IT Expert Roundtable Information protection at Microsoft June 2018

Show video

Hello. Everyone and welcome to today's roundtable, on how we approach information. Protection at Microsoft, my, name is Sarah Rodgers and I will be your host for today's session I'm, a business, program manager, for IT showcase, and I manage our content strategy for the security, space. Before. We get started I'd like to tell the audience that, you can submit questions through, the Q&A window any time during the conversation, I'll be on the lookout for your questions to ask the experts during, the session, in. The case that we run out of time and aren't able to get to your questions during this hour we, will stay behind in the studio record, answers and post them with the on-demand webinar, stay. Tuned after the conversation because, the experts will share, some key takeaways. With. That I'll let everyone take a minute to introduce themselves, John. With, you I'm John Carter Ellie I'm the lead on the data loss prevention team here at Microsoft, and. Victoria Warshaw I'm the program manager with strategy, and planning hi. I'm Bill Johnson, and the senior engineer on the azure information, protection team Tom, Jake vissa principal, program manager and Architect for the information protection, program, great. Let's. Get started, Jake, why don't you kick us off and talk about our new data classification and, labeling. System. Certainly, so. It's been a long journey, Microsoft. Started, this this. Program in about 2016, where. We have, reinvented. Ourselves we, originally. Had a labeling. Scheme that was low. Business impact medium business impact and high business impact that. Scheme wasn't. Very well understood, we. Didn't have a, good. Way for users to be able to label and classify their content, the. Content, most. Of the time when when unclassified. And, as. I'm sure Jon can tell us leaked, extensively. At different, points in our past. So. With, the advent. Of Azure, information protection and secure Islands before that. We. Decided to take the opportunity, and redo. Our entire, classification. Scheme. It. Was a big. Task a long journey. And I. Have. To admit it was quite challenging and, quite. A few months of our lives that we'll probably never get back. It. I. I. Have, to say that the changing an organization's. Classification, scheme is it's probably one of the hardest, things that the organization can do if it's entrenched, particularly. An organization. The size of Microsoft, were. 127,000. Ich full-time, employees, globally, we. Have staff, from, literally. Every country, in the world. And. There's such there's different regulatory restrictions. And, requirements. And. We. Then have to you. Know be able to adapt, for that. So. After, after, a lot of research and surveys, along the way we we ended up landing on a classification, scheme that is. Probably not unlike most, most. Other large large, businesses, thankfully. Which. Is general, confidential. And highly confidential. They, mapped pretty. Much one to one to our old classification. Scheme of a business, impact meeting business impact on our business impact we, also have public for. The data that is. Our, MSDN. Articles, github. Github. Content, and other other, content, that has been earmarked. For, public dissemination. It. Approved for that we. Also since. Our policy, here, is that. We want all data, at Microsoft, to be labeled. And. By, labeling, it we we get a lot of advantages, it's not just protection. Because. Of that we do, need to allow, folks, at Microsoft to. Label. Personal, content, we're a company that does support, its. Users, in in. That they're allowed to do personal, work on their on work machine, so. If you want to correspond. With your your. Accountant, or or, your mother. We. Still want you to label your content so we ended up putting non-business, as. A, label personal, unfortunately, is taken by gdpr and many of the regulations, the. Lawyers said we're not allowed to use it. So. That's. The the journey that, we've we've, went with our classification, scheme and it really does underpin. Everything that. We do within the information, protection program. It's. Our linchpin it is. Very. Very long-winded introduction. To -, you, know how we start, this but it's, um that's. Good that's a good base, how. Do we come up with the schema. Again. It was I guess, a lot. Of work so. So. One thing one thing that comes out of this is IT is, generally. Not the organization, within a company that, that. Owns the classification, scheme here. At Microsoft, we. Do have the. Advantage that yes we work up to the Caesar this is I think Brett has. A. Lot, of control over this but, here we have the IR MC so the information or risk management council, ultimately. The owner. However. Seola, no internal legal counsel, have. Has, a very. Significant, part to play as well so everybody had to come to consensus. And, legal weeds they, have the casting vote. When. We acquired, secure Islands and as.

