Critical Use Cases of DSPM
Limited Availability: To access DSPM Data Explorer, contact Skyhigh Support.
Achieve Unified Enterprise Data Visibility
Goal: To display a comprehensive view of data risk across all enterprise environments, including both sanctioned and Shadow IT services.
Use Case: A Security Operations Center (SOC) administrator is tasked with investigating the organization's data landscape, with a particular focus on Payment Card Industry (PCI) data held in unsanctioned services. The SOC needs to identify which services are receiving PCI data, which users are involved in that access, how the data is distributed across the organization, and which file types carry it. This information is needed for PCI DSS compliance and for safeguarding cardholder data.
How to achieve this?
Using the integrated SSE/CASB capabilities, Data Explorer displays data classified as 'PCI data' that has been uploaded to unsanctioned services such as personal Dropbox or Google Drive accounts, or to communication apps such as Facebook or personal Slack workspaces. From this view the SOC can identify which unsanctioned services hold PCI data, the users involved, the distribution of that data across the organization, and the object types associated with it.
To assist SOC with the investigation of high-risk PCI data on unsanctioned services, refer to the detailed use case on About Data Explorer.
Enable Effective AI Service Data Governance
Goal: To establish comprehensive control and visibility for sensitive data as it interacts with both external and internal AI or GenAI services.
Use Case for External AI: Consider an employee attempting to paste sensitive data, such as source code or customer lists containing Protected Health Information (PHI), into an unmanaged AI service like ChatGPT. A SOC analyst requires a solution that prevents data leakage by blocking such uploads preemptively.
How to achieve this?
Using the SSE/Web capability, File Upload Prescan lets an organization define policies that are evaluated before content leaves the browser. When a user attempts to paste sensitive content, such as source code or a customer list containing PHI, into an unmanaged AI service like ChatGPT, the prescan classifies the content, flags the attempt, and blocks the upload in real time, so the data never reaches the service. This addresses the shadow IT risk created by the growing use of generative AI tools. To establish controls and define policies for external AI services, see Enable Real-Time DLP Scan for Files Uploaded via Browser.
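To make the prescan step concrete, the following added example (not Skyhigh code, and not the product's classifier) shows the kind of content check a browser prescan runs on pasted text before an upload is allowed: it finds candidate card numbers, applies the Luhn check so that arbitrary 16-digit strings are not misclassified as PCI data, and blocks the paste when the destination is an unmanaged AI service. The pasted text, the destination list, and the 'block' decision structure are constructed for the example; the card numbers are well-known test PANs.

```python
import re

# Constructed sample of text a user might paste into a chat form. The 16-digit
# values are standard test PANs (they pass Luhn); the "Ticket ref" number does not.
PASTED_TEXT = """
Q3 refund batch
4111 1111 1111 1111, J. Doe, refund 120.00
5500-0000-0000-0004, A. Roe, refund 45.10
Ticket ref 1234 5678 9012 3456 (not a card, fails Luhn)
"""

# Assumed list of unmanaged AI destinations; a real deployment takes this from
# the service catalogue rather than hard-coding it.
UNMANAGED_AI_HOSTS = {"chatgpt.com", "chat.openai.com"}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalised PANs in text that look like cards and pass Luhn."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four so an incident record never stores the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prescan(text: str, destination_host: str) -> dict:
    """Decide what to do with a paste before it is submitted to the destination."""
    pans = find_pans(text)
    if not pans:
        return {"action": "allow", "classification": None, "evidence": []}
    evidence = [mask(p) for p in pans]
    if destination_host in UNMANAGED_AI_HOSTS:
        return {"action": "block", "classification": "PCI", "evidence": evidence}
    # Sensitive content to a managed destination: let it through but record it.
    return {"action": "allow-with-incident", "classification": "PCI", "evidence": evidence}


if __name__ == "__main__":
    print(prescan(PASTED_TEXT, "chatgpt.com"))
```

The Luhn check is what separates a PCI detector from a "sixteen digits in a row" detector: the ticket reference in the sample would otherwise be reported as a card number and the block would be a false positive that users learn to resent. Masking in the incident record matters as well, since the DLP log must not itself become a store of cardholder data.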
Use Case for Internal AI: Consider a scenario where a finance team inadvertently uploads high-risk documents, such as executive merger documents, and shares them with an internal AI service like Microsoft Copilot for quick summarization and information extraction. The SOC needs a mechanism to keep these high-risk files out of the content that Copilot and similar employee-accessible AI assistants can retrieve and summarize, effectively enforcing the principle of "Least Privilege for AI."
How to achieve this?
- Enforce DLP with Integrated SSE/CASB: Use the integrated SSE/CASB capabilities to define Data Loss Prevention (DLP) policies that prevent services like Copilot from accessing sensitive data, which directly enforces the least privilege principle for AI. In addition, use AIP labels within Skyhigh CASB DLP policies for Office 365 applications to protect labeled sensitive files from Copilot. For detailed steps on securing sensitive data from being shared with Microsoft 365 Copilot, see DLP for Microsoft 365 Copilot.
- Validation with Data Explorer: Use Data Explorer to validate that high-risk files (e.g., executive merger documents) are not being accessed by Copilot. Filter Services to "Microsoft Copilot" in the Data Explorer dashboard to view the data distribution together with the source data, then check the risk distribution and data distribution charts to confirm that sensitive organizational data is not exposed to internal AI services. For more details on Data Explorer, see Introduction to Data Explorer.
Prevent the Upload of High Risk Data to Risky Destinations/Services
Goal: To block the uploading of highly confidential data to destination services or applications identified as high-risk.
Use Case: An employee attempts to upload a signed Non-Disclosure Agreement (NDA) to a potentially risky application, such as ChatGPT. The system first tags the file as 'Highly Confidential.' A high data risk score is then assigned because of the destination service's inherent risk (ChatGPT). The SOC needs a solution to proactively stop the upload of such high-risk files to risky web services.
How to achieve this?
Use the SSE/Web capability to implement a policy that blocks uploads of any sensitive file to web applications with a high risk score (e.g., above 7 out of 10). This is achieved through Risky Application filtering using Service Groups within the Web DLP policy. For configuring the policy to block access to applications in these service groups, see Application Blocking.
Monitor Data Used by Risky Users
Goal: To monitor all data accessed, created, or shared by a particular high-risk user and to prevent that user from sharing or downloading data.
Use Case: A departing employee, considered high-risk by SOC, has recently accessed a large volume of sensitive data, including 500 PCI records and 2000 PII files. This user was also the last editor of the 'Q4 Earnings Projections' document. The SOC needs to actively monitor this user's data access and recent activities, and crucially, prevent any data downloads.
How to achieve this?
- Monitoring Data Access and Activity using DSPM/Data Explorer: Using the DSPM/SSE capabilities, the SOC can filter Risk to High in the Data Explorer dashboard to see the data accessed by the high-risk user and the activity performed through each service. For more details on Data Explorer, see Introduction to Data Explorer.
- Preventing Data Downloads (SSE/Web): Using the SSE/Web capabilities, the SOC can implement an SSE/Web DLP policy:
- Create a web policy targeting the user group that contains departing employees.
- Define a custom service group containing the cloud services from which downloads are to be blocked.
- Set the response action to block downloads from these services on any download attempt. For details on configuring the policy to restrict user access to custom services, see Create Shadow/Web DLP Policy.
With this combination, the departing user's download attempts across the selected cloud services are blocked, and each attempt is flagged as a High-Priority Incident under Policy Incidents for forensic review. Because the enforcement decision and the incident record come from the same integrated policy, the Security and IT teams no longer need to correlate logs manually to reconstruct what the user attempted.
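The two web DLP policies described on this page (blocking sensitive uploads to applications whose risk score is above a threshold, and blocking downloads by a departing-employee group from a custom service group) share one evaluation model. The following added example (illustrative code, not Skyhigh's policy engine or its API) implements that model over constructed events: a risk-scored service catalogue from which the "risky applications" group is derived, a hand-defined custom service group, user groups, and ordered rules that return both the enforcement action and the incident priority to record. The threshold, scores, service names, and group names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed service catalogue: risk scores on a 1-10 scale (illustrative values).
SERVICE_RISK = {
    "chatgpt.com": 8,
    "dropbox.com (personal)": 9,
    "box.com (personal)": 7,   # sits exactly on the threshold, see boundary test
    "office365.com": 2,
    "salesforce.com": 3,
}

# Page example: block sensitive uploads to apps with a risk score above 7.
RISKY_APP_THRESHOLD = 7

# Custom service group for the departing-employee policy (assumed membership).
DEPARTING_RESTRICTED_SERVICES = {"office365.com", "salesforce.com"}

SENSITIVE_CLASSIFICATIONS = {"Highly Confidential", "PCI", "PII", "PHI"}


def risky_applications() -> set[str]:
    """Service group derived from the catalogue rather than maintained by hand."""
    return {svc for svc, score in SERVICE_RISK.items() if score > RISKY_APP_THRESHOLD}


@dataclass(frozen=True)
class Event:
    user: str
    groups: frozenset           # directory groups the user belongs to
    service: str
    action: str                 # "upload" | "download" | "share"
    classification: str         # label assigned by content inspection


@dataclass(frozen=True)
class Decision:
    action: str                 # "allow" | "block"
    rule: Optional[str]
    incident_priority: Optional[str]


# Rules are evaluated in order; the first match wins.
RULES: list[tuple[str, Callable[[Event], bool], str]] = [
    (
        "Block sensitive uploads to risky applications",
        lambda e: e.action == "upload"
        and e.classification in SENSITIVE_CLASSIFICATIONS
        and e.service in risky_applications(),
        "High",
    ),
    (
        "Block downloads by departing employees",
        lambda e: e.action == "download"
        and "departing-employees" in e.groups
        and e.service in DEPARTING_RESTRICTED_SERVICES,
        "High",
    ),
]


def evaluate(event: Event) -> Decision:
    for name, matches, priority in RULES:
        if matches(event):
            return Decision("block", name, priority)
    return Decision("allow", None, None)


def incident_record(event: Event, decision: Decision) -> Optional[dict]:
    """What lands in Policy Incidents for a blocked event; None when allowed."""
    if decision.action != "block":
        return None
    return {
        "priority": decision.incident_priority,
        "rule": decision.rule,
        "user": event.user,
        "service": event.service,
        "action": event.action,
        "classification": event.classification,
    }


if __name__ == "__main__":
    nda = Event("j.doe", frozenset({"legal"}), "chatgpt.com", "upload", "Highly Confidential")
    print(evaluate(nda), incident_record(nda, evaluate(nda)))
```

Deriving the risky-application group from the catalogue score rather than listing services by hand is the point of the first rule: when a service's score changes, the policy follows without an edit. The boundary event below (a score of exactly 7 with an "above 7" rule) is worth keeping as a regression check, because off-by-one disagreements between "above" and "at or above" are where such policies quietly stop protecting a service.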
Monitor PCI Data Residence and Usage
Goal: To identify the risks associated with sensitive data by continuously monitoring access and ownership, thereby preventing unauthorized access.
Use Case: A key security requirement for the SOC admin is to monitor data ownership and access, especially when analysts who are not authorized to handle cardholder data are listed as owners. The SOC admin needs visibility into who owns or has recently accessed the PCI data.
How to achieve this?
Utilizing DSPM/Data Explorer capabilities, the Data Explorer immediately identifies policy violations, assigns a corresponding risk score, and provides a detailed view of data classified as PCI data. This includes:
- The exact count of all files containing PCI Data (Cardholder Data, Primary Account Numbers).
- Details of the cloud services accessed.
- Information on users who own or have recently accessed the data. For more details on Data Explorer, see Introduction to Data Explorer.
The SOC administrator can use the following steps within the Data Explorer dashboard to analyze PCI data residence and usage:
- Overview of Discovered Data: Go to the Chart or Table View, which provides an overview of discovered data. The Chart View is recommended for a streamlined investigation in this scenario.
- Filter by Classification: Apply the Classifications filter to identify data categorized as PCI.
- Analyze Distribution: Examine the Distribution by Object Type metrics to see which file types (Document, PowerPoint, Spreadsheet, etc.) carry PCI data and the exact count of files for each. Knowing which formats hold the most cardholder data, and how many files are involved, lets the SOC prioritize controls for those formats and repositories first.
- Review Access Details: From the Services and Users tables, find the specific services and users that have accessed the data recently, and compare the listed owners against the people authorized to handle cardholder data.

Manage Data Distribution and Assets
Goal: To manage data risk effectively by building a complete picture of data distribution: data types, data sizes, and locations, together with their sensitivity levels.
Use Case: A SOC admin needs to analyze the distribution of sensitive data across the organization. This information is crucial for optimizing security policies, pinpointing high-risk areas, and ensuring compliance.
How to achieve this?
Utilizing the DSPM/Data Explorer capabilities, the SOC admin can use the following steps within the Data Explorer dashboard to analyze the data distribution:
- Overview of Discovered Data: Go to the Chart or Table View, which provides an overview of discovered data. The Chart View is recommended for a streamlined investigation in this scenario.
- Filter by Classification: Apply the Classifications filter to identify data classified as PII, PHI, financial data, Merger and Acquisition, or intellectual property.
- Analyze Distribution: Examine the Distribution by Object Type metrics to see how sensitive data is spread across file formats (e.g., the ratio of PDF files to XLSX files containing PII). This analysis enables DLP policy tuning by document type. For instance, discovering that key intellectual property is stored predominantly in DWG (CAD) files within a specific design repository allows security efforts to be focused there.
- Analyze Size Distribution: Examine the Distribution by Object Size (MB) to identify large objects (e.g., over 100 MB) that contain PII. These are often archived datasets or database backups, and each one is a single high-value target. Identifying and securing these "whales" is a priority for the SOC admin. For more details on Data Explorer, see Introduction to Data Explorer.
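The PCI residence procedure above and this distribution procedure are the same analysis run with different filters. The following added example (not Skyhigh code, and not the Data Explorer implementation) runs that analysis over a constructed inventory of discovered objects: filter by classification, count by object type and by size bucket, pull out the oversized "whales", summarize which services and users hold or recently touched the data, and flag owners who are not on an authorized list. The inventory, the size buckets, and the authorized-owner set are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DataObject:
    name: str
    object_type: str
    size_mb: float
    classifications: frozenset
    service: str
    owner: str
    last_accessed_by: str


# Constructed inventory standing in for what discovery would return.
INVENTORY = [
    DataObject("cardholder_export.xlsx", "Spreadsheet", 12.5, frozenset({"PCI"}), "office365.com", "alice", "bob"),
    DataObject("q4_refunds.pdf", "Document", 1.2, frozenset({"PCI", "PII"}), "box.com", "carol", "carol"),
    DataObject("customers_2019_backup.zip", "Archive", 840.0, frozenset({"PII"}), "aws-s3", "dave", "dave"),
    DataObject("pricing_deck.pptx", "PowerPoint", 8.0, frozenset({"Confidential"}), "office365.com", "erin", "frank"),
    DataObject("enclosure_v3.dwg", "CAD", 150.3, frozenset({"Intellectual Property"}), "design-repo", "grace", "grace"),
    DataObject("merger_memo.docx", "Document", 0.4, frozenset({"M&A"}), "office365.com", "heidi", "copilot"),
]

# Assumed: the only people permitted to own cardholder data.
PCI_AUTHORIZED_OWNERS = {"alice"}


def filter_by_classification(inventory, label):
    return [o for o in inventory if label in o.classifications]


def distribution_by_type(objects):
    return dict(Counter(o.object_type for o in objects))


def size_bucket(size_mb):
    if size_mb < 1:
        return "<1 MB"
    if size_mb < 10:
        return "1-10 MB"
    if size_mb < 100:
        return "10-100 MB"
    return ">100 MB"


def distribution_by_size(objects):
    return dict(Counter(size_bucket(o.size_mb) for o in objects))


def whales(objects, min_mb=100.0):
    """Largest-first list of objects at or above min_mb, the single high-value targets."""
    return sorted((o for o in objects if o.size_mb >= min_mb), key=lambda o: -o.size_mb)


def access_summary(objects):
    """Counts that mirror the Services and Users tables."""
    return {
        "services": dict(Counter(o.service for o in objects)),
        "owners": dict(Counter(o.owner for o in objects)),
        "recent_accessors": dict(Counter(o.last_accessed_by for o in objects)),
    }


def unauthorized_owners(objects, authorized):
    """Objects whose owner is not on the authorized list, named by object."""
    return {o.name: o.owner for o in objects if o.owner not in authorized}


if __name__ == "__main__":
    pci = filter_by_classification(INVENTORY, "PCI")
    print(distribution_by_type(pci))
    print(access_summary(pci))
    print(unauthorized_owners(pci, PCI_AUTHORIZED_OWNERS))
    print([w.name for w in whales(filter_by_classification(INVENTORY, "PII"))])
```

The owner check is the step the PCI residence use case is really about: a count of PCI files is only useful once it is joined to who owns and who recently accessed them, and the join is where an unauthorized owner becomes visible.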

Perform File Search by Digest/Hash (Forensic Integrity)
Goal: To use a deep, forensic-level search capability to detect data exfiltration and resist common evasion techniques like file renaming.
Use Case: A SOC team suspects a departing, high-risk employee of exfiltrating sensitive customer data. However, the employee has renamed the Customer_DB.xlsx file to Vacation_Photos.jpg to bypass basic Data Loss Prevention (DLP) solutions that rely solely on file names or extensions. The SOC needs a reliable method to identify all instances of this specific stolen data, regardless of its filename or location across the enterprise.
How to achieve this?
Utilizing DSPM/Data Explorer capabilities, the Data Explorer dashboard provides an option to search files by Digest/Hash, enabling the SOC team to effectively detect data exfiltration.
- Obtain the Hash: The SOC team first computes the SHA-256 hash (or another supported cryptographic digest) of the original Customer_DB.xlsx file, which is known to contain the sensitive customer database.
- Search by Digest/Hash: Apply the Digest/Hash filter to search for that exact SHA-256 value.
- Identify Exfiltrated Data: Data Explorer lists every instance of the file whose content produces the same hash, even where it has been renamed to Vacation_Photos.jpg, because the match is made on the content's digest rather than on its name or extension. For more details on Data Explorer, see Introduction to Data Explorer.
This capability gives the investigation a reliable, content-based match: every byte-identical copy of the critical data object is found, regardless of filename or location. Note that the digest changes if the content changes at all (for example, if the file is re-saved, compressed, or has rows removed), so a hash search finds exact copies rather than derived versions; those still have to be caught by content classification. The SOC can then take immediate action, such as quarantining the files, revoking access, and opening a thorough insider-threat investigation. This process is vital for incident response and for preventing further data loss.
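To show exactly what a digest search does and does not catch, the following added example (illustrative code, not Skyhigh's implementation) builds a small constructed directory tree containing the original spreadsheet, a byte-identical copy renamed to Vacation_Photos.jpg, a copy with a single byte appended, and an unrelated file, then indexes the tree by streaming SHA-256 and looks up the original's digest. The file contents and paths are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16  # stream in 64 KiB chunks so large backups do not need to fit in memory


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root) -> dict[str, list[str]]:
    """Map digest -> relative paths of every regular file under root."""
    root = Path(root)
    index: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if p.is_file():
            index.setdefault(sha256_file(p), []).append(p.relative_to(root).as_posix())
    return index


def find_copies(root, digest: str) -> list[str]:
    """Every file under root whose content hashes to digest, whatever its name."""
    return sorted(index_tree(root).get(digest, []))


def build_sample_tree() -> Path:
    """Constructed sample data: the sensitive spreadsheet, an identical renamed copy,
    a copy altered by one byte, and an unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="dspm_hash_"))
    original = b"id,name,card_last4\n1,J. Doe,1111\n2,A. Roe,0004\n" * 50
    (root / "finance").mkdir()
    (root / "finance" / "Customer_DB.xlsx").write_bytes(original)
    (root / "personal").mkdir()
    (root / "personal" / "Vacation_Photos.jpg").write_bytes(original)          # renamed, byte-identical
    (root / "personal" / "Vacation_Photos_2.jpg").write_bytes(original + b"\n")  # one byte appended
    (root / "personal" / "notes.txt").write_bytes(b"nothing to see here\n")
    return root


def demo():
    """Return (digest of the original, paths that match it) for the sample tree."""
    root = build_sample_tree()
    digest = sha256_file(root / "finance" / "Customer_DB.xlsx")
    return digest, find_copies(root, digest)


if __name__ == "__main__":
    digest, copies = demo()
    print(digest)
    print(copies)
```

The renamed copy is found and the one-byte variant is not, which is the behaviour to expect from any exact-digest search: it is immune to renaming but not to editing, re-saving or recompression. Treat the hash search as the fast, high-confidence first pass and follow it with content classification (or a similarity digest such as ssdeep or TLSH, outside the scope of this page) to find derived copies.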
