IT Expert Roundtable: Information protection at Microsoft (June 2018)

>>Hello, everyone, and welcome to today’s roundtable on how we approach information protection at Microsoft. My name is Sarah Rogers and I will be your host for today’s session. I’m a Business Program Manager for IT Showcase and I manage our content strategy for the security space. Before we get started, I’d like to tell the audience that you can submit questions through the Q&A window any time during the conversation. I’ll be on the lookout for your questions to ask the experts during the session. In the case that we run out of time and aren’t able to get to your questions during this hour, we will stay behind in the studio, record answers, and post them with the on-demand webinar. Stay tuned after the conversation because the experts will share some key takeaways. With that, I’ll let everyone take a minute to introduce themselves. John, let’s start with you.

>>I’m John Cardarelli, I’m the lead on the Data Loss Prevention Team here at Microsoft.

>>I’m Victoria Warshaw, I’m the Program Manager with Strategy and Planning.

>>Hi, I’m Bill Johnson. I’m the Senior Engineer on the Azure Information Protection Team.

>>And I’m Jake Visser, Principal Program Manager and Architect for the Information Protection Program.

>>Great, let’s get started. Jake, why don’t you kick us off and talk about our new data classification and labeling system.

>>Certainly. So it’s been a long journey. Microsoft started this program in 2016, where we have reinvented ourselves. We originally had a labeling scheme that was low business impact, medium business impact, and high business impact. That scheme wasn’t very well understood. We didn’t have a good way for users to be able to label and classify their content. The content most of the time went unclassified, and I’m sure John can tell you, leaked extensively at different points in our past.

>>Yes, it has.

>>So with the advent of Azure Information Protection, and Secure Islands before that, we decided to take the opportunity and redo our entire classification scheme. It was a big task, a long journey. I have to admit, it was quite challenging, and quite a few months of our lives that we’ll probably never get back. I have to say that changing an organization’s classification scheme is probably one of the hardest things that an organization can do if it’s entrenched, particularly an organization the size of Microsoft, with 127,000-ish full-time employees globally. We have staff from literally every country in the world. As such, there are different regulatory restrictions and requirements. We then had to adapt for that. So after a lot of research and surveys along the way, we ended up landing on a classification scheme that is probably not unlike most other large businesses, thankfully, which is general, confidential, and highly confidential. They mapped pretty much one-to-one to our old classification scheme of low business impact, medium business impact, and high business impact. We also have public for the data that is out in MSDN articles, GitHub content, and other content that has been earmarked for public dissemination and approved for that. Our policy here is that we want all data at Microsoft to be labeled. By labeling it, we get a lot of advantages, not just protection. Because of that, we do need to allow folks at Microsoft to label personal content. We’re a company that does support its users in that they are allowed to do personal work on a work machine. So if you want to correspond with your accountant or your mother, we still want you to label your content. So we ended up putting non-business as a label. Personal, unfortunately, is taken by GDPR and many other regulations, and the lawyers said we’re not allowed to use it. So that’s the journey that we’ve gone on with our classification scheme. It really does underpin everything that we do within the information protection program.

>>It’s our linchpin.

>>It is. A very, very long-winded introduction to how we start this.

>>That’s good, that’s a good base. So how did we come up with the schema?

>>Again, it was, I guess, a lot of work. So one thing that comes out of this is IT is generally not the organization within the company that owns the classification scheme. Here at Microsoft, we do have the advantage that yes, we work up to the CISO. The CISO, being Bret, has a lot of control over this. Here, we have the IRMC. So the Information Risk Management Council is ultimately the owner. However, CELA, our internal legal counsel, has a very significant part to play as well. So everybody had to come to consensus, and legal wins. They have the casting vote. When we acquired Secure Islands and as that was being redeveloped into what we know as Azure Information Protection today, one of our CVPs at the time decided that they needed to know what the default classification standard should be in Azure. We’re going to offer this to customers, what leg up should we give customers, and that ended up being something very similar to what we landed with. But the way they did it, they surveyed over 5,000 companies, and then we also did an internal survey of Microsoft employees. We needed to find the classification scheme that really resonated with users, that people could intuitively know that, “Hey, if I see a file on my disk and this is confidential, I’ve really got to protect that.” Because we’re an international company, we couldn’t use two different labels like restricted and confidential. In Europe, people generally think of them one way. Go to Australia, they think of them the other. In New Zealand, they think of them back the other way again. It gets messy. So having confidential and highly confidential, or restricted and highly restricted, really does help differentiate the two classification labels where we have our sensitive content. We wanted to avoid secret and top secret. I come out of the government personally, and we have several contracting arms in Microsoft and we partner closely with a lot of contractors. If somebody happened to have reused the government label, it could look bad. So we needed to make sure that this was clearly a Microsoft classification scheme. Then, we have general, which is everybody’s email. If you just start off content, it’s going to start as general. We didn’t want to impose any roadblocks or hiccups to the classification process. So at Microsoft, we generally don’t like putting pop-ups in front of users. So when somebody goes to a site content, some organizations in the government circles, you can force a user to classify content on the site. Here, we don’t want to do that. So users are asked to classify, we recommend to the user on certain content that they classify, and we’re really doubling down on our automation around detecting what content should be classified.

