Protecting against insider risks in an uncertain environment
Published Jul 21 2020 08:00 AM

Countless security and compliance officers around the world are now asking themselves, “Is my organization effectively prepared to identify and take action on ever increasing insider risks?”


The primary reason for this question is COVID-19, and the rapid digital transformation it has forced organizations to undertake. According to a recent survey, the lives of up to 300 million information workers worldwide have been upended, and many are now working remotely with limited resources, insecure wi-fi networks and increased stress. In addition, due to the rapid progression of the pandemic, many information workers are expected to use their home PCs or other shared devices.


Remote work, while protecting employees from exposure to the virus, increases the distractions they are likely to face, such as shared home workspaces and remote learning for children. According to the SEI CERT institute, user distractions are the cause of many accidental and non-malicious insider risks. Stressors such as potential job loss or safety concerns are also now heightened, which may lead some employees to participate in malicious activities, such as stealing intellectual property.


In February this year, we introduced Insider Risk Management from Microsoft 365, helping organizations worldwide leverage the power of cloud scale combined with machine learning to identify insider risks and quickly take action with integrated collaboration workflows.


Today we are pleased to announce the public preview of several new features that further enhance the rich set of detection and remediation capabilities already offered in the solution.


Increased visibility with a focus on signal quality


While broad visibility into end user activities, actions, and communications is important, when it comes to effectively identifying risks, the quality of the insights matters most. In this release, we are significantly expanding the quality of insights that Insider Risk Management delivers to intelligently flag potentially risky behavior.


We are further enhancing our already rich native integration with Microsoft 365 to surface additional insights across Microsoft Teams, SharePoint, and Exchange, including:


  • Sharing files/folders/sites from SharePoint Online to domains marked “unallowed”
  • Downloading content from Teams
  • Emailing outside the organization to domains marked “unallowed”


[Image: Insider Risk Management indicators selection page]


On devices, we continue to leverage the agentless capture of signals from Windows 10 endpoints to deliver new insights related to the obfuscation, exfiltration, or infiltration of sensitive information, including:


  • Using Edge to copy files to personal cloud storage
  • Copying files to USB
  • Printing documents
  • Transferring files to a network share
  • Using Edge to download content from an unallowed domain
  • Using Edge to download content from a third-party site
  • Renaming files on device


For those using Microsoft Defender Advanced Threat Protection (MDATP), we can now provide insights into whether someone is trying to evade security controls by disabling multi-factor authentication or installing unwanted software, which may indicate potentially malicious behavior.


Finally, one of the key early indicators as to whether someone may choose to participate in malicious activities is disgruntlement. In this release, we are further enhancing our native HR connector to allow organizations to choose whether they want to use additional HR insights that might indicate disgruntlement to initiate a policy.


More detail on the breadth of new signals being captured can be found on our documentation site.


Quickly getting started without complex configurations or agent deployments


Customers have told us one of the features they really appreciate in Insider Risk Management is the ability to leverage the built-in policy templates to quickly get started on identifying risks.


Before switching to Insider Risk Management, many Microsoft 365 customers we spoke to were using a fractured and expensive approach to identify insider risks. They captured signals using a User Activity Monitoring (UAM) solution and fed these signals into a separate User Entity Behavior Analytics (UEBA) solution, in the hope of finding the insider risk needle in the haystack. We know from our own experience in attempting to deploy these complex types of solutions at Microsoft that not only does this approach not scale, but it often results in a lot of ‘noise’ because the signals lack enrichment, such as visibility into the sensitivity of the data, and lack broader context. In addition, deploying UAM and UEBA solutions takes considerable engineering resources to configure and maintain signal ingestion scripts, identify rules, and manage endpoint agents.


Insider Risk Management from Microsoft 365 was developed in close collaboration with our internal digital security and risk engineering organization. We leveraged our deep learning and research in this space to design a solution that was easy to get started with.


With Insider Risk Management, there is no requirement to deploy and manage endpoint agents on Windows 10 devices or to configure and maintain complex scripting to ingest signals. You simply choose the policy template most appropriate for the risk you are concerned about and add the users you want to look at. In the backend, our cloud-based machine learning and AI engine reasons over billions of signals to identify the risks most relevant for you to act on.


In this release, to help organizations identify an even broader variety of risks, we are introducing new policy templates, including:


  • Data leaks by priority users
  • Data leaks by disgruntled users
  • General security policy violations
  • Security policy violations by departing users
  • Security policy violations by priority users
  • Security policy violations by disgruntled users


[Image: Insider Risk Management policy templates]


We are also now introducing the powerful ability to customize policy templates. With policy customization, you can change the thresholds of the various indicators each policy reasons over to meet the unique needs of your organization.


[Image: Policy indicators thresholds]


More detail on these new templates and policy customization can be found on our documentation page.


Expanding extensibility into existing organizational systems and processes


Many organizations are already leveraging existing Security Orchestration, Automation and Response (SOAR) systems to log and classify incidents by impact and urgency to prioritize actions for those assigned to them.


With this release, we are integrating with ServiceNow APIs, which will provide the ability for Insider Risk Management case managers to directly create ServiceNow tickets for incident managers. These tickets can be customized to add information about the description of the incident and will also contain a link back to the case in Insider Risk Management for more detailed insights.


In addition, we are pushing Insider Risk Management alerts to the Office 365 Management Activity API. These alerts will contain information such as alert severity and status (active, investigating, resolved, dismissed). These alerts can then be consumed by Security Information and Event Management (SIEM) systems like Azure Sentinel to take further actions such as disabling user access or linking back to Insider Risk Management for further investigation.
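As an added illustration of the consumption path just described (this is example code written for this page, not Microsoft's, Azure Sentinel's or any connector's own implementation), the script below pulls Audit.General content from the Office 365 Management Activity API, keeps the records produced by Insider Risk Management, and orders the still-open ones by severity for a SIEM queue. The feed URL shape and the `contentUri` field are the real API's; the tenant id and token are placeholders, and the per-record field names (`Workload`, `Severity`, `Status`, `PolicyName`) and all sample records are constructed assumptions standing in for whatever the alert schema carries beyond the severity and status the post mentions.

```python
"""Pull Insider Risk Management alerts from the Office 365 Management
Activity API content feed and triage them for a SIEM queue.
Added example, not Microsoft's code. Record field names beyond
severity/status and all sample data are assumptions."""
import json
import urllib.request
from typing import Callable, Dict, List

FEED_BASE = "https://manage.office.com/api/v1.0"

# Severity order for the queue; the statuses the post lists are
# active, investigating, resolved and dismissed.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
OPEN_STATUSES = {"active", "investigating"}

# Constructed sample data standing in for two API responses: the content
# index (one blob) and the records inside that blob.
SAMPLE_INDEX = [{"contentType": "Audit.General",
                 "contentUri": "https://example.invalid/blob/1"}]
SAMPLE_RECORDS = {
    "https://example.invalid/blob/1": [
        {"Id": "a1", "Workload": "InsiderRiskManagement",
         "CreationTime": "2020-07-21T08:05:00", "UserId": "pat@contoso.example",
         "Severity": "High", "Status": "Active",
         "PolicyName": "Data leaks by priority users"},
        {"Id": "a2", "Workload": "InsiderRiskManagement",
         "CreationTime": "2020-07-21T08:10:00", "UserId": "sam@contoso.example",
         "Severity": "Medium", "Status": "Resolved",
         "PolicyName": "Security policy violations by departing users"},
        {"Id": "a3", "Workload": "InsiderRiskManagement",
         "CreationTime": "2020-07-21T08:20:00", "UserId": "lee@contoso.example",
         "Severity": "Low", "Status": "Investigating",
         "PolicyName": "General security policy violations"},
        # Unrelated audit record that shares the Audit.General feed.
        {"Id": "x9", "Workload": "MicrosoftTeams", "Operation": "TeamCreated",
         "CreationTime": "2020-07-21T08:30:00", "UserId": "lee@contoso.example"},
    ],
}


def http_get_json(url: str, token: str):
    """Real fetcher: GET a JSON document with an OAuth bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def sample_fetch(url: str, token: str):
    """Offline stand-in for http_get_json that serves the constructed data."""
    if url.startswith(FEED_BASE):
        return SAMPLE_INDEX
    return SAMPLE_RECORDS[url]


def collect_alerts(tenant_id: str, token: str, start_time: str, end_time: str,
                   fetch: Callable = http_get_json) -> List[Dict]:
    """List the Audit.General content blobs for the time window, download
    each one and keep only records from the Insider Risk Management
    workload. An Audit.General subscription must already be started for
    the tenant (POST .../subscriptions/start?contentType=Audit.General)."""
    index_url = (f"{FEED_BASE}/{tenant_id}/activity/feed/subscriptions/content"
                 f"?contentType=Audit.General&startTime={start_time}&endTime={end_time}")
    alerts: List[Dict] = []
    for blob in fetch(index_url, token):
        for record in fetch(blob["contentUri"], token):
            if record.get("Workload") == "InsiderRiskManagement":  # assumed value
                alerts.append(record)
    return alerts


def triage(alerts: List[Dict]) -> List[Dict]:
    """Drop resolved/dismissed alerts and order the rest highest severity
    first, oldest first within a severity, for the SIEM queue."""
    open_alerts = [a for a in alerts if a.get("Status", "").lower() in OPEN_STATUSES]
    return sorted(open_alerts,
                  key=lambda a: (-SEVERITY_RANK.get(a.get("Severity", "").lower(), 0),
                                 a.get("CreationTime", "")))


if __name__ == "__main__":
    found = collect_alerts("TENANT-ID-PLACEHOLDER", "TOKEN-PLACEHOLDER",
                           "2020-07-21T00:00", "2020-07-21T23:59", fetch=sample_fetch)
    for alert in triage(found):
        print(alert["Severity"], alert["Status"], alert["UserId"], alert["PolicyName"])
```

Against the constructed data, `collect_alerts` returns the three Insider Risk Management records and `triage` returns only the active high-severity alert followed by the low-severity one under investigation; the resolved alert and the unrelated Teams record are dropped. Swapping `sample_fetch` for `http_get_json` runs the same logic against a real tenant; a production poller would also follow the API's `NextPageUri` response header for large windows and persist the last window it processed so no alert is fetched twice.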


Get started today


The new features in Insider Risk Management will start rolling out to customers’ tenants in the coming days and weeks. Insider Risk Management is one of several products from Microsoft 365 E5, including Communication Compliance, Information Barriers and Privileged Access Management, that help organizations mitigate insider risks and policy violations. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started.


Learn more about what’s new with Insider Risk Management and how to get started and configure policies in your tenant in this supporting documentation. We look forward to hearing your feedback.


Thank you,
Talhah Mir, Principal Program Manager, Microsoft 365 Security and Compliance Engineering

Last update: May 11 2021 01:59 PM