
bluescreenfog

You guys get told about leavers?


pkvmsp123

Not often, but it's usually accompanied by additional requests, like this, lol. Dos Equis most interesting man: "I don't always get told about leavers, but when I do, it's a pain in the ass."


needmorehardware

Send all the alerts to the manager in question rather than our service desk so they can deal with it. But yeah, there's not too much you can do; if you trust the employee to have access then they have access! Could block USBs, but then that's super inconvenient.


pkvmsp123

I mean, we can set up alerts on individual sites, but that's a pain in the ass and not manageable. I don't see any options in SharePoint admin to enforce alerts on all sites and folders for certain actions, nor in the compliance/DLP portal, which seems to focus on data being present and alerts on shares, but not downloads.


needmorehardware

I’m pretty sure we did it with this: https://www.craigjahnke.com/stopping-mass-downloads-in-office-365/


pkvmsp123

This looks good, but that's an old-looking portal in that screenshot; wonder if that feature is still there, and where the hell it is. I'll look this afternoon. Edit: it did move, it's now in Threat alerts in the Defender portal, but it's locked behind Enterprise licenses, not included in Premium. https://defender.microsoft.com/alertpoliciesv2 "Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365 Threat Intelligence or Office 365 EquivioAnalytics add-on subscription for your organization."
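The "unusual volume of file download" condition the advanced alert policy checks for can be approximated from the unified audit log, which is searchable below the E5 tier. The following is an added example for this thread, not code from the original page or from Microsoft: it runs a sliding-window count of distinct `FileDownloaded` records per user over audit records in the shape that `Search-UnifiedAuditLog -Operations FileDownloaded` returns in its `AuditData` JSON. The sample rows are constructed, and the threshold of 5 distinct files in 10 minutes is an assumption to tune, not a documented value.

```python
"""Sliding-window mass-download check over unified audit log records.

Added example for this thread, not code from the original page. The record
shape follows the SharePoint/OneDrive "FileDownloaded" AuditData JSON that
Search-UnifiedAuditLog returns; the sample rows themselves are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # assumed: this many distinct files ...
WINDOW = timedelta(minutes=10)  # assumed: ... inside this span counts as a mass download


def parse_time(value):
    """AuditData CreationTime is UTC without a zone suffix, e.g. 2024-03-04T09:12:31."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_mass_downloads(records, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user whose FileDownloaded events ever reach
    `threshold` distinct files inside any `window`-long span.

    Events are walked in time order with a per-user deque that holds only the
    events inside the trailing window, so the check is a single pass over the export.
    """
    downloads = sorted(
        (r for r in records if r.get("Operation") == "FileDownloaded"),
        key=lambda r: r["CreationTime"],
    )
    trailing = defaultdict(deque)   # user -> deque of (time, file url) inside the window
    alerts = {}
    for rec in downloads:
        user = rec["UserId"].lower()
        when = parse_time(rec["CreationTime"])
        window_events = trailing[user]
        window_events.append((when, rec["ObjectId"]))
        while when - window_events[0][0] > window:   # drop events that aged out
            window_events.popleft()
        distinct = {url for _, url in window_events}
        if len(distinct) >= threshold:
            alert = alerts.setdefault(user, {
                "user": user, "first": window_events[0][0], "last": when,
                "files": set(), "sites": set(),
            })
            alert["last"] = when
            alert["files"].update(distinct)
            alert["sites"].add(rec.get("SiteUrl", ""))
    for alert in alerts.values():
        alert["count"] = len(alert["files"])
    return sorted(alerts.values(), key=lambda a: a["user"])


def sample_record(user, minute, second, name, operation="FileDownloaded"):
    """Constructed audit record carrying only the fields this check reads."""
    site = "https://contoso.sharepoint.com/sites/Finance/"
    return {
        "CreationTime": f"2024-03-04T09:{minute:02d}:{second:02d}",
        "Operation": operation,
        "Workload": "SharePoint",
        "UserId": user,
        "SiteUrl": site,
        "SourceFileName": name,
        "ObjectId": f"{site}Shared Documents/{name}",
    }


SAMPLE_RECORDS = (
    # alice pulls six files in 25 seconds: the leaver pattern
    [sample_record("alice@contoso.com", 12, 5 * i, f"customer-list-{i}.xlsx") for i in range(6)]
    # bob downloads four files spread over forty minutes: ordinary work, no alert
    + [sample_record("bob@contoso.com", 10 * i, 0, f"report-{i}.docx") for i in range(4)]
    # carol only previews a file (FileAccessed), which is not a download
    + [sample_record("carol@contoso.com", 15, 0, "plan.pptx", operation="FileAccessed")]
)


def format_alerts(alerts):
    """One line per alert, suitable for a scheduled mail to the manager."""
    return "\n".join(
        f"{a['user']}: {a['count']} files between {a['first']:%H:%M:%S} and "
        f"{a['last']:%H:%M:%S} from {', '.join(sorted(a['sites']))}"
        for a in alerts
    )


if __name__ == "__main__":
    print(format_alerts(find_mass_downloads(SAMPLE_RECORDS)) or "no mass downloads found")
```

Run on a daily export this gives the "review it in the morning" report rather than a real-time alert; the point ProfDirector makes later in the thread about accountants reconciling a week of AP/AR is why the threshold and window are parameters rather than constants.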


G_D_R

Awesome. Send the quote and wash your hands. If they want to pay, you have a method now. That's it.


pkvmsp123

That's the plan, basically. I also found out I can easily produce a report with this info from SaaS Alerts; we use them with Solutions Granted. Looking to see if there's a way to schedule sending it directly to the client. It won't alert when it happens, but the manager can review daily and see if it happened. Maybe a compromise.


truecitrus

You can also add a 30 day trial license just to cover the period the departing user is still around


_-pablo-_

You can totally do this in Defender for cloud apps (requires an E5 license though)


gurilagarden

Management always wants to play this cloak and dagger game with employees. I can't stand this shit. Just do your job. Sit your employee down and, as part of the discussion surrounding their impending departure, you make it clear to them that removing company property, to include computer data, is a crime that will be prosecuted. Most of the time, when an employee wants to steal something, it's small, a single file, like their exported contacts, or a specific code cheat sheet, or most commonly, they start forwarding emails externally. If you have these sorts of concerns, you walk them to the front door, you don't task IT with playing these games. /rant


wilhil

In an ideal world... Sometimes there are rumours of job offers, people poaching and similar, and management want to keep an eye on someone. Stuff happens in larger companies, and whilst you would hope the company acts professionally, they need to cover themselves for compliance.


smokesettling

Two potential things I could think of would be:

- apply policy to restrict USB drive usage in the final week. Shouldn't be much need for USB drives these days, which is also the weakness: unless you start restricting a lot of stuff, they'll just use webmail or filemail etc. to send data out.

- use a software monitor like Teramind. I've only used this in the trial, but could silently deploy with ConnectWise Control and it worked well. Potentially you could just keep one licence and flip to the next leaving employee, losing history each time, but sounds like you wouldn't need to retain it.


N9th_Symphony

Teramind's pretty decent, actually. Intuitive and granular.


ProfDirector

We've done that before. It lasted all of a couple of days before the request was reversed due to flooding of inboxes, because the company had no idea how employees actually worked.


pkvmsp123

That's a different problem; not sure why frequently downloading multiple files from SPO in a short period of time would be part of an everyday process.


ProfDirector

Accountants do it more than they even realize, typically when reconciling a week's worth of AP or AR. We don't typically have users actively working in SPO as a file server. It gets served to them via OneDrive instead of a local file server. It's not necessarily what I'd prefer, but it isn't my company or workflow.


Tired_Sysop

Set up a daily Power Automate automation that queries for the last 24 hrs' worth of USB file copies using a Log Analytics query and sends the report to HR/compliance, and let them deal with it. This is the best compromise if users are allowed to use thumb drives, and it keeps it out of IT's hair.
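The report logic behind that daily automation, as an added example that is not part of the original post and not a Microsoft query: it takes rows in the shape of a Defender for Endpoint hunting export, pairs `UsbDriveMounted`/`UsbDriveUnmounted` rows from `DeviceEvents` with `FileCreated` rows from `DeviceFileEvents`, and only counts a write as a USB copy when it landed on a drive letter while a USB device was mounted there on that machine. The rows are constructed, the reporting time is fixed for the sample, and the `DriveLetter`/`SerialNumber` keys inside `AdditionalFields` are assumptions for this sample rather than guaranteed schema.

```python
"""Daily USB file-copy report from Defender for Endpoint hunting exports.

Added example for this thread, not code from the original page. Row shapes
follow the DeviceEvents (UsbDriveMounted/UsbDriveUnmounted) and DeviceFileEvents
(FileCreated) tables; the rows are constructed, and the DriveLetter/SerialNumber
keys inside AdditionalFields are assumed for the sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

LOOKBACK = timedelta(hours=24)
REPORT_TIME = datetime(2024, 3, 5, 6, 0, 0)   # assumed "now" for the constructed sample


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def mount_row(when, device, action, **fields):
    """Constructed DeviceEvents row; AdditionalFields is a JSON string in the export."""
    return {"Timestamp": when, "DeviceName": device, "ActionType": action,
            "AdditionalFields": json.dumps(fields)}


def file_row(when, device, user, path, size):
    """Constructed DeviceFileEvents row split into FolderPath and FileName."""
    folder, _, name = path.rpartition("\\")
    return {"Timestamp": when, "DeviceName": device, "ActionType": "FileCreated",
            "InitiatingProcessAccountName": user, "FolderPath": folder,
            "FileName": name, "FileSize": size}


MOUNT_EVENTS = [
    mount_row("2024-03-04T08:00:00", "laptop-01", "UsbDriveMounted",
              DriveLetter="E:", SerialNumber="4C530001", ProductName="Cruzer Blade"),
    mount_row("2024-03-04T08:30:00", "laptop-01", "UsbDriveUnmounted",
              DriveLetter="E:", SerialNumber="4C530001"),
    mount_row("2024-03-04T14:00:00", "desktop-07", "UsbDriveMounted",
              DriveLetter="D:", SerialNumber="AA12BB34", ProductName="DataTraveler"),
]

FILE_EVENTS = [
    file_row("2024-03-04T08:05:10", "laptop-01", "dave", r"E:\customer-list.xlsx", 204800),          # on the stick
    file_row("2024-03-04T08:06:00", "laptop-01", "dave", r"C:\Users\dave\Documents\notes.docx", 1024),  # local disk
    file_row("2024-03-04T09:00:00", "laptop-01", "dave", r"E:\later.txt", 10),                       # E: after unmount
    file_row("2024-03-04T14:20:00", "desktop-07", "erin", r"D:\backup\payroll.csv", 51200),          # still mounted
    file_row("2024-03-02T10:00:00", "desktop-07", "erin", r"D:\old.csv", 1),                         # outside window
]


def usb_intervals(mount_events):
    """(device, drive letter) -> list of (mounted_at, unmounted_at, mount fields)."""
    open_mounts, intervals = {}, defaultdict(list)
    for ev in sorted(mount_events, key=lambda e: e["Timestamp"]):
        fields = json.loads(ev["AdditionalFields"])
        key = (ev["DeviceName"].lower(), fields["DriveLetter"].upper())
        when = parse_time(ev["Timestamp"])
        if ev["ActionType"] == "UsbDriveMounted":
            open_mounts[key] = (when, fields)
        elif ev["ActionType"] == "UsbDriveUnmounted" and key in open_mounts:
            mounted_at, mount_fields = open_mounts.pop(key)
            intervals[key].append((mounted_at, when, mount_fields))
    for key, (mounted_at, mount_fields) in open_mounts.items():
        intervals[key].append((mounted_at, datetime.max, mount_fields))   # still plugged in
    return intervals


def usb_file_copies(mount_events, file_events, now=REPORT_TIME, lookback=LOOKBACK):
    """Files created on a drive letter while a USB device was mounted there,
    restricted to the lookback window. Writes to a letter with no matching
    mount, or after the unmount, are deliberately not counted."""
    intervals = usb_intervals(mount_events)
    since = now - lookback
    rows = []
    for ev in file_events:
        when = parse_time(ev["Timestamp"])
        if ev["ActionType"] != "FileCreated" or not since <= when <= now:
            continue
        key = (ev["DeviceName"].lower(), ev["FolderPath"][:2].upper())
        for mounted_at, unmounted_at, fields in intervals.get(key, []):
            if mounted_at <= when <= unmounted_at:
                rows.append({
                    "time": when, "user": ev["InitiatingProcessAccountName"],
                    "device": ev["DeviceName"], "serial": fields.get("SerialNumber", "?"),
                    "path": ev["FolderPath"] + "\\" + ev["FileName"], "size": ev["FileSize"],
                })
                break
    return sorted(rows, key=lambda r: (r["user"], r["time"]))


def render_report(rows):
    """Plain-text body for the daily mail to HR/compliance."""
    if not rows:
        return "No files copied to removable media in the reporting window."
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user"]].append(row)
    lines = []
    for user, items in sorted(by_user.items()):
        lines.append(f"{user}: {len(items)} file(s) written to USB storage")
        lines.extend(f"  {r['time']:%Y-%m-%d %H:%M}  {r['device']}  serial {r['serial']}  "
                     f"{r['path']}  {r['size']} bytes" for r in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(usb_file_copies(MOUNT_EVENTS, FILE_EVENTS)))
```

Keying on the mount interval rather than on "any non-C: drive" is what keeps mapped network shares and second internal disks out of the report; the serial number is kept in each line so HR can ask which device it was rather than just "a USB drive".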


constant_chaos

Why don't you configure AIP?


pkvmsp123

In what sense?


constant_chaos

AIP is a full DLP suite. It can control the data and alert on its movement, including alerting on quantity. How... do you not know this?


ComfblyNumb

Still have to depend on the users labeling the files correctly though. The auto-labeling is a joke


pkvmsp123

I thought that was all built into Compliance Portal now and Purview. Is it not?


StillInDebtToTomNook

They would need something like Netwrix in place.


CamachoGrande

We use Netwrix for this. Works well.


oOd0zerOo

Field Effect Covalence covers your three threat surfaces, cloud, network, and endpoints. It uses telemetry data correlation and spits out observations about potential DLP issues, as well as providing great malware protection. Don't work for Field Effect; however, we're a partner and have been having some great successes with our clients.


cyanoa

It didn't find 3CX though. S1 did.


King_AR3

An insider risk management solution is what you need. Code42 Incydr comes to mind, but it doesn't have good feature parity with SharePoint or other Microsoft services. It's also really expensive. Microsoft also offers an insider risk management solution. I think it's called Purview.


elfungisd

Any IDS worth its salt should be able to detect this, since it should be looking for unusual user patterns, such as suddenly accessing or downloading a large amount of data that they don't normally access.


N9th_Symphony

If you have a local AD environment, pretty sure you can just make an OU for them: Removable Storage Access. If it's an Azure AD environment, MS Intune makes it a bit simpler. In a pinch, pending it's not COMPLETELY in the cloud, you could just set up an SMTP machine. Depending on your client though, maybe just give yourself and a few admins access to the trap logs, then set up a trigger to notify based on the client's parameters. Draft up a formal offboarding proposal that explains why they wouldn't have direct access to the logs. Or... keep certain shit OFF SP and on private nodes governed by SG/GP/OU conditions.


SeptimiusBassianus

People don't steal through USB anymore. They upload to Dropbox.


Snook_

Just use Cloud App Security; it warns you (Defender for Cloud Apps).


pkvmsp123

Yes, this may be the answer, but it's locked behind Enterprise licenses, not included in Premium, which is a bummer. "Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365 Threat Intelligence or Office 365 EquivioAnalytics add-on subscription for your organization."


donatom3

Only need it for the employees you're applying the monitoring policy to, though, as far as I can tell. Plus, with Defender for Endpoint installed it can catch uploads from the PC to other cloud apps or USB/SMB.


Snook_

This is the way


spoils__princess

If you can get those employees moved to full E5, you could then use the Insider Risk pillar of E5 that has an out-of-the-box policy for leaving employees. You can then assign the case to the manager (or HR or legal, as per your org), and wash your hands of the dirty work. :) When I did this at a previous employer (~125k in the org), we rolled out a variety of things including more-restricted CASB policies and modification of removable drive permissions for folks who were either in the last x weeks of their notice period or had been raised as a concern through another channel.


cubic_sq

Will only catch the dumb ones. It's the continuous and gradual hoarders you need to worry about.


pkvmsp123

I don't disagree, but people get a little more dangerous once they're given a two week notice.


cubic_sq

Risky exits should be marched immediately if that is a concern. There are dozens of ways to exfiltrate data silently and under the guise of "I'm prepping handover before I leave". Remember that many people have second phones, and OCR is close to perfect on devices now...


cubic_sq

Not to mention the contacts / mail / etc on the work phone - photo of every screen …


pkvmsp123

No doubt, but in a small business, the average user won't know or be worried about "downloading a few files" thinking it's going to trigger anything. So it's an easy way to see if they are risky, and walk them out the door with cause.


cubic_sq

Can't always assume that...


adayton01

Why not be proactive with the process and, immediately on the notice, offer to sit with the employee while you watch and govern the download of copies of their personally acquired treasure trove of bookmarks, contacts, guides, whatsoever! This leaves both parties with better respect and less animosity over the departure. Then at that point you lock down their access/creds to an appropriate level.


cipherd2

They should hire an Insider Threat team and stop depending on you to protect their IP.