>>Excellent. Well, let’s get into maybe some of the various technologies and products that we have for information protection because I know there are a few.

>>Certainly.

>>Yeah. Well, yeah. There’s the Azure Information
Protection plugin, so that’s the labeling and the protection piece. We have the Azure Information Protection scanner, which is really cool because it will scan your repositories on-premises and your SharePoint sites that are on-premises. So that’s really cool. Then, we have the Office DLP, where we can set policy up in O365 for basically the same sensitive types that we’re looking for and the sensitive content that we’re looking for. So wherever we want to start, it’s good. The AIP labeling, like we said in the beginning, is our linchpin. So we really do count on that label hook to be able to help people classify and protect. So in that system, the really neat thing about that is the recommendations, and Jake kind of alluded to that, where we detect certain content, whether it’s a Microsoft secret or it might be a legal person that is typing in some attorney-client privilege type thing, and then we can recommend to them that they should protect that content with highly confidential, and then they can choose that protection appropriately for that audience that they’re writing to. So that’s really neat, and that’s just the combination of doing some looks at the content and then recommending it. We usually start with- I always call it the crawl, walk, run type of protection, where first we do the crawl, where we’re really just deploying the tool and asking people to label, and then we start with recommendations and let that go for a while so people get used to it, and then we’ll start putting in what we like to call the bigger hammer and then automatically protect content. That’s where our journey is going. So we’ll be able to automatically protect the content once we figure out if our logic with the recommendations is accurate enough.

>>Sure.

>>So any time that you do any type of new policy or detection, you always want to make sure that you’re not having a lot of false positives. Once we are clear with that, then we can start doing more automated stuff.

>>Through the AIP scanner?

>>Through the AIP scanner and the AIP labeling.

>>Okay.

>>All right.

>>So I’m guessing, internally here, we do try and use Microsoft products first.

>>Yes.

>>We are Microsoft IT, obviously, we should be using and leveraging our capabilities that we have, we want to enhance our own products to help to detect bugs for customers, get their hands on it, and have to suffer. Third though, we do use some third-party products. The advantage of the AIP Scanner process is we did manage to retire several other products that were not integrated. We have managed to now move to effectively a single reporting system for when we detect content. So, we have AIP labeling, which provides you labeling in Word, Excel, PowerPoint, and Outlook on Windows devices. We have the AIP Scanner, which will provide you labeling and automatic detection for unlabeled content on on-premises file shares and on-premises SharePoint sites, which we do have a lot of. Still, we are a hybrid environment, as many organizations are, and our journey to the cloud is still persisting. Then, I guess on top of that, we then have the Office 365 and SharePoint capabilities that give us- it’s continuing to enhance labeling and protection services in the cloud. Then we have third-party services. Microsoft does acquire companies from time to time. Those companies may not be using Microsoft products when we acquire them. So we do partner quite extensively with third-party cloud services. So we do leverage, although we wish we could use a lot more of it internally, Microsoft Cloud App Security, which can provide automatic labeling and protection in the cloud. The key thing here is that those labels are going to be the same, right? Whether you’re using it on-premises or whether you’re using it in the cloud, or, as we are, in some of our more specialized edge protections. We can detect those labels in third-party products as well. So wherever that content goes, we can detect the label, and we have had some very good success in identifying some really bad business practices.

>>That’s our key goal, right? Is to have that protection follow, travel with the data.

>>Yeah, so the labeling should always be persistent. Content that needs to be protected should be protected. Those users who need to access and use that data can access it in the right place at the right time. Our culture at Microsoft really allows us to take a soft touch approach. You gentlemen might like to maybe talk about how we interact with our customers as we discuss. Get through some of the DLP and how we detect things.

>>So with AIP Scanner, as we have findings for the individuals that may have data stored that sends us alerts, we’re able to reach out to those users and find out, is that a bad business practice? Is it just accidentally stored in a place that has more permissions than it should? But it does find a lot of data out there, whether it be personal information that should be very highly protected or company data that needs to be protected. We’ve had findings in both, and we’re working on improving the security of data across Microsoft.

