Insider risk solutions are often built on a single User and Entity Behavior Analytics (UEBA) capability that depends heavily on complex configuration and endpoint agent deployment. These approaches place the burden on the analyst to tune the analytics and manage endpoint agent configurations, and they lose sight of the simple fact that insider risk exists across the entire enterprise environment.
Zero Trust architectures are based on "assume breach" fundamentals, which reinforce the requirement for tripwires and multiple levels of trust validation before access to resources is granted. Cloud and hybrid computing environments facilitate these approaches because assets must communicate with the cloud through its fabric. The Microsoft Purview Insider Risk Management Solution leverages comprehensive signals across the entire computing environment, including identity, endpoints, applications, data, infrastructure, networks, and automation platforms. Extensible technologies such as Azure Arc, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps extend coverage into hybrid, on-premises, and multi-cloud environments. Advanced correlation techniques, including artificial intelligence, machine learning, Fusion, UEBA, and geospatial analysis, are applied to the aggregated signals for granular analysis of risk-based behavior across numerous products.
This solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft Purview Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (5) Analytics Rules, (1) Playbook automation, and the Microsoft Purview Insider Risk Management connector. While only Microsoft Sentinel is required to get started, the solution is enhanced by numerous Microsoft offerings, including, but not limited to:
Managing and minimizing risk in your organization starts with understanding the types of risks found in the modern workplace. Some risks are driven by external events and factors that are outside of direct control. Other risks are caused by internal events and user activities that can be minimized and avoided. Some examples are risks from illegal, inappropriate, unauthorized, or unethical behavior and actions by users in your organization. These behaviors include a broad range of internal risks from users:
Privacy is a key component of the Microsoft Purview Insider Risk Management Solution. This solution is based on both user trust and confidentiality for the protection of the data involved. Detection algorithms are tuned to reduce false positive alerts while aligning with regulatory and compliance requirements. This solution does not introduce net-new capabilities; it leverages signals that already exist within the security architecture. Azure Active Directory enforces strict Role-Based Access Control (RBAC) to protect the confidentiality, integrity, and availability of data.
Content Use Cases
Insider Risk Management Workbook: A dashboard for simple navigation across dozens of functional areas and 250+ customizable visualizations for advanced analysis and reporting of risk-based behavior. Workbook sections include:
Analytics Rules: (5) Microsoft Sentinel rules generate incidents and alert insider teams with aggregation of risk-based behavior across numerous signals.
Hunting Queries: (5) Microsoft Sentinel hunting queries proactively search for risk-based behavior outside standard alerting schemas.
Microsoft Purview Insider Risk Management Connector: Enables connection of Microsoft Purview Insider Risk Management to Microsoft Sentinel for single-pane visibility and aggregation of alerting data.
Playbook: The Notify Insider Risk Management Team playbook automatically monitors insider risk management alerts and notifies the insider risk management team with the relevant details by both email and Microsoft Teams message.
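As an added illustration of the cross-signal aggregation the analytics rules and hunting queries perform (this is example code, not one of the solution's own queries), the KQL below joins Purview Insider Risk Management alerts from the connector with Azure AD sign-in signals per user. The IRM provider name and the score weights are assumptions; confirm the provider value your connector emits and tune the weights to your environment.

```kusto
// Added example, not part of the Sentinel solution content.
// Assumptions: the Purview IRM connector lands alerts in SecurityAlert with the
// ProviderName below (placeholder; verify in your workspace), and SigninLogs is
// ingested through the Azure Active Directory connector.
let lookback = 14d;
let irmProvider = "Microsoft 365 Insider Risk Management"; // placeholder, verify
// Purview IRM alerts keyed by the affected user
let irmAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName =~ irmProvider
    | extend User = tolower(tostring(CompromisedEntity))
    | where isnotempty(User)
    | summarize IrmAlertCount = count(),
                HighSeverityIrm = countif(AlertSeverity == "High"),
                IrmAlertNames = make_set(AlertName, 10),
                LastIrmAlert = max(TimeGenerated)
        by User;
// Sign-in signals for the same users: failures, distinct countries, distinct IPs
let signinSignals =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend User = tolower(UserPrincipalName)
    | summarize FailedSignins = countif(ResultType != "0"),
                DistinctCountries = dcount(tostring(LocationDetails.countryOrRegion)),
                DistinctIPs = dcount(IPAddress)
        by User;
// One row per user; weights are illustrative and should be tuned locally.
// Users with IRM alerts but no sign-in rows keep their IRM-only score (null -> 0 via iff).
irmAlerts
| join kind=leftouter signinSignals on User
| extend RiskScore = (HighSeverityIrm * 3) + IrmAlertCount
                     + iff(FailedSignins > 10, 2, 0)
                     + iff(DistinctCountries > 1, 2, 0)
| project User, RiskScore, IrmAlertCount, HighSeverityIrm, IrmAlertNames,
          LastIrmAlert, FailedSignins, DistinctCountries, DistinctIPs
| order by RiskScore desc
```

Running this as a scheduled analytics rule with a RiskScore threshold, rather than as an ad hoc hunt, is how the same logic would feed incidents and the notification playbook.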
This content is designed to provide the foundation for building and operating an insider risk management program. Below are the steps to onboard required dependencies, enable connectors, review content, and provide feedback.
Frequently Asked Questions