Data Loss Prevention

 View Only
  • 1.  Microsift Teams and DLP

    Posted Mar 24, 2020 12:20 PM
    Scenario:
    User is in Microsoft Teams, and is sending a message to another employee via the chat that contains sensitive in formation like a SSN or a CC#.  What I what to happen is when the user hits send, the upload start,  or at some point the a message pops up warning the user that the message they are about to send contains xyz personal information and will be send to a cloud location.
     I was trying to get Endpoint Notify Response Rule to accomplish this...will this work or is it even possible?

    If any one has a suggestion, procedure or advice it will be welcomed thank you.

    Darren


    ------------------------------

    Darren Dozier
    Randolph Brooks Federal Credit Union
    ------------------------------


  • 2.  RE: Microsift Teams and DLP

    Posted May 06, 2020 04:25 PM
    You will need to start with adding Teams.exe under Application Monitoring to detect traffic in Teams.


  • 3.  RE: Microsift Teams and DLP

    Posted May 09, 2020 12:09 AM

    Actually it may not works as its https traffic. You will need to use a CASB I believe to monitor Teams. Something like

    https://www.netskope.com/about-casb




  • 4.  RE: Microsift Teams and DLP

    Posted May 09, 2020 01:50 AM
    Is anyone using Microsoft Casb MCAS
    This message contains information that is confidential and may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail and delete the message.




  • 5.  RE: Microsift Teams and DLP

    Posted Jul 22, 2020 02:24 PM
    I think it will work because the dlp intercepts prior to the data being sent through the tls tunnel


  • 6.  RE: Microsift Teams and DLP

    Posted Jun 23, 2020 10:51 AM
    we did a side by test of MCAS and Symantec CSAB and neither detected content pasted into a Teams chat.  It's my belief that all products have a hard time detecting content posted into online chats or document creation because the content is pasted is codified as one long string of html code.  The html codes interfere with number pattern detections (such as 9 digit SSN) because those patterns are now substrings.  Creating a detection rule for substrings when it comes to web generates a ton of false positives making it useless.  It's a little better when it comes to detection words.  I've attached an image from a web prevent incident that illustrates how DLP sees content posted into a Teams chat.  
    example



  • 7.  RE: Microsift Teams and DLP

    Posted Jul 22, 2020 02:23 PM
    Daren
    This is very easy to accomplish. create a response rule and apply it to the SSN policy.


  • 8.  RE: Microsift Teams and DLP

    Posted Aug 10, 2020 12:10 PM
    Response rules only work if the data is in a file format and is being drag and dropped or uploaded to the chat window. Typed data into the Teams app will not be affected by DLP.

    ------------------------------
    Security Engineer
    OhioHealth
    ------------------------------



  • 9.  RE: Microsift Teams and DLP

    Posted Aug 24, 2020 07:26 AM
    Darren, check for ethical walls solution offered by Smarsh, Verint, Nice, ASC, Redbox.... 
    Those companies are on the real time compliance market for a while and they offer solution for Teams

    Franck