>>That’s the one nice thing about not only the scanner but all our products. It really does help us detect where there’s bad business practice. Because let’s face it, where there’s bad business practice, that’s where leaks have a tendency to proliferate, right? Because people are just really trying to do their job. They’re not doing anything super bad, right? But they’re just trying to get their job done on time, as efficiently as possible. Because we’re all kind of super busy. But this guy actually allows us to go and work with those units here around Microsoft, around the entire world, to help better protect themselves. So we partner with our, we call them internal customers, when we on-board them into our services to really get them to do the best practices, get them to get used to labeling and protecting. Not only that, but doing all the basic security stuff that we really want them to do, like locking down their shares and stuff like that. The findings actually help us do that, right? Because we can paint a really good picture, show a nice little Power BI graph that says, “Here’s how much you’re exposed right now.”

>>Yeah.

>>That really kind of starts the engines going on really cleaning up this stuff. Bill had a really good example. He found an open file share and we just sent out a huge email to tell people to clean it up. Bill, correct me if I’m wrong. It took about three days for them to clean that up.

>>That’s correct, there were about 5,800 findings and 5,600 were remediated within three days.

>>Yeah, which was really kind of, that was probably our fastest that we’ve ever done, because it was. It was exposed to everybody at the company. So bad business practice found, bad business practice solved, and that was really kind of a nice win for us.

>>We have that customer question that’s touching on that too.

>>Sure.

>>That’s asking if we have a detection tool
utility service that determines how sensitive data and data types.

>>So what was the question again?

>>Do we have a detection tool or utility or service that determines sensitive data or data types?

>>Yes, and that would be the AIP scanner. So our journey with all our data loss prevention is to be able to write policy once, right? This is the really cool thing with our stuff is, we can go to the Security and Compliance Center and write a policy for whatever sensitive type that you want, and then that can be used in O365, in Exchange, in AIP, and in the AIP Scanner. So now, you don’t have to recreate that same logic in all the different tools, right? Because that’s the one thing that we’ve seen over the years is that you can’t do a certain thing. Like there’s a regex that the tool won’t allow you to do, like a look-back or look-forward. Something that’s really performance-heavy. So you have to tweak that. So the results are kind of different from one system to another. Here we have the one logic to rule them all, basically. That clears up a lot of misconceptions. It’s more accurate and is more actionable.

>>Yeah, streamlines the manual work that your team has to do.

>>Right.

>>From the analysis.

>>Exactly.

>>Right?

>>Yeah. Transcends where the labels go as well. So, those policies will apply. Can be used in Cloud App Security, can be used literally everywhere. There’s a bunch of policies out of the box, so depending on your exposure, the standard HIPAA rules, the U.S. Social Security numbers, the Australian identity numbers, the European identity numbers.

>>Credit card numbers.

>>Credit card numbers. We have those standard policies here at Microsoft, if we see more than X Social Security numbers or credit card numbers in a file. We classify those highly confidential. It needs to be encrypted, and then that detection logic, being the MCE, the Microsoft Classification Engine, is what is used across all our first-party products. So, as John said, one piece of logic used everywhere, including password detection. Had some good success with that.

>>On top of that, AIP Scanner has the ability to actually force encryption on those files. So we’re able to take the file that may have X number of Social Security numbers and force it to be highly confidential.

>>This was a problem that we had with some of our previous on-premises DLP, data at rest systems, where we could detect that there was content that shouldn’t have been there. We can alert users, we had some real issues with the remediation process like, “Yes, we can remove it, we can put it in quarantine. Yes, we could tell our user, but that user may have moved on.” We have a lot of vendors at the company that come and go. You don’t necessarily know who their manager three levels up was at the time because they’ve also gone on. So by being able to apply protection in place to the file, the file is protected. But it is still in its location, it still is the same file, and somebody with the appropriate rights at the company can then still discover and access that content.

>>Okay. I’ve got another couple of questions here from the audience related to SharePoint Online. So how do we handle search results in SharePoint Online for AIP protected content?

