Navigating uncertainty and corporate change can be a major challenge for organizations, especially for security and compliance teams. The processes and ways we engage with our colleagues, customers and partners look very different than they did just a few years ago. The nature of work is evolving, and our strategies on how to protect our users and our data must evolve with it.
Results from Microsoft’s most recent Work Trend Index indicated 52% of employees are considering a switch to remote or hybrid in the year ahead, and that 43% of employees are likely to consider changing jobs. Security teams will now have to be more diligent in protecting their corporate data as employees work from different locations or leave the organization.
We recently shared how Microsoft insider risk solutions were evolving to meet the needs of the Great Reshuffle, including enhanced data exfiltration detection capabilities and richer alert context.
Today we announced Microsoft Purview - a comprehensive set of solutions which help you govern, protect, and manage your entire data estate. This new brand family combines the capabilities of the former Azure Purview and the Microsoft 365 Compliance portfolio that customers already rely on, providing unified data governance and risk management for your organization. Insider Risk Management in Microsoft 365 will now be called Microsoft Purview Insider Risk Management.
As part of this announcement, we are excited to announce the latest updates for Insider Risk Management:
- New policy recommendations, email notifications and sequence detection in analytics
- Policy triggers based on anomalous activity
- Detection capabilities for priority file types
- Expanded coverage with third-party alerts (via Microsoft Defender for Cloud Apps)
- Recommended guidance and actions for Insider Risk Management admins
- Launch of our new “Become an Insider Risk Management Ninja” resource page
New updates to analytics
One of the best ways to get started with Insider Risk Management is with an analytics assessment. Within 48 hours of an Insider Risk Management administrator initiating the analytics assessment, the results provide actionable insights which may indicate risk of data leaks or theft, such as what percentage of users in your environment are performing exfiltration activities. These results are anonymized and aggregated, providing a top-level view of existing risks in your environment while protecting user privacy.
We are excited to announce that analytics will now be going further with new policy recommendations, email notifications and sequence detection capabilities in public preview:
- New policy recommendations: The results of an analytics scan will now include recommendations for policy thresholds, specifically built to address potential data leaks and IP theft. For example, if the analytics scan determines that your organization sends a large number of sensitive attachments to recipients outside of the organization, the recommended threshold for a data leak detection policy may be higher than in a typical organization. This helps security or compliance teams to set thresholds and policies that better reflect their organizations’ specific needs.
- Email notifications for analytics activation: We are now adding new email notifications so that Insider Risk Management administrators receive an email notification once analytics has been turned on and when the assessment results are first available.
- Enhanced insights with sequence detection: Identifying risky user behavior can be tricky when looking at isolated events, like confidential documents being sent to an external email recipient or downgrading a sensitivity label from “Highly Confidential” to “General”. When these events are tied together, however, security teams have more context and can better identify which activities pose a bigger risk. In Insider Risk Management, we refer to this as “sequence detection”: the activities may not raise alerts individually, but a flow of specific activities, like “Downgrade sensitivity level” > “Download” > “Exfiltrate”, may be something we want to flag as potentially risky activity. Analytics in Insider Risk Management will now include insights into the percentage of users who are performing sequences of risky activities, in addition to other data leak and exfiltration detection. (Learn more about sequences here: Investigate insider risk management activities)
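To make the sequence idea concrete, here is an added example of the detection logic, written for this post and not code from Microsoft or from Insider Risk Management: it walks an audit-style event stream in time order, matches the ordered steps “Downgrade sensitivity level” > “Download” > “Exfiltrate” per user and per file within a time window, and reports the percentage of users who completed the sequence. The event format, action names and the 24-hour window are assumptions chosen for the example, and the sample events are constructed.

```python
"""Sequence detection over an audit-style event stream (added example).

Each event is (user, ISO timestamp, action, file). A sequence of interest is
an ordered tuple of action names; a user is flagged when those actions occur
in that order, for the same file, inside a time window measured from the
first step. Action names and window size are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered steps of the risky flow described in the post (assumed names).
RISKY_SEQUENCE = ("downgrade_label", "download", "exfiltrate")
WINDOW = timedelta(hours=24)

# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    ("alice", "2022-04-19T08:00:00", "downgrade_label", "roadmap.docx"),
    ("alice", "2022-04-19T08:05:00", "download", "roadmap.docx"),
    ("alice", "2022-04-19T09:10:00", "exfiltrate", "roadmap.docx"),
    ("bob",   "2022-04-19T10:00:00", "download", "notes.txt"),
    ("bob",   "2022-04-19T10:30:00", "exfiltrate", "notes.txt"),
    ("carol", "2022-04-19T07:00:00", "downgrade_label", "design.3dxml"),
    ("carol", "2022-04-21T07:00:00", "download", "design.3dxml"),
    ("carol", "2022-04-21T08:00:00", "exfiltrate", "design.3dxml"),
]


def parse(events):
    """Convert timestamps and sort chronologically so matching is order-aware."""
    parsed = [(u, datetime.fromisoformat(ts), a, f) for u, ts, a, f in events]
    return sorted(parsed, key=lambda e: e[1])


def find_sequences(events, sequence=RISKY_SEQUENCE, window=WINDOW):
    """Return {user: [(file, start, end), ...]} for every completed sequence.

    Matching state is kept per (user, file). If the window expires before the
    sequence completes, matching restarts from the first step, so isolated
    steps spread over days (carol) are not flagged, and a flow that skips the
    first step (bob) never starts matching.
    """
    hits = defaultdict(list)
    state = {}  # (user, file) -> (index of next expected step, start time)
    for user, ts, action, file in parse(events):
        key = (user, file)
        idx, start = state.get(key, (0, None))
        if idx > 0 and ts - start > window:
            idx, start = 0, None  # window expired: forget partial progress
        if action == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(sequence):
                hits[user].append((file, start, ts))
                idx, start = 0, None  # allow the same user/file to match again
        state[key] = (idx, start)
    return dict(hits)


def percentage_of_users_with_sequence(events, **kwargs):
    """Aggregate, privacy-friendly view like the analytics assessment: share of
    users (not names) who completed the sequence."""
    users = {e[0] for e in events}
    flagged = find_sequences(events, **kwargs)
    return 100.0 * len(flagged) / len(users) if users else 0.0


if __name__ == "__main__":
    print(find_sequences(SAMPLE_EVENTS))
    print(f"{percentage_of_users_with_sequence(SAMPLE_EVENTS):.1f}% of users")
```

With the constructed data only alice completes the full flow inside the window, so the aggregate reads one user in three. Tuning the window and requiring the same file across steps are the two knobs that most affect noise in this kind of detector.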
New policy triggers based on anomalous activity
We are also further expanding Insider Risk Management’s ability to support organizations concerned about anomalous (or abnormal) activity. With our new anomalous activity policy trigger, security and compliance teams will have the ability to customize their policies to trigger on an anomalous activity, like an unusual number of emails with attachments sent outside the organization, and bring users into scope of that policy.
This new capability means that Insider Risk Management can augment and support work done by security teams, by identifying what activities are abnormal or irregular for a user. Organizations looking to integrate more machine learning and automated decision making into their insider risk investigations may find that the anomalous activity trigger capabilities can help in identifying potential risks.
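As an added illustration of what an anomalous-activity trigger does (this is example code written for this post, not the product’s own algorithm), the snippet below keeps a per-user baseline of daily counts of emails with attachments sent outside the organization and brings a user into scope when today’s count sits well above that user’s own history. The z-score threshold, the minimum absolute count and all per-user numbers are constructed assumptions.

```python
"""Anomalous-activity trigger on a per-user baseline (added example).

Flags a user whose daily count of external emails with attachments is far
above that user's own history, so a naturally high-volume sender (bob) is
not confused with a normally quiet user whose volume spikes (alice).
Threshold values and data are constructed for the example.
"""
from statistics import mean, pstdev

# Constructed per-user daily counts for a 14-day baseline period.
BASELINE = {
    "alice": [3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 4, 3, 2, 3],
    "bob":   [20, 18, 22, 19, 21, 20, 18, 22, 19, 21, 20, 18, 22, 19],
    "carol": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0],
}
# Constructed counts for the day being evaluated.
TODAY = {"alice": 25, "bob": 23, "carol": 1}


def is_anomalous(history, today_count, z_threshold=3.0, min_count=5):
    """True when today's count exceeds the user's baseline mean by more than
    z_threshold standard deviations.

    min_count suppresses alerts on tiny absolute volumes (1 email against a
    baseline of 0 is statistically extreme but operationally meaningless).
    A constant baseline has zero deviation, so any increase counts as unusual.
    """
    if today_count < min_count:
        return False
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return today_count > mu
    return (today_count - mu) / sigma > z_threshold


def users_in_scope(baseline, today, **kwargs):
    """Users the policy trigger would bring into scope, sorted for stable output."""
    return sorted(u for u, c in today.items()
                  if is_anomalous(baseline[u], c, **kwargs))


if __name__ == "__main__":
    print("Users brought into policy scope:", users_in_scope(BASELINE, TODAY))
```

The per-user baseline is the important design choice: a global threshold would flag bob every day and miss alice entirely, which is the noise problem the policy recommendations above are meant to reduce.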
New detection capabilities for priority file types
When thinking about high-priority data or sensitive documents, your organization may have specific file types deemed particularly important. For example, an automotive company developing new car designs may create and save these designs in 3-D formats like .3dxml or .3mf. These files can be considered particularly sensitive due to the nature of their content, and organizations may want to prioritize these critical IP file types as high priority.
Insider Risk Management now allows organizations to indicate specific file types they would like to prioritize for additional visibility and scrutiny. Insider Risk Management administrators who are setting up new policies are able to indicate which file extensions should be considered high-priority, which can help in risk detection and surfacing important alerts.
Expanded coverage with third-party alerts (via Microsoft Defender for Cloud Apps)
Insider Risk Management becomes even more powerful with alerts surfaced from third-party connected applications. We are now supporting nine additional third-party anomaly alert types via Microsoft Defender for Cloud Apps. These automatically enabled detection policies can detect and collate results, identifying behavioral anomalies across your users and devices in your network. Through this integration, Insider Risk Management expands coverage into multi-cloud environments including alerts identifying anomalous activity on Google Cloud Platform or Amazon Web Services, and allows organizations to have visibility if users are performing potentially high-risk activities like unusual mass deletion of content from a connected cloud app.
To leverage these capabilities in your policies, update your Insider Risk Management settings to include the “Microsoft Defender for Cloud Apps” policy indicators.
To learn more about anomaly detection policies in Defender for Cloud Apps, visit our Microsoft Docs page: Create anomaly detection policies in Defender for Cloud Apps.
Recommended guidance and actions for Insider Risk Management administrators
The best way to leverage the full capacity of Insider Risk Management is to configure the solution for your environment, your organizational requirements and your users.
Administrators are now more empowered than ever with guided recommendations for fine-tuning Insider Risk Management to fit their needs. These new recommendations are designed to help you to better manage noise from alerts in your environment, with recommended policy actions like adding domains, excluding specific file types or ensuring that all users are covered with at least one policy.
Watch part one of our new Insider Risk Management Mechanics video series
We have just kicked off a new Mechanics video series about our insider risk solutions, Insider Risk Management and Communication Compliance. In our first video, we show how you can leverage machine learning to identify explicit high-risk incidents like data theft or workplace harassment, and how our solutions provide designated stakeholders with context and workflows to take action on insider risk.
New “Become an Insider Risk Management Ninja” resource page
Microsoft has a number of resources to help you get started and to learn more about using and configuring Insider Risk Management. For the one-stop shop of our public-facing material and resources on the solution, check out the new “Become an Insider Risk Management Ninja” resource page at https://aka.ms/insiderriskninja.
This page will be updated quarterly so be sure to bookmark it to see the latest on Insider Risk Management!
Get started
These new features in Microsoft Purview Insider Risk Management have already rolled out or will start rolling out to customer tenants in the coming weeks. These solutions are also generally available across government clouds, supported in Government Community Cloud (GCC), GCC-High, and US Department of Defense (DoD) tenants.
We are happy to share that there is now an easier way for you to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal. If you are a current Microsoft 365 E3 user and interested in experiencing Insider Risk Management, check out the Insider Risk Management Trial or the Microsoft Purview Trial to see how insider risk solutions and analytics can give you actionable insights.
Learn more about how to get started and configure policies in your tenant in the supporting documentation for Insider Risk Management. Keep a lookout for updates to the documentation with information on the new features over the coming weeks.