Addressing insider risks in an increasingly complex data landscape
Workplaces in 2022 are being challenged with an increasingly complex and expanded data landscape where corporate data is growing at an ever-faster speed. In this new landscape, organizations are having to consider their data risk appetite, and determine how to best protect both user privacy and sensitive data for their environment.
Many organizations rely heavily on traditional insider risk tools and strategies dating from the days when employees were situated in office parks and worked with far fewer third-party partners, cloud platforms, and different types of devices. Having a solid data loss prevention strategy in place is key, but it is only one part of the solution to comprehensively addressing potential data risks internally. A strong insider risk management solution should drive better organizational security with a user-centric approach, all while also supporting end-user privacy. This user-centric approach means a better understanding of how data is being created, accessed, and shared.
At the end of the day, data doesn’t move itself; people move data.
Microsoft Purview Insider Risk Management helps organizations quickly identify and mitigate insider risks. Built with privacy by design, it empowers security teams to better understand what relevant data activities are the riskiest within their organization, create policies to address these risks, and then collaboratively investigate and mitigate these risks.
Today, we are excited to announce new public preview functionality within Insider Risk Management designed to improve the admin experience, provide better visibility into customer-defined risky user actions and further integrate with Microsoft solutions.
Further improving the Insider Risk Management admin experience
Something we often hear from security leaders and insider risk teams is that it can be challenging to cut through the “noise” and figure out which alerts to focus on and prioritize. Insider Risk Management already uses machine learning to help admins prioritize alerts and manage noise, but we are excited to announce capabilities that will further enhance the admin experience. The following new capabilities will be rolling out in the coming weeks:
- File path exclusions (e.g., excluding an endpoint file path that contributes noisy signals, such as Filerename or Filedelete events from temp folders)
- Site URL exclusions (e.g., excluding activities on commonly used, non-sensitive SharePoint, OneDrive, and Teams sites so they do not contribute to unnecessary alerts)
- Keyword exclusions (e.g., excluding activities on an object whose path contains specific keywords such as “PublicMarketingMaterial”)
Setting up rules to exclude these attributes means that Insider Risk Management analysts and investigators can spend more of their time dedicated to “true” security or data risks.
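To make the three exclusion types concrete, the following is an added illustrative model (not Microsoft's implementation, and not code from this post) of how noisy activity is dropped before it can score against a policy; the event fields, rule shapes, the `contoso.sharepoint.com` site and all sample activity are constructed assumptions.

```python
"""Illustrative model of file path, site URL and keyword exclusions.
Added example only; the event fields, rule shapes and sample data are
assumptions constructed here, not Insider Risk Management internals."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; use one separator so globs match.
    return path.replace("\\", "/").lower()


@dataclass
class ExclusionRules:
    file_path_globs: list = field(default_factory=list)   # noisy endpoint paths
    site_url_prefixes: list = field(default_factory=list) # non-sensitive sites
    keywords: list = field(default_factory=list)          # e.g. PublicMarketingMaterial


def is_excluded(event: dict, rules: ExclusionRules) -> bool:
    """True if the activity matches any exclusion and should not be scored."""
    target = event["target"]
    if event["source"] == "endpoint":
        if any(fnmatchcase(_norm(target), _norm(g)) for g in rules.file_path_globs):
            return True
    elif event["source"] == "sharepoint":
        if any(target.lower().startswith(p.lower()) for p in rules.site_url_prefixes):
            return True
    # Keyword exclusions apply to the object path regardless of source.
    return any(k.lower() in target.lower() for k in rules.keywords)


def filter_events(events: list, rules: ExclusionRules) -> list:
    """Return only the events that survive exclusions (the ones worth scoring)."""
    return [e for e in events if not is_excluded(e, rules)]


RULES = ExclusionRules(
    file_path_globs=[r"C:\Users\*\AppData\Local\Temp\*"],
    site_url_prefixes=["https://contoso.sharepoint.com/sites/Cafeteria-Menu/"],
    keywords=["PublicMarketingMaterial"],
)

# Constructed sample activity, not real telemetry.
EVENTS = [
    {"user": "u1", "activity": "FileRename", "source": "endpoint",
     "target": r"C:\Users\alice\AppData\Local\Temp\~tmp123.docx"},
    {"user": "u1", "activity": "FileCopiedToUSB", "source": "endpoint",
     "target": r"C:\Users\alice\Documents\Q3-Forecast.xlsx"},
    {"user": "u2", "activity": "FileDownloaded", "source": "sharepoint",
     "target": "https://contoso.sharepoint.com/sites/Cafeteria-Menu/Shared Documents/menu.pdf"},
    {"user": "u2", "activity": "FileSharedExternally", "source": "sharepoint",
     "target": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/PublicMarketingMaterial/brochure.pdf"},
    {"user": "u3", "activity": "FileSharedExternally", "source": "sharepoint",
     "target": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/Board-Deck.pptx"},
]
```

Only the USB copy of a Documents file and the external share of the Finance board deck survive; the temp-folder rename, the cafeteria-menu download and the public marketing brochure are dropped as noise before any policy scoring.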
Enhancing analytics to quickly address risks
One of the most powerful tools that Insider Risk Management admins have at their disposal to understand patterns and risks across their estate is analytics. Within 48 hours of starting an analytics assessment, aggregated insights are available in the assessment results. Insights from analytics allow admins to see activities that may involve potential sensitive data leaks or data theft by departing users. For example, analytics shows what percentage of users across the organization have shared files with people outside of the organization, downloaded and transferred files to a USB device, or uploaded files to a cloud repository. Analytics works across M365 signals and also leverages signals from your managed devices, including Windows and Mac. These insights are incredibly helpful in ensuring you are setting up insider risk policies that meet the needs of your organization, all while protecting user privacy with anonymized results.
Today, we are further enhancing analytics with easy one-step policy creation: from either the analytics insights page or the Recommended Actions task page, administrators can click “Create Policy” and use default thresholds to create a new insider risk policy in just a couple of clicks.
Analytics assessment results will also now be included in the Insider Risk Management overview page, so it is even easier for admins and analysts to get visibility and track day-to-day updates across their organization.
Better visibility into risky activity
Understanding and identifying risky user behavior can take many forms, depending on customers’ policies and “what” types of data are being shared with “whom.” It also means identifying when users are violating an organization’s acceptable use policy, particularly if individuals are using managed devices to access data or locations that are not permitted. Organizations may determine what acceptable use policies are for them based on their own internal policies, governance and organizational requirements, such as how sensitive or highly confidential information should be accessed or shared outside the organization.
In addition to the Insider Risk Management policy templates already available to security teams, we are now including a new policy type, “risky browser usage.” This new template gives admins the ability to define and identify browsing actions considered “risky” for their end-users, because these actions violate organizations’ specific policies or may result in a security incident. Sites classified as risky, according to policy-driven classification, could include those hosting malware, hacking and other content organizations may consider unacceptable. These triggers will surface security alerts for a user visiting one of these sites from a managed device, for the right admin to address as needed.
If a customer has set up a risky browser usage policy and a user covered by that policy visits one of the websites deemed high-risk by the policy, this will be detected by Insider Risk Management and the action will raise an alert. These detections surface activity using extensions for Microsoft Edge and Google Chrome.
Integration with Microsoft data classification and SIEM solutions
Microsoft Purview Insider Risk Management is an incredibly powerful tool for organizations looking to identify and manage insider risks end-to-end.
We are excited to announce that Insider Risk Management can now leverage the same trainable classifiers that are available in Microsoft Purview Information Protection.
These trainable classifiers use machine learning to recognize content types that are specific to your organization. Classifiers are best used for content that isn’t easily identified by pattern-matching methods, where an item is instead identified based on what the item is. These classifiers are “trained” by looking at hundreds of examples of the content you are interested in classifying, and can be either pre-trained classifiers (created and pre-trained by Microsoft) or custom trainable classifiers (ones that you create and train yourself).
This means that you can now use trainable classifiers to help specify what content types are the highest priority to surface within Insider Risk Management. An engineering firm, for example, can use pre-trained classifiers like source code or IP, or custom-trained classifiers like “blueprints” for content unique to their organization, to help in identifying potential risky user behavior that may come from data leakage or data exfiltration of those data types.
To learn more about the trainable classifiers available within Microsoft Purview Information Protection, visit the documentation page: Learn about trainable classifiers - Microsoft Purview (compliance) | Microsoft Docs.
Furthermore, the updated Microsoft Purview Insider Risk Management solution available within Microsoft Sentinel makes it easier for SOC teams to find and investigate potential insider risks. Microsoft Sentinel, Microsoft’s cloud-native security information and event management (SIEM) solution, is designed to help security teams get a bird’s-eye view across the enterprise.
The Insider Risk Management workbook within Microsoft Sentinel now includes updated content and an enhanced user interface, as well as additional capabilities like recommended data connectors and user-based Entity Search. These new updates make it even easier for SOC teams to leverage the power of Insider Risk Management from within Microsoft Sentinel. To learn more about these capabilities, visit Announcing the Microsoft Sentinel: Microsoft Insider Risk Management Solution - Microsoft Tech Community.
Updated Microsoft Purview Insider Risk Management solution within Microsoft Sentinel
Get started
These new features in Microsoft Purview Insider Risk Management have already rolled out or will start rolling out to customer tenants in the coming weeks. These solutions are also generally available across government clouds, supported in Government Community Cloud (GCC), GCC-High, and US Department of Defense (DoD) tenants.
If you are a current Microsoft 365 E3 user and interested in experiencing Insider Risk Management, check out the Insider Risk Management Trial or the Microsoft Purview Trial to see how Insider Risk Management and Microsoft Purview solutions help you better protect and govern your data. Insider Risk Management is also available with Communication Compliance, the Microsoft solution designed to help organizations foster safe and compliant communications across corporate platforms. Built with privacy by design, this solution ensures that usernames are pseudonymized by default, role-based access controls are built-in, and audit logs are in place to help ensure user-level privacy.
Learn more about how to get started and configure policies in your tenant in the supporting documentation for Insider Risk Management. Check out our previous blog for our last product announcements. Keep a lookout for updates to the documentation with information on the new features over the coming weeks.
Katie Anderson, Sr. Product Marketing Manager, Microsoft Purview Insider Risk Management
Talhah Mir, Principal Product Manager, Microsoft Purview Insider Risk Management