Introduction to Microsoft Purview Insider Risk Management

04.07.2024

In a conversation about computer security, cloud security, cyber threats, cyber-attacks, attacks on computer systems and the ways how companies and individuals become victims of attacks and lose their data, how the data is stolen, everyone immediately thinks about hackers and how external attacks are the reason of data breach and data loss.

Undoubtedly hackers and external attacks still pose a threat to company data but as companies and their computer and cloud infrastructure get progressively better protection, attackers increasingly turn to the ones with direct contact with the valuable company data.

People with direct contact with the data – employees - are becoming the major threat and concern among businesses of all sizes. Insider threat statistics are scary, and the numbers have been rising constantly. According to various statistics around 65% of data breaches are caused by insider threats while more than 70% of organizations report that insider attacks have increased constantly over the last two years. More than half of the companies have had an insider attack in the last 12 months, and the number of incidents due to insider threat has increased over 50% in two years.

Obviously, the major threat to the company data are privileged users like administrators and C-level executives because they have access to the most sensitive data, but essentially, every user is a potential threat if it has access to the data that attackers want.

According to Eleanor Thompson’s “The insider Threat - Assessment and mitigation of risks”, there are four types of malicious insiders or insider threats: malevolent insider, the vengeful insider, the wicked insider, and the virtuous insider. A malevolent insider deliberately harms a system for its personal gain, a vengeful insider retaliates against the organization and its leadership, a wicked insider knows what the rules are but disobeys them either for personal interest or because of some other intentions, while the virtuous insider is an employee that is usually well intended but places organizations at high risk through its risky behavior.

There is no single guaranteed tool to prevent insider threats, but a multitude of tools and a sound, holistic approach is what organizations need to reduce insider threats: privileged access management, just in time access, access control lists, incident response management, employee monitoring, security incident, data loss prevention, event management systems (SIEM) and others.

Fortunately, Microsoft Purview comprehensive insider risk prevention features will significantly increase organizations’ capability to mitigate these types of security and compliance concerns.

To be able to use Microsoft 365 Purview Insider risk management, you must have one of the following Microsoft 365 E5, A5, F5, G5 subscriptions. Alternatively, Microsoft 365 E3, A3, F3, G3 subscriptions will work too, together with either Compliance, Insider Risk Management add-ons.

Ultimately, Office 365 E3 subscription paired with Enterprise Mobility and Security E3 paired with Compliance add-on will provide you with sufficient rights to work with Insider risk management.

Microsoft Purview Insider risk management (IRM) is just one product in the palette of risk and compliance solutions available in Microsoft Purview that works together with communication compliance, information barriers and privileged access management to help organizations successfully mitigate insider threats.

Inside the risk management will help you mitigate regulatory compliance violations, leaks of sensitive data, policy and confidentiality violations, IP theft, fraud, and different types of data loss.

Before proceeding with the technical implementation of the insider risk management, organizations should start onboarding process with planning activities that will thoroughly assess and determine desirable and required compliance regulations, procedures, and requirements. This task requires involvement of various departments besides information technology department, and involvement of different stakeholders like privacy, human resources, legal, security and compliance stakeholders.

Implementing and enabling insider risk management in the production should not be different than what the standard practice describes when implementing any potentially disrupting procedures, products, or features. You should test insider risk policies on a small subset of users in a test environment to determine privacy, compliance or legal issues in your organization, and fine tune the policies to meet all necessary requirements. The alternative is to test insider risk policies in the production environment, but also on a small subset of users to minimize any potentially negative impact on your production environment.

To get started with Insider risk management, log into https://compliance.microsoft.com and select Insider risk management option on the left side menu.

Before going deeper into IRM workflow, you need to consider completing some initial and desirable steps, and a high-level summary is very conveniently available on the Overview page.

These are not the only steps you should perform, of course, but a handful of recommended actions only. On the compliance portal, under Insider Risk, selecting All recommended actions will bring up somewhat expanded list of recommendations that provide an excellent starting point to configuring Insider risk management. These options are available from IRM settings anyway, but following this advice will save you some time in configuring IRM, while focusing on most important configuration settings. To access recommended actions pane, select all recommended actions text on the overview page, or click on a wrench icon in the upper right corner of the overview page.

The recommended setup actions are in fact the list of actions you should do first when setting up insider risk management:

  • Turn on auditing to record user and admin activity,
  • Set up right permissions by assigning you to the correct groups,
  • Choose policy indicators, that is, risk management activities you want to detect,
  • Create a policy to start receiving alerts,
  • Assign permissions to other users, to delegate access.

The first thing you should do is turn on analytics to scan for potential risks. Analytics scans different areas for user activity, such as Microsoft 365 audit logs, Entra ID activities, Exchange Online activities and, if configured, Microsoft 365 HR data connector activities. The first analytics scan usually takes 48 hours to complete while analytics scans after that are completed daily. Analytics settings can be found on the Insider risk management settings page and turned on there later, if needed. The recommended setting is to turn analytics on so Microsoft 365 can scan sources in organization logs to detect activities used by inside the risk policies. These scans run daily and can be used later to set up insider risk policies.\

After the initial analytics scan finishes, the analytics report will include insights for any potential data leaks, data theft and exfiltration attempts. The report will show what was detected details about detected activities and recommendations for creating policies that will detect alert and prevent such activities.

Insider Risk Management in Microsoft 365 is a solution that helps organizations identify and remediate insider threats, such as data leaks, data theft, or data exfiltration. Insider risk can be caused by malicious or negligent actions of employees, contractors, or partners who have access to sensitive data and systems. Insider Risk Management in Microsoft 365 uses advanced analytics, machine learning, and Microsoft Graph to detect anomalous user behaviours, alert security teams, and provide investigation and response tools.

Do you have any additional questions?

For more information, we are always happy to assist you. Feel free to contact us at info@kompas-xnet.si or call us at 01 5136 990.

Contact us

Novice

Naročite se na Xnet novice in ostanite na tekočem glede novih tečajev, seminarjev, možnosti pridobitve novih certificiranj in akcijskih cen.

Not yet subscribed to our newsletter?

Subscribe to Xnet news and stay up to date on new courses, seminars, opportunities to obtain new certifications and special prices.

Need assistance? bot icon
Need assistance?