>>It’s coming. As I’m sure the customers have suffered at times, SharePoint does not play nice with Rights Managed content. If it is Rights Managed, it is a binary blob that the scan engine of SharePoint cannot access. There is a roadmap in place that fixes this, and fixes it across most of the Office 365 suite. Well, this has come to bite us more times than I care to count. We’re a very PowerPoint heavy company. A lot of executive assistants produce PowerPoints right up to the last minute before it goes in front of executives. Quite often 10 people at a time editing a single PowerPoint document. Coauthoring is a big thing here. If a file is Rights Managed with RMS protection, that will not work today. I’m happy to say that we’ve seen what is coming and we’re quite excited about it. That problem will be fixed, and the rights that were on the file with RMS will be honored in SharePoint along with the rights of the SharePoint site. That will be a major step forward. And also, some of the things that we are talking about here today is what we as MSIT, or most cloud services engineering teams, get to use. So, we do have a bit of an insight into the private preview room, and some of the, as one of the advantages of that, yes, we’re testing it before it goes out to the users, but it does give us a bit of an advantage and a leg-up in fixing some of our internal processes.

>>One question from customers usually is when, right? Do you want to talk about that, the roadmap?

>>I don’t think I can, not with authority.

>>That happens.

>>We should be seeing things by later this calendar year. There is certainly a private, public preview happening of AIP in Mac clients right now. So, while we do have the AIP plugin for Windows, we’ve always had the issue, and it’s been our number one ask of the product group, is we need to classify, label, and protect content on all devices no matter where it’s created or where it goes. Windows devices are great. We have, I think, about 40,000 Macs on our network. It is a huge number of non-Windows machines. So we need to give that capability to them as well. So, Office is building the labeling and protection capabilities, using the same engine, the same labeling, directly into Office, and it’s coming to Mac first, it will be Mobile and Web, and then will be rewritten into the Windows applications.

>>Great. All right. Are we ready for another question?

>>Sure.

>>So, occasionally we do acquire other firms, as you’ve mentioned. How do we approach potential labeling conflicts when we do acquire another company?

>>We’ve been through this one as well. Carefully. Every case is different. Some companies that we acquire are operated as independent subsidiaries, which gives some of them their own rights. Some companies that we do acquire come on board on to the Microsoft Tenant. So, if they’re coming onto the Microsoft Tenant, we’re one company, we are one Microsoft. So, it is a case of the Microsoft labeling is the Microsoft labeling. We can extend the Microsoft labeling with sub-labels, and we are doing that for one of our subsidiaries at the moment, for lack of a better term, where they can then access, or label some of their own content or protect their own content independently. The AIP scanner does also have an interesting capability in it, in that it can transcode labeling. So, if we are in a situation, and we have been with some of our legacy data, for lack of a better term.

>>I was going to actually mention that too.

>>Some of these previous companies that we used did have a different labeling tool. The AIP scanner has the ability to go through those labels, and if you have done a mapping and said this restricted label or confidential, whatever, equals this new label, it can understand the old labeling and apply the new.

>>Yeah, and we’ve done that with our old labels. So, when we first started going out, and I think we still do have those, it’s under the recommendations in the Azure Information Protection plugin. So, if we find the old label, we would recommend to change that classification to, if it’s medium business impact, we ask them to map that to the confidential label, so you can do that within the AIP label. So, you can find it and then ask them to change it, or, like Jake was saying, you can automatically change it on them if you’re convinced that that logic is right.

>>Great. Okay. How about we have another question
about Clean-Up. What does that mean in our org and how is it accomplished?

>>Clean-Up. I assume that’s remediation. So, that’s an interesting one, that’s where the analysts come in. So, we have, well, a team of three analysts for the entire company, which is kind of overwhelming at times, but what we do is, we work with the employee, the vendor, the employee, the information worker, to help clean up. So, we can set, for example, in Office 365, if you have a detect on a piece of file that somebody put up there, you can send a user notice to them saying, “Hey, by the way, it looks like you put this document that contains patent information. Can you please go and either clean that up or rights-protect that thing, so it’s protected better?” So, we do a bunch of emailing, back and forth, to the information worker to help them clean up, and it becomes an education and awareness and a training opportunity for us. So, that’s really how we do the clean up, or what we do is, there are certain groups that also have security-minded individuals that are responsible for making sure that that particular organization is following either the SDL, the Software Development Lifecycle, and things like that. So, we will actually use them to help us remediate within their organization too. So, we’ll push data to them saying, “Hey, there’s 50 people in your org that have some policy violations on some files in O365, or like on the file shares that they told us about. Can you help us go and clean them up?” So, we try to leverage our internal customers for that as well because it makes it a much better and quicker cleanup.

