
S6 E23
Unified DLP Platform - Monitor, alert and protect data using Purview DLP
Episode Transcript
Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong.
If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.
It's episode 23 of season six.
Sam and I had a discussion around the capability of Microsoft Purview DLP, one of Purview's capabilities that provides data loss prevention across Microsoft 365 and more.
Here are a few things that we covered.
What is data loss prevention and why is it important?
What are the capabilities that Purview has around DLP?
How do you get started and how do you license it?
We've noticed that a large number of you aren't subscribed.
If you do enjoy our podcast, please do consider subscribing.
It would mean a lot to us for you to show your support to the show.
It's a really great episode, so let's dive in.
Hello, Mr. Purview.
Oh, sorry, Alan.
How are you this week?
I'm all right, how are you?
You didn't expect that one, did you?
I'm good, thank you.
Sorry about that.
I just couldn't help myself, to be fair.
So you said Mr., and I think it triggered me to what you were going to say.
But yeah.
Anyway, anything new and exciting on your radar this weekend?
I think there's been a data breach with Jaguar Land Rover, hasn't there, recently?
Oh yeah, I haven't seen any specifics.
I saw a LinkedIn post of somebody like posting a grayed out Range Rover that they should have had delivered recently.
I don't know any specifics.
Do you know anything about it?
I think it was done by, is it Lapsus$? Is that one of the attacking groups?
Okay.
And I think it's a mixture of that and Scattered Spider, in effect like a combo.
I think it might have been, again, I've not had the full thing, but it might have been social engineering, similar to the M&S one and things like that.
Yeah.
So.
But yeah, I think everything's down.
Yeah.
Like you said, no orders, no deliveries.
Yeah.
So yeah, but no, not seen anything else.
I've been pretty head down in work and stuff.
So did you see the thing about the Entra ID actor tokens today?
No, a researcher I'm following on X, I can't remember his name, was preparing for, I think, a DEF CON talk, and he's got a load of tools around Entra ID, like reconnaissance and security.
And he basically has knowledge of the underlying tokens that are used behind the scenes between things like SharePoint and Entra, 365 and stuff like that.
They call them actor tokens.
They essentially impersonate users.
And he found a vulnerability where he could manipulate a JWT that wasn't signed properly to impersonate another tenant, essentially.
So as long as he knew the underlying ID for a user in another tenant, he could masquerade as that user, even global admins essentially, and then just use the Graph API to pull data.
And he had read and write access because he was global admin.
He did disclose it to Microsoft and they fixed it, I believe, within 48 or 72 hours, something like that.
And then he disclosed it afterwards.
But yeah, if you search for, I think it's like Entra ID actor token theft or something like that.
It's quite insane.
And when a lot of these, I'll call them vulnerabilities, with Entra ID come out, they require, you know, somebody abusing the primary refresh token or enrollment or something like that.
They have to jump through all of these mental hoops, do you know what I mean?
Like you have to be an admin on the device and have X, Y or Z.
But this was like, all I needed to know was their ID basically, which I could get from a B2B invite or something like that, you know. So essentially as a B2B guest, you could impersonate a global admin on the other side, basically, which is just crazy.
And then I saw a bulletin about SonicWall firewalls going out tonight, that some people had been brute forcing passwords for SonicWall firewalls, and the fix is to essentially refresh, I think it's refresh the primary secret or certificate, I can't remember.
Which means you have to refresh everything downstream of that, like MFA and session tokens, etc.
So I saw that happening in our sort of security news chat.
So yeah, some pretty big things actually in the security world, I would say.
Yeah, definitely seeing a lot of firewalls and things like that, VPN solutions, getting, you know, vulnerabilities seen.
I think like Forti, is it FortiGate, sort of firewalls or VPN solutions seem to be. I think there's some memes around, aren't there, around it, just saying, you know, which vulnerability you want, kind of thing.
