Drive efficiency and accelerate time to action in managing insider risks
Published Nov 02 2021 08:00 AM

As our recent Work Trend Index showed, people are collaborating, chatting, emailing, and sharing in new ways and in greater volume than ever before. Between February 2020 and February 2021, the time spent in Microsoft Teams meetings more than doubled (2.5 times) globally, the average Teams user is sending 45 percent more chats per week, the number of emails delivered to commercial and education customers is up by 40.6 billion, and we’ve seen a 66 percent increase in the number of people working on documents.


That same report also found that people are burned out. One in five global survey respondents say their employer doesn’t care about their work-life balance, with 54 percent feeling overworked and 39 percent feeling exhausted. And there are trillions of productivity signals from Microsoft 365 quantifying the precise digital exhaustion workers are feeling.


Not only does this create challenges for productivity and engagement, but it also creates risk for the organization. A study conducted in 2020 out of CyLab, Carnegie Mellon University’s Security and Privacy Institute—with support from Microsoft—found that 69% of organizations had malicious, high-concern insider incidents such as financial fraud, sabotage, data theft, or workplace violence.


The report also drew a direct correlation between the stressors impacting employees and an increase in insider risk incidents. A positive corporate culture, in which employees are engaged, rewarded, and supported, can decrease both malicious and inadvertent insider risks, such as data loss, data theft, insider trading, and others.


We have been working closely with our customers to invest in tools and capabilities within Insider Risk Management to help them to support a positive work culture while using data signals to identify potential risks within their organizations.


In July we announced key features that further enrich the triage and alert management experience: granular role-based access controls that limit the visibility of alerts, cases, and user activity to specific analysts or investigators, as well as the flexibility to take action on alerts in bulk.


Today, we are excited to announce the public preview of several new capabilities in Insider Risk Management that drive additional efficiency in managing alerts, native integration with Microsoft Sentinel, additional connectors to support a broader range of risks, and a new policy template to help address risks in the healthcare industry.


Getting the most out of your investment with a guided experience
It can be intimidating for organizations at the beginning of their insider risk journey to know where to start. That’s why we are excited to share a new guided experience that provides a step-by-step walk-through for tenants onboarding to the Insider Risk Management solution. When tenants log in, they are met with the recommended actions they must complete to fully onboard and configure insider risk management policies. Included in this experience is a new email notification that lets admins know when their policy has started to generate alerts.


Analysts and investigators are also provided with recommendations specific to their roles, with guidance on how to review alerts and cases and help with the triage and investigation experience.


More details about recommended actions can be found here.


Figure 1: Insider Risk Management Overview page with new guided experience


Accelerate time to action
Efficiency for insider risk analysts and investigators during alert review and triage is critical if teams are to quickly identify and act on potentially impactful activity. We are excited to share enhancements to the alert review experience that make it easier for teams to understand the context of an alert, such as whether the user has a resignation date, along with an at-a-glance summary of the detected activity that led to the alert being created. This helps focus their detailed review on the riskiest activities and prioritize the alert and triage efforts.


Figure 2: Insider Risk Management Alert review experience illustrating the triggering event and activity that generated the alert


We’re also introducing additional sorting and filtering capabilities in Activity explorer, to drive efficiency during detailed activity reviews, allowing analysts and investigators to quickly focus on the most impactful review activities. These enhancements help accelerate triage review and time to action on insider risks within the organization.


More details about triaging alerts can be found here.


Enhanced policy trigger customization
We know that managing insider risk is not a one-size-fits-all approach, so we are introducing additional customization for built-in policy triggers to let organizations make policies work for their unique requirements. Today we are excited to announce the ability to customize "exfiltration" triggers. You can fine-tune your data leak policies to trigger on specific events, such as printing files or uploading to the cloud, with custom thresholds. This helps manage noise and prioritizes the triggers that indicate the risky activities of interest to the organization.

As part of expanding our visibility into a user's past activities before a triggering event, we are adding support for historical lookback into email-based exfiltration activities. This will be supported for all policy templates that include an email exfiltration indicator.

More details about indicators and triggers can be found here.


Figure 3: Customizable thresholds for built-in triggers


Enhancements to Cumulative Exfiltration Anomaly Detection (CEAD)
Not all insider risks are the same, and some are more sophisticated than others, especially when insiders are trying to evade detection. In March we announced the CEAD model, which identifies cumulative exfiltration anomalies over a longer period of time and exfiltration spread across a diverse set of methods.


Today we are announcing additional enhancements to the cumulative exfiltration activity model to improve the detection rate of higher-risk activities. For example, now when exfiltration activity involves priority content, it will be assigned a higher risk score and more clearly indicate when a high-risk activity is likely to be impactful to your organization.
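To make the two detection ideas above concrete (per-method trigger thresholds evaluated over a short window, and cumulative exfiltration scored over a longer lookback with extra weight for priority content and for activity spread across several methods), here is an added illustrative example. It is not Microsoft's code and not the actual Insider Risk Management scoring model; the thresholds, weights, window lengths, and the sample activity log are all constructed assumptions.

```python
"""Illustrative model of threshold-based exfiltration triggers and cumulative
exfiltration anomaly scoring. Added example: thresholds, weights and the
sample activity log below are constructed assumptions, not product values."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Activity:
    user: str
    when: datetime
    kind: str          # exfiltration method, e.g. "print" or "cloud_upload"
    files: int         # number of files involved
    priority: bool     # True if the content matched a priority (sensitive) label


# Per-method thresholds for a single short window of activity (assumed values,
# the kind of per-organization tuning the customizable triggers allow).
THRESHOLDS = {"print": 20, "cloud_upload": 10, "usb_copy": 5, "email_external": 15}
PRIORITY_WEIGHT = 3.0   # assumed multiplier for files carrying priority content
DIVERSITY_BONUS = 0.5   # assumed increment per additional method used


def triggered_methods(events, user, window_end, window=timedelta(days=1)):
    """Return the methods whose file count in [window_end - window, window_end]
    meets or exceeds that method's threshold for the given user."""
    start = window_end - window
    counts = defaultdict(int)
    for e in events:
        if e.user == user and start <= e.when <= window_end:
            counts[e.kind] += e.files
    return sorted(k for k, n in counts.items() if n >= THRESHOLDS.get(k, float("inf")))


def cumulative_score(events, user, window_end, lookback=timedelta(days=30)):
    """Score cumulative exfiltration over a longer lookback: files are weighted
    by priority content, then the total is scaled by how many distinct methods
    were used, so low-and-slow exfiltration across channels still stands out."""
    start = window_end - lookback
    methods = set()
    weighted = 0.0
    for e in events:
        if e.user != user or not (start <= e.when <= window_end):
            continue
        methods.add(e.kind)
        weighted += e.files * (PRIORITY_WEIGHT if e.priority else 1.0)
    if not methods:
        return 0.0
    return round(weighted * (1 + DIVERSITY_BONUS * (len(methods) - 1)), 2)


# Constructed sample activity log: "alice" prints a burst of files in one day;
# "bob" moves smaller amounts through four methods over a month, some of it
# priority content, and never crosses a single-window threshold.
T = datetime(2021, 11, 1, 12, 0)
SAMPLE_EVENTS = [
    Activity("alice", T - timedelta(hours=2), "print", 25, False),
    Activity("alice", T - timedelta(days=3), "cloud_upload", 2, False),
    Activity("bob", T - timedelta(days=20), "usb_copy", 3, True),
    Activity("bob", T - timedelta(days=14), "cloud_upload", 4, False),
    Activity("bob", T - timedelta(days=7), "email_external", 6, True),
    Activity("bob", T - timedelta(hours=5), "print", 8, False),
]


def evaluate(events, user, now):
    """Combine both views for one user: which triggers fired in the last day,
    and the cumulative score over the 30-day lookback."""
    return {
        "triggered": triggered_methods(events, user, now),
        "cumulative_score": cumulative_score(events, user, now),
    }


if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(u, evaluate(SAMPLE_EVENTS, u, T))
```

Running it shows the contrast the announcement describes: only alice trips a single-window trigger (print), while bob, who tripped none, ends up with the higher cumulative score because his activity spans four methods and includes priority content.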


More details about cumulative exfiltration detection can be found here.


Expanded coverage with macOS support
Most organizations have a mix of devices and operating systems, and it’s critical for an insider risk solution to provide visibility across the entire tenant environment no matter the endpoint. Today we are announcing the support for endpoint exfiltration signals for Office, PDF, and CSV files from macOS endpoints which will expand the scope of insider risk detections across your environment.


Integration with Microsoft Sentinel
Organizations of every size have unique methods and preferences for triaging Security and Compliance alerts. Today we are announcing new integration with Microsoft Sentinel providing the flexibility to collect, detect and investigate insider risk activities within Microsoft Sentinel. This native connector allows for seamless import of alerts, which provides analysts with a single pane of glass to review alerts for insider risk in a broader organizational context.


Solutions in Microsoft Sentinel combine one or more data connectors, workbooks, analytics rules, playbooks, hunting queries, parsers, watchlists, and other components to provide in-product discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical scenarios in Microsoft Sentinel.


The Microsoft Sentinel: Insider Risk Management Solution, now in Public Preview, demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Microsoft Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into Insider Risk Management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts.


Figure 4: Insider Risk Management Workbook within Microsoft Sentinel


More details about the Microsoft Sentinel Insider Risk Management data connector can be found here.


Mitigating insider risks within Healthcare
Healthcare has been found to have a very high rate of insider-related data breaches. According to the 2018 Verizon Data Breach Investigations Report, privilege abuse (misuse) was one of the most common actions resulting in breaches. The challenge of managing these insider risks stems from the fact that healthcare organizations handle a vast amount of highly sensitive data that must be kept current and accessible in a very timely manner, because life and death decisions can depend on it. In addition, they are held to a much higher standard of scrutiny regarding privacy and disclosure requirements than other verticals, due to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.


To help reduce insider risks within the healthcare industry, we are introducing a healthcare policy template with built-in indicators and detections that uses data from Epic and other electronic medical records (EMR) solutions, ingested through our Data Connectors, to help healthcare organizations identify potential insider risks related to patient data misuse.


“Thanks to Insider Risk Management from Microsoft, our HR team can jump in before we suffer a catastrophic issue. We rely on its synergy with our other Microsoft Security and Compliance solutions to be much more proactive and boost compliance.”

– David Finkelstein, Chief Information Security Officer, St. Luke's University Health Network

More details about the patient data misuse policy template will be available here once the feature rolls out over the next few days and weeks.


Figure 5: Epic and generic healthcare connector empowering Insider Risk Management’s EMR suspect access scenario


Learn more about our additional connectors and how they enable non-Microsoft data sources for compliance scenarios including Communication Compliance and Advanced eDiscovery here.


Features that are now generally available
Finally, we are excited to announce that several of the features which we have previously released in public preview will now be generally available starting in the coming days and weeks:


Get started today
We have videos and an interactive guide to help you become familiar with the various capabilities of the solution.


The new features announced today will start rolling out to customers’ tenants in the coming days and weeks. Insider Risk Management is one of several products in Microsoft 365 E5, alongside Communication Compliance, Information Barriers, and Privileged Access Management, that help organizations mitigate insider risks and policy violations.


We are happy to share that there is now an easier way for you to try Microsoft compliance solutions directly in the Compliance Admin Center with a free trial. By enabling the trial in the Compliance center, you can quickly start using all capabilities of Microsoft Compliance, including Insider Risk Management, Records Management, Advanced Audit, Advanced eDiscovery, Communication Compliance, Microsoft Information Protection, Data Loss Prevention, and Compliance Manager.


This trial is currently rolling out to tenants worldwide and you can learn more about it here.


Learn more about Insider Risk Management, how to get started, and configure policies in your tenant in this supporting documentation. Keep a lookout for updates to the documentation with information on the new features over the coming weeks.


Finally, if you haven’t listened to our podcast “Uncovering Hidden Risks”, we encourage you to tune in to learn about the technologies used to detect insider risks and what is required to build and maintain an effective insider risk management program.


We are excited about all the new innovations coming out with this new release and look forward to hearing your feedback.


-Talhah Mir, Principal Program Manager, Microsoft 365 Security and Compliance Engineering


Version history
Last update: Dec 02 2021 03:43 PM