>>We do have some reporting requirements around this as well. So, as I mentioned at the start, the owners of the labels are the Information Risk Management Council, so it is effectively a committee at Microsoft. But as a sub-organization to that, you have the classification working group. So, every organization at Microsoft has a Data Steward. The Data Steward is ultimately responsible for the classification of all data within their organization, and we can leverage that if we were not getting traction or we’ve detected bad business practice. Again, yes, we could automate a lot of this. We could automatically apply classification on the spot. We could just send emails to the user and the manager and go, “Hi, fix your stuff,” but we prefer the soft touch. So, we will reach out and help the users do it, that’s our company’s way.

>>All right. We’ve got a very similar question about the data rules. You’re talking about data stewards and the cleanup and whatnot, where do people go, like say the stewards or a manager gets their email like you need to clean up these files? How do they know what things mean? Is there a glossary? How do we educate?

>>I will say the education and awareness campaign that we put forward for when we changed our labeling, suddenly at the time I was feeling Microsoft was probably one of the largest things that I’ve seen, but Victoria got to run the program and deployment and it was-

>>It was pretty large.

>>-it was large.

>>But what was great is that first we had a lot of pushback, but then folks kind of adapted and they realized that what they were doing is protecting the company. So, just getting the surface vulnerabilities minimized by getting people educated. It wasn’t really the product, it was about changing the way they work.

>>So, we’ve been very clear. So, in our labeling, we always make sure that we have, as part of the hover-overs, we’ve got the description of what that data means, we have an internal site, MS Protect, that everybody at the company knows to, or should at least know to, go to for anything to do with protection. So, there is quite a large section of MS Protect devoted to data classification, with a bunch of frequently asked questions, with handouts that you can print off and put on your desk. We even produce cards going over what the effect is. Now if it’s an IP address, what does that map to? If it is code, what does it map to? To provide guidance, but ultimately the decision maker and the person who can say no, that data can be handled as public, is the data steward, and that is part of that data classification framework and policy which GRCC owns, which we did have to create as part of this program.

>>And when you’re going after certain types of secrets or sensitive types, the notices that we send out to people are very specific to that particular issue. So, and then that’s where the analysts come in. They can help go, okay, it’s this string that I found. It’s a password. It looks like a default password is in here. Here is the string, go and remove it. And by the way, change it if you’re really using it as a default password. So, it’s the way that we handle certain types of detects is really right around there, because every sensitive type is different, so we try to really kind of narrow that down for the information worker to make sure that it’s limited in the scope, so they don’t have to think about everything. So, we really try to specify the issue that we find.

>>How to do it correctly?

>>And how to do it correctly, and that’s where the internal sites for, like, the MS Protect is. Here’s how you edit the piece of content to flag it as a false positive for O365, if it was, or if it was a true positive and you really need that data there, talk to the analyst and figure out the best practice for that. So, it’s really specific around that sensitive type.

>>For every rule there’s an exception.

>>For every rule there’s an exception. Yes.

>>So, we have an exception process in place as well to manage this, which, again, normally involves review at the IRMC level or in a risk management meeting.

>>There’s also really prescriptive guidance on MS Protect, as you mentioned, and also you can go through helpdesk and they’ll contact us if it’s something they can’t do. So, it’s pretty much a full circle.

