Don’t get caught off guard by the hidden dangers of insider risks!
Published Mar 02 2021 06:00 AM

Is your organization effectively prepared to identify and take action on ever-increasing insider risks? According to a recent Microsoft survey of security decision-makers, 93% of businesses are concerned with insider risks, with nearly two in three (66%) reporting their organization is “very concerned.”


Every decision-maker involved with insider risks whom we speak to tells us the same thing, “Balancing the ability to quickly identify and manage insider risks while maintaining a dynamic culture of trust and collaboration is a priority.”


To effectively identify insider risks, one must be able to quickly reason over sequences of activities which, when correlated together, signify heightened risk. Furthermore, since these are trusted insiders, and protecting corporate culture and end-user privacy are important considerations, the ability to collaborate across security, HR, and legal is a requirement for effectively managing insider risks.


What’s the solution that will accelerate time to action? Insider Risk Management in Microsoft 365.


Throughout 2020, we continued to introduce innovation at a rapid pace, including expanding the quality of insights and providing a richer investigation experience. Today, we are excited to announce the public preview of additional features that make it easier to get started with Insider Risk Management and detect potential insider risk activities with enhanced machine learning models.


With privacy built-in, pseudonymization by default, and strong role-based access controls, Insider Risk Management is used by companies worldwide to identify insider risks and take action with integrated collaboration workflows.


“Insider Risk Management enables us to accelerate time to act on insider threats by reducing detection time and aggregating the related information more effectively and efficiently which ultimately helps to mitigate risk to the company by improving our response,” stated Bob Bruns, Chief Information & Security Officer, Avanade.


Making it easier to get started

With millions of daily activity signals generated across your vast data landscape, trying to figure out how to get started can be overwhelming. How can you tell which insider activities are potentially risky? Which policies should you enable? Which activities should you focus on?


Here’s where a new feature in Insider Risk Management, analytics, can help: it accelerates the identification of potential insider risks so you can take action quickly. With one click, you can have analytics run a daily scan of your tenant audit logs, including historical activity, and leverage the power of the Microsoft 365 Insider Risk Management machine learning engine to identify risks with privacy built-in by design.


Image: Insider Risk Management analytics page

With analytics, organizations can start to get a good understanding of the breadth of insider risks in their environment, even before they have set up an insider risk policy, and uncover hidden risks they may not otherwise have visibility into. These insights are provided in an anonymized and aggregated way to help organizations determine which policies to set up to start taking action.


Configuring and fine-tuning policies

With a better understanding of the insider risk posture, leveraging these insights to create effective policy configurations is the next step. There’s already a vast catalog of policy templates to quickly get started in identifying the risks, including ones focused on data leakage or data theft by departing employees.


With this release, we are making these templates even easier to work with.


First, we are giving you the ability to set up a departing employee data theft policy with no requirement to set up a connector. We do that with native integration with Azure Active Directory (AAD), allowing the system to look for a termination date and use that as the trigger point to orchestrate the policy.


Image: Insider Risk Management policy configuration page

Similarly, for the data leakage policies, you now can set up the policy without having an associated data loss prevention (DLP) policy in place. We use built-in thresholds to trigger the policy and begin policy orchestration.


We have further enriched the policies by improving our Sensitive Information Type (SIT) classifications, which provide higher-fidelity matches for sensitive information within documents. We have also added the capability to detect a downgrade or removal of a Microsoft Information Protection (MIP) sensitivity label from a SharePoint file or site, which can be an indicator of an insider threat actor trying to cover their tracks. In addition, we are continuing to enhance our visibility with more relevant signals from SharePoint Online, Microsoft Teams, and other Microsoft 365 workloads, as well as introducing seamless integration with Microsoft Cloud App Security (MCAS) to expand our visibility into third-party applications.


Finally, policy management across the board has been significantly improved, including a new enhanced policy creation wizard as well as a policy health check to help you identify misconfigured policies that could impact detections.


Image: Insider Risk Management policy health page


Enhanced machine learning models

Customers often tell us, “We have implemented a data loss prevention (DLP) solution to try to address insider risks, but the noise and alert fatigue are just too much.” That is expected: solutions such as DLP are focused on identifying and protecting content, essentially transactional activity risks, so they aren’t designed for the complexity inherent in insider risks.


Identifying insider risks is not just about looking at the content activity. To truly get an understanding of the user intent, it is critical to not just focus on individual transactional activities but to correlate related activities over time.


This is where Insider Risk Management shines, and with this release, we are making the solution even smarter.


First, we are releasing a sequencing model, which looks at a series of activities to determine potential risk. For example, a user may download a set of documents, rename them to potentially evade detection, and then copy them to a USB device. With the sequencing model, the system is now able to detect these sequences, going above and beyond what traditional transactional techniques like DLP can provide. This not only improves the fidelity of detections but also greatly reduces the work that the analyst or investigator must perform.
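To illustrate the kind of sequence correlation described above, here is an added example written for this post (not Microsoft's implementation, and not the real Microsoft 365 audit schema): it follows a downloaded file through its rename so that a download, rename, USB-copy chain by one user is still matched within a time window. The event records, operation names and the two-hour window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (user, ISO time, operation, source, target).
# Operation names are placeholders, not Microsoft 365 audit schema values.
EVENTS = [
    ("alice", "2021-03-01T09:00:00", "download", "Q1-forecast.xlsx", None),
    ("alice", "2021-03-01T09:05:00", "rename", "Q1-forecast.xlsx", "holiday-pics.zip"),
    ("alice", "2021-03-01T09:20:00", "usb_copy", "holiday-pics.zip", "E:\\"),
    ("bob", "2021-03-01T10:00:00", "download", "handbook.pdf", None),
    ("bob", "2021-03-01T10:02:00", "usb_copy", "handbook.pdf", "E:\\"),
    ("carol", "2021-03-01T11:00:00", "download", "plan.docx", None),
    ("carol", "2021-03-02T15:00:00", "rename", "plan.docx", "notes.docx"),
    ("carol", "2021-03-02T15:30:00", "usb_copy", "notes.docx", "E:\\"),
]

WINDOW = timedelta(hours=2)  # assumed correlation window for the whole chain

def find_sequences(events, window=WINDOW):
    """Return (user, download_time, original_name, final_name) for each
    download -> rename -> usb_copy chain a user completes within `window`.
    The file is followed through its rename, so a changed name does not
    break the correlation the way it would for a per-event DLP rule."""
    tracked = defaultdict(dict)  # user -> current name -> (orig, t0, renamed?)
    hits = []
    for user, ts, op, src, dst in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        files = tracked[user]
        if op == "download":
            files[src] = (src, t, False)
        elif op == "rename" and src in files:
            orig, t0, _ = files.pop(src)
            if t - t0 <= window:  # downloads older than the window drop out
                files[dst] = (orig, t0, True)
        elif op == "usb_copy" and src in files:
            orig, t0, renamed = files.pop(src)
            if renamed and t - t0 <= window:
                hits.append((user, t0.isoformat(), orig, src))
    return hits

if __name__ == "__main__":
    for hit in find_sequences(EVENTS):
        print("sequence alert:", hit)
```

Only alice's chain is reported: bob copies the file under its original name (a single transactional event a DLP rule could already see), and carol's rename falls outside the window, which shows why the window length is a tuning decision rather than a fixed constant.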


Image: Insider Risk Management sequencing alerts triage page

Second, not all insider risks are the same. Some users may attempt to download a large number of sensitive files at once, while others may try to evade detection by taking small amounts of content over a longer period of time and exfiltrating it through a diverse set of methods. Identifying the second type of insider risk requires a significantly more sophisticated model, one that looks at cumulative activity over a larger time span.


With this release, we are introducing the Cumulative Exfiltration Anomaly Detection (CEAD) model, which identifies cumulative exfiltration anomalies such as an unusually large amount of data being:

  • Exfiltrated over a date range
  • Exfiltrated through different methods (print, upload to the cloud, email, etc.)
  • Shared externally
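As an added illustration of the cumulative idea behind this list (example code written for this post, not Microsoft's CEAD model), the following Python totals each user's transfers across every method per 14-day window and flags the latest window against that user's own earlier windows, so a daily trickle that no single event would reveal still stands out. The sample events, method names, window length and three-sigma rule are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

BUCKET_DAYS = 14  # assumed date range over which activity is accumulated

def build_sample_events():
    """Constructed sample: (user, ISO day, method, megabytes). Method names are
    illustrative, not Microsoft 365 activity identifiers."""
    ev, start = [], date(2021, 1, 4)
    for d in range(70):  # ten weeks of history
        day = (start + timedelta(days=d)).isoformat()
        if d % 7 == 0:   # dana normally emails one 5-7 MB report per week
            ev.append(("dana", day, "email", 5 + (d // 7) % 3))
        if d % 7 == 2:   # eve prints a little every week, steady
            ev.append(("eve", day, "print", 3))
        if d >= 56:      # final two weeks: dana trickles 2 MB/day over 4 methods
            method = ("print", "cloud_upload", "email", "external_share")[d % 4]
            ev.append(("dana", day, method, 2))
    return ev

def cumulative_anomalies(events, sigma=3.0, min_mb=10):
    """Total each user's MB per BUCKET_DAYS window across every method, then
    flag users whose latest window exceeds mean + sigma*stdev of their own
    earlier windows (with an absolute floor so tiny totals never fire).
    Returns {user: (current_total, threshold, methods_used_in_window)}."""
    origin = min(date.fromisoformat(e[1]) for e in events)
    bucket = lambda day: (date.fromisoformat(day) - origin).days // BUCKET_DAYS
    totals = defaultdict(lambda: defaultdict(float))
    methods = defaultdict(set)
    last = max(bucket(e[1]) for e in events)
    for user, day, method, mb in events:
        b = bucket(day)
        totals[user][b] += mb
        if b == last:
            methods[user].add(method)
    flagged = {}
    for user, per_bucket in totals.items():
        history = [per_bucket.get(b, 0.0) for b in range(last)]
        if not history:
            continue
        threshold = max(mean(history) + sigma * pstdev(history), min_mb)
        current = per_bucket.get(last, 0.0)
        if current > threshold:
            flagged[user] = (current, round(threshold, 2), sorted(methods[user]))
    return flagged

if __name__ == "__main__":
    for user, info in cumulative_anomalies(build_sample_events()).items():
        print(user, info)
```

dana's 40 MB window, spread over four methods at 2 MB a day, is flagged against a threshold of roughly 14 MB derived from her own history, while eve's steady printing is not.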


Watching the watchers

Lastly, removing bias from the process is an important aspect of having a trusted insider risk management program. This means you need an audit trail of your insider risk analysts' actions to be able to identify potential red flags. For example, why was a particular user removed from or added to a policy, or why was a high-risk alert dismissed without further action? To address these red flags, we are now rolling out a new auditor role, which organizations can use to audit the actions of all their insider risk analysts.


Get started today

We have new videos showcasing how the new features in Insider Risk Management can help customers identify and remediate insider risks. We also have a new interactive guide to help you become familiar with the various capabilities coming in this release.


The new features will start rolling out to customers’ tenants in the coming days and weeks. Insider Risk Management is one of several products in Microsoft 365 E5, including Communication Compliance, Information Barriers, and Privileged Access Management, that help organizations mitigate insider risks and policy violations. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started.


Learn more about Insider Risk Management, how to get started, and how to configure policies in your tenant in the supporting documentation. Keep a lookout for updates to the documentation with information on the new features over the coming weeks.


Finally, if you haven’t listened to our podcast “Uncovering Hidden Risks”, we encourage you to listen about the technologies used to detect insider risks and what is required to build and maintain an effective insider risk management program.


We are excited about all the new innovations coming out with this new release and look forward to hearing your feedback.


Thank you,

Talhah Mir, Principal Program Manager, Microsoft 365 Security and Compliance Engineering

Version history: last update May 11 2021 01:58 PM