How to Close Critical Data Loss Prevention (DLP) Gaps in Microsoft 365

Over a million businesses worldwide use Microsoft 365, with 731,000 companies in the United States alone. That represents a big juicy audience for hackers, bad actors and others.

And although Microsoft 365 provides foundational rule-based data loss prevention (DLP) and data classification to address compliance requirements, it falls short when protecting against data loss caused by people.

That’s why many of our customers choose Tessian to layer on top of 365, to stop complex, targeted attacks most SEGs just can’t stop. Tessian complements Microsoft 365 with a behavioural analytics layer and offers enhanced data protection by closing critical DLP use case gaps such as inadvertent or accidental data loss, sensitive data exfiltration to unauthorised or personal accounts, and insider risks. Tessian also has more robust investigation, reporting, and remediation tools.

In this article, we’ll explore three DLP challenges, identify where Microsoft 365 falls short, and describe how Tessian helps security teams overcome them.

Want to explore this topic in greater detail? Download the Solution Brief: How Tessian Closes Critical DLP Gaps in Microsoft 365


Microsoft 365 can’t stop accidental data loss 

Misdirected emails are the number one data security incident reported to data protection regulators across the world.

Every day, inadvertent human error on email leads to organisations putting their customer’s data at risk, breaching mandatory industry and data protection regulations and losing highly sensitive intellectual property. In fact, according to Tessian research, 800 misdirected emails are sent every year in organisations with 1,000 employees.

You can check out 11 data breaches caused by misdirected emails here.

Microsoft’s capabilities here are limited to files on Sharepoint and OneDrive sites, where you can allow or block specific domains. It cannot detect if you shared an email or files (including files in Sharepoint) to a wrong party. 

In addition, Microsoft 365 Email DLP capabilities are not context-aware. What that means in practice is that it lacks context between parties exchanging email and hence cannot proactively identify wrong recipients or wrong attachments.

Microsoft 365 detection is purely based on DLP policies and data classification – Regex pattern matches, proximity of certain keywords to the matching patterns, exact data matching and Fingerprinting. These techniques cannot be applied to detect wrong recipients or wrong attachments.


How does Tessian prevent accidental data loss?


Stop Misdirected Emails
Tessian’s behavioural approach ensures that emails reach the right recipients, preventing accidental data breaches over email. Leveraging historical data to map email relationships with context, deep content inspection, and behavioural analysis, Tessian identifies first-time contacts, flags recipient anomalies, and stops misdirected emails in real-time.

Prevent Wrong Attachments
Tessian uses a combination of attachment scanning, natural language processing (NLP), and deep content inspection to map email content to users, entities, and projects. This helps detect a variety of anomalies and warns when employees are about to send a wrong attachment.

Easy and Accurate Reporting
Insights and analytics with the Human Layer Security Platform makes compliance and reporting easy. Admins can readily filter, view, and track accidental data loss events prevented by type, as either misdirected emails or misattached files using the HLS intelligence portal to mitigate events.

Learn more about Tessian Guardian.


Microsoft 365 can’t prevent exfiltration of sensitive data to unauthorised or personal accounts 

Whether it’s an employee negligently sending emails to unauthorised or personal accounts, or individuals maliciously stealing company intellectual property for personal gain while exiting the company, sensitive data exfiltration is a major problem in today’s organisations.

Don’t believe us? 27,500 unauthorised emails are sent every year in organisations with 1,000 employees. 

Unfortunately, Microsoft 365 DLP capabilities do not effectively detect when unstructured data leaves the organisation. This is because it’s not able to identify the unique context of each employee at a granular level. Traditional approaches to prevent data exfiltration on email rely on a litany of pre-defined rules and denylists, and retrospective incident response.

Tackling the problem of data exfiltration by manually maintaining denylists in a world of innumerable new freemail and personal domains is a losing game. Relying on users to manually classify documents puts organisations at risk, while relying on machine based RegEx classification for sensitive content detection or human-in-the-loop quarantine leads to false positives, false negatives and significant administrative burden.


How does Tessian prevent data exfiltration? 


Automatically Detect Non-business Email Accounts with Historical Email Data
Tessian analyses historical email data to understand normal content, context and communication patterns, enabling a comprehensive mapping of every employee’s business and non-business email contacts. Relationship graphs are continuously updated as email behaviour changes over time after Tessian is deployed.

Perform Real-time Analysis of Emails Before They’re Sent to Detect Data Exfiltration
Tessian’s Human Layer Security Engine analyses all outbound emails in real-time and uses machine intelligence to automatically predict data exfiltration based on insights from the relationship graph, deep inspection of the email content, and previous user behaviour.

Automatically Detect and Prevent Data Exfiltration Over Email
With Tessian, you can automatically detect anomalous patterns of exfiltration. Real-time warnings are shown to employees when data exfiltration threats are detected and guides them towards secure behavior. Warning triggers can be tailored to suit your company’s security policies and workflow requirements; employees can be warned, emails can be blocked, or activity can be silently tracked. Employee interactions are also logged for inspection in the Tessian dashboard.

Learn more about Tessian Enforcer.


Microsoft 365 can’t measure and report impact of human layer risk

Insider threats are often perceived to only include those who may have malicious intent, such as disgruntled employees or employees who hack into the organisation to gain access to credentials. However, employees exfiltrating data via email are often simply careless or negligent as well.

Microsoft 365 monitoring and reporting capabilities, including insider risk capabilities, are content detection and triage focused and does not provide any type of holistic visibility into employee risk profiles, high risk users in order for security and risk management leaders to take specific actions to improve their employee’s data handling practices and strengthen their security posture.

How does Tessian approach insider risk management?

Tessian’s approach is human-centric and behavioural, and is able to detect intent and the unique context of the particular employee’s situation. The Human Layer Security Platform maps employee email activity and builds unique security identities for every individual. Dashboards and analytics surface these insights and give full visibility into threats you’ve never been able to detect before. With Tessian, you can predict and pre-empt security risks caused by human behaviour.

Superior Risk Analytics
Enriched individual risk profiles that are modelled with a broad range of signals from email usage patterns, relationship graphs, job role, security decisions in real time as well as from 12 months of historical emails and calculates individual risk scores. Because of this unique data modelling, Tessian provides a profile that is contextually rich with granular visibility into risk drivers.

Dynamic Risk Scoring
Security risk scores are dynamically updated to represent an accurate individual risk profile in real time. The risk scores trend down when the user makes positive security decisions and trend up when poor security decisions are made, or if the user exhibits high-risk email security behaviour. These scores and risk drivers are also aggregated at the user, department, and company level and are benchmarked against the Tessian network.

Defend Against Data Breaches with Defensible Audit
Detailed reporting and audit logs provide defensible proof against data breaches. If risk is identified, Tessian’s Human Layer Risk Hub enables you to formally document all associated events such as exposure, owner, mitigation decisions and actions.

Download the solution brief here.

To learn more about how Tessian can help strengthen your DLP posture, book a demo now.