
Q&A: Bridging Data Protection and Security Operations with Microsoft Purview


In our recent webinar we discussed how to combine information protection with security operations. Since many of you asked about practical applications of the strategies covered, here are the most frequently asked questions, answered on the basis of the insights shared during the session.


How can we balance the need for data security with the legitimate needs of users to access and share information for business purposes?

Data security and user accessibility are often seen as being at odds, but with the right approach they complement each other. To strike that balance, Jeremy Sawyer of Epiq Global points to Microsoft’s adaptive protection capability within DLP policies.

As discussed in the webinar, Microsoft has introduced adaptive protection measures that intelligently balance security protocols with user access needs. Jeremy explained, “You could still have those requirements… You could still say that these are the crown jewels, but you could dictate what people can do based on their risk.”

The adaptive approach allows users who present lower-risk profiles to work with sensitive data under fewer restrictions, while higher-risk users are subjected to more stringent controls. Jeremy further elaborated, “They’re allowed to work normally with that type of data without any restrictions, whereas a user that’s higher risk, you could put some guardrails in there.”

This allows organizations to maintain robust data security while accommodating the operational needs of their users, marking a shift from static to more dynamic and responsive data protection strategies.
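The dynamic behaviour described above (controls that tighten as a user's risk rises and relax when it falls) can be modelled in a few lines. The following is an added illustration written for this article, not Purview's code or scoring model: the signal weights, the three risk levels, the rolling window and the policy table are all assumptions constructed for the example.

```python
"""Illustrative model of risk-adaptive DLP enforcement.

Assumptions (constructed for this example, not Purview's actual model):
- each activity signal carries a fixed weight,
- a user's risk level is the sum of the last `window` signals, so it rises
  with risky behaviour and decays once behaviour returns to normal,
- a policy table maps (sensitivity label, risk level) to a DLP action.
"""
from collections import deque
from dataclasses import dataclass, field

# Signal weights: an assumption for this example.
SIGNAL_WEIGHTS = {
    "normal_access": 0,
    "print": 1,
    "download_bulk": 3,
    "usb_copy": 4,
    "share_external": 4,
}

def risk_level(score: int) -> str:
    """Bucket a numeric score into the three levels used by the policy table."""
    if score >= 8:
        return "elevated"
    if score >= 4:
        return "moderate"
    return "minor"

@dataclass
class UserRiskProfile:
    """Rolling window of recent signals; older events fall out, so risk can decay."""
    window: int = 5
    events: deque = field(default_factory=deque)

    def record(self, signal: str) -> None:
        self.events.append(signal)
        while len(self.events) > self.window:
            self.events.popleft()

    @property
    def score(self) -> int:
        return sum(SIGNAL_WEIGHTS[s] for s in self.events)

    @property
    def level(self) -> str:
        return risk_level(self.score)

# (label, risk level) -> DLP action. The "crown jewels" stay monitored for
# everyone and are blocked for elevated-risk users; general data is only
# restricted once risk is elevated.
POLICY = {
    "highly_confidential": {"minor": "audit", "moderate": "warn",  "elevated": "block"},
    "confidential":        {"minor": "allow", "moderate": "audit", "elevated": "block"},
    "general":             {"minor": "allow", "moderate": "allow", "elevated": "warn"},
}

def evaluate(profile: UserRiskProfile, label: str) -> str:
    """Return the action the policy applies to this user at their current risk level."""
    return POLICY[label][profile.level]

if __name__ == "__main__":
    p = UserRiskProfile()
    for signal in ("normal_access", "share_external", "usb_copy"):
        print(f"{signal:15s} -> risk {p.level:9s} action on crown jewels: {evaluate(p, 'highly_confidential')}")
        p.record(signal)
```

The key point the model makes concrete is that the same file and the same policy yield different actions for different users, and for the same user at different times, because the decision is keyed on the current risk level rather than on a static rule.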

How can we ensure SecOps can work on information protection alerts without viewing any sensitive information?

A core challenge in security operations is ensuring that the personnel dealing with alerts do not access sensitive information unnecessarily.


Jeremy explains the application of role-based access controls (RBAC) within the context of insider risk management and Microsoft Purview. He describes a tiered access system, where different levels of personnel are assigned varying levels of data access based on their roles and the sensitivity of the information.

“So you establish… your L1 L2 L3 tiers; you can assign like a more junior analyst… the ability to review the event data, be able to like see the plotter and what’s going on with the account but not actually go into the file and look at the contents,” Jeremy explained.

This method ensures that only the necessary information is accessible to the appropriate personnel at the correct level of the investigation, maintaining security and confidentiality.
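A tiered view of an insider-risk alert, as an added example for this article and not Purview's RBAC implementation: the alert fields, event fields and the L1/L2/L3 grants are assumptions constructed here. The point it demonstrates is that the junior tier receives the account and activity data needed to triage, while file names and contents are stripped before the record reaches them, and every view is logged.

```python
"""Tiered (L1/L2/L3) access to an insider-risk alert.

Assumptions (constructed for this example, not Purview's data model):
- an alert carries account/activity metadata plus the files involved,
- each tier is granted an explicit allow-list of fields; anything not
  granted is removed from the copy handed to the analyst (default deny).
"""
from copy import deepcopy

# Top-level alert fields each tier may see.
TIER_FIELDS = {
    "L1": {"alert_id", "user", "risk_level", "events"},                     # activity only
    "L2": {"alert_id", "user", "risk_level", "events", "file_names"},
    "L3": {"alert_id", "user", "risk_level", "events", "file_names", "file_contents"},
}

# Events are nested records; tiers below L3 must not see content excerpts either.
EVENT_FIELDS = {
    "L1": {"time", "action", "label"},
    "L2": {"time", "action", "label", "path"},
    "L3": {"time", "action", "label", "path", "excerpt"},
}

def view_for_tier(alert: dict, tier: str) -> dict:
    """Return a filtered copy of `alert` containing only what `tier` is granted."""
    if tier not in TIER_FIELDS:
        raise PermissionError(f"unknown tier {tier!r}")
    view = {k: deepcopy(v) for k, v in alert.items() if k in TIER_FIELDS[tier]}
    if "events" in view:
        view["events"] = [
            {k: v for k, v in event.items() if k in EVENT_FIELDS[tier]}
            for event in view["events"]
        ]
    return view

def audited_view(alert: dict, tier: str, access_log: list) -> dict:
    """Same as view_for_tier, but records which tier saw which fields."""
    view = view_for_tier(alert, tier)
    access_log.append({"alert_id": alert["alert_id"], "tier": tier, "fields": sorted(view)})
    return view

# Constructed sample alert (fictional user, paths and content).
SAMPLE_ALERT = {
    "alert_id": "IR-0001",
    "user": "j.doe@contoso.example",
    "risk_level": "elevated",
    "events": [
        {"time": "2024-05-01T09:12:00Z", "action": "download_bulk",
         "label": "highly_confidential", "path": "/Finance/Q3_forecast.xlsx",
         "excerpt": "Projected revenue by region ..."},
        {"time": "2024-05-01T09:15:00Z", "action": "usb_copy",
         "label": "highly_confidential", "path": "/Finance/Q3_forecast.xlsx",
         "excerpt": "Projected revenue by region ..."},
    ],
    "file_names": ["Q3_forecast.xlsx"],
    "file_contents": {"Q3_forecast.xlsx": "Projected revenue by region ..."},
}

if __name__ == "__main__":
    log = []
    for tier in ("L1", "L2", "L3"):
        v = audited_view(SAMPLE_ALERT, tier, log)
        print(tier, sorted(v), "event fields:", sorted(v["events"][0]))
    print(log)
```

Filtering by allow-list rather than by removing known-sensitive keys matters in practice: a new field added to the alert schema is hidden from the lower tiers by default instead of leaking until someone remembers to block it.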

How can log noise be minimized so that we concentrate on what matters most?

Log noise can significantly impede the efficiency of security operations by burying genuine threats under false positives.

Andrew Hodges discusses strategies for minimizing log noise and concentrating on significant alerts in data protection and security operations. He notes that turning on DLP can lead to a flood of alerts, many of which are false positives that can overwhelm security operations centers (SOCs).


To address this issue, Hodges recommends a structured approach: starting with a well-configured system and employing a “crawl, walk, run” strategy to gradually scale up security measures. This method helps in properly setting up a data security program to avoid unnecessary alerts.

He stressed the importance of a well-configured system to reduce this noise: “If you have a really well oiled, properly configured, a purview environment, you’ve got well-trained users… that’s going to inherently cut down on the noise.”

Furthermore, Andrew discussed the importance of automation in managing the flood of alerts: “How we use automation to inherently try to tear through that noise… deal with a lot of the false positives so that the real things that we need to investigate drip through.”

This multi-pronged approach, combined with emerging AI technologies, aims to refine the process of managing and responding to security alerts so that SecOps teams can focus on genuine threats.
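To make the "automation tears through the noise" idea concrete, here is an added example written for this article (not Purview, Difenda or any vendor code) of a first-pass triage routine run over constructed DLP alerts. The sanctioned domains, test-file markers, alert fields and sensitive information types are assumptions; the three suppression rules it applies are typical tuning outcomes: test or template documents, sharing to a sanctioned destination, and credit-card pattern matches that fail the Luhn checksum.

```python
"""First-pass automated triage of DLP alerts.

Assumptions (constructed for this example): alerts are dicts with an id,
file name, sensitivity label, the sensitive-information type (sit) that
fired, the matched strings, and the recipient domain. Two passes:
1. suppress alerts that tuning has shown to be false positives,
2. score the remainder so the queue is ordered with the riskiest first.
"""
import re

SANCTIONED_DOMAINS = {"contoso.example", "partner.example"}   # assumption
TEST_FILE_MARKERS = ("sample", "template", "test")            # assumption
SEVERITY = {"general": 1, "confidential": 3, "highly_confidential": 5}

def luhn_valid(candidate: str) -> bool:
    """Luhn checksum; a digit string that fails it is a pattern-only match, not a card number."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) < 12:
        return False
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def suppress_reason(alert: dict):
    """Return why the alert is noise, or None if it deserves an analyst."""
    if any(marker in alert["file"].lower() for marker in TEST_FILE_MARKERS):
        return "test document"
    if alert["recipient_domain"] in SANCTIONED_DOMAINS:
        return "sanctioned destination"
    if alert["sit"] == "credit_card" and not any(luhn_valid(m) for m in alert["matches"]):
        return "pattern match failed checksum"
    return None

def score(alert: dict) -> int:
    """Sensitivity x match count, doubled when the data leaves the sanctioned set of domains."""
    s = SEVERITY[alert["label"]] * len(alert["matches"])
    if alert["recipient_domain"] not in SANCTIONED_DOMAINS:
        s *= 2
    return s

def triage(alerts):
    """Split alerts into an ordered work queue and a list of (id, reason) suppressions."""
    queue, suppressed = [], []
    for alert in alerts:
        reason = suppress_reason(alert)
        if reason:
            suppressed.append((alert["id"], reason))
        else:
            queue.append((score(alert), alert["id"]))
    queue.sort(reverse=True)
    return [alert_id for _, alert_id in queue], suppressed

# Constructed sample alerts; the card numbers are well-known test values.
SAMPLE_ALERTS = [
    {"id": "A1", "file": "Q3_customer_export.xlsx", "label": "highly_confidential",
     "sit": "credit_card", "matches": ["4111 1111 1111 1111", "5500 0000 0000 0004"],
     "recipient_domain": "webmail.example"},
    {"id": "A2", "file": "Invoice_template.docx", "label": "confidential",
     "sit": "credit_card", "matches": ["4111 1111 1111 1111"],
     "recipient_domain": "contoso.example"},
    {"id": "A3", "file": "onboarding.pdf", "label": "confidential",
     "sit": "ssn", "matches": ["123-45-6789"], "recipient_domain": "partner.example"},
    {"id": "A4", "file": "parts_catalog.csv", "label": "general",
     "sit": "credit_card", "matches": ["1234 5678 9012 3456"],
     "recipient_domain": "webmail.example"},
    {"id": "A5", "file": "board_minutes.docx", "label": "highly_confidential",
     "sit": "ssn", "matches": ["987-65-4321"], "recipient_domain": "webmail.example"},
]

if __name__ == "__main__":
    work_queue, noise = triage(SAMPLE_ALERTS)
    print("queue:", work_queue)
    print("suppressed:", noise)
```

Suppressions are returned with their reasons rather than silently dropped, so the tuning itself stays reviewable: a rule that suppresses too much shows up in that list before it hides a real incident.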