That, Was being redeveloped, into, what. We know as as, your information, protection today. One. Of our CVPs. At the time. Decided. That you know they. Need to know what the default classification. Standard, should be sure we're. Going to offer this to customers. What. Leg up should we give customers, and. That ended. Up being something. Very similar to what what, we landed with but the way they did they surveyed. Over 5,000, companies and then, we also did an internal, survey. Microsoft. Employees, we, needed to find a classification scheme, that. There. Really resonated. With users. That. People could intuitively. Know that hey if I see if I see a file on my distance there's confidential, I've really got to protect that. Because. We're an international company, we couldn't, use. Two. Different labels. Like restricted. And confidential, in Europe, people will generally think of them as one way go. To Australia, and they think of the other New. Zealander they think of it in fact the other way again it's. It, gets messy. So having. Confidential. And highly confidential, or restricted, and highly restricted. Really. Does help. Differentiate. The two classification. Levels where we have. Our sensitive content. We. Wanted, to avoid secret, in top secret I come, out of the government personally. And, we. Have, several. Contracting. Arms Microsoft, Partner closely with a lot of a lot of contractors, and if. Somebody. Happened to have you reused, a government label. It. Could look bad so, we, needed to need to make sure that there. Was this. Was clearly Microsoft. Microsoft, classification. Scheme then. We have general which is everybody's. Email. That. If you just start off start, off content, it's going to start as general we, didn't. Want to impose. Any. Roadblocks. Or hiccups to the classification, process so. Microsoft. We we. Generally, don't like putting, pop-ups in front of users so. When somebody goes to save content, some. Organizations, and government circles you, can force a user to classify content on something, here. We, don't. Want to do that so, users, are asked to classify we, recommend, to the user on certain content that they classify. And. We're. Really doubling, down on our autumn. Around, detecting. What content should be classified. Excellent. Well let's get into you who maybe some of the various. Technologies and. Products that we have for. Information.

Protection Because I know there are a few, certainly. Isn't yeah, well. Yeah. There's the azure, information, protection, plug-in all right so that's our labeling. And, the protection, piece and, we have the azure. Information, protection scanner which, is really, kind of cool because it will scan your repositories. On-premise and your and, your SharePoint sites. That are on-premise, all right so that's, really cool and then we have the office DLP. Where. We can set policy, up in. 365. For. Basically. The same sensitive. Types that we're looking for in the sensitive content that we're looking for so wherever, we want to start that, is good, the AAP. Labeling. Like we said in the beginning is our lynchpin so we really do count on. That. Type of that, that. Hook that that. Label hook to be able to help people classify. And protect right, so in that system the. The really neat thing about that is the recommendations, and Jake kind of alluded to that, where. We, detect. Certain content. Whether. It's a, Microsoft. Secret, or it. Might be a. Legal. Person that, is, typing. In some, attorney-client. Privilege type thing and then we can recommend to them that they should protect that content. With. Highly confidential, and then they can choose that protection appropriately. For. That audience that they're writing to so, that's really neat and. That's just a combination of, doings, looks. At the content, and then. Recommending, it and, we, usually start with I, always call it the crawl, walk run type, of. Protection. Where first. We do the crawl where we're really just deploying. The tool and asking, people to label, and then we with recommendations, right. And let that go for a while so people get used to it. And then, we'll start putting in what, we'd like to call the bigger, hammer right, and then automatically. Protect content, and. That's where our June journey is going as well be able to automatically. Protect, the content, once, once. We figure out if our, logic, with the recommendations. Is accurate. Enough so, anytime, that you do any type of new policy, or detection.

You. Always want to make sure that you're not having a lot of false positives all, right and, once we are clear, with that then, we can start doing more. Automated. Stuff. Through. The through, the AIP scanner, and the AAP labeling okay all right so. I guess you internally. Here. We. Do try and use Microsoft products first nice yeah, Microsoft, idea obviously we should be using and, leveraging our, capabilities. That. We have one to enhance. Our own products to help, detect bugs before customers, get, their hands on it and have, to suffer and. And. And third. Third. Though that we do use some third-party products. The. Advantage. Of ARP scanner for us is we did manage to retire several several other products that were not integrated, and we have, managed, to now move to effectively. A single reporting, system for for, when, we detect content, so. We. Have ARP labeling, which provides, you labeling, in. Word. Excel PowerPoint and, outlook, on on Windows devices. We. Have, the ARP scanner which will provide you labeling. And automatic. Detection for unlabeled, content, on. On-premise. File shares and on-premise, shared websites, which. We do, have a lot of still where we're. A hybrid environment as, many organizations, are and abjure. Near the cloud is is is, still persisting. And then. You, know I guess on top, of that we then have the the, office365, and shaping capabilities. That give, us you, know and. It's, continuing, to enhance. Labeling, protection services in the cloud and. Then we have our third-party services. Microsoft. Does. Acquire companies from time to time those those companies may. Not be, using microsoft products when we acquire them. So. You know we, do partner, quite extensively, with, with you, know third-party, cloud services, so. We we do leverage, although, we wish we could use a lot more internally. Like so Microsoft cloud app security which. Can provide automatic labeling. Protection, in the cloud the. Key thing here is that those labels are going to be the same. Whether. Whether. You were using it on premise or whether you're using in a cloud or. As. We are in in some of our more. Specialized. You, know edge protections. We. Can detect those labels, into the party products as well so. Wherever. That content, goes we. Can detect the label and we. Have had some very, good success in you, know identifying, some really bad business, practices. And, that's our key goal right is to have the protection follow, travel. With the data yeah. So then the labeling will should always be persistent, content. That needs to be protected should, be protected, those, users, who need to access and use that data can access at the right place at the right time. We. We, also, you. Know our culture at, Microsoft, really. Allows us to take a soft-touch approach. You. Gentlemen like to maybe, talk about how we interact. With you know our customers, as we we discuss. Some. Of the DLP and how we detect things, so. With. A IP scanner as we have findings. For. The. Individuals. That may have. Data. Stored that sends us alerts we're able to reach out to those users and find. Out is that a bad business, practice, is it, just. Accidentally. Stored in a place, that has, more permissions. Than it should. But. It does find a lot of data out there whether, it be personal information. That should. Be very highly, protected, or company. Data that needs to be protected and we've, had findings. In both and we're working on improving the security of data across Microsoft, right, that's that's the one nice thing about the, about, not only the scanner but all our products, is that it really, does help us detect, where, there's, bad business practice because let's face it where there's, bad. Business practice that's where leaks have a tendency, to. Proliferate. Right because people are just really trying to do their job they're not doing, anything super, bad, right, but they're just trying to get their job done on time most. Efficiently as possible because we're all kind of super busy but. This actually allows us to go and work with those those, units here around Microsoft, from the entire world to. Help better protect themselves right. So it's a we. Partner, with with. Our we call on internal, customers, when we onboard, them into our services, to. Really get them to do the best practices. Get. Them to get used to labeling. Protecting, and. Not. Only that but doing all the basic. Security. Stuff. That we really want them to do like locking down their shares and stuff like that and the findings actually help us do that right because we can paint, a really good picture show, a nice little power. You, know power bi graph, to say here's, how much you're exposed right now and and that really kind of starts the. The. Engine's going on, really, cleaning up this stuff bill. Had a really good example where you found a open, file share and we. Just sent out a huge, email.