Yeah, exactly like what you say, at one point it was like one a week, you know, for Fortinet, and now, to your point, it seems like every other day. I don't know whether we're just seeing, I don't know whether companies are just disclosing more than they did before, you know, but we're seeing so many more high profile vulnerabilities, if that makes sense, from these, I would call, large vendors, because I would say even SonicWall is a large vendor.
Right.
You know, in the space that they operate, you know, and it's like, I don't know what it is, but I just feel like more recently it's all been, I'll call it, infrastructure.
Does that make sense?
Like, you know.
Yeah.
Identity providers, firewalls, you know.
Yeah.
And it's not like it's things that are new.
No, no.
Yeah.
It seems like, you know, when DeepSeek got compromised and ChatGPT when they first sort of.
Yeah.
Came out.
It's not something new that's been forgotten about.
You know, these have been running for, you know, 10, 20, 30 years.
And don't get me wrong, world's changed since then.
But yeah, you know, they've been... Their sole purpose is to be that security, you know.
But the thing is, I wonder if it's, you know, like that vulnerability that I just mentioned about Entra.
Right.
You know, was that JWT previously signed, and now somebody's pushed an update and they've just missed a line of code out or something like that, and it's become unsigned.
Right.
You know, is it just a case of newer platforms having a higher frequency of bugs because they're new, and older platforms having a high frequency of bugs because they're maintained over a long period of time and their code bases are absolutely huge.
Their attack surface just grows by the day essentially.
You know, I don't, I don't know.
You know, but one thing's for sure, that cyber security is, we'll call it cybercrime, is... it's never been busier, has it?
No, you know, it's almost like every other day that we have a high profile breach, you know, and not just a breach of.
Because we had breaches of data, didn't we?
You know, like ransomware, or literally breaches of credit card or PII data.
But now we're also seeing massive targeted ransomware that is there to disrupt manufacturing or retail lines, aren't we?
You know, I feel like that has become more, I'll call it, quotes, popular, you know, but I suppose that was always there.
Maybe it's just more like mainstream now and, and public and known about, you know.
Yeah, maybe it's that.
And like you said, it's not now, maybe, you know, you have got data theft, which is obviously key, but if you can take down an organization for a couple of days.
I mean actually in the news, I think recently, even today, I think it was G... I think GCHQ or, you know, our side of it, has arrested two teenagers for the attack on the Underground.
Yeah, that was, you know, today that they've arrested them from London and somewhere up north.
Well, yeah, and, and to your point, I don't think just a couple of days.
I was in Marks and Spencer's the other day and I overheard this conversation of, you know, a worker behind the bakery counter talking to somebody about, you know, it was like a product coming in or something.
And they literally quoted like, we're still recovering from the cyber attacks, basically.
And I just walked on by, basically.
I was like, this isn't the conversation for me.
Right.
But it's just like, you know, and when was M&S?
Three months ago, you know, maybe, I can't remember exactly, but it wasn't yesterday, you know.
So.
Again, yeah, it might be their systems are up, but they're now checking supply chain and, you know, broken, all, you know, orders might be manual temporarily.
Or you know, cut the hard lines.
Yeah, yeah, exactly.
Anyway, talking about exfiltration of data, what are we talking about this week?
Just like that. That wasn't bad, was it?
You know, it's all right.
I think you gave it away with Mr. Purview, but hey, yeah, so we're talking about data loss prevention in Purview.
But it's probably going to be... there's probably, again, within Purview there's multiple solutions.
DLP is part of, does integrate with, various other parts of Purview.
But also Purview has multiple areas within it as well around what you can protect and where you can protect.
So I'm going to say it's probably a little bit of a whistle-stop tour or, you know, medium depth into it.
Because I think we could probably talk about one or two of the topics in an episode itself.
Yeah, yeah, for sure.
Right.
Should we get started then?
So, Alan, what is data loss prevention?
And I suppose.
Say that again, wouldn't it?
Sorry, say that again.
It says it on the tin, doesn't it?
