Security Incident Response

If you think you have or know you have a Security Incident please fill in the form and our experienced Onevinn CSIRT team will reach out shortly.
 
The team has long experience in supporting customers in Incident Response and Compromised Recovery.
 
Keep calm and we will be with you shortly!

Auto-labeling for Office Online services

Last week Microsoft released a new function to be able to act on data-at-rest information in Teams (SharePoint and OneDrive). In my previous article about how to prevent information leakage when inviting external guests into Teams, we had a scenario for “Project Delta”. The business case was to be able to share the project information in a secure way to all internal and external project members. There was also a requirement to restrict internal sensitive information to invited guests.

This article is about how to automatically identify and protect information. In many cases we already have existing sensitive information without correct classification and protection at rest. For local files we have had the AIP Scanner for a while that is able to both identify certain information as well as label this information with the correct information classification and protection (when needed). For data stored in the cloud (Office 365) we have had the possibility to identify the same information with the build in solutions in Compliance Center. What we now have is possibility to also apply classification and protection automatically, to identified files in the cloud.

Let’s go back to the previous business case for “Project Delta”.

When it comes to identify information all the different solutions use “Sensitive info types” from the Compliance portal. Here we have the built-in information types that includes everything from financial, privacy to medical and health information. imageWe also have possibilities to create our own information types.
In this example we have a project with a defined project number (that is used for example in document templates). We have created a sensitivity info type that looks for this number.

The result from this will show us (under Data classification in the Compliance portal) how many files we have in Office 365 that includes information related to Project Delta.

image image

Auto-labeling

The new auto-labeling feature gives us the possibility to take action on this information.
Auto-labeling is found under Information Protection in the Compliance portal

image

A new policy gives us the possibility to act on predefined information types or create a custom policy.

image

We then specify the location for the information we want to automatically apply labels to.

image

For each of these locations we can create specific rules with conditions. In our case we want to identify everything that include Project Delta information and apply protection to it.

imageimage

Another scenario would be more advanced rules for instance to only label Project Delta information that is being shared externally.

We then choose what Label we want to apply for identified information. Where we choose the Label for Project Delta.

When we turn on this policy it will start in simulation mode. This help us ensure that we apply the label to correct information.

We can then go back and review which files have been identified and ensure that the policy is properly configured.

image

When we are ready, we can turn on the policy.

image

The result will be that identified Project Delta information in all these locations will be automatically classified and protected to only the members of the project.

imageimage

Other solutions to identify Project Delta information based on this sensitivity info type

  • Auto-Labeling in Office that can auto apply a label or recommend the end-user to apply the correct labelimage

  • Scan local file shares and SharePoint servers with the AIP Scanner.
    The scanner uses the same sensitivity info types and gives a view of all local files including Project Delta information.
    image

The AIP scanner have a couple of news as well. Let’s keep that for a coming article