To. Tell, people to clean it up and they'll, correct me if I'm wrong it took about three days for them to clean. That up that's correct there were about. 5,800, findings, and 5,600. Were remediated. Within three days yeah which was really kinda that was probably our fastest, that we've ever done because it was it, was it was just a it. Was exposed to, everybody. At the company so, that. Business, practice found that. That's practice, solved and that was that was really kind of a nice win for us and we have a customer, question that's touching, on that too sure. That's. Asking. If we have a detection, tool utility, service, that, determines, the sensitive, data and data. Types. Do. We have a detection, tool or, utility, or service, that, determines, sensitive, data or data types yes, and that would be the AAP scanner and. So, the, our. Journey. With. All, our data loss prevention is to be able to write policy, once right. And this is the really cool thing with our with our stuff is we can go to the security compliance center and write. A policy, for, you, know, whatever. Sensitive, type that you want and. Then that can be used in o365, in exchange. In AIP and in the AAP scanner so now you don't have to. Recreate. That same logic and all the different tools right, because, that's the one thing that we've seen over the years is that you can't do a certain thing there's. A regex, that that. The tool won't allow you to do look back or look for where it's something that's really performance. Heavy and, in here and so you have to tweak that and so the logic, the. Results, are kind of different then right from one system to another and, here we have the. 1:1. Logic, for to rule them all basically, and that clears. Up a lot of misconceptions. It's it's. More accurate and, it's more actionable it streamlines that, it's a manual work that your team has to do is write analysis, exactly, yeah, and transcends. Away the libels go as well so yeah. Those. Policies, will apply can, be used in cloud. Security can be can, be used literally. Everyone there. Is a bunch of policies, out of the box so depending on your exposure. Step. The standard HIPAA rules the, US. Social Security numbers the Australian, identity numbers, the European. Identity. Numbers. Credit. Card numbers and, and we have those. Standard, policies, you, know here at Microsoft if we see more than X social security numbers or credit card numbers in a file made, a classifier that is highly confidential it, needs to be encrypted. And. Then. That. That. Detection. Logic being, the MCA the Microsoft classification, engine is what is used across all a party, products so, one billet one as. John. Said one piece of logic used everywhere including, possibly detection. And. Then on top of that a IP scanner, has the ability, to actually.