Prevents loss of data.
Right.
Episode over.
Thanks ever so much for listening if you made it this far.
Thanks.
Anyway, what is data loss prevention and why is it important for organizations and why should we care about it?
Yeah, okay.
So, you know, within organizations, data is transitioning through various locations and stores, through email, through SharePoint, through file shares on prem, through SaaS services.
And data loss prevention is there to prevent oversharing or the accidental sharing of data that's sensitive to an organization.
Now, sensitive data to an organization could be very different per organization, depending on the data they're, you know, using.
They may have something that's not necessarily standard, you know, like intellectual property, things like that, that maybe they don't want to be exposed to the public or out onto the Internet or to other companies, organizations, etc.
Yeah, they just don't want it to be out there.
And that could be accidental, could be competitors, and this could be, you know, like I said, accidental from users.
So, you know, just sending an email, accidentally adding the wrong Alan onto it and it's an external user, you know, and sending something that's maybe damaging or critical, you know, sensitive to the organization.
So data loss prevention, DLP, is the technology part of preventing, or attempting to prevent, data leaving the organization in the various ways it can, to prevent that data loss, in effect.
And I said it was the technology side because there is, you know, maybe a people and process side, where it's checking who you're sending to, the policies in place about how data should be handled in the organization and things like that.
What should be allowed to leave the organization, what shouldn't be.
You know, we then get down to classifications, what types of data should be let leave and what shouldn't, etc.
And again, we could go down another rabbit hole, you know, you know, around that part.
But yeah, and it's important, as it kind of sounds, to reduce the risk of data leaving accidentally, or when potentially compromised, you know, a bad actor trying to exfiltrate that data in the various ways they can; they're going to try for that.
How kind of, how is it done?
It's in various sort of areas.
So that could be an email security gateway, you know, it could be Exchange Online Purview DLP, but it can also be appliances that look at the network traffic that's running on your network, could be through proxies, through SASE solutions, that kind of thing.
So depending on where you want to protect, it depends on what technology or functionality you need to put in place.
So I think that's.
Yeah, so you can protect as much as you can.
There may be some gaps that you can't protect.
But again, using multiple tools might be the answer.
Or trying to consolidate into a unified DLP solution.
Okay, cool.
Yeah, I suppose that, in essence, we're stopping data leaving via avenues that we don't want it to, and controlling those avenues.
Right, yeah.
And I think there's two parts to it as well.
There is the prevention, so blocking it itself, but there also might just be monitoring.
So whilst you might allow data to leave to a certain organization, maybe a partner, etc.
You might still want to be alerted about the amount of data going that way, but still be okay with it leaving, if that makes sense.
So more of a monitoring and alerting rather than prevention as well.
Again, it depends if you want to highlight when something is happening and then maybe trigger some more investigations with something like Insider Risk Management, etc.
You know, other tooling.
Okay, yeah.
So can you tell us how Purview sort of caters for DLP?
Yeah.
So Purview has, I would say, grown.
Well, Purview itself has grown quite large from a solution perspective, but from a DLP perspective there's now a lot more, I would say, coverage of various... it's not really, I suppose it is data sources, but another way, I suppose, how data is transitioned; they've added additional coverage of where they can help protect from that.
So Purview DLP, as I said, Microsoft's now pushing towards having a unified, kind of what they're doing with Defender XDR and things like that, but a unified DLP platform.
Where originally DLP was really just for Exchange and SharePoint and OneDrive, I think it's fair to say, probably two, three years ago, maybe a little bit further.
And, you know, it was just Microsoft only, you know, like I said, SharePoint, OneDrive, Exchange, being able to do checks on data, things like that.
And I'll go through some of the functionality within DLP itself, but I'll talk about the locations, I suppose, that we can cover.
So Microsoft kind of break it down into three areas.
So data at rest, data in use, and now data in motion, which is the new functionality they brought in recently.