>>All right, it makes sense.
So, we’ve talked about how big of a deployment this was, and what a big effort it was. So how long did it take?>>Well, it took about a year.>>A year, a little over a year.>>Again, coming back to
the crawl, walk, run, is we deployed
slowly to organizations. So we started with our own first, to make sure that the deployment went well and that there weren’t any bugs and then we
started introducing it to other organizations. Victoria did a lot
of that working with that senior leadership in
those orgs saying, “Hey, this is about to come and doing that education awareness before it actually hits the
people’s machines.” So we just did it
org by org by org. As you go further, you can see where some of
your recommendations start to falter because the more people and the more different types
of content you have, the more chances you
have for errors. So it was a constant fine-tuning of the policies and
the labeling and that, and that’s why it took so long. Otherwise, we could
have just deployed it out to everybody and then that just would have been
kind of a nightmare.>>But on that point, and Bill can attest to this, our product group
partners are amazing.>>Absolutely.>>A lot of the programs
I’ve worked on, you ask them to fix something for the customer and it
takes a long time. These guys would fix
it overnight and they get right back to
us, ask us to test it. They were the most
wonderful partners. So it just makes a big deal to have someone that really cares about what the
customer is feeling.>>So as to provide a slightly more pointed answer
to some of that as well is, took us about between six and nine months to
complete the policy work.>>That was the longest.>>Once the policy
work was completed, we did take
our time in deploying, between six and 12 months
to deploy it to everybody. We were deploying in waves of about 20,000 users at a time, targeting users and
all their machines. So we deployed through SCCM
for On-premise Corp joined machines and Intune for AAD joined as well as
Workplace Joined machines. Any machine that can
access corporate data, has AIP installed as a tool
to help them classify.>>Okay. I don’t
think we’ve mentioned Windows Information
Protection yet and where that fits in.>>That is a product that we are certainly hoping to
use more at Microsoft. We’re using it in a limited
degree around 30,000 users.>>It’s about 30,000. Yeah, and it has
potential to give us a lot of really good
telemetry in that. So, we’re deploying in
certain orgs that require even more stringent review of how people are
actually using the data. So it’s based off of location. So that’s where we need it to be a little bit more
label aware and it’s not there yet.
That’s coming. So, the current instance
of it it’s location. So, any time anybody pulls
off content, let’s say, from the OneDrive for Business
or SharePoint Online, it automatically protects
it with Corp rights, which is really cool
because then it blocks people from sending
it out to Dropbox or or Gmail or Hotmail or whatever or
OneDrive for Personal. It gives us that kind of telemetry but like we
were saying earlier, that we have
this multiple use here. So there’re sometimes
that’s personal. It could be somebody’s tax returns, and we’re actually- so if
they leave the company, the problem is it’s like
they can’t open that up. So they have to
change it to personal before they can use it. So we’re working with
the product group really closely to get it to the point where we can deploy
it everywhere.>>We’re certainly hoping
that in the next couple of major releases we’ll be
able to go company wide. Our last ask on the product
group on this is that the labeling that we have in AIP and in the Microsoft
Office Suite of products, transcends into into well WIP. So, if it’s already labelled
as highly confidential, it becomes WIP protected
on the machine and users are aware in Windows that it is highly confidential and then they have
the ability to change that if they need to and go through the same workflow and provide that business justification this highly
confidential file is our business and you’re sending it to Dropbox because?>>In some cases, that’s a legit transfer but it does require business
justification on why. Because once it leaves, you don’t know what’s
happening to it and that’s where the protection
actually helps.>>Well, like financial returns. Highly confidential up until the point that they go public and then everybody
can access them. So we need to support
workflows like that doing it.>>Good point. We’ve got
another question here. Are there any tools
available that convert labels when files are
migrated from another tenant.>>So, I know how I would do it. I don’t believe that it’s- we’ll probably need to take that one offline and check. You can search for GUIDs. AIP allows you to- particularly AIP Scanner allows
you to search for GUIDs. So if the content
happens to be local, you have the ability going
through an automatically transcoding that
with AIP Scanner. Where the content is in email or in Word documents and again, yo’re opening with
the AIP plugin locally. Yes, because assuming you’ve had headers and
footers and again, the GUID is in the file, we can provide
either the recommendations or automatically relabel. Doing that automatic relabeling within SharePoint would
require some form of re-crawl and that would
then check where it’s at.>>Yes, and I think
you can at least do a policy for
that particular label, that particular GUID
because you have the ability in O365 to look for content with custom properties within
the Office Suite. So you can look for
that and then set a policy tip on that Word doc or the Office doc to ask them to relabel that. So there’s
ways but there isn’t an automatic way in O365. You have to change that label.>>Okay.>>There’s nothing I know of
that would move everything from tenant A to tenant
B and change labels. Because that would need to be a full export and
re-import of that. I would need to ask
the product group.>>If they are importing
all that stuff, that’s all brand new content from the DLP system standpoint. So it will actually recrawl all those documents and
then at least you know how many files are