Force Encryption, on those files so. We're able to take, a file that may have X, number of social security numbers and force, it to be highly confidential, and, this was a this was a problem that we had with with. Some of our previous. On-premise. DLP. Data, at rest systems. While, we could detect that there, was you know content. The. Tune of being down we can alert users we, had some real issues with the remediation process like. Yes. We can remit we can put it in a quarantine yes, we could tell, a user but that user may have moved on. They. Have a lot of you know a lot of vendors at the company, the come. And go. Don't. Necessarily, know who their manager three levels up was at the time because, they've, also went on. So. By, being able to apply protection. In place the file the file is protected. But. It's still in its location, and still is the same file and somebody, with the appropriate rights that, the company can, then still discover, and access that content. Okay. We've, got another couple of questions here from the audience. Related. To sharepoint. Online so. How do we handle search, results, and sharepoint, online for, a IP protected. Content. It's. Coming. This. As, I'm. Sure the customers, have have. Suffered. At times, sharepoint. Does. Not play. Nice with rights managed content if. It is rights managed, it is a binary. Blob. That. The, the, scan engine of sharepoint, cannot access. There. Is there. Is a roadmap in place, that. That, fixes, this and fixes across across most of the most of the. The. Office 365, suite. We. Have when. This is came to come, to bite us more. Times that, what hums the nut than I care to count, we're. A very powerpoint, heavy company. And. A lot of executive, assistants produce. Powerpoints, right, up to the last minute before it goes in for executives, quite. Often ten, people at a time editing, a single PowerPoint, document, you know co-authoring. Is a big thing here if. File, is rights managed. With. RMS protection, that, will not work today. I'm, happy to say that we've seen. Seen. What is coming and we're we're quite excited about it that, that, problem will be fixed and the the rights that will on the file with, RMS, will, be honored in SharePoint. Along. Along, with the rights of the the SharePoint site, it'll. Be a major step forward. And. Also some of the things that we are talking about about here today is. What we as MS, IT or, most cloud services engineering dear Sarah get to use so, we are do. Have a bit of an insight into the private preview realm and some, of the it's, one of the advantages, of that yes we're testing it before it goes out to the users but, you. Know it. Does. Give us a. Leg. Up in in fixing some of our internal processes what are the questions from customers usually as win right so. You want to talk about that the. Roadmap I don't think I can I'm not, not with authority, Authority. Its, we. Should be seeing things by by. Later. Than later this calendar year there. Is certainly, a, private. Public preview happening, of of. You. Know I like here, in, in. Mac, clients, right now so while we while, we do have the. ARP plug-in for Windows we've, always had the issue and, been. Our number one ask of the product group is we need to classify label, and protect content on all, devices no. Matter where, it's created, or where it or where it goes Windows. Devices are great we have I think about, 40,000. Mac's on on our network. It, has a huge, number of non, Windows machines. So. We need to give, that capability, of it to them as well so, office. Is building. The the labeling, and protection, capabilities, using the same engine the same labeling, directly. In the office and it's coming to Mac first don't. Be mobile, and web and then will be rewritten into the into. The Windows applications. Great. All. Right are we ready for another question sure. So. Right equate occasionally, we do acquire. Other firms as you mentioned.

How. Do we approach, potential. Labeling, conflicts. We do. With. Anything, through this one this one as well. Carefully. Every. Every cases is different. Some. Companies that we you, know that we acquire our operators, hold independent, and some surgeries, which we should give them some of their own rights. Some. Companies, that we that, we do acquire come, on board onto a Microsoft tenant so. If they're coming on to the Microsoft, tenant we are one company, we are one Microsoft. So. It is, a case of you. Know the Microsoft, labeling, is the Microsoft, labeling, we, can extend the Microsoft labeling with sub labels and we we are doing that for for one one. One, of our subsidiaries. At, the moment lack of a better term. Where. Where, they can then access you. Know label. Some of their own content to protect their own content independently. The. ARP scanner does also have an interesting, capability. In it in that it can transcoder. Labeling. So. If if. We are in a situation and, we have been with some of our. Legacy. Data lack of ability to us then I actually mention. That to ya, is. Some. Parodies companies that we used it did have a different labeling tool the. RP scanner has the ability to go through those labels, and if you have done a mapping, and said, this, restricted. Label, or confidential. Whatever, equals. This new label it, can go on it can understand, the old labeling, and apply than you yeah, we've done that with our old labels right so when, we were when we first started, going out and I think we still do have those it's. Under the recommendations. And the information. Protection plug-in. Right so if we look if we find, the old label we, would recommend to change, that, that. Classification to, if it's medium, business, impact, we map. That to we asked them to map, that to the. Confidential, label, so, it's really you can do that with him. The, AIP label, so you can find it and then ask them to change it or like, Jake was saying that you can automatically, change it on them if you're.

