While organizations have long prioritized external cybersecurity risks, many have now awoken to the risks posed by trusted insiders due to the potentially greater damage they can cause. In fact, according to a recent poll Microsoft conducted of Chief Information Security Officers (CISOs), 73% of respondents indicated that their organization plans to spend more on insider risk technologies due to COVID-19.

 

Successful insider risk management programs are built on a framework to identify insider risks with integrated operational processes which allow for collaboration between key stakeholders across the organization to take action.

 

In February this year, we introduced Insider Risk Management from Microsoft 365, helping organizations worldwide leverage the power of cloud scale combined with machine learning to identify insider risks and quickly take action with integrated collaboration workflows. In July, we released several new features which our customers are excited about:

 

  • Significantly expanding the quality of insights to intelligently flag potentially risky behavior
  • New templates to quickly get started without complex configurations or agent deployments
  • Policy customization to meet the unique needs of each organization
  • Expanding extensibility into existing organizational systems and processes

 

Today, we are excited to announce the public preview of additional features which further enhance the integrated investigation and collaboration workflows within Insider Risk Management.

 

Deeper integration with Microsoft Teams

 

Many organizations have insider risk management programs that often focus exclusively on implementing technology solutions without incorporating necessary cross company processes to effectively remediate the risks which are found. While technology plays an important role, it is just one component of an effective insider risk program.

 

With this release, customers can leverage native integration with Microsoft Teams to securely coordinate, collaborate, and communicate on a case with relevant stakeholders in the organization. When an Insider Risk management case is created , a private Microsoft Teams team will also be automatically created and bound to the case for its duration. This Microsoft Teams team will, by default, include insider risk management analysts and investigators, and additional contributors such as HR and Legal, can be added as appropriate. With Teams integration, stakeholders can:

 

  • Use channel conversations to coordinate and track review/response activities
  • Share, store and review relevant files and associated evidence

 

Insider Risk Management and Microsoft Teams integrationInsider Risk Management and Microsoft Teams integration

 

More details on native Microsoft Teams integration within Insider Risk Management can be found here.

 

Put intelligent workflows to work with Power Automate integration

 

Automation services are steadily becoming significant drivers of modern IT, helping improve efficiency and cost effectiveness for organizations. According to a recent McKinsey survey “the majority of all respondents (57 percent) say their organizations are at least piloting the automation of processes in one or more business units or functions.” Automation is no longer a theme of the future, but a necessity of the present, playing a key role in a growing number of scenarios.

 

Today we published a new Power Automate connector for Microsoft 365 Compliance solutions which includes automation triggers and actions for Insider Risk Management. With this release we are making four Power Automate templates available within Insider Risk Management:

 

  • Notify users when they’re added to an insider risk policy: A user may need to be notified that they are being added to a policy for legal or privacy reasons.
  • Request info from HR or manager about a user in an insider risk case : An insider risk analyst or investigator may want to consult HR or manager for additional context or concerns on a user to enrich their investigation into activity.
  • Notify a manager with insider alert information for an employee: Provides the ability for the insider risk management team to notify a manager that their direct report has an insider risk alert.
  • Add a calendar reminder for an analyst to follow-up on a case: Allows an analyst or investigator to add a reminder to their calendar to follow-up on a case.

 

Insider Risk Management Power Automate flowInsider Risk Management Power Automate flow

 

More details on these new Power Automate templates within Insider Risk Management can be found here.

 

Providing a richer investigation experience

 

Understanding the severity, impact and intent associated with potential insider risks is key to determining the appropriate steps required to quickly take action.

With this release, we are further enhancing the built-in investigation experience within Insider Risk Management, providing investigators with additional analytics features such as:

 

  • Alert triage pane providing a significantly improved visual summary of both activities (number of files downloaded, number copied to USB, etc.) and content detected (number of labels applied, number of sensitive content types detected, etc.) associated with an alert
  • Content widgets showing additional details on the types of labels applied, types of sensitive content detected, keywords detected, etc.
  • Activity Explorer allowing further analysis of each of the activities associated with an alert, e.g. site URL from which files were copied from, destination domain to which files were sent, etc.

 

Insider Risk Management activity explorer dashboardInsider Risk Management activity explorer dashboard

 

More details on these investigation features within Insider Risk Management can be found here.

 

Further expanding signal visibility to physical locations

 

Access to an organization’s physical assets – secure areas, critical equipment, or storage centers containing sensitive data – creates opportunities for a malicious insider to perform data theft or sabotage.

 

Physical access is typically governed by the Physical Control and Access System (PCAS). Since PCAS exist in silos, it is tough to coordinate access records across the systems. This creates a challenge for an insider risk analyst to track risky behavior involving the organization’s physical assets.

 

With this release we are providing a new physical badging connector, allowing organizations to send badging records from their PCAS systems (e.g., Linnell, Honeywell, etc) or from an enterprise data lake to Insider Risk Management using a simple push-based API connector.

 

These badging records provide Insider Risk Management with the ability to provide insights into risky behaviors such as an employee trying to access company’s sensitive resources post termination or trying to gain unauthorized access to company’s critical physical resources.

Insider Risk Management alerts dashboard highlighting physical activity signalsInsider Risk Management alerts dashboard highlighting physical activity signals

 

More details on the physical badging connector within Insider Risk Management can be found here.

 

We are also further extending the agentless capture of signals from Windows 10 endpoints to deliver new insights related to the infiltration of sensitive information via web browsers. In addition to Edge, we now receive signals when a user is using Chrome, Firefox and Opera to:

 

  • Download content from an unallowed domain
  • Download content from a third-party site

 

More detail on the breadth of new signals being captured can be found on our documentation site.

 

Get started today

 

The new features in Insider Risk Management will start rolling out to customer’s tenants in the coming weeks. Insider Risk Management is one of several products from Microsoft 365 E5, including Communication Compliance, Information Barriers and Privileged Access Management, that help organizations mitigate insider risks and policy violations. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started.

 

To see all of these features in action watch our skilling videos. You can also learn more about Insider Risk Management and how to get started configuring policies in your tenant with our supporting documentation. Finally, to learn more about Microsoft Compliance and access technical training, visit the Virtual Hub today.

 

Finally, we have just finished recording a number of podcasts focused on insider risks, the technologies used to detect them and what is required to build and maintain an effective insider risk management program. We interview a number of experts ranging from an applied researcher at Microsoft, to a leader at Carnegie Mellon’s Insider Threat Center, to a CISO who is considered to be the leading authority on insider risks. You can listen to the podcast series through one of the following mediums (other platforms will be available shortly):

 

 

Definitely listen to our show! If you like what you hear, we’d love for you to Subscribe, Rate and Review it on iTunes or any other podcast platform you may use.

 

We look forward to hearing your feedback.

 

Thank you,
Talhah Mir, Principal Program Manager, Microsoft 365 Security and Compliance Engineering