labeled with that old one and then you can
start a campaign to go and reach out to those folks. Again, you can use
the User Notice in O365 to send that notice out and then work with analysts and make sure
that that gets relabeled.>>Okay. Similarly, how do we
deal with false positives?>>Yeah. Yeah. So, my team is really kind of- we don’t mind false positives
up to a point. So, false positives, to us, give us some idea of what other stuff we
have to look for. So, in the beginning, there’s lots of false positives. So, when we set policy, we start again small
and try to get a handle on the
false positive rates and then we just
continually tune. So, it could take depending
on the type of logic, it could take
anywhere from a week to really kind of tune
it to a few months. So the more that you go
out with your policy, the more findings you’re going to have and then the more
learnings you’re going to have. So we’ve run into many instances where we’re looking
for stuff and we have a ton of false positives and then analysts will
come back and go, “Hey, I found this.” So it might have been, I don’t know, an Australian
identification number, and that was a false positive
but what it showed us was that there was a file with case numbers that
looked like that but it had personal information
about everybody. So we’re like, “Oh, we have to look for something like this.” Then we would go and create another policy to look for that. So it’s really
just a fine tuning thing over and over again.>>Office does give
you the ability to- at least that tooling gives you the ability
to get to false positives.>>Yes. It gives the
analysts the ability to ask the end-user to flag
it as a false positive. So that’s where in O365 you
have policy tips that pop up, and on that policy tip, they have the ability to go, “No, you’re wrong,” which is cool, and flag it as a false
positive then that file won’t get picked up
again unless it’s edited again with something
else and then it will say, “Hey, it looks like you
have this in here now.” So we try to work with the information worker
to help us tune that because sometimes
we just don’t know, is this really bad or not. It all depends on the logic.>>We did pull some metrics
as well from the AIP plugin. We can determine how many times a recommendation
was dismissed. So that’s something that we have, I know that’s not public, that’s something that we get internally as part
of product preview. But that gives us an idea
of how far off we are. When that number is in
the tens of thousands of dismissals, we know we’ve done something wrong in our recommendations.>>Okay, and then when
we’re rolling out policies, is that in AIP or Office DLP?>>Everything’s done at once. It’s the same set of
policies everywhere, certainly should be. We generally do scope it so
we have a couple of test groups, our organization, small team. We then have the IPRMS Team which includes us as well
as some product group folks.>>Right.>>So that the guys that
actually build the tech, so that they get to experience the recommendations
and the labels. Then, we formally roll
all that out to the company. Depending on what
we’re doing, you can target your labels, scope labels particularly
to small teams. So, if we have somebody
in research who says, “I’m working on
a special project called Project Whatever,” we can say, “Well, whenever we see
Project Whatever from your team, automatically classify and apply that label,” and
that stuff is generally, when we test that, it’s
direct to that team, and that team tells us
we got it wrong.>>Right.>>Okay. Let’s see, we have another one here about our remediation process
for those flagged items.>>Okay. Well, so
we pull data from O365 for all the events that
we get from our policy. Then, we display that for
our analysts in Power BI. So, we’re pulling that
data, so all that metadata: where the file is, what the sensitive type was, who the last modifier was, is all right there for us
in a nice Power BI report. Then, the analysts
will actually take a particular org at a time and go and
remediate those findings.>>Okay.>>All right. So, it’s
back to their remediation.>>Yeah.>>Where it’s the constant, I’d like to call it the
police on the street when the analysts reach out to that soft touch with
that information worker. There’s a lot more interaction
going on and some of the automated e-mail
notifications that we would send out on that.>>I guess the other thing
with that one is we do only have three
analysts that work on this.>>Yes.>>So, even for a company of
127,000 FTEs plus vendors.>>Yeah.>>We are successfully doing this with a soft touch
approach with that resource.>>Yes.>>Power BI is a magical thing at times when it’s
used correctly.>>Yeah, and if we’re having a hard time getting responses
within a particular org, we just continually
go up the chain. So, we’ll go up to GM level
or even the VP level and go, “Hey, we have this major issue. By the way, here’s
a picture of it.” Then, the pie charts and the graphs really
look really good.>>Easy-to-read dashboards.>>Then all of a sudden, the responses start coming. It’s just amazing.>>Yeah.>>Again, through
the years that I’ve done either leak investigations
and this stuff, the user education
and awareness on a continual basis is really
what we have to get to.>>Yeah.>>Otherwise, people forget. They have other jobs,
they’re not security minded.>>Big cultural change.>>It’s a big cultural change.>>All right. We’ve got
another customer question. So, you talked about
crawl, walk, run. Could you describe a typical
timeline expected to reach maturity from L1 to L5 in a large scale say
Fortune 500 company?>>I guess it depends on what
we’re actually looking for. Unstructured data throws
a lot more false positives so I wouldn’t want to throw.>>Good point.>>There are times
where it will take us a day to push policy out globally because it’s a really easy secret or sensitive type
we are finding. Other times, it might take
a week or two just to get a handle on the number of events
that might be coming in. Because we don’t want
to flood the analysts. Because once you flood them, then the data becomes
inactionable. It’s almost like information