Convinced. That that logic is right. Okay. How. About we, have another question about cleanup. And. What does that mean in our org and how, is it accomplished, you. Know I'm gonna, I assume. That's. Remediation. Right, so. If we, yeah. So that's uh that's. An interesting one that's where the analysts come in right so we, have, well. A team of three. Analysts, for the entire company which is you know kind of. Overwhelming. At times but. What we do is we work with. The. Employee right, the the vendor of the employee and the information, worker to help clean up right so we. Can set, off for. Example in office, 365 if. You have a detect. On a piece, of file that somebody put it up there you, can send a user notice to them saying hey by, the way it looks like you put this document, that contains. You. Know patent information I can. You please go and either, clean that up or write to protect that thing so it's. Protected, better, so. We do a bunch of emailing. Back and forth to, the information. Worker. To. Help them clean up and it's a really, good it becomes an education, and awareness right, and, a training opportunity, for us so. That's really how we and, then we do. The cleanup or what we do is we there. Are certain, groups that also have. Security. Minded individuals, right, that are responsible, for making, sure that that, particular organization is. Following. Either, the you, know the SDL. The software. Development lifecycle and, things like that so we will actually use them to, help us remediate, within their organization. Too so, we'll push data to them saying hey we, there's 50. People. In your. Organization. On. Some files and. Oh 365. Or, like. On the file. Shares that they told us about can you help us go and clean them up so, we try to leverage our, internal, customers for that as well because. It makes it a much better and. Quick, or cleanup and. We do have some reporting, requirements, around it around this as well so as, I mentioned at the start the. Owners, of the labels of the information, risk management counselor so is effectively. A committee at Microsoft. But. As a sub organization. To that you, have the classification, working group so we, every, organization, of Microsoft has a data steward the data steward is ultimately, responsible for the classification of all the data within their organization, and. We can leverage. That if we're not getting traction or we've, you, know detected, value business business, practice, again. Yes we could automate a lot of this yeah we could automatically. Apply classification. On the spot. We. Could just send emails to the user and the manager going hey fix your stuff. But. We. Prefer the soft touch so. We, reach, out and help, the users, do, it that's, our, companies, all. Right we've got a very similar question about like. The ad atom rules. You. Know you're talking about data stewards, and, I, got to clean up and whatnot. Where. Do people go, like. Saying those two words or you know a manager, gets the email like you need to. Clean up these files how, do they know what things mean is, there a glossary or, how, do we educate. And. I will, say the education, and awareness campaign. That we that, we put forward for when we changed our labeling. Certainly. At. The time I was fairly new to Microsoft, was probably, one of the, largest things that I'd seen that Victoria. Got. To run the program a deployment and it was a, yeah. That's pretty much it, what. What it was great is that first we had a lot of pushback but. Then folks. Kind. Of adapted, and they realized that what, they were doing is protecting the company so I mean. Just getting the. Surface. Vulnerabilities. Minimized. By getting people educated, it. Wasn't really the product it was about changing the way they work so, we've. Been very care. So we're now labeling, we always make sure that we have as part of the hover over the description, what the when that data means we. Have an internal site ms protect, that. That, everybody. The company knows. To or should at least know to go to for anything to do with with. With protection so, there's, quite a large section of ms protect devoted. To data classification, with, bunch, of frequently asked questions, with, handouts. That you can you can print off and put on your desk we, even produce cards. With kind of the role are going if it is you know if it's an IP address well, what does that map to if this code what does it map to to. Provide guidance but, ultimately. The the the, decision-maker and the. Person, who can say no that data can. Be handled, as public is. Is the data steward that is that is part of our data classification framework. And policy, which. GRC. Owns which we, did have to create as as part of, this program right. Yeah, and when you're going after certain, types, of secrets, or. You. Know sensitive types, the.

The, The, notices, that we send out to people are. Very specific, to that particular issue, right, so and then that's where the analysts come in they can help go okay it's this string, that have found right it's a. Password. It looks like a default passwords in here here's the string go and remove it and by. The way change it if you're really using it as an equal password so. It's a, the. Way that the, way that we handle certain types of. Attacks. Is really read, around there because every, sensitive. Type is different all, right so. The so. We try to really, kind of narrow that down for the information work or does it make sure that they that, it's it's limited in the endoscope so they don't have to think everything, so we really try to, specify. The issue that we find alright how to do it correctly and how to do it correctly and that's where the internal, sites for like the MS protect is here's how you. You. Know edit. The piece. Of content to flag, it as a false positive for o365, that if it was or, if it was a true positive and you really need that data there you, know talk to the analyst, and figure out the best practice for that. So. It's really specific around that sensitive type now every, room is an exception, for, every role is an exception so we, have an exception process and in place as well to manage, this which again normally involves. Management. Ok, there's also really prescriptive, guidance on ms protect as you mentioned, and also. You can go through helpdesk and they'll contact us if it's, something they can't do so. It's. It's. Pretty much a full circle, it. Makes sense, so. We've we've talked about how big. Of a deployment. This was and what a big effort it was so. How long did it take. Well. Took. About a year. So. And again come, back to the crawl walk run as. We deployed, slowly. Right. To. Organization. So we started with our own first right to make sure that the, deployment went well and. That there weren't any bugs and then we started introducing it, to, two. Other organizations. Right and, Victoria. Did a lot of that working. With that senior, leadership in those orgs, saying hey this is about to come, and. Doing. That that. Education awareness before it actually hits, the people's machines all, right so then we just did it or by, or by org and. Then, you know as you, go further, you can see where some of your recommendations start. To. Falter. Right because you know the more the more people and the more different types of content you have the more chances you have for errors, right, so it was a constant, like. Fine-tuning. Of the, policies, and the labeling, and that and that's that's why it took so long. Otherwise, we could have just deployed it out to everybody and then that just would have been, kind. Of a nightmare. But. On that point and Bill can attest to this our product group partners are amazing, yeah a lot, of programs, I've worked on you, asked them to fix something for the customer and it takes a long time these, guys would fix it overnight and they. Get right back to us ask us to test it I mean they were, the most wonderful partners. And so, I just makes. A big deal to, have someone, that really cares about what the customers feelings so it's to provide slightly. More pointed, answer to some of that as well this, took us about between, six and nine months to complete the policy, work, policy. Work was completed, we we. Did take our time in deploying. Between. Six and twelve months to deploy, everybody, we. Were deploying in waves of about twenty thousand users at a time targeting. Users and all. Their machines so we deployed through SCCM.

