Countless security and compliance officers around the world are now asking themselves, “Is my organization effectively prepared to identify and take action on ever increasing insider risks?”
The primary reason for this question is COVID-19, and the rapid digital transformation it has forced organizations to undertake. According to a recent survey, the lives of up to 300 million information workers worldwide have been upended, and many are now working remotely with limited resources, insecure wi-fi networks and increased stress. In addition, due to the rapid progression of the pandemic, many information workers are expected to use their home PCs or other shared devices.
Remote work, while protecting employees from exposure to the virus, increases the distractions they likely to face, such as shared home workspaces and remote learning for children. According to the SEI CERT institute, user distractions are the cause for many accidental and non-malicious insider risks. Stressors such as potential job loss or safety concerns are also now heightened, which may lead some employees to participate in malicious activities, such as stealing intellectual property.
In February this year, we introduced Insider Risk Management from Microsoft 365, helping organizations worldwide leverage the power of cloud scale combined with machine learning to identify insider risks and quickly take action with integrated collaboration workflows.
Today we are pleased to announce the public preview of several new features that further enhance the rich set of detection and remediation capabilities already offered in the solution.
Increased visibility with a focus on signal quality
While having broad visibility into end user activities, actions, or communications are important, when it comes to effectively identifying risks, the quality insights matters most. In this release, we are significantly expanding the quality of insights that Insider Risk Management delivers to intelligently flag potentially risky behavior.
We are further enhancing our already rich native integration with Microsoft 365 to surface additional insights across Microsoft Teams, SharePoint, and Exchange, including:
Sharing files/folders/sites from SharePoint Online to domains marked “unallowed”
Downloading content from Teams
Emailing outside the organization to domains marked “unallowed”
Insider Risk Management indicators selection page
On devices, we continue to leverage the agentless capture of signals from Windows 10 endpoints to deliver new insights related to the obfuscation, exfiltration, or infiltration of sensitive information, including:
Using Edge to copy files to personal cloud storage
Copying files to USB
Transferring files to a network share
Using Edge to download content from an unallowed domain
Using Edge to download content from a third-party site
Renaming files on device
For those using Microsoft Defender Advanced Threat Protection (MDATP), we can now provide insights into whether someone is trying to evade security controls by disabling multi-factor authentication or installing unwanted software, which may indicate potentially malicious behavior.
Finally, one of the key early indicators as to whether someone may choose to participate in malicious activities is disgruntlement. In this release, we are further enhancing our native HR connector to allow organizations to choose whether they want to use additional HR insights that might indicate disgruntlement to initiate a policy.
Quickly getting started without complex configurations or agent deployments
Customers have told us one of the features they really appreciate in Insider Risk Management is the ability to leverage the built-in policy templates to quickly get started on identifying risks.
Before switching to Insider Risk Management, many Microsoft 365 customers we spoke to were using a fractured and expensive approach to identify insider risks. They captured signals using a User Activity Monitoring (UAM) solution and fed these signals into a separate User Entity Behavior Analytics (UEBA) solution, with the hopes of finding the insider risk needle in the haystack. We know from our own experience in attempting to deploy these complex types of solutions at Microsoft, that not only is this approach not scalable, but it often results in a lot of ‘noise’ as it lacks enrichment, such as visibility into the sensitivity of the data and lack of broader context. In addition, deploying UAM and UEBA solutions takes considerable engineering resources to configure and maintain signal ingestion scripts, identify rules, and manage endpoint agents.
With Insider Risk Management, there is no requirement to deploy and manage endpoint agents on Windows 10 devices or configure and maintain complex scripting to ingest signals. You just simply choose the policy template most appropriate for the risk you are concerned about and add the users you want to look at. In the backend, our cloud-based machine learning and AI engine reasons over billions of signals to identify the risks most relevant for you to act on. In this release, to help organizations identify an even broader variety of risks, we are introducing new policy templates, including:
Data leaks by priority users
Data leaks by disgruntled users
General security policy violations
Security policy violations by departing users
Security policy violations by priority users
Security policy violations by disgruntled users
Insider Risk Management policy templates
We are also now introducing the powerful ability to customize policy templates. With policy customization, you can change the thresholds of the various indictors each policy reasons over to meet the unique needs of your organization.
Expanding extensibility into existing organizational systems and processes
Many organizations are already leveraging existing Security Orchestration, Automation and Response (SOAR) systems to log and classify incidents by impact and urgency to prioritize actions for those assigned to them.
With this release, we are integrating with ServiceNow APIs, which will provide the ability for Insider Risk Management case managers to directly create ServiceNow tickets for incident managers. These tickets can be customized to add information about the description of the incident and will also contain a link back to the case in Insider Risk Management for more detailed insights.
In addition, we are also pushing Insider Risk Management alerts to the Office 365 Management Activity API. These alerts will contain information such as alert severity and status (active, investigating, resolved, dismissed). These alerts can then be consumed by Security Incident Event Management (SIEM) systems like Azure Sentinel to take further actions such as disabling user access or linking back to Insider Risk Management for further investigation.
Get started today
The new features in Insider Risk Management will start rolling out to customer’s tenants in the coming days and weeks. Insider Risk Management is one of several products from Microsoft 365 E5, including Communication Compliance, Information Barriers and Privileged Access Management, that help organizations mitigate insider risks and policy violations. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started.
Learn more about what’s new with Insider Risk Management and how to get started and configure policies in your tenant in this supporting documentation. We look forward to hearing your feedback.
Thank you, Talhah Mir, Principal Program Manager, Microsoft 365 Security and Compliance Engineering