paralysis at that point. It’s like, “What do I do?”>>Yeah.>>From a deployment
tech standpoint.>>Yeah.>>The tech is fairly
easy to deploy.>>Yeah.>>Pulls policies
from Office 365 that you probably already
have in place or if you’re using
SharePoint pool, we have the DLP policies already in place and know
what you need to use.>>Yeah.>>The thing that is
time consuming is making sure you’ve got a labeling and classification scheme
that your users, one, understand, and, two, that abides by legal and
regulatory policies. That varies company by company. I’ve spoken to a few companies that already had
one that was fairly well-embedded or they
happened to work closely with government and were
leveraging a government standard. In which case, they were set
from a policy standpoint, they just needed the technology
to be able to support them.>>Right.>>So, that is an undefined
length of time depending on how mature your policy
framework is. From a deployment standpoint, our general recommendation is a thousand user pilot group, make sure that you have
your recommendations in touch. Leverage what you
are already using in Office 365 or Exchange, DLP, or anything that
you have in place. Look for the same
stuff initially. Make sure you’re not creating too much churn for your users, and then go whole company. Do not go heavy on protection.>>Yeah. I ran into
that recently.>>Labeling is great. Labeling doesn’t break
any external systems. If you happen to RMS
protect content, depending on where
your RMS content goes, we had a bunch of
legacy on-premises mail servers that didn’t quite understand RMS. We had some homegrown
ticketing systems that didn’t understand RMS. If you even start encrypting all content without
understanding what your environment is and whether everything
supports rights management, you will break things. So, be gentle. Protect what needs
to be protected. Even today with SharePoint not understanding RMS correctly, we still push users to
highly confidential. We’d prefer the content encrypted on SharePoint as a binary blob protected than the collaboration
that we’re losing. It is an unfortunate see-saw in this case where security’s
winning over productivity. We’re certainly
hoping to level that out in the next six to 12 months. But there is some toxic data
that companies have that should be
protected wherever it is.>>Right.>>But there have been several Fortune 500
companies that have already been early adopters. So, on average I don’t think it took them as
long as it took us.>>Right.>>Because of
all the testing we did. So, from the product
group’s perspective, it was a couple of months.>>Right.>>It’s just depending
on how mature they were.>>If we took out all pauses that we had in
our deployment due to, “Oh, we want to fix this. We want to tweak this because we’re the first company
in the world to deploy this tech,” we could have been done
in three months. After the policy was written, we had our classification scheme, we had our education in place.>>Right. Just to give ’em an idea. There are several companies
that are using it already. So, it’s not just us
that’s been testing it. It is going to get better in
the production department, protection is what I’m
excited about. Yeah.>>Cool. All right. Well, we’re almost at
the top of the hour. Before we go, I wanted to
ask each of our experts to share a key takeaway
with our audience. Jake, I was going
to start with you but you were already
providing it there.>>Yeah. I just have
to reiterate that. The tech is good regardless
of which piece of tech, we’ve spoken of a couple of ones, a couple of the huge sweep
that we use here today. But none of that could happen unless we had the policy
and framework behind it. If you don’t have a
classification scheme, you don’t have labeling
where your users don’t know or understand
your labeling, then it’s like what we
were two years ago and it takes time to educate users. We are also hamstrung
in that we can’t force a user to classify,
and rightly so.>>Right.>>We don’t put
a pop up. We try to educate the user and
we educate the user heavily and we are investing heavily in the
automation component, that’s where users should focus.>>Yeah.>>The one thing we should
mention is that you do have the ability
to do pop ups.>>You do, you certainly do.>>We just don’t, unfortunately. Yeah.>>All right. Bill, do
you have anything to add?>>So, the tools are in place. The education is key. As long as users are educated and understand the importance
of classification, the tools should start to find fewer and fewer false positives and then we’ll be able to
move forward from there.>>So my key takeaway is just that the industry
threat surface is getting so broad and this is
a great foundation to start to begin getting better
security practices in place, being able to classify, label, and then eventually, what’s coming very
soon, is to protect. So, when O365 makes
everything native, and it all comes together
very, very soon, you’ll be ready to start
that protection piece and it should be a game changer
for the industry.>>Nice. I think so. I think the one thing
that the key takeaway is having buy-in. So, first off, having
the buy-in from the senior leadership
that this is important. Grass roots from the bottom up, work to a certain extent. At some point, you need
that top-down view. I guess the last piece is all these technologies are coming together where you can have
one council to rule them all. I think that’s the one thing that I’m really excited about, is I don’t have to go
to three different, four different councils to create logic for the same thing that I’m looking for
all over the place. I think that’s one of
the huge things that I’m looking forward to
because it makes my job easier and it makes
it more accurate.>>Getting in that unified
console is going to be huge.>>Getting that unified console, yeah.>>All right. Well, great. Thank you, everyone. The on-demand version
of this session will be posted soon to
microsoft.com/ITShowcase. You can also find our IT showcase content like business and
technical case studies, productivity guides,
and upcoming webinars on the microsoft.com/ITShowcase
site as well. Please join us for
future webinars and bring your colleagues
with you. Thanks.
