Microsoft Tech Community
Empower multiple teams and prioritize investigations with Insider Risk Management
Published May 06 2024 09:00 AM 5,908 Views

Your data is a prime target in most security incidents. But when an incident occurs, do you have the information you need to prioritize incidents and contain them based on the importance of the data itself?


With insider incidents becoming a bigger concern each year and 74% of organizations saying these occurrences have become more frequent[1], detecting insider risks is now a vital part of safeguarding digital landscapes. Microsoft Purview Insider Risk Management is used by organizations across the world to correlate various signals to identify potential insider risks while ensuring user privacy by design, but it can also be used to detect data security risks coming from external attackers. The past year saw a dramatic surge in identity attacks, with an average of 4,000 password attacks per second. Some of these attacks succeed in compromising user credentials, enabling the attacker to persist in the organization's systems as an insider with access to sensitive data.


That is why, besides data security and data compliance teams, SOC (security operations center) teams also play a pivotal role in safeguarding organizations’ data against a myriad of threats coming from both insiders and external attackers. However, security admins work in a fragmented tooling landscape, which often forces them to analyze duplicate alerts and manually correlate insights across solutions, limiting visibility into the risky data and users involved in an incident. With customers that employ more security tools experiencing 2.8x more data security incidents[2], it is crucial that security teams have access to integrated solutions across their data landscape to help them triage and prioritize incidents with broader context for their investigations.


Microsoft Purview Insider Risk Management correlates various signals, such as unusual access patterns and data exfiltration, to identify potential malicious or inadvertent insider risks, including IP theft, data leakage, and security violations. Insider Risk Management enables customers to create data handling policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


Empowering SOC teams to better investigate insider risks

Today, we are excited to announce the public preview of Insider Risk Management context on the Microsoft Defender XDR user entity page. With this update, SOC analysts with the required customer-determined permissions can access an insider risk summary of user exfiltration activities that may lead to potential data security incidents, as a part of the user entity investigation experience in Microsoft Defender. This feature can help SOC analysts gain data security context for a specific user, prioritize incidents, and make more informed decisions on responses to potential incidents.


When looking into an occurrence in Microsoft Defender’s Incidents view, the security analyst can now dig further into an incident’s source. In the following example, a multi-stage attack stole an employee’s credentials, followed by exfiltration activities that triggered multiple data loss prevention (DLP) alerts, such as sharing payment card information externally.

Figure 1: Incident in Microsoft Defender showing a user’s Insider Risk Level

This activity resulted in a ‘High Insider risk severity’, which is integrated into the Defender Incident investigation experience. You can click on this risk level to view the user activities within the Defender portal. This is important because Insider Risk Management can be set up to flag potentially risky activities by users inside your organization or in “persistence” attacks where someone’s identity may have been hijacked by an external attacker. In this case, the attacker took explicit steps to mask the sensitivity of the exfiltrated data by downgrading file labels. Thanks to sequence detections, Insider Risk Management was still able to assign high severity based on the sensitivity of the original files, in spite of the masking attempts.


Figure 2: User’s Insider Risk activity summary in Microsoft Defender, showing a sequence of potentially risky behavior
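To make the sequence-detection idea concrete, here is an added illustration (not Purview's own code or event schema): it correlates a label downgrade with a subsequent external share of the same file by the same user, and rates severity by the file's original label rather than the downgraded one. The label taxonomy, event shape, 24-hour window and sample events are all constructed assumptions.

```python
"""Illustrative sequence detection: external share shortly after a label downgrade.
Severity is derived from the ORIGINAL label so that downgrading cannot mask it.
Constructed schema and data; not the real Purview audit format."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed label taxonomy; higher rank means more sensitive.
LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}
SEVERITY_BY_RANK = {0: "Low", 1: "Medium", 2: "High"}

@dataclass
class Event:
    ts: datetime
    user: str          # pseudonymized user id, as Insider Risk Management shows by default
    action: str        # "LabelChanged" or "FileSharedExternally"
    file_id: str
    old_label: str = ""
    new_label: str = ""

def detect_masked_exfiltration(events, window=timedelta(hours=24)):
    """Alert when a file is shared externally within `window` of a label downgrade
    by the same user. Chained downgrades keep the highest label seen."""
    downgrades = {}   # (user, file_id) -> (time of latest downgrade, highest original rank)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.file_id)
        if e.action == "LabelChanged" and LABEL_RANK[e.new_label] < LABEL_RANK[e.old_label]:
            prev_rank = downgrades.get(key, (None, -1))[1]
            downgrades[key] = (e.ts, max(prev_rank, LABEL_RANK[e.old_label]))
        elif e.action == "FileSharedExternally" and key in downgrades:
            ts, rank = downgrades[key]
            if e.ts - ts <= window:
                alerts.append({"user": e.user, "file_id": e.file_id,
                               "severity": SEVERITY_BY_RANK[rank],
                               "reason": "label downgraded, then shared externally"})
    return alerts

def user_risk_level(alerts, user):
    """Highest alert severity for a user, like the risk level surfaced on the user entity page."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    sev = [a["severity"] for a in alerts if a["user"] == user]
    return max(sev, key=order.__getitem__) if sev else "None"

T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE_EVENTS = [  # constructed sample data
    Event(T0, "user-a1b2", "LabelChanged", "f-001", "Highly Confidential", "General"),
    Event(T0 + timedelta(minutes=12), "user-a1b2", "FileSharedExternally", "f-001"),
    Event(T0 + timedelta(minutes=30), "user-a1b2", "FileSharedExternally", "f-002"),  # never downgraded
    Event(T0 - timedelta(days=3), "user-c3d4", "LabelChanged", "f-003", "Confidential", "General"),
    Event(T0, "user-c3d4", "FileSharedExternally", "f-003"),  # downgrade is outside the window
]
```

Running `detect_masked_exfiltration(SAMPLE_EVENTS)` yields a single High alert for `f-001`, while the share of a never-downgraded file and the share three days after a downgrade produce none.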

Once these insider risks are detected, you can also automatically enforce protective controls with Adaptive Protection. Adaptive Protection in Microsoft Purview dynamically adjusts security measures based on data insights and user behavior, integrating these risk levels into Data Loss Prevention and Conditional Access policies to apply the right level of preventative controls. Once the Adaptive Protection thresholds are met, the Insider Risk Condition in Microsoft Entra Conditional Ac... will create dynamic access policies that automatically trigger additional protections based on the user’s insider risk level.


In summary, the policy protections you set and their corresponding signals from Microsoft Purview flow directly into Microsoft Defender XDR to help you assess the value of potentially compromised data, and this investigation is complemented by the access block made possible by the integration of Adaptive Protection and Conditional Access.


Microsoft Copilot in Purview for Insider Risk Management

We are also excited to announce the General Availability of the copilot capabilities embedded in Microsoft Purview, including in Insider Risk Management.


As announced at Microsoft Secure, data security and data compliance analysts can now access real-time guidance for their analysis, relying on copilot summarization capabilities and natural language support, built directly into their proven and trusted investigation workflows. These capabilities will help organizations save time, speed up investigations, and point to specific incidents to investigate next, therefore mitigating security risks.


Figure 3: Embedded Copilot summarization in Insider Risk Management

Improving breadth and visibility with new features on Insider Risk Management

We have recently announced new Insider Risk Management features focused on facilitating investigation and improving the experience of data security teams.


In March, we introduced the enrichment of Insider Risk Management with communication-related indicators originating from Communic..., utilizing machine learning to detect potential risks like discriminatory language or sensitive data leakage in various channels, while maintaining user privacy through pseudonymization and implementing role-based access controls. Insider Risk Management now also extends data security across your data estate, detecting data risks in Microsoft Fabric, in other SaaS apps like Dropbox, GitHub, and Box, and in infrastructure clouds like AWS.


Figure 4: Enriching Insider Risk Management with Communication Compliance data

We are also excited to announce several upcoming features that will become available to customers next month.


Insider Risk Management is enhancing the existing email insight alerts to provide additional information when business-sensitive data is potentially leaked from a work email account to a free public domain or personal email account, potentially leading to a data security incident. This feature will make triaging easier by highlighting, for example, when an insider is sending an attachment to their personal email.


We are also announcing the Public Preview of Adaptive Scopes, which allows admins to use adaptive scopes created within the Microsoft Purview compliance portal to scope Insider Risk Management policies, dynamically defining membership of users or groups based on Entra ID attributes like location or department.

Other features that will soon be available:

  • Admins can now exclude specific users and groups from Insider Risk Policies and will be able to delete all associated alerts and users in scope when deleting a policy, to help quickly reset and remove inactive policies.
  • The policy tuning analysis feature will now take into consideration specific priority content in your policies to predict the number of users matching the policy conditions in a tenant.

These capabilities will start rolling out to customers’ tenants within the coming weeks.


Get started

Thank you,

Nathalia Borges, Senior Product Marketing Manager

Sravan Kumar Mera, Principal Product Manager, Microsoft Purview



[2] Top insights and best practices from the new Microsoft Data Security Index report | Microsoft Securi...

Version history
Last update:
May 15 2024 09:54 AM