As I said, data at rest and data in use, this covers 365 services: Exchange, SharePoint, OneDrive, Teams as well.
It also includes the accounts as part of that.
So, you know, at rest and in motion within those services.
It comes down to the Office applications as well, so Word, Excel, PowerPoint.
Endpoint DLP, so Windows 10, Windows 11 and macOS, to be able to track data in motion and data at rest on those endpoints.
That's probably a very nice sort of functionality, isn't it, Sam? The Endpoint DLP?
Yeah, definitely.
Yeah.
Yeah.
So we'll dive into a bit more about that later.
Non-Microsoft cloud apps, on-premises file shares and on-premises SharePoint, Fabric and Power BI workspaces, and Microsoft 365 Copilot.
So that is sort of data at rest and in use.
Some of the new capability they've brought in very recently is around generative AI, so being able to see shadow AI.
I think I talked about this about two, three, four weeks ago, around some of this shadow AI stuff.
But being able to do DLP in the browser and network data security are kind of the two capabilities.
So OpenAI ChatGPT, Google Gemini, DeepSeek, Microsoft Copilot, as well as the Microsoft Defender for Cloud Apps app catalog.
So anything within there, being able to track activity, data, things like that as well, which is very new.
So.
So yeah, that's the kind of data sources, and I think it's quite a lot.
I mean, again, like I said, I think you'd be able to cover a couple... well, I say we'd be able to cover a couple of them.
If we think about two, three weeks ago, I was talking about Gen AI security and I think that would have included the DLP capability.
So that's an episode in itself already.
But yeah, so within all of these they then have different controls, and you're able to use the Microsoft built-in sensitive information types, the SITs, which could be credit cards, IP addresses, bits of sensitive information that you might have, SWIFT codes, etc.
Plus any custom ones you might have, or the trainable classifiers.
Again, we could probably talk about all of that as another episode, but using those to detect the types of sensitive information, as well as being able to say, whilst you might be able to use some of that sensitive information internally,
you can then specify where it's leaving the organization, if it's going to specific domains, your email domains, how it's being shared, and whether, if you are using sensitivity labels to classify the data, the classification of the document or the email is at a certain classification. You can then use those conditions, and again you can build those conditions to be quite simple or quite complex, depending on what you need.
You can then apply actions and policy tips.
So within actions, it depends on what data source, or I guess control, that you're using.
So things like Exchange, you can say require approval, block, encrypt it, block the email from going out, etc.
Or you could just do tooltips or policy tips that come up and say, hey, this has got sensitive information, should you be sending it?
You can create a prompt box to come up, an oversharing prompt box, in Outlook Classic, that kind of thing.
So you can start to build it in two phases.
And that's kind of what I was saying around alerting; it may be trying to prevent oversharing by accident, and not prevent it by blocking.
So maybe tooltips is the first stage of deployment, so you can get users to understand where they should or shouldn't be doing it, and then put some of the protections in place.
If we talk about Endpoint DLP, it's integrated, in effect, into Defender for Endpoint.
So if you've already got MDE rolled out, it's just a checkbox, two button clicks, to then onboard all Defender for Endpoint agents into Endpoint DLP to start collecting some of that data, which I think is really easy, and you can manually onboard if you haven't got MDE rolled out as well, in a similar way.
But yeah, that gets it all out there and then covering those endpoints.
But some of the controls allow you to block copy and paste, upload to a cloud service, prevent data leaving to a USB drive, or encrypt it as it goes to the USB drive on the fly, kind of thing.
So almost just-in-time prevention there, with potential to override as well and to capture that override information.
And I think that's really key because, not only, I think you've seen it, Sam, not only is it just doing this preventative stuff, but also you've got the monitoring side.
So in Activity Explorer you can see the activity going to USB pens.
You know, it might be you've got USB pens locked down, or you believe you've got USB pens locked down, or nobody uses USB pens anymore.
For example, Endpoint DLP is able to capture that activity and you can realize that you need to maybe add some more controls in place, because you thought it was locked down and actually it's not.