For. On-premise. Corp drilling machines and in tune for. IAD. Joined as well as workplace joint machines any machine that can access corporate data has, a harpy installed, as. A tool to help them classify. I don't, think we've mentioned Windows, Information protection yet, and, where that fits in that. Is. A product. That we're certainly hoping, to use more Microsoft, we're. Using it in a limited degree, around. 30,000. It's. About 30,000. Yeah. And it's it, it. Has potential to give, us a lot of really good telemetry. And in, that and, so, we're deploying and, in, certain orgs, that, require. Even, more stringent. Review. Of how, people are actually using the data so. It's. Based, off of, location. Right, so that's where it kind of we. Need it to be a little bit more label aware and it's not there yet that's coming, right so so, the, current instance of its, location, so anytime. Anybody pulls, content. Let's say from the onedrive for business or, SharePoint. Online it. Automatically. Protects it with court rights but just really cool because then it blocks people from sending it out to Dropbox, or or. Gmail or hotmail or. Whatever or onedrive, for personal, right. And. It gives us that kind of telemetry of it you know but but. Like we were saying earlier that, we have this multiple multiple use. Here right so there's sometimes it's personal. It could be somebody's tax returns, right, and we're, actually you, know so if they leave the company the, problem is is like they can't open that up right, so, they. Have to change it to personal, before they can, before. They can use it so we're, we're working with the product group really closely to get it to the point where we, can deploy it everywhere, we're. Certainly hoping in the next couple of major releases we will be able to go company-wide you, know I'll, I'll. Ask on the product group on this is. The labeling, that we have in. AIP and in in the Microsoft, Office suite of products transcends. Into, into, whip so, somebody. If it is already label is highly confidential it. Becomes whip protected, on the machine and, users, are aware in. Windows that it is that, it is highly confidential and. Then they have the ability to change that if if they need to and go through the same workflow errs provide. That business justification while this highly confidential file is now on business and you're sending it to Dropbox because. And. In some cases that's a. Legit. Transfer. Right but it doesn't require business, justification on, why. Right. Because once you once. You you know once. That leaves you, don't know what's happening to it and that's where the protection actually helps financial. Returns are highly confidential up until the point that they go public yep and then everybody, can access them so we, need. To support workflows, like that good. Point. We've got another question here, are. There any tools available, that. Convert labels, when files are migrated. From another. Tenant. So. I. Know. How I would do it I don't. Believe that it's. Probably. Take that one one offline and check. You. Can search for goods right. IOP allows, you to particularly. ARP scanner allows. You to search, for good so if the content happens to be local. You have the ability going, through and automatically transcoding, that with with, ARP scanner. Where. The where the content, is you know in email or in in, Word documents, and again you're opening in you know without the plugin locally, yes, because, if you assuming. You've had headers and footers and again. The good is in the file we, can provide other recommendations. Or. You. Know automatically, reliable. Doing. That automatic, relabeling, within SharePoint would require some form of recrawl. Yes. And I think you can at least do, a. Policy. For, that particular, label that particular, do it because that's you, have the ability, you know 365, to look. For content with. Custom. Properties, within the office, week right, so you can look for that and then, set. A. Policy. Tip, on that word doc to or the office, doc to ask. Them to real able that so. There's there's there's ways but there is an automatic.

