Do you remember the first or last time you found a user had shared sensitive information with the wrong people?
Companies dedicate large amounts of resources and money towards establishing an
“A company can often detect or control when an outsider (non-employee) tries to access company data either physically or electronically and can mitigate the threat of an outsider stealing company property. However, the thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access. That insider may steal solely for personal gain, or that insider may be a “spy”—someone who is stealing company information or products in order to benefit another organization or country.”
In this post we’ll discuss how regular users can expose sensitive data by wrongly classifying documents, how malicious users can take advantage of the encryption to exfiltrate data, and how Microsoft Cloud App Security’s new capability of scanning content in encrypted files, as well as the wider Microsoft Information Protection offering, can help organizations mitigate these risks.
The innocent mistake
While employees in the modern workplace are getting increasingly technologically savvy, and are finding new tools to improve their productivity, they aren’t always aware of the security implications of their actions.
Many of our customers are leveraging Microsoft Information Protection solutions to classify, label and protect their data. To minimize the impact on end users and their productivity, these organizations often choose to let users label documents themselves: labels are suggested automatically, but documents are not automatically labelled or protected.
A user can inadvertently label a document containing highly confidential information with a low sensitivity label that applies minimal access restrictions. Since the file is already encrypted, it will not be scanned by the DLP solution, but might still be accessible to unauthorized people.
The malicious insider
A bigger threat with a much higher potential for damage is the malicious insider: a user who is actively working on exfiltrating sensitive information from the organization, whether for personal gain, corporate espionage or other reasons.
This malicious user might exploit the ability to encrypt files by purposefully classifying a file as low sensitivity, inserting highly sensitive data into it and then sharing it externally. As in the “mistake” scenario, the encrypted file is not scanned and therefore passes the DLP solution unnoticed.
How does Microsoft Cloud App Security handle these risks?
Microsoft Cloud App Security has a wide set of tools targeted at handling insider threats. These include user behaviour anomaly detections, cloud discovery anomaly detections, and the newly released ability to scan
User anomaly detection
Microsoft Cloud App Security comes with a wide set of out-of-the-box anomaly detection policies that are activated by default as soon as the product is enabled. These detections look at the activities performed by users in sanctioned apps and define a usage baseline, leveraging UEBA capabilities to automatically identify any anomalous behaviours going forward.
An example of these types of detections, aimed at insider threats, is “Unusual file download activity by user”. This detection will create an alert whenever a user performs file downloads that differ from their usual pattern – a potential indicator of a data exfiltration attempt.
Cloud anomaly detection
In addition to the user anomaly detections for sanctioned apps, Cloud App Security also offers detections aimed at identifying suspicious behaviour of users in unsanctioned applications. These detections are based on the data we get and analyze as part of our Cloud Discovery capabilities.
An example of such a detection is “Data exfiltration to unsanctioned apps”, which looks at the amount of data being uploaded by users to unsanctioned applications – one of the most common scenarios of insider threat data exfiltration.
Content inspection of encrypted files
This functionality ensures that files are handled according to their actual content, even if they are labelled incorrectly, thus preventing sensitive data from leaving the organization – whether by mistake or by design.
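As an added illustration (not code from this post or from Microsoft's product), the following Python models the gap described above and how content inspection closes it: a policy that skips encrypted files trusts the applied label, while a policy that inspects the decrypted content compares what it finds against that label. The label ranking, detection patterns and sample documents are constructed assumptions; decryption itself is out of scope and is modelled by the `content` field holding the plaintext a scanner with decryption rights would obtain.

```python
import re
from dataclasses import dataclass

# Constructed sample: a protected (encrypted) file is modelled by `encrypted=True`;
# `content` stands in for the plaintext a scanner with decryption rights would see.
@dataclass
class Document:
    name: str
    label: str        # sensitivity label the user applied
    encrypted: bool   # did that label apply protection (encryption)?
    content: str

LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}
REQUIRED_RANK = LABEL_RANK["Highly Confidential"]   # assumed policy for any finding

PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_content(text: str) -> frozenset:
    """Return the sensitive information types present in the plaintext."""
    found = set()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind != "credit_card" or luhn_ok(m.group()):
                found.add(kind)
    return frozenset(found)

def evaluate(doc: Document, inspect_encrypted: bool) -> tuple:
    """DLP verdict; inspect_encrypted=False reproduces the gap described above."""
    if doc.encrypted and not inspect_encrypted:
        return ("skipped", frozenset())   # label trusted, content never seen
    found = classify_content(doc.content)
    if found and LABEL_RANK[doc.label] < REQUIRED_RANK:
        return ("blocked", found)         # label is below what the content requires
    return ("allowed", found)

DOCS = [  # constructed documents; the card number is a well-known test value
    Document("q3-forecast.docx", "General", True,
             "Card on file: 4111 1111 1111 1111 for the vendor account."),
    Document("hr-case.docx", "Highly Confidential", True, "Employee SSN 123-45-6789."),
    Document("lunch-menu.docx", "General", False, "Tuesday: soup and sandwiches."),
]

if __name__ == "__main__":
    for doc in DOCS:
        print(doc.name, evaluate(doc, False), evaluate(doc, True))
```

With inspection off, the mislabelled encrypted forecast file is never scanned; with inspection on, its content outranks its “General” label and it is blocked, while the correctly labelled HR file is allowed.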
Human error and malicious intent will forever be a part of organizational lifecycles. While they cannot be eliminated completely, it’s our goal to enable IT and Security admins to minimize this risk. With its advanced capabilities and unique set of insights, Microsoft Cloud App Security and the wider Microsoft Information Protection offering help organizations to protect their sensitive information – wherever it lives or travels.