk Policies and will be able to delete all associated alerts and users in scope when deleting a policy, to help quickly reset and remove inactive policies.
  • The policy tuning analysis feature will now take into consideration specific priority content in your policies to predict the number of users matching the policy conditions in a tenant.

So much good stuff for Insider Risk this month!

Communications Compliance

Coming soon to GA, Communication Compliance policies can analyse Microsoft Teams meeting audio transcripts for potential policy violation matches!

Compliance Manager

There are four new Microsoft Purview Compliance Manager assessment templates to help your organization assess, implement and strengthen its compliance against AI regulations, including EU AI Act, NIST AI RMF, ISO/IEC 23894:2023 and ISO/IEC 42001. These details will be surfaced within the Microsoft Purview AI Hub.



Blogs and Media


DecipheringUAL

If you use Purview Audit at all, there's a great series hosted on GitHub by Purav D. - DecipheringUAL. This repo aims to help you decipher the UAL from a Digital Forensics & Incident Response (DFIR) perspective. The UAL acronym here is the Microsoft 365 Unified Audit Log :)

It's been built up over time and he continues to add to it, so make sure you check it out.

Check out the repo here!

Purview Deployment Guide

I couldn't help but mention my colleague Ray Reyes and his fantastic Purview Deployment guide - lots of effort goes into creating these, and it provides a comprehensive view, so make sure you go and have a read through it!

Check out his post here!



Purav D.

Microsoft Security MVP | M365 Incident Responder at Citi (VP) | AZ-500 | SC-400 | SC-200 | MS-500 | Creator of DecipheringUAL on Github | Author | Speaker | Microsoft Purview Audit/eDiscovery | Microsoft Defender XDR |

6 months

Thanks for the mention Beau

Chris Hannah

Cloud | Zero Trust | Modern Work

6 months

Loving the work going into IRM