But I think you've had that, Sam, haven't you, recently?
Yeah, I think the activity that...
The one thing when I'm talking to an organization that's maybe, you know, maybe they've got MDE today.
Yeah.
Maybe they're E5 with MDE and they haven't really adopted Purview DLP.
Right.
You know, one of the first things I really like to talk to them about is monitoring and data, because what a lot of times I see organizations struggle with is how to start with DLP, because it's very customizable and very flexible, and it's almost too flexible in some respects.
Right.
Because every organization is different.
They have their own, you know, regulatory frameworks they've got to follow.
They've got their own sources of sensitive data, PII financial.
Yeah.
And processes, how data leaves the organization, etc.
Yeah, yeah.
And even internal like processing, you know, governance and lineage of data.
Right.
It's all, it's all different for everybody.
That's why it's so flexible.
But with that, you know, comes.
I don't think the interface is hard to use.
But in order to understand what you should configure, it can be quite complicated to get started.
But my roundabout point is that there is a treasure trove of data there that a lot of organizations aren't looking at.
You know, you use the example of device control with removable media.
Okay.
You know, if I'm having a conversation with an organization that does have device control in place, they'll simply say something like, well, we know it's blocked because we've set corporate policy.
You know, but what this is, is a layer above that policy.
This is actually looking at another stream of data to attest, to verify, that that control is in place and it's effective as well.
You know, one thing I really like to do is look at removable media usage and removable drive usage, and to suggest a group of approved devices with a DLP policy that alerts, or creates some activity, when a non-approved device is utilized; it might not ever get hit in a really sophisticated organization.
But for organizations that don't have any device control today, those conversations are usually quite eye opening, because they're like, I didn't know Sam over in accounting was using a portable SSD to copy files back home so that he can print on his personal printer.
You know, like those types of like, you know, risky, you know, insider actions.
It's not malicious at that point.
It's just somebody trying to, you know, do their job whilst they're working from home.
But they might not be following like, you know, proper IT policy and process there.
Do you see what I mean?
And I think a lot of people are missing that today, that they've got the data, they're just not actively monitoring it because it's, quotes, data security, and it is data security.
But it's also the same, you know, because there's two types of activity that it tracks.
One is exfiltration-type activity, which is, like you said, uploading to cloud, USB sticks, removable media, sorry, copying via Bluetooth and all sorts of nonsense.
Right.
But the other part of that is what I call benign activity.
You know, archives created, files created, files renamed, files deleted.
You know, it's not exfiltration, is it?
That's data manipulation internally.
And I think those exfiltration activity types are really important, and I think a lot of people are missing them, even if they're licensed for them, because they're not looking at them today.
Yeah, absolutely.
And like you said, you may have some approved USB pens, or users that... maybe it is full lockdown, but certain devices or certain users are able to use USB pens, that's all okay.
And then it is just on the trust of the user at that point, isn't it?
Yeah, yeah.
DLP can at least identify sensitive information maybe leaving through those users, or IP, et cetera.
And again, you might not necessarily need to block that activity, but maybe you're encrypting those, where supported, at least encrypting those files with a sensitivity label.
So at least then it's protected; it can leave, and no one else can open it unless you're part of the organization, kind of thing.
You know, there's other ways to be secure and still use that same process.
But yeah, so it definitely covers some of those areas, and like you said, having monitoring and that is key.
Even with, and again we're probably diving into a little bit around how you get started with it, but with most of this sort of capability, you don't want to break business straight away with it, because again, you don't know what processes are taking place, because if users are blocked from doing something to do their job, they have to take another route.
It's almost like it is shadow IT, in effect, shadow actions, I suppose, with data, to do their job.
Yeah, you don't want to break that straight away.
You need to resolve it.
But you need to have a solution to resolve it, rather than going, well no, you can't do that now.
And now you can't run payroll or something like that, because you'll say you can't send data to XYZ.
