Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud are fading. Sensitive data constantly travels between different locations and is often shared with others – both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.
Additionally, the threat landscape is evolving. External adversaries and insider threats are becoming more sophisticated and dangerous. Data breaches are at an all-time high in terms of both the number of breaches and the overall severity and business impact. As a result, governments and regulators are instituting stricter regulations with unprecedented fines for not properly protecting and governing sensitive information.
Traditional solutions that put walls around your network perimeter do not suffice. You are at risk of over-protecting where you shouldn’t, degrading employee productivity by interrupting legitimate workflows, and under-protecting where you should – when sensitive data is being exfiltrated.
Consider the following principles when shaping your information protection strategy:
Visibility – You can’t protect what you can’t see. Strive to achieve complete visibility into sensitive data across all repositories.
Data-centric protection – Protect your data, not your perimeter. Apply information protection capabilities that are content-aware to improve protection coverage and reduce end-user friction due to unnecessary interruptions. Make sure sensitive data stays protected wherever it goes; this is especially important in a modern workplace, where data is constantly on the move.
Assume breach – Sophisticated attackers, external adversaries, or insider threats will find a way around any wall you put in front of them. Implement post-breach techniques that constantly monitor sensitive data usage in your organization, correlate this data to other suspicious behaviors, and allow you to respond and mitigate risks.
The endpoint is a key point of control when implementing an effective information protection strategy based on these principles. Endpoints are often the entry for sophisticated attacks conducted by an external adversary or an insider threat. Combine it with the fact that endpoints are usually the darkest spot in the enterprise for security and compliance teams, and you end up with a critical weakness in the enterprise information security posture.
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s endpoint protection platform, addresses this challenge by integrating with Azure Information Protection, Microsoft’s data classification, labeling, and protection solution. This integration empowers Windows to natively understand Azure Information Protection sensitivity labels, to provide visibility into sensitive data on endpoints, to protect sensitive data based on its content, and to detect and respond to post-breach malicious activity that involves or affects sensitive data.
Microsoft Defender ATP is built into the OS, removing the need for deployment and agent maintenance, ensuring that end-user experience is not impacted when performing legitimate business workflows. No on-premises infrastructure or endpoint agents are required. The seamless integration with Azure Information Protection reporting and management experience ensures that data administrators can continue to leverage their existing Azure Information Protection experience to manage these new capabilities.
Discover sensitive documents on Windows devices
Microsoft Defender ATP’s built-in sensors discovers labeled data on all devices monitored by the Microsoft Defender ATP service. This data is then seamlessly plugged into the Azure Information Protection reporting experience and enriched with labeled documents discovered on Windows devices. This allows existing Azure Information Protection customers to get instant visibility into sensitive data on devices using the same dashboard and analytics tools they use today.
Figure 1. Azure Information Protection – Data discovery dashboard shows data discovered by both Microsoft Defender ATP and Azure Information Protection
It doesn’t end there. Being an endpoint protection suite, Microsoft Defender ATP monitors and calculates device machine risk level – an aggregated indicator of active security threats on each device. This data is also shared with Azure Information Protection reports, allowing data administrators to proactively understand whether sensitive corporate data resides on any compromised devices. To understand why the device is compromised, all it takes is a single click in the Azure Information Protection dashboard to be directed to that device’s record in Microsoft Defender ATP, where the administrator can investigate and mitigate detected security threats.
Figure 2. Azure Information Protection – Data discovery dashboard shows device risk calculation
Turning on this integration is a matter of a single flip of a switch in the advanced features settings page in Microsoft Defender Security Center. Windows endpoints will start discovering labeled documents immediately.
Figure 3. Microsoft Defender Security Center– Settings page
Detect sensitive data leaks from Windows devices
In addition, Microsoft Defender ATP integrates sensitive data awareness into Microsoft Defender Security Center. Each incident or alert raised in Microsoft Defender Security Center includes a ‘data sensitivity’ attribute that is generated by aggregating the sensitivity of all the labeled files discovered on devices that are affected by the incident. This allows security analysts to prioritize incident response based on data sensitivity. When investigating an incident, security analysts can use data sensitivity context across the entire investigation – from the incident dashboard, through analyzing sensitive data exposure of specific machines, all the way to Advanced hunting.
Figure 4. Microsoft Defender Security Center – Incident queue, sorted by data sensitivity
Conclusion
Protecting sensitive data requires a comprehensive approach. Sensitive data stored on devices that are constantly on the move presents its own unique challenges. Microsoft Defender ATP and Azure Information Protection work together to effectively reduce the possibility of losing sensitive data. Together, these solutions provide discovery and protection capabilities required to govern and protect sensitive data, enforce compliance, and proactively mitigate risks.
These are just the first few steps we’ve taken to enhance the information protection capabilities. Stay tuned for more upcoming features built into Windows 10.
Start here to learn how you can leverage of this capability.
Using Microsoft Security Copilot to expedite the discovery process, Microsoft has uncovered several vulnerabilities in multiple open-source bootloaders impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot. Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability in the GRUB2, U-boot, and Barebox bootloaders.
Microsoft detected a large-scale malvertising campaign in early December 2024 that impacted nearly one million devices globally. The attack originated from illegal streaming websites embedded with malvertising redirectors and ultimately redirected users to GitHub to deliver initial access payloads as the start of a modular and multi-stage attack chain.
Kerberoasting, a well-known Active Directory (AD) attack vector, enables threat actors to steal credentials and navigate through devices and networks. Microsoft is sharing recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks.
Microsoft researchers found multiple vulnerabilities in OpenVPN that could lead to an attack chain allowing remote code execution and local privilege escalation. This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information.
