Microsoft 365 Endpoint DLP: Is it Ready for the Enterprise?

Skyler Butler, Director of Product Management

09.17.2020

Microsoft Inspire, the company’s annual global partner conference, is always an exciting event, and the 2020 virtual broadcast was no exception. Speakers addressed the challenges that companies and partners are facing, while offering a full agenda of information and announcements about new products and capabilities. InteliSecure is a Microsoft Silver partner, and our attendees were impressed by the number of newly minted features to support data security—an area that is more important than ever as enterprises continue to adapt to dramatically accelerated digital transformation.

One of the most anticipated announcements was the public preview of Microsoft 365 Endpoint Data Loss Prevention (DLP). Endpoint protection for Windows 10 and Microsoft Edge is a highly requested capability that, until now, Microsoft DLP has lacked. That gap has prevented many organizations from adopting the Microsoft data protection stack.

Is Endpoint DLP ready for enterprise data protection? We explored the preview offering and are ready to offer our early findings.

Installation and Configuration: Simple Data Protection Policy Setup

Endpoint DLP is built into Windows 10, Office apps, and the latest release of Microsoft Edge, which is based on the open-source Chromium code. The solution is designed to provide activity monitoring and protection capabilities for sensitive information on endpoint devices.

The new endpoint protection capabilities are part of Microsoft 365 E5. Most endpoint systems in the wild using Windows 10 will be compatible; devices must be:

  • Running Windows 10 build 1809 or higher
  • Azure Active Directory (AD) joined or hybrid Azure AD joined
  • Using the Microsoft Edge Chromium-based browser to enforce policy actions for cloud upload activity
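The three prerequisites above can be verified on a device before it is onboarded. The following PowerShell script is an added example written for this review, not code from the post or from Microsoft; it assumes that Windows 10 version 1809 corresponds to OS build 17763, that `dsregcmd /status` reports `AzureAdJoined : YES` (plus `DomainJoined : YES` for hybrid join), and that Chromium-based Edge registers `msedge.exe` under the App Paths registry key with a major version of 79 or later.

```powershell
# Added example (not from the InteliSecure post): checks a Windows 10 device against the three
# Endpoint DLP prerequisites before onboarding it in the Microsoft 365 compliance center.
# Run in a PowerShell session on the device itself.

# Windows 10 version 1809 ships as OS build 17763 (assumed mapping, not stated in the post).
$MinimumBuild = 17763

function Test-WindowsBuild {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    [pscustomobject]@{
        Check  = 'Windows 10 build 1809 (17763) or higher'
        Passed = ($os.Caption -like '*Windows 10*') -and ($build -ge $MinimumBuild)
        Detail = "$($os.Caption) build $build"
    }
}

function Test-AzureAdJoin {
    # dsregcmd /status prints 'AzureAdJoined : YES' for Azure AD joined devices;
    # a hybrid-joined device additionally prints 'DomainJoined : YES'.
    $status = dsregcmd /status
    $aad    = [bool]($status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES' })
    $domain = [bool]($status | Where-Object { $_ -match '^\s*DomainJoined\s*:\s*YES' })
    $mode = 'Not Azure AD joined'
    if ($aad -and $domain) { $mode = 'Hybrid Azure AD joined' }
    elseif ($aad)          { $mode = 'Azure AD joined' }
    [pscustomobject]@{
        Check  = 'Azure AD joined or hybrid Azure AD joined'
        Passed = $aad
        Detail = $mode
    }
}

function Test-ChromiumEdge {
    # Chromium-based Edge (major version 79 and later) registers msedge.exe under App Paths.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
    $exe = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    $passed = $false
    $detail = 'msedge.exe not registered'
    if ($exe -and (Test-Path $exe)) {
        $version = (Get-Item $exe).VersionInfo.ProductVersion
        $major   = [int]($version.Split('.')[0])
        $passed  = $major -ge 79
        $detail  = "Edge $version at $exe"
    }
    [pscustomobject]@{
        Check  = 'Chromium-based Microsoft Edge installed'
        Passed = $passed
        Detail = $detail
    }
}

function Test-EndpointDlpPrerequisites {
    # Returns one row per prerequisite; the device is ready only when every row passes.
    $results = @(Test-WindowsBuild; Test-AzureAdJoin; Test-ChromiumEdge)
    $results | Format-Table -AutoSize | Out-String | Write-Host
    $ready = -not ($results | Where-Object { -not $_.Passed })
    Write-Host ("Ready for Endpoint DLP onboarding: {0}" -f $ready)
    return $ready
}

Test-EndpointDlpPrerequisites
```

A device that fails the Azure AD check will not be recognised by the compliance center onboarding flow, and one that fails the Edge check will still be monitored but cannot enforce policy actions for cloud uploads made from other browsers, which is exactly the behaviour the post describes under Browsers below.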

You will need to onboard the devices in your Microsoft 365 compliance center. This onboarding is separate from Intune or Microsoft Defender onboarding, but I believe in future releases they will integrate this functionality.

Once onboarded, you can apply current DLP policies to the Endpoint DLP protection suite. Before doing so, you will want to review the Endpoint DLP settings in the Policies section of the compliance center. Endpoint DLP settings are where you configure how the solution monitors or excludes certain activity.

For example, if you have an anti-virus solution, Endpoint Detection and Response (EDR), or other security tools, best practice is to whitelist those file paths in the settings. Additionally, you may want to restrict certain browsers, domains, or applications from accessing sensitive information. The settings help you allow or block the transfer of sensitive information by end users and the applications they are utilizing. Settings also help prevent your other security tools from interfering with the DLP detection process (and vice versa).

[Image: Endpoint DLP Settings]

Figure 1: Endpoint DLP settings enable you to allow or restrict access to sensitive information.

Applying an existing or new DLP policy is quite simple. In the policy creation wizard, just select the channel in which you want to apply endpoint inspection.

[Image: Applying a policy in Endpoint DLP]

Figure 2: Simple toggles make it easy to apply and remove policies.

The advanced DLP settings give you several options to specify the actions Endpoint DLP will inspect—and what activity will be allowed once a condition is triggered.

[Image: Policies in Endpoint DLP]

Figure 3: Advanced settings in Endpoint DLP enable you to address specific behaviors associated with data-loss risk.

After you save the policy, it is enabled on the devices you onboarded earlier.
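The wizard steps above (pick the endpoint channel, choose a sensitive information type, set an action per activity, save) can also be scripted. The script below is an added example written for this review, not code from the post or from Microsoft. It assumes the ExchangeOnlineManagement module, the `Connect-IPPSSession` cmdlet, and the `-EndpointDlpLocation` and `-EndpointDlpRestrictions` parameters that Microsoft documents for `New-DlpCompliancePolicy` and `New-DlpComplianceRule`; those parameters post-date the preview the post evaluates, so confirm they exist in your tenant with `Get-Help New-DlpComplianceRule -Parameter EndpointDlpRestrictions` first. The policy and rule names are constructed for the example.

```powershell
# Added example (not from the InteliSecure post): builds an Endpoint DLP policy equivalent to the
# one the post creates in the compliance center wizard, via Security & Compliance PowerShell.
# Assumes ExchangeOnlineManagement and the EndpointDlpLocation / EndpointDlpRestrictions parameters.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to the Security & Compliance endpoint

$PolicyName = 'Endpoint DLP - Credit Card (evaluation)'   # constructed name
$RuleName   = "$PolicyName - rule"                         # constructed name

# 1. Policy scoped to the Devices channel only. Test mode with notifications shows users the policy
#    tips while you validate behaviour; switch -Mode to Enable once you are satisfied.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Evaluation: detect credit card numbers leaving Windows 10 endpoints' `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# 2. Rule: trigger on one or more credit card numbers and choose an action per endpoint activity.
#    Audit = log only, Block = stop the action. These mirror the toggles shown in Figure 3.
$Restrictions = @(
    @{ Setting = 'CopyPaste';      Value = 'Block' }   # clipboard copy of matched content
    @{ Setting = 'RemovableMedia'; Value = 'Block' }   # copy to USB storage
    @{ Setting = 'CloudEgress';    Value = 'Block' }   # upload to a cloud service from Edge
    @{ Setting = 'Print';          Value = 'Audit' }   # record printing without blocking it
)

New-DlpComplianceRule -Name $RuleName -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -EndpointDlpRestrictions $Restrictions `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This action is restricted by company policy. Contact the security team if you need an exception.' `
    -ReportSeverityLevel High

# 3. Confirm what was created. Distribution to devices is not immediate; the post observed a
#    1-2 hour delay before a policy change took effect on an endpoint.
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule  -Identity $RuleName   | Select-Object Name, Policy, EndpointDlpRestrictions
```

Keeping the first version of the policy in test mode is worth the extra step: it lets you see the events land in Activity Explorer (Figure 4) and check that your antivirus and EDR paths are excluded in the Endpoint DLP settings before any user-facing block is switched on.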

The device-restriction options that are provided are on a par with options in other enterprise DLP solutions today. We would like to see these options refined in future releases of Endpoint DLP. For example, it would be useful to have the ability to inspect specific applications (not simply deny or allow them) and to enable custom whitelisting for USB types (e.g., encrypted or company-issued devices versus personal USBs). Local drive inspection is also not included; however, with other DLP tools, InteliSecure recommends that this feature not be enabled because it can degrade the end-user experience.

Testing and Events: Ensuring Effective Data Protection

From our initial testing, InteliSecure has found opportunities for improving the flow of events and the frequency of policy polling times. We also found that Endpoint DLP provides additional information that we didn’t expect.

In our test, we attempted to take a variety of actions involving credit card numbers on a Windows 10 system using the Chromium-based version of Microsoft Edge. For every action we attempted, we determined that the software detected when those actions violated our DLP rules and executed the policies we had defined.

Browsers

We found that when we used unallowed browsers (e.g., firefox.exe), a pop-up instructed the user to utilize the Chromium-based Edge for any sensitive information uploads. It blocked our action, preventing us from posting to a website we use for testing (dlptest.com).

However, when we attempted the test through the Outlook client, we were surprised to find that Endpoint DLP did not take action against the Outlook client. To detect sensitive information being sent through email, you will need to use Office 365 DLP.

USBs

USB transfers were blocked upon attempted upload. However, we were surprised to see that the block action is identified as “Write-protected USB.” Although the block successfully prevented the transfer of sensitive data, the message may confuse end users into thinking there could be an issue with the USB device—not that the action they’d attempted was risky.

Information copy

When we attempted to copy and paste our credit card numbers via the clipboard, the software successfully blocked the action and generated a pop-up notifying the user that what they were attempting to copy was restricted, giving the user the ability to cancel.

We did not test Print as we did not have a valid print system configured for our testing purposes.

Results

Overall, the capabilities of Endpoint DLP work as Microsoft says they will. Our InteliSecure team did not run into any bugs, errors, or unexpected issues while performing our tests.

We were also excited to see that Endpoint DLP monitors when files are created, modified, saved to the cloud, and saved to removable media, and detects when a file is renamed.

We encountered a few issues with the Endpoint DLP preview version:

  • It takes 1-2 hours to see a policy applied to an endpoint, slowing testing and making it difficult to determine which changes have been applied.
  • Security incidents are sent to the Microsoft compliance center but separated from other data in the “Data Classification” and “Activity Explorer” tabs within that section.

[Image: Endpoint DLP security incident report]

Figure 4: Endpoint DLP displays security incidents in the compliance center’s Activity Explorer tab.

One of the primary issues many organizations have with using Microsoft DLP solutions is that data is not centralized in one place. Endpoint DLP adds another location for data review to the mix, increasing the complexity of security management in the Microsoft ecosystem.

InteliSecure has solved the complexity problem by creating Aperture, a single-pane-of-glass interface that centralizes information and alerts from Microsoft DLP tools and allows customization of workflows and classification of these alerts. Our development team anticipates adding Endpoint DLP information to Aperture in the coming weeks as Microsoft gets closer to a final release of the solution.

Our Take: Endpoint DLP Will be a Viable Option for Data Protection

Today, if InteliSecure were to answer, “Is Endpoint DLP ready for our enterprise data protection program?” we would say “almost.”

The solution offers some significant and beneficial capabilities:

  • Detection natively built into the OS—This is an ingenious way to get DLP endpoint capability without the trouble of dealing with “yet another agent” as security teams manage numerous endpoints.
  • Ease of adoption—The fact that the capability is built into the Microsoft DLP suite also enables easy uptake and management for an already overtaxed security operations team.
  • Ease of use—In typical Windows fashion, the app’s setup and wizards are intuitive, making it easy to apply policies and understand their expected outcomes.
  • Supports remote device security—It’s essential for organizations to maintain a degree of data protection regardless of where the endpoint is located, and the inclusion of Edge browser security is an extremely powerful tool in preventing data leakage.

We have high hopes for the value that Endpoint DLP can provide for corporations who are using the Windows operating system on their endpoints, either exclusively or across a majority of users. However, the fact that the solution only covers Windows 10 systems could be a non-starter for corporations utilizing Mac, Linux, or older Windows platforms.

In addition, we hope and expect that other issues will be addressed:

  • The lack of customization for alerts—or in the case of USB transfer, no alerts at all—will be a point of frustration for many teams.
  • The fact that alerting is shifted into an area of the compliance center that’s different from other application-specific DLP tools is troubling; it makes it difficult to correlate alerts across different channels.

We believe that as this product gets closer to an official release, we’ll see its few issues addressed. If so, many organizations that are not already using third-party DLP software will be able to easily add Endpoint DLP to their data protection toolbox.

With its ease of use, the ability to see agents deployed, and a view into the current health status of user devices, Endpoint DLP will be a great help for organizations that are currently struggling to manage endpoints in the thousands.

Learn more about Aperture

InteliSecure is solving visibility issues in Microsoft DLP with our Aperture platform. Learn more about how this solution can simplify data protection for your internal teams.