Do you have to jump to full prevention straight away?
Could you not start with user awareness?
You know, if Sam's using a...
I use my name so I'm not blaming anybody else.
Right.
If Sam's using a USB stick, or he's copying files via Bluetooth when he kind of shouldn't be, right, before you go and put a block in place, is it not just worth sending a global awareness email, and then waiting another week and then seeing, oh, Sam's still using it.
Let's just go and have a guided chat with Sam, just to talk about policy.
And then, you know, at that point, if you see sort of rampant usage, like people keep using, I don't know, generative AI solutions because they just can't get enough of them, right, then at that point you've got the justification to say, look, we've tried this, let's go for a full-on block, and then, quotes, break business at that point, once you've got all that ammunition.
Yeah, definitely.
It's, it's.
And again, I kind of alluded to it: it's not just the technology, it's not just Purview that's doing that prevention per se, it's going to be user education about what they shouldn't be doing against those corporate policies.
Yeah.
Because that's the only thing I will say is, you know, I have conversations with mainly IT folk, right, who are really concerned about breaking business, which I am also in massive agreement with, because I do believe the approach has always been to go to prevention, whereas not all journeys end with prevention.
You know, I've worked with some organizations who are like, we'll just run the report every two weeks, and we'll monitor, and then once we've got enough data then we'll look to prevent, but we don't need to put these walls up tomorrow, if that makes sense.
You know, this has been happening in our environment for decades at this point.
Right.
We've just got to work to better user awareness.
Yeah, yeah, definitely.
And I think a lot of organizations are, yeah, concerned, worried about putting DLP in place because of that, going to prevention, stopping something from working, or trying to understand how you put it in place that makes sense, because you don't know how some parts of your business, the data flows, where it should go and where it shouldn't go, kind of thing.
You know, and we know how easy it is to prevent or to not prevent.
Right.
Yeah, it's literally, it's not a checkbox, but it's basically a single action that you can put on a policy.
Right.
So if you did want to rush prevention in, it is certainly possible.
Yeah.
But it is so flexible that you can decide when you get to that point by yourself.
Yeah.
And I suppose if we do talk about, you know, how do we get started with some of this.
One part might be, like you said, to put DLP policies in place, but you're just looking at the reports, you know, enable it, but there's no actions, no user notification or anything like that.
Maybe that's how you start.
So again, build that knowledge of how data is flowing and who's triggering, because it might be that, yeah, you need to send out new comms to say, hey, we shouldn't be sharing data this way, globally.
We're not singling out users at this point, but like you said, then maybe go to that individual if it continues to happen, not to tell them off but to understand why they're doing it.
You know, why are you doing this? Because you seem to do it daily to this XYZ, and it's because, you know, we're not able to access their SharePoint site because it's blocked, et cetera.
So we have to send it via email, or we can't hit this organization's Dropbox.
That's secure.
Whatever mechanism they might have, try and work out why users are using alternative routes for the data.
But I think there's probably a third stage, or second stage, which is actually doing the tooltips and maybe the override side of things, where it's like a soft block, if that makes sense.
Being able to tell a user, hey, you're sending sensitive data in these attachments to these external users or to this personal email address; please make sure you're complying with our data governance policy internally, or communication policy.
At least then they've had to click OK to it, and they've had to make a conscious decision, per se, which might then help reduce the accidental sending, or start to deter that sort of activity.
And then, like you said, with all that data, then understanding how you block and what exclusions you might put in place, you know, maybe you are able to send these types of data to partner organizations, but everyone else should be blocked.
That's when you start building that policy up from there.
So yeah, I think a lot of it is a journey. Definitely email out through Exchange, and potentially SharePoint, are probably, not the hardest, but probably the longest running, because that's where the most transactional, transitional data is happening.
Endpoint DLP, again, is probably quite similar.
But if you've got a policy that says no USB pen should be used, then that's quite clear cut, if that makes sense.
