Become an Insider Risk Management Ninja
**Insider Risk Management is a solution in Microsoft Purview. Some assets and past recordings may refer to it as Insider Risk Management in Microsoft 365 or in Microsoft Compliance; these all refer to the same solution.**
**Updated September 2024**
In this Ninja page, we share the top resources for Insider Risk Management users to become more proficient with the Microsoft Purview Insider Risk Management solution.
We are very excited and pleased to announce this edition of the Ninja Training Series. There are several videos and resources available, and the overall purpose of the Insider Risk Management Ninja training is to provide the relevant resources to get started and become more proficient in this area.
After each section, there will be a knowledge check based on the training material you’ve just finished! Since there’s a lot of content, the goal of these knowledge checks is to help you determine if you were able to get a few of the major key takeaways.
Lastly, this training will be updated on a semi-annual basis to ensure you all have the latest and greatest material! We are continuously delivering product updates, so you should check both the public roadmap and Message Center posts to stay up to date.
Let us know what you think below in the comments!
Latest Insider Risk blog is at: https://aka.ms/insiderriskblog
All Insider Risk Management Blogs
Legend:
- VIDEO - Product videos
- WEBCAST - Webcast recordings
- COMMUNITY - Tech Community
- DOC - Docs on Microsoft
- BLOG - Blogs on Microsoft
- GITHUB - GitHub
- NEW - New/updated items
- GUIDE - Interactive guides
- LEARN - Learning path
- EXT - External sites
- PODCAST - Podcast
Why do I need Insider Risk Management?
We are operating in the most sophisticated threat landscape ever seen, and coupled with the latest great disruption—hybrid work—security is more challenging than ever. Protecting your organization from external threats is only one piece of the puzzle. You also must protect your organization from the inside out, another facet of “assume breach” in your Zero Trust approach. Insider risks can be malicious or inadvertent, but they all impact one of your organization’s most important assets: your data. Based on recent surveys, we know that more than 60% of insider threat incidents were the result of employee carelessness. In the 2022 Cost of Insider Threats: Global Report, the Ponemon Institute found that the average cost of activities to resolve an insider incident was $15.4M USD and that it took an average of 85 days to contain an incident. The 2021 Verizon Data Breach Investigations Report showed that >20% of security breaches are due to internal actors. Research from Carnegie Mellon University’s CyLab in 2021, with support from Microsoft, found that a majority of surveyed organizations had experienced over five malicious insider threat incidents in the last year (69 percent of respondents), and over 10 inadvertent or data misuse incidents (58 percent of respondents). In a study from Predicts 2023: Cybersecurity Industry Focuses on the Human Deal, 90% of employees who admitted undertaking a range of unsecure actions knew that their actions would increase risk to the organization and undertook the actions anyway. Gartner® predicts, “By 2025, insider risk will cause 50% of organizations to adopt formal programs to manage it, up from 10% today.”**
- NEW - BLOG - Microsoft a Leader in the 2023 Forrester Wave™ for Data Security Platforms
- BLOG - How Microsoft can help reduce insider risk during the Great Reshuffle
- NEW - BLOG - Microsoft Purview data security mitigations for BazaCall and other human-operated data exfiltration attacks
- VIDEO - Holistic approach to risk detection and prevention
- VIDEO - Insider risk management overview
- DOC - Why is Insider Risk important
- EXT - Your Biggest Cybersecurity Risks Could Be Inside Your Organization (hbr.org)
- BLOG - Data Security Index
- NEW - VIDEO - Corporate espionage Incident
- NEW - DOC - Top insights and best practices from the new Microsoft Data Security Index report
Ready for the Why do I need Insider Risk Management knowledge check?
Overview
Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization. Risk analysts and investigators in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.
