Real-World Cybersecurity Success
Explore Neko Security's Case Studies and see our proven cybersecurity solutions in action. From advanced threat detection to robust security infrastructure design, these stories demonstrate how our specialist team delivers tangible results. Discover how we protect businesses from evolving cyber threats with our expert-led approach.

CLIENT
A Leading Multinational Education Provider, with a significant global footprint and a commitment to protecting the Personally Identifiable Information (PII) of its vast student and staff base, embarked on a critical initiative to enhance its data security. The organization sought to implement robust Data Loss Prevention (DLP) capabilities within its Microsoft 365 environment to gain visibility and control over sensitive data, particularly passport details, shared externally. This proactive measure aimed to safeguard critical information and ensure responsible data handling across its international operations.
THE IMPERATIVE: GAINING VISIBILITY AND CONTROL OVER SENSITIVE DATA
In an increasingly complex digital landscape, the Education Provider recognized the paramount importance of preventing accidental or unauthorized sharing of sensitive information. The primary goal of this initial DLP implementation was to detect passport details being shared externally via email, SharePoint/OneDrive, or Teams chat and channels. This would provide crucial visibility into how critical data was leaving the organization and lay the foundation for a mature data protection program.
CHALLENGE
The Multinational Education Provider faced several key challenges in safeguarding its sensitive data:
Lack of Visibility into Data Exfiltration: Without dedicated DLP policies, the organization had limited insight into how and where sensitive information, such as PII, was being shared outside its M365 environment.
Risk of Accidental Exposure: Employees might unintentionally share sensitive data with external parties via email, file-sharing services, or messaging platforms, potentially leading to data breaches or compliance violations.
Need for a Staged Approach: Implementing DLP effectively requires a phased rollout to ensure accuracy and minimize disruption. The Provider needed a strategy that would first focus on detection and awareness before moving to more restrictive controls.
Integration with Security Operations: DLP alerts needed to be effectively managed and responded to by the Security Operations Center (SOC) team, requiring integration with their existing SIEM platform, Splunk ES.

SOLUTION
Neko Security partnered with the Education Provider to implement and configure Microsoft 365 DLP policies, alongside a Splunk ES correlation search for streamlined alert management. The solution focused on providing immediate visibility and establishing a robust process for handling DLP events.
M365 DLP POLICY CONFIGURATION
Neko Security configured targeted DLP policies within the Microsoft Purview console to detect the external sharing of passport details across key M365 services:
Exchange Email DLP: Policies were established to monitor all M365 Exchange Email communications for selected sensitive information shared with external recipients. Rules were defined for both high and low volumes of PII, with corresponding severity levels for alerts.
SharePoint/OneDrive DLP: Similar policies were applied to all M365 SharePoint sites and OneDrive accounts to detect targeted sensitive information shared externally. These also differentiated between high and low volume sharing scenarios.
Teams Chat and Channel DLP: The DLP coverage was extended to M365 Teams chat and channel messages, monitoring for external sharing and triggering alerts based on volume.
Monitoring Mode Deployment: Initially, all policies were deployed in "Test without notifications" mode. This allowed the organization to gain visibility, promote user awareness, and refine business processes without impacting end-users, aligning with a phased DLP maturity approach.
SPLUNK ES INTEGRATION FOR ENHANCED ALERTING & RESPONSE
To ensure that DLP alerts were efficiently managed by the SOC team, Neko Security developed and configured a correlation search in Splunk Enterprise Security:
Centralized Alerting: DLP events from M365 are ingested into the Provider’s Splunk ES instance.
Targeted Notable Events: A specific correlation search was created to analyze these events and generate notable events for the SOC team, focusing on PII sent to external domains not on the approved list (allowlist); sharing with approved partner domains stays in the DLP reports without raising a notable.
Enriched Event Details: The notable events in Splunk ES provide enriched information, including the type of PII, sender, destination domain, and drill-down capabilities for analysts to investigate further.
Defined Remediation Process: Neko Security also documented a detailed DLP event response and remediation manual, guiding analysts through initial assessment, investigation, remediation actions, and reporting. This includes templates for email notifications and a flowchart outlining the process.
This comprehensive solution provided the Education Provider with the tools and processes to detect, analyze, and respond to potential data loss incidents effectively.
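The triage logic of such a correlation search, shown here as an added Python example rather than the Splunk ES search Neko Security built (which would be written in SPL): each DLP event is checked against an allowlist of approved domains, matched label by label so that a look-alike domain is not mistaken for an approved one, and every event that reached an unapproved destination becomes a notable carrying the PII type, sender, destination domain and a high/low severity derived from the match count. The event field names, the threshold, the approved domains and the sample events are all constructed for the example, not taken from the Provider's tenant.

```python
"""Allowlist triage of Microsoft 365 DLP events into SOC notable events.

Added example modelled on the correlation search described in the case study;
it is not Neko Security's search. Field names (sender, recipients,
sensitive_info, workload), the volume threshold, the allowlist and the sample
events are assumptions constructed for this example.
"""
from dataclasses import dataclass

# The organisation's own domain plus approved external partners (assumed).
APPROVED_DOMAINS = frozenset({
    "edu-provider.example",
    "partner-university.edu",
    "print-vendor.example",
})

# Match counts at or above this are "high volume", below it "low" (assumed).
HIGH_VOLUME_THRESHOLD = 10


@dataclass(frozen=True)
class NotableEvent:
    """Enriched record handed to the SOC analyst."""
    severity: str
    workload: str
    event_id: str
    sender: str
    destination_domains: tuple  # unapproved recipient domains only
    pii_types: tuple
    match_count: int


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address or UPN."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def is_approved(domain: str, approved=APPROVED_DOMAINS) -> bool:
    """True if the domain or any parent domain is on the allowlist.

    Comparison is by whole labels: 'mail.partner-university.edu' is covered
    by 'partner-university.edu', but 'notpartner-university.edu' is not,
    which a naive endswith() check would wrongly accept.
    """
    labels = domain.split(".")
    return any(".".join(labels[i:]) in approved for i in range(len(labels)))


def triage(events, approved=APPROVED_DOMAINS, threshold=HIGH_VOLUME_THRESHOLD):
    """Return one NotableEvent per DLP event that reached an unapproved domain."""
    notables = []
    for ev in events:
        domains = {domain_of(r) for r in ev["recipients"]}
        unapproved = sorted(d for d in domains if not is_approved(d, approved))
        count = sum(m["count"] for m in ev["sensitive_info"])
        if not unapproved or count == 0:
            continue  # approved destinations only: no notable raised
        notables.append(NotableEvent(
            severity="high" if count >= threshold else "low",
            workload=ev["workload"],
            event_id=ev["id"],
            sender=ev["sender"],
            destination_domains=tuple(unapproved),
            pii_types=tuple(sorted({m["type"] for m in ev["sensitive_info"]})),
            match_count=count,
        ))
    return notables


# Constructed DLP events; the PII type names follow Purview's built-in
# sensitive information types but the data itself is made up.
SAMPLE_EVENTS = [
    # Internal-only mail: never leaves the tenant.
    {"id": "e1", "workload": "Exchange", "sender": "registrar@edu-provider.example",
     "recipients": ["dean@edu-provider.example"],
     "sensitive_info": [{"type": "Australia Passport Number", "count": 3}]},
    # Approved partner reached via a subdomain: no notable.
    {"id": "e2", "workload": "Exchange", "sender": "admissions@edu-provider.example",
     "recipients": ["intake@mail.partner-university.edu"],
     "sensitive_info": [{"type": "U.S. / U.K. Passport Number", "count": 1}]},
    # Bulk send to a personal mailbox: high-volume notable.
    {"id": "e3", "workload": "Exchange", "sender": "registrar@edu-provider.example",
     "recipients": ["someone@webmail.example"],
     "sensitive_info": [{"type": "Australia Passport Number", "count": 8},
                        {"type": "EU Passport Number", "count": 4}]},
    # Look-alike domain: must not be treated as the approved partner.
    {"id": "e4", "workload": "Teams", "sender": "agent@edu-provider.example",
     "recipients": ["contact@notpartner-university.edu"],
     "sensitive_info": [{"type": "U.S. / U.K. Passport Number", "count": 2}]},
    # SharePoint share to a mixed list: only the unapproved domain is reported.
    {"id": "e5", "workload": "SharePoint", "sender": "hr@edu-provider.example",
     "recipients": ["ops@print-vendor.example", "x@Webmail.Example"],
     "sensitive_info": [{"type": "Australia Passport Number", "count": 1}]},
]

if __name__ == "__main__":
    for notable in triage(SAMPLE_EVENTS):
        print(notable)
```

Running the block yields three notables (e3 high, e4 and e5 low); e1 and e2 are suppressed because every recipient domain is approved. The label-wise allowlist check is the part worth carrying into the real SPL search, since a substring or suffix match on the destination domain is the usual way such searches silently miss look-alike domains.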
RESULTS & IMPACTS
The implementation of M365 DLP policies and Splunk ES integration by Neko Security delivered immediate and ongoing value to the Multinational Education Provider:
Increased Visibility of Sensitive Data Flows: The organization gained crucial insight into how and where passport information was being shared externally across email, SharePoint, OneDrive, and Teams.
Foundation for Data Protection Maturity: This initial phase established a baseline for DLP, allowing the Provider to understand its data exposure, educate users, and refine business processes involving sensitive information.
Streamlined SOC Operations: The integration with Splunk ES and the provision of a detailed remediation manual enable the SOC team to efficiently investigate and respond to DLP notable events.
Proactive Risk Reduction: By detecting the external sharing of PII, the Provider can now proactively address potential data breaches, ensure compliance with data protection regulations, and protect its reputation.
Informed Future Enhancements: The insights gained from this first phase will inform subsequent phases of DLP deployment, such as expanding the types of sensitive information monitored, implementing endpoint DLP, and automating response actions.
Enhanced Security Awareness: The process of investigating DLP alerts and involving business users and managers helps to promote greater awareness of data security best practices throughout the organization.

“Your team has done a great job and we are more than happy with the outcome. We look forward to extending this and working with the team on other initiatives.”
Global Educator
Head of Cyber Security Defence
We provide leading solutions & expertise to protect your business from current & emerging threats.
447 Collins Street, Melbourne