But yeah, comms out to users, notifications, and that's.
And then, yeah, for removable media, I prefer an approved device list and with just user comms for anything you detect that's not on that list to start off with, that's a really good way to start because usually when you then talk to the user and ask them, you know, why are you using a, you know, personal removable pen?
Oh, because my print has been broken in my office for three months.
You know what I mean?
I've been taking these files home to print.
You know what I mean?
It's like, that's a really stupid example.
But that will happen.
You'll find those real weird edge cases, you know, or, you know, you know, when I'm at home, I can't print with my own printer because, you know, X, Y and Z.
So the only other bit that you did mention was policy tips.
The other part of that I've seen work really well is when you monitor for the DLP undo activity because you see, that's a really good feedback mechanism where you allow users to undo DLP activity.
So it doesn't block the user experience, but you get that feedback in the portal about what's happened.
So I do really like to see how many hits you've had for a DLP policy versus how many times they've been undone as a percentage of activity.
And you can then highlight those specific, like, data, you know, data activities and then you can really form a hypothesis of why they did it without having to go and ask them about, you know, hey, Sam, why did you undo this DLP three weeks ago?
Oh, I'm really sorry.
No, no, no, we just want to know, you know, why it didn't work for you, if that makes sense.
So that's a really, really powerful tool.
Yeah, yeah, exactly.
So.
But yeah, it's, it's, it's like you said, it's very powerful.
It covers a lot of areas.
I think with the, the covering all the SaaS services that Defender cloud apps can cover, it's going to be very strong.
That's quite new at the moment.
And yeah, generative AI, preventing, you know, data going to those, as I said, you know, a couple, two or three, four weeks ago now, that's key as well from a DLP perspective.
Yeah.
Because file uploaded to cloud wasn't that great.
Like really.
Because it's, it hasn't got that catalog.
So I'll definitely be looking, I haven't, I haven't, I haven't used that yet.
So I'll definitely be looking at, at that.
Because you really want a more generic like you know, block or alert me to generative AI apps versus, you know, chatgpt.com, gemini.google.com, blah blah, blah, blah, blah.
You know, you don't need it to be that granular.
You want that, you know, that catalog basically.
Which would be amazing.
Yeah, I mean part of the DLP settings is that you can set service domains and groups of service domains so you can specify what is allowed, you know, cloud services.
That is based on domains rather than.
Yeah, but you don't want to set that up though, do you?
Like if you've got Defender for cloud apps.
Right.
That's the whole point of it that that catalog, isn't it?
You know, because if, because like I only really use it for the AI example because typically organizations will just use like one or two AI solutions.
So if you're just like a Copilot place, you just want to block everything else, don't you?
Or at least alert on other things being used.
Right, you know.
Yeah, yeah.
So yeah, there's lots there.
Again, we could dive into the various other areas and we probably touched some of them, you know, on premise, you know, using the file scanner, the Purview Information Protection file scanner, to be able to check the file shares and check permissions there and whether it should or shouldn't have access there as well.
So you can change the permissions there.
Rather it's not necessarily, it'll be data arrest at that point and just preventing it from, you know, certain users or certain groups from having access to it.
So just changing the permissions locally for you to prevent XYZ from having access, that kind of thing.
So yeah, I think again we could talk about this for hours.
I think we've talked for 30 minutes on top of our 11 minute intro.
Right.
So yeah, so what about licensing, Alan, who can get access to, to DLP?
So there is some, there is some capability that is part of E3, I believe that's mainly around Office 365, you know, Microsoft 365, you know, data sources.
So you can start, you know, start there, but for Endpoint DLP plus some more of the advanced sort of side of things you're looking at in effect M365 E5 capability, which breaks down to.
Let me just find it for all our combinations.
So you've got the M365 E5 compliance add on.
If you're E3, if you've got F3 licenses, your frontline workers, there is a security and compliance add on.
F5 security and compliance add on which includes some of it.