- VIDEO - Insider Risk Management walkthrough
- BLOG - Insider risk management in Microsoft 365
- VIDEO - Manage data risks from employee insiders with Microsoft Purview
- NEW - VIDEO - Microsoft Secure 2023 Ep02: Manage insider risk in Microsoft Purview
- LEARN - Insider Risk Management Learning Path
- VIDEO - Manage risk and compliance with end-to-end security solutions
- NEW - PODCAST - 3 steps to build a data security strategy
- NEW - DOC - Empower data security teams to proactively manage insider risks across diverse digital estate
- EXT - Building an effective insider risk program
- EXT - Building a holistic Insider Risk Management program
Ready for the Overview knowledge check?
Getting Started
Use insider risk management policies to identify risky activities, and use its management tools to act on risk alerts in your organization. There are steps to help you get started with everything from permissions and analytics to easy policy creation and managing your policies. Once a potential risk is identified, an investigator can review the details of an alert and make a decision based on organizational policies.
Besides the traditional methods of supervising insider risks, Microsoft has launched Adaptive Protection, which uses machine learning and behavioral analytics to identify and mitigate potential insider threats. It observes user activities defined by the organization and adjusts its responses based on the recognized risk.
We hear from customers how valuable context is during a security investigation. With forensic evidence, an opt-in add-on to Insider Risk Management, security teams can get visual insights into potentially risky user actions that might lead to a data security incident, all while protecting user privacy. With customizable event triggers and built-in user privacy protection controls, the visual capturing capabilities of forensic evidence help security teams better investigate, understand, and respond to potential data security incidents such as unauthorized exfiltration of sensitive data. The benefit to customers is having more context available to support security investigations, which can drive accuracy and timely resolution, and can help in determining whether security and compliance incidents stem from willful or inadvertent actions, a stolen device, malware infections, or other security-related risks. We know that protecting the privacy of users who have policy matches is important and can help promote objectivity in data investigation and analysis reviews for insider risk alerts, which is why we offer pseudonymization, which is on by default.
- Solution Guide
- Licensing
- Permissions
- Understand your risk
- Setup Policies
- DOC - Get started with insider risk management
- DOC - Insider risk management settings
- VIDEO - Insider Risk Management policy configuration
- DOC - Insider risk management policies
- DOC - Get started with insider risk management forensic evidence
- DOC - Help dynamically mitigate risks with Adaptive Protection
- BLOG - Manage the most critical data security risks inside your organization with intelligent automation
- BLOG - Streamline the process to bring your own detections in Microsoft Purview Insider Risk Management
- NEW - BLOG - Manage insider risks in multi-cloud environments
- Investigate
- VIDEO - Insider Risk Management alert triage experience
- DOC - Investigate insider risk management activities
- DOC - Take action on insider risk cases
- VIDEO - Insider Risk Management investigation and escalation
- VIDEO - Identify and taking action on critical insider threats
- NEW - DOC - Review data with the insider risk management content explorer
- NEW - DOC - Manage the workflow with the insider risk management users dashboard
- NEW - BLOG - Supercharge security and compliance efficiency with Microsoft Security Copilot in Microsoft Purview
- NEW - BLOG - Empower multiple teams and prioritize investigations with Insider Risk Management
- NEW - BLOG - Harnessing the power of Generative AI to protect your data
- NEW - VIDEO - How Copilot for Security in Purview can help
- Audit
Ready for the Getting started knowledge check?
Adaptive Protection
Adaptive Protection in Microsoft Purview uses machine learning to identify and mitigate the most critical risks with the most effective data loss prevention (DLP) and/or Conditional Access protection controls, applied dynamically, saving security teams valuable time while ensuring better data security. Adaptive Protection helps increase risk mitigation by extending and managing the preventative options associated with detected risky actions through the capabilities provided by DLP and/or Conditional Access policies.
Adaptive Protection helps mitigate these potential risks by using:
- Context-aware detection. Helps identify the most critical risks with ML-driven analysis of both content and user activities.
- Dynamic controls. Helps enforce effective controls on high-risk users while others maintain productivity.
- Automated mitigation. Helps to minimize the impact of potential data security incidents and reduce admin overhead.