Way And o365, yet to. Change that label okay. It's not nothing I know, of that would go move everything from tenant a lieutenant. B and change labels yeah that would need to be a full export report, oh god right, I would need to ask the product group and. If they are importing, all that stuff right that's all brand-new content. From. The DLP, systems standpoint, right so it will actually, recrawl. All those documents, and then, at least at, least you know how. Many how. Many files are labeled, with that old one right and then you can start a campaign to go and, reach, out to those folks again you can use the the, user notice and o365 to send that notice out and. Then, work with analysts, and make sure that that gets relabeled, okay. Similarly. How. Do we deal with false. Positives. Yeah. Yeah. So. My. Team is really. Kind of we we, don't mind false positives, up, to a point right so false, positives, to us gives, us some idea of what, other stuff we have to look for right, so in the beginning there's, lots of false positives, right so we, will. When. We set policy, we start, again small right, and, try to get a handle. On the. False positive, rates and then we just continually. Tune right and so it, could take depending, on the type of logic it could take anywhere from a week you, know to really kind of tune it to, a few months right so the more that you go out with your policy, the more, findings. Are going to have and then the more learnings are going to have so we've run into many instances, where we're. Looking. For stuff when we have a ton of false, positives, and then. Analysts. Would come back and go hey I found this all, right so it might have been in. I. I, don't. Know a. Australian. Identification. Number right, but it as, a and that was a false positive but, what it showed us was that there was a. File. With, case, numbers that look like that but it had personal. Information about everybody, right so we're like oh we have to look for something like this so then we'll go in create, another policy to look for that so. It's really just a fine-tuning, thing over and over again. Office. Does give you the ability to. At. Least. Yes. It does give the yes. It. Gives the it, gives the analyst the ability to ask the end-user, to, to. Flag it as a false positive so that's where we in o365, you have policy, tips that pop up and. On that policy tip. They have, the ability to go no you're, wrong which, is cool right and. Flag. It as a false positive then, that file won't get picked up again unless, it's edited again with something else and then I'll say hey it looks like you have this in here now. So, we try to work with the information, worker to help us tune that because. Sometimes we just don't know, is, this really bad or not right it all depends on the logic and, we. Did pull some metrics, as well from that from the IRP I mean we, can we can determine, how many times a recommendation, was dismissed. So. That's something that we we have a I know that's not public and, that's that's something that we get in get internally, as, part of private preview. But. That gives us an idea of how, far off we are that, you know and that numbers in the you. Know you, know tens of thousands, of dismiss. And dismissals, we, know we've done something wrong in our recommendations. Okay. And then when we're rolling out policy, uses that and. A IP or, office, DLP. Everything's. Done done at once the same set of policies every week certainly, should be we. Do we generally, do scope it so we have a couple of test groups you, know our organization. Small. Team. We, then have the the. IP RMS team which includes us, as, well as some product group trucks so. That the guys that actually, build the build, the tech so. That they get to experience the, recommendations. And. The labels and, then we normally either roll out to a fall or company. That. Depending. What we're doing like you can target. Labels. Scope, labels, particularly, to small teams, so. If we have, a, somebody. In research says I'm working on a special project called, project whatever we. Can say well whenever we see project, whatever from, your team, automatically. Classify, and apply that label and that stuff is generally. You, know we test that it's direct.

To That team that team tells us we go, right. Okay. Let's. See we have another one here. About. Our. Remediation. Process for. Any flame for those playing items. Okay. Well so from. What. We the. We. Pull. Data from oh, three sixty five right, for. All the events that we get from. From. Our policy and then, we display that for, our analyst, in power VI right so we're pulling that data so all that metadata and, where the file is what, the what, the sensitive type was who the last modifier, was is all, right there for us in a nice power bi report, and then. The. Analyst. Will actually take a particular org at a time and go, and remediate those findings, all, right so it's it's, one of those it's that Rebecca that remediation, where it's just it's, a the constant, I like to call it the police on the street right, when, people when, the analysts reach out to that. Soft touch with that information worker, there's, a lot more interaction going on and the some, of the automated email. Notifications. That we would send I. Guess the other the other thing with that one is we, do only have three analysts, yes, so. For even for a company of 120, you have 7,000, ft years plus vendors we, we. Are successfully. Doing this, with. A soft touch approach with. That resource. Yes, yes. Somebody. We how, the eye is a magical, thing at times when it sits right yeah yeah yeah and if we're having if we're having a hard time getting responses. With a particular, org we just continually go up the chain right so we'll go to G I'm level or even the VP level though hey we have this major, issue, by, the way here's a picture of it right and, then the pie charts, and the graphs really looks really good and, then, all of a sudden the. Responses, start coming it's it's just amazing right and, it's, you know again, throughout the years that I've done either leak investigations. And, this. Stuff, user. Education and awareness on a continual, basis is. Really, what we have to get to otherwise, people forget right they have other jobs or not security minded. Change. It's a big cultural change all. Right we've got another customer question. So. You, talked about crawl, walk run could. You describe a typical timeline. Expected. To reach maturity. From. L1 to l5 in a large scale say. Fortune 500 company. I. Guess I did like timeline, I guess it depends on what we're actually looking for right. Unstructured. Data. There, was a lot more false positives so I wouldn't, want to. Throw. Yeah so it would take us that. There are times where it, will take us like a day. To you, know push. Some push policy, out globally right. Because. It was it's a really easy. You. Know secret or a sensitive type that we're finding other, times it might take a week or two just. To, get a handle. On the the, number of events that might be coming in because. We don't want to flood the analysts right because once you flood them then, the. Data becomes a in actionable, right there's this it's almost like information. Paralysis. At that point it's like what do i do. From. A. The, appointment tech standpoint. The. The. Tech is fairly easy to get, Paul's force policies, from office 365 that you, know you probably, already have in place or, if you've got using. SharePoint you probably have into the DLP policies, already in place and know what you need to use yeah the, thing. That is time-consuming is, making sure you go to labeling, a classification scheme that. Your users, one understand, and two abides by you know all legal and regulatory policies. That. Barry's company by company I don't speaking to spoken to a few companies that already had one that was fairly well embedded. Or they happen. To work closely with government, and was leveraging. A government standard. In, which case they. Were set from a policy standpoint they just needed the technology. To be able to support. So. That that is of an undefined. Length of time depending, on on how, mature you or your, policy, framework. Is.