If you want to break it down not by the full compliance add on, you can do Information Protection and Governance, which gives you Endpoint DLP as well as some of the other parts that we've been talking about, Teams DLP and things like that on top of the normal stuff.
Don't think you can break it down any more than that.
I don't believe the only other cool.
Thing you can do now is Business Premium E5 add on as well, can't you?
True, yes.
Yeah.
You can add the E5 onto it and it's a reduced price, isn't it?
From what I remember, if you combine.
It with security, it's reduced, isn't it?
Or something like that.
It's like.
Yeah, it's quite a good combo deal if I remember rightly.
On top of Business Premium and if you can stay under that 300 user count.
Yeah.
And as I said, you don't have to have Defender for Endpoint rolled out for Endpoint DLP.
It's just a lot easier to roll out if you already got it out there.
So.
It just shows the power of that connected ecosystem, isn't it?
It's just like literally a singular button or two or something like that.
You know what I mean?
It's crazy.
Yeah.
And they on board within 5, 10 minutes, start to onboard when they check in.
So.
So yeah.
Cool.
I don't think I had anything else.
Like I said, there's.
There's probably a lot more we could talk about.
But.
Yeah, my only other call out was, is that I think Microsoft's stance on it is they call it crawl, walk, run in terms of like the different stages of like DLP and well, data security, like adoption really.
Yeah, I, I'm not the hugest fan of that description because especially when you're working with a client, it seems like, you know, nobody really wants to crawl, do they?
Right.
They want it to be effective because I think even monitoring is effective.
I don't think it is crawling.
I think it's.
It does give you a lot more value than that.
But the only thing I will say is there's some really good people at Microsoft in and around like the data security and governance space.
So there is a lot of really good like documentation out there.
Again, it's not that specific, but in terms of like what you're trying to achieve and how you should think about it, Microsoft has some really good guidance there.
But it's not going to be like conditional access in the way that it's like here's like, you know, some really specific, you know, use cases that you want to use this for, if that makes sense.
Conditional access is probably a bad example because it is pretty flexible as well.
But you get what I'm saying, like it's not, you know.
Yeah, there is some default, isn't there?
You know, block legacy authentication, etc.
MFA on admins, that kind of thing where.
Yeah.
And I suppose the only thing you haven't touched on is there are templates looking for specific types of data in the portals as well, so.
True.
So if your organization is concerned about PII data being exfiltrated, there are templates that are, I would say relatively good, especially as starting points for organizations to get started.
So that is very powerful.
Yeah, yeah.
GDPR, HIPAA, etc.
Yeah, yeah.
GLBA.
Yeah.
PCI DSS, etc.
Etc.
Really good.
Cool.
Okay, what's our next episode then?
Sam?
Okay, I.
I don't know what the title should be, but it's going to be all of the other Defenders for Clouds.
Defender Clouds excluding.
I don't know how to describe it, but basically I've been going through this all my previous latest.
Previous episodes have been all around different Defender for Cloud capabilities and I'm going to round up a bunch of the smaller ones into them as one single episode because I'm not sure you can talk about some of them for much more than 10 minutes.
So I feel like it would be a bit of a cop out if it was my turn to do a, you know, an episode And I spent 15 minutes on Defender for DNS, you know, so that's probably a bad example.
But anyway it doesn't exist anymore, so.
Yeah, but you get what I mean.
So yeah, like Key Vault Resource Manager.
What else is there?
I can't remember but I'll bundle them all up into a little mega episode.
Basically that'll be my next one.
Yeah, no, that's cool.
Okay.
Did you enjoy this episode?
If so, please do consider leaving us a review on Apple, Spotify or YouTube.
It really helps us reach out to more people like yourselves.
If you have any specific feedback or suggestions to our episodes, we have a link in our show notes to get in contact with us.
Yeah.
And if you made it this far, thanks ever so much for listening and we'll catch you on the next one.
Yep.
Thanks.
All.
Right.