Adaptive Protection dynamically assigns appropriate DLP and/or Conditional Access policies to users based on the risk levels defined and analyzed by the machine learning models in insider risk management. With this new capability, static DLP and/or Conditional Access policies become adaptive based on user context, ensuring that the most effective policy, such as blocking data sharing, is applied only to high-risk users while low-risk users can maintain productivity. The policy controls constantly adjust, so when a user’s risk level changes, an appropriate policy is dynamically applied to match the new risk level.
- BLOG - Adaptive Protection in Microsoft Purview
- NEW - BLOG - Manage the most critical data security risks inside your organization with intelligent automation
- NEW - BLOG - A new era in data security with dynamic controls to manage data access and mitigate risks
- NEW - BLOG - Protect your data and recover from insider data sabotage
- DOC - Help dynamically mitigate risks with Adaptive Protection
- VIDEO - How Adaptive Protection can help identify and mitigate risk in your organization
- VIDEO - Risk-based automatic DLP policy adjustment with Adaptive Protection
- VIDEO - Can security be automatic for your files and data?
- NEW - VIDEO - Insider Risk Management Advanced Features Forensic Evidence and Adaptive Protection
- NEW - VIDEO - Insider Risk in Conditional Access | Microsoft Entra + Microsoft Purview Adaptive Protection
Ready for the Adaptive Protection knowledge check?
Forensic Evidence
Having visual context is crucial for security teams during forensic investigations to get better insights into potentially risky security-related user activities. With customizable event triggers and built-in user privacy protection controls, forensic evidence enables customizable visual activity capturing across devices to help your organization better mitigate, understand, and respond to potential data risks like unauthorized data exfiltration of sensitive data. You set the right policies for your organization, including what risky events are the highest priority for capturing forensic evidence, what data is most sensitive, and whether users are notified when forensic capturing is activated. Forensic evidence capturing is off by default and policy creation requires dual authorization.
Important:
Forensic evidence is an opt-in add-on feature in Insider Risk Management that gives security teams visual insights into potential insider data security incidents, with user privacy built in. Forensic evidence includes customizable event triggers and built-in user privacy protection controls, enabling security teams to better investigate, understand and respond to potential insider data risks like unauthorized data exfiltration of sensitive data.
Organizations set the right policies for themselves, including which risky events are highest priority for capturing forensic evidence and which data is most sensitive. Forensic evidence is off by default; policy creation requires dual authorization; and usernames can be masked with pseudonymization (which is on by default for Insider Risk Management). Setting up policies and reviewing security alerts within Insider Risk Management leverages strong role-based access controls (RBAC), ensuring that the designated individuals in the organization are taking the right actions, with additional auditing capabilities.
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
- NEW - DOC - Get started with insider risk management forensic evidence
- NEW - VIDEO - Insider Risk Management Advanced Features Forensic Evidence and Adaptive Protection
- NEW - DOC - Set up forensic evidence in Windows 365
- NEW - DOC - Manage insider risk management forensic evidence
- NEW - DOC - Learn about insider risk management forensic evidence
- NEW - GITHUB - Forensic Evidence Set-up
Ready for the Forensic Evidence knowledge check?
Connectors
Insider Risk Management collects several first-party signals without any additional agents to configure or set up. It can also get additional insights from endpoints, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. We can bring in additional insights from your HR system, physical badging platform, and Electronic Health Records (EHR) system to improve signal quality and increase the number of signals we are able to pull in. We recently announced the ability to import third-party insider risk detections with a connector. With the new Power Automate guidance for the HR data connector and the third-party connector, we are making it easier to automate some of this process.
- DOC - Insider risk indicators
- DOC - Onboard your endpoints (Windows)
- DOC - Onboard your endpoints (macOS)
- VIDEO - Setting up an HR Data connector
- DOC - Data Connector for physical badging connector
- DOC - HR data connector import (Improvements with Power Automate)
- DOC - Data connector for Healthcare EHR
- DOC - Data connector for Epic EHR
- DOC - Microsoft Defender for Endpoint
- DOC - Microsoft Defender for Cloud Apps
- DOC - Browser signal detection
- BLOG - Microsoft Security innovations to expand multi-cloud protection
- BLOG - Microsoft Inspire: Prepare for the future of security with AI
- DOC - Set up a connector to import third-party insider risk detections (preview)
- DOC - Custom indicators - Configure policy indicators in insider risk management
- BLOG - Streamline the process to bring your own detections in Microsoft Purview Insider Risk Management
- BLOG - Manage insider risks in multi-cloud environments
- NEW - BLOG - Seamlessly secure your data estate with Microsoft Purview
Ready for the Connectors knowledge check?
