Uncover hidden risks and accelerate time to action with new features in Insider Risk Management
Published Feb 06 2023 09:00 AM

Over the past few years, hybrid workspaces with information workers collaborating across various environments have become more common than ever. And with this comes the likelihood of data security incidents – such as data exposure, leak, or theft – that can happen anytime, anywhere. According to recent research, 20% of data breaches are due to internal actors*, and cost businesses an average of $7.5 million annually**.

Because not all the potential insider risks become incidents or breaches, quickly identifying the most critical insider risks and prioritizing resources to investigate and mitigate them is crucial to reducing impact from incidents.

We are excited to announce several new features in public preview in Insider Risk Management that can help you better uncover hidden insider risks and accelerate time to action:


  • Extend intelligent detections to non-Microsoft environments
  • Enrich obfuscation detection in sequences
  • Improve investigation experience with a new visual chart and alert filter
  • Reduce noise of insider risk alerts


Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


Extend intelligent detections to non-Microsoft environments
Many organizations use multiple cloud environments to enable end-user collaboration. To detect critical insider risks based on how users work today, it’s important for organizations to understand potentially risky activities that may lead to a data security incident across their environment.

In addition to the already rich set of signals Insider Risk Management captures from Microsoft environments, we are excited to announce the extension of the sequence detection capability to third-party cloud environments. With the update, admins can configure data leak or data theft policies to detect a series of connected user actions that start with downloading files from non-Microsoft domains. For example, suppose a user downloaded files from dropbox.com, renamed them to appear less sensitive, and saved them on a portable device. In this case, it could suggest that the user was potentially trying to exfiltrate sensitive data while evading detection. Insider Risk Management will generate an alert for these multi-environment risky activities, allowing security teams to take the appropriate action.


Figure 1 Adding sequences that start with downloading from third-party sites in an Insider Risk Management policy


Enrich obfuscation detection in sequences
To enable organizations to identify a sequence of related risky activities and understand user intent, Insider Risk Management categorizes user activities into collection, exfiltration, obfuscation, and clean-up. We are continuously adding new signals in each category. We are excited to introduce an update that lets admins opt in to including file archiving as an indicator of obfuscation in sequences to detect potential data leak or theft incidents.
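The sequence idea from the two sections above (a download from a non-Microsoft domain, followed by a rename or archive, then a copy to a portable device) can be sketched as a small correlation routine. This is an added example, not Microsoft's implementation: the activity names, the activity-to-category mapping, the first-party domain list, the 7-day window and the sample events are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed activity-to-category mapping; the page names only the four categories.
CATEGORY = {"download": "collection", "rename": "obfuscation",
            "archive": "obfuscation", "usb_copy": "exfiltration",
            "delete": "clean-up"}
FIRST_PARTY = ("sharepoint.com", "onedrive.com")  # assumed allow-list
WINDOW = timedelta(days=7)                        # assumed correlation window

# Constructed events: (timestamp, user, activity, source, result)
EVENTS = [
    ("2023-02-01T09:00", "user-a", "download", "dropbox.com", "plan_2023.docx"),
    ("2023-02-01T09:05", "user-a", "rename", "plan_2023.docx", "notes.docx"),
    ("2023-02-01T09:07", "user-a", "archive", "notes.docx", "misc.zip"),
    ("2023-02-01T09:30", "user-a", "usb_copy", "misc.zip", "E:\\misc.zip"),
    ("2023-02-02T10:00", "user-b", "download", "dropbox.com", "menu.pdf"),
    ("2023-02-02T10:10", "user-b", "usb_copy", "photo.jpg", "E:\\photo.jpg"),
    ("2023-02-03T08:00", "user-c", "download", "contoso.sharepoint.com", "q1.xlsx"),
    ("2023-02-03T08:05", "user-c", "usb_copy", "q1.xlsx", "E:\\q1.xlsx"),
]

def is_first_party(host):
    # Match the domain or a subdomain, never a bare suffix like "evil-onedrive.com".
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def find_sequences(events):
    """Return chains that start with a third-party download and end in
    exfiltration of the same file, following it through renames and archives."""
    chains = {}   # (user, current file name) -> chain state
    alerts = []
    for ts, user, activity, src, dst in sorted(events):
        when = datetime.fromisoformat(ts)
        if activity == "download":
            if not is_first_party(src):
                chains[(user, dst)] = {"start": when, "origin": src,
                                       "steps": ["collection"]}
            continue
        chain = chains.pop((user, src), None)
        if chain is None or when - chain["start"] > WINDOW:
            continue  # unrelated file, or too old to correlate
        chain["steps"].append(CATEGORY[activity])
        if CATEGORY[activity] == "exfiltration":
            alerts.append({"user": user, "origin": chain["origin"],
                           "steps": chain["steps"]})
        elif CATEGORY[activity] == "obfuscation":
            chains[(user, dst)] = chain  # keep following the file under its new name
    return alerts
```

Only user-a produces a sequence: user-b copies an unrelated file, and user-c's download comes from a first-party domain, so neither chain is opened or completed.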


Enhance investigation experience with a new visual chart and alert filter
Insider Risk Management analysts and investigators usually spend most of their time each day triaging alerts and investigating potential insider risks that might result in data security incidents. We have been continuously investing in improving the alert and investigation experience, and today we are introducing two updates.

First, a new visual representation in the user activity page shows how a user's exfiltration activities build over time and across exfiltration channels, alongside key events, such as resignation date. Often, it is challenging to detect data security incidents caused by low-and-slow insiders who exfiltrate data slowly over time. They might print one file one day, email one file another day, and so on, to gradually exfiltrate sensitive data under the radar. With this new trend chart, admins can leverage the visualization of cumulative exfiltration activities to spot this low-and-slow pattern more easily.


Figure 2 Admins can view the cumulative exfiltration trends on the user activity page in an alert or case


Second, on the alerts page, admins can now filter out any activity that was already reviewed in a past alert for a policy so they can focus review activity on new activities that might lead to a data security incident.
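Why a cumulative view surfaces the low-and-slow pattern described above can be shown with a short calculation. This is an added example, not Microsoft's code: the channel names, both thresholds, the resignation date and the activity records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from itertools import accumulate

# Constructed sample: (day, channel, files exfiltrated) for one pseudonymized user.
ACTIVITY = [
    (date(2023, 1, 9), "print", 1),
    (date(2023, 1, 11), "email", 1),
    (date(2023, 1, 12), "usb", 2),
    (date(2023, 1, 16), "print", 1),
    (date(2023, 1, 18), "cloud_upload", 2),
    (date(2023, 1, 20), "email", 1),
]
RESIGNATION = date(2023, 1, 10)   # constructed key event
DAILY_LIMIT = 5                   # assumed per-day alert threshold
CUMULATIVE_LIMIT = 6              # assumed threshold on the running total

def cumulative_trend(activity):
    """Return [(day, total_that_day, running_total)] summed across all channels."""
    per_day = defaultdict(int)
    for day, _channel, count in activity:
        per_day[day] += count
    days = sorted(per_day)
    running = accumulate(per_day[d] for d in days)
    return [(d, per_day[d], r) for d, r in zip(days, running)]

def low_and_slow(activity, key_event):
    """Compare what a per-day threshold sees with what the running total shows."""
    trend = cumulative_trend(activity)
    by_channel = defaultdict(int)
    for _day, channel, count in activity:
        by_channel[channel] += count
    crossed = next((d for d, _n, total in trend if total >= CUMULATIVE_LIMIT), None)
    return {
        "daily_alert": any(n >= DAILY_LIMIT for _d, n, _t in trend),
        "cumulative_crossed_on": crossed,
        "after_key_event": sum(n for d, n, _t in trend if d >= key_event),
        "by_channel": dict(by_channel),
    }
```

No single day or channel exceeds the daily threshold, yet the running total across channels crosses the cumulative threshold eight days after the resignation date.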


Reduce noise of insider risk alerts
Managing potentially noisy signals created within the system can help ensure that Insider Risk Management continuously detects and surfaces the most critical alerts. To achieve this, we introduced multiple ways for admins to exclude noise by specifying sensitive information types or file types that might be less impactful, so that Insider Risk Management policies ignore files that match the exclusion. With this update, the file type exclusion now extends to email attachments to help reduce noisy alerts.

Another primary source of noise can be the system itself. Sometimes, a single user activity can generate duplicate signals used to identify insider risks, creating noisy alerts. For example, when a user opens a file for reading and leaves it open, the system keeps logging a FileRead operation at regular intervals throughout the day. In our last blog, we announced the deduplication logic for Copy to USB, Copy to network share, and SharePoint and OneDrive for Business sync signals. With this update, we are extending this logic to the next set of the 13 most common signals, including SharePoint file download, File print, and File upload to cloud. These signals will be deduplicated in Insider Risk Management without losing risk context, significantly reducing the time security teams spend identifying the most critical risks.
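One way to collapse the repeated FileRead records described above while keeping their context (first seen, last seen, raw count) is gap-based grouping. This is an added example, not Microsoft's deduplication logic: the 30-minute gap, the record layout, the `FilePrint` operation name and the sample records are assumptions.

```python
from datetime import datetime, timedelta

MAX_GAP = timedelta(minutes=30)  # assumed: repeats closer than this are one activity

# Constructed audit records: (timestamp, user, operation, object)
RECORDS = [
    ("2023-02-06T09:00", "user-a", "FileRead", "roadmap.pptx"),
    ("2023-02-06T09:15", "user-a", "FileRead", "roadmap.pptx"),
    ("2023-02-06T09:30", "user-a", "FileRead", "roadmap.pptx"),
    ("2023-02-06T09:20", "user-a", "FilePrint", "roadmap.pptx"),
    ("2023-02-06T14:00", "user-a", "FileRead", "roadmap.pptx"),
    ("2023-02-06T09:10", "user-b", "FileRead", "roadmap.pptx"),
]

def deduplicate(records, max_gap=MAX_GAP):
    """Merge repeats of the same (user, operation, object) that arrive within
    max_gap of the previous one; a longer pause starts a new signal."""
    open_signal = {}   # (user, operation, object) -> signal still being extended
    signals = []
    for ts, user, op, obj in sorted(records):
        when = datetime.fromisoformat(ts)
        key = (user, op, obj)
        current = open_signal.get(key)
        if current and when - current["last_seen"] <= max_gap:
            # Same ongoing activity: extend it instead of emitting a duplicate.
            current["last_seen"] = when
            current["raw_events"] += 1
            continue
        current = {"user": user, "operation": op, "object": obj,
                   "first_seen": when, "last_seen": when, "raw_events": 1}
        open_signal[key] = current
        signals.append(current)
    return signals
```

The six raw records become four signals: the three morning reads by user-a merge into one, while the print, the afternoon read and user-b's read stay separate because the operation, the time gap or the user differs.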


Enable Adaptive Protection with Insider Risk Management
In addition to the above announcements, today, we are also announcing the public preview of Adaptive Protection, a new capability of Microsoft Purview that enables organizations to optimize the balance between data protection and productivity automatically. Adaptive Protection leverages machine learning to identify and mitigate the most critical risks with the most effective protection controls dynamically, saving security teams valuable time while ensuring better data security.

By leveraging the machine learning-driven analysis in Insider Risk Management, Adaptive Protection detects potentially risky user actions that may result in a data security incident and automatically adds the user to a stricter Data Loss Prevention policy. The protection policies are adaptive based on user context, ensuring that the most effective policy, such as blocking data sharing, is applied only to high-risk users while low-risk users can maintain productivity. You can read this Tech Community blog post and watch the Mechanics video to learn more about how to enable Adaptive Protection with Microsoft Purview.



Get started with Insider Risk Management today
We are thrilled to share these announcements with you. Here is a summary of next steps and other resources to help you and your organization get started with these capabilities:

  • Learn more about Adaptive Protection and Insider Risk Management in our technical documentation.
  • Insider Risk Management is part of the Microsoft Purview suite of solutions designed to help organizations manage, govern and protect their data. If you are an organization using Microsoft 365 E3 and would like to experience Insider Risk and other Purview solutions for yourself, check out our E5 Purview trial.
  • Read more about Insider Risk Management: In addition to using the right tools, you need best practices when building an effective insider risk program. You can learn how to build a holistic insider risk management program with five elements that help companies have stronger data protection while ensuring user trust.


- Erin Miyake, Principal Product Manager, Microsoft Purview Insider Risk Management


*Data Breach Investigations Report 2022, Verizon

**Building a Holistic Insider Risk Management Program survey 2022, Microsoft

Last update: Feb 06 2023 09:23 AM