From. A deployment standpoint, our general. Recommendation. Is thousand. Use a pilot, group make sure that you have your recommendations. You know in touch leverage. What you're already using, in office, 365. Or exchange, deal theory or anything. That you you have in place look, for the same stuff initially. Make. Sure you're not not creating too much churn, for your users, and then. You, know you can go whole company, do, not go heavy. On protection. Yeah. I. Ran there recently. Labeling. Is great, labeling. Doesn't. Break any external, systems, if, you happen to RMS, protect content, depending. On where your RMS content, goes we had a bunch of legacy, on-premise mail servers, and, quite understand, RMS we had some, homegrown, ticketing. Systems, that didn't understand RMS if, you if you start encrypting, all, content, without, understanding what your environment. Is. Whether everything, supports, you no rights management you. Will break things so be gentle protect. What needs to be protected. Even today with SharePoint. Not understanding. RMS correctly, we still push users to highly confidential we prefer that the. Further content, encrypted, on SharePoint is a binary block, protected. Then. The you know the collaboration. That we're, losing it. Isn't unfortunate, you know seesaw in this in this case where security. Is winning over productivity. And. We're certainly hoping to level that out in the next six to 12 months but. There is some toxic, data that companies have that, should be protected. Wherever it is right, but, there have been several, fortune, 500, companies that have already had been early adopters and so on the average I don't think it took, them as. Long as it took us because. Of all the testing we did so I mean. You're. On the product groups perspective, it was a couple months right where it was just, depending. On how mature they were yeah. We if we took out all all, pauses. That we had in out employment, due to well, we want to fix this or we want to tweak this because we're the first company, in the world to deploy this tech we. Could have been done in three months, after. The policy was written you know we had our classification, scheme we had our education, in place right. Yeah. Just give them an idea what. Yeah there, are several, companies that are using it already and. So. It's not just us they've been testing, it but it's gonna get better in the production department protection.

Is What, I'm excited about. All. Right well we're almost at the top of the hour, and. Before we go I wanted to ask each of our experts, to share. A key takeaway with our audience, Jake. I was gonna start with you but you were already head, of providing it there. Yeah. I thought I'd just have to reiterate that like it's. The. The, tech is good. Regardless. Or which you know which piece of tech was spoken of a couple would you, know a couple of the huge suite that we use here today. But. None. Of that could happen unless, we had the policy and framework behind it if. You don't have a classification scheme, you don't have labeling, or your users don't know or understand, your labeling then it's kind of like what we were two years ago and, it, takes. Time, to educate, users. And. We. Guess. We're also hamstrung, in that we can't force, a user to to, classify, and, rightly so we, don't put a pop-up we try, to educate the user and we educate the user heavily, and we, are investing, heavily in in the automation components that's. Where users should focus and. The one thing we should mention is that you, do have the ability to do pop-ups you do certainly, do we just don't yes we just don't unfortunately. Yeah. So. The tools are in place, the. Education, is key as long as users are educated. And understand. The importance, of classification. The. Tools should. Start to find fewer and fewer false positives, and then. We'll be able to move forward from there. So, my key takeaway is just. The the industry threat, surface, is getting so, broad and this is a great foundation to start to begin, getting. Better. Security practices in place being able to classify, label, and then eventually, what's, coming very soon is to protect so when it when oh three sixty five makes everything. Native, and it all comes together very, very soon you'll. Be ready to start, that protection piece and it, it, should be a. Game-changer, for the industry. I. Think the one thing that the. Key, takeaway, is. Having. Buy-in so first off having the buy-in from the senior leadership that this is important, right otherwise, you, know grass roots from the bottom up work to a certain extent at. Some point you need that top-down, view. And. And. I guess the last. Piece is the. All. These technologies. Are coming. Together where, you can have one council, to rule them all and I think that's the one thing that I'm really excited, about is, I don't have to go to three different four different councils, to create logic, for, the same thing I'm looking for all over the place I think.

It's Going to be I think that's one. Of the huge things that I'm. Looking forward to alright, because it makes my job easier, and it, makes it more accurate. Getting. That unified, Council, is yeah. All. Right well great thank, you everyone, the, on-demand version of this session will be posted soon to Microsoft, com slash, IT showcase. You. Can also find our other IT showcase, content, like business, and technical case studies productivity. Guides and upcoming. Webinars, on microsoft.com. And slash IT showcase, site as well please. Join us for future webinars and bring your colleagues with you thanks. You.

2018-06-27

Show video