Integrating with other tools
Insider Risk Management can integrate with other tools such as Microsoft Communication Compliance, which can identify users who are sending inappropriate messages over work channels, such as threatening or harassing messages, and who could potentially become a risk to your organization. By leveraging these risk signals in Insider Risk Management policies, security teams can detect risky actions that may lead to a security incident. In addition to Communication Compliance, security information and event management (SIEM) integration with Insider Risk Management leverages the Office 365 Management APIs or Power Automate, which can be configured to take repeatable actions as part of the remediation process. If an alert warrants further investigation, you can escalate the policy violations seamlessly from Insider Risk Management to an eDiscovery (Premium) case for deeper legal review or action.
- DOC - Working with Communication Compliance
- NEW - DOC - Unlocking Data Security Insights: Communication Compliance and Insider Risk Management Integration
- NEW - DOC - Configure policy indicators in insider risk management – Communication Compliance Indicators
- DOC - Working with Power Automate
- NEW - DOC - Sharing data with Defender and DLP
- DOC - Working with Microsoft Teams
- DOC - Export insider risk management alert information
- DOC - eDiscovery Premium - Take action on insider risk management cases
- COMMUNITY - Leveraging Microsoft Sentinel
Ready for the Integrating with other tools knowledge check?
Fine-tuning your policies for Insider Risk Management
When you get started with Insider Risk Management, you can use analytics to understand which policies you might want to create. As you build your policies, you might notice that some are too noisy or that you are missing activities you want to see. There are several options that can help you fine-tune the policies so that you are alerted on the most actionable alerts for your organization's risk. One area of focus should be the intelligent detection settings, where you can filter on certain file types, locations, allowed and unallowed domains, sensitive information types, trainable classifiers, keywords, and much more. These will help you fine-tune policies to surface the activities that are most relevant to your organization. Another area where we recently made changes is priority content and priority-content-only scoring. These settings within a policy allow you to focus on priority content, so when you get an alert you know it is based on what you define as priority.
- DOC - Set your indicator level settings
- DOC - Get help managing your insider risk alert queue
- DOC - Configure intelligent detections
- DOC - Prioritize content in policies
- DOC - Sequence detection
- DOC - Cumulative exfiltration detection
- DOC - Peer groups for cumulative exfiltration detection
- DOC - Review policy health for recommendations
- NEW - BLOG - Fine-tune with real-time analytics
- NEW - LEARN - Best practices for managing your alert volume in insider risk management
- DOC - Get started with Admin Units in insider risk management
- NEW - DOC - Set up global exclusions for insider risk management policies
- NEW - DOC - Create and manage insider risk management policies
Ready for the Fine-tuning your policies knowledge check?
Official Certification
The Implement Adaptive Protection in Insider Risk Management module has been added to the SC-400: Manage Insider and Privacy Risk in Microsoft 365 learning path. Adaptive Protection in Microsoft Purview uses machine learning to dynamically apply the most effective data loss prevention (DLP) controls.
Additional Resources
- Microsoft 365 Roadmap: Roadmap of upcoming features and changes.
- Message Center: Notifications and details of updated changes to Microsoft 365
- What is new in Microsoft Purview
- Tech Community – Security and Compliance: Blogs, community forums, and more
- Insider Risk Management feedback portal
- NEW - Microsoft Customer Stories
Once you’ve finished the training and the knowledge checks, please go to our attestation portal to generate your certificate; you'll see it in your inbox within 3-5 business days.
**Gartner, Predicts 2023: Cybersecurity industry focuses on the human deal, Jan 25, 2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.